Threat Intelligence Blog
Contact us to discuss any insights from our Blog, and how we can support you in a tailored threat intelligence report.
Black Arrow Cyber Threat Briefing 28 April 2023
Black Arrow Cyber Threat Briefing 28 April 2023:
- Navigating The Future of Cyber: Business Strategy, Cyber Security Training, and Digital Transformation Are Key
- Shadow IT, SaaS Pose Security Liability for Enterprises
- The Strong Link Between Cyber Threat Intelligence and Digital Risk Protection
- Weak Credentials, Unpatched Vulnerabilities, Malicious Open Source Packages Causing Cloud Security Risks
- Over 70 billion Unprotected Files Available on Unsecured Web Servers
- Cyber Thieves Are Getting More Creative
- Modernising Vulnerability Management: The Move Toward Exposure Management
- Almost Three-quarters of Cyber Attacks Involve Ransomware
- Corporate Boards Pressure CISOs to Step Up Risk Mitigation Efforts
- NSA Sees ‘Significant’ Russian Intel Gathering on European, US Supply Chain Entities
- Email Threat Report 2023: Key Takeaways
- 5 Most Dangerous New Attack Techniques
- Many Public Salesforce Sites are Leaking Private Data
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
Navigating the Future of Cyber: Business Strategy, Cyber Security Training, and Digital Transformation are Key
Cyber investments have become table stakes for businesses around the world. Cyber crime is increasing, with 91% of organisations reporting at least one cyber incident in the past year. Not only are they growing in numbers, but they are becoming more sophisticated and diverse, with new threats constantly emerging. According to the 2023 Deloitte Global Future of Cyber survey, business leaders are changing how they think of cyber, and it’s emerging as a larger strategic discussion tied to an organisation’s long-term success.
Cyber is about more than protecting information—risk management, incident response planning, threat intelligence and training can often be directly correlated to increasing trust within businesses.
Cyber security training is essential for employees to ensure the safety and security of a business. Employees are often the first line of defence against cyber-attacks and frequently the weakest link in an organisation's security posture. Cyber security training can help employees recognise and avoid common cyber threats, such as phishing attacks, malware, and social engineering. 89% of organisations cited as high-performing cyber organisations have implemented annual cyber awareness training among all employees. With increased digital dependency year over year—effective employee training can raise awareness, reduce risk, improve security posture, and support compliance.
Shadow IT, SaaS Pose Security Liability for Enterprises
There's no denying that software-as-a-service (SaaS) has entered its golden age. Software tools have now become essential to modern business operations and continuity. However, not enough organisations have implemented the proper procurement processes to ensure they're protecting themselves from potential data breaches and reputational harm.
A critical component contributing to concerns around SaaS management is the rising trend of shadow IT, which is when employees download and use software tools without notifying their internal IT teams. A recent study shows that 77% of IT professionals believe that shadow IT is becoming a major concern in 2023, with more than 65% saying their SaaS tools aren't being approved. Organisations are beginning to struggle with maintaining security as their SaaS usage continues to sprawl.
To combat shadow IT and the high risks that come along with it, organisations must gain greater visibility over their SaaS stacks and institute an effective procurement process when bringing on new software solutions.
https://www.darkreading.com/edge-articles/shadow-it-saas-pose-security-liability-for-enterprises
The Strong Link Between Cyber Threat Intelligence and Digital Risk Protection
While indicators of compromise and attackers’ tactics, techniques, and processes (TTPs) remain central to threat intelligence, cyber threat intelligence needs have grown over the past few years, driven by things like digital transformation, cloud computing and remote working. In fact, these changes have led to a cyber threat intelligence (CTI) subcategory focused on digital risk protection (DRP). DRP is broadly defined as, “telemetry, analysis, processes, and technologies used to identify and mitigate risks associated with digital assets”.
According to research provider ESG, the most important functions of DRP as part of a mature CTI programme are: vulnerability exploit intelligence, takedown services, leaked data monitoring, malicious mobile application monitoring, brand protection and attack surface management. It should be noted that a mature CTI programme can utilise service providers to help carry out threat intelligence, it doesn’t have to be spun up by the organisation from nothing. Regardless, an organisation employing these DRP functions as part of a CTI programme will be increasing its cyber resilience and reducing the chance of a cyber incident.
Weak Credentials, Unpatched Vulnerabilities, Malicious Open Source Packages Causing Cloud Security Risks
Threat actors are getting more adept at exploiting common everyday issues in the cloud, including misconfigurations, weak credentials, lack of authentication, unpatched vulnerabilities, and malicious open-source software (OSS) packages. Meanwhile, security teams take an average of 145 hours to solve alerts, with 80% of cloud alerts triggered by just 5% of security rules in most environments according to a recent report. The report, conducted by UNIT 42 analysed the workload of 210,000 cloud accounts across 1,300 organisations.
The report’s findings echoed similarities from the previous year, finding almost all cloud users, roles, services and resources grant excessive permissions. Some of the other key findings include as many as 83% of organisations having hard-coded credentials in their source control management systems, 53% of cloud accounts allowing weak password usage and 44% allowing password reuse and 71% of high or critical vulnerabilities exposed were at least two years old.
Over 70 Billion Unprotected Files Available on Unsecured Web Servers
A recent report found that more than 70 billion files, including intellectual property and financial information, are freely available and unprotected on unsecured web servers. Other key findings of the report included almost 1 in 10 of all detected internet-facing assets having an unpatched vulnerability, with the top 10 vulnerabilities found unpatched at least 12 million times each.
The report predicted that there will be a significant rise in information stealing malware; the report had found that 50% of emails associated with customers were plaintext and unencrypted. Additionally, there will be more incidents due to an increase in assets which are not known to IT, known as shadow IT.
Organisations should look to employ efficient patch management, have an up to date asset register, and use encryption to better increase their cyber defences.
https://www.helpnetsecurity.com/2023/04/24/critical-cybersecurity-exposures/
Cyber Thieves Are Getting More Creative
Cyber criminals are constantly changing their tactics and finding new ways to steal money from organisations. An example of this can be seen where criminals are breaking into systems to learn who is authorised to send payments and what the procedures are. Eventually, this leads to the criminal instructing payment to their own account.
Unfortunately, it is only after such events that some organisations are taking actions, such as verifying payments through phone calls. Whilst it is important for organisations to learn from attacks, it is beneficial to take a pro-active approach and employ procedures such as call back procedures before an incident has occurred.
https://hbr.org/2023/04/cyber-thieves-are-getting-more-creative
Modernising Vulnerability Management: The Move Toward Exposure Management
Managing vulnerabilities in the constantly evolving technological landscape is a difficult task. Although vulnerabilities emerge regularly, not all vulnerabilities present the same level of risk. Traditional metrics such as CVSS score or the number of vulnerabilities are insufficient for effective vulnerability management as they lack business context, prioritisation, and understanding of attackers' motivations, opportunities and means. Vulnerabilities only represent a small part of the attack surface that attackers can leverage.
Exposures are broader and can encompass more than just vulnerabilities. Exposures can result from various factors, such as human error, improperly defined security controls, and poorly designed and unsecured architecture. Organisations should consider that an attacker doesn’t just look at one exposure; attackers will often use a combination of vulnerabilities, misconfigurations, permissions and other exposures to move across systems and reach valuable assets.
As such, organisations looking to improve their cyber resiliency should consider their vulnerability management system and assess both whether it is taking into account exposures and the context in relation to the organisation.
https://thehackernews.com/2023/04/modernizing-vulnerability-management.html
Two-thirds of Cyber Attacks Involve Ransomware
A report from Sophos focusing on recent incident response cases, found that 68.4% of incidents resulted from ransomware. This was followed by network breaches, accounting for 18.4%. Regarding threat actor access, the report found that unpatched vulnerabilities were the single most common access method, followed by compromised credentials.
Corporate Boards Pressure CISOs to Step Up Risk Mitigation Efforts
A recent report found that the top challenges when implementing an effective cyber/IT risk management programme include an increase in the quantity (49%) and severity (49%) of cyber threats, a lack of funding (37%) and a lack of staffing/cyber risk talent (36%).
Cyber attacks have been increasing for several years now and resulting data breaches cost businesses an average of $4.35 million in 2022, according to the annual IBM ‘Cost of a Data Breach’ report. Given the financial and reputational consequences of cyber attacks, corporate board rooms are putting pressure on CISOs to identify and mitigate cyber/IT risk.
When it came to reporting to the board, 30% of CIO and CISO respondents say they do not communicate risk around specific business initiatives to other company leaders, indicating they may not know how to share that information in a constructive way.
https://www.helpnetsecurity.com/2023/04/26/effective-it-risk-management/
NSA Sees ‘Significant’ Russian Intel Gathering on European, US Supply Chain Entities
According to the US National Security Agency (NSA), Russian hackers could be looking to attack logistics targets more broadly. The NSA have noted a significant amount of intelligence gathering into western countries, including the UK and the US.
Although there is no indication yet regarding attacks from Russia in connection with the logistics related to Ukraine, organisations should be aware and look to improve their cyber security practices to be best prepared.
https://cyberscoop.com/nsa-russian-ukraine-supply-chain-ransomware/
Email Threat Report 2023: Key Takeaways
According to a recent report, email phishing made up 24% of all spam types in 2022, a significant increase in proportion from 11% in 2021. The finance industry was the most targeted by far, accounting for 48% of phishing incidents. It is followed by the construction sector at 17%, overtaking 2021’s second-place industry, e-commerce. Both the finance and construction industries saw an increase in phishing since last year. Of all the emails analysed in 2022, an enormous 90% were spam emails.
With phishing as prevalent as ever, organisations should look to implement training for their staff to not only be able to spot phishing emails, but to be able to report these and aid in improving the cyber security culture of their organisation.
https://www.itsecurityguru.org/2023/04/27/email-threat-report-2023-key-takeaways/
5 Most Dangerous New Attack Techniques
Experts from security training provider SANS Institute have revealed the 5 most dangerous new attack techniques: adversarial AI, ChatGPT-powered social engineering, third-party developer attacks (also known as software supply chain attacks), SEO, and paid advertising attacks.
The new techniques highlight the ever changing environment of the attack environment. SEO and paid advertising attacks are leveraging fundamental marketing strategies to gain initial access, heightening the importance for organisations to incorporate scalable user awareness training programmes, tailored to new threats.
https://www.csoonline.com/article/3694892/5-most-dangerous-new-attack-techniques.html
Many Public Salesforce Sites are Leaking Private Data
A shocking number of organisations — including banks and healthcare providers — are leaking private and sensitive information from their public Salesforce Community websites. The data exposures all stem from a misconfiguration in Salesforce Community that allows an unauthenticated user to access records that should only be available after logging in.
This included the US State of Vermont who had at least five separate Salesforce Community sites that allowed guest access to sensitive data, including a Pandemic Unemployment Assistance programme that exposed the applicant’s full name, social security number, address, phone number, email, and bank account number. Similar information was leaked by TCF Bank on their Salesforce Community Website.
It's not just Salesforce though; misconfigurations in general are responsible for a number of leaked documents and or exposures relating to an organisation.
https://krebsonsecurity.com/2023/04/many-public-salesforce-sites-are-leaking-private-data/
Threats
Ransomware, Extortion and Destructive Attacks
New coercive tactics used to extort ransomware payments - Help Net Security
Almost three-quarters of cyber attacks involve ransomware | Computer Weekly
Ransomware attacks, human error main cause of cloud data breaches: Report (business-standard.com)
Effects of the Hive Ransomware Group Takedown (darkreading.com)
Microsoft Confirms PaperCut Servers Used to Deliver LockBit and Cl0p Ransomware (thehackernews.com)
Tank storage company Vopak hacked, Ransomware groups report | NL Times
Health insurer Point32Health suffered a ransomware attack-Security Affairs
Hacker demands ransom after 'taking control' of Wiltshire school's IT | Swindon Advertiser
RSAC speaker offers ransomware victims unconventional advice | TechTarget
How ransomware victims can make the best of a bad situation | TechTarget
Hackers Leaked Minneapolis Students' Psychological Reports, Allegations of Abuse (gizmodo.com)
Linux version of RTM Locker ransomware targets VMware ESXi servers (bleepingcomputer.com)
CommScope employees left in the dark after ransomware attack | TechCrunch
Phishing & Email Based Attacks
How Dangerous Is Phishing in 2023? - Duo Blog | Duo Security
The New Frontier in Email Security: Goodbye, Gateways; Hello, Behavioural AI (darkreading.com)
BEC – Business Email Compromise
2FA/MFA
CrowdStrike details new MFA bypass, credential theft attack | TechTarget
Phishing-resistant MFA shapes the future of authentication forms - Help Net Security
Malware
Malware-Free Cyber attacks Are On the Rise; Here's How to Detect Them (darkreading.com)
Ex-Conti and FIN7 Actors Collaborate with New Backdoor (securityintelligence.com)
EvilExtractor malware activity spikes in Europe and the US (bleepingcomputer.com)
Zaraza Malware Exploits Web Browsers To Steal Stored Passwords (latesthackingnews.com)
This evil malware disables your security software, then goes in for the kill | TechRadar
Decoy Dog malware toolkit found after analysing 70 billion DNS queries (bleepingcomputer.com)
Lazarus Subgroup Targeting Apple Devices with New RustBucket macOS Malware (thehackernews.com)
A Security Team Is Turning This Malware Gang’s Tricks Against It | WIRED
Evasive Panda APT group delivers malware via updates for popular Chinese software | WeLiveSecurity
Google banned 173K developer accounts to block malware, fraud rings (bleepingcomputer.com)
Chinese Cyber spies Delivered Malware via Legitimate Software Updates - SecurityWeek
Chinese hackers launch Linux variant of PingPull malware | CSO Online
Mobile
WhatsApp used in BEC scam to pilfer $6.4M | SC Media (scmagazine.com)
35M Downloads Of Android Minecraft Clones Spreads Adware (informationsecuritybuzz.com)
Botnets
Denial of Service/DoS/DDOS
New SLP bug can lead to massive 2,200x DDoS amplification attacks (bleepingcomputer.com)
'Anonymous Sudan' Claims Responsibility for DDoS Attacks Against Israel (darkreading.com)
Internet of Things – IoT
Data Breaches/Leaks
Over 70 billion unprotected files available on unsecured web servers - Help Net Security
Many Public Salesforce Sites are Leaking Private Data – Krebs on Security
American Bar Association data breach hits 1.4 million members (bleepingcomputer.com)
American Bar Association (ABA) suffered a data breach-Security Affairs
Shields Health Breach Exposes 2.3M Users' Data (darkreading.com)
Serving UK Armed Forces member charged under Official Secrets Act (telegraph.co.uk)
Yellow Pages Canada confirms cyber attack as Black Basta leaks data (bleepingcomputer.com)
Vantage Travel Experiences Data Security Incident (darkreading.com)
Organised Crime & Criminal Actors
Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain
Insider Risk and Insider Threats
Fraud, Scams & Financial Crime
The IRS is sending four investigators across the world to fight cyber crime | TechCrunch
US deploys more cyber forces abroad to help fight hackers | Reuters
The ‘Your computer was locked’ scam is gaining traction (consumeraffairs.com)
Google banned 173K developer accounts to block malware, fraud rings (bleepingcomputer.com)
Deepfakes
AML/CFT/Sanctions
Insurance
Dark Web
Supply Chain and Third Parties
The Huge 3CX Breach Was Actually 2 Linked Supply Chain Attacks | WIRED
That 3CX supply chain attack keeps getting worse • The Register
NSA sees 'significant' Russian intel gathering on European, US supply chain entities | CyberScoop
North Korean hackers breach software firm in significant cyber attack | CNN Politics
SD Worx hack: Payroll firm for M&S hit by cyber attack (thetimes.co.uk)
A third-party’s perspective on third-party InfoSec risk management - Help Net Security
Software Supply Chain
Cloud/SaaS
Shadow IT, SaaS Pose Security Liability for Enterprises (darkreading.com)
14 Kubernetes and Cloud Security Challenges and How to Solve Them (thehackernews.com)
Ransomware attacks, human error main cause of cloud data breaches: Report (business-standard.com)
GhostToken Flaw Could Let Attackers Hide Malicious Apps in Google Cloud Platform (thehackernews.com)
Saas Security: The Need For Continuous Sustenance (informationsecuritybuzz.com)
How CISOs navigate security and compliance in a multi-cloud world - Help Net Security
Security experts found a major bug in Google Cloud | TechRadar
Most SaaS adopters exposed to browser-borne attacks - Help Net Security
Exposed Artifacts Seen In Misconfigured Cloud Software Registries (informationsecuritybuzz.com)
Google accounts attacked and hijacked by this devious security flaw | TechRadar
Containers
Kubernetes RBAC abused to create persistent cluster backdoors (bleepingcomputer.com)
Experts spotted first-ever crypto mining campaign leveraging Kubernetes RBAC-Security Affairs
Combating Kubernetes — the Newest IAM Challenge (darkreading.com)
Attack Surface Management
Over 70 billion unprotected files available on unsecured web servers - Help Net Security
Study of past cyber attacks can improve organisations' defence strategies - Help Net Security
Shadow IT
Identity and Access Management
Rethinking the effectiveness of current authentication initiatives - Help Net Security
Combating Kubernetes — the Newest IAM Challenge (darkreading.com)
Open Source
The double-edged sword of open-source software - Help Net Security
Linux Shift: Chinese APT Alloy Taurus Is Back With Retooling (darkreading.com)
Chinese hackers launch Linux variant of PingPull malware | CSO Online
Linux version of RTM Locker ransomware targets VMware ESXi servers (bleepingcomputer.com)
Passwords, Credential Stuffing & Brute Force Attacks
Password reset woes could cost FTSE 100 companies $156 million each month - Help Net Security
A '!password20231#' password may not be as complex as you think (bleepingcomputer.com)
Social Media
Malvertising
Google ads push BumbleBee malware used by ransomware gangs (bleepingcomputer.com)
35M Downloads Of Android Minecraft Clones Spreads Adware (informationsecuritybuzz.com)
Training, Education and Awareness
Digital Transformation
Parental Controls and Child Safety
Regulations, Fines and Legislation
Governance, Risk and Compliance
Corporate boards pressure CISOs to step up risk mitigation efforts - Help Net Security
How the Talent Shortage Impacts Cyber security Leadership (securityintelligence.com)
Is your bank account safe? Mass layoffs weaken cyber security across finance sector | Fox Business
The strong link between cyber threat intelligence and digital risk protection | CSO Online
Organisations are stepping up their game against cyber threats - Help Net Security
CISOs: unsupported, unheard, and invisible - Help Net Security
The Relationship Between Security Maturity and Business Enablement | CSO Online
CISOs Rethink Data Security with Info-Centric Framework (darkreading.com)
UK Cyber Pros Burnt Out and Overwhelmed - Infosecurity Magazine (infosecurity-magazine.com)
Good, Better And Best Security (informationsecuritybuzz.com)
SANS Reveals Top 5 Most Dangerous Cyber attacks for 2023 (darkreading.com)
Models, Frameworks and Standards
Careers, Working in Cyber and Information Security
UK Cyber Pros Burnt Out and Overwhelmed - Infosecurity Magazine (infosecurity-magazine.com)
How to Begin a Career in Ethical Hacking in the Year 2023? (analyticsinsight.net)
Law Enforcement Action and Take Downs
To combat cyber crime, US law enforcement increasingly prioritizes disruption | CyberScoop
US to focus on stifling cyber attacks, not convictions • The Register
US deploys more cyber forces abroad to help fight hackers | Reuters
Effects of the Hive Ransomware Group Takedown (darkreading.com)
Privacy, Surveillance and Mass Monitoring
Artificial Intelligence
The Growing Need for Cyber Security in an Age of AI Disruption (analyticsinsight.net)
Cyber security Survival: Hide From Adversarial AI (darkreading.com)
AI Experts: Account for AI/ML Resilience & Risk While There's Still Time (darkreading.com)
NSA Cyber security Director Says ‘Buckle Up’ for Generative AI | WIRED
From ChatGPT to HackGPT: Meeting the Cyber security Threat of Generative AI (mit.edu)
ChatGPT fans need 'defensive mindset' to avoid scammers • The Register
DHS announces AI task force, security sprint on China-related threats | SC Media (scmagazine.com)
The New Frontier in Email Security: Goodbye, Gateways; Hello, Behavioral AI (darkreading.com)
Nvidia releases a toolkit to make text-generating AI ‘safer’ | TechCrunch
Artificial intelligence takes RSA Conference by storm | SC Media (scmagazine.com)
Secureworks CEO weighs in on XDR landscape, AI concerns | TechTarget
Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine
FBI aiding Ukraine in collection of digital and physical war crime evidence | CyberScoop
NSA sees 'significant' Russian intel gathering on European, US supply chain entities | CyberScoop
UK undersea cables worth £7.4 trillion a day under ‘real threat’ from Russia | The Independent
Eurocontrol says website 'under attack' by pro-Russia crew • The Register
Iran cyberespionage group taps SimpleHelp for persistence on victim devices | CSO Online
Russian Hackers Tomiris Targeting Central Asia for Intelligence Gathering (thehackernews.com)
CISA, Cyber Command Collaboration Blocks Attempted Attacks on US Interests - MSSP Alert
Nation State Actors
Chinese Cyber spies Delivered Malware via Legitimate Software Updates - SecurityWeek
North Korean hackers breach software firm in significant cyber attack | CNN Politics
China building cyber weapons to hijack enemy satellites, says US leak | Financial Times (ft.com)
NCSC raises alert on cyber threat to infrastructure | UKAuthority
Iran cyberespionage group taps SimpleHelp for persistence on victim devices | CSO Online
DHS announces AI task force, security sprint on China-related threats | SC Media (scmagazine.com)
North Korea's Kimsuky APT Keeps Growing, Despite Public Outing (darkreading.com)
APT 'Mint Sandstorm' quickly exploits new PoC hacks | SC Media (scmagazine.com)
Russian Hackers Suspected in Ongoing Exploitation of Unpatched PaperCut Servers (thehackernews.com)
Lazarus Subgroup Targeting Apple Devices with New RustBucket macOS Malware (thehackernews.com)
US Cyberwarriors Thwarted 2020 Iran Election Hacking Attempt - SecurityWeek
Evasive Panda APT group delivers malware via updates for popular Chinese software | WeLiveSecurity
Linux Shift: Chinese APT Alloy Taurus Is Back With Retooling (darkreading.com)
Charming Kitten's New BellaCiao Malware Discovered in Multi-Country Attacks (thehackernews.com)
Iranian cyber spies deploy new malware implant on Microsoft Exchange Servers | CSO Online
Ukrainian arrested for selling data of 300M people to Russians (bleepingcomputer.com)
FIN7 Hackers Caught Exploiting Recent Veeam Vulnerability - SecurityWeek
Chinese hackers launch Linux variant of PingPull malware | CSO Online
CISA, Cyber Command Collaboration Blocks Attempted Attacks on US Interests - MSSP Alert
Lazarus, Scarcruft North Korean APTs Shift Tactics, Thrive (darkreading.com)
Vulnerabilities
New Google Chrome Zero-Day Bug Actively Exploited in Wide (gbhackers.com)
Flaw in Microsoft Process Explorer under active attack • The Register
APC warns of critical unauthenticated RCE flaws in UPS software (bleepingcomputer.com)
Double zero-day in Chrome and Edge – check your versions now! – Naked Security (sophos.com)
Security experts found a major bug in Google Cloud | TechRadar
TP-Link Archer WiFi router flaw exploited by Mirai malware (bleepingcomputer.com)
SolarWinds Platform Update Patches High-Severity Vulnerabilities - SecurityWeek
VMware Releases Critical Patches for Workstation and Fusion Software (thehackernews.com)
Cisco discloses XSS zero-day flaw in server management tool (bleepingcomputer.com)
Microsoft removes LSA Protection from Windows settings to fix bug (bleepingcomputer.com)
PaperCut says hackers are exploiting ‘critical’ security flaws in unpatched servers | TechCrunch
FIN7 Hackers Caught Exploiting Recent Veeam Vulnerability - SecurityWeek
Tools and Controls
Corporate boards pressure CISOs to step up risk mitigation efforts - Help Net Security
14 Kubernetes and Cloud Security Challenges and How to Solve Them (thehackernews.com)
Six Key Considerations When Choosing a Web Application Firewall - Security Boulevard
The Complexities of Cyber Insurance | Cyber Risk Management (telos.com)
Unified Endpoint Management: A Powerful Tool for Your Cyber security Arsenal | CSO Online
GitLab’s new security feature uses AI to explain vulnerabilities to developers | TechCrunch
Google Authenticator finally, mercifully adds account syncing for two-factor codes - The Verge
The Needs of a Modernized SOC for Hybrid Cloud (securityintelligence.com)
Rethinking the effectiveness of current authentication initiatives - Help Net Security
Google will add End-to-End encryption to Google Authenticator (bleepingcomputer.com)
Google 2FA Syncing Feature Could Put Your Privacy at Risk (darkreading.com)
CISOs struggle to manage risk due to DevSecOps inefficiencies - Help Net Security
Generative AI and security: Balancing performance and risk - Help Net Security
CISA aims to reduce email threats with serial CDR prototype | TechTarget
Threat Actor Names Proliferate, Adding Confusion (darkreading.com)
Reports Published in the Last Week
Other News
The threat from commercial cyber proliferation - NCSC.GOV.UK
Hackers could learn how to send fake terror threats on YouTube, warn experts (telegraph.co.uk)
Government launches new cyber security measures to tackle ever growing threats - GOV.UK (www.gov.uk)
Attackers are logging in instead of breaking in - Help Net Security
38 Countries Take Part in NATO's 2023 Locked Shields Cyber Exercise - SecurityWeek
The White House National Cyber security Strategy Has a Fatal Flaw (darkreading.com)
Threat Actor Names Proliferate, Adding Confusion (darkreading.com)
Sector Specific
Industry specific threat intelligence reports are available.
Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.
· Automotive
· Construction
· Critical National Infrastructure (CNI)
· Defence & Space
· Education & Academia
· Energy & Utilities
· Estate Agencies
· Financial Services
· FinTech
· Food & Agriculture
· Gaming & Gambling
· Government & Public Sector (including Law Enforcement)
· Health/Medical/Pharma
· Hotels & Hospitality
· Insurance
· Legal
· Manufacturing
· Maritime
· Oil, Gas & Mining
· OT, ICS, IIoT, SCADA & Cyber-Physical Systems
· Retail & eCommerce
· Small and Medium Sized Businesses (SMBs)
· Startups
· Telecoms
· Third Sector & Charities
· Transport & Aviation
· Web3
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Alert 25 April 2023 - ACTION REQUIRED: APC Warns of Critical Flaws in UPS Monitoring Software
Black Arrow Cyber Alert 25 April 2023 - ACTION REQUIRED: APC Warns of Critical Flaws in UPS Monitoring Software
Executive summary
Several critical vulnerabilities in APC’s Easy UPS (Uninterruptible Power Supply) Online Monitoring Software allow an unauthenticated attacker to execute remote code and change administrator credentials. A UPS is an electrical apparatus that provides power when the input power source or mains power fails; they are used to improve redundancy. Earlier this month, Schneider Electric, who own APC, released a security notification which has recently been updated again.
Technical Summary
The vulnerabilities are:
CVE-2023-29411 - A critical vulnerability, which if exploited, allows an attacker to change administrator credentials.
CVE-2023-29412 - A critical vulnerability, which if exploited, could allow remote code execution.
CVE-2023-29413 - A vulnerability which could cause a Denial-of-Service on the Schneider UPS Monitor Service.
What’s the risk to me or my business?
The vulnerabilities, if exploited, allow an attacker to change administrator credentials, execute remote code and cause a denial of service – all of which impact the confidentiality, integrity and availability of data, and could compromise the ability for the devices to provide redundant power, or allow the attacker to switch off the device entirely.
The affected products and versions are:
APC Easy UPS Online Monitoring Software, versions: V2.5-GA-01-22320 and earlier (Windows 10, 11 Windows Server 2016, 2019, 2022).
Schneider Electric Easy UPS Online Monitoring Software: V2.5-GS-01-22320 and earlier (Windows 10, 11 Windows Server 2016, 2019, 2022).
What can I do?
It is recommended that patches are applied immediately for the impacted products. Patches are available in version V2.5-GA-01-23036 for APC Easy UPS Online Monitoring Software and n V2.5-GS-01-23036 for Schneider Electric Easy UPS Online Monitoring Software where the products are running on Windows 10. It is also recommended by the vendor that users to transition to PowerChute Serial Shutdown (PCSS) for the purposes of serial shutdown and monitoring.
Users of APC Easy UPS Online Monitoring Software using Windows version 11 and Windows server 2016, 2019 or 2022 have been given the following mitigation as a remediating patch is not currently available and is being worked on: “Customers with direct access to their Easy UPS units should upgrade to PowerChute Serial Shutdown (PCSS) software on all servers protected by your Easy UPS On-Line (SRV, SRVL models). PCSS provides serial shutdown and monitoring”. Please note, mitigations are not a long-term fixes, patches should be applied as soon as they become available. This advisory will be updated when Schneider Electric has released a patch for the remaining affected operating systems.
Further information on the vulnerabilities, patches and affected software versions can be found here: https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2023-101-04&p_enDocType=Security%20and%20Safety%20Notice&p_File_Name=SEVD-2023-101-04.pdf
Need help understanding your gaps, or just want some advice? Get in touch with us.
#threatadvisory #threatintelligence #cybersecurity
Black Arrow Cyber Threat Briefing 11 March 2022
Black Arrow Cyber Threat Briefing 11 March 2022
-Sharp Rise in SMB Cyberattacks By Russia And China
-We're Seeing An 800% Increase in Cyber Attacks, Says One MSP
-Internet Warfare: How The Russians Could Paralyse Britain
-Just 3% Of Employees Cause 92% Of Malware Events
-70% Of Breached Passwords Are Still in Use
-Organisations Taking Nearly Two Months To Remediate Critical Risk Vulnerabilities
-Android Malware Escobar Steals Your Google Authenticator MFA Codes
-Smartphone Malware Is On The Rise - Here's How To Stay Safe
-Russia May Use Ransomware Payouts to Avoid Sanctions’ Financial Harm
-How An 8-Character Password Could Be Cracked in Less Than An Hour
-Cyber Insurance and Business Risk: How the Relationship Is Changing Reinsurance & Policy Guidance
-Security Teams Prep Too Slowly for Cyber Attacks
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
Sharp Rise in SMB Cyber Attacks by Russia and China
SaaS Alerts, a cloud security company, unveiled the findings of its latest report which analysed approximately 136 million security events across 2,100 small and medium businesses (SMBs) globally and identified cyber trends negatively impacting businesses.
The findings of the report take into account security events occurring across more than 120,000 user accounts during the period of January 1st to December 31st, 2021 and shows that the vast majority of attacks on top SaaS platforms such as Microsoft 365, Google Workspace, Slack and Dropbox are originating from Russia and China. The data set is statistically significant and enables solution providers managing a portfolio of SaaS applications with pertinent data and trends to support defensive IT security re-alignments as required.
https://www.helpnetsecurity.com/2022/03/09/saas-security-events-smbs/
We're Seeing An 800% Increase in Cyber Attacks, Says One Managed Service Provider
Revenge and inflation are believed to be key drivers behind an 800 percent increase in cyber attacks seen by a single managed services provider since the days before the onset of Russia's invasion of Ukraine last month.
The attacks are coming not only from groups inside of Russia but also from elsewhere within the region as well from Russia allies like North Korea and Iran, historically sources of global cyber-threats.
The MSP serves about 2,400 companies around the world, most of them small businesses and midsize enterprises and most in North America. The MSP said it has seen the spike in cyber attacks throughout its customer base.
The sharp rise has been attributed to pro-Russian cyber criminal groups linked to nation states lashing out at countries – first Ukraine and then Western countries – angry at the sanctions being levelled against Russia. At the same time, the sharp inflation that is spreading around the world is also hitting hackers, who need to make money to keep up with rising costs.
https://www.theregister.com/2022/03/11/russia-invasion-cyber-war-rages/
Internet Warfare: How the Russians Could Paralyse Britain
The collapse of critical national infrastructure is a science fiction staple. Fifty years ago, actively switching off a country’s water and power networks would have required huge physical damage to power stations and the sources of those services. Today, however, many of the tools we use every day are connected to the internet.
All of those things now have remote access — and therefore, all of them could be vulnerable.
Ukraine has been blitzed by cyber attacks since the annexation of Crimea in 2014 and they have increased in the lead-up to the invasion. As Russia marched into Ukraine, British officials were concerned about “spillover” from any cyber offensives targeted thousands of miles away.
In today’s interconnected digital world, the reality is that distance from the conflict zone makes no difference.
As the West fears a cyber-reprisal, what would a successful attack look like in Britain — and how likely is a complete “network failure”?
https://www.thetimes.co.uk/article/russia-cyberattack-uk-what-would-happen-l3dt98dmb
Just 3% Of Employees Cause 92% Of Malware Events
A small group of employees is typically responsible for most of the digital risk in an organisation, according to new research.
The report, from cybersecurity company Elevate Security and cyber security research organisation Cyentia, also found that those putting their companies at risk from phishing, malware, and insecure browsing are often repeat offenders.
The research found that 4% of employees clicked 80% of phishing links, and 3% were responsible for 92% of malware events.
Four in five employees have never clicked on a phishing email, according to the research. In fact, it asserts that half of them never see one, highlighting the need to focus anti-phishing efforts on at-risk workers.
The malware that phishing and other attack vectors deliver also affects a small group of employees. The research found that 96% of users have never suffered from a malware event. Most malware events revolve around the 3% of users who suffered from two malware events or more, reinforcing the notion that security awareness messages just aren't getting through to some.
https://www.itpro.co.uk/security/malware/366011/just-3-of-employees-cause-92-of-malware-events
70% Of Breached Passwords Are Still in Use
A new report examines trends related to exposed data. Researchers identified 1.7 billion exposed credentials, a 15% increase from 2020, and 13.8 billion recaptured Personally Identifiable Information (PII) records obtained from breaches in 2021.
Through its analysis of this data, it was found that despite increasingly sophisticated and targeted cyber attacks, consumers continue to engage in poor cyber practices regarding passwords, including the use of similar passwords for multiple accounts, weak or common passwords and passwords containing easy-to-guess words or phrases connected to pop culture.
https://www.helpnetsecurity.com/2022/03/08/exposed-data-trends/
Organisations Taking Nearly Two Months to Remediate Critical Risk Vulnerabilities
Edgescan announces the findings of a report which offers a comprehensive view of the state of vulnerability management globally. This year’s report takes a more granular look at the trends by industry, and provides details on which of the known, patchable vulnerabilities are currently being exploited by threat actors.
The report reveals that organisations are still taking nearly two months to remediate critical risk vulnerabilities, with the average mean time to remediate (MTTR) across the full stack set at 60 days.
High rates of “known” (i.e. patchable) vulnerabilities which have working exploits in the wild, used by known nation state and cybercriminal groups are not uncommon.
Crucially, 57% of all observed vulnerabilities are more than two years old, with as many as 17% being more than five years old. These are all vulnerabilities that have working exploits in the wild, used by known nation state and cybercriminal groups. Edgescan also observed a concerning 1.5% of known, unpatched vulnerabilities that are over 20 years old, dating back to 1999.
https://www.helpnetsecurity.com/2022/03/10/state-of-vulnerability-management/
Android Malware Escobar Steals Your Google Authenticator MFA Codes
The Aberebot Android banking trojan has returned under the name 'Escobar' with new features, including stealing Google Authenticator multi-factor authentication codes.
The new features in the latest Aberebot version also include taking control of the infected Android devices using VNC, recording audio, and taking photos, while also expanding the set of targeted apps for credential theft.
The main goal of the trojan is to steal enough information to allow the threat actors to take over victims' bank accounts, siphon available balances, and perform unauthorised transactions.
Like most banking trojans, Escobar displays overlay login forms to hijack user interactions with e-banking apps and websites and steal credentials from victims.
The malware also packs several other features that make it potent against any Android version, even if the overlay injections are blocked in some manner.
The authors have expanded the set of targeted banks and financial institutions to a whopping 190 entities from 18 countries in the latest version.
Smartphone Malware Is on The Rise - Here's How to Stay Safe
The volume of malware attacks targeting mobile devices has skyrocketed so far this year, cyber security researchers are saying.
A new report from security company Proofpoint claims that the number of detected mobile malware attacks has spiked 500% in the first few months of 2022, with peaks at the beginning and end of February.
Much of this malware aims to steal usernames and passwords from mobile banking applications, Proofpoint says. But some strains are even more sinister, recording audio and video from infected devices, tracking the victim's location, or exfiltrating and deleting data.
https://www.techradar.com/nz/news/smartphone-malware-is-coming-for-more-and-more-of-us
Russia May Use Ransomware Payouts to Avoid Sanctions’ Financial Harm
FinCEN warns financial institutions to be wary of unusual cryptocurrency payments or illegal transactions Russia may use to ease financial hurt from Ukraine-linked sanctions.
Russia may ramp up ransomware attacks against the United States as a way to ease the financial hurt it’s under due to sanctions, U.S. federal authorities are warning. Those sanctions have been levied against the nation and Vladimir Putin’s government due to its invasion of Ukraine.
The Financial Crimes Enforcement Network (FinCEN) issued a FinCEN Alert (PDF) on Wednesday advising all financial institutions to remain vigilant against potential efforts to evade the expansive sanctions and other U.S.-imposed restrictions related to the current conflict. One way this may be done is to move cryptocurrency funds through ransomware payments collected after Russian state-sponsored actors carry out cyberattacks.
“In the face of mounting economic pressure on Russia, it is vitally important for financial institutions to be vigilant about potential Russian sanctions evasion, including by both state actors and oligarchs,” said FinCEN Acting Director Him Das in a press statement.
https://threatpost.com/russia-ransomware-payouts-avoid-sanctions/178854/
How An 8-Character Password Could Be Cracked in Less Than an Hour
Security experts keep advising us to create strong and complex passwords to protect our online accounts and data from savvy cybercriminals. And “complex” typically means using lowercase and uppercase characters, numbers and even special symbols. But complexity by itself can still open your password to cracking if it doesn’t contain enough characters, according to research by security firm Hive Systems.
As described in a recent report, Hive found that an 8-character complex password could be cracked in just 39 minutes if the attacker were to take advantage of the latest graphics processing technology. A seven-character complex password could be cracked in 31 seconds, while one with six or fewer characters could be cracked instantly. Shorter passwords with only one or two character types, such as only numbers or lowercase letters, or only numbers and letters, would take just minutes to crack.
Cyber Insurance and Business Risk: How the Relationship Is Changing Reinsurance & Policy Guidance
Cyber insurance is a significant industry and growing fast — according to GlobalData, it was worth $7 billion in gross written premiums in 2020. The cyber-insurance market is expected to reach $20.6 billion by 2025. Over the past few years, the cyber-insurance market was competitive, so premiums were low and policies were comprehensive. Over the past year, that has changed — the volume of claims has gone up and led to more payouts, which affected the insurance companies' profitability.
The recent Log4j issue will affect how insurance and reinsurance companies write their policies in future. Already, we're seeing discussions about Log4j-related issues being excluded from reinsurance policies in 2022, as many policies came up for renewal on Dec. 31, 2021. This will affect the policies that insurance companies can offer to their customers.
What does this mean for IT security teams? For practitioners, it will make their work more important than before, as preventing possible issues would be more valuable to the business. Carrying out standard security practices like asset inventory and vulnerability management will be needed, while examining software bills of materials for those same issues will help on the software supply chain security side. These practices will also need to be highly automated, as business must be able to gain accurate insights within hours, not months, to deal with future threats while reducing the cost impact.
For those responsible for wider business risk, these developments around cyber insurance will present a more significant problem. Cyber-insurance policies will still be available — and necessary where needed — but the policies themselves will cover less ground. While the past few years had pretty wide-ranging policies that would pay out on a range of issues, future policies will deliver less coverage.
Security Teams Prep Too Slowly for Cyber Attacks
Attackers typically take days or weeks to exploit new vulnerabilities, but defenders are slow to learn about critical issues and take action, requiring 96 days on average to learn to identify and block current cyber threats, according to a new report analysing training and crisis scenarios.
The report, Cyber Workforce Benchmark 2022, found that cybersecurity professionals are much more likely to focus on vulnerabilities that have garnered media attention, such as Log4j, than more understated issues, and that different industries develop their security capabilities at widely different rates. Security professionals in some of the most crucial industries, such as transport and critical infrastructure, are twice as slow to learn skills compare to their colleagues in the leisure, entertainment, and retail sectors.
The amount of time it takes for security professionals to get up to speed on new threats matters. CISA says that patches should be applied within 15 days, sooner than that if the vulnerability is being exploited, says Kevin Breen, director of cyber threat research at Immersive Labs.
https://www.darkreading.com/risk/security-teams-prep-too-slowly-for-cyberattacks
Threats
Ransomware
Inside Conti leaks: The Panama Papers of Ransomware - The Record by Recorded Future
CISA Added 98 Domains To The Joint Alert Related To Conti Ransomware Gang - Security Affairs
Ragnar Locker Ransomware - What You Need To Know (tripwire.com)
Conti Ransomware Group Spent Millions In 2021 - IT Security Guru
Ragnar Locker Ransomware Hits Critical Infrastructure • The Register
Ukrainian Man Arrested for Alleged Role in Ransomware Attack on Kaseya, Others (darkreading.com)
FBI: Ransomware Gang Breached 52 US Critical Infrastructure Orgs (bleepingcomputer.com)
Alleged REvil Ransomware Hacker Extradited And Arraigned In Texas | CSO Online
Bridgestone Americas Confirms Ransomware Attack, LockBit Leaks Data (bleepingcomputer.com)
Phishing & Email
Watch Out For This Phishing Attack That Hijacks Your Email Chats To Spread Malware | ZDNet
The Most Impersonated Brands In Phishing Attacks - Help Net Security
Malware
Nvidia's Stolen Data Is Being Used To Disguise Malware As GPU Drivers | PC Gamer
Qakbot Botnet Sprouts Fangs, Injects Malware into Email Threads | Threatpost
Emotet Botnet Is Rapidly Growing, +130K Bots Spread Across 179 Countries - Security Affairs
All About the Bots: What Botnet Trends Portend for Security Pros | SecurityWeek.Com
Mobile
Smartphone malware is on the rise, here's what to watch out for | ZDNet
Samsung Confirms Hackers Stole Galaxy Devices Source Code (bleepingcomputer.com)
Organised Crime & Criminal Actors
Cryptocurrency/Cryptomining/Cryptojacking
Fraud, Scams & Financial Crime
Consumers Worried About Digital Banking Security - Infosecurity Magazine (infosecurity-magazine.com)
Shipping Fraud Quickly Emerging As One Of The Top Fraud Types - Help Net Security
Insurance
Supply Chain
DoS/DDoS
Mitel VoIP Systems Used In Staggering DDoS Attacks • The Register
In-The-Wild DDoS Attack Can Be Launched From A Single Packet To Create Terabytes Of Traffic | ZDNet
Malware Posing as Russia DDoS Tool Bites Pro-Ukraine Hackers | Threatpost
The Fight Against the Hydra: New DDoS Report from Link11 (darkreading.com)
Imperva Thwarts 2.5 Million RPS Ransom DDoS Extortion Attacks (thehackernews.com)
Parental Controls and Child Safety
Spyware, Espionage & Cyber Warfare
Nation State Actors
Nation State Actors - Russia
Jump In Cyber Attacks Since Start Of Ukraine Invasion (rte.ie)
Will Russian Oil Ban Spur Increased Cyber-Attacks (trendmicro.com)
Russia to Create Its Own Security Certificate Authority, Alarming Experts - CyberScoop
Russia Mulls Legalizing Software Piracy As It’s Cut Off From Western Tech | Ars Technica
Google: Russian Hackers Target Ukrainians, European Allies via Phishing Attacks (thehackernews.com)
French Bank Denies Access to Russian Workforce - Infosecurity Magazine (infosecurity-magazine.com)
Anonymous & its Affiliates Hacked 90% of Russian Misconfigured Databases (hackread.com)
Nation State Actors - China
Chinese Phishing Actors Consistently Targeting EU Diplomats (bleepingcomputer.com)
Chinese APT41 Hackers Broke into at Least 6 U.S. State Governments: Mandiant (thehackernews.com)
Nation State Actors – North Korea
Nation State Actors - Iran
Vulnerabilities
Linux Has Been Bitten By Its Most High-Severity Vulnerability In Years | Ars Technica
Microsoft Addresses 3 Zero-Days & 3 Critical Bugs for March Patch Tuesday | Threatpost
New Exploit Bypasses Existing Spectre-V2 Mitigations in Intel, AMD, Arm CPUs (thehackernews.com)
Google Attempts to Explain Surge in Chrome Zero-Day Exploitation | SecurityWeek.Com
“Dirty Pipe” Linux Kernel Bug Lets Anyone Write To Any File – Naked Security (sophos.com)
Microsoft Azure Flaw Allowed Unauthorized Account Access • The Register
Intel, AMD, Arm Warn Of New Speculative Execution CPU Bugs (bleepingcomputer.com)
Adobe Patches 'Critical' Security Flaws in Illustrator, After Effects | SecurityWeek.Com
Up to 30% of WordPress Plugin Bugs Don't Get Patched - IT Security Guru
Within Hours of the Log4j Flaw Being Revealed, These Hackers Were Using It | ZDNet
Critical Firefox Zero-Day Bugs Allow RCE, Sandbox Escape | Threatpost
Microsoft Warns of Spoofing Vulnerability in Defender for Endpoint | SecurityWeek.Com
Microsoft Fixes Critical Azure Bug That Exposed Customer Data (bleepingcomputer.com)
Researchers Disclose New Spectre V2 Vulnerabilities (techtarget.com)
Critical Bugs Could Let Attackers Remotely Hack, Damage APC Smart-UPS Devices (thehackernews.com)
Over 40% of Log4j Downloads Are Vulnerable Versions of the Software (darkreading.com)
HP Patches 16 UEFI Firmware Bugs Allowing Stealthy Malware Infections (bleepingcomputer.com)
Critical RCE Bugs Found in Pascom Cloud Phone System Used by Businesses (thehackernews.com)
Sector Specific
Health/Medical/Pharma Sector
Medical and IoT Devices From More Than 100 Vendors Vulnerable to Attack (darkreading.com)
Oklahoma Hospital Data Breach Impacts 92,000 People - Infosecurity Magazine
Transport and Aviation
Automotive
CNI, OT, ICS, IIoT and SCADA
Reports Published in the Last Week
Other News
Why You Should Be Using CISA's Catalog of Exploited Vulns (darkreading.com)
How to Combat the No. 1 Cause of Security Breaches: Complexity (darkreading.com)
Every Business Is A Cyber Security Business - Help Net Security
Operationalising a “Think Like The Enemy” Strategy | CSO Online
SpaceX Shifts Resources To Cyber Security To Address Starlink Jamming - SpaceNews
Report: Cyber Security Teams Need Nearly 100 Days To Develop Threat Defenses | VentureBeat
6 Potential Enterprise Security Risks With NFC Technology (techtarget.com)
BBC Targeted With 383,278 Spam, Phishing And Malware Attacks Every Day - Help Net Security
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.