Threat Intelligence Blog
Contact us to discuss any insights from our Blog, and how we can support you in a tailored threat intelligence report.
Black Arrow Cyber Threat Briefing 07 October 2022
Black Arrow Cyber Threat Briefing 07 October 2022:
-Russian Sanctions Instigator Lloyd's Possibly Hit by Cyber Attack
-Former Uber Security Chief Convicted of Covering Up Data Breach
-First 72 Hours of Incident Response Critical to Taming Cyber Attack Chaos
-Email Defences Under Siege: Phishing Attacks Dramatically Improve
-Remote Services Are Becoming an Attractive Target for Ransomware
-Growing Reliance on Cloud Brings New Security Challenges
-Many IT Pros Don’t Think a Ransomware Attack Can Impact Microsoft 365 Data
-Ransomware Group Bypasses "Enormous" Range of EDR Tools
-MS Exchange Zero-Days: The Calm Before the Storm?
-Average Company with Data in the Cloud Faces $28 Million in Data-Breach Risk
-Secureworks Finds Network Intruders See Little Resistance
-Regulations, Laws and Accountability are Changing the Cyber Security Landscape
-This Year’s Biggest Cyber Threats
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
Russian Sanctions Instigator Lloyd's Possibly Hit by Cyber Attack
Lloyd’s of London, the London-based insurance market heavily involved in implementing sanctions against Russia, may have been hit by a cyber-attack. On Wednesday, October 5, 2022, the British insurance market revealed it had detected “unusual activity” on its systems and has turned off all external connectivity “as a precautionary measure.”
“We have informed market participants and relevant parties, and we will provide more information once our investigations have concluded,” said a Lloyd’s spokesperson.
The company did not comment on whether or not it has been contacted by hackers, if a ransom demand has been issued, or on the possible source of the attack.
However, the insurance market has been closely involved with the design and implementation of sanctions imposed on Russia in response to its invasion of Ukraine – a potential motive for the attack. Lloyd’s itself has confirmed it was working closely with British and international governments to implement such sanctions.
Around 100 insurance syndicates operate at Lloyd's.
Earlier in 2022, Lloyd’s instructed its 76 insurance syndicates to remove “nation-state-backed cyber attacks” from insurance policies by March 2023, as well as losses “arising from a war.”
https://www.infosecurity-magazine.com/news/lloyds-possibly-hit-by-cyberattack/
Former Uber Security Chief Convicted of Covering Up Data Breach
Uber’s former head of security has been convicted of covering up a 2016 data breach at the rideshare giant, hiding details from US regulators and paying off a pair of hackers in return for their discretion.
The trial, closely watched in cyber security circles, is believed to be the first criminal prosecution of a company executive over the handling of a data breach.
Joe Sullivan, who was fired in 2017 over the incident, was found guilty by a San Francisco jury of obstructing an investigation by the Federal Trade Commission. At the time of the 2016 breach, the regulator had been investigating the car-booking service over a different cyber security lapse that had occurred two years earlier.
Jurors also convicted Sullivan of a second count related to having knowledge of but failing to report the 2016 breach to the appropriate government authorities. The incident eventually became public in 2017 when Dara Khosrowshahi, who had just taken over as chief executive, disclosed details of the attack.
Prosecutors said Sullivan had taken steps to make sure data compromised in the attack would not be revealed. According to court documents, two hackers approached Sullivan’s team to notify Uber of a security flaw that exposed the personal information of almost 60mn drivers and riders on the platform.
https://www.ft.com/content/051af6a1-41d1-4a6c-9e5a-d23d46b2a9c9
First 72 Hours of Incident Response Critical to Taming Cyber Attack Chaos
Cyber security professionals tasked with responding to attacks experience stress, burnout, and mental health issues that are exacerbated by a lack of breach preparedness and sufficient incident response practice in their organisations.
A new IBM Security-sponsored survey published this week found that two-thirds (67%) of incident responders suffer stress and anxiety during at least some of their engagements, while 44% have sacrificed the well-being of their relationships, and 42% have suffered burnout, according to the survey conducted by Morning Consult. In addition, 68% of incidents responders often have to work on two or more incidents at the same time, increasing their stress, according to the survey's results.
Companies that plan and practice responding to a variety of incidents can lower the stress levels of their incident responders, employees, and executives, says John Dwyer, head of research for IBM Security's X-Force response team.
"Organisations are not effectively establishing their response strategies with the responders in mind — it does not need to be as stressful as it is," he says. "There is a lot of time when the responders are managing organisations during an incident, because those organisations were not prepared for the crisis that occurs. These attacks happen every day."
The IBM Security-funded study underscores why the cyber security community has focused increasingly on the mental health of its members. About half (51%) of cyber security defenders have suffered burnout or extreme stress in the past year, according to a VMware survey released in August 2021. Cyber security executives have also spotlighted the issue as one that affects the community and companies' ability to retain skilled workers.
Email Defences Under Siege: Phishing Attacks Dramatically Improve
This week's report that cyber attackers are laser-focused on crafting attacks specialised to bypass Microsoft's default security showcases an alarming evolution in phishing tactics, security experts said this week.
Threat actors are getting better at slipping phishing attacks through the weak spots in platform email defences, using a variety of techniques, such as zero-point font obfuscation, hiding behind cloud-messaging services, and delaying payload activation, for instance. They're also doing more targeting and research on victims.
As a result, nearly 1 in 5 phishing emails (18.8%) bypassed Microsoft's platform defences and landed in workers' inboxes in 2022, a rate that increased 74% compared to 2020, according to research published by cyber security firm Check Point Software. Attackers increasingly used techniques to pass security checks, such as Sender Policy Framework (SPF), and obfuscate functional components of an e-mail, such as using zero-size fonts or hiding malicious URLs from analysis.
The increasing capabilities of attackers is due to the better understanding of current defences, says Avanan, an email security firm acquired by Check Point in August 2021.
"It is a family of 10 to 20 techniques, but they all lead to the objective of deceiving a company's security layers," he says. "The end result is always an email that looks genuine to the recipient but looks different to the algorithm that analyses the content."
Microsoft declined to comment on the research. However, the company has warned of advanced techniques, such as adversary-in-the-middle phishing (AiTM), which uses a custom URL to place a proxy server between a victim and their desired site, allowing the attacker to capture sensitive data, such as usernames and passwords. In July, the company warned that more than 10,000 organisations had been targeted during one AiTM campaign.
Remote Services Are Becoming an Attractive Target for Ransomware
Stolen credentials are no longer the number one initial access vector for ransomware operators looking to infect a target network and its endpoints - instead, they’ve become more interested in exploiting vulnerabilities found in internet-facing systems.
A report from Secureworks claims ransomware-as-a-service developers are quick to add newly discovered vulnerabilities into their arsenals, allowing even less competent hackers to exploit them swiftly, and with relative ease.
In fact, the company's annual State of the Threat Report reveals that flaw exploitation in remote services accounted for 52% of all ransomware incidents the company analysed over the last 12 months.
Besides remote services, Secureworks also spotted a 150% increase in the use of infostealers, which became a “key precursor” to ransomware. Both these factors, the report stresses, kept ransomware as the number one threat for businesses of all sizes, “who must fight to stay abreast of the demands of new vulnerability prioritisation and patching”.
All things considered, ransomware is still the biggest threat for businesses. It takes up almost a quarter of all attacks that were reported in the last 12 months, Secureworks says, and despite law enforcement being actively involved, operators remained highly active.
https://www.techradar.com/news/remote-services-are-becoming-an-attractive-target-for-ransomware
Growing Reliance on Cloud Brings New Security Challenges
There was a time when cloud was just a small subset of IT infrastructure, and cloud security referred to a very specific set of tasks. The current reality is very different, organisations are heavily dependent on cloud technologies and cloud security has become a much more complex endeavour.
Organisations increasingly rely on the cloud to deliver new applications, reduce costs, and support business operations. One in every four organisations already have majority workloads in the cloud, and 44% of workloads currently run in some form of public cloud, says Omdia, a research and advisory group.
Practically every midsize and large organisation now operates in some kind of a hybrid cloud environment, with a mix of cloud and on-premises systems. For most organisations, software-as-a-service constitute the bulk (80%) of their cloud environments, followed by infrastructure-as-a-service and platform-as-a-service deployments.
In the past, cloud security conversations tended to focus on making sure cloud environments are being configured properly, but cloud security nowadays goes far beyond just configuration management. The sprawling cloud environment means security management has to be centralised, Omdia said. Security functions also need to be integrated into existing application deployment workflows.
On top of all of this, multicloud is becoming more common among organisations as they shift their workloads to avoid being dependent on a single platform. The three major cloud providers – Amazon Web Services, Microsoft Azure, and Google Cloud Platform – account for 65% of the cloud market.
https://www.darkreading.com/dr-tech/growing-reliance-on-cloud-brings-new-security-challenges
Many IT Pros Don’t Think a Ransomware Attack Can Impact Microsoft 365 Data
The 2022 Ransomware Report, which surveyed over 2,000 IT leaders, revealed that 24% have been victims of a ransomware attack, with 20% of attacks happening in the last year.
Cyber attacks are happening more frequently. Last year’s ransomware survey revealed that 21% of companies experienced an attack. This year it rose by three percent to 24%.
“Attacks on businesses are increasing, and there is a shocking lack of awareness and preparation by IT pros. Our survey shows that many in the IT community have a false sense of security. As bad actors develop new techniques, companies like ours have to do what it takes to come out ahead and protect businesses around the world,” said Hornetsecurity.
The report highlighted a lack of knowledge on the security available to businesses. 25% of IT professionals either don’t know or don’t think that Microsoft 365 data can be impacted by a ransomware attack.
Just as worryingly, 40% of IT professionals that use Microsoft 365 in their organisation admitted they do not have a recovery plan in case their Microsoft 365 data was compromised by a ransomware attack.
“Microsoft 365 is vulnerable to phishing attacks and ransomware attacks, but with the help of third-party tools, IT admins can backup their Microsoft 365 data securely and protect themselves from such attacks,” said Hofmann.
https://www.helpnetsecurity.com/2022/10/03/ransomware-attack-impact-microsoft-365-data/
Ransomware Group Bypasses "Enormous" Range of EDR Tools
A notorious ransomware group has been spotted leveraging sophisticated techniques to bypass endpoint detection and response (EDR) tools.
BlackByte, which the US government has said poses a serious threat to critical infrastructure, used a “Bring Your Own Driver” technique to circumvent over 1000 drivers used by commercially available EDR products, according to Sophos. The UK cyber security vendor explained in a new report that the group had exploited a known vulnerability, CVE-2019-16098, in Windows graphics utility driver RTCorec6.sys. This enabled it to communicate directly with a victim system’s kernel and issue commands to disable callback routines used by EDR tools.
The group also used EDR bypass techniques borrowed from open source tool EDRSandblast to deactivate the Microsoft-Windows-Threat-Intelligence ETW (Event Tracing for Windows) provider. This is a Windows feature “that provides logs about the use of commonly maliciously abused API calls such as NtReadVirtualMemory to inject into another process’s memory,” explained Sophos. Neutralising it in this way renders any security tool relying on the feature also useless, the firm argued.
“If you think of computers as a fortress, for many EDR providers, ETW is the guard at the front gate,” said Sophos. “If the guard goes down, then that leaves the rest of the system extremely vulnerable. And, because ETW is used by so many different providers, BlackByte’s pool of potential targets for deploying this EDR bypass is enormous.”
BlackByte is not the only ransomware group using these advanced techniques to get around existing detection tools, illustrating the continued arms race between attackers and defenders. AvosLocker used a similar method in May, Sophos said. “Anecdotally, from what we’re seeing in the field, it does appear that EDR bypass is becoming a more popular technique for ransomware threat groups,” the firm confirmed. “This is not surprising. Threat actors often leverage tools and techniques developed by the ‘offensive security’ industry to launch attacks faster and with minimal effort.”
https://www.infosecurity-magazine.com/news/ransomware-bypasses-enormous-range/
MS Exchange Zero-Days: The Calm Before the Storm?
Two exploited MS Exchange zero-days that still have no official fix, have been added to CISA’s Known Exploited Vulnerabilities (KEV) Catalog.
But mitigating the risk of exploitation until patches are ready will require patience and doggedness, as Microsoft is still revising its advice to admins and network defenders, and still working on the patches.
The two vulnerabilities were publicly documented last Wednesday, by researchers with Vietnamese company GTSC, and Microsoft soon after sprung into (discernible) action by offering customer guidance, followed by an analysis of the attacks exploiting the two vulnerabilities. Several changes have been made to the documents since then, after the company found and other researchers pointed out several shortcomings.
Microsoft says its threat analysts observed “activity related to a single activity group in August 2022 that achieved initial access and compromised Exchange servers by chaining CVE-2022-41040 and CVE-2022-41082 in a small number of targeted attacks,” and that the attackers breached fewer than 10 organisations globally. “MSTIC assesses with medium confidence that the single activity group is likely to be a state-sponsored organisation,” they added.
The other good news is there are still no public exploits for the two vulnerabilities. But, Microsoft says, “Prior Exchange vulnerabilities that require authentication have been adopted into the toolkits of attackers who deploy ransomware, and these vulnerabilities are likely to be included in similar attacks due to the highly privileged access Exchange systems confer onto an attacker.”
Enterprise defenders should expect trouble via this attack path in the near future, it seems, so keeping abreast of the changing situation and springing into action as quickly as possible once the patches are made available is advised. Scammers have since started impersonating security researchers and offering non-existing PoC exploits for CVE-2022-41082 for sale via GitHub
https://www.helpnetsecurity.com/2022/10/03/ms-exchange-cve-2022-41040-cve-2022-41082/
Average Company with Data in the Cloud Faces $28 Million in Data-Breach Risk
Hard-to-control collaboration, complex SaaS permissions, and risky misconfigurations — such as admin accounts without multi-factor authentication (MFA) — have left a dangerous amount of cloud data exposed to insider threats and cyber attacks, according to Varonis.
For the report, researchers analysed nearly 10 billion cloud objects (more than 15 petabytes of data) across a random sample of data risk assessments performed at more than 700 companies worldwide. In the average company, 157,000 sensitive records are exposed to everyone on the internet by SaaS sharing features, representing $28 million in data-breach risk, Varonis researchers have found.
One out of every 10 records in the cloud is exposed to all employees — creating an impossibly large internal blast radius, which maximises damage during a ransomware attack. The average company has 4,468 user accounts without MFA enabled, making it easier for attackers to compromise internally exposed data.
Out of 33 super admin accounts in the average organisation, more than half did not have MFA enabled. This makes it easier for attackers to compromise these powerful accounts, steal more data, and create backdoors. Companies have more than 40 million unique permissions across SaaS applications, creating a nightmare for IT and security teams responsible for managing and reducing cloud data risk.
“Cloud security shouldn’t be taken for granted. When security teams lack critical visibility to manage and protect SaaS and IaaS apps and services, it’s nearly impossible to ensure your data isn’t walking out the door,” said Varonis. “This report is a true-to-life picture of over 700 real-world risk assessments of production SaaS environments. The results underscore the urgent need for CISOs to uncover and remediate their cloud risk as quickly as possible.”
https://www.helpnetsecurity.com/2022/10/05/company-data-breach-risk/
Secureworks Finds Network Intruders See Little Resistance
Attackers who break into networks only need to take a few basic measures in order to avoid detection.
Security vendor Secureworks said in its annual State of the Threat report that it observed several data breaches between June 2021 and June 2022 and found that, by and large, once network intruders gained a foothold on the targets' environment, they had to do relatively little to stay concealed.
"One thing that is notable about them is that none of these techniques are particularly sophisticated," the vendor said. "That is because threat actors do not need them to be; the adversary will only innovate enough to achieve their objectives. So there is a direct relationship between the maturity of the controls in a target environment and the techniques they employ to bypass those controls."
Among the more basic measures taken by the attackers was coding their tools in newer languages such as Go or Rust. This tweak created enough of a difference in the software to evade signature-checking tools, according to Secureworks' report. In other cases, the network intruders hid their activity by packing their malware within a trusted Windows installer or by sneaking it into the Authenticode signature of a trusted DLL. In another case, a malware infection was seen moving data out of the victim's network via TOR nodes. While effective, Secureworks said the techniques are hardly innovative. Rather, they indicate that threat actors find themselves only needing to do the bare minimum to conceal themselves from detection.
Regulations, Laws and Accountability are Changing the Cyber Security Landscape
As cyber criminals continue to develop new ways to wreak havoc, regulators have been working to catch up. They aim to protect data and consumers while avoiding nation-state attacks that are a risk to national and economic security. But some of these regulations may provide an opportunity for MSSPs.
Some of these regulations are a response to what’s generally been a hands-off approach to telling organisations what to do. Unfortunately, cyber security isn’t always prioritised when budgets and resources are allocated. The result is a steadily rising tide of breaches and exploits that have held organisations hostage and made private information available on the dark web.
The new regulations are coming from all directions: at the state and federal levels in the US and around the world. While many of these regulations aren’t yet final, there’s no reason not to start aligning with where trends will ease the impact of changing rules. At the same time, many organisations want to hold the government responsible for some kinds of attacks. It will be interesting to see how regulating works, as most politicians and bureaucrats aren’t known for their technological savvy.
In the US, for example, new regulations are in development in the Federal Trade Commission, Food and Drug Administration, Department of Homeland Security, Department of Transportation, Department of Energy, and the Cybersecurity and Infrastructure Security Agency. Thirty-six states have enacted cyber security legislation, and the count increases as other countries join.
One of the motivating factors for all these new regulations is that most cyber attacks aren’t reported. Lawmakers realise cyber security threats continue to be one of the top national security and economic risks. In the last year and a half (2020-2022), there have been attacks on America’s gas supply, meat supply, and various other companies, courts, and government agencies. One FBI cyber security official estimated the government only learns about 20% to 25% of intrusions at US business and academic institutions.
In March, Congress passed legislation requiring critical infrastructure operators to report significant cyber attacks to CISA within 72 hours of learning about the attack. It also required them to report a ransomware payment within 24 hours. These regulations will also consider reporting “near misses” so that this data can also be studied and tracked. The problem is, how does one define a “near miss”?
This Year’s Biggest Cyber Threats
OpenText announced the Nastiest Malware of 2022, a ranking of the year’s biggest cyber threats. For the fifth year running, experts combed through the data, analysed different behaviours, and determined which malicious payloads are the nastiest.
Emotet regained its place at the top, reminding the world that while affiliates may be taken down, the masterminds are resilient. LockBit evolved its tactics into something never seen before: triple extortion. Analysis also revealed an almost 1100% increase in phishing during the first four months of 2022 compared to the same period in 2021, indicating a possible end to the “hacker holiday,” a hacker rest period following the busy holiday season.
“The key takeaway from this year’s findings is that malware remains centre stage in the threats posed towards individuals, businesses, and governments,” said OpenText.
“Cyber criminals continue to evolve their tactics, leaving the infosec community in a constant state of catch-up. With the mainstream adoption of ransomware payloads and cryptocurrency facilitating payments, the battle will continue. No person, no business—regardless of size—is immune to these threats.”
While this year’s list may designate payloads into different categories of malware, it’s important to note many of these bad actor groups contract work from others. This allows each group to specialise in their respective payload and perfect it.
https://www.helpnetsecurity.com/2022/10/06/2022-nastiest-malware/
Threats
Ransomware and Extortion
Ransomware Attacks On The Rise, Secureworks Reveals in its State of the Threat Report - MSSP Alert
Ransomware: This is how half of attacks begin, and this is how you can stop them | ZDNET
Fake adult sites push data wipers disguised as ransomware (bleepingcomputer.com)
BlackByte ransomware abuses legit driver to disable security products (bleepingcomputer.com)
Ransomware attacks ravage schools, municipal governments (techtarget.com)
More and more ransomware is just data theft, no encryption • The Register
Netwalker ransomware affiliate sentenced to 20 years in prison (bleepingcomputer.com)
Cheerscrypt ransomware is linked to Chinese DEV-0401 APT group - Security Affairs
ADATA denies RansomHouse cyber attack, says leaked data from 2021 breach (bleepingcomputer.com)
Avast releases a free decryptor for some Hades ransomware variants - Security Affairs
Cyber criminals Leak LA School Data After It Refuses to Ransom (vice.com)
How Ransomware Is Causing Chaos in American Schools (vice.com)
Ransomware hunters: the self-taught tech geniuses fighting cyber crime | Cyber crime | The Guardian
BEC – Business Email Compromise
BEC fraudster and romance scammer sent to prison for 25 years – Naked Security (sophos.com)
Hackers Target Homebuyers’ Life Savings in Real Estate Scam - Bloomberg
Phishing & Email Based Attacks
Other Social Engineering; Smishing, Vishing, etc
Callback phishing attacks evolve their social engineering tactics (bleepingcomputer.com)
3 ways enterprises can mitigate social engineering risks - Help Net Security
Malware
OpenText Releases List Of The Year’s “Nastiest” Malware - MSSP Alert
This devious malware is able to disable your antivirus | TechRadar
Bumblebee Malware Loader's Payloads Significantly Vary by Victim System (darkreading.com)
Live support service hacked to spread malware in supply chain attack (bleepingcomputer.com)
NullMixer Dropper Delivers a Multimalware Code Bomb (darkreading.com)
Maggie malware already infected over 250 Microsoft SQL servers - Security Affairs
Mobile
Internet of Things – IoT
7 IoT Devices That Make Security Pros Cringe (darkreading.com)
Ikea Smart Light System Flaw Lets Attackers Turn Bulbs on Full Blast (darkreading.com)
Acronis founder is afraid of his own vacuum cleaner • The Register
Data Breaches/Leaks
“Egypt Leaks” – Hacktivists are Leaking Financial Data - Security Affairs
No Shangri-La for you: Top hotel chain confirms data leak • The Register
NSA: Someone hacked military contractor and stole data • The Register
City of Tucson discloses data breach affecting over 123,000 people (bleepingcomputer.com)
Optus Says ID Numbers of 2.1 Million Compromised in Data Breach | SecurityWeek.Com
Aussie Telco Telstra Breached, Reportedly Exposing 30,000 Employees' Data (darkreading.com)
2K warns users their info has been stolen following breach of its help desk | Ars Technica
Russian retail chain 'DNS' confirms hack after data leaked online (bleepingcomputer.com)
Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain
Breaking: Scams Linked To Crypto Soared By 335% (informationsecuritybuzz.com)
Hacker steals $566 million worth of crypto from Binance Bridge (bleepingcomputer.com)
Hackers are breaching scam sites to hijack crypto transactions (bleepingcomputer.com)
Binance Says $100 Million Stolen in Latest Crypto Hack (gizmodo.com)
Hackers are breaching scam sites to hijack crypto transactions (bleepingcomputer.com)
Insider Risk and Insider Threats
Meta sues app dev for stealing over 1 million WhatsApp accounts (bleepingcomputer.com)
Microsoft publishes report on holistic insider risk management - Microsoft Security Blog
Unearth offboarding risks before your employees say goodbye - Help Net Security
Splunk alleges source code theft by former employee • The Register
Ex-NSA Employee Arrested for Trying to Sell U.S. Secrets to a Foreign Government (thehackernews.com)
Fraud, Scams & Financial Crime
Consumers Feel Hopeless in Protecting Themselves Against Cyber crime, ISACA Reports - MSSP Alert
BEC fraudster and romance scammer sent to prison for 25 years – Naked Security (sophos.com)
Hackers Target Homebuyers’ Life Savings in Real Estate Scam - Bloomberg
Russians dodging mobilization behind flourishing scam market (bleepingcomputer.com)
Scammers and rogue callers – can anything ever stop them? – Naked Security (sophos.com)
Online romance scam boss netted $9.5m, jailed for 25 years • The Register
Deepfakes
Supply Chain and Third Parties
Live support service hacked to spread malware in supply chain attack (bleepingcomputer.com)
Supply Chain Attack Targets Customer Engagement Firm Comm100 | SecurityWeek.Com
Denial of Service DoS/DDoS
Cloud/SaaS
Encryption
API
More Than 30% of All Malicious Attacks Target Shadow APIs (darkreading.com)
APIs are quickly becoming the most popular attack vector - Help Net Security
The Problem of API Security and How To Fix It (informationsecuritybuzz.com)
API authentication failures demonstrate the need for zero trust - Help Net Security
Shadow APIs hit with 5 billion malicious requests - Help Net Security
Open Source
When transparency is also obscurity: The conundrum that is open-source security - Help Net Security
How Secure is Using Open Source Components? - IT Security Guru
Passwords, Credential Stuffing & Brute Force Attacks
Microsoft warns Basic Auth users over password spray attacks • The Register
Is mandatory password expiration helping or hurting your password security? - Help Net Security
Detecting and preventing LSASS credential dumping attacks - Microsoft Security Blog
Meta Says It Has Busted More Than 400 Login-Stealing Apps This Year | WIRED
Privacy, Surveillance and Mass Monitoring
Regulations, Fines and Legislation
Models, Frameworks and Standards
Secure Disposal
Backup and Recovery
Law Enforcement Action and Take Downs
Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine
Relentless Russian Cyber attacks on Ukraine Raise Important Policy Questions (darkreading.com)
Finnish intelligence warns of Russia's cyber espionage activities - Security Affairs
Kazakhstan Pins Wave Of Cyber attacks On Foreign Actors | OilPrice.com
Albania weighed invoking NATO’s Article 5 over Iranian cyber attack - POLITICO
We breached Russian satellite network, say pro-Ukraine partisans | Cybernews
Ukrainian forces report Starlink outages during push against Russia | Financial Times (ft.com)
Report: Mexico Continued to Use Spyware Against Activists | SecurityWeek.Com
Nation State Actors
Nation State Actors – China
US authorities name China's 20 favourite vulns to exploit • The Register
Cheerscrypt ransomware is linked to Chinese DEV-0401 APT group - Security Affairs
Nation State Actors – North Korea
Vulnerabilities
Fortinet warns admins to patch critical auth bypass bug immediately (bleepingcomputer.com)
Atlassian, Microsoft bugs make CISA’s must-patch list • The Register
US authorities name China's 20 favourite vulns to exploit • The Register
October 2022 Patch Tuesday forecast: Looking for treats, not more tricks - Help Net Security
Fake Microsoft Exchange ProxyNotShell exploits for sale on GitHub (bleepingcomputer.com)
CISA Warns of Attacks Exploiting Recent Atlassian Bitbucket Vulnerability | SecurityWeek.Com
No fix in sight for mile-wide loophole plaguing a key Windows defence for years | Ars Technica
Hackers Exploiting Unpatched RCE Flaw in Zimbra Collaboration Suite (thehackernews.com)
Lazarus employed an exploit in a Dell firmware driver in recent attacks - Security Affairs
Unpatched Zimbra flaw under attack is letting hackers backdoor servers | Ars Technica
macOS Archive Utility Bug Lets Malicious Apps Bypass Security Checks (darkreading.com)
Fortinet Warns of New Auth Bypass Flaw Affecting FortiGate and FortiProxy (thehackernews.com)
VMware fixed a high-severity bug in vCenter Server - Security Affairs
Reports Published in the Last Week
Other News
Guilty verdict in the Uber breach case makes personal liability real for CISOs | CSO Online
Cyber attackers view smaller organisations as easier targets - Help Net Security
Moody's turns up the heat on 'riskiest' sectors for attacks • The Register
5 reasons why security operations are getting harder | CSO Online
Former NSA Employee Faces Death Penalty for Selling Secrets (darkreading.com)
Fast Company Is Back From the Dead After Being Hacked (gizmodo.com)
Ready Or Not, Web 3 Is Coming And With It Comes Cybersquatting 2.0 (informationsecuritybuzz.com)
Cyber Hygiene: 5 Best Practices for Company Buy-In (trendmicro.com)
School Is in Session: 5 Lessons for Future Cyber Security Pros (darkreading.com)
Want More Secure Software? Start Recognizing Security-Skilled Developers (thehackernews.com)
Incident responders increasingly seek out mental health assistance - Help Net Security
You Are Not Alone If You're Unclear About Extended Detection and Response (XDR) - MSSP Alert
Why digital trust is the bedrock of business relationships - Help Net Security
Sector Specific
Industry specific threat intelligence reports are available.
Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.
· Automotive
· Construction
· Critical National Infrastructure (CNI)
· Defence & Space
· Education & Academia
· Energy & Utilities
· Estate Agencies
· Financial Services
· FinTech
· Food & Agriculture
· Gaming & Gambling
· Government & Public Sector (including Law Enforcement)
· Health/Medical/Pharma
· Hotels & Hospitality
· Insurance
· Legal
· Manufacturing
· Maritime
· Oil, Gas & Mining
· OT, ICS, IIoT, SCADA & Cyber-Physical Systems
· Retail & eCommerce
· Small and Medium Sized Businesses (SMBs)
· Startups
· Telecoms
· Third Sector & Charities
· Transport & Aviation
· Web3
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Threat Briefing 26 August 2022
Black Arrow Cyber Threat Briefing 26 August 2022:
-Lloyd's to Exclude Certain Nation-State Attacks from Cyber Insurance Policies
-Cyber Security Top Risk for Enterprise C-Suite Leaders, PwC Study Says
-Apathy Is Your Company's Biggest Cyber Security Vulnerability — Here's How to Combat It
-The World’s Largest Sovereign Wealth Fund Warns Cyber Security Is Top Concern as Attacks on Banks and Financial Services Double
-Configuration Errors to Blame for 80% of Ransomware
-Ransomware Surges to 1.2 Million Attacks Per Month
-A Massive Hacking Campaign Stole 10,000 Login Credentials From 130 Different Organisations
-This Company Paid a Ransom Demand. Hackers Leaked Its Data Anyway
-Sophisticated BEC Scammers Bypass Microsoft 365 Multi-Factor Authentication
-77% Of Security Leaders Fear We’re in Perpetual Cyber War from Now On
-Cyber Security Governance: A Path to Cyber Maturity
-The Rise of Data Exfiltration and Why It Is a Greater Risk Than Ransomware
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
Lloyd's to Exclude Certain Nation-State Attacks from Cyber Insurance Policies
Lloyd's of London insurance policies will stop covering losses from certain nation-state cyber attacks and those that happen during wars, beginning in seven months' time.
In a memo sent to the company's 76-plus insurance syndicates, underwriting director Tony Chaudhry said Lloyd's remains "strongly supportive" of cyber attack coverage. However, as these threats continue to grow, they may "expose the market to systemic risks that syndicates could struggle to manage," he added, noting that nation-state-sponsored attacks are particularly costly to cover.
Because of this, all standalone cyber attack policies must include "a suitable clause excluding liability for losses arising from any state-backed cyber attack," Chaudhry wrote. These changes will take effect beginning March 31, 2023 at the inception or renewal of each policy.
At a minimum (key word: minimum) these policies must exclude losses arising from a war, whether declared or not, if the policy doesn't already have a separate war exclusion. They must also at least exclude losses from nation-state cyber attacks that "significantly impair the ability of a state to function or that significantly impair the security capabilities of a state."
Policies must also "set out a robust basis" on which to attribute state-sponsored cyber attacks, according to Chaudhry – and therein lies the rub.
Attributing a cyber attack to a particular crime group or nation-state with 100 percent confidence "is absolutely hard," NSA director of cybersecurity Rob Joyce said at this year's RSA Conference.
Threat analysts typically attribute an attack to a nation-state from its level of sophistication, but as advanced persistent crime groups become more sophisticated – and have more resources at their disposal to buy zero-day exploits and employ specialists for each stage of an attack – differentiating between nation-states and cyber crime gangs becomes increasingly difficult, he explained.
There are times when nation-states will act like criminals, using their tools and infrastructure, and sometimes vice versa. The clear line of sophistication and stealth that many have used as a common sense delineation has blurred. Yet, If you are going to pay out money you are likely going to look for something that is more ironclad and likely related to forensic evidence.
https://www.theregister.com/2022/08/24/lloyds_cybersecurity_insurance/
Cyber Security Top Risk for Enterprise C-Suite Leaders, PwC Study Says
Cyber security is now firmly on the agenda of the entire C-suite, consultancy PricewaterhouseCoopers (PwC) reports in a new survey of more than 700 business leaders across a variety of industries.
Of key enterprise issues, cyber security ranks at the top of business risks, with nearly 80% of the respondents considering it a moderate to serious risk. The warning isn’t confined to just chief information security officers, but ranges from chief executives to chief financial officers, chief operating officers, chief technology officers, chief marketing officers and includes corporate board members. Virtually all roles ranked cyber attacks high on their list of risks, PwC said.
Overall, 40% of business leaders ranked cyber security as the top serious risk facing their companies, and 38% ranked it a moderate risk.
Here are six steps businesses can take to address cyber security concerns:
View cyber security as a broad business concern and not just an IT issue.
Build cyber security and data privacy into agendas across the C-suite and board.
Increase investment to improve security.
Educate employees on effective cyber security practices.
For each new business initiative or transformation, make sure there’s a cyber plan in place.
Use data and intelligence to regularly measure cyber risks. Proactively look for blind spots in third-party relationships and supply chains.
Apathy Is Your Company's Biggest Cyber Security Vulnerability — Here's How to Combat It
Human error continues to be the leading cause of a cyber security breach. Nearly 60% of organisations experienced a data loss due to an employee's mistake on email in the last year, while one in four employees fell for a phishing attack.
Employee apathy, while it may not seem like a major cyber security issue, can leave an organisation vulnerable to both malicious attacks and accidental data loss. Equipping employees with the tools and knowledge they need to prevent these risks has never been more important to keep organisations safe.
A new report from Tessian sheds light on the full extent of employee apathy and its impact on cyber security posture. The report found that a significant number of employees aren't engaged in their organisation's cyber security efforts and don't understand the role they play. One in three employees say they don't understand the importance of cyber security at work. What's more, only 39% say they're very likely to report a cyber security incident. Why? A quarter of employees say they don't care enough about cyber security to mention it.
This is a serious problem. IT and security teams can't investigate or remediate a threat they don't know about.
Employees play an important role in flagging incidents or suspicious activity early on to prevent them from escalating to a costly breach. Building a strong cyber security culture can mitigate apathy by engaging employees as part of the solution and providing the tools and training they need to work productively and securely.
The World’s Largest Sovereign Wealth Fund Warns Cyber Security Is Top Concern, as Attacks on Banks and Financial Service Double
Cyber security has eclipsed tumultuous financial markets as the biggest concern for the world’s largest sovereign wealth fund, as it faces an average of three “serious” cyber attacks each day.
The number of significant hacking attempts against Norway’s $1.2tn oil fund, Norges Bank Investment Management, has doubled in the past two to three years.
The fund, which reported its biggest half-year dollar loss last week after inflation and recession fears shook markets, suffers about 100,000 cyber attacks a year, of which it classifies more than 1,000 as serious, according to its top executives.
“I’m worried about cyber more than I am about markets,” their CEO told the Financial Times. “We’re seeing many more attempts, more attacks [that are] increasingly sophisticated.”
The fund’s top executives are even concerned that concerted cyber attacks are becoming a systemic financial risk as markets become increasingly digitised.
Their deputy CEO pointed to the 2020 attack on SolarWinds, a software provider, by Russian state-backed hackers that allowed them to breach several US government agencies, including the Treasury and Pentagon, and a number of Fortune 500 companies including Microsoft, Intel and Deloitte.
“They estimate there were 1,000 Russians [involved] in that one attack, working in a co-ordinated fashion. I mean, Jesus, that’s our whole building on one attack, so you’re up against some formidable forces there,” he said.
Cyber attacks targeting the financial industry have risen sharply in recent months. Malware attacks globally rose 11 per cent in the first half of 2022, but they doubled at banks and financial institutions, according to cyber security specialist SonicWall. Ransomware attacks dropped 23 per cent worldwide, but increased 243 per cent against financial targets in the same period.
https://www.ft.com/content/1aa6f92a-078b-4e1a-81ca-65298b8310b2
Configuration Errors to Blame for 80% of Ransomware
The vast majority (80%) of ransomware attacks can be traced back to common configuration errors in software and devices, according to Microsoft.
The tech giant’s latest Cyber Signals report focuses on the ransomware as a service (RaaS) model, which it claims has democratised the ability to launch attacks to groups “without sophistication or advanced skills.” Some RaaS programs now have over 50 affiliate groups on their books.
For defenders, a key challenge is ensuring they don’t leave systems misconfigured, it added.
“Ransomware attacks involve decisions based on configurations of networks and differ for each victim even if the ransomware payload is the same,” the report argued. “Ransomware culminates an attack that can include data exfiltration and other impacts. Because of the interconnected nature of the cyber-criminal economy, seemingly unrelated intrusions can build upon each other.”
Although each attack is different, Microsoft pointed to missing or misconfigured security products and legacy configurations in enterprise apps as two key areas of risk exposure.
“Like smoke alarms, security products must be installed in the correct spaces and tested frequently. Verify that security tools are operating in their most secure configuration, and that no part of a network is unprotected,” it urged. “Consider deleting duplicative or unused apps to eliminate risky, unused services. Be mindful of where you permit remote helpdesk apps like TeamViewer. These are notoriously targeted by threat actors to gain express access to laptops.”
Although not named in the report, another system regularly misconfigured and hijacked by ransomware actors is the remote desktop protocol (RDP), which often is not protected by a strong password or two-factor authentication. It’s widely believed to be one of the top three vectors for attack.
The bad news for network defenders is they don’t have much time after initial compromise to contain an attack. Microsoft claimed the median time for an attacker to begin moving laterally inside the network after device compromise is one hour, 42 minutes. The median time for an attacker to access private data following a phishing email is one hour, 12 minutes, the firm added.
https://www.infosecurity-magazine.com/news/configuration-errors-blame-80/
Ransomware Surges to 1.2 Million Attacks Per Month
Ransomware threat detections have risen to over one million per month this year, with a French hospital the latest to suffer a major outage.
The 1000-bed Center Hospitalier Sud Francilien (CHSF) near Paris revealed it was hit on Sunday morning, in an attack which has knocked out all the hospital's business software, storage systems including medical imaging, and patient admissions. This has led to all but the most urgent emergency patients being diverted to other facilities in the region.
France24 cited figures claiming cyber-attacks against French hospitals surged 70% year-on-year in 2021. "Each day we need to rewrite patients' medications, all the prescriptions, the discharge prescriptions," Valerie Caudwell, president of the medical commission at CHSF hospital, reportedly said. "For the nurses, instead of putting in all the patients' data on the computer, they now need to file it manually from scratch."
Reports suggest Lockbit 3.0 may be to blame for the $10m ransom demand, which the hospital is refusing to pay.
Barracuda Networks claimed in a new report out today that education, municipalities, healthcare, infrastructure and finance have remained the top five targets for ransomware over the past 12 months. However, while attacks on local government increased only slightly, those targeting educational institutions more than doubled, and attacks on the healthcare and financial verticals tripled. Overall, Barracuda claimed that ransomware detections between January and June of this year climbed to more than 1.2 million per month.
https://www.infosecurity-magazine.com/news/ransomware-surges-to-12-million/
A Massive Hacking Campaign Stole 10,000 Login Credentials From 130 Different Organisations
A phishing campaign targeted Okta users at multiple companies, successfully swiping passwords from staffers and then using them to steal company secrets.
Researchers say that a mysterious “threat actor” (a fancy term for a hacker or hacker group) has managed to steal nearly 10,000 login credentials from the employees of 130 organisations, in the latest far-reaching supply chain attack on corporate America. Many of the victims are prominent software companies, including firms like Twilio, MailChimp, and Cloudflare, among many others.
The news comes from research conducted by cyber security firm Group-IB, which began looking into the hacking campaign after a client was phished and reached out for help. The research shows that the threat actor behind the campaign, which researchers have dubbed “0ktapus,” used basic tactics to target staff from droves of well-known companies. The hacker(s) would use stolen login information to gain access to corporate networks before going on to steal data and then break into another company’s network.
“This case is of interest because despite using low-skill methods it was able to compromise a large number of well-known organisations,” researchers wrote in their blog. “Furthermore, once the attackers compromised an organisation they were quickly able to pivot and launch subsequent supply chain attacks, indicating that the attack was planned carefully in advance.”
https://gizmodo.com/oktapus-okta-hack-twilio-10000-logins-130-companies-1849457420
This Company Paid a Ransom Demand. Hackers Leaked Its Data Anyway
A victim of a ransomware attack paid to restore access to their network – but the cyber criminals didn't hold up their end of the deal.
The real-life incident, as detailed by cyber security researchers at Barracuda Networks, took place in August 2021, when hackers from BlackMatter ransomware group used a phishing email to compromise the account of a single victim at an undisclosed company.
From that initial entry point, the attackers were able to expand their access to the network by moving laterally around the infrastructure, ultimately leading to the point where they were able to install hacking tools and steal sensitive data. Stealing sensitive data has become a common part of ransomware attacks. Criminals leverage it as part of their extortion attempts, threatening to release it if a ransom isn't received.
The attackers appear to have had access to the network for at least a few weeks, seemingly going undetected before systems were encrypted and a ransom was demanded, to be paid in Bitcoin.
Cyber security agencies warn that despite networks being encrypted, victims shouldn't pay ransom demands for a decryption key because this only shows hackers that such attacks are effective.
https://www.zdnet.com/article/this-company-paid-a-ransom-demand-hackers-leaked-its-data-anyway/
Sophisticated BEC Scammers Bypass Microsoft 365 Multi-Factor Authentication
A Business Email Compromise (BEC) attack recently analysed by cloud incident response company Mitiga used an adversary-in-the-middle (AitM) phishing attack to bypass Microsoft Office 365 MFA and gain access to a business executive's account, and then managed to add a second authenticator device to the account for persistent access. According to the researchers, the campaign they analysed is widespread and targets large transactions of up to several million dollars each.
The attack started with a well-crafted phishing email masquerading as a notification from DocuSign, a widely used cloud-based electronic document signing service. The email was crafted to the targeted business executive, suggesting that attackers have done reconnaissance work. The link in the phishing email led to an attacker-controlled website which then redirects to a Microsoft 365 single sign-on login page.
This fake login page uses an AitM technique, where the attackers run a reverse proxy to authentication requests back and forth between the victim and the real Microsoft 365 website. The victim has the same experience as they would have on the real Microsoft login page, complete with the legitimate MFA request that they must complete using their authenticator app. Once the authentication process is completed successfully, the Microsoft service creates a session token which gets flagged in its systems that it fulfilled MFA. The difference is that since the attackers acted as a proxy, they now have this session token too and can use it to access the account.
This reverse proxy technique is not new and has been used to bypass MFA for several years. In fact, easy-to-use open-source attack frameworks have been created for this purpose.
77% Of Security Leaders Fear We’re in Perpetual Cyber War from Now On
A survey of cyber security decision makers found 77 percent think the world is now in a perpetual state of cyber warfare.
In addition, 82 percent believe geopolitics and cyber security are "intrinsically linked," and two-thirds of polled organisations reported changing their security posture in response to the Russian invasion of Ukraine.
Of those asked, 64 percent believe they may have already been the target of a nation-state-directed cyber attack. Unfortunately, 63 percent of surveyed security leaders also believe that they'd never even know if a nation-state level actor pwned them.
The survey, organised by security shop Venafi, questioned 1,100 security leaders. They said the results show cyber warfare is here, and that it's completely different to many would have imagined. "Any business can be damaged by nation-states," they stated.
It's been common knowledge for some time that government-backed advanced persistent threat (APT) crews are being used to further online geopolitical goals. Unlike conventional warfare, everyone is a target and there's no military or government method for protecting everyone.
Nor is there going to be much financial redress available. Earlier this week Lloyd's of London announced it would no longer recompense policy holders for certain nation-state attacks.
https://www.theregister.com/2022/08/27/in-brief-security/
Cyber Security Governance: A Path to Cyber Maturity
Organisations need cyber security governance programs that make every employee aware of the cyber security mitigation efforts required to reduce cyber-risks.
In an increasingly challenging threat landscape, many organisations struggle with developing and implementing effective cyber security governance. The "Managing Cybersecurity Risk: A Crisis of Confidence" infographic by the CMMI Institute and ISACA stated: "While enterprise leaders recognise that mature cyber security is essential to thriving in today's digital economy, they often lack the insights and data to have peace of mind that their organisations are efficiently and effectively managing cyber risk."
Indeed, damages from cyber crime are projected to cost the world $7 trillion in 2022, according to the "Boardroom Cybersecurity 2022 Report" from Cybersecurity Ventures. As a result, "board members and chief executives are more interested in cyber security now than ever before," the report stated, adding that the time is ripe for turning awareness into action.
How, then, can board leaders have confidence that their organisations are prepared against cyber attacks? The first order of business for most organisations is to enable a strong cyber security governance program.
Cyber security governance refers to the component of governance that addresses an organisation's dependence on cyber space in the presence of adversaries. The ISO/IEC 27001 standard defines cyber security governance as the following: “The system by which an organisation directs and controls security governance, specifies the accountability framework and provides oversight to ensure that risks are adequately mitigated, while management ensures that controls are implemented to mitigate risks”.
Traditionally, cyber security is viewed through the lens of a technical or operational issue to be handled in the technology space. Cyber security planning needs to fully transition from a back-office operational function to its own area aligned with law, privacy and enterprise risk. The CISO should have a seat at the table alongside the CIO, COO, CFO and CEO. This helps the C-suite understand cyber security as an enterprise-wide risk management issue, along with the legal implications of cyber-risks, and not solely a technology issue.
https://www.techtarget.com/searchsecurity/post/Cybersecurity-governance-A-path-to-cyber-maturity
The Rise of Data Exfiltration and Why It Is a Greater Risk Than Ransomware
Ransomware is the de facto threat organisations have faced over the past few years. Threat actors were making easy money by exploiting the high valuation of cryptocurrencies and their victims' lack of adequate preparation.
Think about bad security policies, untested backups, patch management practices not up-to-par, and so forth. It resulted in easy growth for ransomware extortion, a crime that multiple threat actors around the world perpetrate.
Something's changed, though. Crypto valuations have dropped, reducing the monetary appeal of ransomware attacks due to organisations mounting better defence against ransomware.
Threat actors have been searching for another opportunity – and found one. It's called data exfiltration, or exfil, a type of espionage causing headaches at organisations worldwide.
Information exfiltration is rapidly becoming more prevalent. Earlier this year, incidents at Nvidia, Microsoft, and several other companies have highlighted how big of a problem it's become – and how, for some organisations, it may be a threat that's even bigger than ransomware.
Nvidia, for example, became entangled in a complex tit-for-tat exchange with hacker group Lapsus$. One of the biggest chipmakers in the world was faced with the public exposure of the source code for invaluable technology, as Lapsus$ leaked the source code for the company's Deep Learning Super Sampling (DLSS) research.
When it comes to exfil extortion, attackers do not enter with the primary aim of encrypting a system and causing disruption the way that a ransomware attacker does. Though, yes, attackers may still use encryption to cover their tracks.
Instead, attackers on an information exfiltration mission will move vast amounts of proprietary data to systems that they control. And here's the game: attackers will proceed to extort the victim, threatening to release that confidential information into the wild or to sell it to unscrupulous third parties.
https://thehackernews.com/2022/08/the-rise-of-data-exfiltration-and-why.html
Threats
Ransomware
[Whoa] Ransomware Strains Almost Double in Six Months from 5,400 to 10,666 (knowbe4.com)
Ransomware dominates the threat landscape - Help Net Security
We need to think about ransomware differently - Help Net Security
NATO investigates hacker sale of missile firm data - BBC News
Cyber attackers disrupt services at French hospital, demand $10 million ransom (france24.com)
New 'Agenda' Ransomware Customized for Each Victim | SecurityWeek.Com
LockBit gang hit by DDoS attack after Entrust leaks • The Register
New ransomware HavanaCrypt poses as Google software update | CSO Online
LockBit Ransomware Site Hit by DDoS Attack as Hackers Start Leaking Entrust Data | SecurityWeek.Com
New Golang Ransomware Agenda Customizes Attacks (trendmicro.com)
New 'BianLian' Ransomware Variant on the Rise (darkreading.com)
New 'Donut Leaks' extortion gang linked to recent ransomware attacks (bleepingcomputer.com)
Quantum ransomware attack disrupts govt agency in Dominican Republic (bleepingcomputer.com)
Car Dealership Hit by Major Ransomware Attack - Infosecurity Magazine
Ransomware Gang Leaks Data Allegedly Stolen from Greek Gas Supplier | SecurityWeek.Com
BEC – Business Email Compromise
Phishing & Email Based Attacks
Phishing attacks abusing SaaS platforms see a massive 1,100% growth (bleepingcomputer.com)
Researchers Warn of AiTM Attack Targeting Google G-Suite Enterprise Users (thehackernews.com)
Hiding a phishing attack behind the AWS cloud • The Register
10 key facts about callback phishing attacks - CyberTalk 2022
Other Social Engineering; Smishing, Vishing, etc
Malware
Threat actor abuses Genshin Impact Anti-Cheat driver to disable antivirus - Security Affairs
Fake DDoS Protection Alerts Distribute Dangerous RAT (darkreading.com)
Meet Borat RAT, a New Unique Triple Threat (thehackernews.com)
Donot Team group updates its Windows malware framework - Security Affairs
How 'Kimsuky' hackers ensure their malware only reach valid targets (bleepingcomputer.com)
Grandoreiro banking malware targets Mexico and Spain - Security Affairs
Fake Chrome extension 'Internet Download Manager' has 200,000 installs (bleepingcomputer.com)
Threat actors are using the Tox P2P messenger as C2 server - Security Affairs
Mobile
Internet of Things – IoT
Cyber criminals Are Selling Access to Chinese Surveillance Cameras | Threatpost
IoT Vulnerability Disclosures Up 57% in Six Months, Claroty Reveals - Infosecurity Magazine
Thousands of Organisations Remain at Risk from Critical Zero-Click IP Camera Bug (darkreading.com)
Data Breaches/Leaks
LastPass data breach: threat actors stole portion of source code - Security Affairs
Plex discloses data breach and urges password reset - Security Affairs
Plex was compromised, exposing usernames, emails, and passwords - The Verge
DoorDash discloses new data breach tied to Twilio hackers (bleepingcomputer.com)
Data on California Prisons' Visitors, Staff, Inmates Exposed | SecurityWeek.Com
Expert Commentary On The Plex Data Breach (informationsecuritybuzz.com)
Textile Company Sferra Discloses Data Breach | SecurityWeek.Com
Novant Health: Oops, we leaked 1.3m patients' info to Meta • The Register
Organised Crime & Criminal Actors
RaaS Kits Are Hiding Who The Attackers Really Are – Expert Comments (informationsecuritybuzz.com)
Researchers warn of darkverse emerging from the metaverse | CSO Online
Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain
An anatomy of crypto-enabled cyber crime | Financial Times (ft.com)
Cryptojackers Spread Across Computers Globally- IT Security Guru
Hackers Are Breaking Into and Emptying Cash App Accounts (vice.com)
Threat actors are stealing funds from General Bytes Bitcoin ATMSecurity Affairs
How Economic Changes and Crypto's Rise Are Fuelling the use of "Cyber Mules" | SecurityWeek.Com
Fraud, Scams & Financial Crime
Scammers Create “AI Hologram” of C-Suite Crypto Exec - Infosecurity Magazine
Employee fraud: Beware of deepfake job applicants - Protocol
A closer look at identity crimes committed against individuals - Help Net Security
What type of fraud enables attackers to make a living? - Help Net Security
Insurance
Software Supply Chain
Denial of Service DoS/DDoS
DDoS attacks jump 203%, patriotic hacktivism surges - Help Net Security
Threat Actor Deploys Raven Storm Tool to Perform DDoS Attacks - Infosecurity Magazine
LockBit gang hit by DDoS attack after Entrust leaks • The Register
Cloud/SaaS
Mitiga: Attackers evade Microsoft MFA to lurk inside M365 (techtarget.com)
Phishing attacks abusing SaaS platforms see a massive 1,100% growth (bleepingcomputer.com)
How complicated access management protocols have impacted cloud security - Help Net Security
Identity and Access Management
IT leaders struggling to address identity sprawl - Help Net Security
Identity Security Pain Points and What Can Be Done (darkreading.com)
Thoma Bravo: Securing digital identities has become a major priority - Help Net Security
Encryption
CISA: Action required now to prepare for quantum computing cyber threats | ZDNET
Encrypted Traffic Analysis: Mitigating Against The Risk Of Encryption (informationsecuritybuzz.com)
US Government: Stop Dickering and Prepare for Post-Quantum Encryption Now - CNET
API
Passwords, Credential Stuffing & Brute Force Attacks
Credential phishing attacks rise and represent a huge threat to businesses - Help Net Security
Twilio hackers breached over 130 organisations during months-long hacking spree | TechCrunch
FBI: Beware Residential IPs Hiding Credential Stuffing - Infosecurity Magazine
Social Media
Privacy
Travel
Hackers target hotel and travel companies with fake reservations (bleepingcomputer.com)
British Airways passengers targeted in baggage scam using Twitter | The Independent
Models, Frameworks and Standards
Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine
Lloyd's of London Introduces New War Exclusion Insurance Clauses | SecurityWeek.Com
EU Outlines Critical Cyber Response to Ukraine War - Infosecurity Magazine
Unprecedented cyber attack hit State Infrastructure of Montenegro - Security Affairs
Suspected Iranian Hackers Targeted Several Israeli Organisations for Espionage (thehackernews.com)
Nation State Actors
Nation State Actors – Russia
Microsoft: Russian hackers gain powerful 'MagicWeb' authentication bypass | ZDNET
Microsoft Attributes New Post-Compromise Capability to Nobelium - Infosecurity Magazine
Nation State Actors – Iran
Nation State Actors – Misc APT
Vulnerability Management
Up to 35% more CVEs published so far this year compared to 2021 | CSO Online
Why patching quality, vendor info on vulnerabilities are declining | CSO Online
How fast is the financial industry fixing its software security flaws? - Help Net Security
Highlighting What should be Patched First at the Endpoint (bleepingcomputer.com)
Vulnerabilities
Cisco Patches High-Severity Vulnerabilities in Business Switches | SecurityWeek.Com
CISA Warns of Active Exploitation of Palo Alto Networks' PAN-OS Vulnerability (thehackernews.com)
Critical flaw impacts Atlassian Bitbucket Server and Data Center - Security Affairs
VMware fixes privilege escalation vulnerabilities in VMware Tools - Infosecurity Magazine
VMware LPE Bug Allows Cyber attackers to Feast on Virtual Machine Data (darkreading.com)
Critical RCE bug in GitLab patched, update ASAP! (CVE-2022-2884) - Help Net Security
Zoom patches root exploit, patches patch due to root exploit • The Register
US government really hopes you've patched your Zimbra server • The Register
Apple security flaw ‘actively exploited’ by hackers to fully control devices | Apple | The Guardian
Microsoft publicly discloses details on critical ChromeOS flaw - Security Affairs
Mozilla Patches High-Severity Vulnerabilities in Firefox, Thunderbird | SecurityWeek.Com
'DirtyCred' Vulnerability Haunting Linux Kernel for 8 Years | SecurityWeek.Com
Privilege Escalation Flaw Haunts VMware Tools | SecurityWeek.Com
Other News
How attackers use and abuse Microsoft MFA - Help Net Security
There is an urgent need to reduce systemic cyber risks | Financial Times (ft.com)
We Need to Talk About How Good A.I. Is Getting - The New York Times (nytimes.com)
A lack of endpoint security strategy is leaving enterprises open to attack - Help Net Security
Twitter whistleblower report holds security lessons (techtarget.com)
Nearly 3 Years Later, SolarWinds CISO Shares 3 Lessons From the Infamous Attack (darkreading.com)
Data governance: 5 tips for holistic data protection - Microsoft Security Blog
US Government Spending Billions on Cyber security (thehackernews.com)
Sector Specific
Industry specific threat intelligence reports are available.
Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.
· Automotive
· Construction
· Critical National Infrastructure (CNI)
· Defence & Space
· Education & Academia
· Energy & Utilities
· Estate Agencies
· Financial Services
· FinTech
· Food & Agriculture
· Gaming & Gambling
· Government & Public Sector (including Law Enforcement)
· Health/Medical/Pharma
· Hotels & Hospitality
· Insurance
· Legal
· Manufacturing
· Maritime
· Oil, Gas & Mining
· OT, ICS, IIoT, SCADA & Cyber-Physical Systems
· Retail & eCommerce
· Small and Medium Sized Businesses (SMBs)
· Startups
· Telecoms
· Third Sector & Charities
· Transport & Aviation
· Web3
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.