Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

• Business Leaders Need a Hands-on Approach to Stop Cyber Crime, Says Spy Chief

Business leaders must not see cyber crime as “just a technical issue” that can be left up to IT departments, said Lindy Cameron, chief executive of the National Cyber Security Centre (NCSC).  Ms Cameron later commented that “In the world of cyber security, the new year has brought with it some sadly familiar themes - a continuation of cyber incidents affecting organisations large and small as well as the British public”.

Along with this, came the urge for business leaders to step up their efforts in combating cyber crime by taking an active interest and educating themselves on the subject.  When commenting upon board members’ level of understanding, Ms Cameron said “I’d also encourage board members to develop a basic understanding of cyber security, which can help when seeking assurances from IT teams about the resilience of an organisation - in a similar way that leaders have a certain level of understanding of finance to assess financial health”.

https://www.telegraph.co.uk/news/2023/01/28/business-leaders-need-hands-on-approach-stop-cyber-crime-says/

• Rising ‘Firebrick Ostrich’ BEC Group Launches Industrial Scale Cyber Attacks

Business email compromise (BEC) has become one of the most popular methods of financially motivated hacking. And over the past year, one group in particular has demonstrated just how quick, easy, and lucrative it really is.

"Firebrick Ostrich" is a threat actor that's been performing BEC at a near-industrial scale. Since April 2021, the group has carried out more than 350 BEC campaigns, impersonating 151 organisations and utilising 212 malicious domains in the process. This volume of attacks is made possible by the group's wholesale gunslinging approach. Firebrick Ostrich doesn't discriminate much when it comes to targets, or gather exceptional intelligence in order to craft the perfect phishing bait. It throws darts at a wall because, evidently, when it comes to BEC at scale, that's enough.

BEC is attractive to bad actors due to the lower barriers to entry than malware, less risk, faster scaling opportunities, and way more profit potential to higher echelons than other methods of attack. These factors may explain why such attacks are absolutely the emerging trend, potentially even leaving even ransomware in the dust. There are literally hundreds, if not thousands, of these groups out there.

https://www.darkreading.com/remote-workforce/rising-firebrick-ostrich-bec-group-launches-industrial-scale-cyberattacks

• The Corporate World is Losing its Grip on Cyber Risk

Lloyd's of London’s insurance market prides itself on being able to put a price on anything, from Tina Turner’s legs or Bruce Springsteen’s vocal cords, to the risk that a bounty hunter might claim the reward from Cutty Sark Whisky in the 1970s for capturing the Loch Ness monster.

But from the end of March, there will be something it won’t price: systemic cyber risk, or the type of major, catastrophic disruption caused by state-backed cyber warfare. In one sense, this isn’t surprising. Insurance policies typically exclude acts of war. Russia’s NotPetya attack on Ukraine in 2017 showed how state-backed cyber assaults can surpass traditional definitions of armed conflict and overspill their sovereign target to hit global businesses. It caused an estimated $10bn in damages and years of wrangling between companies like pharma group Merck and snack maker Mondelez and their insurers.

But the move is prompting broader questions about the growing pains in this corner of the insurance world. “Cyber insurance isn’t working anywhere at the moment as a public good for society,” says Ciaran Martin, former head of the UK National Cyber Security Centre. “It has a huge role to play in improving defences in a market-based economy and it has been a huge disappointment in that sense so far.”

The Lloyd’s move is designed, say insurers, to clarify rather than restrict coverage. Whether it succeeds is another matter: this is a murky world, where cyber crime groups operate with impunity in certain jurisdictions.

https://www.ft.com/content/78bfdf29-1e20-4c12-a348-06e98d5ae906

• Microsoft Reveals Over 100 Threat Actors are Deploying Ransomware in Attacks

Microsoft revealed this week that its security teams are tracking over 100 threat actors deploying ransomware during attacks. In all, the company says it monitors over 50 unique ransomware families, with some of the most prominent ransomware payloads in recent campaigns including Lockbit, BlackCat (aka ALPHV), Play, Vice Society, Black Basta, and Royal.

Microsoft said that defence strategies should focus less on payloads themselves but more on the chain of activities that lead to their deployment, since ransomware gangs are still targeting servers and devices not yet patched against common or recently addressed vulnerabilities.

Furthermore, while new ransomware families launch all the time, most threat actors utilise the same tactics when breaching and spreading through networks, making the effort of detecting such behaviour even more helpful in thwarting their attacks.

Attackers are increasingly relying on tactics beyond phishing to conduct their attacks, with threat actors for example capitalising on recently patched Exchange Server vulnerabilities to hack vulnerable servers and deploy Cuba and Play ransomware.

https://www.bleepingcomputer.com/news/security/microsoft-over-100-threat-actors-deploy-ransomware-in-attacks/

• Ransomware Conversations: Why the CFO is Pivotal to Discussing and Preparing for Risk

With the amount of cyber attacks in all industries, organisations are beginning to grasp the significance of cyber risk and how it is integral to protecting and maintaining an efficient business. In fact, the first half of 2022 alone saw 236.1 million cases of ransomware.

Whilst the expectation for responsibility has typically fallen on Chief Information Security Officers (CISOs), Chief Financial Officers (CFOs) are just as vital in managing cyber risk, which is now inherently also business risk.  The CFO plays an important part in determining whether cyber security incidents will become material and affect the business more seriously. Their insight is critical across many areas which include ransomware, cyber insurance, regulatory compliance and budget management.

https://www.itsecurityguru.org/2023/02/02/ransomware-conversations-why-the-cfo-is-pivotal-to-discussing-and-preparing-for-risk

• Greater Incident Complexity, a Shift in How Threat Actors Use Stolen Data Will Drive the Cyber Threat Landscape in 2023

Insurance provider Beazley released their Cyber Services Snapshot Report which claims the cyber security landscape will be influenced by greater complexity and the way threat actors use stolen data. The report also found that as a category, fraudulent instruction experienced a growth as a cause of loss in 2022, up 13% year-over year. 

In response to vulnerabilities such as fraudulent instructions, the report suggests organisations must get smarter about educating users to spot things such as spoofed emails or domain names. The report also cautions organisations to watch for social engineering, spear phishing, bypassing of multi-factor authentication (MFA), targeting of managed service providers (MSP) and the compromise of cloud environments as areas of vulnerability.

https://www.darkreading.com/attacks-breaches/greater-incident-complexity-a-shift-in-the-way-threat-actors-use-stolen-data-and-a-rise-in-us-class-actions-will-drive-the-cyber-threat-landscape-in-2023-according-to-beazley-report

• The Threat from Within: 71% of Business Leaders Surveyed Think Next Cyber Security Breach Will Come from the Inside

A survey conducted by IT provider EisnerAmper found that 71% of business executives worry about accidental internal staff error as one of the top threats facing their organisation and 23% of these worried about malicious intent by an employee. In comparison, 75% of business executives had concerns about external hackers. The survey also asked about current safety measures, with 51% responding that they were “somewhat prepared”. Despite this, only 50% of respondents reported conducting regular cyber security training. 

https://www.darkreading.com/vulnerabilities-threats/the-threat-from-within-71-of-business-leaders-surveyed-think-next-cybersecurity-breach-will-come-from-the-inside

• 98% of Organisations Have a Supply Chain Relationship That Has Been Breached

A report from SecurityScorecard found that 98% of organisations have a relationship with at least one third party that has experienced a breach in the last two years, while more than 50% have an indirect relationship with more than 200 fourth parties that have been breached. Of course, this is keeping in mind that not all organisations disclose or even know they have been breached.

https://www.securityweek.com/98-of-firms-have-a-supply-chain-relationship-that-has-been-breached-analysis/

• New Survey Reveals 40% of Companies Experienced a Data Leak in the Past Year

Software provider SysKit has published a report on the effects of digital transformation on IT administrators and the current governance landscape. The report found that 40% of organisations experienced a data leak in the previous year. A data leak can have severe consequences on an organisation's efficiency and the impact can lead to large fines, downtime, and loss of business-critical certifications and customers.

In addition, the Survey found that the biggest challenge for IT administrators was a lack of understanding from superiors, huge workloads and misalignment of IT and business strategies.

https://www.darkreading.com/attacks-breaches/new-survey-reveals-40-of-companies-experienced-a-data-leak-in-the-past-year

• Russian Hackers Launch Cyber Attack on Germany in Leopard Tank Retaliation

The websites of key German administrations, including companies and airports, have been targeted by cyber attacks, the German Federal Office for Information Security (BSI) stated.

The BSI commented they had been informed of DDoS (distributed denial of service) attacks “currently in progress against targets in Germany". This was followed by the statement that “Individual targets in the financial sector” and federal government sites were also attacked, with some websites becoming temporarily unavailable.  It is believed that this is due to the approved deployment of Leopard 2 tanks to Ukraine, with Russian hacker site Killnet taking credit.

https://www.euronews.com/2023/01/26/russian-hackers-launch-cyberattack-on-germany-in-leopard-retaliation

• Financial Services Targeted in 28% of UK Cyber Attacks Last Year

Based on data from security provider Imperva, security researchers have identified that over a quarter (28%) of all cyber attacks in the UK hit the financial services and insurance (FSI) industry in the last 12 months. The data also found that Application Programme Interface (API) attacks, malicious automated software and distributed denial of service (DDoS) attacks were the most challenging for the industry. In addition, the data found that roughly 40% of all account takeover attempts were targeted at the FSI industry.

https://www.infosecurity-magazine.com/news/quarter-cyber-attacks-uk-financial/

• Phishing Attacks are Getting Scarily Sophisticated. Here’s What to Watch Out For

Hackers are going to great lengths, including mimicking real people and creating and updating fake social media profiles, to trick victims into clicking phishing links and handing over usernames and passwords. The National Cyber Security Centre (NCSC) warns that these phishing attacks are targeting a range of sectors.

The NCSC has also released mitigation advice to help organisations and individuals protect themselves online. The mitigation advice included the use of strong passwords, separate to other accounts; enabling multi-factor authentication (MFA); and applying the latest security updates.

https://www.zdnet.com/article/phishing-attacks-are-getting-scarily-sophisticated-heres-what-to-watch-out-for/

• City of London on High Alert After Ransomware Attack

A suspected ransomware attack on a key supplier of trading software to the City of London this week appears to have disrupted activity in the derivatives market. The company impacted, Ion Cleared Derivatives, is investigating. It is reported that 42 clients were impacted by the attack.

https://www.infosecurity-magazine.com/news/city-of-london-high-alert/

• JD Sports Warns of 10 Million Customers Put at Risk in Cyber Attack

Sportswear retailer JD Sports said it was the victim of a cyber attack that exposed the data of 10 million customers, in the latest spate of hacks on UK companies.

JD Sports explained that the attack involved unauthorised access to a system that contained “the name, billing address, delivery address, phone number, order details and the final four digits of payment cards”. The data related to customers’ orders made between November 2018 and October 2020, with outdoor gear companies Millets and Blacks also impacted. A full review with cyber security and external specialists is underway.

https://www.ft.com/content/afe00f2f-afcd-478f-9e4d-1cf9c943fa79

Threats

Ransomware, Extortion and Destructive Attacks

• City Of London Traders Hit By Russia-Linked Cyber Attack (informationsecuritybuzz.com)

• New Nevada Ransomware targets Windows and VMware ESXi systems (bleepingcomputer.com)

• City of London on High Alert After Ransomware Attack - Infosecurity Magazine (infosecurity-magazine.com)

• Ransomware conversations: Why the CFO is pivotal to discussing and preparing for risk - IT Security Guru

• US puts a $10m bounty on Hive while Russia shuts down access • The Register

• Copycat Criminals mimicking Lockbit gang in northern Europe security affairs

• Ransom-what? Learning from Hacked Hackers (secureworld.io)

• Most criminal cryptocurrency is funneled through just 5 exchanges | Ars Technica

• Council leader 'put her foot down' and refused to pay multi-million pound ransom demand from hackers - Teesside Live (gazettelive.co.uk)

• 6 Ransomware Trends & Evolutions For 2023 (trendmicro.com)

• Cyber Attack Hits Derivatives Unit of Trading Software Firm ION - Bloomberg

• Regulators weigh in on ION attack as LockBit takes credit • The Register

• New Mimic Ransomware Abuses Windows Search Engine (cyber securitynews.com)

• Stratford University discloses ransomware attack — but which ransomware attack? (databreaches.net)

• Schools don't pay, but ransomware attacks still increasing | TechTarget

• Poser Hackers Impersonate LockBit in SMB Cyber attacks (darkreading.com)

• Risk & Repeat: The FBI's Hive ransomware takedown | TechTarget

• Nevada Ransomware Has Released Upgraded Locker security affairs

• LockBit Green ransomware variant borrows code from Conti one security affairs

• Arnold Clark customer data stolen in attack claimed by Play ransomware (bleepingcomputer.com)

• Ransomware attacks on public sector persist in January | TechTarget

• Ransomware attack on data firm ION could take days to fix -sources | Reuters

• APT groups use ransomware TTPs as cover for intelligence gathering and sabotage | CSO Online

Phishing & Email Based Attacks

• Phishing attacks are getting scarily sophisticated. Here's what to watch out for | ZDNET

• BEC Group Uses Open Source Tactics in Hundreds of Attacks - Infosecurity Magazine (infosecurity-magazine.com)

• Rising ‘Firebrick Ostrich’ BEC Group Launches Industrial-Scale Cyber attacks (darkreading.com)

• Porsche halts NFT launch, phishing sites fill the void (bleepingcomputer.com)

• Phishers Trick Microsoft Into Granting Them 'Verified' Cloud Partner Status (darkreading.com)

• DocuSign Brand Impersonation Attack Bypasses Security Measures, Targets Over 10,000 - Infosecurity Magazine (infosecurity-magazine.com)

BEC – Business Email Compromise

• BEC Group Uses Open Source Tactics in Hundreds of Attacks - Infosecurity Magazine (infosecurity-magazine.com)

• Rising ‘Firebrick Ostrich’ BEC Group Launches Industrial-Scale Cyber attacks (darkreading.com)

Other Social Engineering; Smishing, Vishing, etc

• New 'Pig Butchering' Scam in West Africa Impersonates US Financial Advisors - Infosecurity Magazine (infosecurity-magazine.com)

• Long Con Impersonates Financial Advisers to Target Victims (darkreading.com)

2FA/MFA

• Facebook Bug Allows 2FA Bypass Via Instagram (darkreading.com)

Malware

• How Can Disrupting DNS Communications Thwart a Malware Attack? (darkreading.com)

• Hackers use new IceBreaker malware to breach gaming companies (bleepingcomputer.com)

• New Threat: Stealthy HeadCrab Malware Compromised Over 1,200 Redis Servers (thehackernews.com)

• PoS malware can block contactless payments to steal credit cards (bleepingcomputer.com)

• Experts Uncover the Identity of Mastermind Behind Golden Chickens Malware Service (thehackernews.com)

• New APT34 Malware Targets The Middle East (trendmicro.com)

• HeadCrab malware targets Redis to mine cryptocurrency | TechTarget

• Malvertising attacks are distributing .NET malware loaders • The Register

• Hackers weaponize Microsoft Visual Studio add-ins to push malware (bleepingcomputer.com)

Mobile

• Google Fi data breach let hackers carry out SIM swap attacks (bleepingcomputer.com)

• Over 1,800 Android phishing forms for sale on cyber crime market (bleepingcomputer.com)

• Mobile phone fraud: 'They stole £22,500 using my banking app' - BBC News

Botnets

• New Threat: Stealthy HeadCrab Malware Compromised Over 1,200 Redis Servers (thehackernews.com)

Denial of Service/DoS/DDOS

• Killnet Attackers DDoS US and Dutch Hospitals - Infosecurity Magazine (infosecurity-magazine.com)

• New DDoS-as-a-Service platform used in recent attacks on hospitals (bleepingcomputer.com)

Internet of Things – IoT

• IoT, connected devices biggest contributors to expanding application attack surface | CSO Online

• European IoT Manufacturers Lag in Vulnerability Disclosure (databreachtoday.co.uk)

• Realtek Vulnerability Under Attack: Over 134 Million Attempts to Hack IoT Devices (thehackernews.com)

• Anker finally comes clean about its Eufy security cameras - The Verge

Data Breaches/Leaks

• JD Sports warns data of 10mn customers put at risk in cyber attack | Financial Times (ft.com)

• New Survey Reveals 40% of Companies Experienced a Data Leak in the Past Year (darkreading.com)

• Planet Ice hacked! 240,000 skating fans' details stolen (bitdefender.com)

• If a locked filing cabinet is stolen along with its key, can you still say it’s locked? GoTo thinks you can • Graham Cluley

Organised Crime & Criminal Actors

• Cyber crime job ads on the dark web pay up to $20k per month (bleepingcomputer.com)

• Most criminal cryptocurrency is funneled through just 5 exchanges | Ars Technica

• How $6 Can Buy Hacked Social Media & Streaming Accounts From the Dark Web, Whizcase Study Reveals (darkreading.com)

• Cyber crime Ecosystem Spawns Lucrative Underground Gig Economy (darkreading.com)

• Cyber crime job ads on the dark web pay up to $20k per month (bleepingcomputer.com)

• Developers, Attackers Top List of Most In Demand Dark Web Jobs, Kaspersky Reports - MSSP Alert

• Report on hackers' salaries shows poor wages for developers • The Register

• 6 Examples of the Evolution of a Scam Site (darkreading.com)

• Cyber Insights 2023: Criminal Gangs - SecurityWeek

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

• ‘Everything is fake’: how global crime gangs are using UK shell companies in multi-million pound crypto scams | Organised crime | The Guardian

• Most criminal cryptocurrency is funneled through just 5 exchanges | Ars Technica

• FBI: North Korea’s Lazarus Group behind $100m crypto attack • The Register

• Oxford student jailed for £2m crypto theft after PhD blunder | News | The Times

• Porsche halts NFT launch, phishing sites fill the void (bleepingcomputer.com)

• Crypto theft: North Korea-linked hackers stole $1.7b in 2022 - BBC News

• HeadCrab malware targets Redis to mine cryptocurrency | TechTarget

Insider Risk and Insider Threats

• Insider attacks becoming more frequent, more difficult to detect - Help Net Security

• The Threat from Within: 71% of Business Leaders Surveyed Think Next Cyber security Breach Will Come from the Inside (darkreading.com)

• Are Your Employees Thinking Critically About Their Online Behaviours? (darkreading.com)

• The next cyber threat may come from within - Help Net Security

• Insider threats: The cyber risks lurking in the dark (betanews.com)

• Executives Worry Equally About Insider Cyber Errors, Outsider Threats: How MSSPs Can Help - MSSP Alert

• Former Ubiquiti dev pleads guilty to data theft, extortion • The Register

Fraud, Scams & Financial Crime

• ‘Everything is fake’: how global crime gangs are using UK shell companies in multi-million pound crypto scams | Organised crime | The Guardian

• New 'Pig Butchering' Scam in West Africa Impersonates US Financial Advisors - Infosecurity Magazine (infosecurity-magazine.com)

• FBI: North Korea’s Lazarus Group behind $100m crypto attack • The Register

• Oxford student jailed for £2m crypto theft after PhD blunder | News | The Times

• Porsche halts NFT launch, phishing sites fill the void (bleepingcomputer.com)

• Russian Millionaire on Trial in Hack, Insider Trade Scheme - SecurityWeek

• 6 Examples of the Evolution of a Scam Site (darkreading.com)

• Mobile phone fraud: 'They stole £22,500 using my banking app' - BBC News

• Crypto theft: North Korea-linked hackers stole $1.7b in 2022 - BBC News

• Romance fraud losses rose 91% during the pandemic, claims UK's TSB bank | Tripwire

• Romance Fraudsters Have Stolen £65m From Brits Since 2020 (informationsecuritybuzz.com)

Impersonation Attacks

• DocuSign Brand Impersonation Attack Bypasses Security Measures, Targets Over 10,000 - Infosecurity Magazine (infosecurity-magazine.com)

• Why CISOs Should Care About Brand Impersonation Scam Sites (darkreading.com)

AML/CFT/Sanctions

• As the anti-money laundering perimeter expands, who needs to be compliant, and how? - Help Net Security

Insurance

• 4 Cyber Insurance Requirement Predictions for 2023 (trendmicro.com)

Dark Web

• There’s a Wild Scramble for Control of the Dark Web Taking Place in Russia (vice.com)

• How $6 Can Buy Hacked Social Media & Streaming Accounts From the Dark Web, Whizcase Study Reveals (darkreading.com)

• Cyber crime job ads on the dark web pay up to $20k per month (bleepingcomputer.com)

• Developers, Attackers Top List of Most In Demand Dark Web Jobs, Kaspersky Reports - MSSP Alert

• Report on hackers' salaries shows poor wages for developers • The Register

Supply Chain and Third Parties

• 98% of Firms Have a Supply Chain Relationship That Has Been Breached: Analysis - SecurityWeek

• Almost all Organisations are Working with Recently Breached Vendors - Infosecurity Magazine (infosecurity-magazine.com)

• 50% of organisations have indirect relationships with 200+ breached fourth-party vendors - Help Net Security

• Cyber attack Impact “Catastrophic” for Third Parties, New Study Finds MSSPs at Risk? - MSSP Alert

• New “MITRE ATT&CK-like” framework outlines software supply chain attack TTPs | CSO Online

• CISA to Open Supply Chain Risk Management Office (darkreading.com)

• Cyber Insights 2023 | Supply Chain Security - SecurityWeek

Cloud/SaaS

• Misconfiguration and vulnerabilities biggest risks in cloud security: Report | CSO Online

• Hybrid cloud storage security challenges - Help Net Security

• Short-staffed SOCs struggle to gain visibility into cloud activities - Help Net Security

Containers

• Researchers Claim High-Risk Vulnerabilities Found in 87% of All Container Images - Infosecurity Magazine (infosecurity-magazine.com)

Encryption

• Serious Security: The Samba logon bug caused by outdated crypto – Naked Security (sophos.com)

• Encryption Explained: At Rest, In Transit & End-To-End Encryption | Splunk

• Cyber Insights 2023 | Quantum Computing and the Coming Cryptopocalypse - SecurityWeek

API

• The emergence of trinity attacks on APIs - Help Net Security

• API management (APIM): What It Is and Where It’s Going security affairs

Open Source

• Microsoft upgrades Defender to lock down Linux devices • The Register

Passwords, Credential Stuffing & Brute Force Attacks

• Bitwarden Password Manager users are being targeted by phishing ads on Google- gHacks Tech News

• KeePass disputes vulnerability allowing stealthy password theft (bleepingcomputer.com)

Social Media

• Inside TikTok’s proposal to address US national security concerns | CyberScoop

• Facebook Bug Allows 2FA Bypass Via Instagram (darkreading.com)

Malvertising

• Malvertising attacks are distributing .NET malware loaders • The Register

Training, Education and Awareness

• Are Your Employees Thinking Critically About Their Online Behaviours? (darkreading.com)

Regulations, Fines and Legislation

• Regulators weigh in on ION attack as LockBit takes credit • The Register

• New UN cyber crime convention has a long way to go in a tight timeframe | CSO Online

Governance, Risk and Compliance

• Business leaders need hands-on approach to stop cyber crime, says spy chief (telegraph.co.uk)

• New Survey Reveals 40% of Companies Experienced a Data Leak in the Past Year (darkreading.com)

• Financial Services Targeted in 28% of UK Cyber-Attacks Last Year - Infosecurity Magazine (infosecurity-magazine.com)

• 70% of CIOs anticipate their involvement in cyber security to increase - Help Net Security

• Cyber security Budgets Are Going Up. So Why Aren't Breaches Going Down? (thehackernews.com)

• Ransomware conversations: Why the CFO is pivotal to discussing and preparing for risk - IT Security Guru

• You Don't Know Where Your Secrets Are (thehackernews.com)

• Inability to prevent bad things from happening seen as the worst part of a security job - Help Net Security

• The corporate world is losing its grip on cyber risk | Financial Times (ft.com)

• IT and Security Professionals Spend an Average of 4,300 Hours Annually Achieving or Maintaining Compliance (darkreading.com)

Careers, Working in Cyber and Information Security

• Inability to prevent bad things from happening seen as the worst part of a security job - Help Net Security

• Thriving Dark Web Trade in Fake Security Certifications - Infosecurity Magazine (infosecurity-magazine.com)

• The Effect of Cyber security Layoffs on Cyber security Recruitment - SecurityWeek

• Economic headwinds could deepen the cyber security skills shortage | CSO Online

Law Enforcement Action and Take Downs

• 7 Ways Hive Ransomware Gang Caused Chaos Before FBI Hacked It (gizmodo.com)

• US puts a $10m bounty on Hive while Russia shuts down access • The Register

• Hacker accused of having stolen personal data of all Austrians security affairs

• Alleged ShinyHunters gang member in US court • The Register

• Risk & Repeat: The FBI's Hive ransomware takedown | TechTarget

Privacy, Surveillance and Mass Monitoring

• On Data Privacy Day, Organisations Fail Data Privacy Expectations (darkreading.com)

• Hacker accused of having stolen personal data of all Austrians security affairs

• Enterprises Need to Do More to Assure Consumers About Privacy (darkreading.com)

Artificial Intelligence

• Foreign states already using ChatGPT maliciously, UK IT leaders believe | CSO Online

• OpenAI releases tool to detect AI-written text (bleepingcomputer.com)

• Reality check: Is ChatGPT really the next big cyber security threat? | CyberScoop

• Cyber Insights 2023: Artificial Intelligence - SecurityWeek

Misinformation, Disinformation and Propaganda

• Google deletes 50,000 pro-China fake-news vids and blogs • The Register

• Google: Influence Operator Dragonbridge Floods Social Media in Sprawling Cyber Campaign (darkreading.com)

Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine

• Iranian APT Leaks Data From Saudi Arabia Government Under New Persona - SecurityWeek

• Ukraine Links Media Centre Attack to Russian Intelligence (govinfosecurity.com)

• Latvia confirms phishing attack on Ministry of Defence, linking it to Russian hacking group - The Record from Recorded Future News

• British Cyber Agency Warns of Russian and Iranian Hackers Targeting Key Industries (thehackernews.com)

• Russia-Linked APT29 Uses New Malware in Embassy Attacks - SecurityWeek

• Russia's Sandworm APT Launches Swarm of Wiper Attacks in Ukraine (darkreading.com)

• Russia-linked Hackers Launch DDoS Attacks on Germany and US. Hospitals, Threaten Canada - MSSP Alert

• Latvia says Russian hackers tried to phish its Ministry of Defence (bitdefender.com)

• Inside Killnet: Pro-Russia Hacktivist Group's Support and Influence Grows (darkreading.com)

• New APT34 Malware Targets The Middle East (trendmicro.com)

• Lazarus Group Attack Identified After Operational Security Fail - Infosecurity Magazine (infosecurity-magazine.com)

• Crypto theft: North Korea-linked hackers stole $1.7b in 2022 - BBC News

• North Korean hackers stole research data in two-month-long breach (bleepingcomputer.com)

• APT groups use ransomware TTPs as cover for intelligence gathering and sabotage | CSO Online

• Cyber Insights 2023: The Geopolitical Effect - SecurityWeek

Nation State Actors

Nation State Actors – Russia

• Russian Nuisance Hacking Group KillNet Targets Germany (govinfosecurity.com)

• Russian hackers launch cyber attack on Germany in Leopard retaliation | Euronews

• Ukraine Links Media Centre Attack to Russian Intelligence (govinfosecurity.com)

• Latvia confirms phishing attack on Ministry of Defence, linking it to Russian hacking group - The Record from Recorded Future News

• A Link to News Site Meduza Can (Technically) Land You in Russian Prison | WIRED

• British Cyber Agency Warns of Russian and Iranian Hackers Targeting Key Industries (thehackernews.com)

• Russia-Linked APT29 Uses New Malware in Embassy Attacks - SecurityWeek

• Russia's Sandworm APT Launches Swarm of Wiper Attacks in Ukraine (darkreading.com)

• Russia-linked Hackers Launch DDoS Attacks on Germany and US. Hospitals, Threaten Canada - MSSP Alert

• Latvia says Russian hackers tried to phish its Ministry of Defence (bitdefender.com)

• Killnet Attackers DDoS US and Dutch Hospitals - Infosecurity Magazine (infosecurity-magazine.com)

• IT Army of Ukraine gained access to 1.5GB archive from Gazprom security affairs

• There’s a Wild Scramble for Control of the Dark Web Taking Place in Russia (vice.com)

• Inside Killnet: Pro-Russia Hacktivist Group's Support and Influence Grows (darkreading.com)

Nation State Actors – China

• Google deletes 50,000 pro-China fake-news vids and blogs • The Register

• Google: Influence Operator Dragonbridge Floods Social Media in Sprawling Cyber Campaign (darkreading.com)

• TikTok CEO to testify before US. Congress over security concerns | Reuters

Nation State Actors – North Korea

• FBI: North Korea’s Lazarus Group behind $100m crypto attack • The Register

• Lazarus Group Attack Identified After Operational Security Fail - Infosecurity Magazine (infosecurity-magazine.com)

• Crypto theft: North Korea-linked hackers stole $1.7b in 2022 - BBC News

• North Korean hackers stole research data in two-month-long breach (bleepingcomputer.com)

Nation State Actors – Iran

• Iranian APT Leaks Data From Saudi Arabia Government Under New Persona - SecurityWeek

• British Cyber Agency Warns of Russian and Iranian Hackers Targeting Key Industries (thehackernews.com)

Nation State Actors – Misc

• Foreign states already using ChatGPT maliciously, UK IT leaders believe | CSO Online

• New APT34 Malware Targets The Middle East (trendmicro.com)

• APT groups use ransomware TTPs as cover for intelligence gathering and sabotage | CSO Online

Vulnerability Management

• The future of vulnerability management and patch compliance - Help Net Security

• What is the CVSS (Common Vulnerability Scoring System)? (techtarget.com)

Vulnerabilities

• Researchers to release VMware vRealize Log RCE exploit, patch now (bleepingcomputer.com)

• Patch management is crucial to protect Exchange servers, Microsoft warns security affairs

• Realtek Vulnerability Under Attack: Over 134 Million Attempts to Hack IoT Devices (thehackernews.com)

• QNAP Fixes Critical Vulnerability in NAS Devices with Latest Security Updates (thehackernews.com)

• Over 29,000 QNAP devices unpatched against new critical flaw (bleepingcomputer.com)

• Firmware Flaws Could Spell 'Lights Out' for Servers (darkreading.com)

• Why you might not be done with your January Microsoft security patches | CSO Online

• Researcher drops Lexmark RCE zero-day rather than sell vuln ‘for peanuts’ | The Daily Swig (portswigger.net)

• HPE, NetApp warn of critical open-source bug | SC Media (scmagazine.com)

• High-severity bug in F5 BIG-IP can lead to code execution and DoS security affairs

• Cisco fixes bug allowing backdoor persistence between reboots (bleepingcomputer.com)

• Atlassian's Jira Software Found Vulnerable to Critical Authentication Vulnerability (thehackernews.com)

• CISA Alert: Oracle E-Business Suite and SugarCRM Vulnerabilities Under Attack (thehackernews.com)

• Threat activity increasing around Fortinet VPN vulnerability | TechTarget

• Remote code execution exploit chain available for VMware vRealize Log Insight | CSO Online

Tools and Controls

• Gartner report shows zero trust isn’t a silver bullet | VentureBeat

Other News

• We can't rely on goodwill to protect our critical infrastructure - Help Net Security

• Playing Military Sim War Thunder May Get You Classed as a National Security Risk

• Cyber attacks in space: How safe are our satellites? | Metro News

• Threat Actors Use ClickFunnels to Bypass Security Services - Infosecurity Magazine (infosecurity-magazine.com)

• Massive Microsoft 365 outage caused by WAN router IP change (bleepingcomputer.com)

Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

·       Automotive

·       Construction

·       Critical National Infrastructure (CNI)

·       Defence & Space

·       Education & Academia

·       Energy & Utilities

·       Estate Agencies

·       Financial Services

·       FinTech

·       Food & Agriculture

·       Gaming & Gambling

·       Government & Public Sector (including Law Enforcement)

·       Health/Medical/Pharma

·       Hotels & Hospitality

·       Insurance

·       Legal

·       Manufacturing

·       Maritime

·       Oil, Gas & Mining

·       OT, ICS, IIoT, SCADA & Cyber-Physical Systems

·       Retail & eCommerce

·       Small and Medium Sized Businesses (SMBs)

·       Startups

·       Telecoms

·       Third Sector & Charities

·       Transport & Aviation

·       Web3

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

• Cyber Attacks Set to Become ‘Uninsurable’, Says Zurich Chief

The chief executive of one of Europe’s biggest insurance companies has warned that cyber attacks, rather than natural catastrophes, will become “uninsurable” as the disruption from hacks continues to grow.

Insurance executives have been increasingly vocal in recent years about systemic risks, such as pandemics and climate change, that test the sector’s ability to provide coverage. For the second year in a row, natural catastrophe-related claims are expected to top $100bn. 

But Mario Greco, chief executive at insurer Zurich, told the Financial Times that cyber was the risk to watch. “What will become uninsurable is going to be cyber,” he said. “What if someone takes control of vital parts of our infrastructure, the consequences of that?” Recent attacks that have disrupted hospitals, shut down pipelines and targeted government departments have all fed concern about this expanding risk among industry executives. Focusing on the privacy risk to individuals was missing the bigger picture, Greco added: “First off, there must be a perception that this is not just data . . . this is about civilisation. These people can severely disrupt our lives.” 

Spiralling cyber losses in recent years have prompted emergency measures by the sector’s underwriters to limit their exposure. As well as pushing up prices, some insurers have responded by tweaking policies so clients retain more losses. There are exemptions written into policies for certain types of attacks. In 2019, Zurich initially denied a $100mn claim from food company Mondelez, arising from the NotPetya attack, on the basis that the policy excluded a “warlike action”. The two sides later settled. In September, Lloyd’s of London defended a move to limit systemic risk from cyber attacks by requesting that insurance policies written in the market have an exemption for state-backed attacks.

https://www.ft.com/content/63ea94fa-c6fc-449f-b2b8-ea29cc83637d

Your Business Should Compensate for Modern Ransomware Capabilities Right Now

The “if, not when” mentality surrounding ransomware may be the biggest modern threat to business longevity. Companies of all sizes and across all industries are increasingly common targets for ransomware attacks, and we know that 94% of organisations experienced a cyber security incident last year alone. Yet, many enterprises continue to operate with decades-old security protocols that are unequipped to combat modern ransomware. Leaders have prioritised improving physical security measures in light of the pandemic — so why haven’t ransomware protections improved?

Maybe it’s the mistaken notion that ransomware attacks are declining. In reality, Q1 of 2022 saw a 200% YoY increase in ransomware incidents. Meanwhile, the rise in Ransomware as a Service (RaaS) offerings suggests that cyber threats have become a commodity for bad actors.

The RaaS market presents a new and troubling trend for business leaders and IT professionals. With RaaS — a subscription ransomware model that allows affiliates to deploy malware for a fee — the barrier to entry for hackers is lower than ever. The relatively unskilled nature of RaaS hackers may explain why the average ransomware downtime has plummeted to just 3.85 days (compared to an average attack duration of over two months in 2019).

While the decrease in attack duration is promising, the rise of RaaS still suggests an inconvenient truth for business leaders: All organisations are at risk. And in time, all organisations will become a target, which is why it’s time for IT and business leaders to implement tough cyber security protocols.

https://venturebeat.com/security/your-business-should-compensate-for-modern-ransomware-capabilities-right-now/

• Reported Phishing Attacks Have Quintupled

In the third quarter of 2022, the international Anti-Phishing Working Group (APWG) consortium observed 1,270,883 total phishing attacks; the worst quarter for phishing that APWG has ever observed. The total for August 2022 was 430,141 phishing sites, the highest monthly total ever reported to APWG.

Over recent years, reported phishing attacks submitted to APWG have more than quintupled since the first quarter of 2020, when APWG observed 230,554 attacks. The rise in Q3 2022 was attributable, in part, to increasing numbers of attacks reported against several specific targeted brands. These target companies and their customers suffered from large numbers of attacks from persistent phishers.

Threat researchers at the cyber security solution provider Fortra noted a 488 percent increase in response-based email attacks in Q3 2022 compared to the prior quarter. While every subtype of these attacks increased compared to Q2, the largest increase was in Advance Fee Fraud schemes, which rose by a staggering 1,074 percent.

In the third quarter of 2022, APWG founding member OpSec Security found that phishing attacks against the financial sector, which includes banks, remained the largest set of attacks, accounting for 23.2 percent of all phishing. Attacks against webmail and software-as-a-service (SaaS) providers remained prevalent as well. Phishing against social media services fell to 11 percent of the total, down from 15.3 percent.

Phishing against cryptocurrency targets — such as cryptocurrency exchanges and wallet providers — fell from 4.5 percent of all phishing attacks in Q2 2022 to 2 percent in Q3. This mirrored the fall in value of many cryptocurrencies since mid-year.

https://www.helpnetsecurity.com/2022/12/28/reported-phishing-attacks-quintupled/

• Ransomware, DDoS See Major Upsurge Led by Upstart Hacker Group

Cyber threat actors Cuba and Royal are driving a 41% boom in ransomware and other attacks hitting industry and consumer goods and services.

According to the Global Threat Intelligence team of information assurance firm NCC Group, November saw a 41% increase in ransomware attacks from 188 incidents to 265. In its most recent Monthly Threat Pulse, the group reported that the month was the most active for ransomware attacks since April this year.

Key takeaways from the study:

• Ransomware attacks rose by 41% in November.

• Threat group Royal (16%) was the most active, replacing LockBit as the worst offender for the first time since September 2021.

• Industrials (32%) and consumer cyclicals (44%) remain the top two most targeted sectors, but technology experienced a large 75% increase over the last month.

• Regional data remains consistent with last month — North America (45%), Europe (25%) and Asia (14%)

• DDoS attacks continue to increase.

Recent examples in the services sector include the Play ransomware group’s claimed attack of the German H-Hotels chain, resulting in communications outages. This attack reportedly uses a vulnerability in Microsoft Exchange called ProxyNotShell, which as the name implies, has similarities to the ProxyShell zero-day vulnerability revealed in 2021.

Also, back on the scene is the TrueBot malware downloader (a.k.a., the silence.downloader), which is showing up in an increasing number of devices. TrueBot Windows malware, designed by a Russian-speaking hacking group identified as Silence, has resurfaced bearing Ransom.Clop, which first appeared in 2019. Clop ransomware encrypts systems and exfiltrates data with the threat that if no ransom is forthcoming, the data will show up on a leak site.

https://www.techrepublic.com/article/ransomware-ddos-major-upsurge-led-upstart-hacker-group/

• Videoconferencing Worries Grow, With SMBs in Cyber Attack Crosshairs

Securing videoconferencing solutions is just one of many IT security challenges small businesses are facing, often with limited financial and human resources.

It's no secret that the acceleration of work-from-home and distributed workforce trends — infamously spurred on by the pandemic — has occurred in tandem with the rise of video communications and collaboration platforms, led by Zoom, Microsoft, and Cisco.

But given that videoconferencing now plays a critical role in how businesses interact with their employees, customers, clients, vendors, and others, these platforms carry significant potential security risks, researchers say.

Organisations use videoconferencing to discuss M&A, legal, military, healthcare, intellectual property and other topics, and even corporate strategies. A loss of that data could be catastrophic for a company, its employees, its clients, and its customers.

However, a recent report on videoconferencing security showed that 93% of IT professionals surveyed acknowledged security vulnerabilities and gaping risks in their videoconferencing solutions.

Among the most relevant risks is the lack of controlled access to conversations that could result in disruption, sabotage, compromise, or exposure of sensitive information, while use of nonsecure, outdated, or unpatched videoconferencing applications can expose security flaws.

The risks include the potential for interruptions, unauthorised access, and perhaps most concerning, the opportunity for a bad actor to acquire sensitive information.

https://www.darkreading.com/application-security/videoconferencing-worries-grow-with-smbs-in-cyberattack-crosshairs

• Will the Crypto Crash Impact Cyber Security in 2023? Maybe.

With the implosion of the FTX exchange putting a punctuation mark on the cryptocurrency crash of 2022, one of the natural questions for those in the cyber security world is, how will this rapid decline of cryptocurrency valuations change the cyber crime economy?

Throughout the most recent crypto boom, and even before then, cyber criminals have used and abused cryptocurrency to build up their empires. The cryptocurrency market provides the extortionary medium for ransomware; it's a hotbed of scams against consumers to steal their wallets and accounts. Traditionally, it's provided a ton of anonymous cover for money laundering on the back end of a range of cyber criminal enterprises.

Even so, according to cyber security experts and intelligence analysts, while there certainly have been some shifts in trends and tactics that they believe are loosely tied to the crypto crash, the jury's still out on long-term impacts.

Regardless of crypto values, cyber criminals this year have definitely become more sophisticated in how they use cryptocurrencies to monetise their attacks including the use by some ransomware groups taking advantage of yield farming within decentralised finance (DeFi), as an example.

The concept of yield farming is the same as lending money, with a contract in place that clearly shows how much interest will need to be paid. The advantage for ransomware groups is that the 'interest' will be legitimate proceeds, so there will be no need to launder or hide it.

Threat actors are increasingly turning toward 'stablecoins,' which are usually tied to fiat currencies or gold to stem their volatility. In many ways, the downturn in crypto values has increased the risk appetite of cyber criminals and is spurring them into more investment fraud and cryptocurrency scams.

https://www.darkreading.com/threat-intelligence/crypto-crash-impact-cybersecurity-2023-maybe

• The Worst Hacks of 2022

The year was marked by sinister new twists on cyber security classics, including phishing, breaches, and ransomware attacks.

With the pandemic evolving into an amorphous new phase and political polarisation on the rise around the world, 2022 was an uneasy and often perplexing year in digital security. And while hackers frequently leaned on old chestnuts like phishing and ransomware attacks, they still found vicious new variations to subvert defences.

Technology magazine Wired looked back on the year's worst breaches, leaks, ransomware attacks, state-sponsored hacking campaigns, and digital takeovers. If the first years of the 2020s are any indication, the digital security field in 2023 will be more bizarre and unpredictable than ever. Stay alert, and stay safe out there.

Russia Hacking Ukraine

For years, Russia has pummelled Ukraine with brutal digital attacks causing blackouts, stealing and destroying data, meddling in elections, and releasing destructive malware to ravage the country's networks. Since invading Ukraine in February, though, times have changed for some of Russia's most prominent and most dangerous military hackers. Shrewd long-term campaigns and grimly ingenious hacks have largely given way to a stricter and more regimented clip of quick intrusions into Ukrainian institutions, reconnaissance, and widespread destruction on the network—and then repeated access over and over again, whether through a new breach or by maintaining the old access.

Twilio and the 0ktapus Phishing Spree

Over the summer, a group of researchers dubbed 0ktapus went on a massive phishing bender, compromising nearly 10,000 accounts within more than 130 organisations. The majority of the victim institutions were US-based, but there were dozens in other countries as well.

Ransomware Still Hitting the Most Vulnerable Targets

In recent years, countries around the world and the cyber security industry have increasingly focused on countering ransomware attacks. While there has been some progress on deterrence, ransomware gangs were still on a rampage in 2022 and continued to target vulnerable and vital social institutions, including health care providers and schools. The Russian-speaking group Vice Society, for example, has long specialised in targeting both categories, and it focused its attacks on the education sector this year.

The Lapsus$ Rampage Continues

The digital extortion gang Lapsus$ was on an intense hacking spree at the beginning of 2022, stealing source code and other sensitive information from companies like Nvidia, Samsung, Ubisoft, and Microsoft and then leaking samples as part of apparent extortion attempts. Lapsus$ has a sinister talent for phishing, and in March, it compromised a contractor with access to the ubiquitous authentication service Okta.

LastPass

The beleaguered password manager giant LastPass, which has repeatedly dealt with data breaches and security incidents over the years, said at the end of December that a breach of its cloud storage in August led to a further incident in which hackers targeted a LastPass employee to compromise credentials and cloud storage keys.

Vanuatu

At the beginning of November, Vanuatu, an island nation in the Pacific, was hit by a cyber attack that took down virtually all of the government's digital networks. Agencies had to move to conducting their work on paper because emergency systems, medical records, vehicle registrations, driver's license databases, and tax systems were all down.

Honourable Mention: Twitter-Related Bedlam

Twitter has been in chaos mode for months following Elon Musk's acquisition of the company earlier this year. Amidst the tumult, reports surfaced in July and then again in November of a trove of 5.4 million Twitter users' data that has been circulating on criminal forums since at least July, if not earlier. The data was stolen by exploiting a vulnerability in a Twitter application programming interface, or API.

https://www.wired.com/story/worst-hacks-2022/

• Geopolitical Tensions Expected to Further Impact Cyber Security in 2023

Geopolitics will continue to have an impact on cyber security and the security posture of organisations long into 2023.

The impact of global conflicts on cyber security was thrust into the spotlight when Russia made moves to invade Ukraine in February 2022. Ukraine’s Western allies were quick to recognise that with this came the threat of Russian-backed cyber-attacks against critical national infrastructure (CNI), especially in retaliation to hefty sanctions. While this may not have materialised in the way many expected, geopolitics is still front of mind for many cyber security experts looking to 2023.

Russia has always been among a handful of states recognised for their cyber prowess and being the source of many cyber criminal gangs. As previously mentioned, we have failed to see a significant cyber-attack, at least one comparable to the Colonial Pipeline incident, in 2022. However the cyber security services provider, e2e-assure, warned: “We have underestimated Russia’s cyber capability. There is a wide view that Russian cyber activity leading up to and during their invasion of Ukraine indicated that they aren’t the cyber power we once thought. Patterns and evidence will emerge in 2023 that shows this wasn’t the case, instead Russia was directing its cyber efforts elsewhere, with non-military goals (financial and political).”

NordVPN, the virtual private network (VPN) provider, warns that the cyber-war is only just starting: “With China’s leader securing his third term and Russia’s war in Ukraine, many experts predict an increase in state-sponsored cyber-attacks. China may increase cyber-attacks on Taiwan, Hong Kong, and other countries opposing the regime. Meanwhile, Russia is predicted to sponsor attacks on countries supporting Ukraine.”

We are used to seeing cyber-attacks that encrypt data and ask for ransom, but it is likely in this era of nation-state sponsored attacks we could experience attacks for the sake of disruption.

https://www.infosecurity-magazine.com/news/geopolitical-tensions-impact/

• Fraudsters’ Working Patterns Have Changed in Recent Years

Less sophisticated fraud — in which doctored identity documents are readily spotted — has jumped 37% in 2022, according to the identify verfication provider Onfido. Fraudsters can scale these attacks on an organisation’s systems around the clock.

It is estimated that the current global financial cost of fraud is $5.38 trillion (£4.37 trillion), which is 6.4% of the world’s GDP. With most fraud now happening online (80% of reported fraud is cyber-enabled), Onfido’s Identity Fraud Report uncovers patterns of fraudster behaviour, attack techniques, and emerging tactics.

Over the last four years, fraudsters’ working patterns have dramatically changed. In 2019, attacks mirrored a typical working week, peaking Monday to Friday and dropping off during the weekends. Yet over the last three years, fraudulent activity started to shift so that levels of fraud span every day of the week.

In 2022, fraud levels were consistent across 24 hours, seven days a week. With technology, fraudsters are more connected across the globe and are able to traverse regions and time zones, and can easily take advantage of businesses’ closed hours when staff are likely offline. This hyperconnectivity means there are no more ‘business hours’ for fraudsters and sophisticated fraud rings — they will scam and defraud 24/7.

“As criminals look to take advantage of digitisation processes, they’re able to commit financial crimes with increasing efficiency and sophistication, to the extent that financial crime and cyber crime are now invariably linked,” said Interpol. “A significant amount of financial fraud takes place through digital technologies, and the pandemic has only hastened the emergence of digital money laundering tools and other cyber-enabled financial crimes.”

https://www.helpnetsecurity.com/2022/12/29/less-sophisticated-fraud/

• Hacktivism is Back and Messier Than Ever

Throughout 2022, geopolitics has given rise to a new wave of politically motivated attacks with an undercurrent of state-sponsored meddling.

During its brutal war in Ukraine, Russian troops have burnt cities to the ground, raped and tortured civilians, and committed scores of potential war crimes. On November 23, lawmakers across Europe overwhelmingly labelled Russia a “state sponsor” of terrorism and called for ties with the country to be reduced further. The response to the declaration was instant. The European Parliament’s website was knocked offline by a DDoS attack.

The unsophisticated attack—which involves flooding a website with traffic to make it inaccessible—disrupted the Parliament’s website offline for several hours. Pro-Russian hacktivist group Killnet claimed responsibility for the attack. The hacktivist group has targeted hundreds of organisations around the world this year, having some limited small-scale successes knocking websites offline for short periods of time. It’s been one player in a bigger hacktivism surge.

Following years of sporadic hacktivist activity, 2022 has seen the re-emergence of hacktivism on a large scale. Russia’s full-scale invasion of Ukraine spawned scores of hacktivist groups on both sides of the conflict, while in Iran and Israel, so-called hacktivist groups are launching increasingly destructive attacks. This new wave of hacktivism, which varies between groups and countries, comes with new tactics and approaches and, increasingly, is blurring lines between hacktivism and government-sponsored attacks.

https://www.wired.com/story/hacktivism-russia-ukraine-ddos/

Threats

Ransomware, Extortion and Destructive Attacks

• Custom-Branded Ransomware: The Vice Society Group and the Threat of Outsourced Development - SentinelOne

• Jersey school locked out of systems as hackers demand "ransom" | Bailiwick Express Jersey

• Vice Society Ransomware Attackers Adopt Robust Encryption Methods (thehackernews.com)

• Global counter-ransomware task force to become active in January - CyberScoop

• Fool Me Thrice? How to Avoid Double and Triple Ransomware Extortion (darkreading.com)

• Rackspace criticized for PR response to ransomware attack (expressnews.com)

• After ransomware hits Colombian energy firm, Moody’s says low patch rate suggests inadequacies in cyber practices | SC Media (scmagazine.com)

• Ransomware, DDoS see major upsurge led by upstart hacker group (techrepublic.com)

• 6 Ways to Protect Your Organisation Against LAPSUS$ (darkreading.com)

• Your business should compensate for modern ransomware capabilities right now | VentureBeat

• Vice Society Adds Custom-branded Payload PolyVice to its Arsenal | Cyware Alerts - Hacker News

• Hackers stole data from multiple electric utilities in recent ransomware attack | CNN Politics

• Ransomware attack at Louisiana hospital impacts 270,000 patients (bleepingcomputer.com)

• The mounting death toll of hospital cyber attacks - POLITICO

• Royal ransomware claims attack on Intrado telecom provider (bleepingcomputer.com)

• Healthcare Providers and Hospitals Under Ransomware's Siege (darkreading.com)

• 2023 Predictions: Expect More Supply Chain Attacks, Ransomware-as-a-Service Kits in 2023 - MSSP Alert

• Guardian Australia staff sent home after cyber attack takes out systems (theage.com.au)

• Queensland University hit by cyber attack | PerthNow

• Dumfries Arnold Clark garages hit by company-wide cyber attack - Daily Record

• Ransom Deadline Given By LockBit In Port Of Lisbon Attack (informationsecuritybuzz.com)

Phishing & Email Based Attacks

• Reported phishing attacks have quintupled - Help Net Security

• 6 Ways to Protect Your Organisation Against LAPSUS$ (darkreading.com)

Other Social Engineering; Smishing, Vishing, etc

• Linkedin Is Full Of Job Scams – Be Careful Out There (informationsecuritybuzz.com)

Malware

• GuLoader implements new evasion techniques - Security Affairs

• PrivateLoader PPI Service Found Distributing Info-Stealing RisePro Malware (thehackernews.com)

• 2022 sees over 5000 times new Windows malware vs macOS, over 60 times vs Linux - Neowin

• APT Hackers Turn to Malicious Excel Add-ins as Initial Intrusion Vector (thehackernews.com)

• New information-stealing malware is being spread by fake pirate sites | TechSpot

Mobile

• Hackers steal $8 million from users running trojanized BitKeep apps (bleepingcomputer.com)

• EarSpy: Spying on Phone Calls via Ear Speaker Vibrations Captured by Accelerometer | SecurityWeek.Com

Denial of Service/DoS/DDOS

• Cyber criminals create new methods to evade legacy DDoS defences - Help Net Security

Internet of Things – IoT

• Anker admits Eufy camera security issues | TechRadar

• Smart Home Cyber security Hubs: Protecting Endpoints in Your Smarthome (compuquip.com)

• Google Home speakers allowed hackers to snoop on conversations (bleepingcomputer.com)

Data Breaches/Leaks

• BetMGM discloses security breach impacting 1.5 Million customers - Security Affairs

• Massive Twitter data leak investigated by EU privacy watchdog (bleepingcomputer.com)

• LastPass finally admits: Those crooks who got in? They did steal your password vaults, after all… – Naked Security (sophos.com)

• Massive EDiscovery Provider Shut Down Over 'Unauthorized Access' - Above the LawAbove the Law

• Data of 400 Million Twitter users up for sale - Security Affairs

• Ten significant data breaches from 2022 (smartermsp.com)

• It’s all in the (lack of) details: 2022’s badly handled data breaches | TechCrunch

• Military device with biometric database of 2K people sold on eBay for $68 | Ars Technica

Organised Crime & Criminal Actors

• 'Cyber crime has surpassed drug trafficking' - Rediff.com India News

• Labour attacks delays to online safety bill as it highlights Christmas scams | Cyber crime | The Guardian

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

• FTX collapse shows crypto is 'too dangerous' not to regulate, Bank of England deputy governor says | Business News | Sky News

• How ‘brazen’ multibillion-dollar crypto fraud fell to pieces | Business | The Times

• BTC.com lost $3 million worth of cryptocurrency in cyber attack (bleepingcomputer.com)

• Hackers steal $8 million from users running trojanized BitKeep apps (bleepingcomputer.com)

• Bitcoin Mining Pool Btc.com Suffers $3 Million Cyber attack – Mining Bitcoin News

• Crypto wallet BitKeep lost over $9M over a cyber attack - Security Affairs

• Case for blockchain in financial services dented by failures | Financial Times (ft.com)

• Digital Assets Of $9.9 Million Stolen In BitKeep Cyber Attack (informationsecuritybuzz.com)

• Crypto platform 3Commas admits hackers stole API keys (bleepingcomputer.com)

Fraud, Scams & Financial Crime

• Linkedin Is Full Of Job Scams – Be Careful Out There (informationsecuritybuzz.com)

• Scam complaints from Revolut users more than double since 2020 (telegraph.co.uk)

• Labour attacks delays to online safety bill as it highlights Christmas scams | Cyber crime | The Guardian

• Fraudsters’ working patterns have changed in recent years - Help Net Security

• Experts warn of attacks exploiting WordPress gift card plugin - Security Affairs

• North Korean Hackers Created 70 Fake Bank, Venture Capital Firm Domains | SecurityWeek.Com

• Ukraine shuts down fraudulent call center claiming 18,000 victims (bleepingcomputer.com)

Insurance

• Zurich chief warned that cyber attacks will become uninsurable - Security Affairs

Supply Chain and Third Parties

• 2023 Predictions: Expect More Supply Chain Attacks, Ransomware-as-a-Service Kits in 2023 - MSSP Alert

Software Supply Chain

• Why Attackers Target GitHub, and How You Can Secure It (darkreading.com)

• Improving Software Supply Chain Cyber security (trendmicro.com)

Cloud/SaaS

• Google: With Cloud Comes APIs & Security Headaches (darkreading.com)

Identity and Access Management

• Enterprises waste money on identity tools they don't use - Help Net Security

• Steps To Planning And Implementation Of PAM Solutions (informationsecuritybuzz.com)

Encryption

• US passes the Quantum Computing Cybersecurity Preparedness Act – and why not? – Naked Security (sophos.com)

API

• Crypto platform 3Commas admits hackers stole API keys (bleepingcomputer.com)

• Google: With Cloud Comes APIs & Security Headaches (darkreading.com)

Passwords, Credential Stuffing & Brute Force Attacks

• Extracting Encrypted Credentials From Common Tools (darkreading.com)

Biometrics

• Military device with biometric database of 2K people sold on eBay for $68 | Ars Technica

Social Media

• TikTok User Data Has Been Compromised (giantfreakinrobot.com)

• Elon Musk ‘orders Twitter to remove suicide prevention feature’ | Twitter | The Guardian

• Massive Twitter data leak investigated by EU privacy watchdog (bleepingcomputer.com)

• TikTok parent company ByteDance revealed the use of TikTok data to track journalists - Security Affairs

• Meta settles Cambridge Analytica scandal case for $725m - BBC News

• TikTok bans haven't really banned much of anything - The Washington Post

• Twitter restores suicide prevention feature | Twitter | The Guardian

• Data of 400 Million Twitter users up for sale - Security Affairs

• Hacker claims to be selling Twitter data of 400 million users (bleepingcomputer.com)

• Piers Morgan’s Twitter account abuses queen and Ed Sheeran in apparent hack | Piers Morgan | The Guardian

• US House boots TikTok from government phones • The Register

Malvertising

• Hackers abuse Google Ads to spread malware in legit software (bleepingcomputer.com)

• Cyber criminals using search engine ads to direct users to sites with malware, FBI warns | SC Media (scmagazine.com)

Privacy

• The Threat of Predictive Policing to Data Privacy and Personal Liberty (darkreading.com)

Regulations, Fines and Legislation

• FTX collapse shows crypto is 'too dangerous' not to regulate, Bank of England deputy governor says | Business News | Sky News

• US passes the Quantum Computing Cybersecurity Preparedness Act – and why not? – Naked Security (sophos.com)

Governance, Risk and Compliance

• IBM and 70 Global Banks Co-Create New Cyber security, Risk Framework (accelerationeconomy.com)

• Economic uncertainty compels IT leaders to rethink their strategy - Help Net Security

• 3 important changes in how data will be used and treated - Help Net Security

• 2022 Top Five Immediate Threats in Geopolitical Context (thehackernews.com)

Secure Disposal

• For Sale on eBay: A Military Database of Fingerprints and Iris Scans - The New York Times (nytimes.com)

Careers, Working in Cyber and Information Security

• How to Get Your First Job in InfoSec (freecodecamp.org)

• IT Jobs: How To Become An Information Security Analyst (informationsecuritybuzz.com)

• ‘There's a career in cyber security for everyone,’ Microsoft Security CVP says | Fortune

Law Enforcement Action and Take Downs

• Ukraine shuts down fraudulent call centre claiming 18,000 victims (bleepingcomputer.com)

Privacy, Surveillance and Mass Monitoring

• Google Home speakers allowed hackers to snoop on conversations (bleepingcomputer.com)

• Police in China can track protests by enabling ‘alarms’ on Hikvision software | China | The Guardian

• The Threat of Predictive Policing to Data Privacy and Personal Liberty (darkreading.com)

• Meta settles Cambridge Analytica scandal case for $725m - BBC News

• 78% of Employers Are Using Remote Work Tools to Spy on You (entrepreneur.com)

• Germany: Police surveillance software a legal headache – DW – 12/22/2022

Artificial Intelligence

• Code-generating AI can introduce security vulnerabilities, study finds | TechCrunch

• AI cyber attacks are a ‘critical threat’. This is how NATO is countering them | Euronews

Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine

• 2022 Top Five Immediate Threats in Geopolitical Context (thehackernews.com)

• Ukraine marks a turning point for cyberwarfare – POLITICO

• Russia’s Cyberwar Foreshadowed Deadly Attacks on Civilians | WIRED

• Hacktivism Is Back and Messier Than Ever | WIRED

• Hundreds of Russian cyber attacks on CHPPs, regional power plants prevented - SBU

• Ukrainian Hackers Gather Data on Russian Soldiers, Minister Says - Bloomberg

• North Korean hackers targeted nearly 1,000 South Korean foreign policy experts

• German double agent ‘passed Ukraine intelligence to Russia’ (telegraph.co.uk)

Nation State Actors

Nation State Actors – Russia

• Hundreds of Russian cyber attacks on CHPPs, regional power plants prevented - SBU

• Russian mobile calls, internet seen deteriorating after Nokia, Ericsson leave – EURACTIV.com

Nation State Actors – China

• US House boots TikTok from government phones • The Register

• Police in China can track protests by enabling ‘alarms’ on Hikvision software | China | The Guardian

• Chinese-backed company instructs US law firm after UK blocked microchip factory takeover (telegraph.co.uk)

Nation State Actors – North Korea

• BlueNoroff APT Hackers Using New Ways to Bypass Windows MotW Protection (thehackernews.com)

• North Korean Hackers Created 70 Fake Bank, Venture Capital Firm Domains | SecurityWeek.Com

• North Korean hacking outfit impersonating venture capital firms | SC Media (scmagazine.com)

• North Korean hackers targeted nearly 1,000 South Korean foreign policy experts

Nation State Actors – Iran

• An Iranian group hacked Israeli CCTV cameras, defence was aware but didn’t block it - Security Affairs

Nation State Actors – Misc

• APT Hackers Turn to Malicious Excel Add-ins as Initial Intrusion Vector (thehackernews.com)

Vulnerability Management

• Log4Shell remains a big threat and a common cause for security breaches | CSO Online

• After ransomware hits Colombian energy firm, Moody’s says low patch rate suggests inadequacies in cyber practices | SC Media (scmagazine.com)

Vulnerabilities

• Patch now: Serious Linux kernel security hole uncovered | ZDNET

• Microsoft Patches Azure Cross-Tenant Data Access Flaw | SecurityWeek.Com

• Critical Linux Kernel flaw affects SMB servers with ksmbd enabled - Security Affairs

• Critical “10-out-of-10” Linux kernel SMB hole – should you worry? – Naked Security (sophos.com)

• Log4Shell remains a big threat and a common cause for security breaches | CSO Online

• Thousands of Citrix servers vulnerable to patched critical flaws (bleepingcomputer.com)

• Netgear warns users to patch recently fixed WiFi router bug (bleepingcomputer.com)

• CISA Warns of Active exploitation of JasperReports Vulnerabilities (thehackernews.com)

• Several DoS, Code Execution Vulnerabilities Found in Rockwell Automation Controllers | SecurityWeek.Com

Tools and Controls

• Understanding current XDR elements and options | TechTarget

Other News

• Cyber crime Top 10 Rankings: China is No. 1 While US Records Highest Rate of Security Breaches - MSSP Alert

• AI cyber attacks are a ‘critical threat’. This is how NATO is countering them | Euronews

• Review: 10 Biggest Hacks And Cyber Security Threats Of 2022 (informationsecuritybuzz.com)

• Modern technology and cyber recovery will intersect in the next generation of attacks - Help Net Security

• New information-stealing malware is being spread by fake pirate sites | TechSpot

•  Ten significant data breaches from 2022 (smartermsp.com)

• Trend Micro: Expect 2023 to Bring Uncertainty to Cyber Attackers and Defenders - MSSP Alert

• After the Uber Breach: 3 Questions All CISOs Should Ask Themselves (darkreading.com)

• Top 10 Cyber Security Predictions For 2023 Based On Expert Responses (informationsecuritybuzz.com)

• The Five Stories That Shaped Cyber security in 2022 | SecurityWeek.Com

Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

·       Automotive

·       Construction

·       Critical National Infrastructure (CNI)

·       Defence & Space

·       Education & Academia

·       Energy & Utilities

·       Estate Agencies

·       Financial Services

·       FinTech

·       Food & Agriculture

·       Gaming & Gambling

·       Government & Public Sector (including Law Enforcement)

·       Health/Medical/Pharma

·       Hotels & Hospitality

·       Insurance

·       Legal

·       Manufacturing

·       Maritime

·       Oil, Gas & Mining

·       OT, ICS, IIoT, SCADA & Cyber-Physical Systems

·       Retail & eCommerce

·       Small and Medium Sized Businesses (SMBs)

·       Startups

·       Telecoms

·       Third Sector & Charities

·       Transport & Aviation

·       Web3

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

• LastPass Admits Attackers have an Encrypted Copy of Customers’ Password Vaults 

Password locker LastPass has warned customers that the August 2022 attack on its systems saw unknown parties copy encrypted files that contain the passwords to their accounts.

In a December 22nd update to its advice about the incident, LastPass brings customers up to date by explaining that in the August 2022 attack “some source code and technical information were stolen from our development environment and used to target another employee, obtaining credentials and keys which were used to access and decrypt some storage volumes within the cloud-based storage service.” Those creds allowed the attacker to copy information “that contained basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service.”

The update reveals that the attacker also copied “customer vault” data, the file LastPass uses to let customers record their passwords. That file “is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data.” The passwords are encrypted with “256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password”.

LastPass’ advice is that even though attackers have that file, customers who use its default settings have nothing to do as a result of this update as “it would take millions of years to guess your master password using generally-available password-cracking technology.” One of those default settings is not to re-use the master password that is required to log into LastPass. The outfit suggests you make it a complex credential and use that password for just one thing: accessing LastPass.

LastPass therefore offered the following advice to individual and business users: If your master password does not make use of the defaults above, then it would significantly reduce the number of attempts needed to guess it correctly. In this case, as an extra security measure, you should consider minimising risk by changing passwords of websites you have stored.

LastPass’s update concludes with news it decommissioned the systems breached in August 2022 and has built new infrastructure that adds extra protections.

https://www.theregister.com/2022/12/23/lastpass_attack_update/

• Ransomware Attacks Increased 41% In November

Ransomware attacks rose 41% last month as groups shifted among the top spots and increasingly leveraged DDoS attacks, according to new research from NCC Group.

A common thread of NCC Group's November Threat Pulse was a "month full of surprises," particularly related to unexpected shifts in threat actor behaviour. The Cuba ransomware gang resurged with its highest number of attacks recorded by NCC Group. Royal replaced LockBit 3.0 as the most active strain, a first since September of last year.

These factors and more contributed to the significant jump in November attacks, which rose from 188 in October to 265.

"For 2022, this increase represents the most reported incidents in one month since that of April, when there were 289 incidents, and is also the largest month-on-month increase since June-July's marginally larger increase of 47%," NCC Group wrote in the report.

Operators behind Royal ransomware, a strain that emerged earlier this year that operates without affiliates and utilises intermittent encryption to evade detection, surpassed LockBit 3.0 for the number one spot, accounting for 16% of hack and leak incidents last month.

https://www.techtarget.com/searchsecurity/news/252528505/NCC-Group-Ransomware-attacks-increased-41-in-November

• The Risk of Escalation from Cyber Attacks Has Never Been Greater

In 2022, an American dressed in his pyjamas took down North Korea’s Internet from his living room. Fortunately, there was no reprisal against the United States. But Kim Jong Un and his generals must have weighed retaliation and asked themselves whether the so-called independent hacker was a front for a planned and official American attack.

In 2023, the world might not get so lucky. There will almost certainly be a major cyber attack. It could shut down Taiwan’s airports and trains, paralyse British military computers, or swing a US election. This is terrifying, because each time this happens, there is a small risk that the aggrieved side will respond aggressively, maybe at the wrong party, and (worst of all) even if it carries the risk of nuclear escalation.

This is because cyber weapons are different from conventional ones. They are cheaper to design and wield. That means great powers, middle powers, and pariah states can all develop and use them.

More important, missiles come with a return address, but virtual attacks do not. Suppose in 2023, in the coldest weeks of winter, a virus shuts down American or European oil pipelines. It has all the markings of a Russian attack, but intelligence experts warn it could be a Chinese assault in disguise. Others see hints of the Iranian Revolutionary Guard. No one knows for sure. Presidents Biden and Macron have to decide whether to retaliate at all, and if so, against whom … Russia? China? Iran? It's a gamble, and they could get unlucky.

Neither country wants to start a conventional war with one another, let alone a nuclear one. Conflict is so ruinous that most enemies prefer to loathe one another in peace. During the Cold War, the prospect of mutual destruction was a huge deterrent to any great power war. There were almost no circumstances in which it made sense to initiate an attack. But cyber warfare changes that conventional strategic calculus. The attribution problem introduces an immense amount of uncertainty, complicating the decision our leaders have to make.

https://arstechnica.com/information-technology/2022/12/the-risk-of-escalation-from-cyberattacks-has-never-been-greater/

• FBI Recommends Ad Blockers as Cyber Criminals Impersonate Brands in Search Engine Ads

The Federal Bureau of Investigation (FBI) this week raised the alarm on cyber criminals impersonating brands in advertisements that appear in search engine results. The agency has advised consumers to use ad blockers to protect themselves from such threats.

The attackers register domains similar to those of legitimate businesses or services, and use those domains to purchase ads from search engine advertisement services, the FBI says in an alert. These nefarious ads are displayed at the top of the web page when the user searches for that business or service, and the user might mistake them for an actual search result.

Links included in these ads take users to pages that are identical to the official web pages of the impersonated businesses, the FBI explains. If the user searches for an application, they are taken to a fake web page that uses the real name of the program the user searches for, and which contains a link to download software that is, in fact, malware.

“These advertisements have also been used to impersonate websites involved in finances, particularly cryptocurrency exchange platforms,” the FBI notes. Seemingly legitimate exchange platforms, the malicious sites prompt users to provide their login and financial information, which the cyber criminals then use to steal the victim’s funds.

“While search engine advertisements are not malicious in nature, it is important to practice caution when accessing a web page through an advertised link,” the FBI says.

Businesses are advised to use domain protection services to be notified of domain spoofing, and to educate users about spoofed websites and on how to find legitimate downloads for the company’s software.

Users are advised to check URLs to make sure they access authentic websites, to type a business’ URL into the browser instead of searching for that business, and to use ad blockers when performing internet searches. Ad blockers can have a negative impact on the revenues of online businesses and advertisers, but they can be good for online security, and even the NSA and CIA are reportedly using them.

https://www.securityweek.com/fbi-recommends-ad-blockers-cybercriminals-impersonate-brands-search-engine-ads

• North Korea-Linked Hackers Stole $626 Million in Virtual Assets in 2022

South Korea’s spy agency, the National Intelligence Service, estimated that North Korea-linked threat actors have stolen an estimated 1.5 trillion won ($1.2 billion) in cryptocurrency and other virtual assets in the past five years.

According to the spy agency, more than half the crypto assets (about 800 billion won ($626 million)) have been stolen this year alone, reported the Associated Press. The Government of Pyongyang focuses on crypto hacking to fund its military program following harsh UN sanctions.

“South Korea’s main spy agency, the National Intelligence Service, said North Korea’s capacity to steal digital assets is considered among the best in the world because of the country’s focus on cyber crimes since UN economic sanctions were toughened in 2017 in response to its nuclear and missile tests.” reported the AP agency. North Korea cannot export its products due to the UN sanctions imposed in 2016 and 1017, and the impact on its economy is dramatic.

The NIS added that more than 100 billion won ($78 million) of the total stolen funds came from South Korea. Cyber security and intelligence experts believe that attacks aimed at the cryptocurrency industry will continue to increase next year. National Intelligence Service experts believe that North Korea-linked APT groups will focus on the theft of South Korean technologies and confidential information on South Korean foreign policy and national security.

Data published by the National Intelligence Service agency confirms a report published by South Korean media outlet Chosun early this year that revealed North Korean threat actors have stolen around $1.7 billion (2 trillion won) worth of cryptocurrency from multiple exchanges during the past five years.

https://securityaffairs.co/wordpress/139909/intelligence/north-korea-cryptocurrency-theft.html

• UK Security Agency Wants Fresh Approach to Combat Phishing

The UK National Cyber Security Centre (NCSC) has called for a defence-in-depth approach to help mitigate the impact of phishing, combining technical controls with a strong reporting culture.

Writing in the agency’s blog, technical director and principal architect, “Dave C,” argued that many of the well-established tenets of anti-phishing advice simply don’t work. For example, advising users not to click on links in unsolicited emails is not helpful when many need to do exactly that as part of their job.

This is often combined with a culture where users are afraid to report that they’ve accidentally clicked, which can delay incident response, he said. It’s not the user’s responsibility to spot a phish – rather, it’s their organisation’s responsibility to protect them from such threats, Dave C argued.

As such, they should build layered technical defences, consisting of email scanning and DMARC/SPF policies to prevent phishing emails from arriving into inboxes. Then, organisations should consider the following to prevent code from executing:

• Allow-listing for executables

• Registry settings changes to ensure dangerous scripting or file types are opened in Notepad and not executed

• Disabling the mounting of .iso files on user endpoints

• Making sure macro settings are locked down

• Enabling attack surface reduction rules

• Ensuring third-party software is up to date

• Keeping up to date about current threats

Additionally, organisations should take steps such as DNS filtering to block suspicious connections and endpoint detection and response (EDR) to monitor for suspicious behaviour, the NCSC advised.

https://www.infosecurity-magazine.com/news/uk-security-agency-combat-phishing/

• GodFather Android malware targets 400 banks, crypto exchanges

An Android banking malware named 'Godfather' has been targeting users in 16 countries, attempting to steal account credentials for over 400 online banking sites and cryptocurrency exchanges.

The malware generates login screens overlaid on top of the banking and crypto exchange apps' login forms when victims attempt to log into the site, tricking the user into entering their credentials on well-crafted HTML phishing pages.

The Godfather trojan was discovered by Group-IB analysts, who believe it is the successor of Anubis, a once widely-used banking trojan that gradually fell out of use due to its inability to bypass newer Android defences. ThreatFabric first discovered Godfather in March 2021, but it has undergone massive code upgrades and improvements since then.

Also, Cyble published a report yesterday highlighting a rise in the activity of Godfather, pushing an app that mimics a popular music tool in Turkey, downloaded 10 million times via Google Play. Group-IB has found a limited distribution of the malware in apps on the Google Play Store; however, the main distribution channels haven't been discovered, so the initial infection method is largely unknown.

Almost half of all apps targeted by Godfather, 215, are banking apps, and most of them are in the United States (49), Turkey (31), Spain (30), Canada (22), France (20), Germany (19), and the UK (17).

Apart from banking apps, Godfather targets 110 cryptocurrency exchange platforms and 94 cryptocurrency wallet apps.

https://www.bleepingcomputer.com/news/security/godfather-android-malware-targets-400-banks-crypto-exchanges/

• Companies Overwhelmed by Available Tech Solutions

92% of executives reported challenges in acquiring new tech solutions, highlighting the complexities that go into the decision-making process, according to GlobalDots.

Moreover, some 34% of respondents said the overwhelming amount of options was a challenge when deciding on the right solutions, and 33% admitted the time needed to conduct research was another challenge in deciding.

Organisations of all varieties rely on technology more than ever before. The constant adoption of innovation is no longer a luxury but rather a necessity to stay on par in today’s fast-paced and competitive digital landscape. In this environment, IT and security leaders are coming under increased pressure to show ROIs from their investment in technology while balancing operational excellence with business innovation. Due to current market realities, IT teams are short-staffed and suffering from a lack of time and expertise, making navigating these challenges even more difficult.

The report investigated how organisations went about finding support for their purchasing decisions. Conferences, exhibitions, and online events served as companies’ top source of information for making purchasing decisions, at 52%. Third-party solutions, such as value-added resellers and consultancies, came in second place at 48%.

54% are already using third parties to purchase, implement, or support their solutions, highlighting the value that dedicated experts with in-depth knowledge of every solution across a wide range of IT fields provide.

We are living in an age of abundance when it comes to tech solutions for organisations, and this makes researching and purchasing the right solutions for your organisation extremely challenging.

https://www.helpnetsecurity.com/2022/12/20/tech-purchasing-decisions/

• Nine in 10 Third-party Contractors, Freelancers Use Personal, Unmanaged Devices Likely to be Infected

Talon Cyber Security surveyed 258 third-party providers to better understand the state of third-party working conditions, including work models, types of devices and security technologies used, potentially risky actions taken, and how security and IT tools impact productivity.

Looking at recent high-profile breaches, third parties have consistently been at the epicenter, so they took a step back with their research to better understand the potential root causes. The findings paint a picture of a third-party work landscape where individuals are consistently working from personal, unmanaged devices, conducting risky activities, and having their productivity impacted by legacy security and IT solutions.

Here’s what Talon discovered:

• Most third parties (89%) work from personal, unmanaged devices, where organisations lack visibility and cannot enforce the enterprise’s security posture on. Talon pointed to a Microsoft data point that estimated users are 71% more likely to be infected on an unmanaged device.

• With third parties working from personal devices, they tend to carry out personal, potentially risky tasks. Respondents note that at least on occasion, they have used their devices to:

  • Browse the internet for personal needs (76%)

  • Indulge in online shopping (71%)

  • Check personal email (75%)

  • Save weak passwords in the web browser (61%)

  • Play games (53%)

  • Allow family members to browse (36%)

  • Share passwords with co-workers (24%)

• Legacy apps such as Virtual Desktop Infrastructure (VDI) and Desktop-as-a-Service (DaaS) solutions are prominent, with 45% of respondents using such technologies while working for organisations.

https://www.msspalert.com/cybersecurity-research/nine-in-10-third-party-contractors-freelancers-use-personal-unmanaged-devices-likely-to-be-infected/

• UK Privacy Regulator Names and Shames Breached Firms

The UK Information Commissioner’s Office (ICO) has taken the unusual step of publishing details of personal data breaches, complaints and civil investigations on its website, according to legal experts.

The data, available from Q4 2021 onwards, includes the organisation’s name and sector, the relevant legislation and the type of issues involved, the date of completion and the outcome.

Given the significance of this development, it’s surprising that the ICO has (1) chosen to release it with limited fanfare, and (2) buried the data sets on its website. Indeed, it seems to have flown almost entirely under the radar.

Understanding whether their breach or complaint will be publicised by European regulators is one of – if not the – main concern that organisations have when working through an incident, and the answer has usually been no. That is particularly the understanding or assumption where the breach or complaint is closed without regulatory enforcement. Now, at least in the UK, the era of relative anonymity looks to be over.

Despite the lack of fanfare around the announcement, this naming and shaming approach could make the ICO one of the more aggressive privacy regulators in Europe. In the future, claimant firms in class action lawsuits may adopt “US-style practices” of scanning the ICO database to find evidence of repeat offending or possible new cases.

The news comes even as data reveals the value of ICO fines issued in the past year tripled from the previous 12 months. In the year ending October 31 2022, the regulator issued fines worth £15.2m, up from £4.8m the previous year. The sharp increase in the value of fines shows the ICO’s increasing willingness selectively to crack down on businesses – particularly those that the ICO perceives has not taken adequate measures to protect customer and employee data.

https://www.infosecurity-magazine.com/news/uk-privacy-regulator-names-and/

Threats

Ransomware, Extortion and Destructive Attacks

• 20 companies affected by major ransomware attacks in 2021 | TechTarget

• NCC Group: Ransomware attacks increased 41% in November | TechTarget

• Conti Team One Splinter Group Resurfaces as Royal Ransomware with Callback Phishing Attacks (trendmicro.com)

• Adversarial risk in the age of ransomware - Help Net Security

• Guardian newspaper hit by suspected ransomware attack, staff told not to come to office - The Record by Recorded Future

• FIN7 hackers create auto-attack platform to breach Exchange servers (bleepingcomputer.com)

• New Agenda Ransomware Variant, Written in Rust, Aiming at Critical Infrastructure (thehackernews.com)

• Ransomware Groups to Increase Zero-Day Exploit-Based Access Methods in the Future - Infosecurity Magazine (infosecurity-magazine.com)

• Ransomware Uses New Exploit to Bypass ProxyNotShell Mitigations | SecurityWeek.Com

• New Microsoft Exchange exploit chain lets ransomware attackers in (CVE-2022-41080) - Help Net Security

• British newspaper The Guardian says it’s been hit by ransomware | TechCrunch

• Play ransomware actors bypass ProxyNotShell mitigations | TechTarget

• Preventing Cryptocurrency Cyber Extortion (trendmicro.com)

• FIN7 Cyber crime Syndicate Emerges as Major Player in Ransomware Landscape (thehackernews.com)

• Vice Society ransomware gang is using a custom locker - Security Affairs

• NIO suffers user data breach, hacker demands $2.25 million worth of bitcoin - CnEVPost

• German industrial giant ThyssenKrupp targeted in a cyber attack - Security Affairs

• Paying Ransom: Why Manufacturers Shell Out to Cyber criminals (darkreading.com)

• France Seeks to Protect Hospitals After Series of Cyber attacks | SecurityWeek.Com

• Fire and rescue service in Victoria, Australia, confirms cyber attack - Security Affairs

• Ransomware hits Leiden University - Techzine Europe

• Play Ransomware Gang Lay Claims For Cyber Attack On H-Hotels (informationsecuritybuzz.com)

• Evolving threats and broadening responses to Ransomware in the UAE - Security Boulevard

• Cyber Incident Causes System Failures at Canadian Children’s Hospital - Infosecurity Magazine (infosecurity-magazine.com)

Phishing & Email Based Attacks

• Five Best Practices for Consumers to Beat Phishing Campaigns This Holiday Season - CPO Magazine

• Hackers continue to exploit hijacked MailChimp accounts in cyber crime campaigns (bitdefender.com)

• Holiday Spam, Phishing Campaigns Challenge Retailers (darkreading.com)

• Email hijackers scam food out of businesses, not just money • The Register

• Telling users to ‘avoid clicking bad links’ still isn’t working - NCSC.GOV.UK

• UK Security Agency Calls for Fresh Approach to Combat Phishing - Infosecurity Magazine (infosecurity-magazine.com)

• “Suspicious login” scammers up their game – take care at Christmas – Naked Security (sophos.com)

• Simple Steps to Avoid Phishing Attacks During This Festive season | Tripwire

• Web3 IPFS Currently Used For Phishing (trendmicro.com)

BEC – Business Email Compromise

• Telling users to ‘avoid clicking bad links’ still isn’t working - NCSC.GOV.UK

• What happens once scammers receive funds from their victims - Help Net Security

Other Social Engineering; Smishing, Vishing, etc

• Amplified security trends to watch out for in 2023 - Help Net Security

2FA/MFA

• Why Security Teams Shouldn't Snooze on MFA Fatigue (darkreading.com)

• Comcast Xfinity accounts hacked in widespread 2FA bypass attacks (bleepingcomputer.com)

Malware

• DarkTortilla malware spreads on phishing sites masquerading as legitimate domains | SC Media (scmagazine.com)

• Malicious ‘SentinelOne’ PyPI package steals data from developers (bleepingcomputer.com)

• Glupteba Botnet Continues to Thrive Despite Google's Attempts to Disrupt It (thehackernews.com)

• Ukraine's DELTA military system users targeted by info-stealing malware (bleepingcomputer.com)

• Sophisticated DarkTortilla Malware Serves Imposter Cisco, Grammarly Pages (darkreading.com)

• Trojanized Windows 10 installers compromised the Ukrainian government | SC Media (scmagazine.com)

• Raspberry Robin Worm Targets Telcos & Governments (darkreading.com)

• Detecting Windows AMSI Bypass Techniques (trendmicro.com)

• Raspberry Robin worm drops fake malware to confuse researchers (bleepingcomputer.com)

• Number of command-and-control servers spiked in 2022: report - The Record by Recorded Future

Mobile

• GodFather Android malware targets 400 banks, crypto exchanges (bleepingcomputer.com)

• Godfather makes banking apps an offer they can’t refuse • The Register

• Beware: Cyber criminals Launch New BrasDex Android Trojan Targeting Brazilian Banking Users (thehackernews.com)

• T-Mobile hacker gets 10 years for $25 million phone unlock scheme (bleepingcomputer.com)

Botnets

• Glupteba Botnet Continues to Thrive Despite Google's Attempts to Disrupt It (thehackernews.com)

• Zerobot malware now spreads by exploiting Apache vulnerabilities (bleepingcomputer.com)

• Flaws within IoT devices exploited by the Zerobot botnet (izoologic.com)

• Zerobot Adds Brute Force, DDoS to Its IoT Attack Arsenal (darkreading.com)

Denial of Service/DoS/DDOS

• How AI/ML Can Thwart DDoS Attacks (darkreading.com)

• DDoS Attacks are Slowly Growing in the Technology Era (analyticsinsight.net)

• Zerobot Adds Brute Force, DDoS to Its IoT Attack Arsenal (darkreading.com)

BYOD

• Nine in 10 Third-party Contractors, Freelancers Use Personal, Unmanaged Devices Likely to be Infected - MSSP Alert

Internet of Things – IoT

• Millions of IP cameras around the world are unprotected | TechRadar

• Zerobot Adds Brute Force, DDoS to Its IoT Attack Arsenal (darkreading.com)

• Eufy has removed privacy-focused language from its website amid ongoing security camera fiasco (androidpolice.com)

• Throw away all your Eufy cameras right now | Android Central

• Read what Anker’s customer support is telling worried Eufy camera owners - The Verge

• Amazon Ring Cameras Used in Nationwide ‘Swatting’ Spree, US Says - Bloomberg

• Connected homes are expanding, so is attack volume - Help Net Security

• Security Risks, Serious Vulnerabilities Rampant Among XIoT Devices in the Workplace - CPO Magazine

• Researchers Develop AI-powered Malware Classification for 5G-enabled IIoT - Infosecurity Magazine (infosecurity-magazine.com)

Data Breaches/Leaks

• LastPass users: Your info and password vault data are now in hackers’ hands | Ars Technica

• Okta's source code stolen after GitHub repositories hacked (bleepingcomputer.com)

• McGraw Hill's S3 buckets exposed 100,000 students' grades • The Register

• NIO suffers user data breach, hacker demands $2.25 million worth of bitcoin - CnEVPost

• Notice of Recent Security Incident - The LastPass Blog

• Shoemaker Ecco leaks over 60GB of sensitive data for 500+ days - Security Affairs

• Restaurant CRM platform ‘SevenRooms’ confirms breach after data for sale (bleepingcomputer.com)

• Leading sports betting firm BetMGM discloses data breach (bleepingcomputer.com)

• MP blasts water firm over cyber attack that saw customers' details leaked to dark web - Staffordshire Live (staffordshire-live.co.uk)

Organised Crime & Criminal Actors

• 'Russian hackers' help two New York men game JFK taxi system - CyberScoop

• Hackers Mined a Single Software Flaw for a Year in NY Cyber attack - The New York Times (nytimes.com)

• What happens once scammers receive funds from their victims - Help Net Security

• [FIN7] Fin7 Unveiled: A deep dive into notorious cyber crime gang - PRODAFT

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

• Microsoft bans cryptomining in Azure | TechRadar

• FTX's alleged run-of-the-mill frauds depended entirely on crypto (yahoo.com)

• GodFather Android malware targets 400 banks, crypto exchanges (bleepingcomputer.com)

• Preventing Cryptocurrency Cyber Extortion (trendmicro.com)

• Two associates of Sam Bankman-Fried plead guilty to fraud charges in FTX fall | FTX | The Guardian

• North Korea-linked hackers stole $626M in virtual assets in 2022 - Security Affairs

Insider Risk and Insider Threats

• Amplified security trends to watch out for in 2023 - Help Net Security

Fraud, Scams & Financial Crime

• FTX's alleged run-of-the-mill frauds depended entirely on crypto (yahoo.com)

• “Suspicious login” scammers up their game – take care at Christmas – Naked Security (sophos.com)

• Fraudulent ‘popunder’ Google Ad campaign generated millions of dollars • The Register

• Over 67,000 DraftKings Betting Accounts Hit by Hackers (gizmodo.com)

• What happens once scammers receive funds from their victims - Help Net Security

• T-Mobile hacker gets 10 years for $25 million phone unlock scheme (bleepingcomputer.com)

• Google Ad fraud campaign used adult content to make millions (bleepingcomputer.com)

• Two associates of Sam Bankman-Fried plead guilty to fraud charges in FTX fall | FTX | The Guardian

• Inside The Next-Level Fraud Ring Scamming Billions Off Holiday Retailers (darkreading.com)

Supply Chain and Third Parties

• teiss - Supply Chain Security - Hacking the supply chain

• Supply Chain Risks Got You Down? Keep Calm and Get Strategic! (darkreading.com)

Cloud/SaaS

• Microsoft bans cryptomining in Azure | TechRadar

• McGraw Hill's S3 buckets exposed 100,000 students' grades • The Register

• AWS simplifies Simple Storage Service to prevent data leaks • The Register

• Organisations Warned of New Attack Vector in Amazon Web Services - Infosecurity Magazine (infosecurity-magazine.com)

• New Brand of Security Threats Surface in the Cloud (darkreading.com)

• Google WordPress Plug-in Bug Allows AWS Metadata Theft (darkreading.com)

• Dealing with cloud security shortfalls - Help Net Security

• It’s time to fill those cloud security gaps • The Register

• Security on a Shoestring? Cloud, Consolidation Best Bets for Businesses (darkreading.com)

Hybrid/Remote Working

• Remote Workers Are Blowing the Whistle, Employees Exposing Companies

Attack Surface Management

• Nine in 10 Third-party Contractors, Freelancers Use Personal, Unmanaged Devices Likely to be Infected - MSSP Alert

Encryption

• Biden Signs Post-Quantum Cyber security Guidelines Into Law (darkreading.com)

API

• APIs are placing your enterprise at risk - Help Net Security

Open Source

• Open source vulnerabilities add to security debt - Help Net Security

Passwords, Credential Stuffing & Brute Force Attacks

• LastPass admits attackers copied password vaults • The Register

• LastPass users: Your info and password vault data are now in hackers’ hands | Ars Technica

• Notice of Recent Security Incident - The LastPass Blog

Social Media

• Meta Takes Down Over 200 Covert Influence Operations Since 2017 - Infosecurity Magazine (infosecurity-magazine.com)

• Social media use can put companies at risk: Here are some ways to mitigate the danger | CSO Online

• Colleges Move To Ban TikTok on Campus (gizmodo.com)

Malvertising

• Fraudulent ‘popunder’ Google Ad campaign generated millions of dollars • The Register

• Don't click too quick! FBI warns of malicious search engine ads | Tripwire

• FBI Recommends Ad Blockers as Cyber criminals Impersonate Brands in Search Engine Ads | SecurityWeek.Com

• Google Ad fraud campaign used adult content to make millions (bleepingcomputer.com)

Parental Controls and Child Safety

• Buggy parental-control apps could allow device takeover • The Register

• Bfore.Ai Releases 'The King, The Knight & The Snowball' - Cyber security Book for Children (darkreading.com)

• Children And The Dangers Of The Virtual World (informationsecuritybuzz.com)

Regulations, Fines and Legislation

• TSB fined nearly $60m for platform migration disaster • The Register

• FTC Fines Fortnite Maker Epic Games $275 Million for Violating Children's Privacy Law (thehackernews.com)

• UK Privacy Regulator Names and Shames Breached Firms - Infosecurity Magazine (infosecurity-magazine.com)

• FCC proposes record-breaking $300 million fine against robocaller (bleepingcomputer.com)

• France Fines Microsoft 60 Million Euros Over Advertising Cookies | SecurityWeek.Com

• The long, long reach of the UK’s national security laws | Financial Times

Governance, Risk and Compliance

• Make sure your company is prepared for the holiday hacking season - Help Net Security

• Rethinking Risk After the FTX Debacle (darkreading.com)

• The benefit of adopting a hacker mindset for building security strategies - Help Net Security

Careers, Working in Cyber and Information Security

• CISO roles continue to expand beyond technical expertise - Help Net Security

• UK secret services wants ‘corkscrew thinkers’ for new cyber force | News | The Times

Law Enforcement Action and Take Downs

• Swatting spree suspects charged after compromising Ring cams • The Register

Privacy, Surveillance and Mass Monitoring

• Not Big Brother, but close: a surveillance expert explains some of the ways we’re all being watched, all the time (theconversation.com)

• France Fines Microsoft 60 Million Euros Over Advertising Cookies | SecurityWeek.Com

• What is surveillance capitalism? - Definition from WhatIs.com (techtarget.com)

• Google Maps: Important reason you should blur your house on Street View (ladbible.com)

• Blur Your House ASAP if It's on Google Maps. Here's Why - CNET

Artificial Intelligence

• Threat Modeling in the Age of OpenAI's Chatbot (darkreading.com)

• This is how OpenAI's ChatGPT can be used to launch cyber attacks (techmonitor.ai)

• How AI/ML Can Thwart DDoS Attacks (darkreading.com)

• Bfore.Ai Releases 'The King, The Knight & The Snowball' - Cyber security Book for Children (darkreading.com)

Misinformation, Disinformation and Propaganda

• Sophisticated DarkTortilla Malware Serves Imposter Cisco, Grammarly Pages (darkreading.com)

Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine

• Cyber Warfare Is Getting Real | WIRED

• State level cyber attacks – Why and how (ukdefencejournal.org.uk)

• The risk of escalation from cyber attacks has never been greater | Ars Technica

• Ukraine's DELTA military system users targeted by info-stealing malware (bleepingcomputer.com)

• Trojanized Windows 10 installers compromised the Ukrainian government | SC Media (scmagazine.com)

• NATO-Member Oil Refinery Targeted in Russian APT Blitz Against Ukraine (darkreading.com)

• Russian APT Gamaredon Changes Tactics in Attacks Targeting Ukraine | SecurityWeek.Com

• Kremlin-linked hackers tried to spy on oil firm in NATO country, researchers say | CNN Politics

• ‘Our weapons are computers’: Ukrainian coders aim to gain battlefield edge | Ukraine | The Guardian

• The long, long reach of the UK’s national security laws | Financial Times

• UK secret services wants ‘corkscrew thinkers’ for new cyber force | News | The Times

Nation State Actors

Nation State Actors – Russia

• UK orders sale of Russian-backed broadband firm Upp over ‘security risk’ | Telecommunications industry | The Guardian

• Dark Web Profile: Killnet - Russian Hacktivist Group - SOCRadar

Nation State Actors – China

• Apple accused of censoring apps in Hong Kong and Russia • The Register

• The long, long reach of the UK’s national security laws | Financial Times

Nation State Actors – North Korea

• North Korea-linked hackers stole $626M in virtual assets in 2022 - Security Affairs

Vulnerability Management

• Open source vulnerabilities add to security debt - Help Net Security

• Ransomware Groups to Increase Zero-Day Exploit-Based Access Methods in the Future - Infosecurity Magazine (infosecurity-magazine.com)

• Top 5 Vulnerabilities Routinely Exploited by Threat Actors in 2022 (socradar.io)

• Over 50 New CVE Numbering Authorities Announced in 2022 | SecurityWeek.Com

• A Guide to Efficient Patch Management with Action1 (thehackernews.com)

• Digging into the numbers one year after Log4Shell | SC Media (scmagazine.com)

Vulnerabilities

• Critical Windows code-execution vulnerability went undetected until now | Ars Technica

• FoxIt Patches Code Execution Flaws in PDF Tools | SecurityWeek.Com

• Old vulnerabilities in Cisco products actively exploited in the wild - Security Affairs

• OWASSRF: CrowdStrike Identifies New Method for Bypassing ProxyNotShell Mitigations

• Microsoft reports macOS Gatekeeper has an 'Achilles' heel • The Register

• Microsoft will turn off Exchange Online basic auth in January (bleepingcomputer.com)

• Cisco’s Talos security bods predict new wave of Excel Hell • The Register

• Microsoft pushes emergency fix for Windows Server Hyper-V VM issues (bleepingcomputer.com)

• Ransomware Groups to Increase Zero-Day Exploit-Based Access Methods in the Future - Infosecurity Magazine (infosecurity-magazine.com)

• Ransomware Uses New Exploit to Bypass ProxyNotShell Mitigations | SecurityWeek.Com

• New Microsoft Exchange exploit chain lets ransomware attackers in (CVE-2022-41080) - Help Net Security

• Zerobot malware now spreads by exploiting Apache vulnerabilities (bleepingcomputer.com)

• Two New Security Flaws Reported in Ghost CMS Blogging Software (thehackernews.com)

• Critical Security Flaw Reported in Passwordstate Enterprise Password Manager (thehackernews.com)

• This critical Windows security flaw could be as serious as WannaCry, experts claim | TechRadar

• Google WordPress Plug-in Bug Allows AWS Metadata Theft (darkreading.com)

• Microsoft Details Gatekeeper Bypass Vulnerability in Apple macOS Systems (thehackernews.com)

Tools and Controls

• Companies overwhelmed by available tech solutions - Help Net Security

• Is Enterprise VPN on Life Support or Ripe for Reinvention? | SecurityWeek.Com

Reports Published in the Last Week

• National Cyber Security Centre (NCSC) Annual Review 2022: Highlights and Thoughts | Tripwire

Other News

• 'Sextortion,' Business Disruption, and a Massive Attack: What Could Be in Store for 2023 (darkreading.com)

• The Growing Risk Of Malicious QR Codes (informationsecuritybuzz.com)

• NASA infosec again falls short of required standard • The Register

• US Joint Cyber Force Elevated to Newest Subordinate Unified Command - MSSP Alert

• The Rise of the Rookie Hacker - A New Trend to Reckon With (thehackernews.com)

• What enumeration attacks are and how to prevent them | TechTarget

• US consumers seriously concerned over their personal data | CSO Online

• The FBI is worried about wave of crime against small businesses (cnbc.com)

Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

·       Automotive

·       Construction

·       Critical National Infrastructure (CNI)

·       Defence & Space

·       Education & Academia

·       Energy & Utilities

·       Estate Agencies

·       Financial Services

·       FinTech

·       Food & Agriculture

·       Gaming & Gambling

·       Government & Public Sector (including Law Enforcement)

·       Health/Medical/Pharma

·       Hotels & Hospitality

·       Insurance

·       Legal

·       Manufacturing

·       Maritime

·       Oil, Gas & Mining

·       OT, ICS, IIoT, SCADA & Cyber-Physical Systems

·       Retail & eCommerce

·       Small and Medium Sized Businesses (SMBs)

·       Startups

·       Telecoms

·       Third Sector & Charities

·       Transport & Aviation

·       Web3

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

• Executives Take More Cyber Security Risks Than Office Workers

IT software company Ivanti worked with cyber security experts and surveyed 6,500 executive leaders, cybersecurity professionals, and office workers to understand the perception of today’s cybersecurity threats and to find out how companies are preparing for yet-unknown future threats.

The report revealed that despite 97% of leaders and security professionals reporting their organisation is as prepared, or more prepared, to defend against cybersecurity attacks than they were a year ago, one in five wouldn’t bet a chocolate bar that they could prevent a damaging breach.

In fact, the study finds that organisations are racing to fortify against cyber attacks, but the industry still struggles with a reactive, checklist mentality. This is most pronounced in how security teams are prioritising patches. While 92% of security professionals reported they have a method to prioritise patches, they also indicated that all types of patches rank high – meaning none do.

“Patching is not nearly as simple as it sounds,” said Ivanti. “Even well-staffed, well-funded IT and security teams experience prioritisation challenges amidst other pressing demands. To reduce risk without increasing workload, organisations must implement a risk-based patch management solution and leverage automation to identify, prioritise, and even address vulnerabilities without excess manual intervention”.

Cyber security insiders view phishing, ransomware, and software vulnerabilities as top industry-level threats for 2023. Approximately half of respondents indicated they are “very prepared” to meet the growing threat landscape including ransomware, poor encryption, and malicious employees, but the expected safeguards such as deprovisioning credentials is ignored a third of a time and nearly half of those surveyed say they suspect a former employee or contractor still has active access to company systems and files.

The report also revealed that leaders engage in more dangerous behaviour and are four times more likely to be victims of phishing compared to office workers.

Additionally:

• More than 1 in 3 leaders have clicked on a phishing link

• Nearly 1 in 4 use easy-to-remember birthdays as part of their password

• They are much more likely to hang on to passwords for years

• And they are 5x more likely to share their password with people outside the company.

One survey taker shared, “We’ve experienced a few advanced phishing attempts and the employees were totally unaware they were being targeted. These types of attacks have become so much more sophisticated over the last two years – even our most experienced staff are falling prey to it.”

To cope with a rapidly expanding threat landscape, organisations must move beyond a reactive, rules-based approach.

https://www.helpnetsecurity.com/2022/12/16/executives-take-more-cybersecurity-risks-than-office-workers/

• CISO Role is Diversifying from Technology to Leadership & Communication Skills

The role of chief information security officer (CISO), a relatively new executive position, is undergoing some significant changes and an archetype has yet to emerge, a new global report from Marlin Hawk, an executive recruiting and leadership consultant, said.

CISOs are still more likely to serve on advisory boards or industry bodies than on the board of directors. Only 13% of the global CISOs analysed are women; approximately 20% are non-white. Each diversity dimension analysed is down one percentage point year-on-year.

According to James Larkin, managing partner at Marlin Hawk, “Today’s CISOs are taking up the mantle of responsibilities that have traditionally fallen solely to the chief information officer (CIO), which is to act as the primary gateway from the tech department into the wider business and the outside marketplace. This widening scope requires CISOs to be adept communicators to the board, the broader business, as well as the marketplace of shareholders and customers. By thriving in the ‘softer’ skill sets of communication, leadership, and strategy, CISOs are now setting the new industry standards of today and, I predict, will be progressing into the board directors of tomorrow.”

The job does not come without its downsides. For one, according to the search firm, many CISOs change roles and leave their jobs. Their skillset may not be adequate or new leaders get appointed to the job, they lack the necessary internal support, or their company may not have the required commitment to cyber security to make the job effective.

Key findings from the report include:

• 45% of global CISOs have been in their current role for two years or less, down from 53% in 2021, with 18% turnover year-on-year. While there is still a lot of movement in the CISO seat, there is potentially some stabilisation emerging.

• Approximately 62% of global CISOs were hired from another company, indicating a slight increase in the number of CISOs hired internally (38% were hired internally compared to 36% in 2021) but a large gap remains in appropriate successors.

• 36% of CISOs analysed with a graduate degree received a higher degree in business administration or management. This is down 10% from last year (46% in 2021). Conversely, there has been an increase to 61% of CISOs receiving a higher degree in STEM subjects (up from 46% in 2021).

https://www.msspalert.com/cybersecurity-research/ciso-role-is-diversifying-from-technology-to-leadership-communication-skills/

• How Emerging AIs, Like ChatGPT, Can Turn Anyone into a Ransomware and Malware Threat Actor

Ever since OpenAI launched ChatGPT at the end of November, commentators on all sides have been concerned about the impact AI-driven content-creation will have, particularly in the realm of cybersecurity. In fact, many researchers are concerned that generative AI solutions will democratise cyber crime.

With ChatGPT, any user can enter a query and generate malicious code and convincing phishing emails without any technical expertise or coding knowledge.

While security teams can also leverage ChatGPT for defensive purposes such as testing code, by lowering the barrier for entry for cyber attacks, the solution has complicated the threat landscape significantly. From a cyber security perspective, the central challenge created by OpenAI’s creation is that anyone, regardless of technical expertise, can create code to generate malware and ransomware on-demand.

Whilst it can be used for good to assist developers in writing code for good, it can (and already has) been used for malicious purposes. Examples including asking the bot to create convincing phishing emails or assist in reverse engineering code to find zero-day exploits that could be used maliciously instead of reporting them to a vendor.

ChatGPT does have inbuilt guardrails designed to prevent the solution from being used for criminal activity. For instance, it will decline to create shell code or provide specific instructions on how to create shellcode or establish a reverse shell and flag malicious keywords like phishing to block the requests.

The problem with these protections is that they’re reliant on the AI recognising that the user is attempting to write malicious code (which users can obfuscate by rephrasing queries), while there’s no immediate consequences for violating OpenAI’s content policy.

https://venturebeat.com/security/chatgpt-ransomware-malware/

• Cyber Security Drives Improvements in Business Goals

Cyber threats should no longer be viewed as just an IT problem, but also a business problem, Deloitte said in its latest Future of Cyber study. Operational disruption, loss of revenue, and loss of customer trust are the top three significant impacts of cyber incidents. More than half, or 56%, of respondents told Deloitte they suffered related consequences to a moderate or large extent.

In 2021, the top three negative consequences from cyber incidents and breaches were operational disruption, which includes supply chain and the partner ecosystem, intellectual property theft, and a drop in share price. While operational disruption remained the top concern in 2022, loss of revenue and loss of customer trust and negative brand impact moved up in importance. Intellectual property theft and drop in share price dropped to eighth and ninth (out of ten) in ranking. Losing funding for a strategic initiative, loss of confidence in the integrity of the technology, and impact on employee recruitment and retention moved up in ranking in 2022. Respondents were also asked to mark two consequences they felt would be most important in 2023: Operational disruption and loss of revenue topped the list.

"Today, cyber means business, and it is difficult to overstate the importance of cyber as a foundational and integral business imperative," Deloitte noted in its report. "It [cyber] should be included in every functional area, as an essential ingredient for success—to drive continuous business value, not simply mitigate risks to IT."

Deloitte categorised organisations' cyber security maturity based on their adoption of cyber planning, risk management, and board engagement. Risk management included activities such as industry benchmarking, incident response, scenario planning, and qualitative and quantitative risk assessment.

Whether or not the organisation adopted any of these three practices hinged on stakeholders recognising the importance of cyber responsibility and engagement across the whole organisation, Deloitte said in its report. Examples included having a governing body that comprises IT and senior business leaders to oversee the cyber program, conducting incident-response scenario planning and simulation at the organisational and/or board level, regularly providing cyber updates to the board to secure funding, and conducting regular cyber awareness training for all employees.

https://www.darkreading.com/edge-threat-monitor/cybersecurity-drives-improvements-in-business-goals

• Incoming FCA Chair Says Crypto Firms Facilitate Money Laundering

The man who will lead UK efforts to regulate cryptocurrency firms issued a stark condemnation of the sector on Wednesday, telling MPs that in his experience crypto platforms were “deliberately evasive”, facilitated money laundering at scale and created “massively untoward risk”.

The comments from Ashley Alder, the incoming chair of the Financial Conduct Authority, suggest that crypto firms hoping to build businesses in the UK will face an uphill battle when the FCA assumes new powers to regulate broad swaths of the sector.

They also put Alder, who will become FCA chair in February, on a potential collision course with the government’s aspiration to create a high quality crypto hub that fosters innovation, a vision ministers have remained loyal to even as the global crypto market lurches from crisis to crisis, epitomised by the collapse of FTX. The FCA declined to comment on whether their incoming chair’s views were at odds with those of the government.

Alder comments came during a sometimes terse appointment hearing with the cross-party Treasury select committee, where he faced sustained criticism for appearing virtually from Hong Kong and for his lack of familiarity with some parts of the UK market place and its accountability structures.

https://www.ft.com/content/7bf0a760-5fb5-4146-b757-1acc5fc1dee5

• Managing Cyber Risk in 2023: The People Element

2022 has had many challenges from cyber war between Russia and Ukraine, continuing ransomware attacks, and a number of high-profile vulnerabilities and zero day attacks.  With the attack surface constantly expanding, CISOs and security leaders are acutely aware of the need to minimise risk across people, processes, and technology.

Top infrastructure risk: people

It’s common knowledge that it’s not if, but when, your organisation will be the target of a cyber attack. CISOs and security leaders seem to share the same opinion—according to Trend Micro’s latest Cyber Risk Index (CRI) (1H’2022), 85% of 4,100 respondents across four global regions said its somewhat to very likely they will experience a cyber attack in the next 12 months.  More concerning was 90% of respondents had at least one successful cyber attack in the past 12 months.

The CRI (1H’2022) also found that CISOs, IT practitioners, and managers identified that most organisations’ IT security objectives are not aligned with the business objectives, which could cause challenges when trying to implement a sound cyber security strategy.

It’s important to note that while ideal, avoiding a cyber attack isn’t the main goal—companies need to address critical challenges across their growing digital attack surface to enable faster detection and response, therefore minimising cyber risk.

While it's commonly assumed that security efforts should be largely focused on protecting critical servers and infrastructure, the human attack vector shouldn’t be so quickly forgotten.

https://www.trendmicro.com/en_us/ciso/22/e/managing-cyber-risk.html

• What We Can't See Can Hurt Us

In speaking with security and fraud professionals, visibility remains a top priority. This is no surprise, since visibility into the network, application, and user layers is one of the fundamental building blocks of both successful security programs and successful fraud programs. This visibility is required across all environments — whether on-premises, private cloud, public cloud, multicloud, hybrid, or otherwise.

Given this, it is perhaps a bit surprising that visibility in the cloud has lagged behind the move to those environments. This occurred partially because few options for decent visibility were available to businesses as they moved to the cloud. But it also partially happened because higher priority was placed on deploying to the cloud than on protecting those deployments from security and fraud threats.

This is unfortunate, since what we can't see can hurt us. That being said, cloud visibility is becoming a top priority for many businesses. There are a few areas where many businesses are looking for visibility to play a key role, including Compliance, Monitoring, Investigation, Response, API Discovery, Application Breaches, and Malicious User Detection.

Organisation have been a bit behind in terms of ensuring the requisite visibility into cloud environments. Whilst time has been lost, it does seem that gaining visibility into the network, application, and user layers is now a priority for many businesses. This is a positive development, as it enables those businesses to better mitigate the risks that operating blindly creates.

https://www.darkreading.com/edge-articles/what-we-can-t-see-can-hurt-us

• Uber Suffers New Data Breach After Attack on Vendor, Info Leaked Online

Uber has suffered a new data breach after a threat actor leaked employee email addresses, corporate reports, and IT asset information stolen from a third-party vendor in a cyber security incident.

On Saturday last week, a threat actor named 'UberLeaks' began leaking data they claimed was stolen from Uber and Uber Eats on a hacking forum known for publishing data breaches. The leaked data includes numerous archives claiming to be source code associated with mobile device management platforms (MDM) used by Uber and Uber Eats and third-party vendor services.

The threat actor created four separate topics, allegedly for Uber MDM at uberhub.uberinternal.com and Uber Eats MDM, and the third-party Teqtivity MDM and TripActions MDM platforms. Each post refers to a member of the Lapsus$ hacking group who is believed to be responsible for numerous high-profile attacks, including a September cyber attack on Uber where threat actors gained access to the internal network and the company's Slack server.

News outlet BleepingComputer has been told that the newly leaked data consists of source code, IT asset management reports, data destruction reports, Windows domain login names and email addresses, and other corporate information. One of the documents seen by BleepingComputer includes email addresses and Windows Active Directory information for over 77,000 Uber employees.

While BleepingComputer initially thought this data was stolen during the September attack, Uber told BleepingComputer it believes it is related to a security breach on a third-party vendor.

https://www.bleepingcomputer.com/news/security/uber-suffers-new-data-breach-after-attack-on-vendor-info-leaked-online/

• When Companies Compensate the Hackers, We All Foot the Bill

Companies are always absorbing costs that are seen as par for the course of budget planning: maintenance, upgrades, office supplies, wastage, shrinkage, etc. These costs ratchet up the price of a company's products and are then passed on to the consumer. Breaches in cyber security and paying out ransoms to hackers should be outside of this remit, and yet more than half of all companies admit to transferring the costs of data breaches on to consumers. Careless or ill-informed employees and other weaknesses in a company's protections lead to catastrophic losses to businesses of around $1,797,945 per minute — and the consumers are paying it off.

If a company estimates the recovery costs from a ransomware attack to exceed the requested payment from the hacker, then it feels like a no-brainer — they're better off just cutting their losses and giving in to the cyber criminal's demands. The issue is that this creates an unvirtuous circle of paying the hacker, which enforces nefarious behaviour and empowers hackers to increase the number and volume of ransoms.

When it comes to ransomware, 32% of companies pay off hackers, and, of that percentage, the average company only retrieves about 65% of its data. Giving in to hackers is counterintuitive. On an even more disturbing note, one study found that 80% of companies that paid a ransom were targeted a second time, with about 40% paying again and a majority of that 40% paying a higher ransom the second time round. This is ludicrous. With 33% of companies suspending operations following an attack, and nearly 40% resorting to laying off staff, it comes as no surprise that the downstream costs are picked up to some extent by the consumer.

As for smaller companies, about 50% of US small businesses don't have a cyber security plan in place, despite the fact that small businesses are three times more likely to be targeted by cyber criminals than larger companies. An average breach costs these companies around $200,000 and has put many out of business. It isn't simply the cost passed on to consumers, it's also the intangible assets, such as brand reputation.

When data is leaked and a site goes down, customers become rightly anxious when their information is sold to the highest bidder on the Dark Web. To safeguard against this, companies of all sizes should exploit automated solutions while training every single member of staff to recognise and report online threats. Paying a ransom does not guarantee the return of data, and for a smaller business, losing valuable customer information could cause long-term damage way beyond the initial attack.

Cyber security professionals, governments, and law enforcement agencies all advise companies to avoid paying the hackers' ransoms. This strategy is affirmed by the success businesses have had in retrieving the stolen data and turning the lights back on — 78% of organisations who say they did not pay a ransom were able to fully restore systems and data without the decryption key. This evidently is not enough to reassure companies who, at the click of a dangerous email being opened, have lost sensitive information and access to their systems and are desperate to get back online. There are many preventative techniques businesses can take advantage of before it even gets to that stage.

https://www.darkreading.com/attacks-breaches/when-companies-compensate-the-hackers-we-all-foot-the-bill

• HSE Cyber-Attack Costs Ireland $83m So Far

The cost of the cyber-attack that hit the Irish Health Service Executive (HSE) last year has officially reached €80m ($83.75m).

The figures come from a letter from HSE’s chief information officer, seen by The Irish Times. This comes months after the Department of Health suggested in February the attack could end up costing up to €100m ($104m). The letter confirmed that the costs reached €42m ($43.97m) in 2021 and almost €39m ($40.83m) until October of this year.

Ireland has a very capable national cyber security centre and a well-oiled CSIRT team that engages the public/private sector. If the cost does continue to escalate to €100m, that is the equivalent to everyone in the Republic of Ireland having been defrauded by €20. According to The Irish Times, the costs were said to be “enormous,” and the government has been asked to complete a comprehensive assessment of the impact caused by the breach.

The cyber-attack, believed to have been conducted by Russia-based state actors, was reportedly caused by a malicious Microsoft Excel file delivered via a phishing email. According to a December 2021 report, the file was opened at an HSE workstation in March 2021. The malware would have been latent for two months before the breach, which was reportedly discovered in May, two months later. A total of roughly 100,000 people had their personal data stolen during the cyber-attack.

Healthcare continues to be a target of attacks given their enormous attack surface across critical applications, cloud environments and IoT devices.

https://www.infosecurity-magazine.com/news/hse-cyber-attack-ireland-dollar83m/

Threats

Ransomware, Extortion and Destructive Attacks

• HSE Cyber-Attack Costs Ireland $83m So Far - Infosecurity Magazine (infosecurity-magazine.com)

• Ransomware-hit Rackspace email outage enters 12th day • The Register

• The Dark Web is Getting Darker - Ransomware Thrives on Illegal Markets (bleepingcomputer.com)

• Rash of New Ransomware Variants Springs Up in the Wild (darkreading.com)

• Patch Tuesday: Microsoft Plugs Windows Hole Exploited in Ransomware Attacks | SecurityWeek.Com

• Preventing a ransomware attack with intelligence: Strategies for CISOs - Help Net Security

• Agenda Ransomware Switches to Rust to Attack Critical Infrastructure - Infosecurity Magazine (infosecurity-magazine.com)

• LockBit ransomware crew claims attack on California Department of Finance - CyberScoop

• When Companies Compensate the Hackers, We All Foot the Bill (darkreading.com)

• Clop ransomware uses TrueBot malware for access to networks (bleepingcomputer.com)

• TrueBot infections were observed in Clop ransomware attacks - Security Affairs

• Pulling the Curtains on Azov Ransomware: Not a Skidsware but Polymorphic Wiper - Check Point Research

• Play ransomware claims attack on Belgium city of Antwerp (bleepingcomputer.com)

• Brooklyn hospital network victim of cyber hack crash (msn.com)

• Ransomware Group Threatens to Publish Data Stolen From California Department of Finance | SecurityWeek.Com

• Cyber security Experts Uncover Inner Workings of Destructive Azov Ransomware (thehackernews.com)

• Cybereason warns of rapid increase in Royal ransomware | TechTarget

• New Royal ransomware group evades detection with partial encryption | CSO Online

• How ChatGPT can turn anyone into a ransomware and malware threat actor   | VentureBeat

• Check Point classifies Azov as wiper, not ransomware | TechTarget

• The Future of Ransomware - Security News (trendmicro.com)

• Hive ransomware gang claims responsibility for attack on Intersport that left cash registers disabled (bitdefender.com)

Phishing & Email Based Attacks

• Open-source repositories flooded by 144,000 phishing packages (bleepingcomputer.com)

• Phishing attack uses Facebook posts to evade email security (bleepingcomputer.com)

BEC – Business Email Compromise

• US Food Companies Warned of BEC Attacks Stealing Food Product Shipments | SecurityWeek.Com

Other Social Engineering; Smishing, Vishing, etc

• North Korean Hackers Use Impersonation to Steal Intel - Infosecurity Magazine (infosecurity-magazine.com)

Malware

• Microsoft digital certificates have once again been abused to sign malware | Ars Technica

• Hackers target Japanese politicians with new MirrorStealer malware (bleepingcomputer.com)

• Zscaler: Nearly 90% of Cyber attacks Now Use Encrypted Channels, Malware Tops - MSSP Alert

• This Linux-targeting malware just got more powerful | ZDNET

• Crooks use HTML smuggling to spread QBot malware via SVG files - Security Affairs

• A clever trick turns antivirus software into unstoppable data wiping scourges | TechSpot

• How ChatGPT can turn anyone into a ransomware and malware threat actor   | VentureBeat

Mobile

• Android Malware Campaign Leverages Money-Lending Apps to Blackmail Victims (thehackernews.com)

• Why You Should Enable Apple’s New iOS 16.2 Security Feature | Reviews by Wirecutter (nytimes.com)

• NSA Slices Up 5G Mobile Security Risks (darkreading.com)

• Xnspy stalkerware spied on thousands of iPhones and Android devices | TechCrunch

Internet of Things – IoT

• Critical Infrastructure Attacks: Convergence of IoT and OT Gives Hackers a Huge Attack Surface - SSP Alert

• 3.5m IP cameras exposed, with US in the lead - Security Affairs

• Are robots too insecure for lethal use by law enforcement? | CSO Online

• 10 Ways Doorbell Cameras Pose a Threat to Privacy and Security - Listverse

Data Breaches/Leaks

• Uber suffers new data breach after attack on vendor, info leaked online (bleepingcomputer.com)

• Twitter confirms recent user data leak is from 2021 breach (bleepingcomputer.com)

• HR platform Sequoia says hackers accessed customer SSNs and COVID-19 data | TechCrunch

• Parsing LastPass’ data breach notice | TechCrunch

• Social Blade discloses security breach - Security Affairs

• Australia's Telstra suffers privacy breach, 132,000 customers impacted | Reuters

• Unauthorised server access caused AirAsia data leak: Fahmi | Malaysia | The Vibes

• FBI's InfraGard Cyber security Program Breached by Hackers (gizmodo.com)

• Database of the FBI's InfraGard US Critical Infrastructure Intelligence portal available for sale - Security Affairs

• Aussie Data Breaches Surge 489% in Q4 2022 - Infosecurity Magazine (infosecurity-magazine.com)

• Uber staff information leaks after IT supply chain attack • The Register

• TPG reveals emails of 15,000 iiNet and Westnet customers exposed in hack | Telecommunications industry | The Guardian

• TPG Telecom joins list of hacked Australian companies, shares slide | Reuters

• How companies can avoid costly data breaches - Help Net Security

• Hackers leak personal info allegedly stolen from 5.7M Gemini users (bleepingcomputer.com)

Organised Crime & Criminal Actors

• ‘Booter’ sites taken down in global cyber crime bust (gbnews.uk)

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

• Incoming FCA chair says crypto firms facilitate money laundering | Financial Times (ft.com)

• Britons lose life savings to ‘Ali Baba and the cryptocurrency scammers’ | News | The Times

• Bitcoin miners took on billions in debt to ‘pump their stock’—leading to a crypto catastrophe | Fortune

• Chaos RAT Used to Enhance Linux Cryptomining Attacks - Infosecurity Magazine (infosecurity-magazine.com)

• DOJ divided over charging Binance for alleged crypto crimes, report says | Ars Technica

• Crypto was meant to solve financial corruption. The FTX scandal shows it’s got worse | David A Banks | The Guardian

• Facebook Asks Lawmakers Not to Regulate Crypto Too Harshly Just Because of All the Fraud (vice.com)

• The amateur sleuths who helped to bring down Sam Bankman-Fried - New Statesman

• Hackers leak personal info allegedly stolen from 5.7M Gemini users (bleepingcomputer.com)

Insider Risk and Insider Threats

• Executives take more cyber security risks than office workers - Help Net Security

• Managing Cyber Risk in 2023: The People Element (trendmicro.com)

Fraud, Scams & Financial Crime

• Loan Fee Fraud Surges by a Fifth as Christmas Approaches - Infosecurity Magazine (infosecurity-magazine.com)

• Fraudsters Flooding Retail Markets with Bad Bots, Preying on Unsuspecting Retailers, Consumers - MSSP Alert

• Britons lose life savings to ‘Ali Baba and the cryptocurrency scammers’ | News | The Times

• Australians have lost at least $7.2 million to the 'Hi Mum' scam. How does it work and why is it so lucrative for cyber criminals? - ABC News

• Restaurant closes after fraudsters posing as officials steal thousands | News | The Times

• Woman gets 66 months in prison for role in $3.3 million ID fraud op (bleepingcomputer.com)

• Patrick Giblin conned women all over the US. Now he's going to prison for 5 years | CNN

• UK arrests five for selling dodgy point of sale software • The Register

• The amateur sleuths who helped to bring down Sam Bankman-Fried - New Statesman

• Scammers are pretending to be striking paramedics to trick people into giving donations, ambulance service warns | UK News | Sky News

• 8 charged with conspiracy to commit securities fraud • The Register

AML/CFT/Sanctions

• Incoming FCA chair says crypto firms facilitate money laundering | Financial Times (ft.com)

Insurance

• Most startups have cyber insurance but are uncertain about how much risk is covered - Help Net Security

• Cyber Insurer Cowbell Launches Cyber security Advisory Board - MSSP Alert

Dark Web

• The Dark Web is Getting Darker - Ransomware Thrives on Illegal Markets (bleepingcomputer.com)

Supply Chain and Third Parties

• Uber staff information leaks after IT supply chain attack • The Register

• Report highlights serious cyber security issues with US defence contractors | CSO Online

Software Supply Chain

• How Naming Can Change the Game in Software Supply Chain Security (darkreading.com)

• Microsoft digital certificates have once again been abused to sign malware | Ars Technica

Denial of Service DoS/DDoS

• FBI Charges 6, Seizes 48 Domains Linked to DDoS-for-Hire Service Platforms (thehackernews.com)

• Prosecutors charge 6 people for allegedly waging massive DDoS attacks | Ars Technica

• teiss - Cyber Threats - DDoS attacks on the rise

• How My Startup Survived a DDoS Attack - Bannerbear

• DDoS is not back; it never went away; and PAM is on hand to fight the ‘unstoppable’ menace (techxmedia.com)

• ‘Booter’ sites taken down in global cyber crime bust (gbnews.uk)

• Microsoft discovers Windows/Linux botnet used in DDoS attacks | Ars Technica

Cloud/SaaS

• Top 4 SaaS Security Threats for 2023 (thehackernews.com)

• Microsoft launches EU 'data boundary' from next year • The Register

• What We Can't See Can Hurt Us (darkreading.com)

• HR platform Sequoia says hackers accessed customer SSNs and COVID-19 data | TechCrunch

• Parsing LastPass’ data breach notice | TechCrunch

• Lego fixes dangerous API vulnerability in BrickLink service | TechTarget (computerweekly.com)

• Data Destruction Policies in the Age of Cloud Computing (darkreading.com)

Hybrid/Remote Working

• Remote Work Cyber security Requires a Change in Mindset (informationsecuritybuzz.com)

Encryption

• Zscaler: Nearly 90% of Cyber attacks Now Use Encrypted Channels, Malware Tops - MSSP Alert

• The FBI Says Apple’s New Encryption Is “Deeply Concerning” (futurism.com)

• NIST Retires SHA-1 Cryptographic Algorithm | NIST

• Over 85% of Attacks Hide in Encrypted Channels - Infosecurity Magazine (infosecurity-magazine.com)

• WhatsApp is getting closer to a total UK shutdown | indy100

• Privacy advocates are aghast at UK’s anti-encryption plans (thenextweb.com)

API

• Lego fixes dangerous API vulnerability in BrickLink service | TechTarget (computerweekly.com)

Open Source

• This Linux-targeting malware just got more powerful | ZDNET

• Chaos RAT Used to Enhance Linux Cryptomining Attacks - Infosecurity Magazine (infosecurity-magazine.com)

• Google Launches OSV-Scanner Tool to Identify Open Source Vulnerabilities (thehackernews.com)

• Open-source repositories flooded by 144,000 phishing packages (bleepingcomputer.com)

Passwords, Credential Stuffing & Brute Force Attacks

• New GoTrim botnet brute forces WordPress site admin accounts (bleepingcomputer.com)

Social Media

• Fleeing Twitter users face uncertain privacy, security features on alternative platforms - CyberScoop

• Elon Musk's Twitter dissolves Trust and Safety Council - just days after its members speak out | Science & Tech News | Sky News

• TikTok may push potentially harmful content to teens within minutes, study finds | CNN Business

• Meta warns spyware still being used to target people on social media | Meta | The Guardian

• Elon Musk Bans Journalists From Twitter After Reinstating Nazis (gizmodo.com)

• Russian disinformation rampant on far-right social media platforms - CyberScoop

• HowTo: Fight Cyber-Threats in the Metaverse - Infosecurity Magazine

• US politicians propose TikTok ban over China security concerns (telegraph.co.uk)

• Social Blade discloses security breach - Security Affairs

• Twitter suspends Mastodon’s official account | The Hill

Training, Education and Awareness

• Keep Your Grinch at Bay: Here's How to Stay Safe Online this Holiday Season (thehackernews.com)

• Remote Work Cyber security Requires a Change in Mindset (informationsecuritybuzz.com)

Parental Controls and Child Safety

• Most apps used in US classrooms share students' personal data with advertisers, researchers find - CyberScoop

• TikTok may push potentially harmful content to teens within minutes, study finds | CNN Business

• Microsoft Teams is a vector for child sexual abuse material • The Register

Cyber Bullying, Cyber Stalking and Sextortion

• Xnspy stalkerware spied on thousands of iPhones and Android devices | TechCrunch

• Proposed law offers support to tech-enabled abuse survivors • The Register

Regulations, Fines and Legislation

• Privacy concerns are limiting data usage abilities - Help Net Security

• European Commission takes step toward approving EU-US data privacy pact | Computerworld

Governance, Risk and Compliance

• Managing Cyber Risk in 2023: The People Element (trendmicro.com)

• Executives take more cyber security risks than office workers - Help Net Security

• Cyber security Drives Improvements in Business Goals (darkreading.com)

• Compliance Is Not Enough: How to Manage Your Customer Data (darkreading.com)

• 5 tips for building a culture of cyber security accountability - Help Net Security

• How acceptable is your acceptable use policy? | CSO Online

• Data Destruction Policies in the Age of Cloud Computing (darkreading.com)

• What CISOs consider when building up security resilience - Help Net Security

• CISO Role is Diversifying From Technology to Leadership & Communication Skills - MSSP Alert

Models, Frameworks and Standards

• Why PCI DSS 4.0 Should Be on Your Radar in 2023 (thehackernews.com)

• PCI Secure Software Standard version 1.2 sets out new payment security requirements | CSO Online

Backup and Recovery

• Why Your MSSP Should Offer Backup-as-a-Service (BaaS) - MSSP Alert

• CISA Warns Veeam Backup & Replication Vulnerabilities Exploited in Attacks | SecurityWeek.Com

Data Protection

• OECD Signs "Landmark" Privacy Agreement - Infosecurity Magazine (infosecurity-magazine.com)

Careers, Working in Cyber and Information Security

• Top Reasons Not to Become a Self-Taught Ethical Hacker in 2023 (analyticsinsight.net)

• The Cyber security Industry Doesn't Have a Stress Problem — It Has a Leadership Problem (darkreading.com)

• Two-Thirds of Security Pros Have Burnt Out in Past Year - Infosecurity Magazine (infosecurity-magazine.com)

Law Enforcement Action and Take Downs

• FBI Charges 6, Seizes 48 Domains Linked to DDoS-for-Hire Service Platforms (thehackernews.com)

• Prosecutors charge 6 people for allegedly waging massive DDoS attacks | Ars Technica

• 8 charged with conspiracy to commit securities fraud • The Register

Privacy, Surveillance and Mass Monitoring

• Privacy advocates are aghast at UK’s anti-encryption plans (thenextweb.com)

• WhatsApp is getting closer to a total UK shutdown | indy100

• Most apps used in US classrooms share students' personal data with advertisers, researchers find - CyberScoop

• Apple should pay €6m for tracking users – French official • The Register

• European Commission takes step toward approving EU-US data privacy pact | Computerworld

• Privacy concerns are limiting data usage abilities - Help Net Security

Artificial Intelligence

• Are robots too insecure for lethal use by law enforcement? | CSO Online

• How ChatGPT can turn anyone into a ransomware and malware threat actor   | VentureBeat

Misinformation, Disinformation and Propaganda

• Russian disinformation rampant on far-right social media platforms - Cyberscoop

Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine

• Trojanized Windows 10 Operating System Installers Targeted Ukrainian Government | Mandiant

• Meta takes down surveillance-for-hire firms, calls for government action against the industry - CyberScoop

• Reassessing cyberwarfare. Lessons learned in 2022 | Securelist

• As Wiretap Claims Rattle Government, Greece Bans Spyware | SecurityWeek.Com

• Ex-Twitter Worker Gets Prison Time in Saudi 'Spy' Case | SecurityWeek.Com

• Reassessing cyberwarfare. Lessons learned in 2022 | Securelist

Nation State Actors

Nation State Actors – Russia

• Seven accused of smuggling out US military tech for Moscow • The Register

• Neo-Nazi Russian militia appeals for intelligence on Nato member states | Ukraine | The Guardian

• GPS Signals Are Being Disrupted in Russian Cities | WIRED

• NSA cyber director warns of Russian digital assaults on global energy sector - CyberScoop

• Russian disinformation rampant on far-right social media platforms - CyberScoop

Nation State Actors – China

• NSA Outs Chinese Hackers Exploiting Citrix Zero-Day | SecurityWeek.Com

• US politicians propose TikTok ban over China security concerns (telegraph.co.uk)

• Hackers target Japanese politicians with new MirrorStealer malware (bleepingcomputer.com)

• US to add Chinese chipmaker to trade blacklist | Financial Times (ft.com)

• AIIMS cyber attack suspected to have originated in China, Hong Kong - Rediff.com India News

• Spies and Lies by Alex Joske — inside China’s intelligence operation | Financial Times (ft.com)

Nation State Actors – North Korea

• North Korean cyber spies deploy new tactic: tricking foreign experts into writing research for them | Reuters

• North Korean Hackers Use Impersonation to Steal Intel - Infosecurity Magazine (infosecurity-magazine.com)

Nation State Actors – Iran

• MuddyWater APT group is back with updated TTPs - Security Affairs

• Iran-Backed Charming Kitten APT Eyes Kinetic Ops, Kidnapping (darkreading.com)

• Not-so-Charming Kitten targets orgs for espionage and worse • The Register

Vulnerability Management

• Transitive Dependencies Account for 95% of Bugs - Infosecurity Magazine (infosecurity-magazine.com)

• 24% of technology applications contain high-risk security flaws - Help Net Security

Vulnerabilities

• Hackers exploit critical Citrix ADC and Gateway zero day, patch now (bleepingcomputer.com)

• CISA Warns Veeam Backup & Replication Vulnerabilities Exploited in Attacks | SecurityWeek.Com

• Adobe Patches 38 Flaws in Enterprise Software Products | SecurityWeek.Com

• VMware fixed critical VM Escape bug demonstrated at Geekpwn hacking contest - Security Affairs

• Samba Issues Security Updates to Patch Multiple High-Severity Vulnerabilities (thehackernews.com)

• Fortinet says SSL-VPN pre-auth RCE bug is exploited in attacks (bleepingcomputer.com)

• Transitive Dependencies Account for 95% of Bugs - Infosecurity Magazine (infosecurity-magazine.com)

• Citrix Releases Security Updates for Citrix ADC, Citrix Gateway | CISA

• Security Flaw in Atlassian Products Affecting Multiple Companies (darkreading.com)

• Serious Attacks Could Have Been Staged Through This Amazon ECR Public Gallery Vulnerability (thehackernews.com)

• Patch Tuesday: 0-days, RCE bugs, and a curious tale of signed malware – Naked Security (sophos.com)

• Patch Tuesday: Microsoft Plugs Windows Hole Exploited in Ransomware Attacks | SecurityWeek.Com

• New Actively Exploited Zero-Day Vulnerability Discovered in Apple Products (thehackernews.com)

• Apple patches everything, finally reveals mystery of iOS 16.1.2 – Naked Security (sophos.com)

• Apple fixed the tenth actively exploited zero-day this year - Security Affairs

• High-Severity Memory Safety Bugs Patched With Latest Chrome 108 Update | SecurityWeek.Com

• Top 5 Web App Vulnerabilities and How to Find Them (thehackernews.com)

• Microsoft Reclassifies SPNEGO Extended Negotiation Security Vulnerability as 'Critical' (thehackernews.com)

• Severe vulnerabilities found in most industrial controllers - The Washington Post

• Akamai WAF bypassed via Spring Boot to trigger RCE | The Daily Swig (portswigger.net)

Tools and Controls

• CISA Warns Veeam Backup & Replication Vulnerabilities Exploited in Attacks | SecurityWeek.Com

• Why Your MSSP Should Offer Backup-as-a-Service (BaaS) - MSSP Alert

• How My Startup Survived a DDoS Attack - Bannerbear

• Data Destruction Policies in the Age of Cloud Computing (darkreading.com)

• 8 Firewall Best Practices | Enterprise Networking Planet

• Zero Trust Shouldn’t Be The New Normal (darkreading.com)

Other News

• Cyber Threats Loom as 5B People Prepare to Watch World Cup Final (darkreading.com)

• Tech companies must start sharing intelligence to avert global conflicts | Financial Times (ft.com)

• Japan, Australia, to bolster cyber-defences • The Register

• Microsoft Defender, Avast, AVG turned against Windows to permanently delete files - Neowin

• Analysis Shows Attackers Favour PowerShell, File Obfuscation (darkreading.com)

• Automated Cyber campaign Creates Masses of Bogus Software Building Blocks (darkreading.com)

• 12 types of wireless network attacks and how to prevent them | TechTarget

• Windows: Still insecure after all these years | ZDNET

• FuboTV says World Cup streaming outage caused by a cyber attack (bleepingcomputer.com)

• MTTR “not a viable metric” for complex software system reliability and security | CSO Online

• Low-code/no-code security risks climb as tools gain traction | TechTarget

Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

·       Automotive

·       Construction

·       Critical National Infrastructure (CNI)

·       Defence & Space

·       Education & Academia

·       Energy & Utilities

·       Estate Agencies

·       Financial Services

·       FinTech

·       Food & Agriculture

·       Gaming & Gambling

·       Government & Public Sector (including Law Enforcement)

·       Health/Medical/Pharma

·       Hotels & Hospitality

·       Insurance

·       Legal

·       Manufacturing

·       Maritime

·       Oil, Gas & Mining

·       OT, ICS, IIoT, SCADA & Cyber-Physical Systems

·       Retail & eCommerce

·       Small and Medium Sized Businesses (SMBs)

·       Startups

·       Telecoms

·       Third Sector & Charities

·       Transport & Aviation

·       Web3

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

• How Organisations Can Protect Themselves in The Emerging Risk Landscape

ThoughtLab’s 2022 cyber security benchmarking study ‘Cyber Security Solutions for a Riskier World’ revealed that the pandemic has brought cyber security to a critical inflection point. The number of material breaches that respondents suffered rose 20.5% from 2020 to 2021, and cyber security budgets as a percentage of firms’ total revenue jumped 51%, from 0.53% to 0.80%.

During that time, cyber security has become a strategic business imperative, requiring CEOs and their management teams to work together to meet the higher expectations of regulators, shareholders, and the board.

https://www.helpnetsecurity.com/2022/06/13/cybersecurity-strategic-business-imperative-video/

• Phishing Reaches All-Time High in Early 2022

The Anti-Phishing Working Group (APWG) Phishing Activity Trends Report reveals that in the first quarter of 2022 there were 1,025,968 total phishing attacks—the worst quarter for phishing observed to date. This quarter was the first time the three-month total has exceeded one million. There were 384,291 attacks in March 2022, which was a record monthly total.

In the first quarter of 2022, OpSec Security reported that phishing attacks against the financial sector, which includes banks, remained the largest set of attacks, accounting for 23.6 percent of all phishing. Attacks against webmail and software-as-a-service (SaaS) providers remained prevalent as well, while attacks against retail/ecommerce sites fell from 17.3 to 14.6 percent after the holiday shopping season.

Phishing against social media services rose markedly, from 8.5 percent of all attacks in 4Q2021 to 12.5 percent in 1Q2022. Phishing against cryptocurrency targets—such as cryptocurrency exchanges and wallet providers—inched up from 6.5 in the previous quarter to 6.6 percent of attacks.

https://www.helpnetsecurity.com/2022/06/15/2022-total-phishing-attacks/

• Ransomware Attacks Are Surging, with More Dangerous Hybrid Attacks to Come. Is Your Cyber Security Up to Date?

Time to reassess your cyber security strategies. Again.

Ransomware attacks on businesses have increased by one-third in the past year, according to a recent report by the Boston-based cyber security company Cybereason. 

Most (73 percent of businesses) were hit by at least one ransomware attack in the past year, and 68 percent of businesses that paid a ransom were hit again in less than a month for a higher ransom, according to the survey, which polled 1,456 cyber security professionals at global companies with 700 or more employees.

These attacks have big implications: Thirty-seven percent of companies were forced to lay off employees after paying ransoms, and 33 percent were forced to temporarily suspend business.

Since the invasion of Ukraine, cyber security experts have insisted businesses improve their lines of defence to protect against an increased risk of ransomware attacks from Russia. ​Ransomware attacks have also increased since the start of the pandemic--the rise of remote work increased vulnerability for many businesses, which hackers have taken advantage of, a 2020 FBI memo noted. So, enterprises of all sizes are at risk from many more points of attack.

https://www.inc.com/rebecca-deczynski/ransomware-attacks-increasing-cyber-security-advice.html

• The Challenges of Managing Increased Complexity as Hybrid IT Accelerates

SolarWinds released the findings of its ninth annual IT Trends Report which examines the acceleration of digital transformation efforts and its impact on IT departments. The report found the acceleration of hybrid IT has increased network complexity for most organisations and caused several worrisome challenges for IT professionals.

Hybrid and remote work have amplified the impact of distributed and complex IT environments. Running workloads and applications across both cloud and on-premises infrastructure can be challenging, and many organisations are increasingly experiencing—and ultimately hindered by—these pain points.

As more and more mission-critical workloads move to connected cloud architectures that span public, private, hybrid, and multi-cloud environments, enterprises recognise they need to invest in the tools that will help them ensure consistent policies and performance across all platforms and end users. However, they simultaneously face challenges such as budget, time constraints, and barriers to implementing observability as a strategy to keep pace with hybrid IT realities.

However professionals feel less confident in their organisation’s ability to manage IT. While 54% of respondents state they leverage monitoring strategies to manage this complexity, 49% revealed they lack visibility into the majority of their organisation’s apps and infrastructure. This lack of visibility impacts their ability to conduct anomaly detection, easy root-cause analysis, and other critical processes to ensure the availability, performance, and security of business-critical applications.

https://www.helpnetsecurity.com/2022/06/16/hybrid-it-acceleration-challenges/

• 72% Of Middle Market Companies Expect to Experience a Cyber Attack

Middle market companies face an increasingly volatile cyber security environment, with threats coming from more directions than ever before and more skilled criminals targeting the segment, according to an RSM US and US Chamber of Commerce report.

However, there is good news as the number of breaches reported in the last year among middle market companies slightly decreased with protections becoming more available and executives understanding the consequences related to potential incidents. Twenty-two percent of middle market leaders claimed that their company experienced a data breach in the last year, representing a drop from 28% in last year’s survey, suggesting that even with enhanced protections in place and the decrease in attacks, companies cannot afford to let their guard down.

The middle market encountered a roller coaster of risks in the last year, from lingering threats related to the COVID-19 pandemic to geopolitical conflicts and economic uncertainty.

The small drop in reported breaches is encouraging, and largely attributed to middle market companies beginning to implement better identity and access management controls. Yet, even with the decline in reported attacks, companies recognise the risks posed by the current dynamic threat environment, with 72% of executives anticipating that unauthorised users will attempt to access data or systems in 2022, a sharp rise from 64% last year and the highest number since RSM began tracking data in 2015.

https://www.helpnetsecurity.com/2022/06/16/middle-market-companies-cybersecurity/

• Malware's Destruction Trajectory and How to Defeat It

Malware and targeted attacks on operating systems and firmware have become increasingly destructive in nature, and these more nefarious attack methods are rising in prevalence. And just to add insult to injury, there are more of them. Today’s attacks are hitting more often, and they are hitting harder.

In the first three decades of its existence, malware was primarily restricted to mischief and attempts by virus creators to discover if their creations would work. But now the threat landscape has changed from simple vandalism to lucrative cyber crime and state-sponsored attacks.

Wiper malware, in particular, has gained traction in recent months. The FortiGuard Labs research team has seen at least seven different malware attacks targeting Ukrainian infrastructure or Ukrainian companies so far this year. The primary reason for using Wiper malware is its sheer destructiveness – the intent is to cripple infrastructure. What does the increased presence of Wiper malware strains indicate? And what do security leaders need to know and do to keep their organisation safe? Read more…

https://www.securityweek.com/malwares-destruction-trajectory-and-how-defeat-it

• Which Stolen Data Are Ransomware Gangs Most Likely to Disclose?

If your organisation gets hit by a ransomware gang that has also managed to steal company data before hitting the “encrypt” button, which types of data are more likely to end up being disclosed as you debate internally on whether you should pay the ransomware gang off?

Rapid7 analysed 161 data disclosures performed by ransomware gangs using the double extortion approach between April 2020 and February 2022, and found that:

• The most commonly leaked data is financial (63%), followed by customer/patient data (48%)

• Files containing intellectual property (e.g., trade secrets, research data, etc.) are rarely disclosed (12%) by ransomware gangs, but if the organisation is part of the pharmaceutical industry, the risk of IP data being disclosed is considerably higher (43%), “likely due to the high value placed on research and development within this industry.”

https://www.helpnetsecurity.com/2022/06/17/ransomware-data-disclosed/

• Threat Actors Becoming More Creative Exploiting the Human Factor

Threat actors exhibited "ceaseless creativity" last year when attacking the Achilles heel of every organisation—its human capital—according to Proofpoint's annual The Human Factor 2022 report. The report, released June 2, draws on a multi-trillion datapoint graph created from the company's deployments to identify the latest attack trends by malicious players.

"Last year, attackers demonstrated just how unscrupulous they really are, making protecting people from cyber threats an ongoing—and often eye-opening—challenge for organisations,” Proofpoint said in a statement.

The combination of remote work and the blurring of work and personal life on smartphones have influenced attacker techniques, the report notes. During the year, SMS phishing, or smishing, attempts more than doubled in the United States, while in the UK, 50% of phishing lures focused on delivery notifications. An expectation that more people were likely working from home even drove good, old-fashioned voice scams, with more than 100,000 telephone attacks a day being launched by cyber criminals.

https://www.csoonline.com/article/3663478/threat-actors-becoming-more-creative-exploiting-the-human-factor.html#tk.rss_news

• 66% Of Organisations Store 21%-60% Of Their Sensitive Data in The Cloud

A Thales report, conducted by 451 Research, reveals that 45% of businesses have experienced a cloud-based data breach or failed audit in the past 12 months, up 5% from the previous year, raising even greater concerns regarding the protection of sensitive data from cyber criminals.

Globally, cloud adoption and notably multicloud adoption, remains on the rise. In 2021, organisations worldwide were using an average amount of 110 software as a service (SaaS) applications, compared with just eight in 2015, showcasing a startlingly rapid increase.

With increasing complexity of multicloud environments comes an even greater need for robust cyber security. When asked what percentage of their sensitive data is stored in the cloud, 66% said between 21-60%. However, only 25% said they could fully classify all data.

https://www.helpnetsecurity.com/2022/06/16/cloud-based-data-breach-video/

• Travel-related Cyber Crime Takes Off as Industry Rebounds

An upsurge in the tourism industry after the COVID-19 pandemic grabs the attention of cyber criminals to scam the tourists.

Researchers are warning a post-COVID upsurge in travel has painted a bullseye on the travel industry and has spurred related cyber crimes.

Criminal activity includes an uptick in adversaries targeting the theft of airline mileage reward points, website credentials for travel websites and travel-related databases breaches, according to a report by Intel 471.

The impact of the attacks are hacked accounts stripped of value. But also, researchers say the consequences of recent attacks can also include flight delays and cancelations as airlines grapple with mitigating hacks.

https://threatpost.com/travel-related-cybercrime-takes-off/179962/

• How Should You Think About Security When Considering Digital Transformation Projects?

Digital transformation helps businesses keep operating and stay competitive. Here are the ways to think about security so that businesses reap the benefits without taking on associated risks.

Multiple factors contribute to the sheer number of digital transformation projects underway today: the proliferation of the Internet of Things (IoT), expanding artificial intelligence (AI) capabilities, the sudden shift to a remote workforce prompted by the global COVID-19 pandemic, and the rapid rate of cloud migration. Digital transformation is no longer a nice-to-have; it’s a must-have in order to survive and thrive in today’s business world.

CISOs and their security teams need to think about security in the digital age from both an internal and an external perspective. For the former, security teams should introduce and adopt digital enablers to transform the information security organisation. Digital enablers include the cloud, IoT, AI/machine learning (ML), and automation to transform the information security organisation.

For the latter, they should address potential risks as new digital enablers are introduced by the business to drive growth.

Here are five specific areas security teams should prioritise to achieve security-first digital transformation:

1. Security operations modernisation

2. Developer-centric security

3. Cloud strategy and execution

4. Connected devices

5. Big data and analytics

As important as it is to keep the business operating and competitive, organisations must transform securely. Keeping security at the forefront gives the business the benefits of digital transformation without the associated risks.

https://www.darkreading.com/edge-ask-the-experts/how-should-i-think-about-security-when-considering-digital-transformation-projects-

• Internet Explorer Now Retired but Still an Attacker Target

Microsoft's official end-of-support for the Internet Explorer 11 desktop application on June 15 relegated to history a browser that's been around for almost 27 years. Even so, IE still likely will provide a juicy target for attackers.

That's because some organisations are still using Internet Explorer (IE) despite Microsoft's long-known plans to deprecate the technology. Microsoft meanwhile has retained the MSHTML (aka Trident) IE browser engine as part of Windows 11 until 2029, allowing organisations to run in IE mode while they transition to the Microsoft Edge browser. In other words, IE isn't dead just yet, nor are threats to it.

Though IE has a negligible share of the browser market worldwide these days (0.52%), many enterprises still run it or have legacy applications tied to IE. This appears to be the case in countries such as Japan and Korea. Stories in Nikkei Asia and Japan Times this week quoted a survey by Keyman's Net showing that nearly 49% of 350 Japanese companies surveyed are still using IE. Another report in South Korea's MBN pointed to several large organisations still running IE.

https://www.darkreading.com/vulnerabilities-threats/internet-explorer-will-likely-remain-an-attacker-target-for-some-time

Threats

Ransomware

• Ransomware attacks are increasing with more dangerous hybrids ahead | CSO Online

• Why do organisations need to prioritize ransomware preparedness? - Help Net Security

• Ransomware and Phishing Remain IT's Biggest Concerns (darkreading.com)

• The attacker’s toolkit: Ransomware-as-a-service | VentureBeat

• Ransomware gang publishes stolen victim data on the public Internet - Help Net Security

• Researchers Discover Way to Attack SharePoint and OneDrive Files with Ransomware | SecurityWeek.Com

• ALPHV/BlackCat ransomware gang starts publishing victims' data on the clear web - Security Affairs

• Ransomware gang creates site for employees to search for their stolen data (bleepingcomputer.com)

• Microsoft: Exchange servers hacked to deploy BlackCat ransomware (bleepingcomputer.com)

• Conti's Attack Against Costa Rica Sparks a New Ransomware Era | WIRED UK

• Hello XD ransomware now drops a backdoor while encrypting (bleepingcomputer.com)

• Alphv ransomware gang ups pressure with new extortion scheme (techtarget.com)

• Costa Rica Chaos a Warning That Ransomware Threat Remains | SecurityWeek.Com

• DeadBolt ransomware takes another shot at QNAP storage • The Register

• The many lives of BlackCat ransomware - Microsoft Security Blog

• Atlassian Confluence Flaw Being Used to Deploy Ransomware and Crypto Miners (thehackernews.com)

• BlackCat Ransomware affiliates target unpatched Microsoft Exchange servers - Security Affairs

• Ransomware gangs target Japan as a feeding ground | Financial Times (ft.com)

• Africa's biggest supermarket hit by ransomware attacks | TechRadar

Phishing & Email Based Attacks

• NakedPages Phishing Toolkit is Now Available on Cyber crime Forums - Infosecurity Magazine

• New phishing attack infects devices with Cobalt Strike (bleepingcomputer.com)

Other Social Engineering

• How social engineering attacks are evolving beyond email - Help Net Security

• 2,000 People Arrested Worldwide for Social Engineering Schemes | SecurityWeek.Com

• Facebook Messenger Scam Duped Millions | Threatpost

• Heineken giving away free beer for Father's Day? It's a WhatsApp scam (bitdefender.com)

Malware

• Businesses are leaving bot attacks unchallenged for almost four months - Help Net Security

• New Syslogk Linux rootkit uses magic packets to trigger backdoor (bleepingcomputer.com)

• Linux Malware Deemed ‘Nearly Impossible’ to Detect | Threatpost

• Authorities Shut Down Russian RSOCKS Botnet That Hacked Millions of Devices (thehackernews.com)

• PSA: Beware of Clipboard Malware | NiceHash

• New Emotet Variant Stealing Users’ Credit Card Information From Google Chrome – Information Security Buzz

• Akamai Warns Of "Panchan" Linux Botnet That Leverages Golang Concurrency, Systemd - Phoronix

• Websites Hosting Fake Cracks Spread Updated CopperStealer Malware (trendmicro.com)

Mobile

• Over a billion Google Play Store app downloads could be infected by malware | TechRadar

• Android malware on the Google Play Store gets 2 million downloads (bleepingcomputer.com)

• MaliBot: A New Android Banking Trojan Spotted in the Wild (thehackernews.com)

• Cyber security Researchers Find Several Google Play Store Apps Stealing Users Data - Infosecurity Magazine

• Chinese Hackers Distribute Backdoored Web3 Wallets for iOS and Android Users (thehackernews.com)

• Android Spyware 'Hermit' Discovered in Targeted Attacks (darkreading.com)

Internet of Things - IoT

• Anker Eufy smart home hubs exposed to RCE attacks by critical flaw (bleepingcomputer.com)

• Researcher Shows How Tesla Key Card Feature Can Be Abused to Steal Cars | SecurityWeek.Com

Data Breaches/Leaks

• Unsecured Elasticsearch server leaks a million records • The Register

Organised Crime & Criminal Actors

• Cyber Criminals Smuggle Ukrainian Men Across Border - Infosecurity Magazine

• iCloud hacker gets 9 years in prison for stealing nude photos (bleepingcomputer.com)

Cryptocurrency/Cryptomining/Cryptojacking/NFTs

• Atlassian Confluence Flaw Being Used to Deploy Ransomware and Crypto Miners (thehackernews.com)

Insider Risk and Insider Threats

• At Second Trial, Ex-CIA Employee Defends Himself in Big Leak | SecurityWeek.Com

Fraud, Scams & Financial Crime

• BNPL (Buy Now Pay Later) Fraud Alert as Account Takeovers Surge - Infosecurity Magazine (infosecurity-magazine.com)

• INTERPOL raids hundreds of scammy call centers in sweep - CyberScoop

• Fraud trends and scam tactics consumers should be aware of - Help Net Security

Dark Web

• 24 Billion Usernames And Passwords Found On The Dark Web – Information Security Buzz

Supply Chain and Third Parties

• How confident are IT pros in the security of their organisation's supply chain? - Help Net Security

Denial of Service DoS/DDoS

• A tiny botnet launched the largest DDoS attack on record | ZDNet

• Cloudflare Saw Record-Breaking DDoS Attack Peaking at 26 Million Request Per Second (thehackernews.com)

• DDoS Subscription Service Operator Gets 2 Years in Prison (darkreading.com)

Cloud/SaaS

• Increased cloud complexity needs stronger cyber security - Help Net Security

• Beware the 'Secret Agent' Cloud Middleware (darkreading.com)

• SaaS security: How to avoid “death by 1000 apps” - Help Net Security

• Quantifying the SaaS Supply Chain and Its Risks (darkreading.com)

• 83% of IT pros are using either hybrid or multi-cloud - Help Net Security

Privacy

• Location data poses risks to individuals, organisations | CSO Online

Passwords, Credential Stuffing & Brute Force Attacks

• 24+ Billion Credentials Circulating on the Dark Web in 2022 — So Far (darkreading.com)

• Strong passwords still a priority strategy for enterprises - Help Net Security

• The future is passwordless. What's slowing it down? - Help Net Security

• Brute-Force Attacks: How to Defend Against Them - MSSP Alert

• Staffing Firm Robert Half Says Hackers Targeted Over 1,000 Customer Accounts | SecurityWeek.Com

Travel

• Cyber Criminals Capitalizing on Resurgence in Travel (darkreading.com)

Regulations, Fines and Legislation

• Privacy Watchdog Set to Keep Millions in Fines for Legal Costs - Infosecurity Magazine

• Canada wants companies to report cyber attacks and hacking incidents | Reuters

• A closer look at the US SEC Cyber Security Disclosure rule - Help Net Security

Law Enforcement Action and Take Downs

• Interpol anti-fraud op leads to 2,000 arrests, $50m seized • The Register

Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine

• Chinese Threat Actor Employs Fake Removable Devices as Lures in Cyber-Espionage Campaign (darkreading.com)

• Sophisticated Android Spyware 'Hermit' Used by Governments | SecurityWeek.Com

• Chinese 'Gallium' Hackers Using New PingPull Malware in Cyberespionage Attacks (thehackernews.com)

• Vladimir Putin forced by cyber attack in Russia to delay keynote speech | The Independent

• Iranian hacking campaign that included former US ambassador exposed - CyberScoop

Nation State Actors

Nation State Actors – Russia

• Russia Reportedly Warns of "Direct Military Clash" if Cyber-Attacks on its Infrastructure Continue - IT Security Guru

• Russian hackers start targeting Ukraine with Follina exploits (bleepingcomputer.com)

• Mixed results for Russia's aggressive Ukraine information war, experts say - CyberScoop

Nation State Actors – China

• Chinese Gallium hackers backdoor finance, govt orgs using new PingPull malware (bleepingcomputer.com)

• China-linked APT Flew Under Radar for Decade | Threatpost

• Chinese APT exploited Sophos Firewall Zero-Day before it was fixed - Security Affairs

Nation State Actors – Iran

• New Iranian Spear-Phishing Campaign Hijacks Email Conversations- IT Security Guru

• State-Sponsored Phishing Attack Targeted Israeli Military Officials | Threatpost

Vulnerability Management

• Only 10% of vulnerabilities are remediated each month - Help Net Security

• Vulnerability management mistakes CISOs still make | CSO Online

• Mind the gap: How to ensure your vulnerability detection methods are up to scratch - Help Net Security

Vulnerabilities

• Microsoft fixes Follina and 55 other CVEs - Help Net Security

• Details of Twice-Patched Windows RDP Vulnerability Disclosed | SecurityWeek.Com

• New Hertzbleed side-channel attack affects Intel, AMD CPUs (bleepingcomputer.com)

• Time to throw out those older, vulnerable Cisco SMB routers • The Register

• Critical Citrix Bugs Impact All ADM Servers, Agents (darkreading.com)

• Time to update: Google patches seven Chrome browser bugs, four rated 'high' risk | ZDNet

• Critical Flaw in Cisco Secure Email and Web Manager Lets Attackers Bypass Authentication (thehackernews.com)

• Cisco fixed a critical Bypass Authentication flaw in Cisco ESA and Secure Email and Web Manager- Security Affairs

• Why Log4j Is Still The Problem When The Patch Is Released 6 Months Ago? – Information Security Buzz

• Atlassian Confluence Flaw Being Used to Deploy Ransomware and Crypto Miners (thehackernews.com)

• Sophos Firewall zero-day bug exploited weeks before fix (bleepingcomputer.com)

• Researchers Disclose Rooting Backdoor in Mitel IP Phones for Businesses (thehackernews.com)

• NinjaForms WordPress plugin, actively exploited in wild, receives forced security update • Graham Cluley

• How to mitigate Active Directory attacks that use the KrbRelayUp toolset | CSO Online

• Hertzbleed disclosure raises questions for Intel (techtarget.com)

• Critical Atlassian Confluence flaw remains under attack (techtarget.com)

• Hackers exploit three-year-old Telerik flaws to deploy Cobalt Strike (bleepingcomputer.com)

• Technical Details Released for 'SynLapse' RCE Vulnerability Reported in Microsoft Azure (thehackernews.com)

• Zimbra bug allows stealing email logins with no user interaction (bleepingcomputer.com)

• Microsoft takes months to fix critical Azure Synapse bug (techtarget.com)

• PACMAN, a new attack technique against Apple M1 CPUs - Security Affairs

• Critical Code Execution Vulnerability Patched in Splunk Enterprise | SecurityWeek.Com

• High-Severity RCE Vulnerability Reported in Popular Fastjson Library (thehackernews.com)

• This Security Exploit Could Have Major PS5 And PS4 Implications (slashgear.com)

Sector Specific

Financial Services Sector

• Chinese GALLIUM Expands Targeting Across Telecommunications, Government and Finance Sectors With New PingPull Tool (paloaltonetworks.com)

Telecoms

• Chinese GALLIUM Expands Targeting Across Telecommunications, Government and Finance Sectors With New PingPull Tool (paloaltonetworks.com)

Government

• Chinese GALLIUM Expands Targeting Across Telecommunications, Government and Finance Sectors With New PingPull Tool (paloaltonetworks.com)

Health/Medical/Pharma Sector

• Ransomware Risk in Healthcare Endangers Patients | Threatpost

• Kaiser Permanente Says Data Breach Hit 69,000 Patients (gizmodo.com)

Transport and Aviation

• Cyber Criminals Capitalizing on Resurgence in Travel (darkreading.com)

CNI, OT, ICS, IIoT and SCADA

• Tackling 5 Challenges Facing Critical National Infrastructure Today (darkreading.com)

• State of OT Security in 2022: Big Survey Key Insights (trendmicro.com)

• Over a Dozen Flaws Found in Siemens' Industrial Network Management System (thehackernews.com)

• Eight ICS Zero Days Could Open Doors for Hackers - Infosecurity Magazine

Web3

• Web3 and IAM: Marching toward disruption | CSO Online

Reports Published in the Last Week

• Voice of the CISO 2022 | Proofpoint

• 3 Big Takeaways From the Verizon DBIR 2022 (darkreading.com)

• Other News

• Why We Need Security Knowledge and Not Just Threat Intel (darkreading.com)

• Once is never enough: The need for continuous penetration testing - Help Net Security

• CISOs Gain False Confidence in the Calm After the Storm of the Pandemic (darkreading.com)

• 9 ways hackers will use machine learning to launch attacks | CSO Online

• API security warrants its own specific solution - Help Net Security

• Cyber Security Courses Ramp Up Amid Shortage of Professionals | SecurityWeek.Com

• How Russian sanctions may be helping US cyber security (techtarget.com)

• UK Security Practitioners Lack The Confidence To Stop Attacks – Information Security Buzz

• How Can Security Partnerships Help to Mitigate the Increasing Cyber Threat? (darkreading.com)

• 45% of cyber security pros are considering quitting the industry due to stress - Help Net Security

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.