Executive Summary

Microsoft Threat intelligence team has recently exposed the activities of a threat actor named DEV-1101. This threat actor advertises an open-source phishing kit that can be deployed to automate Adversary-in-the-middle (AiTM) campaigns. The phishing kit has the capability to circumvent multifactor authentication (MFA), evade detection through an antibot database, manage the phishing activity through telegram bots, and mimics services such as Microsoft Office or Outlook.

What’s the risk to me or my business?

If an AiTM phishing campaign is successful, the actor can set up a malicious site that will act as the intended valid website such as Microsoft Office or Microsoft Outlook. Here it can steal the credentials of the user and steal the authenticated session tokens of the MFA. In the most severe situations this can lead to a loss of confidentiality, integrity or availability of affected systems as the attacker has free access to perform any further criminal activity such as stealing, corrupting or and deleting data. Alongside the impact of the compromise, this can also lead to reputational damage and potentially financial penalties.

What can I do?

Black arrow recommends that you always deploy and maintain MFA where possible. While certain certain attacks may be able to circumvent MFA, it is important to remember that strong cyber security controls involve having layers of defences, in this case Conditional Access could be used to supplement the MFA control could reduce the risk of compromise. Organisations should also look to implement continuous monitoring for suspicious and anomalous activity to identify indicators of compromise. Other actions can be to ensure software and operating systems are up to date to avoid common vulnerabilities to be exploited.  It is also vital that this is supplemented with end-user training including phishing simulations as this is the ingress point for this type of attack. Users should be encouraged to report any instances of interactions with emails that do not seem right.

Further information on the attack method can be found here:

https://www.microsoft.com/en-us/security/blog/2023/03/13/dev-1101-enables-high-volume-aitm-campaigns-with-open-source-phishing-kit/

Need help understanding your gaps, or just want some advice? Get in touch with us.

#threatadvisory #threatintelligence #cybersecurity

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

• Russian Sanctions Instigator Lloyd's Possibly Hit by Cyber Attack

Lloyd’s of London, the London-based insurance market heavily involved in implementing sanctions against Russia, may have been hit by a cyber-attack. On Wednesday, October 5, 2022, the British insurance market revealed it had detected “unusual activity” on its systems and has turned off all external connectivity “as a precautionary measure.”

“We have informed market participants and relevant parties, and we will provide more information once our investigations have concluded,” said a Lloyd’s spokesperson.

The company did not comment on whether or not it has been contacted by hackers, if a ransom demand has been issued, or on the possible source of the attack.

However, the insurance market has been closely involved with the design and implementation of sanctions imposed on Russia in response to its invasion of Ukraine – a potential motive for the attack. Lloyd’s itself has confirmed it was working closely with British and international governments to implement such sanctions.

Around 100 insurance syndicates operate at Lloyd's.

Earlier in 2022, Lloyd’s instructed its 76 insurance syndicates to remove “nation-state-backed cyber attacks” from insurance policies by March 2023, as well as losses “arising from a war.”

https://www.infosecurity-magazine.com/news/lloyds-possibly-hit-by-cyberattack/

• Former Uber Security Chief Convicted of Covering Up Data Breach

Uber’s former head of security has been convicted of covering up a 2016 data breach at the rideshare giant, hiding details from US regulators and paying off a pair of hackers in return for their discretion.

The trial, closely watched in cyber security circles, is believed to be the first criminal prosecution of a company executive over the handling of a data breach.

Joe Sullivan, who was fired in 2017 over the incident, was found guilty by a San Francisco jury of obstructing an investigation by the Federal Trade Commission. At the time of the 2016 breach, the regulator had been investigating the car-booking service over a different cyber security lapse that had occurred two years earlier.

Jurors also convicted Sullivan of a second count related to having knowledge of but failing to report the 2016 breach to the appropriate government authorities. The incident eventually became public in 2017 when Dara Khosrowshahi, who had just taken over as chief executive, disclosed details of the attack.

Prosecutors said Sullivan had taken steps to make sure data compromised in the attack would not be revealed. According to court documents, two hackers approached Sullivan’s team to notify Uber of a security flaw that exposed the personal information of almost 60mn drivers and riders on the platform.

https://www.ft.com/content/051af6a1-41d1-4a6c-9e5a-d23d46b2a9c9

• First 72 Hours of Incident Response Critical to Taming Cyber Attack Chaos

Cyber security professionals tasked with responding to attacks experience stress, burnout, and mental health issues that are exacerbated by a lack of breach preparedness and sufficient incident response practice in their organisations.

A new IBM Security-sponsored survey published this week found that two-thirds (67%) of incident responders suffer stress and anxiety during at least some of their engagements, while 44% have sacrificed the well-being of their relationships, and 42% have suffered burnout, according to the survey conducted by Morning Consult. In addition, 68% of incidents responders often have to work on two or more incidents at the same time, increasing their stress, according to the survey's results.

Companies that plan and practice responding to a variety of incidents can lower the stress levels of their incident responders, employees, and executives, says John Dwyer, head of research for IBM Security's X-Force response team.

"Organisations are not effectively establishing their response strategies with the responders in mind — it does not need to be as stressful as it is," he says. "There is a lot of time when the responders are managing organisations during an incident, because those organisations were not prepared for the crisis that occurs. These attacks happen every day."

The IBM Security-funded study underscores why the cyber security community has focused increasingly on the mental health of its members. About half (51%) of cyber security defenders have suffered burnout or extreme stress in the past year, according to a VMware survey released in August 2021. Cyber security executives have also spotlighted the issue as one that affects the community and companies' ability to retain skilled workers.

https://www.darkreading.com/attacks-breaches/incident-response-s-first-72-hours-critical-to-taming-chaos

• Email Defences Under Siege: Phishing Attacks Dramatically Improve

This week's report that cyber attackers are laser-focused on crafting attacks specialised to bypass Microsoft's default security showcases an alarming evolution in phishing tactics, security experts said this week.

Threat actors are getting better at slipping phishing attacks through the weak spots in platform email defences, using a variety of techniques, such as zero-point font obfuscation, hiding behind cloud-messaging services, and delaying payload activation, for instance. They're also doing more targeting and research on victims.

As a result, nearly 1 in 5 phishing emails (18.8%) bypassed Microsoft's platform defences and landed in workers' inboxes in 2022, a rate that increased 74% compared to 2020, according to research published by cyber security firm Check Point Software. Attackers increasingly used techniques to pass security checks, such as Sender Policy Framework (SPF), and obfuscate functional components of an e-mail, such as using zero-size fonts or hiding malicious URLs from analysis.

The increasing capabilities of attackers is due to the better understanding of current defences, says Avanan, an email security firm acquired by Check Point in August 2021.

"It is a family of 10 to 20 techniques, but they all lead to the objective of deceiving a company's security layers," he says. "The end result is always an email that looks genuine to the recipient but looks different to the algorithm that analyses the content."

Microsoft declined to comment on the research. However, the company has warned of advanced techniques, such as adversary-in-the-middle phishing (AiTM), which uses a custom URL to place a proxy server between a victim and their desired site, allowing the attacker to capture sensitive data, such as usernames and passwords. In July, the company warned that more than 10,000 organisations had been targeted during one AiTM campaign.

https://www.darkreading.com/remote-workforce/email-defenses-under-siege-phishing-attacks-dramatically-improve

• Remote Services Are Becoming an Attractive Target for Ransomware

Stolen credentials are no longer the number one initial access vector for ransomware operators looking to infect a target network and its endpoints - instead, they’ve become more interested in exploiting vulnerabilities found in internet-facing systems.

A report from Secureworks claims ransomware-as-a-service developers are quick to add newly discovered vulnerabilities into their arsenals, allowing even less competent hackers to exploit them swiftly, and with relative ease.

In fact, the company's annual State of the Threat Report reveals that flaw exploitation in remote services accounted for 52% of all ransomware incidents the company analysed over the last 12 months.

Besides remote services, Secureworks also spotted a 150% increase in the use of infostealers, which became a “key precursor” to ransomware. Both these factors, the report stresses, kept ransomware as the number one threat for businesses of all sizes, “who must fight to stay abreast of the demands of new vulnerability prioritisation and patching”.

All things considered, ransomware is still the biggest threat for businesses. It takes up almost a quarter of all attacks that were reported in the last 12 months, Secureworks says, and despite law enforcement being actively involved, operators remained highly active.

https://www.techradar.com/news/remote-services-are-becoming-an-attractive-target-for-ransomware

• Growing Reliance on Cloud Brings New Security Challenges

There was a time when cloud was just a small subset of IT infrastructure, and cloud security referred to a very specific set of tasks. The current reality is very different, organisations are heavily dependent on cloud technologies and cloud security has become a much more complex endeavour.

Organisations increasingly rely on the cloud to deliver new applications, reduce costs, and support business operations. One in every four organisations already have majority workloads in the cloud, and 44% of workloads currently run in some form of public cloud, says Omdia, a research and advisory group.

Practically every midsize and large organisation now operates in some kind of a hybrid cloud environment, with a mix of cloud and on-premises systems. For most organisations, software-as-a-service constitute the bulk (80%) of their cloud environments, followed by infrastructure-as-a-service and platform-as-a-service deployments.

In the past, cloud security conversations tended to focus on making sure cloud environments are being configured properly, but cloud security nowadays goes far beyond just configuration management. The sprawling cloud environment means security management has to be centralised, Omdia said. Security functions also need to be integrated into existing application deployment workflows.

On top of all of this, multicloud is becoming more common among organisations as they shift their workloads to avoid being dependent on a single platform. The three major cloud providers – Amazon Web Services, Microsoft Azure, and Google Cloud Platform – account for 65% of the cloud market.

https://www.darkreading.com/dr-tech/growing-reliance-on-cloud-brings-new-security-challenges

• Many IT Pros Don’t Think a Ransomware Attack Can Impact Microsoft 365 Data

The 2022 Ransomware Report, which surveyed over 2,000 IT leaders, revealed that 24% have been victims of a ransomware attack, with 20% of attacks happening in the last year.

Cyber attacks are happening more frequently. Last year’s ransomware survey revealed that 21% of companies experienced an attack. This year it rose by three percent to 24%.

“Attacks on businesses are increasing, and there is a shocking lack of awareness and preparation by IT pros. Our survey shows that many in the IT community have a false sense of security. As bad actors develop new techniques, companies like ours have to do what it takes to come out ahead and protect businesses around the world,” said Hornetsecurity.

The report highlighted a lack of knowledge on the security available to businesses. 25% of IT professionals either don’t know or don’t think that Microsoft 365 data can be impacted by a ransomware attack.

Just as worryingly, 40% of IT professionals that use Microsoft 365 in their organisation admitted they do not have a recovery plan in case their Microsoft 365 data was compromised by a ransomware attack.

“Microsoft 365 is vulnerable to phishing attacks and ransomware attacks, but with the help of third-party tools, IT admins can backup their Microsoft 365 data securely and protect themselves from such attacks,” said Hofmann.

https://www.helpnetsecurity.com/2022/10/03/ransomware-attack-impact-microsoft-365-data/

• Ransomware Group Bypasses "Enormous" Range of EDR Tools

A notorious ransomware group has been spotted leveraging sophisticated techniques to bypass endpoint detection and response (EDR) tools.

BlackByte, which the US government has said poses a serious threat to critical infrastructure, used a “Bring Your Own Driver” technique to circumvent over 1000 drivers used by commercially available EDR products, according to Sophos. The UK cyber security vendor explained in a new report that the group had exploited a known vulnerability, CVE-2019-16098, in Windows graphics utility driver RTCorec6.sys. This enabled it to communicate directly with a victim system’s kernel and issue commands to disable callback routines used by EDR tools.

The group also used EDR bypass techniques borrowed from open source tool EDRSandblast to deactivate the Microsoft-Windows-Threat-Intelligence ETW (Event Tracing for Windows) provider. This is a Windows feature “that provides logs about the use of commonly maliciously abused API calls such as NtReadVirtualMemory to inject into another process’s memory,” explained Sophos. Neutralising it in this way renders any security tool relying on the feature also useless, the firm argued.

“If you think of computers as a fortress, for many EDR providers, ETW is the guard at the front gate,” said Sophos. “If the guard goes down, then that leaves the rest of the system extremely vulnerable. And, because ETW is used by so many different providers, BlackByte’s pool of potential targets for deploying this EDR bypass is enormous.”

BlackByte is not the only ransomware group using these advanced techniques to get around existing detection tools, illustrating the continued arms race between attackers and defenders. AvosLocker used a similar method in May, Sophos said. “Anecdotally, from what we’re seeing in the field, it does appear that EDR bypass is becoming a more popular technique for ransomware threat groups,” the firm confirmed. “This is not surprising. Threat actors often leverage tools and techniques developed by the ‘offensive security’ industry to launch attacks faster and with minimal effort.”

https://www.infosecurity-magazine.com/news/ransomware-bypasses-enormous-range/

• MS Exchange Zero-Days: The Calm Before the Storm?

Two exploited MS Exchange zero-days that still have no official fix, have been added to CISA’s Known Exploited Vulnerabilities (KEV) Catalog.

But mitigating the risk of exploitation until patches are ready will require patience and doggedness, as Microsoft is still revising its advice to admins and network defenders, and still working on the patches.

The two vulnerabilities were publicly documented last Wednesday, by researchers with Vietnamese company GTSC, and Microsoft soon after sprung into (discernible) action by offering customer guidance, followed by an analysis of the attacks exploiting the two vulnerabilities. Several changes have been made to the documents since then, after the company found and other researchers pointed out several shortcomings.

Microsoft says its threat analysts observed “activity related to a single activity group in August 2022 that achieved initial access and compromised Exchange servers by chaining CVE-2022-41040 and CVE-2022-41082 in a small number of targeted attacks,” and that the attackers breached fewer than 10 organisations globally. “MSTIC assesses with medium confidence that the single activity group is likely to be a state-sponsored organisation,” they added.

The other good news is there are still no public exploits for the two vulnerabilities. But, Microsoft says, “Prior Exchange vulnerabilities that require authentication have been adopted into the toolkits of attackers who deploy ransomware, and these vulnerabilities are likely to be included in similar attacks due to the highly privileged access Exchange systems confer onto an attacker.”

Enterprise defenders should expect trouble via this attack path in the near future, it seems, so keeping abreast of the changing situation and springing into action as quickly as possible once the patches are made available is advised. Scammers have since started impersonating security researchers and offering non-existing PoC exploits for CVE-2022-41082 for sale via GitHub

https://www.helpnetsecurity.com/2022/10/03/ms-exchange-cve-2022-41040-cve-2022-41082/

• Average Company with Data in the Cloud Faces $28 Million in Data-Breach Risk

Hard-to-control collaboration, complex SaaS permissions, and risky misconfigurations — such as admin accounts without multi-factor authentication (MFA) — have left a dangerous amount of cloud data exposed to insider threats and cyber attacks, according to Varonis.

For the report, researchers analysed nearly 10 billion cloud objects (more than 15 petabytes of data) across a random sample of data risk assessments performed at more than 700 companies worldwide. In the average company, 157,000 sensitive records are exposed to everyone on the internet by SaaS sharing features, representing $28 million in data-breach risk, Varonis researchers have found.

One out of every 10 records in the cloud is exposed to all employees — creating an impossibly large internal blast radius, which maximises damage during a ransomware attack. The average company has 4,468 user accounts without MFA enabled, making it easier for attackers to compromise internally exposed data.

Out of 33 super admin accounts in the average organisation, more than half did not have MFA enabled. This makes it easier for attackers to compromise these powerful accounts, steal more data, and create backdoors. Companies have more than 40 million unique permissions across SaaS applications, creating a nightmare for IT and security teams responsible for managing and reducing cloud data risk.

“Cloud security shouldn’t be taken for granted. When security teams lack critical visibility to manage and protect SaaS and IaaS apps and services, it’s nearly impossible to ensure your data isn’t walking out the door,” said Varonis. “This report is a true-to-life picture of over 700 real-world risk assessments of production SaaS environments. The results underscore the urgent need for CISOs to uncover and remediate their cloud risk as quickly as possible.”

https://www.helpnetsecurity.com/2022/10/05/company-data-breach-risk/

• Secureworks Finds Network Intruders See Little Resistance

Attackers who break into networks only need to take a few basic measures in order to avoid detection.

Security vendor Secureworks said in its annual State of the Threat report that it observed several data breaches between June 2021 and June 2022 and found that, by and large, once network intruders gained a foothold on the targets' environment, they had to do relatively little to stay concealed.

"One thing that is notable about them is that none of these techniques are particularly sophisticated," the vendor said. "That is because threat actors do not need them to be; the adversary will only innovate enough to achieve their objectives. So there is a direct relationship between the maturity of the controls in a target environment and the techniques they employ to bypass those controls."

Among the more basic measures taken by the attackers was coding their tools in newer languages such as Go or Rust. This tweak created enough of a difference in the software to evade signature-checking tools, according to Secureworks' report. In other cases, the network intruders hid their activity by packing their malware within a trusted Windows installer or by sneaking it into the Authenticode signature of a trusted DLL. In another case, a malware infection was seen moving data out of the victim's network via TOR nodes. While effective, Secureworks said the techniques are hardly innovative. Rather, they indicate that threat actors find themselves only needing to do the bare minimum to conceal themselves from detection.

https://www.techtarget.com/searchsecurity/news/252525696/Secureworks-finds-network-intruders-see-little-resistance

• Regulations, Laws and Accountability are Changing the Cyber Security Landscape

As cyber criminals continue to develop new ways to wreak havoc, regulators have been working to catch up. They aim to protect data and consumers while avoiding nation-state attacks that are a risk to national and economic security. But some of these regulations may provide an opportunity for MSSPs.

Some of these regulations are a response to what’s generally been a hands-off approach to telling organisations what to do. Unfortunately, cyber security isn’t always prioritised when budgets and resources are allocated. The result is a steadily rising tide of breaches and exploits that have held organisations hostage and made private information available on the dark web.

The new regulations are coming from all directions: at the state and federal levels in the US and around the world. While many of these regulations aren’t yet final, there’s no reason not to start aligning with where trends will ease the impact of changing rules. At the same time, many organisations want to hold the government responsible for some kinds of attacks. It will be interesting to see how regulating works, as most politicians and bureaucrats aren’t known for their technological savvy.

In the US, for example, new regulations are in development in the Federal Trade Commission, Food and Drug Administration, Department of Homeland Security, Department of Transportation, Department of Energy, and the Cybersecurity and Infrastructure Security Agency. Thirty-six states have enacted cyber security legislation, and the count increases as other countries join.

One of the motivating factors for all these new regulations is that most cyber attacks aren’t reported. Lawmakers realise cyber security threats continue to be one of the top national security and economic risks. In the last year and a half (2020-2022), there have been attacks on America’s gas supply, meat supply, and various other companies, courts, and government agencies. One FBI cyber security official estimated the government only learns about 20% to 25% of intrusions at US business and academic institutions.

In March, Congress passed legislation requiring critical infrastructure operators to report significant cyber attacks to CISA within 72 hours of learning about the attack. It also required them to report a ransomware payment within 24 hours. These regulations will also consider reporting “near misses” so that this data can also be studied and tracked. The problem is, how does one define a “near miss”?

https://www.msspalert.com/cybersecurity-guests/regulations-laws-and-accountability-are-changing-the-cybersecurity-landscape/

• This Year’s Biggest Cyber Threats

OpenText announced the Nastiest Malware of 2022, a ranking of the year’s biggest cyber threats. For the fifth year running, experts combed through the data, analysed different behaviours, and determined which malicious payloads are the nastiest.

Emotet regained its place at the top, reminding the world that while affiliates may be taken down, the masterminds are resilient. LockBit evolved its tactics into something never seen before: triple extortion. Analysis also revealed an almost 1100% increase in phishing during the first four months of 2022 compared to the same period in 2021, indicating a possible end to the “hacker holiday,” a hacker rest period following the busy holiday season.

“The key takeaway from this year’s findings is that malware remains centre stage in the threats posed towards individuals, businesses, and governments,” said OpenText.

“Cyber criminals continue to evolve their tactics, leaving the infosec community in a constant state of catch-up. With the mainstream adoption of ransomware payloads and cryptocurrency facilitating payments, the battle will continue. No person, no business—regardless of size—is immune to these threats.”

While this year’s list may designate payloads into different categories of malware, it’s important to note many of these bad actor groups contract work from others. This allows each group to specialise in their respective payload and perfect it.

https://www.helpnetsecurity.com/2022/10/06/2022-nastiest-malware/

Threats

Ransomware and Extortion

• Ransomware Attacks On The Rise, Secureworks Reveals in its State of the Threat Report - MSSP Alert

• Ransomware: This is how half of attacks begin, and this is how you can stop them | ZDNET

• Fake adult sites push data wipers disguised as ransomware (bleepingcomputer.com)

• Ferrari Hit By Ransomware Attack: 7 GB Of Data Published Online – Expert (informationsecuritybuzz.com)

• BlackByte Ransomware Abuses Vulnerable Windows Driver to Disable Security Solutions (thehackernews.com)

• BlackByte ransomware abuses legit driver to disable security products (bleepingcomputer.com)

• Ransomware attacks ravage schools, municipal governments (techtarget.com)

• Ransomware 3.0: The Next Frontier (darkreading.com)

• More and more ransomware is just data theft, no encryption • The Register

• Netwalker ransomware affiliate sentenced to 20 years in prison (bleepingcomputer.com)

• Cheerscrypt ransomware is linked to Chinese DEV-0401 APT group - Security Affairs

• ADATA denies RansomHouse cyber attack, says leaked data from 2021 breach (bleepingcomputer.com)

• Avast releases a free decryptor for some Hades ransomware variants - Security Affairs

• Cyber criminals Leak LA School Data After It Refuses to Ransom (vice.com)

• How Ransomware Is Causing Chaos in American Schools (vice.com)

• Ransomware hunters: the self-taught tech geniuses fighting cyber crime | Cyber crime | The Guardian

BEC – Business Email Compromise

• BEC fraudster and romance scammer sent to prison for 25 years – Naked Security (sophos.com)

• Hackers Target Homebuyers’ Life Savings in Real Estate Scam - Bloomberg

Phishing & Email Based Attacks

• Hackers Can Use 'App Mode' in Chromium Browsers' for Stealth Phishing Attacks (thehackernews.com)

• Phishing Campaigns Target KFC, McDonald's in Saudi Arabia, UAE, Singapore - Infosecurity Magazine (infosecurity-magazine.com)

Other Social Engineering; Smishing, Vishing, etc

• Callback phishing attacks evolve their social engineering tactics (bleepingcomputer.com)

• 3 ways enterprises can mitigate social engineering risks - Help Net Security

Malware

• OpenText Releases List Of The Year’s “Nastiest” Malware - MSSP Alert

• This devious malware is able to disable your antivirus | TechRadar

• Bumblebee Malware Loader's Payloads Significantly Vary by Victim System (darkreading.com)

• Eternity Group Hackers Offering New LilithBot Malware-as-a-Service to Cyber criminals (thehackernews.com)

• Live support service hacked to spread malware in supply chain attack (bleepingcomputer.com)

• NullMixer Dropper Delivers a Multimalware Code Bomb (darkreading.com)

• Maggie malware already infected over 250 Microsoft SQL servers - Security Affairs

Mobile

• Android Spyware 'RatMilad' Targets Enterprise Devices in Iran - Infosecurity Magazine (infosecurity-magazine.com)

Internet of Things – IoT

• 7 IoT Devices That Make Security Pros Cringe (darkreading.com)

• Ikea Smart Light System Flaw Lets Attackers Turn Bulbs on Full Blast (darkreading.com)

• Acronis founder is afraid of his own vacuum cleaner • The Register

Data Breaches/Leaks

• “Egypt Leaks” – Hacktivists are Leaking Financial Data - Security Affairs

• No Shangri-La for you: Top hotel chain confirms data leak • The Register

• Home Office reprimanded after sensitive counter-terror documents left at London venue | The Independent

• NSA: Someone hacked military contractor and stole data • The Register

• City of Tucson discloses data breach affecting over 123,000 people (bleepingcomputer.com)

• Optus Says ID Numbers of 2.1 Million Compromised in Data Breach | SecurityWeek.Com

• Aussie Telco Telstra Breached, Reportedly Exposing 30,000 Employees' Data (darkreading.com)

• 2K warns users their info has been stolen following breach of its help desk | Ars Technica

• Russian retail chain 'DNS' confirms hack after data leaked online (bleepingcomputer.com)

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

• Breaking: Scams Linked To Crypto Soared By 335% (informationsecuritybuzz.com)

• Hacker steals $566 million worth of crypto from Binance Bridge (bleepingcomputer.com)

• Hackers are breaching scam sites to hijack crypto transactions (bleepingcomputer.com)

• Binance Says $100 Million Stolen in Latest Crypto Hack (gizmodo.com)

• Hackers are breaching scam sites to hijack crypto transactions (bleepingcomputer.com)

Insider Risk and Insider Threats

• Why Don't CISOs Trust Their Employees? (darkreading.com)

• Meta sues app dev for stealing over 1 million WhatsApp accounts (bleepingcomputer.com)

• To avoid insider threats, try empathy - Help Net Security

• Microsoft publishes report on holistic insider risk management - Microsoft Security Blog

• Unearth offboarding risks before your employees say goodbye - Help Net Security

• Splunk alleges source code theft by former employee • The Register

• Ex-NSA Employee Arrested for Trying to Sell U.S. Secrets to a Foreign Government (thehackernews.com)

Fraud, Scams & Financial Crime

• ICO Fines Four "Predatory" Privacy-Invading Firms - Infosecurity Magazine (infosecurity-magazine.com)

• Consumers Feel Hopeless in Protecting Themselves Against Cyber crime, ISACA Reports - MSSP Alert

• BEC fraudster and romance scammer sent to prison for 25 years – Naked Security (sophos.com)

• Hackers Target Homebuyers’ Life Savings in Real Estate Scam - Bloomberg

• Russians dodging mobilization behind flourishing scam market (bleepingcomputer.com)

• Scammers and rogue callers – can anything ever stop them? – Naked Security (sophos.com)

• Healthcare Company Owners Get Jail Time for $7m Fraud Scheme - Infosecurity Magazine (infosecurity-magazine.com)

• Online romance scam boss netted $9.5m, jailed for 25 years • The Register

Deepfakes

• How a deepfake Mark Ruffalo scammed half a million dollars from a lonely heart • Graham Cluley

Supply Chain and Third Parties

• Live support service hacked to spread malware in supply chain attack (bleepingcomputer.com)

• Supply Chain Attack Targets Customer Engagement Firm Comm100 | SecurityWeek.Com

Denial of Service DoS/DDoS

• DDoS Attacks Spike in First Half of 2022 to Highest Levels in Four Years - MSSP Alert

Cloud/SaaS

• How Will the Metaverse Affect Cloud Security? (trendmicro.com)

• Hardening data security in the cloud • The Register

• Monitoring Your Cloud And Hybrid IT Infrastructure: How To Find The Right Monitoring Solution (informationsecuritybuzz.com)

Encryption

• Loads of connected PostgreSQL systems do not use SSL • The Register

API

• More Than 30% of All Malicious Attacks Target Shadow APIs (darkreading.com)

• APIs are quickly becoming the most popular attack vector - Help Net Security

• The Problem of API Security and How To Fix It (informationsecuritybuzz.com)

• API authentication failures demonstrate the need for zero trust - Help Net Security

• Shadow APIs hit with 5 billion malicious requests - Help Net Security

Open Source

• When transparency is also obscurity: The conundrum that is open-source security - Help Net Security

• How Secure is Using Open Source Components? - IT Security Guru

Passwords, Credential Stuffing & Brute Force Attacks

• Microsoft warns Basic Auth users over password spray attacks • The Register

• Is mandatory password expiration helping or hurting your password security? - Help Net Security

• Detecting and preventing LSASS credential dumping attacks - Microsoft Security Blog

• Meta Says It Has Busted More Than 400 Login-Stealing Apps This Year | WIRED

Privacy, Surveillance and Mass Monitoring

• The gap between security and privacy, and what it will take to bridge it - Help Net Security

• ICO Fines Four "Predatory" Privacy-Invading Firms - Infosecurity Magazine (infosecurity-magazine.com)

Regulations, Fines and Legislation

• New Telecoms Security Framework Comes Into Force (informationsecuritybuzz.com)

Models, Frameworks and Standards

• CIS Controls v8: Safeguards to mitigate the most prevalent cyber-attacks - Help Net Security

Secure Disposal

• The astronomical costs of an asset disposal program gone wrong | CSO Online

• New forensic analysis of electronical devices unveils dangers of inadequate data disposal for individuals and businesses - Business in the News

Backup and Recovery

• Giving Away the Keys to Your Backups? Here’s How to Keep Out Hackers (darkreading.com)

Law Enforcement Action and Take Downs

• Police arrest teen for using leaked Optus data to extort victims (bleepingcomputer.com)

Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine

• Relentless Russian Cyber attacks on Ukraine Raise Important Policy Questions (darkreading.com)

• Finnish intelligence warns of Russia's cyber espionage activities - Security Affairs

• Kazakhstan Pins Wave Of Cyber attacks On Foreign Actors | OilPrice.com

• Albania weighed invoking NATO’s Article 5 over Iranian cyber attack - POLITICO

• Russian Hackers Take Aim at Kremlin Targets: Report - Infosecurity Magazine (infosecurity-magazine.com)

• We breached Russian satellite network, say pro-Ukraine partisans | Cybernews

• Ukrainian forces report Starlink outages during push against Russia | Financial Times (ft.com)

• Android Spyware 'RatMilad' Targets Enterprise Devices in Iran - Infosecurity Magazine (infosecurity-magazine.com)

• Report: Mexico Continued to Use Spyware Against Activists | SecurityWeek.Com

Nation State Actors

Nation State Actors – China

• US authorities name China's 20 favourite vulns to exploit • The Register

• Cheerscrypt ransomware is linked to Chinese DEV-0401 APT group - Security Affairs

Nation State Actors – North Korea

• Lazarus employed an exploit in a Dell firmware driver in recent attacks - Security Affairs

Vulnerability Management

• CISA mandates vulnerability detection and reporting rules • The Register

• The Zero Day Dilemma | SecurityWeek.Com

Vulnerabilities

• Microsoft Issues Improved Mitigations for Unpatched Exchange Server Vulnerabilities (thehackernews.com)

• Fortinet warns admins to patch critical auth bypass bug immediately (bleepingcomputer.com)

• Cisco Patches High-Severity Vulnerabilities in Communications, Networking Products | SecurityWeek.Com

• Atlassian, Microsoft bugs make CISA’s must-patch list • The Register

• US authorities name China's 20 favourite vulns to exploit • The Register

• October 2022 Patch Tuesday forecast: Looking for treats, not more tricks - Help Net Security

• Fake Microsoft Exchange ProxyNotShell exploits for sale on GitHub (bleepingcomputer.com)

• CISA Warns of Attacks Exploiting Recent Atlassian Bitbucket Vulnerability | SecurityWeek.Com

• No fix in sight for mile-wide loophole plaguing a key Windows defence for years | Ars Technica

• Hackers Exploiting Unpatched RCE Flaw in Zimbra Collaboration Suite (thehackernews.com)

• Lazarus employed an exploit in a Dell firmware driver in recent attacks - Security Affairs

• Unpatched Zimbra flaw under attack is letting hackers backdoor servers | Ars Technica

• macOS Archive Utility Bug Lets Malicious Apps Bypass Security Checks (darkreading.com)

• Fortinet Warns of New Auth Bypass Flaw Affecting FortiGate and FortiProxy (thehackernews.com)

• VMware fixed a high-severity bug in vCenter Server - Security Affairs

• BlackByte Ransomware Abuses Vulnerable Windows Driver to Disable Security Solutions (thehackernews.com)

Reports Published in the Last Week

• 2022 State of the Threat Report | Secureworks

• Building a Holistic Insider Risk Management Program

Other News

• Guilty verdict in the Uber breach case makes personal liability real for CISOs | CSO Online

• Cyber attackers view smaller organisations as easier targets - Help Net Security

• Moody's turns up the heat on 'riskiest' sectors for attacks • The Register

• 5 reasons why security operations are getting harder | CSO Online

• Former NSA Employee Faces Death Penalty for Selling Secrets (darkreading.com)

• Fast Company Is Back From the Dead After Being Hacked (gizmodo.com)

• Ready Or Not, Web 3 Is Coming And With It Comes Cybersquatting 2.0 (informationsecuritybuzz.com)

• Cyber Hygiene: 5 Best Practices for Company Buy-In (trendmicro.com)

• School Is in Session: 5 Lessons for Future Cyber Security Pros (darkreading.com)

• Want More Secure Software? Start Recognizing Security-Skilled Developers (thehackernews.com)

• Incident responders increasingly seek out mental health assistance - Help Net Security

• You Are Not Alone If You're Unclear About Extended Detection and Response (XDR) - MSSP Alert

• Why digital trust is the bedrock of business relationships - Help Net Security

• Incident Responders Driven by Sense of Duty, Handcuffed by Volume of Cyber attacks, IBM Reports - MSSP Alert

Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

·       Automotive

·       Construction

·       Critical National Infrastructure (CNI)

·       Defence & Space

·       Education & Academia

·       Energy & Utilities

·       Estate Agencies

·       Financial Services

·       FinTech

·       Food & Agriculture

·       Gaming & Gambling

·       Government & Public Sector (including Law Enforcement)

·       Health/Medical/Pharma

·       Hotels & Hospitality

·       Insurance

·       Legal

·       Manufacturing

·       Maritime

·       Oil, Gas & Mining

·       OT, ICS, IIoT, SCADA & Cyber-Physical Systems

·       Retail & eCommerce

·       Small and Medium Sized Businesses (SMBs)

·       Startups

·       Telecoms

·       Third Sector & Charities

·       Transport & Aviation

·       Web3

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

• Lloyd's to Exclude Certain Nation-State Attacks from Cyber Insurance Policies

Lloyd's of London insurance policies will stop covering losses from certain nation-state cyber attacks and those that happen during wars, beginning in seven months' time.

In a memo sent to the company's 76-plus insurance syndicates, underwriting director Tony Chaudhry said Lloyd's remains "strongly supportive" of cyber attack coverage. However, as these threats continue to grow, they may "expose the market to systemic risks that syndicates could struggle to manage," he added, noting that nation-state-sponsored attacks are particularly costly to cover.

Because of this, all standalone cyber attack policies must include "a suitable clause excluding liability for losses arising from any state-backed cyber attack," Chaudhry wrote. These changes will take effect beginning March 31, 2023 at the inception or renewal of each policy.

At a minimum (key word: minimum) these policies must exclude losses arising from a war, whether declared or not, if the policy doesn't already have a separate war exclusion. They must also at least exclude losses from nation-state cyber attacks that "significantly impair the ability of a state to function or that significantly impair the security capabilities of a state."

Policies must also "set out a robust basis" on which to attribute state-sponsored cyber attacks, according to Chaudhry – and therein lies the rub.

Attributing a cyber attack to a particular crime group or nation-state with 100 percent confidence "is absolutely hard," NSA director of cybersecurity Rob Joyce said at this year's RSA Conference.

Threat analysts typically attribute an attack to a nation-state from its level of sophistication, but as advanced persistent crime groups become more sophisticated – and have more resources at their disposal to buy zero-day exploits and employ specialists for each stage of an attack – differentiating between nation-states and cyber crime gangs becomes increasingly difficult, he explained.

There are times when nation-states will act like criminals, using their tools and infrastructure, and sometimes vice versa. The clear line of sophistication and stealth that many have used as a common sense delineation has blurred. Yet, If you are going to pay out money you are likely going to look for something that is more ironclad and likely related to forensic evidence.

https://www.theregister.com/2022/08/24/lloyds_cybersecurity_insurance/

• Cyber Security Top Risk for Enterprise C-Suite Leaders, PwC Study Says

Cyber security is now firmly on the agenda of the entire C-suite, consultancy PricewaterhouseCoopers (PwC) reports in a new survey of more than 700 business leaders across a variety of industries.

Of key enterprise issues, cyber security ranks at the top of business risks, with nearly 80% of the respondents considering it a moderate to serious risk. The warning isn’t confined to just chief information security officers, but ranges from chief executives to chief financial officers, chief operating officers, chief technology officers, chief marketing officers and includes corporate board members. Virtually all roles ranked cyber attacks high on their list of risks, PwC said.

Overall, 40% of business leaders ranked cyber security as the top serious risk facing their companies, and 38% ranked it a moderate risk.

Here are six steps businesses can take to address cyber security concerns:

1. View cyber security as a broad business concern and not just an IT issue.

2. Build cyber security and data privacy into agendas across the C-suite and board.

3. Increase investment to improve security.

4. Educate employees on effective cyber security practices.

5. For each new business initiative or transformation, make sure there’s a cyber plan in place.

6. Use data and intelligence to regularly measure cyber risks. Proactively look for blind spots in third-party relationships and supply chains.

https://www.msspalert.com/cybersecurity-research/cybersecurity-top-risk-for-enterprise-c-suite-leaders-pwc-study-says/

• Apathy Is Your Company's Biggest Cyber Security Vulnerability — Here's How to Combat It

Human error continues to be the leading cause of a cyber security breach. Nearly 60% of organisations experienced a data loss due to an employee's mistake on email in the last year, while one in four employees fell for a phishing attack.

Employee apathy, while it may not seem like a major cyber security issue, can leave an organisation vulnerable to both malicious attacks and accidental data loss. Equipping employees with the tools and knowledge they need to prevent these risks has never been more important to keep organisations safe.

A new report from Tessian sheds light on the full extent of employee apathy and its impact on cyber security posture. The report found that a significant number of employees aren't engaged in their organisation's cyber security efforts and don't understand the role they play. One in three employees say they don't understand the importance of cyber security at work. What's more, only 39% say they're very likely to report a cyber security incident. Why? A quarter of employees say they don't care enough about cyber security to mention it.

This is a serious problem. IT and security teams can't investigate or remediate a threat they don't know about.

Employees play an important role in flagging incidents or suspicious activity early on to prevent them from escalating to a costly breach. Building a strong cyber security culture can mitigate apathy by engaging employees as part of the solution and providing the tools and training they need to work productively and securely.

https://www.darkreading.com/attacks-breaches/apathy-is-your-company-s-biggest-cybersecurity-vulnerability-here-s-how-to-combat-it

• The World’s Largest Sovereign Wealth Fund Warns Cyber Security Is Top Concern, as Attacks on Banks and Financial Service Double

Cyber security has eclipsed tumultuous financial markets as the biggest concern for the world’s largest sovereign wealth fund, as it faces an average of three “serious” cyber attacks each day.

The number of significant hacking attempts against Norway’s $1.2tn oil fund, Norges Bank Investment Management, has doubled in the past two to three years.

The fund, which reported its biggest half-year dollar loss last week after inflation and recession fears shook markets, suffers about 100,000 cyber attacks a year, of which it classifies more than 1,000 as serious, according to its top executives.

“I’m worried about cyber more than I am about markets,” their CEO told the Financial Times. “We’re seeing many more attempts, more attacks [that are] increasingly sophisticated.”

The fund’s top executives are even concerned that concerted cyber attacks are becoming a systemic financial risk as markets become increasingly digitised.

Their deputy CEO pointed to the 2020 attack on SolarWinds, a software provider, by Russian state-backed hackers that allowed them to breach several US government agencies, including the Treasury and Pentagon, and a number of Fortune 500 companies including Microsoft, Intel and Deloitte.

“They estimate there were 1,000 Russians [involved] in that one attack, working in a co-ordinated fashion. I mean, Jesus, that’s our whole building on one attack, so you’re up against some formidable forces there,” he said.

Cyber attacks targeting the financial industry have risen sharply in recent months. Malware attacks globally rose 11 per cent in the first half of 2022, but they doubled at banks and financial institutions, according to cyber security specialist SonicWall. Ransomware attacks dropped 23 per cent worldwide, but increased 243 per cent against financial targets in the same period.

https://www.ft.com/content/1aa6f92a-078b-4e1a-81ca-65298b8310b2

Configuration Errors to Blame for 80% of Ransomware

The vast majority (80%) of ransomware attacks can be traced back to common configuration errors in software and devices, according to Microsoft.

The tech giant’s latest Cyber Signals report focuses on the ransomware as a service (RaaS) model, which it claims has democratised the ability to launch attacks to groups “without sophistication or advanced skills.” Some RaaS programs now have over 50 affiliate groups on their books.

For defenders, a key challenge is ensuring they don’t leave systems misconfigured, it added.

“Ransomware attacks involve decisions based on configurations of networks and differ for each victim even if the ransomware payload is the same,” the report argued. “Ransomware culminates an attack that can include data exfiltration and other impacts. Because of the interconnected nature of the cyber-criminal economy, seemingly unrelated intrusions can build upon each other.”

Although each attack is different, Microsoft pointed to missing or misconfigured security products and legacy configurations in enterprise apps as two key areas of risk exposure.

“Like smoke alarms, security products must be installed in the correct spaces and tested frequently. Verify that security tools are operating in their most secure configuration, and that no part of a network is unprotected,” it urged. “Consider deleting duplicative or unused apps to eliminate risky, unused services. Be mindful of where you permit remote helpdesk apps like TeamViewer. These are notoriously targeted by threat actors to gain express access to laptops.”

Although not named in the report, another system regularly misconfigured and hijacked by ransomware actors is the remote desktop protocol (RDP), which often is not protected by a strong password or two-factor authentication. It’s widely believed to be one of the top three vectors for attack.

The bad news for network defenders is they don’t have much time after initial compromise to contain an attack. Microsoft claimed the median time for an attacker to begin moving laterally inside the network after device compromise is one hour, 42 minutes. The median time for an attacker to access private data following a phishing email is one hour, 12 minutes, the firm added.

https://www.infosecurity-magazine.com/news/configuration-errors-blame-80/

• Ransomware Surges to 1.2 Million Attacks Per Month

Ransomware threat detections have risen to over one million per month this year, with a French hospital the latest to suffer a major outage.

The 1000-bed Center Hospitalier Sud Francilien (CHSF) near Paris revealed it was hit on Sunday morning, in an attack which has knocked out all the hospital's business software, storage systems including medical imaging, and patient admissions. This has led to all but the most urgent emergency patients being diverted to other facilities in the region.

France24 cited figures claiming cyber-attacks against French hospitals surged 70% year-on-year in 2021. "Each day we need to rewrite patients' medications, all the prescriptions, the discharge prescriptions," Valerie Caudwell, president of the medical commission at CHSF hospital, reportedly said. "For the nurses, instead of putting in all the patients' data on the computer, they now need to file it manually from scratch."

Reports suggest Lockbit 3.0 may be to blame for the $10m ransom demand, which the hospital is refusing to pay.

Barracuda Networks claimed in a new report out today that education, municipalities, healthcare, infrastructure and finance have remained the top five targets for ransomware over the past 12 months. However, while attacks on local government increased only slightly, those targeting educational institutions more than doubled, and attacks on the healthcare and financial verticals tripled. Overall, Barracuda claimed that ransomware detections between January and June of this year climbed to more than 1.2 million per month.

https://www.infosecurity-magazine.com/news/ransomware-surges-to-12-million/

• A Massive Hacking Campaign Stole 10,000 Login Credentials From 130 Different Organisations

A phishing campaign targeted Okta users at multiple companies, successfully swiping passwords from staffers and then using them to steal company secrets.

Researchers say that a mysterious “threat actor” (a fancy term for a hacker or hacker group) has managed to steal nearly 10,000 login credentials from the employees of 130 organisations, in the latest far-reaching supply chain attack on corporate America. Many of the victims are prominent software companies, including firms like Twilio, MailChimp, and Cloudflare, among many others.

The news comes from research conducted by cyber security firm Group-IB, which began looking into the hacking campaign after a client was phished and reached out for help. The research shows that the threat actor behind the campaign, which researchers have dubbed “0ktapus,” used basic tactics to target staff from droves of well-known companies. The hacker(s) would use stolen login information to gain access to corporate networks before going on to steal data and then break into another company’s network.

“This case is of interest because despite using low-skill methods it was able to compromise a large number of well-known organisations,” researchers wrote in their blog. “Furthermore, once the attackers compromised an organisation they were quickly able to pivot and launch subsequent supply chain attacks, indicating that the attack was planned carefully in advance.”

https://gizmodo.com/oktapus-okta-hack-twilio-10000-logins-130-companies-1849457420

• This Company Paid a Ransom Demand. Hackers Leaked Its Data Anyway

A victim of a ransomware attack paid to restore access to their network – but the cyber criminals didn't hold up their end of the deal.

The real-life incident, as detailed by cyber security researchers at Barracuda Networks, took place in August 2021, when hackers from BlackMatter ransomware group used a phishing email to compromise the account of a single victim at an undisclosed company.

From that initial entry point, the attackers were able to expand their access to the network by moving laterally around the infrastructure, ultimately leading to the point where they were able to install hacking tools and steal sensitive data. Stealing sensitive data has become a common part of ransomware attacks. Criminals leverage it as part of their extortion attempts, threatening to release it if a ransom isn't received. 

The attackers appear to have had access to the network for at least a few weeks, seemingly going undetected before systems were encrypted and a ransom was demanded, to be paid in Bitcoin.

Cyber security agencies warn that despite networks being encrypted, victims shouldn't pay ransom demands for a decryption key because this only shows hackers that such attacks are effective.

https://www.zdnet.com/article/this-company-paid-a-ransom-demand-hackers-leaked-its-data-anyway/

• Sophisticated BEC Scammers Bypass Microsoft 365 Multi-Factor Authentication

A Business Email Compromise (BEC) attack recently analysed by cloud incident response company Mitiga used an adversary-in-the-middle (AitM) phishing attack to bypass Microsoft Office 365 MFA and gain access to a business executive's account, and then managed to add a second authenticator device to the account for persistent access. According to the researchers, the campaign they analysed is widespread and targets large transactions of up to several million dollars each.

The attack started with a well-crafted phishing email masquerading as a notification from DocuSign, a widely used cloud-based electronic document signing service. The email was crafted to the targeted business executive, suggesting that attackers have done reconnaissance work. The link in the phishing email led to an attacker-controlled website which then redirects to a Microsoft 365 single sign-on login page.

This fake login page uses an AitM technique, where the attackers run a reverse proxy to authentication requests back and forth between the victim and the real Microsoft 365 website. The victim has the same experience as they would have on the real Microsoft login page, complete with the legitimate MFA request that they must complete using their authenticator app. Once the authentication process is completed successfully, the Microsoft service creates a session token which gets flagged in its systems that it fulfilled MFA. The difference is that since the attackers acted as a proxy, they now have this session token too and can use it to access the account.

This reverse proxy technique is not new and has been used to bypass MFA for several years. In fact, easy-to-use open-source attack frameworks have been created for this purpose.

https://www.csoonline.com/article/3670575/sophisticated-bec-scammers-bypass-microsoft-365-multi-factor-authentication.html

• 77% Of Security Leaders Fear We’re in Perpetual Cyber War from Now On

A survey of cyber security decision makers found 77 percent think the world is now in a perpetual state of cyber warfare.

In addition, 82 percent believe geopolitics and cyber security are "intrinsically linked," and two-thirds of polled organisations reported changing their security posture in response to the Russian invasion of Ukraine.

Of those asked, 64 percent believe they may have already been the target of a nation-state-directed cyber attack. Unfortunately, 63 percent of surveyed security leaders also believe that they'd never even know if a nation-state level actor pwned them.

The survey, organised by security shop Venafi, questioned 1,100 security leaders. They said the results show cyber warfare is here, and that it's completely different to many would have imagined. "Any business can be damaged by nation-states," they stated.

It's been common knowledge for some time that government-backed advanced persistent threat (APT) crews are being used to further online geopolitical goals. Unlike conventional warfare, everyone is a target and there's no military or government method for protecting everyone.

Nor is there going to be much financial redress available. Earlier this week Lloyd's of London announced it would no longer recompense policy holders for certain nation-state attacks.

https://www.theregister.com/2022/08/27/in-brief-security/

• Cyber Security Governance: A Path to Cyber Maturity

Organisations need cyber security governance programs that make every employee aware of the cyber security mitigation efforts required to reduce cyber-risks.

In an increasingly challenging threat landscape, many organisations struggle with developing and implementing effective cyber security governance. The "Managing Cybersecurity Risk: A Crisis of Confidence" infographic by the CMMI Institute and ISACA stated: "While enterprise leaders recognise that mature cyber security is essential to thriving in today's digital economy, they often lack the insights and data to have peace of mind that their organisations are efficiently and effectively managing cyber risk."

Indeed, damages from cyber crime are projected to cost the world $7 trillion in 2022, according to the "Boardroom Cybersecurity 2022 Report" from Cybersecurity Ventures. As a result, "board members and chief executives are more interested in cyber security now than ever before," the report stated, adding that the time is ripe for turning awareness into action.

How, then, can board leaders have confidence that their organisations are prepared against cyber attacks? The first order of business for most organisations is to enable a strong cyber security governance program.

Cyber security governance refers to the component of governance that addresses an organisation's dependence on cyber space in the presence of adversaries. The ISO/IEC 27001 standard defines cyber security governance as the following: “The system by which an organisation directs and controls security governance, specifies the accountability framework and provides oversight to ensure that risks are adequately mitigated, while management ensures that controls are implemented to mitigate risks”.

Traditionally, cyber security is viewed through the lens of a technical or operational issue to be handled in the technology space. Cyber security planning needs to fully transition from a back-office operational function to its own area aligned with law, privacy and enterprise risk. The CISO should have a seat at the table alongside the CIO, COO, CFO and CEO. This helps the C-suite understand cyber security as an enterprise-wide risk management issue, along with the legal implications of cyber-risks, and not solely a technology issue.

https://www.techtarget.com/searchsecurity/post/Cybersecurity-governance-A-path-to-cyber-maturity

• The Rise of Data Exfiltration and Why It Is a Greater Risk Than Ransomware

Ransomware is the de facto threat organisations have faced over the past few years. Threat actors were making easy money by exploiting the high valuation of cryptocurrencies and their victims' lack of adequate preparation.

Think about bad security policies, untested backups, patch management practices not up-to-par, and so forth. It resulted in easy growth for ransomware extortion, a crime that multiple threat actors around the world perpetrate.

Something's changed, though. Crypto valuations have dropped, reducing the monetary appeal of ransomware attacks due to organisations mounting better defence against ransomware.

Threat actors have been searching for another opportunity – and found one. It's called data exfiltration, or exfil, a type of espionage causing headaches at organisations worldwide.

Information exfiltration is rapidly becoming more prevalent. Earlier this year, incidents at Nvidia, Microsoft, and several other companies have highlighted how big of a problem it's become – and how, for some organisations, it may be a threat that's even bigger than ransomware.

Nvidia, for example, became entangled in a complex tit-for-tat exchange with hacker group Lapsus$. One of the biggest chipmakers in the world was faced with the public exposure of the source code for invaluable technology, as Lapsus$ leaked the source code for the company's Deep Learning Super Sampling (DLSS) research.

When it comes to exfil extortion, attackers do not enter with the primary aim of encrypting a system and causing disruption the way that a ransomware attacker does. Though, yes, attackers may still use encryption to cover their tracks.

Instead, attackers on an information exfiltration mission will move vast amounts of proprietary data to systems that they control. And here's the game: attackers will proceed to extort the victim, threatening to release that confidential information into the wild or to sell it to unscrupulous third parties.

https://thehackernews.com/2022/08/the-rise-of-data-exfiltration-and-why.html

Threats

Ransomware

• Ransomware Groups Can Adapt Malware Code to Different Operating Systems Simultaneously, Kaspersky Research Finds - MSSP Alert

• [Whoa] Ransomware Strains Almost Double in Six Months from 5,400 to 10,666 (knowbe4.com)

• Ransomware: Most attacks exploit these common cyber security mistakes - so fix them now, warns Microsoft | ZDNET

• Ransomware dominates the threat landscape - Help Net Security

• We need to think about ransomware differently - Help Net Security

• Disk wiping malware knows no borders - Help Net Security

• NATO investigates hacker sale of missile firm data - BBC News           

• Cyber attackers disrupt services at French hospital, demand $10 million ransom (france24.com)

• New 'Agenda' Ransomware Customized for Each Victim | SecurityWeek.Com

• LockBit gang hit by DDoS attack after Entrust leaks • The Register

• New ransomware HavanaCrypt poses as Google software update | CSO Online

• WannaCry explained: A perfect ransomware storm | CSO Online

• LockBit Ransomware Site Hit by DDoS Attack as Hackers Start Leaking Entrust Data | SecurityWeek.Com

• New Golang Ransomware Agenda Customizes Attacks (trendmicro.com)

• New 'BianLian' Ransomware Variant on the Rise (darkreading.com)

• New 'Donut Leaks' extortion gang linked to recent ransomware attacks (bleepingcomputer.com)

• Ransomware Attacks are on the Rise | Threatpost

• Quantum ransomware attack disrupts govt agency in Dominican Republic (bleepingcomputer.com)

• Car Dealership Hit by Major Ransomware Attack - Infosecurity Magazine

• Ransomware Gang Leaks Data Allegedly Stolen from Greek Gas Supplier | SecurityWeek.Com

• Major airline technology provider Accelya attacked by ransomware group - The Record by Recorded Future

• Businesses expect the government to increase its financial assistance for all ransomware incidents - Help Net Security

BEC – Business Email Compromise

• Before Portland lost $1.4 million in cyber breach, city treasurer raised red flag - OPB

Phishing & Email Based Attacks

• Phishing attacks abusing SaaS platforms see a massive 1,100% growth (bleepingcomputer.com)

• Researchers Warn of AiTM Attack Targeting Google G-Suite Enterprise Users (thehackernews.com)

• Unusual Microsoft 365 Phishing Campaign Spoofs eFax Via Compromised Dynamics Voice Account (darkreading.com)

• Hiding a phishing attack behind the AWS cloud • The Register

• 10 key facts about callback phishing attacks - CyberTalk 2022

Other Social Engineering; Smishing, Vishing, etc

• New social engineering tactics discovered in the wild - Help Net Security

Malware

• Threat actor abuses Genshin Impact Anti-Cheat driver to disable antivirus - Security Affairs

• Fake DDoS Protection Alerts Distribute Dangerous RAT (darkreading.com)

• Meet Borat RAT, a New Unique Triple Threat (thehackernews.com)

• Donot Team group updates its Windows malware framework - Security Affairs

• How 'Kimsuky' hackers ensure their malware only reach valid targets (bleepingcomputer.com)

• Grandoreiro banking malware targets Mexico and Spain - Security Affairs

• Fake Chrome extension 'Internet Download Manager' has 200,000 installs (bleepingcomputer.com)

• Threat actors are using the Tox P2P messenger as C2 server - Security Affairs

Mobile

• Google Play Store Serving Up Chameleon-like Apps (informationsecuritybuzz.com)

• We can make our phones harder to hack but complete security is a pipe dream | John Naughton | The Guardian

Internet of Things – IoT

• Cyber criminals Are Selling Access to Chinese Surveillance Cameras | Threatpost

• IoT Vulnerability Disclosures Up 57% in Six Months, Claroty Reveals - Infosecurity Magazine

• Thousands of Organisations Remain at Risk from Critical Zero-Click IP Camera Bug (darkreading.com)

Data Breaches/Leaks

• LastPass data breach: threat actors stole portion of source code - Security Affairs

• Plex discloses data breach and urges password reset - Security Affairs

• Why the Twilio Breach Cuts So Deep | WIRED

• Plex was compromised, exposing usernames, emails, and passwords - The Verge

• DoorDash discloses new data breach tied to Twilio hackers (bleepingcomputer.com)

• Data on California Prisons' Visitors, Staff, Inmates Exposed | SecurityWeek.Com

• Expert Commentary On The Plex Data Breach (informationsecuritybuzz.com)

• Textile Company Sferra Discloses Data Breach | SecurityWeek.Com

• Novant Health: Oops, we leaked 1.3m patients' info to Meta • The Register

Organised Crime & Criminal Actors

• RaaS Kits Are Hiding Who The Attackers Really Are – Expert Comments (informationsecuritybuzz.com)

• Researchers warn of darkverse emerging from the metaverse | CSO Online

 Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

• An anatomy of crypto-enabled cyber crime | Financial Times (ft.com)

• Cryptojackers Spread Across Computers Globally- IT Security Guru

• Hackers Are Breaking Into and Emptying Cash App Accounts (vice.com)

• Threat actors are stealing funds from General Bytes Bitcoin ATMSecurity Affairs

• How Economic Changes and Crypto's Rise Are Fuelling the use of "Cyber Mules" | SecurityWeek.Com

Fraud, Scams & Financial Crime

• Scammers Create “AI Hologram” of C-Suite Crypto Exec - Infosecurity Magazine

• Employee fraud: Beware of deepfake job applicants - Protocol

• A closer look at identity crimes committed against individuals - Help Net Security

• What type of fraud enables attackers to make a living? - Help Net Security

Insurance

• Lloyds Of London Ends Insurance Coverage For State Cyber Attacks, Expert (informationsecuritybuzz.com)

Software Supply Chain

• Why SBOMs alone aren’t enough for software supply chain security | CSO Online

Denial of Service DoS/DDoS

• DDoS attacks jump 203%, patriotic hacktivism surges - Help Net Security

• Threat Actor Deploys Raven Storm Tool to Perform DDoS Attacks - Infosecurity Magazine

• LockBit gang hit by DDoS attack after Entrust leaks • The Register

• Gambling sites are losing significant amounts of revenue due to raising DDoS attacks - Help Net Security

Cloud/SaaS

• Mitiga: Attackers evade Microsoft MFA to lurk inside M365 (techtarget.com)

• Phishing attacks abusing SaaS platforms see a massive 1,100% growth (bleepingcomputer.com)

• How complicated access management protocols have impacted cloud security - Help Net Security

Identity and Access Management

• IT leaders struggling to address identity sprawl - Help Net Security

• Identity Security Pain Points and What Can Be Done (darkreading.com)

• Thoma Bravo: Securing digital identities has become a major priority - Help Net Security

Encryption

• CISA: Action required now to prepare for quantum computing cyber threats | ZDNET

• Encrypted Traffic Analysis: Mitigating Against The Risk Of Encryption (informationsecuritybuzz.com)

• US Government: Stop Dickering and Prepare for Post-Quantum Encryption Now - CNET

API

• API security incidents occur at least once a month - Help Net Security

Passwords, Credential Stuffing & Brute Force Attacks

• Credential phishing attacks rise and represent a huge threat to businesses - Help Net Security

• Twilio hackers breached over 130 organisations during months-long hacking spree | TechCrunch

• FBI: Beware Residential IPs Hiding Credential Stuffing - Infosecurity Magazine

Social Media

• Experts Reaction to Poor Security At Twitter (informationsecuritybuzz.com)

Privacy

• Oracle sued over ‘worldwide surveillance machine’ by privacy rights activists | CSO Online

• Most top mobile carriers retain geolocation data for two years on average, FCC findings show - CyberScoop

Travel

• Hackers target hotel and travel companies with fake reservations (bleepingcomputer.com)

• Fake Reservation Links Prey on Weary Travelers | Threatpost

• British Airways passengers targeted in baggage scam using Twitter | The Independent

Models, Frameworks and Standards

• PCI DSS v4.0 is coming, here's how to prepare to comply (techtarget.com)

Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine

• Lloyd's of London Introduces New War Exclusion Insurance Clauses | SecurityWeek.Com

• The (Nation) State of Cyber: 64% of Businesses Suspect They've Been Targeted or Impacted by Nation-State Attacks (darkreading.com)

• EU Outlines Critical Cyber Response to Ukraine War - Infosecurity Magazine

• Unprecedented cyber attack hit State Infrastructure of Montenegro - Security Affairs

• Suspected Iranian Hackers Targeted Several Israeli Organisations for Espionage (thehackernews.com)

Nation State Actors

Nation State Actors – Russia

• Microsoft: Russian hackers gain powerful 'MagicWeb' authentication bypass | ZDNET

• Microsoft Attributes New Post-Compromise Capability to Nobelium - Infosecurity Magazine

Nation State Actors – Iran

• Google Uncovers Tool Used by Iranian Hackers to Steal Data from Email Accounts (thehackernews.com)

• Iranian Hackers Exploiting Unpatched Log4j 2 Bugs to Target Israeli Organisations (thehackernews.com)

Nation State Actors – Misc APT

• Donot Team group updates its Windows malware framework - Security Affairs

• Cyber crime Groups Increasingly Adopting Sliver Command-and-Control Framework (thehackernews.com)

Vulnerability Management

• Up to 35% more CVEs published so far this year compared to 2021 | CSO Online

• Why patching quality, vendor info on vulnerabilities are declining | CSO Online

• How fast is the financial industry fixing its software security flaws? - Help Net Security

• Highlighting What should be Patched First at the Endpoint (bleepingcomputer.com)

Vulnerabilities

• Cisco Patches High-Severity Vulnerabilities in Business Switches | SecurityWeek.Com

• CISA Warns of Active Exploitation of Palo Alto Networks' PAN-OS Vulnerability (thehackernews.com)

• Critical flaw impacts Atlassian Bitbucket Server and Data Center - Security Affairs

• VMware fixes privilege escalation vulnerabilities in VMware Tools - Infosecurity Magazine

• VMware LPE Bug Allows Cyber attackers to Feast on Virtual Machine Data (darkreading.com)

• Critical RCE bug in GitLab patched, update ASAP! (CVE-2022-2884) - Help Net Security

• Mac users urged to update Zoom, after security patch released for previously-flawed security patch (bitdefender.com)

• Zoom patches root exploit, patches patch due to root exploit • The Register

• US government really hopes you've patched your Zimbra server • The Register

• Apple security flaw ‘actively exploited’ by hackers to fully control devices | Apple | The Guardian

• Microsoft publicly discloses details on critical ChromeOS flaw - Security Affairs

• Mozilla Patches High-Severity Vulnerabilities in Firefox, Thunderbird | SecurityWeek.Com

• 'DirtyCred' Vulnerability Haunting Linux Kernel for 8 Years | SecurityWeek.Com

• Privilege Escalation Flaw Haunts VMware Tools | SecurityWeek.Com

Reports Published in the Last Week

• Cyber Signals: Defend against the new ransomware landscape - Microsoft

• Threat Spotlight: The untold stories of ransomware - Journey Notes (barracuda.com)

Other News

• How attackers use and abuse Microsoft MFA - Help Net Security

• There is an urgent need to reduce systemic cyber risks | Financial Times (ft.com)

• Critical infrastructure is under attack from hackers. Securing it needs to be a priority - before it's too late | ZDNET

• We Need to Talk About How Good A.I. Is Getting - The New York Times (nytimes.com)

• A lack of endpoint security strategy is leaving enterprises open to attack - Help Net Security

• NIST Weighs in on AI Risk (darkreading.com)

• Twitter whistleblower report holds security lessons (techtarget.com)

• Nearly 3 Years Later, SolarWinds CISO Shares 3 Lessons From the Infamous Attack (darkreading.com)

• Data governance: 5 tips for holistic data protection - Microsoft Security Blog

• US Government Spending Billions on Cyber security (thehackernews.com)

Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

·       Automotive

·       Construction

·       Critical National Infrastructure (CNI)

·       Defence & Space

·       Education & Academia

·       Energy & Utilities

·       Estate Agencies

·       Financial Services

·       FinTech

·       Food & Agriculture

·       Gaming & Gambling

·       Government & Public Sector (including Law Enforcement)

·       Health/Medical/Pharma

·       Hotels & Hospitality

·       Insurance

·       Legal

·       Manufacturing

·       Maritime

·       Oil, Gas & Mining

·       OT, ICS, IIoT, SCADA & Cyber-Physical Systems

·       Retail & eCommerce

·       Small and Medium Sized Businesses (SMBs)

·       Startups

·       Telecoms

·       Third Sector & Charities

·       Transport & Aviation

·       Web3

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

• Average Cost of Data Breaches Hits Record High of $4.35 Million: IBM

The global average cost of data breaches reached an all-time high of $4.35 million in 2022 compared with $4.24 million in 2021, according to a new IBM Security report. About 60% of the breached organisations raised product and services prices due to the breaches.

The annual report, conducted by Ponemon Institute and analysed and sponsored by IBM Security, is based on the analysis of real-world data breaches experienced by 550 organisations globally between March 2021 and March 2022.

According to the report, about 83% of the organisations have experienced more than one breach in their lifetime, with nearly half of the costs reported to be incurred more than a year after the breach.

The report revealed that ransomware and destructive attacks represented 28% of breaches among the critical infrastructure organisations studied, indicating that threat actors are specifically targeting the sector to disrupt global supply chains. The critical infrastructure sector includes financial services, industrial, transportation, and healthcare companies.

https://www.csoonline.com/article/3668655/average-cost-of-data-breaches-hits-record-high-of-435-million-ibm.html#tk.rss_news

• Researchers Warns of Large-Scale Adversary-in-the-Middle (AiTM) Attacks Targeting Enterprise Users

A new, large-scale phishing campaign has been observed using adversary-in-the-middle (AitM) techniques to get around security protections and compromise enterprise email accounts.

It uses a technique capable of bypassing multi-factor authentication. The campaign is specifically designed to reach end users in enterprises that use Microsoft's email services.

Prominent targets include fintech, lending, insurance, energy, manufacturing, and federal credit union verticals located in the US, UK, New Zealand, and Australia.

This is not the first time such a phishing attack has come to light. Last month, Microsoft disclosed that over 10,000 organisations had been targeted since September 2021 by means of AitM techniques to breach accounts secured with multi-factor authentication (MFA).

The ongoing campaign, effective June 2022, commences with an invoice-themed email sent to targets containing an HTML attachment, which includes a phishing URL embedded within it.

https://thehackernews.com/2022/08/researchers-warns-of-large-scale-aitm.html

• UK NHS Suffers Outage After Cyber Attack on Managed Service Provider

The UK National Health Service (NHS) 111 emergency services were affected by a significant and ongoing outage triggered by a cyber attack that hit the systems of British managed service provider (MSP) Advanced.

Advanced's Adastra client patient management solution, which is used by 85% of NHS 111 services, was hit by a major outage together with several other services provided by the MSP, according to a status page.

"There was a major outage of a computer system that is used to refer patients from NHS 111 Wales to out-of-hours GP providers," the Welsh Ambulance Services said. "This system is used by Local Health Boards to coordinate these services for patients. The ongoing outage is significant and has been far-reaching, impacting each of the four nations in the UK."

The UK public was advised to access the NHS 111 emergency services using the online platform until the incident is resolved.

While no details were provided regarding the nature of the cyber attack, based on the wording, it is likely that this was a ransomware or data extortion attack.

https://www.bleepingcomputer.com/news/security/uk-nhs-suffers-outage-after-cyberattack-on-managed-service-provider/

• A Third of Organisations Experience a Ransomware Attack Once a Week

Ransomware attacks show no sign of slowing. According to new research published by Menlo Security, a third of organisations experience a ransomware attack at least once a week, with one in 10 experiencing them more than once a day.

The research, conducted among 500+ IT security decision makers at US and UK organisations with more than 1,000 employees, highlights the impact this is having on security professionals’ own wellbeing. When asked what keeps them awake at night, 41% of respondents say they worry about ransomware attacks evolving beyond their team’s knowledge and skillset, while 39% worry about them evolving beyond their company’s security capabilities.

Their biggest concern, however, is the risk of employees ignoring corporate security advice and clicking on links or attachments containing malware (46%). Respondents worry more about this than they do their own job security, with just a quarter (26%) of respondents worried about losing their job.

According to the report, around half of organisations (61% US and 44% UK) have been the victim of a successful ransomware attack in the last 18 months, with customers and prospects the most likely entry point for an attack.

Partners/suppliers and employees/contractors are also seen as serious security risks, although one in 10 admit they are unable to identify how the attacks got in. The top three ransomware attack vectors are email (54%), web browsers via a desktop or laptop (49%) and mobile devices (39%).

https://www.helpnetsecurity.com/2022/08/04/organizations-experience-ransomware-attack/

• Ransomware Products and Services Ads on Dark Web Show Clues to Danger

Why is ransomware’s destructive potential so daunting? Some clues are in the “for sale” ads. In an examination of some 35 million dark web URLs, a provider of machine identity management and a forensic specialist found some 475 web pages peddling sophisticated ransomware products and services with a number of high profile crews hawking ransomware-as-a-service.

The work is a joint effort between the Salt Lake City-based Venafi and Forensic Pathways, which took place between November 2021 and March 2022. Researchers used Forensic’s Dark Search Engine to carry out the investigation.

Here are some of the research findings:

• 87% of the ransomware found on the dark web has been delivered via malicious macros to infect targeted systems.

• 30 different “brands” of ransomware were identified within marketplace listings and forum discussions.

• Many strains of ransomware being sold — such as Babuk, GoldenEye, Darkside/BlackCat, Egregor, HiddenTear and WannaCry — have been successfully used in high-profile attacks.

• Ransomware strains used in high-profile attacks command a higher price for associated services. For example, the most expensive listing was $1,262 for a customised version of Darkside ransomware, which was used in the Colonial Pipeline ransomware attack.

• Source code listings for well-known ransomware generally command higher price points. For example, Babuk source code is listed for $950 and Paradise source code is selling for $593.

Ransomware Sold for as Little as $1: In addition to a variety of ransomware at various price points, a wide range of services and tools that help make it easier for attackers with minimal technical skills to launch ransomware attacks are for sale on the dark web, Venafi said. Services with the greatest number of listings include those offering source code, build services, custom development services and ransomware packages that include step-by-step tutorials.

https://www.msspalert.com/cybersecurity-breaches-and-attacks/ransomware/ransomware-products-services-ads-on-dark-web-show-clues-to-danger/

• Wolf In Sheep’s Clothing: How Malware Tricks Users and Antivirus

One of the primary methods used by malware distributors to infect devices is by deceiving people into downloading and running malicious files, and to achieve this deception, malware authors are using a variety of tricks.

Some of these tricks include masquerading malware executables as legitimate applications, signing them with valid certificates, or compromising trustworthy sites to use them as distribution points.

According to VirusTotal, a security platform for scanning uploaded files for malware, some of these tricks are happening on a much larger scale than initially thought.

The platform has compiled a report presenting stats from January 2021 until July 2022, based on the submission of two million files daily, illustrating trends in how malware is distributed.

• Abusing legitimate domains: Distributing malware through legitimate, popular, and high-ranking websites allows threat actors to evade IP-based blocklists, enjoy high availability, and provide a greater level of trust.

• Using stolen code-signing certificates: Signing malware samples with valid certificates stolen from companies is a reliable way to evade AV detection and security warnings on the host. Of all the malicious samples uploaded to VirusTotal between January 2021 and April 2022, over a million were signed, and 87% used a valid certificate.

• Disguised as popular software: Masquerading a malware executable as a legitimate, popular application has seen an upward trend in 2022. Victims download these files thinking they’re getting the applications they need, but upon running the installers, they infect their systems with malware. The most mimicked applications are Skype, Adobe Acrobat, VLC, and 7zip.

• Lacing legitimate installers - Finally, there’s the trick of hiding malware inside legitimate application installers and running the infection process in the background while the real apps execute in the foreground. Based on VirusTotal stats, this practice also appears to be on the rise this year, using Google Chrome, Malwarebytes, Windows Updates, Zoom, Brave, Firefox, ProtonVPN, and Telegram as lures.

https://www.bleepingcomputer.com/news/security/wolf-in-sheep-s-clothing-how-malware-tricks-users-and-antivirus/

• Microsoft Accounts Targeted with New MFA-Bypassing Phishing Kit

A new large-scale phishing campaign targeting credentials for Microsoft email services use a custom proxy-based phishing kit to bypass multi-factor authentication.

Researchers believe the campaign's goal is to breach corporate accounts to conduct BEC (business email compromise) attacks, diverting payments to bank accounts under their control using falsified documents.

The phishing campaign's targets include fin-tech, lending, accounting, insurance, and Federal Credit Union organisations in the US, UK, New Zealand, and Australia.

The campaign was discovered by Zscaler's ThreatLabz researchers, who report that the operation is still ongoing, and the phishing actors register new phishing domains almost daily.

Starting in June 2022, Zscaler's analysts noticed a spike in sophisticated phishing attempts against specific sectors and users of Microsoft email services.

Some of the newly registered domains used in the campaign are typo-squatted versions of legitimate domains.

Notably, many phishing emails originated from the accounts of executives working in these organisations, whom the threat actors most likely compromised earlier.

https://www.bleepingcomputer.com/news/security/microsoft-accounts-targeted-with-new-mfa-bypassing-phishing-kit/

• Cyber Attack Prevention Is Cost-Effective, So Why Aren’t Businesses Investing to Protect?

Cyber attacks like ransomware, BEC scams and data breaches are some of the key issues businesses are facing today, but despite the number of high-profile incidents, many boardrooms are reluctant to free up budget to invest in the cyber security measures necessary to avoid becoming the next victim.

In a Help Net Security interview, Former Pentagon Chief Strategy Officer Jonathan Reiber, VP Cyber security Strategy and Policy, AttackIQ, discusses how now, more than ever, companies need to protect themselves from cyber threat actors. He offers insight for CISOs, from talking to the Board to proper budget allocation.

https://www.helpnetsecurity.com/2022/08/01/cyberattack-prevention-investing/

• Securing Your Move to the Hybrid Cloud

The combination of private and public cloud infrastructure, which most organisations are already using, poses unique security challenges. There are many reasons why organisations adopt the public cloud, from enabling rapid growth without the burden of capacity planning to leveraging flexibility and agility in delivering customer-centric services. However, this use can leave companies open to threats.

Since regulatory requirements or other preferences dictate that certain applications remain on private (on-prem) infrastructure, many organisations choose to maintain a mix of private and public infrastructure. Additionally, organisations typically use multiple cloud providers simultaneously or preserve the option to move between providers. However, this hybrid approach presents unique and diverse security challenges. Different cloud providers and private cloud platforms may offer similar capabilities but different ways of implementing security controls, along with disparate management tools.

The question then becomes: How can an organisation maintain consistent governance, policy enforcement and controls across different clouds? And how can it ensure that it maintains its security posture when moving between them? Fortunately, there are steps professionals can take to ensure that applications are continuously secure, starting from the early stages of development and extending throughout the lifecycle.

https://threatpost.com/secure-move-cloud/180335/

• Lessons from the Russian Cyber Warfare Attacks

Cyber warfare tactics may not involve tanks and bombs, but they often go hand-in-hand with real combat.

The Russian invasion of Ukraine is a prime example. Before Russian troops crossed the border, Russian hackers had already taken down Ukrainian government websites. And after the conflict started, the hacktivist group Anonymous turned the tables by hacking Russian media to shut down propaganda about the war.

In these unprecedented times of targeted attacks against governments and financial institutions, every organisation should be on heightened alert about protecting their critical infrastructure and digital attack surface.

With the Russia-Ukraine conflict as a backdrop, two Trend Micro security experts recently discussed cyber warfare techniques and how they’re an important reminder for every business to proactively manage cyber risk.

https://www.trendmicro.com/en_us/ciso/22/h/russian-cyber-warfare-attacks.html

• Four Sneaky Attacker Evasion Techniques You Should Know About

Remember those portrayals of hackers in the 80s and 90s where you just knew when you got pwned? A blue screen of death, a scary message, a back-and-forth text exchange with a hacker—if you got pwned in a movie in the 80s and 90s, you knew it right off the bat.

What a shame that today’s hackers have learned to be quiet when infiltrating an environment. Sure, “loud” attacks like ransomware still exist, but threat actors have learned that if they keep themselves hidden, they can usually do far more damage. For hackers, a little stealth can go a long way. Some attack tactics are inherently quiet, making them arguably more dangerous as they can be harder to detect. Here are four of these attack tactics you should know about.

1. Trusted Application Abuse: Attackers know that many people have applications that they inherently trust, making those trusted applications the perfect launchpad for cyber attacks. Threat actors know that defenders and the tools they use are often on the hunt for new malware presenting itself in environments. What isn’t so easy to detect is when the malware masquerades under legitimate applications.

2. Trusted Infrastructure Abuse: Much like trusted application abuse, trusted infrastructure abuse is the act of using legitimate, publicly hosted services and toolsets (such as Dropbox or Google Drive) as part of the attack infrastructure. Threat actors know that people tend to trust Dropbox and Google Drive. As a result, this makes these tools a prime means for threat actors to carry out malicious activity. Threat actors often find trusted infrastructure abuse easy because these services aren’t usually blocked at an enterprise’s gateway. In turn, outbound communications can hide in plain sight.

3. Obfuscation: Although cyber security has more than its fair share of tedious acronyms, the good news is that many terms can be broken down by their generic dictionary definitions. According to dictionary.com, this is what obfuscate means: “To make something unclear, obscure or difficult to understand.” And that’s exactly what it means in cyber security: finding ways to conceal malicious behaviour. In turn, this makes it more difficult for analysts and the tools they use to flag suspicious or malicious activity.

4. Persistence: Imagine writing up documentation using your computer, something you may well do in your role. You’ve spent a ton of time doing the research required, finding the right sources and compiling all your information into a document. Now, imagine not hitting save on that document and losing it as soon as you reboot your computer. Sound like a nightmare—or perhaps a real anxiety-inducing experience you’ve been through before? Threat actors agree. And that’s why they establish persistence. They don’t want all of their hard work to get into your systems in the first place to be in vain just because you restart your computer. They establish persistence to make sure they can still hang around even after you reboot.

https://www.msspalert.com/cybersecurity-guests/four-sneaky-attacker-evasion-techniques-you-should-know-about/

• Zero-Day Defence: Tips for Defusing the Threat

Because they leave so little time to patch and defuse, zero-day threats require a proactive, multi-layered approach based on zero trust.

The recent Atlassian Confluence remote code execution bug is just the latest example of zero-day threats targeting critical vulnerabilities within major infrastructure providers. The specific threat, an Object-Graph Navigation Language (OGNL) injection, has been around for years but took on new significance given the scope of the Atlassian exploit. And OGNL attacks are on the rise.

Once bad actors find such a vulnerability, proof-of-concept exploits start knocking at the door, seeking unauthenticated access to create new admin accounts, execute remote commands, and take over servers. In the Atlassian case, Akamai's threat research team identified that the number of unique IP addresses attempting these exploits grew to more than 200 within just 24 hours.

Defending against these exploits becomes a race against time worthy of a 007 movie. The clock is ticking and you don't have much time to implement a patch and "defuse" the threat before it's too late. But first you need to know that an exploit is underway. That requires a proactive, multi-layered approach to online security based on zero trust.

What do these layers look like? There are a number of different practices that security teams — and their third-party Web application and infrastructure partners — should be aware of.

https://www.darkreading.com/attacks-breaches/zero-day-defense-tips-for-defusing-the-threat

Threats

Ransomware

• Reported ransomware attacks are just the tip of the iceberg. That's a problem for everyone | ZDNet

• Initial Access Brokers - Key to Rise In Ransomware Attacks (informationsecuritybuzz.com)

• Ransomware gangs are hitting roadblocks, but aren't stopping (yet) - Help Net Security

• SonicWall: Ransomware Global Cyber Attack Volume Shrinks, Still Exceeds Totals for 2017-2019 - MSSP Alert

• 87% of the ransomware found on the dark web has been delivered via malicious macros - Help Net Security

• LockBit Ransomware Abuses Windows Defender for Payload Loading | SecurityWeek.Com

• German Chambers of Industry and Commerce hit by 'massive' cyber attack (bleepingcomputer.com)

• Brand-New HavanaCrypt Ransomware Poses as Google Software Update App Uses Microsoft Hosting Service IP Address as C&C Server (trendmicro.com)

• Ransomware Task Force releases SMB blueprint for defence and mitigation (scmagazine.com)

• Prepare for ransomware before you're hit • The Register

• German semiconductor giant Semikron says hackers encrypted its network | TechCrunch

• Ransomware Hit on European Pipeline & Energy Supplier Encevo Linked to BlackCat (darkreading.com)

• Luxembourg Energy Company Hit by Ransomware | SecurityWeek.Com

• Spanish research agency still recovering after ransomware attack (bleepingcomputer.com)

Phishing & Email Based Attacks

• Countdown Clock Puts Pressure on Phishing Targets - Infosecurity Magazine

• The most impersonated brand in phishing attacks? Microsoft - Help Net Security

• Open Redirect Flaw Snags Amex, Snapchat User Data | Threatpost

• American Express, Snapchat Open-Redirect Vulnerabilities Exploited in Phishing Scheme (darkreading.com)

• A new malware threat is spying on users' Gmail inbox — do this before you're next | Laptop Mag

• Massive New Phishing Campaign Targets Microsoft Email Service Users (darkreading.com)

• North Korean Hackers Use Browser Extension to Spy on Gmail and AOL Accounts - Infosecurity Magazine

Other Social Engineering; SMishing, Vishing, etc

• US FCC warns of the rise of smishing attacks - Security Affairs

Malware

• VirusTotal Reveals Most Impersonated Software in Malware Attacks (thehackernews.com)

• Gootkit Loader Resurfaces with Updated Tactic to Compromise Targeted Computers (thehackernews.com)

• Woody RAT: A new feature-rich malware spotted in the wild | Malwarebytes Labs

• VirusTotal: Threat Actors Mimic Legitimate Apps, Use Stolen Certs to Spread Malware (darkreading.com)

• New IoT RapperBot Malware Targeting Linux Servers via SSH Brute-Forcing Attack (thehackernews.com)

• New Linux malware brute-forces SSH servers to breach networks (bleepingcomputer.com)

• Credential Stealer Malware Raccoon Updated to Obtain Passwords More Efficiently - Infosecurity Magazine

• Attackers cause Discord discord with malicious npm packages • The Register

• Gootkit AaaS malware is still active and uses updated tactics - Security Affairs

Mobile

• Facebook finds new Android malware used by APT hackers (bleepingcomputer.com)

• Google Patches Critical Android Bluetooth Flaw in August Security Bulletin - Infosecurity Magazine

• Banking trojan finds new routes to accounts by infiltrating Google Play Store (scmagazine.com)

Internet of Things – IoT

• A Digital Home Has Many Open Doors (darkreading.com)

• All the Data Amazon's Ring Cameras Collect About You | WIRED

Organised Crime & Criminal Actors

• Thousands of hackers flock to 'Dark Utilities' C2-as-a-Service (bleepingcomputer.com)

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

• Phishing campaign targets Coinbase wallet holders to steal cryptocurrency in real-time - Help Net Security

• Nearly $200 Million Stolen from Cryptocurrency Bridge Nomad | SecurityWeek.Com

• Crypto firm that promised security loses $200 million in 'frenzied free-for-all' hack | PC Gamer

• Nomad to crooks: Keep 10% as a bounty, return the rest • The Register

• Cyber attackers Drain Nearly $6M From Solana Crypto Wallets (darkreading.com)

• Man robbed of $800,000 in cryptocurrency sues Google • The Register

Insider Risk and Insider Threats

• T-Mobile Store Owner Made $25M Using Stolen Employee Credentials (darkreading.com)

Fraud, Scams & Financial Crime

• UK Branded Europe’s “Capital of Card Fraud” - Infosecurity Magazine

• Huge network of 11,000 fake investment sites targets Europe (bleepingcomputer.com)

• Online payment fraud losses accelerate at an alarming rate - Help Net Security

• COMMENT: 'Hi Mum, Hi Dad' Scams On The Rise - Britons Already (informationsecuritybuzz.com)

• Increase in Fake Tickets Being Sold by Cyber criminals on Social Media - IT Security Guru

AML/CFT/Sanctions

• Robinhood Crypto Penalized $30M for Violating NY Cybersecurity Regulations | SecurityWeek.Com

Dark Web

• A Ransomware Explosion Fosters Thriving Dark Web Ecosystem (darkreading.com)

• The popularity of Dark Utilities 'C2-as-a-Service' rapidly increases - Security Affairs

Software Supply Chain

• Now is the time to focus on software supply chain security improvements - Help Net Security

Cloud/SaaS

• Cyber attackers Increasingly Target Cloud IAM as a Weak Link (darkreading.com)

• What Worries Security Teams About the Cloud? (darkreading.com)

• Who Has Control: The SaaS App Admin Paradox (thehackernews.com)

• Enterprises face a multitude of barriers to securing diverse cloud environments - Help Net Security

Open Source

• New Linux malware brute-forces SSH servers to breach networks (bleepingcomputer.com)

Passwords, Credential Stuffing & Brute Force Attacks

• Hackers stole passwords for accessing 140,000 payment terminals | TechCrunch

• Credential Canaries Create Minefield for Attackers (darkreading.com)

• 5 reasons why businesses should never use consumer-grade password managers | TechRadar

Social Media

• Hackers Exploit Twitter Vulnerability to Exposes 5.4 Million Accounts (thehackernews.com)

• Parliament shuts down TikTok account over China data security concerns (telegraph.co.uk)

• Over 3,200 Apps Leak Twitter API Keys, Some Allowing Account Hijacks (informationsecuritybuzz.com)

• Increase in Fake Tickets Being Sold by Cyber criminals on Social Media - IT Security Guru

Privacy

• DuckDuckGo browser now blocks all Microsoft trackers, most of the time (bleepingcomputer.com)

Cyber Bullying and Cyber Stalking

• Australia charges dev of Imminent Monitor RAT used by domestic abusers (bleepingcomputer.com)

Regulations, Fines and Legislation

• Most companies are unprepared for CCPA and GDPR compliance - Help Net Security

• Data privacy: Collect what you need, protect what you collect | CSO Online

• India scraps data protection law, promises better successor • The Register

Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine

• Austrian Investigation Reveals Spyware Targeting Law Firms, Finance Institutions - Infosecurity Magazine

• Ukraine takes down 1,000,000 bots used for disinformation (bleepingcomputer.com)

• Nancy Pelosi ties Chinese cyber-attacks to Taiwan visit • The Register

• Spanish Research Center Suffers Cyber attack Linked to Russia | SecurityWeek.Com

• Russian organisations attacked with new Woody RAT malware (bleepingcomputer.com)

• Greek intelligence spied on journalist with a surveillance spyware - Security Affairs

• Rare Pegasus screenshots depict NSO Group's spyware capabilities | AppleInsider

Nation State Actors

Nation State Actors – Russia

• Double Whammy: Russian Hackers Launch Cyber Attacks On Lockheed Martin; Armed Forces Hack Into HIMARS -- Reports (eurasiantimes.com)

• Ukraine Shutters Major Russian Bot Farm - Infosecurity Magazine

Nation State Actors – China

• Chinese hackers use new Cobalt Strike-like attack framework (bleepingcomputer.com)

• Massive China-Linked Disinformation Campaign Taps PR Firm for Help (darkreading.com)

• Parliament shuts down TikTok account over China data security concerns (telegraph.co.uk)

• China, Huawei, and the eavesdropping threat | CSO Online

• Global network of fake news sites push Chinese propaganda, researchers find - CyberScoop

• Taiwanese military reports DDoS in wake of US Speaker visit • The Register

Nation State Actors – North Korea

• Cyber crime a Key Revenue Stream For North Korea's Weapons Program - Infosecurity Magazine (infosecurity-magazine.com)

• North Korean Hackers Use Browser Extension to Spy on Gmail and AOL Accounts - Infosecurity Magazine (infosecurity-magazine.com)

Nation State Actors – Iran

• Iranian Hackers Likely Behind Disruptive Cyber attacks Against Albanian Government (thehackernews.com)

• Disruptive Cyber attacks on NATO Member Albania Linked to Iran | SecurityWeek.Com

Nation State Actors – Misc APT

• Twitter breach exposes anonymous accounts to nation state hackers - CyberScoop

Vulnerabilities

• VMware urges admins to patch critical auth bypass bug immediately (bleepingcomputer.com)

• Critical RCE Bug in DrayTek Routers Opens SMBs to Zero-Click Attacks (darkreading.com)

• Cisco fixes critical remote code execution bug in VPN routers (bleepingcomputer.com)

• F5 Fixes 21 Vulnerabilities With Quarterly Security Patches | SecurityWeek.Com

• High-Severity Bug in Kaspersky VPN Client Opens Door to PC Takeover (darkreading.com)

• Hackers Exploit Atlassian Confluence Vulnerability to Deploy New 'Ljl' Backdoor - Infosecurity Magazine

• Slack Resets Passwords After a Bug Exposed Hashed Passwords for Some Users (thehackernews.com)

• VMware Releases Patches for Several New Flaws Affecting Multiple Products (thehackernews.com)

• Hackers are actively exploiting password-stealing flaw in Zimbra (bleepingcomputer.com)

• Google fixed Critical Remote Code Execution flaw in Android - Security Affairs

• CISA adds Zimbra bug to Known Exploited Vulnerabilities Catalogue - Security Affairs

• Warning! Critical flaws found in US Emergency Alert System • The Register

Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

·       Automotive

·       Construction

·       Critical National Infrastructure (CNI)

·       Defence & Space

·       Education & Academia

·       Energy & Utilities

·       Estate Agencies

·       Financial Services

·       FinTech

·       Food & Agriculture

·       Gaming & Gambling

·       Government & Public Sector (including Law Enforcement)

·       Health/Medical/Pharma

·       Hotels & Hospitality

·       Insurance

·       Legal

·       Manufacturing

·       Maritime

·       Oil, Gas & Mining

·       OT, ICS, IIoT, SCADA & Cyber-Physical Systems

·       Retail & eCommerce

·       Small and Medium Sized Businesses (SMBs)

·       Startups

·       Telecoms

·       Third Sector & Charities

·       Transport & Aviation

·       Web3

Other News

• APIs attacked in 94% of companies in past year - IT Security Guru

• Over 60% of Organisations Expose SSH to the Internet - Infosecurity Magazine

• How IT and security teams can work together to improve endpoint security - Microsoft Security Blog

• Burnout and attrition impact tech teams sustaining modern digital systems - Help Net Security

• Machine learning creates a new attack surface requiring specialized defences - Help Net Security

• Cyber security lessons learned from COVID-19 pandemic (techtarget.com)

• 10 enterprise database security best practices (techtarget.com)

• Resolving Availability vs. Security, a Constant Conflict in IT (thehackernews.com)

• Tips to prevent RDP and other remote attacks on Microsoft networks | CSO Online

• 5 ways to unite security and compliance | CSO Online

• The Myth of Protection Online — and What Comes Next (darkreading.com)

• The Importance of Data Security in the Enterprise (techtarget.com)

• Who Needs Macros? | Threat Actors Pivot to Abusing Explorer and Other LOLBins via Windows Shortcuts - SentinelOne

• How IT Teams Can Use 'Harm Reduction' for Better Cyber security Outcomes (darkreading.com)

• Businesses lack visibility into run-time threats against mobile apps and APIs - Help Net Security

• Browser synchronization abuse: Bookmarks as a covert data exfiltration channel - Help Net Security

• Threats emanating from digital ecosystems can be a blind spot for businesses - Help Net Security

• Busting the Myths of Hardware Based Security - Security Affairs

• New Traffic Light Protocol standard released after five years (bleepingcomputer.com)

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Executive Summary

Microsoft has released information on a new phishing campaign involving “adversary-in-the-middle” AiTM techniques, which has affected more than 10,000 organisations since September 2021. What is unique about this particular attack method is that it has the potential to bypass Multi-Factor Authentication (MFA). It is important to note that this attack does not make use of a vulnerability within MFA, and that MFA is still a key control in preventing credential compromise.

What’s the risk to me or my business?

As more organisations implement security controls such as MFA, malicious actors will be looking into possibilities of targeting these controls. This particular attack technique involves a proxy server being deployed in between the recipient and a valid targeted website. In short, a targeted user would receive a phishing email, the link to the phishing email would resolve in a valid website, with the traffic being re-directed through the server of a malicious actor. This allows the malicious actor to steal “authenticated session cookies”, after the user has logged into the valid website. The malicious actor can then use the authenticated session cookies to access the valid website with the targeted users credentials, which can then lead to further attacks such as Business Email Compromise as shown in the diagram below.

Figure 1: Overview of AiTM phishing campaign and follow-on BEC (Microsoft 365 Defender Research Team, 2022)

What can I do?

Microsoft recommends implementing conditional access policies, which can limit user access in different scenarios, such as only allowing access to trusted locations, compliant devices or trusted IP addresses. This would prevent a stolen session cookie from granting access to an account outside of these conditions. Anti-Phishing solutions can also be used to block phishing emails from arriving in end-users inboxes, however it is worth noting that these solutions may not be able to block every threat. Where possible, security monitoring should be in place to detect suspicious sign-in attempts, and unusual mailbox activities including external forwarding, rule creation and access from untrusted IP addresses or devices.

It is also critically important that technical controls such as MFA are supplemented with end-user training, including Phishing simulations as it is the primary ingress point for this type of attack.

Technical Summary

Microsoft has published a full breakdown of sample attacks that they have monitored. So far they have followed the following process:

1.       An attacker sends emails containing an HTML file attachment, stating that a voicemail has been received on their Microsoft account. This email follows the same template which is received when a user receives a voicemail via Microsoft Teams.

2.       The user clicks on the HTML attachment, which takes them to a website displaying the mp3 file being downloaded. No actual download takes place, but a progress bar is updated.

3.       The user is then re-directed to a gatekeeper, which confirms that the user has clicked on the html attachment.

4.       The user arrives at a proxied version of the Microsoft Azure Active Directory login page. It is important to note that if an organisation has customised this landing page with their corporate logo then this will also be displayed, making the website seem even more legitimate.

5.       The user enters their credentials which are then authenticated by Microsoft. If MFA is enabled, the user would be prompted for MFA at this stage.

6.       The user is re-directed to the official Microsoft 365 website, while the authenticated session cookies are captured by the attacker, also allowing them into the official Microsoft 365 website.

7.       Microsoft’s research has then shown that the stolen session is used for Business Email Compromise (BEC) attacks, targeting finance related emails within the targeted users inbox to request fraud payments. At this stage however a malicious attacker also has potential to access any 365 service which the targeted user has access to.

Appropriate conditional access controls could prevent an attacker at step 6 from using the stolen cookies to access the targeted users Microsoft 365 account.

A full breakdown of this particular phishing campaign is available here: From cookie theft to BEC: Attackers use AiTM phishing sites as entry point to further financial fraud - Microsoft Security Blog

Need help understanding your gaps, or just want some advice? Get in touch with us.

References

Microsoft 365 Defender Research Team. (2022, 07 19). From cookie theft to BEC: Attackers use AiTM phishing sites as entry point to further financial fraud. Retrieved from Microsoft 365 Defender Research Team Security Blog: https://www.microsoft.com/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further-financial-fraud/

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

• 10,000 Organisations Targeted by Phishing Attack That Bypasses Multi-Factor Authentication

Microsoft has shared details of a widespread phishing campaign that not only attempted to steal the passwords of targeted organisations, but was also capable of circumventing multi-factor authentication (MFA) defences.

The attackers used AiTM (Attacker-in-The-Middle) reverse-proxy sites to pose as Office 365 login pages which requested MFA codes, and then use them to log into the genuine site.

According to Microsoft’s detailed report on the campaign, once hackers had broken into email inboxes via the use of stolen passwords and session cookies, they would exploit their access to launch Business Email Compromise (BEC) attacks on other targets.

By creating rules on victims’ email accounts, the attackers are able to then ensure that they maintain access to incoming email even if a victim later changes their password.

The global pandemic, and the resulting increase in staff working from home, has helped fuel a rise in the adoption of multi-factor authentication.

Cyber criminals, however, haven’t thrown in the towel when faced with MFA-protected accounts. Accounts with MFA are certainly less trivial to break into than accounts which haven’t hardened their security, but that doesn’t mean that it’s impossible.

Reverse-proxy phishing kits like Modlishka, for instance, impersonate a login page, and ask unsuspecting users to enter their login credentials and MFA code. That collected data is then passed to the genuine website – granting the cyber criminal access to the site.

As more and more people recognise the benefits of MFA, we can expect a rise in the number of cyber criminals investing effort into bypassing MFA.

Microsoft’s advice is that organisations should complement MFA with additional technology and best practices.

https://www.tripwire.com/state-of-security/featured/10000-organisations-targeted-by-phishing-attack-that-bypasses-multi-factor-authentication/

• Businesses Are Adding More Endpoints, But Can’t Manage Them All

Most enterprises struggle to maintain visibility and control of their endpoint devices, leading to increased security breaches and impaired ability to ward off outside attacks, according to a survey conducted by Ponemon Institute.

Findings show that the average enterprise now manages approximately 135,000 endpoint devices. Despite $4,252,500 of annual budget spent on endpoint protection, an average of 48 percent of devices – or 64,800 per enterprise – are at risk because they are no longer detected by the organisation’s IT department or the endpoints’ operating systems have become outdated.

Additionally, 63 percent of respondents find that the lack of visibility into their endpoints is the most significant barrier to achieving a strong security posture.

IT organisations are facing unprecedented rates of distribution point sprawl, which has grown rapidly since the onset of the COVID-19 pandemic. 61 percent of respondents say distribution points have increased in the last two years, and the average endpoint has as many as 7 agents installed for remote management, further adding to management complexity.

https://www.helpnetsecurity.com/2022/07/14/businesses-are-adding-more-endpoints/

• Ransomware Activity Resurges in Q2

Ransomware activity rose by a fifth in the last quarter, according to a report from security firm Digital Shadows.

The company, which monitors almost 90 data leak sites on the dark web, observed ransomware groups name 705 victims in Q2 2022, representing a 21% increase over last quarter’s 582. This was a resurgence in activity following a 25.3% decline quarter-on-quarter during Q1.

The LockBit ransomware group overtook Conti in victim numbers as Conti ceased operations following the leak of internal chat logs. Conti had reached almost 900 victims during its operations, but LockBit is now closing in on 1,000 after a 13% growth in activity during the quarter.

LockBit also continued to innovate, releasing version 3 of its ransomware with new features, including support for payments using the Zcash cryptocurrency. It also launched a reward program for any information on high-value targets, along with a data leak site that allows anyone to purchase victim data.

At around 230, Lockbit’s quarterly victim numbers far exceeded any other group in Q2. It was accountable for almost a third of all postings to leak sites in Q2. Conti, which had limped along for several weeks after its own data leak, managed just over 50. In third place was Alphv, which grew 118% during the quarter. Basta came in fourth.

Some other smaller groups are also growing rapidly, according to the report. Vice Society, in fifth place this quarter, doubled its activity.

https://www.infosecurity-magazine.com/news/ransomware-activity-resurges-q2/

• One-Third of Users Without Security Awareness Training Click on Phishing URLs

Phishing attacks just won't die, and new data underscores their effectiveness among users who have not been provided security awareness training.

According to data pulled from security awareness training provider KnowBe4's clients, 32.4% of users will fall for a phish — clicking on a link or following a phony request — if those users have not had any official training. The disconnect is worse in some industry sectors, including consulting, energy and utilities, and healthcare and pharmaceuticals, where half of all untrained users fall for phishing attacks.

The data was pulled from 23.4 million simulated phishing tests conducted at more than 30,000 organisations, encompassing some 9.5 million users. According to KnowBe4, 90 days after monthly or more training, the number of phishing test fails dropped to around 17.6%, and to 5% after one year of regular awareness training.

https://www.darkreading.com/remote-workforce/one-third-of-users-click-on-phishing

• Ransomware Scourge Drives Price Hikes in Cyber Insurance

Cyber security insurance costs are rising, and insurers are likely to demand more direct access to organisational metrics and measures to make more accurate risk assessments.

The rising cost of ransomware attacks is helping push significant premium increases in cyber insurance policies in the UK and US, new data shows.

With the average payouts across the past two years averaging more than $3.5 million in the US, a growing number of cyber security insurers want direct access to customer security metrics and measures. This would help prove the status of security controls, according to a Panaseer report on the state of the cyber insurance industry.

However, insurance firms are struggling to accurately understand a customer's security posture, which is in turn affecting price increases.

Panaseer notes that 82% of insurers surveyed said they expect the rise in premiums to continue. The increasing cost of ransomware is putting premiums up, and the increase in the number of attacks, as well as the number of successful attacks, means insurance is getting harder to get and is getting more expensive.

Meanwhile, 87% of insurers surveyed say they want a more consistent approach to analysing cyber-risk. Fundamentally, insurers need better information in order to price the risk — questionnaires aren't going to cut it. Having real live data coming from a customer about their security posture is what's going to be required for them to accurately price risk, in the same way that telematics did for car insurance.

https://www.darkreading.com/attacks-breaches/ransomware-scourge-drives-price-hikes-in-cyber-insurance

• Conventional Cyber Security Approaches Are Falling Short

Traditional security approaches that rely on reactive, detect-and-respond measures and tedious manual processes can’t keep pace with the volume, variety, and velocity of current threats, according to Skybox Security. As a result, 27% of all executives and 40% of CSOs say their organisations are not well prepared for today’s rapidly shifting threat landscape.

On average, organisations experienced 15% more cyber security incidents in 2021 than in 2020. In addition, “material breaches”— defined as “those generating a large loss, compromising many records, or having a significant impact on business operations” — jumped 24.5%.

The top four causes of the most significant breaches reported by the affected organisations were:

• Human error

• Misconfigurations

• Poor maintenance/lack of cyber hygiene

• Unknown assets.

https://www.helpnetsecurity.com/2022/07/14/conventional-cybersecurity-approaches/

• Virtual CISOs Are the Best Defence Against Accelerating Cyber-Risks

The cyber security challenges that companies are facing today are vast, multidimensional, and rapidly changing. Exacerbating the issue is the relentless evolution of threat actors and their ability to outmanoeuvre security controls effortlessly.

As technology races forward, companies without a full-time CISO (Chief Information Security Officer) are struggling to keep pace. For many, finding, attracting, retaining, and affording the level of skills and experience needed is out of reach or simply unrealistic. Enter the virtual CISO (vCISO). These on-demand experts provide security insights to companies on an ongoing basis and help ensure that security teams have the resources they need to be successful.

Typically, an engagement with a vCISO is long lasting, but in a fractional delivery model. This is very different from a project-oriented approach that requires a massive investment and results in a stack of deliverables for the internal team to implement and maintain. A vCISO not only helps to form the approach, define the action plan, and set the road map but, importantly, stays engaged throughout the implementation and well into the ongoing management phases.

The best vCISO engagements are long-term contracts. Typically, there's an upfront effort where the vCISO is more engaged in the first few months to establish an understanding, develop a road map, and create a rhythm with the team. Then, their support drops into a regular pace which can range from two to three days per week or five to ten days per month.

https://www.darkreading.com/careers-and-people/virtual-cisos-are-the-best-defense-against-accelerating-cyber-risks

• Firms Not Planning for Supply Chain Threats

Enterprises are failing to plan properly for supply chain risks and cyber security threats from the wider digital ecosystem, a leading technology consultancy has warned.

According to Tata Consultancy Services (TCS), firms put the risks posed by ecosystem partners at the bottom of a list of 10 key threats. CISOs and chief risk officers believed that financial systems, customer databases and R&D were the systems most likely to be targeted. Supply chain and distribution was placed in ninth.

The report, based on a survey of larger firms with annual revenues of $1bn or more, found that only 16% of chief risk officers believed the digital ecosystem was a concern when it comes to cyber risks, and only 14% said those ecosystems were a priority for board level discussions.

The research also found that a small number of enterprises fail to focus on cyber risk, with one in six boards discussing it only “occasionally, as necessary or never.” TCS found, though, that organisations with above-average profit and revenue growth were more likely to put cyber security on the agenda at board meetings.

TCS also found that enterprises view the cloud as a more secure environment than conventional data centres and on-premises systems. Additionally, the research highlighted ongoing concerns about skills and the need to attract and retain talented security staff. Firms where senior leaders focus on cyber security are more likely to be able to close the skills gap, according to the study.

https://www.infosecurity-magazine.com/news/planning-supply-chain-threats/

• Data Breach Lawsuit: Will IT Service Provider Capgemini Owe Damages?

IT service provider and consulting firm Capgemini is facing a lawsuit related to a June 2020 data breach. The plaintiff — gaming company Razer — is seeking $7 million in damages. A trial in Singapore’s High Court regarding the dispute is underway, according to Vulcan Post.

Razer claims it has suffered approximately $6.85 million in profit losses from its online website due to the data breach. Razer is pursuing damages for an unquantified sum for profit losses from the rejection of its digital bank license application.

The Razer data breach occurred due to an issue with an IT system. It may have exposed the personal information of about 100,000 Razer customers.

The Razer data breach may have occurred due to a misconfigured Elasticsearch cluster. It also was exposed to the public and indexed by public search engines and took more than three weeks to fix.

Experts from Razer and Capgemini agreed that the data breach was caused by a security misconfiguration. However, Razer now claims that a Capgemini employee recommended the IT system that led to the breach and is therefore responsible for the incident.

https://www.msspalert.com/cybersecurity-breaches-and-attacks/data-breach-lawsuit-gaming-company-razer-sues-capgemini-for-7-million/

• Security Culture: Fear of Cyber Warfare Driving Initiatives

KnowBe4, the provider of security awareness training and simulated phishing platform, has conducted a survey during Infosecurity Europe, which evaluated the opinions of nearly 200 security professionals towards security culture, or more specifically: the ideas, customs and social behaviours of an organisation that influence their security practices.

The research found the threat of cyber warfare (30%) or experiencing a data breach or cyber attack (30%) were the two biggest reasons why security professionals wanted to improve security culture at their organisations. Given the current invasion of Ukraine by Russia and the resulting cyber security warnings announced by many of the world’s leading governments, improving current cyber security efforts has continued to be a top priority for many.

The study also revealed just over two thirds (67%) answered that a strong security culture would very likely reduce the risk of security incidents, with the majority (85%) directing their efforts into both improving security awareness training and communicating values expected from employees regarding security.

However, there are many obstacles when attempting to create a strong security culture, with the main issue being a lack of budget (26%) which was followed security professionals facing indifference from fellow employees (24%) and a lack of senior management support (16%).

Interestingly, just under three quarters (73%) admitted to putting an increased effort into measuring employees understanding of security – this still leaves a considerable gap of 27% that do not, something many security professionals will want to consider closing. Thankfully, 38% agree this aspect of security culture would be an area they want to improve in their organisation. When witnessing a colleague display poor security practises, 67% of UK security experts would prefer to tell the individual discreetly, while just under a third (31%) would send the member of staff training material to review. Only 18% would report the individual to the security team.

https://www.itsecurityguru.org/2022/07/11/security-culture-fear-of-cyber-warfare-driving-initiatives/

• Cryptocurrency 'Mixers' See Record Transactions from Sanctioned Actors

Use of so-called cryptocurrency “mixers,” which combine various types of assets to mask their origin, peaked at a 30-day average of nearly $52 million worth of digital currency in April, representing an unprecedented volume of funds moving through those services, researchers at cryptocurrency research firm Chainalysis found.

A near two-fold increase in funds sent from illicit addresses has accelerated the increase, indicating that the technology that can obfuscate the currency continues to be highly attractive to cyber criminals.

Cryptocurrency mixers work by taking an individual’s cryptocurrency and combining it with a larger pool before returning units equivalent to the original amount minus a service fee to the original account. As a result, it makes it harder for law enforcement and cryptocurrency analysts to trace the currency.

Mixers aren’t solely used by criminals, but they are extremely popular with them. 10% of all funds from illicit wallets are sent to mixers, while mixers received less than 0.5% of the share of other sources of funds tracked by the firm, including decentralised finance projects.

The bulk of illicit funds transferred to mixers came from sanctioned actors, primarily Russian dark net market Hydra and more recently the Lazarus Group, a group of North Korean state-backed hackers. International law enforcement took out Hydra, which had been responsible for 80% of dark web transactions involving cryptocurrency, in May. The US Treasury’s Office of Foreign Assets Control followed with sanctions on more than 100 of its cryptocurrency addresses.

The use of mixers by North Korea state-backed hackers, and a popular mixer they employed to launder funds, made up the rest of the transfers.

https://www.cyberscoop.com/cryptocurrency-mixers-see-record-transactions-from-sanctioned-actors/

• Online Payment Fraud Expected to Cost $343B Over Next 5 Years

Despite ratcheted-up efforts to prevent account takeover, fraudsters are cashing in on a range of online payment fraud schemes, which researchers predict will cost retail organisations more than $343 billion over the next five years.

Physical good purchases are loss leaders, making up 49% of online payment fraud, driven in large part by developing markets with little address verification, according to a new Juniper Research report.

Fundamentally, no two online transactions are the same, so the way transactions are secured cannot follow a one-size-fits-all solution. Payment fraud detection and prevention vendors must build a multitude of verification capabilities, and intelligently orchestrate different solutions depending on circumstances, in order to correctly protect both merchants and users.

https://www.darkreading.com/application-security/online-payment-fraud-expected-to-cost-343b-over-5-years

Threats

Ransomware

• Largest ransom pay-outs by cyber-insurers averaged £3.2 million in the past two years – Intelligent CISO

• Risk & Repeat: Ransomware in 2022 so far (techtarget.com)

• Paying ransomware crooks won’t reduce your legal risk, warns regulator – Naked Security (sophos.com)

• Ransomware Attacks Reign Supreme in 2022 - MSSP Alert

• BlackCat (aka ALPHV) ransomware is increasing stakes up to $2.5 million in demands - Help Net Security

• New Lilith ransomware emerges with extortion site, lists first victim (bleepingcomputer.com)

• Experts warn of the new 0mega ransomware operation - Security Affairs

• Organisations Warned of New Lilith, RedAlert, 0mega Ransomware | SecurityWeek.Com

• Microsoft links H0ly Gh0st ransomware operation to North Korean hackers (bleepingcomputer.com)

• Feds Issue Warning for North Korean-backed Ransomware Hijackers - MSSP Alert

• Ransomware gang now lets you search their stolen data (bleepingcomputer.com)

• Rise in ransomware drives IT leaders to implement data encryption - Help Net Security

• BlackCat Ransomware Group Deploys Brute Ratel Pen Testing Kit - Infosecurity Magazine (infosecurity-magazine.com)

• Bandai Namco confirms hack after ALPHV ransomware data leak threat (bleepingcomputer.com)

• 1.9m patients' medical data exposed in PFC ransomware attack • The Register

Phishing & Email Based Attacks

• Email scams are getting more personal – they even fool cyber security experts (theconversation.com)

• New Phishing Attacks Shame, Scare Victims into Surrendering Twitter, Discord Credentials (darkreading.com)

• Hackers impersonate cyber security firms in callback phishing attacks (bleepingcomputer.com)

• $8 million stolen in large-scale Uniswap airdrop phishing attack (bleepingcomputer.com)

• Almost a third of untrained users will click a phishing link - KnowBe4 research - IT Security Guru

• PayPal phishing kit added to hacked WordPress sites for full ID theft (bleepingcomputer.com)

Other Social Engineering

• Rise In Smishing Scams, Why And How To Protect? (informationsecuritybuzz.com)

• How Hackers Create Fake Personas for Social Engineering (darkreading.com)

• How attackers abuse Quickbooks to send phone scam emails - Help Net Security

Malware

• Criminals are now posing as security companies to trick you into installing malware | TechRadar

Mobile

• New Android malware on Google Play installed 3 million times (bleepingcomputer.com)

• The weaponizing of smartphone location data on the battlefield - Help Net Security

Internet of Things – IoT

• Honda Admits Hackers Could Unlock Car Doors, Start Engines | SecurityWeek.Com

• Watch This $80,000 Tesla Model Y Get Hacked With $20 Hardware - autoevolution

Data Breaches/Leaks

• Fewer Individuals Fall Victim to Data Breaches as Attackers Switch to Business in 2022 - Infosecurity Magazine (infosecurity-magazine.com)

Organised Crime & Criminal Actors

• A look inside Russian cyber crime syndicate TrickBot reveals an organised, potent adversary - CyberScoop

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

• Crypto Scams Soar Despite Crash (informationsecuritybuzz.com)

• Cryptocurrency flowing into “mixers” hits an all-time high. Wanna guess why? | Ars Technica

• Falling Cryptocurrency Market Stalling Cyber Crime Activity - Infosecurity Magazine (infosecurity-magazine.com)

• Hackers stole $620 million from Axie Infinity via fake job interviews (bleepingcomputer.com)

Insider Risk and Insider Threats

• Joshua Schulte Convicted of Leaking CIA 'Vault 7' to Wikileaks (gizmodo.com)

Fraud, Scams & Financial Crime

• New Phishing Kit Hijacks WordPress Sites for PayPal Scam (darkreading.com)

Insurance

• Cyber Insurers Looking for New Risk Assessment Models - Infosecurity Magazine (infosecurity-magazine.com)

• How War Impacts Cyber Insurance | Threatpost4

• The cyber insurance market has a critical infrastructure problem - CyberScoop

Supply Chain and Third Parties

• 3 Golden Rules of Modern Third-Party Risk Management (darkreading.com)

Denial of Service DoS/DDoS

• Mantis, the tiny shrimp that launched 3,000 DDoS attacks • The Register

Identity and Access Management

• Report: Financial Institutions Overly Complacent About Current Authentication Methods (darkreading.com)

• Access Permissions: Manual Reviews Less Effective than Automation, Netwrix Study Finds - MSSP Alert

Encryption

• What to do now about tomorrow’s code-cracking computers | The Economist

Social Media

• Facebook 2FA scammers return – this time in just 21 minutes – Naked Security (sophos.com)

• Disneyland Social Media Hacked - IT Security Guru

Training, Education and Awareness

• Accessible Cyber security Awareness Training Reduces Your Risk of Cyber Attack (darkreading.com)

Privacy

• New Cache Side Channel Attack Can De-Anonymize Targeted Online Users (thehackernews.com)

• Amazon handed Ring video to police without warrant, consent • The Register

• TikTok Chief Security Officer Steps Down Amid Concerns About Privacy (businessinsider.com)

Regulations, Fines and Legislation

• Proposed SEC Rules Require More Transparency About Cyber-Risk (darkreading.com)

Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine

• Ukraine's Cyber Agency Reports Q2 Cyber-Attack Surge - Infosecurity Magazine (infosecurity-magazine.com)

• Cyber espionage groups increasingly target journalists and media organisations | CSO Online

• Sandworm APT Trolls Researchers on Its Trail as It Targets Ukraine (darkreading.com)

• The Man at the Centre of the New Cyber World War - POLITICO

• How War Impacts Cyber Insurance | Threatpost

• Lithuanian Energy Firm Disrupted by DDOS Attack - Infosecurity Magazine (infosecurity-magazine.com)

• Security vendor splits to address Russia’s war in Ukraine • The Register

• Apple previews Lockdown Mode, a new extreme security feature | ZDNet

Nation State Actors

Nation State Actors – North Korea

• ‘Nobody is holding them back’ — North Korean cyber-attack threat rises (cointelegraph.com)

• North Korean threat actor targets small and midsize businesses with H0lyGh0st ransomware - Microsoft Security Blog

Nation State Actors – Misc APT

• APT groups target journalists and media organisations since 2021 - Security Affairs

Vulnerability Management

• Rethinking Vulnerability Management in a Heightened Threat Landscape | Threatpost

• Using shields up to secure credentials and mitigate vulnerabilities (scmagazine.com)

• The enemy of vulnerability management? Unrealistic expectations - Help Net Security

Vulnerabilities

• DHS warns: Expect Log4j risks for 'a decade or longer' • The Register

• Microsoft's Patch Tuesday fixes one bug under active exploit • The Register

• Multiple Vulnerabilities in Adobe Products Could Allow for Arbitrary Code Execution (cisecurity.org)

• CISA orders agencies to patch new Windows zero-day used in attacks (bleepingcomputer.com)

• Flaw in Netwrix Auditor application allows arbitrary code execution - Security Affairs

• Elastix VoIP systems hacked in massive campaign to install PHP web shells (bleepingcomputer.com)

• Hackers Targeting VoIP Servers by Exploiting Digium Phone Software (thehackernews.com)

• Microsoft Teams security vulnerability left users open to XSS via flawed stickers feature | The Daily Swig (portswigger.net)

• Anvil Mobile Hit By New Exploit - DNS Hijacking. (informationsecuritybuzz.com)

• Microsoft Issues Fixes for 84 Vulnerabilities: Here's What to Patch Now (darkreading.com)

• Patch these Juniper Networks bugs, CISA says • The Register

• Buggy WordPress plugin allows complete site takeover • The Register

• VMware patches vCenter Server flaw disclosed in November (bleepingcomputer.com)

• Vulnerabilities that could allow undetectable infections affect 70 Lenovo laptop models | Ars Technica

• AMD, Intel chips vulnerable to 'Retbleed' Spectre variant • The Register

• Microsoft fixes dozens of Azure Site Recovery privilege escalation bugs (bleepingcomputer.com)

• Microsoft releases PoC exploit for macOS sandbox escape vulnerability (bleepingcomputer.com)

• AWS squashes authentication bugs in Kubernetes service • The Register

• Lenovo fixes trio of UEFI vulnerabilities • The Register

Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in. 

• Automotive

• Construction

• Critical National Infrastructure (CNI)

• Defence & Space

• Education & Academia

• Energy & Utilities

• Estate Agencies

• Financial Services

• FinTech

• Food & Agriculture

• Gaming & Gambling

• Government & Public Sector (including Law Enforcement)

• Health/Medical/Pharma

• Hotels & Hospitality

• Insurance

• Legal

• Manufacturing

• Maritime

• Oil, Gas & Mining

• OT, ICS, IIoT, SCADA & Cyber-Physical Systems

• Retail & eCommerce

• Small and Medium Sized Businesses (SMBs)

• Startups

• Telecoms

• Third Sector & Charities

• Transport & Aviation

• Web3

Reports Published in the Last Week

State of Authentication in the Finance Industry 2022 | HYPR

Online Payment Fraud Market Report 2022-27: Size, Share, Trends (juniperresearch.com)

Other News

5 key considerations for your 2023 cyber security budget planning | CSO Online

What Are the Risks of Employees Going on a 'Hybrid Holiday'? (darkreading.com)

New ‘Luna Moth’ hackers breach orgs via fake subscription renewals (bleepingcomputer.com)

Experian accounts could still be at risk from hackers | TechRadar

Cyber security skills surpass cloud skills as this year's training priority, if professionals can find the time | ZDNet

Average American Accesses Suspicious Sites 6.5 Times a Day - Infosecurity Magazine (infosecurity-magazine.com)

Mergers and acquisitions are a strong zero-trust use case • The Register

Recruitment agency Morgan Hunt confirms 'cyber incident' • The Register

New Exploit Attacks UK Routers and Runs Up Mobile Data Bills - ISPreview UK

How Attackers Could Dupe Developers into Downloading Malicious Code From GitHub (darkreading.com)

CEO of Dozens of Companies Charged in Scheme to Traffic An Estimated $1bn in Fake Cisco Devices - Infosecurity Magazine (infosecurity-magazine.com)

Data breaches explained: Types, examples, and impact | CSO Online

President of European Central Bank Christine Lagarde targeted by hackers - Security Affairs

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.