Threat Intelligence Blog

Contact us to discuss any insights from our Blog, and how we can support you in a tailored threat intelligence report.

Black Arrow Admin Black Arrow Admin

Black Arrow Cyber Threat Briefing 10 May 2024

Black Arrow Cyber Threat Intelligence Briefing 10 May 2024:

-China Suspected of Hacking MoD, Through Its Payroll Provider

-Security Tools Fail to Translate Risks for Executives

-Gang Accused of MGM Hack Shifts Attacks to Finance Sector

-Are SMEs Paving the Way for Cyber Attacks on Larger Companies?

-Misconfigurations Drive 80% of Security Exposure, Report Finds

-Only 45% of Organisations Employ MFA Protections

-You Cannot Protect What You Do Not Know You Have, as Criminals are Exploiting Vulnerabilities Faster Than Ever

-The Rise and Stealth of The Socially Engineered Insider

-Over 70% of Staff Use AI At Work, But Only 30% of European Organisations Provide AI Training

-Don't Be the Weakest Link – You and Your Team's Crucial Role in Cyber Security

-Ransomware Activity Thrives, Despite Law enforcement Efforts

-NATO Warns of Russian Hybrid Warfare

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

China Suspected of Hacking UK Ministry of Defence, Through Its Payroll Provider

UK Defence Secretary Grant Shapps has confirmed that over 270,000 personal details have been leaked after the MoD was hacked through its third-party payroll provider, SSCL. The affected systems have been pulled offline since the attack. SSCL’s website describes that it manages HR for the armed forces, the Metropolitan Police and other areas of British government. The commercial supply chain, and in particular HR and payroll providers, is increasing being used as the soft underbelly to attack larger and better protected organisations.

Sources: [LBC] [The Register] [Sky News]

Security Tools Fail to Translate Risks for Executives

Organisations are struggling with internal communication barriers, hindering their ability to address and mitigate cyber security threats, according to a report which found that seven out of 10 C-suite executives said their security teams talk in technical terms without providing business context. However, in contrast, 75% of CISO’s highlight the issue is rooted in security tools that cannot generate the insights C-level executives and boards can use to understand business implications. The role of a good CISO should be to take the output of these tools and turn that data into metrics the Boards can understand.

The issues highlight the necessity for organisations to have someone in their organisation, whether an employee or a third-party, who is able to ingest technical results and translate them into a style that the C-suite can understand for business risk management.

Source: [Help Net Security]

Gang Accused of MGM Hack Shifts Attacks to Finance Sector

The hacking group responsible for the infamous hack on MGM and Caesar’s Palace resorts is engaged in a new campaign targeting the financial sector. The group known as Scattered Spider has targeted 29 companies since 20 April this year, compromising at least 2 insurance companies so far. The research has stated that the attackers are purchasing lookalike domains that match the name of target companies, hosting fake log-in pages. Links to these are sent to employees, in an attempt to direct them there. The most recent attack took place just days ago, with more expected.

Sources: [Bloomberg Law] [Claims Journal]

Are SMEs Paving the Way for Cyber Attacks on Larger Companies?

A recent study highlights the escalating cyber threats facing businesses, particularly SMEs and supply chains. The study found that 32% of UK businesses, including 69% of large and 59% of mid-sized organisations, suffered a cyber attack last year. The situation is worse for SMEs, with weaker security systems and 77% lacking in-house cyber security. SMEs can become entry points for hackers targeting larger partners through interconnected supply chains. Meanwhile, Verizon’s latest data breaches report revealed a 68% increase in supply chain breaches, accounting for 15% of all breaches in 2023, up from 9% in 2022. These breaches are primarily driven by third-party software vulnerabilities exploited in ransomware and extortion attacks. Experts emphasise proactive cyber policies, vulnerability scans, and employee education for SMEs to bolster defences. They also urge organisations to consider third-party bugs as both vulnerability and vendor management problems, make better vendor choices, and use external signals like SEC disclosures in the United States to guide decisions. These measures can help prevent SMEs from becoming gateways for larger attacks and manage the rising threat of supply chain breaches.

Sources: [Insurance Times] [Dark Reading]

Misconfigurations Drive 80% of Security Exposure, Report Finds

A recent report has found that 80% of security exposures are caused by identity and credential misconfigurations, with a third of these putting critical assets at risk of a breach. According to the report, the majority of this is within an organisation’s network user management (Active Directory) and 56% of breaches that impact critical assets are within cloud platforms. There is often the misconception that cloud-based environments are secure by default, but misconfigurations can undo any security benefits and still leave you exposed. Just because someone else built and maintains your house, it is still your responsibility to lock the doors and windows.

Sources: [Security Magazine]

Only 45% of Organisations Employ MFA Protections

A recent report of IT decision-makers has found that 97% are facing challenges with identity verification and 52% are very concerned about credential compromise, followed by account takeover (50%). When it comes to reinforcing identity verification, only 45% used multi-factor authentication (MFA). By using MFA, organisations are forcing two identification verifications: simply knowing a username and password is not enough, especially given the speeds with which attackers can crack passwords, with average 8 character passwords able to be cracked in less than a minute. Whilst no control is 100% impenetrable, enabling MFA will aid in increasing your organisation's cyber resilience.

Source: [Help Net Security]

You Cannot Protect What You Do Not Know You Have, as Criminals are Exploiting Vulnerabilities Faster Than Ever

For many organisations, visibility of their information assets can be incredibly hard to obtain and maintain, with different tools, under-reporting and shadow IT contributing to the problem. Unfortunately, cyber criminals are getting faster at exploiting vulnerabilities, and if you do not know you have the vulnerability in your estate then you cannot patch against it. In their recent report, Fortinet found that attacks started on average 4.76 days after new exploits were publicly disclosed.

Interestingly though, while zero-day threats garner much attention (these are ‘new’ vulnerabilities that are being exploited by attackers but for which there are no security patches yet available), one third of all exploits are for older vulnerabilities. This highlights the need for a comprehensive and robust approach to network security and vulnerability management, beyond simply patching what Microsoft puts out once a month. To have effective patch management, organisations must know what they need to patch and therefore must have visibility of the corporate environment. A good starting block is the creation of a robust information asset register.

Sources: [Security Brief] [Help Net Security] [IT Security Guru]

The Rise and Stealth of The Socially Engineered Insider

Social engineering has become increasingly prevalent as the preferred tactic for foreign adversaries. Insiders are prime targets due to their privileged access to sensitive data. This is particularly affecting the technology, pharma, and critical infrastructure sectors. Advances in AI and social platforms have made it easier to exploit these vulnerabilities. These advances allow threat actors to tailor attacks with unprecedented speed and realism. Using methods like coercion or deception, these actors exploit employees to gain high-value data that can be weaponised. As a result, the threat landscape has become more complex, blurring the lines between internal and external risks. To bolster their defences, organisations are now investing in insider risk management and AI. They are also emphasising employee education and cross-sector collaboration.

Source: [Forbes]

Over 70% of Staff Use AI At Work, But Only 30% of European Organisations Provide AI Training

An ISACA study and the AI Security & Governance Report reveal a complex landscape of AI adoption and security. 73% of European organisations and 54% of global organisations use AI, with 79% increasing their AI budgets, however training and policy development lag behind. Only 30% offer limited training, 40% provide none, and a mere 17% have a comprehensive AI policy. Despite AI’s potential, 80% of data experts find it complicates security, with concerns high around generative AI exploitation (61% of respondents) and AI-powered attacks (over 50% of business leaders). Data poisoning and privacy issues persist, yet 85% of leaders express confidence in their data security strategies, with 83% revising privacy and governance guidelines. With 86% recognising a need for AI training within two years, the call for dynamic governance strategies and formal education is clear to manage evolving threats.

Sources: [Help Net Security] [IT Security Guru]

Don't Be the Weakest Link – You and Your Team's Crucial Role in Cyber Security

Cyber security success depends on more than just technology. Bad actors are always looking for the easiest entry point, meaning that employees’ everyday actions are crucial, when even one careless click or a weak password can be an open door for hackers. However, empowered with the right knowledge and tools, staff can become a robust defence. Nearly 80% of organisations have reported an increase in phishing attacks, but training programs like role-playing exercises and phishing simulations significantly reduce these risks. Effective cyber security also hinges on C-suite leaders promoting a security-first culture, ensuring all employees understand the risks and follow strict protocols like MFA and strong password policies. Consistent training and open communication are vital in fostering a resilient, security-aware workforce.

Source: [JDSupra]

Ransomware Activity Thrives, Despite Law enforcement Efforts

Despite the recent law enforcement takedowns on ransomware groups, ransomware remains rife. Whilst the takedown of a group can come as an initial relief in that the group has gone, it simply forces ransomware affiliates to diversify. This is reflected in ransomware continuing its growth in the first quarter of 2024, with 18 new leak sites, the largest number in a single quarter, emerging over this period. When comes to those at risk, both financial services and healthcare remain a prominent target.

Sources: [Help Net Security ] [Infosecurity Magazine] [Help Net Security]

NATO Warns of Russian Hybrid Warfare

NATO has issued a statement in which it describes it is “deeply concerned about Russia's hybrid actions and the threat that they constitute to NATO security”.  The actions are described to include sabotage, acts of violence, cyber and electronic interference, and disinformation campaigns. This comes as many countries including the UK and US are due to have elections this year.

Sources: [EU Reporter] [Financial Times]



Threats

Ransomware, Extortion and Destructive Attacks

Ransomware Victims

Phishing & Email Based Attacks

Other Social Engineering

Artificial Intelligence

2FA/MFA

Malware

Mobile

Denial of Service/DoS/DDOS

Data Breaches/Leaks

Organised Crime & Criminal Actors

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

Insider Risk and Insider Threats

Supply Chain and Third Parties

Cloud/SaaS

Encryption

Linux and Open Source

Passwords, Credential Stuffing & Brute Force Attacks

Social Media

Training, Education and Awareness

Regulations, Fines and Legislation

Models, Frameworks and Standards

Data Protection

Careers, Working in Cyber and Information Security

Law Enforcement Action and Take Downs


Nation State Actors, Advanced Persistent Threats (APTs), Cyber Warfare, Cyber Espionage and Geopolitical Threats/Activity

Cyber Warfare and Cyber Espionage

Nation State Actors

China

Russia

Iran

North Korea

Other Nation State Actors, Hacktivism, Extremism, Terrorism and Other Geopolitical Threat Intelligence




Tools and Controls


Reports Published in the Last Week



Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

·         Automotive

·         Construction

·         Critical National Infrastructure (CNI)

·         Defence & Space

·         Education & Academia

·         Energy & Utilities

·         Estate Agencies

·         Financial Services

·         FinTech

·         Food & Agriculture

·         Gaming & Gambling

·         Government & Public Sector (including Law Enforcement)

·         Health/Medical/Pharma

·         Hotels & Hospitality

·         Insurance

·         Legal

·         Manufacturing

·         Maritime

·         Oil, Gas & Mining

·         OT, ICS, IIoT, SCADA & Cyber-Physical Systems

·         Retail & eCommerce

·         Small and Medium Sized Businesses (SMBs)

·         Startups

·         Telecoms

·         Third Sector & Charities

·         Transport & Aviation

·         Web3


As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Read More
Black Arrow Admin Black Arrow Admin

Black Arrow Cyber Threat Briefing 19 April 2024

Black Arrow Cyber Threat Intelligence Briefing 19 April 2024:

-94% of Ransomware Victims Have Their Backups Targeted by Attackers

-Sharing IT Providers Is a Risk for Financial Services, Says IMF, as Rising Cyber Threats Pose Serious Concerns for Financial Stability

-Hackers are Threatening to Publish a Huge Stolen Sanctions and Financial Crimes Watchlist

-Your Annual Cyber Security Is Not Working, but There is a Solution

-73% of Security Professionals Say They’ve Missed, Ignored or Failed to Act on a High Priority Security Alert

-Russia and Ukraine Top Inaugural World Cyber Crime Index

-Police Takedown Major Cyber Fraud Superstore: Will the Cyber Crime Industry Become More Fragmented?

-Small Businesses See Stable Business Climate; Cite Cyber Security as Top Threat

-The Threat from Inside: 14% Surge in Insider Threats Compared to Previous Year

-Dark Web Sales Driving Major Rise in Credential Attacks as Attackers Pummel Networks with Millions of Login Attempts

-Large Enterprises Experience Breaches, Despite Large Security Stacks - Report Finds 93% of Breaches Lead to Downtime and Data Loss

-Charities Doing Worse than Private Sector in Staving off Cyber Attacks

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

94% of Ransomware Victims Have Their Backups Targeted by Attackers

Organisations that have backed up sensitive data may believe they are safe from the effects of ransomware attacks; however a new study by Sophos reported that cyber criminals attempted to compromise the backups of 94% of companies hit by ransomware in the past year. The research found that criminals can demand a higher ransom when they compromise an organisation’s backup data, and those victims are twice as likely to pay. The median ransom demand is $2.3 million when backups are compromised, compared to $1 million otherwise.

Additionally, sectors like state and local governments, along with media and entertainment, are particularly vulnerable with nearly all affected organisations experiencing backup compromises.

Source: [Tech Republic]

Sharing IT Providers Is a Risk for Financial Services, Says IMF, as Rising Cyber Threats Pose Serious Concerns for Financial Stability

The International Monetary Fund has found that with greater digitalisation and heightened geopolitical tensions comes a greater risk of cyber attack with systemic consequences. The IMF noted that losses more than quadrupled since 2017 to $2.5 billion.

The push for technology has led to a number of financial services institutions relying on third-party IT firms, increasing their susceptibility to cyber disruption on a wider scale and a potential ripple effect were a third party to be hit. Whilst such third parties can increase the cyber resilience of a financial services institution, they also expose the industry to systemwide shocks, the IMF reports.

The IMF recommend institutions should identify potential systematic risks in their third-party IT firms. If the organisation is unable to perform such risk assessments, they should seek the expert support of an independent cyber security specialist.

Sources: [The Banker] [IMF]

Hackers are Threatening to Publish a Huge Stolen Sanctions and Financial Crimes Watchlist

A cyber crime group named GhostR has claimed responsibility for stealing 5.3 million records from the World-Check database, which companies use for "know your customer" (KYC) checks to screen potential clients for financial crime risks. The data theft occurred in March and originated from a Singapore-based firm with access to World-Check. The London Stock Exchange Group (LSEG), which owns World-Check, confirmed that the breach involved a third-party's dataset and not their systems directly. The stolen data includes sensitive information on individuals identified as high-risk, such as government-sanctioned figures and those linked to organised crime. LSEG is coordinating with the affected third party and authorities to protect the compromised data and prevent its dissemination.

Source: [TechCrunch]

Your Annual Cyber Security Is Not Working, But There is a Solution

Most organisations utilise annual security training in an attempt to ensure every department develops their cyber awareness skills and is able to spot and report a threat. However, this training is often out of date. Additionally, often training has limited interactivity, failing to capture and maintain employees’ attention and retention. On top of this, many training courses fail to connect employees to real-world scenarios that could occur in their specific job.

To get the most return on investment, organisations need to have more regular education, with the aim of long-term behavioural shifts in the work place, nudging employees towards greater cyber hygiene.

Source: [TechRadar]

73% of Security Professionals Say They’ve Missed, Ignored or Failed to Act on a High Priority Security Alert

A new survey from Coro, targeting small medium enterprises (SME) cyber security professionals, reveals that 73% have missed or ignored high priority security alerts due to overwhelming workloads and managing multiple security tools. The 2024 SME Security Workload Impact Report highlights that SMEs are inundated with alerts and responsibilities, which dilute their focus from critical security threats. On average, these professionals manage over 11 security tools and spend nearly five hours daily on tasks like monitoring and patching vulnerabilities. Respondents handle an average of over 2,000 endpoint security agents across 656 devices, more than half dealing with frequent vendor updates.

Source: [Business Wire]

Russia and Ukraine Top Inaugural World Cyber Crime Index

The inaugural World Cybercrime Index (WCI) identifies Russia, Ukraine, and China as the top sources of global cyber crime. This index, the first of its kind, was developed over four years by an international team from the University of Oxford and the University of New South Wales, with input from 92 cyber crime experts. These experts ranked countries based on the impact, professionalism, and technical skills of their cyber criminals across five cyber crime categories, including data theft, scams, and money laundering. Russia topped the list, followed by Ukraine and China, highlighting their significant roles in high-tech cyber criminal activities. The index, expected to be updated regularly, aims to provide a clearer understanding of cyber crime's global geography and its correlation with national characteristics like internet penetration and GDP. Of note the UK and US also made the top ten list, so it is not just other countries we need to worry about.

Top ten Countries in full:

1.       Russia

2.       Ukraine

3.       China

4.       United States

5.       Nigeria

6.       Romania

7.       North Korea

8.       United Kingdom

9.       Brazil

10.   India

Source: [Infosecurity Magazine]

Police Takedown Major Cyber Fraud Superstore: Will the Cyber Crime Industry Become More Fragmented?

The London Metropolitan Police takedown of online fraud service LabHost serves as a reminder of the industrial scale on which cyber crimes are being performed, with the service amassing 480,000 debit or credit card numbers and 64,000 PINs: all for the subscription price of £300 a month. The site even included tutorial videos on how to commit crime and offered customer service.

Such takedowns can lead to fragmentation. The 2,000 individuals subscribed to LabHost may have lost access but where there is demand, supply will be found. The takedown of one service allows other, small services to fill the gap. As the saying goes ‘nature abhors a vacuum’ and it is especially true when it comes to cyber crime; there is too much business for empty spaces not to be filled.

Sources: [ITPro] [The Guardian]

Small Businesses See Stable Business Climate; Cite Cyber Security as Top Threat

Small businesses are experiencing a stable business climate, as reflected by the Small Business Index, indicating an increasing optimism about the economy. However, the recent surge in cyber attacks, including major assaults on UnitedHealth Group and MGM Resorts, has underscored the growing vulnerability of these businesses to cyber crime. Despite 80% of small to medium-sized enterprises feeling well-protected by their IT defences, a Devolutions survey reveals that 69% of them still fell victim to cyber attacks last year. This has led to cyber security being viewed as the greatest threat by 60% of small businesses, even surpassing concerns over supply chain disruptions and the potential for another pandemic.

The average cost of these attacks ranges from $120,000 to $1.24 million, leading to 60% of affected businesses closing within six months. This vulnerability is further compounded by a common underestimation of the ransomware threat. While 71% of businesses feel prepared for future threats, the depth of this preparedness varies, with only 23% feeling very prepared for cyber security challenges.

Sources: [Claims Journal] [Inc.com]

The Threat from Inside: Insider Threats Surge 14% Annually as Cost-of-Living Crisis Bites

Employee fraud grew significantly last year thanks to the opportunities afforded by remote working and the pressures of a cost-of-living crisis in the UK, according to Cifas, an anti-fraud non-profit. The number of individuals recorded in its cross-sector Insider Threat Database (ITD) increased 14% year-on-year (YoY) in 2023, with the most common reason being “dishonest action to obtain benefit by theft or deception” (49%).

Insider threats – both by accident or with malicious intent – by their own employees are overlooked, despite accounting for 58% of cybersecurity breaches in recent years. As a result, a large proportion of businesses may lack any strategy to address insider risks, leaving them vulnerable to financial, operational and reputational harm.

Source: [Infosecurity Magazine] [TechRadar]

Dark Web Sales Driving Major Rise in Credential Attacks as Attackers Pummel Networks with Millions of Login Attempts

Dark web sales are driving a major rise in credential attacks, with a surge in infostealer malware attacks over the last three years significantly heightening the cyber crime landscape. Kaspersky reports a sevenfold increase in data theft attacks, leading to the compromise of over 26 million devices since 2022. Cyber criminals stole roughly 400 million login credentials last year alone, often sold on dark web markets for as low as $10 per log file. These stolen credentials have become a lucrative commodity, fostering a complex economy of initial access brokers who facilitate broader corporate network infiltrations. The Asia-Pacific and Latin America regions have been particularly affected, with millions of credentials stolen annually.

Simultaneously, Cisco’s Talos team warns of a current credential compromise campaign targeting networks via mass login attempts to VPN, SSH, and web apps. Attackers use a mix of generic and specific usernames with nearly 100 passwords from about 4,000 IP addresses, likely routed through anonymising services (such as TOR). These attacks pose risks like unauthorised access, account lockouts, and potential denial-of-service. The attack volume has increased since 18 March this year mirroring a previous alert by Cisco about a similar campaign affecting VPNs. Despite method and infrastructure similarities, a direct link between these campaigns is yet to be confirmed.

Sources: [Ars Technica] [Data Breach Today]

Large Enterprises Experience Breaches, Despite Large Security Stacks; Report Finds 93% of Breaches Lead to Downtime and Data Loss

93% of enterprises admitting to having had a breach have suffered significant consequences, ranging from unplanned downtime to data exposure or financial loss, according to a recent report. 73% of organisations made changes to their IT environment at least quarterly, however only 40% tested their security at the same frequency. Unfortunately, this means that many organisations are facing a significant gap in which changes in the IT environment are untested, and therefore their risk unknown.

Security tools can aid this, however as the report finds, despite having a large number of security stacks, 51% still reported a breach in the past 24 months. Organisations must keep in mind that security extends beyond the technical realm, and it needs to include people and operations.

Sources: [Infosecurity Magazine] [Help Net Security]

Charities Doing Worse than Private Sector in Staving off Cyber Attacks

Recent UK Government data reveals a significant cyber security challenge for charities, with about a third experiencing breaches this past year, equating to nearly 924,000 cyber crimes. Notably, 83% of these incidents involved phishing, with other prevalent threats including fraud emails and malware. The data found that 63% of charities said cyber security was a high priority for senior management, however, charities lag behind the private sector in adopting security monitoring tools and conducting risk assessments.

Additionally, while half of the charities implement basic cyber hygiene defences like malware protection and password policies, only about 40% seek external cyber security guidance.

Source: [TFN]


Governance, Risk and Compliance


Threats

Ransomware, Extortion and Destructive Attacks

Ransomware Victims

Phishing & Email Based Attacks

Other Social Engineering

Artificial Intelligence

2FA/MFA

Malware

Mobile

Denial of Service/DoS/DDOS

Internet of Things – IoT

Data Breaches/Leaks

Organised Crime & Criminal Actors

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

Insider Risk and Insider Threats

Insurance

Cloud/SaaS

Identity and Access Management

Linux and Open Source

Passwords, Credential Stuffing & Brute Force Attacks

Social Media

Malvertising

Training, Education and Awareness

Regulations, Fines and Legislation

Models, Frameworks and Standards

Backup and Recovery

Data Protection

Careers, Working in Cyber and Information Security

Law Enforcement Action and Take Downs

Misinformation, Disinformation and Propaganda


Nation State Actors, Advanced Persistent Threats (APTs), Cyber Warfare, Cyber Espionage and Geopolitical Threats/Activity

Cyber Warfare and Cyber Espionage

China

Russia

Iran

North Korea

Other Nation State Actors, Hacktivism, Extremism, Terrorism and Other Geopolitical Threat Intelligence


Vulnerability Management

Vulnerabilities





Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

·         Automotive

·         Construction

·         Critical National Infrastructure (CNI)

·         Defence & Space

·         Education & Academia

·         Energy & Utilities

·         Estate Agencies

·         Financial Services

·         FinTech

·         Food & Agriculture

·         Gaming & Gambling

·         Government & Public Sector (including Law Enforcement)

·         Health/Medical/Pharma

·         Hotels & Hospitality

·         Insurance

·         Legal

·         Manufacturing

·         Maritime

·         Oil, Gas & Mining

·         OT, ICS, IIoT, SCADA & Cyber-Physical Systems

·         Retail & eCommerce

·         Small and Medium Sized Businesses (SMBs)

·         Startups

·         Telecoms

·         Third Sector & Charities

·         Transport & Aviation

·         Web3


As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Read More
Black Arrow Admin Black Arrow Admin

Black Arrow Cyber Threat Briefing 30 December 2022

Black Arrow Cyber Threat Briefing 30 December 2022:

-Cyber Attacks Set to Become ‘Uninsurable’, Says Zurich Chief

-Your Business Should Compensate for Modern Ransomware Capabilities Right Now

-Reported Phishing Attacks Have Quintupled

-Ransomware, DDoS See Major Upsurge Led by Upstart Hacker Group

-Videoconferencing Worries Grow, With SMBs in Cyber Attack Crosshairs

-Will the Crypto Crash Impact Cyber Security in 2023? Maybe.

-The Worst Hacks of 2022

-Geopolitical Tensions Expected to Further Impact Cyber Security in 2023

-Fraudsters’ Working Patterns Have Changed in Recent Years

-Hacktivism is Back and Messier Than Ever

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

  • Cyber Attacks Set to Become ‘Uninsurable’, Says Zurich Chief

The chief executive of one of Europe’s biggest insurance companies has warned that cyber attacks, rather than natural catastrophes, will become “uninsurable” as the disruption from hacks continues to grow.

Insurance executives have been increasingly vocal in recent years about systemic risks, such as pandemics and climate change, that test the sector’s ability to provide coverage. For the second year in a row, natural catastrophe-related claims are expected to top $100bn. 

But Mario Greco, chief executive at insurer Zurich, told the Financial Times that cyber was the risk to watch. “What will become uninsurable is going to be cyber,” he said. “What if someone takes control of vital parts of our infrastructure, the consequences of that?” Recent attacks that have disrupted hospitals, shut down pipelines and targeted government departments have all fed concern about this expanding risk among industry executives. Focusing on the privacy risk to individuals was missing the bigger picture, Greco added: “First off, there must be a perception that this is not just data . . . this is about civilisation. These people can severely disrupt our lives.” 

Spiralling cyber losses in recent years have prompted emergency measures by the sector’s underwriters to limit their exposure. As well as pushing up prices, some insurers have responded by tweaking policies so clients retain more losses. There are exemptions written into policies for certain types of attacks. In 2019, Zurich initially denied a $100mn claim from food company Mondelez, arising from the NotPetya attack, on the basis that the policy excluded a “warlike action”. The two sides later settled. In September, Lloyd’s of London defended a move to limit systemic risk from cyber attacks by requesting that insurance policies written in the market have an exemption for state-backed attacks.

https://www.ft.com/content/63ea94fa-c6fc-449f-b2b8-ea29cc83637d

Your Business Should Compensate for Modern Ransomware Capabilities Right Now

The “if, not when” mentality surrounding ransomware may be the biggest modern threat to business longevity. Companies of all sizes and across all industries are increasingly common targets for ransomware attacks, and we know that 94% of organisations experienced a cyber security incident last year alone. Yet, many enterprises continue to operate with decades-old security protocols that are unequipped to combat modern ransomware. Leaders have prioritised improving physical security measures in light of the pandemic — so why haven’t ransomware protections improved?

Maybe it’s the mistaken notion that ransomware attacks are declining. In reality, Q1 of 2022 saw a 200% YoY increase in ransomware incidents. Meanwhile, the rise in Ransomware as a Service (RaaS) offerings suggests that cyber threats have become a commodity for bad actors.

The RaaS market presents a new and troubling trend for business leaders and IT professionals. With RaaS — a subscription ransomware model that allows affiliates to deploy malware for a fee — the barrier to entry for hackers is lower than ever. The relatively unskilled nature of RaaS hackers may explain why the average ransomware downtime has plummeted to just 3.85 days (compared to an average attack duration of over two months in 2019).

While the decrease in attack duration is promising, the rise of RaaS still suggests an inconvenient truth for business leaders: All organisations are at risk. And in time, all organisations will become a target, which is why it’s time for IT and business leaders to implement tough cyber security protocols.

https://venturebeat.com/security/your-business-should-compensate-for-modern-ransomware-capabilities-right-now/

  • Reported Phishing Attacks Have Quintupled

In the third quarter of 2022, the international Anti-Phishing Working Group (APWG) consortium observed 1,270,883 total phishing attacks; the worst quarter for phishing that APWG has ever observed. The total for August 2022 was 430,141 phishing sites, the highest monthly total ever reported to APWG.

Over recent years, reported phishing attacks submitted to APWG have more than quintupled since the first quarter of 2020, when APWG observed 230,554 attacks. The rise in Q3 2022 was attributable, in part, to increasing numbers of attacks reported against several specific targeted brands. These target companies and their customers suffered from large numbers of attacks from persistent phishers.

Threat researchers at the cyber security solution provider Fortra noted a 488 percent increase in response-based email attacks in Q3 2022 compared to the prior quarter. While every subtype of these attacks increased compared to Q2, the largest increase was in Advance Fee Fraud schemes, which rose by a staggering 1,074 percent.

In the third quarter of 2022, APWG founding member OpSec Security found that phishing attacks against the financial sector, which includes banks, remained the largest set of attacks, accounting for 23.2 percent of all phishing. Attacks against webmail and software-as-a-service (SaaS) providers remained prevalent as well. Phishing against social media services fell to 11 percent of the total, down from 15.3 percent.

Phishing against cryptocurrency targets — such as cryptocurrency exchanges and wallet providers — fell from 4.5 percent of all phishing attacks in Q2 2022 to 2 percent in Q3. This mirrored the fall in value of many cryptocurrencies since mid-year.

https://www.helpnetsecurity.com/2022/12/28/reported-phishing-attacks-quintupled/

  • Ransomware, DDoS See Major Upsurge Led by Upstart Hacker Group

Cyber threat actors Cuba and Royal are driving a 41% boom in ransomware and other attacks hitting industry and consumer goods and services.

According to the Global Threat Intelligence team of information assurance firm NCC Group, November saw a 41% increase in ransomware attacks from 188 incidents to 265. In its most recent Monthly Threat Pulse, the group reported that the month was the most active for ransomware attacks since April this year.

Key takeaways from the study:

  • Ransomware attacks rose by 41% in November.

  • Threat group Royal (16%) was the most active, replacing LockBit as the worst offender for the first time since September 2021.

  • Industrials (32%) and consumer cyclicals (44%) remain the top two most targeted sectors, but technology experienced a large 75% increase over the last month.

  • Regional data remains consistent with last month — North America (45%), Europe (25%) and Asia (14%)

  • DDoS attacks continue to increase.

Recent examples in the services sector include the Play ransomware group’s claimed attack of the German H-Hotels chain, resulting in communications outages. This attack reportedly uses a vulnerability in Microsoft Exchange called ProxyNotShell, which as the name implies, has similarities to the ProxyShell zero-day vulnerability revealed in 2021.

Also, back on the scene is the TrueBot malware downloader (a.k.a., the silence.downloader), which is showing up in an increasing number of devices. TrueBot Windows malware, designed by a Russian-speaking hacking group identified as Silence, has resurfaced bearing Ransom.Clop, which first appeared in 2019. Clop ransomware encrypts systems and exfiltrates data with the threat that if no ransom is forthcoming, the data will show up on a leak site.

https://www.techrepublic.com/article/ransomware-ddos-major-upsurge-led-upstart-hacker-group/

  • Videoconferencing Worries Grow, With SMBs in Cyber Attack Crosshairs

Securing videoconferencing solutions is just one of many IT security challenges small businesses are facing, often with limited financial and human resources.

It's no secret that the acceleration of work-from-home and distributed workforce trends — infamously spurred on by the pandemic — has occurred in tandem with the rise of video communications and collaboration platforms, led by Zoom, Microsoft, and Cisco.

But given that videoconferencing now plays a critical role in how businesses interact with their employees, customers, clients, vendors, and others, these platforms carry significant potential security risks, researchers say.

Organisations use videoconferencing to discuss M&A, legal, military, healthcare, intellectual property and other topics, and even corporate strategies. A loss of that data could be catastrophic for a company, its employees, its clients, and its customers.

However, a recent report on videoconferencing security showed that 93% of IT professionals surveyed acknowledged security vulnerabilities and gaping risks in their videoconferencing solutions.

Among the most relevant risks is the lack of controlled access to conversations that could result in disruption, sabotage, compromise, or exposure of sensitive information, while use of nonsecure, outdated, or unpatched videoconferencing applications can expose security flaws.

The risks include the potential for interruptions, unauthorised access, and perhaps most concerning, the opportunity for a bad actor to acquire sensitive information.

https://www.darkreading.com/application-security/videoconferencing-worries-grow-with-smbs-in-cyberattack-crosshairs

  • Will the Crypto Crash Impact Cyber Security in 2023? Maybe.

With the implosion of the FTX exchange putting a punctuation mark on the cryptocurrency crash of 2022, one of the natural questions for those in the cyber security world is, how will this rapid decline of cryptocurrency valuations change the cyber crime economy?

Throughout the most recent crypto boom, and even before then, cyber criminals have used and abused cryptocurrency to build up their empires. The cryptocurrency market provides the extortionary medium for ransomware; it's a hotbed of scams against consumers to steal their wallets and accounts. Traditionally, it's provided a ton of anonymous cover for money laundering on the back end of a range of cyber criminal enterprises.

Even so, according to cyber security experts and intelligence analysts, while there certainly have been some shifts in trends and tactics that they believe are loosely tied to the crypto crash, the jury's still out on long-term impacts.

Regardless of crypto values, cyber criminals this year have definitely become more sophisticated in how they use cryptocurrencies to monetise their attacks including the use by some ransomware groups taking advantage of yield farming within decentralised finance (DeFi), as an example.

The concept of yield farming is the same as lending money, with a contract in place that clearly shows how much interest will need to be paid. The advantage for ransomware groups is that the 'interest' will be legitimate proceeds, so there will be no need to launder or hide it.

Threat actors are increasingly turning toward 'stablecoins,' which are usually tied to fiat currencies or gold to stem their volatility. In many ways, the downturn in crypto values has increased the risk appetite of cyber criminals and is spurring them into more investment fraud and cryptocurrency scams.

https://www.darkreading.com/threat-intelligence/crypto-crash-impact-cybersecurity-2023-maybe

  • The Worst Hacks of 2022

The year was marked by sinister new twists on cyber security classics, including phishing, breaches, and ransomware attacks.

With the pandemic evolving into an amorphous new phase and political polarisation on the rise around the world, 2022 was an uneasy and often perplexing year in digital security. And while hackers frequently leaned on old chestnuts like phishing and ransomware attacks, they still found vicious new variations to subvert defences.

Technology magazine Wired looked back on the year's worst breaches, leaks, ransomware attacks, state-sponsored hacking campaigns, and digital takeovers. If the first years of the 2020s are any indication, the digital security field in 2023 will be more bizarre and unpredictable than ever. Stay alert, and stay safe out there.

Russia Hacking Ukraine

For years, Russia has pummelled Ukraine with brutal digital attacks causing blackouts, stealing and destroying data, meddling in elections, and releasing destructive malware to ravage the country's networks. Since invading Ukraine in February, though, times have changed for some of Russia's most prominent and most dangerous military hackers. Shrewd long-term campaigns and grimly ingenious hacks have largely given way to a stricter and more regimented clip of quick intrusions into Ukrainian institutions, reconnaissance, and widespread destruction on the network—and then repeated access over and over again, whether through a new breach or by maintaining the old access.

Twilio and the 0ktapus Phishing Spree

Over the summer, a group of researchers dubbed 0ktapus went on a massive phishing bender, compromising nearly 10,000 accounts within more than 130 organisations. The majority of the victim institutions were US-based, but there were dozens in other countries as well.

Ransomware Still Hitting the Most Vulnerable Targets

In recent years, countries around the world and the cyber security industry have increasingly focused on countering ransomware attacks. While there has been some progress on deterrence, ransomware gangs were still on a rampage in 2022 and continued to target vulnerable and vital social institutions, including health care providers and schools. The Russian-speaking group Vice Society, for example, has long specialised in targeting both categories, and it focused its attacks on the education sector this year.

The Lapsus$ Rampage Continues

The digital extortion gang Lapsus$ was on an intense hacking spree at the beginning of 2022, stealing source code and other sensitive information from companies like Nvidia, Samsung, Ubisoft, and Microsoft and then leaking samples as part of apparent extortion attempts. Lapsus$ has a sinister talent for phishing, and in March, it compromised a contractor with access to the ubiquitous authentication service Okta.

LastPass

The beleaguered password manager giant LastPass, which has repeatedly dealt with data breaches and security incidents over the years, said at the end of December that a breach of its cloud storage in August led to a further incident in which hackers targeted a LastPass employee to compromise credentials and cloud storage keys.

Vanuatu

At the beginning of November, Vanuatu, an island nation in the Pacific, was hit by a cyber attack that took down virtually all of the government's digital networks. Agencies had to move to conducting their work on paper because emergency systems, medical records, vehicle registrations, driver's license databases, and tax systems were all down.

Honourable Mention: Twitter-Related Bedlam

Twitter has been in chaos mode for months following Elon Musk's acquisition of the company earlier this year. Amidst the tumult, reports surfaced in July and then again in November of a trove of 5.4 million Twitter users' data that has been circulating on criminal forums since at least July, if not earlier. The data was stolen by exploiting a vulnerability in a Twitter application programming interface, or API.

https://www.wired.com/story/worst-hacks-2022/

  • Geopolitical Tensions Expected to Further Impact Cyber Security in 2023

Geopolitics will continue to have an impact on cyber security and the security posture of organisations long into 2023.

The impact of global conflicts on cyber security was thrust into the spotlight when Russia made moves to invade Ukraine in February 2022. Ukraine’s Western allies were quick to recognise that with this came the threat of Russian-backed cyber-attacks against critical national infrastructure (CNI), especially in retaliation to hefty sanctions. While this may not have materialised in the way many expected, geopolitics is still front of mind for many cyber security experts looking to 2023.

Russia has always been among a handful of states recognised for their cyber prowess and being the source of many cyber criminal gangs. As previously mentioned, we have failed to see a significant cyber-attack, at least one comparable to the Colonial Pipeline incident, in 2022. However the cyber security services provider, e2e-assure, warned: “We have underestimated Russia’s cyber capability. There is a wide view that Russian cyber activity leading up to and during their invasion of Ukraine indicated that they aren’t the cyber power we once thought. Patterns and evidence will emerge in 2023 that shows this wasn’t the case, instead Russia was directing its cyber efforts elsewhere, with non-military goals (financial and political).”

NordVPN, the virtual private network (VPN) provider, warns that the cyber-war is only just starting: “With China’s leader securing his third term and Russia’s war in Ukraine, many experts predict an increase in state-sponsored cyber-attacks. China may increase cyber-attacks on Taiwan, Hong Kong, and other countries opposing the regime. Meanwhile, Russia is predicted to sponsor attacks on countries supporting Ukraine.”

We are used to seeing cyber-attacks that encrypt data and ask for ransom, but it is likely in this era of nation-state sponsored attacks we could experience attacks for the sake of disruption.

https://www.infosecurity-magazine.com/news/geopolitical-tensions-impact/

  • Fraudsters’ Working Patterns Have Changed in Recent Years

Less sophisticated fraud — in which doctored identity documents are readily spotted — has jumped 37% in 2022, according to the identify verfication provider Onfido. Fraudsters can scale these attacks on an organisation’s systems around the clock.

It is estimated that the current global financial cost of fraud is $5.38 trillion (£4.37 trillion), which is 6.4% of the world’s GDP. With most fraud now happening online (80% of reported fraud is cyber-enabled), Onfido’s Identity Fraud Report uncovers patterns of fraudster behaviour, attack techniques, and emerging tactics.

Over the last four years, fraudsters’ working patterns have dramatically changed. In 2019, attacks mirrored a typical working week, peaking Monday to Friday and dropping off during the weekends. Yet over the last three years, fraudulent activity started to shift so that levels of fraud span every day of the week.

In 2022, fraud levels were consistent across 24 hours, seven days a week. With technology, fraudsters are more connected across the globe and are able to traverse regions and time zones, and can easily take advantage of businesses’ closed hours when staff are likely offline. This hyperconnectivity means there are no more ‘business hours’ for fraudsters and sophisticated fraud rings — they will scam and defraud 24/7.

“As criminals look to take advantage of digitisation processes, they’re able to commit financial crimes with increasing efficiency and sophistication, to the extent that financial crime and cyber crime are now invariably linked,” said Interpol. “A significant amount of financial fraud takes place through digital technologies, and the pandemic has only hastened the emergence of digital money laundering tools and other cyber-enabled financial crimes.”

https://www.helpnetsecurity.com/2022/12/29/less-sophisticated-fraud/

  • Hacktivism is Back and Messier Than Ever

Throughout 2022, geopolitics has given rise to a new wave of politically motivated attacks with an undercurrent of state-sponsored meddling.

During its brutal war in Ukraine, Russian troops have burnt cities to the ground, raped and tortured civilians, and committed scores of potential war crimes. On November 23, lawmakers across Europe overwhelmingly labelled Russia a “state sponsor” of terrorism and called for ties with the country to be reduced further. The response to the declaration was instant. The European Parliament’s website was knocked offline by a DDoS attack.

The unsophisticated attack—which involves flooding a website with traffic to make it inaccessible—disrupted the Parliament’s website offline for several hours. Pro-Russian hacktivist group Killnet claimed responsibility for the attack. The hacktivist group has targeted hundreds of organisations around the world this year, having some limited small-scale successes knocking websites offline for short periods of time. It’s been one player in a bigger hacktivism surge.

Following years of sporadic hacktivist activity, 2022 has seen the re-emergence of hacktivism on a large scale. Russia’s full-scale invasion of Ukraine spawned scores of hacktivist groups on both sides of the conflict, while in Iran and Israel, so-called hacktivist groups are launching increasingly destructive attacks. This new wave of hacktivism, which varies between groups and countries, comes with new tactics and approaches and, increasingly, is blurring lines between hacktivism and government-sponsored attacks.

https://www.wired.com/story/hacktivism-russia-ukraine-ddos/


Threats

Ransomware, Extortion and Destructive Attacks

Phishing & Email Based Attacks

Other Social Engineering; Smishing, Vishing, etc

Malware

Mobile

Denial of Service/DoS/DDOS

Internet of Things – IoT

Data Breaches/Leaks

Organised Crime & Criminal Actors

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

Fraud, Scams & Financial Crime

Insurance

Supply Chain and Third Parties

Software Supply Chain

Cloud/SaaS

Identity and Access Management

Encryption

API

Passwords, Credential Stuffing & Brute Force Attacks

Biometrics

Social Media

Malvertising

Privacy

Regulations, Fines and Legislation

Governance, Risk and Compliance

Secure Disposal

Careers, Working in Cyber and Information Security

Law Enforcement Action and Take Downs

Privacy, Surveillance and Mass Monitoring

Artificial Intelligence

Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine






Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

·       Automotive

·       Construction

·       Critical National Infrastructure (CNI)

·       Defence & Space

·       Education & Academia

·       Energy & Utilities

·       Estate Agencies

·       Financial Services

·       FinTech

·       Food & Agriculture

·       Gaming & Gambling

·       Government & Public Sector (including Law Enforcement)

·       Health/Medical/Pharma

·       Hotels & Hospitality

·       Insurance

·       Legal

·       Manufacturing

·       Maritime

·       Oil, Gas & Mining

·       OT, ICS, IIoT, SCADA & Cyber-Physical Systems

·       Retail & eCommerce

·       Small and Medium Sized Businesses (SMBs)

·       Startups

·       Telecoms

·       Third Sector & Charities

·       Transport & Aviation

·       Web3


As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Read More
Black Arrow Admin Black Arrow Admin

Black Arrow Cyber Threat Briefing 21 October 2022

Black Arrow Cyber Threat Briefing 21 October 2022:

-Gen Z, Millennials Really Doesn't Care About Workplace Cyber Security

-Supply Chain Attacks Increased Over 600% This Year and Companies Are Falling Behind

-Cyber-Enabled Crimes Are Biggest Police Concerns

-List of Common Passwords Accounts for Nearly All Cyber Attacks

-Shared Responsibility or Shared Fate? Decentralized IT Means We Are All Cyber Defenders

-Ukraine War Cuts Ransomware as Kremlin Co-Opts Hackers

-96% Of Companies Report Insufficient Security for Sensitive Cloud Data

-Your Microsoft Exchange Server Is a Security Liability

-Are Cyber Security Vendors Pushing Snake Oil?

-Ransomware Preparedness, What Are You Doing Wrong?

-NSA Cybersecurity Director's Six Takeaways from the War in Ukraine

-Microsoft Confirms Server Misconfiguration Led to 65,000+ Companies' Data Leak

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

  • Gen Z, Millennials Really Don’t Care About Workplace Cyber Security

When it comes to cyber security in the workplace, younger employees don’t really seem to care that much, which is putting their organisations in serious harm’s way, new research has claimed.

Surveying approximately 1,000 workers using devices issued by their employers, professional services firm EY found Gen Z enterprise employees were more apathetic about cyber security than their Boomer counterparts in adhering to their employer's safety policies.

This is despite the fact that four in five (83%) of all those surveyed claimed to understand their employer’s security protocol.

When it comes to implementing mandatory IT updates, for example, 58% of Gen Z’ers and 42% of millennials would disregard them for as long as possible. Less than a third (31%) of Gen X’ers, and just 15% of baby boomers said they do the same.

Apathy in the young extends to password reuse between private and business accounts. A third of Gen Z and millennial workers surveyed admitted to this, compared to less than a quarter of all Gen X’ers and baby boomers.

Some say the apathy of young people towards technology is down to their over-familiarity with technology, and never having been without it. Being too comfortable with tech undoubtedly makes an enterprise's younger employees a major target for cyber criminals looking to exploit any hole in security. 

If an organisation's cyber security practices aren't upheld strongly, threat actors can compromise huge networks with simple social engineering attacks.

https://www.techradar.com/news/younger-workers-dont-care-about-workplace-cybersecurity

  • Supply Chain Attacks Increased Over 600% This Year and Companies Are Falling Behind

The number of documented supply chain attacks involving malicious third-party components has increased 633% over the past year, now sitting at over 88,000 known instances, according to a new report from software supply chain management company Sonatype. Meanwhile, instances of transitive vulnerabilities that software components inherit from their own dependencies have also reached unprecedented levels and plague two-thirds of open-source libraries.

“The networked nature of dependencies highlights the importance of having visibility and awareness about these complex supply chains” Sonatype said in its newly released State of the Software Supply Chain report. “These dependencies impact our software, so having an understanding of their origins is critical to vulnerability response. Many organisations did not have the needed visibility and continued their incident response procedures for Log4Shell well beyond the summer of 2022 as a result.”

Log4Shell is a critical vulnerability discovered in November 2021 in Log4j, a widely popular open-source Java library used for logging and bundled in millions of enterprise applications and software products, often as an indirect dependency. According to Sonatype’s monitoring, as of August 2022, the adoption rate for fixed versions of Log4j sits at around 65%. Moreover, this doesn’t even account for the fact that the Log4Shell vulnerability originated in a Java class called JndiManager that is part of Log4j-core, but which has also been borrowed by 783 other projects and is now found in over 19,000 software components.

Log4Shell served as a watershed moment, highlighting the inherent risks that exist in the open-source software ecosystem – which sits at the core of modern software development – and the need to manage them properly. It also led to several initiatives to secure the software supply chain by private organisations, software repository managers, the Linux Foundation, and government bodies. Yet, most organisations are far from where they need to be in terms of open-source supply chain management.

https://www.csoonline.com/article/3677228/supply-chain-attacks-increased-over-600-this-year-and-companies-are-falling-behind.html#tk.rss_news

  • Cyber-Enabled Crimes Are Biggest Police Concerns

Cyber-related crimes such as money laundering, ransomware and phishing pose the biggest threat to society, according to the first ever Interpol Global Crime Trend report.

The inaugural study was compiled from data received from the policing organisation’s 195 member countries, as well as information and analysis from external sources.

Money laundering was ranked the number one threat, with 67% of respondents claiming it to be a “high” or “very high” risk. Ransomware came second (66%) but was the crime type that most (72%) expected to increase in the next 3–5 years.

Of the nine top crime trends identified in the report, six are directly cyber-enabled, including money laundering, ransomware, phishing, financial fraud, computer intrusion and child sexual exploitation.

Interpol warned that the pandemic had fomented new underground offerings like “financial crime-as-a-service,” including digital money laundering tools which help to lower the barrier to entry for criminal gangs. It also claimed that demand for online child sexual exploitation and abuse (OCSEA) content surged during the pandemic. Some 62% of respondents expect it to increase or significantly increase in the coming years.

The findings represent something of a turnaround from pre-pandemic times, when drug trafficking regularly topped the list of police concerns. Thanks to a surge in corporate digitalisation, home working and online shopping, there are now rich pickings to be had from targeting consumers and business users with cyber-scams and attacks, Interpol claimed.

https://www.infosecurity-magazine.com/news/cyberenabled-crimes-are-biggest/

  • List of Common Passwords Accounts for Nearly All Cyber Attacks

Half of a million passwords from the RockYou2021 list account for 99.997% of all credential attacks against a variety of honeypots, suggesting attackers are just taking the easy road.

Tens of millions of credential-based attacks targeting two common types of servers boiled down to a small fraction of the passwords that formed a list of leaked credentials, known as the RockYou2021 list.

Vulnerability management firm Rapid7, via its network of honeypots, recorded every attempt to compromise those servers over a 12-month period, finding that the attempted credential attacks resulted in 512,000 permutations. Almost all of those passwords (99.997%) are included in a common password list — the RockYou2021 file, which has 8.4 billion entries — suggesting that attackers, or the subset of threat actors attacking Rapid7's honeypots, are sticking to a common playbook.

The overlap in all the attacks also suggest attackers are taking the easy road, said Rapid7. "We know now, in a provable and demonstrable way, that nobody — 0% of attackers — is trying to be creative when it comes to unfocused, untargeted attacks across the Internet," they said. "Therefore, it's very easy to avoid this kind of opportunistic attack, and it takes very little effort to take this threat off the table entirely, with modern password managers and configuration controls."

Every year, security firms present research suggesting users are continuing to pick bad passwords. In 2019, an evaluation of passwords leaked to the Internet found that the top password was "123456," followed by "123456789" and "qwerty," and unfortunately things have not got much better since then.

https://www.darkreading.com/endpoint/a-common-password-list-accounts-for-nearly-all-cyberattacks

  • Shared Responsibility or Shared Fate? Decentralised IT Means We Are All Cyber Defenders

Does your organisation truly understand the shared responsibility model? Shared responsibility emerged from the early days of cloud computing as a way to delineate responsibilities between cloud providers and their customers, but often there's a gap between what shared responsibility means and how it is interpreted. With the decentralisation of IT, this gap is getting worse.

Applications, servers, and overall technology used to be under the purview and control of the IT department, yet with the shift to cloud, and specifically software-as-a-service (SaaS), this dynamic has changed. Whether it's the sales team bringing in a customer relationship management (CRM) system like Salesforce, or the HR department operating a human resources information system (HRIS) like Workday, there's a clear "expanding universe" of IT that no longer sits where it used to. Critical business workflows exist in separate business units far from IT and security and are managed as such. Our corporate IT footprints have become decentralised.

This is not some minor, temporary trend. With the ease and speed of adopting new SaaS applications and the desire to "lift and shift" code into cloud-based environments, this is the future. The future is decentralised.

The shift to business-owned and -operated applications puts security teams in a position where risk management is their responsibility; they are not even able to log into some of these critical systems. It's like asking your doctor to keep you healthy but not giving her access to your information or having regular check-ups. It doesn't work that way.

Beyond the challenging human skills gap, there's technical entropy and diversity everywhere, with different configuration settings, event logs, threat vectors, and data sensitivities. On the access side, there are different admins, users, integrations, and APIs. If you think managing security on Windows and Mac is a lot, try it across many huge applications.

With this reality, how can the security team be expected to combat a growing amount of decentralised business technology risk?

We must operate our technology with the understanding that shared responsibility is the vertical view between cloud provider and customer, but that enterprise-owned piece of shared responsibility is the burden of multiple teams horizontally across an organisation. Too often the mentality is us versus them, availability versus security, too busy to care about risk, too concerned with risk to understand "the business."

https://www.darkreading.com/vulnerabilities-threats/shared-responsibility-or-shared-fate-decentralized-it-means-we-are-all-cyber-defenders

  • Ukraine War Cuts Ransomware as Kremlin Co-Opts Hackers

The Ukraine war has helped reduce global ransomware attacks by 10pc in the last few months, a British cyber security company has said.

Criminal hacking gangs, usually engaged in corporate ransomware activities, are increasingly being co-opted by the Russian military to launch cyber attacks on Ukraine, according to Digital Shadows. “The war is likely to continue to motivate ransomware actors to target government and critical infrastructure entities,” according to the firm. Such attacks partly contributed to a 10pc drop in the number of ransomware threats launched during the three months to September, said the London-based company.

The drop in ransomware may also partly be caused by tit-for-tat digital attacks between rival hacking gangs. Researchers said the Lockbit gang, who recently targeted LSE-listed car retailer Pendragon with a $60m (£53.85m) ransom demand, were the target of attacks from their underworld rivals. The group is increasingly inviting resentment from competing threat groups and possibly former members.

Some cyber criminals’ servers went offline in September after what appeared to be an attack from competitors. In the world of cyber criminality, it is not uncommon for tensions to flare among rival groups.

Officials from GCHQ’s National Cyber Security Centre have said ransomware is one of the biggest cyber threats facing the UK. Figures published by the Department for Digital, Culture, Media and Sport this year revealed the average costs to businesses caused by ransomware attacks is around £19,000 per incident.

US-based cyber security company Palo Alto Networks, however, warned that the average ransom payment it saw in the early part of this year was $925,000 (£829,000).

https://www.telegraph.co.uk/business/2022/10/23/ukraine-war-cuts-ransomware-kremlin-co-opts-hackers/

  • 96% Of Companies Report Insufficient Security for Sensitive Cloud Data

The vast majority of organisations lack confidence in securing their data in cloud, while many companies acknowledge they lack sufficient security even for their most sensitive data, according to a new report by the Cloud Security Alliance (CSA).

The CSA report surveyed 1,663 IT and security professionals from organisations of various sizes and in various locations. "Only 4% report sufficient security for 100% of their data in the cloud. This means that 96% of organisations have insufficient security for at least some of their sensitive data," according to the report, which was sponsored by data intelligence firm BigID.

Apart from struggling with securing sensitive data, organisations are also having trouble tracking data in the cloud. Over a quarter of organisations polled aren’t tracking regulated data, nearly a third aren’t tracking confidential or internal data, and 45% aren’t tracking unclassified data, the report said.

“This suggests that organisations’ current methods of classifying data aren’t sufficient for their needs. However, if the tracking is this low, it could be a contributing factor to the issue of dark data. Organisations need to utilise data discovery and classification tools to properly understand the data they have and how to protect it,” the CSA study noted.

https://www.csoonline.com/article/3677491/96-of-companies-report-insufficient-security-for-sensitive-cloud-data.html#tk.rss_news

  • Your Microsoft Exchange Server Is a Security Liability

With endless vulnerabilities, widespread hacking campaigns, slow and technically tough patching, it's time to say goodbye to on-premise Exchange.

Once, reasonable people who cared about security, privacy, and reliability ran their own email servers. Today, the vast majority host their personal email in the cloud, handing off that substantial burden to the capable security and engineering teams at companies like Google and Microsoft. Now, cyber security experts argue that a similar switch is due - or long overdue - for corporate and government networks. For enterprises that use on-premise Microsoft Exchange, still running their own email machine somewhere in a closet or data centre, the time has come to move to a cloud service, if only to avoid the years-long plague of bugs in Exchange servers that has made it nearly impossible to keep determined hackers out.

The latest reminder of that struggle arrived earlier this week, when Taiwanese security researcher Orange Tsai published a blog post laying out the details of a security vulnerability in Microsoft Exchange. Tsai warned Microsoft about this vulnerability as early as June of 2021, and while the company responded by releasing some partial fixes, it took Microsoft 14 months to fully resolve the underlying security problem. Tsai had earlier reported a related vulnerability in Exchange that was massively exploited by a group of Chinese state-sponsored hackers known as Hafnium, which last year penetrated more than 30,000 targets by some counts. Yet according to the timeline described in Tsai’s post this week, Microsoft repeatedly delayed fixing the newer variation of that same vulnerability, assuring Tsai no fewer than four times that it would patch the bug before pushing off a full patch for months longer. When Microsoft finally released a fix, Tsai wrote, it still required manual activation and lacked any documentation for four more months.

Meanwhile, another pair of actively exploited vulnerabilities in Exchange that were revealed last month still remain unpatched after researchers showed that Microsoft’s initial attempts to fix the flaws had failed. Those vulnerabilities were just the latest in a years-long pattern of security bugs in Exchange’s code. And even when Microsoft does release Exchange patches, they’re often not widely implemented, due to the time-consuming technical process of installing them.

The result of those compounding problems, for many who have watched the hacker-induced headaches of running an Exchange server pile up, is a clear message: An Exchange server is itself a security vulnerability, and the fix is to get rid of it.

“You need to move off of on-premise Exchange forever. That’s the bottom line,” says Dustin Childs, the head of threat awareness at security firm Trend Micro’s Zero Day Initiative (ZDI), which pays researchers for finding and reporting vulnerabilities in commonly used software and runs the Pwn2Own hacking competition. “You’re not getting the support, as far as security fixes, that you would expect from a really mission-critical component of your infrastructure.”

https://www.wired.com/story/microsoft-exchange-server-vulnerabilities/

  • Are Cyber Security Vendors Pushing Snake Oil?

Survey: 96 percent of cyber security decision makers confused by vendor marketing.

The availability of new security products increases, the amount of budget spent on cyber security grows, and the number of security breaches seems to outpace both. This basic lack of correlation between increasing cyber security spend and any clear increase in cyber security effectiveness is the subject of a new analytical survey from Egress.

With 52 million data breaches in Q2 2022 alone (Statista), Egress questioned 800 cyber security and IT leaders on why vendor claims and reality aren’t aligned. The headline response in the survey is that 91% of decision makers have difficulty in selecting cyber security vendors due to unclear marketing about their specific offerings.

The financial investment cycle doesn’t help in this. For many investors, the strength of the management team is more important than the product. The argument is not whether this product is a cyber security silver bullet, but whether this management can take the company to a point where it can exit with serious profits.

If investment is achieved, much of it will go into marketing. That marketing must compete against existing, established vendors – so it tends to be louder, more aggressive, and replete with hyperbole. Marketing noise can lead to increased valuation, which can lead to a successful and profitable exit by the investors.

Of course, this is an oversimplification and doesn’t always happen. The point, however, is that it does happen and has no relevance to the real effectiveness of the product in question. Without any doubt, there are many products that have been over-hyped by marketing funds provided by profit-driven investors.

https://www.securityweek.com/are-cybersecurity-vendors-pushing-snake-oil

  • Ransomware Preparedness: What Are You Doing Wrong?

Axio released its 2022 State of Ransomware Preparedness research report, revealing that although notable improvements have been made since Axio’s 2021 report, organisational ransomware preparedness continues to be insufficient to keep pace with new attack vectors.

The report reveals that the lack of fundamental cyber security practices and controls, including critical vulnerability patching and employee cyber security training, continues to undermine organisational attempts to improve ransomware defences.

“Ransomware continues to wreak havoc on global organisations, regardless of size or industry,” remarked the report’s co-author David White, President of Axio. “As the number of attacks will most likely continue on an exponential trajectory, it’s more important than ever for companies to re-evaluate their cyber security practices and make the needed improvements to help combat these attacks.”

The report identifies several emerging patterns that yield insights into why organisations are increasingly susceptible to ransomware attacks. In 2021, seven key areas where organisations were deficient in implementing and sustaining basic cyber security practices were identified, and these patterns dominated the 2022 study results as well:

  • Managing privileged access

  • Improving basic cyber hygiene

  • Reducing exposure to supply chain and third-party risk

  • Monitoring and defending networks

  • Managing ransomware incidents

  • Identifying and addressing vulnerabilities in a timely manner

  • Improving cyber security training and awareness

Overall, most organisations surveyed are not adequately prepared to manage the risk associated with a ransomware attack. Key data findings include:

  • The number of organisations with a functional privileged access management solution in place increased by 10% but remains low at 33% overall.

  • Limitations on the use of service and local administrator accounts remain average overall, with nearly 50% of organisations reporting implementing these practices.

  • Approximately 40% of organisations monitor third-party network access, evaluate third-party cyber security posture, and limit the use of third-party software.

  • Less than 50% of respondents implement basic network segmentation and only 40% monitor for anomalous connections.

  • Critical vulnerability patching within 24 hours was reported by only 24% of organisations.

  • A ransomware-specific playbook for incident management is in place for only 30% of organisations.

  • Active phishing training has improved but is still not practiced by 40% of organisations.

https://www.helpnetsecurity.com/2022/10/20/insufficient-ransomware-preparedness/

  • NSA Cybersecurity Director's Six Takeaways from the War in Ukraine

From the warning banner ‘Be afraid and expect the worst’ that was shown on several Ukrainian government websites on January 13, 2022, after a cyber-attack took them down, the US National Security Agency’s (NSA) cybersecurity director, Rob Joyce, knew that something was going to be different, and very aggressive, between Ukraine and Russia, and that it would be happening in the cyber space as well.

Ten months on, he was invited to speak at one of Mandiant Worldwide Information Security Exchange's (mWISE) opening keynotes on October 18, 2022. Joyce shared six takeaways from the Russia-Ukraine cyber-conflict in terms of what we learned from it and its impact on how nations should protect their organisations.

  1. Both espionage and destructive attacks will occur in conflict

  2. The cyber security industry has unique insight into these conflicts

  3. Sensitive intelligence can make a decisive difference

  4. You can develop resiliency skills

  5. Don’t try to go it alone

  6. You have not planned enough yet for the contingencies

Toward the end of the keynote, Joyce suggested the audience simulate a scenario based on what happened in Ukraine with the China-Taiwan conflict escalating and see what they should put in place to better prepare for such an event.

https://www.infosecurity-magazine.com/news/nsa-6-takeaways-war-ukraine/

  • Microsoft Confirms Server Misconfiguration Led to 65,000+ Companies' Data Leak

Microsoft this week confirmed that it inadvertently exposed information related to thousands of customers following a security lapse that left an endpoint publicly accessible over the internet sans any authentication.

"This misconfiguration resulted in the potential for unauthenticated access to some business transaction data corresponding to interactions between Microsoft and prospective customers, such as the planning or potential implementation and provisioning of Microsoft services," Microsoft said in an alert.

Microsoft also emphasised that the B2B leak was "caused by an unintentional misconfiguration on an endpoint that is not in use across the Microsoft ecosystem and was not the result of a security vulnerability."

The misconfiguration of the Azure Blob Storage was spotted on September 24, 2022, by cyber security company SOCRadar, which termed the leak BlueBleed. Microsoft said it's in the process of directly notifying impacted customers.

The Windows maker did not reveal the scale of the data leak, but according to SOCRadar, it affects more than 65,000 entities in 111 countries. The exposure amounts to 2.4 terabytes of data that consists of invoices, product orders, signed customer documents, partner ecosystem details, among others.

https://thehackernews.com/2022/10/microsoft-confirms-server.html


Threats

Ransomware and Extortion

Phishing & Email Based Attacks

Other Social Engineering; Smishing, Vishing, etc

Malware

Mobile

Internet of Things – IoT

Data Breaches/Leaks

Organised Crime & Criminal Actors

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

Fraud, Scams & Financial Crime

Deepfakes

Insurance

Supply Chain and Third Parties

Software Supply Chain

Denial of Service DoS/DDoS

Cloud/SaaS

Attack Surface Management

Identity and Access Management

Encryption

API

Open Source

Passwords, Credential Stuffing & Brute Force Attacks

Training, Education and Awareness

Privacy, Surveillance and Mass Monitoring

Regulations, Fines and Legislation

Law Enforcement Action and Take Downs

Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine




Vulnerabilities




Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

·       Automotive

·       Construction

·       Critical National Infrastructure (CNI)

·       Defence & Space

·       Education & Academia

·       Energy & Utilities

·       Estate Agencies

·       Financial Services

·       FinTech

·       Food & Agriculture

·       Gaming & Gambling

·       Government & Public Sector (including Law Enforcement)

·       Health/Medical/Pharma

·       Hotels & Hospitality

·       Insurance

·       Legal

·       Manufacturing

·       Maritime

·       Oil, Gas & Mining

·       OT, ICS, IIoT, SCADA & Cyber-Physical Systems

·       Retail & eCommerce

·       Small and Medium Sized Businesses (SMBs)

·       Startups

·       Telecoms

·       Third Sector & Charities

·       Transport & Aviation

·       Web3


As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Read More
Black Arrow Admin Black Arrow Admin

Black Arrow Cyber Threat Briefing 02 September 2022

Black Arrow Cyber Threat Briefing 02 September 2022

-79% Of Companies Only Invest in Cyber Security After Hacking Incidents

-Nearly Half of Breaches During First Half of 2022 Involved Stolen Credentials

-Outdated Infrastructure Not Up to Today’s Ransomware Challenges

-Ghost Data Increases Enterprise Business Risk

-Detected Cyber Threats Surge 52% in 1H 2022

-An Interview with Initial Access Broker Wazawaka: ‘There Is No Such Money Anywhere as There is in Ransomware’

-Cyber Crime Underground More Dangerous Than Organisations Realize

-New Ransomware Group BianLian Activity Exploding

-Can Your Passwords Withstand Threat Actors’ Dirty Tricks?

-Ransomware Gangs’ Favourite Targets

-Tentacles of ‘0ktapus’ Threat Group Victimize 130 Firms

-Organisations Are Spending Billions on Malware Defence That’s Easy to Bypass

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

  • 79% Of Companies Only Invest in Cyber Security After Hacking Incidents

The British cyber security company Tanium published a survey on investments in digital protection in UK companies with alarming results: 79% of them only approve investments in cyber security after suffering a data breach; 92% experienced a data attack or breach, of which 74% occurred in 2021. Leadership reticence is also high, with 63% of leaders convinced cyber security is only a concern after an attack.

The complexity of the situation has grown with the digital transformation of work. If it streamlines many processes, it can also open up serious security gaps. A sensitive point is the “home office”: companies need effective solutions to eliminate gaps that may appear between employees’ computers (often shared devices) and the company’s internal network.

Putting in solutions is just the beginning of a necessary strategy and investment effort in virtual protection. Complex scams based on phishing, reverse engineering, and backdoor-type malicious programs (“planted” discreetly on a device and sometimes inactive for months) often combine real-world and virtual-world fraud.

The escalation of corporate data hijacking appears in this scenario. The most notorious case at a global level of such an incident, with a million-dollar ransom demand, was launched in 2021 on Colonial Pipeline. This US company paid $40 million to regain control over strategic data after fuel supplies through its pipelines to several states were threatened for days.

https://informationsecuritybuzz.com/infosec-news/79-of-the-companies-only-invest-in-cybersecurity-after-hacking-incidents/

  • Nearly Half of Breaches During First Half of 2022 Involved Stolen Credentials

According to a new report by Acronis, a Switzerland-based cyber security company, nearly half of breaches during the first six months of 2022 involved stolen credentials.

The goal of stealing credentials is to launch ransomware attacks. According to the report, these “continue to be the number one threat to large and medium-sized businesses, including government organisations.”

Attackers usually use phishing techniques to extract these credentials. In the first half of the year, over 600 malicious email campaigns made their way across the internet, of which 58% were phishing attempts and 28% featured malware.

Acronis also added that “as reliance on the cloud increases, attackers have homed in on different entryways to cloud-based networks.”

Additionally, cyber criminals now also target unpatched or software vulnerabilities to extract data, with a recent increase on Linux operating systems and managed service providers (MSPs) and their network of SMB customers.

The third vector spotted by Acronis was “non-traditional entry avenues” such as cryptocurrencies and decentralised finance (DeFi) systems.

https://www.itsecurityguru.org/2022/08/30/nearly-half-of-breaches-during-first-half-of-2022-involved-stolen-credentials/

  • Outdated Infrastructure Not Up to Today’s Ransomware Challenges

A global research commissioned by Cohesity reveals that nearly half of respondents say their company depends on outdated, legacy backup and recovery infrastructure to manage and protect their data. In some cases, this technology is more than 20 years old and was designed long before today’s multicloud era and onslaught of sophisticated cyber attacks plaguing enterprises globally.

Challenges pertaining to outdated infrastructure could easily be compounded by the fact that many IT and security teams don’t seem to have a plan in place to mobilise if and when a cyber attack occurs. Nearly 60% of respondents expressed some level of concern that their IT and security teams would be able to mobilise efficiently to respond to the attack.

These are just some of the findings from an April 2022 survey, conducted by Censuswide, of more than 2,000 IT and SecOps professionals (split nearly 50/50 between the two groups) in the United States, the United Kingdom, Australia and New Zealand. All respondents play a role in the decision-making process for IT or security within their organisations.

IT and security teams should raise the alarm bell if their organisation continues to use antiquated technology to manage and secure their most critical digital asset – their data.

Cyber criminals are actively preying on this outdated infrastructure as they know it was not built for today’s dispersed, multicloud environments, nor was it built to help companies protect and rapidly recover from sophisticated cyber attacks.

https://www.helpnetsecurity.com/2022/08/30/outdated-infrastructure-manage-data/

  • Ghost Data Increases Enterprise Business Risk

IT has to get its hands around cloud data sprawl. Another area of focus should be on ghost data, as it expands the organisation's cloud attack surface.

Cloud sprawl is a big issue for organisations, with business teams spinning up cloud systems and services on their own, often without IT oversight. That leads to cloud data sprawl as data is scattered across different environments. If IT doesn’t know about the cloud systems and services, then IT is also not managing the data being collected, processed, and stored there.

We all know about shadow IT, the systems and network devices in the organisation’s environment that IT is not managing. Similarly, shadow data refers to unmanaged data store copies and snapshots or log data that are not part of IT’s backup and recovery strategy. Researchers at Cyera estimate that 60% of the data security posture issues that are present in cloud accounts stem from unsecured sensitive data.

Then there is the problem of ghost data. When data gets deleted from cloud systems, it isn’t fully gone. Copies linger in backups or snapshots of data stores. Ghost data refers to those copies left behind after the original has been deleted, and Cyera’s recent analysis show that enterprises have quite a lot of it.

After scanning the three major cloud providers (Amazon Web Services, Azure, and Google Cloud), Cyera researchers found that over 30% of scanned customer cloud data stores are ghost data and more than 58% contain sensitive, or very sensitive, data. For example, researchers found unsecured database snapshots in non-production environments that contained sensitive customer data where the original database had been destroyed. Researchers also uncovered sensitive personal and authentication data in plain text where the production data and application were no longer in use.

Ghost data usually has no business value - the data was deleted for a reason - and having it around unnecessarily increases business risk. Attackers don’t care if they get their hands on the original sensitive information or the copy because to them, all data has value, regardless of the form it takes.

https://www.darkreading.com/edge-threat-monitor/ghost-data-increases-enterprise-business-risk

  • Detected Cyber Threats Surge 52% in 1H 2022

A leading cyber security vendor blocked 63 billion threats in the first half of 2022 alone, over 50% more than the same period a year ago.

The findings come from the Trend Micro 2022 Midyear Cybersecurity Report and illustrate the scale of the challenge facing network defenders.

Trend Micro highlighted the persistent threat posed by ransomware-as-a-service (RaaS) groups as one that will continue to cause major challenges for organisations in the years to come.

It said detections of prolific groups such as LockBit and Conti increased by 500% year-on-year in 1H 2022. Such groups will continue to adapt their tactics, techniques and procedures (TTPs) in the race for profits.

The report warned of a surge in threats targeting Linux systems, for example. It said detections of attacks on Linux servers and embedded systems grew 75% year-on-year in the first half of 2022. Both SMBs and larger organisations are now a target, it claimed.

Many RaaS groups exploit vulnerabilities as a primary attack vector. Their job is getting easier as the number of published common vulnerabilities and exposures (CVEs) continues to grow strongly.

Trend Micro’s Zero Day Initiative published advisories on 944 vulnerabilities in the first half of 2021, a 23% year-on-year increase. The number of critical bug advisories it published soared by 400% over the same period.

https://www.infosecurity-magazine.com/news/detected-cyberthreats-surge-52-in/

  • An Interview with Initial Access Broker Wazawaka: ‘There Is No Such Money Anywhere as There is in Ransomware’

Last April, a ransomware group threatened to expose police informants and other sensitive information if the Washington, D.C. Metropolitan Police Department did not pay a demand.

The brazen attack was the work of a gang known as Babuk, which in early 2021 gained a reputation for posting stolen databases on its website from victims that refused to pay a ransom. Just days after it tried to extort the Metropolitan Police Department, Babuk announced it was closing its ransomware affiliate program, and would focus on data theft and extortion instead.

Earlier this year, cyber security journalist Brian Krebs uncovered details about one man behind the operation named Mikhail Matveev, who was also connected to a number of other groups and identities, including the handle ‘Wazawaka.’ According to Krebs, Matveev had become more unhinged than usual, “publishing bizarre selfie videos” and creating a Twitter account to share exploit code.

Matveev talked to Recorded Future about his interaction with other hackers, details about ransomware attacks he’s been involved in, and how he settled on the name Babuk.

Click the link below for the full interview but the long and short is ransomware has created a criminal ecosystem the likes of which the world has never seen.

https://therecord.media/an-interview-with-initial-access-broker-wazawaka-there-is-no-such-money-anywhere-as-there-is-in-ransomware/

  • Cyber Crime Underground More Dangerous Than Organisations Realise

Kela, a cyber threat intelligence specialist, found in a new study of some 400 security pros in the US that organisations are more at risk from the “cyber crime underground” than they realise.

The Israel-based company surveyed security team members responsible for gathering cyber crime threat intelligence daily to better understand if they’re proactively scanning the dark web and other cyber crime sources, what tools they’re using and the gaps they see in their cyber crime threat intelligence approach. Nearly 60% of the respondents do not believe their current cyber crime prevention is effective, the results showed.

Here are the study’s key findings:

  • 69% are concerned about threats from the cyber crime underground.

  • 54% wouldn’t be surprised to find their organisation’s data on the cyber crime underground.

  • Only 38% believe that they’re very likely to detect it if it was released.

  • 48% have no documented cyber crime threat intelligence policy in place.

  • Only 41% believe their current security program is very effective.

  • 49% are not satisfied with the visibility they have of the cyber crime underground.

  • Of the 51% who were satisfied with their visibility into the cyber crime underground, 39% were still unable to prevent an attack.

  • Additional training and proficiency in cyber crime intelligence investigations is the most needed capability.

https://www.msspalert.com/cybersecurity-research/cybercrime-underground-more-dangerous-than-organizations-realize-threat-intelligence-firm-warns/

  • New Ransomware Group BianLian Activity Exploding

A new ransomware group operating under the name BianLian emerged in late 2021 and has become increasingly active since.

The threat actor already has twenty alleged victims across several industries (insurance, medicine, law and engineering), according to a research paper from US cyber security firm Redacted, published on September 1, 2022. The majority of the victim organisations have been based in Australia, North America and the UK.

The research team has given no attribution yet but believes the threat actor “represents a group of individuals who are very skilled in network penetration but are relatively new to the extortion/ransomware business.”

BianLian uses a custom toolkit, including homemade encryptors and encryption backdoors. Both, as well as the command-and-control (C&C) software the hackers use, are written in Go, an increasingly popular programming language among ransomware threat actors.

Troublingly, the Redacted team of researchers has found evidence that BianLian is likely now trying to up their game.

https://www.infosecurity-magazine.com/news/new-ransomware-group-bianlian/

  • Can Your Passwords Withstand Threat Actors’ Dirty Tricks?

Password security hinges on the answer to that seemingly simple question. Unfortunately, you can’t know the answer until you’ve engaged a ruthless penetration tester to find out if your environment can stand up to the frighteningly good password cracking skills of today’s most nefarious hackers.

The whole purpose of hiring skilled penetration testers (“pentesters”) is to find out if your environment is truly impenetrable — and if it’s not, exactly how you should shore up your defences. Good pentesters and red teamers spend their time trying to simulate and emulate the real bad actors. After all, what’s the point of pressure-testing your IT infrastructure if you don’t use the same pressure that you’ll face in the real world?

You should “train like you fight.” Without sparring, how can you expect to jump into a boxing ring and go a few rounds with a skilled boxer? That’s the entire point of goal-based penetration testing and red/purple team engagements that simulate real-world threat actors.

Password cracking will continue to evolve – and so should your penetration testing tactics and plans. By the time you get to your fourth or fifth round with a quality pentesting consultancy, your risk mitigation will have dramatically improved — which means you’ll be able to move on to the next stage of security maturity.

https://www.helpnetsecurity.com/2022/08/30/stand-up-to-password-cracking/

  • Ransomware Gangs’ Favourite Targets

Barracuda released its fourth-annual threat research report which looks at ransomware attack patterns that occurred between August 2021 and July 2022.

For the 106 highly publicised attacks our researchers analysed, the dominant targets are still five key industries: education (15%), municipalities (12%), healthcare (12%), infrastructure (8%), and financial (6%). The number of ransomware attacks increased year-over-year across each of these five industry verticals, and attacks against other industries more than doubled compared to last year’s report.

While attacks on municipalities increased only slightly, the analysis over the past 12 months showed that ransomware attacks on educational institutions more than doubled, and attacks on the healthcare and financial verticals tripled. Many choose not to disclose when they get hit.

This year, researchers dug in deeper on these highly publicised attacks to see which other industries are starting to be targeted. Service providers were hit the most, and ransomware attacks on automobile, hospitality, media, retail, software, and technology organisations all increased as well.

Most ransomware attacks don’t make headlines, though. Many victims choose not to disclose when they get hit, and the attacks are often sophisticated and extremely hard to handle for small businesses.

As ransomware and other cyber threats continue to evolve, the need for adequate security solutions has never been greater. Many cyber criminals target small businesses in an attempt to gain access to larger organisations. As a result, it is essential for security providers to create products that are easy to use and implement, regardless of a company’s size.

Additionally, sophisticated security technologies should be available as services, so that businesses of all sizes can protect themselves against these ever-changing threats. By making security solutions more accessible and user-friendly, the entire industry can help to better defend against ransomware and other cyber attacks.

https://www.helpnetsecurity.com/2022/08/31/ransomware-attack-patterns/

  • Tentacles of ‘0ktapus’ Threat Group Victimise 130 Firms

Over 130 companies were tangled in sprawling phishing campaign that spoofed a multi-factor authentication system.

Targeted attacks on Twilio and Cloudflare employees are tied to a massive phishing campaign that resulted in 9,931 accounts at over 130 organisations being compromised. The campaigns are tied to focused abuse of identity and access management firm Okta, which gained the threat actors the 0ktapus moniker, by researchers.

The primary goal of the threat actors was to obtain Okta identity credentials and multi-factor authentication (MFA) codes from users of the targeted organisations. These users received text messages containing links to phishing sites that mimicked the Okta authentication page of their organisation.

114 US-based firms were impacted, with additional victims of sprinkled across 68 additional countries. The full scope of the attack is still unknown but the 0ktapus campaign has been incredibly effective, and the full scale of it may not be known for some time.

The 0ktapus attackers are believed to have begun their campaign by targeting telecommunications companies in hopes of winning access to potential targets’ phone numbers.

While unsure exactly how threat actors obtained a list of phone numbers used in MFA-related attacks, one theory researchers posit is that 0ktapus attackers began their campaign targeting telecommunications companies.

https://threatpost.com/0ktapus-victimize-130-firms/180487/

  • Organisations Are Spending Billions on Malware Defence That’s Easy to Bypass

Last year, organisations spent $2 billion on products that provide Endpoint Detection and Response, a relatively new type of security protection for detecting and blocking malware targeting network-connected devices. EDRs, as they're commonly called, represent a newer approach to malware detection. Static analysis, one of two more traditional methods, searches for suspicious signs in the DNA of a file itself. Dynamic analysis, the other more established method, runs untrusted code inside a secured "sandbox" to analyse what it does to confirm it's safe before allowing it to have full system access.

EDRs—which are forecasted to generate revenue of $18 billion by 2031 and are sold by dozens of security companies—take an entirely different approach. Rather than analyse the structure or execution of the code ahead of time, EDRs monitor the code's behaviour as it runs inside a machine or network. In theory, it can shut down a ransomware attack in progress by detecting that a process executed on hundreds of machines in the past 15 minutes is encrypting files en masse. Unlike static and dynamic analyses, EDR is akin to a security guard that uses machine learning to keep tabs in real time on the activities inside a machine or network.

Despite the buzz surrounding EDRs, new research suggests that the protection they provide isn't all that hard for skilled malware developers to circumvent. In fact, the researchers behind the study estimate EDR evasion adds only one additional week of development time to the typical infection of a large organisational network. That's because two fairly basic bypass techniques, particularly when combined, appear to work on most EDRs available in the industry.

https://arstechnica.com/information-technology/2022/08/newfangled-edr-malware-detection-generates-billions-but-is-easy-to-bypass/


Threats

Ransomware

BEC – Business Email Compromise

Malware

Mobile

Internet of Things – IoT

Data Breaches/Leaks

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

Insider Risk and Insider Threats

Fraud, Scams & Financial Crime

Insurance

Dark Web

Supply Chain and Third Parties

Software Supply Chain

Denial of Service DoS/DDoS

Cloud/SaaS

Encryption

API

Open Source

Passwords, Credential Stuffing & Brute Force Attacks

Social Media

Training, Education and Awareness

Privacy

Travel

Parental Controls and Child Safety

Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine






Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

·       Automotive

·       Construction

·       Critical National Infrastructure (CNI)

·       Defence & Space

·       Education & Academia

·       Energy & Utilities

·       Estate Agencies

·       Financial Services

·       FinTech

·       Food & Agriculture

·       Gaming & Gambling

·       Government & Public Sector (including Law Enforcement)

·       Health/Medical/Pharma

·       Hotels & Hospitality

·       Insurance

·       Legal

·       Manufacturing

·       Maritime

·       Oil, Gas & Mining

·       OT, ICS, IIoT, SCADA & Cyber-Physical Systems

·       Retail & eCommerce

·       Small and Medium Sized Businesses (SMBs)

·       Startups

·       Telecoms

·       Third Sector & Charities

·       Transport & Aviation

·       Web3


As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Read More