Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

• Fifth of Businesses Say Cyber Attack Nearly Broke Them

A fifth of US and European businesses have warned that a serious cyber attack nearly rendered them insolvent, with most (87%) viewing compromise as a bigger threat than an economic downturn, according to Hiscox.

The insurer polled over 5000 businesses in the US, UK, Ireland, France, Spain, Germany, the Netherlands and Belgium to compile its annual Hiscox Cyber Readiness Report.

It revealed the potentially catastrophic financial damage that a serious cyber-attack can wreak. The number claiming to have nearly been brought down by a breach increased 24% compared to the previous year.

Nearly half (48%) of respondents said they suffered an attack over the past 12 months, a 12% increase from the previous report’s findings. Perhaps unsurprisingly, businesses in seven out of eight countries see cyber as their biggest threat.

Yet perception appears to vary greatly depending on whether an organisation has suffered a serious compromise or not. While over half (55%) of total respondents said they view cyber as a high-risk area, the figure among companies that have not yet suffered an attack is just 36%.

https://www.infosecurity-magazine.com/news/fifth-of-businesses-cyber-attack/

• Weak Security Controls and Practices Routinely Exploited for Initial Access

Cyber actors routinely exploit poor security configurations (either misconfigured or left unsecured), weak controls, and other poor cyber hygiene practices to gain initial access or as part of other tactics to compromise a victim’s system. A joint Cybersecurity Advisory by the cyber security authorities of the United States, Canada, New Zealand, the Netherlands, and the United Kingdom identifies commonly exploited controls and practices and includes best practices to mitigate the issues.

Malicious cyber actors often exploit the following common weak security controls, poor configurations, and poor security practices to employ the initial access techniques.

• Multifactor authentication (MFA) is not enforced

• Incorrectly applied privileges or permissions and errors within access control lists

• Software is not up to date

• Use of vendor-supplied default configurations or default login usernames and passwords

• Remote services, such as a virtual private network (VPN), lack sufficient controls to prevent unauthorised access

• Strong password policies are not implemented

• Cloud services are unprotected

• Open ports and misconfigured services are exposed to the internet

• Failure to detect or block phishing attempts

• Poor endpoint detection and response.

https://www.cisa.gov/uscert/ncas/alerts/aa22-137a

• How Do Ransomware Attacks Impact Victim Organisations’ Stock?

Ransomware has developed into an extremely lucrative business model with little risk involved for the threat actors. Couple this with the willingness of most victim organisations to pay the ransom demand under the assumption it will return business operations to normal - ultimately encouraging more attacks - and we have a big problem with no easy remedies.

Back in 2021, Cybereason published a report titled Ransomware Attacks and the True Cost to Business that revealed the various costs that organisations face after falling victim to a ransomware attack. Here are some of the most significant findings that stood out:

• Two-thirds of ransomware victims said that they endured a significant loss of revenue following the attack

• More than half (53%) of organisations suffered damage to their brand and reputation after a ransomware infection

• A third of those who fell to ransomware lost C-level talent in the attack’s aftermath

• Three in 10 organisations had no choice but to lay off employees due to the financial pressures resulting from a ransomware incident

• A quarter of ransomware victims said that they needed to suspend operations.

https://www.msspalert.com/cybersecurity-guests/how-do-ransomware-attacks-impact-victim-organizations-stock/

• Prioritise Patching Vulnerabilities Associated with Ransomware

In the last quarter, ransomware attacks have made mainstream headlines on a near-daily basis, with groups like Lapsus$ and Conti’s names splashed across the page. Major organisations like Okta, Globant and Kitchenware maker Meyer Corporation have all fallen victim, and they are very much not alone. The data indicates that increasing vulnerabilities, new advanced persistent threat (APT) groups and new ransomware families are contributing to ransomware’s continued prevalence and profitability.

The top stats include:

• 22 new vulnerabilities and nine new weaknesses have been associated with ransomware since January 2022; of the 22, a whopping 21 are considered of critical or high risk severity

• 19 (out of 22) of the newly-added vulnerabilities are associated with the Conti ransomware gang

• Three new APT groups (Exotic Lily, APT 35, DEV-0401) and four new ransomware families (AvosLocker, Karma, BlackCat, Night Sky) are deploying ransomware to attack their targets

• 141 of CISA’s Known Exploited Vulnerabilities (KEVs) are being used by ransomware operators – including 18 newly identified this quarter

• 11 vulnerabilities tied to ransomware remain undetected by popular scanners

• 624 unique vulnerabilities were found within the 846 healthcare products analysed.

https://www.helpnetsecurity.com/2022/05/19/increase-ransomware-vulnerabilities/

• Researchers Warn of Advanced Persistent Threats (APTs), Data Leaks as Serious Threats Against UK Financial Sector

Researchers say that geopolitical tension, ransomware, and cyber attacks using stolen credentials threaten the UK's financial sector.

KELA's security team published a report examining the cyber security issues and attacks that surfaced in 2021 and early 2022, specifically focused on the United Kingdom's banks and other financial services.

The UK was one of the first countries to stand with Ukraine after the invasion by Russia. This could make UK organisations a tempting target for threat actors siding with Russia - whether by state-sponsored advanced persistent threat (APT) groups or hacktivists. The National Cyber Security Centre (NCSC) previously warned businesses to shore up their cyber security following Russia's assault.

APTs are often responsible for attacking the financial sector: account credentials, card numbers, and the personally identifiable information (PII) of customers are useful not only in social engineering and identity theft but also to make fraudulent purchases or for card cloning.

APTs target organisations worldwide, and those located in the UK are no exception. Over the past few years, APTs, including the Chinese APT40 and APT31, have utilised vulnerabilities, including ProxyLogon, to compromise UK businesses.

"In general, APTs may target the financial sector to commit fraud, burglarise ATMs, execute transactions, and penetrate organisations' internal financial systems," KELA says. "Although specific threats to the UK financial sector have not been identified, there is no doubt that the UK has occasionally been a target of APT groups during 2021."

Exposed corporate information and leaked credentials are also of note. After browsing Dark Web forums, the researchers found that UK data is "in demand" by cyber criminals who are seeking PII, access credentials, and internal data.

https://www.zdnet.com/article/researchers-warn-of-apts-data-leaks-as-serious-threats-against-uk-financial-sector/

• Remote Work Hazards: Attackers Exploit Weak WiFi, Endpoints, and the Cloud

Infoblox unveils a global report examining the state of security concerns, costs, and remedies. As the pandemic and uneven shutdowns stretch into a third year, organisations are accelerating digital transformation projects to support remote work. Meanwhile, attackers have seized on vulnerabilities in these environments, creating more work and larger budgets for security teams.

1,100 respondents in IT and cyber security roles in 11 countries – United States, Mexico, Brazil, United Kingdom, Germany, France, the Netherlands, Spain, United Arab Emirates, Australia, and Singapore – participated in the survey.

The surge in remote work has changed the corporate landscape significantly – and permanently. 52% of respondents accelerated digital transformation projects, 42% increased customer portal support for remote engagement, 30% moved apps to third party cloud providers, and 26% shuttered physical offices for good. These changes led to the additions of VPNs and firewalls, a mix of corporate and employee owned devices as well as cloud and on-premises DDI servers to manage data traffic across the expanded network.

The hybrid workforce reality is causing greater concerns with data leakage, ransomware and attacks through remote access tools and cloud services. Respondents indicate concerns about their abilities to counter increasingly sophisticated cyber attacks with limited control over employees, work-from-home technologies, and vulnerable supply chain partners. The sophistication of state-sponsored malware also is a source of worry for many.

Organisations have good reason to worry: 53% of respondents experienced up to five security incidents that led to at least one breach.

https://www.helpnetsecurity.com/2022/05/17/state-of-security/

• Small Businesses Under Fire from Password Stealers

Password-stealing malware and other cyber attacks have increased significantly against small businesses over the past year, according to Kaspersky researchers.

An assessment released this week detailed the number of Trojan Password Stealing Ware (PSW) detections, internet attacks and attacks on Remote Desktop Protocol (RDP) between January and April 2022, compared with the same time frame from 2021. Kaspersky's research showed a jump in the detection of password stealers within small business environments, as well as increases in other types of cyber attacks.

According to Kaspersky, the biggest increase in threats against small businesses was password stealers, specifically Trojan PSWs. There were nearly 1 million more detected Trojan PSWs targeting small and medium-sized businesses in the first trimester of 2022 than the first of 2021, increasing from 3,029,903 to 4,003,323.

https://www.techtarget.com/searchsecurity/news/252518442/Small-businesses-under-fire-from-password-stealers

• Email Is the Riskiest Channel for Data Security

Research from Tessian and the Ponemon Institute reveals that nearly 60% of organisations experienced data loss or exfiltration caused by an employee mistake on email in the last 12 months.

Email was revealed as the riskiest channel for data loss in organisations, as stated by 65% of IT security practitioners. This was closely followed by cloud file-sharing services (62%) and instant messaging platforms (57%).

The research surveyed 614 IT security practitioners across the globe to also reveal that:

• Employee negligence, because of not following policies, is the leading cause of data loss incidents (40%)

• 27% of data loss incidents are caused by malicious insiders

• It takes up to three days for security and risk management teams to detect and remediate a data loss and exfiltration incident caused by a malicious insider on email

• 23% of organisations experience up to 30 security incidents involving employees’ use of email every month (for example, email was sent to an unintended recipient).

The most common types of confidential and sensitive information lost or intentionally stolen include: customer information (61%); intellectual property (56%); and consumer information (47%). User-created data (sensitive email content, text files, M&A documents), regulated data (credit card data, Social Security numbers, national ID numbers, employee data), and intellectual property were identified as the three types of data that are most difficult to protect from data loss.

The top two consequences for data loss incidents were revealed as non-compliance with data protection regulations (57%) and damage to an organisation’s reputation (52%). Furthermore, a previous study from Tessian found that 29% of businesses lost a client or customer because of an employee sending an email to the wrong person.

https://www.helpnetsecurity.com/2022/05/20/data-loss-email/

• Phishing Attacks for Initial Access Surged 54% in Q1

Threat actors doubled down on their use of phishing emails as an initial attack vector during the first quarter of 2022 — and in many cases then used that access to drop ransomware or to extort organisations in other ways.

Researchers from Kroll recently analysed data gathered from security incidents they responded to in the first three months of this year. The analysis showed a 54% increase in incidents of phishing for initial access compared with the same period last year.

For the first time since Microsoft disclosed the so-called ProxyLogon set of vulnerabilities in Exchange Server in the first quarter of 2021, incidents tied to email compromises surpassed those related to ransomware. Kroll described the sharp increase in phishing activity as likely the result of a surge in activity tied to Emotet and IceID malware — threat actors have been using both to drop other malware.

https://www.darkreading.com/risk/phishing-attacks-for-initial-access-surged-q1

• Fears Grow for Smaller Nations After Ransomware Attack on Costa Rica Escalates

Conti demanded $20M in ransom — and the overthrow of the government.

It’s been a rough start for the newly elected Costa Rica president Rodrigo Chaves, who less than a week into office declared his country “at war” with the Conti ransomware gang.

“We’re at war and this is not an exaggeration,” Chaves told local media. “The war is against an international terrorist group, which apparently has operatives in Costa Rica. There are very clear indications that people inside the country are collaborating with Conti.”

Conti’s assault on the Costa Rican government began in April. The country’s Finance Ministry was the first hit by the Russia-linked hacking group, and in a statement on May 16, Chaves said the number of institutions impacted had since grown to 27. This, he admitted, means civil servants wouldn’t be paid on time and will impact the country’s foreign trade.

In a message posted to its dark web leaks blog, Conti urged the citizens of Costa Rica to pressure their government to pay the ransom, which the group doubled from an initial $10 million to $20 million. In a separate statement, the group warned: “We are determined to overthrow the government by means of a cyber attack, we have already shown you all the strength and power.”

Conti is among the most prolific hacking groups. The FBI warned earlier this year that the gang was among “the three top variants” that targeted businesses in the United States, and it has been blamed for ransomware attacks targeting dozens of businesses, including Fat Face, Shutterfly and the Irish healthcare service.

But Conti has picked up its pace in recent months: In January and February it published 31 victims on its leaks blog. In March and April, it posted 133 victims.

https://techcrunch.com/2022/05/20/costa-rica-ransomware-attack/

Threats

Ransomware

• Ransomware Gangs Rely More on Weaponizing Vulnerabilities (bleepingcomputer.com)

• Ransomware Gang Extorted 725 BTC in One Attack, On-Chain Sleuths Find (coindesk.com)

• 5 Critical Questions to Test Your Ransomware Preparedness - Help Net Security

• “Alarming” Surge in Conti Group Activity This Year - Infosecurity Magazine

• Why AI-Powered Ransomware Cyber Attacks Could Be Coming Soon - Protocol

• Nikkei Says Customer Data Likely Impacted in Ransomware Attack | SecurityWeek.Com

• Wizard Spider Hackers Hire Cold Callers to Scare Ransomware Victims Into Paying Up | ZDNet

• Greenland Hit by Cyber Attack, Finds Its Health Service Crippled (bitdefender.com)

• Conti Ransomware Shuts Down Operation, Rebrands into Smaller Units (bleepingcomputer.com)

• No One Is Slowing Down BlackByte Ransomware Gang • The Register

• President Rodrigo Chaves says Costa Rica is at war with Conti hackers - BBC News

• Engineering Firm Parker Discloses Data Breach After Ransomware Attack (bleepingcomputer.com)

• US links Thanos and Jigsaw ransomware to 55-year-old doctor (bleepingcomputer.com)

• Russian Conti Ransomware Gang Threatens to Overthrow New Costa Rican Government (thehackernews.com)

Phishing & Email Based Attacks

• This Phishing Attack Delivers Three Forms of Malware. And They All Want to Steal Your Data | ZDNet

• HTML Attachments Remain Popular Among Phishing Actors In 2022 (bleepingcomputer.com)

• Chatbot Army Deployed in Latest DHL Shipping Phish (darkreading.com)

• Phishing Gang That Stole Over 400,000 Euros Busted in Spain (tripwire.com)

• Long Lost @ Symbol Gets New Life Obscuring Malicious URLs | Malwarebytes Labs

• Spanish Police Dismantle Phishing Gang That Emptied Bank Accounts (bleepingcomputer.com)

Malware

• Emotet is the Most Common Malware - Help Net Security

• Microsoft Identifies Botnet Variant Targeting Windows and Linux Systems - Infosecurity Magazine

• Activity of the Linux XorDdos bot increased by 254% over the last 6 monthsSecurity Affairs

• Fake Domains Offer Windows 11 Installers - But Deliver Malware Instead | ZDNet

• Bruised but Not Broken: The Resurgence of the Emotet Botnet Malware (trendmicro.com)

• Malicious PyPI Pymafka Package Opens Backdoors On Windows, Linux, and Macs (bleepingcomputer.com)

• April VMware Bugs Abused to Deliver Mirai Malware, Exploit Log4Shell | Threatpost

Mobile

• 6 Scary Tactics Used in Mobile App Attacks (darkreading.com)

• Researchers Find Potential Way to Run Malware on iPhone Even When it's OFF (thehackernews.com)

• Google TAG: Cytrox's Predator Spyware Used to Target Android Users | WIRED

IoT

• New Bluetooth Hack Could Let Attackers Remotely Unlock Smart Locks and Cars (thehackernews.com)

Data Breaches/Leaks

• Cornwall Council Data Breach - Information Security Buzz

• Pharmacy Giant Hit By Data Breach Affecting 3.6 Million Customers - Infosecurity Magazine

Organised Crime & Criminal Actors

• Ukrainian Hacker Jailed for 4-Years in U.S. for Selling Access to Hacked Servers (thehackernews.com)

• US Recovers a Record $15m from the 3ve Ad-Fraud Crew • The Register

Cryptocurrency/Cryptomining/Cryptojacking/NFTs

• How Cryptocurrencies Enable Attackers and Defenders (techtarget.com)

• Monero-Mining Sysrv Botnet Targets Windows, Linux Web Servers • The Register

• US Brings First-Of-Its-Kind Bitcoin Sanctions-Busting Case • The Register

• Fake Pixelmon NFT Site Infects You with Password-Stealing Malware (bleepingcomputer.com)

• Hackers Compromise a String of NFT Discord Channels (vice.com)

Fraud, Scams & Financial Crime

• Popularity Of Online Payment Goes Hand-In-Hand with Fraud - Help Net Security

Supply Chain and Third Parties

• MITRE Creates Framework for Supply Chain Security (darkreading.com)

• The Four Horsemen of Software Supply Chain Attacks - MSSP Alert

• Recovering From a Cyber Security Earthquake: The Lessons Organisations Must Learn - Help Net Security

Cloud/SaaS

• 7 Key Findings from the 2022 SaaS Security Survey Report (thehackernews.com)

• New Research Identifies Poor IAM Policies as The Greatest Cloud Vulnerability - CyberScoop

• Are You Investing in Securing Your Data in the Cloud? (thehackernews.com)

• 380K Kubernetes API Servers Exposed to Public Internet | Threatpost

Open Source

• The Industry Must Better Secure Open Source Code From Threat Actors (darkreading.com)

Privacy

• How To Ensure That the Smart Home Doesn’t Jeopardize Data Privacy? - Help Net Security

• Privacy. Ad Bidders Haven't Heard of It, Report Reveals • The Register

• Third-Party Web Trackers Log What You Type Before Submitting (bleepingcomputer.com)

Passwords & Credential Stuffing

• The Most Insecure and Easily Hackable Passwords - Help Net Security

• Half of IT Leaders Store Passwords in Shared Docs - Infosecurity Magazine

Cyber Bullying and Cyber Stalking

• UK Sextortion Cases Doubled in 2021 - Infosecurity Magazine

Regulations, Fines and Legislation

• Europe Moves Closer to Stricter Cyber Security Standards • The Register

• EU's NIS 2 Directive to Strengthen Cyber Security Requirements For Companies - Help Net Security

Spyware, Espionage & Cyber Warfare, including Russian Invasion of Ukraine

• Google TAG: Cytrox's Predator Spyware Used to Target Android Users | WIRED

• Britain can legally launch cyber attacks against hostile states, says Attorney General (telegraph.co.uk)

• How Mobile Networks Have Become a Front in the Battle for Ukraine (darkreading.com)

• China-linked Twisted Panda Caught Spying on Russian R&D Orgs • The Register

• Pro-Russian Hackers Spread Hoaxes to Divide Ukraine, Allies | SecurityWeek.Com

• A custom PowerShell RAT Targets Germany Using Crisis in Ukraine as Bait - Security Affairs

Nation State Actors

Nation State Actors – Russia

• Putin Promises to Bolster Russia's IT Security in Face of Cyber Attacks | Reuters

• Russian Hackers Declare War On 10 Countries After Failed Eurovision DDoS attack | IT PRO

• Pro-Russian Information Operations Escalate in Ukraine War (darkreading.com)

• Russian Undersea Cable Threat Shifts Tech Business to UK (telegraph.co.uk)

• Russians Allegedly Storm Ukrainian ISP, Blackmail It to Switch To Russian Networks - CyberScoop

• Russia-linked Sandworm Continues to Conduct Attacks Against Ukraine - Security Affairs

• Russian Cyber Attack on Eurovision Foiled By Italian Authorities (bitdefender.com)

• This Russian Botnet Does Far More Than DDoS Attacks - And on A Massive Scale | ZDNet

Nation State Actors – China

• Chinese ‘Space Pirates’ are Hacking Russian Aerospace Firms (bleepingcomputer.com)

Nation State Actors – North Korea

• FBI Warns of North Korean Spies Posing as Foreign IT Workers • The Register

Nation State Actors – Iran

• US Charges Venezuelan Doctor with Selling Ransomware Used By Iranian Group | Reuters

Vulnerability Management

• APTs Overwhelmingly Share Known Vulnerabilities Rather Than Attack O-Days | Threatpost

• How Micropatching Could Help Close the Security Update Gap (techtarget.com)

• Partial Patching Still Provides Strong Protection Against APTs (darkreading.com)

Vulnerabilities

• QNAP Urges Users to Update NAS Devices to Prevent Deadbolt Ransomware Attacks (thehackernews.com)

• Cisco Fixes an IOS XR Flaw Actively Exploited in The Wild - Security Affairs

• 2 Vulnerabilities With 9.8 Severity Ratings Are Under Exploit. A 3rd Looms | Ars Technica

• Microsoft Rushes a Fix After May Patch Tuesday Breaks Authentication (darkreading.com)

• Microsoft Fixes New PetitPotam Windows NTLM Relay Attack Vector (bleepingcomputer.com)

• Apple Patches Zero-Day Kernel Hole and Much More – Update Now! – Naked Security (sophos.com)

• Two Business-Grade Netgear VPN Routers Have Security Vulnerabilities That Can't Be Fixed - Help Net Security

• SharePoint RCE Bug Resurfaces Three Months After Being Patched by Microsoft | The Daily Swig (portswigger.net)

• High-Severity Bug Reported in Google's OAuth Client Library for Java (thehackernews.com)

• Over 20,000 Zyxel Firewalls Still Exposed to Critical Bug - Infosecurity Magazine

• Apple Fixes the Sixth Zero-Day Since The Beginning of 2022 - Security Affairs

• Apache Releases Security Advisory for Tomcat | CISA

• Mozilla Patches Wednesday’s Pwn2Own Double-Exploit… on Friday! – Naked Security (sophos.com)

• Critical Vulnerability in Premium WordPress Themes Allows for Site Takeover | Threatpost

• Critical Jupiter WordPress Plugin Flaws Let Hackers Take Over Sites (bleepingcomputer.com)

• Apple Finally Patches Exploited Vulnerabilities in macOS Big Sur, Catalina | SecurityWeek.Com

• NVIDIA Fixes Ten Vulnerabilities in Windows GPU Display Drivers (bleepingcomputer.com)

• Gmail-Linked Facebook Accounts Vulnerable to Attack Using A Chain Of Bugs—Now Fixed | Malwarebytes Labs

• New Brute Force Attacks Against SQL Servers Use PowerShell Wrapper | SecurityWeek.Com

Sector Specific

Retail/eCommerce

• How Crooks Backdoor Sites and Scrape Credit Card Info • The Register

• Digital Skimming is Now the Preserve of Non-Magecart Groups - Infosecurity Magazine

Energy & Utilities

• Water Companies Are Increasingly Uninsurable Due To Ransomware, Industry Execs Say - CyberScoop

• UK Announces Nuclear Cyber Security Strategy - IT Security Guru

Education and Academia

• Ransomware Attack Exposes Data of 500,000 Chicago Students (bleepingcomputer.com)

• Higher Education Institutions Being Targeted for Ransomware Attacks | TechRepublic

• “Incompetent” Council Leaks Details of Students With Special Educational Needs • Graham Cluley

• Researchers Find Backdoor in School Management Plugin for WordPress (thehackernews.com)

Reports Published in the Last Week

• Q2 2022 State of Fraud & Account Security Report - Arkose Labs

• 2022 SaaS Security Survey Report (adaptive-shield.com)

• 2021-2022 UK Financial Sector Dark Web Threat Landscape Report - Kela (ke-la.com)

Other News

• UK Government: Lack of Skills the Number One Issue in Cyber Security - Infosecurity Magazine

• Malicious Hackers Are Finding It Too Easy to Achieve Their Initial Access (tripwire.com)

• NIST’s Cyber Security Framework Has Become The Common Language For International Cyber Security (scmagazine.com)

• How Threat Actors Are a Click Away From Becoming Quasi-APTs (darkreading.com)

• Cyber Security: Global Food Supply Chain at Risk From Malicious Hackers - BBC News

• Cyber Security Agencies Reveal Top Initial Access Attack Vectors (bleepingcomputer.com)

• 50% of Orgs Rely on Email to Manage Security (darkreading.com)

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

Ransomware Volumes Hit Record Highs As 2021 Wears On

Ransomware has seen a significant uptick so far in 2021, with global attack volume increasing by 151 percent for the first six months of the year as compared with the year-ago half. Meanwhile, the FBI has warned that there are now 100 different strains circulating around the world. From a hard-number perspective, the ransomware scourge hit a staggering 304.7 million attempted attacks. To put that in perspective, the firm logged 304.6 million ransomware attempts for the entirety of 2020.

https://threatpost.com/ransomware-volumes-record-highs-2021/168327/

Ransomware Gangs Recruiting Insiders To Breach Corporate Networks

The LockBit 2.0 ransomware gang is actively recruiting corporate insiders to help them breach and encrypt networks. In return, the insider is promised million-dollar payouts. Many ransomware gangs operate as a Ransomware-as-a-Service, which consists of a core group of developers, who maintain the ransomware and payment sites, and recruited affiliates who breach victims' networks and encrypt devices. Any ransom payments that victims make are then split between the core group and the affiliate, with the affiliate usually receiving 70-80% of the total amount. However, in many cases, the affiliates purchase access to networks from other third-party pentesters rather than breaching the company themselves. With LockBit 2.0, the ransomware gang is trying to remove the middleman and instead recruit insiders to provide them access to a corporate network.

https://www.bleepingcomputer.com/news/security/lockbit-ransomware-recruiting-insiders-to-breach-corporate-networks/

More Than 12,500 Vulnerabilities Disclosed In First Half Of 2021

Two new reports were released, covering data breaches and vulnerabilities in the first half of 2021, finding that there was a decline in the overall number of reported breaches but an increase in the number of vulnerabilities disclosed.  The company's data breach report found that there were 1,767 publicly reported breaches in the first six months of 2021, a 24% decline compared to the same period last year. The number of reported breaches grew in the US by 1.5% while 18.8 billion records were exposed year to date, a 32% decline compared to the 27.8 billion records leaked in the first half of 2020.

https://www.zdnet.com/article/more-than-12500-vulnerabilities-disclosed-in-first-half-of-2021-risk-based-security/

New DNS Vulnerability Allows 'Nation-State Level Spying' On Companies

Security researchers found a new class of DNS vulnerabilities impacting major DNS-as-a-Service (DNSaaS) providers that could allow attackers to access sensitive information from corporate networks.

DNSaaS providers (also known as managed DNS providers) provide DNS renting services to other organisations that do not want to manage and secure yet another network asset on their own.

These DNS flaws provide threat actors with nation-state intelligence harvesting capabilities with a simple domain registration.

https://www.bleepingcomputer.com/news/security/new-dns-vulnerability-allows-nation-state-level-spying-on-companies/

Constant Review Of Third Party Security Critical As Ransomware Threat Climbs

Enterprises typically would give their third-party suppliers "the keys to their castle" after carrying out the usual checks on the vendor's track history and systems, according to a New York-based Forrester analyst who focuses on security and risk. They believed they had done their due diligence before establishing a relationship with the supplier, but they failed to understand that they should be conducting reviews on a regular basis, especially with their critical systems suppliers. Third-party suppliers should have the ability to deal with irregular activities in their systems and the appropriate security architecture in place to prevent any downstream effects, he added.

https://www.zdnet.com/article/constant-review-of-third-party-security-critical-as-ransomware-threat-climbs/

Kaseya Ransomware Attack Sets Off Race To Hack Service Providers

A ransomware attack in July that paralyzed as many as 1,500 organisations by compromising tech-management software from a company called Kaseya has set off a race among criminals looking for similar vulnerabilities, cyber security experts said. An affiliate of a top Russian-speaking ransomware gang known as REvil used two gaping flaws in software from Florida-based Kaseya to break into about 50 managed services providers (MSPs) that used its products, investigators said. Now that criminals see how powerful MSP attacks can be, "they are already busy, they have already moved on and we don’t know where," said head of the non-profit Dutch Institute for Vulnerability Disclosure, which warned Kaseya of the weaknesses before the attack.

https://www.reuters.com/technology/kaseya-ransomware-attack-sets-off-race-hack-service-providers-researchers-2021-08-03/

‘It’s Quite Feasible To Start A War’: Just How Dangerous Are Ransomware Hackers?

Secretive gangs are hacking the computers of governments, firms, even hospitals, and demanding huge sums. But if we pay these ransoms, are we creating a ticking time bomb? They have the sort of names that only teenage boys or aspiring Bond villains would dream up (REvil, Grief, Wizard Spider, Ragnar), they base themselves in countries that do not cooperate with international law enforcement and they don’t care whether they attack a hospital or a multinational corporation. Ransomware gangs are suddenly everywhere, seemingly unstoppable – and very successful.

https://www.theguardian.com/technology/2021/aug/01/crypto-criminals-hack-the-computer-systems-of-governments-firms-even-hospitals

Joint UK/US Advisory Detailing Top 30 Vulnerabilities Include Plenty Of Usual Suspects

A joint advisory from law enforcement agencies in the US, UK, and Australia this week tallied the 30 most-frequently exploited vulnerabilities. Perhaps not surprisingly, the list includes a preponderance of flaws that were disclosed years ago; everything on the list has a patch available for whoever wants to install it. But as we've written about time and again, many companies are slow to push updates through for all kinds of reasons, whether it's a matter of resources, know-how, or an unwillingness to accommodate the downtime often necessary for a software refresh. Given how many of these vulnerabilities can cause remote code execution—you don't want this—hopefully they'll start to make patching more of a priority.

https://www.wired.com/story/top-vulnerabilities-russia-nso-group-iran-security-news/

Average Total Cost Of A Data Breach Increased By Nearly 10% Year Over Year

Based on in-depth analysis of real-world data breaches experienced by over 500 organisations, the global study suggests that security incidents became more costly and harder to contain due to drastic operational shifts during the pandemic, with costs rising 10% compared to the prior year. Businesses were forced to quickly adapt their technology approaches last year, with many companies encouraging or requiring employees to work from home, and 60% of organisations moving further into cloud-based activities during the pandemic. The new findings suggest that security may have lagged behind these rapid IT changes, hindering organizations’ ability to respond to data breaches.

https://www.helpnetsecurity.com/2021/07/29/total-cost-data-breach/

65% Of All DDoS Attacks Target US And UK

Distributed denial of service (DDoS) attacks are common for cyber criminals who want to disrupt online-dependent businesses. According to the data analysed by a VPN team, 65% of all distributed denial of service (DDoS) attacks are directed at the US or UK. Computers and the internet industry are the favourite among cyber criminals. The United States was a target for 35% of all DDoS attacks in June 2021. Cyber criminals launched DDoS attacks against Amazon Web Services, Google, and other prominent US-based companies in the past. The United Kingdom comes second as it fell victim to 29% of all DDoS attacks. As the UK has many huge businesses, they often are targeted by hackers for valuable data or even a ransom. China was threatened by 18% of all DDoS attacks in June 2021. Assaults from and to China happen primarily due to political reasons, to interrupt some government agency.

https://www.pcr-online.biz/2021/08/05/65-of-all-ddos-attacks-target-us-and-uk/

Threats

Ransomware

• Ransomware Attempt Volume Sets Record, Reaches More Than 300 Million For First Half Of 2021: SonicWall

• Ransomware Attacks Rise Despite US Call For Clampdown On Cyber Criminals

• Isle Of Wight Schools Hit By Ransomware Attack

• BlackMatter Ransomware Gang Rises From The Ashes Of DarkSide, Revil

• Criminals Are Using Call Centres To Spread Ransomware In A Crafty Scheme

Phishing

• Phishing Campaign Dangles SharePoint File-Shares

• Microsoft Warns Office 365 Users Over This Sneaky Phishing Campaign

• Spear Phishing Now Targets Employees Outside The Finance And Executive Teams, Report Says

Other Social Engineering

• Bazarcaller – The Malware Gang That Talks You Into Infecting Yourself

Malware

• A Wide Range Of Cyber Attacks Leveraging Prometheus TDS Malware Service

• Several Malware Families Targeting IIS Web Servers With Malicious Modules

• Cyber Criminals Spoof Brave Browser Website To Push Malware

• Microsoft: This Windows And Linux Malware Does Everything It Can To Stay On Your Network

• Discord Once Again Found To Be Hosting Malware Payloads

Mobile

• An Explosive Spyware Report Shows Limits Of IOS, Android Security

• This Android Malware Steals Your Data In The Most Devious Way

• The Latest Android Bank-Fraud Malware Uses A Clever Tactic To Steal Credentials

Vulnerabilities

• Code Execution Flaw Found In Cisco Firepower Device Manager On-Box Software

• Cisco Issues Critical Security Patches To Fix Small Business VPN Router Bugs

• Decade-Long Vulnerability In Multiple Routers Could Allow Network Compromise

• Security Researchers Warn Of TCP/IP Stack Flaws In Operational Technology Devices

• PwnedPiper PTS Security Flaws Threaten 80% of Hospitals In The U.S.

• Researchers Highlight Windows Laptop TPM Vulnerabilities

Data Breaches

• Threat Actors Leaked Data Stolen From EA, Including FIFA Code

• Hackers Breach San Diego Hospital, Gaining Access To Patients'... Well, Uh, Everything

• Amazon Fined $886M For Alleged Data Breach

OT, ICS, IIoT and SCADA

• Novel Meteor Wiper Used In Attack That Crippled Iranian Train System

Organised Crime & Criminal Actors

• Critical Cobalt Strike Bug Leaves Botnet Servers Vulnerable To Takedown

Cryptocurrency/Cryptojacking

• Raccoon Stealer-As-A-Service Will Now Try To Grab Your Crypto Currency

Supply Chain

• Supply Chain Attacks Are Getting Worse, And You Are Not Ready For Them

Nation State Actors

• Here's 30 Servers Russian Intelligence Uses To Fling Malware At The West, Beams RiskIQ

• Russian Federal Agencies Were Attacked With Chinese Webdav-O Virus

• New Chinese Spyware Being Used In Widespread Cyber Espionage Attacks

• Suspected Chinese Hackers Took Advantage Of Microsoft Exchange Vulnerability To Steal Call Records

• Iranian APT Lures Defense Contractor In Catfishing-Malware Scam

• Chinese Hackers Target Major Southeast Asian Telecom Companies

Cloud

• The Rise Of Cloud Is Creating Security Blind Spots

Reports Published in the Last Week

• APT Trends Report Q2 2021

• Spam and Phishing in Q2 2021

Other News

• It's Time To Improve Linux's Security

• Leaked Document Says Google Fired Dozens Of Employees For Data Misuse

• Hybrid Work Is Here To Stay – But What Does That Mean For Cyber Security?

• Huawei To America: You're Not Taking Cyber Security Seriously Until You Let China Vouch For Us

• Windows 11's Strict Hardware Requirements Cannot Be Bypassed, Microsoft Admits, "We Know It Sucks... We Will Still Block You"

• Trusted Platform Module Security Defeated In 30 Minutes, No Soldering Required

• NSA Warns Public Networks Are Hacker Hotbeds

• Credit-Card-Stealing, Backdoored Packages Found In Python's PyPi Library Hub

• Apple Plans To Scan US IPhones For Child Abuse Imagery

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

Ransomware Attacks Grew By 485% In 2020

Ransomware attacks increased by an astonishing 485% in 2020 compared to 2019, according to Bitdefender’s 2020 Consumer Threat Landscape Report, which highlighted the ways cyber criminals targeted the COVID-19 pandemic. Interestingly, nearly two-thirds (64%) of the ransomware attacks took place in the first two quarters of 2020.

https://www.infosecurity-magazine.com/news/ransomware-attacks-grow-2020/

Cyber Insurance Firm Suffers Sophisticated Ransomware Cyber Attack; Data Obtained May Help Hackers Better Target Firm’s Customers

One of the largest insurance firms in the US CNA Financial was reportedly hit by a “sophisticated cyber security attack” on March 21, 2021. The cyber attack disrupted the company’s employee and customer services for three days as the company shut down “out of an abundance of caution” to prevent further compromise.

https://www.cpomagazine.com/cyber-security/cyber-insurance-firm-suffers-sophisticated-ransomware-cyber-attack-data-obtained-may-help-hackers-better-target-firms-customers/amp/

Ransom Gangs Emailing Victim Customers For Leverage

Some of the top ransomware gangs are deploying a new pressure tactic to push more victim organisations into paying an extortion demand: Emailing the victim’s customers and partners directly, warning that their data will be leaked to the dark web unless they can convince the victim firm to pay up.

https://krebsonsecurity.com/2021/04/ransom-gangs-emailing-victim-customers-for-leverage/

'We Have Your Porn Collection': The Rise Of Extortionware

Experts say the trend towards ransoming sensitive private information could affect companies not just operationally but through reputation damage. It comes as hackers bragged after discovering an IT Director's secret porn collection. The targeted US firm has not publicly acknowledged that it was hacked. In its darknet blog post about the hack last month, the cyber-criminal gang named the IT director whose work computer allegedly contained the files.

https://www.bbc.co.uk/news/technology-56570862

Should Firms Be More Worried About Firmware Cyber Attacks?

Microsoft recently put out a report claiming that businesses globally are neglecting a key aspect of their cyber security - the need to protect computers, servers, and other devices from firmware attacks. Its survey of 1,000 cyber security decision makers at enterprises across multiple industries in the UK, US, Germany, Japan, and China has revealed that 80% of firms have experienced at least one firmware attack in the past two years. Yet only 29% of security budgets have been allocated to protect firmware.

https://www.bbc.co.uk/news/business-56671419

Armed Conflict Draws Closer As State-Backed Cyber Attacks Intensify

The world is coming perilously close to nation states retaliating against cyber attacks with conventional weapons, according to a new HP report. Publicly available reports into state-sponsored attacks and interviews with scores of experts. It claimed there has been a 100% increase in “significant” state-backed attacks between 2017-20, and an average of over 10 publicly attributed attacks per month in 2020 alone.

https://www.infosecurity-magazine.com/news/armed-conflict-closer-state/

Coca-Cola Trade Secret Theft Underscores Importance Of Insider Threat Early Detection

The trial of Xiaorong You started in Greenville, TN, this week. She is accused of trade secret theft and economic espionage after allegedly stealing technologies owned by several companies, including her former employers Coca-Cola and Eastman Chemical Company. The value placed on the development of the stolen technologies is $119.6 million. Other affected companies include Azko-Nobel, Dow Chemical, PPG, TSI, Sherwin Williams and ToyoChem.

The details of the case suggest that the damages the accused is allegedly responsible for could have been minimized if better real-time insider threat detection methods had been in place. They also outline possible motives for the theft of the intellectual property: ego and money.

https://www.csoonline.com/article/3613953/coca-cola-trade-secret-theft-underscores-importance-of-insider-threat-early-detection.html

Attackers Blowing Up Discord, Slack With Malware

Workflow and collaboration tools like Slack and Discord have been infiltrated by threat actors, who are abusing their legitimate functions to evade security and deliver info-stealers, remote-access trojans (RATs) and other malware. The pandemic-induced shift to remote work drove business processes onto these collaboration platforms in 2020, and predictably, 2021 has ushered in a new level cyber criminal expertise in attacking them.

https://threatpost.com/attackers-discord-slack-malware/165295/

Scraped Data Of 500 Million LinkedIn Users Being Sold Online, 2 Million Records Leaked As Proof

An archive containing data purportedly scraped from 500 million LinkedIn profiles has been put for sale on a popular hacker forum, with another 2 million records leaked as a proof-of-concept sample by the post author. The four leaked files contain information about the LinkedIn users whose data has been allegedly scraped by the threat actor, including their full names, email addresses, phone numbers, workplace information, and more.

While users on the hacker forum can view the leaked samples for about $2 worth of forum credits, the threat actor appears to be auctioning the much-larger 500 million user database for at least a 4-digit sum, presumably in bitcoin.

https://cybernews.com/news/stolen-data-of-500-million-linkedin-users-being-sold-online-2-million-leaked-as-proof-2/

Massive Facebook Data Breach Leaks Info On Millions Of Users

The personal information of hundreds of millions of Facebook users across the globe has been leaked online. Around 533 million Facebook users are thought to have been affected by the data breach, with phone numbers, Facebook ID, full name, location, past location, birthdate, email address, account creation date, relationship status, and personal bios all available. The data is thought to be the same set that was leaked in January 2021 and was available to purchase online, meaning Facebook has failed to secure its users once again.

https://www.techradar.com/uk/news/massive-facebook-data-breach-leaks-info-on-millions-of-users

Threats

Ransomware

• REvil ransomware now changes password to auto-login in Safe Mode

Phishing

• LinkedIn Spear-Phishing Campaign Targets Job Hunters

• Phishing Emails Most Commonly Originate from Eastern Europe

Malware

• IcedID Banking Trojan Surges: The New Emotet?

• New wormable Android malware poses as Netflix to hijack WhatsApp sessions

Mobile

• Another supply-chain attack? Android maker Gigaset injects malware into victims' phones via poisoned update

IOT

• 99% of security pros concerned about their IoT and IIoT security

Vulnerabilities

• Critical Zoom vulnerability triggers remote code execution without user input

• Zero-Day Bug Impacts Problem-Plagued Cisco SOHO Routers

• Bug allows attackers to hijack Windows time sync software used to track security incidents

• Critical Cloud Bug in VMWare Carbon Black Allows Takeover

• AMD admits Zen 3 processors are vulnerable to Spectre-like side-channel attack

• Hackers are actively targeting FortiOS vulnerabilities

• Legacy QNAP NAS Devices Vulnerable to Zero-Day Attack

• SAP Bugs Under Active Cyberattack, Causing Widespread Compromise

Data Breaches

• Adult content from hundreds of OnlyFans creators leaked online

• A huge trove of credit card records and Social Security numbers just got hacked

• Booking.com fined €475,000 for late reporting of data breach

Nation State Actors

• Spy Operations Target Vietnam with Sophisticated RAT

• North Korean hackers return, target infosec researchers in new operation

Privacy

• Cyber criminals could be watching your home security footage

• The Home Office is preparing another attack on encryption

Other News

• Ubiquiti is accused of covering up a ‘catastrophic’ data breach — and it’s not denying it

• VISA: Hackers increasingly using web shells to steal credit cards

• Cloud-native watering hole attack: Simple and potentially devastating

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.