Threat Intelligence Blog

Contact our Experts Now

Subscribe to our Weekly Cyber Threat Intelligence Briefing

Black Arrow Admin 10/03/2024 Black Arrow Admin 10/03/2024

Black Arrow Cyber Threat Briefing 08 March 2024

Black Arrow Cyber Threat Intelligence Briefing 08 March 2024:

-FBI Reports Cyber Crime Losses Reached $12.5 billion in 2023, Ransomware Losses Surged by 74%, Average Ransomw Demand Reaching $600k

-Capita Plans £100 Million in Cost Cuts as it Continues to Grapple With 2023 Cyber Attack, Resulting in Significant Job Losses

-Employment Law Firm Sues IT Company Over Ransomware Attack

-Stolen Passwords are a Hacker Goldmine

-Phishing Attacks Up 40 Percent in 2023; Attackers Leverage Social Engineering for Greater Success

-Business Leaders Don’t Even Know They’ve Been Hacked

-Rising Cyber Security Risks: Insider Threat Main Concern Among Mid-Market Firms

-Security Risks Plague SMEs in Shift to Remote Working

-After Collecting $22 Million, Ransomware Group Stages FBI Takedown

-Cyber Attacks Remain Chief Concern for Businesses

-Two New Ransomware Groups Join Forces to Launch Joint Attacks

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Governance, Risk and Compliance

Threats

Ransomware, Extortion and Destructive Attacks

Ransomware Victims

Phishing & Email Based Attacks

Other Social Engineering

Artificial Intelligence

2FA/MFA

Google and Meta users see their 2FA security codes leaked online - Root-Nation.com

Malware

Mobile

Denial of Service/DoS/DDOS

DDoS Attacks on Financial Services Industry Up 154%, According to New FS-ISAC/Akamai Report (prnewswire.com)

Internet of Things – IoT

Data Breaches/Leaks

Organised Crime & Criminal Actors

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

Insider Risk and Insider Threats

Supply Chain and Third Parties

Cloud/SaaS

Identity and Access Management

Encryption

Preparing for the post-quantum cryptography environment today | CSO Online

Linux and Open Source

Passwords, Credential Stuffing & Brute Force Attacks

Social Media

Training, Education and Awareness

In the News | Equip and Educate Students to Combat Cyberthreats - Security Boulevard

Regulations, Fines and Legislation

Models, Frameworks and Standards

Data Protection

Careers, Working in Cyber and Information Security

Law Enforcement Action and Take Downs

Misinformation, Disinformation and Propaganda

Nation State Actors, Advanced Persistent Threats (APTs), Cyber Warfare, Cyber Espionage and Geopolitical Threats/Activity

Cyber Warfare and Cyber Espionage

Nation State Actors

Complete Guide to Advanced Persistent Threat (APT) Security - Security Boulevard

China

Russia

North Korea

Other Nation State Actors, Hacktivism, Extremism, Terrorism and Other Geopolitical Threat Intelligence

Vulnerability Management

Vulnerabilities

Tools and Controls

Reports Published in the Last Week

Kaspersky spam and phishing report for 2023 | Securelist

Other News

Sector Specific

Industry specific threat intelligence reports are available.

· Automotive

· Construction

· Critical National Infrastructure (CNI)

· Defence & Space

· Education & Academia

· Energy & Utilities

· Estate Agencies

· Financial Services

· FinTech

· Food & Agriculture

· Gaming & Gambling

· Government & Public Sector (including Law Enforcement)

· Health/Medical/Pharma

· Hotels & Hospitality

· Insurance

· Legal

· Manufacturing

· Maritime

· Oil, Gas & Mining

· OT, ICS, IIoT, SCADA & Cyber-Physical Systems

· Retail & eCommerce

· Small and Medium Sized Businesses (SMBs)

· Startups

· Telecoms

· Third Sector & Charities

· Transport & Aviation

· Web3

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Black Arrow Admin 04/02/2024 Black Arrow Admin 04/02/2024

Black Arrow Cyber Threat Briefing 02 February 2024

Black Arrow Cyber Threat Intelligence Briefing 02 February 2024:

-The Financial Sector Is Plagued by Increasingly Sophisticated Cyber Attacks That Demand a Defensive Paradigm Shift

-The $10 Billion Cyber Insurance Industry Sees a Dangerous Year in Cyber Crime Ahead. AI, Ransomware, and War are its Biggest Concerns

-Microsoft Says Russian Hackers Used Known Identified Tactics to Breach Senior Exec Emails

-Old Methods, New Tricks: Cyber Criminals Are Still Using Social Engineering to Steal Your Credentials

-UK Government Unveils New Cyber Threat Guidelines as 32% of Firms Suffer Attacks in Past Year

-94% of Organisations Would Pay a Ransom, Despite Having ‘Do Not Pay’ Policies, as 79% Faced an Attack in 2023

-Interpol Arrests More than 30 Cyber Criminals in Global Operation

-Divide and Succeed: Splitting IT and Security Makes Business Sense

-Ransomware Groups Gain Clout with False Attack Claims

-Payment Fraud is Hitting Organisations Harder Than Ever Before

-Chinese Hacking Operations Have Entered a Far More Dangerous Phase, US Warns

Governance, Risk and Compliance

Threats

Ransomware, Extortion and Destructive Attacks

Ransomware Victims

Phishing & Email Based Attacks

Artificial Intelligence

2FA/MFA

Microsoft says Russian hackers used previously identified tactic to breach senior exec emails (therecord.media)

Malware

Mobile

Denial of Service/DoS/DDOS

DDoS attack power skyrockets to 1.6 Tbps - Help Net Security

Internet of Things – IoT

Data Breaches/Leaks

Organised Crime & Criminal Actors

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

Insider Risk and Insider Threats

Insurance

Supply Chain and Third Parties

Cloud/SaaS

Identity and Access Management

Linux and Open Source

Passwords, Credential Stuffing & Brute Force Attacks

Social Media

Malvertising

Fake Google ads are trying to trick users into downloading nasty malware — here's how you can fight back | TechRadar

Regulations, Fines and Legislation

Models, Frameworks and Standards

Data Protection

ICO confirms data breach probe as UK councils remain downed by cyber attack | TechCrunch

Careers, Working in Cyber and Information Security

Law Enforcement Action and Take Downs

Nation State Actors, Advanced Persistent Threats (APTs), Cyber Warfare, Cyber Espionage and Geopolitical Threats/Activity

Cyber Warfare and Cyber Espionage

Nation State Actors

China

Russia

Iran

Other Nation State Actors, Hacktivism, Extremism, Terrorism and Other Geopolitical Threat Intelligence

US sanctions 3 for supporting ISIS with cyber security expertise, money transfers - UPI.com

Vulnerability Management

Vulnerabilities

Tools and Controls

Reports Published in the Last Week

Other News

Sector Specific

Industry specific threat intelligence reports are available.

· Automotive

· Construction

· Critical National Infrastructure (CNI)

· Defence & Space

· Education & Academia

· Energy & Utilities

· Estate Agencies

· Financial Services

· FinTech

· Food & Agriculture

· Gaming & Gambling

· Government & Public Sector (including Law Enforcement)

· Health/Medical/Pharma

· Hotels & Hospitality

· Insurance

· Legal

· Manufacturing

· Maritime

· Oil, Gas & Mining

· OT, ICS, IIoT, SCADA & Cyber-Physical Systems

· Retail & eCommerce

· Small and Medium Sized Businesses (SMBs)

· Startups

· Telecoms

· Third Sector & Charities

· Transport & Aviation

· Web3

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Black Arrow Admin 21/01/2024 Black Arrow Admin 21/01/2024

Black Arrow Cyber Threat Briefing 19 January 2024

Black Arrow Cyber Threat Intelligence Briefing 19 January 2024:

-World Economic Forum and UN Warn of Growing ‘Cyber Insecurity’ Amid Heightened Threat Landscape

-Cyber Attacks Reveal Fragility of Financial Markets as Attacks on Financial Services Sector Surge

-Researcher Uncovers One of The Biggest Password Dumps in Recent History

-Email Nightmare: 94% of Firms Hit by Phishing Attacks in 2023

-75% of Organisations Hit by Ransomware in 2023

-The Dangers of Quadruple Blow Ransomware Attacks

-Human Error and Insiders Expose Millions in UK Law Firm Data Breaches

-It’s a New Year and a Good Time for a Cyber Security Checkup

-Applying the Tyson Principle to Cyber Security: Why Attack Simulations are Key to Avoiding Disaster

-Cyber Threats Top Global Business Risk Concern for 2024

-Generative AI has CEOs Worried About Cyber Security, PwC Survey Says

-With Attacks on the Upswing, Cyber Insurance Premiums Poised to Rise Too

-Digital Resilience – a Step Up from Cyber Security

Governance, Risk and Compliance

Threats

Ransomware, Extortion and Destructive Attacks

Ransomware Victims

Phishing & Email Based Attacks

Artificial Intelligence

2FA/MFA

Malware

Mobile

Denial of Service/DoS/DDOS

Environmental Websites Hit by DDoS Surge in COP28 Crossfire - Infosecurity Magazine (infosecurity-magazine.com)

Internet of Things – IoT

Data Breaches/Leaks

Organised Crime & Criminal Actors

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

Insider Risk and Insider Threats

Insurance

Supply Chain and Third Parties

Cloud/SaaS

Identity and Access Management

Digital nomads amplify identity fraud risks - Help Net Security

Encryption

New Report Charts Roadmap To A Quantum-Secure Financial System – Eurasia Review

Passwords, Credential Stuffing & Brute Force Attacks

Social Media

Senators Demand Probe into SEC Hack After Bitcoin Price Spike - Infosecurity Magazine (infosecurity-magazine.com)

Malvertising

Latest Adblock update causes massive YouTube performance hit (bleepingcomputer.com)

Training, Education and Awareness

Regulations, Fines and Legislation

Models, Frameworks and Standards

Backup and Recovery

Akira ransomware attackers are wiping NAS and tape backups - Help Net Security

Data Protection

Careers, Working in Cyber and Information Security

Law Enforcement Action and Take Downs

Misinformation, Disinformation and Propaganda

Nation State Actors, Advanced Persistent Threats (APTs), Cyber Warfare, Cyber Espionage and Geopolitical Threats/Activity

Cyber Warfare and Cyber Espionage

Nation State Actors

China

Russia

Iran

Other Nation State Actors, Hacktivism, Extremism, Terrorism and Other Geopolitical Threat Intelligence

Vulnerability Management

Why we must bring order to cyber vulnerability chaos | TechRadar

Vulnerabilities

Tools and Controls

Other News

Sector Specific

Industry specific threat intelligence reports are available.

· Automotive

· Construction

· Critical National Infrastructure (CNI)

· Defence & Space

· Education & Academia

· Energy & Utilities

· Estate Agencies

· Financial Services

· FinTech

· Food & Agriculture

· Gaming & Gambling

· Government & Public Sector (including Law Enforcement)

· Health/Medical/Pharma

· Hotels & Hospitality

· Insurance

· Legal

· Manufacturing

· Maritime

· Oil, Gas & Mining

· OT, ICS, IIoT, SCADA & Cyber-Physical Systems

· Retail & eCommerce

· Small and Medium Sized Businesses (SMBs)

· Startups

· Telecoms

· Third Sector & Charities

· Transport & Aviation

· Web3

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Black Arrow Admin 16/07/2023 Black Arrow Admin 16/07/2023

Black Arrow Cyber Threat Briefing 14 July 2023

Black Arrow Cyber Threat Briefing 14 July 2023:

-Cyber Attacks Are a War We'll Never Win, but We Can Defend Ourselves

-Helping Boards Understand Cyber Risks

-Enterprise Risk Management Should Inform Cyber Risk Strategies

-Law Firms at High Risk of Attack as Ransomware Groups Begin to Focus Attention

-20% of Malware Attacks Bypass Antivirus Protection

-Ransomware Payments and Extortion Spiked Compared to 2022

-AI, Trust, and Data Security are Key Issues for Finance Firms and Their Customers

-Caution: Microsoft Warns of Office Zero-Day Attacks with No Patch Available

-Scam Page Volumes Surge 304% Annually

-Financial Industry Faces Soaring Ransomware Threat

-The Need for Risk-Based Vulnerability Management to Combat Threats

-Government Agencies Breached in Microsoft 365 Email Attacks

-Concerns Raised as Report Questions UK’s “Completely Inadequate” Defence to Threats from China

-Hackers Backed by North Korea have Stolen Billions of Dollars Over the Last Five Years

Black Arrow Cyber Threat Briefing 05 August 2022

-Average Cost of Data Breaches Hits Record High of $4.35 Million: IBM

-Researchers Warns of Large-Scale Adversary-in-the-Middle (AiTM) Attacks Targeting Enterprise Users

-UK NHS Suffers Outage After Cyber Attack on Managed Service Provider

-A Third of Organisations Experience a Ransomware Attack Once a Week

-Ransomware Products, Services Ads on Dark Web Show Clues to Danger

-Wolf In Sheep’s Clothing, How Malware Tricks Users and Antivirus

-Microsoft Accounts Targeted with New MFA-Bypassing Phishing Kit

-Cyber Attack Prevention Is Cost-Effective, So Why Aren’t Businesses Investing to Protect?

-Securing Your Move to the Hybrid Cloud

-Lessons from the Russian Cyber Warfare Attacks

-Four Sneaky Attacker Evasion Techniques You Should Know About

-Zero-Day Defence: Tips for Defusing the Threat

Black Arrow Cyber Threat Briefing 01 April 2022

-One Tenth of UK Staff Bypass Corporate Security

-Majority Of Data Security Incidents Caused by Insiders

-One-Third of UK Firms Suffer A Cyber Attack Every Week

-Russia's Cyber Criminals Fear Sanctions Will Erase Their Wealth

-86% Of Organisations Believe They Have Suffered a Nation-State Cyber Attack

-Multiple Hacking Groups Are Using the War in Ukraine As A Lure In Phishing Attempts

-4 Ways Attackers Target Humans to Gain Network Access

-Security Incidents Reported to FCA Surge 52% in 2021

-NCSC Suggests Rethinking Russian Supply Chain Risks

-25% Of Workers Lost Their Jobs In The Past 12 Months After Making Cyber Security Mistakes: Report

-Attackers Compromise 94% Of Critical Assets Within Four Steps Of Initial Breach

-UK Spy Chief Warns Russia Looking for Cyber Targets

Black Arrow Cyber Threat Briefing 12 November 2021

Black Arrow Cyber Threat Briefing 12 November 2021:

-Covid Impact Heightens Risk Of Cyber Security Breaches

-81% of Organisations Experienced Increased Cyber-Threats During COVID-19

-Phishing Attacks Grow 31.5% Over 2020, Social Media Attacks Continue To Climb

-Threat from Organised Cybercrime Syndicates Is Rising

-Ransomware Gangs Are Using These 'Ruthless' Tactics As They Aim For Bigger Payouts

-Firms Will Struggle to Secure Extended Attack Surface in 2022

-Millions Of Home Wi-Fi Routers Threatened By Malware — What To Do

-Vulnerabilities Associated With Ransomware Increased 4.5% In Q3 2021

-80% Of Organisations Experienced Employees Misusing And Abusing Access To Business Apps

-Gen Z Is Behaving Recklessly Online - And Will Live To Regret It

Black Arrow Cyber Threat Briefing 22 October 2021

-Many Organisations Lack Basic Cyber Hygiene Despite High Confidence In Their Cyber Defences

-83% Of Ransomware Victims Paid Ransom: Survey

-Report: Ransomware Affected 72% Of Organizations In Past Year

-Ransomware: Looking For Weaknesses In Your Own Network Is Key To Stopping Attacks

-A Hacker Warns: Give Up Trying To Keep Me Out — And Focus On Your Data

-Cyber Risk Trends Driving The Surge In Ransomware Incidents

-US Ransomware Victims Paid $600 Million to Hackers in 1H of 2021

-Hacking Group Created Fake Cyber Security Companies To Hire Experts And Involve Them In Ransomware Attacks Tricking Them Of Conducting A Pentest

-Nearly Three-Quarters of Organizations Victimized by DNS Attacks in Past 12 Months

-Cyber Crime Matures As Hackers Are Forced To Work Smarter

-Hackers Stealing Browser Cookies to Hijack High-Profile YouTube Accounts

Black Arrow Cyber Threat Briefing 15 October 2021

-The Human Element Is the Weakest Link

-Ransomware is the Biggest Cyber Threat to Business: Most Firms Still Aren't Ready for It

-Most Known Ransomware Targets Windows Devices

-67% of Organisations Have Been Hit by Ransomware at Least Once

-Russian Cyber Crime Gang Targets Finance Firms With Stealthy Macros

-70% of Businesses Can’t Ensure the Same Level of Protection for Every Endpoint

-Over 90% of Firms Suffered Supply Chain Breaches Last Year

-Ransomware Attacks Preparedness Lagging, Despite Organisations Being Aware of The Risks

-6 Things to Know About 'Killware,' Cyber Security's Next Big Threat

Black Arrow Cyber Threat Briefing 11 June 2021

Black Arrow Cyber Threat Briefing 11 June 2021: World’s Biggest Meat Producer JBS Pays $11m Ransom; New Type Of Ransomware Could Be 10 Times As Dangerous; Lewd Phishing Lures Aimed At Business Explode; UK Schools Forced To Shut Following Ransomware; COVID-19 Has Transformed Work, But Cyber Security Is Not Keeping Pace; Colonial Pipeline Ransomware Attack Stemmed From Old VPN Password; Evil Corp Rebrands Ransomware To Escape Sanctions; Billions Of Passwords Leaked Online From Past Data Breaches

Black Arrow Cyber Threat Briefing 14 May 2021

Black Arrow Cyber Threat Briefing 14 May 2021: Two Thirds Of CISOs Expect Damaging Cyber Attack In Next 12 Months; Ransomware - Don't Pay, It Just Shows Cyber Criminals That Attacks Work; Most Significant Cyber Attacks 2006-2020; The Shape Of Fraud And Cyber Crime, 10 Things We Learned From 2020; US Pipeline Ransomware Serves As Warning To Persistent Corporate Inertia Over Security; Ransomware Attackers Now Using Triple Extortion Tactics; AXA Pledges To Stop Reimbursing French Ransomware Victims; Cyber Experts Warn Over Online Wine Scams

Cyber Security Guidance for Firms during Lockdown 2.0 - What Should Firms Be Doing? Guernsey Press 04 February 2020

Cyber Security is a key consideration for businesses during lockdown. In this article, the team from Guernsey’s Black Arrow Cyber Consulting consider some the issues and how to manage the risks

Black Arrow Admin 19/12/2020 Black Arrow Admin 19/12/2020

Black Arrow Cyber Threat Briefing 18 December 2020

Black Arrow Cyber Threat Briefing 18 December 2020: The great hack attack - SolarWinds breach exposes big gaps in cyber security; A wake-up for the world on cyber security; White House activates cyber emergency response; US nuclear weapons agency targeted; UK companies targeted; Increasing Risk of Cyber Attacks; millions of users install malicious browser extensions; C19 Vaccines sold on dark web

Top Cyber Headlines of the Week

The great hack attack: SolarWinds breach exposes big gaps in cyber security

Until this week, SolarWinds was a little known IT software group from Texas. Its deserted lobby has a framed magazine article from a few years ago when it was on a list of America’s “Best Small Companies”.

Now the Austin-based company is at the heart of one of the biggest and most startling cyber hacks in recent history, with ramifications that extend into the fields of geopolitics, espionage and national security.

For nine months, sophisticated state-backed hackers have exploited a ubiquitous SolarWinds software product in order to spy on government and business networks around the world, including in the US, UK, Israel and Canada. Wielding innovative tools and tradecraft, the cyber spies lurked in email services, and posed as legitimate staffers to tap confidential information stored in the cloud.

The bombshell revelations have sent 18,000 exposed SolarWinds customers scrambling to assess whether outsiders did indeed enter their systems, what the damage was and how to fix it.

https://www.ft.com/content/c13dbb51-907b-4db7-8347-30921ef931c2

A wake-up for the world on cyber security

Imagine intruders break into your home and loiter undetected for months, spying on you and deciding which contents to steal. This in essence is the kind of access that hackers, assumed to be Russian, achieved in recent months at US government institutions including the Treasury and departments of commerce and homeland security, and potentially many US companies. If the fear in the Cold War was of occasional “moles” gaining access to secrets, this is akin to a small army of moles burrowing through computer systems. The impact is still being assessed, but it marks one of the biggest security breaches of the digital era.

https://www.ft.com/content/d3fc0b14-4a82-4671-b023-078516ea714e

US government, thousands of businesses now thought to have been affected by SolarWinds security attack

Thousands of businesses and several branches of the US government are now thought to have been affected by the attack on software firm SolarWinds.

The Austin-based company has fallen victim to a massive supply chain attack believed to be the work of state-sponsored hackers.

Along with the US treasury and commerce departments, the Department of Homeland Security is now thought to have been affected by the attack. In a statement to the SEC today, SolarWinds said it had notified 33,000 customers of its recent hack, but that only 18,000 of these used the affected version of its Orion platform.

https://www.techradar.com/uk/news/solarwinds-suffers-massive-supply-chain-attack

White House activates cyber emergency response under Obama-era directive

In the wake of the SolarWinds breach, the National Security Council has activated an emergency cyber security process that is intended to help the government plan its response and recovery efforts, according to White House officials and other sources.

The move is a sign of just how seriously the Trump administration is taking the foreign espionage operation, former NSC officials told CyberScoop.

The action is rooted in a presidential directive issued during the Obama administration known as PPD-41, which establishes a Cyber Unified Coordination Group (UCG) that is intended to help the U.S. government coordinate multiple agencies’ responses to the significant hacking incident.

The UCG is generally led by the Department of Justice — through the FBI and the National Cyber Investigative Joint Task Force — as well as the Office of the Director of National Intelligence and the Department of Homeland Security.

https://www.cyberscoop.com/solarwinds-white-house-national-security-council-emergency-meetings/

Hackers targeted US nuclear weapons agency in massive cyber security breach, reports say

The National Nuclear Security Administration and Energy Department, which safeguard the US stockpile of nuclear weapons, have had their networks hacked as part of the widespread cyber espionage attack on a number of federal agencies.

Politico reports that officials have begun coordinating notifications about the security breach to the relevant congressional oversight bodies.

Suspicious activity was identified in the networks of the Federal Energy Regulatory Commission (FERC), Los Alamos and Sandia national laboratories in New Mexico and Washington, the Office of Secure Transportation, and the Richland Field Office of the Department of Energy.

Officials with direct knowledge of the matter said hackers have been able to do more damage to the network at FERC, according to the report.

https://www.independent.co.uk/news/world/americas/us-politics/hackers-nuclear-weapons-cybersecurity-b1775864.html

Microsoft warns UK companies were targeted by SolarWinds hackers

Microsoft has warned that some of its UK customers have been exposed to the malware used in the Russia-linked SolarWinds hack that targeted US states and government agencies.

More than 40 of the tech giant's customers are thought to have used breached SolarWinds software, including clients in Britain, the US, Canada, Mexico, Belgium, Spain, Israel, and the UAE.

The company would not name the victims, but said they include government agencies, think tanks, non-governmental organisations and IT firms. Microsoft said four in five were in the US, with nearly half of them tech companies.

“This is not ‘espionage as usual,’ even in the digital age,” said Brad Smith, Microsoft's president. “Instead, it represents an act of recklessness that created a serious technological vulnerability for the United States and the world.”

The attackers, believed to be working for the Russian government, got into computer networks by installing a vulnerability in Orion software from SolarWinds.

https://www.telegraph.co.uk/technology/2020/12/18/microsoft-warns-uk-companies-targeted-solarwinds-hackers/

Society at Increasingly High Risk of Cyber Attacks

Cyber attacks are becoming easier to conduct while conversely security is getting increasingly difficult, according to Kevin Curran, senior IEEE member and professor of cyber security, Ulster University, during a virtual media roundtable.

“Any company you can think of has had a data breach,” he commented. “Whenever a data breach happens it weakens our credentials because our passwords are often reused on different websites.”

He observed that the art of hacking doesn’t necessarily require a significant amount of technical expertise anymore, and bad actors can receive substantial help from numerous and readily accessible tools online. “You don’t have to spend seven years in college to learn how to hack, you just have to know about these sites and what terms to use,” noted Curran.

A number of legitimate online mechanisms that can help damaging attacks to be launched by hackers were highlighted by Curran in his presentation. These include Google Dorks, which are “search strings which point to website vulnerabilities.” This means vulnerable accounts can be identified simply via Google searches.

https://www.infosecurity-magazine.com/news/society-increasingly-risk-cyber/

Three million users installed 28 malicious Chrome or Edge extensions

More than three million internet users are believed to have installed 15 Chrome, and 13 Edge extensions that contain malicious code, security firm Avast said today.

The 28 extensions contained code that could perform several malicious operations, including:

-redirect user traffic to ads

-redirect user traffic to phishing sites

-collect personal data, such as birth dates, email addresses, and active devices

-collect browsing history

-download further malware onto a user's device

But despite the presence of code to power all the above malicious features, Avast researchers said they believe the primary objective of this campaign was to hijack user traffic for monetary gains.

https://www.zdnet.com/article/three-million-users-installed-28-malicious-chrome-or-edge-extensions/

Vaccines for sale on dark web as criminals target pandemic profits

Black market vendors were offering coronavirus vaccines for sale on hidden parts of the internet days after the first Covid-19 shot was approved this month, as criminals seek to profit from global demand for inoculations.

One such offer on the so-called dark web, traced by cyber security company Check Point Software, was priced at $250 with the seller promising “stealth” delivery in double-wrapped packaging. Shipping from the US via post or a leading courier company would cost $20, with an extra $5 securing overnight delivery.

https://www.ft.com/content/8bfc674e-efe6-4ee0-b860-7fcb5716bed6

Threats

Ransomware

Phishing

IoT

Millions of Unpatched IoT, OT Devices Threaten Critical Infrastructure

Malware

Vulnerabilities

Data Breaches

Organised Crime

Lithuania Suffers "Most Complex" Cyber-attack in Years

Nation State Actors

Privacy

Other News

Analysis of 5G Network Security Reveals Attack Possibilities

Reports Published in the Last Week

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Black Arrow Admin 25/10/2020 Black Arrow Admin 25/10/2020

Cyber Briefing 23 October 2020: Ransomware Continues to Evolve; Infected IoT Up 100%; Brute Force Attacks Up with more Open RDP Ports; 40% Unsure on Mobile Phishing; Most Imitated Phishing Brands

Cyber Briefing 23 October 2020: Ransomware Variants Evolve as Crooks Chase Bigger Paydays; Infected IoT Surges 100% in a Year; Brute Force Attacks Up Due To More Open RDP Ports; 40% of Users Not Sure What Mobile Phishing Is; Microsoft Most Imitated Phishing Brand Q3 2020; DDoS Triples as Ransoms Re-Emerge; Exploited Chrome Bug Fixed; WordPress Forces Security Update; The Most Worrying Vulns Around Today

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities and cyber related news from the last week.

Threats

Ransomware

This week has been busy with ransomware related news, including new charges against Russian state-sponsored hackers and numerous attacks against well-known organisations.

In 2017, there was an attack utilizing the NotPetya ransomware to destroy data on systems worldwide. This week, the US govt indicted six Russian intelligence operatives [source], known to be part of the notorious 'Sandworm' group, for hacking operations, including NotPetya.

Ransomware variants continue to evolve as crooks chase bigger paydays

The number of ransomware attacks which threaten to leak stolen data if the victim doesn't pay a ransom to get their encrypted files and servers back is growing – and this is being reflected in the changing nature of the cyber criminal market.

Analysis by cyber security researchers found that over the last three months – between July and September - 80 percent of ransomware attacks combined with data dumps were associated with four families of ransomware – Maze, Sodinokibi, Conti and Netwalker.

The period from April to June saw just three ransomware families account for 80 percent of alerts – DoppelPaymer, Maze and Sodinokibi.

The way DoppelPayer has dropped off and how Conti and NetWalker have suddenly emerged some of the most prolific threats shows how the ransomware space continues to evolve, partly because of how successful it has already become for the crooks behind it. [source]

Why this matters:

Maze was the first major family of ransomware to add threats of data breaches to their ransom demands and other ransomware operators have taken note – and stolen the additional extortion tactic.

There is an inherent competitive nature that has befallen the ransomware landscape. The saturated ransomware market pushes ransomware developers to cut through the noise and gain the best ransomware title and this drives more affiliates to carry out their work and, thus, more successful attacks to reach their goal: to make as much money as possible.

DoppelPaymer's activity has dropped over the last few months – although it still remains active - enabling Conti and NetWalker to grab a larger slice of the pie.

Notable ransomware victims of the last week

French IT giant Sopra Steria hit by Ryuk ransomware

French IT services giant Sopra Steria suffered a cyber attack on October 20th, 2020, that reportedly encrypted portions of their network with the Ryuk ransomware.

Sopra Steria is a European information technology company with 46,000 employees in 25 countries worldwide. The company provides a wide range of IT services, including consulting, systems integration, and software development.

The firm has said that the attack has hit all geographies where they operate and have said it will take them several weeks to recover.

Numerous sources have confirmed that it was Ryuk ransomware threat actors who were behind the attack. This hacking group is known for its TrickBot and BazarLoader infections that allow threat actors to access a compromised network and deploy the Ryuk or Conti ransomware infections.

BazarLoader is increasingly being used in Ryuk attacks against high-value targets due to its stealthy nature and is less detected than TrickBot by security software.

When installed, BazarLoader will allow threat actors to remotely access the victim's computer and use it to compromise the rest of the network.

After gaining access to a Windows domain controller, the attackers then deploy the Ryuk ransomware on the network to encrypt all of its devices, as illustrated in the diagram above. [Source1] [source2]

The Nefilim ransomware operators have posted a long list of files that appear to belong to Italian eyewear and eyecare giant Luxottica.

Luxottica Group S.p.A. is an Italian eyewear conglomerate and the world’s largest company in the eyewear industry (which owns brands including LensCrafters, Sunglass Hut, Apex by Sunglass Hut, Pearle Vision, Target Optical, Eyemed vision care plan, and Glasses.com. Its best known brands are Ray-Ban, Persol, and Oakley) and employs over 80,000 people and generated 9.4 billion in revenue for 2019.

The company was hit by a cyber attack and some of the web sites operated by the company were not reachable, including Ray-Ban, Sunglass Hut, LensCrafters, EyeMed, and Pearle Vision.

Reports indicate that the firm was using a Citrix ADX controller device vulnerable to a critical vulnerability and it is believed that a threat actor or actors exploited the above flaw to infect the systems at the company with ransomware. This appears to have subsequently confirmed with Nefilim ransomware operators having posted a long list of files that appear to belong to Luxottica. [source]

Why this matters:

The analysis of the leaked files revealed that they contain confidential information regarding the recruitment process, professional resumes, and info about the internal structures of the Group’s human resource department. The ransomware operators also published a message which accuses Luxottica of having failed the properly manage the attack.

In the past months, the number of ransomware attacks surged, numerous ransomware gangs made the headlines targeting organisations worldwide and threatening victims with releasing the stolen data if the ransom was not paid.

Extortion is the new thing in cyber crime right now, more so than in the past. Companies cannot hide the cyber attack anymore. Now it’s more about how to manage the breach from the communication perspective. Defending companies from these types of attacks becomes even more strategic: data leak damages can generate tremendous amount of costs for companies worldwide.

Other notable ransomware victims this week include:

Barnes & Noble hit by Egregor ransomware, strange data leaked [source]
Montreal's STM public transport system hit by ransomware attack [source]
WastedLocker ransomware hits US-based ski and golf resort operator Boyne Resorts (WastedLocker was the same one used in the attack on Garmin in July) [source]

Other Threats

Infected IoT Device Numbers Surge 100% in a Year

The volume of infected Internet of Things (IoT) devices globally has soared by 100% over the past year, according to new data from Nokia.

It revealed that infected IoT devices now comprise nearly a third (32.7%) of the total number of devices, up from 16.2% in the 2019 report.

Nokia argued that infection rates for connected devices depend dramatically upon the visibility of the devices on the internet.

In networks where devices are routinely assigned public facing internet IP addresses there is a higher infection rate. In networks where carrier grade NAT is used, the infection rate is considerably reduced, because the vulnerable devices are not visible to network scanning.

With the introduction of 5G well underway, it is expected that not only the number of IoT devices will increase dramatically, but also the share of IoT devices accessible directly from the internet will increase as well, and rates of infection rising accordingly. [source]

Brute force attacks increase due to more open RDP ports

While leaving your back door open while you are working from home may be something you do without giving it a second thought, having unnecessary ports open on your computer or on your corporate network is a security risk that is sometimes underestimated. That’s because an open port can be subject to brute force attacks.

A brute force attack is where an attacker tries every way he can think of to get in. Including throwing the kitchen sink at it. In cases where the method they are trying is to get logged in to your system, they will try endless combinations of usernames and passwords until a combination works.

Brute force attacks are usually automated, so it doesn’t cost the attacker a lot of time or energy. Certainly not as much as individually trying to figure out how to access a remote system. Based on a port number or another system specific property, the attacker picks the target and the method and then sets his brute force application in motion. He can then move on to the next target and will get notified when one of the systems has swallowed the hook.

RDP attacks are one of the main entry points when it comes to targeted ransomware operations. To increase effectiveness, ransomware attacks are getting more targeted and one of the primary attack vectors is the Remote Desktop Protocol (RDP). Remote desktop is exactly what the name implies, an option to remotely control a computer system. It almost feels as if you were actually sitting behind that computer. Which is exactly what makes an attacker with RDP access so dangerous. [source]

Why this matters:

Because of the current pandemic, many people are working from home and may be doing so for a while to come. Working from home has the side effect of more RDP ports being opened. Not only to enable the workforce to access company resources from home, but also to enable IT staff to troubleshoot problems on the workers’ devices. A lot of enterprises rely on tech support teams using RDP to troubleshoot problems on employee’s systems.

But ransomware, although prevalent, is not the only reason for these types of attacks. Cyber criminals can also install keyloggers or other spyware on target systems to learn more about the organization they have breached. Other possible objectives might be data theft, espionage, or extortion.

Phishing

Two in five employees are not sure what a mobile phishing attack is

The COVID-19 pandemic has clearly changed the way people work and accelerated the already growing remote work trend. This has also created new security challenges for IT departments, as employees increasingly use their own personal devices to access corporate data and services.

These changes, where employees, IT infrastructures, and customers are everywhere – has led to employees not prioritising security in their new world of work, and the current distributed remote work environment has also triggered a new threat landscape, with malicious actors increasingly targeting mobile devices with phishing attacks.

A new study looking at the impact that lockdown has had on employees working habits polled 1,200 workers across the US, UK, France, Germany, Belgium, Netherlands, Australia, and New Zealand showed that many employees were unaware of how to identify and avoid a phishing attack, and over two in five (43%) of employees are not even sure what a phishing attack is. [source]

Microsoft is Most Imitated Brand for Phishing Attempts in Q3 2020

The latest Check Point ‘Q3 Brand Phishing Report’, highlighting the brands that hackers imitated the most to lure people into giving up personal data, reveals the brands which were most frequently imitated by criminals in their attempts to steal individuals’ personal information or payment credentials during July, August and September.

In Q3, Microsoft was the most frequently targeted brand by cyber criminals, soaring from fifth place (relating to 7% of all brand phishing attempted globally in Q2 of 2020) to the top of the ranking. 19% of all brand phishing attempts related to the technology giant, as threat actors sought to capitalise on large numbers of employees still working remotely during the Covid-19 pandemic. For the first time in 2020, DHL entered the top 10 rankings, taking the second spot with 9% of all phishing attempts related to the company. [source]

Top phishing brands in Q3 2020

Microsoft (19%)
DHL (9%)
Google (9%)
PayPal (6%)
Netflix (6%)
Facebook (5%)
Apple (5%)
Whatsapp (5%)
Amazon (4%)
Instagram (4%)

Phishing Lures Shifting from COVID-19 updates to Job Opportunities

Researchers are seeing a pivot in the spear-phishing and phishing lures used by cybercriminals, to entice potential job candidates as businesses start to open up following the pandemic.

Cyber criminals cashed in on the surge of COVID-19 earlier this year, with email lures purporting to be from healthcare professionals offering more information about the pandemic. However, as the year moves forward, bad actors are continuing to swap up their attacks and researchers are now seeing ongoing email based attacks that tap into new job opportunities as businesses start to open up. [source]

Denial of Service Attacks

DDoS (Distributed Denial of Service) Attacks Triple in Size as Ransom Demands Re-Emerge

The last quarter of 2020 has seen a wave of web application attacks which have used ransom letters to target businesses across a number of industries.

According to research from Akamai, the largest of these attacks sent over 200Gbps of traffic at their targets as part of a sustained campaign of higher Bits Per Second (BPS) and Packets Per Second (PPS) than similar attacks had displayed a few weeks prior.

Prior to August most of these attacks were targeting the gaming industry but since then these attacks abruptly swung to financial organisations, and later in the cycle, multiple other verticals.

Akamai explained that none of the vectors involved in these series of attacks were new, as most of the traffic was generated by reflectors and systems that were used to amplify traffic. However, multiple organisations began to receive targeted emails with threats of DDoS attacks, where this would be launched unless a ransom amount was paid. A small DDoS would be made against the company to show that the attackers were serious, and then there was a threat of a 1Tbps attack if payment was not made.

Many extortion DDoS campaigns start as a threat letter, and never progress beyond that point but this this campaign has seen frequent ‘sample’ attacks that prove to the target that criminals have the capability to make life difficult.

Many of the extortion emails ended up being caught by spam filters, and not all targets are willing to admit they’ve received an email from the attackers.

Why this matters:

This extortion DDoS campaign is not over and the criminals behind this campaign are changing and evolving their attacks in order to throw off defenders and the law enforcement agencies that are working to track them down.

Vulnerabilities

New Google Chrome version fixes actively exploited zero-day bug

Google released Chrome 86.0.4240.111 this week to address five security vulnerabilities, one of which is being actively exploited.

The announcement from Google stated they they were aware of reports that an exploit for CVE-2020-15999 exists in the wild.

This new version of Chrome started rolling out to the entire userbase. Users on Windows, Mac, and Linux desktop users can upgrade to Chrome 86 by going to Settings -> Help -> About Google Chrome.

The Google Chrome web browser will then automatically check for the new update and install it when available.

Adobe releases another out-of-band patch, squashing critical bugs across creative software

Adobe has released a second out-of-band security update to patch critical vulnerabilities across numerous software products.

The patch, released outside of the tech giant's typical monthly security cycle, impacts Adobe Illustrator, Dreamweaver, Marketo, Animate, After Effects, Photoshop, Premiere Pro, Media Encoder, InDesign, and the Creative Cloud desktop application on Windows and macOS machines.

The vulnerabilities across the different products variously could result in privilege escalation, cross-site scripting (XSS), which could be weaponised to deploy malicious JavaScript in a browser session, or otherwise could result in arbitrary code execution.

Last week, Adobe released a separate set of out-of-band security fixes impacting the Magento platform. On October 15, Adobe said the patch resolved nine vulnerabilities, eight of which are critical -- including a bug that could be abused to tamper with Magento customer lists. [source]

WordPress deploys forced security update for dangerous bug in popular plugin

The WordPress security team has taken a rare step last week and used a lesser-known internal capability to forcibly push a security update for a popular plugin called Loginizer, which provides security enhancements for the WordPress login page, but that was found to contain a dangerous SQL injection bug that could have allowed hackers to take over WordPress sites running older versions of the plugin. [source]

Why this matters:

Remote attackers to run code against the WordPress database — in what is referred to as an unauthenticated SQL injection attack.

These are the most worrying vulnerabilities around today

Failure to patch once again leaves organisations open to attacks

The US National Security Agency (NSA) has published a new cyber security advisory in which it details 25 of the most dangerous vulnerabilities actively being exploited in the wild by Chinese state-sponsored hackers and other cyber criminals.

Unlike zero-day vulnerabilities where hardware and software makers have yet to release a patch, all of the vulnerabilities in the NSA's advisory are well-known and patches have been made available to download from their vendors. However, the problem lies in the fact that organisations have yet to patch their systems, leaving them vulnerable to potential exploits and attacks.

The NSA provided further details on the nature of the vulnerabilities in its advisory while urging organisations to patch them immediately.

Most of the vulnerabilities listed below can be exploited to gain initial access to victim networks using products that are directly accessible from the Internet and act as gateways to internal networks. The majority of the products are either for remote access or for external web services and should be prioritised for immediate patching. The full list can be found here.

The first bug in the list, tracked as CVE-2019-11510, relates to Pulse Secure VPN servers and how an unauthenticated remote attacker can expose keys or passwords by sending a specially crafted URI to perform an arbitrary file reading vulnerability.

Another notable bug from the list, tracked as CVE-2020-5902, affects the Traffic Management User Interface (TMUI) of F5 BIG-IP proxies and load balancers and it is vulnerable to a Remote Code Execution (RCE) vulnerability that if exploited, could allow a remote attacker to take over an entire BIG-IP device.

The Citrix Application Delivery Controller (ADC) and Gateway systems are vulnerable to a directory traversal bug, tracked as CVE-2019-19781, that can lead to remote code execution where an attacker does not need to possess valid credentials for the device.

The advisory also mentions BlueKeep, SigRed, Netlogon, CurveBall and other more well-known vulnerabilities.

To avoid falling victim to any potential attacks exploiting these vulnerabilities, the NSA recommends that organisations keep their systems and products updated and patched as soon as possible after vendors release them. [source]

Miscellaneous Cyber News of the Weeks

Hackers Can Clone Millions of Toyota, Hyundai, and Kia Keys

Owners of cars with keyless start systems have learned to worry about so-called relay attacks, in which hackers exploit radio-enabled keys to steal vehicles without leaving a trace. Now it turns out that many millions of other cars that use chip-enabled mechanical keys are also vulnerable to high-tech theft. A few cryptographic flaws combined with a little old-fashioned hot-wiring—or even a well-placed screwdriver—lets hackers clone those keys and drive away in seconds.

Researchers this week revealed new vulnerabilities in the encryption systems used by immobilisers, the radio-enabled devices inside of cars that communicate at close range with a key fob to unlock the car's ignition and allow it to start. Specifically, they found problems in how Toyota, Hyundai, and Kia implement their encryption system. A hacker who swipes a relatively inexpensive RFID reader/transmitter device near the key fob of any affected car can gain enough information to derive its secret cryptographic value. That, in turn, would allow the attacker to spoof the device to impersonate the key inside the car, disabling the immobiliser and letting them start the engine.

The researchers say the affected car models include the Toyota Camry, Corolla, and RAV4; the Kia Optima, Soul, and Rio; and the Hyundai I10, I20, and I40, amongst others. [source]

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Black Arrow Admin 20/09/2020 Black Arrow Admin 20/09/2020

Cyber Weekly Flash Briefing 18 Sept 2020: Higher cyber losses; old MS Office exploit; banking Trojan given away free; new Bluetooth flaw; IoT risks; DDoS attacks up; US charge Iranians & Russians

Cyber Weekly Flash Briefing 18 September 2020: Cyber losses increasing in frequency & severity, decade-old MS Office exploit, Cerberus banking Trojan released for free to attackers, Bluetooth vulnerability affects billions of devices, The Internet of Things devices that could put you at risk from hackers

Cyber losses are increasing in frequency and severity

Research by a cyber insurance provider in North America shows cyber attacks have increased in number and severity since the onset of the coronavirus pandemic. The changes that organisations implemented to facilitate remote work have given cyber criminals new opportunities to launch campaigns exploiting mass uncertainty and fear.

The severity of ransomware attacks has increased since the beginning of COVID-19, with researchers having observed a 47% increase on top of a 100% increase in Q1 2020.

Researchers also found that newer strains of ransomware have been particularly malicious, with costly ransom demands and criminal actors threatening to expose an organisation’s data if they don’t pay. They report that the average demand from attackers using the Maze variety of ransomware is approximately six times larger than the overall average.

Researchers also reported a 35% increase in funds transfer fraud and social engineering claims filed by their policyholders since the pandemic began. Reported losses from these types of attack have ranged from the low thousands to well above $1 million per event.

Additionally, COVID-19 has resulted in a notable surge of business email compromise. The insurer observed a 67% increase in the number of email attacks during the pandemic.

Why this matters:

The report refers to North America but the findings are applicable to us all. They indicate that the most frequent types of losses incurred by victims were from ransomware (41%), funds transfer loss (27%), and business email compromise incidents (19%) — accounting for 87% of reported incidents and 84% of the insurer’s claim pay-outs in the first half of 2020.

Clearly with the landscape getting worse, firms more likely to fall victim, and with losses increasing all the time, firms should ensure they are taking these threats seriously.

Hackers have revived a decade-old Microsoft Office exploit - and they’re having a field day

Hackers have ramped up attempts to abuse a decade-old Microsoft Office flaw with the help of creative new email scams, new research has found.

According to analysis commissioned by NordVPN, attempts to exploit the vulnerability (CVE-2017-11882) rose by 400% in the second quarter of the year - with further growth expected.

Why this matters:

If exploited successfully, the memory corruption bug could allow attackers to execute code on the target device remotely. This is especially problematic if the affected user’s account has administrative privileges, in which case the hacker could seize control of the system.

Cerberus banking Trojan source code released for free to cyber attackers

The source code of the Cerberus banking Trojan has been released as free malware on underground hacking forums following a failed auction.

The leaked code, distributed under the name Cerberus v2, presents an increased threat for smartphone users and the banking sector at large.

Why this matters:

Cerberus is a mobile banking Trojan designed for the Google Android operating system. In circulation since at least July 2019, the Remote Access Trojan (RAT) is able to conduct covert surveillance, intercept communication, tamper with device functionality, and steal data including banking credentials by creating overlays on existing banking, retail, and social networking apps.

The malware is able to read text messages that may contain one-time passcodes (OTP) and two-factor authentication (2FA) codes, thereby bypassing typical 2FA account protections. OTPs generated through Google Authenticator may also be stolen.

Critical Bluetooth security vulnerability could affect billions of devices worldwide

A new security flaw in the Bluetooth software stack discovered over the summer has the potential to affect billions of smartphones, laptops and IoT devices using the Bluetooth Low Energy (BLE) protocol.

The new vulnerability has been given the name BLESA (Bluetooth Low Energy Spoofing Attack) by the team of seven academic researchers at Purdue University who first discovered it.

Unlike the recently discovered BLURtooth vulnerability that deals with how Bluetooth devices pair with one another, BLESA was found in the reconnection process. Reconnections occur when two BLE devices move out of range and then move back into range. Normally BLE devices check the cryptographic keys negotiated during the pairing process when reconnecting.

The research team found that the official BLE specification did not contain strong-enough language to describe the reconnection process properly leading to two systemic issues making their way into BLE software implementations.

The first deals with the fact that authentication during device reconnection is optional as opposed to mandatory while the second relates to how authentication can potentially be circumvented if a user's BLE device fails to force another device to authenticate the cryptographic keys sent while reconnecting.

Why this matters:

Billions of devices could be vulnerable to these BLESA attacks where a nearby attacker bypasses reconnection verification and sends spoofed data to a BLE device with incorrect information. This can lead both humans and automated processes to make incorrect decisions when it comes to allowing two devices to reconnect with one another.

Coffee machines, cuddly toys and cars: The Internet of Things devices that could put you at risk from hackers

Connected teddy bears, connected coffee machines and connected cars are just some of the unusual Internet of Things (IoT) devices being insecurely connected to corporate networks that could leave whole organisations open to cyber attacks.

A research paper by Palo Alto Networks details the surge in IoT devices being connected to corporate networks and their wide variety.

Some of the most common irregular devices being connected to organisations' networks include connected vehicles, connected toys and connected medical devices, with connected sports equipment such as fitness trackers, gaming devices and connected cars also being deployed.

These devices are being connected because they can often help people through the working day or help manage aspects of their personal life, but they're also creating additional problems for the corporate network.

Why this matters:

In many cases, these 'shadow IoT' devices are being added to the network without the knowledge of the security team.

This could potentially leave the corporate network vulnerable because not only do some IoT devices have poor security that means they can easily be discovered and exploited, but some workplaces still have flat networks and if a device is compromised then an attacker can move from the IoT product to another system.

DDoS Attacks Skyrocket as Pandemic Bites

More people being online during lockdowns and more people working from home has proven to be lucrative for DDoS type attacks.

The first half of 2020 saw a significant uptick in the number of distributed denial-of-service (DDoS) attacks compared to the same period last year — a phenomenon that appears to be directly correlated to the global coronavirus pandemic.

One firm’s Security Operations Centre (SOC) saw a 151 percent increase in DDoS activity in the period, including one of the largest and longest attacks they had has ever mitigated – that attack came in at 1.17 terabits-per-second (Tbps), and lasted five days and 18 hours.

These figures are representative of the growing number, volume and intensity of network-type cyber attacks as organizations shifted to remote operations and workers’ reliance on the internet increased.

Why this matters:

DDoS attacks are getting bigger, with a “noticeable spike” in volume: The number of attacks sized 100Gbps and above grew a whopping 275 percent. Emblematic of this is a 2.3Tbps attack targeting an Amazon Web Services client in February – the largest volumetric DDoS attack on record. And the aforementioned 1.17Tbps attack was 192 percent bigger than the largest attack mitigated during the first half of 2019.

US charges two Russians for stealing $16.8m via cryptocurrency phishing sites

The US Department of Justice has filed charges this week against two Russian nationals for orchestrating a multi-year phishing operation against the users of three cryptocurrency exchanges.

The two suspects stand accused of creating website clones for the Poloniex, Binance, and Gemini cryptocurrency exchanges, luring users on these fake sites, and collecting their account credentials. These phishing operations began around June 2017.

US officials said the Russian duo — made up of Danil Potekhin (aka cronuswar) and Dmitrii Karasavidi; residents of Voronezh and Moscow, respectively — used the stolen credentials to access victim accounts and steal their Bitcoin (BTC) and Ether (ETH) crypto-assets.

Why this matters:

In total, US officials estimated the victims in the hundreds. Court documents cite 313 defrauded Poloniex users, 142 Binance victims, and 42 users at Gemini. Losses were estimated at $16,876,000.

Whilst bitcoin has waned in popularity after its highs a few years back there is still value in holdings held in different exchanges and these holdings remain popular targets for attackers.

US charges two Iranian hackers for years-long cyber-espionage, cybercrime spree

The US has also filed charges against and is seeking the arrest of two Iranian nationals believed to have carried out cyber-intrusions at the behest of the Iranian government and for their own personal financial gain.

In an indictment unsealed this week, prosecutors accused Hooman Heidarian and Mehdi Farhadi, both from Hamedan, Iran, of launching cyber-attacks against a wide range of targets since at least 2013.

Past victims included several US and foreign universities, a Washington think tank, a defense contractor, an aerospace company, a foreign policy organization, non-governmental organizations (NGOs), non-profits, and foreign government and other entities the defendants identified as rivals or adversaries to Iran, with most targets located in the US, Israel, and Saudi Arabia.

US officials said Heidarian and Farhadi focused on gaining access to their victims' accounts, computers, and internal networks, from where they stole confidential data and communications pertaining to topics such as national security, foreign policy, nuclear energy, and aerospace.

Why this matters:

Financial data and personally identifiable information wasn't off-limits, and the two also stole intellectual property, such as unpublished scientific research.

In addition, the two also targeted and stole personal information and communications of Iranian dissidents, human rights activists, and opposition leaders, according to George M. Crouch Jr., Special Agent in Charge of the FBI Newark Division.

Prosecutors believe that some of the stolen data was handed over to Iranian government intelligence officials, but that other information was also sold on black markets for the hackers' personal gains.

Alert issued to UK universities and colleges about spike in cyber attacks

British universities and colleges have been warned about a spike in ransomware attacks targeting the education sector by the UK's National Cyber Security Centre (NCSC), a part of GCHQ.

Academic institutions are being urged to follow NCSC guidance following a sharp increase in attacks which have left some teachers fearing they won't be able to accept students when term begins.

Last week staff at Newcastle University warned Sky News they had "no idea how we are going to welcome students in three weeks' time" following one such ransomware attack, which has impacted IT services across the whole university.

Similar attacks in which criminal hackers infiltrated computer networks and stole data before encrypting the machines and demanding a ransom payment to unlock them again, have hit Northumbria University, Bolton Sixth Form College, Leeds City College and others in August alone.

Speaking to Sky News, NCSC's director of operations Paul Chichester said the agency had seen an increase in the "utterly reprehensible" attacks over the past 18 months and was concerned they would disrupt young people's education.

Why this matters:

There are more than a dozen criminal groups which are currently earning millions by encrypting their victim's computer networks and then leaking stolen documents online to pressure the victims into paying up.

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Black Arrow Admin 06/09/2020 Black Arrow Admin 06/09/2020

Cyber Weekly Flash Briefing 04 September 2020: CEOs could become personally liable for cyber attacks, DDoS extortion, WordPress flaw exploited, Business Email Compromise now $80k, printers at risk

Cyber Weekly Flash Briefing 04 September 2020: CEOs could soon be personally liable for cyber attacks, DDoS Extorters Demand Ransoms from Firms, Hackers exploiting a critical WordPress flaw, Average Business Email Compromise (BEC) attempts are now $80k, Iran based Pioneer Kitten APT Sells Corporate Network Access, Nearly A Million Printers At Risk Of Attack - Thousands Hacked To Prove It

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

CEOs could soon be personally liable for cyberattacks

Within four years, the majority of CEOs will be held personally responsible for cyberattacks that lead to injury and other physical damage.

This is according to a new report from Gartner, which asserts that liability for cyber-physical security incidents will “pierce the corporate veil to personal liability” for 75 percent of CEOs by 2024.

Cyber-physical systems (CPS) are described as digital systems that interact with the physical world, such as IoT devices or operational technologies (OT).

“Regulators and governments will react promptly to an increase in serious incidents resulting from failure to secure CPSs, drastically increasing rules and regulations governing them,” said Katell Thielemann, Research Vice President at Gartner.

“In the US, the FBI, NSA and Cybersecurity and Infrastructure Security Agency (CISA) have already increased the frequency and details provided around threats to critical infrastructure-related systems, most of which are owned by private industry. Soon, CEOs won’t be able to plead ignorance or retreat behind insurance policies.”

Why this matters:

CPS attacks with fatalities will incur costs to businesses of more than $50 billion within the next three years, Gartner predicts. Irrespective of the value of human life, businesses are looking at major costs in terms of compensation, litigation, insurance, regulatory fines and reputation loss.

Technology leaders need to help CEOs understand the risks that CPSs represent and the need to dedicate focus and budget to securing them. The more connected CPSs are, the higher the likelihood of an incident occurring.

Global DDoS Extorters Demand Ransom from Firms

Security experts are warning of a new global DDoS-related extortion campaign targeting businesses operating in the e-commerce, finance and travel sectors.

Researchers said they had been tracking the threat actors since mid-August, with victims in North America, APAC and EMEA. Emails are typically delivered claiming to come from state-sponsored groups such as Fancy Bear and Lazarus Group, as well as the “Armada Collective.”

The latter group has been linked to similar extortion emails sent in previous years.

The ransom emails threaten to launch DDoS attacks against the recipient organization of over 2Tbps, if payment of anywhere between 10 and 20BTC ($113,000-226,000) is not made. They also threaten to increase the ransom by 10BTC for each deadline missed.

Also included in the messages are the Autonomous System Numbers (ASNs) or IP addresses of servers or services that the group says it will target if their demands are not met.

Why this matters:

DDoS attacks take businesses legitimate online operations offline by flooding them with traffic such that legitimate traffic can’t get through, or they are so swamped with traffic that services can’t cope. Depending on the type of business and how reliant they are on their online presence these types of attacks could prevent firms from operating entirely.

Recipients of the emails were urged not to pay the ransom

Hackers are exploiting a critical flaw affecting >350,000 WordPress sites

Hackers are actively exploiting a vulnerability that allows them to execute commands and malicious scripts on Websites running File Manager, a WordPress plugin with more than 700,000 active installations, researchers said on Tuesday. Word of the attacks came a few hours after the security flaw was patched.

Why this matters:

Attackers are using the exploit to upload files hidden in an image, which from there provides a convenient interface that allows them to run commands in the directory where the File Manager plugin resides. Hackers may be able to exact more damage by uploading scripts that can carry out actions on other parts of a vulnerable site.

Phishing attacks surge during the pandemic

In yet another example of cyber criminals exploiting world events, the frequency of phishing threats has risen considerably since the start of the pandemic, with companies experiencing an average of 1,185 attacks every month.

New research reveals that more than half (53 percent) of over 300 IT professionals surveyed by Cyber security Insiders say they had witnessed an increase in phishing activity since the start of the COVID-19 pandemic.

Why this matters:

The report also shows that 38 percent of respondents report that a co-worker has fallen victim to an attack within the last year. As a result, 15 percent of organizations are now left spending anywhere from one to four days remediating malicious attacks during what is already a difficult time for many.

Average Business Email Compromise (BEC) attempts are now $80k, but one group is aiming for $1.27m per attack

BEC scammer groups are growing more brazen. The average sum that a BEC group will try to steal from a targeted company is now around $80,000 per attack, according to an industry report published on Monday.

The number is up from $54,000, the average sum that BEC groups tried to obtain from victims in Q1 2020, as reported by the Anti-Phishing Working Group (APWG), an industry coalition made up of more than 2,200 organizations from the cyber-security industry, government, law enforcement, and NGOs sector.

One of the largest industry group of its kind, the APWG has been releasing quarterly reports on the state of phishing operations since 2004.

Why this matters:

Most of these reports have usually centred on email phishing attacks that focus on stealing login credentials and distributing malware. However, since the mid-2010s, BEC fraud has been slowly taking more and more space in APWG's reports, as BEC fraud has become today's top cybercrime trend.

BEC, or Business Email Compromise (BEC) scams, usually begin with phishing, with an email sent to a company's employee. The end goal is to dupe the employee into paying fake invoices or transferring funds to an account controlled by the attackers.

Iran based Pioneer Kitten APT Sells Corporate Network Access

An APT (Advanced Persistent Threat) group known as Pioneer Kitten, linked to Iran, has been spotted selling corporate-network credentials on hacker forums.

Pioneer Kitten is a hacker group that specialises in infiltrating corporate networks using open-source tools to compromise remote external services. Researchers observed an actor associated with the group advertising access to compromised networks on an underground forum in July, according to a blog post earlier this week.

Pioneer Kitten’s work is related to other groups either sponsored or run by the Iranian government, which were previously seen hacking VPNs and planting backdoors in companies around the world.

Why this matters:

The credentials would let other cybercriminal groups and APTs perform cyberespionage and other nefarious cyber-activity. It is also noteworthy to see a group operating on behalf of or closed with a Nation State, in this case Iran, appearing to potential attempt to diversify their revenue streams through sales of stolen credentials.

Nearly A Million Printers At Risk Of Attack, Thousands Hacked To Prove It

Roughly 28,000 printers recently gave their owners an unexpected lesson in cybersecurity. Seemingly unprompted, the printers whirred to life and produced a 5-step guide to keeping hackers at bay.

“This printer has been hacked,” the message began ominously. Fortunately for the “victims” it was a group of ethical hackers behind the attack. A team of researchers from CyberNews was out to remind the public about the potential peril of connected devices.

To get the ball rolling, the team scoured the globe for printers that were vulnerable. They found more than 800,000 in total using a search engine called Shodan.

Shodan is a tool that’s leaned on by both security researchers and cyber criminals. In the past it’s been used to identify thousands of at-risk surveillance cameras, security alarm systems and hundreds of wind turbines and solar devices.

Why this matters:

Vulnerable devices within your networks can present a vulnerability to other devices on your network too and can be an easy point of entry for attackers.

Many firms do a good job of updating desktops and laptops when operating system updates come out, but too many firms neglect networking devices such as routers, modems and switches, and other devices on their networks such as printers.

WhatsApp reveals six previously undisclosed vulnerabilities on new security site

Facebook -owned WhatsApp has revealed six previously undisclosed vulnerabilities, which the company has now fixed. The vulnerabilities are being reported on a dedicated security advisory website that will serve as the new resource providing a comprehensive list of WhatsApp security updates and associated Common Vulnerabilities and Exposures (CVE).

WhatsApp said five of the six vulnerabilities were fixed in the same day, while the remaining bug took a couple of days to remediate. Although some of the bugs could have been remotely triggered, the company said it found no evidence of hackers actively exploiting the vulnerabilities.

Why this matters:

WhatsApp is one of the world’s most popular apps, with more than two billion users around the world. But it’s also a persistent target for hackers, who try to find and exploit vulnerabilities in the platform. As with all software updates should be applied as soon as possible to ensure that fixes that remediate known vulnerabilities are fixed.

Attackers are trying to exploit a high-severity zero day in Cisco gear

Telecoms and data-centre operators take note: attackers are actively trying to exploit a high-severity zero day vulnerability in Cisco networking devices, the company warned over the weekend.

The security flaw resides in Cisco’s iOS XR Software, an operating system for carrier-grade routers and other networking devices used by telecommunications and data-centre providers. In an advisory published on Saturday, the networking-gear manufacturer said that a patch is not yet available and provided no timeline for when one would be released.

Why this matters:

Zero days do not yet have patches available although the vulnerability is publicly known and in some cases, as in this case, already being targeted by malicious actors.

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Black Arrow Admin 31/07/2020 Black Arrow Admin 31/07/2020

Cyber Weekly Flash Briefing 31 July 2020: 386M user records stolen, Twitter spear-phishing, Garmin may have paid ransom, 27% of consumers hit with Covid19 phishing scams, Netflix phishing scam

Cyber Weekly Flash Briefing 31 July 2020: 386M user records stolen, Twitter says attack was spear-phishing, Criminals still exploiting COVID19, Netwalker ransomware, Garmin may have paid ransom, QNAP NAS devices infected, Hackers exploit networking vulns, 27% of consumers hit with pandemic-themed phishing scams, New Netflix phishing scam

386 million user records stolen in data breaches — and they're being given away for free

A notorious hacker or group of hackers is giving away copies of databases said to contain 386 million user records, after posting links to the databases on a marketplace used by cyber criminals.

The threat actor, who goes by the name ShinyHunters, claims to have data stolen from 18 different websites in the past seven months. According to reports, ShinyHungers last week began uploading the databases to a forum where anyone can download them free of charge.

ShinyHunters is believed to have played a role in high-profile data breaches at HomeChef, Promo.com, Mathway, Chatbooks, Dave.com, Wattpad and even Microsoft's GitHub account. Many of these records were previously offered for sale online.

Why this matters:

Any details stolen from one site or service will be used against other sites and services, this is why it is critical that passwords are not reused across different sites and that all passwords are unique. Using multi factor authentication is also very effective at safeguarding against these types of attacks.

Twitter says spear-phishing attack on employees led to breach

Twitter said a large hack two weeks ago targeted a small number of employees through a phone “spear-phishing” attack.

The social media platform said the hackers targeted about 130 accounts, tweeted from 45, accessed the inboxes of 36, and were able to download Twitter data from seven.

Attackers also targeted specific employees who had access to account support tools, Twitter said. The company added it has since restricted access to its internal tools and systems.

Twitter suffered a major security breach on 15 July that saw hackers take control of the accounts of major public figures and corporations, including Joe Biden, Barack Obama, Elon Musk, Bill Gates, Jeff Bezos and Apple.

The hack unfolded over the course of several hours, and in the course of halting it, Twitter stopped all verified accounts from tweeting – an unprecedented measure.

Publicly available blockchain records show the apparent scammers received more than $100,000 worth of cryptocurrency.

Why this matters?

It is nearly always a lot easier for attackers to attack your users than it is to attack your systems. IT controls alone cannot protect against social engineering attacks so making sure your staff are trained so they don’t fall for social engineering attacks is a critical part of your defence.

Cyber-Criminals Continue to Exploit #COVID19 During Q2

Cyber-criminals’ exploitation of the COVID-19 pandemic to target individuals and businesses has continued unabated during the second quarter of 2020, according to one Cyber Security firm’s Q2 2020 Threat Report published today. The findings highlight how the crisis is defining the cybersecurity landscape in Q2 in a similar way as it did in Q1 after the pandemic first struck.

The firm observed a continuous focus on phishing using COVID-19 lures in this period. This included criminals taking advantage of the rise in online shopping that has occurred during the pandemic, with a 10-fold increase in phishing emails impersonating one of the world’s leading package delivery services found in comparison to Q1.

The shift to remote working as a result of the pandemic has also led to increased targeting of Remote Desktop Protocol’s in recent months.

Ransomware tactics were found to be “rapidly developing” in this period, with operators moving away from doxing and random data leaking towards auctioning the stolen data on dedicated underground sites.

Why does this matter?

The Coronavirus crisis gave criminals an efficient lure to bait phishing emails with and for as long as it is working they will continue to exploit this crisis. It’s like we always say “cyber criminals will never let a good crisis or tragedy go to waste”

FBI Releases Flash Alert on Netwalker Ransomware

The US Federal Bureau of Investigations (FBI) released a flash alert in which it warned organisations about the dangers of Netwalker ransomware.

The FBI said that it had received notifications of attacks involving Netwalker against U.S. and foreign government organisations along with entities operating in the healthcare and education sectors.

In its alert, the FBI noted that those responsible for Netwalker had used COVID-19 phishing emails and unpatched vulnerabilities affecting VPN apps to gain entry into an organisation. The malicious actors had then used their crypto-malware to harvest administrator credentials and steal data from their victims. Ultimately, the attackers uploaded that stolen information to a file-sharing service.

Once they had come into possession of a victim’s data, the nefarious individuals activated the ransomware’s encryption routine. This step led the threat to encrypt all connected Windows-based devices and information before dropping a ransom note on the infected machine.

Why does this matter?

Ransomware remains one of the biggest risks for all firms, organisations and individuals, and the majority of the time the ransomware infection will stem from a phishing email that a user within an organisation clicked on. As with all social engineering attacks IT controls alone are of limited effectiveness and defending against these attacks comes down to educating your users and instilling in them the importance of the role they play in defending an organisation.

Garmin may have paid hackers ransom, reports suggest

Fitness wearable and Navtech supplier Garmin may have given in to the demands of cyber criminals who encrypted its systems with ransomware, according to news reports that suggest the firm has obtained a decryption key to recover its files, strongly suggesting it has either paid up, or brokered some kind of deal.

In a statement issued four days after its services first went offline, Garmin finally confirmed it had been the victim of a cyber attack, having previously limited its response to saying it was experiencing an outage. It has not yet confirmed it was the victim of a ransomware incident, although this is now all but certain.

A spokesperson said: “Garmin today announced it was the victim of a cyber attack that encrypted some of our systems on July 23, 2020. As a result, many of our online services were interrupted including website functions, customer support, customer-facing applications, and company communications. We immediately began to assess the nature of the attack and started remediation,” said the firm.

“We have no indication that any customer data, including payment information from Garmin Pay, was accessed, lost or stolen. Additionally, the functionality of Garmin products was not affected, other than the ability to access online services.

Why does this matter?

Ransomware can affect firms of any size, from the smallest to the largest, no firm or organisation is immune and even firms that are spending millions or tens of millions on advanced protections and controls can still fall victim. These types of attacks go after the people working for an organisation, not the organisations technical infrastructure and technical controls are of limited use in defending against these types of attacks. An organisation needs to ensure their users are efficient at spotting phishing emails, it only takes one user clicking on one malicious email to take down a multinational corporation.

Cyber-security agencies from the UK and the US say 62,000 QNAP NAS devices have been infected with the QSnatch malware

The UK NCSC and US CISA published a joint security alert this week about QSnatch, a strain of malware that has been infecting network-attached storage (NAS) devices from Taiwanese device maker QNAP.

In alerts by the United States Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom's National Cyber Security Centre (NCSC), the two agencies say that attacks with the QSnatch malware have been traced back to 2014, but attacks intensified over the last year when the number of reported infections grew from 7,000 devices in October 2019 to more than 62,000 in mid-June 2020.

Of these, CISA and the NSCS say that approximately 7,600 of the infected devices are located in the US, and around 3,900 in the UK.

Why this matters?

Vulnerable devices can be used to steal credentials (usernames and passwords) and exfiltrate information from devices on the network. It is important to keep devices up to date with the latest security patches to close any vulnerabilities before they can be exploited.

Hackers actively exploit high-severity networking vulnerabilities

Hackers are actively exploiting two unrelated high-severity vulnerabilities that allow unauthenticated access or even a complete takeover of networks run by FTSE100/Fortune 500 companies and government organisations.

The most serious exploits are targeting a critical vulnerability in F5’s Big-IP advanced delivery controller, a device that’s typically placed between a perimeter firewall and a Web application to handle load balancing and other tasks. The vulnerability, which F5 patched three weeks ago, allows unauthenticated attackers to remotely run commands or code of their choice. Attackers can then use their control of the device to hijack the internal network it’s connected to.

Why this matters?

Vulnerable devices such as this can be used to gain access to internal networks. It is important to keep devices up to date with the latest security patches to close any vulnerabilities before they can be exploited. When a vendor releases updates they should be installed as soon as possible, ideally having been tested before updates are applied in your live environment.

27% of consumers hit with pandemic-themed phishing scams

Phishing is the top digital fraud scheme worldwide related to the COVID-19 pandemic, according to new research.

Among consumers reporting being targeted with digital COVID-19 schemes globally, 27% said they were hit with pandemic-themed phishing scams.

Identity fraud is a primary way fraudsters leverage stolen consumer data from phishing and other social engineering schemes. It can have long-term impacts for consumers such as the compromise of multiple online accounts and bringing down credit scores, which we anticipate will increase during pandemic reconstruction.

To better understand the impacts of COVID-19 on consumers, 7,384 adults in Canada, Colombia, Hong Kong, South Africa, the U.K., and the U.S. have been surveyed between June 30 and July 6, 2020.

It asked the consumers if they had been targeted by digital COVID-19 fraud and if so, which digital fraud scheme(s) related to COVID-19 were they targeted with. Globally, 32% said they had been targeted by digital fraud related to COVID-19 with the below being the top types of COVID-19 fraud they faced:

Top global online COVID-19 scams targeting consumers:

Why this matters?

Whatever works for criminals they will continue doing. Until consumers, as well as businesses, get better at detecting these scams and get better at spotting phishing emails criminals will carry on using the latest crisis or tragedy to get users to click on malicious emails and open their networks to attackers.

New Netflix phishing scam uncovered - here’s how to stay safe

Security analysts have uncovered a dangerous and highly convincing new Netflix phishing scam, capable of evading traditional email security software.

The phishing email masquerades as a billing error alert, pressing the victim to update their payment details within 24 hours or have their Netflix subscription voided.

The link provided in the email redirects to a functioning CAPTCHA form, used in legitimate scenarios to distinguish between humans and AI. Although this step adds a layer of friction to the process, it serves to enhance the sense of legitimacy the attacker is attempting to cultivate.

After handing over account credentials, billing address and payment card information, the victim is then redirected to the genuine Netflix home page, unaware their data has been compromised.

Why does this matter?

Phishing campaigns like this cast a wide net and only need a small number of victims to fall for it to turn a profit, and that means these types of scams are not going to go away any time soon. If no one fell for them they would stop. Always question any email that urges you to take action quickly under the guise of some threat.

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Black Arrow Admin 10/07/2020 Black Arrow Admin 10/07/2020

Cyber Weekly Flash Briefing 10 July 2020: firms concerned by cloud security: most already breached, 15 Billion passwords on sale, routers present huge risk, BMW cust breach, NK hackers target retail

Majority of firms concerned about public cloud security, most have suffered breach

Most businesses are worried about the current state of their public cloud security, with 70% admitting they have experienced a breach over the past year including 93% in India, where this figure is highest worldwide. Companies that used more than one public cloud platforms reported more security incidents than their peers that used only one platform.

In addition, system misconfigurations enabled 66% of cyber attacks either because attackers were able to exploit a misconfigured system or tap flaws in the firewall applications to steal credentials of cloud provider accounts. Data loss or leak was the biggest security concern, with 44% of organisations pointing to this as a top focus area, according to Sophos' State of Cloud Security 2020 study.

The survey polled 3,521 IT managers across 26 markets including 158 in Singapore, 227 in India, 162 in China, 148 in Australia, 126 in Japan, 191 in the UK, and 413 in the US. These respondents used services from at least one of the following public cloud providers: Amazon Web Services (AWS) and VMWare Cloud on AWS, Microsoft Azure, Alibaba Cloud, and Oracle Cloud. They also might have used Google Cloud and IBM Cloud.

15 Billion Stolen Passwords On Sale On The Dark Web, Research Reveals

There are more than 15 billion stolen account credentials circulating on criminal forums within the dark web, a new study has revealed.

Researchers discovered usernames, passwords and other login information for everything from online bank accounts, to music and video streaming services.

The majority of exposed credentials belong to consumers rather than businesses, the researchers found, resulting from hundreds of thousands of data breaches.

Unsurprisingly, the most expensive credentials for sale were those for bank and financial services. The average listing for these was £56 on the dark web – a section of the internet notorious for criminal activity that is only accessible using specialist software.

Researched stated that the sheer number of credentials available is staggering.

Check your router now - it could be a huge security risk

Many of the most popular home routers available to buy today feature a worrying number of security flaws and vulnerabilities, new research has found and your router might be the biggest security hole in your network.

A report from Germany discovered that the firmware present in a large number of leading routers was susceptible to hugely damaging security issues.

Many routers were found to never have received a single security firmware update in their lifetime, despite the risk that this could pose to users at home and at work, and were vulnerable to hundreds of well-known security issues.

The study looked at 127 home routers from seven brands (Netgear, ASUS, AVM, D-Link, Linksys, TP-Link and Zyxel), examining the product firmware for any known security vulnerabilities.

46 of the products it tested had not received any kind of security update within the past 12 months, with some vendors shipping firmware updates without fixing known vulnerabilities, and one set of products not seeing a firmware update for more than five years.

Data Breach Affects 384,319 BMW Customers in the U.K.

Researchers at an intelligence firm discovered that a hacker group “KelvinSecurity” compromised the personal information of 384,319 BMW customers in the U.K. and put them for sale on various darknet forums.

The hacker group claimed that they got the BMW database from a call centre that handles customers’ information of various automobile brands. The stolen database contains over 500,000 customer records dated between 2016 and 2018, affecting U.K. owners of other car manufacturers, including Honda, Mercedes, SEAT, and Hyundai in the U.K.

The exposed BMW owners’ information included sensitive information such as surnames, emails, vehicle registration numbers, residential address, dealer names, car registration information, names of dealerships. The researchers also discovered multiple databases exposed by KelvinSecurity, including data related to the U.S. government contractors and the Russian military weapons development. The hacker group also exposed over 28 databases on various darknet forums for free, affecting organizations in Iran, Australia, Mexico, U.S., Sweden, Indonesia, and France.

SurveyMonkey Phishers Go Hunting for Office 365 Credentials

Security researchers are warning of a new phishing campaign that uses malicious emails from legitimate SurveyMonkey domains in a bid to bypass security filters.

The phishing emails in question are sent from a real SurveyMonkey domain but crucially have a different reply-to domain.

Within the body of the email is a hidden redirect link appearing as the text ‘Navigate to access statement’ with a brief message ‘Please do not forward this email as its survey link is unique to you’” it explained. Clicking on the link redirects to a site hosted on a Microsoft form submission page. This form asks the user to enter their Office 365 email and password. If the user is not vigilant and provides their credentials, the user account would be compromised.

The attack is effective for several reasons: its use of a legitimate SurveyMonkey email sender, the concealing of the phishing site URL and the description of the email as unique to every user.

Microsoft takes legal action against COVID-19-related cybercrime

This week a Court in the US unsealed documents detailing Microsoft’s work to disrupt cybercriminals that were taking advantage of the COVID-19 pandemic in an attempt to defraud customers in 62 countries around the world. The civil case has resulted in a court order allowing Microsoft to seize control of key domains in the criminals’ infrastructure so that it can no longer be used to execute cyberattacks.

Microsoft’s Digital Crimes Unit (DCU) first observed these criminals in December 2019, when they deployed a sophisticated, new phishing scheme designed to compromise Microsoft customer accounts. The criminals attempted to gain access to customer email, contact lists, sensitive documents and other valuable information. Based on patterns discovered at that time, Microsoft utilized technical means to block the criminals’ activity and disable the malicious application used in the attack. Recently, Microsoft observed renewed attempts by the same criminals, this time using COVID-19-related lures in the phishing emails to target victims.

North Korea's Lazarus hackers are planting skimmers on US and European retail websites, researchers warn

Researchers claim to have found evidence to suggest that North Korean state-sponsored actors are planting skimmers on the web stores of many American and European retailers in efforts to steal payment card details of unsuspecting shoppers.

The activities have been ongoing since at least May 2019, the researchers say, and can be attributed to hackers linked with the North Korean-backed Lazarus group.

The new research shows that in the last year, Lazarus has been able to infiltrate web stores of many retailers, such as international fashion chain Claire's. The group has also developed a global exfiltration network that uses authentic websites to transfer stolen assets to attackers. These websites are first hijacked and then repurposed to mask the malicious activities of the hackers.

British Army ‘to be slashed by 20,000 troops to make way for cyber warfare’

In a clear indication of the expectations of how future conflicts will be fought the British Army could be cut by more than a quarter under spending review plans dawn up by UK defence chiefs.

Up to 20,000 troops could be let go, while airfields are closed and helicopters are taken out of service. The Royal Marines commando brigade may also be disbanded and Royal Navy minesweepers could also be axed.

Security sources have claimed Johnson’s top adviser Dominic Cummings has been pushing to divert a sizeable amount of money from the army to fund cyber warfare, space and artificial intelligence projects.

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Black Arrow Admin 26/06/2020 Black Arrow Admin 26/06/2020

Cyber Weekly Flash Briefing 26 June 2020: Covid changes infosec landscape, ransomware actors lurk post attack, hacker earns millions, rogue bank staff steal $3.2m, massive DDoS against European bank

If you’re pressed for time watch the 60 second quick fire video summary of the top Cyber and InfoSec stories from the last week:

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Businesses believe the pandemic will change the security landscape forever

After Covid-19, nothing will ever be the same again, at least in terms of how businesses approach cyber security. This is according to a new report based on a poll of 6,700 infosec professionals around the world.

The report states that 81 percent expect long-term changes to the way their business operates, mostly because of remote working.

With this in mind, examining how remote employees approach cyber security will become paramount if an organisation is to maintain a strong security posture.

A third of respondents said they worry employees may feel more relaxed about cyber security than when they are working out of the office. Employees may also be less likely to follow protocol at home, particularly when it comes to identifying and flagging suspicious activity.

Further, almost a third (31 percent) fear employees might unintentionally leak sensitive data or fall prey to a phishing scam and a quarter are afraid staff might fall victim to malware attacks.

Of the largest risks associated with remote working, respondents singled out “using untrusted networks” as the most significant. Other people accessing employees' company devices, the use of personal messaging services for work, and the unintentional sharing of company data are also high on the list of risks.

Ransomware operators lurk on your network after their attack

When a company suffers a ransomware attack, many victims feel that the attackers quickly deploy the ransomware and leave so they won't get caught. Unfortunately, the reality is much different as threat actors are not so quick to give up a resource that they worked so hard to control.

Instead, ransomware attacks are conducted over time, ranging from a day to even a month, starting with a ransomware operator breaching a network.

This breach is through exposed remote desktop services, vulnerabilities in VPN software, or via remote access given by malware such as TrickBot, Dridex, and QakBot.

Once they gain access, they use tools such as Mimikatz, PowerShell Empire, PSExec, and others to gather login credentials and spread laterally throughout the network.

As they gain access to computers on the network, they use these credentials to steal unencrypted files from backup devices and servers before deploying the ransomware attack.

Once the ransomware is deployed, many victims believe that while their network is still compromised, they think the ransomware operators are now gone from the system.

This belief is far from the truth, as illustrated by a recent attack by the Maze Ransomware operators.

Read the full article here: https://www.bleepingcomputer.com/news/security/ransomware-operators-lurk-on-your-network-after-their-attack/

Prolific Hacker Made Millions Selling Network Access

A notorious Russian cyber-criminal made over $1.5m in just the past three years selling access to corporate networks around the world, according to a new report.

The study profiles the work of “Fxmsp” on underground forums where he published his first ad selling access to business networks in 2017.

Over the following years he would compromise banks, hotels, utilities, retailers, tech companies and organisations in many more verticals.

In just three years he claimed to have compromised over 130 targets in 44 countries, including four Fortune 500 firms. Some 9% of his victims were governments.

The report calculated the $1.5m figure purely from publicised sales, although 20% of those Fxmsp compromised were made through private sales, meaning the hacker’s trawl is likely to be even bigger.

Fxmsp even hired a sales manager in early 2018.

Rogue Postbank employees steal master encryption key; make off with $3.2 million

South Africa's Postbank has been forced to replace 12 million bank cards after a calamitous security breach that saw the bank's master encryption key printed off in plain, unencrypted language.

According to internal documents acquired by the Sunday Times of South Africa, the 36-digit code security key “allows anyone who has it to gain unfettered access to the bank’s systems, and allows them to read and rewrite account balances, and change information and data on any of the bank’s 12-million cards".

The master key was apparently printed out on plain paper in a data centre in Pretoria in 2018, enabling the fraudsters to make over 25,000 fraudulent transactions, mostly from cards used by people receiving social benefits from the government.

The crime, which is being pinned on a number of rogue bank employees, went unnoticed for months. More than $3.2 million was stolen in the raid.

The cost to the bank of replacing all the compromised cards is expected to reach $58 million.

Massive Distributed Denial of Service (DDoS) attack launched against European bank

This week, security firm Akamai mitigated what it claims to be the “largest ever packet per second (pps) DDoS attack”, launched against an unnamed European bank.

The attack reportedly generated 809 million packets per second (Mpps) - a new high for pps-focused attacks, and well over double the size of the previous record attack identified by the Akamai platform.

What also makes this DDoS attack unique is the “massive increase” in the quantity of source IP addresses observed. During the attack, Akamai identified more than 600 times average number of source IP addresses per minute, suggesting the attack was highly distributed in nature.

Further, most of the traffic came from previously unknown IP addresses (96.2 percent), which could indicate the assault was driven by an emerging botnet. Given that most of the source IP addresses could be identified within large ISPs via AS lookups, Akamai believes most of the devices used were compromised end user machines.

The speed at which the attack reached its peak was also remarkable. The company claims it grew from normal traffic levels to 418 Gbps in seconds, and took roughly two minutes to hit 809 Mpps. The attack lasted for a total of 10 minutes and was fully mitigated.

'Unstoppable' Malware Uses Bitcoin To Retrieve Secret Messages - Report

Glupteba, a sneaky malware that can be controlled from afar includes a range of components to cover its tracks, and it updates itself using encrypted messages hidden in the Bitcoin blockchain.

The Glupteba bot is a malware campaign that creates backdoors with full access to contaminated devices, which are added to its growing botnet. The analysis describes it as a “highly self-defending malware” with “enhancing features that enable the malware to evade detection.”

The most interesting aspect of Glupteba is that it uses the Bitcoin blockchain as a communication channel for receiving updated configuration information, given that bitcoin transactions can also include a comment of up to 80 characters.

Glupteba uses this messaging space for encrypted messages. These messages contain secrets, such as command-and-control server names, thus cleverly hiding them in the public blockchain - in plane sight.

Woman who deliberately deleted firm’s Dropbox is sentenced

58-year-old Danielle Bulley may not look like your typical cyber criminal, but the act of revenge she committed against a company had just as much impact as a conventional hacker breaking into a business’s servers and causing havoc.

Bulley has been successfully prosecuted under the UK’s Computer Misuse Act after deleting thousands of important files from a company that went on to collapse.

She was a director of a business called Property Press that produced a weekly property newspaper focused on south east Devon. Things turned sour, and Bulley resigned her position at the firm in 2018 before the company went into liquidation. However, fellow director Alan Marriott started a new business venture – without Bulley’s involvement – using the assets of the old firm.

Things clearly didn’t sit well with Bulley after her departure from the business, and several months after her resignation she managed to gain unauthorised access to the new company’s Dropbox account.

More than 5,000 documents were permanently erased, and the company claimed that the damage to business was so great that it could no longer operate, with people losing their jobs and a loss of almost £100,000.

The Police warned other companies of the threat which can be posed by former employees:

Ex-employees can pose a serious risk to a business because they are familiar with the company’s IT infrastructure and procedures. This can make it easier for them to carry out cyber crimes against their former organisation.

If someone is leaving your company, especially if they are quitting your firm under something of a cloud, you would be wise to check that they don’t know your business’s passwords or have retained access to sensitive information.

Passwords should be changed, and additional authentication methods should be in place to prevent unauthorised access. Dropbox, for instance, provides a two-step verification feature which all users would be wise to enable.

EasyJet Lawsuit Over Data Breach Attracts 10,000 Passengers

EasyJet Plc faces a lawsuit over a data breach disclosed last month that potentially exposed private details of 9 million passengers.

More than 10,000 people have joined the suit since it was filed last month, according to the law firm handling the lawsuit. Victims are entitled to as much as £2,000 in compensation, meaning the case could be worth as much as £18 billion.

EasyJet said last month that the email addresses and travel data of about 9 million customers were taken by hackers in one of the biggest privacy breaches to hit the airline industry. The credit card details of roughly 2,200 people was also accessed.

“This is a monumental data breach and a terrible failure of responsibility that has a serious impact on EasyJet’s customers, who are coming forward in their thousands,” the law firm said in a statement. “This is personal information that we trust companies with, and customers should expect that every effort is made to protect their privacy.”

Twitter apologises for business data breach

Twitter has emailed its business clients to tell them that personal information may have been compromised.

Unbeknownst to users, billing information of some clients was stored in the browser's cache, it said.

In an email to its clients, Twitter said it was "possible" others could have accessed personal information.

The personal data includes email addresses, phone numbers and the last four digits of clients' credit card numbers.

The tech company says that there is no evidence that clients' billing information was compromised.

Huge Data Dump of Police Files Dubbed “Blue Leaks” Leaked Online

Nearly 270 gigabytes worth of sensitive files including FBI, “fusion center” and police department data from across the US dubbed “Blue Leaks” has been stolen and leaked online on June 19 by a collective called DDoSecrets.

Fusion centres are hubs for threat and intelligence sharing. The concept was created after September 11, in a bid by the Department of Homeland Security to improve cooperation between state, local, and territorial law enforcement

The National Fusion Centre Association (NFCA) says that the data was taken after a security breach at web development firm Netsential in Houston, Texas. It includes 490 documents pertaining to the UK. Computer Business Review was not immediately able to open these to assess the contents.

DDoSecrets stated that the Blue Leaks archive spans “ten years of data from over 200 police departments, fusion centres and other law enforcement training and support resources […] among the hundreds of thousands of documents are police and FBI reports, bulletins, guides and more”.

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Black Arrow Admin 20/06/2020 Black Arrow Admin 20/06/2020

Cyber Weekly Flash Briefing 19 June 2020: Widespread Office 365 phishing attacks, new cyber storm as businesses reopen, cyber spies use LinkedIn, largest ever DDoS attack, Ripple20 IoT vulns

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

If you’re pressed for time watch the 60 second quick fire video summary of the top Cyber and InfoSec stories from the last week:

Office 365 Phishing Campaign Exploits Samsung, Adobe and Oxford Servers

Over the last few years, the adoption of Office 365 in the corporate sector has significantly increased. Its popularity has attracted the attention of cyber criminals who launch phishing campaigns specifically to attack the platform. As 90% of cyber-attacks start with a phishing campaign, Office 365 is an attractive target for threat actors who work to evade the continuously introduced security solutions.

Recently, a seemingly unsophisticated Office 365 phishing campaign caught our attention. The attackers abused an Adobe Campaign redirection mechanism, using a Samsung domain to redirect victims to an O365 themed phishing website. The hackers took advantage of the fact that access to a reputable domain, such as Samsung’s, would not be blocked by security software.

To expand their campaign, the attackers also compromised several websites to inject a script that imitates the same mechanism offered by the Adobe redirection service. Further investigation revealed that the actors behind the campaign implemented a few other interesting tricks to hide the phishing kit and avoid detection at each stage of the attack.

Guernsey Police warn businesses in Guernsey using Office 365 also targeted by scammers

Guernsey Police are warning local businesses about an online scam targeting users of Office 365.

Officers have been in contact with several businesses using the service who have fallen victim to phishing scams which have allowed hackers access to their email inbox.

The hackers then distribute malicious links to their contacts.

Police say using multi-factor authentication can help keep personal data safe.

Anyone who receives an unexpected email from someone they trust containing a link should contact them directly to make sure they sent it.

As Businesses Reopen, A New Storm Of Cybercrime Activity Looms

There is nothing ordinary about the amount of disruption that will impact our lives moving forward as countries and states reopen following the coronavirus pandemic. In the context of the cloud, disruptions caused by COVID-19 have opened the door to another type of virus: cybersecurity threats. Today we are witnessing a rapid rise of opportunistic cybercriminal activity taking advantage of the chaos created by COVID-19.

Focal concerns about economic recovery and a potential second wave of human infection are abounding. Still, the concern for many companies should also include heightened cybersecurity threats that can easily break companies before they have a chance to relaunch. For the many companies that are already fighting to remain afloat due to challenges faced during COVID-19, a cybersecurity breach could quickly mean the end. As businesses navigate this “new normal,” they must address weaknesses in their IT strategies exposed by COVID-19 and consider implementing a better preparedness plan to avoid long-term damage.

Microsoft: COVID-19 malware attacks were barely a blip in total malware volume

Microsoft says that despite all the media headlines over the past few months, malware attacks that abused the coronavirus (COVID-19) theme have barely been a blip in the total volume of threats the company sees each month.

These COVID-19 attacks included emails carrying malicious file attachments (also referred to as malspam) and emails containing malicious links that redirect users to phishing sites or malware downloads.

According to Microsoft's Threat Protection Intelligence Team, the first attacks abusing a COVID-19 lure started after the World Health Organization (WHO) declared COVID-19 a global pandemic on January 30.

As the world yearned to learn more about this new disease, attacks intensified, and they peaked in March when most of the world's countries enforced stay-at-home measures.

"The week following [the WHO] declaration saw these attacks increase eleven-fold," Microsoft said. "By the end of March, every country in the world had seen at least one COVID-19 themed attack."

Cyber spies use LinkedIn to hack European defence firms

LONDON (Reuters) - Hackers posed as recruiters working for U.S. defence giants Collins Aerospace and General Dynamics (GD.N) on LinkedIn to break into the networks of military contractors in Europe, cyber security researchers said on Wednesday.

The cyber spies were able to compromise the systems of at least two defence and aerospace firms in Central Europe last year by approaching employees with pseudo job offers from the U.S. firms.

The attackers then used LinkedIn’s private messaging feature to send documents containing malicious code which the employees were tricked into opening.

The researcher declined to name the victims, citing client confidentiality, and said it was unclear if any information was stolen. General Dynamics and Collins Aerospace, which is owned by Raytheon Technologies RTX.N, declined immediate comment.

The researchers were unable to determine the identity of the hackers but said the attacks had some links to a North Korean group known as Lazarus, which has been accused by U.S. prosecutors of orchestrating a string of high-profile cyber heists on victims including Sony Pictures and the Central Bank of Bangladesh.

Australian PM says nation under serious state-run 'cyber attack' – Microsoft, Citrix, Telerik UI bugs 'exploited'

Australian Prime Minister Scott Morrison has called a snap press conference to reveal that the nation is under cyber-attack by a state-based actor, but the nation’s infosec advice agency says that while the attacker has gained access to some systems it has not conducted “any disruptive or destructive activities within victim environments.”

Morrison said the attack has targeted government, key infrastructure and the private sector, and was sufficiently serious that he took the courteous-in-a-crisis, but not-compulsory step, of informing the leader of the opposition about the incident. He also said that the primary purpose of the snap press conference was to inform and educate Australians about the incident.

But Morrison declined to state whether Australian defence agencies have identified the source of the attack and said evidence gathered to date does not meet the government’s threshold of certainty to name the attacker.

Google removes 106 Chrome extensions for collecting sensitive user data

Google has removed 106 malicious Chrome extensions that have been caught collecting sensitive user data.

The 106 extensions are part of a batch of 111 Chrome extensions that have been identified as malicious in a report published this week.

These extensions posed as tools to improve web searches, convert files between different formats, as security scanners, and more.

But in reality the extensions contained code to bypass Google's Chrome Web Store security scans, take screenshots, read the clipboard, harvest authentication cookies, or grab user keystrokes (such as passwords).

AWS stops largest DDoS attack ever

Amazon has revealed that its AWS Shield service was able to mitigate the largest DDoS attack ever recorded at 2.3 Tbps back in February of this year.

The company's new AWS Shield Threat Landscape report provided details on this attack and others mitigated by its AWS Shield protection service.

While the report did not identify the AWS customer targeted in the DDoS attack, it did say that the attack itself was carried out using hijacked CLDAP (Connection-less Lightweight Directory Access Protocol) web servers and lasted for three days.

https://www.techradar.com/news/aws-stops-largest-ddos-attack-ever

Ripple20 Vulnerabilities Affect Hundreds of Millions of IoT Devices

Zero-day vulnerabilities have been discovered that could impact millions of IoT devices found in data centres, power grids, and elsewhere.

The flaws, dubbed Ripple20, includes multiple remote code execution vulnerabilities and affects "hundreds of millions of devices (or more)."

Researchers named the vulnerabilities Ripple20 to reflect the widespread impact they have had as a natural consequence of the supply chain "ripple-effect" that has seen the widespread dissemination of the software library and its internal flaws.

"A single vulnerable component, though it may be relatively small in and of itself, can ripple outward to impact a wide range of industries, applications, companies, and people," wrote researchers.

Ripple20 reached critical IoT devices involving a diverse group of vendors from a wide range of industries. Affected vendors range from one-person boutique shops to Fortune 500 multinational corporations, including HP, Schneider Electric, Intel, Rockwell Automation, Caterpillar, and Baxter.

Unpatched vulnerability identified in 79 Netgear router models

A whopping 79 Netgear router models are vulnerable to a severe security flaw that can let hackers take over devices remotely.

The vulnerability has been discovered by two security researchers independently, namely Adam Nichols from cyber-security GRIMM and a security researcher going by the nickname of d4rkn3ss, working for Vietnamese internet service provider VNPT.

According to Nichols, the vulnerability impacts 758 different firmware versions that have been used on 79 Netgear routers across the years, with some firmware versions being first deployed on devices released as far back as 2007.

This lack of proper security protections opens the door for an attacker to craft malicious HTTP requests that can be used to take over the router.

More here: https://www.zdnet.com/article/unpatched-vulnerability-identified-in-79-netgear-router-models/

New Mac malware uses 'novel' tactic to bypass macOS Catalina security

Security researchers have discovered a new Mac malware in the wild that tricks users into bypassing modern macOS app security protections.

In macOS Catalina, Apple introduced new app notarization requirements. The features, baked in Gatekeeper, discourage users from opening unverified apps — requiring malware authors to get more creative with their tactics.

As an example, researchers have discovered a new Trojan horse malware actively spreading in the wild via poisoned Google search results that tricks users into bypassing those protections themselves.

The malware is delivered as a .dmg disk image masquerading as an Adobe Flash installer. But once it's mounted on a user's machine, it displays instructions guiding users through the malicious installation process.

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Threat Intelligence Blog

Black Arrow Cyber Threat Briefing 08 March 2024

Top Cyber Stories of the Last Week

FBI Reports Cyber Crime Losses Reached $12.5 billion in 2023, Ransomware Losses Surged by 74%, Average Ransom Demand Reaching $600k

Capita Plans £100 Million in Cost Cuts as it Continues to Grapple With 2023 Cyber Attack, Resulting in Significant Job Losses

Employment Law Firm Sues IT Company Over Ransomware Attack

Stolen Passwords are a Hacker Goldmine

Phishing Attacks Up 40 Percent in 2023; Attackers Leverage Social Engineering for Greater Success

Business Leaders Don’t Even Know They’ve Been Hacked

Rising Cyber Security Risks: Insider Threat Main Concern Among Mid-Market Firms

C-Suite Executives: An Attacker’s Dream?

Security Risks Plague SMEs in Shift to Remote Working

After Collecting $22 Million, Ransomware Group Stages FBI Takedown

Cyber Attacks Remain Chief Concern for Businesses

Two New Ransomware Groups Join Forces to Launch Joint Attacks

Governance, Risk and Compliance

Threats

Ransomware, Extortion and Destructive Attacks

Ransomware Victims

Phishing & Email Based Attacks

Other Social Engineering

Artificial Intelligence

2FA/MFA

Malware

Mobile

Denial of Service/DoS/DDOS

Internet of Things – IoT

Data Breaches/Leaks

Organised Crime & Criminal Actors

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

Insider Risk and Insider Threats

Supply Chain and Third Parties

Cloud/SaaS

Identity and Access Management

Encryption

Linux and Open Source

Passwords, Credential Stuffing & Brute Force Attacks

Social Media

Training, Education and Awareness

Regulations, Fines and Legislation

Models, Frameworks and Standards

Data Protection

Careers, Working in Cyber and Information Security

Law Enforcement Action and Take Downs

Misinformation, Disinformation and Propaganda

Nation State Actors, Advanced Persistent Threats (APTs), Cyber Warfare, Cyber Espionage and Geopolitical Threats/Activity

Cyber Warfare and Cyber Espionage

Nation State Actors

China

Russia

North Korea

Other Nation State Actors, Hacktivism, Extremism, Terrorism and Other Geopolitical Threat Intelligence

Vulnerability Management

Vulnerabilities

Tools and Controls

Reports Published in the Last Week

Other News

Sector Specific

Black Arrow Cyber Threat Briefing 02 February 2024

Top Cyber Stories of the Last Week

The Financial Sector is Plagued by Increasingly Sophisticated Cyber Attacks That Demand a Defensive Paradigm Shift

The $10 Billion Cyber Insurance Industry Sees a Dangerous Year in Cyber Crime Ahead. AI, Ransomware, and War are its Biggest Concerns

Microsoft Says Russian Hackers Used Known Identified Tactics to Breach Senior Exec Emails

Old Methods, New Tricks: Cyber Criminals Are Still Using Social Engineering to Steal Your Credentials

UK Government Unveils New Cyber Threat Guidelines as 32% of Firms Suffer Attacks in Past Year

94% of Organisations Would Pay a Ransom, Despite Having ‘Do Not Pay’ Policies, as 79% Faced an Attack in 2023

Interpol Arrests More than 30 Cyber Criminals in Global Operation

Divide and Succeed: Splitting IT and Security Makes Business Sense

Ransomware Groups Gain Clout with False Attack Claims

Payment Fraud is Hitting Organisations Harder Than Ever Before

Chinese Hacking Operations Have Entered a Far More Dangerous Phase, US Warns

Governance, Risk and Compliance

Threats

Ransomware, Extortion and Destructive Attacks

Ransomware Victims

Phishing & Email Based Attacks

Artificial Intelligence

2FA/MFA

Malware

Mobile