Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

Despite Recent NCA and FBI Disruptions, a Rise in Ransomware Means 2024 Will be a Volatile Year for Cyber Security

There has been a lot of high profile coverage this week of the infamous and prolific LockBit gang’s infrastructure having been seized by law enforcement following an international Police operation led by the UK’s National Crime Agency. Whilst the international operation shows the seriousness of the matter, and the success of the operation should be celebrated, those celebrations should be muted and organisations should not become lax. Like the Hydra of Greek mythology, when one head disappears, a few more appear in its place. Ransomware really is a case of if, not when, and your organisation needs to be prepared.

Further, a recent threat report has found that the median ransom demand rose by 20% year on year, hitting an average of $600,000 and it is expected that 2024 will be even more volatile. Ransomware groups are expanding their target lists and exploring new pressure tactics in response to increasingly effective law enforcement efforts, and this is coupled with the increasing regulatory impact on organisations.

Sources: [Sky News] [GOV Infosecurity] [Bleeping Computer] [Infosecurity Magazine] [Cyber Reason]

The Old, Not the New: Basic Security Issues Still the Biggest Threat to Enterprises

In the latest IBM X-Force Threat Intelligence Index, it was revealed that basic security issues remain the most significant threat to enterprises. Cyber criminals are increasingly turning to credential stuffing, using and exploiting valid accounts harvested from the darkweb and previous breaches, with a 266% uptick in info-stealing malware. This tactic is harder to detect and elicits a costly response from enterprises. On the other hand, it is also important to adopt an attacker mindset for effective security. Understanding the attacker’s tools, motives, and efforts can help in limiting access, compartmentalising the impact of any successful attack, and minimising the time to attack detection. In essence, while organisations continue to grapple with complex cyber threats, the biggest security problem boils down to the basic and the already known. Therefore, it is crucial to focus on strengthening basic security measures and thinking like an attacker to proactively mitigate the risk for a more secure attack surface.

Source: [Help Net Security] [Forbes]

Reevaluating Your Cyber Security Priorities

Both technology and cyber criminals are evolving, yet many companies and organisations are not. For many corporate leaders, they may not know where to begin. Organisations looking to evolve their cyber security posture should look to elevate cyber to the C-suite and board, conduct audits of their sensitive information, create or update and test their incident response plan and finally, revisit their cyber hygiene training to ensure it is doing more than just ticking boxes. Organisations doing the above will find themselves improving their cyber security posture, and mitigating their risk to threats.

Source: [Dark Reading]

Cyber Threat Environment at its Most Dangerous for SMBs, as Geopolitical Tenison, Extortion and Attacks Present Biggest Risks

A new study has found that extortion campaigns, geopolitical threats, and attacks on small and medium-sized businesses (SMBs) are amongst the greatest threats to cyber security defences currently. The report, conducted by Mimecast, highlights how individual ransom groups have claimed over 1,000 victims and over $300 million in payments. Regarding SMBs, the report found that these businesses encountered twice the normal number of threats, at over 30 threats per user, as compared to larger companies who saw approximately 15. Not only are SMBs at more risk, but they also do not have the same resources a large company would have to mitigate such threats. SMBs must be efficient in the way they prioritise and address their cyber risk as part of their larger risk management strategy.

Sources: [Emerging Risks] [The HR Director]

Legal Sector Grows as a Target, with Cyber Attacks on Law Firms Surging by Over a Third

A new report has found that the number of reported cyber breaches on UK law firms has increased 30% from the previous year, as attackers increasingly target the profession. As a note, this does not include firms who may be unaware that they have been breached. Law firms are an attractive target to attackers due to the sensitive information such as M&A activity, divorce information and big ticket litigation; many attackers believe that law firms will pay handsomely to have this data back.

Sources: [Emerging Risks] [Legal Cheek]

It’s Not Only Ransomware Seeing Huge Rises: Business Email Compromise (BEC) Attacks are Also Seeing a Huge Rise. Is Your Business Prepared?

A recent report found that business email compromise (BEC) saw a staggering increase of 10 time the amount compared to the previous year. BEC involves a genuine business email account being compromised by a threat actor; this could be your supplier, a client, or anyone you have legitimate contact with. With such an increase, organisations must consider if they would be able to spot and mitigate BEC in their corporate environment through robust operational controls such as callback procedures for example. Due to the rise in deep fake fraud with voice cloning and video, the efficacy of traditional safeguards such as callbacks are not providing the assurance they once did. Firms and employees need to be on their guard to these changing tactics to safeguard the business.

Source: [TechRadar]

Deepfake Phishing Grew by 3,000% in 2023, and it’s Just the Beginning

Phishing remains one of the most prevalent cyber security threats, and with the emergence of artificial intelligence it is only going to carry on getting worse. According to a recent report, the number of deepfake fraud attempts rose by 3,000%. In one instance, the CEO of an energy enterprise sent €220,000 to a supplier after getting a call from the parent company’s leader requesting the exchange; the call was a deepfake.

Source: [HackerNoon]

Cyber Attacks are Getting Faster, More Common and More Successful, Although Detection is More Advanced Than Ever. New Report Signals the Threats to Businesses, Supply Chains, and Democracy

A recent report from CrowdStrike sheds light on the increasing speed and sophistication of cyber attacks. Breakout times have plummeted to an average of 62 minutes, with a record time of just two minutes and seven seconds observed. Hackers are now targeting the cloud, exploiting its vulnerabilities and leveraging AI assistance to escalate attacks. The human factor remains a primary entry point for threat actors, with social engineering and phishing campaigns on the rise. As organisations transition to the cloud, threat actors follow suit, with cloud intrusions soaring by 75%. CrowdStrike warns of state-sponsored adversaries targeting critical elections, emphasising the need for a platform-based approach bolstered by threat intelligence to safeguard against evolving threats.

Source: [TechRadar]

Report Finds Malicious Emails Bypassing Secure Email Gateways Rose by 105%

A report by Cofense has found a 105% increase in malicious emails that successfully bypassed Secure Email Gateways (SEGs), with approximately one malicious email navigating their way past SEGs every 57 seconds. The report suggests that phishing efforts are outpacing that of SEGs, and such phishing efforts are responsible for 90% of data breaches. Whilst SEGs may be filtering out a number of malicious emails, they, like everything in cyber security, are not a silver bullet. Organisations should not fall foul of believing that they are impenetrable because they have a SEG.

Sources: [SiliconANGLE] [Security Magazine] [Help Net Security]

Rising Cyber Threats Identified as Major Business Risk for 2024

In the latest Allianz risk barometer, cyber incidents have been identified as the most significant concern for companies globally in 2024. This is particularly true for remote desktop connections, which have become a prime target for cyber attacks since the shift to a work-from-home environment. The report also highlights that the risk landscape is being shaped by digitalisation, climate change, and geopolitical uncertainties. Meanwhile, a report from Coalition reveals that the cyber attack surface has expanded due to new ways of working. The report found that smaller businesses often lack the resources to prepare for a wide range of risk scenarios, which can lead to longer recovery times after an unexpected incident. These findings underscore the importance of robust cyber security measures and the need for continuous monitoring and improvement of an organisation’s digital defences.

Sources: [Reinsurance News] [Allianz]

Huge Cyber Security Leak Lifts the Lid on China’s Hackers for Hire

A huge leak of data from a Chinese cyber security firm, iSoon, has revealed state security agents paying tens of thousands of pounds to harvest data on targets, including the likes of foreign governments, and the leak shows this has been going on for years. Since the release, CrowdStrike has drawn overlaps between the firm and multiple known Chinese threat actors who are well resourced and conduct attacks over an extended period (referred to as advanced persistent threats, APTs). Among some of the 500 leaked documents are product manuals, lists of clients and employees, and WeChat instant messages. The leaks show over 14 governments have been attacked, as well as gambling and telecommunications companies.

Sources: [Dark Reading] [The Guardian]

Fifth of British Kids Have Broken the Law Online

In a recent study by the UK National Crime Agency (NCA), one in five children aged 10 to 16 have engaged in online offences with the figure rising to 25% among online gamers. These "low-level" cyber crimes, such as attempting to access protected servers or launching distributed denial of service (DDoS) attacks, may not be perceived by young individuals as violating the Computer Misuse Act. The consequences, however, are severe, including potential arrest, criminal records, and restrictions on future opportunities. The NCA stresses the importance of educating both children and adults about the legal and ethical implications of such actions, highlighting the transition from minor offences to more serious cyber crimes. With a significant shortage of cyber security professionals globally, fostering positive digital skills among young individuals is crucial for meeting industry demands and deterring cyber crime. Parents, teachers, and children are encouraged to explore resources provided by the NCA's Cyber Choices website to prevent inadvertent involvement in illegal online activities.

Source: [Infosecurity Magazine]

Over 40% of Firms Struggle with Cyber Security Talent Shortage

A recent report from Kaspersky has unveiled a critical global challenge: over 40% of companies are struggling to fill essential cyber security roles, with information security research and malware analysis roles particularly affected. This scarcity is felt most acutely in Europe and Latin America. Roles within security operations centres (SOCs) and network security are also understaffed, with figures around 35% and 33% respectively. The government sector faces the most significant demand for cyber security experts, followed closely by the telecoms and media sectors. While efforts like offering competitive salaries and enhanced training are underway, the gap persists due to the rapid pace of technological advancement outstripping educational initiatives. The report emphasises the need for innovative solutions to bridge this shortfall, highlighting recruitment, training, and technological advancements as key components of a comprehensive strategy to bolster cyber security resilience in the face of evolving threats.

Source: [Infosecurity Magazine]

Governance, Risk and Compliance

• Cyber attacks are getting faster, more common and more successful, even though detection is more advanced than ever | TechRadar

• 7 Ways Companies’ Cyber Related Governance Disclosures Will Evolve Post-SEC Rule Change (harvard.edu)

• Cyber security professionals admit “knowledge gaps” have led to serious security blunders | ITPro

• The old, not the new: Basic security issues still biggest threat to enterprises - Help Net Security

• Cyber threat environment more dangerous then ever - Mimecast (emergingrisks.co.uk)

• Over two-thirds of IT security decision-makers report an increase in cyber security budgets for 2024 | IT Reseller Magazine (itrportal.com)

• Geopolitical tension, extortion and attacks present biggest cyber security risks | theHRD (thehrdirector.com)

• 2024 CrowdStrike Global Threat Report: From Breakout to Breach in Under Three Minutes; Cloud Infrastructure Under Attack | Business Wire

• Gartner: Three top trends in cyber security for 2024 | Computer Weekly

• Barracuda report highlights rise of high-risk business security threats in 2023 (securitybrief.co.nz)

• Coalition report reveals rising cyber threats amidst business vulnerabilities - Reinsurance News

• Over 40% of Firms Struggle With Cyber Security Talent Shortage - Infosecurity Magazine (infosecurity-magazine.com)

• Thinking Like An Attacker—Another Look At Enterprise Security (forbes.com)

• Hackers using stolen credentials to launch attacks as info-stealing peaks | CSO Online

• The evolution of the CISO - Compare the Cloud

• How CISOs Balance Business Growth, Security in Cyber Threat Landscape (darkreading.com)

• Allianz Risk Barometer: Identifying the major business risks for 2024

• How to mitigate C-Suite cyber risks | Professional Security

• Why cyber security can boost organisational innovation | TechRadar

• 4 Key Steps to Reevaluate Your Cyber Security Priorities (darkreading.com)

• Cyber security success -- elevate your defence against cyber threats (betanews.com)

Threats

Ransomware, Extortion and Destructive Attacks

• Ransom demands surge by 20% in 2023, hitting key industries hardest - SiliconANGLE

• Police arrests LockBit ransomware members, release decryptor in global crackdown (bleepingcomputer.com)

• LockBit takedown is a “huge win for law enforcement”, but let’s not celebrate too soon, security experts warn | ITPro

• LockBit Attempts to Stay Afloat with a New Version (trendmicro.com)

• LockBit registered nearly 200 "affiliates" over the past two years | TechRadar

• 2024 will be a volatile year for cyber security as ransomware groups evolve - Help Net Security

• Ransomware Experts See Problems With Banning Ransom Payments (govinfosecurity.com)

• Initial Ransomware Demands Jump 20% to $600,000 in 2023 - Infosecurity Magazine (infosecurity-magazine.com)

• Ransomware: True Cost to Business 2024 (cybereason.com)

• Ransomware and BEC are seeing a huge rise — is your business ready? | TechRadar

• ConnectWise exploit could spur ‘ransomware free-for-all,’ expert warns | SC Media (scmagazine.com)

• 3 trends set to drive cyber attacks and ransomware in 2024 | World Economic Forum (weforum.org)

• Year-over-year, the median initial ransom has risen by 20% | Security Magazine

• Alpha ransomware linked to NetWalker operation dismantled in 2021 (bleepingcomputer.com)

• Why are ransomware gangs making so much money? | TechCrunch

• Akira Ransomware Exploiting Cisco Anyconnect Vulnerability (gbhackers.com)

• Knight ransomware source code for sale after leak site shuts down (bleepingcomputer.com)

• Exclusive: eSentire Confirms Rhysida Ransomware Victims - Infosecurity Magazine (infosecurity-magazine.com)

• Stuck in cyber attack nightmare? Call the negotiators (techxplore.com)

• Why some cyber attacks hit harder than others - BBC News

• Report: Manufacturing bears the brunt of industrial ransomware | CyberScoop

Ransomware Victims

• eSentire Confirms Rhysida Ransomware Victims - Infosecurity Magazine (infosecurity-magazine.com)

• Why some cyber attacks hit harder than others - BBC News

• ALPHV ransomware claims loanDepot, Prudential Financial breaches (bleepingcomputer.com)

• Cactus ransomware gang claims the theft of 1.5TB of data from Energy management and industrial automation firm Schneider Electric (securityaffairs.com)

• Dead Man's Fingers maker cuts over 500 jobs and enters the red after cyber attack hits sales (cityam.com)

• 147 ransomware attacks on large Dutch companies, institutions last year; 18% paid ransom | NL Times

• Pharmacy Delays Across US Blamed on Nation-State Hackers (darkreading.com)

Phishing & Email Based Attacks

• New report warns of ongoing rise of malicious emails bypassing secure email gateways - SiliconANGLE

• Secure email gateways struggle to keep pace with sophisticated phishing campaigns - Help Net Security

• The phishing bait you're most likely to take (betanews.com)

• Deepfake Phishing Grew by 3,000% in 2023 — And It's Just Beginning | HackerNoon

• SMBs at Risk From SendGrid-Focused Phishing Tactics - Infosecurity Magazine (infosecurity-magazine.com)

Other Social Engineering

• What ‘psychological warfare’ tactics do scammers use, and how can you protect yourself? (theconversation.com)

• North Koreans using ChatGPT to scam LinkedIn users; "attacks are getting very sophisticated" - MSPoweruser

• What Is Social Engineering? Types Of Attacks To Beware Of (forbes.com)

Artificial Intelligence

• AI models can be weaponized to hack websites on their own • The Register

• North Koreans using ChatGPT to scam LinkedIn users; "attacks are getting very sophisticated" - MSPoweruser

• Deepfake Phishing Grew by 3,000% in 2023 — And It's Just Beginning | HackerNoon

• Generative AI and elections are key focus for hackers in 2024, report warns | Evening Standard

• As adversaries harness AI, tech firms peer through chat logs to catch them - Defense One

• Here Comes the Flood of AI-Generated Clickbait | WIRED

• Air Canada Has to Honor a Refund Policy Its Chatbot Made Up | WIRED

• 36% of code generated by GitHub CoPilot contains security flaws - Help Net Security

• Employees input sensitive data into generative AI tools despite the risks | ZDNET

• Ransomware Declines as InfoStealers and AI Threats Gain Ground: IBM X-Force - SecurityWeek

• Gartner: Three top trends in cyber security for 2024 | Computer Weekly

• Global AI Regulatory Update - Lexology

Malware

• PDF Malware on the Rise, Used to Spread WikiLoader, Ursnif and DarkGat - Infosecurity Magazine (infosecurity-magazine.com)

• FBI's Most-Wanted Zeus and IcedID Malware Mastermind Pleads Guilty (thehackernews.com)

• Iranian Hackers Target Middle East Policy Experts with New BASICSTAR Backdoor (thehackernews.com)

• VIPRE report predicts 276% rise in malware in 2024 (securitybrief.co.nz)

• Anatsa Android malware downloaded 150,000 times via Google Play (bleepingcomputer.com)

• 'Lucifer' Botnet Turns Up the Heat on Apache Hadoop Servers (darkreading.com)

• What are Botnets and Why are MSSPs So Concerned? | MSSP Alert

• New SSH-Snake malware steals SSH keys to spread across the network (bleepingcomputer.com)

• Ransomware Declines as InfoStealers and AI Threats Gain Ground: IBM X-Force - SecurityWeek

• Your Mac Is Not Virus Proof. It Never Has Been. (gizmodo.com)

• Click: Your innocent mouse could be a cyber criminal's silent weapon - Digital Journal

• Vibrator virus steals your personal information | Malwarebytes

Mobile

• Meta Warns of 8 Spyware Firms Targeting iOS, Android, and Windows Devices (thehackernews.com)

• New Wave of 'Anatsa' Banking Trojans Targets Android Users in Europe (darkreading.com)

• Your fingerprints can be recreated from the sounds made when you swipe on a touchscreen — Chinese and US researchers show new side channel can reproduce fingerprints to enable attacks | Tom's Hardware (tomshardware.com)

• VoltSchemer attacks use wireless chargers to inject voice commands, fry phones (bleepingcomputer.com)

• New Wi-Fi Vulnerabilities Expose Android and Linux Devices to Hackers (thehackernews.com)

• Zero-Click Apple Shortcuts Vulnerability Allows Silent Data Theft (darkreading.com)

Denial of Service/DoS/DDOS

• Cyber attacks in Malta, Hungary, Ukraine, Bosnia are a 'wake-up call', IPI warns (timesofmalta.com)

• Average DDoS attack cost businesses £325,000 in 2023, according to new Zayo data | IT Reseller Magazine (itrportal.com)

• Top UK Universities Recovering Following Targeted DDoS Attack - Infosecurity Magazine (infosecurity-magazine.com)

Internet of Things – IoT

• 'Anywhere there's a camera, now there's a risk': Billions of users at risk of Peeping Toms — scientists devise incredibly simple eavesdropping system costing only a few hundred dollars | TechRadar

• Wyze camera glitch gave 13,000 users a peek into other homes (bleepingcomputer.com)

• As Cyber attacks Ramp Up, Electric Vehicles Are Vulnerable (autoweek.com)

• Wi-Fi jamming to knock out cameras suspected in nine Minnesota burglaries -- smart security systems vulnerable as tech becomes cheaper and easier to acquire | Tom's Hardware (tomshardware.com)

• Is new technology making cars less secure? - Verdict

Data Breaches/Leaks

• Bank of America Suffers Massive Data Breach, Exposing Social Security Numbers, Addresses and Additional Sensitive Data To Hackers - The Daily Hodl

• Infosys subsidiary named as source of Bank of America leak • The Register

• Why Data Breaches Spiked in 2023 (hbr.org)

• Massive Cloud Database Leak Exposes 380 Million Records (hackread.com)

• UK council's sneaky insider steals 79k email addresses • The Register

• Eye Care Services Firm Faces Lawsuit Over Data Breach Impacting 2.3 Million - SecurityWeek

Cyber Crime General & Criminal Actors

• Fifth of British Kids Have Broken the Law Online - Infosecurity Magazine (infosecurity-magazine.com)

• Despite Knowing Risks, Brits Continue to Expose Themselves to Cyber Criminals Finds IDnow | The Fintech Times

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

• Cyber Criminals Are Employing New Tactics To Launder Money, Warns Report - Benzinga

Insider Risk and Insider Threats

• UK council's sneaky insider steals 79k email addresses • The Register

Insurance

• Personal cyber insurance nascent but growing in demand as digital crimes increase - Victoria Times Colonist

• Insurers Use Claims Data to Recommend Cyber Security Technologies (darkreading.com)

• Cyber Insurance Needs to Evolve to Ensure Greater Benefit (darkreading.com)

• What is Cyber Insurance and Does Your Small Business Need It? (smallbiztrends.com)

Supply Chain and Third Parties

• Infosys subsidiary named as source of Bank of America leak • The Register

• North Korean hackers linked to defence sector supply-chain attack (bleepingcomputer.com)

Cloud/SaaS

• 2024 CrowdStrike Global Threat Report: From Breakout to Breach in Under Three Minutes; Cloud Infrastructure Under Attack | Business Wire

• Cyber security report reveals 75% spike in cloud attacks (securitybrief.co.nz)

• Cyber security fears drive a return to on-premise infrastructure from cloud computing - Help Net Security

• Massive Cloud Database Leak Exposes 380 Million Records (hackread.com)

• How Nation-State Actors Target Your Business: New Research Exposes Major SaaS Vulnerabilities (thehackernews.com)

• Cyber attacks follow businesses to the cloud (betanews.com)

• Six steps for stronger cloud security | SC Media (scmagazine.com)

Identity and Access Management

• Why identity fraud costs organisations millions - Help Net Security

• Orgs are having a major identity crisis • The Register

• Active Directory outages can cost organisations $100,000 per day - Help Net Security

Encryption

• European Court of Human Rights rules against government backdoors in end-to-end encryption - Neowin

Linux and Open Source

• New Wi-Fi Vulnerabilities Expose Android and Linux Devices to Hackers (thehackernews.com)

Passwords, Credential Stuffing & Brute Force Attacks

• Hackers using stolen credentials to launch attacks as info-stealing peaks | CSO Online

• How to proactively prevent password-spray attacks on legacy email accounts | CSO Online

Social Media

• EU Watchdog Urged to Reject Meta 'Pay for Privacy' Scheme - SecurityWeek

• Social Media Platforms Are in an ‘Information Trafficking Business’: Cyber Security Adviser | NTD

• ChatGPT Used by North Korean Hackers to Scam LinkedIn Users (tech.co)

• 76% of Super Bowl Traffic From Elon Musk's X to Advertisers Could Be Fake (thewrap.com)

• Elon Musk’s X allows China-based propaganda banned on other platforms | Ars Technica

• European Union deepens its investigation of TikTok • The Register

Training, Education and Awareness

• People cannot be patched (betanews.com)

Regulations, Fines and Legislation

• European Court of Human Rights rules against government backdoors in end-to-end encryption - Neowin

• Hedge Funds Warn SEC Cyber Lapses Risk Exposing Trading Secrets (bloomberglaw.com)

• One Year After the Colonial Pipeline Attack, Regulation Is Still a Problem (securityintelligence.com)

• 7 Ways Companies’ Cyber Related Governance Disclosures Will Evolve Post-SEC Rule Change (harvard.edu)

• European Union deepens its investigation of TikTok • The Register

• Decoding DORA: Navigating the digital regulatory landscape | World Finance

• 81 Percent of Security Leaders Say SEC Cyber Security Rules Will Substantially Impact Their Business | Business Wire

• FTC Fines Avast $16.5 Million For Selling Browsing Data Harvested by Antivirus (404media.co)

• Avast settles claims of customer data peddling for $17M • The Register

• Global AI Regulatory Update - Lexology

Careers, Working in Cyber and Information Security

• Over 40% of Firms Struggle With Cyber Security Talent Shortage - Infosecurity Magazine (infosecurity-magazine.com)

• The Psychology of Cyber Security Burnout (informationweek.com)

• How can we adapt work practices to protect CISO mental health? | Computer Weekly

Misinformation, Disinformation and Propaganda

• Feds deliver stark warnings to state election officials ahead of November - Iowa Capital Dispatch

• UK election cyber attack warning after Putin's hackers target US (inews.co.uk)

• Social Media Platforms Are in an ‘Information Trafficking Business’: Cyber Security Adviser | NTD

• Elon Musk’s X allows China-based propaganda banned on other platforms | Ars Technica

• Election security threats in 2024 range from AI to … anthrax • The Register

• 76 percent of Super Bowl LVIII traffic from Twitter dubbed 'fake' (awfulannouncing.com)

• Iran and Hezbollah Hackers Launch Attacks to Influence Israel-Hamas Narrative (thehackernews.com)

• Russian Hackers Target Ukraine with Disinformation and Credential-Harvesting Attacks (thehackernews.com)

Nation State Actors, Advanced Persistent Threats (APTs), Cyber Warfare, Cyber Espionage and Geopolitical Threats/Activity

Cyber Warfare and Cyber Espionage

• Countries fear state-sponsored cyber war | The World from PRX

• Cyberwar: What Is It Good For? - GovInfoSecurity

Nation State Actors

• Cyber attacks are getting faster, more common and more successful, even though detection is more advanced than ever — new report signals the threats to businesses, supply chains, and democracy | TechRadar

• Countries fear state-sponsored cyber war | The World from PRX

• How Nation-State Actors Target Your Business: New Research Exposes Major SaaS Vulnerabilities (thehackernews.com)

• Generative AI and elections are key focus for hackers in 2024, report warns | Evening Standard

• Pharmacy Delays Across US Blamed on Nation-State Hackers (darkreading.com)

China

• In the evolving cyberwar, China aims to take down our critical infrastructure | SC Media (scmagazine.com)

• 'Major Chinese hack' on Foreign Office urgently investigated by UK spies (inews.co.uk)

• Leaked Chinese Hacking Files Reveal How Compromised the US Could Be (businessinsider.com)

• iSoon's Secret APT Status Exposes China's Foreign Hacking Machination (darkreading.com)

• Generative AI and elections are key focus for hackers in 2024, report warns | Evening Standard

• China’s Cyber Security and Statecraft – The Diplomat

• Elon Musk’s X allows China-based propaganda banned on other platforms | Ars Technica

• China’s Spy Agency Sees Threats Everywhere in Data Security Push - Bloomberg

Russia

• FBI disrupts hacking network 'linked to Russian intelligence services' | US News | Sky News

• Russian APT 'Winter Vivern' Targets European Governments, Military (darkreading.com)

• Russian Cyber attackers Launch Multiphase PsyOps Campaign (darkreading.com)

• Russian-Linked Hackers Target 80+ Organisations via Roundcube Flaws (thehackernews.com)

• Russian military botnet discovered on 1000+ compromised routers — FBI deactivated Moobot by taking control of impacted routers | Tom's Hardware (tomshardware.com)

• NHS hospitals ‘easy targets’ for Russian hackers (thetimes.co.uk)

• Russia-Aligned TAG-70 Targets European Government and Military Mail Servers in New Espionage Campaign (recordedfuture.com)

• Generative AI and elections are key focus for hackers in 2024, report warns | Evening Standard

• Russian Turla Cyber Spies Target Polish NGOs With New Backdoor - SecurityWeek

• Russian-Aligned Network Doppelgänger Targets German Elections - Infosecurity Magazine (infosecurity-magazine.com)

• Russian Hackers Target Ukraine with Disinformation and Credential-Harvesting Attacks (thehackernews.com)

• NATO's chief information officer on what Ukraine did right in its cyberwar with Russia (therecord.media)

• Russian Government Software Backdoored to Deploy Konni RAT Malware (thehackernews.com)

• Three terms sure to grab attention: Russia, nuclear, anti-satellite weapon | Ars Technica

Iran

• Iranian Hackers Target Middle East Policy Experts with New BASICSTAR Backdoor (thehackernews.com)

• Iranian APTs Dress Up As Hacktivists for Disruption, Influence Ops (darkreading.com)

• Iran and Hezbollah Hackers Launch Attacks to Influence Israel-Hamas Narrative (thehackernews.com)

• Iran-Backed Charming Kitten Stages Fake Webinar Platform to Ensnare Targets (darkreading.com)

• Israeli Aircraft Survive “Cyber Hijacking” Attempts - Infosecurity Magazine (infosecurity-magazine.com)

North Korea

• ChatGPT Used by North Korean Hackers to Scam LinkedIn Users (tech.co)

• North Korean hackers linked to defence sector supply-chain attack (bleepingcomputer.com)

• North Koreans using ChatGPT to scam LinkedIn users; "attacks are getting very sophisticated" - MSPoweruser

• Russian Government Software Backdoored to Deploy North Korean Konni RAT Malware (thehackernews.com)

Vulnerability Management

• CVEs expected to increase 25% in 2024 | Security Magazine

• Coalition: Vulnerability scoring systems falling short | TechTarget

Vulnerabilities

• Ransomware Warning as CVSS 10.0 ConnectWise ScreenConnect Bug is Exploited - Infosecurity Magazine (infosecurity-magazine.com)

• ConnectWise exploit could spur ‘ransomware free-for-all,’ expert warns | SC Media (scmagazine.com)

• Exploiting critical ConnectWise bug is 'embarrassingly easy' • The Register

• Akira Ransomware Exploiting Cisco AnyConnect Vulnerability (gbhackers.com)

• New Ivanti Vulnerability Observed as Widespread Security Concerns Grow - Infosecurity Magazine (infosecurity-magazine.com)

• Microsoft Exchange flaw CVE-2024-21410 could impact up to 97,000 servers (securityaffairs.com)

• VMware Alert: Uninstall EAP Now - Critical Flaw Puts Active Directory at Risk (thehackernews.com)

• VMware issues no-patch advisory for critical flaw in old SSO plugin | SC Media (scmagazine.com)

• Russian-Linked Hackers Target 80+ Organisations via Roundcube Flaws (thehackernews.com)

• ESET fixed high-severity local privilege escalation bug in Windows products (securityaffairs.com)

• SolarWinds addressed critical RCEs in Access Rights Manager (securityaffairs.com)

• Chrome 122, Firefox 123 Patch High-Severity Vulnerabilities - SecurityWeek

• Critical Vulnerability in VMware vSphere Plug-in Allows Session Hijacking (darkreading.com)

• Joomla XSS Bugs Open Millions of Websites to RCE (darkreading.com)

• Zero-Click Apple Shortcuts Vulnerability Allows Silent Data Theft (darkreading.com)

• Urgent patches available for QNAP vulnerabilities, one 0-day • The Register

• Hackers exploit critical RCE flaw in Bricks WordPress site builder (bleepingcomputer.com)

Tools and Controls

• Secure email gateways struggle to keep pace with sophisticated phishing campaigns - Help Net Security

• NCSC Sounds Alarm Over Private Branch Exchange Attacks - Infosecurity Magazine (infosecurity-magazine.com)

• Stuck in cyber attack nightmare? Call the negotiators (techxplore.com)

• New Google Chrome feature blocks attacks against home networks (bleepingcomputer.com)

• How Businesses Can Safeguard Their Communication Channels Against Hackers (thehackernews.com)

• Limiting remote access exposure in hybrid work environments | CSO Online

• Cyber Insurance Needs to Evolve to Ensure Greater Benefit (darkreading.com)

• The double-edged sword of zero trust - Help Net Security

• Orgs are having a major identity crisis • The Register

• Active Directory outages can cost organisations $100,000 per day - Help Net Security

• SOC Landscapes: Insights from SANS' 2023 SOC Report (trendmicro.com)

• 36% of code generated by GitHub CoPilot contains security flaws - Help Net Security

• Microsoft expands free logging capabilities after May breach (bleepingcomputer.com)

• Why ransomware gangs love using RMM tools—and how to stop them | Malwarebytes

• People cannot be patched (betanews.com)

• “Ruthlessly prioritize what’s critical”: Check Point expert on CISOs and the evolving attack surface | ITPro

Reports Published in the Last Week

• VIPRE report predicts 276% rise in malware in 2024 (securitybrief.co.nz)

• CrowdStrike 2024 Global Threat Report | CrowdStrike

• IBM XForce Threat Intelligence Index 2024.pdf

• Cyber Threat Index 2024: Scans, Honeypots, and CVEs  (coalitioninc.com)

Other News

• Israeli Aircraft Survive “Cyber-Hijacking” Attempts - Infosecurity Magazine (infosecurity-magazine.com)

• The Power Sector’s High-Stakes Battle for Cyber-Resiliency (powermag.com)

• Ways to elevate public sector cyber security | Professional Security

• Increasing Europe's cyber resilience - government.lu (gouvernement.lu)

• Industries most targeted by active adversaries | SC Media (scmagazine.com)

• Library Cyber Defences Are Falling Down (darkreading.com)

• How conveyancers can protect themselves against a cyber attack | Today's Conveyancer (todaysconveyancer.co.uk)

• US govt shares cyber attack defence tips for water utilities (bleepingcomputer.com)

Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

·         Automotive

·         Construction

·         Critical National Infrastructure (CNI)

·         Defence & Space

·         Education & Academia

·         Energy & Utilities

·         Estate Agencies

·         Financial Services

·         FinTech

·         Food & Agriculture

·         Gaming & Gambling

·         Government & Public Sector (including Law Enforcement)

·         Health/Medical/Pharma

·         Hotels & Hospitality

·         Insurance

·         Legal

·         Manufacturing

·         Maritime

·         Oil, Gas & Mining

·         OT, ICS, IIoT, SCADA & Cyber-Physical Systems

·         Retail & eCommerce

·         Small and Medium Sized Businesses (SMBs)

·         Startups

·         Telecoms

·         Third Sector & Charities

·         Transport & Aviation

·         Web3

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

• Cyber Insurers Clamp Down on Clients' Self-Attestation of Security Controls

After one company suffered a breach that could have been headed off by the MFA it claimed to have, insurers are looking to confirm claimed cyber security measures.

A voided lawsuit from a cyber insurance carrier claiming its customer misled it on its insurance application could potentially pave the way to change how underwriters evaluate self-attestation claims on insurance applications.

The case — Travelers Property Casualty Company of America v. International Control Services Inc. (ICS) — hinged on ICS claiming it had multifactor authentication (MFA) in place when the electronics manufacturer applied for a policy. In May the company experienced a ransomware attack. Forensics investigators determined there was no MFA in place, so Travelers asserted it should not be liable for the claim. The case was filed in the US District Court for the Central District of Illinois on July 6 and at the end of August, the litigants agreed to void the contract, ending ICS's efforts to have its insurer cover its losses.

This case was unusual in that Travelers maintained the misrepresentation "materially affected the acceptance of the risk and/or the hazard assumed by Travelers" in the court filing. Taking a client to court is a departure from other similar cases where an insurance company simply denied the claim.

Sean O'Brien of Yale Law School notes that security should be proactive, stopping possible breaches before they occur rather than simply responding to each successful attack. The insurance industry is likely to become more and more pernickety as cyber security claims rise, defending their bottom line and avoiding reimbursement wherever possible. This has always been the role of insurance adjusters, of course, and their business is in many ways adversarial to your organisation's interests after the dust settles from a cyber attack.

That said, organisations should not expect a payout for poor cyber security policies and practices, he notes.

https://www.darkreading.com/edge/cyber-insurers-clamp-down-on-clients-self-attestation-of-security-controls

• Survey Shows CISOs Losing Confidence in Ability to Stop Ransomware Attacks

Despite an 86% surge in budget resources to defend against ransomware, 90% of organisations were impacted by attacks last year, a survey reveals.

An annual survey of CISOs from Canada, the UK, and US reveals that security teams are starting to lose hope that they can defend against the next ransomware attack. The survey was conducted by SpyCloud, and it showed that although budgets to protect against cyber attacks have swelled by 86%, a full 90% of organisations surveyed said they had been impacted by a ransomware over the past year.

More organisations have implemented 'Plan B' measures this year, from opening cryptocurrency accounts to purchasing ransomware insurance. These findings suggest that organisations realise threats are slipping through their defences and a ransomware attack is inevitable.

The survey did show some bright spots on the cyber security front — nearly three-quarters of those organisations surveyed are using multifactor authentication (MFA), with an increase from 44% to 73% year-over-year. The report added that respondents said they are focused on stopping credential-stealing malware, particularly on unmanaged network devices.

https://www.darkreading.com/application-security/survey-cisos-losing-confidence-stop-ransomware-attacks

• MFA Fatigue: Hackers’ New Favourite Tactic in High-Profile Breaches

Hackers are more frequently using social engineering attacks to gain access to corporate credentials and breach large networks. One component of these attacks that is becoming more popular with the rise of multi-factor authentication is a technique called MFA Fatigue.

When breaching corporate networks, hackers commonly use stolen employee login credentials to access VPNs and the internal network. The reality is that obtaining corporate credentials is far from difficult for threat actors, who can use various methods, including phishing attacks, malware, leaked credentials from data breaches, or purchasing them on dark web marketplaces.

To counter this, enterprises have increasingly adopted multi-factor authentication to prevent users from logging into a network without first entering an additional form of verification. This additional information can be a one-time passcode, a prompt asking you to verify the login attempt, or the use of hardware security keys.

While threat actors can use numerous methods to bypass multi-factor authentication, most revolve around stealing cookies through malware or man-in-the-middle phishing attack frameworks. However, a social engineering technique called 'MFA Fatigue' is growing more popular with threat actors as it does not require malware or phishing infrastructure and has proven to be successful in attacks.

An MFA Fatigue attack is when a threat actor runs a script that attempts to log in with stolen credentials over and over, causing what feels like an endless stream of MFA push requests to be sent to the account's owner's mobile device. The goal is to keep this up, day and night, to break down the target's cyber security posture and inflict a sense of "fatigue" regarding these MFA prompts.

https://www.bleepingcomputer.com/news/security/mfa-fatigue-hackers-new-favorite-tactic-in-high-profile-breaches/

• Credential Stuffing Accounts for One-third Of Global Login Attempts

Okta’s global State of Secure Identity Report has found that credential stuffing is the top threat against customer accounts, outpacing legitimate login traffic in some countries. The report presents trends, examples and observations unearthed from the billions of authentications on Okta’s Auth0 platform.

Credential stuffing is when attacks take advantage of the practice of password reuse. It begins with a stolen login or password pair, then threat actors use these credentials across other common sites, using automated tooling used to “stuff” credential pairs into login forms. When an account holder reuses the same (or similar) passwords on multiple sites, it creates a domino effect in which a single credential pair can be used to breach multiple applications.

Across all industries globally, Okta found there were almost 10 billion credential stuffing attempts in the first 90 days of 2022, which amounts to 34% of authentication traffic.

https://informationsecuritybuzz.com/study-research/credential-stuffing-accounts-for-one-third-of-global-login-attempts-okta-finds/

• Ransomware Operators Might Be Dropping File Encryption in Favour of Corrupting Files

Corrupting files is faster, cheaper, and less likely to be stopped by endpoint protection tools than encrypting them.

A recent attack that involved a threat actor believed to be an affiliate of the BlackCat/ALPHV ransomware-as-a-service (RaaS) operation was found to use a data exfiltration tool dubbed Exmatter. Exmatter is a tool that allows attackers to scan the victim computer's drives for files with certain extensions and then upload them to an attacker-controlled server in a unique directory created for every victim. The tool supports several exfiltration methods including FTP, SFTP, and webDAV.

The way the Eraser function works is that it loads two random files from the list into memory and then copies a random chunk from the second file to the beginning of the first file overwriting its original contents. This doesn't technically erase the file but rather corrupts it. The researchers believe this feature is still being developed because the command that calls the Eraser function is not yet fully implemented and the function’s code still has some inefficiencies. Since the selected data chunk is random, it can sometimes be very small, which makes some files more recoverable than others.

Why destroy files by overwriting them with random data instead of deploying ransomware to encrypt them? At a first glance these seem like similar file manipulation operations. Encrypting a file involves overwriting it, one block at a time, with random-looking data (the ciphertext). However, there are ways to detect these encryption operations when done in great succession and many endpoint security programs can now detect when a process exhibits this behaviour and can stop it. Meanwhile, the kind of file overwriting that Exmatter does is much more subtle.

The act of using legitimate file data from the victim machine to corrupt other files may be a technique to avoid heuristic-based detection for ransomware and wipers, as copying file data from one file to another is much more plausibly benign functionality compared to sequentially overwriting files with random data or encrypting them.

Another reason is that encrypting files is a more intensive task that takes a longer time. It's also much harder and costly to implement file encryption programs, which ransomware essentially are, without bugs or flaws that researchers could exploit to reverse the encryption. There have been many cases over the years where researchers found weaknesses in ransomware encryption implementations and were able to release decryptors. This has happened to BlackMatter, the Ransomwware-as-a-Service (RaaS) operation with which the Exmatter tool has been originally associated.

With data exfiltration now the norm among threat actors, developing stable, secure, and fast ransomware to encrypt files is a redundant and costly endeavour compared to corrupting files and using the exfiltrated copies as the means of data recovery.

It remains to be seen if this is the start of a trend where ransomware affiliates switch to data destruction instead of encryption, ensuring the only copy is in their possession, or if it's just an isolated incident where BlackMatter/BlackCat affiliates want to avoid mistakes of the past. However, data theft and extortion attacks that involve destruction are not new and have been widespread in the cloud database space. Attackers have hit unprotected S3 buckets, MongoDB databases, Redis instances, and ElasticSearch indexes for years, deleting their contents and leaving behind ransom notes so it wouldn't be a surprise to see this move to on-premises systems as well.

https://www.csoonline.com/article/3674848/ransomware-operators-might-be-dropping-file-encryption-in-favor-of-corrupting-files.html#tk.rss_news

• Revolut Hack Exposes Data Of 50,000 Users, Fuels New Phishing Wave

Revolut has suffered a cyber attack that gave an unauthorised third party access to personal information of tens of thousands of clients. The incident occurred over a week ago, on Sunday night, and has been described as "highly targeted."

Founded in 2015, Revolut is a financial technology company that has seen a rapid growth, now offering banking, money management, and investment services to customers all over the world. In a statement a company spokesperson said that an unauthorised party had access "for a short period of time" to details of only a 0.16% of its customers.

"We immediately identified and isolated the attack to effectively limit its impact and have contacted those customers affected. Customers who have not received an email have not been impacted" , Revolut said.

According to the breach disclosure to the State Data Protection Inspectorate in Lithuania, where Revolut has a banking license, 50,150 customers have been impacted. Based on the information from Revolut, the agency said that the number of affected customers in the European Economic Area is 20,687, and just 379 Lithuanian citizens are potentially impacted by this incident.

Details on how the threat actor gained access to the database have not been disclosed but it appears that the attacker relied on social engineering. The Lithuanian data protection agency notes that the likely exposed information includes:

• Email addresses

• Full names

• Postal addresses

• Phone numbers

• Limited payment card data

• Account data

However, in a message to an affected customer, Revolut says that the type of compromised personal data varies for different customers. Card details, PINs, or passwords were not accessed.

https://www.bleepingcomputer.com/news/security/revolut-hack-exposes-data-of-50-000-users-fuels-new-phishing-wave/

• Researchers Say Insider Threats Play a Larger Role In Security Incidents

Insider threats are becoming an increasingly common part of the attack chain, with malicious insiders and unwitting assets playing critical roles in incidents over the past year, according to Cisco Talos research.

In a blog post, Cisco Talos researchers said organisations can mitigate these types of risks via education, user-access control, and ensuring proper processes and procedures are in place when and if employees leave the organisation.

There are a variety of reasons a user may choose to become a malicious insider, and unfortunately many of them are occurring today. The most obvious being financial distress, where a user has a lot of debt and selling the ability to infect their employer can be a tempting avenue. There have been examples of users trying to sell access into employer networks for more than a decade, having spotted them on dark web forums. The current climate, with the economy tilting toward recession, is ripe for this type of abuse.

The cyber crime underground remains a hot spot for insider threat recruitment efforts because of the relative anonymity, accessibility, and low barrier of entry it affords. Malicious actors use forums and instant messaging platforms to advertise their insider services or, vice versa, to recruit accomplices for specific schemes that require insider access or knowledge.

By far, the most popular motivation for insider threats is financial gain. There are plenty of examples of financially-motivated threat actors seeking employees at companies to provide data and access to sell in the underground or leverage against the organisation or its customers. There have also been instances where individuals turn to underground forums and instant messaging platforms claiming to be employees at notable organisations to sell company information.

https://www.scmagazine.com/analysis/insider-threat/researchers-say-insider-threats-play-a-larger-role-in-security-incidents

• SMBs vs. Large Enterprises: Not All Compromises Are Created Equal

Attackers view smaller organisations as having fewer security protocols in place, therefore requiring less effort to compromise. Lumu has found that compromise is significantly different for small businesses than for medium-sized and large enterprises.

There is no silver bullet for organisations to protect themselves from compromise, but there are critical steps to take to understand your potential exposure and make sure that your cyber security protocols are aligned accordingly.

Compromise often stay undetected for long periods of time – 201 days on average with compromise detection and containment taking approximately 271 days. It’s critical for smaller businesses to know they are more susceptible and to get ahead of the curve with safeguards.

Results from the Lumu Ransomware Assessment show a few reasons why attacks continue to stay undetected for such long periods of time:

·       58% of organisations aren’t monitoring roaming devices, which is concerning with a workforce that has embraced remote working

·       72% of organisations either don’t or only partially monitor the use of network resources and traffic, which is problematic given that most compromises tend to originate from within the network

·       Crypto-mining doesn’t appear to be a concern for the majority of organisations as 76% either do not know or only partially know how to identify it; however, this is a commonly used technique for cyber criminals

Additionally, threat data unveils attack techniques used and how they vary based on the size of the organisation.

Small businesses are primarily targeted by malware attacks (60%) and are also at greater risk of Malware, Command and Control, and Crypto-Mining. Medium-sized businesses and large enterprises don’t see as much malware and are more susceptible to Domain Generated Algorithms (DGA). This type of attack allows adversaries to dynamically identify a destination domain for command and control traffic rather than relying on a list of static IP addresses or domains.

https://www.helpnetsecurity.com/2022/09/22/smaller-organizations-security-protocols/

• Cyber Attack Costs for Businesses up by 80%

In seven out of eight countries, cyber attacks are now seen as the biggest risk to business — outranking COVID-19, economic turmoil, skills shortages, and other issues. The "Hiscox Cyber Readiness Report 2022," which assesses how prepared businesses are to fight back against cyber incidents and breaches, polled more than 5,000 corporate cyber security professionals in the US, UK, Belgium, France, Germany, Ireland, Spain, and the Netherlands. These experts had some enlightening things to say.

According to the report, IT pros are more worried about cyber attacks (46%) than the pandemic (43%) or skills shortages (38%). And the data prove it. The survey indicates that in the past 12 months, US businesses weathered a 7% increase in cyber attacks. Approximately half of all US businesses (47%) suffered an attack in the past year.

Remote work has caused many smaller organisations to use cloud solutions instead of utilizing in-house IT services. However, with more cloud applications and APIs in use, the attack surface has broadened, too, making these organisations more vulnerable to cyber crime.

Although the proportion of staff working remotely almost halved in the past year — from 62% of the workforce in 2021 to 39% in 2022 — overall IT expenditures doubled, from $11.5 million in 2021 to $24.2 million this year. "Despite 61% of survey respondents now being back in the office, businesses are still experiencing a hangover from the pandemic," Hiscox said in a statement. "Remote working provided a year-long Christmas for cyber criminals, and we can see the results of their cyber-feast in the increased frequency and cost of attacks. As we move into a new era of hybrid working, we all have an increased responsibility to continue learning, and managing our own cyber security."

It may come as no surprise that as more organisations evolve and scale their digital business models, the median cost of an attack has surged — from $10,000 last year to $18,000 in 2022. The US is bearing the brunt of generally higher cyber attack costs, with 40% of attack victims incurring costs of $25,000 or higher. The most common vulnerability — i.e., the entry point for cyber criminals — was a cloud-based corporate server.

However, in terms of attack costs, the report reveals major regional disparities. While one organisation in the UK suffered total attack costs of $6.7 million, the hardest-hit firms in Germany, Ireland, and the Netherlands paid out more than $5 million. In turn, Belgium, France, Germany, and Spain all experienced stable or lower median costs.

https://www.darkreading.com/attacks-breaches/cyberattack-costs-for-us-businesses-up-by-80-

• Morgan Stanley Fined $35m By SEC For Data Security Lapse, Sold Devices Full of Customer PII

American financial services giant Morgan Stanley agreed to pay the Securities and Exchange Commission (SEC) a $35m penalty on Tuesday over data security lapses.

According to the SEC's complaint, the firm would have allowed roughly 1000 unencrypted hard drives (HDDs) and about 8000 backup tapes from decommissioned data centres to be resold on auction sites without first being wiped.

The improper disposal of the devices reportedly started in 2016 and per the SEC complaint, was part of an "extensive failure" that exposed 15 million customers' data.

In fact, instead of destroying the hard drives or employing an internal IT team to erase them, Morgan Stanley would have contracted an unnamed third–party moving company with allegedly no experience in decommissioning storage media to take care of the hardware.

The moving company initially subcontracted an IT firm to wipe the drives, but their business relationship went sour, so the mover started selling the storage devices to another firm that auctioned them online without erasing them.

"This is an astonishing security mistake by one of the world's most prestigious banks, who would be expected to have well–established procedures in system life cycle management," Jordan Schroeder, managing CISO at Barrier Networks, told Infosecurity Magazine.

"Not only does the situation mean that the bank put customer data at risk, but it also demonstrates the organisation was not following an expected policy which explained the secure disposing of IT equipment."

https://www.infosecurity-magazine.com/news/morgan-stanley-pay-dollar35m-sec/

• Eyeglass Reflections Can Leak Information During Video Calls

A group of academic researchers have devised a method of reconstructing text exposed via participants’ eyeglasses and other reflective objects during video conferences.

Zoom and other video conferencing tools, which have been widely adopted over the past couple of years as a result of the Covid-19 pandemic, may be used by attackers to leak information unintentionally reflected in objects such as eyeglasses, the researchers say.

Using mathematical modelling and human subjects experiments, this research explores the extent to which emerging webcams might leak recognizable textual and graphical information gleaming from eyeglass reflections captured by webcams.

Dubbed ‘webcam peeking attack’, a threat model devised by academics shows that it is possible to obtain an accuracy of over 75% when reconstructing and recognizing text with heights as small as 10 mm, captured by a 720p webcam.

According to the academics, attackers can also rely on webcam peeking to identify the websites that the victims are using. Moreover, they believe that 4k webcams will allow attackers to easily reconstruct most header texts on popular websites.

To mitigate the risk posed by webcam peeking attacks, the researchers propose both near- and long-term mitigations, including the use of software that can blur the eyeglass areas of the video stream. Some video conferencing solutions already offer blurring capabilities, albeit not fine-tuned.

https://www.securityweek.com/eyeglass-reflections-can-leak-information-during-video-calls

• Uber Says It Was Likely Hacked by Teenage Hacker Gang LAPSUS$

Uber has published additional information about how it was hacked, claiming that it was targeted by LAPSUS$, a cyber criminal gang with a hefty track record that is thought to be composed largely of teenagers.

Last week, someone broke into Uber’s network and used the access to cause all sorts of chaos. The culprit, who claims to be 18 years old, managed to spam company staff with vulgar Slack messages, post a picture of a penis on the company’s internal websites, and leak images of Uber’s internal environment to the web. Now, the ride-share giant has released a statement providing details on its ordeal.

In its update, the company has clarified how it was hacked, largely confirming an account made by the hacker themself. Uber says that the hacker exploited the login credentials of a company contractor to initially gain access to the network. The hacker may have originally bought access to those credentials via the dark web, Uber says. The hacker then used them to make multiple login attempts to the contractor’s account. The login attempts prompted a slew of multi-factor authentication requests for the contractor, who ultimately authenticated one of them. The hacker has previously claimed that it conducted a social engineering scheme to convince the contractor to authenticate the login attempt.

Security experts have called this an “MFA fatigue” attack. This increasingly common intrusion tactic seeks to overwhelm a victim with authentication push requests until they validate the hacker’s illegitimate login attempt.

Most interestingly, Uber has also claimed that whoever was behind this hacking episode is affiliated with the cyber crime gang “LAPSUS$.” It’s not totally clear how Uber knows that.

https://gizmodo.com/uber-says-it-was-hacked-by-teenage-hacker-gang-lapsus-1849554679

Threats

Ransomware and Extortion

• Microsoft Issues Out-of-Band Patch for Flaw Allowing Lateral Movement, Ransomware Attacks | SecurityWeek.Com

• Microsoft SQL servers hacked in TargetCompany ransomware attacks (bleepingcomputer.com)

• BlackCat ransomware’s data exfiltration tool gets an upgrade (bleepingcomputer.com)

• SpyCloud Report: 90% of Companies Affected by Ransomware in 2022 - MSSP Alert

• Netflix-style Ransomware Makes Your Organisation’s Data The Prize In A (informationsecuritybuzz.com)

• Ransomware: The Latest Chapter (darkreading.com)

• How to Dodge New Ransomware Tactics (darkreading.com)

• Colonial Pipeline hackers add startling new capabilities to ransomware operation - The Record by Recorded Future

• LockBit ransomware builder leaked online by “angry developer” (bleepingcomputer.com)

• How to Prevent Ransomware as a Service (RaaS) Attacks (trendmicro.com)

• The Risk of Ransomware Supply Chain Attacks (trendmicro.com)

• Europol and Bitdefender Release Free Decryptor for LockerGoga Ransomware (thehackernews.com)

• Bosnia and Herzegovina investigating alleged ransomware attack on parliament - The Record by Recorded Future

• Vice Society Demands Ransom From LAUSD Two Weeks After Hack (gizmodo.com)

Phishing & Email Based Attacks

• Microsoft: Exchange servers hacked via OAuth apps for phishing (bleepingcomputer.com)

• LinkedIn Smart Links abused in evasive email phishing attacks (bleepingcomputer.com)

• BBC Warns Of Cost-of-living Phishing, Expert Weighs In (informationsecuritybuzz.com)

• Microsoft 365 phishing attacks impersonate US govt agencies (bleepingcomputer.com)

• How DKIM records reduce email spoofing, phishing and spam (techtarget.com)

• Security alert: new phishing campaign targets GitHub users | The GitHub Blog

• American Airlines learned it was breached from phishing targets (bleepingcomputer.com)

• Email-based threats: A pain point for organisations - Help Net Security

Other Social Engineering; Smishing, Vishing, etc

• Energy bill rebate scams spread via SMS and email • Graham Cluley

Malware

• IT giants warn of ongoing Chromeloader malware campaigns - Security Affairs

• SEO poisoning campaign directs search engine visitors from multiple industries to JavaScript malware | CSO Online

• Fake sites fool Zoom users into downloading deadly code • The Register

• Malicious NPM package discovered in supply chain attack (techtarget.com)

• How botnet attacks work and how to defend against them (bleepingcomputer.com)

Mobile

• This dangerous Android spyware could affect millions of devices | TechRadar

• Banking Users Faced With Rewards Phishing Scam - IT Security Guru

• Malicious Apps With Millions of Downloads Found in Apple App Store, Google Play (darkreading.com)

• Don't Wait for a Mobile WannaCry (darkreading.com)

Data Breaches/Leaks

• Cyber Attack Steals Passenger Data From Portuguese Airline | SecurityWeek.Com

• American Airlines discloses data breach after employee email compromise (bleepingcomputer.com)

• Significant cyber attack hits Australian telco Optus • The Register

Organised Crime & Criminal Actors

• London Police Arrested 17-Year-Old Hacker Suspected of Uber and GTA 6 Breaches (thehackernews.com)

• Cyber Mercenary Group Void Balaur Continues Hack-For-Hire Campaigns - Infosecurity Magazine (infosecurity-magazine.com)

• Ukraine dismantles hacker gang that stole 30 million accounts (bleepingcomputer.com)

• The Deep Roots of Nigeria’s Cyber Security Problem | WIRED

• Cambodian authorities crack down on cyber slavery • The Register

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

• Cryptocurrency world's Wintermute loses $160m in cyber-heist • The Register

• South Korean prosecutors ask Interpol to issue red notice for Do Kwon | Financial Times (ft.com)

• "Fake crypto millionaire" charged with alleged $1.7M cryptomining scam (bitdefender.com)

Insider Risk and Insider Threats

• Risk management focus shifts from external to internal exposure - Help Net Security

Fraud, Scams & Financial Crime

• Authorized Push Payment Surges to 75% of Banking Fraud - Infosecurity Magazine (infosecurity-magazine.com)

• Multi-million dollar credit card fraud operation uncovered (bleepingcomputer.com)

• Microsoft Warns of Large-Scale Click Fraud Campaign Targeting Gamers (thehackernews.com)

• The impact of location-based fraud - Help Net Security

• How does identity crime affect victims? - Help Net Security

• Two-Fifths of US Consumers Suffer Personal Data Theft - Infosecurity Magazine (infosecurity-magazine.com)

• Cyber crime cost American seniors $3 billion last year, a 62% jump (usatoday.com)

Insurance

• Cyber Security Insurance Trends: Key Takeaways for MSPs - MSSP Alert

• D&O insurance not yet a priority despite criminal trial of Uber’s former CISO | CSO Online

Supply Chain and Third Parties

• The Risk of Ransomware Supply Chain Attacks (trendmicro.com)

Denial of Service DoS/DDoS

• DDoS and bot attacks in 2022: Business sectors at risk and how to defend (bleepingcomputer.com)

• Record DDoS Attack with 25.3 Billion Requests Abused HTTP/2 Multiplexing (thehackernews.com)

• Imperva mitigated long-lasting, 25.3 billion request DDoS attack (bleepingcomputer.com)

Cloud/SaaS

• Mitigating Risk and Communicating Value in Multicloud Environments (darkreading.com)

• How to keep public cloud data secure - Help Net Security

Encryption

• Quantum Computing Already Putting Data at Risk, Cyber Pros Agree - Infosecurity Magazine (infosecurity-magazine.com)

API

• What could be the cause of growing API security incidents? - Help Net Security

Open Source

• Open-source software usage slowing down for fear of vulnerabilities, exposures, or risks - Help Net Security

• Open Source Repository Attacks Soar 700% in Three Years - Infosecurity Magazine (infosecurity-magazine.com)

• Neglecting Open Source Developers Puts the Internet at Risk (darkreading.com)

• 350K Open-Source Projects At Risk of Supply Chain Vulnerability - Infosecurity Magazine (infosecurity-magazine.com)

Privacy, Surveillance and Mass Monitoring

• Pressure mounts against Europol over data privacy • The Register

• San Francisco cops can use private cameras for surveillance • The Register

• Revealed: US Military Bought Mass Monitoring Tool That Includes Internet Browsing, Email Data (vice.com)

Parental Controls and Child Safety

• Child Predators Use Amazon’s Twitch to Systematically Track Kids Who Stream (bloomberg.com)

Regulations, Fines and Legislation

• 5 Data Privacy Laws That Could Affect Your Business (informationsecuritybuzz.com)

• France and Germany fall foul of EU data retention rules • The Register

• Morgan Stanley fined millions for selling off devices full of customer PII – Naked Security (sophos.com)

Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine

• Russia Makes Veiled Threat to Destroy SpaceX's Starlink (pcmag.com)

• Researchers Uncover New Metador APT Targeting Telcos, ISPs, and Universities (thehackernews.com)

• Russian Sandworm hackers pose as Ukrainian telcos to drop malware (bleepingcomputer.com)

• Anonymous claims hacked website of Russian Ministry of Defence - Security Affairs

• Pro-Ukraine Hacktivists Claim to Have Hacked Notorious Russian Mercenary Group (vice.com)

• European Spyware Investigators Criticize Israel and Poland | SecurityWeek.Com

• Hackathon finds dozens of Ukrainian refugees trafficked online | Ars Technica

• Researchers Uncover Mysterious 'Metador' Cyber-Espionage Group (darkreading.com)

• This dangerous Android spyware could affect millions of devices | TechRadar

Nation State Actors

Nation State Actors – Russia

• Inside Russia’s Vast Surveillance State: ‘They Are Watching’ - The New York Times (nytimes.com)

• Russian Cyberspies Targeting Ukraine Pose as Telecoms Providers | SecurityWeek.Com

Nation State Actors – China

• USA labels two more Chinese carriers national security risks • The Register

Nation State Actors – Iran

• FBI: Iranian hackers lurked in Albania’s govt network for 14 months (bleepingcomputer.com)

• Whatsapp and Instagram restricted in Iran • The Register

• International Law Enforcement Warns of Iran-backed Hacking Crews Targeting Critical Infrastructure - MSSP Alert

• NATO's Team in Albania to Help on Iran-Alleged Cyber Attack | SecurityWeek.Com

Nation State Actors – Misc

• Feds Sound Alarm on Rising OT/ICS Threats From APT Groups (darkreading.com)

• Researchers Uncover New Metador APT Targeting Telcos, ISPs, and Universities (thehackernews.com)

Vulnerability Management

• Vulnerability Management Fatigue Fuelled by Non-Exploitable Bugs | SecurityWeek.Com

Vulnerabilities

• Microsoft Issues Out-of-Band Patch for Flaw Allowing Lateral Movement, Ransomware Attacks | SecurityWeek.Com

• New Firmware Vulnerabilities Affecting Millions of Devices Allow Persistent Access | SecurityWeek.Com

• Hackers Actively Exploiting New Sophos Firewall RCE Vulnerability (thehackernews.com)

• CISA adds Zoho ManageEngine flaw to its Known Exploited Vulnerabilities Catalogue - Security Affairs

• AttachMe: a critical flaw affects Oracle Cloud Infrastructure (OCI) - Security Affairs

• Atlassian Confluence bug CVE-2022-26134 exploited in cryptocurrency mining campaign - Security Affairs

• BIND Updates Patch High-Severity Vulnerabilities | SecurityWeek.Com

• 15-year-old Python flaw found in 'over 350,000' projects • The Register

• CISA warns of critical ManageEngine RCE bug used in attacks (bleepingcomputer.com)

• Critical Magento vulnerability targeted in new surge of attacks (bleepingcomputer.com)

Reports Published in the Last Week

• VMware Global Incident Response Report 2022

• 2022 Ransomware Defence Report | SpyCloud

• Hiscox Cyber Readiness Report 2022 | Hiscox Group

Other News

• How Organisational Structure, Personalities and Politics Can Get in the Way of Security | SecurityWeek.Com

• Why Even Big Tech Companies Keep Getting Hacked—and What They Plan to Do About It - WSJ

• 20/20 visibility is paramount to network security - Help Net Security

• Domain shadowing becoming more popular among cyber criminals (bleepingcomputer.com)

• Multi-factor authentication fatigue attacks are on the rise: How to defend against them | CSO Online

• Uber Is Hiring For Over 80 Cyber Security Jobs After Being Hacked Last Week (informationsecuritybuzz.com)

• What's behind the different names for cyber hacker groups (axios.com)

• IT services group Wipro fires 300 employees moonlighting for competitors | TechCrunch

• Microsoft Teams' GIFShell Attack: What Is It and How You Can Protect Yourself from It (thehackernews.com)

• How can organisations benefit from full-stack observability? - Help Net Security

• Quantifying ROI in Cyber Security Spend | SecurityWeek.Com

• Firing Your Entire Cyber Security Team? Are You Sure? (thehackernews.com)

• Cyber criminals launching more MFA bypass attacks (techtarget.com)

• Microsoft (MSFT) Says Managers Shouldn’t Spy on Staff to Ensure They’re Working - Bloomberg

• A third of enterprises globally don’t prioritize digital trust: ISACA | CSO Online

• Slack’s and Teams’ Lax App Security Raises Alarms | WIRED

• How Malware Hides in Images and What You Can Do About It (gizmodo.com)

• International cooperation is key to fighting threat actors and cyber crime | CSO Online

Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

·       Automotive

·       Construction

·       Critical National Infrastructure (CNI)

·       Defence & Space

·       Education & Academia

·       Energy & Utilities

·       Estate Agencies

·       Financial Services

·       FinTech

·       Food & Agriculture

·       Gaming & Gambling

·       Government & Public Sector (including Law Enforcement)

·       Health/Medical/Pharma

·       Hotels & Hospitality

·       Insurance

·       Legal

·       Manufacturing

·       Maritime

·       Oil, Gas & Mining

·       OT, ICS, IIoT, SCADA & Cyber-Physical Systems

·       Retail & eCommerce

·       Small and Medium Sized Businesses (SMBs)

·       Startups

·       Telecoms

·       Third Sector & Charities

·       Transport & Aviation

·       Web3

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.