Threat Intelligence Blog
Contact us to discuss any insights from our Blog, and how we can support you in a tailored threat intelligence report.
Black Arrow Cyber Advisory 12 October 2023 – Microsoft Patch Tuesday, Adobe and Chrome Updates Summary.
Black Arrow Cyber Advisory 12 October 2023 – Microsoft Patch Tuesday, Adobe and Chrome Security Updates Summary
Executive summary
Microsoft’s October 2023 Patch Tuesday provides updates to address 103 security issues across its product range, including two actively exploited zero-day vulnerabilities (CVE-2023-36563 and CVE-2023-41763). One of the exploited zero-day vulnerabilities is a privilege escalation vulnerability in skype. The other is an information disclosure vulnerability in Microsoft WordPad that can result in disclosure of NTLM hashes. Also among the updates provided by Microsoft were 13 critical vulnerabilities.
In addition to the Microsoft updates this week also saw Adobe fix 13 vulnerabilities across various products, with a vulnerability in Adobe Reader under active exploitation, and Google addressing 20 vulnerabilities in Chrome.
What’s the risk to me or my business?
The actively exploited vulnerabilities could allow an attacker with access, to elevate privileges or capture the hashes of user passwords to gain access to that users accounts. Both compromise the confidentiality, integrity and availability of data stored by an organisation.
What can I do?
Security updates are available for all supported versions of Windows impacted. The updates should be applied as soon as possible for the actively exploited vulnerability and all other vulnerabilities that have a critical severity rating.
Technical Summary
CVE-2023-36563: If exploited the vulnerability disclosures of information in Microsoft WordPad that could result in leak in NTLM hashes.
CVE-2023-41763: If actively exploited it allows for an attacker to escalate privileges in Skype that could lead to the exposure of sensitive information, such as IP addresses, port numbers and enabling an attacker to gain access to internal networks.
Adobe
This month, Adobe released fixes for 13 vulnerabilities, of which 8 were rated critical across Adobe Bridge (2), Commerce (10) and Photoshop (1). Adobe have stated a vulnerability in Adobe Reader is under active exploitation. The vulnerabilities include remote code execution, memory leak, privilege escalation and security bypass.
Chrome
An update for Google Chrome which patches 20 vulnerabilities, with the most severe allowing for arbitrary code execution to be performed by a malicious attacker. Depending on the privileges associated with the user an attacker could then install programs; view, delete or modify the data; or create new accounts with full user rights. Users whose accounts have fewer user rights could be less impacted than those who operate with administrative user rights. While there are currently no reports of these vulnerabilities being exploited in the wild, it is advised to update to the latest version as soon as possible.
further details on other specific updates within this patch Tuesday can be found here:
https://msrc.microsoft.com/update-guide/releaseNote/2023-Oct
Further details about CVE-2023-36563 can be found here:
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-36563
Further details about CVE-2023-41763 can be found here:
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-41763
Further details of the vulnerabilities addressed in Adobe Bridge can be found here:
https://helpx.adobe.com/security/products/bridge/apsb23-49.html
Further details of the vulnerabilities addressed in Adobe Commerce can be found here:
https://helpx.adobe.com/security/products/magento/apsb23-50.html
Further details of the vulnerabilities addressed in Adobe Photoshop can be found here:
https://helpx.adobe.com/security/products/photoshop/apsb23-51.html
Further details of the vulnerabilities addressed in Chrome can be found here:
https://chromereleases.googleblog.com/2023/10/stable-channel-update-for-desktop_10.html
Need help understanding your gaps, or just want some advice? Get in touch with us.
#threatadvisory #threatintelligence #cybersecurity
Black Arrow Cyber Threat Briefing 15 April 2022
Black Arrow Cyber Threat Briefing 15 April 2022:
-Cyber Security Is Getting Harder: More Threats, More Complexity, Fewer People
-Terrible Cloud Security Is Leaving the Door Open for Hackers. Here's What You're Doing Wrong
-More Organisations Are Paying the Ransom. Why?
-Cyber Attack Puts City Firms on High Alert To Bolster Defences
-More Than 60% of Organisations Suffered a Breach in the Past 12 Months
-Account Takeover Poised to Surpass Malware as The No. 1 Security Concern
-Security Research Reveals 42% Rise In New Ransomware Programs In 2021
-Fraudsters Stole £58m with Remote Access Trojans (RATs) in 2021
-As State-Backed Cyber Threats Grow, Here's How the World Is Reacting
-Q1 Reported Data Compromises Up 14% Over 2021
-Europol Announces Operation to Hit Russian Sanctions-Evaders
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
Cyber Security Is Getting Harder: More Threats, More Complexity, Fewer People
Splunk and Enterprise Strategy Group released a global research report that examines the security issues facing the modern enterprise. More than 1,200 security leaders participated in the survey, revealing they’ve seen an increase in cyber attacks while their teams are facing widening talent gaps.
According to the report, 65% of respondents say they have seen an increase in attempted cyber attacks. In addition, many have been directly impacted by data breaches and costly ransomware attacks, which have left security teams exhausted:
· 49% of organisations say they have suffered a data breach over the past two years, an increase from 39% a year earlier.
· 79% of respondents say they’ve encountered ransomware attacks, and 35% admit that one or more of those attacks led them to lose access to data and systems.
· 59% of security teams say they had to devote significant time and resources to remediation, an increase from 42% a year ago.
· 54% of respondents report that their business-critical applications have suffered from unplanned outages related to cyber security incidents on at least a monthly basis, with a median of 12 outages per year. The median time to recover from unplanned downtime tied to cyber security incidents is 14 hours. Respondents estimated the cost of this downtime averaged about $200,000 per hour.
· 64% of security professionals have stated that it’s challenging to keep up with new security requirements, up from 49% a year ago.
https://www.helpnetsecurity.com/2022/04/13/modern-enterprise-security-issues/
Terrible Cloud Security Is Leaving the Door Open for Hackers. Here's What You're Doing Wrong
A rise in hybrid work and a shift to cloud platforms has changed how businesses operate - but it's also leaving them vulnerable to cyber attacks.
Cloud applications and services are a prime target for hackers because poor cyber security management and misconfigured services are leaving them exposed to the internet and vulnerable to simple cyber attacks.
Analysis of identity and access management (IAM) polices taking into account hundreds of thousands of users in 18,000 cloud environments across 200 organisations by cyber security researchers at Palo Alto Networks found that cloud accounts and services are leaving open doors for cyber criminals to exploit – and putting businesses and users at risk.
The global pandemic pushed organisations and employees towards new ways of remote and hybrid working, with the aid of cloud services and applications. While beneficial to businesses and employees, it also created additional cyber security risks – and malicious hackers know this.
More Organisations Are Paying the Ransom. Why?
Most organisations (71%) have been hit by ransomware in 2021, and most of those (63%) opted for paying the requested ransom, the 2022 Cyberthreat Defense Report (CDR) by the CyberEdge Group has shown.
The research company says that possible explanations for the steady yearly rise of the percentage of organisations that decided to pay the ransom may include: the threat of exposing exfiltrated data, increased confidence for data recovery, and the fact that many organisations find that paying a ransom is significantly less costly than system downtime, customer disruption, and potential lawsuits.
“72% of ransom-paying victims recovered their data [in 2021], up from 49% in 2017. This increased confidence for successful data recovery is often factored into the ransom-paying decision,” the company noted.
Similarly, BakerHostatler’s 2022 Data Security Incident Response Report says that in ransomware incidents the US-based law firm was called in to manage in 2021, ransomware groups provided decryptors and stuck to their promise to not publish stolen data 97% of the time.
https://www.helpnetsecurity.com/2022/04/11/organizations-paying-ransom/
Cyber Attack Puts City Firms on High Alert to Bolster Defences
Experts warn a combination of 'ignorance and arrogance' makes City executives vulnerable to attacks.
City firms on high alert for cyber attacks were sent a clear warning recently, bolstering concerns of the potential for breaches from Russia.
Ince Group, the London-listed law firm, last month fell prey to hackers who infiltrated its computer systems and stole confidential data. The company's security systems detected the intrusion on March 13, prompting the IT team to shut down servers to try and prevent widespread damage.
But soon after, the hackers demanded a ransom for stolen data and threatened to publish it on the dark web if Ince Group, which has clients in the shipping, energy and healthcare sectors, didn't pay up.
The incident has intensified worries of possible breaches after warnings that City firms could be targeted by Russian hackers following Putin’s invasion of Ukraine.
Julia O'Toole, chief executive of MyCena Security Solutions, says executives should be "very concerned" about any news of a cyber attack at a rival company.
More Than 60% of Organisations Suffered a Breach in the Past 12 Months
Firms focus too narrowly on external attackers when it's insiders, third parties, and stolen assets that cause many breaches, new study shows.
The majority of companies — 63% — have suffered at least one breach in the past 12 months. The global average breach cost $2.4 million — a price tag that increases to $3.0 million for companies unprepared to respond to compromises.
The new data from Forrester Research, released on April 8 in a report titled "The 2021 State Of Enterprise Breaches," found that the number of breaches and the cost of breaches varied widely depending on the geographic location of the business and to what degree the organisation is prepared to respond to breaches. Companies in North America had the largest disparity between the haves and have-nots: While the average organisation required 38 days to find, eradicate, and recover from a breach, companies that failed to adequately prepare for security challenges took 62 days.
The difference in response resulted in a large difference in cost as well, with the average North American company paying $3.0 million to recover from a breach, a bill that rises to $4.0 million if the company suffered from a lack of incident-response preparation.
"The misalignment between the expectation and the reality of breaches has become very important," says Allie Mellen, an analyst with Forrester's Security and Risk group. "On a global scale, there is a big disparity of about $600,000 between those who are prepared to respond to a breach and those who are not."
Account Takeover Poised to Surpass Malware as The No. 1 Security Concern
As most researchers and financial executives can attest, virtually all types of fraud have dramatically risen over the past two years. However, attackers taking over legitimate financial accounts have become even more of a favourite with cyber criminals than most fraud schemes.
Many major recent research reports have pointed out that account takeover (ATO), a form of identity theft where bad actors access legitimate bank accounts, change the account information and passwords, and hijack a real customer’s account, has skyrocketed since last year. According to Javelin Research’s annual "Identity Fraud Study: The Virtual Battleground" report, account takeover increased by 90% to an estimated $11.4 billion in 2021 when compared with 2020 — representing roughly one-quarter of all identity fraud losses last year.
Like many types of financial fraud, cyber thieves are betting on the fact that if they attempt to seize a large number of legitimate accounts, eventually they will get a payoff.
Account takeovers are a numbers game, the more accounts that an organisation has, the bigger their risk that some of them will be compromised.
Account takeovers often piggyback off of previous attacks, making these crimes a way for hackers to make the most out of stolen information. Diskin pointed out that account takeovers most commonly happen when a password is “taken from another data leak and reused for different accounts. But there are a variety of risky scenarios that can lead to compromise.”
Security Research Reveals 42% Rise in New Ransomware Programs In 2021
Critical infrastructure in the crosshairs: operational technology vulnerabilities jump 88% .
Threat intelligence analysts at Skybox Research Lab uncovered a 42% increase in new ransomware programs targeting known vulnerabilities in 2021. The Silicon Valley cyber security company released its annual 2022 Vulnerability and Threat Trends Report, revealing how quickly cyber criminals capitalise on new security weaknesses – shrinking the window that organisations have to remediate vulnerabilities ahead of an attack.
With 20,175 new vulnerabilities published in 2021, Skybox Research Lab witnessed the most vulnerabilities ever reported in a single year. And these new vulnerabilities are just the tip of the iceberg. The total number of vulnerabilities published over the last 10 years reached 166,938 in 2021 — a three-fold increase over a decade. These cumulative vulnerabilities, piling up year after year, represent an enormous aggregate risk, and they’ve left organisations struggling with a mountain of cyber security debt. As the US Cybersecurity and Infrastructure Security Agency (CISA) highlights in its Top Routinely Exploited Vulnerabilities list, threat actors are routinely exploiting publicly disclosed vulnerabilities from years past.
The sheer volume of accumulated risks — hundreds of thousands or even millions of vulnerability instances within organisations — means they can’t possibly patch all of them. To prevent cyber security incidents, it is critical to prioritise exposed vulnerabilities that could cause the most significant disruption, then, apply appropriate remediation options including configuration changes or network segmentation to eliminate risk, even before patches are applied or in cases where patches aren’t available.
Fraudsters Stole £58m with Remote Access Trojans (RATs) in 2021
2021 saw victims of Remote Access Tool (RAT) scams lose £58m in 2021, official UK police figures show.
RAT scams involve scammers taking control of a victim’s device, typically in order to access bank accounts.
Some 20,144 victims fell for this type of scam in 2021, averaging around £2800 stolen per incident.
Typically, RAT attacks begin with a victim being inundated with pop-ups claiming there is a problem with the computer. Users are often then asked to call a “hotline” number, when a scammer will persuade them to download a RAT.
RAT scams are often compared to the classic “tech support” scams. Modern RAT scams are typically more devious, however, with scammers often cold-calling their victims pretending to work for their bank and claiming that they need computer access to investigate a fraudulent transaction.
https://www.itsecurityguru.org/2022/04/11/fraudsters-stole-58m-with-rats-in-2021/
As State-Backed Cyber Threats Grow, Here's How the World Is Reacting
With the ongoing conflict in Eurasia, cyber warfare is inevitably making its presence felt. The fight is not only being fought on the fields. There is also a big battle happening in cyberspace. Several cyber-attacks have been reported over the past months.
Notably, cyber attacks backed by state actors are becoming prominent. There have been reports of a rise of ransomware and other malware attacks such as Cyclops Blink, HermeticWiper, and BlackCat. These target businesses as well as government institutions and nonprofit organisations. There have been cases of several attempts to shut down online communications and IT infrastructure.
The ongoing list of significant cyber incidents curated by the Center for Strategic and International Studies (CSIS) shows that the number of major incidents in January 2022 is 100% higher compared to the same period in the previous year. With the recent activities in cyberspace impacted by the emergence of the geopolitical tumult in February, it is not going to be surprising to see an even more dramatic rise in the number of significant incidents.
https://thehackernews.com/2022/04/as-state-backed-cyber-threats-grow.html
Q1 Reported Data Compromises Up 14% Over 2021
The Identity Theft Resource Center published a First Quarter 2022 Data Breach Analysis which found that Q1 of 2022 began with the highest number of publicly reported data compromises in the past three years.
Publicly reported data compromises totalled 404 through March 31, 2022, a 14 percent increase compared to Q1 2021.
This is the third consecutive year when the number of total data compromises increased compared to Q1 of the previous year. It also represents the highest number of Q1 data compromises since 2020.
https://informationsecuritybuzz.com/expert-comments/q1-reported-data-compromises-up-14-over-2021/
Europol Announces Operation to Hit Russian Sanctions-Evaders
European police have announced a major new operation designed to crack down on Russian oligarchs and businesses looking to circumvent sanctions.
Operation Oscar will run for at least a year as an umbrella initiative that will feature many separate investigations, Europol explained.
The policing organisation’s European Financial and Economic Crime Centre will work to exchange information and intelligence with partners and provide operational support in financial crime investigations.
A key focus appears to be on illicit flows of money, which Russian individuals and entities will be trying to move around the region in order to bypass sanctions imposed since President Putin’s invasion of Ukraine.
“Europol will centralise and analyse all information contributed under this operation to identify international links, criminal groups and suspects, as well as new criminal trends and patterns,” Europol said.
“Europol will further provide tailor-made analytical support to investigations, as well as operational coordination, forensics and technical expertise, and financial support to the relevant national authorities.”
https://www.infosecurity-magazine.com/news/europol-hit-russian/
Threats
Ransomware
Ransomware: These Two Gangs Are Behind Half of All Attacks | ZDNet
Don't Let Ransomware Gangs Spend Months in Your Network • The Register
Karakurt Data Thieves Linked to Larger Conti Hacking Group | CSO Online
Conti Ransomware Gang Claims Responsibility for The Nordex Hack - Security Affairs
OldGremlin Ransomware Gang Targets Russia with New Malware (bleepingcomputer.com)
Conti Ransomware Offshoot Targets Russian Organisations | Malwarebytes Labs
Other Social Engineering
FBI: Payment App Users Targeted in Social Engineering Attacks (bleepingcomputer.com)
These Hackers Pretend to Poach, Recruit Rival Bank Staff In New Cyber Attacks | ZDNet
Malware
Microsoft Sounds The Alarm Over New Cunning Windows Malware | TechRadar
Spring4Shell Under Active Exploit by Mirai Botnet Herders • The Register
Haskers Gang Gives Away ZingoStealer Malware to Other Cyber Criminals for Free (thehackernews.com)
Hackers Hijack Adult Websites to Infect Victims With Malware | TechRadar
Qbot Malware Switches To New Windows Installer Infection Vector (bleepingcomputer.com)
Windows 11 tool to Add Google Play Secretly Installed Malware (bleepingcomputer.com)
Over 16,500 Sites Hacked to Distribute Malware via Web Redirect Service (thehackernews.com)
Enemybot: a New Mirai, Gafgyt Hybrid Botnet Joins The Scene | ZDNet
Mobile
Android Banking Malware Intercepts Calls to Customer Support (bleepingcomputer.com)
How to Stop Octo Malware From Remotely Accessing Your Android (lifehacker.com)
IoT
New EnemyBot DDoS Botnet Recruits Routers and IoTs Into Its Army (bleepingcomputer.com)
3 Reasons Connected Devices are More Vulnerable than Ever (bleepingcomputer.com)
Data Breaches/Leaks
Organised Crime & Criminal Actors
New Industrial Spy Stolen Data Market Promoted Through Cracks, Adware (bleepingcomputer.com)
Google Files Suit Against Cameroonian Cyber Criminal Who Used Puppies as Lures - CyberScoop
Cryptocurrency/Cryptomining/Cryptojacking
10 NFT and Cryptocurrency Security Risks That CISOs Must Navigate | CSO Online
A Practical Reason Why Crypto Might Not Work for Large-Scale Sanctions Evasion - CyberScoop
Insider Risk and Insider Threats
Fraud, Scams & Financial Crime
Denial of Service DoS/DDoS
New Fodcha DDoS Botnet Targets Over 100 Victims Every Day (bleepingcomputer.com)
New EnemyBot DDoS Botnet Borrows Exploit Code from Mirai and Gafgyt (thehackernews.com)
Cloud
99% Of Cloud Identities Are Overly Permissive, Opening Door to Attackers | CSO Online
Top Attack Techniques for Breaching Enterprise And Cloud Environments - Help Net Security
Finding Attack Paths in Cloud Environments (thehackernews.com)
The Two Words You Should Never Forget When You’re Securing a Cloud - Help Net Security
Privacy
Spyware, Espionage & Cyber Warfare, including Russian Invasion of Ukraine
Preparing for Armageddon: How Ukraine Battles Russian hackers | Ars Technica
Hackers Target Ukrainian Govt with IcedID Malware, Zimbra Exploits (bleepingcomputer.com)
Russia’s Sandworm Hackers Attempted a Third Blackout In Ukraine | Ars Technica
The Unceasing Action of Anonymous Against Russia - Security Affairs
European Officials Reportedly Targeted by NSO Spyware • The Register
Nation State Actors
Nation State Actors – Russia
Nation State Actors – China
Nation State Actors – North Korea
US Gov Believes Lazarus APT is Behind Ronin Validator Cyber Heist - Security Affairs
Feds Offer $5m Reward for Info on North Korean Cyber Crooks • The Register
FBI Links Largest Crypto Hack Ever to North Korean Hackers (bleepingcomputer.com)
Symantec: North Korea's Lazarus Targets Chemical Companies • The Register
Vulnerabilities
Microsoft Issues Patches for 2 Windows Zero-Days and 126 Other Vulnerabilities (thehackernews.com)
Google Issues Third Emergency Fix For Chrome This Year • The Register
Critical HP Teradici PCoIP Flaws Impact 15 Million Endpoints (bleepingcomputer.com)
Critical Windows RPC Vulnerability Raises Alarm (techtarget.com)
VMware Workspace One Flaw Actively Exploited in The Wild (techtarget.com)
Adobe Patches Gaping Security Holes in Acrobat, Reader, Photoshop | SecurityWeek.Com
Cisco Vulnerability Lets Hackers Craft Their Own Login Credentials (bleepingcomputer.com)
Several Vulnerabilities Allow Disabling of Palo Alto Networks Products | SecurityWeek.Com
Cisco Patches Critical Vulnerability in Wireless LAN Controller | SecurityWeek.Com
Critical Flaw in Elementor WordPress Plugin May Affect 500k Sites (bleepingcomputer.com)
Critical Apache Struts RCE Vulnerability Wasn't Fully Fixed, Patch Now (bleepingcomputer.com)
Attackers Are Exploiting VMware RCE to Deliver Malware (CVE-2022-22954) - Help Net Security
These D-Link Routers Are Vulnerable To Remote Hacks And Should Be Retired Immediately | HotHardware
Upgrades for Spring Framework Have Stalled (darkreading.com)
Sector Specific
CNI, OT, ICS, IIoT and SCADA
CISA Alert on ICS, SCADA Devices Highlights Growing Enterprise IoT Security Risks (darkreading.com)
Pipedream Malware: Feds Uncover 'Swiss Army Knife' for Industrial System Hacking | WIRED
New Malware Tools Pose 'Clear and Present Threat' to ICS Environments (darkreading.com)
US Warns of APT Hackers Targeting ICS/SCADA Systems with Specialized Malware (thehackernews.com)
Flaws in ABB Network Interface Modules Expose Industrial Systems to DoS Attacks | SecurityWeek.Com
Energy & Utilities
Reports Published in the Last Week
Other News
Singapore To License Infosec Service Providers • The Register
What Is the Cyber Kill Chain? A Model for Tracing Cyber Attacks | CSO Online
Cyber Defense: Prioritized By Real-World Threat Data - Help Net Security
The Cyber Criminal Isn’t Necessarily Who You Think… | Mind Matters
How Cryptocurrency Gave Birth to the Ransomware Epidemic (vice.com)
Dark Data Is a Pain Point For Many Security Leaders - Help Net Security
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Advisory 13/04/2022 – Adobe releases security patches to address various vulnerabilities.
Black Arrow Cyber Advisory 13/04/2022 – Adobe releases security patches to address various vulnerabilities.
Executive Summary
Adobe has released several security updates deemed as ‘critical’ across their product range to address various vulnerabilities. The affected applications include Adobe Acrobat and Reader which are used by most commercial organisations, along with Photoshop and other products within their range. Some of these vulnerabilities could give a malicious actor access to remote code execution.
What’s the risk to me or my business?
While Adobe has disclosed that they are not aware of these vulnerabilities being currently exploited, it is highly likely that they will a target by malicious actors since products such as Adobe Reader are used by a large percentage of organisations.
What can I do?
Apply the available updates from Adobe as soon as possible for the software products deployed across your organisation, while taking into consideration any potential downtime that these updates may cause.
Technical Summary
The vulnerabilities have been confirmed to affect both Windows and MacOS versions of various Adobe products, including Acrobat, Reader, Photoshop, After Effects, commerce, Magento Open Source, DC. Some of the effects of the vulnerabilities may be mitigated by good security practices, such as limiting end users local privileged access on end points. Further details on the individual vulnerabilities can be found here: Multiple Vulnerabilities in Adobe Products Could Allow for Arbitrary Code Execution (cisecurity.org)
Need help understanding your gaps, or just want some advice? Get in touch with us.
Black Arrow Cyber Threat Briefing 16 April 2021
Black Arrow Cyber Threat Briefing 16 April 2021: 61% Of Employees Fail Basic Cyber Security Quiz; More Than 1,900 Hacking Groups Active Today; Ransomware Crisis Worsens; Enterprise Security Attackers Are One Password Away From Your Worst Day; Microsoft’s April Update Patches 114 Bugs; Nation-State Attacks Targeting Businesses Rise; Criminals Installing Cryptojacking Malware On Unpatched Exchange Servers; Network Vulns Affect Over 100 Million Devices; Brits Still Confused By Multi-Factor Authentication
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
61 Percent Of Employees Fail Basic Cyber Security Quiz
Nearly 70% of employees polled in a new survey said they recently received cyber security training from their employers, yet 61% nevertheless failed when asked to take a basic quiz on the topic. This was one of the leading findings of a research study that sought to understand the cyber security habits of some 1,200 workers, as well as their knowledge of best practices and ability to recognize security threats.
https://www.scmagazine.com/home/security-news/61-percent-of-employees-fail-basic-cybersecurity-quiz/
More Than 1,900 Distinct Hacking Groups Are Active Today
There are currently more than 1,900 distinct hacking groups that are active today, a number that grew from 1,800 groups recorded at the end of 2019. In its yearly cyber crime report, the company said it discovered 650 new threat actors during 2020, but new evidence also allowed it to remove 500 groups from its threat actor tracker due to overlaps in activity and hacking infrastructure with previously known clusters.
https://therecord.media/fireeye-more-than-1900-distinct-hacking-groups-are-active-today/
Ransomware: The Internet's Biggest Security Crisis Is Getting Worse
Organisations continue to fall victim to ransomware, and yet progress on tackling these attacks, which now constitute one of the biggest security problems on the internet, remains slow. From small companies to councils, government agencies and big business, the number and range of organisations hit by ransomware is rising. One recent example; schools with 36,000 students have been hit, leaving pupils without access to email as attempts were made to get systems back online. That is at least four chains of schools attacked in the last month.
Enterprise Security Attackers Are One Password Away From Your Worst Day
If the definition of insanity is doing the same thing over and over and expecting a different outcome, then one might say the cyber security industry is insane.
Criminals continue to innovate with highly sophisticated attack methods, but many security organisations still use the same technological approaches they did 10 years ago. The world has changed, but cyber security hasn’t kept pace.
Distributed systems, with people and data everywhere, mean the perimeter has disappeared. And the hackers couldn’t be more excited. The same technology approaches, like correlation rules, manual processes and reviewing alerts in isolation, do little more than remedy symptoms while hardly addressing the underlying problem.
Credentials are supposed to be the front gates of the castle, but as the SOC is failing to change, it is failing to detect. The cyber security industry must rethink its strategy to analyse how credentials are used and stop breaches before they become bigger problems.
Microsoft’s April Update Patches 114 Bugs—Half Of Which Allow Remote Code Execution
The fourth Patch Tuesday of 2021 is another big one. Today, Microsoft revealed 114 vulnerabilities fixed in the monthly security, over half of which could potentially be exploited for remote code execution by attackers. Of the 55 remote execution bugs, over half were tied to Windows’ Remote Procedure Call (RPC) interface. Four more were Microsoft Exchange bugs (all urgent fixes) reported to Microsoft by the National Security Agency. In addition, six Chrome vulnerabilities that were previously addressed by Google are included in the roll-up.
Nation-State Cyber Attacks Targeting Businesses Are On The Rise
Businesses are increasingly coming under fire from nation state-backed hackers as governments around the world engage in attacks to steal secrets or lay the foundations for future attacks. Nation States, Cyberconflict and the Web of Profit, a study by cyber security researchers at HP and criminologists at the University of Surrey, warns that the number of key nation-state attacks has risen significantly over the past three years – and that enterprises and businesses are increasingly being targeted. An analysis of nation-state cyber attacks between 2017 and 2020 reveals that just over a third of organisations targeted were businesses: cyber defence, media, government, and critical infrastructure are all also common targets in these attacks, but enterprise has risen to the top of the list.
https://www.zdnet.com/article/nation-state-cyber-attacks-targeting-businesses-are-on-the-rise/
Cyber Criminals Are Installing Cryptojacking Malware On Unpatched Microsoft Exchange Servers
Cyber criminals are targeting vulnerable Microsoft Exchange servers with cryptocurrency mining malware in a campaign designed to secretly use the processing power of compromised systems to make money. Zero-day vulnerabilities in Microsoft Exchange Server were detailed last month when Microsoft released critical security updates to prevent the exploitation of vulnerable systems. Cyber attackers ranging from nation-state-linked hacking groups to ransomware gangs have rushed to take advantage of unpatched Exchange servers -- but they are not the only ones.
NAME:WRECK DNS Vulnerabilities Affect Over 100 Million Devices
Security researchers have disclosed nine vulnerabilities affecting network communication stacks running on at least 100 million devices. Collectively referred to as NAME: WRECK, the flaws could be leveraged to take offline affected devices or to gain control over them. The vulnerabilities were found in a wide range of products, from high-performance servers and networking equipment to operational technology (OT) systems that monitor and control industrial equipment. According to researchers threat actors could exploit NAME:WRECK vulnerabilities to deal significant damage to government or enterprise servers, healthcare facilities, retailers, or companies in the manufacturing business by stealing sensitive data, modifying or taking equipment offline for sabotage purposes.
Brits Still Confused By Multi-Factor Authentication
The British public are still woefully underinformed and unaware of the security benefits of multi-factor authentication (MFA). The industry association, founded in 2012 to promote authentication standards and reduce global reliance on passwords, recently polled over 4000 consumers in the UK, France, Germany, and the US. It revealed that half (49%) UK consumers have had their social media accounts compromised or know a friend or family member who has. However, despite a continued number of high-profile account takeovers, 43% said this does not make them enhance security on their accounts, even though they “feel like” they should. Part of the problem seems to be a general lack of understanding about the benefits of MFA in protecting account holders from phishing, as well as credential stuffing and other brute force attack types. Although such features are offered by all social media companies today, over a quarter (26%) of respondents said they were not using or didn’t know about them.
https://www.infosecurity-magazine.com/news/brits-still-confused-by/
623K Payment Cards Stolen From Cyber Crime Forum
The Swarmshop cyber underground “card shop” has been hit by hackers, who lifted the site’s database of stolen payment-card data and leaked it online. That is according to researchers, who said that the database was posted on a rival underground forum. Card shops, are online cyber criminal forums where stolen payment-card data is bought and sold. Researchers said the database in question contains 623,036 payment-card records from card-issuers in Brazil, Canada, China, France, Mexico, Saudi Arabia, Singapore, the U.K., and the U.S.
https://threatpost.com/623m-payment-cards-stolen-from-cybercrime-forum/165336/
Threats
Ransomware
Dutch Supermarkets Run Out Of Cheese After Ransomware Attack
This Nasty Ransomware Hacks Your VPN To Break Into Your Device
Phishing
Other Social Engineering
7 New Social Engineering Tactics Threat Actors Are Using Now
Cloud-Native Watering Hole Attack: Simple And Potentially Devastating
Malware
Mobile
Vulnerabilities
Adobe Patches Slew of Critical Security Bugs in Bridge, Photoshop
Microsoft Security Update Fixes Zero-Day Vulnerabilities In Windows And Other Software
Data Breaches
Organised Crime & Criminal Actors
Nation State Actors
Iran Vows Revenge For 'Israeli' Attack On Natanz Nuclear Site
NSA: Top 5 Vulnerabilities Actively Abused By Russian Govt Hackers
Privacy
Reports Published in the Last Week
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.