Threat Intelligence Blog

Contact our Experts Now

Subscribe to our Weekly Cyber Threat Intelligence Briefing

Black Arrow Admin 05/02/2023 Black Arrow Admin 05/02/2023

Black Arrow Cyber Threat Briefing 03 February 2023

Black Arrow Cyber Threat Briefing 03 February 2023:

-Business Leaders Need a Hands-on Approach to Stop Cyber Crime, Says Spy Chief

-Rising ‘Firebrick Ostrich’ BEC Group Launches Industrial Scale Cyber Attacks

-The Corporate World is Losing its Grip on Cyber Risk

-Microsoft Reveals Over 100 Threat Actors are Deploying Ransomware in Attacks

-Greater Incident Complexity, a Shift in How Threat Actors Use Stolen Data Will Drive the Cyber Threat Landscape in 2023

-The Threat from Within: 71% of Business Leaders Surveyed Think Next Cyber Security Breach Will come from the Inside

-98% of Organisations Have a Supply Chain Relationship That Has Been Breached

-New Survey Reveals 40% of Companies Experienced a Data Leak in the Past Year

-Russian Hackers Launch Cyber Attack on Germany in Leopard Tank Retaliation

-Financial Services Targeted in 28% of UK Cyber Attacks Last Year

-Phishing Attacks are Getting Scarily Sophisticated. Here’s what to Watch Out For

-City of London on High Alert After Ransomware Attack

-Ransomware Conversations: Why the CFO is Pivotal to Discussing and Preparing for Risk

-JD Sports Warns of 10 Million Customers Put at Risk in Cyber Attack

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

Business Leaders Need a Hands-on Approach to Stop Cyber Crime, Says Spy Chief

Business leaders must not see cyber crime as “just a technical issue” that can be left up to IT departments, said Lindy Cameron, chief executive of the National Cyber Security Centre (NCSC). Ms Cameron later commented that “In the world of cyber security, the new year has brought with it some sadly familiar themes - a continuation of cyber incidents affecting organisations large and small as well as the British public”.

Along with this, came the urge for business leaders to step up their efforts in combating cyber crime by taking an active interest and educating themselves on the subject. When commenting upon board members’ level of understanding, Ms Cameron said “I’d also encourage board members to develop a basic understanding of cyber security, which can help when seeking assurances from IT teams about the resilience of an organisation - in a similar way that leaders have a certain level of understanding of finance to assess financial health”.

https://www.telegraph.co.uk/news/2023/01/28/business-leaders-need-hands-on-approach-stop-cyber-crime-says/

Rising ‘Firebrick Ostrich’ BEC Group Launches Industrial Scale Cyber Attacks

Business email compromise (BEC) has become one of the most popular methods of financially motivated hacking. And over the past year, one group in particular has demonstrated just how quick, easy, and lucrative it really is.

"Firebrick Ostrich" is a threat actor that's been performing BEC at a near-industrial scale. Since April 2021, the group has carried out more than 350 BEC campaigns, impersonating 151 organisations and utilising 212 malicious domains in the process. This volume of attacks is made possible by the group's wholesale gunslinging approach. Firebrick Ostrich doesn't discriminate much when it comes to targets, or gather exceptional intelligence in order to craft the perfect phishing bait. It throws darts at a wall because, evidently, when it comes to BEC at scale, that's enough.

BEC is attractive to bad actors due to the lower barriers to entry than malware, less risk, faster scaling opportunities, and way more profit potential to higher echelons than other methods of attack. These factors may explain why such attacks are absolutely the emerging trend, potentially even leaving even ransomware in the dust. There are literally hundreds, if not thousands, of these groups out there.

https://www.darkreading.com/remote-workforce/rising-firebrick-ostrich-bec-group-launches-industrial-scale-cyberattacks

The Corporate World is Losing its Grip on Cyber Risk

Lloyd's of London’s insurance market prides itself on being able to put a price on anything, from Tina Turner’s legs or Bruce Springsteen’s vocal cords, to the risk that a bounty hunter might claim the reward from Cutty Sark Whisky in the 1970s for capturing the Loch Ness monster.

But from the end of March, there will be something it won’t price: systemic cyber risk, or the type of major, catastrophic disruption caused by state-backed cyber warfare. In one sense, this isn’t surprising. Insurance policies typically exclude acts of war. Russia’s NotPetya attack on Ukraine in 2017 showed how state-backed cyber assaults can surpass traditional definitions of armed conflict and overspill their sovereign target to hit global businesses. It caused an estimated $10bn in damages and years of wrangling between companies like pharma group Merck and snack maker Mondelez and their insurers.

But the move is prompting broader questions about the growing pains in this corner of the insurance world. “Cyber insurance isn’t working anywhere at the moment as a public good for society,” says Ciaran Martin, former head of the UK National Cyber Security Centre. “It has a huge role to play in improving defences in a market-based economy and it has been a huge disappointment in that sense so far.”

The Lloyd’s move is designed, say insurers, to clarify rather than restrict coverage. Whether it succeeds is another matter: this is a murky world, where cyber crime groups operate with impunity in certain jurisdictions.

https://www.ft.com/content/78bfdf29-1e20-4c12-a348-06e98d5ae906

Microsoft Reveals Over 100 Threat Actors are Deploying Ransomware in Attacks

Microsoft revealed this week that its security teams are tracking over 100 threat actors deploying ransomware during attacks. In all, the company says it monitors over 50 unique ransomware families, with some of the most prominent ransomware payloads in recent campaigns including Lockbit, BlackCat (aka ALPHV), Play, Vice Society, Black Basta, and Royal.

Microsoft said that defence strategies should focus less on payloads themselves but more on the chain of activities that lead to their deployment, since ransomware gangs are still targeting servers and devices not yet patched against common or recently addressed vulnerabilities.

Furthermore, while new ransomware families launch all the time, most threat actors utilise the same tactics when breaching and spreading through networks, making the effort of detecting such behaviour even more helpful in thwarting their attacks.

Attackers are increasingly relying on tactics beyond phishing to conduct their attacks, with threat actors for example capitalising on recently patched Exchange Server vulnerabilities to hack vulnerable servers and deploy Cuba and Play ransomware.

https://www.bleepingcomputer.com/news/security/microsoft-over-100-threat-actors-deploy-ransomware-in-attacks/

Ransomware Conversations: Why the CFO is Pivotal to Discussing and Preparing for Risk

With the amount of cyber attacks in all industries, organisations are beginning to grasp the significance of cyber risk and how it is integral to protecting and maintaining an efficient business. In fact, the first half of 2022 alone saw 236.1 million cases of ransomware.

Whilst the expectation for responsibility has typically fallen on Chief Information Security Officers (CISOs), Chief Financial Officers (CFOs) are just as vital in managing cyber risk, which is now inherently also business risk. The CFO plays an important part in determining whether cyber security incidents will become material and affect the business more seriously. Their insight is critical across many areas which include ransomware, cyber insurance, regulatory compliance and budget management.

https://www.itsecurityguru.org/2023/02/02/ransomware-conversations-why-the-cfo-is-pivotal-to-discussing-and-preparing-for-risk

Greater Incident Complexity, a Shift in How Threat Actors Use Stolen Data Will Drive the Cyber Threat Landscape in 2023

Insurance provider Beazley released their Cyber Services Snapshot Report which claims the cyber security landscape will be influenced by greater complexity and the way threat actors use stolen data. The report also found that as a category, fraudulent instruction experienced a growth as a cause of loss in 2022, up 13% year-over year.

In response to vulnerabilities such as fraudulent instructions, the report suggests organisations must get smarter about educating users to spot things such as spoofed emails or domain names. The report also cautions organisations to watch for social engineering, spear phishing, bypassing of multi-factor authentication (MFA), targeting of managed service providers (MSP) and the compromise of cloud environments as areas of vulnerability.

https://www.darkreading.com/attacks-breaches/greater-incident-complexity-a-shift-in-the-way-threat-actors-use-stolen-data-and-a-rise-in-us-class-actions-will-drive-the-cyber-threat-landscape-in-2023-according-to-beazley-report

The Threat from Within: 71% of Business Leaders Surveyed Think Next Cyber Security Breach Will Come from the Inside

A survey conducted by IT provider EisnerAmper found that 71% of business executives worry about accidental internal staff error as one of the top threats facing their organisation and 23% of these worried about malicious intent by an employee. In comparison, 75% of business executives had concerns about external hackers. The survey also asked about current safety measures, with 51% responding that they were “somewhat prepared”. Despite this, only 50% of respondents reported conducting regular cyber security training.

https://www.darkreading.com/vulnerabilities-threats/the-threat-from-within-71-of-business-leaders-surveyed-think-next-cybersecurity-breach-will-come-from-the-inside

98% of Organisations Have a Supply Chain Relationship That Has Been Breached

A report from SecurityScorecard found that 98% of organisations have a relationship with at least one third party that has experienced a breach in the last two years, while more than 50% have an indirect relationship with more than 200 fourth parties that have been breached. Of course, this is keeping in mind that not all organisations disclose or even know they have been breached.

https://www.securityweek.com/98-of-firms-have-a-supply-chain-relationship-that-has-been-breached-analysis/

New Survey Reveals 40% of Companies Experienced a Data Leak in the Past Year

Software provider SysKit has published a report on the effects of digital transformation on IT administrators and the current governance landscape. The report found that 40% of organisations experienced a data leak in the previous year. A data leak can have severe consequences on an organisation's efficiency and the impact can lead to large fines, downtime, and loss of business-critical certifications and customers.

In addition, the Survey found that the biggest challenge for IT administrators was a lack of understanding from superiors, huge workloads and misalignment of IT and business strategies.

https://www.darkreading.com/attacks-breaches/new-survey-reveals-40-of-companies-experienced-a-data-leak-in-the-past-year

Russian Hackers Launch Cyber Attack on Germany in Leopard Tank Retaliation

The websites of key German administrations, including companies and airports, have been targeted by cyber attacks, the German Federal Office for Information Security (BSI) stated.

The BSI commented they had been informed of DDoS (distributed denial of service) attacks “currently in progress against targets in Germany". This was followed by the statement that “Individual targets in the financial sector” and federal government sites were also attacked, with some websites becoming temporarily unavailable. It is believed that this is due to the approved deployment of Leopard 2 tanks to Ukraine, with Russian hacker site Killnet taking credit.

https://www.euronews.com/2023/01/26/russian-hackers-launch-cyberattack-on-germany-in-leopard-retaliation

Financial Services Targeted in 28% of UK Cyber Attacks Last Year

Based on data from security provider Imperva, security researchers have identified that over a quarter (28%) of all cyber attacks in the UK hit the financial services and insurance (FSI) industry in the last 12 months. The data also found that Application Programme Interface (API) attacks, malicious automated software and distributed denial of service (DDoS) attacks were the most challenging for the industry. In addition, the data found that roughly 40% of all account takeover attempts were targeted at the FSI industry.

https://www.infosecurity-magazine.com/news/quarter-cyber-attacks-uk-financial/

Phishing Attacks are Getting Scarily Sophisticated. Here’s What to Watch Out For

Hackers are going to great lengths, including mimicking real people and creating and updating fake social media profiles, to trick victims into clicking phishing links and handing over usernames and passwords. The National Cyber Security Centre (NCSC) warns that these phishing attacks are targeting a range of sectors.

The NCSC has also released mitigation advice to help organisations and individuals protect themselves online. The mitigation advice included the use of strong passwords, separate to other accounts; enabling multi-factor authentication (MFA); and applying the latest security updates.

https://www.zdnet.com/article/phishing-attacks-are-getting-scarily-sophisticated-heres-what-to-watch-out-for/

City of London on High Alert After Ransomware Attack

A suspected ransomware attack on a key supplier of trading software to the City of London this week appears to have disrupted activity in the derivatives market. The company impacted, Ion Cleared Derivatives, is investigating. It is reported that 42 clients were impacted by the attack.

https://www.infosecurity-magazine.com/news/city-of-london-high-alert/

JD Sports Warns of 10 Million Customers Put at Risk in Cyber Attack

Sportswear retailer JD Sports said it was the victim of a cyber attack that exposed the data of 10 million customers, in the latest spate of hacks on UK companies.

JD Sports explained that the attack involved unauthorised access to a system that contained “the name, billing address, delivery address, phone number, order details and the final four digits of payment cards”. The data related to customers’ orders made between November 2018 and October 2020, with outdoor gear companies Millets and Blacks also impacted. A full review with cyber security and external specialists is underway.

https://www.ft.com/content/afe00f2f-afcd-478f-9e4d-1cf9c943fa79

Threats

Ransomware, Extortion and Destructive Attacks

Phishing & Email Based Attacks

BEC – Business Email Compromise

Other Social Engineering; Smishing, Vishing, etc

2FA/MFA

Facebook Bug Allows 2FA Bypass Via Instagram (darkreading.com)

Malware

Mobile

Botnets

New Threat: Stealthy HeadCrab Malware Compromised Over 1,200 Redis Servers (thehackernews.com)

Denial of Service/DoS/DDOS

Internet of Things – IoT

Data Breaches/Leaks

Organised Crime & Criminal Actors

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

Insider Risk and Insider Threats

Fraud, Scams & Financial Crime

Impersonation Attacks

AML/CFT/Sanctions

As the anti-money laundering perimeter expands, who needs to be compliant, and how? - Help Net Security

Insurance

4 Cyber Insurance Requirement Predictions for 2023 (trendmicro.com)

Dark Web

Supply Chain and Third Parties

Cloud/SaaS

Containers

Researchers Claim High-Risk Vulnerabilities Found in 87% of All Container Images - Infosecurity Magazine (infosecurity-magazine.com)

Encryption

API

Open Source

Microsoft upgrades Defender to lock down Linux devices • The Register

Passwords, Credential Stuffing & Brute Force Attacks

Social Media

Malvertising

Malvertising attacks are distributing .NET malware loaders • The Register

Training, Education and Awareness

Are Your Employees Thinking Critically About Their Online Behaviours? (darkreading.com)

Regulations, Fines and Legislation

Governance, Risk and Compliance

Careers, Working in Cyber and Information Security

Law Enforcement Action and Take Downs

Privacy, Surveillance and Mass Monitoring

Artificial Intelligence

Misinformation, Disinformation and Propaganda

Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine

Nation State Actors

Nation State Actors – Russia

Nation State Actors – China

Nation State Actors – North Korea

Nation State Actors – Iran

Nation State Actors – Misc

Vulnerability Management

Vulnerabilities

Tools and Controls

Gartner report shows zero trust isn’t a silver bullet | VentureBeat

Other News

Sector Specific

Industry specific threat intelligence reports are available.

· Automotive

· Construction

· Critical National Infrastructure (CNI)

· Defence & Space

· Education & Academia

· Energy & Utilities

· Estate Agencies

· Financial Services

· FinTech

· Food & Agriculture

· Gaming & Gambling

· Government & Public Sector (including Law Enforcement)

· Health/Medical/Pharma

· Hotels & Hospitality

· Insurance

· Legal

· Manufacturing

· Maritime

· Oil, Gas & Mining

· OT, ICS, IIoT, SCADA & Cyber-Physical Systems

· Retail & eCommerce

· Small and Medium Sized Businesses (SMBs)

· Startups

· Telecoms

· Third Sector & Charities

· Transport & Aviation

· Web3

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Black Arrow Admin 30/01/2023 Black Arrow Admin 30/01/2023

Black Arrow Cyber Informational 30/01/2023 – PoC Released for Microsoft Certification Vulnerability, Devices Still Vulnerable Months After NSA Disclosure

Executive Summary

The security provider Akami has identified that less than 1% of visible devices in data centres have been patched for a Microsoft CryptoAPI spoofing vulnerability (CVE-2022-34689), despite NSA disclosure and a publicly released patch by Microsoft in October 2022. In addition, Akamai have created a proof of concept for how this vulnerability can be exploited.

What’s the risk to me or my business?

Successful exploitation of this vulnerability could allow an attacker to spoof their identity and perform actions such as authentication or code signing from a targeted certificate. If you do not use applications with end-certificate caching, you are not vulnerable to this attack. At this time, the provided proof of concept was only applicable if the attacker had the ability to generate a certificate from the targeted infrastructure, and if the targeted webpage or application was accessed using version v48 of Chrome or earlier, which was released on 25 January 2016.

What can I do?

Patch your Windows endpoints and servers with the latest security patches provided by Microsoft. This vulnerability was addressed as part of the October 2022 Patch Tuesday.

Further information on the vulnerability can be found here: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-34689

Akami’s Report can be found here: https://www.akamai.com/blog/security-research/exploiting-critical-spoofing-vulnerability-microsoft-cryptoapi

Need help understanding your gaps, or just want some advice? Get in touch with us.

#threatadvisory #threatintelligence #cybersecurity

Black Arrow Admin 29/01/2023 Black Arrow Admin 29/01/2023

Black Arrow Cyber Threat Briefing 27 January 2023

Black Arrow Cyber Threat Briefing 27 January 2023:

-Supply Chain Attacks Caused More Data Compromises Than Malware

-What Makes Small and Medium-Sized Businesses Vulnerable to BEC Attacks

-Understanding Your Attack Surface Makes It Easier to Prioritise Technologies and Systems

-Cyber Security Pros Sound Alarm Over Insider Threats

-Ransomware Attack Hit KFC and Pizza Hut Stores in the UK

-Forthcoming SEC Rules Will Trigger ‘Tectonic Shift’ in How Corporate Boards Treat Cyber Security

-Why CISOs Make Great Board Members

-View From Davos: The Changing Economics of Cyber Crime

-Cloud Based Networks Under Increasing Attack, Report Finds

-GoTo Admits: Customer Cloud Backups Stolen Together with Decryption Key

-State-Linked Hackers in Russia and Iran are Targeting UK Groups, NCSC Warns

-3.7 Million Customers’ Data of Hilton Hotels Put Up For Sale

Top Cyber Stories of the Last Week

Supply Chain Attacks Caused More Data Compromises Than Malware

According to the Identity Theft Resource Center, data compromises steadily increased in the second half of 2022 and cyber attacks remained the primary source of data breaches.

The number of data breaches resulting from supply chain attacks exceeded malware related compromises in 2022 by 40%. According to the report, more than 10 million people were impacted by supply chain attacks targeting 1,743 entities. By comparison, 70 malware-based cyber attacks affected 4.3 million people.

https://www.helpnetsecurity.com/2023/01/26/data-compromises-2022/

What Makes Small and Medium-Sized Businesses Vulnerable to BEC Attacks

According to the United States’ FBI’s 2021 Internet Crime Report, business email compromise (BEC) accounted for almost a third of the country’s $6.9 billion in cyber losses that year – around $2.4 billion. In surprisingly sharp contrast, ransomware attacks accounted for only $50 million of those losses.

Small and medium-sized businesses (SMBs) are especially vulnerable to this form of attack and BEC’s contribution to annual cyber losses not only makes sense but is also likely underreported.

In stark contrast to highly disruptive ransomware attacks, BEC is subversive and is neither technically complicated nor expensive to deploy. In the case of large organisations, the financial fallout of BEC is almost negligible. That’s not the case for small and medium-sized businesses, which often lack the means to absorb similar financial losses.

BEC’s simplicity gives more credence for attackers to target smaller organisations, and because of that, it’s doubly essential for SMBs to be vigilant.

https://www.helpnetsecurity.com/2023/01/25/what-makes-small-medium-sized-businesses-vulnerable-bec-attacks-video/

Understanding Your Attack Surface Makes It Easier to Prioritise Technologies and Systems

It has been observed that attackers will attempt to start exploiting vulnerabilities within the first fifteen minutes of their disclosure. As the time to patch gets shorter, organisations need to be more pragmatic when it comes to remediating vulnerabilities, particularly when it comes to prioritisation.

Attack surfaces constantly evolve and change as new applications are developed, old systems are decommissioned, and new assets are registered. Also, more and more organisations are moving towards cloud-hosted infrastructure, which changes the risk and responsibility for securing those assets. Therefore, it is essential to carry out continuous or regular assessments to understand what systems are at risk, instead of just taking a point-in-time snapshot of how the attack surface looks at that moment.

The first step would be to map “traditional” asset types – those easily associated with an organisation and easy to monitor, such as domains and IP addresses. Ownership of these assets can be easily identified through available information (e.g., WHOIS data). The less traditional asset types (such as GitHub repositories) aren’t directly owned by the organisation but can also provide high-value targets or information for attackers.

It’s also important to understand which technologies are in use to make sound judgements based on the vulnerabilities relevant to the organisation. For example, out of one hundred vulnerabilities released within one month only 20% might affect the organisation’s technologies.

Once organisations have a good understanding of which assets might be at risk, context and prioritisation can be applied to the vulnerabilities affecting those assets. Threat intelligence can be utilised to determine which vulnerabilities are already being exploited in the wild.

What is then the correct answer for this conundrum? The answer is that there is no answer! Instead, organisations should consider a mindset shift and look towards preventing issues whilst adopting a defence-in-depth approach; focus on minimising impact and risk by prioritising assets that matter the most and reducing time spent on addressing those that don’t. This can be achieved by understanding your organisation’s attack surface and prioritising issues based on context and relevance.

https://www.helpnetsecurity.com/2023/01/24/understanding-your-attack-surface/

Cyber Security Pros Sound Alarm Over Insider Threats

Gurucul, a security information and event management (SIEM) solution provider, and Cyber security Insiders, a 600,000-plus member online community for information security professionals, found in their annual 2023 Insider Threat Report that only 3% of respondents surveyed are not concerned with insider risk.

Among all potential insiders, cyber security professionals are most concerned about IT users and admins with far-reaching access privileges (60%). This is followed by third-party contractors (such as MSPs and MSSPs) and service providers (57%), regular employees (55%), and privileged business users (53%).

The research also found that more than half of organisations in the study had been victimised by an insider threat in the past year. According to the data, 75% of the respondents believe they are moderately to extremely vulnerable to insider threats, an 8% spike from last year. That coincided with a similar percentage who said attacks have become more frequent, with 60% experiencing at least one attack and 25% getting hit by more than six attacks.

https://www.msspalert.com/cybersecurity-research/research-report-cybersecurity-pros-sound-alarm-over-insider-threats/

Ransomware Attack Hit KFC and Pizza Hut Stores in the UK

Nearly 300 fast food restaurants, including branches of KFC and Pizza Hut, were forced to close following a ransomware attack against parent company Yum! Brands. In a statement dated 18 January 2023, Yum! confirmed that unnamed ransomware had impacted some of its IT infrastructure, and that data had been exfiltrated by hackers from its servers. However, although an investigation into the security breach continues, the company said that it had seen no evidence that customer details had been exposed.

What has not yet been made public, and may not even be known to those investigating the breach, is how long hackers might have had access to the company's IT infrastructure, and how they might have been able to gain access to what should have been a secure system. Yum! has also not shared whether it has received a ransom demand from its attackers, and if it did how much ransom was demanded, and whether it would be prepared to negotiate with its extortionists.

https://www.bitdefender.com/blog/hotforsecurity/ransomware-attack-hit-kfc-and-pizza-hut-stores-in-the-uk/

Forthcoming SEC Rules Will Trigger ‘Tectonic Shift’ in How Corporate Boards Treat Cyber Security

Under rules first proposed in 2022 but expected to be finalised as soon as April 2023, publicly traded companies in the US that determine a cyber incident has become “material”, meaning it could have a significant impact on the business, must disclose details to the SEC and investors within four business days. That requirement would also apply “when a series of previously undisclosed, individually immaterial cyber security incidents has become material in the aggregate.

The SEC’s rules will also require the boards of those companies to disclose significant information on their security governance, such as how and when it exercises oversight on cyber risks. That info includes identifying who on the board (or which subcommittee) is responsible for cyber security and their relevant expertise. Required disclosures will also include how often and by which processes board members are informed and discuss cyber risk. The former cyber adviser to the SEC commented that “The problem we have with the current cyber security ecosystem is that it’s very focused on technical mitigation measures and does not contemplate these business, operational, [or] financial factors.”

Whilst this only impacts US firms, we can expect other jurisdictions to follow suit.

https://www.itbrew.com/stories/2023/01/20/forthcoming-sec-rules-will-trigger-tectonic-shift-in-how-corporate-boards-treat-cybersecurity

Why CISOs Make Great Board Members

Cyber security-related risk is a top concern, so boards need to know they have the proper oversight in place. The past three years created a perfect storm situation with lasting consequences for how we think about cyber security, and as a result cyber security technologies and teams have shifted from being viewed as a cost centre to a business enabler.

Gartner predicts that by 2025, 40% of companies will have a dedicated cyber security committee. Who is better suited than a CISO to lead that conversation? Cyber security-related risk is a top concern, so boards need to know they have the proper oversight in place. CISOs can provide advice on moving forward with digital change initiatives and help companies prepare for the future. They can explain the organisation’s risk posture, including exposure related to geopolitical conflict as well as to new business initiatives and emerging threats, and what can be done to mitigate risk.

Lastly, the role of the CISO has evolved from being a risk metrics presenter to a translator of risk to the business. Therefore, the expertise CISOs have developed in recent years in how to explain risk to the board makes them valuable contributors to these conversations. They can elevate the discussion to ensure deep understanding of the trade-offs between growth and risk, enable more informed decision-making, and serve as guardrails for total business alignment.

https://www.securityweek.com/why-cisos-make-great-board-members/

View From Davos: The Changing Economics of Cyber Crime

Cyber crime is a risk created by humans, driven by the economic conditions of high profit and easy opportunity. Ransomware is the most recent monetisation of these motives and opportunities, and it has evolved from simple malware to advanced exploits and double or triple extortion models.

The motive for cyber crime is clear: to steal money, but the digital nature of cyber crime makes the opportunity uniquely attractive, due to the following:

· Cryptocurrency makes online extortion, trading illicit goods and services, and laundering fraudulent funds highly anonymous and usually beyond the reach of financial regulators or inspection

· There isn't enough fear of getting caught for cyber crime.

· With the explosion in spending on digital transformation, data is the new gold and it is incredibly easy to steal, due to lapses in basic hygiene like encrypting data-at-rest and in-transit or limiting access to only authorised users.

· Paying extortion through extensive cyber insurance policies only feeds the ransomware epidemic by incentivising further crime, as noted by the FBI.

Fighting cyber crime is a team sport, and to succeed, we must adopt this framework of cyber resilience that integrates the technical, policy, behavioural, and economic elements necessary to manage the reality of ever-growing cyber crime as a predictable and manageable cyber risk.

https://www.darkreading.com/edge-articles/view-from-davos-the-changing-economics-of-cybercrime

Cloud Based Networks Under Increasing Attack, Report Finds

As enterprises around the world continue to move to the cloud, cyber criminals are following right behind them. There was a 48 percent year-over-year jump in 2022 in cyber attacks on cloud-based networks, and it comes at a time when 98 percent of global organisations use cloud services, according to Check Point. The increases in cyber attacks were experienced in various regions, including Asia (with a 60 percent jump), Europe (50 percent), and North America (28 percent) according to a report by Checkpoint last week.

Check Point explained that "The rise in attacks on the cloud was driven both by an overall increase in cyber attacks globally (38 percent overall in 2022, compared to 48 percent in the cloud) and also by the fact that it holds much more data and incorporates infrastructure and services from large amounts of potential victims, so when exploited the attacks could have a larger impact,". Later, Checkpoint highlighted that human error is a significant factor in the vulnerability of cloud-based networks.

The report highlighted the need for defence capabilities in the cloud to improve. According to Check Point, this means adopting zero-trust cloud network security controls, incorporating security and compliance earlier in the development lifecycle, avoiding misconfigurations, and using tools such as an intrusion detection and prevention systems and next-generation web application firewalls. As commented by Check Point “it is still up to the network and security admins to make sure all their infrastructure is not vulnerable.

https://www.theregister.com/2023/01/20/cloud_networks_under_attack/

GoTo Admits: Customer Cloud Backups Stolen Together with Decryption Key

On 2022-11-30, GoTo informed customers that it had suffered “a security incident”, summarising the situation as follows:

“Based on the investigation to date, we have detected unusual activity within our development environment and third-party cloud storage service. The third-party cloud storage service is currently shared by both GoTo and its affiliate, LastPass.”

Two months later, GoTo has come back with an update, and the news isn’t great:

“[A] threat actor exfiltrated encrypted backups from a third-party cloud storage service related to the following products: Central, Pro, join.me, Hamachi, and RemotelyAnywhere. We also have evidence that a threat actor exfiltrated an encryption key for a portion of the encrypted backups. The affected information, which varies by product, may include account usernames, salted and hashed passwords, a portion of Multi-Factor Authentication (MFA) settings, as well as some product settings and licensing information.”

The company also noted that although MFA settings for some Rescue and GoToMyPC customers were stolen, their encrypted databases were not.

https://nakedsecurity.sophos.com/2023/01/25/goto-admits-customer-cloud-backups-stolen-together-with-decryption-key/

State-Linked Hackers in Russia and Iran are Targeting UK Groups, NCSC Warns

Russian and Iranian state-linked hackers are increasingly targeting British politicians, journalists and researchers with sophisticated campaigns aimed at gaining access to a person’s email, Britain’s online security agency warned on Thursday. The National Cyber Security Centre (NCSC) issued an alert about two groups from Russia and Iran, warning those in government, defence, thinktanks and the media against clicking on malicious links from people posing as conference hosts, journalists or even colleagues.

Both groups have been active for some years, but it is understood they have recently stepped up their activities in the UK as the war in Ukraine continues, as well as operating in the US and other NATO countries.

The hackers typically seek to gain confidence of a target by impersonating somebody likely to make contact with them, such as by falsely impersonating a journalist, and ultimately luring them to click on a malicious link, sometimes over the course of several emails and other online interactions.

NCSC encourages people to use strong email passwords. One technique is to use three random words, and not replicate it as a login credential on other websites. It recommends people use two-factor authentication, using a mobile phone as part of the log on process, ideally by using a special authenticator app.

The cyber agency also advises people exercise particular caution when receiving plausible sounding messages from strangers who rely on Gmail, Yahoo, Outlook or other webmail accounts, sometimes impersonating “known contacts” of the target culled from social media.

https://www.theguardian.com/technology/2023/jan/26/state-linked-hackers-in-russia-and-iran-are-targeting-uk-groups-ncsc-warns

3.7 Million Customers’ Data of Hilton Hotels Put Up For Sale

A member of a hacker forum going by the name IntelBroker, has offered a database allegedly containing the personal information of 3.7 million people participating in the Hilton Hotels Honors program. According to the actor, the data in question includes personally identifying information such as name, address and Honors IDs. According to the Hilton Hotel, no guest login credentials, contacts, or financial information have been leaked.

https://informationsecuritybuzz.com/3-7-millions-customers-data-hilton-hotel-up-for-sale/

Threats