Executive summary

Microsoft’s October 2023 Patch Tuesday provides updates to address 103 security issues across its product range, including two actively exploited zero-day vulnerabilities (CVE-2023-36563 and CVE-2023-41763).  One of the exploited zero-day vulnerabilities is a privilege escalation vulnerability in skype. The other is an information disclosure vulnerability in Microsoft WordPad that can result in disclosure of NTLM hashes. Also among the updates provided by Microsoft were 13 critical vulnerabilities.

In addition to the Microsoft updates this week also saw Adobe fix 13 vulnerabilities across various products, with a vulnerability in Adobe Reader under active exploitation, and Google addressing 20 vulnerabilities in Chrome.

What’s the risk to me or my business?

The actively exploited vulnerabilities could allow an attacker with access, to elevate privileges or capture the hashes of user passwords to gain access to that users accounts. Both compromise the confidentiality, integrity and availability of data stored by an organisation.

What can I do?

Security updates are available for all supported versions of Windows impacted. The updates should be applied as soon as possible for the actively exploited vulnerability and all other vulnerabilities that have a critical severity rating.

Technical Summary

CVE-2023-36563: If exploited the vulnerability disclosures of information in Microsoft WordPad that could result in leak in NTLM hashes.

CVE-2023-41763: If actively exploited it allows for an attacker to escalate privileges in Skype that could lead to the exposure of sensitive information, such as IP addresses, port numbers and enabling an attacker to gain access to internal networks.

Adobe

This month, Adobe released fixes for 13 vulnerabilities, of which 8 were rated critical across Adobe Bridge (2), Commerce (10) and Photoshop (1). Adobe have stated a vulnerability in Adobe Reader is under active exploitation. The vulnerabilities include remote code execution, memory leak, privilege escalation and security bypass.

Chrome

An update for Google Chrome which patches 20 vulnerabilities, with the most severe allowing for arbitrary code execution to be performed by a malicious attacker. Depending on the privileges associated with the user an attacker could then install programs; view, delete or modify the data; or create new accounts with full user rights. Users whose accounts have fewer user rights could be less impacted than those who operate with administrative user rights. While there are currently no reports of these vulnerabilities being exploited in the wild, it is advised to update to the latest version as soon as possible.

further details on other specific updates within this patch Tuesday can be found here:

https://msrc.microsoft.com/update-guide/releaseNote/2023-Oct

Further details about CVE-2023-36563 can be found here:              

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-36563

Further details about CVE-2023-41763 can be found here:

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-41763

Further details of the vulnerabilities addressed in Adobe Bridge can be found here:

https://helpx.adobe.com/security/products/bridge/apsb23-49.html

Further details of the vulnerabilities addressed in Adobe Commerce can be found here:

https://helpx.adobe.com/security/products/magento/apsb23-50.html

Further details of the vulnerabilities addressed in Adobe Photoshop can be found here:

https://helpx.adobe.com/security/products/photoshop/apsb23-51.html

Further details of the vulnerabilities addressed in Chrome can be found here:

https://chromereleases.googleblog.com/2023/10/stable-channel-update-for-desktop_10.html

Need help understanding your gaps, or just want some advice? Get in touch with us.

#threatadvisory #threatintelligence #cybersecurity

Executive summary

Microsoft’s August Patch Tuesday provides updates to address 86 security issues across its product range, including two zero-day vulnerabilities (CVE-2023-36884, CVE-2023-38180). The vulnerabilities allow remote code execution and denial of service. Among the updates provided by Microsoft, 6 addressed critical vulnerabilities.

What’s the risk to me or my business?

The vulnerabilities allow an attacker to remotely execute code and cause a denial-of-service, impacting the confidentiality, integrity and availability of data held by an organisation. CVE-2023-38180, which is a denial-of-service vulnerability has been recorded by the US Cybersecurity and Infrastructure Security Agency (CISA) in its “Known Exploited Vulnerabilities” Catalogue.

What can I do?

Security updates are available for all supported versions of Windows impacted. The updates should be applied immediately for the zero-day vulnerabilities and as soon as possible for all other vulnerabilities.  Microsoft has also published an separate advisory for CVE-2023-36884.

Technical Summary

CVE-2023-36884: This vulnerability, if exploited allows threat actors to create specially crafted documents which bypass Mark of the Web (MoTW) security features, causing files to be opened with no warning, allowing a threat actor to perform remote code execution.

CVE-2023-38180: The actively exploited vulnerability allows an attacker to cause a denial-of-service attack on .NET applications and Visual Studio.

Adobe

In addition to Microsoft’s Patch Tuesday Adobe released fixes for 36 vulnerabilities, of which 19 were rated critical. The critical vulnerabilities spanned across Adobe Acrobat and Reader (16), Adobe Commerce and  Adobe Dimension (2). At current, Adobe is not aware of any of these vulnerabilities being actively exploited. The vulnerabilities include remote code execution, memory leak and security bypass.

further details on other specific updates within this patch Tuesday can be found here:

https://www.ghacks.net/2023/08/08/the-windows-august-2023-security-updates-fix-critical-vulnerabilities-and-internet-explorer/

Further details about CVE-2023-38180 can be found here:                     

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-38180

Further details about CVE-2023-36884 can be found here:                     

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36884  

The advisory from Microsoft can be found here:

Further information on CISA’s Known Exploited Vulnerabilities Catalog can be found here:

https://www.cisa.gov/known-exploited-vulnerabilities-catalog

https://msrc.microsoft.com/update-guide/vulnerability/ADV230003

Further details of the vulnerabilities addressed in Adobe Acrobat DC and Reader can be found here: https://helpx.adobe.com/security/products/acrobat/apsb23-30.html

Further details of the vulnerabilities addressed in Adobe Commerce can be found here: https://helpx.adobe.com/security/products/magento/apsb23-42.html

Further details of the vulnerabilities addressed in Adobe Dimension can be found here: https://helpx.adobe.com/security/products/dimension/apsb23-44.html

Need help understanding your gaps, or just want some advice? Get in touch with us.

#threatadvisory #threatintelligence #cybersecurity 

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

• Ransomware Report: Most Organisations Unprepared for an Attack, Lack Incident Playbook, Research Finds

Some organisations have made significant improvements to their ransomware readiness profile in the last year, Axio said in a newly released report. However, a lack of fundamental cyber security practices and controls, inadequate vulnerability patching and employee training continues to leave ransomware defences lacking in potency.

Axio’s report reveals that only 30% of organisations have a ransomware-specific playbook for incident management in place. In 2021’s report Axio, maker of a cloud-based cyber management software platform, identified seven key areas emerged where organisations were deficient in implementing and sustaining basic cyber security practices.

The same patterns showed up in the 2022 report:

• Managing privileged access.

• Improving basic cyber hygiene.

• Reducing exposure to supply chain and third-party risk.

• Monitoring and defending networks.

• Managing ransomware incidents.

• Identifying and addressing vulnerabilities in a timely manner.

• Improving cyber security training and awareness.

Overall, most organisations surveyed are not adequately prepared to manage the risk associated with a ransomware attack. Key data findings include:

• The number of organisations with a functional privileged access management solution in place increased by 10% but remains low at 33% overall.

• Limitations on the use of service and local administrator accounts remain average overall, with nearly 50% of organisations reporting implementing these practices.

• Approximately 40% of organisations monitor third-party network access, evaluate third-party cyber security posture, and limit the use of third-party software.

• Less than 50% of respondents implement basic network segmentation and only 40% monitor for anomalous connections.

• Critical vulnerability patching within 24 hours was reported by only 24% of organisations.

• Active phishing training has improved but is still not practiced by 40% of organisations.

https://www.msspalert.com/cybersecurity-research/most-organizations-unprepared-for-ransomware-attack-lack-incident-playbook-axio-reports/

• LinkedIn Scams, Fake Instagram Accounts Hit Businesses, Execs

Business owners with public social media accounts are easy targets for scammers who lift information to create fake accounts. The arduous process for removing fraudulent accounts leaves victims frustrated and vulnerable to further data privacy issues. Victims say platform providers, particularly Facebook and Instagram, must improve their responses to reports of fraud.

Impersonation of a brand or executive contributed to more than 40% of all phishing and social media incidents in the second quarter, according to the Agari and Phish Labs Quarterly Threat Trends and Intelligence Report released in August. Q2 marks the second quarter that impersonation attacks have represented the majority of threats, despite a 6.1% decrease from Q1.

Executive impersonation has been on the rise over the past four quarters — representing more than 15% of attacks, according to the report — as impersonating a corporate figure or company on social media is simple and effective for threat actors.

Thom Singer, CEO for the Austin Technology Council and a public speaker, was recently impersonated on Instagram. A scammer created a fake Instagram account with his name and photos, creating a handle with an extra "r" at the end of Singer. That account appeared to amass over 2,300 followers – nearly as many as Singer's own account – lending to its appearance of authenticity.

He learned of the fake account from a contact who texted to ask if he'd reached out on Instagram, which wasn't a channel Singer typically uses to communicate. Singer reported the fraudulent account using the platform's report button and asked his followers to do the same.

"You can't reach anyone at these platforms, so it takes days to get a fake account removed," Singer said. "These social media sites have no liability, nothing to lose when fraud is happening. They need to up their game and have a better process to get [fraud] handled in a timely manner."

https://www.techtarget.com/searchsecurity/feature/LinkedIn-scams-fake-Instagram-accounts-hit-businesses-execs

• Study Highlights Surge in Identity Theft and Phishing Attacks

A new study from behavioural risk firm CybSafe and the National Cybersecurity Alliance (NCA) has been launched and it highlights an alarming surge in phishing and identity theft attacks.

The report, titled ‘Oh, Behave! The Annual Cybersecurity Attitudes and Behaviors report’, studied the opinions of 3,000 individuals across the US, the UK and Canada towards cyber security and revealed that nearly half (45%) of users are connected to the internet all the time, however, this has led to a surge in identity theft with almost 1 in 4 people being affected by the attack.

Furthermore, 1 in 3 (36%) respondents revealed they have lost money or data due to a phishing attack. Yet the study also revealed that 70% of respondents feel confident in their ability to identify a malicious email, but only 45% will confirm the authenticity of a suspicious email by reaching out to the apparent sender.

When it comes to implementing cyber security best practices, only 33% of respondents revealed they use a unique password for important online accounts, while only 16% utilise passwords of over 12 characters in length. Furthermore, only 18% of participants have downloaded a stand-alone password manager, while 43% of respondents have not even heard of multi-factor authentication.

https://www.itsecurityguru.org/2022/10/12/study-highlights-surge-in-identity-theft-and-phishing-attacks/

• Increase in Cyber Liability Insurance Claims as Cyber Crime Skyrockets

A cyber insurer, Acuity Insurance, is reporting an increased need for cyber liability insurance across both personal and business policyholders. From June 2021 to June 2022, the insurer saw cyber liability insurance claims on its commercial insurance policies increase by more than 50%. For personal policies, they saw more than a 90% increase in cyber claims being reported in 2021 compared with 2020.

Our lives, homes and businesses are more connected than ever before. Being connected leads to a greater risk of cyber attacks, which aren't covered under standard homeowners or business insurance policies.

The insurance experts caution that everyone is at risk — whether you are a small business owner or an individual — as cyber attacks continue to pose a serious financial threat. From 2019 to 2021, cyber attacks were up 50% from the previous year, according to recent research. Wire fraud and gift card scams are two of the most common types of cyber attacks impacting both businesses and individuals.

Scams involving social engineering are some of the easiest to fall for, as fraudsters exploit a person's trust to obtain money or personal information, which can then be used for unauthorised withdrawals of money. Cyber insurance can protect you from financial loss caused by wire transfer fraud, phishing attacks, cyber extortion, cyberbullying and more, Acuity reported.

While all cyber crimes have a financial impact, fraudulent wire transfers often come with greater losses. Banks are typically not responsible for funds lost as a result of a fraudulent wire transfer inadvertently authorised by the customer. Whether it's a wrongful money transfer by a business or an individual, cyber insurance can help mitigate some of the financial loss caused by these scams.

https://www.darkreading.com/attacks-breaches/acuity-reports-increase-in-cyber-liability-insurance-claims-as-cybercrime-skyrockets

• UK Government Urges Action to Enhance Supply Chain Security

The UK government has warned organisations to take steps to strengthen their supply chain security.

New National Cyber Security Centre (NCSC) guidance has been issued amid a significant increase in supply chain attacks in recent years, such as the SolarWinds incident in 2020. The NCSC cited official government data showing that just over one in 10 businesses review the risks posed by their immediate suppliers (13%), while the proportion covering the wider supply chain is just 7%.

Aimed at medium-to-large organisations, the document sets out practical steps to better assess cyber security across increasingly complex supply chains. This includes a description of typical supplier relationships and ways that organisations are exposed to vulnerabilities and cyber-attacks via the supply chain, and the expected outcomes and key steps needed to assess suppliers’ approaches to security.

The new guidance followed a government response to a call for views last year which highlighted the need for further advice. Supply chain attacks are a major cyber threat facing organisations and incidents can have a profound, long-lasting impact on businesses and customers. With incidents on the rise, it is vital organisations work with their suppliers to identify supply chain risks and ensure appropriate security measures are in place.

https://www.infosecurity-magazine.com/news/uk-government-supply-chain-security/

• For Most Companies Ransomware Is the Scariest Of All Cyber Attacks

SonicWall released the 2022 SonicWall Threat Mindset Survey which found that 66% of customers are more concerned about cyber attacks in 2022, with the main threat being focused on financially motivated attacks like ransomware.

“No one is safe from cyber attacks — businesses or individuals,” said SonicWall Executive Chairman of the Board Bill Conner. “Today’s business landscape requires persistent digital trust to exist. Supply-chain attacks have dramatically changed the attack surface of the typical enterprise in the past few years, with more suppliers and service providers touching sensitive data than ever before.

“It’s likely we’ll see continued acceleration and evolution of ransomware tactics, as well as other advanced persistent threats (APTs), as cyber crime continues to scale the globe seeking both valuable and weak targets.”

Companies are not only losing millions of dollars to unending malware and ransomware strikes, but cyber attacks on essential infrastructure are impacting real-world services. Despite the growing concern of cyber attacks, organisations are struggling to keep pace with the fast-moving threat landscape as they orient their business, networks, data and employees against unwavering cyber attacks.

“The evolving cyber threat landscape has made us train our staff significantly more,” said Stafford Fields, IT Director, Cavett Turner & Wyble. “It’s made us spend more on cyber security. And what scares me is that an end-user can click on something and bring all our systems down — despite being well protected.”

https://www.helpnetsecurity.com/2022/10/12/customers-concerned-ransomware/

• EDR Is Not a Silver Bullet

Old lore held that shooting a werewolf, vampire, or even just your average nasty villain with a silver bullet was a sure-fire takedown: one hit, no more bad guy.

As cyber security professionals, we understand – much like folks in the Old West knew – that there are no panaceas, no actual silver bullets. Yet humans gravitate towards simple solutions to complex challenges, and we are constantly (if unconsciously) seeking silver bullet technology.

Endpoint Detection and Response (EDR) tools have become Standard Operating Procedures for cyber security regimes. They are every CIO’s starting point, and there’s nothing wrong with this. In a recent study by Cymulate of over one million tests conducted by customers in 2021, the most popular testing vector was EDR.

Yet cyber security stakeholders should not assume that EDR is a silver bullet. The fact is that EDR’s efficacy and protective prowess as a standalone solution has been slowly diminished over the decade since the term was first coined by Gartner. Even as it became a mainstay of enterprise and SMB/SME security posture – attacks have skyrocketed in frequency, severity, and success. Today, EDR is facing some of its greatest challenges, including threats laser-targeting EDR systems like the highly-successful Grandoiero banking trojan.

While EDR should not be your only line of defence against advanced threats, including it in a defence solution array is paramount. It should be installed on all organisational servers – including Linux-based ones. Yet installation is not enough. Your organisation is at significant risk if the underlying OS and EDR are not both implemented and fine-tuned.

https://www.helpnetsecurity.com/2022/10/11/edr-is-not-a-silver-bullet/

• Attackers Use Automation to Speed from Exploit to Compromise

A report from Laceworks examines the cloud security threat landscape over the past three months and unveils the new techniques and avenues cyber criminals are exploiting for profit at the expense of businesses. In this latest edition, the Lacework Labs team found a significantly more sophisticated attacker landscape, with an increase in attacks against core networking and virtualisation software, and an unprecedented increase in the speed of attacks following a compromise. Key trends and threats identified include:

• Increased speed from exposure to compromise: Attackers are advancing to keep pace with cloud adoption and response time. Many classes of attacks are now fully automated to capitalise on timing. Additionally, one of the most common targets is credential leakage. In a specific example from the report, a leaked AWS access key was caught and flagged by AWS in record time. Despite the limited exposure, an unknown adversary was able to log in and launch tens of GPU EC2 instances, underscoring just how quickly attackers can take advantage of a single simple mistake.

• Increased focus on infrastructure, specifically attacks against core networking and virtualisation software: Commonly deployed core networking and related infrastructure consistently remains a key target for adversaries. Core flaws in infrastructure often appear suddenly and are shared openly online, creating opportunities for attackers of all kinds to exploit these potential targets.

• Continued Log4j reconnaissance and exploitation: Nearly a year after the initial exploit, the Lacework Labs team is still commonly observing vulnerable software targeted via OAST requests. Analysis of Project Discovery (interact.sh) activity revealed Cloudflare and DigitalOcean as the top originators.

https://www.darkreading.com/cloud/attackers-use-automation-to-speed-from-exploit-to-compromise-according-to-lacework-labs-cloud-threat-report

• Rising Premiums, More Restricted Cyber Insurance Coverage Poses Big Risk for Companies

Among the many consequences of the rising number of costly data breaches, ransomware, and other security attacks are pricier premiums for cyber security insurance. The rise in costs could put many organisations out of the running for this essential coverage, a risky proposition given the current threat landscape.

Cyber insurance is a type of specialty insurance that protects organisations against a variety of risks related to information security attacks such as ransomware and data breaches. Ordinarily, these types of risks aren’t included with traditional commercial general liability policies or are not specifically defined in these insurance plans.

Given the rise in attacks, the growing sophistication of these incidents and the potential financial impact, having cyber insurance coverage has become critical for many organisations. Premiums for these plans have been on the rise because of the increase in security-related losses and rising demand for coverage.

Cyber insurance premiums increased by an average of 28% in the first quarter of 2022 compared with the fourth quarter of 2021, according to the Council of Insurance Agents & Brokers (CIAB), an association for commercial insurance and employee benefits intermediaries.

Among the primary drivers for the continued price increases were a reduced carrier appetite for the risk and high demand for coverage, CIAB said. The high demand for cyber coverage is in part fueled by greater awareness among companies of the threat cyber risk poses for businesses of all sizes, it said.

https://www.cnbc.com/2022/10/11/companies-are-finding-it-harder-to-get-cyber-insurance-.html

• Why CISO Roles Require Business and Technology Savvy

Listening and communicating to both the technical and business sides is critical to successfully leading IT teams and business leaders to the same end-goal.

Of all the crazy postings that advertise for CISO jobs, the one asking for a CISO to code in Python was probably the most outrageous example of the disconnect about a CISO’s role, says Joe Head, CISO search director at UK-based search firm, Intaso. This was a few years ago, and one can only guess that the role had been created by a technologist who didn’t care about or didn’t understand the business — or, inversely by a businessperson who didn’t understand enough about technology.

In either case, the disconnect is real. However, Head and other experts say that when it comes to achieving the true, executive role and reporting to the CEO and board, business skills rule. That doesn’t mean, however, that most CISOs know nothing about technology, because most still start out with technology backgrounds.

In the 2022 CISO survey by executive placement firm, Heidrick & Struggles, most CISOs come from a functional IT background that reflects the issues of the time. For example, in 2022 10% of CISOs came from software engineering backgrounds, which tracks with the White House directive to protect the software supply chain. The report notes that the majority of CISOs have experience in the financial services industry, which has a low risk tolerance and where more money is spent on security.

The survey also indicates that only a small core of CISOs (working primarily for the Fortune 500) rise to the executive level with the combination of business and technical responsibilities that come with the role. In it, more than two-thirds of CISOs responding to the survey worked for companies worth over $5 billion. So, instead of bashing a CISO’s lack of IT skills, the real need lies in developing business skills for the technologists coming up the ranks.

https://www.csoonline.com/article/3675952/why-ciso-roles-require-business-and-technology-savvy.html#tk.rss_news

• Wi-Fi Spy Drones Used to Snoop on Financial Firm

Modified off-the-shelf drones have been found carrying wireless network-intrusion kit in a very unlikely place.

The idea of using consumer-oriented drones for hacking has been explored over the past decade at security conferences like Black Hat 2016, in both the US and in Europe, but now these sort of attacks are actually taking place. A security researcher recently recounted an incident that occurred over the summer at a US East Coast financial firm focused on private investment.

The hacking incident was discovered when the financial firm spotted unusual activity on its internal Atlassian Confluence page that originated from within the company's network. The company's security team responded and found that the user whose MAC address was used to gain partial access to the company Wi-Fi network was also logged in at home several miles away. That is to say, the user was active off-site but someone within Wi-Fi range of the building was trying to wirelessly use that user's MAC address, which is a red flag. The team then took steps to trace the Wi-Fi signal and used a Fluke system to identify the Wi-Fi device.

This led the team to the roof, where two modified commercially available consumer drones series were discovered. One drone was in fine condition and had a modified Wi-Fi Pineapple device, used for network penetration testing. The second drone was carrying a case that contained a Raspberry Pi, several batteries, a GPD mini laptop, a 4G modem, and another Wi-Fi device. It had landed near the building's heating and ventilation system and appeared to be damaged but still operable.

During their investigation, they determined that the first drone had originally been used a few days prior to intercept a worker's credentials and Wi-Fi, and this data was then hard coded into the tools that were deployed on the second drone.

https://www.theregister.com/2022/10/12/drone-roof-attack/

• Magniber Ransomware Attacking Individuals and Home Users

A recent analysis shows that Magniber ransomware has been targeting home users by masquerading as software updates.

Reports have shown a ransomware campaign isolated by HP Wolf Security in September 2022 saw Magniber ransomware spread. The malware is known as a single-client ransomware family that demands $2,500 from victims. Magniber was previously primarily spread through MSI and EXE files, but in September 2022 HP Wolf Security began seeing campaigns distributing the ransomware in JavaScript files.

HP Wolf Security reported that some malware families rely exclusively on JavaScript, but have done so for some time. Currently, analysts are also seeing more HTML smuggling, such as with Qakbot and IcedID. This technique also makes use of JavaScript to decode malicious content. The only difference is that the HTML file is executed in the context of the browser and therefore usually requires further user interaction.

Remarkably, HP Wolf Security said, the attackers used clever techniques to evade detection, such as running the ransomware in memory, bypassing User Account Control (UAC) in Windows, and bypassing detection techniques that monitor user-mode hooks by using syscalls instead of standard Windows API libraries.

It appears that with the UAC bypass, the malware deletes the infected system’s shadow copy files and disables backup and recovery features, preventing the victim from recovering their data using Windows tools.

Having recently described the ransomware campaign in a recent interview, HP Wolf noted that the infection chain starts with a web download from an attacker-controlled website.

https://www.itsecurityguru.org/2022/10/14/https-www-infosecurity-magazine-com-news-magniber-ransomware-adopts/

Threats

Ransomware and Extortion

• More and more ransomware is just data theft, no encryption • The Register

• Why paying the ransom is a mistake - Help Net Security

• Ransomware: Undeniably Top of Mind - MSSP Alert

• Black Basta Ransomware Gang Infiltrates Networks via QAKBOT, Brute Ratel, and Cobalt Strike (trendmicro.com)

• Magniber ransomware now infects Windows users via JavaScript files (bleepingcomputer.com)

• Fake adult sites push data wipers disguised as ransomware (bleepingcomputer.com)

• It was LockBit that forced NHS tech supplier to shut down • The Register

• Ransomware posing as Windows antivirus update will just empty your wallet | TechRadar

• Microsoft: New Prestige ransomware targets orgs in Ukraine, Poland (bleepingcomputer.com)

• BlackByte ransomware uses new EDR evasion technique (techtarget.com)

• Prevent Ransomware Attacks on Critical Infrastructure (trendmicro.com)

• Microsoft Exchange servers hacked to deploy LockBit ransomware (bleepingcomputer.com)

• Harvard Business Publishing licensee hit by ransomware - Security Affairs

• LockBit affiliates compromise Microsoft Exchange servers to deploy ransomware - Security Affairs

• Police tricks DeadBolt ransomware out of 155 decryption keys (bleepingcomputer.com)

Phishing & Email Based Attacks

• Caffeine service lets anyone launch Microsoft 365 phishing attacks (bleepingcomputer.com)

• Kaspersky Warns Of A New Wave Of Malicious Email Campaign, Spreading The (informationsecuritybuzz.com)

• A whole load of phishing emails make it past Microsoft Defender, researchers say | TechRadar

• Google Forms abused in new COVID-19 phishing wave in the U.S. (bleepingcomputer.com)

• US election workers hit with phishing, malware emails • The Register

• Cyber criminals are having it easy with phishing-as-a-service - Help Net Security

Other Social Engineering; Smishing, Vishing, etc

• BazarCall Call Back Phishing Attacks Constantly Evolving Its Social Engineering Tactics (thehackernews.com)

• Hackers Using Vishing to Trick Victims into Installing Android Banking Malware (thehackernews.com)

Malware

• How a Microsoft blunder opened millions of PCs to potent malware attacks | Ars Technica

• Banks face their 'darkest hour' as crimeware powers up • The Register

• Emotet Rises Again With More Sophistication, Evasion (darkreading.com)

• QAKBOT Attacks Spike Amid Concerning Cyber Criminal Collaborations (darkreading.com)

• Hackers behind IcedID malware attacks diversify delivery tactics (bleepingcomputer.com)

• Eternity threat group’s LilithBot: A criminal multitool • The Register

• New Report Uncovers Emotet's Delivery and Evasion Techniques Used in Recent Attacks (thehackernews.com)

• Here's another excellent reason not to browse adult websites at work | TechRadar

• Experts analysed the evolution of the Emotet supply chain - Security Affairs

• Mirai Botnet Targeted Wynncraft Minecraft Server, Cloudflare Reports - Infosecurity Magazine (infosecurity-magazine.com)

• New Report Uncovers Emotet's Delivery and Evasion Techniques Used in Recent Attacks (thehackernews.com)

Mobile

• Modified WhatsApp App Caught Infecting Android Devices with Malware (thehackernews.com)

• Meta uncovers 400 malicious apps on Android and iOS apps   | SC Media (scmagazine.com)

• ‘Zero-Click’ Spyware Emerges as a Menacing Mobile Threat - Bloomberg

• Mullvad: Android may leak information when connected to a VPN - gHacks Tech News

• Android Security Updates Patch Critical Vulnerabilities | SecurityWeek.Com

• Hackers Using Vishing to Trick Victims into Installing Android Banking Malware (thehackernews.com)

• Mystery iPhone update patches against iOS 16 mail crash-attack – Naked Security (sophos.com)

Internet of Things – IoT

• Smart buildings may be your cyber security downfall - Help Net Security

Data Breaches/Leaks

• Client data exfiltrated in Advanced NHS cyber attack (digitalhealth.net)

• Mormon Church data stolen in 'state-sponsored' cyber attack • The Register

• Singtel's Australian IT Firm Dialog Suffers Data Breach - Infosecurity Magazine (infosecurity-magazine.com)

• 2K Customer Data Stolen, Sold Online After Support Desk Scam (kotaku.com)

• Toyota discloses data leak after access key exposed on GitHub (bleepingcomputer.com)

• Fast Company says Executive Board member info was not stolen in attack (bleepingcomputer.com)

• State Bar of Georgia Confirms Data Breach Following Ransomware Attack | SecurityWeek.Com

• Singtel's second unit faces cyber attack weeks after Optus data breach | Reuters

• Zoetop pays $1.9m to settle customer data theft case • The Register

• CommonSpirit Health IT still suffering after cyber attack • The Register

• Over 80,000 DJI drone IDs exposed in data leak: Report (dronedj.com)

• High-Value Targets: String of Aussie Telco Breaches Continues (darkreading.com)

• Data of 380K patients compromised in hack of 13 anesthesia practices | SC Media (scmagazine.com)

• Australian police secret agents exposed in Colombian data leak (bleepingcomputer.com)

• 64,000 Additional Patients Impacted by Omnicell Data Breach - What is Your Data Breach Action Plan? (thehackernews.com)

• Toyota Reveals Data Leak of 300,000 Customers - Infosecurity Magazine (infosecurity-magazine.com)

• Intel Processor UEFI Source Code Leaked (darkreading.com)

Organised Crime & Criminal Actors

• INTERPOL arrests ‘Black Axe’ cyber crime syndicate members (bleepingcomputer.com)

• Caffeine Phishing-as-a-Service toolkit available in the underground - Security Affairs

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

• North Korea's Crypto Hackers Are Paving the Road to Nuclear Armageddon - CNET

• Fake Solana Phantom security updates push crypto-stealing malware (bleepingcomputer.com)

• 'Baby Al Capone' to pay $22m to SIM-swap crypto-heist victim • The Register

Fraud, Scams & Financial Crime

• A New Wave of PayPal Invoice Scams Using Crypto Disguise - Infosecurity Magazine (infosecurity-magazine.com)

• Alternative payment methods are creating new fraud risks - Help Net Security

• Prison inmate charged with $11m fraud via cell phone • The Register

• Mastercard moves to protect ‘risky and frisky’ transactions • The Register

Deepfakes

• DeepFakes Are The Cyber criminal Economy’s Latest Business Line - Security Affairs

AML/CFT/Sanctions

• GCHQ boss: China could use Digital Yuan to swerve sanctions • The Register

Insurance

• Australian insurer takes systems offline over possible hacking | Cybersecurity News | Al Jazeera

Dark Web

• Darkweb market BidenCash gives away 1.2 million credit cards for free (bleepingcomputer.com)

Software Supply Chain

• Novel npm Timing Attack Allows Corporate Targeting (darkreading.com)

Denial of Service DoS/DDoS

• The Nation State Threat — Philip Ingram Discusses DDoS and the Possibilities of Cyber War - IT Security Guru

• US airports' sites taken down in DDoS attacks by pro-Russian hackers (bleepingcomputer.com)

• Russian DDoS attack project pays contributors for more firepower (bleepingcomputer.com)

Cloud/SaaS

• Cloud Data Breaches Are Running Rampant. What Are the Common Characteristics? (darkreading.com)

Encryption

• Microsoft Office 365 uses insecure block ciphers • The Register

• Microsoft Office 365 email encryption could expose message content (bleepingcomputer.com)

Passwords, Credential Stuffing & Brute Force Attacks

• AI and Residual Finger Heat Could Be a Password Cracker's Latest Tools (darkreading.com)

Social Media

• Young people using TikTok is no problem, GCHQ chief says | TikTok | The Guardian

Training, Education and Awareness

• Phishing Simulations Do Not Give Users Enough Context As To Why They Are (informationsecuritybuzz.com)

• How to improve employees' cyber security behaviour - Help Net Security

Parental Controls and Child Safety

• Client-side scanning to detect child abuse material harmful • The Register

Cyber Bullying and Cyber Stalking

• Student jailed for hacking female classmates’ email, Snapchat accounts (bleepingcomputer.com)

Regulations, Fines and Legislation

• India set to extend deadline for verbose infosec reporting • The Register

Backup and Recovery

• Microsoft Teams: A channel for sensitive business information sharing that needs better backup - Help Net Security

Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine

• Vladimir Putin’s hybrid war has begun and the West must be ready | Evening Standard

• The Nation State Threat — Philip Ingram Discusses DDoS and the Possibilities of Cyber War - IT Security Guru

• Internet outages hit Ukraine following Russian missile strikes (bitdefender.com)

• Seven 'Creepy' Backdoors Used by Lebanese Cyberspy Group in Israel Attacks | SecurityWeek.Com

• Researchers Uncover Custom Backdoors and Spying Tools Used by Polonium Hackers (thehackernews.com)

• We must tackle Europe’s winter cyber threats head-on – POLITICO

• Starlink helped restore energy, communications infrastructure in parts of Ukraine - official | Reuters

• Researchers Detail Malicious Tools Used by Cyber Espionage Group Earth Aughisky (thehackernews.com)

• Ukraine Enhances Cooperation With EU Cybersecurity Agencies - Infosecurity Magazine (infosecurity-magazine.com)

• ‘Zero-Click’ Spyware Emerges as a Menacing Mobile Threat - Bloomberg

• SpaceX’s Starlink terminals in Ukraine back online after outages | Financial Times

Nation State Actors

Nation State Actors – Russia

• German Cyber security Chief Accused of Russian Contact Faces Sacking - IT Security Guru

• Russian DDoS attack project pays contributors for more firepower (bleepingcomputer.com)

• Extreme Networks admits sales to banned Russian arms maker • The Register

Nation State Actors – China

• UK Spy Chief to Warn of 'Huge' China Tech Threat | SecurityWeek.Com

• China’s attack motivations, tactics, and how CISOs can mitigate threats | CSO Online

• China will manipulate new tech for global influence, warns GCHQ boss | Metro News

• UK telcos legally required to remove Huawei equipment • The Register

• Chinese-linked hackers targeted U.S. state legislature, researchers say - CyberScoop

• New Chinese Malware Attack Framework Targets Windows, macOS, and Linux Systems (thehackernews.com)

• Feature-Rich 'Alchimist' Cyber attack Framework Targets Windows, Mac, Linux Environments (darkreading.com)

• China's cyber assault on Taiwan - 60 Minutes - CBS News

• UK to designate China a ‘threat’ in hawkish foreign policy shift | Foreign policy | The Guardian

• WIP19, a new Chinese APT targets IT Service Providers and Telcos - Security Affairs

• China-linked Budworm APT returns to target a US entity - Security Affairs

• We must tackle China’s satellite-busting technology, says GCHQ chief | News | The Times

• GCHQ boss: China could use Digital Yuan to swerve sanctions • The Register

• Young people using TikTok is no problem, GCHQ chief says | TikTok | The Guardian

Nation State Actors – North Korea

• North Korea's Crypto Hackers Are Paving the Road to Nuclear Armageddon - CNET

Nation State Actors – Misc

• Mormon Church data stolen in 'state-sponsored' cyber attack • The Register

Vulnerability Management

• Apple's Constant Battles Against Zero-Day Exploits (darkreading.com)

Vulnerabilities

• Concerns Over Fortinet Flaw Mount; PoC Released, Exploit Activity Grows (darkreading.com)

• Microsoft October 2022 Patch Tuesday fixes zero-day used in attacks, 84 flaws (bleepingcomputer.com)

• Microsoft Addresses Zero-Days, but Exchange Server Exploit Chain Remains Unpatched (darkreading.com)

• Auth bypass bug in FortiOS, FortiProxy is exploited in the wild (CVE-2022-40684) - Help Net Security

• Chrome 106 Update Patches Several High-Severity Vulnerabilities | SecurityWeek.Com

• Researchers Detail Windows Zero-Day Vulnerability Patched Last Month (thehackernews.com)

• SAP Patches Critical Vulnerabilities in Commerce, Manufacturing Execution Products | SecurityWeek.Com

• Almost 900 servers hacked using Zimbra zero-day flaw (bleepingcomputer.com)

• Patch Tuesday: Critical Flaws in ColdFusion, Adobe Commerce | SecurityWeek.Com

• Aruba fixes critical RCE and auth bypass flaws in EdgeConnect (bleepingcomputer.com)

• WordPress Vulnerability In Shortcodes Ultimate Impacts 700,000 Sites (searchenginejournal.com)

• Critical Open Source vm2 Sandbox Escape Bug Affects Millions (darkreading.com)

• VMware vCenter Server bug disclosed last year still not patched (bleepingcomputer.com)

Other News

• Board members should make CISOs their strategic partners - Help Net Security

• 5 Attack Elements Every Organisations Should Be Monitoring (darkreading.com)

• Ukraine’s Starlink problems show the dangers of digital dependency | Financial Times (ft.com)

• Here's 5 of the world's riskiest connected devices - Help Net Security

• 2FA is over. Long live 3FA! - Help Net Security

• White House to unveil ambitious cyber security labeling effort modeled after Energy Star - CyberScoop

• Older, Stored Data Is Cyber Security Risk, Report Warns - MSSP Alert

• What the Uber Breach Verdict Means for CISOs in the US (darkreading.com)

• Increasing network visibility is critical to improving security posture - Help Net Security

• What the Uber Hack can teach us about navigating IT Security (bleepingcomputer.com)

• Consumers want more transparency on how companies manage their data - Help Net Security

• Gaming Is Booming. That’s Catnip for Cyber criminals. - The New York Times (nytimes.com)

• 91% of Cyber Pros Experience Mental Health Challenges at Work - Infosecurity Magazine (infosecurity-magazine.com)

• Fear of cyber criminals drives cyber security improvements - Help Net Security

• The next Ford Mustang won’t be easy to tune; blame cyber security | Ars Technica

Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

·       Automotive

·       Construction

·       Critical National Infrastructure (CNI)

·       Defence & Space

·       Education & Academia

·       Energy & Utilities

·       Estate Agencies

·       Financial Services

·       FinTech

·       Food & Agriculture

·       Gaming & Gambling

·       Government & Public Sector (including Law Enforcement)

·       Health/Medical/Pharma

·       Hotels & Hospitality

·       Insurance

·       Legal

·       Manufacturing

·       Maritime

·       Oil, Gas & Mining

·       OT, ICS, IIoT, SCADA & Cyber-Physical Systems

·       Retail & eCommerce

·       Small and Medium Sized Businesses (SMBs)

·       Startups

·       Telecoms

·       Third Sector & Charities

·       Transport & Aviation

·       Web3

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

As Ukraine Tensions Rise, UK Organisations Should Protect Themselves From Cyber Threats

In a world that is so dependent on digital assets, cyber resilience is more important than ever. At the National Cyber Security Centre – a part of GCHQ – the mission is to make the UK the safest place to live and work online, but they have said they cannot do it alone. 

Now, at a time of heightened cyber threats, the NCSC is urging all organisations to follow their advice on the steps they should take to improve their resilience.

The UK is closer to the crisis in Ukraine than you might think. While 2,000-odd miles separate us physically from their borders with Russia, that distance is much shorter in cyber space – and attacks targeting Ukraine’s digital infrastructure could be felt here in Britain.

Cyber attacks do not respect geographic boundaries. On a daily basis, businesses in the UK are targeted by ransomware attacks from criminals overseas.

And as tensions have risen in Ukraine in recent weeks, authorities have already seen a number of cyber attacks occurring. On Friday evening, the UK government judged that the Russian Main Intelligence Directorate (GRU) was involved in last week’s distributed denial of service attacks against the financial sector in Ukraine.

If the situation continues to escalate, we could see cyber attacks that have international consequences, intentional or not. Rising tensions in the region, with the risk of overspill, are why the National Cyber Security Centre (NCSC) has said that the UK’s cyber risk has heightened in the last month, although there is no evidence of the UK being specifically targeted.

https://www.telegraph.co.uk/news/2022/02/19/uk-organisations-should-protect-now-unintended-consequences/

Small Businesses Facing Upwards of 11 Cyber Threats Per Day Per Device

BlackBerry's 2022 Threat Report highlights growing threats to SMBs, calls on government to make cyber security top priority

BlackBerry Limited has released the 2022 BlackBerry Annual Threat Report, highlighting a cybercriminal underground which it says has been optimised to better target local small businesses. Small businesses will continue to be an epicentre for cybercriminal focus as SMBs facing upward of 11 cyber threats per device per day, which only stands to accelerate as cybercriminals increasingly adopt collaborative mindsets.

The report also uncovered cyber breadcrumbs from some of last year’s most notorious ransomware attacks, suggesting some of the biggest culprits may have simply been outsourced labour.  In multiple incidents BlackBerry identified threat actors leaving behind playbook text files containing IP addresses and more, suggesting the authors of this year’s sophisticated ransomware are not the ones carrying out attacks. This highlights the growing shared economy within the cyber underground.

https://www.itsecurityguru.org/2022/02/15/small-businesses-facing-upwards-of-11-cyberthreats-per-day-per-device/

Microsoft Teams Targeted With Takeover Trojans

Threat actors are targeting Microsoft Teams users by planting malicious documents in chat threads that execute Trojans that ultimately can take over end-user machines, researchers have found.

Researchers began tracking the campaign in January, which drops malicious executable files in Teams conversations that, when clicked on, eventually take over the user’s computer, according to a report published Thursday.

Using an executable file, or a file that contains instructions for the system to execute, hackers can install DLL files and allow the program to self-administer and take control over the computer. By attaching the file to a Teams attack, hackers have found a new way to easily target millions of users.

Cyber criminals long have targeted Microsoft’s ubiquitous document-creation and sharing suite – the legacy Office and its cloud-based version, Office 365 – with attacks against individual apps in the suite such as PowerPoint as well as business email compromise and other scams.

Now Microsoft Teams – a business communication and collaboration suite – is emerging as an increasingly popular attack surface for cybercriminals.

https://threatpost.com/microsoft-teams-targeted-takeover-trojans/178497/

The European Central Bank is Warning Banks of Possible Russia-Linked Cyber Attack Amid the Rising Crisis With Ukraine

The European Central Bank is warning banks of possible Russia-linked cyber attack amid the rising crisis with Ukraine and is inviting them to step up defences.

The news was reported by Reuters, citing two unnamed sources. The ECB pointed out that addressing cyber security is a top priority for the European agency.

“The European Central Bank is telling euro zone banks zone to step up their defences against cyber attacks, also in the context of geopolitical tensions such as the stand-off between Russia and Ukraine, the ECB’s top supervisor said on Thursday.” reported Reuters.

ECB warned that the rising risk from cyber attacks begun in 2020.

https://securityaffairs.co/wordpress/128004/breaking-news/european-central-bank-warns-russia-cyberattacks.html

Companies Face Soaring Prices For Cyber Insurance

The cost of cyber insurance has risen steeply over the past year. According to Marsh, the price of cover in the US grew by 130 per cent in the fourth quarter of 2021 alone, while in the UK it grew by 92 per cent. That has increased pressure on companies who are facing cost inflation in other parts of their business.

The steep hikes in the cost of cyber insurance come against a backdrop of rising prices more broadly. According to Marsh, commercial insurance prices rose 13 per cent in the final quarter of 2021.

The hardening market from reduced capacity allied with increasing cyber fraud are potent forces. Pricing becomes more challenging, reinsurance appetite reduced whilst costs increasing and fraudsters have as much access to the latest technologies as do enterprises, the government sector and the insurance industry.

There may be limits to what insurers can cover. Speaking to the Financial Times last week the chief executive of Zurich said: “A connected economy offers lots of opportunities for cyber attacks.” A major cyber risk, he added, “is something only governments can manage”.

Companies will have to do more themselves to fight cyber fraud with technology partners. Meanwhile brokers and insurers must review underwriting data and practices and government raise effectiveness at prosecuting criminals.

https://www.ft.com/content/60ddc050-a846-461a-aa10-5aaabf6b35a5

Even When Warned, Businesses Ignore Critical Vulnerabilities And Hope For The Best

A Bulletproof research found the extent to which businesses are leaving themselves open to cyber attack. When tested, 28% of businesses had critical vulnerabilities – vulnerabilities that could be immediately exploited by cyber attacks.

A quarter of businesses neglected to fix those critical vulnerabilities, even though penetration testing had highlighted them to the business after a retest was completed.

The research analyzed data from over 3,800 days’ worth of penetration testing services. These tests are a means of identifying vulnerabilities within an organisation’s security systems by simulating how malicious actors would seek to exploit such shortcomings.

https://www.helpnetsecurity.com/2022/02/18/businesses-critical-vulnerabilities/

Ransomware-Related Data Leaks Nearly Doubled in 2021: Report

There was a significant increase in ransomware-related data leaks and interactive intrusions in 2021, according to the 2022 Global Threat Report released on Tuesday by endpoint security firm CrowdStrike.

The number of ransomware attacks that led to data leaks increased from 1,474 in 2020 to 2,686 in 2021, which represents an 82% increase. The sectors most impacted by data leaks in 2021 were industrial and engineering, manufacturing, and technology.

The growth and impact of big game hunting in 2021 was a palpable force felt across all sectors and in nearly every region of the world. Although some adversaries and ransomware ceased operations in 2021, the overall number of operating ransomware families increased,” CrowdStrike said in its report.

https://www.securityweek.com/ransomware-related-data-leaks-nearly-doubled-2021-report

Online Fraud Skyrocketing: Gaming, Streaming, Social Media, Travel and Ecommerce Hit the Most

An Arkose Labs report is warning UK commerce that it faces its most challenging year ever. Experts analyzed over 150 billion transaction requests across 254 countries and territories in 2021 over 12 months to discover that there has been an 85% increase in login attacks and fake consumer account creation at businesses.

Alongside this, it identified that one in four new online accounts created were fake. A further 21% of all traffic was confirmed as a fraudulent cyber attack.

From the earliest days of online information to the rapid evolution of today’s metaverses, the internet has come a long way. However, this latest data shows that it is more under attack than ever before.

Your digital identity is a currency for fraudsters and wherever there is online commerce, cyber criminals are quick to identify vulnerabilities.

https://www.helpnetsecurity.com/2022/02/14/fake-consumer-account/

Poor Security Hygiene Organisations and Ransomware Attacks: Painful Math

Poor cyber security hygiene is widely considered to be a major influencing factor for exposure to a ransomware attack. But is that an accurate assessment?

In a new study, RiskRecon, a security best practices specialist, investigated 600+ cyber hijacks to determine if companies victimized by a “detonation” had poor cyber security hygiene at the time and which factors, such as web encryption, application security and email security, are key gaps in coverage.

The answer: Cyber security hygiene does in fact play a large role in an organisation’s vulnerability to a ransomware attack. RiskRecon analyzed the cyber security hygiene on the day of ransomware incident for 622 organisations spanning 633 ransomware events occurring between 2017 and 2021. Based on a comparison population of cyber security ratings and assessments of some 100,000 entities, companies that have very poor cyber security hygiene in their internet-facing systems (a ‘D’ or ‘F’ RiskRecon rating) have about a 40 times higher rate of destructive ransomware events as compared to those with clean cyber security hygiene. Only .03 percent of ‘A-rated’ companies were victims of a destructive ransomware attack, compared with 1.08 percent of ‘D-rated’ and 0.91 percent of ‘F-rated’ companies.

The cyber security conditions underlying the RiskRecon rating reveal just how poor the cyber security hygiene is of companies, on average, that fall victim to a material system-encrypting ransomware attack. For example, ransomware victims have an average of 11 material software vulnerabilities in their internet-facing systems, in comparison with only one issue in the general population. Looking at network services that criminals commonly exploit, ransomware victims expose 3.3 times more unsafe network services to the internet than the general population.

https://www.msspalert.com/cybersecurity-research/poor-security-hygiene-organisations-and-ransomware-attacks-painful-math/

Security Teams Expect Attackers to Go After End Users First

Phishing, malware, and ransomware have spurred organisations to increase their investments in endpoint security, according to Dark Reading’s Endpoint Security Survey.

The shift to a more distributed work environment and an increase in digital transformation initiatives have motivated organisations to bolster their endpoint security defences. However, end users continue to be a major source of worry for IT and security decision-makers, according to the latest Dark Reading survey.

Phishing, malware, and ransomware pose major threats to organisations, as do attacks involving credential theft. An overwhelming 93% of IT and security professionals in Dark Reading’s "2022 Endpoint Security Survey" cite the growing number of ransomware attacks as the reason behind increased investments in endpoint security. Similarly, 83% say the increase in attacks using end-user credentials spurred their endpoint investments.

End users pose one of the biggest threats to the organisation, as 87% expect that if attackers wanted to steal the organisation’s data, they would begin by targeting a single end user.

Concerns about the end user are not new. Verizon’s "2021 Data Breach Investigations Report" found that 85% of the breaches it investigated in 2020 involved end users in some way – such as stolen account credentials, incorrectly assigned privileges or elevated privileges, social engineering, and user error.

https://www.darkreading.com/edge-threat-monitor/end-users-remain-one-of-the-biggest-headaches-in-it-security

US Warns of Imminent Russian Invasion of Ukraine With Tanks, Jet Fighters, Cyber Attacks

President Biden said Friday he is convinced Russian President Vladimir Putin has decided to invade Ukraine and that he expects an attack in the coming days, with targets including the Ukrainian capital, Kyiv.

US officials said a Russian attack could involve a broad combination of jet fighters, tanks, ballistic missiles and cyberattacks, with the ultimate intention of rendering Ukraine’s leadership powerless.

The officials said Mr. Putin has laid the groundwork in recent days through a series of destabilizing activities and false-flag operations, long predicted by U.S. and allied officials and intended to make it look as if Ukraine has provoked Russia into a conflict, thus justifying the Russian invasion.

https://www.wsj.com/articles/ukraine-troops-told-to-exercise-restraint-to-avoid-provoking-russian-invasion-11645185631

TrickBot Malware Targeted Customers of 60 High-Profile Companies Since 2020

The notorious TrickBot malware is targeting customers of 60 financial and technology companies, including cryptocurrency firms, primarily located in the U.S., even as its operators have updated the botnet with new anti-analysis features.

TrickBot is a sophisticated and versatile malware with more than 20 modules that can be downloaded and executed on demand.

In addition to being both prevalent and persistent, TrickBot has continually evolved its tactics to go past security and detection layers. To that end, the malware's "injectDll" web-injects module, which is responsible for stealing banking and credential data, leverages anti-deobfuscation techniques to crash the web page and thwart attempts to scrutinize the source code.

Also put in place are anti-analysis guardrails to prevent security researchers from sending automated requests to command-and-control (C2) servers to retrieve fresh web injects.

https://thehackernews.com/2022/02/trickbot-malware-targeted-customers-of.html

Threats

Ransomware

• Ransomware’s Savage Reign Continues As Attacks Increase 105% - Help Net Security

• SonicWall CEO on ransomware: Every good vendor was hit in past 2 years - The Register

• Are You Prepared for 2022's More Destructive Ransomware? | SecurityWeek.Com

• CISA Advisory Cautions MSPs: Beware More Ransomware Attacks - MSSP Alert

• Conti Ransomware Gang Takes Over Trickbot Malware Operation (bleepingcomputer.com)

• Ransomware Gangs Are Changing Their Tactics. That Could Prove Very Expensive For Some Victims | ZDNet

• FBI Eyes Ransomware Profits With New Cryptocurrency Crimes Unit | TechCrunch

• FBI Warns BlackByte Ransomware Is Targeting US Critical Infrastructure | TechCrunch

• Ransomware Is A Clear And Present Danger. So Why Rely On Legacy DR To Recover From It? • The Register

BEC – Business Email Compromise

• FBI Warns of BEC Scams Abusing Virtual Meeting Platforms | SecurityWeek.Com

Phishing & Email

• LinkedIn Phishing Attacks Up 232% | Phishing | Egress

• Half Of All Emails In 2021 Were Spam- IT Security Guru

• Microsoft Warns of 'Ice Phishing' Threat on Web3 and Decentralized Networks (thehackernews.com)

Malware

• Emotet Now Spreading Through Malicious Excel Files | Threatpost

• A Modern Ninja: Evasive Trickbot Attacks Customers of 60 High-Profile Companies - Check Point Research

• PseudoManuscrypt Malware Spreading the Same Way as CryptBot Targets Koreans (thehackernews.com)

• Baby Golang-Based Botnet Already Pulling in $3K/Month for Operators | Threatpost

• 25 Years On, Microsoft Makes Another Stab At Stopping Macro Malware • Graham Cluley

• Three-Fifths of Cyber-Attacks in 2021 Were Malware-Free - Infosecurity Magazine

Data Breaches/Leaks

• Millions of Internet Society Personal Files Exposed In Data Leak | Laptop Mag

Organised Crime & Criminal Actors

• 74% of Ransomware Revenue Goes to Russia-Linked Hackers - BBC News

• Interpol Must Change With Cyber Crime, Says Director • The Register

• Attackers Hone Their Playbooks, Become More Agile (darkreading.com)

• Cyber Criminals Have Changed Tactics (darkreading.com)

Cryptocurrency/Cryptomining/Cryptojacking

• ‘Heist Of The Century’: US Bitcoin Case Tests Ability To Crack Down On Cyber Crime | Law (US) | The Guardian

• SIM-Swapping Attacks, Many Aimed at Crypto Accounts, Are on the Rise - WSJ

• FBI Says Crypto Payments Are a 'Huge Challenge' Amid Rise in Ransomware Attacks - Decrypt

Insider Risk and Insider Threats

• The Rise Of The Super Malicious Insider: Yes, We Need To Worry - Help Net Security

• Finance Officer Jailed After Stealing £200,000 from Charity - Infosecurity Magazine

• Ex IT Tech Jailed For Wiping School Network During Lockdown • The Register

Fraud, Scams & Financial Crime

• Barclays: Scams Surged in Final Quarter of 2021 - Infosecurity Magazine

• Fraud and Scam Activity Hits All-Time High - Help Net Security

• Soaring Losses Accelerate Investments In Anti-Fraud Tech - Help Net Security

• Threat Actors Still Love a Romance Scam - Infosecurity Magazine

• Singapore Introduces Strong Measures To Stop Online Scams • The Register

• 7 Tips for How To Spot a Scammer and Protect Yourself | Well+Good

DoS/DDoS

• Ukraine Defence and Bank Networks DDoS-ed - Infosecurity Magazine

• Carpet Bombing Attacks on the Rise - Infosecurity Magazine

Nation State Actors

• Russia’s Offensive Cyber Actions Should Be A Cause For Concern For CISOs | CSO Online

• Russia Stole US Defense Data From IT Systems, Says CISA • The Register

• Cyber Security: These Countries Are The New Hacking Threats To Fear As Offensive Campaigns Escalate | ZDNet

• Researchers Link ShadowPad Malware Attacks to Chinese Ministry and PLA (thehackernews.com)

• Chinese MI6 Informant Gave Information To MPs About Huawei Threat | Huawei | The Guardian

• Red Cross Attributes Server Breach To Nation-State Actor - CyberScoop

• Iranian Hackers Targeting VMware Horizon Log4j Flaws to Deploy Ransomware (thehackernews.com)

Cloud

• Report: 63% of IT Pros Say Cyber Threats Are Top Obstacle To Cloud Adoption Strategy | VentureBeat

• EU Watchdog To Probe Public Sector's Love Affair With Cloud • The Register

Privacy

• Facebook Agrees to Pay $90 Million to Settle Decade-Old Privacy Violation Case (thehackernews.com)

Spyware, Espionage & Cyber Warfare

• How a Russia Cyber Attack On The UK Would Target Online Shopping, Card Payments And NHS Records (inews.co.uk)

• The Conflict In Ukraine Proves Cyber-Attacks Are Now Weapons Of War (thenextweb.com)

• Cyber, War and Ukraine: What Does Recent History Teach Us To Expect? | Science & Tech News | Sky News

• Cyber Warfare In Ukraine Poses A Threat To The Global System | Financial Times (ft.com)

• EU Data Protection Watchdog Calls for Ban on Pegasus-like Commercial Spyware (thehackernews.com)

• More Polish Opposition Figures Found To Have Been Targeted By Pegasus Spyware | Poland | The Guardian

• Using Mobile Networks For Cyber Attacks As Part Of A Warfare Strategy - Help Net Security

• Moses Staff Hackers Targeting Israeli Organisations for Cyber Espionage (thehackernews.com)

Vulnerabilities

• Squirrelwaffle, Microsoft Exchange Server Vulnerabilities Exploited For Financial Fraud | ZDNet

• Attackers Can Crash Cisco Email Security Appliances by Sending Malicious Emails (thehackernews.com)

• New Chrome 0-Day Bug Under Active Attack – Update Your Browser ASAP! (thehackernews.com)

• Multiple Vulnerabilities Put 40 Million Ubuntu Users At Risk | TechRadar

• Critical Flaw Uncovered in WordPress Backup Plugin Used by Over 3 Million Sites (thehackernews.com)

• High-Severity Vulnerability Found in Apache Database System Used by Major Firms | SecurityWeek.Com

• VMware Fixes Holes That Could Allow Virtual Machine Escapes – Naked Security (sophos.com)

• Another Critical RCE Discovered in Adobe Commerce and Magento Platforms (thehackernews.com)

• T2 Mac Security Vulnerability: Passwords Can Now Be Cracked - 9to5Mac

Sector Specific

Financial Services Sector

• Open Banking Innovation: A Race Between Developers And Cyber Criminals - Help Net Security

• Canada's Major Banks Go Offline In Mysterious Hours-Long Outage (bleepingcomputer.com)

Defence

• US Says Russian State Hackers Lurked In Defense Contractor Networks For Months | Ars Technica

Transport and Aviation

• Warning Over Mysterious Hackers That Have Been Targeting Aerospace And Defence Industries For Years | ZDNet

• Unskilled Hacker Linked To Years Of Attacks On Aviation, Transport Sectors (bleepingcomputer.com)

Energy & Utilities

• Energy, Oil And Utility Sector Most Likely To Pay Ransoms - Help Net Security

Reports Published in the Last Week

• 2022 Global Threat Report: A Year of Adaptability and Perseverance (crowdstrike.com)

• Threat Intelligence Report 2022: Cyber Security Priorities - Truesec

• The Year of Living Dangerously: Details from the BlackBerry 2022 Threat Report

Other News

• Over 28,000 Vulnerabilities Disclosed in 2021: Report | SecurityWeek.Com

• Web Application Firewalls (WAFs) Can't Give Organisations The Security They Need - Help Net Security

• How Challenging Is Corporate Data Protection? - Help Net Security

• Local Authority Sets Aside £380k for Cyber-Attack Recovery - Infosecurity Magazine

• Traditional MFA Is Creating A False Sense Of Security - Help Net Security

• Massive LinkedIn Phishing, Bot Attacks Feed on the Job-Hungry | Threatpost

• Be Flexible About Where People Work — But Not on Data Privacy (darkreading.com)

• Researchers Block “Largest Ever” Bot Attack - Infosecurity Magazine

• BadUSB: The Cyber Threat That Gets You To Plug It In – CloudSavvy IT

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.