Threat Intelligence Blog
Contact us to discuss any insights from our Blog, and how we can support you in a tailored threat intelligence report.
Black Arrow Cyber Advisory 18 August 2023 – Critical Citrix ADC Backdoor Campaign
Black Arrow Cyber Advisory 18 August 2023 – Critical Citrix ADC Backdoor Campaign
This is an update following the 19 July Critical Citrix ADC and Gateway flaw actively exploited advisory by Black Arrow.
This is an update following the 19 July Critical Citrix ADC and Gateway flaw actively exploited advisory by Black Arrow.
Executive Summary
Following the previous advisory on the Citrix Netscaler ADC vulnerability (CVE-2023-3519), the NCC Group has identified that as of 14 August, 1828 Citrix NetScaler servers remain compromised or ‘backdoored’ by attackers. Approximately 69% of the servers that contain a backdoor have been updated to remediate the vulnerability and are no longer vulnerable to CVE-2023-3519. This means that the affected systems were compromised by a malicious actor prior to the updates being applied, allowing the malicious actor to establish persistent access to the systems even after the vulnerability has been remediated.
What’s the risk to me or my business?
Successful exploitation of the vulnerability prior to updating would allow an attacker to perform arbitrary code execution with administrator privileges. The main attack campaign is believed to have taken place between late 20 July to early 21 July. If updates were not applied to affected and vulnerable systems prior to this date, exploitation may have already taken place.
Further information on the vulnerability can be found on our previous advisory linked below.
What can I do?
If you have not already updated to a Citrix version that resolves this vulnerability, Black Arrow recommends applying these updates urgently. All affected systems, updated and vulnerable, should be scanned for indicators of compromise (IoC), Mandiant have released a tool that can help organisations to scan their Citrix devices for evidence of post-exploitation indicators. If IoC’s are identified, then forensic data should be secured by taking a copy of both the disk and the memory of the appliance before any remediation or investigative actions are completed. If evidence of persistence such as a webshell is found, then this should be investigated through threat hunting techniques to establish the extent of the incident whilst conducting containment and remediation activities.
More information on the NetScaler vulnerability:
Information on the Mandiant Tool:
https://github.com/mandiant/citrix-ioc-scanner-cve-2023-3519
Further information on the study of the exploited devices:
Previous Advisory: https://www.blackarrowcyber.com/blog/advisory-19-july-2023-citrix-vulns-exploited
Black Arrow Cyber Threat Briefing 12 November 2021
Black Arrow Cyber Threat Briefing 12 November 2021:
-Covid Impact Heightens Risk Of Cyber Security Breaches
-81% of Organisations Experienced Increased Cyber-Threats During COVID-19
-Phishing Attacks Grow 31.5% Over 2020, Social Media Attacks Continue To Climb
-Threat from Organised Cybercrime Syndicates Is Rising
-Ransomware Gangs Are Using These 'Ruthless' Tactics As They Aim For Bigger Payouts
-Firms Will Struggle to Secure Extended Attack Surface in 2022
-Millions Of Home Wi-Fi Routers Threatened By Malware — What To Do
-Vulnerabilities Associated With Ransomware Increased 4.5% In Q3 2021
-80% Of Organisations Experienced Employees Misusing And Abusing Access To Business Apps
-Gen Z Is Behaving Recklessly Online - And Will Live To Regret It
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
Covid Impact Heightens Risk Of Cyber Security Breaches
CYBER SECURITY breaches are the biggest staff-related risk as Covid-19 and recruitment difficulties continue to impact workplaces, according to a survey of Channel Island employers.
Seven out of ten senior HR professionals and business leaders saw a cyber security breach as the greatest staff-related risk for a regulated financial services business – way ahead of employees leaving (16%) and employees working from home (10%). Some 57% of employers said Covid-19 had changed their policies, procedures and systems ‘moderately’, with 29.5% reporting ‘significant’ changes, according to the research undertaken at a virtual employment conference organised by Walkers last month.
https://guernseypress.com/news/2021/11/12/covid-impact-heightens-risk-of-cyber-security-breaches/
81% of Organisations Experienced Increased Cyber Threats During COVID-19
More than four in five (81%) organisations experienced increased cyber-threats during the COVD-19 pandemic, according to a new study by McAfee and FireEye.
The global survey of 1451 IT and line of business decision-makers found that close to half (43%) have suffered from downtime due to a cyber concern. This resulted in costs of $100,000 for some organisations.
Despite the increased threat landscape and the fact that over half (57%) of organisations saw a rise in online/web activity, 24% of respondents revealed they have had their technology and security budgets reduced over this period.
https://www.infosecurity-magazine.com/news/81-orgs-cyber-threats-covid19/
Phishing Attacks Grow 31.5% Over 2020, Social Media Attacks Continue To Climb
Phishing remains the dominant attack vector for bad actors, growing 31.5 percent over 2020, according to a PhishLabs report. Notably, attacks in September 2021 were more than twice as high as the previous year.
https://www.helpnetsecurity.com/2021/11/11/phishing-attacks-grow-2020/
Threat from Organised Cyber Crime Syndicates Is Rising
Europol reports that criminal groups are undermining the EU’s economy and its society, offering everything from murder-for-hire to kidnapping, torture and mutilation.
From encrypting communications to fencing ill-gotten gains on underground sites, organised crime is cashing in on the digital revolution.
The latest organised crime threat assessment from Europol issues a dire warning about the corrosive effect the rising influence of criminal syndicates is having on both the economy and society of the European Union. And it’s all happening online.
https://threatpost.com/organised-cybercrime-syndicates-europol/176326/
Ransomware Gangs Are Using These 'Ruthless' Tactics As They Aim For Bigger Payouts
More sophisticated ransomware attacks are on the way as cyber criminals tailor campaigns to raise the chances of a ransom payment.
Ransomware attacks are becoming more sophisticated as cyber criminals continue to develop new techniques to make campaigns more effective and increase their chances of successfully demanding a ransom payment.
According to the European law enforcement agency Europol there was a 300% increase in the number of ransom payments between 2019 and 2020 alone – and that doesn't account for 2021 being another bumper year for cyber criminals launching ransomware attacks, as they've taken advantage of security vulnerabilities presented by the rise in remote working.
Europol's Internet Organised Crime Threat Assessment (IOCT) shows that while cybercrime, including malware and DDoS attacks, continues to evolve, it's ransomware attacks that have been a significant amount of disruption over the course of the past year.
Firms Will Struggle to Secure Extended Attack Surface in 2022
Companies are relying more heavily on third parties, remote employees, and partners, expanding their attack surface area beyond traditional boundaries.
In 2022, much of cybersecurity will boil down to managing the security of relationships, as companies adapt to the post-pandemic remote workforce and the increased use of third-party providers, a panel of analysts stated at the Forrester Research Security & Risk 2021 Conference.
Among five predictions for the coming year, the analysts argued that companies' attempts to manage remote employees would stray into intrusive territory, causing workers to push back and hampering security-focused monitoring, such as that for insider threats. Other predictions maintain that 60% of security incidents in the next year will come from issues with third parties, while the cybersecurity workforce will suffer from burnout and join what's been called the "Great Resignation," the recent trend of workers leaving the workforce.
https://www.darkreading.com/risk/firms-will-struggle-to-secure-extended-attack-surface-in-2022
Millions Of Home Wi-Fi Routers Threatened By Malware — What To Do
Netgear, Linksys, D-Link routers among those targeted
There's a nasty new piece of malware out there targeting Wi-Fi routers, and you'll want to make sure yours is fully updated so it doesn't get infected.
The AT&T researchers who discovered the malware are calling it BotenaGo, and it's apparently different from the Mirai botnet malware that's been attacking routers since 2016. BotenaGo packs in exploits for 33 different known vulnerabilities in 12 different router brands, including D-Link, Linksys, Netgear, Tenda, Totolink, Zyxel and ZTE. A full list is on the AT&T Cybersecurity blog post.
To avoid infection, ensure you update your router with the latest firmware.
https://www.tomsguide.com/uk/news/botenago-router-malware
Vulnerabilities Associated With Ransomware Increased 4.5% In Q3 2021
Ransomware groups are continuing to grow in sophistication, boldness, and volume, with numbers up across the board since Q2 2021, a report by Ivanti, Cyber Security Works and Cyware reveals.
This last quarter saw a 4.5% increase in CVEs associated with ransomware, a 4.5% increase in actively exploited and trending vulnerabilities, a 3.4% increase in ransomware families, and a 1.2% increase in older vulnerabilities tied to ransomware compared to Q2 2021.
https://www.helpnetsecurity.com/2021/11/10/vulnerabilities-associated-with-ransomware/
80% Of Organisations Experienced Employees Misusing And Abusing Access To Business Apps
Organisations continue to operate with limited visibility into user activity and sessions associated with web applications, despite the ever-present risk of insider threats and credential theft, a CyberArk research reveals.
While the adoption of web applications has brought flexibility and increased productivity, organisations often lag in implementing the security controls necessary to mitigate risk of human error or malicious intent.
https://www.helpnetsecurity.com/2021/11/08/user-activity-visibility/
Gen Z Is Behaving Recklessly Online - And Will Live To Regret It
Handing out personal information could be a slippery slope
Members of Generation Z, the cohort of people born in the first decade of the 21st century, care about digital privacy, but their desire for online fame and popularity is greater, a new study from ExpressVPN suggests.
The VPN provider surveyed 1,500 young adults from the US to evaluate their online habits and attitudes towards social media, and identified a troubling pattern that could have dire consequences.
The survey found that Generation Z isn’t trusting of the social media platforms they frequent, expressing concern that platforms may be using their images for facial recognition (67%) and wariness about oversharing personal information (66%).
https://www.techradar.com/news/gen-z-is-behaving-recklessly-online-and-will-live-to-regret-it
Threats
Ransomware
Average Ransomware Payment For US Victims More Than $6 Million, Survey Says | ZDNet
Ransomware Disrupted Store Operations In The Netherlands And Germany - Security Affairs
Toronto’s Transit Agency Cyber Attack Exposes 25,000 Employees’ Data | Techcrunch
Comic Book Distributor Struggling With Shipments After Ransomware Attack | ZDNet
Ransomware Attack Hits UK Fertility Clinic - Infosecurity Magazine (infosecurity-magazine.com)
Spanish Brewery “Paralyzed” by Cyber-Attack - Infosecurity Magazine (infosecurity-magazine.com)
TrickBot Teams Up With Shatak Phishers For Conti Ransomware Attacks (Bleepingcomputer.Com)
BEC
Interpol Closes in on Global BEC Gang - Infosecurity Magazine (infosecurity-magazine.com)
Tiny Font Size Fools Email Filters in BEC Phishing | Threatpost
Phishing
How Cyber Criminals Use Bait Attacks To Gather Info About Their Intended Victims - TechRepublic
Microsoft Warns Of Surge In HTML Smuggling Phishing Attacks (Bleepingcomputer.Com)
Shadow IT Makes People More Vulnerable to Phishing (sans.edu)
Gmail Accounts Are Used In 91% Of All Baiting Email Attacks (Bleepingcomputer.Com)
Other Social Engineering
Malware
QAKBOT Loader Returns With New Techniques and Tools (trendmicro.com)
Abcbot — A New Evolving Wormable Botnet Malware Targeting Linux (thehackernews.com)
GravityRAT Returns Disguised As An End-To-End Encrypted Chat App - Security Affairs
Report: 57% Of All Ecommerce Cyber Attacks Are Bot-Driven | Venturebeat
New BazarBackdoor Attack Discovered - Infosecurity Magazine (infosecurity-magazine.com)
Mobile
IOT
BotenaGo Botnet Targets Millions Of IoT Devices With 33 Exploits (Bleepingcomputer.Com)
Why the NSA Wants To Protect You From Your Toothbrush (msnbc.com)
Vulnerabilities
Intel And AMD Address High Severity Vulnerabilities In Products And Drivers - Security Affairs
Samba Update Patches Plaintext Passwork Plundering Problem – Naked Security (Sophos.Com)
Palo Alto Networks Patches Zero-Day Affecting Firewalls Using GlobalProtect Portal VPN | ZDNet
Researchers Wait 12 Months To Report Vulnerability With 9.8 Out Of 10 Severity Rating | Ars Technica
Google Warns Hackers Used MacOS Zero-Day Flaw, Could Capture Keystrokes, Screengrabs | ZDNet
Data Breaches/Leaks
Robinhood Discloses Data Breach Impacting 7 Million Customers (Bleepingcomputer.Com)
This Top VPN Provider May Have Leaked Millions Of User Details | Techradar
Organised Crime & Criminal Actors
UK Recorded 1.8m Computer Misuse Crimes During 2019 • The Register
These Are The Top-Level Domains Threat Actors Like The Most (Bleepingcomputer.Com)
Aleksandr Zhukov, Self-Described 'King Of Fraud,' Is Sentenced To 10 Years - Cyberscoop
Cyber-Mercenary Group Void Balaur Attacks High-Profile Targets for Cash | Threatpost
Humanizing Hackers: Entering The Minds Of Those Behind The Attacks - Help Net Security
Cryptocurrency/Cryptojacking
Insider Threats
DoS/DDoS
OT, ICS, IIoT and SCADA
Nation State Actors
State Hackers Breach Defence, Energy, Healthcare Orgs Worldwide (Bleepingcomputer.Com)
China’s next generation of hackers won’t be criminals. That’s a problem. | TechCrunch
Russian Cyber Crime Group Exploits SolarWinds Serv-U Vulnerability | SecurityWeek.Com
North Korean Hackers Target The South's Think Tanks Through Blog Posts | ZDNet
Iranian Threat Actors Attempt To Buy Stolen Data Of US Orgs, FBI Warns - Security Affairs
'Lyceum' Threat Group Broadens Focus to ISPs (darkreading.com)
Cloud
Privacy
Reports Published in the Last Week
Other News
Booking.com Was Reportedly Hacked By A Us Intel Agency But Never Told Customers | Ars Technica
Younger Generations Care Little About Cybersecurity - Help Net Security
The Rising Threat Stemming From Identity Sprawl | SecurityWeek.Com
Playstation 5 Hacked—Twice! - Malwarebytes Labs | Malwarebytes Labs
Hong Kong Cyber Attack Reveals That Apple Favours Latest OS Versions For Security Updates | Techspot
Unique Challenges to Cyber-Security in Healthcare and How to Address Them (thehackernews.com)
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Threat Briefing 21 May 2021
Black Arrow Cyber Threat Briefing 21 May 2021: Ransomware Attacks Are Spiking. Is Your Company Prepared?; Ban Ransom Payments To Hackers, Urges Ex-GCHQ Boss; How Penetration Testing Can Promote A False Sense Of Security; Ransomware’s New Swindle - Triple Extortion; ‘It’s A Battle, It’s Warfare’ - Experts Seek To Defeat Ransomware Attackers; 5 Reasons Why Enterprises Need Cyber Security Awareness And Training; 10 Emerging Cyber Security Trends To Watch In 2021
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
5 Reasons Why Enterprises Need Cyber Security Awareness And Training
Research shows that most cyber attacks rely on exploiting the human factor with the help of creative and innovative phishing techniques and other attack vectors. Almost 90% of all data breaches are caused due to human error. Therefore, even if an organisation has a robust cyber security infrastructure in place, the absence of cyber security awareness among employees can leave a huge gap in its cyber security framework. This gap can be easily exploited by cyber criminals to launch various types of cyber attacks. Hence, cyber security awareness and training are very much needed for any enterprise to secure it against cyber attacks.
Ban Ransom Payments To Hackers, Urges Ex-GCHQ Boss
Britain’s former cyber security chief has called for a ban on ransomware payments after the Irish health service became the latest to be hit by a major attack from international criminals. Ciaran Martin, the founding chief executive of GCHQ’s National Cyber Security Centre (NCSC), said that making payments illegal would help to break the lucrative global hacking business model. Martin said that businesses were helping to fund the organised criminals who locked and stole their data. “At the moment you can pay to make it quietly go away. There’s no legal obligations involved,” he said. “There’s no obligation to report to anybody, there’s no traceability of payment of crypto currency. We have allowed this to spiral in an invisible way.”
Ransomware’s New Swindle: Triple Extortion
Ransomware attacks are exploding at a staggering rate, and so are the ransoms being demanded. Now experts are warning against a new threat — triple extortion — which means that attackers are expanding out to demand payments from customers, partners and other third parties related to the initial breach to grab even more cash for their crimes. Check Point’s latest ransomware report found that over the past year, ransomware payments have spiked by 171 percent, averaging about $310,000 — and that globally, the number of attacks has surged by 102 percent.
https://threatpost.com/ransomwares-swindle-triple-extortion/166149/
‘It’s A Battle, It’s Warfare’: Experts Seek To Defeat Ransomware Attackers
Cyber security experts like to joke that the hackers who have turned ransomware attacks into a multibillion-dollar industry are often more professional than even their biggest victims. Ransomware attacks — when cyber attackers lock up their target’s computer systems or data until a ransom is paid — returned to the spotlight this week after attacks hit one of the biggest petroleum pipelines in the US, Toshiba’s European business, and Ireland’s health service. While governments have pledged to tackle the problem, experts said the criminal gangs have become more enterprising and continue to have the upper hand. For businesses, they said, there is more pain to come. “This is probably the biggest conundrum in security because companies have to decide how far they participate in this cat-and-mouse game,” said Myrna Soto, former chief strategy and trust officer at Forcepoint and current board member of gas and electricity group Consumers Energy. “It’s a battle, it’s warfare, to be honest.”
https://www.ft.com/content/b48a2d70-4a8c-4407-83a2-59cd055068f8
Colonial Pipeline Boss Confirms $4.4M Ransom Payment
Its boss told the Wall Street Journal he authorised the payment on 7 May because of uncertainty over how long the shutdown would continue. "I know that's a highly controversial decision," Joseph Blount said in his first interview since the hack. The 5,500-mile (8,900-km) pipeline carries 2.5 million barrels a day. According to the firm, it carries 45% of the East Coast's supply of diesel, petrol and jet fuel. Chief executive Mr Blount told the newspaper that the firm decided to pay the ransom after discussions with experts who had previously dealt with DarkSide, the criminal organisation behind the attack.
https://www.bbc.co.uk/news/business-57178503
10 Emerging Cyber Security Trends To Watch In 2021
A flurry of new threats, technologies and business models have emerged in the cyber security space as the world shifted to a remote work model in response to the COVID-19 pandemic. The lack of a network perimeter in this new world accelerated the adoption of SASE (secure access service edge), zero trust and XDR (extended detection and response) to ensure remote users and their data are protected. Adversaries have taken advantage of the complexity introduced by newly remote workforces to falsely impersonate legitimate users through credential theft and have upped the ante by targeting customers in the victim’s supply chain. The ability to monetize ransomware attacks by threatening to publicly leak victim data has made it more lucrative, while employers continue to fend off insiders with an agenda.
https://www.crn.com/news/security/10-emerging-cybersecurity-trends-to-watch-in-2021
How Penetration Testing Can Promote A False Sense Of Security
Rob Gurzeev is concerned about blind spots—past and present. In his DarkReading article Defending the Castle: How World History Can Teach Cyber security a Lesson, Gurzeev mentioned, "Military battles bring direct lessons and, I find, often serve as a reminder that attack surface blind spots have been an Achilles' heel for defenders for a long time." "Cyber security attackers follow this same principle today," wrote Gurzeev. "Companies typically have a sizable number of IT assets within their external attack surface they neither monitor nor defend and probably do not know about in the first place."
https://www.techrepublic.com/article/how-penetration-testing-can-promote-a-false-sense-of-security/
Ransomware Attacks Are Only Getting Worse, Darkside Group "Quits," But That May Just Be A Strategy
Earlier this month, a hacker group named DarkSide launched a ransomware attack against the business network of the Colonial Pipeline, forcing the company to shut down the 5,500-mile main pipeline and leading to fuel shortages in 17 states and Washington DC last week. According to a Bloomberg report, Colonial paid 75 Bitcoin (around $5 million on the day of the transaction) in ransom to the Eastern European hackers, but officially the company has maintained a different narrative of not having any intention of paying the extortion fee in crypto currency, as the DarkSide group had demanded. However, the Georgia-based company is said to have made the payment within hours of the attack, possibly using a cyber insurance policy to cover it.
https://www.techspot.com/news/89689-ransomware-attacks-only-getting-worse-darkside-group-quits.html
Learning From Cyber Attacks Could Be The Key To Stopping Them
Organisations should use major cyber incidents as a way to think through the core of their security strategies in order to prevent or recover better from similar attacks. "A significant cyber incident is really an opportunity; because it's an opportunity to focus on the core issues that led to these cyber incidents," said Anne Neuberger, deputy national security advisor for cyber and emerging technology at the White House, speaking at the UK National Cyber Security Centre's (NCSC) CYBERUK 21 virtual conference. Neuberger said that whether it's something like the SolarWinds sophisticated supply chain attack or the Colonial Pipeline ransomware incident, "we know that vulnerabilities across software and hardware can bring on larger concerns", but that looking at the core issues can help everyone improve their security.
https://www.zdnet.com/article/learning-from-cyber-attacks-could-be-the-key-to-stopping-them/
Microsoft Remote Desktop Protocol (RDP) Allegedly Has An Alarming Active Vulnerability
The Remote Desktop Protocol (RDP) is an incredibly useful feature used by likely millions of people every day. Considering it is free and preinstalled from Microsoft, it beats out most other Windows-based remote desktop software with ease. This, however, does not give it a free pass from having flaws; however, as a security researcher has discovered his password in cleartext within the RDP service’s memory. Researcher Jonas Lykkegård of the Secret Club, a group of hackers, seems to stumble across interesting things from time to time. He recently posted to Twitter about finding a password in cleartext in memory after using the RDP service. It seems he could not believe what he had found, as he tested it again and produced the same results using a new local account.
Amazon’s Ring Is The Largest Civilian Surveillance Network The US Has Ever Seen
In a 2020 letter to management, Max Eliaser, an Amazon software engineer, said Ring is “simply not compatible with a free society”. We should take his claim seriously. Ring video doorbells, Amazon’s signature home security product, pose a serious threat to a free and democratic society. Not only is Ring’s surveillance network spreading rapidly, it is extending the reach of law enforcement into private property and expanding the surveillance of everyday life. What’s more, once Ring users agree to release video content to law enforcement, there is no way to revoke access and few limitations on how that content can be used, stored, and with whom it can be shared.
Ransomware Attacks Are Spiking. Is Your Company Prepared?
With the migration to remote work over the last year, cyber attacks have increased exponentially. We saw more attacks of every kind, but the headline for 2020 was ransom attacks, which were up 150% over the previous year. The amount paid by victims of these attacks increased more than 300% in 2020. Already 2021 has seen a dramatic increase in this activity, with high-profile ransom attacks against critical infrastructure, private companies, and municipalities grabbing headlines on a daily basis. The amount of ransom demanded also has significantly increased this year, with some demands reaching tens of millions of dollars. And the attacks have become more sophisticated, with threat actors seizing sensitive company data and holding it hostage for payment.
https://hbr.org/2021/05/ransomware-attacks-are-spiking-is-your-company-prepared
Threats
Ransomware
Insurer AXA Hit By Ransomware After Dropping Support For Ransom Payments
One Of The US’s Largest Insurance Companies Reportedly Paid $40 Million To Ransomware Hackers
Ransomware’s Dangerous New Trick Is Double-Encrypting Your Data
Phishing
Other Social Engineering
Malware
Mobile
IoT
Four New Video Doorbells And Home Security Cameras Are Vulnerable To Hacking
EufyCam Users Should Turn Off Their Security Cams Immediately
Vulnerabilities
QNAP Warns Of eCh0raix Ransomware Attacks, Roon Server Zero-Day
Cross-Browser Tracking Vulnerability Tracks You Via Installed Apps
Cryptocurrency
Supply Chain
Nation State Actors
Denial of Service
Cloud
Governance, Risk and Compliance
Reports Published in the Last Week
Other News
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Threat Briefing 23 April 2021
Black Arrow Cyber Threat Briefing 23 April 2021: Cyber Attacks Rise For Businesses, Pushing Many To The Brink; MI5 Warns Of Spies Using LinkedIn To Trick Staff; Sonicwall Warns Customers To Patch 3 Zero-Days Exploited In The Wild; FBI Removed Backdoors From Vulnerable Exchange Servers, Not Everyone Likes The Idea; Pulse Secure VPN Zero-Day Used To Hack Defense Firms & Govt Orgs; Solarwinds Hack Could Cost Insurance Firms $90M; Mount Locker Ransomware Aggressively Changes Up Tactics; QR Codes Offer Easy Cyber Attack Avenues as Usage Spikes
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
Cyber Attacks On The Rise For Businesses, Pushing Many To The Brink
The proportion of businesses targeted by cyber criminals in the past year increased from 38% to 43%, with over a quarter of those targeted (28%) experiencing five attacks or more. Those attacks are pushing many firms to the brink, with one in six businesses attacked (17%) saying the financial impact materially threatened the company’s future. On a more positive note, the report shows firms are responding to the cyber challenge: mean spending per business on cyber security has more than doubled in the last two years.
https://www.insurancejournal.com/news/international/2021/04/19/610514.htm
MI5 Warns Of Spies Using Linkedin To Trick Staff Into Spilling Secrets
At least 10,000 UK nationals have been approached by fake profiles linked to hostile states, on the professional social network LinkedIn, over the past five years, according to MI5. It warned users who had accepted such connection requests might have then been lured into sharing secrets. A campaign has been launched to educate government workers about the threat. The 10,000-plus figure includes staff in virtually every government departments as well as key industries, who might be offered speaking or business and travel opportunities that could lead to attempts to recruit them to provide confidential information.
https://www.bbc.co.uk/news/technology-56812746
SonicWall Warns Customers To Patch 3 Zero-Days Exploited In The Wild
Security hardware manufacturer SonicWall is urging customers to patch a set of three zero-day vulnerabilities affecting both its on-premises and hosted Email Security products. "In at least one known case, these vulnerabilities have been observed to be exploited 'in the wild,'" SonicWall said in a security advisory published earlier today. The company said it is "imperative" that organisations using its Email Security hardware appliances, virtual appliances, or software installations on Microsoft Windows Server machines immediately upgrade to a patched version.
The FBI Removed Hacker Backdoors From Vulnerable Microsoft Exchange Servers. Not Everyone Likes The Idea
The FBI had worked to remove malicious web shells from hundreds of computers in the United States that were running vulnerable versions of Microsoft Exchange Server. While the move will have helped keep many organisations secure, it has also raised questions about the direction of cyber security. Earlier this year, four zero-day vulnerabilities in Microsoft Exchange Server, which were being actively exploited by a nation-state-backed hacking operation, were uncovered. Microsoft released a critical security update to protect Exchange Server customers from cyber attacks exploiting the vulnerabilities in March, but a significant number of organisations have yet to apply the security patch.
Pulse Secure VPN Zero-Day Used To Hack Defense Firms, Govt Organisations
A zero-day authentication bypass vulnerability in the Pulse Connect Secure (PCS) SSL VPN appliance actively exploited in attacks against worldwide organisations and focused on US Defence Industrial base networks. As a workaround, the vulnerability can be mitigated on some gateways by disabling Windows File Share Browser and Pulse Secure Collaboration features using instructions available in the security advisory published earlier today.
SolarWinds Hack Could Cost Cyber Insurance Firms $90 Million
Cyber insurance vendors are expected to spend $90 million on incident response and forensic services for clients who were compromised by the SolarWinds hackers. “Although the SolarWinds attack is a cyber catastrophe from a national security perspective, insurers may have narrowly avoided a catastrophic financial incident to their businesses,” The Russian hackers behind the SolarWinds attack appear to have avoided large scale exploitation of victims, instead opting to maintain access and collect sensitive data. But if the SolarWinds hackers had been focused on interrupting business and destroying networks, the campaign could have been catastrophic for insurers.
https://www.crn.com/news/security/solarwinds-hack-could-cost-cyber-insurance-firms-90-million
Mount Locker Ransomware Aggressively Changes Up Tactics
The Mount Locker ransomware has shaken things up in recent campaigns with more sophisticated scripting and anti-prevention features, according to researchers. And, the change in tactics appears to coincide with a rebranding for the malware into “AstroLocker.” According to researchers, Mount Locker has been a swiftly moving threat. Having just hit the ransomware-as-a-service scene in the second half of 2020, the group released a major update in November that broadened its targeting capabilities (including searching for file extensions utilized by TurboTax tax-return software to encrypt). It also added improved detection evasion. Attacks have continued to escalate, and now, another major update signals “an aggressive shift in Mount Locker’s tactics,”.
https://threatpost.com/mount-locker-ransomware-changes-tactics/165559/
QR Codes Offer Easy Cyber Attack Avenues as Usage Spikes
The use of mobile quick-response (QR) codes in daily life, for both work and personal use, continues to rise – and yet, most people are not aware that these handy mobile shortcuts can open them up to savvy cyber attacks. A survey of 4,157 consumers across China, France, Germany, Japan, the U.K. and the U.S. It found that 57 percent of respondents have increased their QR code usage since mid-March 2020, mainly because of the need for touchless transactions in the wake of COVID-19. In all, three-quarters of respondents (77 percent) said they have scanned a QR code before, with 43 percent having scanned a QR code in the past week.
https://threatpost.com/qr-codes-cyberattack-usage-spikes/165526/
Google Alerts Continues To Be A Hotbed Of Scams And Malware
Google Alerts continues to be a hotbed of scams and malware that threat actors are increasingly abusing to promote malicious websites. While Google Alerts has been abused for a long time, a significant increase in activity over the past couple of weeks. People use Google Alerts to monitor for various terms related to cyber attacks, security incidents, malware, etc. In one Google Alert, almost every new article shared with people today by the service led to a scam or malicious website.
Threats
Ransomware
Campus Still Closed as Portsmouth University Reels from Suspected Ransomware
Ransomware Gang Tries To Extort Apple Hours Ahead Of Spring Loaded Event
Discord Nitro gift codes now demanded as ransomware payments
Phishing
Malware
IOT
Vulnerabilities
Google Issues Chrome Update Patching Seven Security Vulnerabilities
Zero-Day Vulnerabilities In Sonicwall Email Security Are Being Actively Exploited
Cisco Router Flaws Left Small Business Networks Open To Abuse
Firefox 88 Patches Bugs And Kills Off A Sneaky Javascript Tracking Trick
Data Breaches
Organised Crime & Criminal Actors
Cryptocurrency
Supply Chain
Nation State Actors
Denial of Service
Other News
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Threat Briefing 18 December 2020
Black Arrow Cyber Threat Briefing 18 December 2020: The great hack attack - SolarWinds breach exposes big gaps in cyber security; A wake-up for the world on cyber security; White House activates cyber emergency response; US nuclear weapons agency targeted; UK companies targeted; Increasing Risk of Cyber Attacks; millions of users install malicious browser extensions; C19 Vaccines sold on dark web
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities and cyber related news from the last week.
Top Cyber Headlines of the Week
The great hack attack: SolarWinds breach exposes big gaps in cyber security
Until this week, SolarWinds was a little known IT software group from Texas. Its deserted lobby has a framed magazine article from a few years ago when it was on a list of America’s “Best Small Companies”.
Now the Austin-based company is at the heart of one of the biggest and most startling cyber hacks in recent history, with ramifications that extend into the fields of geopolitics, espionage and national security.
For nine months, sophisticated state-backed hackers have exploited a ubiquitous SolarWinds software product in order to spy on government and business networks around the world, including in the US, UK, Israel and Canada. Wielding innovative tools and tradecraft, the cyber spies lurked in email services, and posed as legitimate staffers to tap confidential information stored in the cloud.
The bombshell revelations have sent 18,000 exposed SolarWinds customers scrambling to assess whether outsiders did indeed enter their systems, what the damage was and how to fix it.
https://www.ft.com/content/c13dbb51-907b-4db7-8347-30921ef931c2
A wake-up for the world on cyber security
Imagine intruders break into your home and loiter undetected for months, spying on you and deciding which contents to steal. This in essence is the kind of access that hackers, assumed to be Russian, achieved in recent months at US government institutions including the Treasury and departments of commerce and homeland security, and potentially many US companies. If the fear in the Cold War was of occasional “moles” gaining access to secrets, this is akin to a small army of moles burrowing through computer systems. The impact is still being assessed, but it marks one of the biggest security breaches of the digital era.
https://www.ft.com/content/d3fc0b14-4a82-4671-b023-078516ea714e
US government, thousands of businesses now thought to have been affected by SolarWinds security attack
Thousands of businesses and several branches of the US government are now thought to have been affected by the attack on software firm SolarWinds.
The Austin-based company has fallen victim to a massive supply chain attack believed to be the work of state-sponsored hackers.
Along with the US treasury and commerce departments, the Department of Homeland Security is now thought to have been affected by the attack. In a statement to the SEC today, SolarWinds said it had notified 33,000 customers of its recent hack, but that only 18,000 of these used the affected version of its Orion platform.
https://www.techradar.com/uk/news/solarwinds-suffers-massive-supply-chain-attack
White House activates cyber emergency response under Obama-era directive
In the wake of the SolarWinds breach, the National Security Council has activated an emergency cyber security process that is intended to help the government plan its response and recovery efforts, according to White House officials and other sources.
The move is a sign of just how seriously the Trump administration is taking the foreign espionage operation, former NSC officials told CyberScoop.
The action is rooted in a presidential directive issued during the Obama administration known as PPD-41, which establishes a Cyber Unified Coordination Group (UCG) that is intended to help the U.S. government coordinate multiple agencies’ responses to the significant hacking incident.
The UCG is generally led by the Department of Justice — through the FBI and the National Cyber Investigative Joint Task Force — as well as the Office of the Director of National Intelligence and the Department of Homeland Security.
https://www.cyberscoop.com/solarwinds-white-house-national-security-council-emergency-meetings/
Hackers targeted US nuclear weapons agency in massive cyber security breach, reports say
The National Nuclear Security Administration and Energy Department, which safeguard the US stockpile of nuclear weapons, have had their networks hacked as part of the widespread cyber espionage attack on a number of federal agencies.
Politico reports that officials have begun coordinating notifications about the security breach to the relevant congressional oversight bodies.
Suspicious activity was identified in the networks of the Federal Energy Regulatory Commission (FERC), Los Alamos and Sandia national laboratories in New Mexico and Washington, the Office of Secure Transportation, and the Richland Field Office of the Department of Energy.
Officials with direct knowledge of the matter said hackers have been able to do more damage to the network at FERC, according to the report.
Microsoft warns UK companies were targeted by SolarWinds hackers
Microsoft has warned that some of its UK customers have been exposed to the malware used in the Russia-linked SolarWinds hack that targeted US states and government agencies.
More than 40 of the tech giant's customers are thought to have used breached SolarWinds software, including clients in Britain, the US, Canada, Mexico, Belgium, Spain, Israel, and the UAE.
The company would not name the victims, but said they include government agencies, think tanks, non-governmental organisations and IT firms. Microsoft said four in five were in the US, with nearly half of them tech companies.
“This is not ‘espionage as usual,’ even in the digital age,” said Brad Smith, Microsoft's president. “Instead, it represents an act of recklessness that created a serious technological vulnerability for the United States and the world.”
The attackers, believed to be working for the Russian government, got into computer networks by installing a vulnerability in Orion software from SolarWinds.
Society at Increasingly High Risk of Cyber Attacks
Cyber attacks are becoming easier to conduct while conversely security is getting increasingly difficult, according to Kevin Curran, senior IEEE member and professor of cyber security, Ulster University, during a virtual media roundtable.
“Any company you can think of has had a data breach,” he commented. “Whenever a data breach happens it weakens our credentials because our passwords are often reused on different websites.”
He observed that the art of hacking doesn’t necessarily require a significant amount of technical expertise anymore, and bad actors can receive substantial help from numerous and readily accessible tools online. “You don’t have to spend seven years in college to learn how to hack, you just have to know about these sites and what terms to use,” noted Curran.
A number of legitimate online mechanisms that can help damaging attacks to be launched by hackers were highlighted by Curran in his presentation. These include Google Dorks, which are “search strings which point to website vulnerabilities.” This means vulnerable accounts can be identified simply via Google searches.
https://www.infosecurity-magazine.com/news/society-increasingly-risk-cyber/
Three million users installed 28 malicious Chrome or Edge extensions
More than three million internet users are believed to have installed 15 Chrome, and 13 Edge extensions that contain malicious code, security firm Avast said today.
The 28 extensions contained code that could perform several malicious operations, including:
-redirect user traffic to ads
-redirect user traffic to phishing sites
-collect personal data, such as birth dates, email addresses, and active devices
-collect browsing history
-download further malware onto a user's device
But despite the presence of code to power all the above malicious features, Avast researchers said they believe the primary objective of this campaign was to hijack user traffic for monetary gains.
https://www.zdnet.com/article/three-million-users-installed-28-malicious-chrome-or-edge-extensions/
Vaccines for sale on dark web as criminals target pandemic profits
Black market vendors were offering coronavirus vaccines for sale on hidden parts of the internet days after the first Covid-19 shot was approved this month, as criminals seek to profit from global demand for inoculations.
One such offer on the so-called dark web, traced by cyber security company Check Point Software, was priced at $250 with the seller promising “stealth” delivery in double-wrapped packaging. Shipping from the US via post or a leading courier company would cost $20, with an extra $5 securing overnight delivery.
https://www.ft.com/content/8bfc674e-efe6-4ee0-b860-7fcb5716bed6
Threats
Ransomware
FBI says DoppelPaymer ransomware gang is harassing victims who refuse to pay
House purchases in Hackney fall through following cyber attack against council
Mount Locker Ransomware Offering Double Extortion Scheme to Other Hackers
Ransomware operators use SystemBC RAT as off-the-shelf Tor backdoor
Phishing
Subway Sandwich Loyalty-Card Users Suffer Ham-Handed Phishing Scam
Microsoft Office 365 Credentials Under Attack By Fax ‘Alert’ Emails
IoT
Malware
New iOS and Android spyware responsible for multi-layered sextortion campaign
Google Chrome, Firefox, Edge hijacked by massive malware attack: What you need to know
This nasty malware is infecting every web browser — what to do now
Tor malware is becoming a worryingly popular ransomware tool
Vulnerabilities
Israeli Phone-hacking Firm Claims It Can Now Break Into Encrypted Signal App
PgMiner botnet exploits disputed CVE to hack unsecured PostgreSQL DBs
Zero-day in WordPress SMTP plugin abused to reset admin account passwords
Sophos fixes SQL injection vulnerability in their Cyberoam OS
Wormable code-execution flaw in Cisco Jabber has a severity rating of 9.9 out of 10
Data Breaches
Twitter hit with €450,000 GDPR fine nearly two years after disclosing data breach
Data Leak Exposes Details of Two Million Chinese Communist Party Members
Organised Crime
Nation State Actors
Privacy
UK police unlawfully processing over a million people’s data on Microsoft 365
Sci-fi surveillance: Europe's secretive push into biometric technology
Other News
Reports Published in the Last Week
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Cyber Weekly Flash Briefing for 06 March 2020 phishing scams exploiting coronavirus, Boots Advantage and Tesco Clubcard hit in the same week, Android patches, ransomware takes legal giant offline
Cyber Weekly Flash Briefing for 06 March 2020 - phishing scams exploiting coronavirus, Boots Advantage and Tesco Clubcard hit in the same week, Android patches, ransomware takes legal giant offline
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Nasty phishing scams aim to exploit coronavirus fears
Phoney emails about health advice and more are being used to steal login credentials and financial details.
Cyber criminals are aiming to take advantage of fears over coronavirus as a means of conducting phishing attacks and spreading malware, along with stealing login credentials and credit card details.
Cybersecurity companies have identified a number of campaigns by hackers who are attempting to exploit concerns about the COVID-19 outbreak for their own criminal ends. Crooks often use current affairs to make their scams more timely.
Researchers have identified a Trickbot banking trojan campaign specifically targeting Italian email addresses in an attempt to play on worries about the virus. The phishing email comes with a Word document which claims to contain advice on how to prevent infection – but this attachment is in fact a Visual Basic for Applications (VBA) script which drops a new variant of Trickbot onto the victim's machine.
The message text claims to offer advice from the World Health Organization (WHO) in a Word document which claims to be produced using an earlier version of Microsoft Word which means the user needs to enable macros in order to see the content. By doing this, it executes a chain of commands which installs Trickbot on the machine.
Read more here: https://www.zdnet.com/article/nasty-phishing-scams-aim-to-exploit-coronovirus-fears/
Backdoor malware is being spread through fake security certificate alerts
Victims of this new technique are invited to install a malicious "security certificate update" when they visit compromised websites.
Backdoor and Trojan malware variants are being distributed through a new phishing technique that attempts to lure victims into accepting an "update" to website security certificates.
Certificate Authorities (CAs) distribute SSL/TLS security certificates for improved security online by providing encryption for communication channels between a browser and server -- especially important for domains providing e-commerce services -- as well as identity validation, which is intended to instill trust in a domain.
Read the full article here: https://www.zdnet.com/article/backdoor-malware-is-being-spread-through-fake-security-certificate-alerts/
Boots Advantage and Tesco Clubcard both suffer data breaches in same week
Boots has blocked all Advantage card holders from ‘paying with points’ after 150,000 accounts were subjected to attempted hacks using stolen passwords.
The news comes just days after Tesco said it would issue replacement Clubcards to more than 620,000 customers after a similar security breach.
Read more here: https://www.which.co.uk/news/2020/03/boots-advantage-card-tesco-clubcard-both-suffer-data-breaches-in-same-week/
Academics find 30 file upload vulnerabilities in 23 web apps, CMSes, and forums
Through the use of an automated testing toolkit, a team of South Korean academics has discovered 30 vulnerabilities in the file upload mechanisms used by 23 open-source web applications, forums, store builders, and content management systems (CMSes).
When present in real-world web apps, these types of vulnerabilities allow hackers to exploit file upload forms and plant malicious files on a victim's servers.
These files could be used to execute code on a website, weaken existing security settings, or function as backdoors, allowing hackers full control over a server.
Read the full article here: https://www.zdnet.com/article/academics-find-30-file-upload-vulnerabilities-in-23-web-apps-cmses-and-forums/
UK Home Office breached GDPR 100 times through botched management of EU Settlement Scheme
ID cards sent to the wrong addresses, third party data disclosures, and lost passports are only some examples of mishandling.
The UK Home Office has breached European data protection regulations at least 100 times in its handling of the EU Settlement Scheme (EUSS).
IDs have been lost, documents misplaced, passports have gone missing, and applicant information has been disclosed to third parties without permission in some of the cases, according to a new report.
Read more here: https://www.zdnet.com/article/uk-home-office-breached-gdpr-100-times-through-botched-handling-of-eu-settlement-scheme/
Legal services giant Epiq Global offline after ransomware attack
The company, which provides legal counsel and administration that counts banks, credit giants, and governments as customers, confirmed the attack hit on February 29.
“As part of our comprehensive response plan, we immediately took our systems offline globally to contain the threat and began working with a third-party forensic firm to conduct an independent investigation,” a company statement read. “Our technical team is working closely with world class third-party experts to address this matter, and bring our systems back online in a secure manner, as quickly as possible.”
The company’s website, however, says it was “offline to perform maintenance.”
A source with knowledge of the incident but who was not authorized to speak to the media said the ransomware hit the organization’s entire fleet of computers across its 80 global offices.
Read more here: https://techcrunch.com/2020/03/02/epiq-global-ransomware/
Android Patch Finally Lands for Widespread “MediaTek-SU” Vulnerability
Android has quietly patched a critical security flaw affecting millions of devices containing chipsets from Taiwanese semiconductor MediaTek: a full year after the security vulnerability – which gives an attacker root privileges – was first reported.
More here: https://www.cbronline.com/news/android-patch-mediatek-su
5G and IoT security: Why cybersecurity experts are sounding an alarm
Without regulation and strong proactive measures, 5G networks remain vulnerable to cyberattacks, and the responsibility falls on businesses and governments.
Seemingly everywhere you turn these days there is some announcement about 5G and the benefits it will bring, like greater speeds, increased efficiencies, and support for up to one million device connections on a private 5G network. All of this leads to more innovations and a significant change in how we do business.
But 5G also creates new opportunities for hackers.
There are five ways in which 5G networks are more susceptible to cyberattacks than their predecessors, according to the 2019 Brookings report, Why 5G requires new approaches to cybersecurity. They are:
The network has moved from centralized, hardware-based switching to distributed, software-defined digital routing. Previous networks had "hardware choke points" where cyber hygiene could be implemented. Not so with 5G.
Higher-level network functions formerly performed by physical appliances are now being virtualized in software, increasing cyber vulnerability.
Even if software vulnerabilities within the network are locked down, the 5G network is now managed by software. That means an attacker that gains control of the software managing the network can also control the network.
The dramatic expansion of bandwidth in 5G creates additional avenues of attack.
Increased vulnerability by attaching tens of billions of hackable smart devices to an IoT network.
Read the full article here: https://www.techrepublic.com/article/5g-and-iot-security-why-cybersecurity-experts-are-sounding-an-alarm/
Virgin Media apologises after data breach affects 900,000 customers
Virgin Media has apologised after a data breach left the personal details of around 900,000 customers unsecured and accessible.
The company said that the breach occurred after one of its marketing databases was “incorrectly configured” which allowed unauthorised access.
It assured those affected by the breach that the database “did not include any passwords or financial details” but said it contained information such as names, home and email addresses, and phone numbers.
Virgin said that access to the database had been shut down immediately following the discovery but by that time the database was accessed “on at least one occasion”.
Read more here: https://www.itv.com/news/2020-03-05/virgin-media-apologises-after-data-breach-affects-900-000-customers/
Do these three things to protect your web security camera from hackers
NCSC issues advice on how to keep connected cameras, baby monitors and other live streaming security tools secure from cyberattacks.
Owners of smart cameras, baby monitors and other Internet of Things products have been urged to help keep their devices safe by following three simple steps to boost cybersecurity – and making it more difficult for hackers to compromise them.
The advice from the UK's National Cyber Security Centre (NCSC) – the cyber arm of the GCHQ intelligence agency – comes as IoT security cameras and other devices are gaining popularity in households and workplaces.
Change the default password
Apply updates regularly
Disable unnecessary alerts
For more refer to the original article here: https://www.zdnet.com/article/do-these-three-things-to-protect-your-web-security-camera-from-hackers/