Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

• CFOs’ Overconfidence in Cyber Security Can Cost Millions

Kroll announced its report entitled ‘Cyber Risk and CFOs: Over-Confidence is Costly’ which found chief financial officers (CFOs) to be woefully in the dark regarding cyber security, despite confidence in their company’s ability to respond to an incident.

The report, conducted by StudioID of Industry Dive, exposed three key themes among the 180 senior finance executives surveyed worldwide:

1. Ignorance is bliss. Eighty-seven percent of CFOs are either very or extremely confident in their organisation’s cyber attack response. This is at odds with the level of visibility CFOs have into cyber risk issues, given only four out of 10 surveyed have regular briefings with their cyber teams.

2. Wide-ranging damages. 71% of the represented organisations suffered more than $5 million in financial losses stemming from cyber incidents in the previous 18 months, and 61% had suffered at least three significant cyber incidents in that time. Eighty-two percent of the executives in the survey said their companies suffered a loss of 5% or more in their valuations following their largest cyber security incident in the previous 18 months.

3. Increasing investment in cyber security. Forty-five percent of respondents plan to increase the percentage of their overall IT budget dedicated to information security by at least 10%.

According to Kroll: “We often see that CFOs are not aware enough of the financial risk presented by cyber threats until they face an incident. At that point, it’s clear that they need to be involved not only in the recovery, including permitting access to emergency funds and procuring third-party suppliers, but also in the strategy and investment around cyber both pre- and post-incident.”

“Ultimately, cyber attacks represent a financial risk to the business, and incidents can have a significant impact on value. It is, therefore, critical that this is included in wider business risk considerations. A CFO and CISO should work side-by-side, helping the business navigate the operational and financial risk of cyber.”

https://www.helpnetsecurity.com/2022/09/14/cfos-cybersecurity-confidence/

• Cyber Security Outflanks Inflation, Talent, Logistics in Business Worries

Nearly six in 10 IT leaders in a new study view cyber security as their top business concern, ranking it higher than inflation, retaining talent and supply chain/logistics management.

Less than half of respondents (43%) believe their critical data and assets are protected from cyber threats despite increased cyber security investments by their organisations, greater board visibility and increased collaboration between the security team and the C-suite, Rackspace said in its new survey of 1,420 IT professionals worldwide.

The multi-cloud technology services specialist said that a “large majority” of the survey respondents report being either unprepared or only “somewhat prepared” to respond to major threats, such as identifying and mitigating threats and areas of concern (62%), recovering from cyber attacks (61%) or preventing lapses and breaches (63%).

Cloud native security is where organisations are most likely to rely on an outside partner, such as a managed security service provider, for expertise.

Here are more of the survey’s findings:

• The top three cyber security challenges their organisation is facing: migrating and operating apps (45%); shortage of workers with cyber security skills (39%); lack of visibility of vulnerabilities across all infrastructure (38%).

• 70% of survey respondents report that their cyber security budgets have increased over the past three years.

• The leading recipients of new investment are cloud native security (59%); data security (50%), consultative security services (44%); and application security (41%).

• Investments align closely with the areas where organisations perceive their greatest concentration of threats, led by network security (58%), closely followed by web application attacks (53%) and cloud architecture attacks (50%).

• 70% of respondents said there has been an increase in board visibility for cyber security over the past five years, while 69% cite better collaboration between the security team and members of the C-suite.

• Only 13% of respondents said there were significant communications gaps between the security team and C-suite, while 69% of IT executives view their counterparts in the C-suite as advocates for their concerns.

The authors stated “We are seeing a major shift in how organisations are allocating resources to address cyber threats, even as budgets increase. The cloud brings with it a new array of security challenges that require new expertise, and often reliance on external partners who can help implement cloud native security tools, automate security, provide cloud native application protection, offer container security solutions and other capabilities”.

https://www.msspalert.com/cybersecurity-research/cybersecurity-outflanks-inflation-talent-logistics-in-business-worries-rackspace-research/

• Attackers Can Compromise Most Cloud Data in Just 3 Steps

An analysis of cloud services finds that known vulnerabilities typically open the door for attackers, while insecure cloud architectures allow them to gain access to the crown jewels.

Companies and their cloud providers often leave vulnerabilities open in their system and services, gifting attackers with an easy path to gain access to critical data.

According to an Orca Security analysis of data collected from major cloud services, attackers only need on average three steps to gain access to sensitive data, the so-called "crown jewels," starting most often — in 78% of cases — with the exploitation of a known vulnerability.

While much of the security discussion has focused on the misconfigurations of cloud resources by companies, cloud providers have often been slow to plug vulnerabilities.

The key is to fix the root causes, which is the initial vector, and to increase the number of steps that they attacker needs to take. Proper security controls can make sure that even if there is an initial attack vector, you are still not able to reach the crown jewels.

The report analysed data from Orca's security research team using data from a "billions of cloud assets on AWS, Azure, and Google Cloud," which the company's customers regularly scan. The data included cloud workload and configuration data, environment data, and information on assets collected in the first half of 2022.

https://www.darkreading.com/cloud/cyberattackers-compromise-most-cloud-data-3-steps

• Cyber Insurance Premiums Soar 80% As Claims Surge

Cyber insurance premiums have soared in the past year as claims surged in response to a rise in damaging attacks by hackers.

The cost of taking out cyber cover had doubled on average every year for the past three years, said global insurance broker Marsh. Honan Group, another broker, pointed to an 80 per cent rise in premiums in the past 12 months, following a 20 per cent increase in the cost of cover in each of the previous two years.

Brokers are calling cyber “the new D&O”, referring to sharp rises in directors and officers insurance premiums since 2018. Brokers were hopeful premiums would ease, but have warned insurers would continue to demand companies prove they had strong security systems and policies in place before agreeing to sell them insurance.

There’ll be a number of insurance companies that won’t even look at a business that doesn’t have a bunch of security measures in place. They’ll just turn around and say, ‘we’re not going to insure you’. The chief reason for the price rises is the increase in the number and size of claims relating to ransomware, where criminals use malicious software to block access to an organisation’s computer system until a sum of money is paid. In addition, some insurers left the market, while remaining players attempted to recoup the cost of under-priced contracts written in previous years.

The rise in the premiums is mainly due to ransomware and cyber attacks across the board have risen sharply over the past few years.

https://www.afr.com/work-and-careers/management/cyber-insurance-premiums-soar-80pc-as-claims-surge-20220908-p5bglo

• One In 10 Employees Leaks Sensitive Company Data Every 6 Months

Departing employees are most likely to leak sensitive information to competitors, criminals or the media in exchange for cash.

Insider threats are an ongoing menace that enterprise security teams need to handle. It's a global problem but especially acute in the US, with 47 million Americans quitting their jobs in 2021. The threat of ex-employees taking sensitive information to competitors, selling it to criminals in exchange for cash, and leaking files to media is making data exfiltration a growing concern. 

About 1.4 million people who handle sensitive information in their organisation globally were tracked over the period from January to June 30 this year by cyber security firm Cyberhaven to find out when, how and who is involved in data exfiltration.

On average, 2.5% of employees exfiltrate sensitive information in a month, but over a six-month period, nearly one in 10, or 9.4% of employees, do so, Cyberhaven noted in its report. Data exfiltration incidents occur when data is transferred outside the organisation in unapproved ways.

Among employees that exfiltrated data, the top 1% most prolific “super stealers” were responsible for 7.7% of incidents, and the top 10% were responsible for 34.9% of incidents.

North America accounted for the highest number of incidents at 44%, followed by the Asia Pacific region at 27%. Europe, the Middle East, and Africa accounted for 24% of incidents while 5% of incidents were recorded in South America.

https://www.csoonline.com/article/3673260/one-in-10-employees-leaks-sensitive-company-data-every-6-months-report.html#tk.rss_news

• Business Application Compromise and the Evolving Art of Social Engineering

Social engineering is hardly a new concept, even in the world of cyber security. Phishing scams alone have been around for nearly 30 years, with attackers consistently finding new ways to entice victims into clicking a link, downloading a file, or providing sensitive information.

Business email compromise (BEC) attacks iterated on this concept by having the attacker gain access to a legitimate email account and impersonate its owner. Attackers reason that victims won't question an email that comes from a trusted source — and all too often, they're right.

But email isn't the only effective means cyber criminals use to engage in social engineering attacks. Modern businesses rely on a range of digital applications, from cloud services and VPNs to communications tools and financial services. What's more, these applications are interconnected, so an attacker who can compromise one can compromise others, too. Organisations can't afford to focus exclusively on phishing and BEC attacks — not when business application compromise (BAC) is on the rise.

https://www.darkreading.com/vulnerabilities-threats/business-application-compromise-the-evolving-art-of-social-engineering

• SMBs Are Hardest-Hit By Ransomware

Coalition announced the mid-year update to its 2022 Cyber Claims Report detailing the evolution of cyber trends, revealing that small businesses have become bigger targets, overall incidents are down, and ransomware attacks are declining as demands go unpaid.

During the first half of 2022, the average cost of a claim for a small business owner increased to $139,000, which is 58% higher than levels during the first half of 2021.

“Across industries, we continue to see high-profile attacks targeting organisations with weak or exposed infrastructure — which has become exacerbated by today’s remote working culture and companies’ dependence on third-party vendors,” said Coalition’s Head of Claims.

“Small businesses are especially vulnerable because they often lack resources. For these businesses, avoiding downtime and disruption is essential, and they must understand that Active Insurance is accessible.”

The good news: both Coalition and the broader insurance industry observed a decrease in ransomware attack frequency and the amount of ransom demanded between the second half of 2021 and the first half of 2022. Ransomware demands decreased from $1.37M in H2 2021 to $896,000 in H1 2022.

“Organisations are increasingly aware of the threat ransomware poses. They have started to implement controls such as offline data backups that allow them to refuse to pay the ransom and restore operations through other means,” said Coalition’s Head of Incident Response. “As ransomware is on the decline, attackers are turning to reliable methods. Phishing, for example, has skyrocketed – and only continues to grow.”

https://www.helpnetsecurity.com/2022/09/15/small-businesses-ransomware-targets/

• 65% Say Legacy Backup Solutions Aren’t Up To Ransomware Challenges

HYCU researchers are reporting 65% of respondents lack full confidence in their legacy backup solutions (HYCU is a multi-cloud backup-as-a-service provider).

According to the report, 65% of surveyed enterprise organisations are increasing spending on detection, prevention and recovery, and respondents are beginning to understand that air-gapped or immutable backups are the only ways to ensure that the backups themselves don’t fall prey to encryption worms when ransomware hits.

Key findings include:

• 52% of ransomware victims suffered data loss

• 63% of victims suffered an operational disruption

• Just 41% air gap their backups

• Just 47% routinely test their backups

• Only 35% of respondents believe their current backup and recovery tools are sufficient.

https://informationsecuritybuzz.com/expert-comments/65-say-legacy-backup-solutions-arent-up-to-ransomware-challenges/

• Four-Fifths of Firms Hit by Critical Cloud Security Incident

Some 80% of organisations suffered a “severe” cloud security incident over the past year, while a quarter worry they’ve suffered a cloud data breach and aren’t aware of it, according to new research from Snyk.

The developer security specialist polled 400 cloud engineering and security practitioners from organisations of various sizes and sectors, to compile its State of Cloud Security Report.

Among the incidents flagged by respondents over the past 12 months were breaches, leaks, intrusions, crypto-mining, compliance violations, failed audits and system downtime in the cloud.

Startups (89%) and public sector organisations (88%) were the most likely to have suffered such an incident over the period.

The bad news is that 58% of respondents predict they will suffer another severe incident in the cloud over the coming year. Over three-quarters (77%) of those questioned cited poor training and collaboration as a major challenge in this regard.

“Many cloud security failures result from a lack of effective cross-team collaboration and team training. When different teams use different tools or policy frameworks, reconciling work across those teams and ensuring consistent enforcement can be challenging,” the report argued.

https://www.infosecurity-magazine.com/news/fourfifths-firms-critical-cloud/

• Homeworkers Putting Home and Business Cyber Safety at Risk

BlackBerry published a European research report exposing the cyber security risk created by cost-conscious homeworkers who prioritise security behind price, usability and ease of set up in their purchase of domestic smart devices.

32% of European home workers who own a smart device surveyed said security was a top three factor when choosing a smart device, compared to 50% who prioritised price. 28% of businesses aren’t putting adequate security provisions in place to extend cyber protection as far as homes. This heightens the risk of cyber attacks for businesses and their employees, as hybrid and home working become the norm.

The survey of 4,000 home workers in the UK, France, Germany, and the Netherlands revealed that 28% of people say that their employer has not done or communicated anything about protecting their home network or smart devices, or they don’t know if they are protected.

Furthermore, 75% of Europeans say their employers have taken no steps to secure the home internet connection or provide software protection for home devices. This failure to extend network security to home devices increases risk of the vulnerabilities created by hybrid and home working being successfully exploited. These are particularly sobering findings for small and mid-sized businesses who face upwards of eleven cyber attacks per device, per day, according to the research.

Through even the most innocent of devices, bad actors can access home networks with connections to company devices – or company data on consumer devices – and seize the opportunity to steal data and intellectual property worth millions. It’s likely businesses will bear the brunt of cyber attacks caused by unsecured home devices, with knock-on effects to employees themselves.

https://www.helpnetsecurity.com/2022/09/12/homeworkers-smart-devices-security/

• Uber Hacked, Internal Systems Breached and Vulnerability Reports Stolen

Uber suffered a cyber attack Thursday afternoon with an allegedly 18-year-old hacker downloading HackerOne vulnerability reports and sharing screenshots of the company's internal systems, email dashboard, and Slack server.

The screenshots shared by the hacker and seen by BleepingComputer show what appears to be full access to many critical Uber IT systems, including the company's security software and Windows domain.

Other systems accessed by the hacker include the company's Amazon Web Services console, VMware vSphere/ESXi virtual machines, and the Google Workspace admin dashboard for managing the Uber email accounts.

The threat actor also breached the Uber Slack server, which he used to post messages to employees stating that the company was hacked. However, screenshots from Uber's slack indicate that these announcements were first met with memes and jokes as employees had not realised an actual cyber attack was taking place.

Uber has since confirmed the attack, tweeting that they are in touch with law enforcement and will post additional information as it becomes available. "We are currently responding to a cyber security incident. We are in touch with law enforcement and will post additional updates here as they become available," tweeted the Uber Communications account.

The New York Times, which first reported on the breach, said they spoke to the threat actor, who said they breached Uber after performing a social engineering attack on an employee and stealing their password. The threat actor then gained access to the company's internal systems using the stolen credentials.

https://www.bleepingcomputer.com/news/security/uber-hacked-internal-systems-breached-and-vulnerability-reports-stolen/

• IHG Hack: 'Vindictive' Couple Deleted Hotel Chain Data for Fun

Hackers have told the BBC they carried out a destructive cyber-attack against Holiday Inn owner Intercontinental Hotels Group (IHG) "for fun".

Describing themselves as a couple from Vietnam, they say they first tried a ransomware attack, then deleted large amounts of data when they were foiled. They accessed the FTSE 100 firm's databases thanks to an easily found and weak password, Qwerty1234. An expert says the case highlights the vindictive side of criminal hackers.

UK-based IHG operates 6,000 hotels around the world, including the Holiday Inn, Crowne Plaza and Regent brands. On Monday last week, customers reported widespread problems with booking and check-in. For 24 hours IHG responded to complaints on social media by saying that the company was "undergoing system maintenance".

Then on the Tuesday afternoon it told investors that it had been hacked.

https://www.bbc.co.uk/news/technology-62937678

Threats

Ransomware and Extortion

• How prepared are organisations to tackle ransomware attacks? - Help Net Security

• Lorenz ransomware breaches corporate network via phone systems (bleepingcomputer.com)

• 3 Iranian nationals are accused of ransomware attacks on US victims (cnbc.com)

• Emotet botnet now pushes Quantum and BlackCat ransomware (bleepingcomputer.com)

• Cisco confirms Yanluowang ransomware leaked stolen company data (bleepingcomputer.com)

• DEV-0270 Hacker Group Uses Windows BitLocker Feature to Encrypt Systems (gbhackers.com)

• New York ambulance service discloses data breach after ransomware attack (bleepingcomputer.com)

• The ransomware problem won't get better until we change one thing | ZDNET

• Iranian Hackers Used Victims’ Printers to Issue Ransom Demands, DOJ Says (vice.com)

• Transparency, disclosure key to fighting ransomware (techtarget.com)

• Researchers Warn of 674% Surge in Deadbolt Ransomware - Infosecurity Magazine (infosecurity-magazine.com)

• Over Three-Quarters of Retailers Hit by Ransomware in 2021 - Infosecurity Magazine (infosecurity-magazine.com)

• Cisco Data Breach Attributed to Lapsus$ Ransomware Group (darkreading.com)

• Ransomware Group Leaks Files Stolen From Cisco | SecurityWeek.Com

• The LA School District Cyber Attack Keeps Unravelling – Expert Comments (informationsecuritybuzz.com)

Phishing & Email Based Attacks

• Revolut hit by ‘phishing’ cyber attack | Business | The Times

• Crooks are using lures related to Her Majesty Queen Elizabeth II in phishing attacks - Security Affairs

• Phishing page embeds keylogger to steal passwords as you type (bleepingcomputer.com)

• Hackers now use ‘sock puppets’ for more realistic phishing attacks (bleepingcomputer.com)

• Phishers take aim at Facebook page owners - Help Net Security

• New Spear Phish Methodology Relies on PuTTY SSH Client to Infect Systems - Infosecurity Magazine (infosecurity-magazine.com)

• Real Estate Phish Swallows 1,000s of Microsoft 365 Credentials (darkreading.com)

• Death of Queen Elizabeth II exploited to steal Microsoft credentials (bleepingcomputer.com)

• Potential phishing activity update - NCSC.GOV.UK

Other Social Engineering; Smishing, Vishing, etc

• Serious Breach at Uber Spotlights Hacker Social Deception | SecurityWeek.Com

Malware

• Hackers Are Using WeTransfer Links To Spread Malware (informationsecuritybuzz.com)

• New malware bundle self-spreads through YouTube gaming videos (bleepingcomputer.com)

• Linux variant of the SideWalk backdoor discovered - Help Net Security

• Malware on Pirated Content Sites a Major WFH Risk for Enterprises (darkreading.com)

• How to spot and avoid scams and malware in search results - The Washington Post

• Gay hookup site typosquatted to push dodgy Chrome extensions, scams (bleepingcomputer.com)

Mobile

• Google Patches Critical Vulnerabilities in Pixel Phones | SecurityWeek.Com

• Apple patches iPhone and macOS flaws under active attack • The Register

Internet of Things – IoT

• Securing your IoT devices against cyber attacks in 5 steps (bleepingcomputer.com)

• EU Wants to Toughen Cyber Security Rules for Smart Devices | SecurityWeek.Com

Data Breaches/Leaks

• Uber hacked, internal systems breached and vulnerability reports stolen (bleepingcomputer.com)

• LastPass says hackers had internal access for four days (bleepingcomputer.com)

• Hacker sells stolen Starbucks data of 219,000 Singapore customers (bleepingcomputer.com)

• U-Haul discloses data breach exposing customer driver licenses (bleepingcomputer.com)

• Hackers Compromise Employee Data at PVC-Maker Eurocell - Infosecurity Magazine (infosecurity-magazine.com)

Organised Crime & Criminal Actors

• Chinese-linked cyber crims nab $529 million from India • The Register

• Cyber Crime Forum Admins Steal from Site Users - Infosecurity Magazine (infosecurity-magazine.com)

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

• Police arrest man for laundering tens of millions in stolen crypto (bleepingcomputer.com)

• US regulators say multi-billion-dollar crypto lender Celsius was operating like a ponzi scheme | PC Gamer

• Hackers Targeting WebLogic Servers and Docker APIs for Mining Cryptocurrencies (thehackernews.com)

• Fake cryptocurrency giveaway sites have tripled this year (bleepingcomputer.com)

• Crypto Scams Skyrocket - IT Security Guru

• A Post-exploitation Look at Coinminers Abusing WebLogic Vulnerabilities (trendmicro.com)

• DOJ drops report on cryptocurrency crime efforts (techtarget.com)

• 76% Of Financial Institutions Plan On Using Crypto In The Next 3 Years (informationsecuritybuzz.com)

• How Can You Tell if a Cryptocurrency is Legitimate? Read Our Guide To Find Out - IT Security Guru

Insider Risk and Insider Threats

• 5 Ways to Mitigate Your New Insider Threats in the Great Resignation (thehackernews.com)

• Ex-Broadcom engineer asks for no prison in trade secret case • The Register

Fraud, Scams & Financial Crime

• Microsoft Edge’s News Feed ads abused for tech support scams (bleepingcomputer.com)

• Cops Raid Suspected Fraudster Penthouses - Infosecurity Magazine (infosecurity-magazine.com)

• How to spot and avoid scams and malware in search results - The Washington Post

• Tax fraud ring leader jailed for selling children’s stolen identities (bleepingcomputer.com)

AML/CFT/Sanctions

• Spanish police arrest ‘one of Europe’s biggest money launderers’ | Financial Times (ft.com)

Insurance

• Coalition Cyber Insurance - Small Businesses Prime Targets (informationsecuritybuzz.com)

Dark Web

• Documents For Sale on the Dark Web - IT Security Guru

Supply Chain and Third Parties

• Hackers breach software vendor for Magento supply-chain attacks (bleepingcomputer.com)

• WordPress sites backdoored after FishPig supply chain attack • The Register

Denial of Service DoS/DDoS

• DDoS Attacks on UK Firms Surge During Ukraine War - Infosecurity Magazine (infosecurity-magazine.com)

• Akamai stopped new record-breaking DDoS attack in Europe (bleepingcomputer.com)

Cloud/SaaS

• 5 ways to improve your cloud security posture (techtarget.com)

• Excess privilege in the cloud is a universal security problem, IBM says | CSO Online

• Organisations lack visibility into unauthorised public cloud data access - Help Net Security

• One-third of enterprises don’t encrypt sensitive data in the cloud | CSO Online

Attack Surface Management

• Cyber attack trends vs. growing IT complexity - Help Net Security

• Outdated infrastructure remains a problem against sophisticated cyber attacks - Help Net Security

Shadow IT

• Use shadow IT discovery to find unauthorized devices and apps (techtarget.com)

Encryption

• Keep Today's Encrypted Data From Becoming Tomorrow's Treasure (darkreading.com)

API

• Hackers Targeting WebLogic Servers and Docker APIs for Mining Cryptocurrencies (thehackernews.com)

• API security—and even visibility—isn’t getting handled by enterprises | CSO Online

• Bad bots are coming at APIs! How to beat the API bot attacks? - Help Net Security

Open Source

• When It Comes to Security, Don’t Overlook Your Linux Systems | SecurityWeek.Com

• 40% of pros scaled back back open source use over security • The Register

• You never walk alone: The SideWalk backdoor gets a Linux variant | WeLiveSecurity

Passwords, Credential Stuffing & Brute Force Attacks

• IHG Was Hacked Using Password “Qwerty1234” - LoyaltyLobby

Social Media

• Thwarting attackers in their favourite new playground: Social media - Help Net Security

• Twitter whistleblower tells Senate of ‘egregious’ security failings by company | Twitter | The Guardian

• Cyber attackers Abuse Facebook Ad Manager in Savvy Credential-Harvesting Campaign (darkreading.com)

Training, Education and Awareness

• Security Awareness Training Must Evolve to Align With Growing E-Commerce Security Threats (darkreading.com)

Parental Controls and Child Safety

• Cyber Crime Fears for Children as Cost-of-Living Bites - Infosecurity Magazine (infosecurity-magazine.com)

Regulations, Fines and Legislation

• 10 Steps to Successfully Navigate Cyber Security Compliance - MSSP Alert

Models, Frameworks and Standards

• Don’t Put Preparation on Pause: CMMC 2.0 is Coming Quicker Than You Think - MSSP Alert

Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine

• Montenegro Under Cyber Attack, Russia Blamed, All NATO States Would Be (informationsecuritybuzz.com)

• DDoS Attacks on UK Firms Surge During Ukraine War - Infosecurity Magazine (infosecurity-magazine.com)

• New Cyberespionage Group 'Worok' Targeting Entities in Asia | SecurityWeek.Com

• ShadowPad Threat Actors Return With Fresh Government Strikes, Updated Tools (darkreading.com)

Nation State Actors

Nation State Actors – Russia

• Montenegro Wrestles With Massive Cyber Attack, Russia Blamed | SecurityWeek.Com

• Russia’s cyber future connected at the waist to Soviet military industrial complex | CSO Online

Nation State Actors – North Korea

• North Korea-linked APT spreads tainted versions of PuTTY via WhatsApp - Security Affairs

Nation State Actors – Iran

• Iranian cyber spies use multi-persona impersonation in phishing threads | CSO Online

• Albania says Iranian hackers hit the country with another cyber attack - CyberScoop

• US, UK, Canada and Australia Link Iranian Government Agency to Ransomware Attacks | SecurityWeek.Com

• Iranian Hackers Target High-Value Targets in Nuclear Security and Genomic Research (thehackernews.com)

• Iranian Hackers Used Victims’ Printers to Issue Ransom Demands, DOJ Says (vice.com)

Vulnerability Management

• Backlogs larger than 100K+ vulnerabilities but too time-consuming to address - Help Net Security

Vulnerabilities

• Microsoft September 2022 Patch Tuesday fixes zero-day used in attacks, 63 flaws (bleepingcomputer.com)

• Adobe Patches 63 Security Flaws in Patch Tuesday Bundle | SecurityWeek.Com

• CISA orders agencies to patch vulnerability used in Stuxnet attacks (bleepingcomputer.com)

• Chrome 105 Update Patches High-Severity Vulnerabilities | SecurityWeek.Com

• Microsoft Teams stores auth tokens as cleartext in Windows, Linux, Macs (bleepingcomputer.com)

• Microsoft Quashes Actively Exploited Zero-Day, Wormable Critical Bugs (darkreading.com)

• Apple fixed the eighth actively exploited zero-day this year - Security Affairs

• Cisco Patches High-Severity Vulnerability in SD-WAN vManage | SecurityWeek.Com

• Over 280,000 WordPress Sites Attacked Using WPGateway Plugin Zero-Day Vulnerability (thehackernews.com)

• Over 280,000 WordPress sites may have been hijacked by zero-day hiding in popular plugin | TechRadar

• High-Severity Firmware Security Flaws Left Unpatched in HP Enterprise Devices (thehackernews.com)

• CISA added 2 more security flaws to its Known Exploited Vulnerabilities Catalog - Security Affairs

• ManageEngine Password Management Vulnerability and Patch: Details for MSPs, MSSPs - MSSP Alert

Reports Published in the Last Week

• Falcon OverWatch Threat Hunting Report 2022 | CrowdStrike

• Cyber Security: Benchmarking Security Gaps & Privileged Access (delinea.com)

Other News

• MSPs and cyber security: The time for turning a blind eye is over - Help Net Security

• Red Teaming to Reduce Cyber Risk (trendmicro.com)

• Organisations should fear misconfigurations more than vulnerabilities - Help Net Security

• Companies need data privacy plan before joining metaverse (techtarget.com)

• Lens reflections may betray your secrets in Zoom video calls • The Register

• US Government Wants Security Guarantees From Software Vendors | SecurityWeek.Com

• Serious Security: Browser-in-the-browser attacks – watch out for windows that aren’t! – Naked Security (sophos.com)

• The Cyber Security Head Game | Psychology Today South Africa

• Cyber Security Report: Average Data Breach in US Costs $9.4 Million - MSSP Alert

• 5 Best Practices for Building Your Data Loss Prevention Strategy (darkreading.com)

• Hands-on cyber attacks jump 50%, CrowdStrike reports | CSO Online

• Penetration Testing Report: Security Misconfiguration Is "Top Vulnerability" - MSSP Alert

• Twitter whistleblower: Lack of access, data controls invite exploitation | SC Media (scmagazine.com)

• Cost of Living Crisis Impact on Online Activity - IT Security Guru

• Attacker Apparently Didn't Have to Breach a Single System to Pwn Uber (darkreading.com)

• Zoom outage left users unable to sign in or join meetings (bleepingcomputer.com)

• Five ways your data may be at risk — and what to do about it (bleepingcomputer.com)

• Notepad++ Plugins Allow Attackers to Infiltrate Systems, Achieve Persistence - Infosecurity Magazine (infosecurity-magazine.com)

• Twitter's ex-security boss Zatko disses biz as dysfunctional • The Register

• Don't Let Your Home Wi-Fi Get Hacked. Here's What to Do - CNET

• How serious are organisations about their data sovereignty strategies? - Help Net Security

• Undermining Microsoft Teams Security By Mining Tokens (informationsecuritybuzz.com)

Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

·       Automotive

·       Construction

·       Critical National Infrastructure (CNI)

·       Defence & Space

·       Education & Academia

·       Energy & Utilities

·       Estate Agencies

·       Financial Services

·       FinTech

·       Food & Agriculture

·       Gaming & Gambling

·       Government & Public Sector (including Law Enforcement)

·       Health/Medical/Pharma

·       Hotels & Hospitality

·       Insurance

·       Legal

·       Manufacturing

·       Maritime

·       Oil, Gas & Mining

·       OT, ICS, IIoT, SCADA & Cyber-Physical Systems

·       Retail & eCommerce

·       Small and Medium Sized Businesses (SMBs)

·       Startups

·       Telecoms

·       Third Sector & Charities

·       Transport & Aviation

·       Web3

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

Protect Your Passwords, Warns Spy Chief, As Ransomware Cyber Attacks Double

Ransomware cyber attacks doubled in the past year, the chief of GCHQ has revealed - as he warned Britain must “pay attention” to attacks from China.

Sir Jeremy Fleming, director of the cyber spy agency, called for more action to "sort out" ransomware attacks across the UK, adding it was not "rocket science".

He said such attacks have doubled in the last year, with hackers using software to lock files on computers and stop victims from accessing their own data.

This essentially holds them hostage until the hackers receive payment and then give a decryption key to the victim, so they can regain access.

‘Criminals are making very good money from it’

Sir Jeremy said ransomware "just pays" and added that "criminals are making very good money from it and are often feeling that that's largely uncontested".

While cautious of “keeping up” with security challenges alongside European partners, he said the immediate priority was tackling “links between criminal and state actors” to defeat ransomware, which he said “is no mean feat in itself”. https://www.telegraph.co.uk/news/2021/10/25/ransomware-cyber-attacks-double-year-reveals-spy-chief/

Graff Multinational Jeweller Hit by Conti Gang. Data of its Rich Clients Are At Risk, Including Trump and Beckham, as the Gang Threaten to Release Private Details of World Leaders, Actors and Tycoons

The latest attack of the Conti ransomware gang makes the headlines, the threat actors hit high society jeweller Graff and asked the payment of a multi-million ransom to avoid leaking details of world leaders, actors and tycoons.

The customers of the company are the richest people on the globe, including Donald Trump, David Beckham, Tom Hanks, Samuel L Jackson, Alec Baldwin, and Sir Philip Green.

As proof of the hack, the group already published on its leak site files related to purchases made by David Beckham, Oprah, and Donald Trump.

The Conti gang has already leaked 69,000 confidential documents, leaked files include customer lists, invoices, receipts, and credit notes. https://securityaffairs.co/wordpress/123980/cyber-crime/conti-ransomware-graff-jeweller.html

Business Email Compromise (BEC) Costs UK Firms £140M Over Past Year

Reported business email compromise (BEC) incidents have hit 4600 cases over the past 12 months, costing individuals and businesses £138m in losses, according to new figures from the UK’s National Economic Crime Centre (NECC).

The government body is working with the National Crime Agency (NCA), City of London Police, banking group UK Finance and fraud prevention non-profit Cifas on a new campaign to raise awareness of the crime, also dubbed “mandate fraud” or “payment diversion fraud.”

It claimed that the average amount lost over those 4600 cases was £30,000, with criminals typically impersonating others and creating or amending invoices to trick victims into diverting money to accounts under their control. https://www.infosecurity-magazine.com/news/bec-costs-uk-firms-140m-past-year/

Ransomware: It's A 'Golden Era' For Cyber Criminals - And It Could Get Worse Before It Gets Better

Ransomware is the most significant cybersecurity threat facing organisations today as increasingly professional and sophisticated cyber criminals follow the money in order to maximise the profit from illicit campaigns.

ENISNA, the European Union Agency for Cybersecurity, has released the latest edition of the ENISA Threat Landscape (ETL) report, which analyses cyber-criminal activity between April 2020 and July 2021. It warns of a surge in cyber criminality, much of it driven by the monetisation of ransomware attacks.

Although the paper warns that many different cybersecurity threats are on the rise, ransomware represents the 'prime threat' faced by organisations today, with a 150% rise in ransomware attacks during the reporting period. And there are fears that despite the problem of ransomware attracting the attention of world leaders, the problem will get worse before it gets better. https://www.zdnet.com/article/ransomware-its-a-golden-era-for-cyber-criminals-and-it-could-get-worse-before-it-gets-better/

Despite Increased Cyber Threats, Many Organisations Have No Defence Plans In Place

98% of US executives report that their organisations experienced at least one cyber event in the past year, compared to a slightly lower rate of 84% in non-US executives, according to a Deloitte survey.

Further, COVID-19 pandemic disruption led to increased cyber threats to US executives’ organisations (86%) at a considerably higher rate than non-US executives experienced (63%). Yet, 14% of US executives say their organisations have no cyber threat defence plans, a rate more than double that of non-US executives (6%).

The biggest fallout US execs report from cyber incidents or breaches at their organisations during the past year include operational disruption (28%), share price drop (24%), leadership change (23%), intellectual property theft (22%) and loss of customer trust (22%).

Increases in data management, perimeter and complexities (38%), inability to match rapid technology changes (35%) and a need for better prioritization of cyber risk across the enterprise (31%) all pose obstacles to US executives’ organisation-wide cybersecurity management programs.

“No CISO or CSO ever wants to tell organisational stakeholders that efforts to manage cyber risk aren’t keeping-up with the speed of digital transformations made, or bad actors’ improving tactics”. https://www.helpnetsecurity.com/2021/10/28/threat-defence-plans/

Serious Warning Issued For Millions Of Apple iPhone Users

While iPhone 13 sales continue to soar, iPhones owners have faced growing security threats, multiple App Store scams, potential privacy violations and zero day hacks. Now a shocking account of extreme iPhone hacking has been revealed.

In a remarkable report, New York Times senior reporter Ben Hubbard has revealed how his iPhone was hacked multiple times over a period of several years, and without any human interaction or knowledge the attacks were taking place. And the experience results in a stark warning: “the spyware used against me makes us all vulnerable”.

“It’s like being robbed by a ghost,” explains Hubbard, recounting the experience. “I didn’t even have to click on a link for my phone to be infected.” https://www.forbes.com/sites/gordonkelly/2021/10/27/apple-iphone-warning-pegasus-hack-upgrade-ios-15-security/

Ransomware Attacks Are Evolving. Your Security Strategy Should, Too

Ransomware is an intensifying problem for all organisations, and it’s only going to get worse. What started as a floppy disk-based attack with a $189 ransom demands has grown from a minor inconvenience for organisations into a multi-billion dollar cyber crime industry.

The organisational threat of these types of attacks goes well beyond encryption of sensitive or mission-critical data – for many companies, the thought of a breach and data becoming publicly available on the internet makes a high ransom seem worth it. No wonder ransomware is on the rise: Organisations pay an average of $220,298 and suffer 23 days of downtime following an attack. https://threatpost.com/ransomware-attacks-evolving-security-strategy/175835/

Solarwinds Hackers Are Targeting The Global IT Supply Chain, Microsoft Says

The Russian-linked hacking group that’s been blamed for an attack on the US government and a significant number of private US companies last year is targeting key players in the global technology supply chain, according to cybersecurity experts at Microsoft.

Nobelium, as the hacking group is known, is infamous for the SolarWinds hack.

On Monday, Tom Burt, Microsoft corporate vice president of customer security and trust, said Nobelium has “been attempting to replicate the approach it has used in past attacks by targeting organisations integral to the global IT supply chain.”

“This time, it is attacking a different part of the supply chain: resellers and other technology service providers that customize, deploy and manage cloud services and other technologies on behalf of their customers” https://www.cnbc.com/2021/10/25/solarwinds-hackers-targeting-global-it-supply-chain-microsoft-says.html

Defenders Worry Orgs Are More Vulnerable Than Last Year

Enterprise security defenders find themselves in a rough spot: The number of threats against their organisations is growing and that they're vulnerable to attacks. Data from Dark Reading's 2021 Strategic Security Survey suggest that even though most IT and security leaders are confident about the security defences they have implemented, they also believe their organisations are more vulnerable to attacks compared with a year ago.

The reasons for this pessimism vary. For 67% of respondents, the biggest concern lies in the fact that there are more attacks this year than there were last year. However, 56% say the increased sophistication of the threats they are facing is why their organisations are more vulnerable to compromise. Other reasons include the surge in ransomware attacks and shortage of skilled security professionals to detect and respond to threats. https://www.darkreading.com/edge-threat-monitor/defenders-worry-orgs-are-more-vulnerable-than-last-year

Threats

Ransomware

• These Companies Are Most at Risk for Ransomware Attacks | PCMag

• Ransomware: How Bad Is It Going To Get? - Help Net Security

• As Fewer Victims Pay Ransoms, Conti Gang Looks To Sell Victim Data | Sc Media (Scmagazine.Com)

• Europol Announces “Targeting” Of 12 Suspects In Ransomware Attacks – Naked Security (Sophos.Com)

• Police Arrest Suspected Ransomware Hackers Behind 1,800 Attacks Worldwide (thehackernews.com)

• SEO Poisoning Used to Distribute Ransomware (darkreading.com)

• FBI Warns Of Ranzy Locker Ransomware Threat, As Over 30 Companies Hit (Tripwire.Com)

• Ransomware Has Disrupted Almost 1,000 Schools in the US This Year (vice.com)

• Chaos Ransomware Targets Gamers Via Fake Minecraft Alt Lists (Bleepingcomputer.Com)

Phishing

• These Phishing Emails Use QR Codes To Bypass Defences And Steal Microsoft 365 Usernames And Passwords | ZDNet

• Phishing as a Ransomware Precursor - MSP Insights - MSSP Alert

• Teen Rakes in $2.74M Worth of Bitcoin in Phishing Scam | Threatpost

Other Social Engineering

• How Deepfakes Enhance Social Engineering And Authentication Threats, And What To Do About It | CSO Online

Malware

• Squid Game Malware Might Be The Scariest Thing You See This Halloween | Techradar

• TA575 Criminal Group Using 'Squid Game' Lures For Dridex Malware | ZDNet

• Snake Malware Biting Hard On 50 Apps For Only $25 (Bleepingcomputer.Com)

• New WSlink Malware Loader Runs as a Server and Executes Modules in Memory (thehackernews.com)

Mobile

• 6 Ways Your Cell Phone Can Be Hacked—Are You Safe? (makeuseof.com)

• Millions Of Android Users Targeted In Subscription Fraud Campaign (Bleepingcomputer.Com)

• New AbstractEmu Malware Roots Android Devices, Evades Detection (Bleepingcomputer.Com)

IOT

• Cyber Criminals Take Aim at Connected Car Infrastructure (darkreading.com)

Vulnerabilities

• All Windows Versions Impacted By New LPE Zero-Day Vulnerability (Bleepingcomputer.Com)

• Google Releases Urgent Chrome Update to Patch 2 Actively Exploited 0-Day Bugs (thehackernews.com)

• Adobe's Surprise Security Bulletin Dominated by Critical Patches | Threatpost

• WordPress Plugin Bug Lets Subscribers Wipe Sites | Threatpost

• Over 1 Million WordPress Sites Affected by OptinMonster Plugin Flaws - Security Affairs

• Cisco SD-WAN Flaw Could Lead To Arbitrary Code Execution, Patch It Now! Security Affairs

Data Breaches/Leaks

• Millions Of Healthcare Records Reportedly Exposed In Mega Data Breach | Techradar

• Location Data Collection Firm Admits Privacy Breach - BBC News

• HIV Scotland Reveals Patient-Advocates' Names In Email Fail • The Register

Organised Crime & Criminal Actors

• Suspected Trickbot Malware Developer Faces 60 Years in Jail - Infosecurity Magazine (infosecurity-magazine.com)

• Reading INTERPOL the African Cyberthreat Assessment Report 2021 - Security Affairs

Dark Web

• Police Arrest 150 Dark Web Vendors Of Illegal Drugs And Guns (Bleepingcomputer.Com)

Supply Chain

• The SolarWinds Hackers Are Looking for Their Next Big Score | WIRED

• North Korean Lazarus Attackers Turn to the IT Supply Chain | Threatpost

• 6 Eye-Opening Statistics About Software Supply Chain Security (darkreading.com)

Nation State Actors

• North Korea-linked Lazarus APT targets the IT supply chainSecurity Affairs

• Microsoft Says Russia Hacked At Least 14 IT Service Providers This Year - The Record By Recorded Future

Other News

• All Sectors Are Now Prey as Cyber Threats Expand Targeting | Threatpost

• Attack The Block – How A Security Researcher Cracked 70% Of Urban WiFi Networks In One Hit | The Daily Swig (Portswigger.Net)

• Microsoft Warns Over Uptick In Password Spraying Attacks | ZDNet

• Increased Risk Tolerances Are Making Digital Transformation Programs Vulnerable - Help Net Security

• MITRE and CISA Publish The 2021 List of Most Common Hardware Weaknesses - Security Affairs

• Enterprises Allocating More IT Dollars on Cybersecurity (darkreading.com)

• Cyber-Attack Hits UK Internet Phone Providers - BBC News

• Despite Spending Millions On Bot Mitigation, 64% Of Organisations Lost Revenue Due To Bot Attacks - Help Net Security

• Threat Actor Leaks Mercedes-Benz Platform’s Source Code | CyberNews

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.