Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

• The NCSC Sets Out the UK’s Cyber Threat Landscape

The current state of the UK’s cyber threat landscape was outlined by the National Cyber Security Centre (NCSC), during a keynote address on the final day of Infosecurity Europe 2022.

They described the cyber threats posed by nation-states, particularly Russia and China. Russia remains “one of the world’s most prolific cyber actors and dedicates significant resources to conducting cyber operations across the globe.”  The NCSC and international partner organisations have attributed a number of high-profile attacks related to the conflict to Russian state actors, including the Viasat incident on the eve of the invasion of Ukraine on February 24. Therefore, the NCSC recommends that organisations prepare for a dynamic situation that is liable to change rapidly.

The NCSC emphasised that a more significant long-term threat comes from China, citing GCHQ director Jeremy Fleming’s assertion that “Russia is affecting the weather, but China is shaping the climate.” She described the nation’s “highly sophisticated” activities in cyberspace, born out of its “increasing ambitions to project its influence beyond its borders.” This includes a keen interest in the UK’s commercial secrets.

In addition to nation-state attacks, the NCSC noted that cyber crime is continuing to rise, with ransomware a continuing concern. Attacks are expected to grow in scale, with threat actors likely to increasingly target managed service providers (MSPs) to gain access to a wider range of targets. More generally, cyber capabilities will become more commoditised over the next few years, meaning they are increasingly available to a larger group of would-be attackers who are willing to pay.

https://www.infosecurity-magazine.com/news/ncsc-uk-cyber-threat-landscape/

• We're Now Truly in The Era of Ransomware as Pure Extortion Without the Encryption

Increasingly cyber crime rings tracked as ransomware operators are turning toward primarily data theft and extortion – and skipping the encryption step altogether. Rather than scramble files and demand payment for the decryption keys, and all the faff in between in facilitating that, simply exfiltrating the data and demanding a fee to not leak it all is just as effective. This shift has been ongoing for many months, and is now virtually unavoidable.

The FBI and CISA this month warned about a lesser-known extortion gang called Karakurt, which demands ransoms as high as $13 million. Karakurt doesn't target any specific sectors or industries, and the gang's victims haven't had any of their documents encrypted and held to ransom. Instead, the crooks claim to have stolen data, with screenshots or copies of exfiltrated files as proof, and they threaten to sell it or leak it publicly if they don't receive a payment.

Some of these thieves offer discounted ransoms to corporations to encourage them to pay sooner, with the demanded payment getting larger the longer it takes to cough up the cash (or Bitcoin, as the case may be).

Additionally, some crime groups offer sliding-scale payment systems. So you pay for what you get, and depending on the amount of ransom paid you get a control panel, you get customer support, you get all of the tools you need."

https://www.theregister.com/2022/06/25/ransomware_gangs_extortion_feature/

• 5 Social Engineering Assumptions That Are Wrong

Social engineering is involved in the vast majority of cyber attacks, but a new report from Proofpoint has revealed five common social engineering assumptions that are not only wrong but are repeatedly subverted by malicious actors in their attacks.

1. Threat actors don’t have conversations with targets.

2. Legitimate services are safe from social engineering abuse.

3. Attackers only use computers, not telephones.

4. Replying to existing email conversations is safe.

5. Fraudsters only use business-related content as lures.

Commenting on the report’s findings, Sherrod DeGrippo, Proofpoint’s Vice-President Threat Research and Detection, stated that the vendor has attempted to debunk faulty assumptions made by organisations and security teams so they can better protect employees against cyber crime. “Despite defenders’ best efforts, cyber criminals continue to defraud, extort and ransom companies for billions of dollars annually. Security-focused decision makers have prioritised bolstering defences around physical and cloud-based infrastructure, which has led to human beings becoming the most relied upon entry point for compromise. As a result, a wide array of content and techniques continue to be developed to exploit human behaviours and interests.”

Indeed, cyber criminals will go to creative and occasionally unusual lengths to carry out social engineering campaigns, making it more difficult for users to avoid falling victim to them.

https://www.csoonline.com/article/3664932/5-social-engineering-assumptions-that-are-wrong.html#tk.rss_news

• Gartner: Regulation, Human Costs Will Create Stormy Cyber Security Weather Ahead

Security teams should prepare for what researchers say will be a challenging environment through 2023, with increased pressure from government regulators, partners, and threat actors.

Gartner kicked off its Security & Risk Management Summit with the release of its analysts' assessments of the work ahead, which Richard Addiscott, the company's senior director analyst, discussed during his opening keynote address.

“We can’t fall into old habits and try to treat everything the same as we did in the past,” Addiscott said. “Most security and risk leaders now recognise that major disruption is only one crisis away. We can’t control it, but we can evolve our thinking, our philosophy, our program, and our architecture.”

Topping Gartner's list of eight predictions is a rise in the government regulation of consumer privacy rights and ransomware response, a widespread shift by enterprises to unify security platforms, more zero trust, and, troublingly, the prediction that by 2025 threat actors will likely have figured out how to "weaponise operational technology environments successfully to cause human casualties”, the cyber security report said.

https://www.darkreading.com/attacks-breaches/gartner-regulation-human-cost-stormy-cybersecurity-weather

• Ransomware Attacks - This Is the Data That Cyber Criminals Really Want to Steal

There are certain types of data that criminals target the most, according to an analysis of attacks.

Data theft and extortion has become a common – and unfortunately effective – part of ransomware attacks, where in addition to encrypting data and demanding a ransom payment for the decryption key, gangs steal information and threaten to publish it if a payment isn't received.

These so-called double extortion attacks have become an effective tool in the arsenal of ransomware gangs, who leverage them to force victims to pay up, even in cases where data could be restored from offline backups, because the threat of sensitive information being published is too great.

Any stolen data is potentially useful to ransomware gangs, but according to analysis by researchers at cyber security company Rapid7, of 161 disclosed ransomware incidents where data was published, some data is seen as more valuable than others.

According to the report, financial services is the sector that is most likely to have customer data exposed, with 82% of incidents involving ransomware gangs accessing and making threats to release this data. Stealing and publishing sensitive customer information would undermine consumer trust in financial services organisations: while being hacked in the first place would be damaging enough, some business leaders might view paying a ransom to avoid further damage caused by data leaks to be worth it.

The second most-leaked type of file in ransomware attacks against financial services firms, featuring in 59% of disclosures from victims, is employee personally identifiable information (PII) and data related to human resources. 

https://www.zdnet.com/article/ransomware-attacks-this-is-the-data-that-cyber-criminals-really-want-to-steal/

• Cloud Email Threats Soar 101% in a Year

The number of email-borne cyber-threats blocked by Trend Micro surged by triple digits last year, highlighting the continued risk from conventional attack vectors.

The vendor stopped over 33.6 million such threats reaching customers via cloud-based email in 2021, a 101% increase. This included 16.5 million phishing emails, a 138% year-on-year increase, of which 6.5 million were credential phishing attempts.

Trend Micro also blocked 3.3 million malicious files in cloud-based emails, including a 134% increase in known threats and a 221% increase in unknown malware.

The news comes as Proofpoint warned in a new report of the continued dangers posed by social engineering, and the mistaken assumptions many users make. 

Many users don’t realise that threat actors may spend considerable time and effort building a rapport over email with their victims, especially if they’re trying to conduct a business email compromise (BEC) attack, it said.

https://www.infosecurity-magazine.com/news/cloud-email-threats-soar-101-in-a/

• 80% of Firms Suffered Identity-Related Breaches in Last 12 Months

Rapidly growing employee identities, third-party partners, and machine nodes have companies scrambling to secure credential information, software secrets, and cloud identities, according to researchers.

In a survey of IT and identity professionals from Dimensional Research, almost every organisation — 98% — experienced rapid growth in the number of identities that have to be managed, with that growth driven by expanding cloud usage, more third-party partners, and machine identities. Furthermore, businesses are also seeing an increase in breaches because of this, with 84% of firms suffering an identity-related breach in the past 12 months, compared with 79% in a previous study covering two years.

The number and complexity of identities organisations are having to manage and secure is increasing. Whenever there is an increase in identities, there is a corresponding heightened risk of identity-related breaches due to them not being properly managed and secured, and with the attack surfaces also growing exponentially, these breaches can occur on multiple fronts.

For the most part, organisations focus on employee identities, which 70% consider to be the most likely to be breached and 58% believe to have the greatest impact, according to the 2022 "Trends in Securing Digital Identities" report based on the survey. Yet third-party partners and business customers are significant sources of risk as well, with 35% and 25% of respondents considering those to be a major source of breaches, respectively.

https://www.darkreading.com/operations/identity-related-breaches-last-12-months

• After Being Breached Once, Many Companies Are Likely to Be Hit Again

Cymulate announced the results of a survey, revealing that two-thirds of companies who have been hit by cyber crime in the past year have been hit more than once, with almost 10% experiencing 10 or so more attacks a year.

Research taken from 858 security professionals surveyed across North America, EMEA, APAC and LATAM across a wide range of industries including technology, banking, finance and government, also highlighted larger companies hit by cyber crime are experiencing shorter disruption time and damage to business with 40% reported low damage compared with medium-size businesses (less than 2,500 employees) which had longer recovery times and more business affecting damage.

Other highlights

• 40% of respondents admitted to being breached over the past 12 months.

• After being breached once, statistics showed they were more likely to be hit again than not (66%).

• Malware (55%), and more specifically ransomware (40%) and DDoS (32%) were the main forms of cyber attacks experienced by those surveyed.

• Attacks primarily occurred via end-user phishing (56%), via third parties connected to the enterprise (37%) or direct attacks on enterprise networks (34%).

• 22% of companies publicly disclosed cyber attacks in the worst-case breaches, with 35% needing to hire security consultants, 12% dismissing their current security professionals and 12% hiring public relations consultants to deal with the repercussions to their reputations. Top three best practices for cyber attack prevention, mitigation and remediation include multi-factor authentication (67%), proactive corporate phishing and awareness campaigns (53%), and well-planned and practiced incident response plans (44%). Least privilege also ranked highly, at 43%.

• 29% of attacks come from insider threats – intentionally or unintentionally.

• Leadership and cyber security teams who meet regularly to discuss risk reduction are more cyber security-ready – those who met 15 times a year incurred zero breaches whereas those who suffered six or more breaches met under nine times on average.

https://www.helpnetsecurity.com/2022/06/21/companies-hit-by-cybercrime/

• Do You Have Ransomware Insurance? Look at the Fine Print

Insurance exists to protect the insured party against catastrophe, but the insurer needs protection so that its policies are not abused – and that's where the fine print comes in. However, in the case of ransomware insurance, the fine print is becoming contentious and arguably undermining the usefulness of ransomware insurance.

In recent years, ransomware insurance has grown as a product field because organisations are trying to buy protection against the catastrophic effects of a successful ransomware attack. Why try to buy insurance? Well, a single, successful attack can just about wipe out a large organisation, or lead to crippling costs – NotPetya alone led to a total of $10bn in damages.

Ransomware attacks are notoriously difficult to protect against completely. Like any other potentially catastrophic event, insurers stepped in to offer an insurance product. In exchange for a premium, insurers promise to cover many of the damages resulting from a ransomware attack.

Depending on the policy, a ransomware policy could cover loss of income if the attack disrupts operations, or loss of valuable data, if data is erased due to the ransomware event. A policy may also cover you for extortion – in others, it will refund the ransom demanded by the criminal.

The exact payout and terms will of course be defined in the policy document, also called the "fine print." Critically, fine print also contains exclusions, in other words circumstances under which the policy won't pay out. And therein lies the problem.

https://thehackernews.com/2022/06/do-you-have-ransomware-insurance-look.html

• The Price of Stolen Info: Everything on Sale on The Dark Web

What is the price for personal information, including credit cards and bank accounts, on the dark web?

Privacy Affairs researchers concluded that criminals using the dark web need only spend $1,115 for a complete set of a person’s account details, enabling them to create fake IDs and forge private documents, such as passports and driver’s licenses.

Access to other information is becoming even cheaper. The Dark Web Price Index 2022 – based on data scanning dark web marketplaces, forums, and websites, revealed:

• Credit card details and associated information cost between $17-$120

• Online banking login information costs $45

• Hacked Facebook accounts cost $45

• Cloned VISA with PIN cost $20

• Stolen PayPal account details, with minimum $1000 balances, cost $20.

In December 2021, about 4.5 million credit cards went up for sale on the dark web, the study found. The average price ranged from $1-$20.

Scammers can buy full credit card details, including CVV number, card number, associated dates, and even the email, physical address and phone number. This enables them to penetrate the credit card processing chain, overriding any security countermeasures.

https://www.helpnetsecurity.com/2022/06/22/stolen-info-sale-dark-web/

• How Companies Are Prioritising Infosec and Compliance

New research conducted by Enterprise Management Associates (EMA), examines the impact of the compliance budget on security strategy and priorities. It describes areas for which companies prioritise information security and compliance, which leaders control information security spending, how compliance has shifted the overall security strategy of the organisation, and the solutions and tools on which organisations are focusing their technology spending.

The findings cover three critical areas of an organisation’s security and compliance posture: information security and IT audit and compliance, data security and data privacy, and security and compliance spending.

One key takeaway is that merging security and compliance priorities addresses regulatory control gaps while improving the organisation’s security posture. Respondents revealed insights on how they handle compliance, who is responsible for compliance and security responsibilities, and what compliance-related security challenges organisations face.

Additional findings:

• Companies found the need to shift their information security strategy to address compliance priorities (93%).

• Information security and IT compliance priorities are generally aligned (89%).

• Existing security tools have to address data privacy considerations going forward (76%).

• Managing an organisation’s multiple IT environments and the controls that govern those environments is the greatest challenge in the IT audit and compliance space (39%).

https://www.helpnetsecurity.com/2022/06/24/companies-infosec-compliance-priorities/

• Businesses Risk ‘Catastrophic Financial Loss’ from Cyber Attacks, US Watchdog Warns

A US Government watchdog has warned that private insurance companies are increasingly backing out of covering damages from major cyber attacks — leaving businesses facing “catastrophic financial loss” unless another insurance model can be found.

The growing challenge of covering cyber risk is outlined in a new report from the Government Accountability Office (GAO), which calls for a government assessment of whether a federal cyber insurance option is needed.

The report draws on threat assessments from the National Security Agency (NSA), Office of the Director of National Intelligence (ODNI), Cybersecurity and Infrastructure Security Agency (CISA), and Department of Justice, to quantify the risk of cyber attacks on critical infrastructure, identifying vulnerable technologies that might be attacked and a range of threat actors capable of exploiting them.

Citing an annual threat assessment released by the ODNI, the report finds that hacking groups linked to Russia, China, Iran, and North Korea pose the greatest threat to US infrastructure — along with certain non-state actors like organised cyber criminal gangs.

Given the wide and increasingly skilled range of actors willing to target US entities, the number of cyber incidents is rising at an alarming rate.

https://www.theverge.com/2022/6/23/23180115/gao-infrastructure-catastrophic-financial-loss-cyberattacks-insurance

Threats

Ransomware

• Attackers exploited a Mitel VOIP zero-day to compromise a network Security Affairs

• Chinese hackers use ransomware as decoy for cyber espionage (bleepingcomputer.com)

• If you don't store valuable data, ransomware is impotent • The Register

• Ransomware-as-a-Service: Learn to Enhance Cyber security Approaches (analyticsinsight.net)

• Mitigate Ransomware in a Remote-First World (thehackernews.com)

• Delivery Firm Yodel Scrambling to Restore Operations Following Cyber attack | SecurityWeek.Com

• Black Basta Ransomware Becomes Major Threat in Two Months | SecurityWeek.Com

• These hackers are spreading ransomware as a distraction - to hide their cyber spying | ZDNet

• Conti ransomware hacking spree breaches over 40 orgs in a month (bleepingcomputer.com)

• Conti effectively created an extortion-oriented IT company, says Group-IB - Help Net Security

• Conti ransomware finally shuts down data leak, negotiation sites (bleepingcomputer.com)

• Conti ransomware group's pulse stops, but did it fake its own death? | Malwarebytes Labs

• Without Conti on the Scene, LockBit 2.0 Leads Ransomware Attacks (darkreading.com)

• Cyber attack: Gloucester council services still not back to normal - BBC News

Phishing & Email Based Attacks

• Your email is a major source of security risks and it's getting worse | ZDNet

• New Phishing Attack Infects Devices with Cobalt Strike- IT Security Guru

• Voicemail phishing emails steal Microsoft credentials • The Register

• The Risk of Multichannel Phishing Is on the Horizon (darkreading.com)

• Cops arrests nine suspected of stealing millions via email • The Register

• Cyber criminals Use Azure Front Door in Phishing Attacks - Security Affairs

• Microsoft Exchange servers hacked by new ToddyCat APT gang (bleepingcomputer.com)

• Cyber attackers Abuse QuickBooks Cloud Service in 'Double-Spear' Campaign (darkreading.com)

Other Social Engineering

• Proofpoint: Social engineering attacks slipping past users (techtarget.com)

• #InfosecurityEurope2022: Actions Not Words: Hacking the Human Through Social Engineering - Infosecurity Magazine

• Inside a large-scale phishing campaign targeting millions of Facebook users - Help Net Security

Malware

• RIG Exploit Kit Now Infects Victims' PCs With Dridex Instead of Raccoon Stealer (thehackernews.com)

• Organisations Battling Phishing Malware, Viruses the Most (darkreading.com)

• This Linux botnet has found a novel way of spreading to new devices | ZDNet

• New 'Quantum' Builder Lets Attackers Easily Create Malicious Windows Shortcuts (thehackernews.com)

• NSA warns against silly mistake in the fight against Windows malware | TechRadar

Mobile

• This Android malware is so dangerous, even Google is worried | TechRadar

• Google is notifying Android users targeted by Hermit government-grade spyware | TechCrunch

• Google Says ISPs Helped Attackers Infect Targeted Smartphones with Hermit Spyware (thehackernews.com)

• This phone-wiping Android banking trojan is getting nastier | ZDNet

• BRATA Android Malware Group Now Classified As Advanced Persistent Threat - Infosecurity Magazine

• Spurred by Roe overturn, senators seek FTC probe of iOS and Android tracking | Ars Technica

Internet of Things – IoT

• Hackers can target Eufy Homebase 2 to spy on you (komando.com)

• Vulnerabilities in the Jacuzzi SmartTub app could allow to access users’ data - Security Affairs - Security Affairs

Data Breaches/Leaks

• US Bank Data Breach Impacts Over 1.5 Million Customers - Infosecurity Magazine

• CafePress fined $500,000 for breach affecting 23 million users (bleepingcomputer.com)

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

• Hackers steal $100 million from California cryptocurrency firm - CNN

• DARPA study finds blockchain not as decentralised as assumed • The Register

Insider Risk and Insider Threats

• Former Amazon Worker Convicted of Capital One Data Breach - Infosecurity Magazine

Fraud, Scams & Financial Crime

• Why Fraud On Linkedin A ‘Significant Threat’ To Platform And Consumer – Information Security Buzz

Supply Chain and Third Parties

• IT pros are not very confident in their organisation's supply chain security - Help Net Security

• #InfosecurityEurope2022: Tackling Widespread Data Breaches from Third Parties - Infosecurity Magazine

Cloud/SaaS

• Risk Disconnect in the Cloud (darkreading.com)

• Microsoft 365 Users in US Face Raging Spate of Attacks (darkreading.com)

• 7 Steps to Stronger SaaS Security (darkreading.com)

• Getting a Better Handle on Identity Management in the Cloud (darkreading.com)

• Researchers Uncover Ways to Break the Encryption of 'MEGA' Cloud Storage Service (thehackernews.com)

Identity and Access Management

• Risky behaviour reduced when executives put focus on identity security - Help Net Security

• Access management issues may create security holes (techtarget.com)

• IAM Research: Inadequate Programs Leave Organisations Open to Cyber Attacks - MSSP Alert

• Why 84% Of US Firms Hit With Identity-Related Breaches In 2021 – Information Security Buzz

Open Source

• Open-source software risks persist, according to new reports | CSO Online

• Less Than Half of Organisations Have Open Source Security Policy - Infosecurity Magazine

• Blind trust in open source security is hurting us: Report | ZDNet

Training, Education and Awareness

• #InfosecurityEurope2022: Security Awareness Must Be in the Moment - Infosecurity Magazine

Privacy

• Privacy-focused Brave Search grew by 5,000% in a year (bleepingcomputer.com)

• Supreme Court's Roe v. Wade reversal sparks calls for strengthening privacy - CyberScoop

Regulations, Fines and Legislation

• Do Privacy and Data Protection Regulations Create as Many Problems as They Solve? | SecurityWeek.Com

Law Enforcement Action and Take Downs

• Phishing gang behind millions in losses dismantled by police (bleepingcomputer.com)

• Euro Police Target Crime Groups Grooming Ukrainian Refugees Online - Infosecurity Magazine

Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine

• Microsoft: Russian Cyber Spying Targets 42 Ukraine Allies | SecurityWeek.Com

• Italian spyware firm is hacking into iOS and Android devices, Google says | Computerworld

• NSO claims 'more than 5' EU states used its Pegasus spyware • The Register

• #InfosecurityEurope2022: Geopolitical Tensions a “Danger” to Cyber security - Infosecurity Magazine

• Examples of Cyber Warfare #TrendTalksBizSec (trendmicro.com)

• Ukraine deploys a DDoS protection service to survive the cyberwar | VentureBeat

• Lithuania warns of rise in DDoS attacks against government sites (bleepingcomputer.com)

• Russia's APT28 Launches Nuke-Themed Follina Exploit Campaign (darkreading.com)

• Ukrainian cyber security officials disclose two new hacking campaigns - IT Security Guru

• Scalper bots out of control in Israel, selling state appointments (bleepingcomputer.com)

• Research questions potentially dangerous implications of Ukraine's IT Army - CyberScoop

• Lithuania under cyber-attack after ban on Russian railway goodsSecurity Affairs

• #InfosecurityEurope2022: Disinformation Warfare – How Do We Tackle Fake News? - Infosecurity Magazine

Nation State Actors

Nation State Actors – Russia

• Microsoft reveals extent of attacks by Russian hackers on Ukraine allies - and why Estonia is striking exception | World News | Sky News

• Russia Steps Up Cyber-Espionage Against Ukraine Allies - Infosecurity Magazine

• Ukrainian organisations warned of hacking attempts using CredoMap malware, Cobalt Strike beacons | ZDNet

• Fancy Bear Uses Nuke Threat Lure to Exploit 1-Click Bug | Threatpost

• Russian APT28 hacker accused of the NATO think tank hack in Germany - Security Affairs

• Russia fines Google for spreading ‘unreliable’ info defaming its army (bleepingcomputer.com)

Nation State Actors – China

• Chinese APT 'Bronze Starlight' Uses Ransomware to Disguise Cyberespionage | SecurityWeek.Com

• Chinese Tropic Trooper APT spreads a hacking tool laced with a backdoor - Security Affairs

• Chinese hackers target script kiddies with info-stealer trojan (bleepingcomputer.com)

Nation State Actors – Iran

• False Air Raid Sirens in Israel Possibly Triggered by Iranian Cyber Attack | SecurityWeek.Com

Nation State Actors – Misc APT

• Elusive ToddyCat APT Targets Microsoft Exchange Servers | Threatpost

• APT Groups Swarming on VMware Servers with Log4Shell (darkreading.com)

• How APTs Are Achieving Persistence Through IoT, OT, and Network Devices (darkreading.com)

Vulnerability Management

• Why We're Getting Vulnerability Management Wrong (darkreading.com)

Vulnerabilities

• Cisco warns of security holes in its security appliances • The Register

• Citrix Releases Security Updates for Hypervisor | CISA

• Google Patches 14 Vulnerabilities With Release of Chrome 103 | SecurityWeek.Com

• Cisco will not address critical RCE in end-of-life Small Business RV routers - Security Affairs

• Google expert detailed a 5-Year-Old flaw in Apple Safari exploited in the wild - Security Affairs

• Oracle spent 6 months to fix 'Mega' flaws in the Fusion Middleware - Security Affairs

• Researchers criticize Oracle's vulnerability disclosure process (techtarget.com)

• Critical PHP Vulnerability Exposes QNAP NAS Devices to Remote Attacks (thehackernews.com)

Sector Specific

Financial Services Sector

• Flagstar Bank discloses data breach impacting 1.5 million customers (bleepingcomputer.com)

• 7 Cyber security Best Practices for Financial Services Firms - MSSP Alert

• Why Financial Institutions Must Double Down on Open Source Investments (darkreading.com)

• 10 Biggest Data Breaches in Finance | UpGuard

SMBs – Small and Medium Businesses

• How tool sprawl is becoming a common issue for SMEs - Help Net Security

• Middle market companies under attack: Threats coming from all directions - Help Net Security

• #InfosecurityEurope2022: How Should SMEs Defend Against Cyber-Risks? - Infosecurity Magazine

Legal

• #InfosecurityEurope2022: Lawyers Update Security for New Ways of Working - Infosecurity Magazine

Health/Medical/Pharma Sector

• Healthcare breaches on the rise in 2022 (techtarget.com)

Retail/eCommerce

• Magecart attacks are still around. And they are becoming more stealthy | ZDNet

• Newly Discovered Magecart Infrastructure Reveals the Scale of Ongoing Campaign- IT Security Guru

Manufacturing

• Automotive fabric supplier TB Kawashima announces cyber attack (bleepingcomputer.com)

CNI, OT, ICS, IIoT and SCADA

• Researchers disclose 56 vulnerabilities impacting thousands of OT devices - Help Net Security

• Operational Technology (OT) Security and Cyber attacks: Research Reveals Key Trends - MSSP Alert

• How To Minimise Your OT Blind Spots – Information Security Buzz

Reports Published in the Last Week

• State of Open Source Security 2022 | Snyk

Other News

• Threat Intelligence Services Are Universally Valued by IT Staff (darkreading.com)

• #InfosecurityEurope2022 Firms Face Emerging Threats as Bad Actors Evade Defences - Infosecurity Magazine

• Security pros increasingly plan to adopt MDR services in the next 12 months - Help Net Security

• Board members and the C-suite need secure communication tools - Help Net Security

• Adobe Acrobat may block antivirus tools from monitoring PDF files (bleepingcomputer.com)

• 7 Ways to Avoid Worst-Case Cyber Scenarios (darkreading.com)

• 3 threats dirty data poses to the enterprise (techtarget.com)

• Data recovery depends on how good your backup strategy is - Help Net Security

• Unsecured APIs Could Be Costing Firms $75bn Per Year - Infosecurity Magazine

• The Rise, Fall, and Rebirth of the Presumption of Compromise (darkreading.com)

• AI Is Not a Security Silver Bullet (darkreading.com)

• #InfosecurityEurope2022: Are You Prepared For The Next Big Crisis? - Infosecurity Magazine

• Ongoing PowerShell security threats prompt a call to action (techtarget.com)

• Despite known security issues, VPN usage continues to thrive - Help Net Security

• Space-based assets aren’t immune to cyber attacks | CSO Online

• Cyber security expert on how $13K of fuel was stolen from station (wtvr.com)

• Cloudflare Outage Knocks Hundreds of Websites Offline - Infosecurity Magazine (infosecurity-magazine.com)

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

UK Warned To Bolster Defences Against Cyber Attacks As Russia Threatens Ukraine - BBC News

UK organisations are being urged to bolster their defences amid fears cyber attacks linked to the conflict in Ukraine could move beyond its borders.

The National Cyber Security Centre (NCSC) has issued new guidance, saying it is vital companies stay ahead of a potential threat.

The centre said it was unaware of any specific threats to UK organisations.

It follows a series of cyber attacks in Ukraine which are suspected to have involved Russia, which Moscow denies.

In December 2015, engineers in Ukrainian power stations saw cursors on their computer screens moving by themselves. They had been hacked. Hundreds of thousands of people lost power for hours.

It was the first time a power station had been taken offline, a sign that cyber intrusions were moving beyond stealing information into disrupting the infrastructure on which everyday life depends. Russia was blamed.

"It was a complex operation," says John Hultquist, an expert on Russian cyber operations at the US security firm Mandiant. "They even disrupted the telephone lines so that the engineers couldn't make calls."

Ukraine has been on the front line of a cyber conflict for years. But if Russia does invade the country soon, tanks and troops will still be at the forefront.

https://www.bbc.co.uk/news/uk-60158874

Cyber Attacks And Ransomware Hit A New Record In 2021, Says Report

Ransomware attacks have doubled for the past two years, says a new report—but a lot of people aren’t bothering to change their passwords.

Hackers made up for some lost time last year.

After seeing the number of data breaches decline in 2020, the Identity Theft Resource Center’s 16th Annual Data Breach Report says the number of security compromises was up more than 68% in 2021. That tops the all-time high by a shocking 23%.

All told, there were 1,862 breaches last year, says the ITRC, 356 more than in 2017, the previous busiest year on record.

“Many of the cyber attacks committed were highly sophisticated and complex, requiring aggressive defences to prevent them,” Eva Velasquez, ITRC president and CEO, said in a statement. “If those defences failed, too often we saw an inadequate level of transparency for consumers to protect themselves from identity fraud.”

https://www.fastcompany.com/90715622/cyberattacks-ransomware-data-breach-new-record-2021

Ransomware Families Becoming More Sophisticated With Newer Attack Methods

Ivanti, Cyber Security Works and Cyware announced a report which identified 32 new ransomware families in 2021, bringing the total to 157 and representing a 26% increase over the previous year.

The report also found that these ransomware groups are continuing to target unpatched vulnerabilities and weaponize zero-day vulnerabilities in record time to instigate crippling attacks. At the same time, they are broadening their attack spheres and finding newer ways to compromise organisational networks and fearlessly trigger high-impact assaults.

https://www.helpnetsecurity.com/2022/01/28/new-ransomware-families/

More Than 90% Of Enterprises Surveyed Have Been Hit By Successful Cyber Attacks

Cyber attacks can impact any organisation, big or small. But large enterprises are often more tempting targets due to the vast amount of lucrative data they hold. A new report from cyber security firm Anomali reveals an increase in successful cyber attacks and offers ideas on how organisations can better protect themselves.

Published on Thursday, the "2022 Anomali Cyber security Insights Report" is based on a survey of 800 cyber security decision makers commissioned by Anomali and conducted by Harris between September 9 and October 13 of 2021. The survey elicited responses from professionals in the US, UK, Canada and other countries who work full time in such industries as manufacturing, telecommunications and financial services.

Among the respondents, 87% said that their organisations were victims of successful cyber attacks sometime over the past three years. In this case, a successful attack is one that caused damage, disruption or a data breach. Since the pandemic started almost two years ago, 83% of those polled have experienced an increase in attempted cyber attacks, while 87% have been hit with a rise in phishing emails, many of them exploiting coronavirus-related themes.

https://www.techrepublic.com/article/more-than-90-of-enterprises-surveyed-have-been-hit-by-successful-cyberattacks/

Ransomware Gangs Increase Efforts To Enlist Insiders For Attacks

A recent survey of 100 large (over 5,000 employees) North American IT firms shows that ransomware actors are making greater effort to recruit insiders in targeted firms to aid in attacks.

The survey was conducted by Hitachi ID, which performed a similar study in November 2021. Compared to the previous survey, there has been a 17% rise in the number of employees offered money to aid in ransomware attacks against their employer.

Most specifically, 65% of the survey respondents say that they or their employees were approached between December 7, 2021, and January 4, 2022, to help hackers establish initial access.

https://www.bleepingcomputer.com/news/security/ransomware-gangs-increase-efforts-to-enlist-insiders-for-attacks/

Shipment-Delivery Scams Become the Favoured Way to Spread Malware

Attackers increasingly are spoofing the courier DHL and using socially engineered messages related to packages to trick users into downloading Trickbot and other malicious payloads.

Threat actors are increasingly using scams that spoof package couriers like DHL or the U.S. Postal Service in authentic-looking phishing emails that attempt to dupe victims into downloading credential-stealing or other malicious payloads, researchers have found.

Researchers from Avanan, a Check Point company, and Cofense have discovered recent phishing campaigns that include malicious links or attachments aimed at infecting devices with Trickbot and other dangerous malware, they reported separately on Thursday.

The campaigns separately relied on trust in widely used methods for shipping and employees’ comfort with receiving emailed documents related to shipments to try to elicit further action to compromise corporate systems, researchers said.

https://threatpost.com/shipment-delivery-scams-a-fav-way-to-spread-malware/178050/

Most Ransomware Infections Are Self-Installed

New research from managed detection and response (MDR) provider Expel found that most ransomware attacks in 2021 were self-installed.

The finding was included in the company’s inaugural annual report on cyber security trends and predictions, Great eXpeltations, published on Thursday.

Researchers found eight out of ten ransomware infections occurred after victims unwittingly opened a zipped file containing malicious code. Abuse of third-party access accounted for 3% of all ransomware incidents, and 4% were caused by exploiting a software vulnerability on the perimeter.

The report was based on the analysis of data aggregated from Expel’s security operations center (SOC) concerning incidents spanning January 1 2021 to December 31 2021.

Other key findings were that 50% of incidents were BEC (business email compromise) attempts, with SaaS apps a top target.

https://www.infosecurity-magazine.com/news/most-ransomware-infections-self/

Staff Negligence Is Now A Major Reason For Insider Security Incidents

Insider threats cost organisations approximately $15.4 million every year, with negligence a common reason for security incidents, new research suggests.

Enterprise players today are facing cyber security challenges from every angle. Weak endpoint security, unsecured cloud systems, vulnerabilities -- whether unpatched or zero-days -- the introduction of unregulated internet of things (IoT) devices to corporate networks and remote work systems can all become conduits for a cyber attack to take place.

When it comes to the human element of security, a lack of training or cyber security awareness, mistakes, or deliberate, malicious actions also needs to be acknowledged in managing threat detection and response.

https://www.zdnet.com/article/employee-contractor-negligence-is-now-a-major-reason-for-insider-security-incidents/

22 Cyber Security Myths Organisations Need To Stop Believing In 2022

Security teams trying to defend their organisations need to adapt quickly to new challenges. Yesterday’s buzzwords and best practices have become today’s myths.

The past few years have seen a dramatic shift in how organisations protect themselves against attackers. The hybrid working model, fast-paced digitalization, and increased number of ransomware incidents have changed the security landscape, making CISOs' jobs more complex than ever.

This convoluted environment requires a new mindset to defend, and things that might have held true in the past might no longer be useful. Can digital certificates' expiration dates still be managed in a spreadsheet? Is encryption 'magic dust'? And are humans actually the weakest link?

Security experts weigh in the 22 cyber security myths that we finally need to retire in 2022.

https://www.csoonline.com/article/3648048/22-cybersecurity-myths-organisations-need-to-stop-believing-in-2022.html

Android Malware Can Factory-Reset Phones After Draining Bank Accounts

A banking-fraud trojan that has been targeting Android users for three years has been updated to create even more grief. Besides draining bank accounts, the trojan can now activate a kill switch that performs a factory reset and wipes infected devices clean.

Brata was first documented in a post from security firm Kaspersky, which reported that the Android malware had been circulating since at least January 2019. The malware spread primarily through Google Play but also through third-party marketplaces, push notifications on compromised websites, sponsored links on Google, and messages delivered by WhatsApp or SMS. At the time, Brata targeted people with accounts from Brazil-based banks.

https://arstechnica.com/information-technology/2022/01/android-malware-can-factory-reset-phones-after-draining-bank-accounts/

GDPR Fines Surged Sevenfold to $1.25 Billion in 2021: Study

Fines issued for GDPR non-compliance increased sevenfold from 2020 to 2021, analysis shows

In its latest annual GDPR summary, international law firm DLA Piper focuses attention in two areas: fines imposed and the evolving effect of the Schrems II ruling of 2020. Fines are increasing and Schrems II issues are becoming more complex.

Fines issued for GDPR non-compliance increased significantly (sevenfold) in 2021, from €158.5 million (approximately $180 million) in 2020 to just under €1.1 billion (approximately $1.25 billion) in 2021. The largest fines came from Luxembourg against Amazon (€746 million / $846 million), and Ireland against WhatsApp (€225 million / $255 million). Both are currently being appealed.

The WhatsApp fine is interesting. The original fine proposed by the Irish Data Protection Commission (DPC) was for €30 million to €50 million. However, other European regulators objected, and the European Data Processing Board (EDPB) adjudicated – instructing Ireland to increase the fine by 350%.

https://www.securityweek.com/gdpr-fines-surged-sevenfold-125-billion-2021-study

Cyber Security In 2022 – A Fresh Look At Some Very Alarming Stats

Last year Forbes wrote a couple of articles  that highlighted some of the more significant cyber statistics associated with our expanding digital ecosystem.  In retrospect, 2021 was a very trying year for cyber security in so many areas. There were high profile breaches such as Solar Winds, Colonial Pipeline and dozens of others that had major economic and security related impact.  Ransomware came on with a vengeance targeting many small and medium businesses.  

Perhaps most worrisome was how critical infrastructure and supply chains security weaknesses were targeted and exploited by adversaries at higher rates than in the past.  Since it is only January, we are just starting to learn of some of the statistics that certainly will trend in 2022.  By reviewing the topics below, we can learn what we need to fortify and bolster in terms of cyber security throughout the coming year.

https://www.forbes.com/sites/chuckbrooks/2022/01/21/cybersecurity-in-2022--a-fresh-look-at-some-very-alarming-stats/

Buy now, pay later fraud, romance and cryptocurrency schemes top the list of threats this year

Experian released its annual forecast, which reveals five fraud threats for the new year. With consumers continuing to take a digital-first approach to everything from shopping, dating and investing, fraudsters are finding new and innovative ways to commit fraud.

The main areas they are predicting seeing rises in fraud are:

-Buy now, pay never

-Cryptocurrency scams

-Doubling ransomware attacks

-More increases in romance fraud

-Digital elder abuse will rise

https://www.helpnetsecurity.com/2022/01/26/fraud-threats-this-year/

Threats

Ransomware

• Ransomware: More Families, More Vulnerabilities, More Weaponry Dominate 2021 - MSSP Alert

• Linux Version Of LockBit Ransomware Targets VMware ESXi Servers (bleepingcomputer.com)

• BlackCat Ransomware Targeting US, European Retail, Construction And Transportation Orgs | ZDNet

• Conti Ransomware Hits Apple, Tesla Supplier - The Record by Recorded Future

Phishing

• There's Been A Big Rise In Phishing Attacks Using Microsoft Excel XLL Add-Ins | ZDNet

• Microsoft warns of multi-stage phishing campaign leveraging Azure AD (bleepingcomputer.com)

• Evolved phishing: Device Registration Trick Adds To Phishers’ Toolbox For Victims Without MFA - Microsoft Security Blog

Other Social Engineering

• Coronavirus SMS Scam Offers Home PCR Testing Devices – Don’t Fall For It! – Naked Security (sophos.com)

Malware

• Trickbot Injections Get Harder to Detect & Analyze (darkreading.com)

• Log4j: Mirai Botnet Found Targeting ZyXEL Networking Devices | ZDNet

• Hackers Infect macOS with New DazzleSpy Backdoor in Watering-Hole Attacks (thehackernews.com)

• TrickBot Malware Using New Techniques to Evade Web Injection Attacks (thehackernews.com)

Mobile

• 105 Million Android Users Targeted By Subscription Fraud Campaign (bleepingcomputer.com)

• 2FA App With 10,000 Google Play Downloads Loaded Well-Known Banking Trojan | Ars Technica

• New FluBot And TeaBot Campaigns Target Android Devices Worldwide (bleepingcomputer.com)

• Latest Version Of Android RAT BRATA Wipes Devices After Stealing Data - Security Affairs

• Is Google Tracking Your Location Even When You Think You’ve Turned It Off? US States Sue Over “Deception” • Graham Cluley

IoT

• As IoT Attacks Increase, Experts Fear More Serious Threats (darkreading.com)

• Mirai Splinter Botnets Dominate IoT Attack Scene | ZDNet

• Millions of Routers, IoT Devices at Risk as Malware Source Code Surfaces on GitHub (darkreading.com)

• 19-Year-Old Describes How He Remotely Hacked 25+ Teslas (businessinsider.com)

Data Breaches/Leaks

• 'We're Losing Control Of Our Data' As Breaches Reach An All-Time High | ZDNet

• Personal Identifying Information For 1.5 Billion Users Was Stolen In 2021, But From Where? - TechRepublic

Organised Crime & Criminal Actors

• Russia Makes More Arrests, But Cyber Crime-Harbouring Reputation Hard To Shake (scmagazine.com)

Cryptocurrency/Cryptomining/Cryptojacking

• People Are Still Getting Pwned a Week After a Crypto Hack Was ‘Contained’ (vice.com)

Supply Chain

• Aqua Security Reports Large Increase in Supply Chain Attacks (infoq.com)

DoS/DDoS

• Microsoft Mitigates Largest DDoS Attack 'Ever Reported In History' (bleepingcomputer.com)

• Nobel Foundation Site Hit By DDoS Attack On Award Day (bleepingcomputer.com)

CNI, OT, ICS, IIoT and SCADA

• Over 20,000 Data Center Management Systems Exposed To Hackers (bleepingcomputer.com)

• Energy Sector Still Needs to Shut the Barn Door (darkreading.com)

Nation State Actors

• North Korean Hackers Using Windows Update Service to Infect PCs with Malware (thehackernews.com)

• Russian APT29 Hackers' Stealthy Malware Undetected For Years (bleepingcomputer.com)

• North Korean Hackers Return with Stealthier Variant of KONNI RAT Malware (thehackernews.com)

• German Intel Warns Of APT27 Targeting Commercial Organisations - Security Affairs

• Threat Actors Use Microsoft OneDrive for Command-and-Control in Attack Campaign (darkreading.com)

• APTs Quiet Ahead Of Beijing Games, But Financially Motivated Hackers Are Still Lurking, Research Says - CyberScoop

Cloud

• Top 5 Cloud Security Data Breaches in Recent Years (makeuseof.com)

• Molerats Group Uses Public Cloud Services As Attack Infrastructure - Security Affairs

Privacy

• UK’s Privacy Tsar Mounts Fierce Defence of End-to-End Encryption - Infosecurity Magazine

Passwords & Credential Stuffing

• 65% Of Organisations Continue To Rely On Shared Logins - Help Net Security

• Strong Security Starts With The Strengthening Of The Weakest Link: Passwords - Help Net Security

• Has That Password Been Compromised? - IT Security Guru

Spyware, Espionage & Cyber Warfare

• DazzleSpy: Pro-Democracy Org Hijacked To Become macOS Spyware Distributor | ZDNet

Vulnerabilities

• Ubiquitous Linux Bug: ‘An Attacker’s Dream Come True’ | Threatpost

• Outlook Security Feature Bypass Allowed Sending Malicious Links | SecurityWeek.Com

• Attackers Now Actively Targeting Critical SonicWall RCE Bug (bleepingcomputer.com)

• Patching the CentOS 8 Encryption Bug is Urgent – What Are Your Plans? (thehackernews.com)

• Apple Fixes New Zero-Day Exploited To Hack macOS, iOS Devices (bleepingcomputer.com)

• F5 Fixes 25 Flaws In BIG-IP, BIG-IQ, and NGINX Products - Security Affairs

Sector Specific

Health/Medical/Pharma Sector

• Healthcare Industry Most Common Victim Of Third-Party Breaches Last Year - Help Net Security

Education and Academia

• Education Sector Hounded By Cyber Attacks In 2021 | CSO Online

• Reports Published in the Last Week

• Identity Theft Resource Center’s 2021 Annual Data Breach Report Sets New Record for Number of Compromises - ITRC (idtheftcenter.org)

• Experian plc - Experian’s Annual Future of Fraud Forecast Predicts Five Key Threats for Businesses and Consumers in 2022

• Aqua Security Reports Large Increase in Supply Chain Attacks (infoq.com)

Other News

• Cyber Security: 11 Steps To Take As Threat Levels Increase | ZDNet

• Right of Boom: Can Your MSP Really Survive A Cyber Attack? - MSSP Alert

• Are You Prepared to Defend Against a USB Attack? (darkreading.com)

• Prioritizing And Remediating Vulnerabilities In The Wake Of Log4J and Microsoft's Patch Tuesday Blunder | CSO Online

• VW Fired Senior Employee After They Raised Cyber Security Concerns | Financial Times

• Microsoft Outlook RCE Zero-Day Exploits Now Selling For $400,000 (bleepingcomputer.com)

• Hackers Are Taking Over CEO Accounts With Rogue OAuth Apps (bleepingcomputer.com)

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.