Threat Intelligence Blog
Contact us to discuss any insights from our Blog, and how we can support you in a tailored threat intelligence report.
Black Arrow Cyber Threat Briefing 07 January 2022
Black Arrow Cyber Threat Briefing 07 January 2022:
-Microsoft Sees Rampant Log4j Exploit Attempts, Testing
-Warning: Log4j Still Lurks Where Dependency Analysis Can’t Find It
-Hackers Sending Malware-Filled USB Sticks to Companies Disguised as Presents
-Patch Systems Vulnerable To Critical Log4j Flaws, UK And US Officials Warn
-‘Elephant Beetle’ Lurks For Months In Networks
-Sonicwall: Y2k22 Bug Hits Email Security, Firewall Products
-Hackers Use Video Player To Steal Credit Cards From Over 100 Sites
-Cyber World Is Starting 2022 In Crisis Mode With The Log4j Bug
-Everything You Need To Know About Ransomware Attacks and Gangs In 2022
-Why the Log4j Vulnerability Makes Endpoint Visibility and Zero Trust Security More Important Than Ever
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
Microsoft Sees Rampant Log4j Exploit Attempts, Testing
Microsoft says it’s only going to get worse: It’s seen state-sponsored and cyber-criminal attackers probing systems for the Log4Shell flaw through the end of December.
No surprise here: The holidays bought no Log4Shell relief.
Threat actors vigorously launched exploit attempts and testing during the last weeks of December, Microsoft said on Monday, in the latest update to its landing page and guidance around the flaws in Apache’s Log4j logging library.
“We have observed many existing attackers adding exploits of these vulnerabilities in their existing malware kits and tactics, from coin miners to hands-on-keyboard attacks,” according to Microsoft.
https://threatpost.com/microsoft-rampant-log4j-exploits-testing/177358/
Warning: Log4j Still Lurks Where Dependency Analysis Can’t Find It
The best programming practice to include a third-party library in source code is to use the import command. It is the easiest way to do it, and it is also the way that most dependency analysis programs work to determine if a vulnerable library is in play. But any time code is included without calling it as an external package, traditional dependency analysis might not be enough to find it — including when Java coders use a common trick to resolve conflicting dependencies during the design process.
A new study by jFrog found that 400 packages on repository Maven Central used Log4j code without calling it as an external package. Around a third of that came from fat jars — jar files that include all external dependencies to make a more efficient product. The remainder came from directly inserting Log4j code into the source code, including shading, a work-around used when two or more dependencies call different versions of the same library in a way that might conflict.
While 400 may not seem like a lot for Maven Central, where Google found 17,000 packages implementing the vulnerable Log4j library, some of the 400 packages unearthed by JFrog are widely used.
Hackers Sending Malware-Filled USB Sticks to Companies Disguised as Presents
The "malicious USB stick" trick is old but apparently it's still wildly popular with the crooks.
Word to the wise: If a stranger ever offers you a random USB stick as a gift, best not to take it.
On Thursday, the FBI warned that a hacker group has been using the US mail to send malware-laden USB drives to companies in the defence, transportation and insurance industries. The criminals’ hope is that employees will be gullible enough to stick them into their computers, thus creating the opportunity for ransomware attacks or the deployment of other malicious software, The Record reports.
The hacker group behind this bad behaviour—a group called FIN7—has gone to great lengths to make their parcels appear innocuous. In some cases, packages were dressed up as if they were sent by the US Department of Health and Human Services, with notes explaining that the drives contained important information about COVID-19 guidelines. In other cases, they were delivered as if they had been sent via Amazon, along with a “decorative gift box containing a fraudulent thank you letter, counterfeit gift card, and a USB,” according to the FBI warning.
https://gizmodo.com/hackers-have-been-sending-malware-filled-usb-sticks-to-1848323578
Patch Systems Vulnerable To Critical Log4j Flaws, UK And US Officials Warn
One of the highest-severity vulnerabilities in years, Log4Shell remains under attack.
Criminals are actively exploiting the high-severity Log4Shell vulnerability on servers running VMware Horizon in an attempt to install malware that allows them to gain full control of affected systems, the UK’s publicly funded healthcare system is warning.
CVE-2021-44228 is one of the most severe vulnerabilities to come to light in the past few years. It resides in Log4J, a system-logging code library used in thousands if not millions of third-party applications and websites. That means there is a huge base of vulnerable systems. Additionally, the vulnerability is extremely easy to exploit and allows attackers to install Web shells, which provide a command window for executing highly privileged commands on hacked servers.
The remote-code execution flaw in Log4J came to light in December after exploit code was released before a patch was available. Malicious hackers quickly began actively exploiting CVE-2021-44228 to compromise sensitive systems.
‘Elephant Beetle’ Lurks For Months In Networks
The group blends into an environment before loading up trivial, thickly stacked, fraudulent financial transactions too tiny to be noticed but adding up to millions of dollars.
Researchers have identified a threat group that’s been quietly siphoning off millions of dollars from financial- and commerce-sector companies, spending months patiently studying their targets’ financial systems and slipping in fraudulent transactions amongst regular activity.
The Sygnia Incident Response team has been tracking the group, which it named Elephant Beetle, aka TG2003, for two years.
In a Wednesday report, the researchers called Elephant Beetle’s attack relentless, as the group has hidden “in plain sight” without the need to develop exploits.
https://threatpost.com/elephant-beetle-months-networks-financial/177393/
Sonicwall: Y2k22 Bug Hits Email Security, Firewall Products
SonicWall has confirmed today that some of its Email Security and firewall products have been hit by the Y2K22 bug, causing message log updates and junk box failures starting with January 1st, 2022.
The company says that email users and administrators will no longer be able to access the junk box or un-junk newly received emails on affected systems.
They will also no longer be able to trace incoming/outgoing emails using the message logs because they're no longer updated.
On January 2nd, SonicWall deployed updates to North American and European instances of Hosted Email Security, the company's cloud email security service.
It also released fixes for its on-premises Email Security Appliance (ES 10.0.15) and customers using firewalls with the Anti-Spam Junk Store functionality toggled on (Junk Store 7.6.9).
Hackers Use Video Player To Steal Credit Cards From Over 100 Sites
Hackers used a cloud video hosting service to perform a supply chain attack on over one hundred real estate sites that injected malicious scripts to steal information inputted in website forms.
These scripts are known as skimmers or formjackers and are commonly injected into hacked websites to steal sensitive information entered into forms. Skimmers are commonly used on checkout pages for online stores to steal payment information.
In a new supply chain attack discovered by Palo Alto Networks Unit42, threat actors abused a cloud video hosting feature to inject skimmer code into a video player. When a website embeds that player, it embeds the malicious script, causing the site to become infected.
Cyber World Is Starting 2022 In Crisis Mode With The Log4j Bug
The cyber security world is starting off 2022 in crisis mode.
The newest culprit is the log4j software bug, which cyber security and Infrastructure Security Agency (CISA) Director Jen Easterly called “the most serious vulnerability I have seen in my decades-long career.” It forced many cyber security pros to work through the holidays to protect computer systems at Big Tech firms, large and small companies and government agencies.
But crises like log4j have become the norm rather than the exception during the past few years.
Last year kicked off with the SolarWinds hack — a Russian government operation that compromised reams of sensitive information from U.S. government agencies and corporations.
Digital threats of all sorts are growing far faster than the capability to defend against them. If past is prologue, 2022 is likely to be a year of big hacks, big threats and plenty more crises.
“We’re always in crisis is the long and short of it,” Jake Williams, a former National Security Agency (NSA) cyber operator and founder of the firm Rendition Infosec, told me. “Anyone looking for calm rather than the storm in cyber is in the wrong field.”
Everything You Need To Know About Ransomware Attacks and Gangs In 2022
Ransomware is a lucrative business for criminals. It is paying off, and it is working.
According to a recent Trend Micro report, a staggering 84% of US organisations experienced either a phishing or ransomware attack in the last year. The average ransomware payment was over $500,000.
Bad actors want to keep cashing in. So they’re going as far as creating ransomware kits as a service (Ransomware as a Service) to be sold on the dark web and even setting up fake companies to recruit potential employees.
Many ransomware gangs function like real companies — with marketing teams, websites, software development, user documentation, support forums and media relations.
If the “companies” run by ransomware gangs can operate with minimal expenses and mind-blowing revenues, what’s stopping them from growing in number and size?
https://securityintelligence.com/articles/ransomware-attacks-gangs-2022/
Why the Log4j Vulnerability Makes Endpoint Visibility and Zero Trust Security More Important Than Ever
The Apache Log4j vulnerability is one of the most serious vulnerabilities in recent years—putting millions of devices at risk.
IT organisations worldwide are still reeling from the discovery of a major security vulnerability in Apache Log4j, an open-source logging utility embedded in countless internal and commercial applications.
By submitting a carefully constructed variable string to log4j, attackers can take control of any application that includes log4j. Suddenly, cyber criminals around the world have a blueprint for launching attacks on everything from retail store kiosks to mission-critical applications in hospitals.
If security teams overlook even one instance of log4j in their software, they give attackers an opportunity to issue system commands at will. Attackers can use those commands to install ransomware, exfiltrate data, shut down operations — the list goes on.
How should enterprises respond to this pervasive threat?
Threats
Ransomware
Night Sky Is The Latest Ransomware Targeting Corporate Networks (bleepingcomputer.com)
Counties In New Mexico, Arkansas Begin 2022 With Ransomware Attacks | ZDNet
Ransomware Attack Affects The Websites Of 5,000 Schools - CNNPolitics
Phishing
Google Docs Comments Weaponized in New Phishing Campaign (darkreading.com)
US Arrests Suspect Who Stole Unpublished Books In Phishing Attacks (bleepingcomputer.com)
Malware
FluBot Malware Now Targets Europe Posing As Flash Player App (bleepingcomputer.com)
New Mac Malware Samples Underscore Growing Threat (darkreading.com)
Purple Fox Rootkit Now Bundled With Telegram Installer | Malwarebytes Labs
‘Malsmoke’ Exploits Microsoft’s E-Signature Verification | Threatpost
Mobile
IoT
Data Breaches/Leaks
List Of Data Breaches And Cyber Attacks In December 2021 | 219M records (itgovernance.co.uk)
Have I Been Pwned Warns Of DatPiff Data Breach Impacting Millions (bleepingcomputer.com)
Morgan Stanley To Pay $60 Million To Resolve Data Security Lawsuit (Yahoo.Com)
Cryptocurrency/Cryptomining/Cryptojacking
Report: $2.2 Billion In Cryptocurrency Stolen From DeFi Platforms In 2021 | ZDNet
UK Police Seize £322m of Cryptocurrency in Past Five Years - Infosecurity Magazine
Fraud, Scams & Financial Crime
DoS/DDoS
OT, ICS, IIoT and SCADA
Nation State Actors
Should Businesses Be Concerned About APT-Style Attacks? - Help Net Security
MI6 Chief Thanks China For ‘Free Publicity’ After James Bond Spoof | China | The Guardian
Log4j Vulnerabilities: New Patches And Nation-State Exploitation. (thecyberwire.com)
North Korea-Linked Konni APT Targets Russian Diplomatic Bodies - Security Affairs
Privacy
Passwords & Credential Stuffing
Spyware and Espionage
Vulnerabilities
Emergency Windows Server Update Fixes Remote Desktop Issues (bleepingcomputer.com)
Microsoft Rolled Out Emergency Fix For Y2k22 Bug In Exchange Servers - Security Affairs
VMware Fixed CVE-2021-22045 Heap-Overflow In Workstation, Fusion and ESXi - Security Affairs
Latest WordPress Security Release Fixes XSS, SQL Injection Bugs | The Daily Swig (portswigger.net)
New Ubuntu Linux Kernel Security Updates Fix 9 Vulnerabilities, Patch Now - 9to5Linux
JFrog Researchers Find JNDI Vulnerability In H2 Database Consoles Similar To Log4Shell | ZDNet
Unpatched HomeKit Vulnerability Exposes iPhones, iPads to DoS Attacks | SecurityWeek.Com
Sector Specific
Defence
Health/Medical/Pharma Sector
Estate Agents
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Threat Briefing 12 March 2021
Black Arrow Cyber Threat Briefing 12 March 2021: ‘Really Messy’: Why The Hack of Microsoft’s Email System Is Getting Worse - Attacks Doubling Every Two Hours; Trickbot Malware Becoming Huge Security Headache; Criminals Targeting Browser Zero Days; More Than 1m Small Businesses ‘At Risk Of Collapse’ Due To Cyber Threats; Ransomware Attacks Up 150%; Massive Supply-Chain Cyber Attack Breaches Several Airlines; Millions Of Windows Devices Are Still Infested With Malware; Browser Extensions Looking at Bank Accounts?
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
‘Really Messy’: Why The Hack of Microsoft’s Email System Is Getting Worse, With Attacks Doubling Every Two Hours
The cyber security community sprang into action after Microsoft first announced a series of vulnerabilities that let hackers break into the company's Exchange email and calendar programs. China has used it to spy on a wide range of industries in the United States ranging from medical research to law firms to defence contractors, the company said. China has denied responsibility. In the past 24 hours, the team has observed "exploitation attempts on organizations doubling every two to three hours." The countries feeling the brunt of attack attempts are Turkey, the United States, and Italy, accounting for 19%, 18%, and 10% of all tracked exploit attempts, respectively.
https://www.zdnet.com/article/microsoft-exchange-server-hacks-doubling-every-two-hours/
Trickbot Malware Is Now Your Biggest Security Headache
Trickbot malware has risen to fill the gap left by the takedown of the Emotet botnet, with a higher number of criminals shifting towards it to distribute malware attacks. Emotet was the world's most prolific and dangerous malware botnet before it was disrupted by an international law enforcement operation in January this year.
https://www.zdnet.com/article/this-trojan-malware-is-now-your-biggest-security-headache/
Cyber Criminals Are Increasingly Targeting Browser Zero Days
As more and more of our work is done within our browsers, cyber criminals have begun to leverage web browser exploits to compromise endpoint systems, according to new research from Menlo Security. At the same time, enterprises around the world were forced to make an almost overnight transition to remote work last year and this surge in employees working from home along with the shift to cloud computing have resulted in a greatly increased attack surface.
https://www.techradar.com/news/cybercriminals-are-increasingly-targeting-browser-zero-days
More Than 1m Small Businesses ‘At Risk Of Collapse’ Due To Cyber Threats
The research, commissioned by Vodafone, also showed that 16 per cent of firms would likely be forced to lay off staff in the event of a hack. As a result, the report called on ministers to beef up the country’s corporate cyber defences, warning that a failure to do so could hamper the post-pandemic economic recovery. It urged the government to expand a dedicated business cyber security within the National Cyber Security Centre (NCSC), which is part of GCHQ, and introduce a five per cent VAT cut on cybersecurity products for small companies.
Number Of Ransomware Attacks Grew By More Than 150%
By the end of 2020, the ransomware market, fueled by the pandemic turbulence, had turned into the biggest cyber crime money artery. Based on the analysis of more than 500 attacks observed during Group-IB’s own incident response engagements and cyber threat intelligence activity, researchers estimate that the number of ransomware attacks grew by more than 150% in 2020.
https://www.helpnetsecurity.com/2021/03/08/ransomware-attacks-grew-2020/
Hackers Are Using Home Office Selfies To Steal Your Personal Data
The pandemic has been the source of plenty of memes and new internet trends, not least the remote working selfie, which involves people taking photos of their home office setup or video conferencing sessions. However, a new blog suggests cyber criminals are capitalizing on this new genre of selfie to steal a range of personal data that could be used to execute identity or financial fraud.
https://www.techradar.com/uk/news/hackers-are-using-home-office-selfies-to-steal-your-personal-data
Massive Supply-Chain Cyber Attack Breaches Several Airlines
A communications and IT vendor for 90 percent of the world’s airlines, SITA, has been breached, compromising passenger data stored on the company’s U.S. servers in what the company is calling a “highly sophisticated attack.” The affected servers are in Atlanta, and belong to the SITA Passenger Service System (SITA PSS).
https://threatpost.com/supply-chain-cyberattack-airlines/164549/
Millions Of Windows Devices Are Still Infested With Malware
Over 100 million Windows consumer and business devices across the world were infected with malware last year, new analysis has found. While examining the recent Malwarebytes "State of Malware" report, Atlas VPN noted that whilst the number of infected Windows machines seems high, this landmark figure was actually 12% drop when compared to 2019.
https://www.techradar.com/uk/news/millions-of-windows-devices-are-still-infested-with-malware
Did You Know Browser Extensions Are Looking at Your Bank Account?
Browser extensions have full access to all the web pages you visit. It can see which web pages you are browsing, read their contents, and watch everything you type. It could even modify the web pages—for example, by inserting extra advertisements. If the extension is malicious, it could gather all that private data of yours—from web browsing activity and the emails you type to your passwords and financial information—and send it to a remote server on the internet.
https://www.howtogeek.com/716771/did-you-know-browser-extensions-are-looking-at-your-bank-account/
Threats
Ransomware
Capcom reportedly forced employees to work in the office following ransomware attack
Fake Ad Blocker Delivers Hybrid Cryptominer/Ransomware Infection
New ransomware only decrypts victims who join their Discord server
Phishing
Malware
Mobile
Vulnerabilities
Microsoft's March Patch Tuesday: Critical remote code execution flaws, IE zero-day fixed
F5 issues BIG-IP patches to tackle unauthenticated remote code execution, critical flaws
Hackers Exploit QNAP Vulnerabilities to Turn NAS Devices Into Crypto Miners
Malware Can Exploit New Flaw in Intel CPUs to Launch Side-Channel Attacks
Adobe releases batch of security fixes for Framemaker, Creative Cloud, Connect
Critical 0-day that targeted security researchers gets a patch
Intel CPU interconnects can be exploited by malware to leak encryption keys and other info
Organised Crime
Dark Web
OT, ICS, IIoT and SCADA
Nation-State Actors
Researchers Unveil New Linux Malware Linked to Chinese Hackers
United States considering cyber war on Russia in retaliation for SolarWinds hack
Privacy
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.