Threat Intelligence Blog
Contact us to discuss any insights from our Blog, and how we can support you in a tailored threat intelligence report.
Black Arrow Cyber Threat Briefing 09 December 2022
Black Arrow Cyber Threat Briefing 09 December 2022:
-Economic Uncertainty Will Greatly Impact the Spread of Cyber Crime
-Cyber Security Resilience Emerges as Top Priority as 62% of Companies Say Security Incidents Impacted Business Operations
-Cyber Security Should Focus on Managing Risk
-Fear of Cyber Attacks Drives SMBs to Spend More on Software
-Business Email Compromise (BEC) Fraud Attacks Expand Beyond Email and Toward Mobile Devices
-Ransomware Professionalisation Grows as Ransomware-as-a-Service (RaaS) Takes Hold
-Automated Dark Web Markets Sell Corporate Email Accounts For $2
-Cloud Hosting Provider Rackspace Warns of Phishing Risks Following Ransomware Attack
-Security Concerns Scupper Deals for Two-Thirds of Firms
-Microsoft Encourages 'Strong Cyber Hygiene' in Light of Increasing Russian Cyber Attacks
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
Economic Uncertainty Will Greatly Impact the Spread of Cyber Crime
Norton released its top cyber trends to watch in 2023, emphasising that the economy will have the greatest impact on the spread of cyber crime next year. Experts predict the pressures associated with economic uncertainty and rising costs will create the perfect environment for scammers to take advantage of people when they are more vulnerable.
It’s expected that cyber criminals will trick victims into surrendering personal information, emptying their bank accounts, or spending money for products, services or “lottery winnings” that never arrive. “We anticipate scammers will continue to prey on the vulnerability of people as economic pressures rise in 2023,” said Norton.
“Cyber criminals love to exploit seasonal opportunities, and consumers are facing a perfect storm of rising prices in the middle of the busiest shopping season of the year when scammers are particularly active. Scams are always harder to detect during the holiday season because consumers expect deep discounts and may believe prices that would normally seem too good to be true. This year, inflation and other unfavourable macroeconomic factors are likely to make people particularly eager to find good deals and they may therefore be at greater risk than in previous years. Taking a few proactive steps today could help you to be safer all year long.”
https://www.helpnetsecurity.com/2022/12/06/economic-uncertainty-cybercrime/
Cyber Security Resilience Emerges as Top Priority, as 62% of Companies Say Security Incidents Impacted Business Operations
Cyber security resilience is a top priority for companies as they look to defend against a rapidly evolving threat landscape, according to the latest edition of Cisco's annual Security Outcomes Report.
Resilience has emerged as a top priority as a staggering 62 percent of organisations surveyed said they had experienced a security event that impacted business in the past two years. The leading types of incidents were network or data breaches (51.5 percent), network or system outages (51.1 percent), ransomware events (46.7 percent) and distributed denial of service attacks (46.4 percent).
These incidents resulted in severe repercussions for the companies that experienced them, along with the ecosystem of organisations they do business with. The leading impacts cited include IT and communications interruption (62.6 percent), supply chain disruption (43 percent), impaired internal operations (41.4 percent) and lasting brand damage (39.7 percent).
With stakes this high, it is no surprise that 96 percent of executives surveyed for the report said that security resilience is high priority for them. The findings further highlight that the main objectives of security resilience for security leaders and their teams are to prevent incidents, and mitigate losses when they occur.
Technology is transforming businesses at a scale and speed never seen before. While this is creating new opportunities, it also brings with it challenges, especially on the security front. To be able to tackle these effectively, companies need the ability to anticipate, identify, and withstand cyber threats, and if breached be able to rapidly recover from one. That is what building resilience is all about.
Security, after all, is a risk business. As companies don't secure everything, everywhere, security resilience allows them to focus their security resources on the pieces of the business that add the most value to an organisation, and ensure that value is protected.
Cyber Security Should Focus on Managing Risk
Preventing all data breaches is an unrealistic goal. Instead, focus on finding and minimising the greatest risks.
There is a common misconception that all problems have clear, straightforward solutions — as long as you look hard enough. While this is a bold and ambitious goal, it's misguided when applied to cyber security. Organisations cannot prevent data breaches or cyberattacks altogether, and avoiding a breach or cyber incident is nearly impossible in the modern era. Organisations can, however, take steps to reduce an attack's negative impacts.
Eradicating risk is an impractical goal because you cannot "solve" something that constantly changes. To understand the risks you need to think like an attacker.
Threat actors are, first and foremost, opportunistic. They will always look for the easiest targets to maximise their financial gain. So intimately understanding an organisation's level of risk is the first step to managing and reducing it — and making yourself less of a target.
In line with Verizon’s "Data Breach Investigations Report" (DBIR) the four critical ways that threat actors most frequently use to compromise organisations large and small are credential compromise, phishing, vulnerability exploitation, and botnets, and these are the areas organisations should look reduce risks.
https://www.darkreading.com/edge-articles/cybersecurity-should-focus-on-managing-risk
Fear of Cyber Attacks Drives SMBs to Spend More on Software
Despite fears of a looming recession, small and medium sized businesses (SMBs) are spending more on software in 2023, according to Capterra’s 2023 SMB Software Buying Trends Survey. 75% of US SMBs estimate they’ll spend more on software in 2023 compared to 2022.
Alongside increased software budgets, Capterra’s survey of over 500 SMBs reveals four other major trends in software buying behaviours and challenges that will impact businesses in 2023:
Fearful of cyber attacks, US businesses rate security as a top motivator for software purchases
Implementation concerns are SMBs’ biggest purchase barrier
Most SMB software purchases are solely handled by IT, disregarding other important stakeholders
Customer reviews sway purchase decisions, and verified reviews are critical
Despite the expected increase in software investments, many US SMBs regret their technology purchases. 61% of US SMBs say they have buyer’s remorse over a technology purchase in the past 12-18 months. Inadequate support services (39%) and higher-than-anticipated costs (34%) are the top reasons behind such regrets.
https://www.helpnetsecurity.com/2022/12/07/smbs-software-spending-2023/
Business Email Compromise (BEC) Fraud Attacks Expand Beyond Email and Toward Mobile Devices
Business email compromise (BEC) scams have been increasingly targeting mobile devices, particularly with SMS-focused attacks. According to a new advisory by cyber security specialists at Trustwave, the trend indicates a broader shift towards phishing scams via text messages.
“Phishing scams are prevalent in the SMS threat landscape, and now, BEC attacks are also going mobile,” reads the report. Trustwave further added that scammers typically obtain mobile numbers from data breaches, social media and data brokers, among other methods. After that, attackers ask victims for a wire transfer, send a copy of an aging report or change a payroll account, luring them into paying for something that should be reimbursed later (but never will).
BEC attacks will always be here so long as they remain profitable. Their continued profitability proves that employee cyber security behaviour is neglected and mismanaged by the compliance-based approach to security awareness.
Security culture needs a reformation that begins with transforming the human layer into an asset which, when empowered by the right training and platform, augments the protect-detect-respond pillars of the [National Institute of Standards and Technology] NIST framework.
Trustwave’s findings were also confirmed in SlashNext’s State of Phishing 2022 report, which recently highlighted a 50% increase in attacks on mobile devices, with scams and credential theft at the top of the list of payloads. The document also suggested 83% of organisations reported that mobile device threats had been growing more quickly than other device threats.
https://www.infosecurity-magazine.com/news/bec-attacks-expand-toward-mobile/
Ransomware Professionalisation Grows as Ransomware-as-a-Service (RaaS) Takes Hold
Ransomware groups are getting their acts together, growing in sophistication and business acumen while monetising ransomware beyond encryption, including double and triple extortion, as the market for ransomware-as-a-service (RaaS) matures.
In first half of 2022, LockBit, Conti, Alphv, Black Basta, and Vice Society were among the most prolific ransomware gangs, focusing their attack on US-based organisations, according to a LookingGlass report on the topic.
The report confirmed and attributed 1,133 ransomware attacks in the first six months of the year and attributed 207 data leaks across all active threat actor groups throughout the same period. Of the more than 1,300 incidents, the bulk came from the top 15 most active ransomware groups, led by LockBit, Conti, and Alphv.
Ransomware gangs have primarily targeted two sectors during the analysis period: manufacturing and industrial products, followed by engineering and construction and healthcare and life sciences, with the consumer and retail industry rounding out the top five.
The report highlighted the rise of sophisticated software and networks as a principal contributor to the professionalisation of ransomware, with malicious actors now offering RaaS, bug bounties, sales teams, and even customer support.
“This new, more professional ransomware structure can only mean that the problem will continue to grow in the months ahead," the report noted. "We anticipate the adoption of more traditional business practices as the underground economy continues to remain robust”.
Automated Dark Web Markets Sell Corporate Email Accounts For $2
Cyber crime marketplaces are increasingly selling stolen corporate email addresses for as low as $2 to fill a growing demand by hackers who use them for business email compromise and phishing attacks or initial access to networks.
Analysts at Israeli cyber-intelligence firm KELA have closely followed this trend, reporting at least 225,000 email accounts for sale on underground markets.
The largest webmail shops are Xleet and Lufix, claiming to offer access to over 100k breached corporate email accounts, with prices ranging between $2 and $30, if not more, for highly-desirable organisations.
Typically, these accounts were stolen via password cracking (brute-forcing) or credential stuffing, had their credentials stolen through phishing, or were bought from other cyber criminals.
Hackers use their access to corporate email accounts in targeted attacks like business email compromise (BEC), social engineering, spear-phishing, and deeper network infiltration.
Cloud Hosting Provider Rackspace Warns of Phishing Risks Following Ransomware Attack
Cloud computing provider Rackspace warned customers on Thursday of increased risks of phishing attacks following a ransomware attack affecting its hosted Microsoft Exchange environment.
While the company is still investigating the incident and is working on bringing affected systems back online, it says that cyber criminals might also take advantage and exploit this incident for their own purposes.
"If you do receive a message from an individual you do not recognise, do not reply. Please login to your control panel and create a ticket, including details about the message you received," Rackspace said. "We understand that contact such as this may be alarming, but we currently have no evidence to suggest that you are at increased risk as a result of this direct contact."
Rackspace added that customers could easily spot scammers attempting to steal their sensitive information since:
Emails from Rackspace will be sent from @rackspace.com emails (although attackers might still use a spoofed email address and redirect their targets to a landing phishing page)
Rackspace support will not ask for login credentials or personal information (e.g., social security number, driver's license) during phone calls
Even though the company is yet to reveal if it has any evidence that the attackers have stolen data from its systems during the breach, customers were advised to remain vigilant and monitor their credit reports and banking account statements for suspicious activity.
Some customers are also reporting an increase in phishing emails impersonating Rackspace since the ransomware attack. Those affected by the Rackspace ransomware attack and outage should not open any suspicious email attachments or click any suspicious links.
Security Concerns Scupper Deals for Two-Thirds of Firms
Two-thirds (67%) of global organisations have admitted to losing out on acquiring potential customers due to concerns about their security posture, according to LogRhythm.
The security vendor polled 1175 security professionals and executives across five continents to compile its latest report, The State of the Security Team 2022. It found that security due diligence among customers and partners is increasingly rigorous.
Some 91% of respondents said that their security strategy must now align with customers’ security policies and standards, while 85% claimed their company must provide proof that they meet partners’ security requirements.
There was more worrying news from the report: 70% of respondents reported an increase in workplace stress for security teams, with nearly a third (30%) citing a “significant” increase. Among the key stress factors highlighted in the study were growing attack sophistication, greater responsibilities and increasing attack frequency.
Two-fifths (41%) claimed that better integrated solutions would help to relieve these pressures, while a similar number (42%) pointed to the need for more experienced security professionals. The latter would seem unlikely, given the coming recession’s likely impact on budgets, and persistent industry skills shortages. The gap is now 3.4 million globally, including 56,800 in the UK, a massive 73% year-on-year increase, according to ISC2.
https://www.infosecurity-magazine.com/news/security-concerns-scupper-deals/
Microsoft Encourages 'Strong Cyber Hygiene' in Light of Increasing Russian Cyber Attacks
Microsoft is gearing up for a slew of Russian cyber attacks this winter, and warns others to stay vigilant. Between missiles, drones, and cyber attacks the onslaught against Ukraine has been a brutal one, and reportedly only set to get worse in the coming months.
"Moscow has intensified its multi-pronged hybrid technology approach to pressure the sources of Kyiv’s military and political support," says Microsoft in a recent blog post. "Recent attacks in Poland suggest that Russian state-sponsored cyber attacks may increasingly be used outside Ukraine in an effort to undermine foreign-based supply chains."
In late October, Russian forces were pushed from formerly occupied territory, retaliating with missile, drone, and cyber strikes that left much of Kyiv in need of simple running water.
The Russian group known to Microsoft as IRIDIUM (aka Sandworm) is thought to be working with the Russian intelligence service, the GRU, in coordinated efforts to inflict suffering on the people of Ukraine. The group has been at large for almost a decade, as Microsoft notes, "Following Russia’s annexation of Crimea in 2014, IRIDIUM launched a series of wintertime operations against Ukrainian electricity providers, cutting power to hundreds of thousands of citizens in 2015 and 2016."
Threats
Ransomware, Extortion and Destructive Attacks
Ransomware Professionalization Grows as RaaS Takes Hold (darkreading.com)
Medibank share price slumps ahead of major shutdown and cyber security overhaul (fool.com.au)
Rackspace confirms ransomware behind days-long email outage • The Register
Vice Society: Profiling a Persistent Threat to the Education Sector (paloaltonetworks.com)
Wiper, Disguised as Fake Ransomware, Targets Russian Orgs (darkreading.com)
Never-before-seen malware is nuking data in Russia’s courts and mayors’ offices | Ars Technica
Rackspace rocked by ‘security incident’ in hosted Exchange • The Register
Open Source Ransomware Toolkit Cryptonite Turns Into Accidental Wiper Malware (thehackernews.com)
Understanding NIST CSF to assess your organisation's Ransomware readiness (thehackernews.com)
New Ransom Payment Schemes Target Executives, Telemedicine – Krebs on Security
South Pacific vacations may be wrecked by ransomware • The Register
Gartner: 5 Considerations for I&O Leaders Planning Against Ransomware Attacks - IT Security Guru
Intersport Data Posted On Hive Dark Web Blog - Information Security Buzz
Vice Society Ransomware Attackers Targeted Dozens of Schools in 2022 (thehackernews.com)
Education sector hit by Hive ransomware in November | TechTarget
Ransomware attack forces French hospital to transfer patients (bleepingcomputer.com)
CommonSpirit Health ransomware attack exposed data of 623,000 patients (bleepingcomputer.com)
Ransomware Gang Steals Employee and Customer Data From LJ Hooker (vice.com)
Phishing & Email Based Attacks
Rackspace warns of phishing risks following ransomware attack (bleepingcomputer.com)
Phishing in the Cloud: We're Gonna Need a Bigger Boat (darkreading.com)
Phishing scammers impersonate WhatsApp by buying a top ad spot on Google | PC Gamer
How to Recognize Phishing Emails: Cyber security Experts Give Advice - WSJ
Investment Fraud Gang May Have Made $500m - Infosecurity Magazine (infosecurity-magazine.com)
BEC – Business Email Compromise
Other Social Engineering; Smishing, Vishing, etc
Infostealer Malware Market Booms, as MFA Fatigue Sets In (darkreading.com)
Hardening Identities With Phish-Resistant MFA (darkreading.com)
'I had £8,000 stolen but Revolut won't refund it' - BBC News
Malware
Infostealer Malware Market Booms, as MFA Fatigue Sets In (darkreading.com)
Malware Authors Inadvertently Take Down Own Botnet (darkreading.com)
Artifact Poisoning in GitHub Actions Imports Malware via Software Pipelines (darkreading.com)
Mobile
Code of practice for app store operators and app developers - GOV.UK (www.gov.uk)
Android malware apps with 2 million installs spotted on Google Play (bleepingcomputer.com)
Privacy changes set Apple at odds with UK government over online safety bill | Apple | The Guardian
Android malware infected 300,000 devices to steal Facebook accounts (bleepingcomputer.com)
Android December 2022 security updates fix 81 vulnerabilities (bleepingcomputer.com)
Telcom and BPO Companies Under Attack by SIM Swapping Hackers (thehackernews.com)
Darknet's Largest Mobile Malware Marketplace Threatens Users Worldwide (thehackernews.com)
SIM swapper gets 18-months for involvement in $22 million crypto heist (bleepingcomputer.com)
Compromised Android keys used to sign info-stealing malware • The Register
Largest mobile malware marketplace identified by Resecurity in the Dark Web - Security Affairs
Internet of Things – IoT
How IoT is changing the threat landscape for businesses - Help Net Security
What's the Matter with digital trust in smart home devices? - Help Net Security
Security Risks Found in Millions of XIoT Devices - Infosecurity Magazine (infosecurity-magazine.com)
Self-Propagating 'Zerobot' Botnet Targeting Spring4Shell, IoT Vulnerabilities | SecurityWeek.Com
Data Breaches/Leaks
Popular HR and Payroll Company Sequoia Discloses a Data Breach | WIRED
Personal data of 10,000 Australians found for sale online | 7NEWS
Stolen data of 600,000 Indians sold on bot markets so far - study | Reuters
Organised Crime & Criminal Actors
Of Exploits and Experts: The Professionalization of Cyber Crime (darkreading.com)
Economic uncertainty will greatly impact the spread of cyber crime - Help Net Security
Automated dark web markets sell corporate email accounts for $2 (bleepingcomputer.com)
DHS Cyber Safety Board to review Lapsus$ gang’s hacking tactics (bleepingcomputer.com)
BlackProxies proxy service increasingly popular among hackers (bleepingcomputer.com)
Chart: Cyber crime Expected To Skyrocket in Coming Years | Statista
Metaparasites: The cyber criminals who rip each other off • Graham Cluley
Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain
North Korean Hackers Spread AppleJeus Malware Disguised as Cryptocurrency Apps (thehackernews.com)
Microsoft: Hackers target cryptocurrency firms over Telegram (bleepingcomputer.com)
UK finalises plans for regulation of ‘wild west’ crypto sector | Financial Times (ft.com)
North Korean Lazarus Group Linked to New Cryptocurrency Hacking Scheme – Security Bitcoin News
Insider Risk and Insider Threats
Fraud, Scams & Financial Crime
Even cyber criminals fall for online scams: $2.5m last year • The Register
'I had £8,000 stolen but Revolut won't refund it' - BBC News
Suspects arrested for hacking US networks to steal employee data (bleepingcomputer.com)
Australia arrests 'Pig Butchering' suspects for stealing $100 million (bleepingcomputer.com)
Cyber criminals are scamming each other, tipping off law enforcement - Help Net Security
Elon Musk "Freedom Giveaway" crypto scam promoted via Twitter lists (bleepingcomputer.com)
SIM swapper gets 18-months for involvement in $22 million crypto heist (bleepingcomputer.com)
Metaparasites: The cyber criminals who rip each other off • Graham Cluley
Investment Fraud Gang May Have Made $500m - Infosecurity Magazine (infosecurity-magazine.com)
Deepfakes
AML/CFT/Sanctions
Insurance
What you should know when considering cyber insurance in 2023 | CSO Online
Cyber Insurance Policy Underwriting Explained (trendmicro.com)
Dark Web
Supply Chain and Third Parties
Antwerp's city services down after hackers attack digital partner (bleepingcomputer.com)
Transport And Shipping Beware – Supply Chains Under Attack - Information Security Buzz
Popular HR and Payroll Company Sequoia Discloses a Data Breach | WIRED
Software Supply Chain
Denial of Service DoS/DDoS
3 Types Of DDoS Attack Types You Should Care About - Information Security Buzz
Microsoft warning after DDoS attack disrupts Russian bank • The Register
Cloud/SaaS
Phishing in the Cloud: We're Gonna Need a Bigger Boat (darkreading.com)
How to implement least privilege access in the cloud | TechTarget
Hybrid/Remote Working
Encryption
WhatsApp raises threat of UK shutdown in encryption row (telegraph.co.uk)
Governments want to avert quantum's encryption apocalypse (axios.com)
API
Open Source
Ping of death! FreeBSD fixes crashtastic bug in network tool – Naked Security (sophos.com)
Research reveals where 95% of open source vulnerabilities lie - Help Net Security
Critical Ping Vulnerability Allows Remote Attackers to Take Over FreeBSD Systems (thehackernews.com)
Passwords, Credential Stuffing & Brute Force Attacks
Social Media
Taiwan bans state-owned devices from running TikTok • The Register
Critical Vulnerabilities Force Twitter Alternative Hive Social Offline | SecurityWeek.Com
Does Hive's Security Problem Make It Unsafe to Use? (lifehacker.com)
Elon Musk "Freedom Giveaway" crypto scam promoted via Twitter lists (bleepingcomputer.com)
US States label TikTok a malicious and menacing threat • The Register
Training, Education and Awareness
Engage your employees with better cyber security training - Help Net Security
Lack of Cyber security Expertise Poses Threat for Public-Safety Orgs (darkreading.com)
4 cyber security predictions for 2023 --- SANS analysts look ahead | VentureBeat
Parental Controls and Child Safety
Regulations, Fines and Legislation
UK finalises plans for regulation of ‘wild west’ crypto sector | Financial Times (ft.com)
What Stricter Data Privacy Laws Mean for Your Cyber security Policies (thehackernews.com)
Governance, Risk and Compliance
Cyber security Risk Management In The Real World - Information Security Buzz
Economic uncertainty will greatly impact the spread of cyber crime - Help Net Security
Models, Frameworks and Standards
Understanding NIST CSF to assess your organisation's Ransomware readiness (thehackernews.com)
PCI Secure Software Standard 1.2 released - Help Net Security
How compliance leaders can encourage employees to report misconduct - Help Net Security
The changing role of the MITRE ATT@CK framework | CSO Online
Don't Wait to Become CMMC Compliant - Information Security Buzz
Three Ways to Improve Defence Readiness Using MITRE D3FEND | SecurityWeek.Com
Data Protection
Remote workers losing laptops are bigger threat to companies than hackers (telegraph.co.uk)
How companies time data leak disclosures - Help Net Security
What Stricter Data Privacy Laws Mean for Your Cyber security Policies (thehackernews.com)
Careers, Working in Cyber and Information Security
Law Enforcement Action and Take Downs
Suspects arrested for hacking US networks to steal employee data (bleepingcomputer.com)
Australia arrests 'Pig Butchering' suspects for stealing $100 million (bleepingcomputer.com)
Privacy, Surveillance and Mass Monitoring
Apple Faces Critics Over Its Privacy Policies | SecurityWeek.Com
Privacy changes set Apple at odds with UK government over online safety bill | Apple | The Guardian
Apple announces new security and privacy measures amid surge in cyber-attacks | Apple | The Guardian
Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine
NATO Readies for Cyber War: Simulation Shows Unified Front Against Attack - MSSP Alert
Microsoft warns of Russian cyber attacks throughout the winter (bleepingcomputer.com)
Microsoft warning after DDoS attack disrupts Russian bank • The Register
Russian Espionage APT Callisto Focuses on Ukraine War Support Organisations | SecurityWeek.Com
Russian Actors Use Compromised Healthcare Networks Against Ukrainian Orgs (darkreading.com)
Security Firms Aiding Ukraine During War Could Be Considered Participants in Conflict (substack.com)
Nation State Actors
Nation State Actors – Russia
Microsoft encourages 'strong cyber hygiene' in light of increasing Russian cyber attacks | PC Gamer
Russian Hackers Spotted Targeting US Military Weapons and Hardware Supplier (thehackernews.com)
The surprising ineffectiveness of Russia’s cyber-war | The Economist
Nation State Actors – China
Chinese Hackers Target Middle East Telecoms in Latest Cyber Attacks (thehackernews.com)
Chinese hackers stole millions worth of US COVID relief money, Secret Service says | Reuters
Amnesty International Canada breached by suspected Chinese hackers (bleepingcomputer.com)
China Operates More Than 100 Secret 'Police Stations' Globally: Report (businessinsider.com)
US Congress rolls back proposal to restrict use of Chinese chips | Computerworld
Nation State Actors – North Korea
North Korean tech freelancers' earnings fund nukes, missiles • The Register
North Korean Hackers Spread AppleJesus Malware Disguised as Cryptocurrency Apps (thehackernews.com)
Google Documents IE Browser Zero-Day Exploited by North Korean Hackers | SecurityWeek.Com
APT37 Uses Internet Explorer Zero-Day to Spread Malware (darkreading.com)
Google: State hackers still exploiting Internet Explorer zero-days (bleepingcomputer.com)
North Korean Lazarus Group Linked to New Cryptocurrency Hacking Scheme – Security Bitcoin News
Nation State Actors – Iran
Vulnerabilities
Attackers take over expired domain to deliver web skimming scripts - Help Net Security
Google discovers Windows exploit framework used to deploy spyware (bleepingcomputer.com)
Cisco discloses high-severity IP phone bug with exploit code (bleepingcomputer.com)
Google Chrome emergency update fixes 9th zero-day of the year (bleepingcomputer.com)
Google Documents IE Browser Zero-Day Exploited by North Korean Hackers | SecurityWeek.Com
For Cyber attackers, Popular EDR Tools Can Turn into Destructive Data Wipers (darkreading.com)
A new Linux flaw can be chained with other two bugs to gain full root privileges - Security Affairs
Self-Propagating 'Zerobot' Botnet Targeting Spring4Shell, IoT Vulnerabilities | SecurityWeek.Com
Google Chrome Flaw Added to CISA Patch List (darkreading.com)
Fortinet Patches High-Severity Authentication Bypass Vulnerability in FortiOS | SecurityWeek.Com
Research reveals where 95% of open source vulnerabilities lie - Help Net Security
Critical Ping Vulnerability Allows Remote Attackers to Take Over FreeBSD Systems (thehackernews.com)
Google: State hackers still exploiting Internet Explorer zero-days (bleepingcomputer.com)
APT37 Uses Internet Explorer Zero-Day to Spread Malware (darkreading.com)
WAFs of Several Major Vendors Bypassed With Generic Attack Method | SecurityWeek.Com
Google Chrome zero-day exploited in the wild (CVE-2022-4262) - Help Net Security
Sophos fixed a critical flaw in its Sophos Firewall version 19.5 - Security Affairs
Tools and Controls
Security pros feel threat detection and response workloads have increased - Help Net Security
Single Sign-on: It's Only as Good as Your Ability to Use It (darkreading.com)
Leveraging the full potential of zero trust - Help Net Security
Understanding malware analysis and its challenges | TechTarget
Using XDR to Consolidate and Optimize Cyber security Technology (thehackernews.com)
Reports Published in the Last Week
Other News
Over 4,000 Vulnerable Pulse Connect Secure Hosts Exposed to Internet | SecurityWeek.Com
Where Advanced Cyber attackers Are Heading Next: Disruptive Hits, New Tech (darkreading.com)
43 Trillion Security Data Points Illuminate Our Most Pressing Threats (darkreading.com)
7 reasons why you must embed trust into the core of your business - Help Net Security
Risky online behaviour ‘almost normalised’ among young people, says study | Internet | The Guardian
Top 7 factors boosting enterprise cyber security resilience - Help Net Security
Machine Learning Models: A Dangerous New Attack Vector (darkreading.com)
Consumers want convenience without sacrificing security - Help Net Security
4 cyber security predictions for 2023 --- SANS analysts look ahead | VentureBeat
3 of the Worst Data Breaches in the World That Could Have Been Prevented - Security Affairs
Removing the Barriers to Security Automation Implementation | SecurityWeek.Com
Cyber security Should Focus on Managing Risk (darkreading.com)
Deal with sophisticated bot attacks: Learn, adapt, improve - Help Net Security
Want to detect Cobalt Strike? Look to process memory • The Register
Sector Specific
Industry specific threat intelligence reports are available.
Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.
· Automotive
· Construction
· Critical National Infrastructure (CNI)
· Defence & Space
· Education & Academia
· Energy & Utilities
· Estate Agencies
· Financial Services
· FinTech
· Food & Agriculture
· Gaming & Gambling
· Government & Public Sector (including Law Enforcement)
· Health/Medical/Pharma
· Hotels & Hospitality
· Insurance
· Legal
· Manufacturing
· Maritime
· Oil, Gas & Mining
· OT, ICS, IIoT, SCADA & Cyber-Physical Systems
· Retail & eCommerce
· Small and Medium Sized Businesses (SMBs)
· Startups
· Telecoms
· Third Sector & Charities
· Transport & Aviation
· Web3
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Threat Briefing 21 October 2022
Black Arrow Cyber Threat Briefing 21 October 2022:
-Gen Z, Millennials Really Doesn't Care About Workplace Cyber Security
-Supply Chain Attacks Increased Over 600% This Year and Companies Are Falling Behind
-Cyber-Enabled Crimes Are Biggest Police Concerns
-List of Common Passwords Accounts for Nearly All Cyber Attacks
-Shared Responsibility or Shared Fate? Decentralized IT Means We Are All Cyber Defenders
-Ukraine War Cuts Ransomware as Kremlin Co-Opts Hackers
-96% Of Companies Report Insufficient Security for Sensitive Cloud Data
-Your Microsoft Exchange Server Is a Security Liability
-Are Cyber Security Vendors Pushing Snake Oil?
-Ransomware Preparedness, What Are You Doing Wrong?
-NSA Cybersecurity Director's Six Takeaways from the War in Ukraine
-Microsoft Confirms Server Misconfiguration Led to 65,000+ Companies' Data Leak
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
Gen Z, Millennials Really Don’t Care About Workplace Cyber Security
When it comes to cyber security in the workplace, younger employees don’t really seem to care that much, which is putting their organisations in serious harm’s way, new research has claimed.
Surveying approximately 1,000 workers using devices issued by their employers, professional services firm EY found Gen Z enterprise employees were more apathetic about cyber security than their Boomer counterparts in adhering to their employer's safety policies.
This is despite the fact that four in five (83%) of all those surveyed claimed to understand their employer’s security protocol.
When it comes to implementing mandatory IT updates, for example, 58% of Gen Z’ers and 42% of millennials would disregard them for as long as possible. Less than a third (31%) of Gen X’ers, and just 15% of baby boomers said they do the same.
Apathy in the young extends to password reuse between private and business accounts. A third of Gen Z and millennial workers surveyed admitted to this, compared to less than a quarter of all Gen X’ers and baby boomers.
Some say the apathy of young people towards technology is down to their over-familiarity with technology, and never having been without it. Being too comfortable with tech undoubtedly makes an enterprise's younger employees a major target for cyber criminals looking to exploit any hole in security.
If an organisation's cyber security practices aren't upheld strongly, threat actors can compromise huge networks with simple social engineering attacks.
https://www.techradar.com/news/younger-workers-dont-care-about-workplace-cybersecurity
Supply Chain Attacks Increased Over 600% This Year and Companies Are Falling Behind
The number of documented supply chain attacks involving malicious third-party components has increased 633% over the past year, now sitting at over 88,000 known instances, according to a new report from software supply chain management company Sonatype. Meanwhile, instances of transitive vulnerabilities that software components inherit from their own dependencies have also reached unprecedented levels and plague two-thirds of open-source libraries.
“The networked nature of dependencies highlights the importance of having visibility and awareness about these complex supply chains” Sonatype said in its newly released State of the Software Supply Chain report. “These dependencies impact our software, so having an understanding of their origins is critical to vulnerability response. Many organisations did not have the needed visibility and continued their incident response procedures for Log4Shell well beyond the summer of 2022 as a result.”
Log4Shell is a critical vulnerability discovered in November 2021 in Log4j, a widely popular open-source Java library used for logging and bundled in millions of enterprise applications and software products, often as an indirect dependency. According to Sonatype’s monitoring, as of August 2022, the adoption rate for fixed versions of Log4j sits at around 65%. Moreover, this doesn’t even account for the fact that the Log4Shell vulnerability originated in a Java class called JndiManager that is part of Log4j-core, but which has also been borrowed by 783 other projects and is now found in over 19,000 software components.
Log4Shell served as a watershed moment, highlighting the inherent risks that exist in the open-source software ecosystem – which sits at the core of modern software development – and the need to manage them properly. It also led to several initiatives to secure the software supply chain by private organisations, software repository managers, the Linux Foundation, and government bodies. Yet, most organisations are far from where they need to be in terms of open-source supply chain management.
Cyber-Enabled Crimes Are Biggest Police Concerns
Cyber-related crimes such as money laundering, ransomware and phishing pose the biggest threat to society, according to the first ever Interpol Global Crime Trend report.
The inaugural study was compiled from data received from the policing organisation’s 195 member countries, as well as information and analysis from external sources.
Money laundering was ranked the number one threat, with 67% of respondents claiming it to be a “high” or “very high” risk. Ransomware came second (66%) but was the crime type that most (72%) expected to increase in the next 3–5 years.
Of the nine top crime trends identified in the report, six are directly cyber-enabled, including money laundering, ransomware, phishing, financial fraud, computer intrusion and child sexual exploitation.
Interpol warned that the pandemic had fomented new underground offerings like “financial crime-as-a-service,” including digital money laundering tools which help to lower the barrier to entry for criminal gangs. It also claimed that demand for online child sexual exploitation and abuse (OCSEA) content surged during the pandemic. Some 62% of respondents expect it to increase or significantly increase in the coming years.
The findings represent something of a turnaround from pre-pandemic times, when drug trafficking regularly topped the list of police concerns. Thanks to a surge in corporate digitalisation, home working and online shopping, there are now rich pickings to be had from targeting consumers and business users with cyber-scams and attacks, Interpol claimed.
https://www.infosecurity-magazine.com/news/cyberenabled-crimes-are-biggest/
List of Common Passwords Accounts for Nearly All Cyber Attacks
Half of a million passwords from the RockYou2021 list account for 99.997% of all credential attacks against a variety of honeypots, suggesting attackers are just taking the easy road.
Tens of millions of credential-based attacks targeting two common types of servers boiled down to a small fraction of the passwords that formed a list of leaked credentials, known as the RockYou2021 list.
Vulnerability management firm Rapid7, via its network of honeypots, recorded every attempt to compromise those servers over a 12-month period, finding that the attempted credential attacks resulted in 512,000 permutations. Almost all of those passwords (99.997%) are included in a common password list — the RockYou2021 file, which has 8.4 billion entries — suggesting that attackers, or the subset of threat actors attacking Rapid7's honeypots, are sticking to a common playbook.
The overlap in all the attacks also suggest attackers are taking the easy road, said Rapid7. "We know now, in a provable and demonstrable way, that nobody — 0% of attackers — is trying to be creative when it comes to unfocused, untargeted attacks across the Internet," they said. "Therefore, it's very easy to avoid this kind of opportunistic attack, and it takes very little effort to take this threat off the table entirely, with modern password managers and configuration controls."
Every year, security firms present research suggesting users are continuing to pick bad passwords. In 2019, an evaluation of passwords leaked to the Internet found that the top password was "123456," followed by "123456789" and "qwerty," and unfortunately things have not got much better since then.
https://www.darkreading.com/endpoint/a-common-password-list-accounts-for-nearly-all-cyberattacks
Shared Responsibility or Shared Fate? Decentralised IT Means We Are All Cyber Defenders
Does your organisation truly understand the shared responsibility model? Shared responsibility emerged from the early days of cloud computing as a way to delineate responsibilities between cloud providers and their customers, but often there's a gap between what shared responsibility means and how it is interpreted. With the decentralisation of IT, this gap is getting worse.
Applications, servers, and overall technology used to be under the purview and control of the IT department, yet with the shift to cloud, and specifically software-as-a-service (SaaS), this dynamic has changed. Whether it's the sales team bringing in a customer relationship management (CRM) system like Salesforce, or the HR department operating a human resources information system (HRIS) like Workday, there's a clear "expanding universe" of IT that no longer sits where it used to. Critical business workflows exist in separate business units far from IT and security and are managed as such. Our corporate IT footprints have become decentralised.
This is not some minor, temporary trend. With the ease and speed of adopting new SaaS applications and the desire to "lift and shift" code into cloud-based environments, this is the future. The future is decentralised.
The shift to business-owned and -operated applications puts security teams in a position where risk management is their responsibility; they are not even able to log into some of these critical systems. It's like asking your doctor to keep you healthy but not giving her access to your information or having regular check-ups. It doesn't work that way.
Beyond the challenging human skills gap, there's technical entropy and diversity everywhere, with different configuration settings, event logs, threat vectors, and data sensitivities. On the access side, there are different admins, users, integrations, and APIs. If you think managing security on Windows and Mac is a lot, try it across many huge applications.
With this reality, how can the security team be expected to combat a growing amount of decentralised business technology risk?
We must operate our technology with the understanding that shared responsibility is the vertical view between cloud provider and customer, but that enterprise-owned piece of shared responsibility is the burden of multiple teams horizontally across an organisation. Too often the mentality is us versus them, availability versus security, too busy to care about risk, too concerned with risk to understand "the business."
Ukraine War Cuts Ransomware as Kremlin Co-Opts Hackers
The Ukraine war has helped reduce global ransomware attacks by 10pc in the last few months, a British cyber security company has said.
Criminal hacking gangs, usually engaged in corporate ransomware activities, are increasingly being co-opted by the Russian military to launch cyber attacks on Ukraine, according to Digital Shadows. “The war is likely to continue to motivate ransomware actors to target government and critical infrastructure entities,” according to the firm. Such attacks partly contributed to a 10pc drop in the number of ransomware threats launched during the three months to September, said the London-based company.
The drop in ransomware may also partly be caused by tit-for-tat digital attacks between rival hacking gangs. Researchers said the Lockbit gang, who recently targeted LSE-listed car retailer Pendragon with a $60m (£53.85m) ransom demand, were the target of attacks from their underworld rivals. The group is increasingly inviting resentment from competing threat groups and possibly former members.
Some cyber criminals’ servers went offline in September after what appeared to be an attack from competitors. In the world of cyber criminality, it is not uncommon for tensions to flare among rival groups.
Officials from GCHQ’s National Cyber Security Centre have said ransomware is one of the biggest cyber threats facing the UK. Figures published by the Department for Digital, Culture, Media and Sport this year revealed the average costs to businesses caused by ransomware attacks is around £19,000 per incident.
US-based cyber security company Palo Alto Networks, however, warned that the average ransom payment it saw in the early part of this year was $925,000 (£829,000).
https://www.telegraph.co.uk/business/2022/10/23/ukraine-war-cuts-ransomware-kremlin-co-opts-hackers/
96% Of Companies Report Insufficient Security for Sensitive Cloud Data
The vast majority of organisations lack confidence in securing their data in cloud, while many companies acknowledge they lack sufficient security even for their most sensitive data, according to a new report by the Cloud Security Alliance (CSA).
The CSA report surveyed 1,663 IT and security professionals from organisations of various sizes and in various locations. "Only 4% report sufficient security for 100% of their data in the cloud. This means that 96% of organisations have insufficient security for at least some of their sensitive data," according to the report, which was sponsored by data intelligence firm BigID.
Apart from struggling with securing sensitive data, organisations are also having trouble tracking data in the cloud. Over a quarter of organisations polled aren’t tracking regulated data, nearly a third aren’t tracking confidential or internal data, and 45% aren’t tracking unclassified data, the report said.
“This suggests that organisations’ current methods of classifying data aren’t sufficient for their needs. However, if the tracking is this low, it could be a contributing factor to the issue of dark data. Organisations need to utilise data discovery and classification tools to properly understand the data they have and how to protect it,” the CSA study noted.
Your Microsoft Exchange Server Is a Security Liability
With endless vulnerabilities, widespread hacking campaigns, slow and technically tough patching, it's time to say goodbye to on-premise Exchange.
Once, reasonable people who cared about security, privacy, and reliability ran their own email servers. Today, the vast majority host their personal email in the cloud, handing off that substantial burden to the capable security and engineering teams at companies like Google and Microsoft. Now, cyber security experts argue that a similar switch is due - or long overdue - for corporate and government networks. For enterprises that use on-premise Microsoft Exchange, still running their own email machine somewhere in a closet or data centre, the time has come to move to a cloud service, if only to avoid the years-long plague of bugs in Exchange servers that has made it nearly impossible to keep determined hackers out.
The latest reminder of that struggle arrived earlier this week, when Taiwanese security researcher Orange Tsai published a blog post laying out the details of a security vulnerability in Microsoft Exchange. Tsai warned Microsoft about this vulnerability as early as June of 2021, and while the company responded by releasing some partial fixes, it took Microsoft 14 months to fully resolve the underlying security problem. Tsai had earlier reported a related vulnerability in Exchange that was massively exploited by a group of Chinese state-sponsored hackers known as Hafnium, which last year penetrated more than 30,000 targets by some counts. Yet according to the timeline described in Tsai’s post this week, Microsoft repeatedly delayed fixing the newer variation of that same vulnerability, assuring Tsai no fewer than four times that it would patch the bug before pushing off a full patch for months longer. When Microsoft finally released a fix, Tsai wrote, it still required manual activation and lacked any documentation for four more months.
Meanwhile, another pair of actively exploited vulnerabilities in Exchange that were revealed last month still remain unpatched after researchers showed that Microsoft’s initial attempts to fix the flaws had failed. Those vulnerabilities were just the latest in a years-long pattern of security bugs in Exchange’s code. And even when Microsoft does release Exchange patches, they’re often not widely implemented, due to the time-consuming technical process of installing them.
The result of those compounding problems, for many who have watched the hacker-induced headaches of running an Exchange server pile up, is a clear message: An Exchange server is itself a security vulnerability, and the fix is to get rid of it.
“You need to move off of on-premise Exchange forever. That’s the bottom line,” says Dustin Childs, the head of threat awareness at security firm Trend Micro’s Zero Day Initiative (ZDI), which pays researchers for finding and reporting vulnerabilities in commonly used software and runs the Pwn2Own hacking competition. “You’re not getting the support, as far as security fixes, that you would expect from a really mission-critical component of your infrastructure.”
https://www.wired.com/story/microsoft-exchange-server-vulnerabilities/
Are Cyber Security Vendors Pushing Snake Oil?
Survey: 96 percent of cyber security decision makers confused by vendor marketing.
The availability of new security products increases, the amount of budget spent on cyber security grows, and the number of security breaches seems to outpace both. This basic lack of correlation between increasing cyber security spend and any clear increase in cyber security effectiveness is the subject of a new analytical survey from Egress.
With 52 million data breaches in Q2 2022 alone (Statista), Egress questioned 800 cyber security and IT leaders on why vendor claims and reality aren’t aligned. The headline response in the survey is that 91% of decision makers have difficulty in selecting cyber security vendors due to unclear marketing about their specific offerings.
The financial investment cycle doesn’t help in this. For many investors, the strength of the management team is more important than the product. The argument is not whether this product is a cyber security silver bullet, but whether this management can take the company to a point where it can exit with serious profits.
If investment is achieved, much of it will go into marketing. That marketing must compete against existing, established vendors – so it tends to be louder, more aggressive, and replete with hyperbole. Marketing noise can lead to increased valuation, which can lead to a successful and profitable exit by the investors.
Of course, this is an oversimplification and doesn’t always happen. The point, however, is that it does happen and has no relevance to the real effectiveness of the product in question. Without any doubt, there are many products that have been over-hyped by marketing funds provided by profit-driven investors.
https://www.securityweek.com/are-cybersecurity-vendors-pushing-snake-oil
Ransomware Preparedness: What Are You Doing Wrong?
Axio released its 2022 State of Ransomware Preparedness research report, revealing that although notable improvements have been made since Axio’s 2021 report, organisational ransomware preparedness continues to be insufficient to keep pace with new attack vectors.
The report reveals that the lack of fundamental cyber security practices and controls, including critical vulnerability patching and employee cyber security training, continues to undermine organisational attempts to improve ransomware defences.
“Ransomware continues to wreak havoc on global organisations, regardless of size or industry,” remarked the report’s co-author David White, President of Axio. “As the number of attacks will most likely continue on an exponential trajectory, it’s more important than ever for companies to re-evaluate their cyber security practices and make the needed improvements to help combat these attacks.”
The report identifies several emerging patterns that yield insights into why organisations are increasingly susceptible to ransomware attacks. In 2021, seven key areas where organisations were deficient in implementing and sustaining basic cyber security practices were identified, and these patterns dominated the 2022 study results as well:
Managing privileged access
Improving basic cyber hygiene
Reducing exposure to supply chain and third-party risk
Monitoring and defending networks
Managing ransomware incidents
Identifying and addressing vulnerabilities in a timely manner
Improving cyber security training and awareness
Overall, most organisations surveyed are not adequately prepared to manage the risk associated with a ransomware attack. Key data findings include:
The number of organisations with a functional privileged access management solution in place increased by 10% but remains low at 33% overall.
Limitations on the use of service and local administrator accounts remain average overall, with nearly 50% of organisations reporting implementing these practices.
Approximately 40% of organisations monitor third-party network access, evaluate third-party cyber security posture, and limit the use of third-party software.
Less than 50% of respondents implement basic network segmentation and only 40% monitor for anomalous connections.
Critical vulnerability patching within 24 hours was reported by only 24% of organisations.
A ransomware-specific playbook for incident management is in place for only 30% of organisations.
Active phishing training has improved but is still not practiced by 40% of organisations.
https://www.helpnetsecurity.com/2022/10/20/insufficient-ransomware-preparedness/
NSA Cybersecurity Director's Six Takeaways from the War in Ukraine
From the warning banner ‘Be afraid and expect the worst’ that was shown on several Ukrainian government websites on January 13, 2022, after a cyber-attack took them down, the US National Security Agency’s (NSA) cybersecurity director, Rob Joyce, knew that something was going to be different, and very aggressive, between Ukraine and Russia, and that it would be happening in the cyber space as well.
Ten months on, he was invited to speak at one of Mandiant Worldwide Information Security Exchange's (mWISE) opening keynotes on October 18, 2022. Joyce shared six takeaways from the Russia-Ukraine cyber-conflict in terms of what we learned from it and its impact on how nations should protect their organisations.
Both espionage and destructive attacks will occur in conflict
The cyber security industry has unique insight into these conflicts
Sensitive intelligence can make a decisive difference
You can develop resiliency skills
Don’t try to go it alone
You have not planned enough yet for the contingencies
Toward the end of the keynote, Joyce suggested the audience simulate a scenario based on what happened in Ukraine with the China-Taiwan conflict escalating and see what they should put in place to better prepare for such an event.
https://www.infosecurity-magazine.com/news/nsa-6-takeaways-war-ukraine/
Microsoft Confirms Server Misconfiguration Led to 65,000+ Companies' Data Leak
Microsoft this week confirmed that it inadvertently exposed information related to thousands of customers following a security lapse that left an endpoint publicly accessible over the internet sans any authentication.
"This misconfiguration resulted in the potential for unauthenticated access to some business transaction data corresponding to interactions between Microsoft and prospective customers, such as the planning or potential implementation and provisioning of Microsoft services," Microsoft said in an alert.
Microsoft also emphasised that the B2B leak was "caused by an unintentional misconfiguration on an endpoint that is not in use across the Microsoft ecosystem and was not the result of a security vulnerability."
The misconfiguration of the Azure Blob Storage was spotted on September 24, 2022, by cyber security company SOCRadar, which termed the leak BlueBleed. Microsoft said it's in the process of directly notifying impacted customers.
The Windows maker did not reveal the scale of the data leak, but according to SOCRadar, it affects more than 65,000 entities in 111 countries. The exposure amounts to 2.4 terabytes of data that consists of invoices, product orders, signed customer documents, partner ecosystem details, among others.
https://thehackernews.com/2022/10/microsoft-confirms-server.html
Threats
Ransomware and Extortion
Сryptocurrency and Ransomware — The Ultimate Friendship (thehackernews.com)
Venus Ransomware targets publicly exposed Remote Desktop services (bleepingcomputer.com)
Pendragon being held to $60m ransom by dark web hackers – Car Dealer Magazine
Magniber Ransomware Is Targeting Home PC (informationsecuritybuzz.com)
Hackers exploit critical VMware flaw to drop ransomware, miners (bleepingcomputer.com)
Ransomware Now Deployed as a Precursor to Physical War - MSSP Alert
TommyLeaks and SchoolBoys: Two sides of the same ransomware gang (bleepingcomputer.com)
With Conti gone, LockBit takes lead of the ransomware threat landscape | CSO Online
Tactics Tie Ransom Cartel Group to Defunct REvil Ransomware (darkreading.com)
Wholesale giant METRO hit by IT outage after cyber attack (bleepingcomputer.com)
The link between Ransom Cartel and REvil ransomware gangs - Security Affairs
How Vice Society Got Away With a Global Ransomware Spree | WIRED
Defenders beware: A case for post-ransomware investigations - Microsoft Security Blog
Ransomware crews regrouping as LockBit rise continues (computerweekly.com)
Ransom Cartel linked to notorious REvil ransomware operation (bleepingcomputer.com)
Hackney Council Ransomware Attack £12m+ Recovery - IT Security Guru
Microsoft Warns of Novel Ransomware Attacking Ukraine, Poland - MSSP Alert
Prestige ransomware hits victims of HermeticWiper • The Register
New ransomware targets transportation sectors in Ukraine, Poland | SC Media (scmagazine.com)
Japanese tech firm Oomiya hit by LockBit 3.0 - Security Affairs
Ransomware attack halts circulation of some German newspapers (bleepingcomputer.com)
Ransomware Insurance Security Requirement Strategies (trendmicro.com)
Australian insurance firm Medibank confirms ransomware attack (bleepingcomputer.com)
BlackByte ransomware uses new data theft tool for double-extortion (bleepingcomputer.com)
Phishing & Email Based Attacks
Phishing works so well crims won't use deepfakes: Sophos • The Register
Phishing Mitigation Can Cost Businesses More Than $1M Annually (darkreading.com)
Securing your organisation against phishing can cost up to $85 per email | CSO Online
How phishing campaigns abuse Google Ad click tracking redirects - Help Net Security
Other Social Engineering; Smishing, Vishing, etc
Malware
VMware bug with 9.8 severity rating exploited to install witch’s brew of malware | Ars Technica
Microsoft’s out-of-date driver list left Windows PCs open to malware attacks for years - The Verge
Ursnif malware switches from bank account theft to initial access (bleepingcomputer.com)
Experts spotted a new undetectable PowerShell Backdoor - Security Affairs
Typosquat campaign mimics 27 brands to push Windows, Android malware (bleepingcomputer.com)
Thousands of GitHub repositories deliver fake PoC exploits with malware (bleepingcomputer.com)
Hackers use new stealthy PowerShell backdoor to target 60+ victims (bleepingcomputer.com)
Hijacking of Popular Minecraft Launcher by Rogue Developer Raises Malware Fears - IGN
URSNIF (aka Gozi) banking trojan morphs into backdoor • The Register
What is a RAT (Remote Access Trojan)? | Definition from TechTarget
Mobile
Internet of Things – IoT
Riskiest IoT Devices - Cameras, VoIP And Video Conferencing (informationsecuritybuzz.com)
Securing IoT devices against attacks that target critical infrastructure - Microsoft Security Blog
74% say connected cars and EV chargers need cyber security ratings | Ars Technica
Data Breaches/Leaks
The companies most likely to lose your data - Help Net Security
Fines are not enough! Data breach victims want better security - Help Net Security
Medibank hack turned into a data breach: The attackers are demanding money - Help Net Security
Mormon Church Hit By Cyber attack, Personal Data Exposed (informationsecuritybuzz.com)
Keystone Health Data Breach Impacts 235,000 Patients | SecurityWeek.Com
Fashion brand SHEIN fined $1.9m for lying about data breach – Naked Security (sophos.com)
Client Data Exfiltrated In Advanced NHS cyber Attack (informationsecuritybuzz.com)
Australian Wine Dealer Suffers Data Breach, 500,000 Customers May Be (informationsecuritybuzz.com)
Advocate Aurora Health in potential 3 million patient leak • The Register
Organised Crime & Criminal Actors
Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain
Why Crypto Winter is No Excuse to Let Your Cyber Defences Falter (thehackernews.com)
North Korea’s Lazarus Group Attacks Japanese Crypto Firms - Decrypt
Coinbase users scammed out of $21M in crypto sue company for negligence | Ars Technica
SIM Swappers Sentenced to Prison for Hacking Accounts, Stealing Cryptocurrency | SecurityWeek.Com
Fraud, Scams & Financial Crime
Financial losses to synthetic identity-based fraud to double by 2024 | CSO Online
AI is Key to Tackling Money Mules and Disrupting Fraud: Industry Group | SecurityWeek.Com
Deepfakes
Deepfakes: What they are and how to spot them - Help Net Security
Phishing works so well crims won't use deepfakes: Sophos • The Register
Insurance
Supply Chain and Third Parties
Software Supply Chain
Software Supply Chain Attacks Soar 742% In Three Years (informationsecuritybuzz.com)
SBOMs: An Overhyped Concept That Won't Secure Your Software Supply Chain (darkreading.com)
Denial of Service DoS/DDoS
Cloud/SaaS
Microsoft Data-Exposure Incident Highlights Risk of Cloud Storage Misconfiguration (darkreading.com)
3 cloud security posture questions CISOs should answer (techtarget.com)
Attack Surface Management
Identity and Access Management
Encryption
API
Open Source
New security concerns for the open-source software supply chain - Help Net Security
Python vulnerability highlights open source security woes (techtarget.com)
3 Ways to Help Customers Defend Against Linux-Based Cyber attacks - MSSP Alert
OldGremlin hackers use Linux ransomware to attack Russian orgs (bleepingcomputer.com)
Passwords, Credential Stuffing & Brute Force Attacks
Most People Still Reuse Their Passwords Despite Years Of Hacking (informationsecuritybuzz.com)
Password Report: Honeypot Data Shows Bot Attack Trends Against RDP, SSH | SecurityWeek.Com
Eight RTX 4090s Can Break Passwords in Under an Hour | Tom's Hardware (tomshardware.com)
Training, Education and Awareness
Security Awareness Urged to Grow Beyond Compliance (darkreading.com)
Raising cyber security awareness is good for everyone - but it needs to be done better | ZDNET
Millennials, Gen Z blamed for poor company security • The Register
Privacy, Surveillance and Mass Monitoring
Regulations, Fines and Legislation
Fines are not enough! Data breach victims want better security - Help Net Security
Fashion brand SHEIN fined $1.9m for lying about data breach – Naked Security (sophos.com)
New York fines EyeMed $4.5 million for 2020 email hack, data breach | SC Media (scmagazine.com)
Health insurer pays out $4.5m over bungled data security • The Register
Law Enforcement Action and Take Downs
INTERPOL-led Operation Takes Down 'Black Axe' Cyber Crime Organisation (thehackernews.com)
Law enforcement arrested 31 suspects for stealing cars by hacking key fobs - Security Affairs
Interpol is setting up its own metaverse to learn how to police the virtual world | Euronews
Brazilian Police Nab Suspected Member of Lapsus$ Group (darkreading.com)
Interpol Report: "Financial Crime-as-a-Service" an Emerging Threat - MSSP Alert
Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine
Ransomware Now Deployed as a Precursor to Physical War - MSSP Alert
US, China, Russia, more meet at Singapore infosec event • The Register
NSA cyber chief says Ukraine war is compelling more intelligence sharing with industry - CyberScoop
China-Linked Cyber-Espionage Team Homes In on Hong Kong Government Orgs (darkreading.com)
Microsoft Warns of Novel Ransomware Attacking Ukraine, Poland - MSSP Alert
Hackers target Asian casinos in lengthy cyber espionage campaign (bleepingcomputer.com)
Prestige ransomware hits victims of HermeticWiper • The Register
Pro-Russia Hackers DDoS Bulgarian Government - Infosecurity Magazine (infosecurity-magazine.com)
Nation State Actors
Nation State Actors – Russia
Ukraine's cyber chief calls for global anti-fake news fight • The Register
German Cyber security Boss Sacked Over Kremlin Connection (darkreading.com)
New ransomware targets transportation sectors in Ukraine, Poland | SC Media (scmagazine.com)
Bulgaria hit by a cyber attack originating from Russia - Security Affairs
Nation State Actors – China
As China-Taiwan tensions mount, how's your cyber defence? • The Register
Chinese 'Spyder Loader' Malware Spotted Targeting Organisations in Hong Kong (thehackernews.com)
Hackers compromised Hong Kong govt agency network for a year (bleepingcomputer.com)
WIP19 Threat Group Cyber attacks Target IT Service Providers, Telcos - MSSP Alert
Nation State Actors – North Korea
Nation State Actors – Iran
Vulnerability Management
Vulnerabilities
45,654 VMware ESXi servers reached End of Life on Oct. 15 - Security Affairs
VMware bug with 9.8 severity rating exploited to install witch’s brew of malware | Ars Technica
Text message verification flaws in your Windows Active Directory (bleepingcomputer.com)
Apache Commons Vulnerability: Patch but Don't Panic (darkreading.com)
Zoom for Mac patches sneaky “spy-on-me” bug – update now! – Naked Security (sophos.com)
ProxyLogon researcher details new Exchange Server flaws (techtarget.com)
Exploited Windows zero-day lets JavaScript files bypass security warnings (bleepingcomputer.com)
Dozen High-Severity Vulnerabilities Patched in F5 Products | SecurityWeek.Com
Oracle Releases 370 New Security Patches With October 2022 CPU | SecurityWeek.Com
Palo Alto Networks fixed a high-severity flaw in PAN-OS - Security Affairs
Hackers exploit critical VMware flaw to drop ransomware, miners (bleepingcomputer.com)
Zimbra Patches Under-Attack Code Execution Bug | SecurityWeek.Com
WordPress Security Update 6.0.3 Patches 16 Vulnerabilities | SecurityWeek.Com
Python vulnerability highlights open source security woes (techtarget.com)
Other News
Zero trust is misused in security, say Cloudflare, Zscaler - Protocol
Cyber professional shortfall hits 3.4 million (computerweekly.com)
VPN use prevails despite interest in VPN alternatives (techtarget.com)
JP Morgan Bans Staff From Working Remotely In Hotels and Coffee Shops-But Not Airbnbs | Inc.com
Experts discovered millions of .git folders exposed to public - Security Affairs
Microsoft Defender is lacking in offline detection capabilities, says AV-Comparatives | TechSpot
Internet connectivity worldwide impacted by severed fiber cables in France (bleepingcomputer.com)
UK's Remote Shetland Mysteriously Lose Phone, Internet After Cable Cut (businessinsider.com)
CISOs, rejoice! Security spending is increasing - Help Net Security
Equifax surveilled 1,000 remote workers, fired 24 found juggling two jobs | Ars Technica
NATO Just Deployed Its First Killer Ground Robot (futurism.com)
Sector Specific
Industry specific threat intelligence reports are available.
Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.
· Automotive
· Construction
· Critical National Infrastructure (CNI)
· Defence & Space
· Education & Academia
· Energy & Utilities
· Estate Agencies
· Financial Services
· FinTech
· Food & Agriculture
· Gaming & Gambling
· Government & Public Sector (including Law Enforcement)
· Health/Medical/Pharma
· Hotels & Hospitality
· Insurance
· Legal
· Manufacturing
· Maritime
· Oil, Gas & Mining
· OT, ICS, IIoT, SCADA & Cyber-Physical Systems
· Retail & eCommerce
· Small and Medium Sized Businesses (SMBs)
· Startups
· Telecoms
· Third Sector & Charities
· Transport & Aviation
· Web3
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Threat Briefing 14 October 2022
Black Arrow Cyber Threat Briefing 14 October 2022:
-Ransomware Report: Most Organisations Unprepared for an Attack, Lack Incident Playbook, Research Finds
-LinkedIn Scams, Fake Instagram Accounts Hit Businesses, Execs
-Study Highlights Surge in Identity Theft and Phishing Attacks
-Increase in Cyber Liability Insurance Claims as Cyber Crime Skyrockets
-UK Government Urges Action to Enhance Supply Chain Security
-For Most Companies Ransomware Is the Scariest Of All Cyber Attacks
-EDR Is Not a Silver Bullet
-Attackers Use Automation to Speed from Exploit to Compromise
-Rising Premiums, More Restricted Cyber Insurance Coverage Poses Big Risk for Companies
-Why CISO Roles Require Business and Technology Savvy
-Wi-Fi Spy Drones Used to Snoop on Financial Firm
-Magniber Ransomware Attacking Individuals and Home Users
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
Ransomware Report: Most Organisations Unprepared for an Attack, Lack Incident Playbook, Research Finds
Some organisations have made significant improvements to their ransomware readiness profile in the last year, Axio said in a newly released report. However, a lack of fundamental cyber security practices and controls, inadequate vulnerability patching and employee training continues to leave ransomware defences lacking in potency.
Axio’s report reveals that only 30% of organisations have a ransomware-specific playbook for incident management in place. In 2021’s report Axio, maker of a cloud-based cyber management software platform, identified seven key areas emerged where organisations were deficient in implementing and sustaining basic cyber security practices.
The same patterns showed up in the 2022 report:
Managing privileged access.
Improving basic cyber hygiene.
Reducing exposure to supply chain and third-party risk.
Monitoring and defending networks.
Managing ransomware incidents.
Identifying and addressing vulnerabilities in a timely manner.
Improving cyber security training and awareness.
Overall, most organisations surveyed are not adequately prepared to manage the risk associated with a ransomware attack. Key data findings include:
The number of organisations with a functional privileged access management solution in place increased by 10% but remains low at 33% overall.
Limitations on the use of service and local administrator accounts remain average overall, with nearly 50% of organisations reporting implementing these practices.
Approximately 40% of organisations monitor third-party network access, evaluate third-party cyber security posture, and limit the use of third-party software.
Less than 50% of respondents implement basic network segmentation and only 40% monitor for anomalous connections.
Critical vulnerability patching within 24 hours was reported by only 24% of organisations.
Active phishing training has improved but is still not practiced by 40% of organisations.
LinkedIn Scams, Fake Instagram Accounts Hit Businesses, Execs
Business owners with public social media accounts are easy targets for scammers who lift information to create fake accounts. The arduous process for removing fraudulent accounts leaves victims frustrated and vulnerable to further data privacy issues. Victims say platform providers, particularly Facebook and Instagram, must improve their responses to reports of fraud.
Impersonation of a brand or executive contributed to more than 40% of all phishing and social media incidents in the second quarter, according to the Agari and Phish Labs Quarterly Threat Trends and Intelligence Report released in August. Q2 marks the second quarter that impersonation attacks have represented the majority of threats, despite a 6.1% decrease from Q1.
Executive impersonation has been on the rise over the past four quarters — representing more than 15% of attacks, according to the report — as impersonating a corporate figure or company on social media is simple and effective for threat actors.
Thom Singer, CEO for the Austin Technology Council and a public speaker, was recently impersonated on Instagram. A scammer created a fake Instagram account with his name and photos, creating a handle with an extra "r" at the end of Singer. That account appeared to amass over 2,300 followers – nearly as many as Singer's own account – lending to its appearance of authenticity.
He learned of the fake account from a contact who texted to ask if he'd reached out on Instagram, which wasn't a channel Singer typically uses to communicate. Singer reported the fraudulent account using the platform's report button and asked his followers to do the same.
"You can't reach anyone at these platforms, so it takes days to get a fake account removed," Singer said. "These social media sites have no liability, nothing to lose when fraud is happening. They need to up their game and have a better process to get [fraud] handled in a timely manner."
Study Highlights Surge in Identity Theft and Phishing Attacks
A new study from behavioural risk firm CybSafe and the National Cybersecurity Alliance (NCA) has been launched and it highlights an alarming surge in phishing and identity theft attacks.
The report, titled ‘Oh, Behave! The Annual Cybersecurity Attitudes and Behaviors report’, studied the opinions of 3,000 individuals across the US, the UK and Canada towards cyber security and revealed that nearly half (45%) of users are connected to the internet all the time, however, this has led to a surge in identity theft with almost 1 in 4 people being affected by the attack.
Furthermore, 1 in 3 (36%) respondents revealed they have lost money or data due to a phishing attack. Yet the study also revealed that 70% of respondents feel confident in their ability to identify a malicious email, but only 45% will confirm the authenticity of a suspicious email by reaching out to the apparent sender.
When it comes to implementing cyber security best practices, only 33% of respondents revealed they use a unique password for important online accounts, while only 16% utilise passwords of over 12 characters in length. Furthermore, only 18% of participants have downloaded a stand-alone password manager, while 43% of respondents have not even heard of multi-factor authentication.
Increase in Cyber Liability Insurance Claims as Cyber Crime Skyrockets
A cyber insurer, Acuity Insurance, is reporting an increased need for cyber liability insurance across both personal and business policyholders. From June 2021 to June 2022, the insurer saw cyber liability insurance claims on its commercial insurance policies increase by more than 50%. For personal policies, they saw more than a 90% increase in cyber claims being reported in 2021 compared with 2020.
Our lives, homes and businesses are more connected than ever before. Being connected leads to a greater risk of cyber attacks, which aren't covered under standard homeowners or business insurance policies.
The insurance experts caution that everyone is at risk — whether you are a small business owner or an individual — as cyber attacks continue to pose a serious financial threat. From 2019 to 2021, cyber attacks were up 50% from the previous year, according to recent research. Wire fraud and gift card scams are two of the most common types of cyber attacks impacting both businesses and individuals.
Scams involving social engineering are some of the easiest to fall for, as fraudsters exploit a person's trust to obtain money or personal information, which can then be used for unauthorised withdrawals of money. Cyber insurance can protect you from financial loss caused by wire transfer fraud, phishing attacks, cyber extortion, cyberbullying and more, Acuity reported.
While all cyber crimes have a financial impact, fraudulent wire transfers often come with greater losses. Banks are typically not responsible for funds lost as a result of a fraudulent wire transfer inadvertently authorised by the customer. Whether it's a wrongful money transfer by a business or an individual, cyber insurance can help mitigate some of the financial loss caused by these scams.
UK Government Urges Action to Enhance Supply Chain Security
The UK government has warned organisations to take steps to strengthen their supply chain security.
New National Cyber Security Centre (NCSC) guidance has been issued amid a significant increase in supply chain attacks in recent years, such as the SolarWinds incident in 2020. The NCSC cited official government data showing that just over one in 10 businesses review the risks posed by their immediate suppliers (13%), while the proportion covering the wider supply chain is just 7%.
Aimed at medium-to-large organisations, the document sets out practical steps to better assess cyber security across increasingly complex supply chains. This includes a description of typical supplier relationships and ways that organisations are exposed to vulnerabilities and cyber-attacks via the supply chain, and the expected outcomes and key steps needed to assess suppliers’ approaches to security.
The new guidance followed a government response to a call for views last year which highlighted the need for further advice. Supply chain attacks are a major cyber threat facing organisations and incidents can have a profound, long-lasting impact on businesses and customers. With incidents on the rise, it is vital organisations work with their suppliers to identify supply chain risks and ensure appropriate security measures are in place.
https://www.infosecurity-magazine.com/news/uk-government-supply-chain-security/
For Most Companies Ransomware Is the Scariest Of All Cyber Attacks
SonicWall released the 2022 SonicWall Threat Mindset Survey which found that 66% of customers are more concerned about cyber attacks in 2022, with the main threat being focused on financially motivated attacks like ransomware.
“No one is safe from cyber attacks — businesses or individuals,” said SonicWall Executive Chairman of the Board Bill Conner. “Today’s business landscape requires persistent digital trust to exist. Supply-chain attacks have dramatically changed the attack surface of the typical enterprise in the past few years, with more suppliers and service providers touching sensitive data than ever before.
“It’s likely we’ll see continued acceleration and evolution of ransomware tactics, as well as other advanced persistent threats (APTs), as cyber crime continues to scale the globe seeking both valuable and weak targets.”
Companies are not only losing millions of dollars to unending malware and ransomware strikes, but cyber attacks on essential infrastructure are impacting real-world services. Despite the growing concern of cyber attacks, organisations are struggling to keep pace with the fast-moving threat landscape as they orient their business, networks, data and employees against unwavering cyber attacks.
“The evolving cyber threat landscape has made us train our staff significantly more,” said Stafford Fields, IT Director, Cavett Turner & Wyble. “It’s made us spend more on cyber security. And what scares me is that an end-user can click on something and bring all our systems down — despite being well protected.”
https://www.helpnetsecurity.com/2022/10/12/customers-concerned-ransomware/
EDR Is Not a Silver Bullet
Old lore held that shooting a werewolf, vampire, or even just your average nasty villain with a silver bullet was a sure-fire takedown: one hit, no more bad guy.
As cyber security professionals, we understand – much like folks in the Old West knew – that there are no panaceas, no actual silver bullets. Yet humans gravitate towards simple solutions to complex challenges, and we are constantly (if unconsciously) seeking silver bullet technology.
Endpoint Detection and Response (EDR) tools have become Standard Operating Procedures for cyber security regimes. They are every CIO’s starting point, and there’s nothing wrong with this. In a recent study by Cymulate of over one million tests conducted by customers in 2021, the most popular testing vector was EDR.
Yet cyber security stakeholders should not assume that EDR is a silver bullet. The fact is that EDR’s efficacy and protective prowess as a standalone solution has been slowly diminished over the decade since the term was first coined by Gartner. Even as it became a mainstay of enterprise and SMB/SME security posture – attacks have skyrocketed in frequency, severity, and success. Today, EDR is facing some of its greatest challenges, including threats laser-targeting EDR systems like the highly-successful Grandoiero banking trojan.
While EDR should not be your only line of defence against advanced threats, including it in a defence solution array is paramount. It should be installed on all organisational servers – including Linux-based ones. Yet installation is not enough. Your organisation is at significant risk if the underlying OS and EDR are not both implemented and fine-tuned.
https://www.helpnetsecurity.com/2022/10/11/edr-is-not-a-silver-bullet/
Attackers Use Automation to Speed from Exploit to Compromise
A report from Laceworks examines the cloud security threat landscape over the past three months and unveils the new techniques and avenues cyber criminals are exploiting for profit at the expense of businesses. In this latest edition, the Lacework Labs team found a significantly more sophisticated attacker landscape, with an increase in attacks against core networking and virtualisation software, and an unprecedented increase in the speed of attacks following a compromise. Key trends and threats identified include:
Increased speed from exposure to compromise: Attackers are advancing to keep pace with cloud adoption and response time. Many classes of attacks are now fully automated to capitalise on timing. Additionally, one of the most common targets is credential leakage. In a specific example from the report, a leaked AWS access key was caught and flagged by AWS in record time. Despite the limited exposure, an unknown adversary was able to log in and launch tens of GPU EC2 instances, underscoring just how quickly attackers can take advantage of a single simple mistake.
Increased focus on infrastructure, specifically attacks against core networking and virtualisation software: Commonly deployed core networking and related infrastructure consistently remains a key target for adversaries. Core flaws in infrastructure often appear suddenly and are shared openly online, creating opportunities for attackers of all kinds to exploit these potential targets.
Continued Log4j reconnaissance and exploitation: Nearly a year after the initial exploit, the Lacework Labs team is still commonly observing vulnerable software targeted via OAST requests. Analysis of Project Discovery (interact.sh) activity revealed Cloudflare and DigitalOcean as the top originators.
Rising Premiums, More Restricted Cyber Insurance Coverage Poses Big Risk for Companies
Among the many consequences of the rising number of costly data breaches, ransomware, and other security attacks are pricier premiums for cyber security insurance. The rise in costs could put many organisations out of the running for this essential coverage, a risky proposition given the current threat landscape.
Cyber insurance is a type of specialty insurance that protects organisations against a variety of risks related to information security attacks such as ransomware and data breaches. Ordinarily, these types of risks aren’t included with traditional commercial general liability policies or are not specifically defined in these insurance plans.
Given the rise in attacks, the growing sophistication of these incidents and the potential financial impact, having cyber insurance coverage has become critical for many organisations. Premiums for these plans have been on the rise because of the increase in security-related losses and rising demand for coverage.
Cyber insurance premiums increased by an average of 28% in the first quarter of 2022 compared with the fourth quarter of 2021, according to the Council of Insurance Agents & Brokers (CIAB), an association for commercial insurance and employee benefits intermediaries.
Among the primary drivers for the continued price increases were a reduced carrier appetite for the risk and high demand for coverage, CIAB said. The high demand for cyber coverage is in part fueled by greater awareness among companies of the threat cyber risk poses for businesses of all sizes, it said.
https://www.cnbc.com/2022/10/11/companies-are-finding-it-harder-to-get-cyber-insurance-.html
Why CISO Roles Require Business and Technology Savvy
Listening and communicating to both the technical and business sides is critical to successfully leading IT teams and business leaders to the same end-goal.
Of all the crazy postings that advertise for CISO jobs, the one asking for a CISO to code in Python was probably the most outrageous example of the disconnect about a CISO’s role, says Joe Head, CISO search director at UK-based search firm, Intaso. This was a few years ago, and one can only guess that the role had been created by a technologist who didn’t care about or didn’t understand the business — or, inversely by a businessperson who didn’t understand enough about technology.
In either case, the disconnect is real. However, Head and other experts say that when it comes to achieving the true, executive role and reporting to the CEO and board, business skills rule. That doesn’t mean, however, that most CISOs know nothing about technology, because most still start out with technology backgrounds.
In the 2022 CISO survey by executive placement firm, Heidrick & Struggles, most CISOs come from a functional IT background that reflects the issues of the time. For example, in 2022 10% of CISOs came from software engineering backgrounds, which tracks with the White House directive to protect the software supply chain. The report notes that the majority of CISOs have experience in the financial services industry, which has a low risk tolerance and where more money is spent on security.
The survey also indicates that only a small core of CISOs (working primarily for the Fortune 500) rise to the executive level with the combination of business and technical responsibilities that come with the role. In it, more than two-thirds of CISOs responding to the survey worked for companies worth over $5 billion. So, instead of bashing a CISO’s lack of IT skills, the real need lies in developing business skills for the technologists coming up the ranks.
Wi-Fi Spy Drones Used to Snoop on Financial Firm
Modified off-the-shelf drones have been found carrying wireless network-intrusion kit in a very unlikely place.
The idea of using consumer-oriented drones for hacking has been explored over the past decade at security conferences like Black Hat 2016, in both the US and in Europe, but now these sort of attacks are actually taking place. A security researcher recently recounted an incident that occurred over the summer at a US East Coast financial firm focused on private investment.
The hacking incident was discovered when the financial firm spotted unusual activity on its internal Atlassian Confluence page that originated from within the company's network. The company's security team responded and found that the user whose MAC address was used to gain partial access to the company Wi-Fi network was also logged in at home several miles away. That is to say, the user was active off-site but someone within Wi-Fi range of the building was trying to wirelessly use that user's MAC address, which is a red flag. The team then took steps to trace the Wi-Fi signal and used a Fluke system to identify the Wi-Fi device.
This led the team to the roof, where two modified commercially available consumer drones series were discovered. One drone was in fine condition and had a modified Wi-Fi Pineapple device, used for network penetration testing. The second drone was carrying a case that contained a Raspberry Pi, several batteries, a GPD mini laptop, a 4G modem, and another Wi-Fi device. It had landed near the building's heating and ventilation system and appeared to be damaged but still operable.
During their investigation, they determined that the first drone had originally been used a few days prior to intercept a worker's credentials and Wi-Fi, and this data was then hard coded into the tools that were deployed on the second drone.
https://www.theregister.com/2022/10/12/drone-roof-attack/
Magniber Ransomware Attacking Individuals and Home Users
A recent analysis shows that Magniber ransomware has been targeting home users by masquerading as software updates.
Reports have shown a ransomware campaign isolated by HP Wolf Security in September 2022 saw Magniber ransomware spread. The malware is known as a single-client ransomware family that demands $2,500 from victims. Magniber was previously primarily spread through MSI and EXE files, but in September 2022 HP Wolf Security began seeing campaigns distributing the ransomware in JavaScript files.
HP Wolf Security reported that some malware families rely exclusively on JavaScript, but have done so for some time. Currently, analysts are also seeing more HTML smuggling, such as with Qakbot and IcedID. This technique also makes use of JavaScript to decode malicious content. The only difference is that the HTML file is executed in the context of the browser and therefore usually requires further user interaction.
Remarkably, HP Wolf Security said, the attackers used clever techniques to evade detection, such as running the ransomware in memory, bypassing User Account Control (UAC) in Windows, and bypassing detection techniques that monitor user-mode hooks by using syscalls instead of standard Windows API libraries.
It appears that with the UAC bypass, the malware deletes the infected system’s shadow copy files and disables backup and recovery features, preventing the victim from recovering their data using Windows tools.
Having recently described the ransomware campaign in a recent interview, HP Wolf noted that the infection chain starts with a web download from an attacker-controlled website.
Threats
Ransomware and Extortion
More and more ransomware is just data theft, no encryption • The Register
Magniber ransomware now infects Windows users via JavaScript files (bleepingcomputer.com)
Fake adult sites push data wipers disguised as ransomware (bleepingcomputer.com)
It was LockBit that forced NHS tech supplier to shut down • The Register
Ransomware posing as Windows antivirus update will just empty your wallet | TechRadar
Microsoft: New Prestige ransomware targets orgs in Ukraine, Poland (bleepingcomputer.com)
BlackByte ransomware uses new EDR evasion technique (techtarget.com)
Prevent Ransomware Attacks on Critical Infrastructure (trendmicro.com)
Microsoft Exchange servers hacked to deploy LockBit ransomware (bleepingcomputer.com)
Harvard Business Publishing licensee hit by ransomware - Security Affairs
LockBit affiliates compromise Microsoft Exchange servers to deploy ransomware - Security Affairs
Police tricks DeadBolt ransomware out of 155 decryption keys (bleepingcomputer.com)
Phishing & Email Based Attacks
Caffeine service lets anyone launch Microsoft 365 phishing attacks (bleepingcomputer.com)
A whole load of phishing emails make it past Microsoft Defender, researchers say | TechRadar
Google Forms abused in new COVID-19 phishing wave in the U.S. (bleepingcomputer.com)
US election workers hit with phishing, malware emails • The Register
Cyber criminals are having it easy with phishing-as-a-service - Help Net Security
Other Social Engineering; Smishing, Vishing, etc
Malware
How a Microsoft blunder opened millions of PCs to potent malware attacks | Ars Technica
Banks face their 'darkest hour' as crimeware powers up • The Register
Emotet Rises Again With More Sophistication, Evasion (darkreading.com)
QAKBOT Attacks Spike Amid Concerning Cyber Criminal Collaborations (darkreading.com)
Hackers behind IcedID malware attacks diversify delivery tactics (bleepingcomputer.com)
Eternity threat group’s LilithBot: A criminal multitool • The Register
Here's another excellent reason not to browse adult websites at work | TechRadar
Experts analysed the evolution of the Emotet supply chain - Security Affairs
Mobile
Modified WhatsApp App Caught Infecting Android Devices with Malware (thehackernews.com)
Meta uncovers 400 malicious apps on Android and iOS apps | SC Media (scmagazine.com)
‘Zero-Click’ Spyware Emerges as a Menacing Mobile Threat - Bloomberg
Mullvad: Android may leak information when connected to a VPN - gHacks Tech News
Android Security Updates Patch Critical Vulnerabilities | SecurityWeek.Com
Hackers Using Vishing to Trick Victims into Installing Android Banking Malware (thehackernews.com)
Mystery iPhone update patches against iOS 16 mail crash-attack – Naked Security (sophos.com)
Internet of Things – IoT
Data Breaches/Leaks
Client data exfiltrated in Advanced NHS cyber attack (digitalhealth.net)
Mormon Church data stolen in 'state-sponsored' cyber attack • The Register
2K Customer Data Stolen, Sold Online After Support Desk Scam (kotaku.com)
Toyota discloses data leak after access key exposed on GitHub (bleepingcomputer.com)
Fast Company says Executive Board member info was not stolen in attack (bleepingcomputer.com)
State Bar of Georgia Confirms Data Breach Following Ransomware Attack | SecurityWeek.Com
Singtel's second unit faces cyber attack weeks after Optus data breach | Reuters
Zoetop pays $1.9m to settle customer data theft case • The Register
CommonSpirit Health IT still suffering after cyber attack • The Register
Over 80,000 DJI drone IDs exposed in data leak: Report (dronedj.com)
High-Value Targets: String of Aussie Telco Breaches Continues (darkreading.com)
Data of 380K patients compromised in hack of 13 anesthesia practices | SC Media (scmagazine.com)
Australian police secret agents exposed in Colombian data leak (bleepingcomputer.com)
Toyota Reveals Data Leak of 300,000 Customers - Infosecurity Magazine (infosecurity-magazine.com)
Organised Crime & Criminal Actors
INTERPOL arrests ‘Black Axe’ cyber crime syndicate members (bleepingcomputer.com)
Caffeine Phishing-as-a-Service toolkit available in the underground - Security Affairs
Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain
North Korea's Crypto Hackers Are Paving the Road to Nuclear Armageddon - CNET
Fake Solana Phantom security updates push crypto-stealing malware (bleepingcomputer.com)
'Baby Al Capone' to pay $22m to SIM-swap crypto-heist victim • The Register
Fraud, Scams & Financial Crime
Alternative payment methods are creating new fraud risks - Help Net Security
Prison inmate charged with $11m fraud via cell phone • The Register
Mastercard moves to protect ‘risky and frisky’ transactions • The Register
Deepfakes
AML/CFT/Sanctions
Insurance
Dark Web
Software Supply Chain
Denial of Service DoS/DDoS
US airports' sites taken down in DDoS attacks by pro-Russian hackers (bleepingcomputer.com)
Russian DDoS attack project pays contributors for more firepower (bleepingcomputer.com)
Cloud/SaaS
Encryption
Microsoft Office 365 uses insecure block ciphers • The Register
Microsoft Office 365 email encryption could expose message content (bleepingcomputer.com)
Passwords, Credential Stuffing & Brute Force Attacks
Social Media
Training, Education and Awareness
Parental Controls and Child Safety
Cyber Bullying and Cyber Stalking
Regulations, Fines and Legislation
Backup and Recovery
Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine
Vladimir Putin’s hybrid war has begun and the West must be ready | Evening Standard
Internet outages hit Ukraine following Russian missile strikes (bitdefender.com)
Seven 'Creepy' Backdoors Used by Lebanese Cyberspy Group in Israel Attacks | SecurityWeek.Com
Researchers Uncover Custom Backdoors and Spying Tools Used by Polonium Hackers (thehackernews.com)
We must tackle Europe’s winter cyber threats head-on – POLITICO
Researchers Detail Malicious Tools Used by Cyber Espionage Group Earth Aughisky (thehackernews.com)
‘Zero-Click’ Spyware Emerges as a Menacing Mobile Threat - Bloomberg
SpaceX’s Starlink terminals in Ukraine back online after outages | Financial Times
Nation State Actors
Nation State Actors – Russia
German Cyber security Chief Accused of Russian Contact Faces Sacking - IT Security Guru
Russian DDoS attack project pays contributors for more firepower (bleepingcomputer.com)
Extreme Networks admits sales to banned Russian arms maker • The Register
Nation State Actors – China
UK Spy Chief to Warn of 'Huge' China Tech Threat | SecurityWeek.Com
China’s attack motivations, tactics, and how CISOs can mitigate threats | CSO Online
China will manipulate new tech for global influence, warns GCHQ boss | Metro News
UK telcos legally required to remove Huawei equipment • The Register
Chinese-linked hackers targeted U.S. state legislature, researchers say - CyberScoop
New Chinese Malware Attack Framework Targets Windows, macOS, and Linux Systems (thehackernews.com)
UK to designate China a ‘threat’ in hawkish foreign policy shift | Foreign policy | The Guardian
WIP19, a new Chinese APT targets IT Service Providers and Telcos - Security Affairs
China-linked Budworm APT returns to target a US entity - Security Affairs
We must tackle China’s satellite-busting technology, says GCHQ chief | News | The Times
GCHQ boss: China could use Digital Yuan to swerve sanctions • The Register
Young people using TikTok is no problem, GCHQ chief says | TikTok | The Guardian
Nation State Actors – North Korea
Nation State Actors – Misc
Vulnerability Management
Vulnerabilities
Concerns Over Fortinet Flaw Mount; PoC Released, Exploit Activity Grows (darkreading.com)
Microsoft October 2022 Patch Tuesday fixes zero-day used in attacks, 84 flaws (bleepingcomputer.com)
Microsoft Addresses Zero-Days, but Exchange Server Exploit Chain Remains Unpatched (darkreading.com)
Auth bypass bug in FortiOS, FortiProxy is exploited in the wild (CVE-2022-40684) - Help Net Security
Chrome 106 Update Patches Several High-Severity Vulnerabilities | SecurityWeek.Com
Researchers Detail Windows Zero-Day Vulnerability Patched Last Month (thehackernews.com)
Almost 900 servers hacked using Zimbra zero-day flaw (bleepingcomputer.com)
Patch Tuesday: Critical Flaws in ColdFusion, Adobe Commerce | SecurityWeek.Com
Aruba fixes critical RCE and auth bypass flaws in EdgeConnect (bleepingcomputer.com)
WordPress Vulnerability In Shortcodes Ultimate Impacts 700,000 Sites (searchenginejournal.com)
Critical Open Source vm2 Sandbox Escape Bug Affects Millions (darkreading.com)
VMware vCenter Server bug disclosed last year still not patched (bleepingcomputer.com)
Other News
Board members should make CISOs their strategic partners - Help Net Security
5 Attack Elements Every Organisations Should Be Monitoring (darkreading.com)
Ukraine’s Starlink problems show the dangers of digital dependency | Financial Times (ft.com)
Here's 5 of the world's riskiest connected devices - Help Net Security
Older, Stored Data Is Cyber Security Risk, Report Warns - MSSP Alert
What the Uber Breach Verdict Means for CISOs in the US (darkreading.com)
Increasing network visibility is critical to improving security posture - Help Net Security
What the Uber Hack can teach us about navigating IT Security (bleepingcomputer.com)
Consumers want more transparency on how companies manage their data - Help Net Security
Gaming Is Booming. That’s Catnip for Cyber criminals. - The New York Times (nytimes.com)
Fear of cyber criminals drives cyber security improvements - Help Net Security
The next Ford Mustang won’t be easy to tune; blame cyber security | Ars Technica
Sector Specific
Industry specific threat intelligence reports are available.
Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.
· Automotive
· Construction
· Critical National Infrastructure (CNI)
· Defence & Space
· Education & Academia
· Energy & Utilities
· Estate Agencies
· Financial Services
· FinTech
· Food & Agriculture
· Gaming & Gambling
· Government & Public Sector (including Law Enforcement)
· Health/Medical/Pharma
· Hotels & Hospitality
· Insurance
· Legal
· Manufacturing
· Maritime
· Oil, Gas & Mining
· OT, ICS, IIoT, SCADA & Cyber-Physical Systems
· Retail & eCommerce
· Small and Medium Sized Businesses (SMBs)
· Startups
· Telecoms
· Third Sector & Charities
· Transport & Aviation
· Web3
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.