Threat Intelligence Blog
Contact us to discuss any insights from our Blog, and how we can support you in a tailored threat intelligence report.
Black Arrow Cyber Advisory 18 August 2023 – Critical Citrix ADC Backdoor Campaign
Black Arrow Cyber Advisory 18 August 2023 – Critical Citrix ADC Backdoor Campaign
This is an update following the 19 July Critical Citrix ADC and Gateway flaw actively exploited advisory by Black Arrow.
This is an update following the 19 July Critical Citrix ADC and Gateway flaw actively exploited advisory by Black Arrow.
Executive Summary
Following the previous advisory on the Citrix Netscaler ADC vulnerability (CVE-2023-3519), the NCC Group has identified that as of 14 August, 1828 Citrix NetScaler servers remain compromised or ‘backdoored’ by attackers. Approximately 69% of the servers that contain a backdoor have been updated to remediate the vulnerability and are no longer vulnerable to CVE-2023-3519. This means that the affected systems were compromised by a malicious actor prior to the updates being applied, allowing the malicious actor to establish persistent access to the systems even after the vulnerability has been remediated.
What’s the risk to me or my business?
Successful exploitation of the vulnerability prior to updating would allow an attacker to perform arbitrary code execution with administrator privileges. The main attack campaign is believed to have taken place between late 20 July to early 21 July. If updates were not applied to affected and vulnerable systems prior to this date, exploitation may have already taken place.
Further information on the vulnerability can be found on our previous advisory linked below.
What can I do?
If you have not already updated to a Citrix version that resolves this vulnerability, Black Arrow recommends applying these updates urgently. All affected systems, updated and vulnerable, should be scanned for indicators of compromise (IoC), Mandiant have released a tool that can help organisations to scan their Citrix devices for evidence of post-exploitation indicators. If IoC’s are identified, then forensic data should be secured by taking a copy of both the disk and the memory of the appliance before any remediation or investigative actions are completed. If evidence of persistence such as a webshell is found, then this should be investigated through threat hunting techniques to establish the extent of the incident whilst conducting containment and remediation activities.
More information on the NetScaler vulnerability:
Information on the Mandiant Tool:
https://github.com/mandiant/citrix-ioc-scanner-cve-2023-3519
Further information on the study of the exploited devices:
Previous Advisory: https://www.blackarrowcyber.com/blog/advisory-19-july-2023-citrix-vulns-exploited
Black Arrow Cyber Threat Briefing 21 July 2023
Black Arrow Cyber Threat Briefing 21 July 2023:
-Cyber Attacks Reach Two-Year High Amid Ransomware Resurgence as Financial Service Firms Lose $32 Billion in 5 Years
-MOVEit Body Count Closes in on 400 orgs, 20M+ Individuals
-IT Worker Jailed for Impersonating Ransomware Gang to Extort Employer
-Stabilising the Cyber Security Landscape: The CISO Exodus and the Rise of vCISOs
-Risk is Driving Medium-Sized Business Decisions
-Talent and Governance, Not Technology, are Key to Drive Change around Cyber Security
-Hybrid Work, Digital Transformation can Exploit Security Gaps
-Human Cyber-Risk Can Be Demonstrably Mitigated by Behaviour Changing Training
-AI Tool WormGPT Enables Convincing Fake Emails For BEC Attacks
-Pro-Russian Hacktivists Increase Focus on Western Targets
-Infosec Doesn't Know What AI Tools Orgs Are Using
-Google Restricting Internet Access to Some Employees to Reduce Cyber Attack Risk
-Unlocking Business Potential: How CISOs are Transforming Cyber Security into a Strategic Asset
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
Cyber Attacks Reach Two-Year High Amid Ransomware Resurgence as Financial Service Firms Lose $32 Billion in 5 Years
The average weekly volume of cyber attacks reached a two-year high in the second quarter of 2023 amid a spike in activity among ransomware groups according to Check Point Research, with healthcare in particular facing a significant year-on-year increase. The impact of ransomware hits every organisation, with separate research finding global financial services organisations having lost over $32bn in downtime since 2018 due to ransomware breaches.
A recent report found that the ransomware gangs LockBit and Cl0p alone accounted for nearly 40% of all recorded ransomware attacks across June 2023. The impact from Cl0p’s MOVEit attack alone has been felt by over 400 organisations since May 2023. One of the key takeaways from the MOVEit attack is that no matter the sector, any organisation can be a victim and as such it is essential to have effective controls in place, incorporating defence-in-depth. It’s worth considering how many organisations are still running vulnerable instances of MOVEit, or have someone in their supply chain who is.
https://www.infosecurity-magazine.com/news/ransomware-costs-financial-32bn/
MOVEit Body Count Closes in on 400 Organisations, 20M+ Individuals
The number of victims and the costs tied to the MOVEit file transfer hack continues to climb as the fallout from the massive supply chain attack enters week seven. In late May 2023, Russian ransomware gang Cl0p exploited a security hole in Progress Software's MOVEit product suite to steal documents from vulnerable networks. As of last week, the number of affected organisations was closing in on 400 and individual victims exceed 20 million.
The attack highlights the need for organisations to have policies and procedures in place for third parties, and to be aware of the data which a third party supplier has on them. It will be the organisation who will need to let their customers know in the event of a breach.
https://www.theregister.com/2023/07/20/moveit_victim_count/
IT Worker Jailed for Impersonating Ransomware Gang to Extort Employer
28-year-old Ashley Liles, a former IT employee, has been sentenced to over three years in prison for attempting to blackmail his employer during a ransomware attack. Liles, an IT security analyst at an Oxford-based company in the UK, exploited his position to intercept a ransomware payment following an attack suffered by his employer. To deceive the company, he impersonated the ransomware gang extorting them. He tried to redirect the ransomware payments by switching the cyber criminals' cryptocurrency wallet to one under his control. He also accessed a board member's private emails over 300 times.
Insider threat is a risk that organisations need to be aware of and, although it was malicious in this case, it can also come from employee negligence. Organisations looking to achieve a strong level of cyber resilience should incorporate insider risk into their training and controls.
Stabilising the Cyber Security Landscape: The CISO Exodus and the Rise of vCISOs
In today's evolving digital landscape, the role of a chief information security officer (CISO) is critical. These professionals defend against the rising tide of daily cyber threats. Yet many CISOs are leaving or considering leaving their jobs; this trend seems to reflect the intense pressure CISOs endure. They face a constant stream of complex cyber threats, manage compliance issues and struggle with a talent deficit in cyber security. Paired with high expectations, many reconsider their roles which can lead to a leadership gap.
A virtual CISO (vCISO) is an outsourced security practitioner who offers their expertise to businesses on a part-time or contractual basis. These professionals provide many of the same services as a traditional CISO, such as developing and implementing security strategies, ensuring compliance with regulations, training staff and managing a company's cyber security posture. vCISOs, such as from Black Arrow, are often part of a larger team and can bring a wide range of experiences and skills. They are exposed to diverse security landscapes across industries, and can provide a fresh perspective and innovative solutions to your security challenges. The vCISO model may not replace the need for a full-time CISO in all cases, but it can certainly add a flexible and cost-effective tool to the arsenal of businesses looking to bolster their cyber security posture.
Risk is Driving Medium-Sized Business Decisions
Small and medium sized businesses (SMBs) have long lacked the tools, expertise, staff and budget to make major cyber security investments. However, as threats become more mainstream and more advanced, the focus is shifting, so SMBs need to take the threats seriously and evaluate their cyber security controls.
In a survey of 140 SMBs, it was found that 40% of respondents believe they are very likely or extremely likely to experience a cyber security attack target in the next 12 months. That fear is founded, as 34% of organisations stated they experienced a malware attack in the past year, and 29% experienced a phishing or spear phishing incident. SMBs are putting their time, energy, and budget toward risk management. When it came to budgeting, 67% list their primary budgeting method as “risk-based”, and only 32% as “ad hoc/following an attack or breach”. It was found that over two-thirds of businesses would rather spend money now than pay a ransom later.
Talent and Governance, Not Technology, are Key to Drive Change Around Cyber Security
For the last 20 years, large organisations have been spending significant amounts of money on cyber security products and solutions, on managed services, or with consultancies large and small. Yet maturity levels remain elusive: a report found that 70% of firms surveyed had yet to fully advance to a mature-based approach. Cyber security good practices have been well established for the best part of the last 20 years and continue to provide, in most industries, an acceptable level of protection against most threats and an acceptable level of compliance against most regulations.
However cyber security is often viewed as something external to the business. This perspective leads to talent alienation and execution failures because the employees who should be invested in maintaining and improving cyber security may feel disconnected from these efforts. To make genuine progress, cyber security needs to be intrinsically linked to business values as a visible priority, owned and directed from the highest levels of an organisation.
This approach underlines the importance of governance in setting effective cyber security policies and procedures. It also highlights the crucial role of nurturing talent within the organisation to ensure active involvement in maintaining and improving cyber security measures. While technology is undoubtedly an essential element of cyber security, prioritising talent and governance can lead to lasting progress.
Hybrid Work, Digital Transformation can Exploit Security Gaps
A new study showed that larger organisations generally recognise malware threats but they lack protection against malicious actors and ways to properly remediate infections. The report revealed security leaders are concerned about attacks that leverage malware-exfiltrated authentication data. 53% say they are extremely concerned about attacks, with 1% of security leaders saying they weren’t concerned at all. 98% said that better visibility into at-risk applications would significantly improve their security posture.
The most overlooked entry points for malware include 57% of organisations allowing employees to sync browser data between personal and corporate devices. 54% of organisations struggle with shadow IT, due to employees’ unsanctioned adoption of applications and systems, creating gaps not only in visibility but also in basic security controls and corporate policies.
Human Cyber Risk Can Be Demonstrably Mitigated by Behaviour Changing Training
The process of encouraging secure cyber habits in end users is evolving from traditional awareness training toward changing end user behaviour. It reflects a growing acceptance that traditional methods haven’t worked. While traditional security awareness teaches users how to recognise social engineering, new behaviour changing trains the brain – almost pre-programs it – on the correct recognition and response to phishing.
What is considered a standard phishing email today may not be tomorrow, and changes in user behaviour will help to combat this. It is simply not enough to be shown one phishing email and be told to follow procedures. Training should instead be focused on going beyond; this should look to change how the user approaches things such as phishing, and gamifying the recognition and reporting of it.
AI Tool WormGPT Enables Convincing Fake Emails For BEC Attacks
A generative AI tool, WormGPT, has emerged as a powerful weapon in the hands of cyber criminals, specifically for launching business email compromise (BEC) attacks, according to new findings. The tool is designed for malicious purposes and has no restrictions on what a user can request. Such a tool allows for impeccable grammar in emails to reduce suspicion and allows sophistication with no restrictions on prompts. The lowered entry threshold enables cyber criminals with limited skills to execute sophisticated attacks, democratising the use of this technology.
https://www.infosecurity-magazine.com/news/wormgpt-fake-emails-bec-attacks/
https://www.independent.co.uk/tech/chatgpt-dark-web-wormgpt-hack-b2376627.html
Pro-Russian Hacktivists Increase Focus on Western Targets
‘Anonymous Sudan’, apparent pro-Russian hacktivists, claimed a one-hour distributed denial of service attack on the social platform OnlyFans last week. This was the latest in a string of operations aimed at targets in the US and Europe. The group’s digital assaults coincide with attacks coming from a broader network of hackers aligned with Moscow that seek attention by taking down high-profile victims and strategic targets; many of the targets support Ukraine in its ongoing war against Russia.
The pro-Russian group appears to be affiliated with Killnet, a pro-Russian hacktivist group that emerged in late 2021 or early 2022 and has claimed distributed denial of service (DDoS) attacks, data theft and leaks on perceived adversaries of the Russian government, according to an analysis from Google’s Mandiant released earlier this week. The collective’s apparent significant growth in capabilities, demonstrated by Microsoft’s confirmation that Anonymous Sudan was responsible for the outages they experienced, potentially indicates a significant increase in outside investment in the collective, further suggesting a potential tie to the Russian state.
https://cyberscoop.com/anonymous-sudan-killnet-russia-onlyfans/
Infosec Doesn't Know What AI Tools Organisations Are Using
With the marketplace awash in new artificial intelligence (AI) tools and new AI features being added to existing tools, organisations are finding themselves lacking visibility into what AI tools are in use, how they are used, who has access, and what data is being shared. As businesses try, adopt, and abandon new generative AI tools, it falls on enterprise IT, risk, and security leaders to govern and secure their use without hindering innovation. While developing security policies to govern AI use is important, it is not possible without knowing what tools are being used in the first place.
Enterprise security teams have to consider how to handle discovery, learning which generative AI tools have been introduced into the environment and by whom, as well as risk assessment.
https://www.darkreading.com/tech-trends/infosec-doesnt-know-what-ai-tools-orgs-are-using
Google Restricting Internet Access to Some Employees to Reduce Cyber Attack Risk
In a bid to shrink the attack surface of its employees, and thus boost security, Google is taking an experimental, and some might say extreme, approach: cutting some of their workstations off from the internet. The company originally selected more than 2,500 employees to participate and will disable internet access on the selected desktops, except for internal web-based tools and Google owned websites like Google Drive and Gmail. Some workers who need the internet to do their job will get exceptions, the company stated in materials.
Google is running the programme to reduce the risk of cyber attacks, according to internal materials. If a Google employee’s device is compromised, the attackers may have access to user data and infrastructure code, which could result in a major incident and undermine user trust. The program comes as companies face increasingly sophisticated cyber attacks. Just last week, Microsoft said Chinese intelligence hacked into company email accounts belonging to two dozen government agencies in the US and Western Europe, including the US State Department, in a “significant” breach.
https://www.theregister.com/2023/07/19/google_cuts_internet/
Unlocking Business Potential: How CISOs are Transforming Cyber Security into a Strategic Asset
Enterprises are responding to growing cyber security threats by working to make the best use of tools and services to ensure business resilience, according to a recent report. Chief information security officers (CISOs) and virtual CISOs (vCISOS) in particular, want more solutions and services that help them align security measures with enterprise objectives and C-level executives have become more aware of the need for cyber resilience. As a result, security investments have expanded beyond detection and response to include rapid recovery and business continuity.
The report found that amongst other things, enterprises are investing in risk assessments and outsourcing more services. In some cases, where a CISO cannot be hired, organisations may look to hire a vCISO. It is important that the vCISO is able to understand cyber in context to the business and help to align security objectives with the organisations objectives. Black Arrow supports clients as their vCISO with specialist experience in cyber security risk management in a business context.
https://www.blackarrowcyber.com/blog/threat-briefing-14-july-2023
Governance, Risk and Compliance
Risk is Driving Small and Medium-Sized Businesses (SMB) Decisions - MSSP Alert
Stabilising The Cyber security Landscape: The Rise Of vCISOs (forbes.com)
Talent and Governance, not Technology, are Key to Drive Change around Cyber Security - TechNative
Hybrid Work, Digital Transformation Can Exploit Security Gaps, Study Finds - MSSP Alert
Stress, data privacy, zero trust to shape cyber security trends | SC Media (scmagazine.com)
Network, IAM, cloud are 2023's top cyber security spend priorities | VentureBeat
CISOs are making cyber security a business problem - Help Net Security
Top Information Security Threats for Businesses 2023 (cybersecuritynews.com)
Best practices for an effective cyber security strategy | CSO Online
Exploring the macro shifts in enterprise security - Help Net Security
Google Cloud CISO Phil Venables On Cyber security, Cloud Adoption And The Boardroom (forbes.com)
Threats
Ransomware, Extortion and Destructive Attacks
MOVEit victim count closes in on 400 orgs, 20M+ individuals • The Register
Weekly cyber attacks reach two-year high amid ransomware resurgence | ITPro
Ransomware attacks are on the rise—and so are ransom payments (fastcompany.com)
IT worker jailed for impersonating ransomware gang to extort employer (bleepingcomputer.com)
Security Patch Management Strengthens Ransomware Defence (trendmicro.com)
The rise in ransomware attacks this year may be related to Russia's war in Ukraine : NPR
Cyber security firm Sophos impersonated by new SophosEncrypt ransomware (bleepingcomputer.com)
Trends in ransomware-as-a-service and cryptocurrency to monitor - Help Net SecurityFIN8 deploys ALPHV ransomware using Sardonic malware variant (bleepingcomputer.com)
Linux Ransomware Poses Significant Threat to Critical Infrastructure (darkreading.com)
Financial cyber crime syndicate deploys reworked backdoor malware | CyberScoop
Ransomware attackers getting more sophisticated: Canadian Centre for Cyber Security (yahoo.com)
SophosEncrypt Ransomware Fools Security Researchers (darkreading.com)
Mallox Ransomware Exploits Weak MS-SQL Servers to Breach Networks (thehackernews.com)
New Ransomware With RAT Capabilities Impersonating Sophos - SecurityWeek
Google’s Bard poses ransomware risk, say researchers | Cybernews
FIN8 Group spotted delivering the BlackCat Ransomware - Security Affairs
Cyber insurers adapting to data-centric ransomware threats | TechTarget
Shutterfly says Clop ransomware attack did not impact customer data (bleepingcomputer.com)
Ransomware Victims
MOVEit victim count closes in on 400 orgs, 20M+ individuals • The Register
Ofcom says it won’t pay ransom, as new MOVEit hack victims come forward | TechCrunch
MOVEit Transfer vulnerability: New Cl0p 'victims' include Discovery (techmonitor.ai)
BlackCat and Clop gangs both claim cyber attack on Estée Lauder | Computer Weekly
Iron ore giant Fortescue Metals targeted by Russian ransomware group | Cybercrime | The Guardian
Russian medical lab suspends some services after ransomware attack (therecord.media)
Recycling Giant Tomra Takes Systems Offline Following Cyber attack - SecurityWeek
Shutterfly says Clop ransomware attack did not impact customer data (bleepingcomputer.com)
Phishing & Email Based Attacks
Typo leaks millions of US military emails to Mali web operator | Financial Times (ft.com)
Microsoft Exchange servers compromised by Turla APT - Help Net Security
Microsoft takes pains to obscure role in 0-days that caused email breach | Ars Technica
Analysis of Storm-0558 techniques for unauthorised email access | Microsoft Security Blog
Only a handful of hackers are responsible for all email extortion attacks | TechRadar
Microsoft Tops List of the Most Impersonated Brand for Phishing Scams in Q2 2023 - MSSP Alert
Enhanced Monitoring to Detect APT Activity Targeting Outlook Online | CISA
Gmail encouraging users to enable Enhanced Safe Browsing (9to5google.com)
BEC – Business Email Compromise
Only a handful of hackers are responsible for all email extortion attacks | TechRadar
Nigerian Man Sentenced to 8 Years in US Prison for $8 Million BEC Scheme - SecurityWeek
Other Social Engineering; Smishing, Vishing, etc
Artificial Intelligence
ChatGPT rival WormGPT with ‘no ethical boundaries’ sold to hackers on dark web | The Independent
Infosec Doesn't Know What AI Tools Orgs Are Using (darkreading.com)
AI models must be reconciled with data protection laws • The Register
1 in 4 Brits play with generative AI and some believe it too • The Register
OpenAI credentials stolen by the thousands for sale on the dark web (bleepingcomputer.com)
AI must have better security, says top cyber official - BBC News
Google Categorises 6 Real-World AI Attacks to Prepare for Now (darkreading.com)
How to Use Generative AI Tools While Still Protecting Your Privacy | WIRED
Google’s Bard poses ransomware risk, say researchers | Cybernews
Malware
Microsoft: Hackers turn Exchange servers into malware control centers (bleepingcomputer.com)
Malicious USB Drives Targeting Global Targets with SOGU and SNOWYDRIVE Malware (thehackernews.com)
Financial cyber crime syndicate deploys reworked backdoor malware | CyberScoop
New SOHO Router Botnet AVrecon Spreads to 70,000 Devices Across 20 Countries (thehackernews.com)
Hackers Target Gamers With Microsoft-Signed Rootkit (darkreading.com)
Source code of the BlackLotus UEFI Bootkit was leaked on GitHub - Security Affairs
Are Viruses Still a Threat to Cyber security? (makeuseof.com)
Black Hat Hacker Exposes Real Identity After Infecting Own Computer With Malware - SecurityWeek
Pernicious Rootkits Pose Growing Blight On Threat Landscape (darkreading.com)
Mobile
Hackers Exploit WebAPK to Deceive Android Users into Installing Malicious Apps (thehackernews.com)
Meta confirms WhatsApp is down worldwide (bleepingcomputer.com)
Botnets
New SOHO Router Botnet AVrecon Spreads to 70,000 Devices Across 20 Countries (thehackernews.com)
Ukraine's cyber police dismantled a massive bot farm - Security Affairs
Denial of Service/DoS/DDOS
Cloudflare reports 'alarming surge' in DDoS sophistication, escalation in recent months | CyberScoop
Attackers intensify DDoS attacks with new tactics - Help Net Security
Internet of Things – IoT
How your internet-connected domestic devices can be a critical tool of cyber attack (mid-day.com)
US preparing Cyber Trust Mark for more secure smart devices (bleepingcomputer.com)
Seven new gadgets added to riskiest connected devices list | SC Media (scmagazine.com)
Data Breaches/Leaks
MOVEit Hack: Number of Impacted Organisations Exceeds 340 - SecurityWeek
Data compromises on track to set a new record - Help Net Security
Virustotal data leak exposed data of some registered customers - Security Affairs
What to do (and what not to do) after a data breach - Help Net Security
Thousands of images on Docker Hub leak auth secrets, private keys (bleepingcomputer.com)
Met Police ‘passed victims’ data to Facebook via online tracking tool’ | Evening Standard
LastPass: The lessons we learnt from our devastating breach | TechRadar
JumpCloud, an IT firm serving 200,000 orgs, says it was hacked by nation-state | Ars Technica
Rogue Azure AD Guests Can Steal Data via Power Apps (darkreading.com)
FIA World Endurance Championship driver passports leaked - Security Affairs
Typo leaks millions of US military emails to Mali web operator | Financial Times (ft.com)
Colorado State University says data breach impacts students, staff (bleepingcomputer.com)
Organised Crime & Criminal Actors
Only a handful of hackers are responsible for all email extortion attacks | TechRadar
Nigerian Man Sentenced to 8 Years in US Prison for $8 Million BEC Scheme - SecurityWeek
Owner of BreachForums Pleads Guilty to Cyber crime and Child Pornography Charges (thehackernews.com)
Genesis Market infrastructure and inventory sold on hacker forum (bleepingcomputer.com)
Black Hat Hacker Exposes Real Identity After Infecting Own Computer With Malware - SecurityWeek
Police arrests Ukrainian scareware developer after 10-year hunt (bleepingcomputer.com)
Extremist-friendly tech company closes after fine for securities fraud | Technology | The Guardian
Hacker Conversations: Inside the Mind of Daniel Kelley, ex-Blackhat - SecurityWeek
Go Beyond the Headlines for Deeper Dives into the Cyber criminal Underground (thehackernews.com)
Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain
Insider Risk and Insider Threats
IT worker jailed for impersonating ransomware gang to extort employer (bleepingcomputer.com)
Former contractor accused of remotely accessing town's water treatment facility | Tripwire
Insider Risk Management Starts With SaaS Security (darkreading.com)
Fraud, Scams & Financial Crime
Growing scam activity linked to social media and automation - Help Net Security
A fresh look at the current state of financial fraud - Help Net Security
Tech support scammers now accepting cash via snail mail • The Register
Extremist-friendly tech company closes after fine for securities fraud | Technology | The Guardian
The cruel new holiday scams you need to know about | This is Money
Airbnb-Related Scams Surge: Beware Of ‘Too Good To Be True’ Offers (forbes.com)
AML/CFT/Sanctions
Insurance
Cyber insurers adapting to data-centric ransomware threats | TechTarget
Strengthening Password Security may Lower Cyber Insurance Premiums (bleepingcomputer.com)
Dark Web
Genesis Market infrastructure and inventory sold on hacker forum (bleepingcomputer.com)
OpenAI credentials stolen by the thousands for sale on the dark web (bleepingcomputer.com)
Supply Chain and Third Parties
JumpCloud, an IT firm serving 200,000 orgs, says it was hacked by nation-state | Ars Technica
Google Cloud Build bug lets hackers launch supply chain attacks (bleepingcomputer.com)
Supply chain executives unaware of growing customer trust issues - Help Net Security
Possible Supply Chain Attack Targeting Pakistani Government Delivers Shadowpad (trendmicro.com)
Cloud/SaaS
Microsoft makes cloud security logs available for free • The Register
Microsoft Expands Cloud Logging to Counter Rising Nation-State Cyber Threats (thehackernews.com)
Network, IAM, cloud are 2023's top cyber security spend priorities | VentureBeat
Google Cloud Build bug lets hackers launch supply chain attacks (bleepingcomputer.com)
Three key unanswered questions about the Chinese breach of Microsoft cloud services | CyberScoop
TeamTNT's Cloud Credential Stealing Campaign Now Targets Azure and Google Cloud (thehackernews.com)
Hybrid/Remote Working
Hybrid Work, Digital Transformation Can Exploit Security Gaps, Study Finds - MSSP Alert
Securing The Hybrid Workforce Begins With Browsing (forbes.com)
Attack Surface Management
Identity and Access Management
Network, IAM, cloud are 2023's top cyber security spend priorities | VentureBeat
The rise of hassle-free and secure authentication | CyberScoop
Encryption
Real-world examples of quantum-based attacks - Help Net Security
EU Urged to Prepare for Quantum Cyber Attacks - Infosecurity Magazine (infosecurity-magazine.com)
Signal president rejects ‘mass surveillance’ UK law | Fortune
API
Docker Leaks API Secrets & Private Keys, as Cyber criminals Pounce (darkreading.com)
API keys: Weaknesses and security best practices | TechTarget
Open Source
Passwords, Credential Stuffing & Brute Force Attacks
LastPass: The lessons we learnt from our devastating breach | TechRadar
Millions of Keyboard Walk Patterns Found in Compromised Passwords - IT Security Guru
TeamTNT's Cloud Credential Stealing Campaign Now Targets Azure and Google Cloud (thehackernews.com)
Strengthening Password Security may Lower Cyber Insurance Premiums (bleepingcomputer.com)
Social Media
Growing scam activity linked to social media and automation - Help Net Security
Met Police ‘passed victims’ data to Facebook via online tracking tool’ | Evening Standard
Training, Education and Awareness
Security Awareness Training Isn’t Working - How Can We Improve It? - SecurityWeek
Companywide Cyber security Training: 20 Tips To Make It ‘Stick’ (forbes.com)
Digital Transformation
Travel
The cruel new holiday scams you need to know about | This is Money
Airbnb-Related Scams Surge: Beware Of ‘Too Good To Be True’ Offers (forbes.com)
Regulations, Fines and Legislation
AI models must be reconciled with data protection laws • The Register
Online Safety Bill Last chance for Lords to stop surveillance | Evening Standard
Models, Frameworks and Standards
Data Protection
Careers, Working in Cyber and Information Security
Career Benefits of Learning Ethical Hacking (analyticsinsight.net)
Should You Be Using a Cyber security Careers Framework? (darkreading.com)
Law Enforcement Action and Take Downs
Nigerian Man Sentenced to 8 Years in US Prison for $8 Million BEC Scheme - SecurityWeek
Owner of BreachForums Pleads Guilty to Cyber crime and Child Pornography Charges (thehackernews.com)
Police arrests Ukrainian scareware developer after 10-year hunt (bleepingcomputer.com)
Ukraine's cyber police dismantled a massive bot farm - Security Affairs
Privacy, Surveillance and Mass Monitoring
Online Safety Bill Last chance for Lords to stop surveillance | Evening Standard
Stress, data privacy, zero trust to shape cyber security trends | SC Media (scmagazine.com)
How to Use Generative AI Tools While Still Protecting Your Privacy | WIRED
Misinformation, Disinformation and Propaganda
Nation State Actors, Advanced Persistent Threats (APTs), Cyber Warfare and Cyber Espionage
Russia
The rise in ransomware attacks this year may be related to Russia's war in Ukraine : NPR
Gamaredon hackers start stealing data 30 minutes after a breach (bleepingcomputer.com)
Analysis of Storm-0558 techniques for unauthorised email access | Microsoft Security Blog
Microsoft Exchange servers compromised by Turla APT - Help Net Security
Pro-Russian hacktivists increase focus on Western targets. The latest is OnlyFans. | CyberScoop
Elon Musk’s Starlink is putting our soldiers at risk, Ukraine warns (telegraph.co.uk)
Thousands of Russian officials to give up iPhones over US spying fears | Financial Times (ft.com)
Ukraine innovates on cyber defence | Financial Times (ft.com)
China
Three key unanswered questions about the Chinese breach of Microsoft cloud services | CyberScoop
China Espionage Operatives Left Empty Handed in Email Heist, White House Official Says - MSSP Alert
Xi wants to make the Great Firewall of China even greater • The Register
North Korea
JumpCloud breach traced back to North Korean state hackers (bleepingcomputer.com)
North Korean hackers breached a US tech company to steal crypto | Reuters
Misc/Other/Unknown
JumpCloud, an IT firm serving 200,000 orgs, says it was hacked by nation-state | Ars Technica
APT Protection: The Key to Safeguarding Your Business (ts2.space)
How to Secure Your OT Network Against Advanced Persistent Threats (APTs) (ts2.space)
Microsoft Expands Cloud Logging to Counter Rising Nation-State Cyber Threats (thehackernews.com)
Vulnerability Management
CVSS 4.0 released, to help assess real-time threat and impact of vulnerabilities - Help Net Security
Security Patch Management Strengthens Ransomware Defence (trendmicro.com)
What is Vulnerability Assessment In Cyber security? (gbhackers.com)
Vulnerabilities
Windows Users Urged To Update As Microsoft Confirms New Zero-Day Exploits (forbes.com)
Microsoft still unsure how hackers stole Azure AD signing key (bleepingcomputer.com)
Microsoft takes pains to obscure role in 0-days that caused email breach | Ars Technica
CVE-2023-38408: Remote Code Execution in OpenSSH’s forwarded ssh-agent | Qualys Security Blog
New critical Citrix ADC and Gateway flaw exploited as zero-day (bleepingcomputer.com)
OpenSSH Addresses Remote Code Execution Vulnerability: CVE-2023-38408 - VULNERA
Adobe Rolls Out New Patches for Actively Exploited ColdFusion Vulnerability (thehackernews.com)
Cisco fixed a critical flaw in SD-WAN vManage - Security Affairs
Hacking campaign targets sites using WordPress WooCommerce Payments Plugin - Security Affairs
Microsoft hit by Storm season – a tale of two semi-zero days – Naked Security (sophos.com)
5 Major Takeaways From Microsoft's July Patch Tuesday (darkreading.com)
Two Jira Plugin Vulnerabilities in Attacker Crosshairs - SecurityWeek
Google says Apple employee found a zero-day but did not report it | TechCrunch
Tools and Controls
Network, IAM, cloud are 2023's top cyber security spend priorities | VentureBeat
Stress, data privacy, zero trust to shape cyber security trends | SC Media (scmagazine.com)
Leverage Threat Intelligence, AI, and Data at Scale to Boost Cyber Defences (darkreading.com)
A Few More Reasons Why RDP is Insecure (Surprise!) (thehackernews.com)
Enterprise communication security a growing risk, priority | TechTarget
MIT’s Cyber security Metior: A Secret Weapon Against Side-Channel Attacks (scitechdaily.com)
NCSC Shares Alternatives to Using a SOC - Infosecurity Magazine (infosecurity-magazine.com)
Microsoft's security roadmap: Protect Azure DevOps secrets • The Register
CISA shares free tools to help secure data in the cloud (bleepingcomputer.com)
What is the new Enhanced Safe Browsing for Gmail (and should you enable it)? | ZDNET
Insider Risk Management Starts With SaaS Security (darkreading.com)
67% of daily security alerts overwhelm SOC analysts - Help Net Security
Gmail encouraging users to enable Enhanced Safe Browsing (9to5google.com)
Microsoft Expands Cloud Logging to Counter Rising Nation-State Cyber Threats (thehackernews.com)
Microsoft makes cloud security logs available for free • The Register
Security Awareness Training Isn’t Working - How Can We Improve It? - SecurityWeek
API keys: Weaknesses and security best practices | TechTarget
Other News
Google restricting internet access to some employees for security (cnbc.com)
Enterprise communication security a growing risk, priority | TechTarget
Healthcare organisations in the crosshairs of cyber attackers - Help Net Security
Broadband consumers demand security and sustainability - Help Net Security
Microsoft Exchange Online hit by new outage blocking emails (bleepingcomputer.com)
Cyber security measures SMBs should implement - Help Net Security
Sector Specific
Industry specific threat intelligence reports are available.
Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.
· Automotive
· Construction
· Critical National Infrastructure (CNI)
· Defence & Space
· Education & Academia
· Energy & Utilities
· Estate Agencies
· Financial Services
· FinTech
· Food & Agriculture
· Gaming & Gambling
· Government & Public Sector (including Law Enforcement)
· Health/Medical/Pharma
· Hotels & Hospitality
· Insurance
· Legal
· Manufacturing
· Maritime
· Oil, Gas & Mining
· OT, ICS, IIoT, SCADA & Cyber-Physical Systems
· Retail & eCommerce
· Small and Medium Sized Businesses (SMBs)
· Startups
· Telecoms
· Third Sector & Charities
· Transport & Aviation
· Web3
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Threat Briefing 16 December 2022
Black Arrow Cyber Threat Briefing 16 December 2022:
-Executives Take More Cyber Security Risks Than Office Workers
-CISO Role is Diversifying from Technology to Leadership & Communication Skills
-How Emerging AIs, Like ChatGPT, Can Turn Anyone into a Ransomware and Malware Threat Actor
-Cyber Security Drives Improvements in Business Goals
-Incoming FCA Chair Says Crypto Firms Facilitate Money Laundering
-Managing Cyber Risk in 2023: The People Element
-What We Can't See Can Hurt Us
-Uber Suffers New Data Breach After Attack on Vendor, Info Leaked Online
-When Companies Compensate the Hackers, We All Foot the Bill
-HSE Cyber-Attack Costs Ireland $83m So Far
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
Executives Take More Cyber Security Risks Than Office Workers
IT software company Ivanti worked with cyber security experts and surveyed 6,500 executive leaders, cybersecurity professionals, and office workers to understand the perception of today’s cybersecurity threats and to find out how companies are preparing for yet-unknown future threats.
The report revealed that despite 97% of leaders and security professionals reporting their organisation is as prepared, or more prepared, to defend against cybersecurity attacks than they were a year ago, one in five wouldn’t bet a chocolate bar that they could prevent a damaging breach.
In fact, the study finds that organisations are racing to fortify against cyber attacks, but the industry still struggles with a reactive, checklist mentality. This is most pronounced in how security teams are prioritising patches. While 92% of security professionals reported they have a method to prioritise patches, they also indicated that all types of patches rank high – meaning none do.
“Patching is not nearly as simple as it sounds,” said Ivanti. “Even well-staffed, well-funded IT and security teams experience prioritisation challenges amidst other pressing demands. To reduce risk without increasing workload, organisations must implement a risk-based patch management solution and leverage automation to identify, prioritise, and even address vulnerabilities without excess manual intervention”.
Cyber security insiders view phishing, ransomware, and software vulnerabilities as top industry-level threats for 2023. Approximately half of respondents indicated they are “very prepared” to meet the growing threat landscape including ransomware, poor encryption, and malicious employees, but the expected safeguards such as deprovisioning credentials is ignored a third of a time and nearly half of those surveyed say they suspect a former employee or contractor still has active access to company systems and files.
The report also revealed that leaders engage in more dangerous behaviour and are four times more likely to be victims of phishing compared to office workers.
Additionally:
More than 1 in 3 leaders have clicked on a phishing link
Nearly 1 in 4 use easy-to-remember birthdays as part of their password
They are much more likely to hang on to passwords for years
And they are 5x more likely to share their password with people outside the company.
One survey taker shared, “We’ve experienced a few advanced phishing attempts and the employees were totally unaware they were being targeted. These types of attacks have become so much more sophisticated over the last two years – even our most experienced staff are falling prey to it.”
To cope with a rapidly expanding threat landscape, organisations must move beyond a reactive, rules-based approach.
CISO Role is Diversifying from Technology to Leadership & Communication Skills
The role of chief information security officer (CISO), a relatively new executive position, is undergoing some significant changes and an archetype has yet to emerge, a new global report from Marlin Hawk, an executive recruiting and leadership consultant, said.
CISOs are still more likely to serve on advisory boards or industry bodies than on the board of directors. Only 13% of the global CISOs analysed are women; approximately 20% are non-white. Each diversity dimension analysed is down one percentage point year-on-year.
According to James Larkin, managing partner at Marlin Hawk, “Today’s CISOs are taking up the mantle of responsibilities that have traditionally fallen solely to the chief information officer (CIO), which is to act as the primary gateway from the tech department into the wider business and the outside marketplace. This widening scope requires CISOs to be adept communicators to the board, the broader business, as well as the marketplace of shareholders and customers. By thriving in the ‘softer’ skill sets of communication, leadership, and strategy, CISOs are now setting the new industry standards of today and, I predict, will be progressing into the board directors of tomorrow.”
The job does not come without its downsides. For one, according to the search firm, many CISOs change roles and leave their jobs. Their skillset may not be adequate or new leaders get appointed to the job, they lack the necessary internal support, or their company may not have the required commitment to cyber security to make the job effective.
Key findings from the report include:
45% of global CISOs have been in their current role for two years or less, down from 53% in 2021, with 18% turnover year-on-year. While there is still a lot of movement in the CISO seat, there is potentially some stabilisation emerging.
Approximately 62% of global CISOs were hired from another company, indicating a slight increase in the number of CISOs hired internally (38% were hired internally compared to 36% in 2021) but a large gap remains in appropriate successors.
36% of CISOs analysed with a graduate degree received a higher degree in business administration or management. This is down 10% from last year (46% in 2021). Conversely, there has been an increase to 61% of CISOs receiving a higher degree in STEM subjects (up from 46% in 2021).
How Emerging AIs, Like ChatGPT, Can Turn Anyone into a Ransomware and Malware Threat Actor
Ever since OpenAI launched ChatGPT at the end of November, commentators on all sides have been concerned about the impact AI-driven content-creation will have, particularly in the realm of cybersecurity. In fact, many researchers are concerned that generative AI solutions will democratise cyber crime.
With ChatGPT, any user can enter a query and generate malicious code and convincing phishing emails without any technical expertise or coding knowledge.
While security teams can also leverage ChatGPT for defensive purposes such as testing code, by lowering the barrier for entry for cyber attacks, the solution has complicated the threat landscape significantly. From a cyber security perspective, the central challenge created by OpenAI’s creation is that anyone, regardless of technical expertise, can create code to generate malware and ransomware on-demand.
Whilst it can be used for good to assist developers in writing code for good, it can (and already has) been used for malicious purposes. Examples including asking the bot to create convincing phishing emails or assist in reverse engineering code to find zero-day exploits that could be used maliciously instead of reporting them to a vendor.
ChatGPT does have inbuilt guardrails designed to prevent the solution from being used for criminal activity. For instance, it will decline to create shell code or provide specific instructions on how to create shellcode or establish a reverse shell and flag malicious keywords like phishing to block the requests.
The problem with these protections is that they’re reliant on the AI recognising that the user is attempting to write malicious code (which users can obfuscate by rephrasing queries), while there’s no immediate consequences for violating OpenAI’s content policy.
https://venturebeat.com/security/chatgpt-ransomware-malware/
Cyber Security Drives Improvements in Business Goals
Cyber threats should no longer be viewed as just an IT problem, but also a business problem, Deloitte said in its latest Future of Cyber study. Operational disruption, loss of revenue, and loss of customer trust are the top three significant impacts of cyber incidents. More than half, or 56%, of respondents told Deloitte they suffered related consequences to a moderate or large extent.
In 2021, the top three negative consequences from cyber incidents and breaches were operational disruption, which includes supply chain and the partner ecosystem, intellectual property theft, and a drop in share price. While operational disruption remained the top concern in 2022, loss of revenue and loss of customer trust and negative brand impact moved up in importance. Intellectual property theft and drop in share price dropped to eighth and ninth (out of ten) in ranking. Losing funding for a strategic initiative, loss of confidence in the integrity of the technology, and impact on employee recruitment and retention moved up in ranking in 2022. Respondents were also asked to mark two consequences they felt would be most important in 2023: Operational disruption and loss of revenue topped the list.
"Today, cyber means business, and it is difficult to overstate the importance of cyber as a foundational and integral business imperative," Deloitte noted in its report. "It [cyber] should be included in every functional area, as an essential ingredient for success—to drive continuous business value, not simply mitigate risks to IT."
Deloitte categorised organisations' cyber security maturity based on their adoption of cyber planning, risk management, and board engagement. Risk management included activities such as industry benchmarking, incident response, scenario planning, and qualitative and quantitative risk assessment.
Whether or not the organisation adopted any of these three practices hinged on stakeholders recognising the importance of cyber responsibility and engagement across the whole organisation, Deloitte said in its report. Examples included having a governing body that comprises IT and senior business leaders to oversee the cyber program, conducting incident-response scenario planning and simulation at the organisational and/or board level, regularly providing cyber updates to the board to secure funding, and conducting regular cyber awareness training for all employees.
https://www.darkreading.com/edge-threat-monitor/cybersecurity-drives-improvements-in-business-goals
Incoming FCA Chair Says Crypto Firms Facilitate Money Laundering
The man who will lead UK efforts to regulate cryptocurrency firms issued a stark condemnation of the sector on Wednesday, telling MPs that in his experience crypto platforms were “deliberately evasive”, facilitated money laundering at scale and created “massively untoward risk”.
The comments from Ashley Alder, the incoming chair of the Financial Conduct Authority, suggest that crypto firms hoping to build businesses in the UK will face an uphill battle when the FCA assumes new powers to regulate broad swaths of the sector.
They also put Alder, who will become FCA chair in February, on a potential collision course with the government’s aspiration to create a high quality crypto hub that fosters innovation, a vision ministers have remained loyal to even as the global crypto market lurches from crisis to crisis, epitomised by the collapse of FTX. The FCA declined to comment on whether their incoming chair’s views were at odds with those of the government.
Alder comments came during a sometimes terse appointment hearing with the cross-party Treasury select committee, where he faced sustained criticism for appearing virtually from Hong Kong and for his lack of familiarity with some parts of the UK market place and its accountability structures.
https://www.ft.com/content/7bf0a760-5fb5-4146-b757-1acc5fc1dee5
Managing Cyber Risk in 2023: The People Element
2022 has had many challenges from cyber war between Russia and Ukraine, continuing ransomware attacks, and a number of high-profile vulnerabilities and zero day attacks. With the attack surface constantly expanding, CISOs and security leaders are acutely aware of the need to minimise risk across people, processes, and technology.
Top infrastructure risk: people
It’s common knowledge that it’s not if, but when, your organisation will be the target of a cyber attack. CISOs and security leaders seem to share the same opinion—according to Trend Micro’s latest Cyber Risk Index (CRI) (1H’2022), 85% of 4,100 respondents across four global regions said its somewhat to very likely they will experience a cyber attack in the next 12 months. More concerning was 90% of respondents had at least one successful cyber attack in the past 12 months.
The CRI (1H’2022) also found that CISOs, IT practitioners, and managers identified that most organisations’ IT security objectives are not aligned with the business objectives, which could cause challenges when trying to implement a sound cyber security strategy.
It’s important to note that while ideal, avoiding a cyber attack isn’t the main goal—companies need to address critical challenges across their growing digital attack surface to enable faster detection and response, therefore minimising cyber risk.
While it's commonly assumed that security efforts should be largely focused on protecting critical servers and infrastructure, the human attack vector shouldn’t be so quickly forgotten.
https://www.trendmicro.com/en_us/ciso/22/e/managing-cyber-risk.html
What We Can't See Can Hurt Us
In speaking with security and fraud professionals, visibility remains a top priority. This is no surprise, since visibility into the network, application, and user layers is one of the fundamental building blocks of both successful security programs and successful fraud programs. This visibility is required across all environments — whether on-premises, private cloud, public cloud, multicloud, hybrid, or otherwise.
Given this, it is perhaps a bit surprising that visibility in the cloud has lagged behind the move to those environments. This occurred partially because few options for decent visibility were available to businesses as they moved to the cloud. But it also partially happened because higher priority was placed on deploying to the cloud than on protecting those deployments from security and fraud threats.
This is unfortunate, since what we can't see can hurt us. That being said, cloud visibility is becoming a top priority for many businesses. There are a few areas where many businesses are looking for visibility to play a key role, including Compliance, Monitoring, Investigation, Response, API Discovery, Application Breaches, and Malicious User Detection.
Organisation have been a bit behind in terms of ensuring the requisite visibility into cloud environments. Whilst time has been lost, it does seem that gaining visibility into the network, application, and user layers is now a priority for many businesses. This is a positive development, as it enables those businesses to better mitigate the risks that operating blindly creates.
https://www.darkreading.com/edge-articles/what-we-can-t-see-can-hurt-us
Uber Suffers New Data Breach After Attack on Vendor, Info Leaked Online
Uber has suffered a new data breach after a threat actor leaked employee email addresses, corporate reports, and IT asset information stolen from a third-party vendor in a cyber security incident.
On Saturday last week, a threat actor named 'UberLeaks' began leaking data they claimed was stolen from Uber and Uber Eats on a hacking forum known for publishing data breaches. The leaked data includes numerous archives claiming to be source code associated with mobile device management platforms (MDM) used by Uber and Uber Eats and third-party vendor services.
The threat actor created four separate topics, allegedly for Uber MDM at uberhub.uberinternal.com and Uber Eats MDM, and the third-party Teqtivity MDM and TripActions MDM platforms. Each post refers to a member of the Lapsus$ hacking group who is believed to be responsible for numerous high-profile attacks, including a September cyber attack on Uber where threat actors gained access to the internal network and the company's Slack server.
News outlet BleepingComputer has been told that the newly leaked data consists of source code, IT asset management reports, data destruction reports, Windows domain login names and email addresses, and other corporate information. One of the documents seen by BleepingComputer includes email addresses and Windows Active Directory information for over 77,000 Uber employees.
While BleepingComputer initially thought this data was stolen during the September attack, Uber told BleepingComputer it believes it is related to a security breach on a third-party vendor.
When Companies Compensate the Hackers, We All Foot the Bill
Companies are always absorbing costs that are seen as par for the course of budget planning: maintenance, upgrades, office supplies, wastage, shrinkage, etc. These costs ratchet up the price of a company's products and are then passed on to the consumer. Breaches in cyber security and paying out ransoms to hackers should be outside of this remit, and yet more than half of all companies admit to transferring the costs of data breaches on to consumers. Careless or ill-informed employees and other weaknesses in a company's protections lead to catastrophic losses to businesses of around $1,797,945 per minute — and the consumers are paying it off.
If a company estimates the recovery costs from a ransomware attack to exceed the requested payment from the hacker, then it feels like a no-brainer — they're better off just cutting their losses and giving in to the cyber criminal's demands. The issue is that this creates an unvirtuous circle of paying the hacker, which enforces nefarious behaviour and empowers hackers to increase the number and volume of ransoms.
When it comes to ransomware, 32% of companies pay off hackers, and, of that percentage, the average company only retrieves about 65% of its data. Giving in to hackers is counterintuitive. On an even more disturbing note, one study found that 80% of companies that paid a ransom were targeted a second time, with about 40% paying again and a majority of that 40% paying a higher ransom the second time round. This is ludicrous. With 33% of companies suspending operations following an attack, and nearly 40% resorting to laying off staff, it comes as no surprise that the downstream costs are picked up to some extent by the consumer.
As for smaller companies, about 50% of US small businesses don't have a cyber security plan in place, despite the fact that small businesses are three times more likely to be targeted by cyber criminals than larger companies. An average breach costs these companies around $200,000 and has put many out of business. It isn't simply the cost passed on to consumers, it's also the intangible assets, such as brand reputation.
When data is leaked and a site goes down, customers become rightly anxious when their information is sold to the highest bidder on the Dark Web. To safeguard against this, companies of all sizes should exploit automated solutions while training every single member of staff to recognise and report online threats. Paying a ransom does not guarantee the return of data, and for a smaller business, losing valuable customer information could cause long-term damage way beyond the initial attack.
Cyber security professionals, governments, and law enforcement agencies all advise companies to avoid paying the hackers' ransoms. This strategy is affirmed by the success businesses have had in retrieving the stolen data and turning the lights back on — 78% of organisations who say they did not pay a ransom were able to fully restore systems and data without the decryption key. This evidently is not enough to reassure companies who, at the click of a dangerous email being opened, have lost sensitive information and access to their systems and are desperate to get back online. There are many preventative techniques businesses can take advantage of before it even gets to that stage.
HSE Cyber-Attack Costs Ireland $83m So Far
The cost of the cyber-attack that hit the Irish Health Service Executive (HSE) last year has officially reached €80m ($83.75m).
The figures come from a letter from HSE’s chief information officer, seen by The Irish Times. This comes months after the Department of Health suggested in February the attack could end up costing up to €100m ($104m). The letter confirmed that the costs reached €42m ($43.97m) in 2021 and almost €39m ($40.83m) until October of this year.
Ireland has a very capable national cyber security centre and a well-oiled CSIRT team that engages the public/private sector. If the cost does continue to escalate to €100m, that is the equivalent to everyone in the Republic of Ireland having been defrauded by €20. According to The Irish Times, the costs were said to be “enormous,” and the government has been asked to complete a comprehensive assessment of the impact caused by the breach.
The cyber-attack, believed to have been conducted by Russia-based state actors, was reportedly caused by a malicious Microsoft Excel file delivered via a phishing email. According to a December 2021 report, the file was opened at an HSE workstation in March 2021. The malware would have been latent for two months before the breach, which was reportedly discovered in May, two months later. A total of roughly 100,000 people had their personal data stolen during the cyber-attack.
Healthcare continues to be a target of attacks given their enormous attack surface across critical applications, cloud environments and IoT devices.
https://www.infosecurity-magazine.com/news/hse-cyber-attack-ireland-dollar83m/
Threats
Ransomware, Extortion and Destructive Attacks
HSE Cyber-Attack Costs Ireland $83m So Far - Infosecurity Magazine (infosecurity-magazine.com)
Ransomware-hit Rackspace email outage enters 12th day • The Register
The Dark Web is Getting Darker - Ransomware Thrives on Illegal Markets (bleepingcomputer.com)
Rash of New Ransomware Variants Springs Up in the Wild (darkreading.com)
Patch Tuesday: Microsoft Plugs Windows Hole Exploited in Ransomware Attacks | SecurityWeek.Com
Preventing a ransomware attack with intelligence: Strategies for CISOs - Help Net Security
LockBit ransomware crew claims attack on California Department of Finance - CyberScoop
When Companies Compensate the Hackers, We All Foot the Bill (darkreading.com)
Clop ransomware uses TrueBot malware for access to networks (bleepingcomputer.com)
TrueBot infections were observed in Clop ransomware attacks - Security Affairs
Play ransomware claims attack on Belgium city of Antwerp (bleepingcomputer.com)
Brooklyn hospital network victim of cyber hack crash (msn.com)
Cyber security Experts Uncover Inner Workings of Destructive Azov Ransomware (thehackernews.com)
Cybereason warns of rapid increase in Royal ransomware | TechTarget
New Royal ransomware group evades detection with partial encryption | CSO Online
How ChatGPT can turn anyone into a ransomware and malware threat actor | VentureBeat
Check Point classifies Azov as wiper, not ransomware | TechTarget
Phishing & Email Based Attacks
Open-source repositories flooded by 144,000 phishing packages (bleepingcomputer.com)
Phishing attack uses Facebook posts to evade email security (bleepingcomputer.com)
BEC – Business Email Compromise
Other Social Engineering; Smishing, Vishing, etc
Malware
Microsoft digital certificates have once again been abused to sign malware | Ars Technica
Hackers target Japanese politicians with new MirrorStealer malware (bleepingcomputer.com)
Zscaler: Nearly 90% of Cyber attacks Now Use Encrypted Channels, Malware Tops - MSSP Alert
Crooks use HTML smuggling to spread QBot malware via SVG files - Security Affairs
A clever trick turns antivirus software into unstoppable data wiping scourges | TechSpot
How ChatGPT can turn anyone into a ransomware and malware threat actor | VentureBeat
Mobile
Android Malware Campaign Leverages Money-Lending Apps to Blackmail Victims (thehackernews.com)
Why You Should Enable Apple’s New iOS 16.2 Security Feature | Reviews by Wirecutter (nytimes.com)
Xnspy stalkerware spied on thousands of iPhones and Android devices | TechCrunch
Internet of Things – IoT
3.5m IP cameras exposed, with US in the lead - Security Affairs
Are robots too insecure for lethal use by law enforcement? | CSO Online
10 Ways Doorbell Cameras Pose a Threat to Privacy and Security - Listverse
Data Breaches/Leaks
Uber suffers new data breach after attack on vendor, info leaked online (bleepingcomputer.com)
Twitter confirms recent user data leak is from 2021 breach (bleepingcomputer.com)
HR platform Sequoia says hackers accessed customer SSNs and COVID-19 data | TechCrunch
Australia's Telstra suffers privacy breach, 132,000 customers impacted | Reuters
Unauthorised server access caused AirAsia data leak: Fahmi | Malaysia | The Vibes
FBI's InfraGard Cyber security Program Breached by Hackers (gizmodo.com)
Aussie Data Breaches Surge 489% in Q4 2022 - Infosecurity Magazine (infosecurity-magazine.com)
Uber staff information leaks after IT supply chain attack • The Register
TPG Telecom joins list of hacked Australian companies, shares slide | Reuters
How companies can avoid costly data breaches - Help Net Security
Hackers leak personal info allegedly stolen from 5.7M Gemini users (bleepingcomputer.com)
Organised Crime & Criminal Actors
Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain
Incoming FCA chair says crypto firms facilitate money laundering | Financial Times (ft.com)
Britons lose life savings to ‘Ali Baba and the cryptocurrency scammers’ | News | The Times
DOJ divided over charging Binance for alleged crypto crimes, report says | Ars Technica
Facebook Asks Lawmakers Not to Regulate Crypto Too Harshly Just Because of All the Fraud (vice.com)
The amateur sleuths who helped to bring down Sam Bankman-Fried - New Statesman
Hackers leak personal info allegedly stolen from 5.7M Gemini users (bleepingcomputer.com)
Insider Risk and Insider Threats
Executives take more cyber security risks than office workers - Help Net Security
Managing Cyber Risk in 2023: The People Element (trendmicro.com)
Fraud, Scams & Financial Crime
Britons lose life savings to ‘Ali Baba and the cryptocurrency scammers’ | News | The Times
Restaurant closes after fraudsters posing as officials steal thousands | News | The Times
Woman gets 66 months in prison for role in $3.3 million ID fraud op (bleepingcomputer.com)
Patrick Giblin conned women all over the US. Now he's going to prison for 5 years | CNN
UK arrests five for selling dodgy point of sale software • The Register
The amateur sleuths who helped to bring down Sam Bankman-Fried - New Statesman
8 charged with conspiracy to commit securities fraud • The Register
AML/CFT/Sanctions
Insurance
Dark Web
Supply Chain and Third Parties
Uber staff information leaks after IT supply chain attack • The Register
Report highlights serious cyber security issues with US defence contractors | CSO Online
Software Supply Chain
How Naming Can Change the Game in Software Supply Chain Security (darkreading.com)
Microsoft digital certificates have once again been abused to sign malware | Ars Technica
Denial of Service DoS/DDoS
FBI Charges 6, Seizes 48 Domains Linked to DDoS-for-Hire Service Platforms (thehackernews.com)
Prosecutors charge 6 people for allegedly waging massive DDoS attacks | Ars Technica
‘Booter’ sites taken down in global cyber crime bust (gbnews.uk)
Microsoft discovers Windows/Linux botnet used in DDoS attacks | Ars Technica
Cloud/SaaS
Microsoft launches EU 'data boundary' from next year • The Register
HR platform Sequoia says hackers accessed customer SSNs and COVID-19 data | TechCrunch
Lego fixes dangerous API vulnerability in BrickLink service | TechTarget (computerweekly.com)
Data Destruction Policies in the Age of Cloud Computing (darkreading.com)
Hybrid/Remote Working
Encryption
Zscaler: Nearly 90% of Cyber attacks Now Use Encrypted Channels, Malware Tops - MSSP Alert
The FBI Says Apple’s New Encryption Is “Deeply Concerning” (futurism.com)
Over 85% of Attacks Hide in Encrypted Channels - Infosecurity Magazine (infosecurity-magazine.com)
Privacy advocates are aghast at UK’s anti-encryption plans (thenextweb.com)
API
Open Source
Google Launches OSV-Scanner Tool to Identify Open Source Vulnerabilities (thehackernews.com)
Open-source repositories flooded by 144,000 phishing packages (bleepingcomputer.com)
Passwords, Credential Stuffing & Brute Force Attacks
Social Media
TikTok may push potentially harmful content to teens within minutes, study finds | CNN Business
Meta warns spyware still being used to target people on social media | Meta | The Guardian
Elon Musk Bans Journalists From Twitter After Reinstating Nazis (gizmodo.com)
Russian disinformation rampant on far-right social media platforms - CyberScoop
HowTo: Fight Cyber-Threats in the Metaverse - Infosecurity Magazine
US politicians propose TikTok ban over China security concerns (telegraph.co.uk)
Training, Education and Awareness
Keep Your Grinch at Bay: Here's How to Stay Safe Online this Holiday Season (thehackernews.com)
Remote Work Cyber security Requires a Change in Mindset (informationsecuritybuzz.com)
Parental Controls and Child Safety
TikTok may push potentially harmful content to teens within minutes, study finds | CNN Business
Microsoft Teams is a vector for child sexual abuse material • The Register
Cyber Bullying, Cyber Stalking and Sextortion
Xnspy stalkerware spied on thousands of iPhones and Android devices | TechCrunch
Proposed law offers support to tech-enabled abuse survivors • The Register
Regulations, Fines and Legislation
Privacy concerns are limiting data usage abilities - Help Net Security
European Commission takes step toward approving EU-US data privacy pact | Computerworld
Governance, Risk and Compliance
Managing Cyber Risk in 2023: The People Element (trendmicro.com)
Executives take more cyber security risks than office workers - Help Net Security
Cyber security Drives Improvements in Business Goals (darkreading.com)
Compliance Is Not Enough: How to Manage Your Customer Data (darkreading.com)
5 tips for building a culture of cyber security accountability - Help Net Security
Data Destruction Policies in the Age of Cloud Computing (darkreading.com)
What CISOs consider when building up security resilience - Help Net Security
CISO Role is Diversifying From Technology to Leadership & Communication Skills - MSSP Alert
Models, Frameworks and Standards
Why PCI DSS 4.0 Should Be on Your Radar in 2023 (thehackernews.com)
PCI Secure Software Standard version 1.2 sets out new payment security requirements | CSO Online
Backup and Recovery
Why Your MSSP Should Offer Backup-as-a-Service (BaaS) - MSSP Alert
CISA Warns Veeam Backup & Replication Vulnerabilities Exploited in Attacks | SecurityWeek.Com
Data Protection
Careers, Working in Cyber and Information Security
Law Enforcement Action and Take Downs
FBI Charges 6, Seizes 48 Domains Linked to DDoS-for-Hire Service Platforms (thehackernews.com)
Prosecutors charge 6 people for allegedly waging massive DDoS attacks | Ars Technica
8 charged with conspiracy to commit securities fraud • The Register
Privacy, Surveillance and Mass Monitoring
Privacy advocates are aghast at UK’s anti-encryption plans (thenextweb.com)
Apple should pay €6m for tracking users – French official • The Register
European Commission takes step toward approving EU-US data privacy pact | Computerworld
Privacy concerns are limiting data usage abilities - Help Net Security
Artificial Intelligence
Are robots too insecure for lethal use by law enforcement? | CSO Online
How ChatGPT can turn anyone into a ransomware and malware threat actor | VentureBeat
Misinformation, Disinformation and Propaganda
Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine
Trojanized Windows 10 Operating System Installers Targeted Ukrainian Government | Mandiant
Reassessing cyberwarfare. Lessons learned in 2022 | Securelist
As Wiretap Claims Rattle Government, Greece Bans Spyware | SecurityWeek.Com
Ex-Twitter Worker Gets Prison Time in Saudi 'Spy' Case | SecurityWeek.Com
Reassessing cyberwarfare. Lessons learned in 2022 | Securelist
Nation State Actors
Nation State Actors – Russia
Seven accused of smuggling out US military tech for Moscow • The Register
Neo-Nazi Russian militia appeals for intelligence on Nato member states | Ukraine | The Guardian
NSA cyber director warns of Russian digital assaults on global energy sector - CyberScoop
Russian disinformation rampant on far-right social media platforms - CyberScoop
Nation State Actors – China
NSA Outs Chinese Hackers Exploiting Citrix Zero-Day | SecurityWeek.Com
US politicians propose TikTok ban over China security concerns (telegraph.co.uk)
Hackers target Japanese politicians with new MirrorStealer malware (bleepingcomputer.com)
US to add Chinese chipmaker to trade blacklist | Financial Times (ft.com)
AIIMS cyber attack suspected to have originated in China, Hong Kong - Rediff.com India News
Spies and Lies by Alex Joske — inside China’s intelligence operation | Financial Times (ft.com)
Nation State Actors – North Korea
Nation State Actors – Iran
Vulnerability Management
Transitive Dependencies Account for 95% of Bugs - Infosecurity Magazine (infosecurity-magazine.com)
24% of technology applications contain high-risk security flaws - Help Net Security
Vulnerabilities
Hackers exploit critical Citrix ADC and Gateway zero day, patch now (bleepingcomputer.com)
CISA Warns Veeam Backup & Replication Vulnerabilities Exploited in Attacks | SecurityWeek.Com
Adobe Patches 38 Flaws in Enterprise Software Products | SecurityWeek.Com
VMware fixed critical VM Escape bug demonstrated at Geekpwn hacking contest - Security Affairs
Samba Issues Security Updates to Patch Multiple High-Severity Vulnerabilities (thehackernews.com)
Fortinet says SSL-VPN pre-auth RCE bug is exploited in attacks (bleepingcomputer.com)
Transitive Dependencies Account for 95% of Bugs - Infosecurity Magazine (infosecurity-magazine.com)
Citrix Releases Security Updates for Citrix ADC, Citrix Gateway | CISA
Security Flaw in Atlassian Products Affecting Multiple Companies (darkreading.com)
Patch Tuesday: 0-days, RCE bugs, and a curious tale of signed malware – Naked Security (sophos.com)
Patch Tuesday: Microsoft Plugs Windows Hole Exploited in Ransomware Attacks | SecurityWeek.Com
New Actively Exploited Zero-Day Vulnerability Discovered in Apple Products (thehackernews.com)
Apple patches everything, finally reveals mystery of iOS 16.1.2 – Naked Security (sophos.com)
Apple fixed the tenth actively exploited zero-day this year - Security Affairs
High-Severity Memory Safety Bugs Patched With Latest Chrome 108 Update | SecurityWeek.Com
Top 5 Web App Vulnerabilities and How to Find Them (thehackernews.com)
Severe vulnerabilities found in most industrial controllers - The Washington Post
Akamai WAF bypassed via Spring Boot to trigger RCE | The Daily Swig (portswigger.net)
Tools and Controls
CISA Warns Veeam Backup & Replication Vulnerabilities Exploited in Attacks | SecurityWeek.Com
Why Your MSSP Should Offer Backup-as-a-Service (BaaS) - MSSP Alert
Data Destruction Policies in the Age of Cloud Computing (darkreading.com)
Other News
Cyber Threats Loom as 5B People Prepare to Watch World Cup Final (darkreading.com)
Tech companies must start sharing intelligence to avert global conflicts | Financial Times (ft.com)
Microsoft Defender, Avast, AVG turned against Windows to permanently delete files - Neowin
Analysis Shows Attackers Favour PowerShell, File Obfuscation (darkreading.com)
Automated Cyber campaign Creates Masses of Bogus Software Building Blocks (darkreading.com)
12 types of wireless network attacks and how to prevent them | TechTarget
FuboTV says World Cup streaming outage caused by a cyber attack (bleepingcomputer.com)
MTTR “not a viable metric” for complex software system reliability and security | CSO Online
Low-code/no-code security risks climb as tools gain traction | TechTarget
Sector Specific
Industry specific threat intelligence reports are available.
Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.
· Automotive
· Construction
· Critical National Infrastructure (CNI)
· Defence & Space
· Education & Academia
· Energy & Utilities
· Estate Agencies
· Financial Services
· FinTech
· Food & Agriculture
· Gaming & Gambling
· Government & Public Sector (including Law Enforcement)
· Health/Medical/Pharma
· Hotels & Hospitality
· Insurance
· Legal
· Manufacturing
· Maritime
· Oil, Gas & Mining
· OT, ICS, IIoT, SCADA & Cyber-Physical Systems
· Retail & eCommerce
· Small and Medium Sized Businesses (SMBs)
· Startups
· Telecoms
· Third Sector & Charities
· Transport & Aviation
· Web3
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Advisory 09/11/2022 – Patches available for Three Citrix Vulnerabilities
Black Arrow Cyber Advisory 09/11/2022 – Patches available for Three Citrix Vulnerabilities
Executive Summary
Citrix has released patches to address three vulnerabilities present within Citrix Gateway and Citrix Application Delivery Controller (ADC). The vulnerabilities could allow a malicious attacker to gain unauthorised access, remote desktop takeover and bypass brute force protection on the affected products. Customers using Citrix-managed cloud services do not need to take any action to address these issues.
What’s the risk to me or my business?
These vulnerabilities could lead to a remote user gaining unauthorised access to Gateway user capabilities, ability to takeover a remote desktop session and the ability to bypass brute force protection which in turn could be used to access business data through these servers leading to further compromise.
What can I do?
Contact your Managed Service Provider to confirm if Citrix Gateway and Citrix ADC is currently being used s for you organisation and confirm if the vulnerabilities is being managed and patched in line with Citrix guidance.
Technical Summary
Only limited technical details have been supplied by Citrix so far relating to the three vulnerabilities.
CVE-2022-27510: A critical rated remote authentication bypass vulnerability which does not currently have a CVSS 3.1 rating, which allows for a remote attacker to bypass authentication using an alternate path or channel, granting user capabilities. It is important to note that only appliances that are operating as a Gateway, using the SSL VPN functionality, or being deployed as an ICA proxy with authentication enabled are affected by this vulnerability.
CVE-2022-27513: A remote desktop takeover via phishing vulnerability which does not currently have a CVSS 3.1 rating, which allows for an attacker to take advantage of insufficient verification of Data Authenticity to takeover a remote desktop session using phishing. It is important to note that the only appliances configured as a VPN Gateway with RDP Proxy functionality configured are affected by this vulnerability.
CVE-2022-27516: A brute force protection bypass vulnerability which does not currently have a CVSS 3.1 rating, which allows for an attacker to take advantage of a protection mechanism failure to brute force credentials on the user login. It is important to note that only appliances configured as a VPN gateway or AAA virtual server with the user lockout functionality “Max Login Attempts” configured are affected by this vulnerability.
Further details can be found here: https://support.citrix.com/article/CTX463706/citrix-gateway-and-citrix-adc-security-bulletin-for-cve202227510-cve202227513-and-cve202227516
Need help understanding your gaps, or just want some advice? Get in touch with us.