Threat Intelligence Blog
Contact us to discuss any insights from our Blog, and how we can support you in a tailored threat intelligence report.
Black Arrow Cyber Threat Briefing 14 July 2023
Black Arrow Cyber Threat Briefing 14 July 2023:
-Cyber Attacks Are a War We'll Never Win, but We Can Defend Ourselves
-Helping Boards Understand Cyber Risks
-Enterprise Risk Management Should Inform Cyber Risk Strategies
-Law Firms at High Risk of Attack as Ransomware Groups Begin to Focus Attention
-20% of Malware Attacks Bypass Antivirus Protection
-Ransomware Payments and Extortion Spiked Compared to 2022
-AI, Trust, and Data Security are Key Issues for Finance Firms and Their Customers
-Caution: Microsoft Warns of Office Zero-Day Attacks with No Patch Available
-Scam Page Volumes Surge 304% Annually
-Financial Industry Faces Soaring Ransomware Threat
-The Need for Risk-Based Vulnerability Management to Combat Threats
-Government Agencies Breached in Microsoft 365 Email Attacks
-Concerns Raised as Report Questions UK’s “Completely Inadequate” Defence to Threats from China
-Hackers Backed by North Korea have Stolen Billions of Dollars Over the Last Five Years
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
Cyber Attacks Are a War We'll Never Win, But We Can Defend Ourselves
The cyber threat landscape is constantly evolving, with hackers becoming more creative in their exploitation of businesses and personal data. As the frequency and sophistication of cyber attacks increase, it's clear that the cyber security war is an endless series of battles that demand constant innovation and vigilance. Recognising the necessity of having built-in security, organisations should integrate security measures into their systems and foster a culture of security awareness.
Acknowledging that breaches are an inevitable risk, an orchestrated team response, well-practiced recovery plan, and effective communication strategy are key to managing crises. Organisations must also invest in proactive security measures, including emerging technologies to spot intrusions early. Ultimately, cyber security isn't just a technical concern, it's a cultural and organisational imperative, requiring the incorporation of security measures into every aspect of an organisation's operations and philosophy.
Helping Boards Understand Cyber Risks
A difference in perspective is a fundamental reason board members and the cyber security team are not always aligned. Board members typically have a much broader view of the organisation’s goals, strategies, and overall risk landscape, where CISOs are responsible for assessing and mitigating cyber security risk.
It’s often a result of the board lacking cyber security expertise among its members, the complexity with understanding the topic and CISOs who focus too heavily on technical language during their discussions with the board which can cause a differing perspective. For organisations to be most effective in their approach to cyber security, they should hire CISOs or vCISOs who wear more than one hat and are able to understand cyber in context to the business. In addition, having cyber expertise on the board will pay dividends; this can be achieved by direct hiring or upskilling of board members.
Black Arrow supports clients as their vCISO or Non-Executive Director (NED) with specialist experience in cyber security risk management in a business context.
https://www.helpnetsecurity.com/2023/07/11/david-christensen-plansource-board-ciso-communication/
Enterprise Risk Management Should Inform Cyber Risk Strategies
While executives and boards once viewed cyber security as a primarily technical concern, many now recognise it as a major business issue. A single serious data breach could result in debilitating operational disruptions, financial losses, reputational damage, and regulatory penalties.
Cyber security focuses on protecting digital assets from threats, while enterprise risk management adopts a wider approach, mitigating diverse risks across several domains beyond the digital sphere. Rather than existing in siloes, enterprise risk management and cyber risk management strategies should complement and inform each other. By integrating cyber security into their risk management frameworks, organisations can more efficiently and effectively protect their most valuable digital assets.
Law Firms at High Risk of Attack as Ransomware Groups Begin to Focus Attention
Three of the largest US law firms have been newly hit by the Cl0p cyber syndicate as part of dozens of ransomware attacks across industries that so far have affected more than 16 million people. All three law firms feature on Cl0p’s leak site, which lists organisations who Cl0p have breached.
This comes as the UK National Cyber Security (NCSC) noted in a report the threat to the legal sector. Law firms are a particularly attractive target for the depth of sensitive personal information they hold from individuals and companies, plus the dual threat of publishing it publicly should a ransom demand go unmet. In Australia, law firm HWL Ebsworth confirmed several documents relating to its work with several Victorian Government departments and agencies had been released by cyber criminals to the dark web following a data breach announced in April 2023.
The extortion of law firms allows extra opportunities for an attacker, including exploiting opportunities for insider trading, gaining the upper hand in negotiations and litigation, or subverting the course of justice. Based on the above, it is no wonder the Solicitors Regulation Authority (SRA) in the UK found that 75% of the law firms they visited has been a victim of a cyber attack.
https://www.helpnetsecurity.com/2023/07/10/law-firm-cyberattack/
20% of Malware Attacks Bypass Antivirus Protection
In the first half of 2023, researchers found that 20% of all recaptured malware logs had an antivirus program installed at the time of successful malware execution. Not only did these solutions not prevent the attack, they also lack the automated ability to protect against any stolen data that can be used in the aftermath.
The researchers found that the common entry points for malware are permitting employees to sync browser data between personal and professional devices (57%), struggling with shadow IT due to employees' unauthorised use of applications and systems (54%), and allowing unmanaged personal or shared devices to access business applications (36%).
Such practices expose organisations to subsequent attacks, like ransomware, resulting from stolen access credentials. Malware detection and quick action on exposures are critical; however, many organisations struggle with response and recovery with many firms failing to have robust incident response plans.
https://www.helpnetsecurity.com/2023/07/13/malware-infections-responses/
Ransomware Payments and Extortion Spiked Compared to 2022
A recent report from Chainalysis found that ransomware activity is on track to break previous records, having extorted at least $449.1 million through June. For all of 2022, that number didn’t even reach $500 million. Similarly, a separate report using research statistics from Action Fraud UK, the UK’s national reporting centre for fraud, found cyber extortion cases surged 39% annually.
It’s no wonder both are on the rise, as the commonly used method of encrypting data behind a ransom is being combined with threatening to leak data; this gives bad actors two opportunities to gain payment. With this, the worry about the availability of your data now extends to the confidentiality and integrity of it.
https://www.infosecurity-magazine.com/news/cyber-extortion-cases-surge-39/
AI, Trust, and Data Security are Key Issues for Finance Firms and Their Customers
Business leaders have been warned to expect more instability and uncertainly following on from the unpredictable nature of events during the past few years, from COVID-19 to business restructurings, the Russian invasion of Ukraine and the rise of generative artificial intelligence (AI). A recent report found that customers feel they lack appropriate guidance from their financial providers during times of economic uncertainty; the lack of satisfactory experience and a desire for a better digital experience is causing 25% of customers to switch banks.
The report also found that 23% of customers do not trust AI and 56% are neutral. This deficit in trust can swing in either direction based on how Financial Services Institutions (FSIs) use and deliver AI-powered services. While the benefits of AI are unclear, an increased awareness of personal data security has made trust between providers and customers more crucial than ever. In fact, 78% of customers say they would switch financial service providers if they felt their data was mishandled.
Caution: Microsoft Warns of Office Zero-Day Attacks with No Patch Available
Russian spies and cyber criminals are actively exploiting still-unpatched security flaws in Microsoft Windows and Office products, according to an urgent warning from Microsoft. While Microsoft recently released patches for 130 vulnerabilities, including 9 criticals, 6 which are actively being exploited (see our advisory here), a series of remote code execution vulnerabilities were not addressed, and attackers have been actively exploiting them because the patches are not yet available.
An attacker could create a specially crafted Microsoft Office document that enables them to perform remote code execution in the context of the victim. All an attacker would have to do is to convince the victim to open the malicious file. Microsoft have stated that a security update may be released out of cycle to address these flaws.
https://www.securityweek.com/microsoft-warns-of-office-zero-day-attacks-no-patch-available/
Scam Page Volumes Surge 304% Annually
Security researchers have recorded a 62% year-on-year increase in phishing websites and a 304% surge in scam pages in 2022. The Digital Risk Trends 2023 report classifies phishing as a threat resulting in the theft of personal information and a scam as any attempt to trick a victim into voluntarily handing over money or sensitive information.
It found that the average number of instances in which a brand’s image and logo was appropriated for use in scam campaigns increased 162% YoY, rising to 211% in APAC. Scams are also becoming more automated, as the ever-increasing number of new tools available to would-be cyber criminals has lowered the barrier of entry. We expect to see AI also play a greater role in scams in the future.
https://www.infosecurity-magazine.com/news/scam-page-volumes-surge-304/
Financial Industry Faces Soaring Ransomware Threat
The financial industry has been facing a surge in ransomware attacks over the past few years, said cyber security provider SOCRadar in a threat analysis post. This trend started in the first half of 2021, when Trend Micro saw a staggering 1,318% increase in ransomware attacks targeting banks and financial institutions compared to the same period in 2020. Sophos also found that over half (55%) of financial service firms fell victim to at least one ransomware attack in 2021, a 62% increase from 2020.
https://www.infosecurity-magazine.com/news/financial-industry-faces-soaring/
The Need for Risk-Based Vulnerability Management to Combat Threats
Cyber attacks are increasing as the number of vulnerabilities found in software has increased by over 50% in the last 5 years. This is a result of unpatched and poorly configured systems as 75% of organisations believe they are vulnerable to a cyber attack due to unpatched software. As vulnerabilities continue to rise and security evolves, it is becoming increasingly apparent that conventional vulnerability management programs are inadequate for managing the expanding attack surface. In comparison, a risk-based strategy enables organisations to assess the level of risk posed by vulnerabilities. This approach allows teams to prioritise vulnerabilities based on their assessed risk levels and remediate those with higher risks, minimising potential attacks in a way that is continuous, and automated.
By enhancing your vulnerability risk management process, you will be able to proactively address potential issues before they escalate and maintain a proactive stance in managing vulnerabilities and cloud security. Through the incorporation of automated threat intelligence risk monitoring, you will be able to identify significant risks before they become exploitable.
Government Agencies Breached in Microsoft 365 Email Attacks
Microsoft disclosed an attack against customer email accounts that affected US government agencies and led to stolen data. While questions remain about the attacks, Microsoft provided some details in two blog posts on Tuesday, including attribution to a China-based threat actor it tracks as Storm-0558. The month long intrusion began on 15 May and was first reported to Microsoft by a federal civilian executive branch (FCEB) agency in June.
Microsoft said attackers gained access to approximately 25 organisations, including government agencies. While Microsoft has mitigated the attack vector, the US Government Cybersecurity and Infrastructure Security Agency (CISA) was first to initially detect the suspicious activity. The government agency published an advisory that included an attack timeline, technical details and mitigation recommendations. CISA said an FCEB agency discovered suspicious activity in its Microsoft 365 (M365) environment sometime last month.
Concerns Raised as Report Questions UK’s “Completely Inadequate” Defence to Threats from China
Britain’s spy watchdog has slammed the UK Government for a “completely inadequate” response to Chinese espionage and interference which risked an “existential threat to liberal democratic systems”. In a bombshell 207 page report, Parliament’s Intelligence and Security Committee issued a series of alarming warnings about how British universities, the nuclear sector, Government and organisations alike were being targeted by China.
Hackers Backed by North Korea have Stolen Billions of Dollars Over the Last Five Years
Hackers have developed a list of sophisticated tricks that allow them to weasel their way into the networks of possible targets, including organisations. Sometimes a North Korean hacker would pose as a recruitment officer to get an employee’s attention. The cyber criminal would then share an infected file with the unsuspecting company employee. This was the case of the famous 2021’s Axie Infinity hack that allowed the North Koreans to steal more than $600 million after one of the game developers was offered a fake job by the hackers.
https://www.pandasecurity.com/en/mediacenter/security/north-korea-stolen-crypto/
Governance, Risk and Compliance
CISO perspective on why boards don't fully grasp cyber attack risks - Help Net Security
Top Takeaways From Table Talks With Fortune 100 CISOs (darkreading.com)
AI, trust, and data security are key issues for finance firms and their customers | ZDNET
Cyber Attacks Are a War We'll Never Win, but We Can Defend Ourselves (darkreading.com)
Exposure Management Looks to Attack Paths, Identity to Better Measure Risk (darkreading.com)
Enterprise risk management should inform cyber-risk strategies | TechTarget
Threats
Ransomware, Extortion and Destructive Attacks
Cl0p Hackers Hit Three of the Biggest US Law Firms in Large Ransomware Attack - MSSP Alert
UK battles hacking wave as ransomware gang claims ‘biggest ever’ NHS breach | TechCrunch
Cl0p has yet to deploy ransomware while exploiting MOVEit zero-day | SC Media (scmagazine.com)
Banks, hotels and hospitals among latest MOVEit mass-hack victims | TechCrunch
Cyber Extortion Cases Surge 39% Annually - Infosecurity Magazine (infosecurity-magazine.com)
Ransomware payments on record-breaking trajectory for 2023 (bleepingcomputer.com)
Beware of Big Head Ransomware: Spreading Through Fake Windows Updates (thehackernews.com)
Deutsche Bank confirms provider breach exposed customer data (bleepingcomputer.com)
BigHead and RedEnergy ransomware, more MOVEIt problems (cisoseries.com)
Cl0p hacker operating from Russia-Ukraine war front line-Security Affairs
Same code, different ransomware? Leaks kick-start myriad of new variants - Help Net Security
Rogue IT security worker who impersonated ransomware gang is sentenced to jail • Graham Cluley
BlackByte 2.0 Ransomware: Infiltrate, Encrypt, and Extort in Just 5 Days (thehackernews.com)
Ransomware Victims
Capita admits hackers also stole staff’s personal details (thetimes.co.uk)
Banks, hotels and hospitals among latest MOVEit mass-hack victims | TechCrunch
Royal Navy contractor forced to pay off cyber criminals (telegraph.co.uk)
Barts NHS hack leaves folks on tenterhooks over extortion • The Register
Scottish university cyber attack under investigation | The National
Phishing & Email Based Attacks
New Phishing Attack Spoofs Microsoft 365 Authentication System (hackread.com)
Number of email-based phishing attacks surges 464% - Help Net Security
Chinese hackers compromised emails of US Government agencies- -Security Affairs
Microsoft: Government agencies breached in email attacks | TechTarget
RomCom hackers target NATO Summit attendees in phishing attacks (bleepingcomputer.com)Facebook and Microsoft remain prime targets for spoofing - Help Net Security
Top 10 Email Security Best Practices in 2023 (gbhackers.com)
Other Social Engineering; Smishing, Vishing, etc
Vishing Goes High-Tech: New 'Letscall' Malware Employs Voice Traffic Routing (thehackernews.com)
Evil QR - A new QR Jacking Attack to Take Over User Accounts (cybersecuritynews.com)
How hackers are now targeting your voice and how to protect yourself | Fox News
Artificial Intelligence
How the EU AI Act Will Affect Businesses, Cyber Security (darkreading.com)
Vishing Goes High-Tech: New 'Letscall' Malware Employs Voice Traffic Routing (thehackernews.com)
ChatGPT and Cyber Security : 5 Cyber Security Risks of ChatGPT (gbhackers.com)
WormGPT Cyber Crime Tool Heralds an Era of AI Malware vs. AI Defences (darkreading.com)
How to Safely Architect AI in Your Cyber Security Programs (darkreading.com)
ChatGPT users drop for the first time as people turn to uncensored chatbots | Ars Technica
Secretaries of State brace for wave of AI-fueled disinformation during 2024 campaign | CyberScoop
Civil society, labor and rights groups express concerns about AI at White House meeting | CyberScoop
2FA/MFA
Malware
20% of malware attacks bypass antivirus protection - Help Net Security
Malware delivery to Microsoft Teams users made easy - Help Net Security
WormGPT Cyber Crime Tool Heralds an Era of AI Malware vs. AI Defences (darkreading.com)
Truebot Malware Variants Abound, According to CISA Advisory (darkreading.com)
Hackers Exploit Windows Policy Loophole to Forge Kernel-Mode Driver Signatures (thehackernews.com)
USB drive malware attacks spiking again in first half of 2023 (bleepingcomputer.com)
Charming Kitten hackers use new ‘NokNok’ malware for macOS (bleepingcomputer.com)
Banking Firms Under Attack by Sophisticated 'Toitoin' Campaign (darkreading.com)
Over 100 malicious signed Windows drivers blocked by Microsoft - NotebookCheck.net News
New 'ShadowVault' macOS malware steals passwords, crypto, credit card data | Macworld
BlackLotus UEFI Bootkit Source Code Leaked on GitHub - SecurityWeek
PicassoLoader Malware Used in Ongoing Attacks on Ukraine and Poland (thehackernews.com)
AVrecon malware infects 70,0000 Linux routers to build botnet (bleepingcomputer.com)
Serious Security: Rowhammer returns to gaslight your computer – Naked Security (sophos.com)
Linux Hacker Exploits Researchers With Fake PoCs Posted to GitHub (darkreading.com)
Mobile
Crooks Evolve Antidetect Tooling for Mobile OS-Based Fraud-Security Affairs
The FCC aims to stop SIM swappers with new rules - The Verge
Google Play will enforce business checks to curb malware submissions (bleepingcomputer.com)
Clever Letscall vishing malware targets Android phones | SC Media (scmagazine.com)
Denial of Service/DoS/DDOS
Industry responses and strategies for navigating the tides of DDoS attacks - Help Net Security
Archive Of Our Own Down: AO3 DDoS Attack Explained - Dataconomy
Internet of Things – IoT
Data Breaches/Leaks
So you gave personal info to a company caught in a data breach. Now what? | CBC News
HCA confirms breach after hacker steals data of 11 million patients (bleepingcomputer.com)
US on Track For Record Number of Data Breaches - Infosecurity Magazine (infosecurity-magazine.com)
Twitter User Exposes Nickelodeon Data Leak - Infosecurity Magazine (infosecurity-magazine.com)
Capita attackers reportedly stole data from pension fund • The Register
Twenty Manx public authorities reprimanded for data breach - BBC News
Bangladesh government website leaked data of millions of citizens-Security Affairs
Organised Crime & Criminal Actors
Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain
Cyber security professional accused of stealing $9M in crypto | TechCrunch
SCARLETEEL Cryptojacking Campaign Exploiting AWS Fargate in Ongoing Campaign (thehackernews.com)
Insider Risk and Insider Threats
How To Protect Your Business From The Security Risks Freelancers Pose (forbes.com)
Former employee charged for attacking water treatment plant (bleepingcomputer.com)
Rogue IT security worker who impersonated ransomware gang is sentenced to jail • Graham Cluley
Fraud, Scams & Financial Crime
E-commerce Fraud Surges By Over 50% Annually - Infosecurity Magazine (infosecurity-magazine.com)
Scam Page Volumes Surge 304% Annually - Infosecurity Magazine (infosecurity-magazine.com)
The FCC aims to stop SIM swappers with new rules - The Verge
Insurance
Dark Web
Supply Chain and Third Parties
Royal Navy contractor forced to pay off cyber criminals (telegraph.co.uk)
Capita attackers reportedly stole data from pension fund • The Register
MOVEit: Testing the Limits of Supply Chain Security - SecurityWeek
Cloud/SaaS
Only 45% of cloud data is currently encrypted - Help Net Security
Microsoft alleges China behind attack on Exchange Online • The Register
For stronger public cloud data security, use defence in depth | TechTarget
Silentbob Campaign: Cloud-Native Environments Under Attack (thehackernews.com)
Global Retailers Must Keep an Eye on Their SaaS Stack (thehackernews.com)
SCARLETEEL Cryptojacking Campaign Exploiting AWS Fargate in Ongoing Campaign (thehackernews.com)
Decentralized storage emerging as solution to cloud-based attacks | Cybernews
Hybrid/Remote Working
Attack Surface Management
Identity and Access Management
Why Hybrid Work Has Made Secure Access So Complicated (darkreading.com)
less than half of SMBs use Privileged Access Management- IT Security Guru
Encryption
API
Cisco SD-WAN vManage impacted by unauthenticated REST API access (bleepingcomputer.com)
API Flaw in QuickBlox Framework Exposed PII of Millions of Users - SecurityWeek
Open Source
Novel Linux kernel vulnerability exploitable for elevated privileges | SC Media (scmagazine.com)
The EU’s Product Liability Directive could kill open source | TechRadar
Linux Hacker Exploits Researchers With Fake PoCs Posted to GitHub (darkreading.com)
AVrecon malware infects 70,0000 Linux routers to build botnet (bleepingcomputer.com)
Passwords, Credential Stuffing & Brute Force Attacks
Social Media
Critical Vulnerability Can Allow Takeover of Mastodon Servers - SecurityWeek
Mastodon Patches 4 Bugs, but Is the Twitter Killer Safe to Use? (darkreading.com)
Travel
Regulations, Fines and Legislation
How the EU AI Act Will Affect Businesses, Cyber security (darkreading.com)
A Cyber Security Wish List Ahead of NATO Summit - SecurityWeek
The EU’s Product Liability Directive could kill open source | TechRadar
Microsoft and AWS caution Ofcom against referring UK cloud market over to CMA | Computer Weekly
Models, Frameworks and Standards
How to map security gaps to the Mitre ATT&CK framework | TechTarget
Get started: Threat modeling with the Mitre ATT&CK framework | TechTarget
Data Protection
Careers, Working in Cyber and Information Security
Law Enforcement Action and Take Downs
Privacy, Surveillance and Mass Monitoring
Misinformation, Disinformation and Propaganda
Nation State Actors, Advanced Persistent Threats (APTs), Cyber Warfare and Cyber Espionage
Russia
Storm-0978 attacks reveal financial and espionage motives | Microsoft Security Blog
Russia-based actor exploited unpatched Office zero day | TechTarget
SolarWinds Attackers Dangle BMWs to Spy on Diplomats (darkreading.com)
Russian state hackers lure Western diplomats with BMW car ads (bleepingcomputer.com)
Killnet Tries Building Russian Hacktivist Clout With Media Stunts (darkreading.com)
Cl0p hacker operating from Russia-Ukraine war front line-Security Affairs
Killer ‘tracked Russian sub commander using Strava jogging app’ (thetimes.co.uk)
Inside the murky world accelerating Russia’s economic meltdown (telegraph.co.uk)
Cyber attacks Against Ukrainians Adjoin NATO Summit in Lithuania - MSSP Alert
Russian Hackers Find Sneaky Way to Infiltrate Embassy Networks in Kyiv (kyivpost.com)
PicassoLoader Malware Used in Ongoing Attacks on Ukraine and Poland (thehackernews.com)
China
Chinese hackers compromised emails of US Government agencies-Security Affairs
UK has ‘no strategy’ to tackle China threat as spies target Britain, report warns | The Independent
Cabinet tensions emerge over labelling China a threat to UK national security (inews.co.uk)
Iran
North Korea
Vulnerability Management
CVSS 4.0 released, to help assess real-time threat and impact of vulnerabilities - Help Net Security
The Need for Risk-Based Vulnerability Management to Combat Threats (bleepingcomputer.com)
Creating a Patch Management Playbook: 6 Key Questions (darkreading.com)
Close Security Gaps with Continuous Threat Exposure Management (thehackernews.com)
Vulnerabilities
MOVEit Transfer customers warned to patch new critical flaw (bleepingcomputer.com)
After Zero-Day Attacks, MOVEit Turns to Security Service Packs - SecurityWeek
Microsoft Warns of Office Zero-Day Attacks, No Patch Available - SecurityWeek
Juniper Networks Patches High-Severity Vulnerabilities in Junos OS - SecurityWeek
Cisco SD-WAN vManage impacted by unauthenticated REST API access (bleepingcomputer.com)
SonicWall warns admins to patch critical auth bypass bugs immediately (bleepingcomputer.com)
Fortinet warns of critical RCE flaw in FortiOS, FortiProxy devices (bleepingcomputer.com)
Russia-based actor exploited unpatched Office zero day | TechTarget
Hackers Steal $20 Million by Exploiting Flaw in Revolut's Payment Systems (thehackernews.com)
Raising concerns over Google Authenticator’s new features | TechRadar
Novel Linux kernel vulnerability exploitable for elevated privileges | SC Media (scmagazine.com)
Hackers Exploit Windows Policy Loophole to Forge Kernel-Mode Driver Signatures (thehackernews.com)
VMware warns of exploit available for critical vRealize RCE bug (bleepingcomputer.com)
Adobe Patch Tuesday: Critical Flaws Haunt InDesign, ColdFusion - SecurityWeek
Zimbra urges customers to manually fix actively exploited zero-day-Security Affairs
Critical Vulnerability Can Allow Takeover of Mastodon Servers - SecurityWeek
New StackRot Linux kernel flaw allows privilege escalation (bleepingcomputer.com)
Exploit Code Published for Remote Root Flaw in VMware Logging Software - SecurityWeek
API Flaw in QuickBlox Framework Exposed PII of Millions of Users - SecurityWeek
Experts released PoC exploit for Ubiquiti EdgeRouter flaw-Security Affairs
Critical RCE found in popular Ghostscript open-source PDF library (bleepingcomputer.com)
Citrix fixed a critical flaw in Secure Access Client for Ubuntu-Security Affairs
OT/ICS Vulnerabilities
Tools and Controls
The Need for Risk-Based Vulnerability Management to Combat Threats (bleepingcomputer.com)
less than half of SMBs use Privileged Access Management- IT Security Guru
Exposure Management Looks to Attack Paths, Identity to Better Measure Risk (darkreading.com)
Enterprise risk management should inform cyber-risk strategies | TechTarget
Infrastructure upgrades alone won't guarantee strong security - Help Net Security
What is a Network Intrusion Protection System (NIPS)? | Definition from TechTarget
Overcoming user resistance to passwordless authentication - Help Net Security
Zero Trust Keeps Digital Attacks From Entering the Real World (darkreading.com)
3 Strategies For Simplifying And Strengthening Your Data Security (forbes.com)
The history, evolution and current state of SIEM | TechTarget
Attack Surface Management: Identify and protect the unknown - Help Net Security
How to Put Generative AI to Work in Your Security Operations Center (darkreading.com)
Close Security Gaps with Continuous Threat Exposure Management (thehackernews.com)
Platform Approach to Cyber Security: The New Paradigm (trendmicro.com)
Intrusion Detection & Prevention Systems Guide (trendmicro.com)
Decentralized storage emerging as solution to cloud-based attacks | Cybernews
Wi-Fi AP placement best practices and security policies | TechTarget
For stronger public cloud data security, use defence in depth | TechTarget
Other News
White House Urged to Quickly Nominate National Cyber Director (darkreading.com)
The rise of cyber threats in a digital dystopia | Mint #AskBetterQuestions (livemint.com)
Building the right collective defence against cyber attacks for critical infrastructure | CyberScoop
Satellites lack standard security mechanisms found in mobile phones and laptops - Help Net Security
White House publishes National Cyber Security Strategy Implementation Plan - Help Net Security
Cyber attacks through Browser Extensions – the Importance of MFA (bleepingcomputer.com)
Sector Specific
Industry specific threat intelligence reports are available.
Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.
· Automotive
· Construction
· Critical National Infrastructure (CNI)
· Defence & Space
· Education & Academia
· Energy & Utilities
· Estate Agencies
· Financial Services
· FinTech
· Food & Agriculture
· Gaming & Gambling
· Government & Public Sector (including Law Enforcement)
· Health/Medical/Pharma
· Hotels & Hospitality
· Insurance
· Legal
· Manufacturing
· Maritime
· Oil, Gas & Mining
· OT, ICS, IIoT, SCADA & Cyber-Physical Systems
· Retail & eCommerce
· Small and Medium Sized Businesses (SMBs)
· Startups
· Telecoms
· Third Sector & Charities
· Transport & Aviation
· Web3
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Threat Briefing 26 May 2023
Black Arrow Cyber Threat Briefing 26 May 2023:
-50% of UK CEOs See Cyber as a Bigger Business Risk than the Economy
-Report Finds 78% of Organisations Felt Prepared for Ransomware Attacks, Yet Half Still Fell Victim
-SMBs and Regional MSPs are Increasingly Targeted by State-Sponsored APT Groups
-IT Employee Piggybacked on Cyber Attack for Personal Gain
-Ransomware Threats Are Growing, and Targeting Microsoft Devices More and More
-Microsoft Reports Jump in Business Email Compromise (BEC) Activity
-Forrester Predicts 2023’s Top Cyber security Threats: From Generative AI to Geopolitical Tensions
-Advanced Phishing Attacks Surge 356% in 2022
-Today’s Cyber Defence Challenges: Complexity and a False Sense of Security
-Almost All Ransomware Attacks Target Backups, Says Veeam
-NCSC Warns Against Chinese Cyber Attacks on Critical Infrastructure
-Half of all Companies were Impacted by Spearphishing in 2022
-Google's .zip, .mov Domains Give Social Engineers a Shiny New Tool
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
50% of UK CEOs see Cyber as a Bigger Business Risk than the Economy
Half of UK CEOs consider cyber security as a bigger risk to their organisation than economic uncertainty, a new study by Palo Alto Networks has found. The findings came from a survey of 2500 CEOs from the UK, Germany, France, Brazil and the UAE at large organisations (500+ employees).
Despite the recognition of the business threats posed by cyber attacks, UK CEOs have a lower level of understanding of cyber security risks than their international counterparts, with just 16% saying they have a complete understanding. This compares to 21% in Brazil, 21% in the UAE, 22% in France and 39% in Germany. Additionally, many UK CEOs feel detached from responsibility for cyber security at their organisations, instead leaving it to the responsibility of IT, although IT is only part of the solution.
https://www.infosecurity-magazine.com/news/uk-ceo-cyber-risk-economy/
Report Finds 78% of Organisations Felt Prepared for Ransomware Attacks, Yet Half Still Fell Victim
Fortinet has unveiled its 2023 Global Ransomware Report based on a recent global survey and explores cyber security leaders’ perspectives on ransomware, particularly how it impacted their organisations in the last year and their strategies to mitigate an attack. The report found that the global threat of ransomware remains at peak levels, with half of organisations across all sizes, regions and industries falling victim in the last year.
The top challenges to stopping a ransomware attack were people and process related, with many organisations lacking clarity on how to secure against the threat. Specifically, four out of the five top challenges to stopping ransomware were people or process related. The second largest challenge was a lack of clarity on how to secure against the threat as a result of a lack of user awareness and training and no clear chain-of-command strategy to deal with attacks.
Despite the global macroeconomic environment, security budgets will have to increase in the next year with a focus on AI/ML technologies to speed detection, centralised monitoring tools to speed response and better preparation of people and processes.
https://www.itweb.co.za/content/mYZRX79g8gRqOgA8
SMBs and Regional MSPs are Increasingly Targeted by State-Sponsored APT Groups
Advanced persistent threat (APT) attacks were once mainly a concern for large corporations in industries that presented cyber espionage interest. That's no longer the case and over the past year in particular, the number of such state-sponsored attacks against small- and medium-sized businesses (SMBs) has increased significantly.
Cyber security firm Proofpoint analysed its telemetry data more than 200,000 SMB customers over the past year and saw a rise in phishing campaigns originating from APT groups, particularly those serving Russian, Iranian, and North Korean interests.
SMBs are also targeted by APT groups indirectly, through the managed services providers (MSPs) that maintain their infrastructure. Proofpoint has seen an increase in attacks against regional MSPs because their cyber security defences could be weaker than larger MSPs yet they still serve hundreds of SMBs in local geographies.
IT Employee Piggybacked on Cyber Attack for Personal Gain
A 28-year-old former IT employee of an Oxford-based company has been convicted of blackmailing his employer and unauthorised access to a computer with intent to commit other offences.
The convicted employee was the one who began to investigate the incident and, along with colleagues and the police, tried to mitigate it and its fallout. But he also realized that he could take advantage of the breach to line his own pockets.
“He accessed a board member’s private emails over 300 times as well as altering the original blackmail email and changing the payment address provided by the original attacker. This was in the hope that if payment was made, it would be made to him rather than the original attacker,” the South East Regional Organised Crime Unit (SEROCU) revealed. He went as far as creating an almost identical email address to that of the original attacker, using it to pressure his employer into making the payment.
While some insider threats may stem from negligence or ignorance, this case highlights a more sinister scenario involving a malicious, opportunistic individual. Malicious insiders exploit their authorized access and privileges to engage in harmful, unethical, or illegal activities.
https://www.helpnetsecurity.com/2023/05/24/it-employee-blackmailing-company/
Ransomware Threats Are Growing, and Targeting Microsoft Devices More and More
Ransomware attacks have never been this popular, a new report from cyber security researchers Securin, Ivanti, and Cyware has stated. New ransomware groups are emerging constantly, and new vulnerabilities being exploited are being discovered almost daily, but out of all the different hardware and software, Microsoft’s products are being targeted the most.
Attackers are now targeting more than 7,000 products built by 121 vendors, all used by businesses in their day-to-day operations. Most products belong to Microsoft, which has 135 vulnerabilities associated with ransomware. In just March 2023, there had been more breaches reported, than in all three previous years combined. Even though most cyber security incidents never get reported, too. In the first quarter of the year, the researchers discovered 12 new vulnerabilities used in ransomware attacks, three-quarters of which (73%) were trending in the dark web.
Microsoft Reports Jump in Business Email Compromise (BEC) Activity
Thirty-five million business email compromise (BEC) attempts were detected in the last year, according to the latest Microsoft Cyber Signals report. Activity around BEC spiked between April 2022 and April 2023, with over 150,000 daily attempts, on average, detected by Microsoft’s Digital Crimes Unit.
Rather than targeting unpatched devices for vulnerabilities, BEC operators focus on leveraging the vast volume of daily email and other message traffic to trick victims into sharing financial information or unknowingly transferring funds to money mule accounts. Their goal is to exploit the constant flow of communication to carry out fraudulent money transfers.
Using secure email applications, securing identities to block lateral movement, adopting a secure payment platform and training employees are a few effective methods, according to the report.
Forrester Predicts 2023’s Top Cyber security Threats: From Generative AI to Geopolitical Tensions
The nature of cyber attacks is changing fast. Generative AI, cloud complexity and geopolitical tensions are among the latest weapons and facilitators in attackers’ arsenals. Three-quarters (74%) of security decision-makers say their organisations’ sensitive data was “potentially compromised or breached in the past 12 months” alone. Forrester’s Top Cyber security Threats in 2023 report provides a stark warning about the top cyber security threats this year, along with prescriptive advice to CISOs and their teams on countering them. By weaponising generative AI and using ChatGPT, attackers are fine-tuning their ransomware and social engineering techniques.
Perimeter-based legacy systems not designed with an AI-based upgrade path are the most vulnerable. With a new wave of cyber attacks coming that seek to capitalise on any given business’ weakest links, including complex cloud configurations, the gap between reported and actual breaches will grow.
Forrester cites Russia’s invasion of Ukraine and its relentless cyber attacks on Ukrainian infrastructure as examples of geopolitical cyber attacks with immediate global implications. Forrester advises that nation-state actors continue to use cyber attacks on private companies for geopolitical purposes like espionage, negotiation leverage, resource control and intellectual property theft to gain technological superiority.
Advanced Phishing Attacks Surge 356% in 2022
A new report published this week observed a 356% growth in the number of advanced phishing attacks attempted by threat actors in 2022, with the total number of attacks having increased by 87%. Among the reasons behind this growth is the fact that malicious actors continue to gain widespread access to new tools, including artificial intelligence (AI) and machine learning (ML)-powered tools. These have automated the process of generating sophisticated attacks, including those characterized by social engineering as well as evasion techniques.
The global threat landscape continues to evolve with a meteoric rise in the number of attacks, combined with increasingly sophisticated attack techniques designed to breach and damage organisations.
Additionally, the report highlighted that the changing threat landscape has resulted from the swift adoption of new cloud collaboration apps, cloud storage and productivity services for external collaboration.
https://www.infosecurity-magazine.com/news/advanced-phishing-attacks-surge/
Today’s Cyber Defence Challenges: Complexity and a False Sense of Security
Organisations can mistakenly believe that deploying more security solutions will result in greater protection against threats. However, the truth of the matter can be very different. Gartner estimates that global spending on IT security and risk management solutions will exceed $189.7 billion annually in 2023, yet the breaches keep on coming. Blindly purchasing more security tools can add to complexity in enterprise environments and creates a false sense of security that contributes to today’s cyber security challenges.
To add to the dilemma, the new work-from-anywhere model is putting a strain on IT and security teams. Employees shifting between corporate and off-corporate networks are creating visibility and control challenges, which are impacting those teams’ ability to diagnose and remediate end user issues and minimize cyber security risks. In addition, they have to deal with a broad mix of networks, hardware, business and security applications, operating system (OS) versions, and patches.
Almost All Ransomware Attacks Target Backups
Data stored in backups is the most common target for ransomware attackers. Almost all intrusions (93%) target backups and in 75% of cases succeed in taking out victims’ ability to recover. In addition, 85% of global organisations suffered at least one cyber attack in the past year according to the Veeam 2023 Ransomware trends report. Only 16% of organisations avoided paying ransom because they were able to recover from backups, down from 19% in last year’s survey.
According to the survey, criminals attempt to attack backup repositories in almost all (93%) cyber events in EMEA, with 75% losing at least some of their backups and more than one-third (39%) of backup repositories being completely lost.
Other key findings included that 21% said ransomware is now specifically excluded from insurance policies; and of those with cyber insurance, 74% saw increased premiums since their last policy renewal.
With most ransomware actors moving to double and triple extortion the days of a backup being all you need to keep you safe are far behind and firms should do more to prevent being the victim of ransomware in the first place.
NCSC Warns Against Chinese Cyber Attacks on Critical Infrastructure
The UK National Cyber Security Centre (NCSC) and several other international security agencies have issued a new advisory warning the public against Chinese cyber activity targeting critical national infrastructure networks. According to the document, the People’s Republic of China (PRC)’s associated threat actors employed sophisticated tactics to evade detection while conducting malicious activities against targets in the US and Guam. These tactics are expected to be used on critical infrastructure targets outside the US, including the UK.
The document further added that the threat actors mainly focused on credential access theft via brute force and password spraying techniques. The NCSC advisory provides network defenders with technical indicators and examples of techniques used by the attacker to help identify any malicious activity.
https://www.infosecurity-magazine.com/news/ncsc-warns-chinese-cyber-attacks/
Half of All Companies were Impacted by Spearphishing in 2022
Spearphishing is a sliver of all email exploits but the extent to which it succeeds is revealed in a new study from cyber security firm Barracuda Networks, which analysed 50 billion emails across 3.5 million mailboxes in 2022, unearthing around 30 million spearphishing emails and affecting 50% of all companies.
The report identified the top prevalent spearphishing emails were Scamming (47%) used to trick victims into disclosing sensitive information and the other being brand impersonation (42%) attacks mimicking a brand familiar with the victim to harvest credentials.
The report found that remote work is increasing risks. Users at companies with more than a 50% remote workforce report higher levels of suspicious emails — 12 per day on average, compared to 9 per day for those with less than a 50% remote workforce.
https://www.techrepublic.com/article/barracuda-networks-spearphishing-study/
Google's .zip, .mov Domains Give Social Engineers a Shiny New Tool
Two new top-level domain names (.zip and .mov) have caused concern among security researchers, who say they allow for the construction of malicious URLs that even tech-savvy users are likely to miss. While a top-level domain (TLD) that mimics a file extension is only one component in the lookalike attack, the overall combination is much more effective with the .zip or .mov extension.
There's no question that phishing links that involve these TLDs can be used to lure unsuspecting users into accidentally downloading malware. Unlike other kinds of phishing URLs that are intended to lure the user to enter credentials into a phony login page, the lures with the .zip or .mov domains are more suited to drive-by download types of attacks.
https://www.darkreading.com/endpoint/google-zip-mov-domains-social-engineers-shiny-new-tool
Governance, Risk and Compliance
Security Pros: Before You Do Anything, Understand Your Threat Landscape - SecurityWeek
The Rising Threat of Secrets Sprawl and the Need for Action (thehackernews.com)
Mass resignations, layoffs seen as major threat to corporate cyber security - The Korea Times
Improving Cyber security Requires Building Better Public-Private Cooperation (darkreading.com)
5 Cyber security Woes That Threaten Digital Growth (analyticsinsight.net)
Cyber Warfare Lessons From the Russia-Ukraine Conflict (darkreading.com)
What Security Professionals Need to Know About Aggregate Cyber Risk (darkreading.com)
Where to Focus Your Company’s Limited Cyber security Budget (hbr.org)
Former Uber CSO Joe Sullivan and lessons learned from the infamous 2016 Uber breach | CSO Online
CISO Criminalization, Vague Cyber Disclosure Rules Create Angst for Security Teams (darkreading.com)
Today’s Cyber Defence Challenges: Complexity and a False Sense of Security - SecurityWeek
The biggest threats are always those we fail to predict - Big Think
How continuous security monitoring is changing the compliance game - Help Net Security
Defining CISOs, CTOs, and CIOs' Roles in Cyber security (analyticsinsight.net)
Threats
Ransomware, Extortion and Destructive Attacks
3 Common Initial Attack Vectors Account for Most Ransomware Campaigns (darkreading.com)
12 vulnerabilities newly associated with ransomware - Help Net Security
IT employee impersonates ransomware gang to extort employer (bleepingcomputer.com)
Ransomware threats are growing, and targeting Microsoft devices more and more | TechRadar
Microsoft: Notorious FIN7 hackers return in Clop ransomware attacks (bleepingcomputer.com)
FIN7 gang returned and was spotted delivering Clop ransomware - Security Affairs
Bridgestone CISO: Lessons From Ransomware Attack Include Acting, Not Thinking (darkreading.com)
Cyble — New Ransomware Wave Engulfs over 200 Corporate Victims
Updated 'StopRansomware Guide' warns of shifting tactics | TechTarget
The Week in Ransomware - May 19th 2023 - A Shifting Landscape (bleepingcomputer.com)
US saw 45% fewer ransomware victims posted on the dark web | Security Magazine
Judge Throws Out Ransomware Class-Action Suit Against Rackspace - MSSP Alert
Ransomware tales: The MitM attack that really had a Man in the Middle – Naked Security (sophos.com)
Here's another great reason to make sure your enterprises is safeguarded from ransomware | TechRadar
Inside Qilin Ransomware: Affiliates Take Home 85% of Ransom Payouts (thehackernews.com)
Buhti Ransomware Gang Switches Tactics, Utilizes Leaked LockBit and Babuk Code (thehackernews.com)
Ransomware Victims
Food Distributor Sysco Says Cyber Attack Exposed 126,000 Individuals - SecurityWeek
Suzuki motorcycle plant shut down by cyber attack (bitdefender.com)
Iowa hospital discloses breach following Royal ransomware leak | TechTarget
Arms maker Rheinmetall confirms BlackBasta ransomware attack (bleepingcomputer.com)
Dish Network says February ransomware attack impacted +300K - Security Affairs
Philly Inquirer disputes Cuba ransomware gang's leak claims • The Register
Dorchester school IT system held to ransom in cyber attack - BBC News
BlackByte lists city of Augusta after cyber 'incident' • The Register
Phishing & Email Based Attacks
Advanced Phishing Attacks Surge 356% in 2022 - Infosecurity Magazine (infosecurity-magazine.com)
50% of companies had spearphishing puncture wounds in 2022 (techrepublic.com)
Microsoft 365 phishing attacks use encrypted RPMSG messages (bleepingcomputer.com)
Threat actors exploit new channels for advanced phishing attacks - Help Net Security
Malicious links and misaddressed emails slip past security controls - Help Net Security
CopperStealer Malware Crew Resurfaces with New Rootkit and Phishing Kit Modules (thehackernews.com)
Crypto phishing service Inferno Drainer defrauds thousands of victims (bleepingcomputer.com)
BEC – Business Email Compromise
Cyber Signals: Shifting tactics show surge in business email compromise | Microsoft Security Blog
Microsoft reports jump in business email compromise activity | CSO Online
Other Social Engineering; Smishing, Vishing, etc
Artificial Intelligence
Employees are banned from using ChatGPT at these companies | Fortune
BatLoader campaign impersonates ChatGPT and Midjourney to deliver Redline Stealer - Security Affairs
6 ChatGPT risks for legal and compliance leaders - Help Net Security
5 Ways Hackers Will Use ChatGPT For Cyber attacks (informationsecuritybuzz.com)
Simple OSINT techniques to spot AI-fueled disinformation, fake reviews - Help Net Security
Microsoft urges lawmakers to adopt new guidelines for responsible AI | CyberScoop
AI Used to Create Malware, WithSecure Observes - Infosecurity Magazine (infosecurity-magazine.com)
The Security Hole at the Heart of ChatGPT and Bing | WIRED UK
2FA/MFA
Malware
New PowerExchange malware backdoors Microsoft Exchange servers (bleepingcomputer.com)
Hackers Use Weaponised DOCX File to Deploy Stealthy Malware (gbhackers.com)
Meet 'Jack' from Romania! Mastermind Behind Golden Chickens Malware (thehackernews.com)
Developer Alert: NPM Packages for Node.js Hiding Dangerous TurkoRat Malware (thehackernews.com)
CopperStealer Malware Crew Resurfaces with New Rootkit and Phishing Kit Modules (thehackernews.com)
Threat actors leverage kernel drivers in new attacks | TechTarget
BatLoader campaign impersonates ChatGPT and Midjourney to deliver Redline Stealer - Security Affairs
Malicious links and misaddressed emails slip past security controls - Help Net Security
Potentially millions of Android TVs and phones come with malware preinstalled | Ars Technica
New AhRat Android malware hidden in app with 50,000 installs (bleepingcomputer.com)
Malware turns home routers into proxies for Chinese state-sponsored hackers | Ars Technica
PyPI open-source code repository deals with manic malware maelstrom – Naked Security (sophos.com)
Legion Malware Upgraded to Target SSH Servers and AWS Credentials (thehackernews.com)
AI Used to Create Malware, WithSecure Observes - Infosecurity Magazine (infosecurity-magazine.com)
Mobile
Warning: Samsung Devices Under Attack! New Security Flaw Exposed (thehackernews.com)
Android phones are vulnerable to fingerprint brute-force attacks (bleepingcomputer.com)
New AhRat Android malware hidden in app with 50,000 installs (bleepingcomputer.com)
Predator: Looking under the hood of Intellexa’s Android spyware (bleepingcomputer.com)
Botnets
How smart bots are infecting and exploiting the internet - Help Net Security
The Dark Frost Enigma: An Unexpectedly Prevalent Botnet Author Profile | Akamai
Denial of Service/DoS/DDOS
Internet of Things – IoT
Potentially millions of Android TVs and phones come with malware preinstalled | Ars Technica
Malware turns home routers into proxies for Chinese state-sponsored hackers | Ars Technica
Data Breaches/Leaks
Capita under fire after ‘confidential’ files published online (thetimes.co.uk)
Luxottica confirms 2021 data breach after info of 70M leaks online (bleepingcomputer.com)
Hackers steal the SSN of nearly 6 million people (pandasecurity.com)
Food Distributor Sysco Says Cyber attack Exposed 126,000 Individuals - SecurityWeek
Organised Crime & Criminal Actors
IT employee piggybacked on cyber attack for personal gain - Help Net Security
Child hackers: How are kids becoming sophisticated cyber criminals? | Euronews
UK Fraudster Behind iSpoof Scam Receives 13-Year Jail Term for Cyber Crimes (thehackernews.com)
The Strange Story of the Teens Behind the Mirai Botnet - IEEE Spectrum
FBI: Human Trafficking Rings Force Job Seekers Into Cryptojacking Schemes (darkreading.com)
'Operation Magalenha' Attacks Gives Window Into Brazil's Cyber crime Ecosystem (darkreading.com)
Cyber criminals masquerading as MFA vendors - Help Net Security
The Dark Frost Enigma: An Unexpectedly Prevalent Botnet Author Profile | Akamai
Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain
Crypto phishing service Inferno Drainer defrauds thousands of victims (bleepingcomputer.com)
Forex boss Anthony Constantinou guilty of £70m ‘Ponzi’ fraud (thetimes.co.uk)
FBI: Human Trafficking Rings Force Job Seekers Into Cryptojacking Schemes (darkreading.com)
Insider Risk and Insider Threats
How to prevent against the 5 main types of insider threats - IT Security Guru
IT employee impersonates ransomware gang to extort employer (bleepingcomputer.com)
Fraud, Scams & Financial Crime
Get-rich-quick schemes, pyramids and ponzis: five signs you're being scammed (theconversation.com)
Scammers Using ChatGPT "Fleeceware" Apps to Cash In on AI Hype, Sophos Report - MSSP Alert
Online scams target bargain-hunting holiday travelers - Help Net Security
Ads for lucrative jobs in Asia may be tech slavery scams • The Register
Crypto phishing service Inferno Drainer defrauds thousands of victims (bleepingcomputer.com)
79-year-old woman tricks German scammers into getting arrested (iamexpat.de)
Forex boss Anthony Constantinou guilty of £70m ‘Ponzi’ fraud (thetimes.co.uk)
IT employee impersonates ransomware gang to extort employer (bleepingcomputer.com)
Supply Chain and Third Parties
Capita under fire after ‘confidential’ files published online (thetimes.co.uk)
UK councils caught in Capita unsecured AWS bucket data leak • The Register
New Cyber Security Training Packages Launched to Manage Supply Chain Risk - NCSC
Software Supply Chain
GUAC 0.1 Beta: Google's Breakthrough Framework for Secure Software Supply Chains (thehackernews.com)
Cloud/SaaS
UK councils caught in Capita unsecured AWS bucket data leak • The Register
CISO-level tips for securing corporate data in the cloud - Help Net Security
Google Cloud Bug Allows Server Takeover From CloudSQL Service (darkreading.com)
Attack Surface Management
Identity and Access Management
7 access management challenges during M&A - Help Net Security
Think security first when switching from traditional Active Directory to Azure AD | CSO Online
Encryption
API
API bug in OAuth dev tool opened websites, apps to account hijacking | SC Media (scmagazine.com)
The fragmented nature of API security ownership - Help Net Security
Open Source
Passwords, Credential Stuffing & Brute Force Attacks
Inactive accounts pose significant account takeover security risks | CSO Online
What’s a Double-Blind Password Strategy and When Should It Be Used (bleepingcomputer.com)
Netflix's Password-Sharing Ban Offers Security Upsides (darkreading.com)
Biometrics
Social Media
Meta Hit With $1.3B Record-Breaking Fine for GDPR Violations (darkreading.com)
Pentagon explosion hoax goes viral after verified Twitter accounts push (bleepingcomputer.com)
Training, Education and Awareness
Travel
Online scams target bargain-hunting holiday travelers - Help Net Security
Four ways your devices can be hacked in hotels and how to stay safe | This is Money
Tips to Protect Against Holiday and Airline Scams - IT Security Guru
Parental Controls and Child Safety
Regulations, Fines and Legislation
Meta Hit With $1.3B Record-Breaking Fine for GDPR Violations (darkreading.com)
Microsoft urges lawmakers to adopt new guidelines for responsible AI | CyberScoop
Models, Frameworks and Standards
NIST Launches Cyber security Initiative for Small Businesses (securityintelligence.com)
New security model launched to eliminate 95% of cyber breaches - IT Security Guru
Backup and Recovery
Almost all ransomware attacks target backups, says Veeam | Computer Weekly
'Operation Magalenha' Attacks Gives Window Into Brazil's Cyber crime Ecosystem (darkreading.com)
Here's another great reason to make sure your enterprises is safeguarded from ransomware | TechRadar
Data Protection
Careers, Working in Cyber and Information Security
Law Enforcement Action and Take Downs
UK Fraudster Behind iSpoof Scam Receives 13-Year Jail Term for Cyber Crimes (thehackernews.com)
79-year-old woman tricks German scammers into getting arrested (iamexpat.de)
Privacy, Surveillance and Mass Monitoring
UK police to 'embed' facial recog but oversight is at risk • The Register
Abuse of government spying powers: What's to worry about? • The Register
Reflections on Ten Years Past The Snowden Revelations (ietf.org)
Misinformation, Disinformation and Propaganda
Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine
Cyber Warfare Lessons From the Russia-Ukraine Conflict (darkreading.com)
Russia's War in Ukraine Shows Cyber attacks Can Be War Crimes (darkreading.com)
The Underground History of Turla, Russia's Most Ingenious Hacker Group | WIRED
Bad Magic's Extended Reign in Cyber Espionage Goes Back Over a Decade (thehackernews.com)
North Korean Kimsuky Hackers Strike Again with Advanced Reconnaissance Malware (thehackernews.com)
Cyber Attacks Strike Ukraine's State Bodies in Espionage Operation (thehackernews.com)
Mysterious malware designed to cripple industrial systems linked to Russia | CyberScoop
New Russian-linked CosmicEnergy malware targets industrial systems (bleepingcomputer.com)
United Nations official and others in Armenia hacked by NSO Group spyware | Hacking | The Guardian
Predator: Looking under the hood of Intellexa’s Android spyware (bleepingcomputer.com)
Nation State Actors
APT attacks: Exploring Advanced Persistent Threats and their evasive techniques (malwarebytes.com)
SMBs and regional MSPs are increasingly targeted by state-sponsored APT groups | CSO Online
The Underground History of Turla, Russia's Most Ingenious Hacker Group | WIRED
Malware turns home routers into proxies for Chinese state-sponsored hackers | Ars Technica
North Korean Kimsuky Hackers Strike Again with Advanced Reconnaissance Malware (thehackernews.com)
Five Eyes and Microsoft accuse China US infrastructure raids • The Register
Iranian hackers use new Moneybird ransomware to attack Israeli orgs (bleepingcomputer.com)
Mysterious malware designed to cripple industrial systems linked to Russia | CyberScoop
GCHQ warns of fresh threat from Chinese state-sponsored hackers | Hacking | The Guardian
New Russian-linked CosmicEnergy malware targets industrial systems (bleepingcomputer.com)
Five Eyes agencies detail how Chinese hackers breached US infrastructure - Help Net Security
Lazarus Group Striking Vulnerable Windows IIS Web Servers (darkreading.com)
'Volt Typhoon' Breaks Fresh Ground for China-Backed Cyber Campaigns (darkreading.com)
Vulnerability Management
12 vulnerabilities newly associated with ransomware - Help Net Security
Fresh perspectives needed to manage growing vulnerabilities - Help Net Security
Judge Throws Out Ransomware Class-Action Suit Against Rackspace - MSSP Alert
How to check for new exploits in real time? VulnCheck has an answer | CSO Online
Vulnerabilities
12 vulnerabilities newly associated with ransomware - Help Net Security
Hackers target 1.5M WordPress sites with cookie consent plugin exploit (bleepingcomputer.com)
Barracuda Alerts Of Breaches In Email Gateways From Zero-Day Flaws (informationsecuritybuzz.com)
Threat Actors Compromise Barracuda Email Security Appliances (darkreading.com)
Microsoft: Windows issue causes file copying, saving failures (bleepingcomputer.com)
GitLab 'strongly recommends' patching max severity flaw ASAP (bleepingcomputer.com)
83C0000B: The error code that means a software update bricked your HP printer (bitdefender.com)
CISA adds iPhone bugs to Known Exploited Vulnerabilities catalog - Security Affairs
Vulnerability in Zyxel firewalls may soon be widely exploited (CVE-2023-28771) - Help Net Security
Zyxel warns of critical vulnerabilities in firewall and VPN devices (bleepingcomputer.com)
Warning: Samsung Devices Under Attack! New Security Flaw Exposed (thehackernews.com)
Tools and Controls
Security Pros: Before You Do Anything, Understand Your Threat Landscape - SecurityWeek
Malicious links and misaddressed emails slip past security controls - Help Net Security
Making The Most Of A Penetration Test: The Organisational Perspective (forbes.com)
Against the Clock: Cyber Incident Response Plan (trendmicro.com)
Investigating Risks Through Threat Hunting Capability Guide (informationsecuritybuzz.com)
Almost all ransomware attacks target backups, says Veeam | Computer Weekly
How continuous security monitoring is changing the compliance game - Help Net Security
Blacklist untrustworthy apps that peek behind your firewall - Help Net Security
How generative AI is reshaping the identity verification landscape - Help Net Security
The fragmented nature of API security ownership - Help Net Security
Enterprises Must Prepare Now for Shorter TLS Certificate Lifespans (darkreading.com)
Cutting Through the Noise: What is Zero Trust Security? - SecurityWeek
CISO-level tips for securing corporate data in the cloud - Help Net Security
6 ways generative AI chatbots and LLMs can enhance cyber security | CSO Online
'Operation Magalenha' Attacks Gives Window Into Brazil's Cyber crime Ecosystem (darkreading.com)
Here's another great reason to make sure your enterprises is safeguarded from ransomware | TechRadar
Attributes of a mature cyber-threat intelligence program | CSO Online
Sector Specific
Industry specific threat intelligence reports are available.
Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.
· Automotive
· Construction
· Critical National Infrastructure (CNI)
· Defence & Space
· Education & Academia
· Energy & Utilities
· Estate Agencies
· Financial Services
· FinTech
· Food & Agriculture
· Gaming & Gambling
· Government & Public Sector (including Law Enforcement)
· Health/Medical/Pharma
· Hotels & Hospitality
· Insurance
· Legal
· Manufacturing
· Maritime
· Oil, Gas & Mining
· OT, ICS, IIoT, SCADA & Cyber-Physical Systems
· Retail & eCommerce
· Small and Medium Sized Businesses (SMBs)
· Startups
· Telecoms
· Third Sector & Charities
· Transport & Aviation
· Web3
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Threat Briefing 03 March 2023
Black Arrow Cyber Briefing 03 March 2023:
-It’s Time to Evaluate Your Security Education Plan Amongst the Rise in Social Engineering Attacks
-Mobile Users are More Susceptible to Phishing Attacks
-Phishing as a Service Stimulates Cyber Crime
-Attacker Breakout Time Drops to Just 84 Minutes
-Attackers are Developing and Deploying Exploits Faster Than Ever
-Old Vulnerabilities are Haunting Organisations and Aiding Attackers
-Scams Drive Nearly $9bn Fraud Surge in 2022
-Economic Pressure are Increasing Cyber Security Risks and a Recession Would Only Further This
-Cyber Security in This Era of Polycrisis
-Russian Ransomware Projects Rebranded to Avoid Western Sanctions
-Ransomware Attacks Ravaged Big Names in February
-Firms Who Pay Ransom Subsidise New Attacks
-How the Ukraine War Opened a Fault Line in Cyber Crime
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
It’s Time to Evaluate Your Security Education Plan with the Rise in Social Engineering Attacks
Security provider Purplesec found 98% of attacks in 2022 involved an element of social engineering. Social engineering attacks can take many forms including phishing, smishing, vishing and quishing and it’s vital to educate your organisation on how to best prepare for these. Education plans should focusing on educating all levels of users, including those at the top. These plans should also be tested to allow organisations to assess where they are at and identify where they can improve.
Mobile Users are More Susceptible to Phishing Attacks
A report conducted by mobile security provider Lookout focused on the impact of mobile phishing. Some of the key findings from the report included that more than 50% of personal devices were exposed to a mobile phishing attack every quarter, the percentage of users falling for multiple mobile phishing links increasing and an increased targeting of highly regulated industries such as insurance, banking and financial services. It is likely that this has resulted from the increase in relaxed bring your own device (BYOD) policies.
Phishing as a Service Stimulates Cyber Crime
Phishing attacks are at an all-time high and the usage of Phishing as a Service (PaaS) opens this attack technique to virtually anyone. The sale of “phishing kits” and usage of artificial intelligence has further increased the availability of this attack technique. In response, organisations should look to improve their email security, cloud security and education programs for employees.
https://www.trendmicro.com/en_us/ciso/23/c/phishing-as-a-service-phaas.html
Attacker Breakout Time Drops to Just 84 Minutes
The average time it takes for a threat actor to move laterally from a compromised host within an organisation dropped 14% between 2012 and 2022 down to 84 minutes, according to a report by security provider Crowdstrike. With the reduction in time it takes a threat actor to move across systems, organisations have even less time to enact their incident response plans and contain breaches effectively, putting further pressure on the incident response team. By responding quickly, organisations can minimise the cost and damage of a breach. The report from Crowdstrike found that organisations were facing increasing difficulty in detecting suspicious activity as attackers are choosing to use valid organisation credentials rather than malware, to gain access to an organisation’s systems.
https://www.infosecurity-magazine.com/news/attacker-breakout-time-drops-just/
Attackers are Developing and Deploying Exploits Faster Than Ever
A report from security provider Rapid7 found that over 56% of vulnerabilities were exploited within seven days of public disclosure. Worryingly, the median time for exploitation in 2022 was just one day. The finding from the report highlights the need for organisations to not only conduct threat intelligence to be aware of vulnerabilities but to also look to employ patches where possible in a timely manner.
https://www.helpnetsecurity.com/2023/03/03/attackers-developing-deploying-exploits/
Old Vulnerabilities are Haunting Organisations and Aiding Attackers
Known vulnerabilities, vulnerabilities for which patches have already been made available, are one of the primary attack vectors for threat actors. Vulnerability management vendor Tenable found that the top exploited vulnerabilities were originally disclosed as far back as 2017 and organisations that had not applied these patches were at increased risks of attack.
https://www.helpnetsecurity.com/2023/03/03/known-exploitable-vulnerabilities/
Scams Drive Nearly $9bn Fraud Surge in 2022
Americans lost $8.8 billion to fraud last year, with imposter scams responsible for $2.8 billion of that amount, according to the Federal Trade Commission (FTC). Losses to business imposters were particularly damaging, climbing to $660 million from the previous year. Interestingly, the FTC found that younger people reported losing money to fraud the most often.
https://www.infosecurity-magazine.com/news/investment-scams-drive-9bn-in/
Economic Pressure are Increasing Cyber Security Risks and a Recession Would Only Further This
The World Economic Forum’s recent report found that 93% of cyber security leaders and 86% of business leaders think it is moderately or very likely that global geopolitical instability will lead to a catastrophic cyber event in the next two years. Reinforcing this, a report from (ISC)² found that 80% of business executives believe a weakening economy will increase cyber threats and a recession will only amplify this.
Cyber Security in this Era of Polycrisis
A year since Russia invaded Ukraine, the geopolitical context is increasingly tense and volatile. The world faces several major crises in what has been coined a 'polycrisis,' a cluster of global shocks with compounding effects. This, along with increasing geopolitical tensions causes a rise in risk from cyber attacks. In fact, the European Union Agency for Cyber Security (ENISA) recently issued an alert regarding actors conducting malicious cyber activities against businesses and governments in the European Union and findings from Google show a 300% increase in state-sponsored cyber attacks targeting users in NATO countries.
https://www.weforum.org/agenda/2023/02/cybersecurity-in-an-era-of-polycrisis/
Russian Ransomware Projects Rebranded to Avoid Western Sanctions
Research provider TRM labs found that some major Russian-linked ransomware crime gangs have rebranded their activities in 2022 to avoid sanctions. To strengthen their anonymity, two major ransomware crime gangs LockBit and Conti restructured their activities. Conti is reported to have restructured into three smaller groups named Black Besta, BlackByte, Karakurt. LockBit on the other hand launched LockBit 3.0, which is focused on monetary gain. Additionally, the report found that Russian-speaking darknet markets had amassed over $130 million in sales.
https://cryptopotato.com/russian-ransomware-projects-rebranded-to-avoid-western-sanctions-report/
Ransomware Attacks Ravaged Big Names in February
Despite the apparent slight drop in ransomware activity last month, several high profile targets of various industries were hit; this ranges from the likes of the US Marshal Service, retailer WH Smith, satellite provider Dish and many more. These attacks reinforce the concept that any organisation can be a victim, regardless of industry.
Firms Who Pay Ransoms Subsidise New Attacks
A report from security provider Trend Micro found that whilst only a relatively small number of ransomware victims pay their extorters, those that do pay are effectively funding 6-10 new attacks. The report also found that attackers are aware of which industries and countries pay ransoms more often, so organisations belonging to those industries and countries may find themselves an even more attractive target.
https://www.infosecurity-magazine.com/news/firms-pay-ransom-subsidise-10/
How the Ukraine War Opened a Fault Line in Cyber Crime
A report from threat intelligence provider Recorded Future has highlighted the impact that the Russian invasion of Ukraine has had on cyber. Recorded Future explain how a number of threat actor groups fled during the war and in addition to differing political views between groups, there has been a disruption to the cyber environment. In fact, Recorded Future found that Russian-language dark web marketplaces have taken a major hit and the prediction is that the epicentre of cyber crime may shift to English-speaking dark web forums, shops and marketplaces.
https://www.darkreading.com/analytics/ukraine-war-fault-line-cybercrime-forever
Threats
Ransomware, Extortion and Destructive Attacks
Well-funded security systems fail to prevent cyber attacks in US and Europe: Report | CSO Online
Russian Ransomware Projects Rebranded to Avoid Western Sanctions: Report (cryptopotato.com)
New cyber attack tactics rise up as ransomware payouts increase | CSO Online
Ransomware Attacks: Don’t Let Your Guard Down - SecurityWeek
Ransomware attacks ravaged big names in February | TechTarget
Cyber Insurance Market Back From Brink After Onslaught of Ransomware Attacks (insurancejournal.com)
Royal Mail schools LockBit in leaked negotiation (malwarebytes.com)
'Ethical hacker' among ransomware suspects arrested • The Register
Wiper malware goes global, destructive attacks surge - Help Net Security
A Deep Dive into the Evolution of Ransomware Part 3 (trendmicro.com)
New Exfiltrator-22 post-exploitation kit linked to LockBit ransomware (bleepingcomputer.com)
PureCrypter malware hits govt orgs with ransomware, info-stealers (bleepingcomputer.com)
Bitdefender Releases Free Decryptor for MortalKombat Ransomware Strain (thehackernews.com)
Dish Network confirms ransomware attack behind multi-day outage (bleepingcomputer.com)
US Marshals Ransomware Hit Is 'Major' Incident (darkreading.com)
The DoJ Disruption of the Hive Ransomware Group Is a Short-Lived Win (darkreading.com)
Vice Society publishes data stolen during Vesuvius ransomware attack • Graham Cluley
US Cybersecurity Agency Raises Alarm Over Royal Ransomware's Deadly Capabilities (thehackernews.com)
Phishing & Email Based Attacks
New cyber attack tactics rise up as ransomware payouts increase | CSO Online
Mobile Users More Susceptible to Phishing Attacks than Two Years Ago - MSSP Alert
Phishing as a Service Stimulates Cyber crime (trendmicro.com)
BEC – Business Email Compromise
New cyber attack tactics rise up as ransomware payouts increase | CSO Online
Expert strategies for defending against multilingual email-based attacks - Help Net Security
Hackers Target Young Gamers: How Your Child Can Cause Business Compromise (darkreading.com)
Other Social Engineering; Smishing, Vishing, etc
As Social Engineering Attacks Skyrocket, Evaluate Your Security Education Plan (darkreading.com)
The Top 5 New Social Engineering Attacks in 2023 - (ISC)² Blog (isc2.org)
How to Prevent Callback Phishing Attacks on Your Organization (bleepingcomputer.com)
2FA/MFA
Malware
RIG Exploit Kit still infects enterprise users via Internet Explorer (bleepingcomputer.com)
Exfiltrator-22 Post-Exploitation Toolkit Nips At Cobalt Strike's Heels (darkreading.com)
Malicious package flood on PyPI might be sign of new attacks to come | CSO Online
Iron Tiger hackers create Linux version of their custom malware (bleepingcomputer.com)
It's official: BlackLotus malware can bypass secure boot • The Register
Threat actors target law firms with GootLoader and SocGholish--Security Affairs
Mobile
Mobile Users More Susceptible to Phishing Attacks than Two Years Ago - MSSP Alert
Mobile Banking Trojans Surge, Doubling in Volume (darkreading.com)
Signal would 'walk' from UK if Online Safety Bill undermined encryption - BBC News
Don't be fooled by a pretty icon, malicious apps hide in plain sight - Help Net Security
Denial of Service/DoS/DDOS
Data Breaches/Leaks
LastPass Says DevOps Engineer Home Computer Hacked - SecurityWeek
LastPass Reveals Second Attack Resulting in Breach of Encrypted Password Vaults (thehackernews.com)
Stanford University discloses data breach affecting PhD applicants (bleepingcomputer.com)
Threat actors leak Activision employee data on hacking forum--Security Affairs
10 US states that suffered the most devastating data breaches in 2022 - Help Net Security
Australian orgs lodged 497 data breach notices in back half of 2022 - Security - iTnews
Hatch Bank discloses data breach after GoAnywhere MFT hack (bleepingcomputer.com)
GunAuction site was hacked and data of 565k accounts were exposed--Security Affairs
Chick-fil-A confirms accounts hacked in months-long "automated" attack (bleepingcomputer.com)
What GoDaddy's Years-Long Breach Means for Millions of Clients (darkreading.com)
Organised Crime & Criminal Actors
Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain
Cryptocurrency Bitcoin mining rig found in school crawlspace • The Register
Highly evasive cryptocurrency miner targets macOS--Security Affairs
Insider Risk and Insider Threats
Fraud, Scams & Financial Crime
Investment Scams Drive $9bn Fraud Surge in 2022 - Infosecurity Magazine (infosecurity-magazine.com)
How I Broke Into a Bank Account With an AI-Generated Voice (vice.com)
FTC reveals alarming increase in scam activity, costing consumers billions - Help Net Security
Resecurity identified the investment scam network Digital Smoke - Help Net Security
Pig butchering scam explained: Everything you need to know (techtarget.com)
AML/CFT/Sanctions
Insurance
Dark Web
Supply Chain and Third Parties
Third-party risks overwhelm traditional ERM setups - Help Net Security
Third-Party Risks: Challenges for MSSPs and How to Overcome Them - MSSP Alert
Shocking Findings from the 2023 Third-Party App Access Report (thehackernews.com)
Software Supply Chain
Shocking Findings from the 2023 Third-Party App Access Report (thehackernews.com)
SBOM is a 'massive galaxy of mess' for supply chain security • The Register
IBM Contributes Supply Chain Security Tools to OWASP (darkreading.com)
Cloud/SaaS
How to Tackle the Top SaaS Challenges of 2023 (thehackernews.com)
Cloud incident response: Frameworks and best practices | TechTarget
Security teams have no control over risky SaaS-to-SaaS connections - Help Net Security
It only takes one over-privileged identity to do major damage to a cloud - Help Net Security
SCARLETEEL hackers use advanced cloud skills to steal source code, data (bleepingcomputer.com)
Shocking Findings from the 2023 Third-Party App Access Report (thehackernews.com)
Google Cloud Platform allows data exfiltration without a (forensic) trace - Help Net Security
What Happened in That Cyber attack? With Some Cloud Services, You May Never Know (darkreading.com)
New Report: Inside the High Risk of Third-Party SaaS Apps (darkreading.com)
Containers
Hybrid/Remote Working
Work-From-Home Regulations Are Coming. Companies Aren’t Ready. (mit.edu)
How to work from home securely, the NSA way (malwarebytes.com)
Encryption
API
Open Source
Iron Tiger hackers create Linux version of their custom malware (bleepingcomputer.com)
Should organisations swear off open-source software altogether? | VentureBeat
IBM Contributes Supply Chain Security Tools to OWASP (darkreading.com)
Passwords, Credential Stuffing & Brute Force Attacks
LastPass Says DevOps Engineer Home Computer Hacked - SecurityWeek
Critical Vulnerabilities Allowed Booking.com Account Takeover - SecurityWeek
Sale of Stolen Credentials and Initial Access Dominate Dark Web Markets (darkreading.com)
Social Media
White House: No More TikTok on Gov't Devices Within 30 Days - SecurityWeek
EU Parliament bans staff from using TikTok over ‘cybersecurity concerns’ – POLITICO
TikTok answers three big cyber-security fears about the app - BBC News
Meta says $725M deal ends all Cambridge Analytica claims; one state disagrees | Ars Technica
Training, Education and Awareness
Parental Controls and Child Safety
Regulations, Fines and Legislation
UK seeks to ‘focus’ espionage bill to head off Lords rebellion | Financial Times (ft.com)
Cyber resilience in focus: EU act to set strict standards - Help Net Security
Work-From-Home Regulations Are Coming. Companies Aren’t Ready. (mit.edu)
ML practitioners push for mandatory AI Bill of Rights - Help Net Security
Governance, Risk and Compliance
Third-party risks overwhelm traditional ERM setups - Help Net Security
CISOs Share Their 3 Top Challenges for Cybersecurity Management (darkreading.com)
The Importance of Recession-Proofing Security Operations (darkreading.com)
Third-Party Risks: Challenges for MSSPs and How to Overcome Them - MSSP Alert
CISO Conversations: Code42, BreachQuest Leaders Discuss Combining CISO and CIO Roles - SecurityWeek
Models, Frameworks and Standards
Careers, Working in Cyber and Information Security
Gartner Prediction: Nearly Half of Cybersecurity Pros Will Change Jobs by 2025 - MSSP Alert
Growing Demand For Skilled Cybersecurity Workforce In Digital Age (informationsecuritybuzz.com)
Partnering With a Cybersecurity Vendor Can Help You Recruit Top Talent - MSSP Alert
CISOs Are Stressed Out and It's Putting Companies at Risk (thehackernews.com)
Law Enforcement Action and Take Downs
'Ethical hacker' among ransomware suspects arrested • The Register
The DoJ Disruption of the Hive Ransomware Group Is a Short-Lived Win (darkreading.com)
Privacy, Surveillance and Mass Monitoring
UK seeks to ‘focus’ espionage bill to head off Lords rebellion | Financial Times (ft.com)
Press greets Home Office redraft of national security bill with scepticism | Media | The Guardian
The Air Force Is Now Using Facial Recognition Drones (gizmodo.com)
How dog tracker apps are snooping on humans, according to cyber security experts (telegraph.co.uk)
Artificial Intelligence
Generative AI Changes Everything We Know About Cyber attacks (darkreading.com)
ChatGPT is bringing advancements and challenges for cybersecurity - Help Net Security
How I Broke Into a Bank Account With an AI-Generated Voice (vice.com)
ML practitioners push for mandatory AI Bill of Rights - Help Net Security
Misinformation, Disinformation and Propaganda
Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine
Cyber security must be tightened up in this era of polycrisis | World Economic Forum (weforum.org)
How the Ukraine War Opened a Fault Line in Cyber crime, Possibly Forever (darkreading.com)
Russia-Ukraine War: A Year of Cyber Shortfalls (foreignpolicy.com)
Evaluating the Cyberwar Set Off by Russian Invasion of Ukraine (darkreading.com)
CERT of Ukraine: Russia-linked APT backdoored multiple govt sites-Security Affairs
White House: No More TikTok on Gov't Devices Within 30 Days - SecurityWeek
Russian charged with smuggling US counterintel tech • The Register
Cyber security in wartime: how Ukraine's infosec community is coping | CSO Online
China's BlackFly Targets Materials Sector in 'Relentless' Quest for IP (darkreading.com)
'Hackers' Behind Air Raid Alerts Across Russia: Official - SecurityWeek
China spends billions on pro-Russia disinformation, US special envoy says | China | The Guardian
Nation State Actors
Cyber security must be tightened up in this era of polycrisis | World Economic Forum (weforum.org)
How the Ukraine War Opened a Fault Line in Cyber crime, Possibly Forever (darkreading.com)
Hacker group defaces Russian websites to display the Kremlin on fire | TechCrunch
Russia-Ukraine War: A Year of Cyber Shortfalls (foreignpolicy.com)
CERT of Ukraine: Russia-linked APT backdoored multiple govt sites-Security Affairs
Evaluating the Cyberwar Set Off by Russian Invasion of Ukraine (darkreading.com)
White House: No More TikTok on Gov't Devices Within 30 Days - SecurityWeek
Russian charged with smuggling US counterintel tech • The Register
Cyber security in wartime: how Ukraine's infosec community is coping | CSO Online
EU Parliament bans staff from using TikTok over ‘cybersecurity concerns’ – POLITICO
China's BlackFly Targets Materials Sector in 'Relentless' Quest for IP (darkreading.com)
'Hackers' Behind Air Raid Alerts Across Russia: Official - SecurityWeek
China spends billions on pro-Russia disinformation, US special envoy says | China | The Guardian
TikTok answers three big cyber-security fears about the app - BBC News
Russia bans foreign messaging apps in government organisations (bleepingcomputer.com)
Chinese hackers use new custom backdoor to evade detection (bleepingcomputer.com)
Vulnerability Management
Vulnerabilities
A world of hurt for Fortinet and ManageEngine after users fail to install patches | Ars Technica
Hackers are actively exploiting Zoho ManageEngine flaw-Security Affairs
All In One SEO WordPress Plugin Vulnerability Affects Up To 3+ Million (searchenginejournal.com)
CISA warns of hackers exploiting ZK Java Framework RCE flaw (bleepingcomputer.com)
Cisco patches critical Web UI RCE flaw in multiple IP phones (bleepingcomputer.com)
Aruba Networks fixes six critical vulnerabilities in ArubaOS (bleepingcomputer.com)
Microsoft releases Windows security updates for Intel CPU flaws (bleepingcomputer.com)
Tools and Controls
LastPass Reveals Second Attack Resulting in Breach of Encrypted Password Vaults (thehackernews.com)
Well-funded security systems fail to prevent cyber attacks in US and Europe: Report | CSO Online
The Future of Network Security: Predictive Analytics and ML-Driven Solutions (thehackernews.com)
Microsoft announces automatic BEC, ransomware attack disruption capabilities - Help Net Security
How to use zero trust and IAM to defend against cyber attacks in an economic downturn | VentureBeat
Pentesting No Longer Driven by Regulatory Compliance, New Study Finds - MSSP Alert
Application Security vs. API Security: What is the difference? (thehackernews.com)
Accurately assessing the success of zero-trust initiatives | TechTarget
Other News
Attackers are developing and deploying exploits faster than ever - Help Net Security
Attacker Breakout Time Drops to Just 84 Minutes - Infosecurity Magazine (infosecurity-magazine.com)
Moving target defence must keep cyber attackers guessing - Help Net Security
Covert cyber attacks on the rise as attackers shift tactics for maximum impact - Help Net Security
Dormant accounts are a low-hanging fruit for attackers - Help Net Security
Dish Network goes offline after likely cyber attack, employees cut off (bleepingcomputer.com)
News Corp says state hackers were on its network for two years (bleepingcomputer.com)
UK won the Military Cyberwarfare exercise Defence Cyber Marvel-Security Affairs
To Safeguard Critical Infrastructure, Go Back to Basics (darkreading.com)
Feds accuse Google of destroying evidence in antitrust case • The Register
Microsoft recommending you scan more Exchange server files • The Register
CISA director urges tech sector to stop shipping unsafe products | CyberScoop
Developers can make a great extension of your security team - Help Net Security
2023 Browser Security Report Uncovers Major Browsing Risks and Blind Spots (thehackernews.com)
Uncovering the most pressing cybersecurity concerns for SMBs - Help Net Security
Wiz execs: Most overhyped security tool is technology itself • The Register
Sector Specific
Industry specific threat intelligence reports are available.
Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.
· Automotive
· Construction
· Critical National Infrastructure (CNI)
· Defence & Space
· Education & Academia
· Energy & Utilities
· Estate Agencies
· Financial Services
· FinTech
· Food & Agriculture
· Gaming & Gambling
· Government & Public Sector (including Law Enforcement)
· Health/Medical/Pharma
· Hotels & Hospitality
· Insurance
· Legal
· Manufacturing
· Maritime
· Oil, Gas & Mining
· OT, ICS, IIoT, SCADA & Cyber-Physical Systems
· Retail & eCommerce
· Small and Medium Sized Businesses (SMBs)
· Startups
· Telecoms
· Third Sector & Charities
· Transport & Aviation
· Web3
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Threat Briefing 11 November 2022
Black Arrow Cyber Threat Briefing 11 November 2022:
-Research Finds Organisations Lack Tools and Teams to Address Cyber Security Threats
-Some 98% of Global Firms Suffer Supply Chain Breach in 2021
-Only 30% of Cyber Insurance Holders Say Ransomware is Covered
-Companies Hit by Ransomware Often Targeted Again, Research Says
-Ransomware Remains Top Cyber Risk for Organisations Globally, Says Allianz
-How Geopolitical Turmoil Changed the Cyber Security Threat Landscape
-Swiss Re Wants Government Bail Out academias Cyber Crime Insurance Costs Spike
-Extortion Economics: Ransomware's New Business Model
-Confidence in Data Recovery Tools Low
-Russia’s Sway Over Criminal Ransomware Gangs Is Coming into Focus
-Insider Risk on the Rise: 12% of Employees Take IP When Leaving Jobs
-Why a Clear Cyber Policy is Critical for Companies
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
Research Finds Organisations Lack Tools and Teams to Address Cyber Security Threats
In research conducted in the summer of 2022 by BlackBerry, the findings describe the situation facing organisations regardless of size or vertical.
The survey of 405 senior IT, networking, and security decision-makers in the US, Canada, and the UK revealed 83% of organisations agreed building cyber security programs is expensive due to required tools, licenses, and personnel, and 80% agreed it’s challenging to fill specialised security roles. Most organisations (78%) have an incident management process, but about half (49%) agree they lack the teams and tools to be effective 24x7x365. Evolving security threats (53%) and the task of integrating new technology (53%) are cited as top challenges in maintaining security posture.
While it’s likely these findings surprise no one, they do reveal the challenges facing organisations who are caught between limited resources and increased risk. The urgency increases if we look at the critical infrastructure that keeps things running–like utilities, banks, transportation, key suppliers, industrial controls, and more.
Some 98% of Global Firms Suffer Supply Chain Breach in 2021
Just 2% of global organisations didn’t suffer a supply chain breach last year, with visibility into cyber risk getting harder as these ecosystems expand, according to BlueVoyant.
The security firm polled 2100 C-level execs with responsibility for supply chain and cyber risk management from companies with 1000+ employees to compile its study, The State of Supply Chain Defense: Annual Global Insights Report 2022.
It found the top challenges listed by respondents were:
Awareness internally that third-party suppliers are part of their cyber security posture
Meeting regulatory requirements and ensuring third-party cyber security compliance
Working with third-party suppliers to improve their posture.
Supply chains are growing: the number of firms with over 1000 suppliers increased from 38% in 2021’s report to 50%. Although 53% of organisations audited or reported on supplier security more than twice annually, 40% still rely on suppliers to ensure security levels are sufficient. That means they have no way of knowing if an issue arises with a supplier.
Worse, 42% admitted that if they do discover an issue in their supply chain and inform their supplier, they cannot verify that the issue was resolved. Just 3% monitor their supply chain daily, although the number of respondents using security ratings services to enhance visibility and reduce cyber risk increased from 36% last year to 39% in this year’s report.
With the escalating threat landscape and number of high-profile incidents being reported, firms should focus more strategically on addressing supply chain cyber security risk. In the current volatile economic climate, the last thing any business needs is any further disruption to their operations, any unexpected costs, or negative impact on their brand.
https://www.infosecurity-magazine.com/news/98-global-firms-supply-chain/
Only 30% of Cyber Insurance Holders Say Ransomware is Covered
Cyber insurance providers appear to be limiting policy coverage due to surging costs from claimants, according to a new study from Delinea.
The security vendor polled 300 US-based IT decision makers to compile its latest report, Cyber insurance: if you get it be ready to use it.
Although 93% were approved for specialised cyber insurance cover by their provider, just 30% said their policy covered “critical risks” including ransomware, ransom negotiations and payments. Around half (48%) said their policy covers data recovery, while just a third indicated it covers incident response, regulatory fines and third-party damages.
That may be because many organisations are regularly being breached and look to their providers for pay-outs, driving up costs for carriers. Some 80% of those surveyed said they’ve had to call on their insurance, and half of these have submitted claims multiple times, the study noted.
As a result, many insurers are demanding that prospective policyholders implement more comprehensive security controls before they’re allowed to sign up.
Half (51%) of respondents said that security awareness training was a requirement, while (47%) said the same about malware protection, AV software, multi-factor authentication (MFA) and data backups.
However, high-level checks may not be enough to protect insurers from surging losses, as they can’t guarantee customers are properly deploying security controls.
Cyber insurance providers need to start advancing beyond simple checklists for security controls. They must require their customers to validate that their security controls work as designed and expected. They need their customers to simulate their adversaries to ensure that when they are attacked, the attack will not result in a breach. In fact, we're already starting to see government regulations and guidance that includes adversary simulation as part of their proactive response to threats.
https://www.infosecurity-magazine.com/news/cyberinsurance-ransomware-cover/
Companies Hit by Ransomware Often Targeted Again, Research Says
It has been reported that more than a third of companies who paid a ransom to cyber criminals after being hit by a ransomware attack went on to be targeted for a second time, according to a new report.
The Hiscox Cyber Readiness Report found that 36% of companies that made the ransom payment were hit again, while 41% who paid failed to recover all of their data.
The head of the UK’s National Cyber Security Centre (NCSC), Lindy Cameron, said last year that ransomware attacks were the “most immediate danger” to the UK and urged companies to take more steps to protect themselves and their data.
The NCSC urges firms not to pay ransoms as it not only helps fund further crime but offers no guarantee that criminals will return the stolen or locked data. The Hiscox report appeared to back up the NCSC’s warnings, with 43% of the businesses who paid a ransom saying they still had to rebuild their systems while 29% said that despite making the payment their stolen data was still leaked. A further 26% said a ransomware attack had had a significant financial impact on their business.
Ransomware Remains Top Cyber Risk for Organisations Globally, Says Allianz
According to an Allianz Global Corporate & Specialty cyber report, ransomware remains a top cyber risk for organisations globally, while the threat of state-sponsored cyber attacks grows.
There were a record 623 million attacks in 2021, which was double that of 2020, says Allianz.
It also notes that despite the frequency reducing 23% globally during H1 of 2022, the year-to-date total still exceeds that of the full years of 2017, 2018 and 2019, while Europe saw attacks surge over this period. Allianz suggests that ransomware is forecast to cause $30bn in damages to organisations globally by 2023.
It adds that from an Allianz perspective, the value of ransomware claims the company was involved in together with other insurers, accounted for well over 50% of all cyber claims costs during 2020 and 2021.
The cyber risk landscape doesn’t allow for any resting on laurels. Ransomware and phishing scams are as active as ever and on top of that there is the prospect of a hybrid cyber war.
Most companies will not be able to evade a cyber threat. However, it is clear that organisations with good cyber maturity are better equipped to deal with incidents. Even when they are attacked, losses are typically less severe due to established identification and response mechanisms.
Many companies still need to strengthen their cyber controls, particularly around IT security trainings, better network segmentation for critical environments and cyber incident response plans and security governance.
Allianz observes that geopolitical tensions, such as the war in Ukraine, are a major factor reshaping the cyber threat landscape as the risks of espionage, sabotage, and destructive cyber-attacks against companies with ties to Russia and Ukraine increase, as well as allies and those in neighbouring countries.
How Geopolitical Turmoil Changed the Cyber Security Threat Landscape
ENISA, EU’s Agency for Cybersecurity, released its annual Threat Landscape report, covering the period from July 2021 up to July 2022.
With more than 10 terabytes of data stolen monthly, ransomware still fares as one of the prime threats in the new report with phishing now identified as the most common initial vector of such attacks. The other threats to rank highest along ransomware are attacks against availability also called Distributed Denial of Service (DDoS) attacks.
However, the geopolitical situations particularly the Russian invasion of Ukraine have acted as a game changer over the reporting period for the global cyber domain. While we still observe an increase of the number of threats, we also see a wider range of vectors emerge such as zero-day exploits and AI-enabled disinformation and deepfakes. As a result, more malicious and widespread attacks emerge having more damaging impact.
EU Agency for Cybersecurity Executive Director, Juhan Lepassaar stated that “Today’s global context is inevitably driving major changes in the cyber security threat landscape. The new paradigm is shaped by the growing range of threat actors. We enter a phase which will need appropriate mitigation strategies to protect all our critical sectors, our industry partners and therefore all EU citizens.”
State sponsored, cyber crime, hacker-for-hire actors and hacktivists remain the prominent threat actors during the reporting period of July 2021 to July 2022.
ENISA sorted threats into 8 groups. Frequency and impact determine how prominent all of these threats still are.
Ransomware: 60% of affected organisations may have paid ransom demands
Malware: 66 disclosures of zero-day vulnerabilities observed in 2021
Social engineering: Phishing remains a popular technique but we see new forms of phishing arising such as spear-phishing, whaling, smishing and vishing
Threats against data: Increasing in proportionally to the total of data produced
Disinformation – misinformation: Escalating AI-enabled disinformation, deepfakes and disinformation-as-a-service
Supply chain targeting: Third-party incidents account for 17% of the intrusions in 2021 compared to less than 1% in 2020
Threats against availability:
Largest denial of service (DDoS) attack ever was launched in Europe in July 2022
Internet: destruction of infrastructure, outages and rerouting of internet traffic.
https://www.helpnetsecurity.com/2022/11/08/cybersecurity-threat-landscape-2022/
Swiss Re Wants Government Bail Out as Cyber Crime Insurance Costs Spike
As insurance companies struggle to stay afloat amid rising cyber claims, Swiss Re has recommended a public-private partnership insurance scheme with one option being a government-backed fund to help fill the coverage gap.
Global cyber insurance premiums hit $10 billion in 2021, according to Swiss Re's estimates. In a study published this week, the insurance giant forecasted 20 percent annual growth to 2025, with premiums rising to $23 billion over the next few years.
Meanwhile, annual cyber attack-related losses total about $945 billion globally, and about 90% of that risk remains uninsured, according to insurance researchers at the Geneva Association.
While Forrester estimates a typical data breach costs an average $2.4 million for investigation and recovery, only 55 percent of companies currently have cyber insurance policies. Additionally, less than 20 percent have coverage limits in excess of $600,000, which the analyst firm cites as the median ransomware demand in 2021.
https://www.theregister.com/2022/11/08/government_cyber_insurance/
Extortion Economics: Ransomware's New Business Model
Ransomware-as-a-service lowers the barriers to entry, hides attackers’ identities, and creates multitier, specialised roles in service of ill-gotten gains.
Did you know that more than 80% of ransomware attacks can be traced to common configuration errors in software and devices? This ease of access is one of many reasons why cyber criminals have become emboldened by the underground ransomware economy.
And yet many threat actors work within a relatively small and interconnected ecosystem of players. This pool of cyber criminals has created specialised roles and consolidated the cyber crime economy, fuelling ransomware-as-a-service (RaaS) to become the dominant business model. In doing so, they've enabled a wider range of criminals to deploy ransomware regardless of their technical expertise and forced all of us to become cyber security defenders in the process.
Ransomware takes advantage of existing security compromises to gain access to internal networks. In the same way businesses hire gig workers to cut costs, cyber criminals have turned to renting or selling their ransomware tools for a portion of the profits rather than performing the attacks themselves.
This flourishing RaaS economy allows cyber criminals to purchase access to ransomware payloads and data leakage, as well as payment infrastructure. What we think of as ransomware gangs are actually RaaS programs like Conti or REvil, used by the many different actors who switch between RaaS programs and payloads.
RaaS lowers the barrier to entry and obfuscates the identity of the attackers behind the ransoming. Some programs can have 50 or more "affiliates," as they refer to their users, with varying tools, tradecraft, and objectives. Anyone with a laptop and credit card who is willing to search the Dark Web for penetration-testing tools or out-of-the-box malware can join this maximum efficiency economy.
https://www.darkreading.com/microsoft/extortion-economics-ransomware-s-new-business-model
Confidence in Data Recovery Tools Low
A recent IDC and Druva survey asked 505 respondents across 10 industries about their ransomware experiences and found that many organisations struggle to recover after an attack. In the survey, 85% of the respondents said their organisations had a ransomware recovery plan. The challenge seems to lie in effectively executing that plan.
"A majority of organisations suffered significant consequences from ransomware attacks including long recoveries and unrecoverable data despite paying a ransom," states the "You Think Ransomware Is Your Only Problem? Think Again" report.
Data resiliency is such an important element of cyber security that 96% of respondents considered it a top priority for their organisations, with a full 77% placing it in the top 3. What's striking about the survey results is that only 14% of respondents said they were "extremely confident" in their tools, even though 92% called their data resiliency tools "efficient" or "highly efficient."
When data is spread across hybrid, cloud, and edge environments, data resiliency becomes much more complicated. A plan might seem to cover everything, but then you realise that you lost your backup or can't find the latest restore point.
The ability to recover from an attack is vital, since the growth in ransomware makes it likely that your organisation will get hit. This is why agencies like NIST recommend preparing for when an attacker pierces your defences rather than trying to keep out every intruder. That mindset also shifts the priority to preparation and planning; you need to create a disaster recovery plan that includes policy on restore points and recovery tools — and you need to practice implementing that plan before disaster strikes.
The report lists three key performance indicators that reveal the success of an organisation's recovery from a cyber attack:
The ability to fully recover encrypted or deleted data without paying a ransom.
Zero data loss in the process of recovering the data.
Rapid recovery as defined by applicable service-level requirements.
When a recovery fails to meet these criteria, then the organisation may suffer financial loss, loss of reputation, permanently lost customers, and reduced employee productivity.
https://www.darkreading.com/tech-trends/confidence-in-data-recovery-tools-low
Russia’s Sway Over Criminal Ransomware Gangs Is Coming into Focus
Russia-based ransomware gangs are some of the most prolific and aggressive, in part thanks to an apparent safe harbour the Russian government extends to them. The Kremlin doesn't cooperate with international ransomware investigations and typically declines to prosecute cyber criminals operating in the country so long as they don't attack domestic targets. A long-standing question, though, is whether these financially motivated hackers ever receive directives from the Russian government and to what extent the gangs are connected to the Kremlin's offensive hacking. The answer is starting to become clearer.
New research presented at the Cyberwarcon security conference in Arlington, Virginia, this week looked at the frequency and targeting of ransomware attacks against organisations based in the United States, Canada, the United Kingdom, Germany, Italy, and France in the lead-up to these countries' national elections. The findings suggest a loose but visible alignment between Russian government priorities and activities and ransomware attacks leading up to elections in the six countries.
The project analysed a data set of over 4,000 ransomware attacks perpetrated against victims in 102 countries between May 2019 and May 2022. The analysis showed a statistically significant increase in ransomware attacks from Russia-based gangs against organisations in the six victim countries ahead of their national elections. These nations suffered the most total ransomware attacks per year in the data set, about three-quarters of all the attacks.
The data was used to compare the timing of attacks for groups believed to be based out of Russia and groups based everywhere else. They looked at the number of attacks on any given day, and what they found was an interesting relationship where for these Russia-based groups, there was an increase in the number of attacks starting four months before an election and moving three, two, one month in, up to the event.
The findings showed broadly that non-Russian ransomware gangs didn't have a statistically significant increase in attacks in the lead-up to elections. Whereas two months out from a national election, for example, the researchers found that organisations in the six top victim countries were at a 41 percent greater chance of having a ransomware attack from a Russia-based gang on a given day, compared to the baseline.
https://www.wired.com/story/russia-ransomware-gang-connections/
Insider Risk on the Rise: 12% of Employees Take IP When Leaving Jobs
Twelve percent of all employees take sensitive intellectual property (IP) with them when they leave an organisation.
The data comes from workforce cyber intelligence and security company Dtex, which published a report about top insider risk trends for 2022. “Customer data, employee data, health records, sales contacts, and the list goes on,” reads the document. “More and more applications are providing new features that make data exfiltration easier. For example, many now provide the ability to maintain clipboard history and sync across multiple devices.”
Case in point, the report also suggests a 55% increase in unsanctioned application usage, including those making data exfiltration easier by allowing users to maintain clipboard history and sync IP across multiple devices. “Bring Your Own Applications (BYOA) or Shadow IT can be a source of intelligence for business innovation,” Dtex wrote. “Still, they pose a major risk if the security team has not tested these tools thoroughly.”
Further, the new data highlight a 20% increase in resignation letter research and creation from employees taking advantage of the tight labour market to switch positions for higher wages.
“In most cases, an individual planning to leave the business is not pleased with the company’s product, co-workers, work environment, or compensation,” reads the report. “Disgruntled employees are usually jaded by a business that has not shown any steps to alleviate concerns, even after communication attempts.”
Finally, the Dtex report says the industry has witnessed a 200% increase in unsanctioned third-party work on corporate devices from a high prevalence of employees engaged in side gigs.
https://www.infosecurity-magazine.com/news/12-of-employees-take-ip-when/
Why a Clear Cyber Policy is Critical for Companies
In October, Joe Sullivan, Uber’s former head of security, was convicted of covering up a 2016 data breach at the ride hailing giant by hiding details from US regulators and then paying off the hackers.
It was a trial followed nervously by cyber security professionals around the world — coming eight years after an incident that had compromised the personal information of more than 57mn people.
“Any news about another company dealing with a data security incident can strike a bit of fear across industries,” notes Mary Pothos, chief privacy officer at digital travel company Booking.com. She adds that incidents like these cause “many companies to pause, rethink or revisit their internal processes to make sure that they are operating effectively”.
These incidents, and threats, are growing at lightning speed, too. War in Ukraine is now being played out as much in cyber space as on the battlefield. The Covid pandemic has forced businesses to rethink where their employees work, and handle or access data. At the same time, the sheer number of web-connected devices is multiplying.
“We need to be people who can predict what is coming along the line, predict the future, almost” said Victor Shadare, head of cyber security at media company Condé Nast, at a recent FT event on cyber security.
Palo Alto Networks, a specialist security company, found that cyber extortion grew rapidly in 2021. Some 35 new ransomware gangs emerged, the average ransom demand increasing 144 per cent that year to $2.2mn, and the average payment rose by 78 per cent to $541,010.
Meanwhile, cyber security personnel have found themselves hemmed in by increasingly onerous regulations. These include threats of legal action if the right people are not informed about breaches, or if products come to market that are not safe enough. On September 15, for example, the European Commission presented a proposal for a new Cyber Resilience Act to protect consumers from products with inadequate security features.
“New domains of security have sprung up over the past years, so it’s not just an information technology problem any more, it’s really a full company risk issue,” says Kevin Tierney, vice-president of global cyber security at automotive group General Motors. He warns that automated and connected vehicles have thrown up additional threats to be addressed.
“You have to start out with the right governance structure and the right policies and procedures — that’s step one of really getting the company to understand what it needs to do,” he says. These include clear rules on how to disable access to tech equipment, on data protection and storage, on transferring and disposing of data, on using corporate networks, and on reporting any data breaches.
Security experts also tend to agree that there need to be robust systems of governance and accountability, to prevent the sort of trouble that befell Sullivan at Uber. Perhaps most crucially, staff across the organisation, from C-suite to assistants, need to know how to spot and manage a threat.
https://www.ft.com/content/0bb6df09-7d77-4605-aac3-89443ed65a18
Threats
Ransomware and Extortion
Medibank: Hackers release abortion data after stealing Australian medical records - BBC News
Medical data hacked from 10m Australians begins to appear on dark web | World news | The Guardian
How ransomware gangs and malware campaigns are changing - Help Net Security
Thales confirms hackers have released its data on the dark web | Reuters
Most SMBs Fear Ransomware Attack Amid Heightened Geopolitical Tensions - MSSP Alert
Australia to consider banning paying of ransoms to cyber criminals | Reuters
LockBit gang claims to have stolen data from Kearney & Company - Security Affairs
Azov Ransomware is a wiper, destroying data 666 bytes at a time (bleepingcomputer.com)
Ransomware Gang Offers to Sell Files Stolen From Continental for $50 Million | SecurityWeek.Com
Canadian food retail giant Sobeys hit by Black Basta ransomware (bleepingcomputer.com)
LockBit affiliate uses Amadey Bot malware to deploy ransomware (bleepingcomputer.com)
Russia-linked IRIDIUM APT linked to Prestige ransomware attacks against Ukraine - Security Affairs
US Health Dept warns of Venus ransomware targeting healthcare orgs (bleepingcomputer.com)
Ransomware attacks on hospitals take toll on patients (nbcnews.com)
Hackers post Hereford schoolchildren's data records on dark web | Hereford Times
CISA and Spain Partnership to Develop Tool to Help Countries Combat Ransomware - MSSP Alert
Phishing & Email Based Attacks
Phishing threats are increasingly convincing and evasive - Help Net Security
Robin Banks phishing-as-a-service platform continues to evolve - Security Affairs
Phishing drops IceXLoader malware on thousands of home, corporate devices (bleepingcomputer.com)
Massive Phishing Campaigns Target India Banks’ Clients (trendmicro.com)
BEC – Business Email Compromise
Malware
Phishing drops IceXLoader malware on thousands of home, corporate devices (bleepingcomputer.com)
Cloud9 Malware Offers a Paradise of Cyber attack Methods (darkreading.com)
More malware is being hidden in PNG images, so watch out | TechRadar
Attackers Using IPFS for Distributed, Bulletproof Malware Hosting | SecurityWeek.Com
Malicious extension lets attackers control Google Chrome remotely (bleepingcomputer.com)
New hacking group uses custom 'Symatic' Cobalt Strike loaders (bleepingcomputer.com)
New StrelaStealer malware steals your Outlook, Thunderbird accounts (bleepingcomputer.com)
Mobile
5 Common Smartphone Security Myths, Debunked (makeuseof.com)
Oh, look: More malware in the Google Play store • The Register
Malicious app in the Play Store spotted distributing Xenomorph Banking Trojan - Security Affairs
Malicious droppers on Google Play deliver banking malware to victims - Help Net Security
Samsung phones are being targeted by some seriously shady zero-days | TechRadar
New BadBazaar Android malware linked to Chinese cyber spies (bleepingcomputer.com)
Worok hackers hide new malware in PNGs using steganography (bleepingcomputer.com)
Internet of Things – IoT
Organised Crime & Criminal Actors
An initial access broker claims to have hacked Deutsche Bank - Security Affairs
Cyber crime costs to hit $10.5tn by 2025 hears Saudi forum - Arabian Business
Cyber crime Group OPERA1ER Stole $11M From 16 African Businesses (darkreading.com)
Instagram star gets 11 years for $300m BEC conspiracy • The Register
Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain
FTX says it is probing ‘abnormal transactions’ after potential hack | Financial Times
Kraken's CSO Claims To Have Identified The $600 Million FTX Hacker (coingape.com)
Insider Risk and Insider Threats
Fraud, Scams & Financial Crime
Fifth Of 18 To 34-year-olds Have Fallen Victim To Financial Scams – Information Security Buzz
Ukrainian Cyber Cops Bust $200m Fraud Ring - Infosecurity Magazine (infosecurity-magazine.com)
Retail Sector Prepares for Annual Holiday Cyber crime Onslaught (darkreading.com)
US seized 18 web domains used for recruiting money mules (bleepingcomputer.com)
Insurance
Rising cost of cyber attacks sends insurance policy charges soaring | Financial Times (ft.com)
Just 25% of businesses are insured against cyber attacks. Here's why (theconversation.com)
Re-Focusing Cyber Insurance with Security Validation (thehackernews.com)
Swiss Re: Cyber-Insurance Industry Must Reform - Infosecurity Magazine (infosecurity-magazine.com)
Dark Web
DoJ seizes $3.36B Bitcoin from Silk Road hacker - Security Affairs
Silk Road drugs market hacker pleads guilty, faces 20 years inside – Naked Security (sophos.com)
Supply Chain and Third Parties
Hybrid Working
Attack Surface Management
Identity and Access Management
API
Passwords, Credential Stuffing & Brute Force Attacks
Microsoft Password Hacking Increase – Information Security Buzz
False sense of safety undermines good password hygiene - Help Net Security
Password-hacking attacks are on the rise. Here's how to stop your accounts from being stolen | ZDNET
Social Media
Twitter blue check unavailable after impostor accounts erupt on platform | Twitter | The Guardian
Twitter chief information security officer Lea Kissner departs | TechCrunch
Privacy, Surveillance and Mass Monitoring
World Cup apps pose a data security and privacy nightmare • The Register
Surveillance 'Existential' Danger of Tech: Signal Boss | SecurityWeek.Com
Regulations, Fines and Legislation
Careers, Working in Cyber and Information Security
Three million empty seats: What can we do about the cyber skills shortage? (computerweekly.com)
Cyber security, cloud and coding: Why these three skills will lead demand in 2023 | ZDNET
Cyber security leaders want to quit. Here's what is pushing them to leave | ZDNET
Law Enforcement Action and Take Downs
Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine
Red Cross seeks digital equivalent of its emblems • The Register
Russia’s New Cyberwarfare in Ukraine Is Fast, Dirty, and Relentless | WIRED
EU calls for joint cyber defence in response to Russia • The Register
Nation-State Hacker Attacks on Critical Infrastructure Soar: Microsoft | SecurityWeek.Com
What Ukraine’s cyber defence tactics can teach other nations | Financial Times (ft.com)
Russia-linked IRIDIUM APT linked to Prestige ransomware attacks against Ukraine - Security Affairs
APT29 abused Windows Credential Roaming in attacks - Security Affairs
Dutch MEP says illegal spyware ‘a grave threat to democracy’ | European Commission | The Guardian
Greece Is Banning Spyware After Predator Phone-Tapping Scandal (gizmodo.com)
British embassy security guard David Smith admits spying for Russia - BBC News
Nation State Actors
Nation State Actors – Russia
EU calls for joint cyber defence in response to Russia • The Register
Ukraine war: Russians kept in the dark by internet search - BBC News
Microsoft links Russia’s military to cyber attacks in Poland and Ukraine | Ars Technica
Putin ally Yevgeny Prigozhin admits interfering in US elections | Russia | The Guardian
Russia-linked IRIDIUM APT linked to Prestige ransomware attacks against Ukraine - Security Affairs
Nation State Actors – China
Nation State Actors – Misc
Vulnerability Management
Why CVE Management as a Primary Strategy Doesn't Work (darkreading.com)
Why it's time to review your Microsoft patch management options | CSO Online
Risk-Based Vulnerability Management: Understanding the RBVM Trend (darkreading.com)
How can CISOs catch up with the security demands of their ever-growing networks? - Help Net Security
Microsoft: Nation-state threats, zero-day attacks increasing (techtarget.com)
Types of vulnerability scanning and when to use each (techtarget.com)
Vulnerabilities
Microsoft November 2022 Patch Tuesday fixes 6 exploited zero-days, 68 flaws (bleepingcomputer.com)
VMware fixes three critical auth bypass bugs in remote access tool (bleepingcomputer.com)
Citrix ADC and Citrix Gateway are affected by a critical auth bypass - Security Affairs
Cisco Patches 33 Vulnerabilities in Enterprise Firewall Products | SecurityWeek.Com
Microsoft Patches MotW Zero-Day Exploited for Malware Delivery | SecurityWeek.Com
Apple out-of-band patches fix RCE bugs in iOS and macOS - Security Affairs
Microsoft fixes ProxyNotShell Exchange zero-days exploited in attacks (bleepingcomputer.com)
SAP Patches Critical Vulnerabilities in BusinessObjects, SAPUI5 | SecurityWeek.Com
Lenovo driver goof poses security risk for users of 25 notebook models | Ars Technica
Foxit Patches Several Code Execution Vulnerabilities in PDF Reader | SecurityWeek.Com
LiteSpeed Vulnerabilities Can Lead to Complete Web Server Takeover | SecurityWeek.Com
Reports Published in the Last Week
Other News
What Is Threat Hunting? A Definition for MSPs and Channel Partners - MSSP Alert
Cyber security: These are the new things to worry about in 2023 | ZDNET
What We Really Mean When We Talk About ‘Cyber security’ (darkreading.com)
Personal cyber security is now a company problem - Help Net Security
History of Computer Viruses & Malware | What Was Their Impact? (esecurityplanet.com)
5 Reasons to Consolidate Your Tech Stack (thehackernews.com)
Cookies for MFA Bypass Gain Traction Among Cyber attackers (darkreading.com)
Common lateral movement techniques and how to prevent them (techtarget.com)
Beyond the Pen Test: How to Protect Against Sophisticated Cyber criminals (darkreading.com)
5 ways to overcome multifactor authentication vulnerabilities (techtarget.com)
15,000 sites hacked for massive Google SEO poisoning campaign (bleepingcomputer.com)
Unencrypted Traffic Still Undermining Wi-Fi Security (darkreading.com)
Researchers Devise Wi-Peep Drone That Can 'See Through Walls' (gizmodo.com)
Sector Specific
Industry specific threat intelligence reports are available.
Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.
· Automotive
· Construction
· Critical National Infrastructure (CNI)
· Defence & Space
· Education & Academia
· Energy & Utilities
· Estate Agencies
· Financial Services
· FinTech
· Food & Agriculture
· Gaming & Gambling
· Government & Public Sector (including Law Enforcement)
· Health/Medical/Pharma
· Hotels & Hospitality
· Insurance
· Legal
· Manufacturing
· Maritime
· Oil, Gas & Mining
· OT, ICS, IIoT, SCADA & Cyber-Physical Systems
· Retail & eCommerce
· Small and Medium Sized Businesses (SMBs)
· Startups
· Telecoms
· Third Sector & Charities
· Transport & Aviation
· Web3
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Threat Briefing 04 November 2022
Black Arrow Cyber Threat Briefing 04 November 2022:
-NCSC Looks Back on Year Of ‘Profound Change’ for Cyber
-LastPass Research Finds False Sense of Cyber Security Running Rampant
-Insurance Giant Settles NotPetya ‘Act of War’ Lawsuit, Signaling Cyber Insurance Shakeup
-Microsoft Warns of Uptick in Hackers Leveraging Publicly-Disclosed 0-Day Vulnerabilities
-Chinese Mob Has 100K Slaves Working in Cambodian Cyber Crime Mills
-Ransomware Research: 17 Leaked Databases Operated by Threat Actors Threaten Third Party Organisations
-Not Enough Ransomware Victims Are Reporting Attacks, And That's a Problem for Everyone
-Hackers Selling Access to 576 Corporate Networks for $4 Million
-Cyber Security Recovery is a Process That Starts Long Before a Cyber Attack Occurs
-Geopolitics Plays Major Role in Cyber Attacks, Says EU Cyber Security Agency
-Russian Hackers Account for Most 2021 Ransomware Schemes, US Says
-Exposed: The Global Hacking Network That Targets VIPs
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
NCSC Looks Back on Year Of ‘Profound Change’ for Cyber
The UK’s National Cyber Security Centre (NCSC) provided support for 18 nationally significant ransomware attacks; removed 2.1 million cyber-enabled commodity campaigns; issued 34 million early warning alerts about attacks, compromises, vulnerabilities or open ports; and received 6.5 million reports of suspicious emails in the past 12 months – but in a year of “profound change” in the cyber security landscape, it was Russia’s invasion of Ukraine that dominated the agenda.
Reflecting on the past 12 months as she launched the NCSC’s latest annual report on 1 November at an event in London, NCSC CEO Lindy Cameron said that the return of war to Europe with Russia’s invasion of Ukraine presented a unique set of challenges in cyber space for the NCSC and its partners and allies.
Cameron added that while the cyber threat from Russia has perhaps been the most visible security issue of 2022, it was also important not to forget that when it comes to nation-state actors, it will likely be the technical development and evolution of China that ultimately has the more lasting impact on the UK’s national cyber security.
https://www.computerweekly.com/news/252526766/NCSC-looks-back-on-year-of-profound-change-for-cyber
LastPass Research Finds False Sense of Cyber Security Running Rampant
LastPass released findings from its fifth annual Psychology of Password findings, which revealed even with cyber security education on the rise, password hygiene has not improved. Regardless of generational differences across Boomers, Millennials and Gen Z, the research shows a false sense of password security given current behaviours across the board. In addition, LastPass found that while 65% of all respondents have some form of cyber security education — through school, work, social media, books or via online courses — the reality is that 62% almost always or mostly use the same or variation of a password.
The survey, which explored the password security behaviours of 3,750 professionals across seven countries, asked about respondents’ mindset and behaviours surrounding their online security. The findings highlighted a clear disconnect between high confidence when it comes to their password management and their unsafe actions. While the majority of professionals surveyed claimed to be confident in their current password management, this doesn’t translate to safer online behaviour and can create a detrimental false sense of safety.
Key findings from the research include:
Gen Z is confident when it comes to their password management, while also being the biggest offenders of poor password hygiene.
Cyber security education doesn’t necessarily translate to action.
Confidence creates a false sense of password security.
The latest research showcases that even in the face of a pandemic, where we spent more time online amid rising cyber attacks, there continues to be a disconnect for people when it comes to protecting their digital lives. Even though nearly two-thirds of respondents had some form of cyber security education, it is not being put into practice for varying reasons.
https://www.darkreading.com/vulnerabilities-threats/untitled
Insurance Giant Settles NotPetya ‘Act of War’ Lawsuit, Signaling Cyber Insurance Shakeup
The settlement last week in a $100 million lawsuit over whether insurance giant Zurich should cover losses Mondelez International suffered from NotPetya may very well reshape the entire cyber insurance marketplace.
Zurich initially denied claims from Mondelez after the malware, which experts estimate caused some $10 billion in damages globally, wreaked havoc on its computer networks. The insurance provider claimed an act of war exemption since it’s widely believed Russian military hackers unleashed NotPetya on a Ukrainian company before it spread around the world.
Now, however, it’s increasingly clear insurers aren’t off the hook for NotPetya payouts or from covering losses from other attacks with clear links to nation-state hackers.
That’s because in this case, what Mondelez and many other corporations endured was not an act of war, but “collateral damage” in a much larger cyber conflict that had nothing to do with them, said the Center for Strategic and International Studies.
There needs to be a rethink what act of war means in cyber space when it comes to insurance. The current definitions come out of the 19th century when we had pirates, navies and privateers.
Last week’s ruling in favour of Mondelez follows a January ruling in a New Jersey court that sided with global pharmaceutical company Merck in a similar case. Its insurance companies initially refused to pay for damages from NotPetya. Merck claimed losses that amounted to $1.4 billion. The insurers are appealing the ruling.
Insurers seized on the NotPetya episode to test how courts would rule on cyber coverage questions, particularly when there’s so much evidence pointing to one particular nation-state actor. Since NotPetya was widely attributed to the Russian government it gave the industry a “really strong opportunity” to set legal precedent limiting their responsibility in these instances.
Insurers will start to be much more upfront about the fact that they aren’t going to cover acts of cyber war or limit payouts for NotPetya type incidents in the future.
https://www.cyberscoop.com/insurance-giant-settles-notpetya-lawsuit/
Microsoft Warns of Uptick in Hackers Leveraging Publicly-Disclosed 0-Day Vulnerabilities
Microsoft is warning of an uptick among nation-state and criminal actors increasingly leveraging publicly-disclosed zero-day vulnerabilities for breaching target environments.
The tech giant, in its 114-page Digital Defense Report, said it has "observed a reduction in the time between the announcement of a vulnerability and the commoditisation of that vulnerability," making it imperative that organisations patch such exploits in a timely manner.
This also corroborates with an April 2022 advisory from the US Cybersecurity and Infrastructure Security Agency (CISA), which found that bad actors are "aggressively" targeting newly disclosed software bugs against broad targets globally.
Microsoft noted that it only takes 14 days on average for an exploit to be available in the wild after public disclosure of a flaw, stating that while zero-day attacks are initially limited in scope, they tend to be swiftly adopted by other threat actors, leading to indiscriminate probing events before the patches are installed.
It further accused Chinese state-sponsored groups of being "particularly proficient" at discovering and developing zero-day exploits. This has been compounded by the fact that the Cyberspace Administration of China (CAC) enacted a new vulnerability reporting regulation in September 2021 that requires security flaws to be reported to the government prior to them being shared with the product developers.
Redmond further said the law could enable government-backed elements to stockpile and weaponise the reported bugs, resulting in the increased use of zero-days for espionage activities designed to advance China's economic and military interests.
https://thehackernews.com/2022/11/microsoft-warns-of-uptick-in-hackers.html
Chinese Mob Has 100K Slaves Working in Cambodian Cyber Crime Mills
Up to 100,000 people from across Asia have been lured to Cambodia by Chinese crime syndicates with the promise of good jobs. When they arrive, their passports are seized and they are put to work in modern-day sweatshops, running cyber crime campaigns.
The Los Angeles Times reported that Cambodia, which was hit hard economically by the pandemic, has allowed Chinese mobsters to set up enormous cyber crime operations using human trafficked labour without consequence, because of the revenue it generates for the country. The campaigns they carry out run the gamut from romance scams to fake sports betting.
Although the Cambodian government acknowledges that as many as 100,000 workers are involved in these activities, it denies anyone is being held against their will. However, the stories from traumatised victims rescued from cyber crime mills include tales of beatings and torture for failing to meet quotas, and of being sold and passed around from gang to gang.
https://www.darkreading.com/attacks-breaches/chinese-mob-100k-slaves-cambodian-cybercrime-mills
Ransomware Research: 17 Leaked Databases Operated by Threat Actors Threaten Third Party Organisations
Ransomware remains a serious threat to organisations, Deep Instinct, a New York-based deep learning cyber security specialist, said in its recently released 2022 Interim Cyber Threat Report.
It’s no surprise, the company said, as there are currently 17 leaked databases operated by threat actors who are leveraging the data for attacks on third-party companies, most notably social engineering, credential theft, and triple-extortion attacks.
Here are the report’s key findings:
Changes in ransomware gangs, including LockBit, Hive, BlackCat, and Conti. The latter has spawned “Conti Splinters” made up of former affiliates Quantum, BlackBasta, and BlackByte.
Significant changes to tactics by Emotet, Agent Tesla, NanoCore, and others. For example, Emotet uses highly obfuscated VBA macros to avoid detection.
The use of documents for malware has decreased as the top attack vector, following Microsoft’s move to disable macros by default in Microsoft Office files. Threat actors have already pivoted to other methods such as LNK, HTML, and archive email attachments.
Vulnerabilities such as SpoolFool, Follina and DirtyPipe highlighted the exploitability of both Windows and Linux systems despite efforts to enhance their security.
The number of exploited in-the-wild vulnerabilities spikes every 3-4 months. The next spike is expected to occur by the end of the year.
Threat actor groups are extending data exfiltration attacks to demand ransoms from third-party companies if the leaked data contains their sensitive information.
The report also makes three predictions:
More inside jobs. Malicious threat actors look for the weakest link, which is often in the supply chain. Groups like Lapsus$ do not rely on exploits but instead look for insiders who are willing to sell access to data within their organisation.
Rise of protestware. Look for a spike in protestware, which is self-sabotaging one’s software and weaponising it with malware capabilities in an effort to harm all or some of its users. The war between Russia and Ukraine has caused a surge in protestware.
End of year attacks. While no major vulnerability in 2022 has emerged similar to the Log4J or the Exchange cases in 2021, there is an increase year-over-year in the number of publicly assigned CVEs for reported vulnerabilities. For now, threat actors are still exploiting old vulnerabilities during 2022 simply because there is a plethora of unpatched systems for 2021 CVEs but that will change.
Organisations are warned to be on their guard. 2022 has been another record year for cyber criminals and ransomware gangs. It’s no secret that these threat actors are constantly upping their game with new and improved tactics designed to evade traditional cyber defences. Defenders must continue to be vigilant and find new approaches to prevent these attacks from happening.
Ransomware: Not Enough Victims Are Reporting Attacks, And That's a Problem for Everyone
Ransomware continues to be a significant cyber threat to businesses and the general public – but it's difficult to know the true impact of attacks because many victims aren't coming forward to report them.
The warning comes in the National Cyber Security Centre (NCSC) Annual Review for 2022, which looks back at key developments and incidents in cyber crime over the last year, with ransomware described as an "ever present" threat and a "major challenge" to businesses and public services.
That's demonstrated by how the review details how in the 12-month period between 1 September 2021 and 31 August 2022 there were 18 ransomware incidents that needed a "nationally coordinated" response. These included attacks on a supplier to the National Health Service (NHS) and a ransomware attack against South Staffordshire Water.
However, the true impact of ransomware remains unclear, because the NCSC says that many organisations that fall prey to ransomware attacks aren't disclosing them.
That lack of reporting is despite the significant and disruptive consequences ransomware attacks can have, not only for organisations that fall victim, but for wider society – which is why it's vital that cyber security is taken seriously and incidents are reported.
Hackers Selling Access to 576 Corporate Networks for $4 Million
A new report shows that hackers are selling access to 576 corporate networks worldwide for a total cumulative sales price of $4,000,000, fuelling attacks on the enterprise.
The research comes from Israeli cyber-intelligence firm KELA which published its Q3 2022 ransomware report, reflecting stable activity in the sector of initial access sales but a steep rise in the value of the offerings.
Although the number of sales for network access remained about the same as in the previous two quarters, the cumulative requested price has now reached $4,000,000. For comparison, the total value of initial access listings in Q2 2022 was $660,000, recording a drop in value that coincided with the summer ransomware hiatus that hurt demand.
Initial access brokers (IABs) are hackers who sell access to corporate networks, usually achieved through credential theft, webshells, or exploiting vulnerabilities in publicly exposed hardware. After establishing a foothold on the network, the threat actors sell this corporate access to other hackers who use it to steal valuable data, deploy ransomware, or conduct other malicious activity. The reasons IABs choose not to leverage network access vary, ranging from lacking diverse intrusion skills to preferring not to risk increased legal trouble.
IABs still play a crucial role in the ransomware infection chain, even if they got sidelined last year when big ransomware gangs that operated as crime syndicates operated their own IAB departments.
Cyber Security Recovery is a Process That Starts Long Before a Cyber Attack Occurs
Organisations are racing to stay ahead of cyber criminals, and as a result, we see businesses investing a lot of money on identifying and detecting attacks, on preventing attacks in the first place, and in responding to live attacks. But they are not spending the same amounts on attack recovery. They may have followed all the relevant guidelines, and even implemented the ISO 27000 standard, but none of that helps them to understand how to build the business back after a serious cyber attack.
Until recent years, this cyber security recovery investment would be spent on an annual tabletop exercise or disaster recovery test and auditing recovery plans. While this should be done, it isn’t enough on its own.
Cyber security insurance is also critical, of course, but it only covers some of the losses. It won’t cover future loss. The reality is most organisations find it very difficult to fully recover from an attack. Those that invest more in disaster recovery and business continuity recover from these attacks far more swiftly than their less-prepared competitors.
The four core components of an effective cyber security recovery program
Pre-emptive action
Responsibilities and accountability
Having the right IT architecture, security and recovery process in place
Learning lessons and implementing changes.
Once these factors are understood, and any weak spots identified, the organisation can focus on re-designing or updating architecture and procedures, and on retraining employees (something that should happen regularly).
Recovery is a process that starts long before a cyber attack occurs. It concludes not when the data is secured, but when the organisation can say that it’s learned everything it can from the event and has made the changes necessary to avoid it happening again.
https://www.helpnetsecurity.com/2022/11/03/cybersecurity-recovery/
Geopolitics Plays Major Role in Cyber Attacks, Says EU Cyber Security Agency
The ongoing Russia-Ukraine conflict has resulted in an increase in hacktivist activity in the past year, with state-sponsored threat actors targeting 128 governmental organisations in 42 countries that support Ukraine, according to the European Union Agency for Cybersecurity (ENISA).
In addition, some threat actors targeted Ukrainian and Russian entities during the early days of the conflict, likely for the collection of intelligence, according to the 10th edition of the ENISA threat landscape report. The report, this year titled Volatile Geopolitics Shake the Trends of the 2022 Cybersecurity Threat Landscape, notes that in general geopolitical situations continue to have a high impact on cyber security.
This year's report identified several attack types frequently used by state-sponsored attackers. These include zero-day and critical vulnerability exploitation; attacks on operational technology (OT) networks; wiper attacks to destroy and disrupt networks of governmental agencies and critical infrastructure entities; and supply chain attacks. Attacks also featured social engineering, disinformation, and threats against data.
State-sponsored threat actors have also been observed targeting entities from countries in Southeast Asia, Japan, Australia, and Taiwan. Due to increased tensions between specific countries in Asia, state-sponsored threat actors have targeted countries (including EU member states) that had established closer ties with Taiwan.
Ransomware remains the top cyber crime attack type this year as well. More than 10 terabytes of data were stolen monthly during the period studied, with phishing identified as the most common initial vector of such attacks. The report also noted that 60% of affected organisations likely have paid the ransom demanded.
The second most used form of attack was DDoS. The largest DDoS attack ever was launched in Europe in July 2022 against a European customer of Akamai. The attack hit a peak at 853.7Gbps and 659.6Mpps (megapackets per second) over 14 hours.
While all sectors fell victim to attacks, public administration and government entities were the most affected, making up 24% of all cyber attack victims. This was followed by digital service providers at 13% and the general public at 12%. These three sectors alone accounted for 50% of all the attacks during this year.
Russian Hackers Account for Most 2021 Ransomware Schemes, US Says
Payment-seeking software made by Russian hackers was used in three quarters of all the ransomware schemes reported to a US financial crime agency in the second half of 2021, a Treasury Department analysis released on Tuesday showed.
In an analysis issued in response to the increase in number and severity of ransomware attacks against critical infrastructure in the United States since late 2020, the US Financial Crimes Enforcement Network (FinCEN) said it had received 1,489 ransomware-related filings worth nearly $1.2 billion in 2021, a 188% jump from the year before.
Out of 793 ransomware incidents reported to FinCEN in the second half of 2021, 75% "had a nexus to Russia, its proxies, or persons acting on its behalf," the report said.
Washington last week hosted a meeting with officials from 36 countries and the European Union, as well as 13 global companies to address the growing threat of ransomware and other cyber crime, including the illicit use of cryptocurrencies.
Exposed: The Global Hacking Network That Targets VIPs
Private investigators linked to the City of London are using an India-based computer hacking gang to target British businesses, government officials and journalists.
The Sunday Times and the Bureau of Investigative Journalism have been given access to the gang’s database, which reveals the extraordinary scale of the attacks. It shows the criminals targeted the private email accounts of more than 100 victims on behalf of investigators working for autocratic states, British lawyers and their wealthy clients. Critics of Qatar who threatened to expose wrongdoing by the Gulf state in the run-up to this month’s World Cup were among those hacked.
It is the first time the inner workings of a major “hack-for-hire” gang have been leaked to the media and it reveals multiple criminal conspiracies. Some of the hackers’ clients are private investigators used by major law firms with bases in the City of London.
The investigation — based on the leaked documents and undercover work in India — reveals:
Orders went out to the gang to target the BBC’s political editor Chris Mason in May, three weeks after his appointment was announced.
The president of Switzerland and his deputy were targeted just days after he met Boris Johnson and Liz Truss in Downing Street to discuss Russian sanctions.
Philip Hammond, then chancellor, was hacked as he was dealing with the fallout of Russia’s novichok poisonings in Salisbury.
A private investigator hired by a London law firm acting for the Russian state ordered the gang to target a British-based oligarch fleeing President Putin.
Michel Platini, the former head of European football, was hacked shortly before he was due to talk to French police about corruption allegations relating to this year’s World Cup.
The hackers broke into the email inboxes of the Formula One motor racing bosses Ruth Buscombe, the British head of race strategy at the Alfa Romeo team, and Otmar Szafnauer, who was chief executive of the Aston Martin team.
The gang seized control of computers owned by Pakistan’s politicians, generals and diplomats and eavesdropped on their private conversations apparently at the behest of the Indian secret services.
The commissioning of hacking is a criminal offence punishable with a maximum sentence of ten years in jail in Britain. The Metropolitan Police was tipped off about the allegations regarding Qatar in October last year, yet chose not to take any action. David Davis, the former cabinet minister, said that the force should reopen its investigation into the cyber attacks against British citizens. Davis said the investigation exposed how London has become “the global centre of hacking”.
https://www.thetimes.co.uk/article/exposed-the-global-hacking-network-that-targets-vips-nff67j67z
Threats
Ransomware and Extortion
International Counter Ransomware Initiative 2022 Joint Statement | The White House
Oreo Giant Mondelez Settles NotPetya 'Act of War' Insurance Suit (darkreading.com)
Extortion fears after hacker stole patient files from Dutch mental health clinics (bitdefender.com)
Ransomware activity and network access sales in Q3 2022 - Security Affairs
Ransomware costs top $1 billion as White House inks new threat-sharing initiative - CyberScoop
FIN7 Cyber crime Group Likely Behind Black Basta Ransomware Campaign (darkreading.com)
Yanluowang ransomware gang goes dark after leaks (techtarget.com)
LockBit 3.0 gang claims to have stolen data from Thales - Security Affairs
Ransomware cost US banks $1.2 billion last year • The Register
Australia sees rise in cyber crimes on back of 'destructive' ransomware, state actors | ZDNET
Australian Defence Department Impacted In Ransomware Attack (informationsecuritybuzz.com)
LockBit ransomware gang claims the hack of the Continental automotive group - Security Affairs
Cyber attack Strikes Global Copper Conglomerate (darkreading.com)
ALMA Observatory shuts down operations due to a cyber attack (bleepingcomputer.com)
Phishing & Email Based Attacks
Robin Banks phishing service returns to steal banking accounts (bleepingcomputer.com)
Attackers leverage Microsoft Dynamics 365 to phish users - Help Net Security
CISA Urges Organisations to Implement Phishing-Resistant MFA | SecurityWeek.Com
130 private Dropbox GitHub repos copied after phish attack • The Register
As Twitter brings on $8 fee, phishing emails target verified accounts (bleepingcomputer.com)
BEC – Business Email Compromise
New Crimson Kingsnake gang impersonates law firms in BEC attacks (bleepingcomputer.com)
Double-check those demand-payment emails from law firms • The Register
Malware
RomCom RAT malware campaign impersonates KeePass, SolarWinds NPM, Veeam (bleepingcomputer.com)
Emotet botnet starts blasting malware again after 4 month break (bleepingcomputer.com)
Drinik banking malware returns: Things you can do to keep your data safe | Mint (livemint.com)
Hacking group abuses antivirus software to launch LODEINFO malware (bleepingcomputer.com)
This stealthy hacking campaign uses a new trick to deliver its malware | ZDNET
Cranefly threat group uses innocent-looking info-stealer • The Register
250+ US news sites spotted spreading FakeUpdates malware in a supply-chain attack - Security Affairs
New Azov data wiper tries to frame researchers and BleepingComputer
Dozens of PyPI packages caught dropping 'W4SP' info-stealing malware (bleepingcomputer.com)
Mobile
US govt employees exposed to mobile attacks from outdated Android, iOS (bleepingcomputer.com)
Cyber-Threat Actor Uses Booby-Trapped VPN App to Deploy Android Spyware (darkreading.com)
Malicious dropper apps on Play Store totaled 30.000+ installations - Security Affairs
New SandStrike spyware infects Android devices via malicious VPN app (bleepingcomputer.com)
Internet of Things – IoT
IoT devices can undermine your security. Here are four ways to boost your defences | ZDNET
Understanding The Importance Of Cyber Resilience In Smart Buildings - IT Security Guru
Data Breaches/Leaks
Royal Mail customer data leak shutters online Click and Drop • The Register
Vodafone Italy discloses data breach after reseller hacked (bleepingcomputer.com)
LockBit 3.0 gang claims to have stolen data from Thales - Security Affairs
Dropbox discloses breach after hacker stole 130 GitHub repositories (bleepingcomputer.com)
Experian tool exposed partial Social Security numbers, putting customers at risk - CyberScoop
Label Giant Multi-Color Corporation Discloses Data Breach | SecurityWeek.Com
Bed Bath & Beyond Discloses Data Breach to SEC (darkreading.com)
Organised Crime & Criminal Actors
Four-year cyber crime campaign targeting African banks netted $30 million - CyberScoop
French-speaking crooks stole $30m in bank cyber-heist spree • The Register
Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain
Fraud, Scams & Financial Crime
Fraudulent Instruction Losses Spike in 2022 - Infosecurity Magazine (infosecurity-magazine.com)
Former Apple worker pleads guilty to $17m fraud charges • The Register
Insurance
Dark Web
Supply Chain and Third Parties
NCSC issues fresh guidance following recent rise in supply chain cyber attacks – Intelligent CISO
Hundreds of US news sites push malware in supply-chain attack (bleepingcomputer.com)
Software Supply Chain
You can up software supply chain security by implementing these measures - Help Net Security
W4SP Stealer Stings Python Developers in Supply Chain Attack (darkreading.com)
Denial of Service DoS/DDoS
FBI: Hacktivist DDoS attacks had minor impact on critical orgs (bleepingcomputer.com)
DDoS Attacks are Upgrading 70% with The Help of CLDAP (analyticsinsight.net)
Cloud/SaaS
Why Identity & Access Management Governance is a Core Part of Your SaaS Security (thehackernews.com)
Top 4 priorities for cloud data protection - Help Net Security
Zscaler's Cloud-Based Cyber security Outages Showcase Redundancy Problem (darkreading.com)
API
Open Source
Passwords, Credential Stuffing & Brute Force Attacks
Social Media
Training, Education and Awareness
Travel
Regulations, Fines and Legislation
ICO Slashes Government Data Breach Fine - Infosecurity Magazine (infosecurity-magazine.com)
SolarWinds reaches $26m settlement, expects SEC action • The Register
How to Prepare for New SEC Cyber security Disclosure Requirements | SecurityWeek.Com
Careers, Working in Cyber and Information Security
How Microsoft works to grow the next generation of cyber defenders - Microsoft Security Blog
Economic Uncertainty Isn't Stopping Cyber crime Recruitment — It's Fueling It (darkreading.com)
How to Narrow the Talent Gap in Cyber security (darkreading.com)
Is there a problem with stress and burnout in cyber security? - IT Security Guru
Law Enforcement Action and Take Downs
Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine
Will cyber saber-rattling drive us to destruction? - Help Net Security
No.10 WhatsApp Use Is Critical Danger To Security (informationsecuritybuzz.com)
Oreo Giant Mondelez Settles NotPetya 'Act of War' Insurance Suit (darkreading.com)
Cyber Threat Actor Uses Booby-Trapped VPN App to Deploy Android Spyware (darkreading.com)
New SandStrike spyware infects Android devices via malicious VPN app (bleepingcomputer.com)
Russian missile strikes overshadow cyber attacks as Ukraine reels from blackouts | CNN Politics
Nation State Actors
Nation State Actors – Russia
Liz Truss 's phone was allegedly hacked by Russian spies - Security Affairs
MPs 'constantly' warned their phones are national security risk (telegraph.co.uk)
US Treasury thwarted attack by Russian hacker group last month-official | Reuters
Russia tries to impose switch to Linux from Windows (freethink.com)
Nation State Actors – China
China-Backed APT10 Supercharges Spy Game With Custom Fileless Backdoor (darkreading.com)
Chinese Hackers Using New Stealthy Infection Chain to Deploy LODEINFO Malware (thehackernews.com)
Nation State Actors – Misc
Vulnerabilities
Critical ConnectWise Vulnerability Affects Thousands of Internet-Exposed Servers | SecurityWeek.Com
Fortinet fixed 16 vulnerabilities, 6 rated as high severity - Security Affairs
Cisco Patches High-Severity Bugs in Email, Identity, Web Security Products | SecurityWeek.Com
You Need to Update Google Chrome, Windows, and Zoom Right Now | WIRED UK
The Sky Is Not Falling: Disclosed OpenSSL Bugs Are Serious but Not Critical (darkreading.com)
Splunk Patches 9 High-Severity Vulnerabilities in Enterprise Product | SecurityWeek.Com
OpenSSL downgrades horror bug after week of speculation • The Register
Follina Exploit Leads to Domain Compromise (thedfirreport.com)
Patch Now: Dangerous RCE Bug Lays Open ConnectWise Server Backup Managers (darkreading.com)
Other News
Meet fundamental cyber security needs before aiming for more - Help Net Security
NCSC Issued 34 Million Cyber Alerts in Past Year - Infosecurity Magazine (infosecurity-magazine.com)
Multi-factor authentication fatigue can blow open security • The Register
WiFi security flaw lets a drone track devices through walls | Engadget
Build Security Around Users: A Human-First Approach to Cyber Resilience (darkreading.com)
The Role of Ethical Hacking in Cyber security (bolton.ac.uk)
Top 10 Ethical Hacking Trends and Predictions for 2023 (analyticsinsight.net)
British govt is scanning all Internet devices hosted in UK (bleepingcomputer.com)
Red Cross Eyes Digital Emblem for Cyber space Protection | SecurityWeek.Com
Security hygiene and posture management requires new tools (techtarget.com)
Offense Gets the Glory, but Defence Wins the Game | SecurityWeek.Com
The 7 Core Pillars of a Zero-Trust Architecture (techtarget.com)
Sector Specific
Industry specific threat intelligence reports are available.
Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.
· Automotive
· Construction
· Critical National Infrastructure (CNI)
· Defence & Space
· Education & Academia
· Energy & Utilities
· Estate Agencies
· Financial Services
· FinTech
· Food & Agriculture
· Gaming & Gambling
· Government & Public Sector (including Law Enforcement)
· Health/Medical/Pharma
· Hotels & Hospitality
· Insurance
· Legal
· Manufacturing
· Maritime
· Oil, Gas & Mining
· OT, ICS, IIoT, SCADA & Cyber-Physical Systems
· Retail & eCommerce
· Small and Medium Sized Businesses (SMBs)
· Startups
· Telecoms
· Third Sector & Charities
· Transport & Aviation
· Web3
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Threat Briefing 28 October 2022
Black Arrow Cyber Threat Briefing 28 October 2022:
-‘Biggest Cyber Risk Is Complacency, Not Hackers’ - UK Information Commissioner Issues Warning as Construction Company Fined £4.4 Million
-Ransomware Threat Shifts from US to EMEA and APAC
-Phishing Attacks Increase by Over 31% In Third Quarter
-UK Urged to Watch for Fraud as People Aim to Make Extra Cash in Cost of Living Crisis
-HR Departments Play a Key Role in Cyber Security
-The Long-Term Psychological Effects of Ransomware Attacks
-7 Hidden Social Media Cyber Risks for Enterprises
-54% of Staff Would Reconsider Working for a Firm That Had Experienced a Cyber Breach, Research Finds
-Evolve as Fast as the Cyber Criminals: Protect Your Business Now, Before it’s Too Late
-Enterprise Ransomware Preparedness Improving but Still Lacking
-Why Are There So Many Data Breaches? A Growing Industry of Criminals is Brokering in Stolen Data
-How The "pizza123" Password Could Take Down an Organisation
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
‘Biggest Cyber Risk Is Complacency, Not Hackers’ - UK Information Commissioner Issues Warning as Construction Company Fined £4.4 Million
The UK Information Commissioner has warned that companies are leaving themselves open to cyber attack by ignoring crucial measures like updating software and training staff.
The warning comes as the Information Commissioner’s Office (ICO) issued a fine of £4,400,000 to Interserve Group Ltd, a Berkshire based construction company, for failing to keep personal information of its staff secure. This is a breach of data protection law.
The ICO found that the company failed to put appropriate security measures in place to prevent a cyber attack, which enabled hackers to access the personal data of up to 113,000 employees through a phishing email.
The compromised data included personal information such as contact details, national insurance numbers, and bank account details, as well as special category data including ethnic origin, religion, details of any disabilities, sexual orientation, and health information.
John Edwards, UK Information Commissioner, said:
“The biggest cyber risk businesses face is not from hackers outside of their company, but from complacency within their company. If your business doesn't regularly monitor for suspicious activity in its systems and fails to act on warnings, or doesn't update software and fails to provide training to staff, you can expect a similar fine from my office.
“Leaving the door open to cyber attackers is never acceptable, especially when dealing with people’s most sensitive information. This data breach had the potential to cause real harm to Interserve’s staff, as it left them vulnerable to the possibility of identity theft and financial fraud.
“Cyber attacks are a global concern, and businesses around the world need to take steps to guard against complacency. The ICO and NCSC already work together to offer advice and support to businesses, and this week I will be meeting with regulators from around the world, to work towards consistent international cyber guidance so that people’s data is protected wherever a company is based.”
Ransomware Threat Shifts from US to EMEA and APAC
The volume of ransomware detections in Q3 2022 was the lowest in two years, but certain geographical regions have become bigger targets as attacks on US organisations wane, according to SonicWall. The security vendor used its own threat detection network, including over one million security sensors in more than 200 countries, to reveal the current landscape.
The good news is that global malware volumes have remained flat for the past three quarters, amounting to a total of over four billion detections in the year to date. Of these, ransomware is also trending down after a record-breaking 2021. Even so, SonicWall detected 338 million compromise attempts in the first three quarters of the year.
Year-to-date ransomware attempts in 2022 have already exceeded the full-year totals from four of the past five years, the vendor claimed. While attacks on US organisations dipped by 51% year-on-year during the period, they increased significantly in the UK (20%), EMEA (38%) and APAC (56%).
The cyber-warfare battlefront continues to shift, posing dangerous threats to organisations of all sizes. With expanding attack surfaces, growing numbers of threats and the current geopolitical landscape, it should be no surprise that even the most seasoned IT professional can feel overwhelmed.
https://www.infosecurity-magazine.com/news/ransomware-threat-shifts-from-us/
Phishing Attacks Increase by Over 31% In Third Quarter
Email security and threat detection company Vade has found that phishing emails in the third quarter this year increased by more than 31% quarter on quarter, with the number of emails containing malware in the first three quarters surpassing the 2021 level by 55.8 million.
Malware emails in the third quarter of 2022 alone increased by 217% compared to same period in 2021. Malware email volume peaked in July, reaching 19.2 million, before month-over-month declines in August and September, with numbers dropping to 16.8 million and 16.5 million respectively.
According to the report, email is the preferred attack vector for phishing and malware, as it gives hackers a direct channel to users, the weakest link in an organisation’s attack surface. The report analyses phishing and malware data captured by Vade, which does business internationally.
As attacks become more sophisticated, Vade said, they also become increasingly capable of evading the basic security offered by email providers, which almost eight in 10 businesses still rely on, according to Vade’s research.
While the activity of threat actors fluctuates, Vade’s research found that impersonating trusted and established brands remains the most popular strategy for hackers. In the third quarter of 2022, Facebook was the most impersonated brand for the second consecutive quarter, followed by Google, MTB, PayPal, and Microsoft.
The financial services sector remains the most impersonated industry, representing 32% of phishing emails detected by Vade, followed by cloud at 25%, social media at 22%, and internet/telco at 13%.
As phishing attacks increase, the techniques used by threat actors continue to evolve. While phishing campaigns were traditionally large scale and random, more recent campaigns seen by Vade suggest that hackers have pivoted to using more targeted campaigns.
UK Urged to Watch for Fraud as People Aim to Make Extra Cash in Cost of Living Crisis
Brits have been warned to “stay alert for fraud” as more people are out to make extra cash as the cost of living rises across the country.
UK Finance said that more than half (56%) of people admitted that they are likely to look for opportunities to make extra money in the coming months, which could leave some people more susceptible to fraud.
According to the trade association’s Take Five To Stop Fraud campaign, one in six, or 16%, of people said the rising cost of living means they are more likely to respond to an unprompted approach from someone offering an investment opportunity or a loan.
Young people were more likely to be at risk, the data suggested, which surveyed 2,000 people across the UK. More than a third (34%) of 18 to 34-year-olds said they are more likely to respond to an unprompted approach from someone, with three in 10 (30%) also more likely to provide their personal or financial details to secure the arrangement.
Overall, three in five people (60%) said they are concerned about falling victim to financial fraud or a scam. It comes as recent figures from UK Finance showed that £609.8m was lost due to fraud and scams in the first half of this year.
https://uk.news.yahoo.com/uk-watch-for-fraud-extra-cash-cost-of-living-crisis-230154352.html
HR Departments Play a Key Role in Cyber Security
A common shortcoming of human resources (HR) departments is that — despite being an operation designed to put humans at the centre of how an organisation is run — they often fail to adequately align with their IT counterparts and the core technology systems that define how a business is run and protected from cyber-risk.
Insufficient coordination between HR and IT processes and procedures remains common and gives rise to security gaps that can represent some of the most dangerous vulnerabilities on a company's attack surface. Let's examine the scope of the challenge and some key cyber-asset management priorities that can close the schism for a more robust cyber security posture.
Gone are the days when HR's role in securing the enterprise relied on basic tutorials for employees about protecting passwords on company equipment. Today's threat environment intersects with the workforce in more ways than ever — from bring-your-own-device (BYOD) and authentication gaps to user vulnerabilities that make spear-phishing seem quaint. Traditional social engineering attacks are now being augmented by zero-click exploits that compromise employee devices without the user ever having to click a link or take any action at all.
Beyond malicious threats, even routine HR processes can introduce risk to the organisation when they're not adequately aligned with the IT processes in an organisation. As just one example, when an employee leaves a company, the offboarding goes far beyond just the exit interview to also include removing access to multiple enterprise systems, accounts, and devices — all of which require close coordination between HR and IT personnel and systems.
To better secure the enterprise, it's mission-critical to get HR and IT more united in a common and advanced understanding of cyber hygiene and risk mitigation. This relies on enhanced awareness of the impact that HR processes have on cyber assets in other parts of the organisation, as well as the HR role in access management for employees and contractors. This requires asset visibility that must be ongoing and in real time, since our roles, devices, and access to data and systems may change multiple times over the course of our employment.
https://www.darkreading.com/vulnerabilities-threats/hr-departments-play-a-key-role-in-cybersecurity
The Long-Term Psychological Effects of Ransomware Attacks
Northwave has conducted scientific research into the psychological effects of a ransomware crisis on both organisations and individuals. The findings reveal the deep marks that a ransomware crisis leaves on all those affected. It also shows how their IT and security teams can turn in disarray long after the crisis itself has passed.
The research reveals how the psychological impact of ransomware attacks can persist on people in affected organisations for a very long time. It shows that crisis team members may develop serious symptoms far later. Top management and HR need to take measures against this, in fact right from the very beginning of the crisis. They are the ones bearing responsibility for the well-being of their staff.
They also discovered how teams have fallen apart some time after the crisis, with members leaving or staying home on sick-leave. The study reveals that effects can linger throughout the organisation. All in all the investigation shows that this invisible impact of a cyber crisis is an issue for the general business management, and certainly also for HR.
Northwave regards the response to a cyber attack as occurring in three phases. First comes the actual crisis situation, which evolves into an incident phase after about a week. A plan of action is then in place, and recovery measures are launched. The fire has been largely extinguished after a month or so, with the first (basic) functionalities available again.
Full recovery can take one to two years. Each phase has its specific effects on the minds and bodies of those involved, and by extension, on the organisation or parts of it. “On average a company is down for three weeks following a malware attack,” notes Van der Beijl. “But it surprised us that the impact persists for so long afterwards. Psychological issues are still surfacing a year after the actual crisis.”
One of every seven employees involved in the attack, either directly or indirectly, exhibits severe enough symptoms several months later, at a level considered to be above the clinical threshold at which professional trauma treatment help is needed. One in five employees say they would actually have needed more professional help subsequently in coming to terms with the attack. One in three liked to have more knowledge and concrete tools to deal with the psychological effects of the attack.
A ransomware attack has enduring psychological effects on the way employees view the world. Two-thirds of employees, including those not actually involved in the attack, now believe the world is less safe. As one IT manager pointed out, “I’ve become far more suspicious. The outside world is a dangerous place.”
https://www.helpnetsecurity.com/2022/10/25/psychological-effects-ransomware/
7 Hidden Social Media Cyber Risks for Enterprises
Whether they use it to amplify the brand, recruit new employees, advertise new products, or even sell directly to consumers, corporate brands love social media.
According to recent figures, brand advertising on social media is up by 53% in the last year, and that's not accounting for further investments that brands are making in developing and distributing content. They're pushing viral videos, funny memes, podcasts, written material, and more to increase engagement with their customers.
And brands are doing it across not only the old reliable social networks like Facebook and Twitter, but also emerging platforms like TikTok. In fact, according to another recent study, in 2022 marketers are expanding their horizons, with their increased content investments focused on areas like live streaming, long-form and short-form video content, virtual reality and augmented reality content, experimental content, and live audio chat rooms. The top platforms they're focused on most for increasing spending are now TikTok, Instagram, YouTube, and LinkedIn.
With the broadening of these social-media marketing strategies comes more risk. Whether an organisation uses social media to amplify its brand, or its executives and employees leverage social channels to bolster their professional and personal brands, these marketing platforms are a breeding ground for a wide range of cyber attacks and scams, including in the areas of artificial intelligence, deepfakes, and biometrics.
Cyber criminals, fraudsters, spies, and activists work around the clock to take advantage of emerging attack surfaces that arise from enterprise use of social media. The article below presents just a few avenues that organisations may overlook when they double-down on their social media investments.
https://www.darkreading.com/application-security/7-hidden-social-media-cyber-risks-enterprises
54% of Staff Would Reconsider Working for a Firm That Had Experienced a Cyber Breach, Research Finds
Over half (54%) of office workers would reconsider working for a company that had recently experienced a cyber breach. That's according to a new study by cyber security technology provider, Encore.
An independent study of 100 C-level executives, 100 Chief Information Security Officers (CISOs) and 500 office workers in the US and the UK, conducted by Censuswide, sought to uncover the gap that remains between boards and security teams when it comes to addressing cyber demands.
Only a third (33%) of staff said they would be "completely unphased" if their employer suffered a cyber break-in. The majority (57%) of C-level executives polled said they have been breached in the last 12 months alone. Most office workers, however, were unaware, with only 39% believing their organisation had been the victim of a successful attack.
The immediate financial cost of a cyber-attack remains the number one concern for businesses, but security teams are learning that there is a long tail to these breaches, with employees at risk of losing faith in their company, its ethics and values and its overarching responsibilities to the general public. In a competitive market, this is a stark warning to businesses across the world. Keeping your staff in the dark about cyber risk is a fundamental error, not to mention the additional impact of delayed disclosure to customers.
41% of C-level executives polled named reputational damage as one of the biggest costs to their business following a cyber-attack, with 34% agreeing that loss of clientele or their trust was a significant cost.
Despite many admitting to suffering a cyber breach in the last year, the overwhelming majority (92%) of CISOs and C-level executives polled believe their business is secure at any given moment. Encore believes that a mindset shift is needed at an organisational level, treating cyber incidents and the security of employee and customer data as a fundamental part of normal business operations, not a function that sits on the outside, looking in.
Evolve as Fast as the Cyber Criminals: Protect Your Business Now, Before It’s Too Late
According to the 2022 Cyber Threat Report, 2021 saw a global average increase of 105% in the number of ransomware attacks. Proofpoint's 2022 State of the Phish report said that a staggering 82% of UK businesses that experienced a ransomware attack sent payment to the cyber criminals – believing this was the cheapest and easiest way to regain access to their data. However, in many cases criminals simply took the payment without restoring access and the organisation finds itself on criminal target lists as it has demonstrated that attacks pay off. Even when decryption keys are handed over it can take an extended period of time to restore data.
One attack, on a hospital in Dusseldorf, Germany, was implicated in the death of a patient who had to be diverted to an alternative site as the A&E department had been forced to close due to the loss of core computer systems. It appears that the attack had been misdirected, and the hackers – who were quickly apprehended by the police – handed over the encryption keys immediately when they realised what had happened. Nevertheless, the decryption process was slow. It began in the early hours of September 11 and by September 20 the hospital was still unable to add or retrieve information, or even send emails. 30 servers had been corrupted.
The methods and techniques required to conduct a cyber-attack have never been more accessible. Whether it is on the darknet or through open-source content, the ability to purchase material that allows a malicious user to conduct a cyber-attack is readily available. Conducting a ransomware attack and using it to extort money from companies and government services alike, is now viewed as a viable business model by organised criminals.
Enterprise Ransomware Preparedness Improving but Still Lacking
The majority of organisations have made ransomware preparedness a top-five business priority, yet only half believe their preparedness is stronger than it was two years ago. That is according to a recent survey, "The Long Road Ahead to Ransomware Preparedness" by Enterprise Strategy Group, a division of TechTarget.
Despite warnings and available preparedness resources, ransomware continues to distress companies. Seventy-nine percent of survey respondents said they suffered a successful attack within the last year, and 73% reported they had one or more attacks that caused negative financial impact or disrupted business operations in the same time period.
The good news is the board and the C-suite are finally getting the message that more needs to be done to address impending ransomware attempts. In fact, 79% of respondents said business leaders made ransomware preparedness a top business priority, and 82% of organisations plan to invest more in ransomware preparedness over the next 12 to 18 months.
With preparedness investments expected to grow, the survey asked how organisations currently tackle ransomware. Respondents said the most important prevention tactics involve efforts in the following:
network security (43%)
backup infrastructure security (40%)
endpoint security (39%)
email security (36%)
data encryption (36%)
Ongoing activities cited included data recovery testing, employee security awareness training, response readiness assessments, incident response functional exercises, penetration testing, incident planning and playbook development, phishing simulation programs, tabletop exercises, and blue/red/purple team engagements.
Why Are There So Many Data Breaches? A Growing Industry of Criminals is Brokering in Stolen Data
New details have emerged on the severity of the Australian Medibank hack, which has now affected all users. Optus, Medibank, Woolworths, and, last Friday, electricity provider Energy Australia are all now among the Australian household names that have fallen victim to a data breach.
If it seems like barely a week goes by without news of another incident like this, you would be right. Cyber crime is on the rise – seven major Australian businesses were affected by data breaches in the past month alone.
But why now? And who is responsible for this latest wave of cyber attacks?
In large part, the increasing number of data breaches is being driven by the growth of a global illicit industry that trades in your data. In particular, hackers known as “initial access brokers” specialise in illegally gaining access to victim networks and then selling this access to other cyber criminals.
Hackers and initial access brokers are just one part of a complex and diversifying cyber crime ecosystem. This ecosystem contains various cyber criminal groups who increasingly specialise in one particular aspect of online crime and then work together to carry out the attacks.
Ransomware attacks are complex, involving up to nine different stages. These include gaining access to a victim’s network, stealing data, encrypting a victim’s network, and issuing a ransom demand. Increasingly, these attacks are carried out not by lone cyber criminal groups, but rather by networks of different cyber crime groups, each of which specialises in a different stage of the attack.
Initial access brokers will often carry out the first stage of a ransomware attack. Described by Google’s Threat Analysis Group as “the opportunistic locksmiths of the security world”, it’s their job to gain access to a victim’s network.
How The "pizza123" Password Could Take Down an Organisation
Criminal hackers took responsibility for a recent FastCompany breach, saying they exploited an easily guessed default password, "pizza123." The business magazine reused the weak password across a dozen WordPress accounts, according to the hackers, who described the attack in their own article on FastCompany.com before the publication took the site down.
The breach, the bitter taste of pizza123, and the plight of malicious push notifications, demand caution when selecting and managing passwords.
The hackers claimed to have used the vulnerable password pizza123 to access authentication tokens, Apple News API keys, and Amazon Simple Email Service (SES) tokens. Then they sent offensive push notifications to the home screens of subscribers of the FastCompany channel on the Apple News service.
After decades of investment in sculpting the organisation's brand image, a business can watch its reputation flounder in the face of an obscene push notification. The sentiment of millions of faithful customers can turn sour in an instant. By the time organisations block the messages and make public apologies, the harm is done.
Customers can swap to a competitor, or even sue for the offence when they have entrusted a publisher to provide safe content. Regulatory bodies can fine organisations. The company can spend time and money defending itself in court and restoring its image. But malicious push notifications can do a lot worse than offend customers—criminal hackers can load messages with malware and infect consumer devices, leading to privacy violations and consumer financial fraud.
People often build passwords using the first word that comes to mind and a brief series of numbers. Pizza123 is a perfect example of an easy-to-guess password. Employees will create passwords already appearing on breached password lists. Criminal hackers use brute force attacks to confirm working passwords from the same lists.
Nearly two-thirds of employees reuse their passwords. The more they reuse them across business and personal accounts, the more likely criminal hackers will breach them and test them on the organisation. Hackers know to try the same passwords on different companies they hack because of password reuse.
Robust password management enables fine-grained password policies and policy customisation. With a custom password policy, organisations can increase complexity requirements, like length and previous-password change minimums. A custom password policy with increased complexity requirements will block 95% of weak and breached passwords.
Password length is a particularly critical component of strong passwords. Ninety-three percent of the passwords used in brute force attacks include eight or more characters. A custom password policy can require a minimum password length, decreasing password entropy.
Threats
Ransomware and Extortion
SonicWall: Ransomware down this year, but there’s a catch • The Register
Health insurer Medibank's infosec diagnosis is getting worse • The Register
Microsoft links Raspberry Robin worm to Clop ransomware attacks (bleepingcomputer.com)
How to detect Windows worm that now distributes ransomware • The Register
Ransomware Barrage Aimed at US Healthcare Sector, Feds Warn (darkreading.com)
BlackByte ransomware affiliate also steals victims' data • The Register
Cuba ransomware affiliate targets Ukraine, CERT-UA warns - Security Affairs
OldGremlin Ransomware Fierce Comeback Against Russian Targets (informationsecuritybuzz.com)
CISA warns of ransomware attacks on healthcare providers (techtarget.com)
Ransom Cartel - REvil Rebrand? (informationsecuritybuzz.com)
Addressing Ransomware in Hospitals & Medical Devices (trendmicro.com)
Australian Clinical Labs says patient data stolen in ransomware attack (bleepingcomputer.com)
Vice Society Hackers Confess To Education Sector Ransomware Attacks (informationsecuritybuzz.com)
Why Ransomware in Education on the Rise and What That Means for 2023 (thehackernews.com)
Largest EU copper producer Aurubis suffers cyber attack, IT outage (bleepingcomputer.com)
Hive Ransomware Hackers Begin Leaking Data Stolen from Tata Power Energy Company (thehackernews.com)
Ransomware Gangs Ramp Up Industrial Attacks in US (darkreading.com)
Phishing & Email Based Attacks
Other Social Engineering; Smishing, Vishing, etc
Social engineering attacks anybody could fall victim to - Help Net Security
Twilio Says Employees Targeted in Separate Smishing, Vishing Attacks | SecurityWeek.Com
Malware
Threat Groups Repurpose Banking Trojans into Backdoors (darkreading.com)
Types of cloud malware and how to defend against them (techtarget.com)
Chrome extensions with 1 million installs hijack targets’ browsers (bleepingcomputer.com)
Hackers use Microsoft IIS web server logs to control malware (bleepingcomputer.com)
Mobile
Internet of Things – IoT
IoT Fingerprinting Helps Authenticate and Secure All Those Devices (darkreading.com)
IoT security strategy from enterprises using connected devices | Network World
Your CCTV devices can be hacked and weaponized - Help Net Security
Data Breaches/Leaks
Thomson Reuters leaked at least 3TB of sensitive data | Cybernews
See Tickets discloses 2.5 years-long credit card theft breach (bleepingcomputer.com)
Twilio discloses another hack from June, blames voice phishing (bleepingcomputer.com)
Organised Crime & Criminal Actors
Ukrainian charged for operating Raccoon Stealer malware service (bleepingcomputer.com)
Interpol says metaverse opens up new world of cyber crime | Reuters
From Bounty to Exploit Observations About Cyber criminal Contests (trendmicro.com)
Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain
Purpleurchin: Cryptocurrency miners scour GitHub, Heroku • The Register
Cryptomining campaign abused free GitHub account trials (techtarget.com)
Insider Risk and Insider Threats
Fraud, Scams & Financial Crime
Dealers Report Dramatic Increase in Identity Fraud: Most Lack Effective Protection (darkreading.com)
LinkedIn Releases New Security Features To Combat Fraud (informationsecuritybuzz.com)
Beware Of SCAMS As Cost Of Living Bites Finances, Expert Comments (informationsecuritybuzz.com)
Insurance
Health insurer Medibank's infosec diagnosis is getting worse • The Register
Cyber Insurance Market 2022: FAQs & Updates with iBynd (trendmicro.com)
Dark Web
Notorious ‘BestBuy’ hacker arraigned for running dark web market (bleepingcomputer.com)
Student arrested for running one of Germany’s largest dark web markets (bleepingcomputer.com)
British hacker arraigned for running The Real Deal dark web marketplace - Security Affairs
Software Supply Chain
How the Software Supply Chain Security is Threatened by Hackers (thehackernews.com)
Open Source Is Just the Tip of the Iceberg in Software Supply Chain Security (darkreading.com)
Consumer behaviours are the root of open source risk - Help Net Security
Denial of Service DoS/DDoS
Key observations on DDoS attacks in H1 2022 - Help Net Security
Meet the Windows servers that have been fuelling massive DDoSes for months | Ars Technica
Cloud/SaaS
Everything you Need to Know about Cloud Hacking and its Methodologies (analyticsinsight.net)
Top Cloud Security Challenges & How to Beat Them (trendmicro.com)
Atlassian Vulnerabilities Highlight Criticality of Cloud Services (darkreading.com)
Threat Actors Target AWS EC2 Workloads to Steal Credentials (trendmicro.com)
Cloud and Hybrid Working Security Concerns Surge - Infosecurity Magazine (infosecurity-magazine.com)
4 Reasons Open Source Matters for Cloud Security (darkreading.com)
Cloud Providers Throw Their Weight Behind Confidential Computing (darkreading.com)
Hybrid Working
Balancing remote work privacy vs. productivity monitoring (techtarget.com)
Cloud and Hybrid Working Security Concerns Surge - Infosecurity Magazine (infosecurity-magazine.com)
Attack Surface Management
Attack Surface Management 2022 Midyear Review Part 2 (trendmicro.com)
Asset risk management: Getting the basics right - Help Net Security
Encryption
New Critical Vuln In Component That Allow Encryption Across Internet - (informationsecuritybuzz.com)
API
Open Source
Open Source Is Just the Tip of the Iceberg in Software Supply Chain Security (darkreading.com)
4 Reasons Open Source Matters for Cloud Security (darkreading.com)
Passwords, Credential Stuffing & Brute Force Attacks
Why it's time to expire mandatory password expiration policies (techtarget.com)
Feds say Ukrainian man running malware service amassed 50M unique credentials | Ars Technica
Biometrics
Social Media
LinkedIn Phishing Spoof Bypasses Google Workspace Security (darkreading.com)
LinkedIn's new security features combat fake profiles, threat actors (bleepingcomputer.com)
Cyber security event cancelled after scammers disrupt LinkedIn live chat (bitdefender.com)
Expert Opinion: What Does Musk's Takeover Mean For Cyber security? (informationsecuritybuzz.com)
Cyber attackers Target Instagram Users With Threats of Copyright Infringement (darkreading.com)
Cyber Bullying, Cyber Stalking and Sextortion
Regulations, Fines and Legislation
Data Protection
Law Enforcement Action and Take Downs
Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine
Ukraine: Russian cyber attacks aimless and opportunistic (techtarget.com)
Unknown Actors are Deploying RomCom RAT to Target Ukrainian Military (thehackernews.com)
Slovak, Polish Parliaments Hit by Cyber attacks | SecurityWeek.Com
Cuba ransomware affiliate targets Ukraine, CERT-UA warns - Security Affairs
Ukraine Warns of Cuba Ransomware Attacks - Infosecurity Magazine (infosecurity-magazine.com)
Nation State Actors
Nation State Actors – Russia
Russia says Starlink satellites could become military target • The Register
Calls for inquiry mount after reports that Truss’s phone was hacked | Financial Times
OldGremlin Ransomware Fierce Comeback Against Russian Targets (informationsecuritybuzz.com)
Nation State Actors – China
Chinese Connected Cyber Crew Unleashes Disinformation Campaign Ahead of US Elections - MSSP Alert
Federal bans don't stop US states from buying Chinese kit • The Register
Nation State Actors – North Korea
Nation State Actors – Iran
Vulnerabilities
OpenSSL to fix the second critical flaw ever - Security Affairs
Urgent: Google Issues Emergency Patch for Chrome Zero-Day (darkreading.com)
ConnectWise fixes RCE bug exposing thousands of servers to attacks (bleepingcomputer.com)
Apple megaupdate: Ventura out, iOS and iPad kernel zero-day – act now! – Naked Security (sophos.com)
Windows Mark of the Web Zero-Days Remain Patchless, Under Exploit (darkreading.com)
22-Year-Old Vulnerability Reported in Widely Used SQLite Database Library (thehackernews.com)
Cisco warns admins to patch AnyConnect flaws exploited in attacks (bleepingcomputer.com)
Exploit released for critical VMware RCE vulnerability, patch now (bleepingcomputer.com)
Cisco Confirms In-the-Wild Exploitation of Two VPN Vulnerabilities | SecurityWeek.Com
Incoming OpenSSL critical fix: Organisations, users, get ready! - Help Net Security
Cisco Users Informed of Vulnerabilities in Identity Services Engine | SecurityWeek.Com
VMware fixes critical RCE in VMware Cloud Foundation - Security Affairs
VMware Patches Critical Vulnerability in End-of-Life Product | SecurityWeek.Com
Multiple vulnerabilities affect the Juniper Junos OS - Security Affairs
Other News
Cyber Security Risks & Stats This Spooky Season (darkreading.com)
Cyber Certification Skills Are For Life, Not Just For Linkedin (informationsecuritybuzz.com)
Implementing Defence in Depth to Prevent and Mitigate Cyber Attacks (thehackernews.com)
Cyber security’s importance and impact reaches all levels of the tech workforce - Help Net Security
Stress Is Driving Cyber Security Professionals to Rethink Roles (darkreading.com)
Equifax's Lessons Are Still Relevant, 5 Years Later (darkreading.com)
Why dark data is a growing danger for corporations - Help Net Security
Know the dangers you're facing: 4 notable TTPs used by cyber criminals worldwide - Help Net Security
Sector Specific
Industry specific threat intelligence reports are available.
Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.
· Automotive
· Construction
· Critical National Infrastructure (CNI)
· Defence & Space
· Education & Academia
· Energy & Utilities
· Estate Agencies
· Financial Services
· FinTech
· Food & Agriculture
· Gaming & Gambling
· Government & Public Sector (including Law Enforcement)
· Health/Medical/Pharma
· Hotels & Hospitality
· Insurance
· Legal
· Manufacturing
· Maritime
· Oil, Gas & Mining
· OT, ICS, IIoT, SCADA & Cyber-Physical Systems
· Retail & eCommerce
· Small and Medium Sized Businesses (SMBs)
· Startups
· Telecoms
· Third Sector & Charities
· Transport & Aviation
· Web3
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Threat Briefing 21 October 2022
Black Arrow Cyber Threat Briefing 21 October 2022:
-Gen Z, Millennials Really Doesn't Care About Workplace Cyber Security
-Supply Chain Attacks Increased Over 600% This Year and Companies Are Falling Behind
-Cyber-Enabled Crimes Are Biggest Police Concerns
-List of Common Passwords Accounts for Nearly All Cyber Attacks
-Shared Responsibility or Shared Fate? Decentralized IT Means We Are All Cyber Defenders
-Ukraine War Cuts Ransomware as Kremlin Co-Opts Hackers
-96% Of Companies Report Insufficient Security for Sensitive Cloud Data
-Your Microsoft Exchange Server Is a Security Liability
-Are Cyber Security Vendors Pushing Snake Oil?
-Ransomware Preparedness, What Are You Doing Wrong?
-NSA Cybersecurity Director's Six Takeaways from the War in Ukraine
-Microsoft Confirms Server Misconfiguration Led to 65,000+ Companies' Data Leak
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
Gen Z, Millennials Really Don’t Care About Workplace Cyber Security
When it comes to cyber security in the workplace, younger employees don’t really seem to care that much, which is putting their organisations in serious harm’s way, new research has claimed.
Surveying approximately 1,000 workers using devices issued by their employers, professional services firm EY found Gen Z enterprise employees were more apathetic about cyber security than their Boomer counterparts in adhering to their employer's safety policies.
This is despite the fact that four in five (83%) of all those surveyed claimed to understand their employer’s security protocol.
When it comes to implementing mandatory IT updates, for example, 58% of Gen Z’ers and 42% of millennials would disregard them for as long as possible. Less than a third (31%) of Gen X’ers, and just 15% of baby boomers said they do the same.
Apathy in the young extends to password reuse between private and business accounts. A third of Gen Z and millennial workers surveyed admitted to this, compared to less than a quarter of all Gen X’ers and baby boomers.
Some say the apathy of young people towards technology is down to their over-familiarity with technology, and never having been without it. Being too comfortable with tech undoubtedly makes an enterprise's younger employees a major target for cyber criminals looking to exploit any hole in security.
If an organisation's cyber security practices aren't upheld strongly, threat actors can compromise huge networks with simple social engineering attacks.
https://www.techradar.com/news/younger-workers-dont-care-about-workplace-cybersecurity
Supply Chain Attacks Increased Over 600% This Year and Companies Are Falling Behind
The number of documented supply chain attacks involving malicious third-party components has increased 633% over the past year, now sitting at over 88,000 known instances, according to a new report from software supply chain management company Sonatype. Meanwhile, instances of transitive vulnerabilities that software components inherit from their own dependencies have also reached unprecedented levels and plague two-thirds of open-source libraries.
“The networked nature of dependencies highlights the importance of having visibility and awareness about these complex supply chains” Sonatype said in its newly released State of the Software Supply Chain report. “These dependencies impact our software, so having an understanding of their origins is critical to vulnerability response. Many organisations did not have the needed visibility and continued their incident response procedures for Log4Shell well beyond the summer of 2022 as a result.”
Log4Shell is a critical vulnerability discovered in November 2021 in Log4j, a widely popular open-source Java library used for logging and bundled in millions of enterprise applications and software products, often as an indirect dependency. According to Sonatype’s monitoring, as of August 2022, the adoption rate for fixed versions of Log4j sits at around 65%. Moreover, this doesn’t even account for the fact that the Log4Shell vulnerability originated in a Java class called JndiManager that is part of Log4j-core, but which has also been borrowed by 783 other projects and is now found in over 19,000 software components.
Log4Shell served as a watershed moment, highlighting the inherent risks that exist in the open-source software ecosystem – which sits at the core of modern software development – and the need to manage them properly. It also led to several initiatives to secure the software supply chain by private organisations, software repository managers, the Linux Foundation, and government bodies. Yet, most organisations are far from where they need to be in terms of open-source supply chain management.
Cyber-Enabled Crimes Are Biggest Police Concerns
Cyber-related crimes such as money laundering, ransomware and phishing pose the biggest threat to society, according to the first ever Interpol Global Crime Trend report.
The inaugural study was compiled from data received from the policing organisation’s 195 member countries, as well as information and analysis from external sources.
Money laundering was ranked the number one threat, with 67% of respondents claiming it to be a “high” or “very high” risk. Ransomware came second (66%) but was the crime type that most (72%) expected to increase in the next 3–5 years.
Of the nine top crime trends identified in the report, six are directly cyber-enabled, including money laundering, ransomware, phishing, financial fraud, computer intrusion and child sexual exploitation.
Interpol warned that the pandemic had fomented new underground offerings like “financial crime-as-a-service,” including digital money laundering tools which help to lower the barrier to entry for criminal gangs. It also claimed that demand for online child sexual exploitation and abuse (OCSEA) content surged during the pandemic. Some 62% of respondents expect it to increase or significantly increase in the coming years.
The findings represent something of a turnaround from pre-pandemic times, when drug trafficking regularly topped the list of police concerns. Thanks to a surge in corporate digitalisation, home working and online shopping, there are now rich pickings to be had from targeting consumers and business users with cyber-scams and attacks, Interpol claimed.
https://www.infosecurity-magazine.com/news/cyberenabled-crimes-are-biggest/
List of Common Passwords Accounts for Nearly All Cyber Attacks
Half of a million passwords from the RockYou2021 list account for 99.997% of all credential attacks against a variety of honeypots, suggesting attackers are just taking the easy road.
Tens of millions of credential-based attacks targeting two common types of servers boiled down to a small fraction of the passwords that formed a list of leaked credentials, known as the RockYou2021 list.
Vulnerability management firm Rapid7, via its network of honeypots, recorded every attempt to compromise those servers over a 12-month period, finding that the attempted credential attacks resulted in 512,000 permutations. Almost all of those passwords (99.997%) are included in a common password list — the RockYou2021 file, which has 8.4 billion entries — suggesting that attackers, or the subset of threat actors attacking Rapid7's honeypots, are sticking to a common playbook.
The overlap in all the attacks also suggest attackers are taking the easy road, said Rapid7. "We know now, in a provable and demonstrable way, that nobody — 0% of attackers — is trying to be creative when it comes to unfocused, untargeted attacks across the Internet," they said. "Therefore, it's very easy to avoid this kind of opportunistic attack, and it takes very little effort to take this threat off the table entirely, with modern password managers and configuration controls."
Every year, security firms present research suggesting users are continuing to pick bad passwords. In 2019, an evaluation of passwords leaked to the Internet found that the top password was "123456," followed by "123456789" and "qwerty," and unfortunately things have not got much better since then.
https://www.darkreading.com/endpoint/a-common-password-list-accounts-for-nearly-all-cyberattacks
Shared Responsibility or Shared Fate? Decentralised IT Means We Are All Cyber Defenders
Does your organisation truly understand the shared responsibility model? Shared responsibility emerged from the early days of cloud computing as a way to delineate responsibilities between cloud providers and their customers, but often there's a gap between what shared responsibility means and how it is interpreted. With the decentralisation of IT, this gap is getting worse.
Applications, servers, and overall technology used to be under the purview and control of the IT department, yet with the shift to cloud, and specifically software-as-a-service (SaaS), this dynamic has changed. Whether it's the sales team bringing in a customer relationship management (CRM) system like Salesforce, or the HR department operating a human resources information system (HRIS) like Workday, there's a clear "expanding universe" of IT that no longer sits where it used to. Critical business workflows exist in separate business units far from IT and security and are managed as such. Our corporate IT footprints have become decentralised.
This is not some minor, temporary trend. With the ease and speed of adopting new SaaS applications and the desire to "lift and shift" code into cloud-based environments, this is the future. The future is decentralised.
The shift to business-owned and -operated applications puts security teams in a position where risk management is their responsibility; they are not even able to log into some of these critical systems. It's like asking your doctor to keep you healthy but not giving her access to your information or having regular check-ups. It doesn't work that way.
Beyond the challenging human skills gap, there's technical entropy and diversity everywhere, with different configuration settings, event logs, threat vectors, and data sensitivities. On the access side, there are different admins, users, integrations, and APIs. If you think managing security on Windows and Mac is a lot, try it across many huge applications.
With this reality, how can the security team be expected to combat a growing amount of decentralised business technology risk?
We must operate our technology with the understanding that shared responsibility is the vertical view between cloud provider and customer, but that enterprise-owned piece of shared responsibility is the burden of multiple teams horizontally across an organisation. Too often the mentality is us versus them, availability versus security, too busy to care about risk, too concerned with risk to understand "the business."
Ukraine War Cuts Ransomware as Kremlin Co-Opts Hackers
The Ukraine war has helped reduce global ransomware attacks by 10pc in the last few months, a British cyber security company has said.
Criminal hacking gangs, usually engaged in corporate ransomware activities, are increasingly being co-opted by the Russian military to launch cyber attacks on Ukraine, according to Digital Shadows. “The war is likely to continue to motivate ransomware actors to target government and critical infrastructure entities,” according to the firm. Such attacks partly contributed to a 10pc drop in the number of ransomware threats launched during the three months to September, said the London-based company.
The drop in ransomware may also partly be caused by tit-for-tat digital attacks between rival hacking gangs. Researchers said the Lockbit gang, who recently targeted LSE-listed car retailer Pendragon with a $60m (£53.85m) ransom demand, were the target of attacks from their underworld rivals. The group is increasingly inviting resentment from competing threat groups and possibly former members.
Some cyber criminals’ servers went offline in September after what appeared to be an attack from competitors. In the world of cyber criminality, it is not uncommon for tensions to flare among rival groups.
Officials from GCHQ’s National Cyber Security Centre have said ransomware is one of the biggest cyber threats facing the UK. Figures published by the Department for Digital, Culture, Media and Sport this year revealed the average costs to businesses caused by ransomware attacks is around £19,000 per incident.
US-based cyber security company Palo Alto Networks, however, warned that the average ransom payment it saw in the early part of this year was $925,000 (£829,000).
https://www.telegraph.co.uk/business/2022/10/23/ukraine-war-cuts-ransomware-kremlin-co-opts-hackers/
96% Of Companies Report Insufficient Security for Sensitive Cloud Data
The vast majority of organisations lack confidence in securing their data in cloud, while many companies acknowledge they lack sufficient security even for their most sensitive data, according to a new report by the Cloud Security Alliance (CSA).
The CSA report surveyed 1,663 IT and security professionals from organisations of various sizes and in various locations. "Only 4% report sufficient security for 100% of their data in the cloud. This means that 96% of organisations have insufficient security for at least some of their sensitive data," according to the report, which was sponsored by data intelligence firm BigID.
Apart from struggling with securing sensitive data, organisations are also having trouble tracking data in the cloud. Over a quarter of organisations polled aren’t tracking regulated data, nearly a third aren’t tracking confidential or internal data, and 45% aren’t tracking unclassified data, the report said.
“This suggests that organisations’ current methods of classifying data aren’t sufficient for their needs. However, if the tracking is this low, it could be a contributing factor to the issue of dark data. Organisations need to utilise data discovery and classification tools to properly understand the data they have and how to protect it,” the CSA study noted.
Your Microsoft Exchange Server Is a Security Liability
With endless vulnerabilities, widespread hacking campaigns, slow and technically tough patching, it's time to say goodbye to on-premise Exchange.
Once, reasonable people who cared about security, privacy, and reliability ran their own email servers. Today, the vast majority host their personal email in the cloud, handing off that substantial burden to the capable security and engineering teams at companies like Google and Microsoft. Now, cyber security experts argue that a similar switch is due - or long overdue - for corporate and government networks. For enterprises that use on-premise Microsoft Exchange, still running their own email machine somewhere in a closet or data centre, the time has come to move to a cloud service, if only to avoid the years-long plague of bugs in Exchange servers that has made it nearly impossible to keep determined hackers out.
The latest reminder of that struggle arrived earlier this week, when Taiwanese security researcher Orange Tsai published a blog post laying out the details of a security vulnerability in Microsoft Exchange. Tsai warned Microsoft about this vulnerability as early as June of 2021, and while the company responded by releasing some partial fixes, it took Microsoft 14 months to fully resolve the underlying security problem. Tsai had earlier reported a related vulnerability in Exchange that was massively exploited by a group of Chinese state-sponsored hackers known as Hafnium, which last year penetrated more than 30,000 targets by some counts. Yet according to the timeline described in Tsai’s post this week, Microsoft repeatedly delayed fixing the newer variation of that same vulnerability, assuring Tsai no fewer than four times that it would patch the bug before pushing off a full patch for months longer. When Microsoft finally released a fix, Tsai wrote, it still required manual activation and lacked any documentation for four more months.
Meanwhile, another pair of actively exploited vulnerabilities in Exchange that were revealed last month still remain unpatched after researchers showed that Microsoft’s initial attempts to fix the flaws had failed. Those vulnerabilities were just the latest in a years-long pattern of security bugs in Exchange’s code. And even when Microsoft does release Exchange patches, they’re often not widely implemented, due to the time-consuming technical process of installing them.
The result of those compounding problems, for many who have watched the hacker-induced headaches of running an Exchange server pile up, is a clear message: An Exchange server is itself a security vulnerability, and the fix is to get rid of it.
“You need to move off of on-premise Exchange forever. That’s the bottom line,” says Dustin Childs, the head of threat awareness at security firm Trend Micro’s Zero Day Initiative (ZDI), which pays researchers for finding and reporting vulnerabilities in commonly used software and runs the Pwn2Own hacking competition. “You’re not getting the support, as far as security fixes, that you would expect from a really mission-critical component of your infrastructure.”
https://www.wired.com/story/microsoft-exchange-server-vulnerabilities/
Are Cyber Security Vendors Pushing Snake Oil?
Survey: 96 percent of cyber security decision makers confused by vendor marketing.
The availability of new security products increases, the amount of budget spent on cyber security grows, and the number of security breaches seems to outpace both. This basic lack of correlation between increasing cyber security spend and any clear increase in cyber security effectiveness is the subject of a new analytical survey from Egress.
With 52 million data breaches in Q2 2022 alone (Statista), Egress questioned 800 cyber security and IT leaders on why vendor claims and reality aren’t aligned. The headline response in the survey is that 91% of decision makers have difficulty in selecting cyber security vendors due to unclear marketing about their specific offerings.
The financial investment cycle doesn’t help in this. For many investors, the strength of the management team is more important than the product. The argument is not whether this product is a cyber security silver bullet, but whether this management can take the company to a point where it can exit with serious profits.
If investment is achieved, much of it will go into marketing. That marketing must compete against existing, established vendors – so it tends to be louder, more aggressive, and replete with hyperbole. Marketing noise can lead to increased valuation, which can lead to a successful and profitable exit by the investors.
Of course, this is an oversimplification and doesn’t always happen. The point, however, is that it does happen and has no relevance to the real effectiveness of the product in question. Without any doubt, there are many products that have been over-hyped by marketing funds provided by profit-driven investors.
https://www.securityweek.com/are-cybersecurity-vendors-pushing-snake-oil
Ransomware Preparedness: What Are You Doing Wrong?
Axio released its 2022 State of Ransomware Preparedness research report, revealing that although notable improvements have been made since Axio’s 2021 report, organisational ransomware preparedness continues to be insufficient to keep pace with new attack vectors.
The report reveals that the lack of fundamental cyber security practices and controls, including critical vulnerability patching and employee cyber security training, continues to undermine organisational attempts to improve ransomware defences.
“Ransomware continues to wreak havoc on global organisations, regardless of size or industry,” remarked the report’s co-author David White, President of Axio. “As the number of attacks will most likely continue on an exponential trajectory, it’s more important than ever for companies to re-evaluate their cyber security practices and make the needed improvements to help combat these attacks.”
The report identifies several emerging patterns that yield insights into why organisations are increasingly susceptible to ransomware attacks. In 2021, seven key areas where organisations were deficient in implementing and sustaining basic cyber security practices were identified, and these patterns dominated the 2022 study results as well:
Managing privileged access
Improving basic cyber hygiene
Reducing exposure to supply chain and third-party risk
Monitoring and defending networks
Managing ransomware incidents
Identifying and addressing vulnerabilities in a timely manner
Improving cyber security training and awareness
Overall, most organisations surveyed are not adequately prepared to manage the risk associated with a ransomware attack. Key data findings include:
The number of organisations with a functional privileged access management solution in place increased by 10% but remains low at 33% overall.
Limitations on the use of service and local administrator accounts remain average overall, with nearly 50% of organisations reporting implementing these practices.
Approximately 40% of organisations monitor third-party network access, evaluate third-party cyber security posture, and limit the use of third-party software.
Less than 50% of respondents implement basic network segmentation and only 40% monitor for anomalous connections.
Critical vulnerability patching within 24 hours was reported by only 24% of organisations.
A ransomware-specific playbook for incident management is in place for only 30% of organisations.
Active phishing training has improved but is still not practiced by 40% of organisations.
https://www.helpnetsecurity.com/2022/10/20/insufficient-ransomware-preparedness/
NSA Cybersecurity Director's Six Takeaways from the War in Ukraine
From the warning banner ‘Be afraid and expect the worst’ that was shown on several Ukrainian government websites on January 13, 2022, after a cyber-attack took them down, the US National Security Agency’s (NSA) cybersecurity director, Rob Joyce, knew that something was going to be different, and very aggressive, between Ukraine and Russia, and that it would be happening in the cyber space as well.
Ten months on, he was invited to speak at one of Mandiant Worldwide Information Security Exchange's (mWISE) opening keynotes on October 18, 2022. Joyce shared six takeaways from the Russia-Ukraine cyber-conflict in terms of what we learned from it and its impact on how nations should protect their organisations.
Both espionage and destructive attacks will occur in conflict
The cyber security industry has unique insight into these conflicts
Sensitive intelligence can make a decisive difference
You can develop resiliency skills
Don’t try to go it alone
You have not planned enough yet for the contingencies
Toward the end of the keynote, Joyce suggested the audience simulate a scenario based on what happened in Ukraine with the China-Taiwan conflict escalating and see what they should put in place to better prepare for such an event.
https://www.infosecurity-magazine.com/news/nsa-6-takeaways-war-ukraine/
Microsoft Confirms Server Misconfiguration Led to 65,000+ Companies' Data Leak
Microsoft this week confirmed that it inadvertently exposed information related to thousands of customers following a security lapse that left an endpoint publicly accessible over the internet sans any authentication.
"This misconfiguration resulted in the potential for unauthenticated access to some business transaction data corresponding to interactions between Microsoft and prospective customers, such as the planning or potential implementation and provisioning of Microsoft services," Microsoft said in an alert.
Microsoft also emphasised that the B2B leak was "caused by an unintentional misconfiguration on an endpoint that is not in use across the Microsoft ecosystem and was not the result of a security vulnerability."
The misconfiguration of the Azure Blob Storage was spotted on September 24, 2022, by cyber security company SOCRadar, which termed the leak BlueBleed. Microsoft said it's in the process of directly notifying impacted customers.
The Windows maker did not reveal the scale of the data leak, but according to SOCRadar, it affects more than 65,000 entities in 111 countries. The exposure amounts to 2.4 terabytes of data that consists of invoices, product orders, signed customer documents, partner ecosystem details, among others.
https://thehackernews.com/2022/10/microsoft-confirms-server.html
Threats
Ransomware and Extortion
Сryptocurrency and Ransomware — The Ultimate Friendship (thehackernews.com)
Venus Ransomware targets publicly exposed Remote Desktop services (bleepingcomputer.com)
Pendragon being held to $60m ransom by dark web hackers – Car Dealer Magazine
Magniber Ransomware Is Targeting Home PC (informationsecuritybuzz.com)
Hackers exploit critical VMware flaw to drop ransomware, miners (bleepingcomputer.com)
Ransomware Now Deployed as a Precursor to Physical War - MSSP Alert
TommyLeaks and SchoolBoys: Two sides of the same ransomware gang (bleepingcomputer.com)
With Conti gone, LockBit takes lead of the ransomware threat landscape | CSO Online
Tactics Tie Ransom Cartel Group to Defunct REvil Ransomware (darkreading.com)
Wholesale giant METRO hit by IT outage after cyber attack (bleepingcomputer.com)
The link between Ransom Cartel and REvil ransomware gangs - Security Affairs
How Vice Society Got Away With a Global Ransomware Spree | WIRED
Defenders beware: A case for post-ransomware investigations - Microsoft Security Blog
Ransomware crews regrouping as LockBit rise continues (computerweekly.com)
Ransom Cartel linked to notorious REvil ransomware operation (bleepingcomputer.com)
Hackney Council Ransomware Attack £12m+ Recovery - IT Security Guru
Microsoft Warns of Novel Ransomware Attacking Ukraine, Poland - MSSP Alert
Prestige ransomware hits victims of HermeticWiper • The Register
New ransomware targets transportation sectors in Ukraine, Poland | SC Media (scmagazine.com)
Japanese tech firm Oomiya hit by LockBit 3.0 - Security Affairs
Ransomware attack halts circulation of some German newspapers (bleepingcomputer.com)
Ransomware Insurance Security Requirement Strategies (trendmicro.com)
Australian insurance firm Medibank confirms ransomware attack (bleepingcomputer.com)
BlackByte ransomware uses new data theft tool for double-extortion (bleepingcomputer.com)
Phishing & Email Based Attacks
Phishing works so well crims won't use deepfakes: Sophos • The Register
Phishing Mitigation Can Cost Businesses More Than $1M Annually (darkreading.com)
Securing your organisation against phishing can cost up to $85 per email | CSO Online
How phishing campaigns abuse Google Ad click tracking redirects - Help Net Security
Other Social Engineering; Smishing, Vishing, etc
Malware
VMware bug with 9.8 severity rating exploited to install witch’s brew of malware | Ars Technica
Microsoft’s out-of-date driver list left Windows PCs open to malware attacks for years - The Verge
Ursnif malware switches from bank account theft to initial access (bleepingcomputer.com)
Experts spotted a new undetectable PowerShell Backdoor - Security Affairs
Typosquat campaign mimics 27 brands to push Windows, Android malware (bleepingcomputer.com)
Thousands of GitHub repositories deliver fake PoC exploits with malware (bleepingcomputer.com)
Hackers use new stealthy PowerShell backdoor to target 60+ victims (bleepingcomputer.com)
Hijacking of Popular Minecraft Launcher by Rogue Developer Raises Malware Fears - IGN
URSNIF (aka Gozi) banking trojan morphs into backdoor • The Register
What is a RAT (Remote Access Trojan)? | Definition from TechTarget
Mobile
Internet of Things – IoT
Riskiest IoT Devices - Cameras, VoIP And Video Conferencing (informationsecuritybuzz.com)
Securing IoT devices against attacks that target critical infrastructure - Microsoft Security Blog
74% say connected cars and EV chargers need cyber security ratings | Ars Technica
Data Breaches/Leaks
The companies most likely to lose your data - Help Net Security
Fines are not enough! Data breach victims want better security - Help Net Security
Medibank hack turned into a data breach: The attackers are demanding money - Help Net Security
Mormon Church Hit By Cyber attack, Personal Data Exposed (informationsecuritybuzz.com)
Keystone Health Data Breach Impacts 235,000 Patients | SecurityWeek.Com
Fashion brand SHEIN fined $1.9m for lying about data breach – Naked Security (sophos.com)
Client Data Exfiltrated In Advanced NHS cyber Attack (informationsecuritybuzz.com)
Australian Wine Dealer Suffers Data Breach, 500,000 Customers May Be (informationsecuritybuzz.com)
Advocate Aurora Health in potential 3 million patient leak • The Register
Organised Crime & Criminal Actors
Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain
Why Crypto Winter is No Excuse to Let Your Cyber Defences Falter (thehackernews.com)
North Korea’s Lazarus Group Attacks Japanese Crypto Firms - Decrypt
Coinbase users scammed out of $21M in crypto sue company for negligence | Ars Technica
SIM Swappers Sentenced to Prison for Hacking Accounts, Stealing Cryptocurrency | SecurityWeek.Com
Fraud, Scams & Financial Crime
Financial losses to synthetic identity-based fraud to double by 2024 | CSO Online
AI is Key to Tackling Money Mules and Disrupting Fraud: Industry Group | SecurityWeek.Com
Deepfakes
Deepfakes: What they are and how to spot them - Help Net Security
Phishing works so well crims won't use deepfakes: Sophos • The Register
Insurance
Supply Chain and Third Parties
Software Supply Chain
Software Supply Chain Attacks Soar 742% In Three Years (informationsecuritybuzz.com)
SBOMs: An Overhyped Concept That Won't Secure Your Software Supply Chain (darkreading.com)
Denial of Service DoS/DDoS
Cloud/SaaS
Microsoft Data-Exposure Incident Highlights Risk of Cloud Storage Misconfiguration (darkreading.com)
3 cloud security posture questions CISOs should answer (techtarget.com)
Attack Surface Management
Identity and Access Management
Encryption
API
Open Source
New security concerns for the open-source software supply chain - Help Net Security
Python vulnerability highlights open source security woes (techtarget.com)
3 Ways to Help Customers Defend Against Linux-Based Cyber attacks - MSSP Alert
OldGremlin hackers use Linux ransomware to attack Russian orgs (bleepingcomputer.com)
Passwords, Credential Stuffing & Brute Force Attacks
Most People Still Reuse Their Passwords Despite Years Of Hacking (informationsecuritybuzz.com)
Password Report: Honeypot Data Shows Bot Attack Trends Against RDP, SSH | SecurityWeek.Com
Eight RTX 4090s Can Break Passwords in Under an Hour | Tom's Hardware (tomshardware.com)
Training, Education and Awareness
Security Awareness Urged to Grow Beyond Compliance (darkreading.com)
Raising cyber security awareness is good for everyone - but it needs to be done better | ZDNET
Millennials, Gen Z blamed for poor company security • The Register
Privacy, Surveillance and Mass Monitoring
Regulations, Fines and Legislation
Fines are not enough! Data breach victims want better security - Help Net Security
Fashion brand SHEIN fined $1.9m for lying about data breach – Naked Security (sophos.com)
New York fines EyeMed $4.5 million for 2020 email hack, data breach | SC Media (scmagazine.com)
Health insurer pays out $4.5m over bungled data security • The Register
Law Enforcement Action and Take Downs
INTERPOL-led Operation Takes Down 'Black Axe' Cyber Crime Organisation (thehackernews.com)
Law enforcement arrested 31 suspects for stealing cars by hacking key fobs - Security Affairs
Interpol is setting up its own metaverse to learn how to police the virtual world | Euronews
Brazilian Police Nab Suspected Member of Lapsus$ Group (darkreading.com)
Interpol Report: "Financial Crime-as-a-Service" an Emerging Threat - MSSP Alert
Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine
Ransomware Now Deployed as a Precursor to Physical War - MSSP Alert
US, China, Russia, more meet at Singapore infosec event • The Register
NSA cyber chief says Ukraine war is compelling more intelligence sharing with industry - CyberScoop
China-Linked Cyber-Espionage Team Homes In on Hong Kong Government Orgs (darkreading.com)
Microsoft Warns of Novel Ransomware Attacking Ukraine, Poland - MSSP Alert
Hackers target Asian casinos in lengthy cyber espionage campaign (bleepingcomputer.com)
Prestige ransomware hits victims of HermeticWiper • The Register
Pro-Russia Hackers DDoS Bulgarian Government - Infosecurity Magazine (infosecurity-magazine.com)
Nation State Actors
Nation State Actors – Russia
Ukraine's cyber chief calls for global anti-fake news fight • The Register
German Cyber security Boss Sacked Over Kremlin Connection (darkreading.com)
New ransomware targets transportation sectors in Ukraine, Poland | SC Media (scmagazine.com)
Bulgaria hit by a cyber attack originating from Russia - Security Affairs
Nation State Actors – China
As China-Taiwan tensions mount, how's your cyber defence? • The Register
Chinese 'Spyder Loader' Malware Spotted Targeting Organisations in Hong Kong (thehackernews.com)
Hackers compromised Hong Kong govt agency network for a year (bleepingcomputer.com)
WIP19 Threat Group Cyber attacks Target IT Service Providers, Telcos - MSSP Alert
Nation State Actors – North Korea
Nation State Actors – Iran
Vulnerability Management
Vulnerabilities
45,654 VMware ESXi servers reached End of Life on Oct. 15 - Security Affairs
VMware bug with 9.8 severity rating exploited to install witch’s brew of malware | Ars Technica
Text message verification flaws in your Windows Active Directory (bleepingcomputer.com)
Apache Commons Vulnerability: Patch but Don't Panic (darkreading.com)
Zoom for Mac patches sneaky “spy-on-me” bug – update now! – Naked Security (sophos.com)
ProxyLogon researcher details new Exchange Server flaws (techtarget.com)
Exploited Windows zero-day lets JavaScript files bypass security warnings (bleepingcomputer.com)
Dozen High-Severity Vulnerabilities Patched in F5 Products | SecurityWeek.Com
Oracle Releases 370 New Security Patches With October 2022 CPU | SecurityWeek.Com
Palo Alto Networks fixed a high-severity flaw in PAN-OS - Security Affairs
Hackers exploit critical VMware flaw to drop ransomware, miners (bleepingcomputer.com)
Zimbra Patches Under-Attack Code Execution Bug | SecurityWeek.Com
WordPress Security Update 6.0.3 Patches 16 Vulnerabilities | SecurityWeek.Com
Python vulnerability highlights open source security woes (techtarget.com)
Other News
Zero trust is misused in security, say Cloudflare, Zscaler - Protocol
Cyber professional shortfall hits 3.4 million (computerweekly.com)
VPN use prevails despite interest in VPN alternatives (techtarget.com)
JP Morgan Bans Staff From Working Remotely In Hotels and Coffee Shops-But Not Airbnbs | Inc.com
Experts discovered millions of .git folders exposed to public - Security Affairs
Microsoft Defender is lacking in offline detection capabilities, says AV-Comparatives | TechSpot
Internet connectivity worldwide impacted by severed fiber cables in France (bleepingcomputer.com)
UK's Remote Shetland Mysteriously Lose Phone, Internet After Cable Cut (businessinsider.com)
CISOs, rejoice! Security spending is increasing - Help Net Security
Equifax surveilled 1,000 remote workers, fired 24 found juggling two jobs | Ars Technica
NATO Just Deployed Its First Killer Ground Robot (futurism.com)
Sector Specific
Industry specific threat intelligence reports are available.
Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.
· Automotive
· Construction
· Critical National Infrastructure (CNI)
· Defence & Space
· Education & Academia
· Energy & Utilities
· Estate Agencies
· Financial Services
· FinTech
· Food & Agriculture
· Gaming & Gambling
· Government & Public Sector (including Law Enforcement)
· Health/Medical/Pharma
· Hotels & Hospitality
· Insurance
· Legal
· Manufacturing
· Maritime
· Oil, Gas & Mining
· OT, ICS, IIoT, SCADA & Cyber-Physical Systems
· Retail & eCommerce
· Small and Medium Sized Businesses (SMBs)
· Startups
· Telecoms
· Third Sector & Charities
· Transport & Aviation
· Web3
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Threat Briefing 14 October 2022
Black Arrow Cyber Threat Briefing 14 October 2022:
-Ransomware Report: Most Organisations Unprepared for an Attack, Lack Incident Playbook, Research Finds
-LinkedIn Scams, Fake Instagram Accounts Hit Businesses, Execs
-Study Highlights Surge in Identity Theft and Phishing Attacks
-Increase in Cyber Liability Insurance Claims as Cyber Crime Skyrockets
-UK Government Urges Action to Enhance Supply Chain Security
-For Most Companies Ransomware Is the Scariest Of All Cyber Attacks
-EDR Is Not a Silver Bullet
-Attackers Use Automation to Speed from Exploit to Compromise
-Rising Premiums, More Restricted Cyber Insurance Coverage Poses Big Risk for Companies
-Why CISO Roles Require Business and Technology Savvy
-Wi-Fi Spy Drones Used to Snoop on Financial Firm
-Magniber Ransomware Attacking Individuals and Home Users
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
Ransomware Report: Most Organisations Unprepared for an Attack, Lack Incident Playbook, Research Finds
Some organisations have made significant improvements to their ransomware readiness profile in the last year, Axio said in a newly released report. However, a lack of fundamental cyber security practices and controls, inadequate vulnerability patching and employee training continues to leave ransomware defences lacking in potency.
Axio’s report reveals that only 30% of organisations have a ransomware-specific playbook for incident management in place. In 2021’s report Axio, maker of a cloud-based cyber management software platform, identified seven key areas emerged where organisations were deficient in implementing and sustaining basic cyber security practices.
The same patterns showed up in the 2022 report:
Managing privileged access.
Improving basic cyber hygiene.
Reducing exposure to supply chain and third-party risk.
Monitoring and defending networks.
Managing ransomware incidents.
Identifying and addressing vulnerabilities in a timely manner.
Improving cyber security training and awareness.
Overall, most organisations surveyed are not adequately prepared to manage the risk associated with a ransomware attack. Key data findings include:
The number of organisations with a functional privileged access management solution in place increased by 10% but remains low at 33% overall.
Limitations on the use of service and local administrator accounts remain average overall, with nearly 50% of organisations reporting implementing these practices.
Approximately 40% of organisations monitor third-party network access, evaluate third-party cyber security posture, and limit the use of third-party software.
Less than 50% of respondents implement basic network segmentation and only 40% monitor for anomalous connections.
Critical vulnerability patching within 24 hours was reported by only 24% of organisations.
Active phishing training has improved but is still not practiced by 40% of organisations.
LinkedIn Scams, Fake Instagram Accounts Hit Businesses, Execs
Business owners with public social media accounts are easy targets for scammers who lift information to create fake accounts. The arduous process for removing fraudulent accounts leaves victims frustrated and vulnerable to further data privacy issues. Victims say platform providers, particularly Facebook and Instagram, must improve their responses to reports of fraud.
Impersonation of a brand or executive contributed to more than 40% of all phishing and social media incidents in the second quarter, according to the Agari and Phish Labs Quarterly Threat Trends and Intelligence Report released in August. Q2 marks the second quarter that impersonation attacks have represented the majority of threats, despite a 6.1% decrease from Q1.
Executive impersonation has been on the rise over the past four quarters — representing more than 15% of attacks, according to the report — as impersonating a corporate figure or company on social media is simple and effective for threat actors.
Thom Singer, CEO for the Austin Technology Council and a public speaker, was recently impersonated on Instagram. A scammer created a fake Instagram account with his name and photos, creating a handle with an extra "r" at the end of Singer. That account appeared to amass over 2,300 followers – nearly as many as Singer's own account – lending to its appearance of authenticity.
He learned of the fake account from a contact who texted to ask if he'd reached out on Instagram, which wasn't a channel Singer typically uses to communicate. Singer reported the fraudulent account using the platform's report button and asked his followers to do the same.
"You can't reach anyone at these platforms, so it takes days to get a fake account removed," Singer said. "These social media sites have no liability, nothing to lose when fraud is happening. They need to up their game and have a better process to get [fraud] handled in a timely manner."
Study Highlights Surge in Identity Theft and Phishing Attacks
A new study from behavioural risk firm CybSafe and the National Cybersecurity Alliance (NCA) has been launched and it highlights an alarming surge in phishing and identity theft attacks.
The report, titled ‘Oh, Behave! The Annual Cybersecurity Attitudes and Behaviors report’, studied the opinions of 3,000 individuals across the US, the UK and Canada towards cyber security and revealed that nearly half (45%) of users are connected to the internet all the time, however, this has led to a surge in identity theft with almost 1 in 4 people being affected by the attack.
Furthermore, 1 in 3 (36%) respondents revealed they have lost money or data due to a phishing attack. Yet the study also revealed that 70% of respondents feel confident in their ability to identify a malicious email, but only 45% will confirm the authenticity of a suspicious email by reaching out to the apparent sender.
When it comes to implementing cyber security best practices, only 33% of respondents revealed they use a unique password for important online accounts, while only 16% utilise passwords of over 12 characters in length. Furthermore, only 18% of participants have downloaded a stand-alone password manager, while 43% of respondents have not even heard of multi-factor authentication.
Increase in Cyber Liability Insurance Claims as Cyber Crime Skyrockets
A cyber insurer, Acuity Insurance, is reporting an increased need for cyber liability insurance across both personal and business policyholders. From June 2021 to June 2022, the insurer saw cyber liability insurance claims on its commercial insurance policies increase by more than 50%. For personal policies, they saw more than a 90% increase in cyber claims being reported in 2021 compared with 2020.
Our lives, homes and businesses are more connected than ever before. Being connected leads to a greater risk of cyber attacks, which aren't covered under standard homeowners or business insurance policies.
The insurance experts caution that everyone is at risk — whether you are a small business owner or an individual — as cyber attacks continue to pose a serious financial threat. From 2019 to 2021, cyber attacks were up 50% from the previous year, according to recent research. Wire fraud and gift card scams are two of the most common types of cyber attacks impacting both businesses and individuals.
Scams involving social engineering are some of the easiest to fall for, as fraudsters exploit a person's trust to obtain money or personal information, which can then be used for unauthorised withdrawals of money. Cyber insurance can protect you from financial loss caused by wire transfer fraud, phishing attacks, cyber extortion, cyberbullying and more, Acuity reported.
While all cyber crimes have a financial impact, fraudulent wire transfers often come with greater losses. Banks are typically not responsible for funds lost as a result of a fraudulent wire transfer inadvertently authorised by the customer. Whether it's a wrongful money transfer by a business or an individual, cyber insurance can help mitigate some of the financial loss caused by these scams.
UK Government Urges Action to Enhance Supply Chain Security
The UK government has warned organisations to take steps to strengthen their supply chain security.
New National Cyber Security Centre (NCSC) guidance has been issued amid a significant increase in supply chain attacks in recent years, such as the SolarWinds incident in 2020. The NCSC cited official government data showing that just over one in 10 businesses review the risks posed by their immediate suppliers (13%), while the proportion covering the wider supply chain is just 7%.
Aimed at medium-to-large organisations, the document sets out practical steps to better assess cyber security across increasingly complex supply chains. This includes a description of typical supplier relationships and ways that organisations are exposed to vulnerabilities and cyber-attacks via the supply chain, and the expected outcomes and key steps needed to assess suppliers’ approaches to security.
The new guidance followed a government response to a call for views last year which highlighted the need for further advice. Supply chain attacks are a major cyber threat facing organisations and incidents can have a profound, long-lasting impact on businesses and customers. With incidents on the rise, it is vital organisations work with their suppliers to identify supply chain risks and ensure appropriate security measures are in place.
https://www.infosecurity-magazine.com/news/uk-government-supply-chain-security/
For Most Companies Ransomware Is the Scariest Of All Cyber Attacks
SonicWall released the 2022 SonicWall Threat Mindset Survey which found that 66% of customers are more concerned about cyber attacks in 2022, with the main threat being focused on financially motivated attacks like ransomware.
“No one is safe from cyber attacks — businesses or individuals,” said SonicWall Executive Chairman of the Board Bill Conner. “Today’s business landscape requires persistent digital trust to exist. Supply-chain attacks have dramatically changed the attack surface of the typical enterprise in the past few years, with more suppliers and service providers touching sensitive data than ever before.
“It’s likely we’ll see continued acceleration and evolution of ransomware tactics, as well as other advanced persistent threats (APTs), as cyber crime continues to scale the globe seeking both valuable and weak targets.”
Companies are not only losing millions of dollars to unending malware and ransomware strikes, but cyber attacks on essential infrastructure are impacting real-world services. Despite the growing concern of cyber attacks, organisations are struggling to keep pace with the fast-moving threat landscape as they orient their business, networks, data and employees against unwavering cyber attacks.
“The evolving cyber threat landscape has made us train our staff significantly more,” said Stafford Fields, IT Director, Cavett Turner & Wyble. “It’s made us spend more on cyber security. And what scares me is that an end-user can click on something and bring all our systems down — despite being well protected.”
https://www.helpnetsecurity.com/2022/10/12/customers-concerned-ransomware/
EDR Is Not a Silver Bullet
Old lore held that shooting a werewolf, vampire, or even just your average nasty villain with a silver bullet was a sure-fire takedown: one hit, no more bad guy.
As cyber security professionals, we understand – much like folks in the Old West knew – that there are no panaceas, no actual silver bullets. Yet humans gravitate towards simple solutions to complex challenges, and we are constantly (if unconsciously) seeking silver bullet technology.
Endpoint Detection and Response (EDR) tools have become Standard Operating Procedures for cyber security regimes. They are every CIO’s starting point, and there’s nothing wrong with this. In a recent study by Cymulate of over one million tests conducted by customers in 2021, the most popular testing vector was EDR.
Yet cyber security stakeholders should not assume that EDR is a silver bullet. The fact is that EDR’s efficacy and protective prowess as a standalone solution has been slowly diminished over the decade since the term was first coined by Gartner. Even as it became a mainstay of enterprise and SMB/SME security posture – attacks have skyrocketed in frequency, severity, and success. Today, EDR is facing some of its greatest challenges, including threats laser-targeting EDR systems like the highly-successful Grandoiero banking trojan.
While EDR should not be your only line of defence against advanced threats, including it in a defence solution array is paramount. It should be installed on all organisational servers – including Linux-based ones. Yet installation is not enough. Your organisation is at significant risk if the underlying OS and EDR are not both implemented and fine-tuned.
https://www.helpnetsecurity.com/2022/10/11/edr-is-not-a-silver-bullet/
Attackers Use Automation to Speed from Exploit to Compromise
A report from Laceworks examines the cloud security threat landscape over the past three months and unveils the new techniques and avenues cyber criminals are exploiting for profit at the expense of businesses. In this latest edition, the Lacework Labs team found a significantly more sophisticated attacker landscape, with an increase in attacks against core networking and virtualisation software, and an unprecedented increase in the speed of attacks following a compromise. Key trends and threats identified include:
Increased speed from exposure to compromise: Attackers are advancing to keep pace with cloud adoption and response time. Many classes of attacks are now fully automated to capitalise on timing. Additionally, one of the most common targets is credential leakage. In a specific example from the report, a leaked AWS access key was caught and flagged by AWS in record time. Despite the limited exposure, an unknown adversary was able to log in and launch tens of GPU EC2 instances, underscoring just how quickly attackers can take advantage of a single simple mistake.
Increased focus on infrastructure, specifically attacks against core networking and virtualisation software: Commonly deployed core networking and related infrastructure consistently remains a key target for adversaries. Core flaws in infrastructure often appear suddenly and are shared openly online, creating opportunities for attackers of all kinds to exploit these potential targets.
Continued Log4j reconnaissance and exploitation: Nearly a year after the initial exploit, the Lacework Labs team is still commonly observing vulnerable software targeted via OAST requests. Analysis of Project Discovery (interact.sh) activity revealed Cloudflare and DigitalOcean as the top originators.
Rising Premiums, More Restricted Cyber Insurance Coverage Poses Big Risk for Companies
Among the many consequences of the rising number of costly data breaches, ransomware, and other security attacks are pricier premiums for cyber security insurance. The rise in costs could put many organisations out of the running for this essential coverage, a risky proposition given the current threat landscape.
Cyber insurance is a type of specialty insurance that protects organisations against a variety of risks related to information security attacks such as ransomware and data breaches. Ordinarily, these types of risks aren’t included with traditional commercial general liability policies or are not specifically defined in these insurance plans.
Given the rise in attacks, the growing sophistication of these incidents and the potential financial impact, having cyber insurance coverage has become critical for many organisations. Premiums for these plans have been on the rise because of the increase in security-related losses and rising demand for coverage.
Cyber insurance premiums increased by an average of 28% in the first quarter of 2022 compared with the fourth quarter of 2021, according to the Council of Insurance Agents & Brokers (CIAB), an association for commercial insurance and employee benefits intermediaries.
Among the primary drivers for the continued price increases were a reduced carrier appetite for the risk and high demand for coverage, CIAB said. The high demand for cyber coverage is in part fueled by greater awareness among companies of the threat cyber risk poses for businesses of all sizes, it said.
https://www.cnbc.com/2022/10/11/companies-are-finding-it-harder-to-get-cyber-insurance-.html
Why CISO Roles Require Business and Technology Savvy
Listening and communicating to both the technical and business sides is critical to successfully leading IT teams and business leaders to the same end-goal.
Of all the crazy postings that advertise for CISO jobs, the one asking for a CISO to code in Python was probably the most outrageous example of the disconnect about a CISO’s role, says Joe Head, CISO search director at UK-based search firm, Intaso. This was a few years ago, and one can only guess that the role had been created by a technologist who didn’t care about or didn’t understand the business — or, inversely by a businessperson who didn’t understand enough about technology.
In either case, the disconnect is real. However, Head and other experts say that when it comes to achieving the true, executive role and reporting to the CEO and board, business skills rule. That doesn’t mean, however, that most CISOs know nothing about technology, because most still start out with technology backgrounds.
In the 2022 CISO survey by executive placement firm, Heidrick & Struggles, most CISOs come from a functional IT background that reflects the issues of the time. For example, in 2022 10% of CISOs came from software engineering backgrounds, which tracks with the White House directive to protect the software supply chain. The report notes that the majority of CISOs have experience in the financial services industry, which has a low risk tolerance and where more money is spent on security.
The survey also indicates that only a small core of CISOs (working primarily for the Fortune 500) rise to the executive level with the combination of business and technical responsibilities that come with the role. In it, more than two-thirds of CISOs responding to the survey worked for companies worth over $5 billion. So, instead of bashing a CISO’s lack of IT skills, the real need lies in developing business skills for the technologists coming up the ranks.
Wi-Fi Spy Drones Used to Snoop on Financial Firm
Modified off-the-shelf drones have been found carrying wireless network-intrusion kit in a very unlikely place.
The idea of using consumer-oriented drones for hacking has been explored over the past decade at security conferences like Black Hat 2016, in both the US and in Europe, but now these sort of attacks are actually taking place. A security researcher recently recounted an incident that occurred over the summer at a US East Coast financial firm focused on private investment.
The hacking incident was discovered when the financial firm spotted unusual activity on its internal Atlassian Confluence page that originated from within the company's network. The company's security team responded and found that the user whose MAC address was used to gain partial access to the company Wi-Fi network was also logged in at home several miles away. That is to say, the user was active off-site but someone within Wi-Fi range of the building was trying to wirelessly use that user's MAC address, which is a red flag. The team then took steps to trace the Wi-Fi signal and used a Fluke system to identify the Wi-Fi device.
This led the team to the roof, where two modified commercially available consumer drones series were discovered. One drone was in fine condition and had a modified Wi-Fi Pineapple device, used for network penetration testing. The second drone was carrying a case that contained a Raspberry Pi, several batteries, a GPD mini laptop, a 4G modem, and another Wi-Fi device. It had landed near the building's heating and ventilation system and appeared to be damaged but still operable.
During their investigation, they determined that the first drone had originally been used a few days prior to intercept a worker's credentials and Wi-Fi, and this data was then hard coded into the tools that were deployed on the second drone.
https://www.theregister.com/2022/10/12/drone-roof-attack/
Magniber Ransomware Attacking Individuals and Home Users
A recent analysis shows that Magniber ransomware has been targeting home users by masquerading as software updates.
Reports have shown a ransomware campaign isolated by HP Wolf Security in September 2022 saw Magniber ransomware spread. The malware is known as a single-client ransomware family that demands $2,500 from victims. Magniber was previously primarily spread through MSI and EXE files, but in September 2022 HP Wolf Security began seeing campaigns distributing the ransomware in JavaScript files.
HP Wolf Security reported that some malware families rely exclusively on JavaScript, but have done so for some time. Currently, analysts are also seeing more HTML smuggling, such as with Qakbot and IcedID. This technique also makes use of JavaScript to decode malicious content. The only difference is that the HTML file is executed in the context of the browser and therefore usually requires further user interaction.
Remarkably, HP Wolf Security said, the attackers used clever techniques to evade detection, such as running the ransomware in memory, bypassing User Account Control (UAC) in Windows, and bypassing detection techniques that monitor user-mode hooks by using syscalls instead of standard Windows API libraries.
It appears that with the UAC bypass, the malware deletes the infected system’s shadow copy files and disables backup and recovery features, preventing the victim from recovering their data using Windows tools.
Having recently described the ransomware campaign in a recent interview, HP Wolf noted that the infection chain starts with a web download from an attacker-controlled website.
Threats
Ransomware and Extortion
More and more ransomware is just data theft, no encryption • The Register
Magniber ransomware now infects Windows users via JavaScript files (bleepingcomputer.com)
Fake adult sites push data wipers disguised as ransomware (bleepingcomputer.com)
It was LockBit that forced NHS tech supplier to shut down • The Register
Ransomware posing as Windows antivirus update will just empty your wallet | TechRadar
Microsoft: New Prestige ransomware targets orgs in Ukraine, Poland (bleepingcomputer.com)
BlackByte ransomware uses new EDR evasion technique (techtarget.com)
Prevent Ransomware Attacks on Critical Infrastructure (trendmicro.com)
Microsoft Exchange servers hacked to deploy LockBit ransomware (bleepingcomputer.com)
Harvard Business Publishing licensee hit by ransomware - Security Affairs
LockBit affiliates compromise Microsoft Exchange servers to deploy ransomware - Security Affairs
Police tricks DeadBolt ransomware out of 155 decryption keys (bleepingcomputer.com)
Phishing & Email Based Attacks
Caffeine service lets anyone launch Microsoft 365 phishing attacks (bleepingcomputer.com)
A whole load of phishing emails make it past Microsoft Defender, researchers say | TechRadar
Google Forms abused in new COVID-19 phishing wave in the U.S. (bleepingcomputer.com)
US election workers hit with phishing, malware emails • The Register
Cyber criminals are having it easy with phishing-as-a-service - Help Net Security
Other Social Engineering; Smishing, Vishing, etc
Malware
How a Microsoft blunder opened millions of PCs to potent malware attacks | Ars Technica
Banks face their 'darkest hour' as crimeware powers up • The Register
Emotet Rises Again With More Sophistication, Evasion (darkreading.com)
QAKBOT Attacks Spike Amid Concerning Cyber Criminal Collaborations (darkreading.com)
Hackers behind IcedID malware attacks diversify delivery tactics (bleepingcomputer.com)
Eternity threat group’s LilithBot: A criminal multitool • The Register
Here's another excellent reason not to browse adult websites at work | TechRadar
Experts analysed the evolution of the Emotet supply chain - Security Affairs
Mobile
Modified WhatsApp App Caught Infecting Android Devices with Malware (thehackernews.com)
Meta uncovers 400 malicious apps on Android and iOS apps | SC Media (scmagazine.com)
‘Zero-Click’ Spyware Emerges as a Menacing Mobile Threat - Bloomberg
Mullvad: Android may leak information when connected to a VPN - gHacks Tech News
Android Security Updates Patch Critical Vulnerabilities | SecurityWeek.Com
Hackers Using Vishing to Trick Victims into Installing Android Banking Malware (thehackernews.com)
Mystery iPhone update patches against iOS 16 mail crash-attack – Naked Security (sophos.com)
Internet of Things – IoT
Data Breaches/Leaks
Client data exfiltrated in Advanced NHS cyber attack (digitalhealth.net)
Mormon Church data stolen in 'state-sponsored' cyber attack • The Register
2K Customer Data Stolen, Sold Online After Support Desk Scam (kotaku.com)
Toyota discloses data leak after access key exposed on GitHub (bleepingcomputer.com)
Fast Company says Executive Board member info was not stolen in attack (bleepingcomputer.com)
State Bar of Georgia Confirms Data Breach Following Ransomware Attack | SecurityWeek.Com
Singtel's second unit faces cyber attack weeks after Optus data breach | Reuters
Zoetop pays $1.9m to settle customer data theft case • The Register
CommonSpirit Health IT still suffering after cyber attack • The Register
Over 80,000 DJI drone IDs exposed in data leak: Report (dronedj.com)
High-Value Targets: String of Aussie Telco Breaches Continues (darkreading.com)
Data of 380K patients compromised in hack of 13 anesthesia practices | SC Media (scmagazine.com)
Australian police secret agents exposed in Colombian data leak (bleepingcomputer.com)
Toyota Reveals Data Leak of 300,000 Customers - Infosecurity Magazine (infosecurity-magazine.com)
Organised Crime & Criminal Actors
INTERPOL arrests ‘Black Axe’ cyber crime syndicate members (bleepingcomputer.com)
Caffeine Phishing-as-a-Service toolkit available in the underground - Security Affairs
Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain
North Korea's Crypto Hackers Are Paving the Road to Nuclear Armageddon - CNET
Fake Solana Phantom security updates push crypto-stealing malware (bleepingcomputer.com)
'Baby Al Capone' to pay $22m to SIM-swap crypto-heist victim • The Register
Fraud, Scams & Financial Crime
Alternative payment methods are creating new fraud risks - Help Net Security
Prison inmate charged with $11m fraud via cell phone • The Register
Mastercard moves to protect ‘risky and frisky’ transactions • The Register
Deepfakes
AML/CFT/Sanctions
Insurance
Dark Web
Software Supply Chain
Denial of Service DoS/DDoS
US airports' sites taken down in DDoS attacks by pro-Russian hackers (bleepingcomputer.com)
Russian DDoS attack project pays contributors for more firepower (bleepingcomputer.com)
Cloud/SaaS
Encryption
Microsoft Office 365 uses insecure block ciphers • The Register
Microsoft Office 365 email encryption could expose message content (bleepingcomputer.com)
Passwords, Credential Stuffing & Brute Force Attacks
Social Media
Training, Education and Awareness
Parental Controls and Child Safety
Cyber Bullying and Cyber Stalking
Regulations, Fines and Legislation
Backup and Recovery
Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine
Vladimir Putin’s hybrid war has begun and the West must be ready | Evening Standard
Internet outages hit Ukraine following Russian missile strikes (bitdefender.com)
Seven 'Creepy' Backdoors Used by Lebanese Cyberspy Group in Israel Attacks | SecurityWeek.Com
Researchers Uncover Custom Backdoors and Spying Tools Used by Polonium Hackers (thehackernews.com)
We must tackle Europe’s winter cyber threats head-on – POLITICO
Researchers Detail Malicious Tools Used by Cyber Espionage Group Earth Aughisky (thehackernews.com)
‘Zero-Click’ Spyware Emerges as a Menacing Mobile Threat - Bloomberg
SpaceX’s Starlink terminals in Ukraine back online after outages | Financial Times
Nation State Actors
Nation State Actors – Russia
German Cyber security Chief Accused of Russian Contact Faces Sacking - IT Security Guru
Russian DDoS attack project pays contributors for more firepower (bleepingcomputer.com)
Extreme Networks admits sales to banned Russian arms maker • The Register
Nation State Actors – China
UK Spy Chief to Warn of 'Huge' China Tech Threat | SecurityWeek.Com
China’s attack motivations, tactics, and how CISOs can mitigate threats | CSO Online
China will manipulate new tech for global influence, warns GCHQ boss | Metro News
UK telcos legally required to remove Huawei equipment • The Register
Chinese-linked hackers targeted U.S. state legislature, researchers say - CyberScoop
New Chinese Malware Attack Framework Targets Windows, macOS, and Linux Systems (thehackernews.com)
UK to designate China a ‘threat’ in hawkish foreign policy shift | Foreign policy | The Guardian
WIP19, a new Chinese APT targets IT Service Providers and Telcos - Security Affairs
China-linked Budworm APT returns to target a US entity - Security Affairs
We must tackle China’s satellite-busting technology, says GCHQ chief | News | The Times
GCHQ boss: China could use Digital Yuan to swerve sanctions • The Register
Young people using TikTok is no problem, GCHQ chief says | TikTok | The Guardian
Nation State Actors – North Korea
Nation State Actors – Misc
Vulnerability Management
Vulnerabilities
Concerns Over Fortinet Flaw Mount; PoC Released, Exploit Activity Grows (darkreading.com)
Microsoft October 2022 Patch Tuesday fixes zero-day used in attacks, 84 flaws (bleepingcomputer.com)
Microsoft Addresses Zero-Days, but Exchange Server Exploit Chain Remains Unpatched (darkreading.com)
Auth bypass bug in FortiOS, FortiProxy is exploited in the wild (CVE-2022-40684) - Help Net Security
Chrome 106 Update Patches Several High-Severity Vulnerabilities | SecurityWeek.Com
Researchers Detail Windows Zero-Day Vulnerability Patched Last Month (thehackernews.com)
Almost 900 servers hacked using Zimbra zero-day flaw (bleepingcomputer.com)
Patch Tuesday: Critical Flaws in ColdFusion, Adobe Commerce | SecurityWeek.Com
Aruba fixes critical RCE and auth bypass flaws in EdgeConnect (bleepingcomputer.com)
WordPress Vulnerability In Shortcodes Ultimate Impacts 700,000 Sites (searchenginejournal.com)
Critical Open Source vm2 Sandbox Escape Bug Affects Millions (darkreading.com)
VMware vCenter Server bug disclosed last year still not patched (bleepingcomputer.com)
Other News
Board members should make CISOs their strategic partners - Help Net Security
5 Attack Elements Every Organisations Should Be Monitoring (darkreading.com)
Ukraine’s Starlink problems show the dangers of digital dependency | Financial Times (ft.com)
Here's 5 of the world's riskiest connected devices - Help Net Security
Older, Stored Data Is Cyber Security Risk, Report Warns - MSSP Alert
What the Uber Breach Verdict Means for CISOs in the US (darkreading.com)
Increasing network visibility is critical to improving security posture - Help Net Security
What the Uber Hack can teach us about navigating IT Security (bleepingcomputer.com)
Consumers want more transparency on how companies manage their data - Help Net Security
Gaming Is Booming. That’s Catnip for Cyber criminals. - The New York Times (nytimes.com)
Fear of cyber criminals drives cyber security improvements - Help Net Security
The next Ford Mustang won’t be easy to tune; blame cyber security | Ars Technica
Sector Specific
Industry specific threat intelligence reports are available.
Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.
· Automotive
· Construction
· Critical National Infrastructure (CNI)
· Defence & Space
· Education & Academia
· Energy & Utilities
· Estate Agencies
· Financial Services
· FinTech
· Food & Agriculture
· Gaming & Gambling
· Government & Public Sector (including Law Enforcement)
· Health/Medical/Pharma
· Hotels & Hospitality
· Insurance
· Legal
· Manufacturing
· Maritime
· Oil, Gas & Mining
· OT, ICS, IIoT, SCADA & Cyber-Physical Systems
· Retail & eCommerce
· Small and Medium Sized Businesses (SMBs)
· Startups
· Telecoms
· Third Sector & Charities
· Transport & Aviation
· Web3
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Threat Briefing 07 October 2022
Black Arrow Cyber Threat Briefing 07 October 2022:
-Russian Sanctions Instigator Lloyd's Possibly Hit by Cyber Attack
-Former Uber Security Chief Convicted of Covering Up Data Breach
-First 72 Hours of Incident Response Critical to Taming Cyber Attack Chaos
-Email Defences Under Siege: Phishing Attacks Dramatically Improve
-Remote Services Are Becoming an Attractive Target for Ransomware
-Growing Reliance on Cloud Brings New Security Challenges
-Many IT Pros Don’t Think a Ransomware Attack Can Impact Microsoft 365 Data
-Ransomware Group Bypasses "Enormous" Range of EDR Tools
-MS Exchange Zero-Days: The Calm Before the Storm?
-Average Company with Data in the Cloud Faces $28 Million in Data-Breach Risk
-Secureworks Finds Network Intruders See Little Resistance
-Regulations, Laws and Accountability are Changing the Cyber Security Landscape
-This Year’s Biggest Cyber Threats
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
Russian Sanctions Instigator Lloyd's Possibly Hit by Cyber Attack
Lloyd’s of London, the London-based insurance market heavily involved in implementing sanctions against Russia, may have been hit by a cyber-attack. On Wednesday, October 5, 2022, the British insurance market revealed it had detected “unusual activity” on its systems and has turned off all external connectivity “as a precautionary measure.”
“We have informed market participants and relevant parties, and we will provide more information once our investigations have concluded,” said a Lloyd’s spokesperson.
The company did not comment on whether or not it has been contacted by hackers, if a ransom demand has been issued, or on the possible source of the attack.
However, the insurance market has been closely involved with the design and implementation of sanctions imposed on Russia in response to its invasion of Ukraine – a potential motive for the attack. Lloyd’s itself has confirmed it was working closely with British and international governments to implement such sanctions.
Around 100 insurance syndicates operate at Lloyd's.
Earlier in 2022, Lloyd’s instructed its 76 insurance syndicates to remove “nation-state-backed cyber attacks” from insurance policies by March 2023, as well as losses “arising from a war.”
https://www.infosecurity-magazine.com/news/lloyds-possibly-hit-by-cyberattack/
Former Uber Security Chief Convicted of Covering Up Data Breach
Uber’s former head of security has been convicted of covering up a 2016 data breach at the rideshare giant, hiding details from US regulators and paying off a pair of hackers in return for their discretion.
The trial, closely watched in cyber security circles, is believed to be the first criminal prosecution of a company executive over the handling of a data breach.
Joe Sullivan, who was fired in 2017 over the incident, was found guilty by a San Francisco jury of obstructing an investigation by the Federal Trade Commission. At the time of the 2016 breach, the regulator had been investigating the car-booking service over a different cyber security lapse that had occurred two years earlier.
Jurors also convicted Sullivan of a second count related to having knowledge of but failing to report the 2016 breach to the appropriate government authorities. The incident eventually became public in 2017 when Dara Khosrowshahi, who had just taken over as chief executive, disclosed details of the attack.
Prosecutors said Sullivan had taken steps to make sure data compromised in the attack would not be revealed. According to court documents, two hackers approached Sullivan’s team to notify Uber of a security flaw that exposed the personal information of almost 60mn drivers and riders on the platform.
https://www.ft.com/content/051af6a1-41d1-4a6c-9e5a-d23d46b2a9c9
First 72 Hours of Incident Response Critical to Taming Cyber Attack Chaos
Cyber security professionals tasked with responding to attacks experience stress, burnout, and mental health issues that are exacerbated by a lack of breach preparedness and sufficient incident response practice in their organisations.
A new IBM Security-sponsored survey published this week found that two-thirds (67%) of incident responders suffer stress and anxiety during at least some of their engagements, while 44% have sacrificed the well-being of their relationships, and 42% have suffered burnout, according to the survey conducted by Morning Consult. In addition, 68% of incidents responders often have to work on two or more incidents at the same time, increasing their stress, according to the survey's results.
Companies that plan and practice responding to a variety of incidents can lower the stress levels of their incident responders, employees, and executives, says John Dwyer, head of research for IBM Security's X-Force response team.
"Organisations are not effectively establishing their response strategies with the responders in mind — it does not need to be as stressful as it is," he says. "There is a lot of time when the responders are managing organisations during an incident, because those organisations were not prepared for the crisis that occurs. These attacks happen every day."
The IBM Security-funded study underscores why the cyber security community has focused increasingly on the mental health of its members. About half (51%) of cyber security defenders have suffered burnout or extreme stress in the past year, according to a VMware survey released in August 2021. Cyber security executives have also spotlighted the issue as one that affects the community and companies' ability to retain skilled workers.
Email Defences Under Siege: Phishing Attacks Dramatically Improve
This week's report that cyber attackers are laser-focused on crafting attacks specialised to bypass Microsoft's default security showcases an alarming evolution in phishing tactics, security experts said this week.
Threat actors are getting better at slipping phishing attacks through the weak spots in platform email defences, using a variety of techniques, such as zero-point font obfuscation, hiding behind cloud-messaging services, and delaying payload activation, for instance. They're also doing more targeting and research on victims.
As a result, nearly 1 in 5 phishing emails (18.8%) bypassed Microsoft's platform defences and landed in workers' inboxes in 2022, a rate that increased 74% compared to 2020, according to research published by cyber security firm Check Point Software. Attackers increasingly used techniques to pass security checks, such as Sender Policy Framework (SPF), and obfuscate functional components of an e-mail, such as using zero-size fonts or hiding malicious URLs from analysis.
The increasing capabilities of attackers is due to the better understanding of current defences, says Avanan, an email security firm acquired by Check Point in August 2021.
"It is a family of 10 to 20 techniques, but they all lead to the objective of deceiving a company's security layers," he says. "The end result is always an email that looks genuine to the recipient but looks different to the algorithm that analyses the content."
Microsoft declined to comment on the research. However, the company has warned of advanced techniques, such as adversary-in-the-middle phishing (AiTM), which uses a custom URL to place a proxy server between a victim and their desired site, allowing the attacker to capture sensitive data, such as usernames and passwords. In July, the company warned that more than 10,000 organisations had been targeted during one AiTM campaign.
Remote Services Are Becoming an Attractive Target for Ransomware
Stolen credentials are no longer the number one initial access vector for ransomware operators looking to infect a target network and its endpoints - instead, they’ve become more interested in exploiting vulnerabilities found in internet-facing systems.
A report from Secureworks claims ransomware-as-a-service developers are quick to add newly discovered vulnerabilities into their arsenals, allowing even less competent hackers to exploit them swiftly, and with relative ease.
In fact, the company's annual State of the Threat Report reveals that flaw exploitation in remote services accounted for 52% of all ransomware incidents the company analysed over the last 12 months.
Besides remote services, Secureworks also spotted a 150% increase in the use of infostealers, which became a “key precursor” to ransomware. Both these factors, the report stresses, kept ransomware as the number one threat for businesses of all sizes, “who must fight to stay abreast of the demands of new vulnerability prioritisation and patching”.
All things considered, ransomware is still the biggest threat for businesses. It takes up almost a quarter of all attacks that were reported in the last 12 months, Secureworks says, and despite law enforcement being actively involved, operators remained highly active.
https://www.techradar.com/news/remote-services-are-becoming-an-attractive-target-for-ransomware
Growing Reliance on Cloud Brings New Security Challenges
There was a time when cloud was just a small subset of IT infrastructure, and cloud security referred to a very specific set of tasks. The current reality is very different, organisations are heavily dependent on cloud technologies and cloud security has become a much more complex endeavour.
Organisations increasingly rely on the cloud to deliver new applications, reduce costs, and support business operations. One in every four organisations already have majority workloads in the cloud, and 44% of workloads currently run in some form of public cloud, says Omdia, a research and advisory group.
Practically every midsize and large organisation now operates in some kind of a hybrid cloud environment, with a mix of cloud and on-premises systems. For most organisations, software-as-a-service constitute the bulk (80%) of their cloud environments, followed by infrastructure-as-a-service and platform-as-a-service deployments.
In the past, cloud security conversations tended to focus on making sure cloud environments are being configured properly, but cloud security nowadays goes far beyond just configuration management. The sprawling cloud environment means security management has to be centralised, Omdia said. Security functions also need to be integrated into existing application deployment workflows.
On top of all of this, multicloud is becoming more common among organisations as they shift their workloads to avoid being dependent on a single platform. The three major cloud providers – Amazon Web Services, Microsoft Azure, and Google Cloud Platform – account for 65% of the cloud market.
https://www.darkreading.com/dr-tech/growing-reliance-on-cloud-brings-new-security-challenges
Many IT Pros Don’t Think a Ransomware Attack Can Impact Microsoft 365 Data
The 2022 Ransomware Report, which surveyed over 2,000 IT leaders, revealed that 24% have been victims of a ransomware attack, with 20% of attacks happening in the last year.
Cyber attacks are happening more frequently. Last year’s ransomware survey revealed that 21% of companies experienced an attack. This year it rose by three percent to 24%.
“Attacks on businesses are increasing, and there is a shocking lack of awareness and preparation by IT pros. Our survey shows that many in the IT community have a false sense of security. As bad actors develop new techniques, companies like ours have to do what it takes to come out ahead and protect businesses around the world,” said Hornetsecurity.
The report highlighted a lack of knowledge on the security available to businesses. 25% of IT professionals either don’t know or don’t think that Microsoft 365 data can be impacted by a ransomware attack.
Just as worryingly, 40% of IT professionals that use Microsoft 365 in their organisation admitted they do not have a recovery plan in case their Microsoft 365 data was compromised by a ransomware attack.
“Microsoft 365 is vulnerable to phishing attacks and ransomware attacks, but with the help of third-party tools, IT admins can backup their Microsoft 365 data securely and protect themselves from such attacks,” said Hofmann.
https://www.helpnetsecurity.com/2022/10/03/ransomware-attack-impact-microsoft-365-data/
Ransomware Group Bypasses "Enormous" Range of EDR Tools
A notorious ransomware group has been spotted leveraging sophisticated techniques to bypass endpoint detection and response (EDR) tools.
BlackByte, which the US government has said poses a serious threat to critical infrastructure, used a “Bring Your Own Driver” technique to circumvent over 1000 drivers used by commercially available EDR products, according to Sophos. The UK cyber security vendor explained in a new report that the group had exploited a known vulnerability, CVE-2019-16098, in Windows graphics utility driver RTCorec6.sys. This enabled it to communicate directly with a victim system’s kernel and issue commands to disable callback routines used by EDR tools.
The group also used EDR bypass techniques borrowed from open source tool EDRSandblast to deactivate the Microsoft-Windows-Threat-Intelligence ETW (Event Tracing for Windows) provider. This is a Windows feature “that provides logs about the use of commonly maliciously abused API calls such as NtReadVirtualMemory to inject into another process’s memory,” explained Sophos. Neutralising it in this way renders any security tool relying on the feature also useless, the firm argued.
“If you think of computers as a fortress, for many EDR providers, ETW is the guard at the front gate,” said Sophos. “If the guard goes down, then that leaves the rest of the system extremely vulnerable. And, because ETW is used by so many different providers, BlackByte’s pool of potential targets for deploying this EDR bypass is enormous.”
BlackByte is not the only ransomware group using these advanced techniques to get around existing detection tools, illustrating the continued arms race between attackers and defenders. AvosLocker used a similar method in May, Sophos said. “Anecdotally, from what we’re seeing in the field, it does appear that EDR bypass is becoming a more popular technique for ransomware threat groups,” the firm confirmed. “This is not surprising. Threat actors often leverage tools and techniques developed by the ‘offensive security’ industry to launch attacks faster and with minimal effort.”
https://www.infosecurity-magazine.com/news/ransomware-bypasses-enormous-range/
MS Exchange Zero-Days: The Calm Before the Storm?
Two exploited MS Exchange zero-days that still have no official fix, have been added to CISA’s Known Exploited Vulnerabilities (KEV) Catalog.
But mitigating the risk of exploitation until patches are ready will require patience and doggedness, as Microsoft is still revising its advice to admins and network defenders, and still working on the patches.
The two vulnerabilities were publicly documented last Wednesday, by researchers with Vietnamese company GTSC, and Microsoft soon after sprung into (discernible) action by offering customer guidance, followed by an analysis of the attacks exploiting the two vulnerabilities. Several changes have been made to the documents since then, after the company found and other researchers pointed out several shortcomings.
Microsoft says its threat analysts observed “activity related to a single activity group in August 2022 that achieved initial access and compromised Exchange servers by chaining CVE-2022-41040 and CVE-2022-41082 in a small number of targeted attacks,” and that the attackers breached fewer than 10 organisations globally. “MSTIC assesses with medium confidence that the single activity group is likely to be a state-sponsored organisation,” they added.
The other good news is there are still no public exploits for the two vulnerabilities. But, Microsoft says, “Prior Exchange vulnerabilities that require authentication have been adopted into the toolkits of attackers who deploy ransomware, and these vulnerabilities are likely to be included in similar attacks due to the highly privileged access Exchange systems confer onto an attacker.”
Enterprise defenders should expect trouble via this attack path in the near future, it seems, so keeping abreast of the changing situation and springing into action as quickly as possible once the patches are made available is advised. Scammers have since started impersonating security researchers and offering non-existing PoC exploits for CVE-2022-41082 for sale via GitHub
https://www.helpnetsecurity.com/2022/10/03/ms-exchange-cve-2022-41040-cve-2022-41082/
Average Company with Data in the Cloud Faces $28 Million in Data-Breach Risk
Hard-to-control collaboration, complex SaaS permissions, and risky misconfigurations — such as admin accounts without multi-factor authentication (MFA) — have left a dangerous amount of cloud data exposed to insider threats and cyber attacks, according to Varonis.
For the report, researchers analysed nearly 10 billion cloud objects (more than 15 petabytes of data) across a random sample of data risk assessments performed at more than 700 companies worldwide. In the average company, 157,000 sensitive records are exposed to everyone on the internet by SaaS sharing features, representing $28 million in data-breach risk, Varonis researchers have found.
One out of every 10 records in the cloud is exposed to all employees — creating an impossibly large internal blast radius, which maximises damage during a ransomware attack. The average company has 4,468 user accounts without MFA enabled, making it easier for attackers to compromise internally exposed data.
Out of 33 super admin accounts in the average organisation, more than half did not have MFA enabled. This makes it easier for attackers to compromise these powerful accounts, steal more data, and create backdoors. Companies have more than 40 million unique permissions across SaaS applications, creating a nightmare for IT and security teams responsible for managing and reducing cloud data risk.
“Cloud security shouldn’t be taken for granted. When security teams lack critical visibility to manage and protect SaaS and IaaS apps and services, it’s nearly impossible to ensure your data isn’t walking out the door,” said Varonis. “This report is a true-to-life picture of over 700 real-world risk assessments of production SaaS environments. The results underscore the urgent need for CISOs to uncover and remediate their cloud risk as quickly as possible.”
https://www.helpnetsecurity.com/2022/10/05/company-data-breach-risk/
Secureworks Finds Network Intruders See Little Resistance
Attackers who break into networks only need to take a few basic measures in order to avoid detection.
Security vendor Secureworks said in its annual State of the Threat report that it observed several data breaches between June 2021 and June 2022 and found that, by and large, once network intruders gained a foothold on the targets' environment, they had to do relatively little to stay concealed.
"One thing that is notable about them is that none of these techniques are particularly sophisticated," the vendor said. "That is because threat actors do not need them to be; the adversary will only innovate enough to achieve their objectives. So there is a direct relationship between the maturity of the controls in a target environment and the techniques they employ to bypass those controls."
Among the more basic measures taken by the attackers was coding their tools in newer languages such as Go or Rust. This tweak created enough of a difference in the software to evade signature-checking tools, according to Secureworks' report. In other cases, the network intruders hid their activity by packing their malware within a trusted Windows installer or by sneaking it into the Authenticode signature of a trusted DLL. In another case, a malware infection was seen moving data out of the victim's network via TOR nodes. While effective, Secureworks said the techniques are hardly innovative. Rather, they indicate that threat actors find themselves only needing to do the bare minimum to conceal themselves from detection.
Regulations, Laws and Accountability are Changing the Cyber Security Landscape
As cyber criminals continue to develop new ways to wreak havoc, regulators have been working to catch up. They aim to protect data and consumers while avoiding nation-state attacks that are a risk to national and economic security. But some of these regulations may provide an opportunity for MSSPs.
Some of these regulations are a response to what’s generally been a hands-off approach to telling organisations what to do. Unfortunately, cyber security isn’t always prioritised when budgets and resources are allocated. The result is a steadily rising tide of breaches and exploits that have held organisations hostage and made private information available on the dark web.
The new regulations are coming from all directions: at the state and federal levels in the US and around the world. While many of these regulations aren’t yet final, there’s no reason not to start aligning with where trends will ease the impact of changing rules. At the same time, many organisations want to hold the government responsible for some kinds of attacks. It will be interesting to see how regulating works, as most politicians and bureaucrats aren’t known for their technological savvy.
In the US, for example, new regulations are in development in the Federal Trade Commission, Food and Drug Administration, Department of Homeland Security, Department of Transportation, Department of Energy, and the Cybersecurity and Infrastructure Security Agency. Thirty-six states have enacted cyber security legislation, and the count increases as other countries join.
One of the motivating factors for all these new regulations is that most cyber attacks aren’t reported. Lawmakers realise cyber security threats continue to be one of the top national security and economic risks. In the last year and a half (2020-2022), there have been attacks on America’s gas supply, meat supply, and various other companies, courts, and government agencies. One FBI cyber security official estimated the government only learns about 20% to 25% of intrusions at US business and academic institutions.
In March, Congress passed legislation requiring critical infrastructure operators to report significant cyber attacks to CISA within 72 hours of learning about the attack. It also required them to report a ransomware payment within 24 hours. These regulations will also consider reporting “near misses” so that this data can also be studied and tracked. The problem is, how does one define a “near miss”?
This Year’s Biggest Cyber Threats
OpenText announced the Nastiest Malware of 2022, a ranking of the year’s biggest cyber threats. For the fifth year running, experts combed through the data, analysed different behaviours, and determined which malicious payloads are the nastiest.
Emotet regained its place at the top, reminding the world that while affiliates may be taken down, the masterminds are resilient. LockBit evolved its tactics into something never seen before: triple extortion. Analysis also revealed an almost 1100% increase in phishing during the first four months of 2022 compared to the same period in 2021, indicating a possible end to the “hacker holiday,” a hacker rest period following the busy holiday season.
“The key takeaway from this year’s findings is that malware remains centre stage in the threats posed towards individuals, businesses, and governments,” said OpenText.
“Cyber criminals continue to evolve their tactics, leaving the infosec community in a constant state of catch-up. With the mainstream adoption of ransomware payloads and cryptocurrency facilitating payments, the battle will continue. No person, no business—regardless of size—is immune to these threats.”
While this year’s list may designate payloads into different categories of malware, it’s important to note many of these bad actor groups contract work from others. This allows each group to specialise in their respective payload and perfect it.
https://www.helpnetsecurity.com/2022/10/06/2022-nastiest-malware/
Threats
Ransomware and Extortion
Ransomware Attacks On The Rise, Secureworks Reveals in its State of the Threat Report - MSSP Alert
Ransomware: This is how half of attacks begin, and this is how you can stop them | ZDNET
Fake adult sites push data wipers disguised as ransomware (bleepingcomputer.com)
BlackByte ransomware abuses legit driver to disable security products (bleepingcomputer.com)
Ransomware attacks ravage schools, municipal governments (techtarget.com)
More and more ransomware is just data theft, no encryption • The Register
Netwalker ransomware affiliate sentenced to 20 years in prison (bleepingcomputer.com)
Cheerscrypt ransomware is linked to Chinese DEV-0401 APT group - Security Affairs
ADATA denies RansomHouse cyber attack, says leaked data from 2021 breach (bleepingcomputer.com)
Avast releases a free decryptor for some Hades ransomware variants - Security Affairs
Cyber criminals Leak LA School Data After It Refuses to Ransom (vice.com)
How Ransomware Is Causing Chaos in American Schools (vice.com)
Ransomware hunters: the self-taught tech geniuses fighting cyber crime | Cyber crime | The Guardian
BEC – Business Email Compromise
BEC fraudster and romance scammer sent to prison for 25 years – Naked Security (sophos.com)
Hackers Target Homebuyers’ Life Savings in Real Estate Scam - Bloomberg
Phishing & Email Based Attacks
Other Social Engineering; Smishing, Vishing, etc
Callback phishing attacks evolve their social engineering tactics (bleepingcomputer.com)
3 ways enterprises can mitigate social engineering risks - Help Net Security
Malware
OpenText Releases List Of The Year’s “Nastiest” Malware - MSSP Alert
This devious malware is able to disable your antivirus | TechRadar
Bumblebee Malware Loader's Payloads Significantly Vary by Victim System (darkreading.com)
Live support service hacked to spread malware in supply chain attack (bleepingcomputer.com)
NullMixer Dropper Delivers a Multimalware Code Bomb (darkreading.com)
Maggie malware already infected over 250 Microsoft SQL servers - Security Affairs
Mobile
Internet of Things – IoT
7 IoT Devices That Make Security Pros Cringe (darkreading.com)
Ikea Smart Light System Flaw Lets Attackers Turn Bulbs on Full Blast (darkreading.com)
Acronis founder is afraid of his own vacuum cleaner • The Register
Data Breaches/Leaks
“Egypt Leaks” – Hacktivists are Leaking Financial Data - Security Affairs
No Shangri-La for you: Top hotel chain confirms data leak • The Register
NSA: Someone hacked military contractor and stole data • The Register
City of Tucson discloses data breach affecting over 123,000 people (bleepingcomputer.com)
Optus Says ID Numbers of 2.1 Million Compromised in Data Breach | SecurityWeek.Com
Aussie Telco Telstra Breached, Reportedly Exposing 30,000 Employees' Data (darkreading.com)
2K warns users their info has been stolen following breach of its help desk | Ars Technica
Russian retail chain 'DNS' confirms hack after data leaked online (bleepingcomputer.com)
Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain
Breaking: Scams Linked To Crypto Soared By 335% (informationsecuritybuzz.com)
Hacker steals $566 million worth of crypto from Binance Bridge (bleepingcomputer.com)
Hackers are breaching scam sites to hijack crypto transactions (bleepingcomputer.com)
Binance Says $100 Million Stolen in Latest Crypto Hack (gizmodo.com)
Hackers are breaching scam sites to hijack crypto transactions (bleepingcomputer.com)
Insider Risk and Insider Threats
Meta sues app dev for stealing over 1 million WhatsApp accounts (bleepingcomputer.com)
Microsoft publishes report on holistic insider risk management - Microsoft Security Blog
Unearth offboarding risks before your employees say goodbye - Help Net Security
Splunk alleges source code theft by former employee • The Register
Ex-NSA Employee Arrested for Trying to Sell U.S. Secrets to a Foreign Government (thehackernews.com)
Fraud, Scams & Financial Crime
Consumers Feel Hopeless in Protecting Themselves Against Cyber crime, ISACA Reports - MSSP Alert
BEC fraudster and romance scammer sent to prison for 25 years – Naked Security (sophos.com)
Hackers Target Homebuyers’ Life Savings in Real Estate Scam - Bloomberg
Russians dodging mobilization behind flourishing scam market (bleepingcomputer.com)
Scammers and rogue callers – can anything ever stop them? – Naked Security (sophos.com)
Online romance scam boss netted $9.5m, jailed for 25 years • The Register
Deepfakes
Supply Chain and Third Parties
Live support service hacked to spread malware in supply chain attack (bleepingcomputer.com)
Supply Chain Attack Targets Customer Engagement Firm Comm100 | SecurityWeek.Com
Denial of Service DoS/DDoS
Cloud/SaaS
Encryption
API
More Than 30% of All Malicious Attacks Target Shadow APIs (darkreading.com)
APIs are quickly becoming the most popular attack vector - Help Net Security
The Problem of API Security and How To Fix It (informationsecuritybuzz.com)
API authentication failures demonstrate the need for zero trust - Help Net Security
Shadow APIs hit with 5 billion malicious requests - Help Net Security
Open Source
When transparency is also obscurity: The conundrum that is open-source security - Help Net Security
How Secure is Using Open Source Components? - IT Security Guru
Passwords, Credential Stuffing & Brute Force Attacks
Microsoft warns Basic Auth users over password spray attacks • The Register
Is mandatory password expiration helping or hurting your password security? - Help Net Security
Detecting and preventing LSASS credential dumping attacks - Microsoft Security Blog
Meta Says It Has Busted More Than 400 Login-Stealing Apps This Year | WIRED
Privacy, Surveillance and Mass Monitoring
Regulations, Fines and Legislation
Models, Frameworks and Standards
Secure Disposal
Backup and Recovery
Law Enforcement Action and Take Downs
Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine
Relentless Russian Cyber attacks on Ukraine Raise Important Policy Questions (darkreading.com)
Finnish intelligence warns of Russia's cyber espionage activities - Security Affairs
Kazakhstan Pins Wave Of Cyber attacks On Foreign Actors | OilPrice.com
Albania weighed invoking NATO’s Article 5 over Iranian cyber attack - POLITICO
We breached Russian satellite network, say pro-Ukraine partisans | Cybernews
Ukrainian forces report Starlink outages during push against Russia | Financial Times (ft.com)
Report: Mexico Continued to Use Spyware Against Activists | SecurityWeek.Com
Nation State Actors
Nation State Actors – China
US authorities name China's 20 favourite vulns to exploit • The Register
Cheerscrypt ransomware is linked to Chinese DEV-0401 APT group - Security Affairs
Nation State Actors – North Korea
Vulnerabilities
Fortinet warns admins to patch critical auth bypass bug immediately (bleepingcomputer.com)
Atlassian, Microsoft bugs make CISA’s must-patch list • The Register
US authorities name China's 20 favourite vulns to exploit • The Register
October 2022 Patch Tuesday forecast: Looking for treats, not more tricks - Help Net Security
Fake Microsoft Exchange ProxyNotShell exploits for sale on GitHub (bleepingcomputer.com)
CISA Warns of Attacks Exploiting Recent Atlassian Bitbucket Vulnerability | SecurityWeek.Com
No fix in sight for mile-wide loophole plaguing a key Windows defence for years | Ars Technica
Hackers Exploiting Unpatched RCE Flaw in Zimbra Collaboration Suite (thehackernews.com)
Lazarus employed an exploit in a Dell firmware driver in recent attacks - Security Affairs
Unpatched Zimbra flaw under attack is letting hackers backdoor servers | Ars Technica
macOS Archive Utility Bug Lets Malicious Apps Bypass Security Checks (darkreading.com)
Fortinet Warns of New Auth Bypass Flaw Affecting FortiGate and FortiProxy (thehackernews.com)
VMware fixed a high-severity bug in vCenter Server - Security Affairs
Reports Published in the Last Week
Other News
Guilty verdict in the Uber breach case makes personal liability real for CISOs | CSO Online
Cyber attackers view smaller organisations as easier targets - Help Net Security
Moody's turns up the heat on 'riskiest' sectors for attacks • The Register
5 reasons why security operations are getting harder | CSO Online
Former NSA Employee Faces Death Penalty for Selling Secrets (darkreading.com)
Fast Company Is Back From the Dead After Being Hacked (gizmodo.com)
Ready Or Not, Web 3 Is Coming And With It Comes Cybersquatting 2.0 (informationsecuritybuzz.com)
Cyber Hygiene: 5 Best Practices for Company Buy-In (trendmicro.com)
School Is in Session: 5 Lessons for Future Cyber Security Pros (darkreading.com)
Want More Secure Software? Start Recognizing Security-Skilled Developers (thehackernews.com)
Incident responders increasingly seek out mental health assistance - Help Net Security
You Are Not Alone If You're Unclear About Extended Detection and Response (XDR) - MSSP Alert
Why digital trust is the bedrock of business relationships - Help Net Security
Sector Specific
Industry specific threat intelligence reports are available.
Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.
· Automotive
· Construction
· Critical National Infrastructure (CNI)
· Defence & Space
· Education & Academia
· Energy & Utilities
· Estate Agencies
· Financial Services
· FinTech
· Food & Agriculture
· Gaming & Gambling
· Government & Public Sector (including Law Enforcement)
· Health/Medical/Pharma
· Hotels & Hospitality
· Insurance
· Legal
· Manufacturing
· Maritime
· Oil, Gas & Mining
· OT, ICS, IIoT, SCADA & Cyber-Physical Systems
· Retail & eCommerce
· Small and Medium Sized Businesses (SMBs)
· Startups
· Telecoms
· Third Sector & Charities
· Transport & Aviation
· Web3
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Threat Briefing 19 August 2022
Black Arrow Cyber Threat Briefing 19 August 2022:
-Businesses Found to Neglect Cyber Security Until it is Too Late
-Cyber Tops Staff Retention as Biggest Business Risk
-Cyber Criminals Weaponising Ransomware Data for BEC Attacks
-Callback Phishing Attacks See Massive 625% Growth Since Q1 2021
-Credential Phishing Attacks Skyrocketing, 265 Brands Impersonated in H1 2022
-Are Cloud Environments Secure Enough for Today’s Threats?
-Most Q2 Attacks Targeted Old Microsoft Vulnerabilities
-Cyber Resiliency Isn't Just About Technology, It's About People
-The “Cyber Insurance Gap” Is Threatening Most Companies
-Easing the Cyber-Skills Crisis with Staff Augmentation
-Mailchimp Suffers Second Breach In 4 Months
-Firm Told It Can't Claim Full Cyber Crime Insurance After Social Engineering Attack
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
Businesses Found to Neglect Cyber Security Until it is Too Late
Businesses only take cyber security seriously after falling victim to an attack, according to a report published by the UK's Department for Culture, Media and Sport (DCMS) this week.
For the research, the UK government surveyed IT professionals and end users in 10 UK organisations of varying sizes that have experienced cyber security breaches in the past three years. This analysed their existing level of security prior to a breach, the business impacts of the attack and how cyber security arrangements changed in the wake of the incident.
Nearly all respondents said their organisation took cyber security much more seriously after experiencing a breach, including reviewing existing practices and significantly increased investment in technology solutions.
While there was a consensus among participants that there is a greater need for vigilance and investment in cyber security, there was significant variation between organisations’ practices in this area. Medium and large organisations tended to have formal plans in place and budget allocated for further cyber security investment, but smaller businesses mostly did not due to resource constraints.
https://www.infosecurity-magazine.com/news/cybersecurity-seriously-breach/
Cyber Tops Staff Retention as Biggest Business Risk
Cyber security concerns represent the most serious risk facing organisations, beating inflation, talent acquisition/retention and rising production costs, according to a new PwC study.
The PwC Pulse: Managing business risks in 2022 report was compiled from interviews with 722 US C-suite executives.
Two-fifths (40%) ranked cyber-attacks as a serious risk, rising to 51% of board members. PwC said boardrooms may be getting more attuned to cyber risk after new SEC proposals were published in March that would require directors to oversee cyber security risk and be more transparent about their cyber expertise.
In fact, executives appear to be getting more proactive with cyber security on a number of fronts.
Some 84% said they are taking action or monitoring closely policy areas related to cyber security, privacy and data protection. A further 79% said they’re revising or enhancing their cyber risk management approaches, and half (49%) pointed to increased investments in cyber security and privacy.
By way of comparison, 53% said they’re increasing investment in digital transformation and 52% in IT.
Cyber security is a strategic business enabler – technology is the central nervous system of many companies – and confirming its data is secure and protected can be brand defining.
There’s now heightened attention from a wider range of business leaders and corporate directors as they recognise that cyber security and data privacy should be part of not only a risk management strategy, but also a broader corporate strategy. C-suite and boards are actively taking steps to better understand the global threat landscape, confirm a foundational cyber security program is in place, and manage these risks to create opportunities.
https://www.infosecurity-magazine.com/news/cyber-tops-staff-retention-biggest/
Cyber Criminals Weaponising Ransomware Data for BEC Attacks
Cyber criminals and other threat actors are increasingly using data dumped from ransomware attacks in secondary business email compromise (BEC) attacks, according to new analysis by Accenture Cyber Threat Intelligence.
The ACTI team analysed data from the 20 most active ransomware leak sites, measured by number of featured victims, between July 2021 and July 2022. Of the 4,026 victims (corporate, non-governmental organisations, and governmental entities) uncovered on various ransomware groups’ dedicated leak sites, an estimated 91% incurred subsequent data disclosures, ACTI found.
Dedicated leak sites most commonly provide financial data, followed by employee and client personally identifiable information and communication documentation. The rise of double extortion attempts – where attack groups use ransomware to exfiltrate data and then publicise the data on dedicated leak sites – has made large amounts of sensitive corporate data available to any threat actor. The most valuable types of data most useful for conducting BEC attacks are financial, employee, and communication data, as well as operational documents. There is a significant overlap between the types of data most useful for conducting BEC attacks and the types of data most commonly posted on these ransomware leak sites, ACTI said.
The data is a “rich source for information for criminals who can easily weaponise it for secondary BEC attacks,” ACTI said. “The primary factor driving an increased threat of BEC and VEC attacks stemming from double-extortion leaks is the availability of [corporate and communication data].”
Callback Phishing Attacks See Massive 625% Growth Since Q1 2021
Hackers are increasingly moving towards hybrid forms of phishing attacks that combine email and voice social engineering calls as a way to breach corporate networks for ransomware and data extortion attacks.
According to Agari's Q2 2022 cyber-intelligence report, phishing volumes have only increased by 6% compared to Q1 2022. However, the use of 'hybrid vishing' is seeing a massive 625% growth.
Vishing, "voice phishing," involves some form of a phone call to perform social engineering on the victim. Its hybrid form, called "callback phishing," also includes an email before the call, typically presenting the victim with a fake subscription/invoice notice.
The recipient is advised to call on the provided phone number to resolve any issues with the charge, but instead of a real customer support agent, the call is answered by phishing actors.
The scammers then offer to resolve the presented problem by tricking the victim into disclosing sensitive information or installing remote desktop tools on their system. The threat actors then connect to the victim's device remotely to install further backdoors or spread to other machines.
These callback phishing attacks were first introduced by the 'BazarCall/BazaCall' campaigns that appeared in March 2021 to gain initial access to corporate networks for ransomware attacks.
The attacks work so well that multiple ransomware and extortion gangs, such as Quantum, Zeon, and Silent Ransom Group, have adopted the same technique today to gain initial network access through an unsuspecting employee.
"Hybrid Vishing attacks reached a six-quarter high in Q2, increasing 625% from Q1 2021. This threat type also contributed to 24.6% of the overall share of Response-Based threats," details the Agari report.
"While this is the second quarter hybrid vishing attacks have declined in share due to the overall increase of response-based threats, vishing volume has steadily increased in count over the course of the year."
Credential Phishing Attacks Skyrocketing, 265 Brands Impersonated in H1 2022
Abnormal Security released a report which explores the current email threat landscape and provides insight into the latest advanced email attack trends, including increases in business email compromise, the evolution of financial supply chain compromise, and the rise of brand impersonation in credential phishing attacks.
The research found a 48% increase in email attacks over the previous six months, and 68.5% of those attacks included a credential phishing link. In addition to posing as internal employees and executives, cyber criminals impersonated well-known brands in 15% of phishing emails, relying on the brands’ familiarity and reputation to convince employees to provide their login credentials. Most common among the 265 brands impersonated in these attacks were social networks and Microsoft products.
“The vast majority of cyber crime today is successful because it exploits the people behind the keyboard,” said Crane Hassold, director of threat intelligence at Abnormal Security.
“By compromising people rather than networks, it’s easier for attackers to circumvent conventional security measures. This is especially true with brand impersonation, where attackers use urgency and fear to encourage their targets to provide usernames and passwords.”
LinkedIn took the top spot for brand impersonation, but Outlook, OneDrive and Microsoft 365 appeared in 20% of all attacks. What makes these attacks particularly dangerous is that phishing emails are often the first step to compromising employee email accounts. Acquiring Microsoft credentials enables cyber criminals to access the full suite of connected products, allowing them to view sensitive data and use the account to send business email compromise attacks.
https://www.helpnetsecurity.com/2022/08/15/landscape-email-threat/
Are Cloud Environments Secure Enough for Today’s Threats?
Cyber security is a major problem right now. Not only is it the highest priority of any given business to keep their own data and their customers’ and clients’ data secure, but changes in the workplace have had a knock-on effect on cyber security. The concept of working from home has forced businesses all around the world to address old and new cyber security threats. People taking their laptops, and therefore their data, home to public networks that can be hacked or leaving access details like passwords scribbled on notebooks has meant that access to a business and therefore their customers’ data is a lot more accessible.
The saving grace was said to be the cloud. Beyond retraining cyber security in staff workforces, the practical solution was to move data into the cloud. But we’re now a few years from the point when the cloud really gained popularity. Is it still the answer to all our cyber security problems? Is there a chance of risk to using the cloud?
Cloud data breaches do happen and misconfiguration is a leading cause of them, mainly due to businesses inadequate cyber security strategies. This is due to several factors, such as the fundamental nature of the cloud designed to be easy for anyone to access, and businesses unable to completely see or control the cloud’s infrastructure and therefore relying on the cyber security controls that are provided by the cloud service provider (or CSP).
Unauthorised access is also a risk. The internet, which is a readily available public resource to most of the world, makes it easy for hackers to access data if they have the credentials to get past the cyber security set up by the individual business. This is where the ugliness of internal cloud breaches happens. If security is not configured well or credentials like passwords and secret questions are compromised, an attacker can easily access the cloud.
However, it’s not only through an employee that hackers access credentials. Phishing is a very common means of gaining information that would allow access to a customer or business data.
Plus, the simple nature of sharing data can easily backfire on a company. A lot of data access is granted with a link to someone external, which can then be forwarded, either sold or stolen, to an attacker to access the cloud’s data.
https://www.itsecurityguru.org/2022/08/16/are-cloud-environments-secure-enough-for-todays-threats/
Most Q2 Attacks Targeted Old Microsoft Vulnerabilities
Attacks targeting a remote code execution vulnerability in Microsoft's MSHTML browser engine — which was patched last September — soared during the second quarter of this year, according to a Kaspersky analysis.
Researchers from Kaspersky counted at least 4,886 attacks targeting the flaw (CVE-2021-40444) last quarter, an eightfold increase over the first quarter of 2022. The security vendor attributed the continued adversary interest in the vulnerability to the ease with which it can be exploited.
Kaspersky said it has observed threat actors exploiting the flaw in attacks on organisations across multiple sectors including the energy and industrial sectors, research and development, IT companies, and financial and medical technology firms. In many of these attacks, the adversaries have used social engineering tricks to try and get victims to open specially crafted Office documents that would then download and execute a malicious script. The flaw was under active attack at the time Microsoft first disclosed it in September 2021.
Attacks targeting a remote code execution vulnerability in Microsoft's MSHTML browser engine — which was patched last September — soared during the second quarter of this year, according to a Kaspersky analysis. Researchers from Kaspersky counted at least 4,886 attacks targeting the flaw last quarter, an eightfold increase over the first quarter of 2022. The security vendor attributed the continued adversary interest in the vulnerability to the ease with which it can be exploited. According to Kaspersky, exploits for Windows vulnerabilities accounted for 82% of all exploits across all platforms during the second quarter of 2022. While attacks on the MSHTML vulnerability increased the most dramatically, it was by no means the most exploited flaw, which was a remote code execution vulnerability in Microsoft Office that was disclosed and patched four years ago that was attacked some 345,827 times last quarter.
Cyber Resiliency Isn't Just About Technology, It's About People
Cyber attacks are on the rise — but if we're being honest, that statement has been true for quite a while, given the acceleration of cyber incidents over the past several years. Recent research indicates that organisations experienced 50% more attack attempts per week on corporate networks in 2021 than they did in 2020, and tactics such as phishing are becoming increasingly popular as attackers refine their tried-and-true methods to more successfully entice unsuspecting targets.
It's no surprise, then, that cyber resiliency has been a hot topic in the cyber security world. But although cyber resiliency refers broadly to the ability of an organisation to anticipate, withstand, and recover from cyber security incidents, many experts make the mistake of applying the term specifically to technology. And while it's true that detection and remediation tools, backup systems, and other resources play an important role in cyber resiliency, organisations that focus exclusively on technology risk are overlooking an equally important element: people.
People are often thought of as the weak link in cyber security. It's easy to understand why. People fall for phishing scams. They use weak passwords and procrastinate on installing security updates. They misconfigure hardware and software, leave cloud assets unsecured, and send confidential files to the wrong recipient. There's a reason so much cyber security technology is moving toward automation: removing people from the equation is seen as one of the most obvious ways to improve security. To many security experts, that's just common sense.
Except — is it, really? It's true that people make mistakes — it's called "human error" for a reason, after all — but many of those mistakes come when employees aren't put in a position to succeed. Phishing is a great example. Most people are familiar with the concept of phishing, but many may not be aware of the nefarious techniques that today's attackers deploy. If employees have not been properly trained, they may not be aware that attackers often impersonate real people within the organisation, or that the CEO asking them to buy gift cards "for a company happy hour" probably isn't legit. Organisations that want to build strong cyber-resiliency cannot pretend that people don't exist. Instead, they need to prioritise the resiliency of their people just as highly as the resiliency of their technology.
Training the organisation to recognise the signs of common attack tactics, practice better password and cyber hygiene, and report signs of suspicious activity can help ease the burden on IT and security personnel by providing them better information in a more timely manner. It also avoids some of the pitfalls that create a drain on their time and resources. By ensuring that people at every level of the business are more resilient, today's organisations will discover that their overall cyber-resiliency will improve significantly.
The “Cyber Insurance Gap” Is Threatening Most Companies
A new study by BlackBerry and Corvus Insurance confirms a “cyber insurance gap” is growing, with a majority of businesses either uninsured or under insured against a rising tide of ransomware attacks and other cyber threats.
Only 19% of all businesses surveyed have ransomware coverage limits above the median ransomware demand amount ($600,000)
Among SMBs with fewer than 1,500 employees, only 14% have a coverage limit in excess of $600,000
37% of respondents with cyber insurance do not have any coverage for ransomware payment demands
43% of those with a policy are not covered for auxiliary costs such as court fees or employee downtime
60% say they would reconsider entering into a partnership or agreement with another business or supplier if the organisation did not have comprehensive cyber insurance
Endpoint detection and response (EDR) software is frequently a key component to obtaining a policy
34% of respondents have been previously denied cyber coverage by insurance providers due to not meeting EDR eligibility requirements
Easing the Cyber-Skills Crisis with Staff Augmentation
Filling cyber security roles can be costly, slow, and chancy. More firms are working with third-party service providers to quickly procure needed expertise.
There are many possible solutions to the cyber security skills shortage, but most of them take time. Cyber security education, career development tracks, training programs, employer-sponsored academies, and internships are great ways to build a talent pipeline and develop skill sets to meet organisational needs in years to come.
But sometimes the need to fill a gap in capability is more immediate.
An organisation in the entertainment industry recently found itself in such a position. Its primary cyber security staff member quit suddenly without notice, taking along critical institutional knowledge and leaving various projects incomplete. With its key defender gone, the organisation's environment was left vulnerable. In a scarce talent market, the organisation faced a long hiring process to find a replacement — too long to leave its digital estate unattended. It needed expertise, and quickly.
According to a 2021 ESG report, 57% of organisations have been impacted by the global cyber security skills crisis. Seventy-six percent say it's difficult to recruit and hire security professionals. The biggest effects of this shortage are increasing workloads, positions open for weeks or months, and high cyber security staff burnout and attrition.
In this climate, more companies are turning to third parties for cyber security staff reinforcement. According to a NewtonX study, 56% of organisations are now subcontracting up to a quarter of their cyber security staff. Sixty-nine percent of companies rely on third-party expertise to assist in mitigating the risk of ransomware — up from 58% in 2017 — per a study by Ponemon and CBI, a Converge Company.
One way that companies gain this additional support is via third-party staff augmentation and consulting services. Cyber security staff augmentation, or strategic staffing, entails trained external consultants acting as an extension of an organisation's security team in a residency. Engagements can be anywhere from a few weeks to a few years, and roles can range from analysts and engineers to architects, compliance specialists, and virtual CISOs.
https://www.darkreading.com/operations/easing-the-cyber-skills-crisis-with-staff-augmentation
Mailchimp Suffers Second Breach In 4 Months
Mailchimp suffered another data breach earlier this month, and this one cost it a client.
In a statement Friday, Mailchimp disclosed that a security incident involving phishing and social engineering tactics had targeted cryptocurrency and blockchain companies using the email marketing platform. It was the second Mailchimp breach to target cryptocurrency customers in a four-month span.
Though Mailchimp said it has suspended accounts where suspicious activity was detected while an investigation is ongoing, it did not reveal the source of the breach or scope of the attack.
More details were provided Sunday by one of the affected customers, DigitalOcean, which cut ties with Mailchimp on Aug. 9.
The cloud hosting provider observed suspicious activity beginning Aug. 8, when threat actors used its Mailchimp account for "a small number of attempted compromises" of DigitalOcean customer accounts -- specifically cryptocurrency platforms.
While it is not clear whether any DigitalOcean accounts were compromised, the company did confirm that some email addresses were exposed. More importantly, the statement attributed a potential source of the most recent Mailchimp breach.
https://www.techtarget.com/searchsecurity/news/252523911/Mailchimp-suffers-second-breach-in-4-months
Firm Told It Can't Claim Full Cyber Crime Insurance After Social Engineering Attack
A Minnesota computer store suing its cyber insurance provider has had its case dismissed, with the courts saying it was a clear instance of social engineering, a crime for which the insurer was only liable to cover a fraction of total losses.
SJ Computers alleged in a November lawsuit that Travelers Casualty and Surety Co. owed it far more than paid on a claim for nearly $600,000 in losses due to a successful business email compromise (BEC) attack.
According to its website, SJ Computers is a Microsoft Authorised Refurbisher, reselling Dell, HP, Lenovo and Acer products, as well as providing tech services including software installs and upgrades.
Travelers, which filed a motion to dismiss, said SJ's policy clearly delineated between computer fraud and social engineering fraud. The motion was granted with prejudice last Friday.
In the dismissal order, the US District Court for Minnesota found that the two policy agreements are mutually exclusive, as well as finding SJ's claim fell squarely into its social engineering fraud agreement with Travelers, which has a cap of $100,000.
When SJ filed its claim with Travelers, the court noted, it did so only under the social engineering fraud agreement. After realising the policy limit on computer fraud was 10 times higher, "SJ Computers then made a series of arguments – ranging from creative to desperate – to try to persuade Travelers that its loss was not the result of social-engineering-fraud (as SJ Computers itself had initially said) but instead the result of computer fraud," the district judge wrote in the order.
https://www.theregister.com/2022/08/16/social_engineering_cyber_crime_insurance/
Threats
Ransomware
Ransomware Group Threatens to Leak Data Stolen From Security Firm Entrust | SecurityWeek.Com
Cisco Confirms Hack: Yanluowang Ransom Gang Claims 2.8GB Of Data (informationsecuritybuzz.com)
Ransomware is still on the rise. Here's what you need to do to stay safe from hackers | ZDNET
Russian Man Extradited to US for Laundering Ryuk Ransomware Money | SecurityWeek.Com
‘Coopetition’ a growing trend among ransomware gangs (computerweekly.com)
Hackers Attack UK Water Supplier, Sends Ransom Demand to the Wrong Company (gizmodo.com)
SOVA malware adds ransomware feature to encrypt Android devices (bleepingcomputer.com)
BlackByte ransomware v2 is out with new extortion novelties - Security Affairs
Ransomware is back, healthcare sector most targeted - Help Net Security
Why Hackers Are Now Targeting Electric Car Charging Stations (nocamels.com)
BlackByte Ransomware Gang Returns With Twitter Presence, Tiered Pricing (darkreading.com)
Ski-Doo maker BRP resumes operations following cyber attack; shares fluctuate - MarketWatch
Argentina's Judiciary of Córdoba hit by PLAY ransomware attack (bleepingcomputer.com)
BEC – Business Email Compromise
Phishing & Email Based Attacks
Response-based attacks make up 41% of all email-based scams - Help Net Security
PayPal Phishing Scam Uses Invoices Sent Via PayPal – Krebs on Security
Microsoft admits it can't stop scammers fooling you with their latest tricks | ZDNET
Other Social Engineering; SMishing, Vishing, etc
Malware
Hackers Deploy Bumblebee Loader to Breach Target Networks - Infosecurity Magazine
'DarkTortilla' Malware Wraps in Sophistication for High-Volume RAT Infections (darkreading.com)
Malicious browser extensions targeted almost 7 million people (bleepingcomputer.com)
DoNot Team Hackers Updated its Malware Toolkit with Improved Capabilities (thehackernews.com)
Whack-a-Mole: More Malicious PyPI Packages Spring Up Targeting Discord, Roblox (darkreading.com)
Mobile
SOVA Android malware now also encrypts victims' files - Security Affairs
Malware devs already bypassed Android 13's new security feature (bleepingcomputer.com)
Google releases Android 13 with improved privacy and security features - Help Net Security
Android malware apps with 2 million installs found on Google Play (bleepingcomputer.com)
Researchers Find 35 Adware Apps on Google Play - Infosecurity Magazine
Nearly 1,900 Signal Messenger Accounts Potentially Compromised in Twilio Hack (thehackernews.com)
Internet of Things – IoT
How attackers are exploiting corporate IoT - Help Net Security
Amazon fixes Ring Android app flaw exposing camera recordings (bleepingcomputer.com)
Data Breaches/Leaks
Organised Crime & Criminal Actors
Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain
With Plunge in Value, Cryptocurrency Crimes Decline in 2022 (darkreading.com)
Hardware-based threat defence against increasingly complex cryptojackers - Microsoft Security Blog
Insider Risk and Insider Threats
Ex-HP manager jailed for $5m company card shopping spree • The Register
Microsoft Employees Exposed Own Company’s Internal Logins (vice.com)
Fraud, Scams & Financial Crime
AML/CFT/Sanctions
Insurance
Organisations are losing cyber insurance as an important risk management tool - Help Net Security
For cyber insurance, some technology leads to higher premiums (techtarget.com)
New Study Reveals Serious Cyber-Insurance Shortfalls - Infosecurity Magazine
Supply Chain and Third Parties
Denial of Service DoS/DDoS
Cloud/SaaS
Organisations Struggle to Fend Off Cloud and Web Attacks - Infosecurity Magazine
Incident response in the cloud can be simple if you are prepared - Help Net Security
Passwords, Credential Stuffing & Brute Force Attacks
Credential Theft Is (Still) A Top Attack Method (thehackernews.com)
FBI Warns of Proxies and Configurations Used in Credential Stuffing Attacks | SecurityWeek.Com
Over 9,000 VNC servers exposed online without a password (bleepingcomputer.com)
Privacy
Google fined $60 million over Android location data collection (bleepingcomputer.com)
New Amazon Ring Vulnerability Could Have Exposed All Your Camera Recordings (thehackernews.com)
Period and pregnancy tracking apps have bad privacy protections, report finds - The Verge
Regulations, Fines and Legislation
Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine
5 Russia-Linked Groups Target Ukraine in Cyberwar (darkreading.com)
Russia-linked Gamaredon APT continues to target Ukraine - Security Affairs
Microsoft shuts down accounts linked to Russian spies • The Register
State-Sponsored APTs Dangle Job Opps to Lure In Spy Victims (darkreading.com)
Estonia Repels Biggest Cyber-Attack Since 2007 - Infosecurity Magazine
NHS cyber attacks hit record levels in four in five trusts after Russian invasion (telegraph.co.uk)
Nation State Actors
Nation State Actors – Russia
Microsoft disrupts Russian hackers' operation on NATO targets (bleepingcomputer.com)
Russian APT29 hackers abuse Azure services to hack Microsoft 365 users (bleepingcomputer.com)
Microsoft Disrupts Russian Group's Multiyear Cyber-Espionage Campaign (darkreading.com)
Russian hackers target Ukraine with default Word template hijacker (bleepingcomputer.com)
Estonia says it repelled major cyber attack after removing Soviet monuments | Reuters
Nation State Actors – China
Western companies wake up to China risk | Financial Times (ft.com)
China-backed APT41 Hackers Targeted 13 Organisations Worldwide Last Year (thehackernews.com)
China-linked RedAlpha behind multi-year credential theft campaign - Security Affairs
Chinese Cyberspy Group 'RedAlpha' Targeting Governments, Humanitarian Entities | SecurityWeek.Com
China's APT41 Embraces Baffling Approach for Dropping Cobalt Strike Payload (darkreading.com)
Chinese takeover of tech company blocked over security fears (telegraph.co.uk)
3 ways China's access to TikTok data is a security risk | CSO Online
Montana flagged bugs in cow app exploited in alleged China hack | Business and Economy | Al Jazeera
APT41 group: 4 malicious campaigns, 13 victims, new tools and techniques - Help Net Security
Nation State Actors – North Korea
Vulnerability Management
Vulnerabilities
CISA adds 7 vulnerabilities to list of bugs exploited by hackers (bleepingcomputer.com)
Google patches yet another Chrome zero-day vulnerability (techtarget.com)
Chrome browser gets 11 security fixes with 1 zero-day – update now! – Naked Security (sophos.com)
Cisco fixes High-Severity bug in Secure Web Appliance - Security Affairs
Exploit out for critical Realtek flaw affecting many networking devices (bleepingcomputer.com)
Safari 15.6.1 fixes a zero-day flaw actively exploited in the wild - Security Affairs
Rapid7: Cisco ASA and ASDM flaws went unpatched for months (techtarget.com)
Windows Vulnerability Could Crack DC Server Credentials Open (darkreading.com)
ÆPIC and SQUIP Vulnerabilities Found in Intel and AMD Processors (thehackernews.com)
PoC exploit code for the critical Realtek RCE flaw released online - Security Affairs
Other News
Exploiting stolen session cookies to bypass multi-factor authentication (MFA) - Help Net Security
Janet Jackson music video given CVE for crashing laptops • The Register
How aware are organisations of the importance of endpoint management security? - Help Net Security
The Future of Cyber Security is Prevention | SecurityWeek.Com
DigitalOcean Discloses Impact From Recent Mailchimp Cyber Attack | SecurityWeek.Com
Sector Specific
Industry specific threat intelligence reports are available.
Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.
· Automotive
· Construction
· Critical National Infrastructure (CNI)
· Defence & Space
· Education & Academia
· Energy & Utilities
· Estate Agencies
· Financial Services
· FinTech
· Food & Agriculture
· Gaming & Gambling
· Government & Public Sector (including Law Enforcement)
· Health/Medical/Pharma
· Hotels & Hospitality
· Insurance
· Legal
· Manufacturing
· Maritime
· Oil, Gas & Mining
· OT, ICS, IIoT, SCADA & Cyber-Physical Systems
· Retail & eCommerce
· Small and Medium Sized Businesses (SMBs)
· Startups
· Telecoms
· Third Sector & Charities
· Transport & Aviation
· Web3
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Threat Briefing 18 February 2022
Black Arrow Cyber Threat Briefing 18 February 2022
-Small Businesses Facing Upwards of 11 Cyber Threats Per Day Per Device
-As Ukraine Tensions Rise, UK Organisations Should Protect Themselves From Cyber Threats
-Microsoft Teams Targeted With Takeover Trojans
-The European Central Bank is Warning Banks of Possible Russia-Linked Cyber Attack Amid the Rising Crisis With Ukraine
-Companies Face Soaring Prices For Cyber Insurance
-Even When Warned, Businesses Ignore Critical Vulnerabilities And Hope For The Best
-Ransomware-Related Data Leaks Nearly Doubled in 2021: Report
-Online Fraud Skyrocketing: Gaming, Streaming, Social Media, Travel and Ecommerce Hit the Most
-Poor Security Hygiene Organisations and Ransomware Attacks: Painful Math
-Security Teams Expect Attackers to Go After End Users First
-US Warns of Imminent Russian Invasion of Ukraine With Tanks, Jet Fighters, Cyber Attacks
-TrickBot Malware Targeted Customers of 60 High-Profile Companies Since 2020
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
As Ukraine Tensions Rise, UK Organisations Should Protect Themselves From Cyber Threats
In a world that is so dependent on digital assets, cyber resilience is more important than ever. At the National Cyber Security Centre – a part of GCHQ – the mission is to make the UK the safest place to live and work online, but they have said they cannot do it alone.
Now, at a time of heightened cyber threats, the NCSC is urging all organisations to follow their advice on the steps they should take to improve their resilience.
The UK is closer to the crisis in Ukraine than you might think. While 2,000-odd miles separate us physically from their borders with Russia, that distance is much shorter in cyber space – and attacks targeting Ukraine’s digital infrastructure could be felt here in Britain.
Cyber attacks do not respect geographic boundaries. On a daily basis, businesses in the UK are targeted by ransomware attacks from criminals overseas.
And as tensions have risen in Ukraine in recent weeks, authorities have already seen a number of cyber attacks occurring. On Friday evening, the UK government judged that the Russian Main Intelligence Directorate (GRU) was involved in last week’s distributed denial of service attacks against the financial sector in Ukraine.
If the situation continues to escalate, we could see cyber attacks that have international consequences, intentional or not. Rising tensions in the region, with the risk of overspill, are why the National Cyber Security Centre (NCSC) has said that the UK’s cyber risk has heightened in the last month, although there is no evidence of the UK being specifically targeted.
Small Businesses Facing Upwards of 11 Cyber Threats Per Day Per Device
BlackBerry's 2022 Threat Report highlights growing threats to SMBs, calls on government to make cyber security top priority
BlackBerry Limited has released the 2022 BlackBerry Annual Threat Report, highlighting a cybercriminal underground which it says has been optimised to better target local small businesses. Small businesses will continue to be an epicentre for cybercriminal focus as SMBs facing upward of 11 cyber threats per device per day, which only stands to accelerate as cybercriminals increasingly adopt collaborative mindsets.
The report also uncovered cyber breadcrumbs from some of last year’s most notorious ransomware attacks, suggesting some of the biggest culprits may have simply been outsourced labour. In multiple incidents BlackBerry identified threat actors leaving behind playbook text files containing IP addresses and more, suggesting the authors of this year’s sophisticated ransomware are not the ones carrying out attacks. This highlights the growing shared economy within the cyber underground.
Microsoft Teams Targeted With Takeover Trojans
Threat actors are targeting Microsoft Teams users by planting malicious documents in chat threads that execute Trojans that ultimately can take over end-user machines, researchers have found.
Researchers began tracking the campaign in January, which drops malicious executable files in Teams conversations that, when clicked on, eventually take over the user’s computer, according to a report published Thursday.
Using an executable file, or a file that contains instructions for the system to execute, hackers can install DLL files and allow the program to self-administer and take control over the computer. By attaching the file to a Teams attack, hackers have found a new way to easily target millions of users.
Cyber criminals long have targeted Microsoft’s ubiquitous document-creation and sharing suite – the legacy Office and its cloud-based version, Office 365 – with attacks against individual apps in the suite such as PowerPoint as well as business email compromise and other scams.
Now Microsoft Teams – a business communication and collaboration suite – is emerging as an increasingly popular attack surface for cybercriminals.
https://threatpost.com/microsoft-teams-targeted-takeover-trojans/178497/
The European Central Bank is Warning Banks of Possible Russia-Linked Cyber Attack Amid the Rising Crisis With Ukraine
The European Central Bank is warning banks of possible Russia-linked cyber attack amid the rising crisis with Ukraine and is inviting them to step up defences.
The news was reported by Reuters, citing two unnamed sources. The ECB pointed out that addressing cyber security is a top priority for the European agency.
“The European Central Bank is telling euro zone banks zone to step up their defences against cyber attacks, also in the context of geopolitical tensions such as the stand-off between Russia and Ukraine, the ECB’s top supervisor said on Thursday.” reported Reuters.
ECB warned that the rising risk from cyber attacks begun in 2020.
Companies Face Soaring Prices For Cyber Insurance
The cost of cyber insurance has risen steeply over the past year. According to Marsh, the price of cover in the US grew by 130 per cent in the fourth quarter of 2021 alone, while in the UK it grew by 92 per cent. That has increased pressure on companies who are facing cost inflation in other parts of their business.
The steep hikes in the cost of cyber insurance come against a backdrop of rising prices more broadly. According to Marsh, commercial insurance prices rose 13 per cent in the final quarter of 2021.
The hardening market from reduced capacity allied with increasing cyber fraud are potent forces. Pricing becomes more challenging, reinsurance appetite reduced whilst costs increasing and fraudsters have as much access to the latest technologies as do enterprises, the government sector and the insurance industry.
There may be limits to what insurers can cover. Speaking to the Financial Times last week the chief executive of Zurich said: “A connected economy offers lots of opportunities for cyber attacks.” A major cyber risk, he added, “is something only governments can manage”.
Companies will have to do more themselves to fight cyber fraud with technology partners. Meanwhile brokers and insurers must review underwriting data and practices and government raise effectiveness at prosecuting criminals.
https://www.ft.com/content/60ddc050-a846-461a-aa10-5aaabf6b35a5
Even When Warned, Businesses Ignore Critical Vulnerabilities And Hope For The Best
A Bulletproof research found the extent to which businesses are leaving themselves open to cyber attack. When tested, 28% of businesses had critical vulnerabilities – vulnerabilities that could be immediately exploited by cyber attacks.
A quarter of businesses neglected to fix those critical vulnerabilities, even though penetration testing had highlighted them to the business after a retest was completed.
The research analyzed data from over 3,800 days’ worth of penetration testing services. These tests are a means of identifying vulnerabilities within an organisation’s security systems by simulating how malicious actors would seek to exploit such shortcomings.
https://www.helpnetsecurity.com/2022/02/18/businesses-critical-vulnerabilities/
Ransomware-Related Data Leaks Nearly Doubled in 2021: Report
There was a significant increase in ransomware-related data leaks and interactive intrusions in 2021, according to the 2022 Global Threat Report released on Tuesday by endpoint security firm CrowdStrike.
The number of ransomware attacks that led to data leaks increased from 1,474 in 2020 to 2,686 in 2021, which represents an 82% increase. The sectors most impacted by data leaks in 2021 were industrial and engineering, manufacturing, and technology.
The growth and impact of big game hunting in 2021 was a palpable force felt across all sectors and in nearly every region of the world. Although some adversaries and ransomware ceased operations in 2021, the overall number of operating ransomware families increased,” CrowdStrike said in its report.
https://www.securityweek.com/ransomware-related-data-leaks-nearly-doubled-2021-report
Online Fraud Skyrocketing: Gaming, Streaming, Social Media, Travel and Ecommerce Hit the Most
An Arkose Labs report is warning UK commerce that it faces its most challenging year ever. Experts analyzed over 150 billion transaction requests across 254 countries and territories in 2021 over 12 months to discover that there has been an 85% increase in login attacks and fake consumer account creation at businesses.
Alongside this, it identified that one in four new online accounts created were fake. A further 21% of all traffic was confirmed as a fraudulent cyber attack.
From the earliest days of online information to the rapid evolution of today’s metaverses, the internet has come a long way. However, this latest data shows that it is more under attack than ever before.
Your digital identity is a currency for fraudsters and wherever there is online commerce, cyber criminals are quick to identify vulnerabilities.
https://www.helpnetsecurity.com/2022/02/14/fake-consumer-account/
Poor Security Hygiene Organisations and Ransomware Attacks: Painful Math
Poor cyber security hygiene is widely considered to be a major influencing factor for exposure to a ransomware attack. But is that an accurate assessment?
In a new study, RiskRecon, a security best practices specialist, investigated 600+ cyber hijacks to determine if companies victimized by a “detonation” had poor cyber security hygiene at the time and which factors, such as web encryption, application security and email security, are key gaps in coverage.
The answer: Cyber security hygiene does in fact play a large role in an organisation’s vulnerability to a ransomware attack. RiskRecon analyzed the cyber security hygiene on the day of ransomware incident for 622 organisations spanning 633 ransomware events occurring between 2017 and 2021. Based on a comparison population of cyber security ratings and assessments of some 100,000 entities, companies that have very poor cyber security hygiene in their internet-facing systems (a ‘D’ or ‘F’ RiskRecon rating) have about a 40 times higher rate of destructive ransomware events as compared to those with clean cyber security hygiene. Only .03 percent of ‘A-rated’ companies were victims of a destructive ransomware attack, compared with 1.08 percent of ‘D-rated’ and 0.91 percent of ‘F-rated’ companies.
The cyber security conditions underlying the RiskRecon rating reveal just how poor the cyber security hygiene is of companies, on average, that fall victim to a material system-encrypting ransomware attack. For example, ransomware victims have an average of 11 material software vulnerabilities in their internet-facing systems, in comparison with only one issue in the general population. Looking at network services that criminals commonly exploit, ransomware victims expose 3.3 times more unsafe network services to the internet than the general population.
Security Teams Expect Attackers to Go After End Users First
Phishing, malware, and ransomware have spurred organisations to increase their investments in endpoint security, according to Dark Reading’s Endpoint Security Survey.
The shift to a more distributed work environment and an increase in digital transformation initiatives have motivated organisations to bolster their endpoint security defences. However, end users continue to be a major source of worry for IT and security decision-makers, according to the latest Dark Reading survey.
Phishing, malware, and ransomware pose major threats to organisations, as do attacks involving credential theft. An overwhelming 93% of IT and security professionals in Dark Reading’s "2022 Endpoint Security Survey" cite the growing number of ransomware attacks as the reason behind increased investments in endpoint security. Similarly, 83% say the increase in attacks using end-user credentials spurred their endpoint investments.
End users pose one of the biggest threats to the organisation, as 87% expect that if attackers wanted to steal the organisation’s data, they would begin by targeting a single end user.
Concerns about the end user are not new. Verizon’s "2021 Data Breach Investigations Report" found that 85% of the breaches it investigated in 2020 involved end users in some way – such as stolen account credentials, incorrectly assigned privileges or elevated privileges, social engineering, and user error.
US Warns of Imminent Russian Invasion of Ukraine With Tanks, Jet Fighters, Cyber Attacks
President Biden said Friday he is convinced Russian President Vladimir Putin has decided to invade Ukraine and that he expects an attack in the coming days, with targets including the Ukrainian capital, Kyiv.
US officials said a Russian attack could involve a broad combination of jet fighters, tanks, ballistic missiles and cyberattacks, with the ultimate intention of rendering Ukraine’s leadership powerless.
The officials said Mr. Putin has laid the groundwork in recent days through a series of destabilizing activities and false-flag operations, long predicted by U.S. and allied officials and intended to make it look as if Ukraine has provoked Russia into a conflict, thus justifying the Russian invasion.
TrickBot Malware Targeted Customers of 60 High-Profile Companies Since 2020
The notorious TrickBot malware is targeting customers of 60 financial and technology companies, including cryptocurrency firms, primarily located in the U.S., even as its operators have updated the botnet with new anti-analysis features.
TrickBot is a sophisticated and versatile malware with more than 20 modules that can be downloaded and executed on demand.
In addition to being both prevalent and persistent, TrickBot has continually evolved its tactics to go past security and detection layers. To that end, the malware's "injectDll" web-injects module, which is responsible for stealing banking and credential data, leverages anti-deobfuscation techniques to crash the web page and thwart attempts to scrutinize the source code.
Also put in place are anti-analysis guardrails to prevent security researchers from sending automated requests to command-and-control (C2) servers to retrieve fresh web injects.
https://thehackernews.com/2022/02/trickbot-malware-targeted-customers-of.html
Threats
Ransomware
Ransomware’s Savage Reign Continues As Attacks Increase 105% - Help Net Security
SonicWall CEO on ransomware: Every good vendor was hit in past 2 years - The Register
Are You Prepared for 2022's More Destructive Ransomware? | SecurityWeek.Com
CISA Advisory Cautions MSPs: Beware More Ransomware Attacks - MSSP Alert
Conti Ransomware Gang Takes Over Trickbot Malware Operation (bleepingcomputer.com)
FBI Eyes Ransomware Profits With New Cryptocurrency Crimes Unit | TechCrunch
FBI Warns BlackByte Ransomware Is Targeting US Critical Infrastructure | TechCrunch
BEC – Business Email Compromise
Phishing & Email
Malware
Emotet Now Spreading Through Malicious Excel Files | Threatpost
PseudoManuscrypt Malware Spreading the Same Way as CryptBot Targets Koreans (thehackernews.com)
Baby Golang-Based Botnet Already Pulling in $3K/Month for Operators | Threatpost
25 Years On, Microsoft Makes Another Stab At Stopping Macro Malware • Graham Cluley
Three-Fifths of Cyber-Attacks in 2021 Were Malware-Free - Infosecurity Magazine
Data Breaches/Leaks
Organised Crime & Criminal Actors
74% of Ransomware Revenue Goes to Russia-Linked Hackers - BBC News
Interpol Must Change With Cyber Crime, Says Director • The Register
Attackers Hone Their Playbooks, Become More Agile (darkreading.com)
Cryptocurrency/Cryptomining/Cryptojacking
SIM-Swapping Attacks, Many Aimed at Crypto Accounts, Are on the Rise - WSJ
FBI Says Crypto Payments Are a 'Huge Challenge' Amid Rise in Ransomware Attacks - Decrypt
Insider Risk and Insider Threats
The Rise Of The Super Malicious Insider: Yes, We Need To Worry - Help Net Security
Finance Officer Jailed After Stealing £200,000 from Charity - Infosecurity Magazine
Ex IT Tech Jailed For Wiping School Network During Lockdown • The Register
Fraud, Scams & Financial Crime
Barclays: Scams Surged in Final Quarter of 2021 - Infosecurity Magazine
Fraud and Scam Activity Hits All-Time High - Help Net Security
Soaring Losses Accelerate Investments In Anti-Fraud Tech - Help Net Security
Threat Actors Still Love a Romance Scam - Infosecurity Magazine
Singapore Introduces Strong Measures To Stop Online Scams • The Register
7 Tips for How To Spot a Scammer and Protect Yourself | Well+Good
DoS/DDoS
Nation State Actors
Russia’s Offensive Cyber Actions Should Be A Cause For Concern For CISOs | CSO Online
Russia Stole US Defense Data From IT Systems, Says CISA • The Register
Researchers Link ShadowPad Malware Attacks to Chinese Ministry and PLA (thehackernews.com)
Chinese MI6 Informant Gave Information To MPs About Huawei Threat | Huawei | The Guardian
Red Cross Attributes Server Breach To Nation-State Actor - CyberScoop
Iranian Hackers Targeting VMware Horizon Log4j Flaws to Deploy Ransomware (thehackernews.com)
Cloud
Report: 63% of IT Pros Say Cyber Threats Are Top Obstacle To Cloud Adoption Strategy | VentureBeat
EU Watchdog To Probe Public Sector's Love Affair With Cloud • The Register
Privacy
Spyware, Espionage & Cyber Warfare
The Conflict In Ukraine Proves Cyber-Attacks Are Now Weapons Of War (thenextweb.com)
Cyber Warfare In Ukraine Poses A Threat To The Global System | Financial Times (ft.com)
EU Data Protection Watchdog Calls for Ban on Pegasus-like Commercial Spyware (thehackernews.com)
Using Mobile Networks For Cyber Attacks As Part Of A Warfare Strategy - Help Net Security
Moses Staff Hackers Targeting Israeli Organisations for Cyber Espionage (thehackernews.com)
Vulnerabilities
Squirrelwaffle, Microsoft Exchange Server Vulnerabilities Exploited For Financial Fraud | ZDNet
Attackers Can Crash Cisco Email Security Appliances by Sending Malicious Emails (thehackernews.com)
New Chrome 0-Day Bug Under Active Attack – Update Your Browser ASAP! (thehackernews.com)
Multiple Vulnerabilities Put 40 Million Ubuntu Users At Risk | TechRadar
Critical Flaw Uncovered in WordPress Backup Plugin Used by Over 3 Million Sites (thehackernews.com)
High-Severity Vulnerability Found in Apache Database System Used by Major Firms | SecurityWeek.Com
VMware Fixes Holes That Could Allow Virtual Machine Escapes – Naked Security (sophos.com)
Another Critical RCE Discovered in Adobe Commerce and Magento Platforms (thehackernews.com)
T2 Mac Security Vulnerability: Passwords Can Now Be Cracked - 9to5Mac
Sector Specific
Financial Services Sector
Open Banking Innovation: A Race Between Developers And Cyber Criminals - Help Net Security
Canada's Major Banks Go Offline In Mysterious Hours-Long Outage (bleepingcomputer.com)
Defence
Transport and Aviation
Energy & Utilities
Other News
Over 28,000 Vulnerabilities Disclosed in 2021: Report | SecurityWeek.Com
Web Application Firewalls (WAFs) Can't Give Organisations The Security They Need - Help Net Security
How Challenging Is Corporate Data Protection? - Help Net Security
Local Authority Sets Aside £380k for Cyber-Attack Recovery - Infosecurity Magazine
Traditional MFA Is Creating A False Sense Of Security - Help Net Security
Massive LinkedIn Phishing, Bot Attacks Feed on the Job-Hungry | Threatpost
Be Flexible About Where People Work — But Not on Data Privacy (darkreading.com)
Researchers Block “Largest Ever” Bot Attack - Infosecurity Magazine
BadUSB: The Cyber Threat That Gets You To Plug It In – CloudSavvy IT
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.