Threat Intelligence Blog

Contact us to discuss any insights from our Blog, and how we can support you in a tailored threat intelligence report.

Black Arrow Admin Black Arrow Admin

Black Arrow Cyber Threat Briefing 19 April 2024

Black Arrow Cyber Threat Intelligence Briefing 19 April 2024:

-94% of Ransomware Victims Have Their Backups Targeted by Attackers

-Sharing IT Providers Is a Risk for Financial Services, Says IMF, as Rising Cyber Threats Pose Serious Concerns for Financial Stability

-Hackers are Threatening to Publish a Huge Stolen Sanctions and Financial Crimes Watchlist

-Your Annual Cyber Security Is Not Working, but There is a Solution

-73% of Security Professionals Say They’ve Missed, Ignored or Failed to Act on a High Priority Security Alert

-Russia and Ukraine Top Inaugural World Cyber Crime Index

-Police Takedown Major Cyber Fraud Superstore: Will the Cyber Crime Industry Become More Fragmented?

-Small Businesses See Stable Business Climate; Cite Cyber Security as Top Threat

-The Threat from Inside: 14% Surge in Insider Threats Compared to Previous Year

-Dark Web Sales Driving Major Rise in Credential Attacks as Attackers Pummel Networks with Millions of Login Attempts

-Large Enterprises Experience Breaches, Despite Large Security Stacks - Report Finds 93% of Breaches Lead to Downtime and Data Loss

-Charities Doing Worse than Private Sector in Staving off Cyber Attacks

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

94% of Ransomware Victims Have Their Backups Targeted by Attackers

Organisations that have backed up sensitive data may believe they are safe from the effects of ransomware attacks; however a new study by Sophos reported that cyber criminals attempted to compromise the backups of 94% of companies hit by ransomware in the past year. The research found that criminals can demand a higher ransom when they compromise an organisation’s backup data, and those victims are twice as likely to pay. The median ransom demand is $2.3 million when backups are compromised, compared to $1 million otherwise.

Additionally, sectors like state and local governments, along with media and entertainment, are particularly vulnerable with nearly all affected organisations experiencing backup compromises.

Source: [Tech Republic]

Sharing IT Providers Is a Risk for Financial Services, Says IMF, as Rising Cyber Threats Pose Serious Concerns for Financial Stability

The International Monetary Fund has found that with greater digitalisation and heightened geopolitical tensions comes a greater risk of cyber attack with systemic consequences. The IMF noted that losses more than quadrupled since 2017 to $2.5 billion.

The push for technology has led to a number of financial services institutions relying on third-party IT firms, increasing their susceptibility to cyber disruption on a wider scale and a potential ripple effect were a third party to be hit. Whilst such third parties can increase the cyber resilience of a financial services institution, they also expose the industry to systemwide shocks, the IMF reports.

The IMF recommend institutions should identify potential systematic risks in their third-party IT firms. If the organisation is unable to perform such risk assessments, they should seek the expert support of an independent cyber security specialist.

Sources: [The Banker] [IMF]

Hackers are Threatening to Publish a Huge Stolen Sanctions and Financial Crimes Watchlist

A cyber crime group named GhostR has claimed responsibility for stealing 5.3 million records from the World-Check database, which companies use for "know your customer" (KYC) checks to screen potential clients for financial crime risks. The data theft occurred in March and originated from a Singapore-based firm with access to World-Check. The London Stock Exchange Group (LSEG), which owns World-Check, confirmed that the breach involved a third-party's dataset and not their systems directly. The stolen data includes sensitive information on individuals identified as high-risk, such as government-sanctioned figures and those linked to organised crime. LSEG is coordinating with the affected third party and authorities to protect the compromised data and prevent its dissemination.

Source: [TechCrunch]

Your Annual Cyber Security Is Not Working, But There is a Solution

Most organisations utilise annual security training in an attempt to ensure every department develops their cyber awareness skills and is able to spot and report a threat. However, this training is often out of date. Additionally, often training has limited interactivity, failing to capture and maintain employees’ attention and retention. On top of this, many training courses fail to connect employees to real-world scenarios that could occur in their specific job.

To get the most return on investment, organisations need to have more regular education, with the aim of long-term behavioural shifts in the work place, nudging employees towards greater cyber hygiene.

Source: [TechRadar]

73% of Security Professionals Say They’ve Missed, Ignored or Failed to Act on a High Priority Security Alert

A new survey from Coro, targeting small medium enterprises (SME) cyber security professionals, reveals that 73% have missed or ignored high priority security alerts due to overwhelming workloads and managing multiple security tools. The 2024 SME Security Workload Impact Report highlights that SMEs are inundated with alerts and responsibilities, which dilute their focus from critical security threats. On average, these professionals manage over 11 security tools and spend nearly five hours daily on tasks like monitoring and patching vulnerabilities. Respondents handle an average of over 2,000 endpoint security agents across 656 devices, more than half dealing with frequent vendor updates.

Source: [Business Wire]

Russia and Ukraine Top Inaugural World Cyber Crime Index

The inaugural World Cybercrime Index (WCI) identifies Russia, Ukraine, and China as the top sources of global cyber crime. This index, the first of its kind, was developed over four years by an international team from the University of Oxford and the University of New South Wales, with input from 92 cyber crime experts. These experts ranked countries based on the impact, professionalism, and technical skills of their cyber criminals across five cyber crime categories, including data theft, scams, and money laundering. Russia topped the list, followed by Ukraine and China, highlighting their significant roles in high-tech cyber criminal activities. The index, expected to be updated regularly, aims to provide a clearer understanding of cyber crime's global geography and its correlation with national characteristics like internet penetration and GDP. Of note the UK and US also made the top ten list, so it is not just other countries we need to worry about.

Top ten Countries in full:

1.       Russia

2.       Ukraine

3.       China

4.       United States

5.       Nigeria

6.       Romania

7.       North Korea

8.       United Kingdom

9.       Brazil

10.   India

Source: [Infosecurity Magazine]

Police Takedown Major Cyber Fraud Superstore: Will the Cyber Crime Industry Become More Fragmented?

The London Metropolitan Police takedown of online fraud service LabHost serves as a reminder of the industrial scale on which cyber crimes are being performed, with the service amassing 480,000 debit or credit card numbers and 64,000 PINs: all for the subscription price of £300 a month. The site even included tutorial videos on how to commit crime and offered customer service.

Such takedowns can lead to fragmentation. The 2,000 individuals subscribed to LabHost may have lost access but where there is demand, supply will be found. The takedown of one service allows other, small services to fill the gap. As the saying goes ‘nature abhors a vacuum’ and it is especially true when it comes to cyber crime; there is too much business for empty spaces not to be filled.

Sources: [ITPro] [The Guardian]

Small Businesses See Stable Business Climate; Cite Cyber Security as Top Threat

Small businesses are experiencing a stable business climate, as reflected by the Small Business Index, indicating an increasing optimism about the economy. However, the recent surge in cyber attacks, including major assaults on UnitedHealth Group and MGM Resorts, has underscored the growing vulnerability of these businesses to cyber crime. Despite 80% of small to medium-sized enterprises feeling well-protected by their IT defences, a Devolutions survey reveals that 69% of them still fell victim to cyber attacks last year. This has led to cyber security being viewed as the greatest threat by 60% of small businesses, even surpassing concerns over supply chain disruptions and the potential for another pandemic.

The average cost of these attacks ranges from $120,000 to $1.24 million, leading to 60% of affected businesses closing within six months. This vulnerability is further compounded by a common underestimation of the ransomware threat. While 71% of businesses feel prepared for future threats, the depth of this preparedness varies, with only 23% feeling very prepared for cyber security challenges.

Sources: [Claims Journal] [Inc.com]

The Threat from Inside: Insider Threats Surge 14% Annually as Cost-of-Living Crisis Bites

Employee fraud grew significantly last year thanks to the opportunities afforded by remote working and the pressures of a cost-of-living crisis in the UK, according to Cifas, an anti-fraud non-profit. The number of individuals recorded in its cross-sector Insider Threat Database (ITD) increased 14% year-on-year (YoY) in 2023, with the most common reason being “dishonest action to obtain benefit by theft or deception” (49%).

Insider threats – both by accident or with malicious intent – by their own employees are overlooked, despite accounting for 58% of cybersecurity breaches in recent years. As a result, a large proportion of businesses may lack any strategy to address insider risks, leaving them vulnerable to financial, operational and reputational harm.

Source: [Infosecurity Magazine] [TechRadar]

Dark Web Sales Driving Major Rise in Credential Attacks as Attackers Pummel Networks with Millions of Login Attempts

Dark web sales are driving a major rise in credential attacks, with a surge in infostealer malware attacks over the last three years significantly heightening the cyber crime landscape. Kaspersky reports a sevenfold increase in data theft attacks, leading to the compromise of over 26 million devices since 2022. Cyber criminals stole roughly 400 million login credentials last year alone, often sold on dark web markets for as low as $10 per log file. These stolen credentials have become a lucrative commodity, fostering a complex economy of initial access brokers who facilitate broader corporate network infiltrations. The Asia-Pacific and Latin America regions have been particularly affected, with millions of credentials stolen annually.

Simultaneously, Cisco’s Talos team warns of a current credential compromise campaign targeting networks via mass login attempts to VPN, SSH, and web apps. Attackers use a mix of generic and specific usernames with nearly 100 passwords from about 4,000 IP addresses, likely routed through anonymising services (such as TOR). These attacks pose risks like unauthorised access, account lockouts, and potential denial-of-service. The attack volume has increased since 18 March this year mirroring a previous alert by Cisco about a similar campaign affecting VPNs. Despite method and infrastructure similarities, a direct link between these campaigns is yet to be confirmed.

Sources: [Ars Technica] [Data Breach Today]

Large Enterprises Experience Breaches, Despite Large Security Stacks; Report Finds 93% of Breaches Lead to Downtime and Data Loss

93% of enterprises admitting to having had a breach have suffered significant consequences, ranging from unplanned downtime to data exposure or financial loss, according to a recent report. 73% of organisations made changes to their IT environment at least quarterly, however only 40% tested their security at the same frequency. Unfortunately, this means that many organisations are facing a significant gap in which changes in the IT environment are untested, and therefore their risk unknown.

Security tools can aid this, however as the report finds, despite having a large number of security stacks, 51% still reported a breach in the past 24 months. Organisations must keep in mind that security extends beyond the technical realm, and it needs to include people and operations.

Sources: [Infosecurity Magazine] [Help Net Security]

Charities Doing Worse than Private Sector in Staving off Cyber Attacks

Recent UK Government data reveals a significant cyber security challenge for charities, with about a third experiencing breaches this past year, equating to nearly 924,000 cyber crimes. Notably, 83% of these incidents involved phishing, with other prevalent threats including fraud emails and malware. The data found that 63% of charities said cyber security was a high priority for senior management, however, charities lag behind the private sector in adopting security monitoring tools and conducting risk assessments.

Additionally, while half of the charities implement basic cyber hygiene defences like malware protection and password policies, only about 40% seek external cyber security guidance.

Source: [TFN]

Governance, Risk and Compliance

Threats

Ransomware, Extortion and Destructive Attacks

Ransomware Victims

Phishing & Email Based Attacks

Other Social Engineering

Artificial Intelligence

2FA/MFA

Malware

Mobile

Denial of Service/DoS/DDOS

Internet of Things – IoT

Data Breaches/Leaks

Organised Crime & Criminal Actors

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

Insider Risk and Insider Threats

Insurance

Cloud/SaaS

Identity and Access Management

Linux and Open Source

Passwords, Credential Stuffing & Brute Force Attacks

Social Media

Malvertising

Training, Education and Awareness

Regulations, Fines and Legislation

Models, Frameworks and Standards

Backup and Recovery

Data Protection

Careers, Working in Cyber and Information Security

Law Enforcement Action and Take Downs

Misinformation, Disinformation and Propaganda

Nation State Actors, Advanced Persistent Threats (APTs), Cyber Warfare, Cyber Espionage and Geopolitical Threats/Activity

Cyber Warfare and Cyber Espionage

China

Russia

Iran

North Korea

Other Nation State Actors, Hacktivism, Extremism, Terrorism and Other Geopolitical Threat Intelligence

Vulnerability Management

Vulnerabilities

Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

·         Automotive

·         Construction

·         Critical National Infrastructure (CNI)

·         Defence & Space

·         Education & Academia

·         Energy & Utilities

·         Estate Agencies

·         Financial Services

·         FinTech

·         Food & Agriculture

·         Gaming & Gambling

·         Government & Public Sector (including Law Enforcement)

·         Health/Medical/Pharma

·         Hotels & Hospitality

·         Insurance

·         Legal

·         Manufacturing

·         Maritime

·         Oil, Gas & Mining

·         OT, ICS, IIoT, SCADA & Cyber-Physical Systems

·         Retail & eCommerce

·         Small and Medium Sized Businesses (SMBs)

·         Startups

·         Telecoms

·         Third Sector & Charities

·         Transport & Aviation

·         Web3

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Read More
Black Arrow Admin Black Arrow Admin

Black Arrow Cyber Threat Briefing 10 September 2021

Black Arrow Cyber Threat Briefing 10 September 2021

-91% Of IT Teams Have Felt 'Forced' To Trade Security For Business Operations

-Ransomware Attacks Increased Exponentially In 2021

-One In Three Suspect Phishing Emails Reported By Employees Really Are Malicious

-Hackers Shift From Malware To Credential Hijacking

-Attacker Breakout Time Now Less Than 30 Minutes

-Hackers Leak VPN Account Passwords From 87,000 Fortinet FortiGate Devices

-The Impact Of Ransomware On Cyber Insurance Driving The Need For Broader Cyber Security Knowledge

-Hackers Exploit Camera Vulnerabilities To Spy On Parents

-39% Of All Internet Traffic Is From Bad Bots

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

91% Of IT Teams Have Felt 'Forced' To Trade Security For Business Operations

A new survey suggests that most IT staff have felt pressured to ignore security concerns in favour of business operations. On Thursday, a new study report was released, which combines data from an online YouGov survey targeting office workers that adopted WFH and global research conducted with IT decision-makers. In total, 91% of those surveyed said that they have felt "pressured" to compromise security due to the need for business continuity during the COVID-19 pandemic. 76% of respondents said that security had taken a backseat, and furthermore, 83% believe that working from home has created a "ticking time bomb" for corporate security incidents. https://www.zdnet.com/article/91-of-it-teams-have-felt-forced-to-trade-security-for-business-operations/

Ransomware Attacks Increased Exponentially In 2021

The growing threat of ransomware has been highlighted by NCC Group's Research Intelligence and Fusion Team (RIFT) analysis. Between January-March 2021 and April-June 2021, the number of ransomware assaults studied by the team climbed by 288%, indicating that enterprises are still facing waves of digital extortion in the form of targeted ransomware. https://www.ehackingnews.com/2021/09/ransomware-attacks-increased.html

Phishing Attacks: One In Three Suspect Emails Reported By Employees Really Are Malicious

All the time spent ticking boxes in cyber security training sessions seems to be paying off after all: according to a new report, about a third of emails reported by employees really are malicious or highly suspect, demonstrating the effectiveness of the well-established maxim "Think before you click".  Researchers analysed over 200,000 emails that were flagged by employees from organisations across the globe in the first half of 2021 and found that 33% of the reports could be classified as phishing. https://www.zdnet.com/article/phishing-attacks-one-in-three-suspect-emails-reported-by-employees-really-are-malicious/

Hackers Shift From Malware To Credential Hijacking

Adversaries are relying less on malware to conduct attacks that are consequently more difficult to detect, according to an annual report conducted by researchers. “According to data from our customer base indexed by Threat Graph, 68% of detections from the last three months were not malware-based,” reads the report released Wednesday. “Attackers are increasingly attempting to accomplish their objectives without writing malware to the endpoint, using legitimate credentials and built-in tools (living off the land)—which are deliberate efforts to evade detection by traditional antivirus products.” https://www.nextgov.com/cybersecurity/2021/09/report-hackers-shift-malware-credential-hacking/185209/

Attacker Breakout Time Now Less Than 30 Minutes

The average time it takes threat actors to move from initial access to lateral movement has fallen by 67% over the past year, putting extra pressure on security operations (SecOps) teams, according to researchers. The findings come from researchers own investigations with customers across around 248,000 unique global endpoints. For incidents where this “breakout time” could be derived over the past year, it averaged just 1 hour 32 minutes. However, in over a third (36%) of intrusions, adversaries managed to move laterally to additional hosts in under 30 minutes. https://www.infosecurity-magazine.com/news/attacker-breakout-time-now-less/

Hackers Leak VPN Account Passwords From 87,000 Fortinet FortiGate Devices

Network security solutions provider Fortinet confirmed that a malicious actor had unauthorizedly disclosed VPN login names and passwords associated with 87,000 FortiGate SSL-VPN devices. "These credentials were obtained from systems that remained unpatched at the time of the actor's scan. While they may have since been patched, if the passwords were not reset, they remain vulnerable," the company said in a statement on Wednesday. https://thehackernews.com/2021/09/hackers-leak-vpn-account-passwords-from.html

53% Find It Difficult To Prevent An Insider Attack During Data Aggregation

Recent data from researchers found that 53% of companies find it impossible or very difficult to prevent an insider attack when data is being aggregated, a key indicator of intent of an attack. The vast majority of security threats follow a pattern or sequence of activity leading up to an attack, and insider threats are no exception. To fully understand any insider incident, visibility into the entire kill chain of an attack is imperative to preventing the exfiltration of critical data. https://venturebeat.com/2021/09/02/53-find-it-difficult-to-prevent-an-insider-attack-during-data-aggregation/

The Impact Of Ransomware On Cyber Insurance Driving The Need For Broader Cyber Security Knowledge

Not only have ransomware attacks spiked, the amount of ransom demanded has grown exponentially—to somewhere between $50 and $70 million dollars. Cyber Insurers can’t cover “whatever amount the hacker demands”—so major policies lost money. Insurers have responded by raising premiums, restricting coverage, or even getting out of the cyber-insurance game altogether in vulnerable markets. https://www.helpnetsecurity.com/2021/09/10/cyber-insurance-ransomware/

Hackers Exploit Camera Vulnerabilities To Spy On Parents

Various zero day vulnerabilities in home baby monitor could be compromised that lets threat actors hack into camera feed and put malicious codes like malware. The security issues were found in the IoT gadgets, made by China based developer Victure, that were found by researchers. In a security report, researchers revealed about the stack-based buffer flaw present in ONVIF server Victure PC420 component camera that allows hackers to plant remote codes on the victim device. When compromised, hacker can discover cameras (not owned by them) and command devices to broadcast camera feeds to third party and exploit the camera firmware. https://www.ehackingnews.com/2021/09/hackers-exploit-camera-vulnerabilities.html

39% Of All Internet Traffic Is From Bad Bots

Automated traffic takes up 64% of internet traffic – and whilst just 25% of automated traffic was made up by good bots, such as search engine crawlers and social network bots, 39% of all traffic was from bad bots, a Barracuda report reveals.

These bad bots include both basic web scrapers and attack scripts, as well as advanced persistent bots. These advanced bots try their best to evade standard defences and attempt to perform their malicious activities under the radar. The report revealed that the most common of these persistent bots were ones that went after e-commerce applications and login portals. https://www.helpnetsecurity.com/2021/09/07/bad-bots-internet-traffic/

Threats

Ransomware

BEC

Phishing

Other Social Engineering

Malware

Mobile

IOT

Vulnerabilities

Data Breaches/Leaks

Organised Crime & Criminal Actors

Cryptocurrency/Cryptojacking

Insider Threats

DoS/DDoS

Nation State Actors

Cloud

Privacy

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Read More
Black Arrow Admin Black Arrow Admin

Black Arrow Cyber Threat Briefing 03 September 2021

Black Arrow Cyber Threat Briefing 03 September 2021

-Ransomware Attacks Soar 288% in H1 2021

-Ransomware Costs Expected To Reach $265 Billion By 2031

-Brute Force Email Attacks and Account Takeover Attempts Rise 671%, Reaching Unprecedented Levels, Causing Financial And Reputational Damage

-Investigation Into Hacked "Map" Of UK Gun Owners

-Eight US Financial Services Firms Given Six-Figure Fines Over BEC Data Breaches

-Ransomware Has Been A ‘Game Changer’ For Cyber Insurance

-WhatsApp hit with $267 million GDPR fine for bungling user privacy disclosure

-Microsoft Warns About Open Redirect Phishing Campaign

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week 

Ransomware Attacks Soar 288% in First Half of 2021

The number of ransomware attacks surged by 288% between the first and second quarters of 2021 as double extortion attempts grew, according to the latest data.

Nearly a quarter (22%) of data leaks in the second quarter came from the Conti ransomware group, who typically gain initial network access to victim organisations via phishing emails.

It’s an unfortunate fact that no organisation in any sector is safe from ransomware today.

Targets range from IT companies and suppliers to financial institutions and critical national infrastructure providers, with ransomware-as-a-service increasingly being sold by ransomware gangs in a subscription model. https://www.infosecurity-magazine.com/news/ransomware-attacks-soar-half-2021/  

Ransomware Costs Expected To Reach $265 Billion By 2031

Think ransomware is expensive now? It’s not predicted to get any cheaper over the next decade. Ransoms could cost victims a collective total of $265 billion by 2031. The estimate is based on the prediction that the price tag will increase 30% every year over the next 10 years. https://securityintelligence.com/news/ransomware-costs-expected-265-billion-2031/ 

Brute Force Email Attacks and Account Takeover Attempts Rise 671%, Reaching Unprecedented Levels, Causing Financial And Reputational Damage

A new Email Threat Report for Q3 2021 examines the escalating adverse impact of socially-engineered and never-seen-before email attacks, and other advanced email threats—both financial and reputational—to organisations worldwide. The report surveyed advanced email attacks across eight major industry sectors, including retail and consumer goods, manufacturing, technology, energy and infrastructure services, medical, media and television, finance, and hospitality.

The report also finds 61% of organisations experienced a vendor email compromise/supply chain attack in Q2 2021.

Key report findings include:

  • 32.5% of all companies were targeted by brute force attacks in early June 2021

  • 137 account takeovers occurred per 100,000 mailboxes for members of the C-suite

  • 61% of organisations experienced a vendor email compromise attack this quarter

  • 22% more business email compromise attacks since Q4 2020

  • 60% chance of a successful account takeover each week for organisations with 50,000+ employees

  • 73% of all advanced threats were credential phishing attacks

  • 80% probability of attack every week for retail and consumer goods, technology, and media and television companies

https://finance.yahoo.com/news/brute-force-email-attacks-account-120100299.html  

Investigation Into Hacked "Map" Of UK Gun Owners

Gun-selling site Guntrader announced a data breach affecting more than 100,000 customers in July. This week, reports emerged that an animal rights activist blog had published the information. The group had formatted the data so it could be easily imported into mapping software to show individual homes. The National Crime Agency, which has been investigating the data breach and its fallout, said it "is aware that information has been published online as a result of a recent data breach which impacted Guntrader". https://www.bbc.co.uk/news/technology-58413847 

Eight US Financial Services Firms Given Six-Figure Fines Over BEC Data Breaches

The US Securities and Exchange Commission (SEC) has sanctioned multiple financial services firms for cyber security failures that led to the compromise of corporate email accounts and the personal data of thousands of individuals. The case was brought after the unauthorised takeover of cloud-based email accounts at Seattle-based KMS Financial Services, and subsidiaries of California-headquartered Cetera Financial Group and Iowa-based Cambridge Investment Group. https://portswigger.net/daily-swig/eight-us-financial-services-firms-given-six-figure-fines-over-bec-data-breaches

Ransomware Has Been A ‘Game Changer’ For Cyber Insurance

Ransomware attacks accounted for nearly one quarter of all cyber incidents globally last year, according to a software company. The researchers “think of December 2019 as the tipping point for when we started to see ransomware take hold”. The U.S. was hit by a barrage of ransomware attacks in 2019 that impacted at least 966 government agencies, educational establishments, and healthcare providers at a potential cost in excess of $7.5 billion. All of this has a massive knock-on affect for the Insurance firms. https://www.insurancejournal.com/news/national/2021/08/30/628672.htm 

Getting Ahead Of A Major Blind Spot For CISOs: Third-Party Risk

For many CISOs and security leaders, it was not long ago that their remit focused on the networks and digital ecosystems for their organisation alone. In today’s digital world, those days are a thing of the past with a growing number of businesses relying on third-party vendors to scale, save time and outsource expertise to stay ahead. With this change, new security risks affiliated with third-party vendors are more prevalent than ever before. https://www.helpnetsecurity.com/2021/09/01/getting-ahead-of-a-major-blind-spot-for-cisos-third-party-risk/ 

WhatsApp Hit With $267 Million GDPR Fine For Bungling User Privacy Disclosure

Ireland’s Data Protection Commission fined Facebook-owned messenger WhatsApp for $225 million for failing to provide users enough information about the data it shared with other Facebook companies.

The fine is the largest penalty that the Irish regulator has waged since the European Union data protection law, the General Data Protection Regulation, or GDPR, went into effect in 2018. https://www.cyberscoop.com/whatsapp-hit-with-267-million-gdpr-fine-for-bungling-user-privacy-disclosure/  

Microsoft Warns About Open Redirect Phishing Campaign

Microsoft’s Security Intelligence team is warning over phishing campaigns using open redirector links, links crafted to subvert normal inspection efforts. Smart users know to hover over links to see where they're going to lead, but these links are prepared for that type of user and display a safe destination designed to lure targets into a false sense of security. Click the link and you'll be redirected to a domain that appears legit (such as a Microsoft 365 login page, for example) and sets the stage for you to voluntarily hand over credentials to bad actors without even realising it until it's too late. https://www.windowscentral.com/microsoft-warns-about-open-redirect-phishing-campaign

Previous Employees With Access To Corporate Data Remain A Threat To Businesses

Offboarding employees securely is a key problem for business leaders, with 40% concerned that employees who leave a company retain knowledge of passwords that grant access to corporate data. This is according to a report, which found few organisations are implementing access management solutions that work with all applications, meaning most lack the ability to revoke access to all corporate data as soon as an employee leaves. https://www.helpnetsecurity.com/2021/09/02/previous-employees-access-data/

BEC Scammers Seek Native English Speakers On Underground

Looking for work? Speak fluent English? Capable of convincingly portraying a professional – as in, somebody a highly ranked corporate leader would talk to? If you lack scruples and disregard those pesky things called “laws,” it could be your lucky day: Cyber Crooks are putting up help-wanted ads, looking for native English speakers to carry out the social-engineering elements of business email compromise (BEC) attacks. https://threatpost.com/bec-scammers-native-english-speakers/169092/

Half Of Businesses Can't Spot These Signs Of Insider Cyber Security Threats

Most businesses are struggling to identify and detect early indicators that could suggest an insider is plotting to steal data or carry out other cyber attacks. Research suggests that over half of companies find it impossible or very difficult to prevent insider attacks. These businesses are missing indicators that something might be wrong. Those include unusual amounts of files being opened, attempts to use USB devices, staff purposefully circumventing security controls, masking their online activities, or moving and saving files to unusual locations. All these and more might suggest that a user is planning malicious activity, including the theft of company data. https://www.zdnet.com/article/half-of-businesses-cant-spot-these-signs-of-insider-cybersecurity-threats/

Threats

Ransomware

Phishing

Malware

Mobile

Vulnerabilities

Data Breaches/Leaks

Organised Crime & Criminal Actors

Dark Web

DoS/DDoS

OT, ICS, IIoT and SCADA

Cloud

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Read More
Black Arrow Admin Black Arrow Admin

What is a Brute Force attack - Cyber Tip Tuesday Explainer Series

This week's Black Arrow Cyber Tip Tuesday video explains Brute Force Attacks as part of our video explainer series, introducing key terms and concepts to help you understand the threats and risks facing your business.

This week's Black Arrow Cyber Tip Tuesday video explains Brute Force Attacks as part of our video explainer series, introducing key terms and concepts to help you understand the threats and risks facing your business.

Read More
Black Arrow Admin Black Arrow Admin

Cyber Briefing 23 October 2020: Ransomware Continues to Evolve; Infected IoT Up 100%; Brute Force Attacks Up with more Open RDP Ports; 40% Unsure on Mobile Phishing; Most Imitated Phishing Brands

Cyber Briefing 23 October 2020: Ransomware Variants Evolve as Crooks Chase Bigger Paydays; Infected IoT Surges 100% in a Year; Brute Force Attacks Up Due To More Open RDP Ports; 40% of Users Not Sure What Mobile Phishing Is; Microsoft Most Imitated Phishing Brand Q3 2020; DDoS Triples as Ransoms Re-Emerge; Exploited Chrome Bug Fixed; WordPress Forces Security Update; The Most Worrying Vulns Around Today

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities and cyber related news from the last week.

Threats

Ransomware

This week has been busy with ransomware related news, including new charges against Russian state-sponsored hackers and numerous attacks against well-known organisations.

In 2017, there was an attack utilizing the NotPetya ransomware to destroy data on systems worldwide. This week, the US govt indicted six Russian intelligence operatives [source], known to be part of the notorious 'Sandworm' group, for hacking operations, including NotPetya.

Ransomware variants continue to evolve as crooks chase bigger paydays

The number of ransomware attacks which threaten to leak stolen data if the victim doesn't pay a ransom to get their encrypted files and servers back is growing – and this is being reflected in the changing nature of the cyber criminal market.

Analysis by cyber security researchers found that over the last three months – between July and September - 80 percent of ransomware attacks combined with data dumps were associated with four families of ransomware – Maze, Sodinokibi, Conti and Netwalker.

The period from April to June saw just three ransomware families account for 80 percent of alerts – DoppelPaymer, Maze and Sodinokibi.

The way DoppelPayer has dropped off and how Conti and NetWalker have suddenly emerged some of the most prolific threats shows how the ransomware space continues to evolve, partly because of how successful it has already become for the crooks behind it. [source]

Why this matters:

Maze was the first major family of ransomware to add threats of data breaches to their ransom demands and other ransomware operators have taken note – and stolen the additional extortion tactic.

There is an inherent competitive nature that has befallen the ransomware landscape. The saturated ransomware market pushes ransomware developers to cut through the noise and gain the best ransomware title and this drives more affiliates to carry out their work and, thus, more successful attacks to reach their goal: to make as much money as possible.

DoppelPaymer's activity has dropped over the last few months – although it still remains active - enabling Conti and NetWalker to grab a larger slice of the pie.

Notable ransomware victims of the last week

French IT giant Sopra Steria hit by Ryuk ransomware

French IT services giant Sopra Steria suffered a cyber attack on October 20th, 2020, that reportedly encrypted portions of their network with the Ryuk ransomware.

Sopra Steria is a European information technology company with 46,000 employees in 25 countries worldwide. The company provides a wide range of IT services, including consulting, systems integration, and software development.

The firm has said that the attack has hit all geographies where they operate and have said it will take them several weeks to recover.

Numerous sources have confirmed that it was Ryuk ransomware threat actors who were behind the attack. This hacking group is known for its TrickBot and BazarLoader infections that allow threat actors to access a compromised network and deploy the Ryuk or Conti ransomware infections.

BazarLoader is increasingly being used in Ryuk attacks against high-value targets due to its stealthy nature and is less detected than TrickBot by security software.

When installed, BazarLoader will allow threat actors to remotely access the victim's computer and use it to compromise the rest of the network.

After gaining access to a Windows domain controller, the attackers then deploy the Ryuk ransomware on the network to encrypt all of its devices, as illustrated in the diagram above. [Source1] [source2]

The Nefilim ransomware operators have posted a long list of files that appear to belong to Italian eyewear and eyecare giant Luxottica.

Luxottica Group S.p.A. is an Italian eyewear conglomerate and the world’s largest company in the eyewear industry (which owns brands including LensCrafters, Sunglass Hut, Apex by Sunglass Hut, Pearle Vision, Target Optical, Eyemed vision care plan, and Glasses.com. Its best known brands are Ray-Ban, Persol, and Oakley) and employs over 80,000 people and generated 9.4 billion in revenue for 2019.

The company was hit by a cyber attack and some of the web sites operated by the company were not reachable, including Ray-Ban, Sunglass Hut, LensCrafters, EyeMed, and Pearle Vision.

Reports indicate that the firm was using a Citrix ADX controller device vulnerable to a critical vulnerability and it is believed that a threat actor or actors exploited the above flaw to infect the systems at the company with ransomware. This appears to have subsequently confirmed with Nefilim ransomware operators having posted a long list of files that appear to belong to Luxottica. [source]

Why this matters:

The analysis of the leaked files revealed that they contain confidential information regarding the recruitment process, professional resumes, and info about the internal structures of the Group’s human resource department. The ransomware operators also published a message which accuses Luxottica of having failed the properly manage the attack.

In the past months, the number of ransomware attacks surged, numerous ransomware gangs made the headlines targeting organisations worldwide and threatening victims with releasing the stolen data if the ransom was not paid.

Extortion is the new thing in cyber crime right now, more so than in the past. Companies cannot hide the cyber attack anymore. Now it’s more about how to manage the breach from the communication perspective. Defending companies from these types of attacks becomes even more strategic: data leak damages can generate tremendous amount of costs for companies worldwide.

Other notable ransomware victims this week include:

  • Barnes & Noble hit by Egregor ransomware, strange data leaked [source]

  • Montreal's STM public transport system hit by ransomware attack [source]

  • WastedLocker ransomware hits US-based ski and golf resort operator Boyne Resorts (WastedLocker was the same one used in the attack on Garmin in July) [source]

Other Threats

Infected IoT Device Numbers Surge 100% in a Year

The volume of infected Internet of Things (IoT) devices globally has soared by 100% over the past year, according to new data from Nokia.

It revealed that infected IoT devices now comprise nearly a third (32.7%) of the total number of devices, up from 16.2% in the 2019 report.

Nokia argued that infection rates for connected devices depend dramatically upon the visibility of the devices on the internet.

In networks where devices are routinely assigned public facing internet IP addresses there is a higher infection rate. In networks where carrier grade NAT is used, the infection rate is considerably reduced, because the vulnerable devices are not visible to network scanning.

With the introduction of 5G well underway, it is expected that not only the number of IoT devices will increase dramatically, but also the share of IoT devices accessible directly from the internet will increase as well, and rates of infection rising accordingly. [source]

Brute force attacks increase due to more open RDP ports

While leaving your back door open while you are working from home may be something you do without giving it a second thought, having unnecessary ports open on your computer or on your corporate network is a security risk that is sometimes underestimated. That’s because an open port can be subject to brute force attacks.

A brute force attack is where an attacker tries every way he can think of to get in. Including throwing the kitchen sink at it. In cases where the method they are trying is to get logged in to your system, they will try endless combinations of usernames and passwords until a combination works.

Brute force attacks are usually automated, so it doesn’t cost the attacker a lot of time or energy. Certainly not as much as individually trying to figure out how to access a remote system. Based on a port number or another system specific property, the attacker picks the target and the method and then sets his brute force application in motion. He can then move on to the next target and will get notified when one of the systems has swallowed the hook.

RDP attacks are one of the main entry points when it comes to targeted ransomware operations. To increase effectiveness, ransomware attacks are getting more targeted and one of the primary attack vectors is the Remote Desktop Protocol (RDP). Remote desktop is exactly what the name implies, an option to remotely control a computer system. It almost feels as if you were actually sitting behind that computer. Which is exactly what makes an attacker with RDP access so dangerous. [source]

Why this matters:

Because of the current pandemic, many people are working from home and may be doing so for a while to come. Working from home has the side effect of more RDP ports being opened. Not only to enable the workforce to access company resources from home, but also to enable IT staff to troubleshoot problems on the workers’ devices. A lot of enterprises rely on tech support teams using RDP to troubleshoot problems on employee’s systems.

But ransomware, although prevalent, is not the only reason for these types of attacks. Cyber criminals can also install keyloggers or other spyware on target systems to learn more about the organization they have breached. Other possible objectives might be data theft, espionage, or extortion.

Phishing

Two in five employees are not sure what a mobile phishing attack is

The COVID-19 pandemic has clearly changed the way people work and accelerated the already growing remote work trend. This has also created new security challenges for IT departments, as employees increasingly use their own personal devices to access corporate data and services.

These changes, where employees, IT infrastructures, and customers are everywhere – has led to employees not prioritising security in their new world of work, and the current distributed remote work environment has also triggered a new threat landscape, with malicious actors increasingly targeting mobile devices with phishing attacks.

A new study looking at the impact that lockdown has had on employees working habits polled 1,200 workers across the US, UK, France, Germany, Belgium, Netherlands, Australia, and New Zealand showed that many employees were unaware of how to identify and avoid a phishing attack, and over two in five (43%) of employees are not even sure what a phishing attack is. [source]

Microsoft is Most Imitated Brand for Phishing Attempts in Q3 2020

The latest Check Point ‘Q3 Brand Phishing Report’, highlighting the brands that hackers imitated the most to lure people into giving up personal data, reveals the brands which were most frequently imitated by criminals in their attempts to steal individuals’ personal information or payment credentials during July, August and September.

In Q3, Microsoft was the most frequently targeted brand by cyber criminals, soaring from fifth place (relating to 7% of all brand phishing attempted globally in Q2 of 2020) to the top of the ranking. 19% of all brand phishing attempts related to the technology giant, as threat actors sought to capitalise on large numbers of employees still working remotely during the Covid-19 pandemic. For the first time in 2020, DHL entered the top 10 rankings, taking the second spot with 9% of all phishing attempts related to the company. [source]

Top phishing brands in Q3 2020

  • Microsoft (19%)

  • DHL (9%)

  • Google (9%)

  • PayPal (6%)

  • Netflix (6%)

  • Facebook (5%)

  • Apple (5%)

  • Whatsapp (5%)

  • Amazon (4%)

  • Instagram (4%)

Phishing Lures Shifting from COVID-19 updates to Job Opportunities

Researchers are seeing a pivot in the spear-phishing and phishing lures used by cybercriminals, to entice potential job candidates as businesses start to open up following the pandemic.

Cyber criminals cashed in on the surge of COVID-19 earlier this year, with email lures purporting to be from healthcare professionals offering more information about the pandemic. However, as the year moves forward, bad actors are continuing to swap up their attacks and researchers are now seeing ongoing email based attacks that tap into new job opportunities as businesses start to open up. [source]

Denial of Service Attacks

DDoS (Distributed Denial of Service) Attacks Triple in Size as Ransom Demands Re-Emerge

The last quarter of 2020 has seen a wave of web application attacks which have used ransom letters to target businesses across a number of industries.

According to research from Akamai, the largest of these attacks sent over 200Gbps of traffic at their targets as part of a sustained campaign of higher Bits Per Second (BPS) and Packets Per Second (PPS) than similar attacks had displayed a few weeks prior.

Prior to August most of these attacks were targeting the gaming industry but since then these attacks abruptly swung to financial organisations, and later in the cycle, multiple other verticals.

Akamai explained that none of the vectors involved in these series of attacks were new, as most of the traffic was generated by reflectors and systems that were used to amplify traffic. However, multiple organisations began to receive targeted emails with threats of DDoS attacks, where this would be launched unless a ransom amount was paid. A small DDoS would be made against the company to show that the attackers were serious, and then there was a threat of a 1Tbps attack if payment was not made.

Many extortion DDoS campaigns start as a threat letter, and never progress beyond that point but this this campaign has seen frequent ‘sample’ attacks that prove to the target that criminals have the capability to make life difficult.

Many of the extortion emails ended up being caught by spam filters, and not all targets are willing to admit they’ve received an email from the attackers.

Why this matters:

This extortion DDoS campaign is not over and the criminals behind this campaign are changing and evolving their attacks in order to throw off defenders and the law enforcement agencies that are working to track them down.

Vulnerabilities

New Google Chrome version fixes actively exploited zero-day bug

Google released Chrome 86.0.4240.111 this week to address five security vulnerabilities, one of which is being actively exploited.

The announcement from Google stated they they were aware of reports that an exploit for CVE-2020-15999 exists in the wild.

This new version of Chrome started rolling out to the entire userbase. Users on Windows, Mac, and Linux desktop users can upgrade to Chrome 86 by going to Settings -> Help -> About Google Chrome.

The Google Chrome web browser will then automatically check for the new update and install it when available.

Adobe releases another out-of-band patch, squashing critical bugs across creative software

Adobe has released a second out-of-band security update to patch critical vulnerabilities across numerous software products.

The patch, released outside of the tech giant's typical monthly security cycle, impacts Adobe Illustrator, Dreamweaver, Marketo, Animate, After Effects, Photoshop, Premiere Pro, Media Encoder, InDesign, and the Creative Cloud desktop application on Windows and macOS machines.

The vulnerabilities across the different products variously could result in privilege escalation, cross-site scripting (XSS), which could be weaponised to deploy malicious JavaScript in a browser session, or otherwise could result in arbitrary code execution.

Last week, Adobe released a separate set of out-of-band security fixes impacting the Magento platform. On October 15, Adobe said the patch resolved nine vulnerabilities, eight of which are critical -- including a bug that could be abused to tamper with Magento customer lists. [source]

WordPress deploys forced security update for dangerous bug in popular plugin

The WordPress security team has taken a rare step last week and used a lesser-known internal capability to forcibly push a security update for a popular plugin called Loginizer, which provides security enhancements for the WordPress login page, but that was found to contain a dangerous SQL injection bug that could have allowed hackers to take over WordPress sites running older versions of the plugin. [source]

Why this matters:

Remote attackers to run code against the WordPress database — in what is referred to as an unauthenticated SQL injection attack.

These are the most worrying vulnerabilities around today

Failure to patch once again leaves organisations open to attacks

The US National Security Agency (NSA) has published a new cyber security advisory in which it details 25 of the most dangerous vulnerabilities actively being exploited in the wild by Chinese state-sponsored hackers and other cyber criminals.

Unlike zero-day vulnerabilities where hardware and software makers have yet to release a patch, all of the vulnerabilities in the NSA's advisory are well-known and patches have been made available to download from their vendors. However, the problem lies in the fact that organisations have yet to patch their systems, leaving them vulnerable to potential exploits and attacks.

The NSA provided further details on the nature of the vulnerabilities in its advisory while urging organisations to patch them immediately.

Most of the vulnerabilities listed below can be exploited to gain initial access to victim networks using products that are directly accessible from the Internet and act as gateways to internal networks. The majority of the products are either for remote access or for external web services and should be prioritised for immediate patching. The full list can be found here.

The first bug in the list, tracked as CVE-2019-11510, relates to Pulse Secure VPN servers and how an unauthenticated remote attacker can expose keys or passwords by sending a specially crafted URI to perform an arbitrary file reading vulnerability.

Another notable bug from the list, tracked as CVE-2020-5902, affects the Traffic Management User Interface (TMUI) of F5 BIG-IP proxies and load balancers and it is vulnerable to a Remote Code Execution (RCE) vulnerability that if exploited, could allow a remote attacker to take over an entire BIG-IP device.

The Citrix Application Delivery Controller (ADC) and Gateway systems are vulnerable to a directory traversal bug, tracked as CVE-2019-19781, that can lead to remote code execution where an attacker does not need to possess valid credentials for the device.

The advisory also mentions BlueKeep, SigRed, Netlogon, CurveBall and other more well-known vulnerabilities.

To avoid falling victim to any potential attacks exploiting these vulnerabilities, the NSA recommends that organisations keep their systems and products updated and patched as soon as possible after vendors release them. [source]

Miscellaneous Cyber News of the Weeks

Hackers Can Clone Millions of Toyota, Hyundai, and Kia Keys

Owners of cars with keyless start systems have learned to worry about so-called relay attacks, in which hackers exploit radio-enabled keys to steal vehicles without leaving a trace. Now it turns out that many millions of other cars that use chip-enabled mechanical keys are also vulnerable to high-tech theft. A few cryptographic flaws combined with a little old-fashioned hot-wiring—or even a well-placed screwdriver—lets hackers clone those keys and drive away in seconds.

Researchers this week revealed new vulnerabilities in the encryption systems used by immobilisers, the radio-enabled devices inside of cars that communicate at close range with a key fob to unlock the car's ignition and allow it to start. Specifically, they found problems in how Toyota, Hyundai, and Kia implement their encryption system. A hacker who swipes a relatively inexpensive RFID reader/transmitter device near the key fob of any affected car can gain enough information to derive its secret cryptographic value. That, in turn, would allow the attacker to spoof the device to impersonate the key inside the car, disabling the immobiliser and letting them start the engine.

The researchers say the affected car models include the Toyota Camry, Corolla, and RAV4; the Kia Optima, Soul, and Rio; and the Hyundai I10, I20, and I40, amongst others. [source]

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Read More