Threat Intelligence Blog
Contact us to discuss any insights from our Blog, and how we can support you in a tailored threat intelligence report.
Black Arrow Cyber Threat Briefing 15 September 2023
Black Arrow Cyber Threat Intelligence Briefing 15 September 2023:
-Overconfident Organisations Prone to Cyber Breaches
-Board Members Struggling to Understand Cyber Risks
-Cyber Criminals are Targeting Top Executives and Could be Using Sensitive Information to Extort Them
-Cyber Attacks Reach Fever Pitch in Q2 2023
-Ransomware Attacks Hit Record Levels in UK as More Companies Fail to Tackle Growing Threats
-Microsoft Warns of More Attacks as Ransomware Spreads Through Teams Phishing
-Europol - Financial Crime Makes “Billions” and Impacts “Millions”
-Almost One in Three Parents Have Never Spoken to Their Children About Cyber Security
-Hackers are Dropping USB Drives Outside Buildings to Target Networks
-Data Theft is Now the No. 1 Cyber Security Threat Keeping Execs Awake at Night
-If You Didn’t Change Your Passwords After the LastPass Data Breach, Do It Now
-Cloud Vulnerabilities Surge Nearly 200% as Cloud Credentials Become the New Hot Ticket on the Dark Web
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
Overconfident Organisations Prone to Cyber Breaches
A study found that 95% of UK enterprises were very confident or somewhat confident that they do not have gaps in their security controls, yet despite this, 69% have fallen victim to a cyber attack in the last two years. One of the reasons given for this false sense of confidence was the belief that more tools meant more security; worryingly, 45% of organisations struggled with the implementation of tools due to the need for expertise. Attackers are constantly adapting their tactics to bypass the security controls that most organisations implement. It is difficult for IT teams and business leaders to maintain an objective assessment of how effective their chosen security controls are against today’s attackers. Black Arrow provides the impartial and expert advice that businesses require, including a free initial assessment, with no vested interest other than helping our clients achieve pragmatic and proportionate security.
Source: [IT Security Guru]
Board Members Struggling to Understand Cyber Risks
Board members frequently struggle to understand cyber risks, putting businesses at higher risk of attacks, a new report has found. The report noted that Board interest is being piqued as a result of growing media reporting of cyber incidents, a heightened Board focus on operational resilience post-pandemic, investor pressure and a tightening regulatory environment.
Worryingly, despite the increase in interest and increased internal and external focus on cyber risk, a number of Board-level respondents reported that they felt scared or embarrassed to ask their CISO for fear of exposing their lack of understanding.
Source: [Infosecurity Magazine]
Cyber Criminals are Targeting Top Executives and Could be Using Sensitive Information to Extort Them
Senior executives in today's evolving work landscape face growing cyber security threats, including extortion and device theft. The rise of ‘workcations’, which blend work and leisure, has blurred professional and personal boundaries, exposing leaders to heightened risks, and necessitating a strong focus on cyber security.
These executives are particularly attractive targets due to their access to critical information and decision-making authority. To protect their organisations, they must prioritise robust security measures, such as stronger passwords, anti-theft safeguards for devices, multi factor authentication, and, where appropriate or necessary, the use of virtual private networks. As guardians of their businesses' well-being, executives carry the responsibility of upholding stringent cyber security practices, ensuring that the benefits of remote work do not compromise their organisations' security.
Source: [Fortune]
Cyber Attacks Reach Fever Pitch in Q2 2023
A report has found the global landscape of increasing digitisation, political unrest, the emergence of AI and the widespread adoption of work from home, have all contributed to an increase in attacks, which have increased 314% in the first half of this year compared the first half of 2022. Rather worryingly, between the first and second quarter this year, there was a 387% increase in activity.
Source: [Data Centre & Network News]
Ransomware Attacks Hit Record Levels in UK as More Companies Fail to Tackle Growing Threats
A report from the Information Commissioner’s Office (ICO) in the UK found ransomware attacks on UK organisations reached record levels last year, impacting over 700 organisations. This isn’t the true count though, as it does not factor the overwhelming majority of victims who do not report attacks, so the true number will be many times this. This increase comes as reports are finding that UK companies are struggling to address the growing threats, and this includes a lack of understanding at the Board level. In fact, 59% of directors say their Board is not very effective in understanding the drivers and impacts of cyber risks for their organisation.
Sources: [The Record] [The Fintech Times] [Financial Times]
Microsoft Warns of More Attacks as Ransomware Spreads Through Teams Phishing
Microsoft says an initial access broker known for working with ransomware groups has recently switched to Microsoft Teams phishing attacks to breach corporate networks. Referring to one of the groups, Microsoft said “In July 2023, Storm-0324 began using phishing lures sent over Teams with malicious links leading to a malicious SharePoint-hosted file,". This tactic has also been used by Russian Nation State Actors.
Source: [Bleeping Computer]
Europol - Financial Crime Makes “Billions” and Impacts “Millions”
The European policing alliance’s first ever European Financial and Economic Crime Threat Assessment was compiled from “operational insights and strategic intelligence” contributed by member states and Europol partners. The assessment highlighted a criminal economy worth billions of euros and that impacts millions of victims each year.
Source: [Infosecurity Magazine]
Almost One in Three Parents Have Never Spoken to Their Children About Cyber Security
A recent report found that 30% of parents have never spoken to their children about cyber security. Additionally, over 40% of parents, who themselves admitted that they didn’t know how to create strong passwords, still give their child access to their mobile phones and almost a third (32%) give them access to their computers. By doing so, parents are not only putting their children at risk, but inadvertently, themselves and the organisations they work for as well.
Black Arrow offers a range of training, including formal and informal training, for individuals, employees and business leaders. Contact us today for a free initial conversation.
Source: [IT Security Guru]
Hackers are Dropping USB Drives Outside Buildings to Target Networks
A mid-year cyber security report found that along with the explosive growth in AI, bad actors are still using tried and tested, but unfortunately still very effective, tactics such as dropping USB drives outside target buildings in the hope that an employee will pick them up and plug them into devices connected to the corporate network. Many times, these actors are banking on their targets lacking protections against these attacks. Think about your organisation, would someone plug a device they found in the street into their work computer out of curiosity? Does your organisation have controls in place to prevent this type of attack?
Source: [Tech Republic]
Data Theft is Now the No. 1 Cyber Security Threat Keeping Execs Awake at Night
According to a recent survey, 55% of IT decision-makers cited data theft as their main concern, with ransomware placed third, after phishing. This comes as ransomware attackers are moving towards more exfiltration-based techniques. Exfiltration creates a significant number of issues for an organisation including the regulatory requirements of telling customers, to not knowing what data has been exfiltrated.
Source: [Information Security Buzz]
If You Didn’t Change Your Passwords After the LastPass Data Breach, Do It Now
Criminals have had plenty of time to use encryption keys stolen in the 2022 LastPass hack to open vaults, and there has been a reported increase in the number of vaults that have been cracked. For those attackers that haven’t been able to crack your password, they're under no time constraints.
Whilst successful attackers may not directly target your email accounts, PayPal wallets, or banks, these assets can be packaged and sold to other criminal third parties. If any of the passwords stored in a LastPass vault prior to 2022 are still in use, you should change them immediately.
Source: [Make Use Of]
Cloud Vulnerabilities Surge Nearly 200% as Cloud Credentials Become the New Hot Ticket on the Dark Web
IBM tracked 632 new cloud-related vulnerabilities (CVEs) between June 2022 and June 2023, a 194% increase from the previous year, according to a new report. The latest haul of new CVEs brings the total number tracked by the vendor to 3,900; a number that has doubled since 2019. Similarly, a separate report from Palo Alto Networks found that 80% of security exposures exist in the cloud.
IBM highlighted that this has led to a number of cloud credentials being actively sold on the dark web, in some cases for the same price as a dozen doughnuts. These credentials are believed to account for almost 90% of goods and services for sale on the dark web.
Sources: [Infosecurity Magazine] [The Register] [TechTarget]
Governance, Risk and Compliance
Deputy PM urges UK plc not to lose focus on cyber | Computer Weekly
Overconfident Organisations Prone to Cyber Breaches, Study Finds - IT Security Guru
Global companies to hike security spending as threats rise - survey | Reuters
CISOs need to be forceful to gain leverage in the boardroom - Help Net Security
Don't Leave Cyber Security to Chance, the Hidden Risk when Staff Depart - IT Security Guru
Evaluating & Managing Service Provider Security Risks (in 2023) | UpGuard
Cyber Security risks dampen corporate enthusiasm for tech investments - Help Net Security
CISOs and Board Reporting – an Ongoing Problem - SecurityWeek
Threats
Ransomware, Extortion and Destructive Attacks
Ransomware attacks hit record level in UK, according to neglected official data (therecord.media)
Ransomware tracker: The latest figures [September 2023] (therecord.media)
Ransomware access broker steals accounts via Microsoft Teams phishing (bleepingcomputer.com)
Ransomware thrives as cyber security remains lax, says UK report | Financial Times (ft.com)
Rust-Written 3AM Ransomware: A Sneak Peek into a New Malware Family (thehackernews.com)
Ransomware in top three threats for 65% of organisations | Security Magazine
TrickBot & Conti Sanctions for CISOs & Board Members (trendmicro.com)
Don’t focus on ransomware variants, say UK’s national cyber and crime agencies (therecord.media)
Cuba Ransomware Gang Continues to Evolve With Dangerous Backdoor (darkreading.com)
Recent Rhysida Attacks Show Focus on Healthcare By Ransomware Actors (darkreading.com)
Ransomware Victims
A phone call to helpdesk was likely all it took to hack MGM | Ars Technica
MGM, Caesars File SEC Disclosures on Cyber Security Incidents (darkreading.com)
Caesars paid millions in ransom to cybercrime group prior to MGM hack – NECN
Group in Casino Hacks Skilled at Duping Workers for Access (1) (bloomberglaw.com)
Ransomware tracker: The latest figures [September 2023] (therecord.media)
Rhysida gang claims to have hacked three more US hospitals (securityaffairs.com)
Ransomware crew claims to have hit Save The Children • The Register
Shell says Australian unit BG Group hit by MOVEit cyber security breach | Reuters
Dutch football association pays ransom to Russian cyber criminals – EURACTIV.com
Cyber security incident affects services at The Weather Network | CFJC Today Kamloops
Phishing & Email Based Attacks
Email forwarding flaws enable attackers to impersonate high-profile domains - Help Net Security
Attackers Abuse Google Looker Studio to Evade DMARC, Email Security (darkreading.com)
$24 Million Worth of Crypto Wiped out Overnight in Massive Phishing Attack
Thousands of Microsoft 365 accounts under threat from W3LL phishing kit | TechRadar
Ransomware access broker steals accounts via Microsoft Teams phishing (bleepingcomputer.com)
Facebook Messenger phishing wave targets 100K business accounts per week (bleepingcomputer.com)
Journalists, authors, and other writers targeted by phishing emails | TechRadar
Associated Press Stylebook Users Targeted in Phishing Attack Following Data Breach - SecurityWeek
How should SMBs navigate the phishing minefield? - Help Net Security
Other Social Engineering; Smishing, Vishing, etc
Understanding the dangers of social engineering - Help Net Security
How to Avoid Smishing Attacks Targeting Subscription Service Users (securityintelligence.com)
Artificial Intelligence
Cyber Criminals Feasting On Artificial Intelligence (forbes.com)
ChatGPT Jailbreaking Forums Proliferate in Dark Web Communities (darkreading.com)
Cloud security in the era of artificial intelligence (securityintelligence.com)
Deepfake cyberthreats keep rising. Here's how to prevent them - SiliconANGLE
2FA/MFA
Malware
Microsoft Teams phishing attack pushes DarkGate malware (bleepingcomputer.com)
Millions of Facebook Business Accounts Bitten by Python Malware (darkreading.com)
Free Download Manager site redirected Linux users to malware for years (bleepingcomputer.com)
Protecting Your Microsoft IIS Servers Against Malware Attacks (thehackernews.com)
3 Strategies to Defend Against Resurging Infostealers (darkreading.com)
New HijackLoader Modular Malware Loader Making Waves in the Cybercrime World (thehackernews.com)
Iranian hackers backdoor 34 orgs with new Sponsor malware (bleepingcomputer.com)
'Steal-It' Campaign Uses OnlyFans Models as Lures (darkreading.com)
Sponsor with batch-filed whiskers: Ballistic Bobcat’s scan and strike backdoor (welivesecurity.com)
Cybersecurity alert: Malware hidden in Microsoft Teams messages targeting users - OnMSFT.com
Iranian Cyberspies Deployed New Backdoor to 34 Organizations - SecurityWeek
Mobile
'Evil Telegram' Spyware Campaign Infects 60K+ Mobile Users (darkreading.com)
France halts iPhone 12 sales over radiation levels - BBC News
Denial of Service/DoS/DDOS
Massive DDoS attack on US financial company thwarted by cyber firm (therecord.media)
Akamai prevented largest DDoS attack on a US financial company (securityaffairs.com)
After Microsoft and X, Hackers Launch DDoS Attack on Telegram - SecurityWeek
Yukon gov't website back after cyber attack, Nunavut gov't site still down | CBC News
Internet of Things – IoT
Co-op to ban Chinese CCTV after security risk warnings (telegraph.co.uk)
Wyze security camera owners report seeing strangers' camera feeds | Mashable
Hackers will hack anything — including your sex toys - The Hustle
Data Breaches/Leaks
Overconfident Organisations Prone to Cyber Breaches, Study Finds - IT Security Guru
LastPass Hackers Cracking Password Vaults - Experts Warns - Cyber Kendra
Dymocks Booksellers suffers data breach impacting 836k customers (bleepingcomputer.com)
How Do Hackers Sell and Trade Your Data in the Metaverse? (makeuseof.com)
Capita class action: 2,000 sign up in wake of data theft • The Register
Airbus data leaked via infected customer computer • The Register
Threat actor leaks sensitive data belonging to Airbus (securityaffairs.com)
Organised Crime & Criminal Actors
How Next-Gen Threats Are Taking a Page From APTs - SecurityWeek
How Do Hackers Sell and Trade Your Data in the Metaverse? (makeuseof.com)
Europol's spotlight report sheds light on evolving cyber attacks (amlintelligence.com)
Cyber criminals Use Webex Brand to Target Corporate Users (darkreading.com)
Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain
Top blockchain Cyber security threats to watch out for (att.com)
$24 Million Worth of Crypto Wiped out Overnight in Massive Phishing Attack
Blockchain Security Firm Unveils APT Attack by Lazarus Group - DailyCoin
Hackers steal $53 million worth of cryptocurrency from CoinEx (bleepingcomputer.com)
Cryptoqueen: Accomplice jailed for 20 years for OneCoin financial scam - BBC News
Insider Risk and Insider Threats
Fraud, Scams & Financial Crime
Latest fraud schemes targeting the payments ecosystem - Help Net Security
Cryptoqueen: Accomplice jailed for 20 years for OneCoin financial scam - BBC News
Glasgow firm issues warning following recent cyber attack | Glasgow Times
Impersonation Attacks
Email forwarding flaws enable attackers to impersonate high-profile domains - Help Net Security
Cyber criminals Use Webex Brand to Target Corporate Users (darkreading.com)
Deepfakes
AML/CFT/Sanctions
Insurance
Dark Web
ChatGPT Jailbreaking Forums Proliferate in Dark Web Communities (darkreading.com)
Cloud credentials are the hot ticket item on the dark web • The Register
Supply Chain and Third Parties
Evaluating & Managing Service Provider Security Risks (in 2023) | UpGuard
Airbus Cyber Attack: Over 3,200 Vendor Data Accessed by Hackers (cybersecuritynews.com)
Capita class action: 2,000 sign up in wake of data theft • The Register
The rise and evolution of supply chain attacks - Help Net Security
A 2-Week Prescription for Eliminating Supply Chain Threats (darkreading.com)
Cloud/SaaS
Thousands of Microsoft 365 accounts under threat from W3LL phishing kit | TechRadar
7 Steps to Kickstart Your SaaS Security Program (thehackernews.com)
Cloud storage security: What's new in the threat matrix | Microsoft Security Blog
Cloud CVEs Surge 200% in a Year - Infosecurity Magazine (infosecurity-magazine.com)
Cloud credentials are the hot ticket item on the dark web • The Register
Palo Alto Networks: 80% of security exposures exist in cloud | TechTarget
Cloud security in the era of artificial intelligence (securityintelligence.com)
Containers
Kubernetes Admins Warned to Patch Clusters Against New RCE Vulns (darkreading.com)
Alert: New Kubernetes Vulnerabilities Enable Remote Attacks on Windows Endpoints (thehackernews.com)
Identity and Access Management
Root Admin User: When Do Common Usernames Pose a Threat? (databreachtoday.co.uk)
Companies need to rethink how they implement identity security - Help Net Security
Enterprises persist with outdated authentication strategies - Help Net Security
Why Identity Management Is the Key to Stopping APT Cyber Attacks (darkreading.com)
Encryption
API
How to Prevent API Breaches: A Guide to Robust Security (thehackernews.com)
Elevating API security to reinforce cyber defence - Help Net Security
Machine Learning is a Must for API Security - IT Security Guru
Open Source
Free Download Manager site redirected Linux users to malware for years (bleepingcomputer.com)
Linux Malware! Read This If You Use Free Download Manager (itsfoss.com)
Passwords, Credential Stuffing & Brute Force Attacks
If You Didn’t Change Your Passwords After the LastPass Data Breach, Do It Now (makeuseof.com)
Root Admin User: When Do Common Usernames Pose a Threat? (databreachtoday.co.uk)
New WiKI-Eve attack can steal numerical passwords over WiFi (bleepingcomputer.com)
Wi-Fi radio signal data can be used 'to predict passwords' • The Register
Cloud credentials are the hot ticket item on the dark web • The Register
Iranian hackers breach defence orgs in password spray attacks (bleepingcomputer.com)
Social Media
Facebook Messenger phishing wave targets 100K business accounts per week (bleepingcomputer.com)
After Microsoft and X, Hackers Launch DDoS Attack on Telegram - SecurityWeek
How Do Hackers Sell and Trade Your Data in the Metaverse? (makeuseof.com)
Millions of Facebook Business Accounts Bitten by Python Malware (darkreading.com)
Training, Education and Awareness
How to Transform Security Awareness Into Security Culture (darkreading.com)
Elevating Cyber Awareness: A Strategic Approach (informationweek.com)
How end-user phishing training works (and why it doesn’t) (bleepingcomputer.com)
Great security training is a real challenge - Help Net Security
Digital Transformation
Parental Controls and Child Safety
Cyber Bullying, Cyber Stalking and Sextortion
Regulations, Fines and Legislation
SEC Issues Final Rules on Cyber Security Disclosures | Kelley Drye & Warren LLP - JDSupra
What Makes an Incident ‘Material’? | Calloquy, PBC - JDSupra
The International Criminal Court will now prosecute cyberwar crimes | Ars Technica
Preparing For Cyber Security Disclosures Set For Public Companies (forbes.com)
Models, Frameworks and Standards
Backup and Recovery
How to develop a cloud backup ransomware protection strategy | TechTarget
How To Backup Data From NAS: A Complete Guide (informationsecuritybuzz.com)
Data Protection
Careers, Working in Cyber and Information Security
Cyber Security Skills Gap: Roadies & Gamers Are Untapped Talent (darkreading.com)
Three ways to overcome cyber security staff shortages (securitybrief.co.nz)
Privacy, Surveillance and Mass Monitoring
Nation State Actors, Advanced Persistent Threats (APTs), Cyber Warfare and Cyber Espionage
Russia
China
Risk & Repeat: Big questions remain on Storm-0558 attacks | TechTarget
Parliamentary researcher ‘who spied for China’ arrested | UK news | The Guardian
Arrest of alleged spy raises questions around UK’s China policy | Financial Times (ft.com)
Microsoft, Apple versus China, spyware actors (techrepublic.com)
Co-op to ban Chinese CCTV after security risk warnings (telegraph.co.uk)
Spies, Hackers, Informants: How China Snoops on the West - SecurityWeek
China caught with its malware in another nation's power grid • The Register
China Threat Recap: A Deeper Insight (informationsecuritybuzz.com)
Iran
Iranian hackers backdoor 34 orgs with new Sponsor malware (bleepingcomputer.com)
‘Scan-and-exploit’ campaign snares unpatched Exchange servers | SC Media (scmagazine.com)
North Korea
Misc Nation State/Cyber Warfare
Vulnerability Management
Severe vulnerability found in all browsers, and it's being attacked | PCWorldOvercoming the Rising Threat of Session Hijacking (darkreading.com)
Cloud CVEs Surge 200% in a Year - Infosecurity Magazine (infosecurity-magazine.com)
With 0-days hitting Chrome, iOS, and dozens more this month, is no software safe? | Ars Technica
Vulnerabilities
Microsoft September 2023 Patch Tuesday fixes 2 zero-days, 59 flaws (bleepingcomputer.com)
Unpatched Cisco ASA flaw exploited by attackers (CVE-2023-20269) - Help Net Security
Severe vulnerability found in all browsers, and it's being attacked | PCWorld
After Apple and Google, Mozilla Also Patches Zero-Day Exploited for Spyware Delivery - SecurityWeek
Notepad++ 8.5.7 released with fixes for four security vulnerabilities (bleepingcomputer.com)
Adobe warns of critical Acrobat and Reader zero-day exploited in attacks (bleepingcomputer.com)
Alert: New Kubernetes Vulnerabilities Enable Remote Attacks on Windows Endpoints (thehackernews.com)
Cisco warns of VPN zero-day exploited by ransomware gangs (bleepingcomputer.com)
Cloud CVEs Surge 200% in a Year - Infosecurity Magazine (infosecurity-magazine.com)
Tools and Controls
Global companies to hike security spending as threats rise - survey | Reuters
Don't Leave Cyber Security to Chance, the Hidden Risk when Staff Depart - IT Security Guru
What Is XDR and Why It's Changing the Security Industry - ReadWrite
Remote Desktop Protocol exposures leave 85% of organisations vulnerable to attack - SiliconANGLE
The Dark Web Is Expanding (As Is the Value of Monitoring It) (darkreading.com)
How to Prevent API Breaches: A Guide to Robust Security (thehackernews.com)
Elevating Cyber Awareness: A Strategic Approach (informationweek.com)
Great security training is a real challenge - Help Net Security
Companies need to rethink how they implement identity security - Help Net Security
Enterprises persist with outdated authentication strategies - Help Net Security
Why Identity Management Is the Key to Stopping APT Cyber Attacks (darkreading.com)
Easy Configuration Fixes Can Protect Your Server from Attack (securityintelligence.com)
Other News
The Weaponization of Operational Technology (securityintelligence.com)
ICS Computers in Western Countries See Increasing Attacks: Report - SecurityWeek
Cyber Trends: The Gunpowder of the Twenty-First Century (e-ir.info)
The 9 Top Technology Trends That Are Shaping the Future of Cyber Security (makeuseof.com)
The Cyber Security Risks In Education Cannot Be Ignored (forbes.com)
A new Repojacking attack exposed over 4,000 GitHub repositories to hack (securityaffairs.com)
Cyber attacks reach fever pitch in Q2 2023 - Data Centre & Network News (dcnnmagazine.com)
Rising OT/ICS cyber security incidents reveal alarming trend - Help Net Security
Brits happy to break cyber law if the price is right | Computer Weekly
British Military Hit by Six Million Cyber Attacks in 2022 (thedefensepost.com)
Trustwave report on hospitality industry security threats | Cyber Magazine
Cyber security impact on construction, engineering projects (csemag.com)
Cyber criminals come for schools — and schools aren’t ready (hechingerreport.org)
Professional Sports: The Next Frontier of Cyber Security? (darkreading.com)
How Dangerous Is the Cyber Attack Risk to Transportation? (securityintelligence.com)
Poison in the Water: The Physical Repercussions of IoT Security Threats (securityintelligence.com)
Australia Inc roiled by raft of cyber attacks since late 2022 | Reuters
Death by digital: attacks on healthcare put people at risk (synack.com)
Sector Specific
Industry specific threat intelligence reports are available.
Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.
· Automotive
· Construction
· Critical National Infrastructure (CNI)
· Defence & Space
· Education & Academia
· Energy & Utilities
· Estate Agencies
· Financial Services
· FinTech
· Food & Agriculture
· Gaming & Gambling
· Government & Public Sector (including Law Enforcement)
· Health/Medical/Pharma
· Hotels & Hospitality
· Insurance
· Legal
· Manufacturing
· Maritime
· Oil, Gas & Mining
· OT, ICS, IIoT, SCADA & Cyber-Physical Systems
· Retail & eCommerce
· Small and Medium Sized Businesses (SMBs)
· Startups
· Telecoms
· Third Sector & Charities
· Transport & Aviation
· Web3
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Threat Briefing 20 January 2023
Black Arrow Cyber Threat Briefing 20 January 2023:
-Experts at Davos 2023 Call for a Global Response to the Gathering 'Cyber Storm'
-Cost of Data Breaches to Global Businesses at Five-Year High
-European Data Protection Authorities Issue Record €2.92 Billion In GDPR Fines, an Increase of 168%
-PayPal Accounts Breached in Large-Scale Credential Stuffing Attack
-Royal Mail Boss to Face MPs’ Questions Over Russian Ransomware Attack
-Third-Party Risk Management: Why 2023 Could be the Perfect Time to Overhaul your TPRM Program
-EU Cyber Resilience Regulation Could Translate into Millions in Fines
-Russian Hackers Try to Bypass ChatGPT's Restrictions for Malicious Purposes
-New Report Reveals CISOs Rising Influence
-ChatGPT and its Perilous Use as a "Force Multiplier" for Cyber Attacks
-Mailchimp Discloses a New Security Breach, the Second One in 6 Months
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
Experts at Davos 2023 Call for a Global Response to the Gathering 'Cyber Storm'
As economic and geopolitical instability spills into the new year, experts predict that 2023 will be a consequential year for cyber security. The developments, they say, will include an expanded threat landscape and increasingly sophisticated cyber attacks.
"There's a gathering cyber storm," Sadie Creese, a Professor of Cyber Security at the University of Oxford, said during an interview at the World Economic Forum’s Annual Meeting 2023 in Davos, Switzerland. "This storm is brewing, and it's really hard to anticipate just how bad that will be."
Already, cyber attacks such as phishing, ransomware and distributed denial-of-service (DDoS) attacks are on the rise. Cloudflare, a major US cyber security firm that provides protection services for over 30% of Fortune 500 companies, found that DDoS attacks—which entail overwhelming a server with a flood of traffic to disrupt a network or webpage—increased last year by 79% year-over-year.
"There's been an enormous amount of insecurity around the world," Matthew Prince, the CEO of Cloudflare, stated during the Annual Meeting. "I think 2023 is going to be a busy year in terms of cyber attacks."
https://www.weforum.org/agenda/2023/01/cybersecurity-storm-2023-experts-davos23/
Cost of Data Breaches to Global Businesses at Five-Year High
Research from business insurer Hiscox shows that the cost of dealing with cyber events for businesses has more than tripled since 2018. The study, which collated data from the organisation’s previous five annual Cyber Readiness reports, has revealed that:
Since 2018 the median IT budgets for cyber security more than tripled.
Between 2020 and 2022 cyber-attacks increased by over a quarter.
Businesses are increasing their cyber security budgets year-on-year.
In the Hiscox 2022 Cyber Readiness report, the financial toll of cyber incidents, including data breaches, was estimated to be $16,950 (£15,265) on average. As the cost of cyber crime grew, so did organisations’ cyber security budgets – average spending on cyber security tripled from 2018 to 2022, rocketing from $1,470,196 (£1,323,973) to $5,235,162 (£4,714,482).
Hiscox has also revealed that half of all companies surveyed suffered at least one cyber attack in 2022, up 11% from 2020. Financial Services, as well as Technology, Media and Telecom (TMT) sectors even reported a minimum of one attack for three consecutive years. Financial Services firms, however, seemed to be hit the hardest, with 66% reporting being impacted by cyber attacks in 2021-2022.
Cyber risk has risen to the same strategic level as traditional financial and operational risks, thanks to a growing realisation by businesses that the impact can be just as severe.
European Data Protection Authorities Issue Record €2.92 Billion in GDPR Fines, an Increase of 168%
European data regulators issued a record €2.92 billion in fines last year, a 168% increase from 2021. That’s according to the latest GDPR and Data Breach survey from international law firm DLA Piper, which covers all 27 Member States of the European Union, plus the UK, Norway, Iceland, and Liechtenstein. This year’s biggest fine of €405 million was imposed by the Irish Data Protection Commissioner (DPC) against Meta Platforms Ireland Limited relating to Instagram for alleged failures to protect children’s personal data. The Irish DPC also fined Meta €265 million for failing to comply with the GDPR obligation for Data Protection by Design and Default. Both fines are currently under appeal.
Despite the overall increase in fines since January 28, 2022, the fine of €746 million that Luxembourg authorities levied against Amazon last year remains the biggest to be issued by an EU-based data regulator to date (though the retail giant is still believed to be appealing).
The report also revealed a notable increase in focus by supervisory authorities on the use of artificial intelligence (AI), while the volume of data breaches reported to regulators decreased slightly against the previous year’s total.
PayPal Accounts Breached in Large-Scale Credential Stuffing Attack
PayPal is sending out data breach notifications to thousands of users who had their accounts accessed through credential stuffing attacks that exposed some personal data.
Credential stuffing are attacks where hackers attempt to access an account by trying out username and password pairs sourced from data leaks on various websites. This type of attack relies on an automated approach with bots running lists of credentials to "stuff" into login portals for various services. Credential stuffing targets users that employ the same password for multiple online accounts, which is known as "password recycling."
PayPal explains that the credential stuffing attack occurred between December 6 and December 8, 2022. The company detected and mitigated it at the time but also started an internal investigation to find out how the hackers obtained access to the accounts. By December 20, 2022, PayPal concluded its investigation, confirming that unauthorised third parties logged into the accounts with valid credentials. The electronic payments platform claims that this was not due to a breach on its systems and has no evidence that the user credentials were obtained directly from them.
According to the data breach reporting from PayPal, 34,942 of its users have been impacted by the incident. During the two days, hackers had access to account holders' full names, dates of birth, postal addresses, social security numbers, and individual tax identification numbers. Transaction histories, connected credit or debit card details, and PayPal invoicing data are also accessible on PayPal accounts.
Royal Mail Boss to Face MPs’ Questions Over Russian Ransomware Attack
Royal Mail’s chief executive faced questions from MPs last week over the Russia-linked ransomware attack that caused international deliveries to grind to a halt.
Simon Thompson, chief executive of Royal Mail, was asked about the recent cyber attack when he appeared before the Commons Business Select Committee to discuss Royal Mail’s response to the cyber attack at the evidence session on Tuesday Jan 17.
A Royal Mail spokesman said: “Royal Mail has been subject to a cyber incident that is affecting our international export service. We are focused on restoring this service as soon as we are able.”
Royal Mail was forced to suspend all outbound international post after machines used for printing customs dockets were disabled by the Russia-linked Lockbit cyber crime gang. Lockbit’s attackers used ransomware, malicious software that scrambles vital computer files before the gang demands payment to unlock them again. The software also took over printers at Royal Mail’s international sorting offices and caused ransom notes to “spout” from them, according to reports.
Cyber security industry sources cautioned that while Lockbit is known to be Russian in origin, it is not known whether a stolen copy of the gang’s signature ransomware had been deployed by rival hackers.
Third-Party Risk Management: Why 2023 Could be the Perfect Time to Overhaul your TPRM Program
Ensuring risk caused by third parties does not occur to your organisation is becoming increasingly difficult. Every business outsources some aspects of its operations, and ensuring these external entities are a strength and not a weakness isn’t always a straightforward process.
In the coming years we’ll see organisations dedicate more time and resources to developing detailed standards and assessments for potential third-party vendors. Not only will this help to mitigate risk within their supply chain network, it will also provide better security.
As demand for third-party risk management (TPRM) grows, there are key reasons why we believe 2023 could be pivotal for the future of your organisation’s TPRM program, cyber risk being principal amongst them.
Forrester predicted that 60% of security incidents in 2022 would stem from third parties. In 2021 there was a 300% increase in supply chain attacks, a trend that has continued to increase over the past 12 months also. For example, Japanese car manufacturer Toyota was forced to completely shut down its operations due to a security breach with a third-party plastics supplier.
It’s not only the frequency of third-party attacks that has increased, but also the methods that cyber criminals are using are becoming increasingly sophisticated. For example, the SolarWinds cyber breach in 2020 was so advanced that Microsoft estimated it took over a thousand engineers to stop the impact of the attack.
As the sophistication and frequency of supply chain attacks increases, the impact they have on businesses reputations and valuations is also becoming apparent. There is a need for organisations to conduct thorough due diligence of the third parties they choose to work with, otherwise the consequences could be disastrous.
Remember always that cyber security should be a non-negotiable feature of all business transactions.
EU Cyber Resilience Regulation Could Translate into Millions in Fines
The EU Commission’s Cyber Resilience Act (CRA) is intended to close the digital fragmentation problem surrounding devices and systems with network connections – from printers and routers to smart household appliances and industrial control systems. Industrial networks and critical infrastructures require special protection.
According to the European Union, there is currently a ransomware attack every eleven seconds. In the last few weeks alone, among others, a leading German children’s food manufacturer and a global Tier1 automotive supplier headquartered in Germany were hit, with the latter becoming the victim of a massive ransomware attack. Such an attack even led to insolvency at the German manufacturer Prophete in January 2023. To press manufacturers, distributors and importers into action, they face significant penalties if security vulnerabilities in devices are discovered and not properly reported and closed.
“The pressure on the industry – manufacturers, distributors and importers – is growing immensely. The EU will implement this regulation without compromise, even though there are still some work packages to be done, for example regarding local country authorities,” says Jan Wendenburg, CEO, ONEKEY.
The financial fines for affected manufacturers and distributors are therefore severe: up to 15 million euros or 2.5 percent of global annual revenues in the past fiscal year – the larger number counts. “This makes it absolutely clear: there will be substantial penalties on manufacturers if the requirements are not implemented,” Wendenburg continues.
Manufacturers, distributors and importers are required to notify ENISA – the European Union’s cyber security agency – within 24 hours if a security vulnerability in one of their products is exploited. Exceeding the notification deadlines is already subject to sanctions.
https://www.helpnetsecurity.com/2023/01/19/eu-cyber-resilience-regulation-fines/
Russian Hackers Try to Bypass ChatGPT's Restrictions for Malicious Purposes
Russian cyber-criminals have been observed on dark web forums trying to bypass OpenAI’s API restrictions to gain access to the ChatGPT chatbot for nefarious purposes.
Various individuals have been observed, for instance, discussing how to use stolen payment cards to pay for upgraded users on OpenAI (thus circumventing the limitations of free accounts). Others have created blog posts on how to bypass the geo controls of OpenAI, and others still have created tutorials explaining how to use semi-legal online SMS services to register to ChatGPT.
“Generally, there are a lot of tutorials in Russian semi-legal online SMS services on how to use it to register to ChatGPT, and we have examples that it is already being used,” wrote Check Point Research (CPR). “It is not extremely difficult to bypass OpenAI’s restricting measures for specific countries to access ChatGPT,” said Check Point. “Right now, we are seeing Russian hackers already discussing and checking how to get past the geofencing to use ChatGPT for their malicious purposes.”
They added that they believe these hackers are most likely trying to implement and test ChatGPT in their day-to-day criminal operations. “Cyber-criminals are growing more and more interested in ChatGPT because the AI technology behind it can make a hacker more cost-efficient,” they explained.
Case in point, just last week, Check Point Research published a separate advisory highlighting how threat actors had already created malicious tools using ChatGPT. These included infostealers, multi-layer encryption tools and dark web marketplace scripts.
More generally, the cyber security firm is not the only one believing ChatGPT could democratise cyber crime, with various experts warning that the AI bot could be used by potential cyber-criminals to teach them how to create attacks and even write ransomware.
https://www.infosecurity-magazine.com/news/russian-hackers-to-bypass-chatgpt/
New Report Reveals CISOs Rising Influence
Cyber security firm Coalfire this week unveiled its second annual State of CISO Influence report, which explores the expanding influence of Chief Information Security Officers (CISOs) and other security leaders.
The report revealed that the CISO role is maturing quickly, and the position is experiencing more equity in the boardroom. In the last year alone, there was a 10-point uptick in CISOs doing monthly reporting to the board. These positive outcomes likely stem from the increasingly metrics-driven reporting CISOs provide, where data is more effectively leveraged to connect security outcomes to business objectives.
An especially promising development in this year's report is how security teams are being looped into corporate projects. Of the security leaders surveyed, 78% say they are consulted early in project development when business objectives are first identified, and two-thirds are now making presentations to the highest levels of enterprise authority. 56% of CISOs present security metrics to their CEOs, up from 43% in 2021.
Cloud migration was universally identified as one of those top business objectives. The move to the cloud saddles CISOs with many challenges. The top priorities listed by CISOs include dealing with an expanding attack surface, staffing, and new compliance requirements — all within constrained budgets. In fact, 43% of security leaders said their budgets remained static or were reduced following business migration to the cloud.
Given these challenges, leading CISOs are transforming their approaches. To address multiple cloud compliance requirements, security leaders are focusing on the most onerous set of rules and creating separate environments for different requirements. Risk assessments were identified as the key tool used to secure funding for these and other cyber initiatives and to set top priorities.
"Costs and risks are up, while at the same time, cyber budgets are trending flat or down," said Colefire. "Cyber security has historically been lower in priority for organisations, but we are witnessing a big shift in enterprise cyber expectations. CISOs are rising to meet those expectations, speaking to the business, and as a result, solidifying their role in the C-suite."
https://www.darkreading.com/threat-intelligence/new-coalfire-report-reveals-cisos-rising-influence
ChatGPT and its Perilous Use as a "Force Multiplier" for Cyber Attacks
As a form of OpenAI technology, ChatGPT has the ability to mimic natural language and human interaction with remarkable efficiency. However, from a cyber security perspective, this also means it can be used in a variety of ways to lower the bar for threat actors.
One key method is the ability for ChatGPT to draft cunning phishing emails en masse. By feeding ChatGPT with minimal information, it can create content and entire emails that will lure unsuspecting victims to provide their passwords. With the right API setup, thousands of unique, tailored, and sophisticated phishing emails can be sent almost simultaneously.
Another interesting capability of ChatGPT is the ability to write malicious code. While OpenAI has put some controls in place to prevent ChatGPT from creating malware, it is possible to convince ChatGPT to create ransomware and other forms of malware as code that can be copied and pasted into an integrated development environment (IDE) and used to compile actual malware. ChatGPT can also be used to identify vulnerabilities in code segments and reverse engineer applications.
ChatGPT will expedite a trend that is already wreaking havoc across sectors – lowering the bar for less sophisticated threat actors, enabling them to conduct attacks while evading security controls and bypassing advanced detection mechanisms. And currently, there is not much that organisations can do about it. ChatGPT represents a technological marvel that will usher in a new era, not just for the cyber security space.
https://www.calcalistech.com/ctechnews/article/sj0lfp11oi
Mailchimp Discloses a New Security Breach, the Second One in 6 Months
The popular email marketing and newsletter platform Mailchimp was hacked twice in the past six months. The news of a new security breach was confirmed by the company; the incident exposed the data of 133 customers.
Threat actors targeted the company’s employees and contractors to gain access to an internal support and account admin tool.
“On January 11, the Mailchimp Security team identified an unauthorised actor accessing one of our tools used by Mailchimp customer-facing teams for customer support and account administration. The unauthorised actor conducted a social engineering attack on Mailchimp employees and contractors, and obtained access to select Mailchimp accounts using employee credentials compromised in that attack.” reads the notice published by the company. “Based on our investigation to date, this targeted incident has been limited to 133 Mailchimp accounts.”
The malicious activity was discovered on January 11, 2023; in response to the intrusion the company temporarily suspended access for impacted accounts. The company also notified the primary contacts for all affected accounts less than 24 hours after the initial discovery.
https://securityaffairs.com/140997/data-breach/mailchimp-security-breach.html
Threats
Ransomware, Extortion and Destructive Attacks
Yum Brands says nearly 300 restaurants in UK impacted due to cyber attack | Reuters
Royal Mail boss to face MPs’ questions over Russian ransomware attack (telegraph.co.uk)
What is LockBit ransomware and how does it operate? | Royal Mail | The Guardian
How cyber-attack on Royal Mail has left firms in limbo - BBC News
Royal Mail restarts limited overseas post after cyber-attack - BBC News
How Royal Mail’s hacker became the world’s most prolific ransomware group | Financial Times (ft.com)
Ransomware Trends In Q4 2022: Key Findings And Recommendations (informationsecuritybuzz.com)
Microsoft: Cuba ransomware hacking Exchange servers via OWASSRF flaw (bleepingcomputer.com)
Microsoft retracts its report on Mac ransomware (techrepublic.com)
Ransomware Dips During 2022: Are Cyber attacks Slowing or Just a Blip? - MSSP Alert
Up to 1,000 ships affected by DNV ransomware attack - Splash247
Avast releases free BianLian ransomware decryptor (bleepingcomputer.com)
Vice Society ransomware leaks University of Duisburg-Essen’s data (bleepingcomputer.com)
Ransomware attack cuts 1,000 ships off from on-shore servers • The Register
Royal Mail promises ‘workarounds’ to restore services after ransomware attack | Computer Weekly
Cyber-crime gangs' earnings slide as victims refuse to pay - BBC News
Ransomware gang steals data from KFC, Taco Bell, and Pizza Hut brand owner (bleepingcomputer.com)
Phishing & Email Based Attacks
How AI chatbot ChatGPT changes the phishing game | CSO Online
The big risk in the most-popular, and aging, big tech email programs (cnbc.com)
Why encrypting emails isn't as simple as it sounds - Help Net Security
Fake DHL emails allow hackers to breach Microsoft 365 accounts (msn.com)
Other Social Engineering; Smishing, Vishing, etc
Techniques that attackers use to trick victims into visiting malicious content - Help Net Security
As Social Engineering Tactics Change, So Must Your Security Training (darkreading.com)
2FA/MFA
CircleCI's hack caused by malware stealing engineer's 2FA-backed session (bleepingcomputer.com)
The Importance of Multi-Factor Authentication (MFA) - MSSP Alert
Malware
New Backdoor Created Using Leaked CIA's Hive Malware Discovered in the Wild (thehackernews.com)
Experts spotted a backdoor that borrows code from CIA's Hive malware - Security Affairs
ChatGPT Creates Polymorphic Malware - Infosecurity Magazine (infosecurity-magazine.com)
Attackers Crafted Custom Malware for Fortinet Zero-Day (darkreading.com)
New Chinese Malware Spotted Exploiting Recent Fortinet Firewall Vulnerability (thehackernews.com)
Malicious ‘Lolip0p’ PyPi packages install info-stealing malware (bleepingcomputer.com)
Hackers exploit Cacti critical bug to install malware, open reverse shells (bleepingcomputer.com)
Hackers can use GitHub Codespaces to host and deliver malware (bleepingcomputer.com)
Hackers turn to Google search ads to push info-stealing malware (bleepingcomputer.com)
How to spot a cyberbot – five tips to keep your device safe (theconversation.com)
Mobile
New 'Hook' Android malware lets hackers remotely control your phone (bleepingcomputer.com)
Roaming Mantis’ Android malware adds DNS changer to hack WiFi routers (bleepingcomputer.com)
Botnets
Denial of Service/DoS/DDOS
Internet of Things – IoT
Data Breaches/Leaks
6,000+ Customer Accounts Breached, NortonLifeLock Alert Users (informationsecuritybuzz.com)
1.7 TB of data from digital intelligence firm Cellebrite leaked online - Security Affairs
LastPass faces mounting criticism over recent breach | TechTarget
Mailchimp discloses a new incident, the second one in 6 months - Security Affairs
PayPal Breach Exposed PII of Nearly 35K Accounts (darkreading.com)
T-Mobile US says hacker accessed personal data of 37 million customers • TechCrunch
Twitter says leaked emails not hacked from its systems - BBC News
Hacked! My Twitter user data is out on the dark web -- now what? | ZDNET
Twitter sued over data leak that it denied was caused by a flaw | Business
Nissan North America data breach caused by vendor-exposed database (bleepingcomputer.com)
18k Nissan Customers Affected by Data Breach at Third-Party Software Developer | SecurityWeek.Com
Organised Crime & Criminal Actors
Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain
Crypto exchanges freeze accounts tied to North Korea • The Register
Europol arrested cryptocurrency scammers that stole millions from victims - Security Affairs
FTX Says $415 Million Of Its Crypto Assets Was Hacked (informationsecuritybuzz.com)
Google Ads-delivered malware drains NFT influencer’s entire crypto wallet (cointelegraph.com)
Bitcoin is a ‘hyped-up fraud’, says JP Morgan chief (telegraph.co.uk)
International Arrests Over 'Criminal' Crypto Exchange | SecurityWeek.Com
Fraud, Scams & Financial Crime
Hacker stole credit cards from Canada alcohol retailer LCBO - Security Affairs
Europol arrested cryptocurrency scammers that stole millions from victims - Security Affairs
New York man defrauded thousands using credit cards sold on dark web (bleepingcomputer.com)
FTX Says $415 Million Of Its Crypto Assets Was Hacked (informationsecuritybuzz.com)
The US Has a Massive Money Transfer Surveillance Apparatus (gizmodo.com)
The threat of location spoofing and fraud - Help Net Security
HUMAN Security Stops VASTFLUX Digital Ad Fraud Operation - MSSP Alert
International Arrests Over 'Criminal' Crypto Exchange | SecurityWeek.Com
Insurance
Dark Web
New York man defrauded thousands using credit cards sold on dark web (bleepingcomputer.com)
Illegal Solaris darknet market hijacked by competitor Kraken (bleepingcomputer.com)
Supply Chain and Third Parties
Cloud/SaaS
The Dangers of Default Cloud Configurations (darkreading.com)
Report: Cloud-based networks under growing attack • The Register
Data Security in Multicloud: Limit Access, Increase Visibility (darkreading.com)
Hybrid/Remote Working
Encryption
Vulnerabilities in cryptographic libraries found through modern fuzzing - Help Net Security
teiss - Cyber Threats - Managing the treat from quantum computers
Threats Of Quantum: The Solution Lies In Quantum Cryptography (informationsecuritybuzz.com)
Why encrypting emails isn't as simple as it sounds - Help Net Security
TLS Connection Cryptographic Protocol Vulnerabilities (trendmicro.com)
Passwords, Credential Stuffing & Brute Force Attacks
Compromise of employee device, credentials led to CircleCI breach | SC Media (scmagazine.com)
PayPal accounts breached in large-scale credential stuffing attack (bleepingcomputer.com)
NortonLifeLock: threat actors breached Norton Password Manager accounts - Security Affairs
Social Media
Twitter says leaked emails not hacked from its systems - BBC News
Hacked! My Twitter user data is out on the dark web -- now what? | ZDNET
French CNIL fined Tiktok $5.4 Million for violating cookie laws - Security Affairs
Malvertising
Hackers turn to Google search ads to push info-stealing malware (bleepingcomputer.com)
Google Ads-delivered malware drains NFT influencer’s entire crypto wallet (cointelegraph.com)
HUMAN Security Stops VASTFLUX Digital Ad Fraud Operation - MSSP Alert
Training, Education and Awareness
Training, endpoint management reduce remote working cyber security risks - Help Net Security
As Social Engineering Tactics Change, So Must Your Security Training (darkreading.com)
Regulations, Fines and Legislation
GDPR Fines Surge 168% in a Year - Infosecurity Magazine (infosecurity-magazine.com)
European data protection authorities issue record €2.92 billion in GDPR fines | CSO Online
How data protection is evolving in a digital world - Help Net Security
EU cyber resilience regulation could translate into millions in fines - Help Net Security
Online safety bill: Attempt to jail tech bosses ‘could backfire’ | News | The Times
Culture secretary examines plans to punish tech bosses over online harms | Financial Times (ft.com)
French CNIL fined Tiktok $5.4 Million for violating cookie laws - Security Affairs
State legislators aren't waiting for Congress to regulate children's online privacy - CyberScoop
How Would the FTC Rule on Noncompetes Affect Data Security? (darkreading.com)
The US Has a Massive Money Transfer Surveillance Apparatus (gizmodo.com)
Governance, Risk and Compliance
Technology is a fragile machine that seems to power everything | Android Central
Training, endpoint management reduce remote working cyber security risks - Help Net Security
New Coalfire Report Reveals CISOs Rising Influence (darkreading.com)
Cost of data breaches to global businesses at five-year high- IT Security Guru
Experts at Davos 2023 sound the alarm on cyber security | World Economic Forum (weforum.org)
Why Mean Time to Repair Is Not Always A Useful Security Metric (darkreading.com)
Why are there so many cyber attacks lately? An explainer on the rising trend | Globalnews.ca
How To Build A Network Of Security Champions In Your Organisation (forbes.com)
EU cyber resilience regulation could translate into millions in fines - Help Net Security
What is Business Attack Surface Management? (trendmicro.com)
How to build a cyber-resilience culture in the enterprise | TechTarget
Why Businesses Need to Think Like Hackers This Year (darkreading.com)
How to prioritize resilience in the face of cyber-attacks | World Economic Forum (weforum.org)
Cyber-attack contributes to major Harrogate district firm posting £4.1m loss - The Stray Ferret
Data Protection
GDPR Fines Surge 168% in a Year - Infosecurity Magazine (infosecurity-magazine.com)
European data protection authorities issue record €2.92 billion in GDPR fines | CSO Online
How data protection is evolving in a digital world - Help Net Security
State legislators aren't waiting for Congress to regulate children's online privacy - CyberScoop
Careers, Working in Cyber and Information Security
New Coalfire Report Reveals CISOs Rising Influence (darkreading.com)
IT Burnout may be Putting Your Organisation at Risk (bleepingcomputer.com)
Sophos Joins List of Cyber security Companies Cutting Staff | SecurityWeek.Com
Law Enforcement Action and Take Downs
Privacy, Surveillance and Mass Monitoring
UK supermarket uses facial recognition tech to track shoppers - Coda Story
State legislators aren't waiting for Congress to regulate children's online privacy - CyberScoop
Artificial Intelligence
How AI chatbot ChatGPT changes the phishing game | CSO Online
ChatGPT and its perilous use as a "Force Multiplier" for cyber attacks | Ctech (calcalistech.com)
Potential threats and sinister implications of ChatGPT - Help Net Security
Criminals seek OpenAI guardrail bypass, use ChatGPT for evil • The Register
ChatGPT Creates Polymorphic Malware - Infosecurity Magazine (infosecurity-magazine.com)
Misinformation, Disinformation and Propaganda
Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine
Putin’s Russian cyber attacks could target UK’s infrastructure | News | The Times
Industrial espionage: How China sneaks out America's technology secrets - BBC News
Ukraine blames Russia for most of over 2,000 cyber attacks in 2022 | Reuters
Beware: Tainted VPNs Being Used to Spread EyeSpy Surveillanceware (thehackernews.com)
Is Elon Musk’s Starlink winning the war for Ukraine? | World | The Sunday Times (thetimes.co.uk)
Pro-Russia Hacktivist Group NoName057(16) Strikes Again (informationsecuritybuzz.com)
Russian hacktivists NoName057 offer cash for DDoS attacks (techmonitor.ai)
Ukraine links data-wiping attack on news agency to Russian hackers (bleepingcomputer.com)
Russian hackers target Ukrainian press briefing about cyber attacks (axios.com)
Chinese hackers targeted Iranian government entities for months: Report | CSO Online
Nation State Actors
Nation State Actors – Russia
Putin’s Russian cyber attacks could target UK’s infrastructure | News | The Times
Ukraine blames Russia for most of over 2,000 cyber attacks in 2022 | Reuters
Is Elon Musk’s Starlink winning the war for Ukraine? | World | The Sunday Times (thetimes.co.uk)
Pro-Russia Hacktivist Group NoName057(16) Strikes Again (informationsecuritybuzz.com)
Russian hacktivists NoName057 offer cash for DDoS attacks (techmonitor.ai)
Ukraine links data-wiping attack on news agency to Russian hackers (bleepingcomputer.com)
Russian hackers target Ukrainian press briefing about cyber attacks (axios.com)
Russians say they can download software from Intel again • The Register
Nation State Actors – China
Industrial espionage: How China sneaks out America's technology secrets - BBC News
Attackers Crafted Custom Malware for Fortinet Zero-Day (darkreading.com)
New Chinese Malware Spotted Exploiting Recent Fortinet Firewall Vulnerability (thehackernews.com)
China wants 30 percent CAGR for its infosec industry • The Register
Chinese hackers targeted Iranian government entities for months: Report | CSO Online
Nation State Actors – North Korea
Nation State Actors – Iran
Nation State Actors – Misc
Vulnerability Management
The Top 10 Vulnerabilities of 2022: Mastering Vulnerability Management - Security Boulevard
3 Lessons Learned in Vulnerability Management (darkreading.com)
Vulnerabilities
Cisco won’t fix critical flaw in small business routers • The Register
Unpatched Zoho ManageEngine Products Under Active Cyber attack (darkreading.com)
Oracle's First Security Update for 2023 Includes 327 New Patches | SecurityWeek.Com
Why it's time to review your on-premises Microsoft Exchange patch status | CSO Online
Attackers Crafted Custom Malware for Fortinet Zero-Day (darkreading.com)
New Chinese Malware Spotted Exploiting Recent Fortinet Firewall Vulnerability (thehackernews.com)
Cacti Servers Under Attack as Majority Fail to Patch Critical Vulnerability (thehackernews.com)
PoC exploits released for critical bugs in popular WordPress plugins (bleepingcomputer.com)
Vulnerabilities in cryptographic libraries found through modern fuzzing - Help Net Security
Microsoft: Exchange Server 2013 reaches end of support in 90 days (bleepingcomputer.com)
Hackers are using this old trick to dodge security protections | ZDNET
Attackers deploy sophisticated Linux implant on Fortinet network security devices | CSO Online
Researchers to release PoC exploit for critical Zoho RCE bug, patch now (bleepingcomputer.com)
MSI accidentally breaks Secure Boot for hundreds of motherboards (bleepingcomputer.com)
Microsoft fixes SSRF vulnerabilities found in Azure services | TechTarget
Over 4,000 Sophos Firewall devices vulnerable to RCE attacks (bleepingcomputer.com)
Critical Security Vulnerabilities Discovered in Netcomm and TP-Link Routers (thehackernews.com)
Exploited Control Web Panel Flaw Added to CISA 'Must-Patch' List | SecurityWeek.Com
Two critical flaws discovered in Git system - Security Affairs
Vendors Actively Bypass Security Patch for Year-Old Magento Vulnerability | SecurityWeek.Com
Cisco Patches High-Severity SQL Injection Vulnerability in Unified CM | SecurityWeek.Com
CVE-2022-47966: Rapid7 Observed Exploitation of Critical ManageEngine Vulnerability | Rapid7 Blog
Critical Microsoft Azure RCE flaw impacted multiple services - Security Affairs
New Microsoft Azure Vulnerability Uncovered — EmojiDeploy for RCE Attacks (thehackernews.com)
Tools and Controls
Training, endpoint management reduce remote working cyber security risks - Help Net Security
Why encrypting emails isn't as simple as it sounds - Help Net Security
As Social Engineering Tactics Change, So Must Your Security Training (darkreading.com)
Zero trust network access for Desktop as a Service - Help Net Security
How to prioritize resilience in the face of cyber-attacks | World Economic Forum (weforum.org)
Sector Specific
Industry specific threat intelligence reports are available.
Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.
· Automotive
· Construction
· Critical National Infrastructure (CNI)
· Defence & Space
· Education & Academia
· Energy & Utilities
· Estate Agencies
· Financial Services
· FinTech
· Food & Agriculture
· Gaming & Gambling
· Government & Public Sector (including Law Enforcement)
· Health/Medical/Pharma
· Hotels & Hospitality
· Insurance
· Legal
· Manufacturing
· Maritime
· Oil, Gas & Mining
· OT, ICS, IIoT, SCADA & Cyber-Physical Systems
· Retail & eCommerce
· Small and Medium Sized Businesses (SMBs)
· Startups
· Telecoms
· Third Sector & Charities
· Transport & Aviation
· Web3
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Threat Briefing 30 December 2022
Black Arrow Cyber Threat Briefing 30 December 2022:
-Cyber Attacks Set to Become ‘Uninsurable’, Says Zurich Chief
-Your Business Should Compensate for Modern Ransomware Capabilities Right Now
-Reported Phishing Attacks Have Quintupled
-Ransomware, DDoS See Major Upsurge Led by Upstart Hacker Group
-Videoconferencing Worries Grow, With SMBs in Cyber Attack Crosshairs
-Will the Crypto Crash Impact Cyber Security in 2023? Maybe.
-The Worst Hacks of 2022
-Geopolitical Tensions Expected to Further Impact Cyber Security in 2023
-Fraudsters’ Working Patterns Have Changed in Recent Years
-Hacktivism is Back and Messier Than Ever
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
Cyber Attacks Set to Become ‘Uninsurable’, Says Zurich Chief
The chief executive of one of Europe’s biggest insurance companies has warned that cyber attacks, rather than natural catastrophes, will become “uninsurable” as the disruption from hacks continues to grow.
Insurance executives have been increasingly vocal in recent years about systemic risks, such as pandemics and climate change, that test the sector’s ability to provide coverage. For the second year in a row, natural catastrophe-related claims are expected to top $100bn.
But Mario Greco, chief executive at insurer Zurich, told the Financial Times that cyber was the risk to watch. “What will become uninsurable is going to be cyber,” he said. “What if someone takes control of vital parts of our infrastructure, the consequences of that?” Recent attacks that have disrupted hospitals, shut down pipelines and targeted government departments have all fed concern about this expanding risk among industry executives. Focusing on the privacy risk to individuals was missing the bigger picture, Greco added: “First off, there must be a perception that this is not just data . . . this is about civilisation. These people can severely disrupt our lives.”
Spiralling cyber losses in recent years have prompted emergency measures by the sector’s underwriters to limit their exposure. As well as pushing up prices, some insurers have responded by tweaking policies so clients retain more losses. There are exemptions written into policies for certain types of attacks. In 2019, Zurich initially denied a $100mn claim from food company Mondelez, arising from the NotPetya attack, on the basis that the policy excluded a “warlike action”. The two sides later settled. In September, Lloyd’s of London defended a move to limit systemic risk from cyber attacks by requesting that insurance policies written in the market have an exemption for state-backed attacks.
https://www.ft.com/content/63ea94fa-c6fc-449f-b2b8-ea29cc83637d
Your Business Should Compensate for Modern Ransomware Capabilities Right Now
The “if, not when” mentality surrounding ransomware may be the biggest modern threat to business longevity. Companies of all sizes and across all industries are increasingly common targets for ransomware attacks, and we know that 94% of organisations experienced a cyber security incident last year alone. Yet, many enterprises continue to operate with decades-old security protocols that are unequipped to combat modern ransomware. Leaders have prioritised improving physical security measures in light of the pandemic — so why haven’t ransomware protections improved?
Maybe it’s the mistaken notion that ransomware attacks are declining. In reality, Q1 of 2022 saw a 200% YoY increase in ransomware incidents. Meanwhile, the rise in Ransomware as a Service (RaaS) offerings suggests that cyber threats have become a commodity for bad actors.
The RaaS market presents a new and troubling trend for business leaders and IT professionals. With RaaS — a subscription ransomware model that allows affiliates to deploy malware for a fee — the barrier to entry for hackers is lower than ever. The relatively unskilled nature of RaaS hackers may explain why the average ransomware downtime has plummeted to just 3.85 days (compared to an average attack duration of over two months in 2019).
While the decrease in attack duration is promising, the rise of RaaS still suggests an inconvenient truth for business leaders: All organisations are at risk. And in time, all organisations will become a target, which is why it’s time for IT and business leaders to implement tough cyber security protocols.
Reported Phishing Attacks Have Quintupled
In the third quarter of 2022, the international Anti-Phishing Working Group (APWG) consortium observed 1,270,883 total phishing attacks; the worst quarter for phishing that APWG has ever observed. The total for August 2022 was 430,141 phishing sites, the highest monthly total ever reported to APWG.
Over recent years, reported phishing attacks submitted to APWG have more than quintupled since the first quarter of 2020, when APWG observed 230,554 attacks. The rise in Q3 2022 was attributable, in part, to increasing numbers of attacks reported against several specific targeted brands. These target companies and their customers suffered from large numbers of attacks from persistent phishers.
Threat researchers at the cyber security solution provider Fortra noted a 488 percent increase in response-based email attacks in Q3 2022 compared to the prior quarter. While every subtype of these attacks increased compared to Q2, the largest increase was in Advance Fee Fraud schemes, which rose by a staggering 1,074 percent.
In the third quarter of 2022, APWG founding member OpSec Security found that phishing attacks against the financial sector, which includes banks, remained the largest set of attacks, accounting for 23.2 percent of all phishing. Attacks against webmail and software-as-a-service (SaaS) providers remained prevalent as well. Phishing against social media services fell to 11 percent of the total, down from 15.3 percent.
Phishing against cryptocurrency targets — such as cryptocurrency exchanges and wallet providers — fell from 4.5 percent of all phishing attacks in Q2 2022 to 2 percent in Q3. This mirrored the fall in value of many cryptocurrencies since mid-year.
https://www.helpnetsecurity.com/2022/12/28/reported-phishing-attacks-quintupled/
Ransomware, DDoS See Major Upsurge Led by Upstart Hacker Group
Cyber threat actors Cuba and Royal are driving a 41% boom in ransomware and other attacks hitting industry and consumer goods and services.
According to the Global Threat Intelligence team of information assurance firm NCC Group, November saw a 41% increase in ransomware attacks from 188 incidents to 265. In its most recent Monthly Threat Pulse, the group reported that the month was the most active for ransomware attacks since April this year.
Key takeaways from the study:
Ransomware attacks rose by 41% in November.
Threat group Royal (16%) was the most active, replacing LockBit as the worst offender for the first time since September 2021.
Industrials (32%) and consumer cyclicals (44%) remain the top two most targeted sectors, but technology experienced a large 75% increase over the last month.
Regional data remains consistent with last month — North America (45%), Europe (25%) and Asia (14%)
DDoS attacks continue to increase.
Recent examples in the services sector include the Play ransomware group’s claimed attack of the German H-Hotels chain, resulting in communications outages. This attack reportedly uses a vulnerability in Microsoft Exchange called ProxyNotShell, which as the name implies, has similarities to the ProxyShell zero-day vulnerability revealed in 2021.
Also, back on the scene is the TrueBot malware downloader (a.k.a., the silence.downloader), which is showing up in an increasing number of devices. TrueBot Windows malware, designed by a Russian-speaking hacking group identified as Silence, has resurfaced bearing Ransom.Clop, which first appeared in 2019. Clop ransomware encrypts systems and exfiltrates data with the threat that if no ransom is forthcoming, the data will show up on a leak site.
https://www.techrepublic.com/article/ransomware-ddos-major-upsurge-led-upstart-hacker-group/
Videoconferencing Worries Grow, With SMBs in Cyber Attack Crosshairs
Securing videoconferencing solutions is just one of many IT security challenges small businesses are facing, often with limited financial and human resources.
It's no secret that the acceleration of work-from-home and distributed workforce trends — infamously spurred on by the pandemic — has occurred in tandem with the rise of video communications and collaboration platforms, led by Zoom, Microsoft, and Cisco.
But given that videoconferencing now plays a critical role in how businesses interact with their employees, customers, clients, vendors, and others, these platforms carry significant potential security risks, researchers say.
Organisations use videoconferencing to discuss M&A, legal, military, healthcare, intellectual property and other topics, and even corporate strategies. A loss of that data could be catastrophic for a company, its employees, its clients, and its customers.
However, a recent report on videoconferencing security showed that 93% of IT professionals surveyed acknowledged security vulnerabilities and gaping risks in their videoconferencing solutions.
Among the most relevant risks is the lack of controlled access to conversations that could result in disruption, sabotage, compromise, or exposure of sensitive information, while use of nonsecure, outdated, or unpatched videoconferencing applications can expose security flaws.
The risks include the potential for interruptions, unauthorised access, and perhaps most concerning, the opportunity for a bad actor to acquire sensitive information.
Will the Crypto Crash Impact Cyber Security in 2023? Maybe.
With the implosion of the FTX exchange putting a punctuation mark on the cryptocurrency crash of 2022, one of the natural questions for those in the cyber security world is, how will this rapid decline of cryptocurrency valuations change the cyber crime economy?
Throughout the most recent crypto boom, and even before then, cyber criminals have used and abused cryptocurrency to build up their empires. The cryptocurrency market provides the extortionary medium for ransomware; it's a hotbed of scams against consumers to steal their wallets and accounts. Traditionally, it's provided a ton of anonymous cover for money laundering on the back end of a range of cyber criminal enterprises.
Even so, according to cyber security experts and intelligence analysts, while there certainly have been some shifts in trends and tactics that they believe are loosely tied to the crypto crash, the jury's still out on long-term impacts.
Regardless of crypto values, cyber criminals this year have definitely become more sophisticated in how they use cryptocurrencies to monetise their attacks including the use by some ransomware groups taking advantage of yield farming within decentralised finance (DeFi), as an example.
The concept of yield farming is the same as lending money, with a contract in place that clearly shows how much interest will need to be paid. The advantage for ransomware groups is that the 'interest' will be legitimate proceeds, so there will be no need to launder or hide it.
Threat actors are increasingly turning toward 'stablecoins,' which are usually tied to fiat currencies or gold to stem their volatility. In many ways, the downturn in crypto values has increased the risk appetite of cyber criminals and is spurring them into more investment fraud and cryptocurrency scams.
https://www.darkreading.com/threat-intelligence/crypto-crash-impact-cybersecurity-2023-maybe
The Worst Hacks of 2022
The year was marked by sinister new twists on cyber security classics, including phishing, breaches, and ransomware attacks.
With the pandemic evolving into an amorphous new phase and political polarisation on the rise around the world, 2022 was an uneasy and often perplexing year in digital security. And while hackers frequently leaned on old chestnuts like phishing and ransomware attacks, they still found vicious new variations to subvert defences.
Technology magazine Wired looked back on the year's worst breaches, leaks, ransomware attacks, state-sponsored hacking campaigns, and digital takeovers. If the first years of the 2020s are any indication, the digital security field in 2023 will be more bizarre and unpredictable than ever. Stay alert, and stay safe out there.
Russia Hacking Ukraine
For years, Russia has pummelled Ukraine with brutal digital attacks causing blackouts, stealing and destroying data, meddling in elections, and releasing destructive malware to ravage the country's networks. Since invading Ukraine in February, though, times have changed for some of Russia's most prominent and most dangerous military hackers. Shrewd long-term campaigns and grimly ingenious hacks have largely given way to a stricter and more regimented clip of quick intrusions into Ukrainian institutions, reconnaissance, and widespread destruction on the network—and then repeated access over and over again, whether through a new breach or by maintaining the old access.
Twilio and the 0ktapus Phishing Spree
Over the summer, a group of researchers dubbed 0ktapus went on a massive phishing bender, compromising nearly 10,000 accounts within more than 130 organisations. The majority of the victim institutions were US-based, but there were dozens in other countries as well.
Ransomware Still Hitting the Most Vulnerable Targets
In recent years, countries around the world and the cyber security industry have increasingly focused on countering ransomware attacks. While there has been some progress on deterrence, ransomware gangs were still on a rampage in 2022 and continued to target vulnerable and vital social institutions, including health care providers and schools. The Russian-speaking group Vice Society, for example, has long specialised in targeting both categories, and it focused its attacks on the education sector this year.
The Lapsus$ Rampage Continues
The digital extortion gang Lapsus$ was on an intense hacking spree at the beginning of 2022, stealing source code and other sensitive information from companies like Nvidia, Samsung, Ubisoft, and Microsoft and then leaking samples as part of apparent extortion attempts. Lapsus$ has a sinister talent for phishing, and in March, it compromised a contractor with access to the ubiquitous authentication service Okta.
LastPass
The beleaguered password manager giant LastPass, which has repeatedly dealt with data breaches and security incidents over the years, said at the end of December that a breach of its cloud storage in August led to a further incident in which hackers targeted a LastPass employee to compromise credentials and cloud storage keys.
Vanuatu
At the beginning of November, Vanuatu, an island nation in the Pacific, was hit by a cyber attack that took down virtually all of the government's digital networks. Agencies had to move to conducting their work on paper because emergency systems, medical records, vehicle registrations, driver's license databases, and tax systems were all down.
Honourable Mention: Twitter-Related Bedlam
Twitter has been in chaos mode for months following Elon Musk's acquisition of the company earlier this year. Amidst the tumult, reports surfaced in July and then again in November of a trove of 5.4 million Twitter users' data that has been circulating on criminal forums since at least July, if not earlier. The data was stolen by exploiting a vulnerability in a Twitter application programming interface, or API.
https://www.wired.com/story/worst-hacks-2022/
Geopolitical Tensions Expected to Further Impact Cyber Security in 2023
Geopolitics will continue to have an impact on cyber security and the security posture of organisations long into 2023.
The impact of global conflicts on cyber security was thrust into the spotlight when Russia made moves to invade Ukraine in February 2022. Ukraine’s Western allies were quick to recognise that with this came the threat of Russian-backed cyber-attacks against critical national infrastructure (CNI), especially in retaliation to hefty sanctions. While this may not have materialised in the way many expected, geopolitics is still front of mind for many cyber security experts looking to 2023.
Russia has always been among a handful of states recognised for their cyber prowess and being the source of many cyber criminal gangs. As previously mentioned, we have failed to see a significant cyber-attack, at least one comparable to the Colonial Pipeline incident, in 2022. However the cyber security services provider, e2e-assure, warned: “We have underestimated Russia’s cyber capability. There is a wide view that Russian cyber activity leading up to and during their invasion of Ukraine indicated that they aren’t the cyber power we once thought. Patterns and evidence will emerge in 2023 that shows this wasn’t the case, instead Russia was directing its cyber efforts elsewhere, with non-military goals (financial and political).”
NordVPN, the virtual private network (VPN) provider, warns that the cyber-war is only just starting: “With China’s leader securing his third term and Russia’s war in Ukraine, many experts predict an increase in state-sponsored cyber-attacks. China may increase cyber-attacks on Taiwan, Hong Kong, and other countries opposing the regime. Meanwhile, Russia is predicted to sponsor attacks on countries supporting Ukraine.”
We are used to seeing cyber-attacks that encrypt data and ask for ransom, but it is likely in this era of nation-state sponsored attacks we could experience attacks for the sake of disruption.
https://www.infosecurity-magazine.com/news/geopolitical-tensions-impact/
Fraudsters’ Working Patterns Have Changed in Recent Years
Less sophisticated fraud — in which doctored identity documents are readily spotted — has jumped 37% in 2022, according to the identify verfication provider Onfido. Fraudsters can scale these attacks on an organisation’s systems around the clock.
It is estimated that the current global financial cost of fraud is $5.38 trillion (£4.37 trillion), which is 6.4% of the world’s GDP. With most fraud now happening online (80% of reported fraud is cyber-enabled), Onfido’s Identity Fraud Report uncovers patterns of fraudster behaviour, attack techniques, and emerging tactics.
Over the last four years, fraudsters’ working patterns have dramatically changed. In 2019, attacks mirrored a typical working week, peaking Monday to Friday and dropping off during the weekends. Yet over the last three years, fraudulent activity started to shift so that levels of fraud span every day of the week.
In 2022, fraud levels were consistent across 24 hours, seven days a week. With technology, fraudsters are more connected across the globe and are able to traverse regions and time zones, and can easily take advantage of businesses’ closed hours when staff are likely offline. This hyperconnectivity means there are no more ‘business hours’ for fraudsters and sophisticated fraud rings — they will scam and defraud 24/7.
“As criminals look to take advantage of digitisation processes, they’re able to commit financial crimes with increasing efficiency and sophistication, to the extent that financial crime and cyber crime are now invariably linked,” said Interpol. “A significant amount of financial fraud takes place through digital technologies, and the pandemic has only hastened the emergence of digital money laundering tools and other cyber-enabled financial crimes.”
https://www.helpnetsecurity.com/2022/12/29/less-sophisticated-fraud/
Hacktivism is Back and Messier Than Ever
Throughout 2022, geopolitics has given rise to a new wave of politically motivated attacks with an undercurrent of state-sponsored meddling.
During its brutal war in Ukraine, Russian troops have burnt cities to the ground, raped and tortured civilians, and committed scores of potential war crimes. On November 23, lawmakers across Europe overwhelmingly labelled Russia a “state sponsor” of terrorism and called for ties with the country to be reduced further. The response to the declaration was instant. The European Parliament’s website was knocked offline by a DDoS attack.
The unsophisticated attack—which involves flooding a website with traffic to make it inaccessible—disrupted the Parliament’s website offline for several hours. Pro-Russian hacktivist group Killnet claimed responsibility for the attack. The hacktivist group has targeted hundreds of organisations around the world this year, having some limited small-scale successes knocking websites offline for short periods of time. It’s been one player in a bigger hacktivism surge.
Following years of sporadic hacktivist activity, 2022 has seen the re-emergence of hacktivism on a large scale. Russia’s full-scale invasion of Ukraine spawned scores of hacktivist groups on both sides of the conflict, while in Iran and Israel, so-called hacktivist groups are launching increasingly destructive attacks. This new wave of hacktivism, which varies between groups and countries, comes with new tactics and approaches and, increasingly, is blurring lines between hacktivism and government-sponsored attacks.
Threats
Ransomware, Extortion and Destructive Attacks
Jersey school locked out of systems as hackers demand "ransom" | Bailiwick Express Jersey
Vice Society Ransomware Attackers Adopt Robust Encryption Methods (thehackernews.com)
Global counter-ransomware task force to become active in January - CyberScoop
Fool Me Thrice? How to Avoid Double and Triple Ransomware Extortion (darkreading.com)
Rackspace criticized for PR response to ransomware attack (expressnews.com)
Ransomware, DDoS see major upsurge led by upstart hacker group (techrepublic.com)
6 Ways to Protect Your Organisation Against LAPSUS$ (darkreading.com)
Your business should compensate for modern ransomware capabilities right now | VentureBeat
Vice Society Adds Custom-branded Payload PolyVice to its Arsenal | Cyware Alerts - Hacker News
Hackers stole data from multiple electric utilities in recent ransomware attack | CNN Politics
Ransomware attack at Louisiana hospital impacts 270,000 patients (bleepingcomputer.com)
The mounting death toll of hospital cyber attacks - POLITICO
Royal ransomware claims attack on Intrado telecom provider (bleepingcomputer.com)
Healthcare Providers and Hospitals Under Ransomware's Siege (darkreading.com)
Guardian Australia staff sent home after cyber attack takes out systems (theage.com.au)
Dumfries Arnold Clark garages hit by company-wide cyber attack - Daily Record
Ransom Deadline Given By LockBit In Port Of Lisbon Attack (informationsecuritybuzz.com)
Phishing & Email Based Attacks
Reported phishing attacks have quintupled - Help Net Security
6 Ways to Protect Your Organisation Against LAPSUS$ (darkreading.com)
Other Social Engineering; Smishing, Vishing, etc
Malware
GuLoader implements new evasion techniques - Security Affairs
PrivateLoader PPI Service Found Distributing Info-Stealing RisePro Malware (thehackernews.com)
2022 sees over 5000 times new Windows malware vs macOS, over 60 times vs Linux - Neowin
APT Hackers Turn to Malicious Excel Add-ins as Initial Intrusion Vector (thehackernews.com)
New information-stealing malware is being spread by fake pirate sites | TechSpot
Mobile
Denial of Service/DoS/DDOS
Internet of Things – IoT
Smart Home Cyber security Hubs: Protecting Endpoints in Your Smarthome (compuquip.com)
Google Home speakers allowed hackers to snoop on conversations (bleepingcomputer.com)
Data Breaches/Leaks
BetMGM discloses security breach impacting 1.5 Million customers - Security Affairs
Massive Twitter data leak investigated by EU privacy watchdog (bleepingcomputer.com)
Massive EDiscovery Provider Shut Down Over 'Unauthorized Access' - Above the LawAbove the Law
Data of 400 Million Twitter users up for sale - Security Affairs
It’s all in the (lack of) details: 2022’s badly handled data breaches | TechCrunch
Military device with biometric database of 2K people sold on eBay for $68 | Ars Technica
Organised Crime & Criminal Actors
Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain
How ‘brazen’ multibillion-dollar crypto fraud fell to pieces | Business | The Times
BTC.com lost $3 million worth of cryptocurrency in cyber attack (bleepingcomputer.com)
Hackers steal $8 million from users running trojanized BitKeep apps (bleepingcomputer.com)
Bitcoin Mining Pool Btc.com Suffers $3 Million Cyber attack – Mining Bitcoin News
Crypto wallet BitKeep lost over $9M over a cyber attack - Security Affairs
Case for blockchain in financial services dented by failures | Financial Times (ft.com)
Digital Assets Of $9.9 Million Stolen In BitKeep Cyber Attack (informationsecuritybuzz.com)
Crypto platform 3Commas admits hackers stole API keys (bleepingcomputer.com)
Fraud, Scams & Financial Crime
Linkedin Is Full Of Job Scams – Be Careful Out There (informationsecuritybuzz.com)
Scam complaints from Revolut users more than double since 2020 (telegraph.co.uk)
Fraudsters’ working patterns have changed in recent years - Help Net Security
Experts warn of attacks exploiting WordPress gift card plugin - Security Affairs
North Korean Hackers Created 70 Fake Bank, Venture Capital Firm Domains | SecurityWeek.Com
Ukraine shuts down fraudulent call center claiming 18,000 victims (bleepingcomputer.com)
Insurance
Supply Chain and Third Parties
Software Supply Chain
Why Attackers Target GitHub, and How You Can Secure It (darkreading.com)
Improving Software Supply Chain Cyber security (trendmicro.com)
Cloud/SaaS
Identity and Access Management
Enterprises waste money on identity tools they don't use - Help Net Security
Steps To Planning And Implementation Of PAM Solutions (informationsecuritybuzz.com)
Encryption
API
Crypto platform 3Commas admits hackers stole API keys (bleepingcomputer.com)
Google: With Cloud Comes APIs & Security Headaches (darkreading.com)
Passwords, Credential Stuffing & Brute Force Attacks
Biometrics
Social Media
TikTok User Data Has Been Compromised (giantfreakinrobot.com)
Elon Musk ‘orders Twitter to remove suicide prevention feature’ | Twitter | The Guardian
Massive Twitter data leak investigated by EU privacy watchdog (bleepingcomputer.com)
Meta settles Cambridge Analytica scandal case for $725m - BBC News
TikTok bans haven't really banned much of anything - The Washington Post
Twitter restores suicide prevention feature | Twitter | The Guardian
Data of 400 Million Twitter users up for sale - Security Affairs
Hacker claims to be selling Twitter data of 400 million users (bleepingcomputer.com)
Malvertising
Privacy
Regulations, Fines and Legislation
Governance, Risk and Compliance
IBM and 70 Global Banks Co-Create New Cyber security, Risk Framework (accelerationeconomy.com)
Economic uncertainty compels IT leaders to rethink their strategy - Help Net Security
3 important changes in how data will be used and treated - Help Net Security
2022 Top Five Immediate Threats in Geopolitical Context (thehackernews.com)
Secure Disposal
Careers, Working in Cyber and Information Security
IT Jobs: How To Become An Information Security Analyst (informationsecuritybuzz.com)
‘There's a career in cyber security for everyone,’ Microsoft Security CVP says | Fortune
Law Enforcement Action and Take Downs
Privacy, Surveillance and Mass Monitoring
Google Home speakers allowed hackers to snoop on conversations (bleepingcomputer.com)
Police in China can track protests by enabling ‘alarms’ on Hikvision software | China | The Guardian
The Threat of Predictive Policing to Data Privacy and Personal Liberty (darkreading.com)
Meta settles Cambridge Analytica scandal case for $725m - BBC News
78% of Employers Are Using Remote Work Tools to Spy on You (entrepreneur.com)
Germany: Police surveillance software a legal headache – DW – 12/22/2022
Artificial Intelligence
Code-generating AI can introduce security vulnerabilities, study finds | TechCrunch
AI cyber attacks are a ‘critical threat’. This is how NATO is countering them | Euronews
Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine
2022 Top Five Immediate Threats in Geopolitical Context (thehackernews.com)
Russia’s Cyberwar Foreshadowed Deadly Attacks on Civilians | WIRED
Hundreds of Russian cyber attacks on CHPPs, regional power plants prevented - SBU
Ukrainian Hackers Gather Data on Russian Soldiers, Minister Says - Bloomberg
North Korean hackers targeted nearly 1,000 South Korean foreign policy experts
German double agent ‘passed Ukraine intelligence to Russia’ (telegraph.co.uk)
Nation State Actors
Nation State Actors – Russia
Hundreds of Russian cyber attacks on CHPPs, regional power plants prevented - SBU
Russian mobile calls, internet seen deteriorating after Nokia, Ericsson leave – EURACTIV.com
Nation State Actors – China
Police in China can track protests by enabling ‘alarms’ on Hikvision software | China | The Guardian
Nation State Actors – North Korea
BlueNoroff APT Hackers Using New Ways to Bypass Windows MotW Protection (thehackernews.com)
North Korean Hackers Created 70 Fake Bank, Venture Capital Firm Domains | SecurityWeek.Com
North Korean hacking outfit impersonating venture capital firms | SC Media (scmagazine.com)
North Korean hackers targeted nearly 1,000 South Korean foreign policy experts
Nation State Actors – Iran
Nation State Actors – Misc
Vulnerability Management
Vulnerabilities
Patch now: Serious Linux kernel security hole uncovered | ZDNET
Microsoft Patches Azure Cross-Tenant Data Access Flaw | SecurityWeek.Com
Critical Linux Kernel flaw affects SMB servers with ksmbd enabled - Security Affairs
Critical “10-out-of-10” Linux kernel SMB hole – should you worry? – Naked Security (sophos.com)
Log4Shell remains a big threat and a common cause for security breaches | CSO Online
Thousands of Citrix servers vulnerable to patched critical flaws (bleepingcomputer.com)
Netgear warns users to patch recently fixed WiFi router bug (bleepingcomputer.com)
CISA Warns of Active exploitation of JasperReports Vulnerabilities (thehackernews.com)
Tools and Controls
Other News
AI cyber attacks are a ‘critical threat’. This is how NATO is countering them | Euronews
Review: 10 Biggest Hacks And Cyber Security Threats Of 2022 (informationsecuritybuzz.com)
New information-stealing malware is being spread by fake pirate sites | TechSpot
Trend Micro: Expect 2023 to Bring Uncertainty to Cyber Attackers and Defenders - MSSP Alert
After the Uber Breach: 3 Questions All CISOs Should Ask Themselves (darkreading.com)
Top 10 Cyber Security Predictions For 2023 Based On Expert Responses (informationsecuritybuzz.com)
The Five Stories That Shaped Cyber security in 2022 | SecurityWeek.Com
Sector Specific
Industry specific threat intelligence reports are available.
Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.
· Automotive
· Construction
· Critical National Infrastructure (CNI)
· Defence & Space
· Education & Academia
· Energy & Utilities
· Estate Agencies
· Financial Services
· FinTech
· Food & Agriculture
· Gaming & Gambling
· Government & Public Sector (including Law Enforcement)
· Health/Medical/Pharma
· Hotels & Hospitality
· Insurance
· Legal
· Manufacturing
· Maritime
· Oil, Gas & Mining
· OT, ICS, IIoT, SCADA & Cyber-Physical Systems
· Retail & eCommerce
· Small and Medium Sized Businesses (SMBs)
· Startups
· Telecoms
· Third Sector & Charities
· Transport & Aviation
· Web3
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Threat Briefing 28 October 2022
Black Arrow Cyber Threat Briefing 28 October 2022:
-‘Biggest Cyber Risk Is Complacency, Not Hackers’ - UK Information Commissioner Issues Warning as Construction Company Fined £4.4 Million
-Ransomware Threat Shifts from US to EMEA and APAC
-Phishing Attacks Increase by Over 31% In Third Quarter
-UK Urged to Watch for Fraud as People Aim to Make Extra Cash in Cost of Living Crisis
-HR Departments Play a Key Role in Cyber Security
-The Long-Term Psychological Effects of Ransomware Attacks
-7 Hidden Social Media Cyber Risks for Enterprises
-54% of Staff Would Reconsider Working for a Firm That Had Experienced a Cyber Breach, Research Finds
-Evolve as Fast as the Cyber Criminals: Protect Your Business Now, Before it’s Too Late
-Enterprise Ransomware Preparedness Improving but Still Lacking
-Why Are There So Many Data Breaches? A Growing Industry of Criminals is Brokering in Stolen Data
-How The "pizza123" Password Could Take Down an Organisation
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
‘Biggest Cyber Risk Is Complacency, Not Hackers’ - UK Information Commissioner Issues Warning as Construction Company Fined £4.4 Million
The UK Information Commissioner has warned that companies are leaving themselves open to cyber attack by ignoring crucial measures like updating software and training staff.
The warning comes as the Information Commissioner’s Office (ICO) issued a fine of £4,400,000 to Interserve Group Ltd, a Berkshire based construction company, for failing to keep personal information of its staff secure. This is a breach of data protection law.
The ICO found that the company failed to put appropriate security measures in place to prevent a cyber attack, which enabled hackers to access the personal data of up to 113,000 employees through a phishing email.
The compromised data included personal information such as contact details, national insurance numbers, and bank account details, as well as special category data including ethnic origin, religion, details of any disabilities, sexual orientation, and health information.
John Edwards, UK Information Commissioner, said:
“The biggest cyber risk businesses face is not from hackers outside of their company, but from complacency within their company. If your business doesn't regularly monitor for suspicious activity in its systems and fails to act on warnings, or doesn't update software and fails to provide training to staff, you can expect a similar fine from my office.
“Leaving the door open to cyber attackers is never acceptable, especially when dealing with people’s most sensitive information. This data breach had the potential to cause real harm to Interserve’s staff, as it left them vulnerable to the possibility of identity theft and financial fraud.
“Cyber attacks are a global concern, and businesses around the world need to take steps to guard against complacency. The ICO and NCSC already work together to offer advice and support to businesses, and this week I will be meeting with regulators from around the world, to work towards consistent international cyber guidance so that people’s data is protected wherever a company is based.”
Ransomware Threat Shifts from US to EMEA and APAC
The volume of ransomware detections in Q3 2022 was the lowest in two years, but certain geographical regions have become bigger targets as attacks on US organisations wane, according to SonicWall. The security vendor used its own threat detection network, including over one million security sensors in more than 200 countries, to reveal the current landscape.
The good news is that global malware volumes have remained flat for the past three quarters, amounting to a total of over four billion detections in the year to date. Of these, ransomware is also trending down after a record-breaking 2021. Even so, SonicWall detected 338 million compromise attempts in the first three quarters of the year.
Year-to-date ransomware attempts in 2022 have already exceeded the full-year totals from four of the past five years, the vendor claimed. While attacks on US organisations dipped by 51% year-on-year during the period, they increased significantly in the UK (20%), EMEA (38%) and APAC (56%).
The cyber-warfare battlefront continues to shift, posing dangerous threats to organisations of all sizes. With expanding attack surfaces, growing numbers of threats and the current geopolitical landscape, it should be no surprise that even the most seasoned IT professional can feel overwhelmed.
https://www.infosecurity-magazine.com/news/ransomware-threat-shifts-from-us/
Phishing Attacks Increase by Over 31% In Third Quarter
Email security and threat detection company Vade has found that phishing emails in the third quarter this year increased by more than 31% quarter on quarter, with the number of emails containing malware in the first three quarters surpassing the 2021 level by 55.8 million.
Malware emails in the third quarter of 2022 alone increased by 217% compared to same period in 2021. Malware email volume peaked in July, reaching 19.2 million, before month-over-month declines in August and September, with numbers dropping to 16.8 million and 16.5 million respectively.
According to the report, email is the preferred attack vector for phishing and malware, as it gives hackers a direct channel to users, the weakest link in an organisation’s attack surface. The report analyses phishing and malware data captured by Vade, which does business internationally.
As attacks become more sophisticated, Vade said, they also become increasingly capable of evading the basic security offered by email providers, which almost eight in 10 businesses still rely on, according to Vade’s research.
While the activity of threat actors fluctuates, Vade’s research found that impersonating trusted and established brands remains the most popular strategy for hackers. In the third quarter of 2022, Facebook was the most impersonated brand for the second consecutive quarter, followed by Google, MTB, PayPal, and Microsoft.
The financial services sector remains the most impersonated industry, representing 32% of phishing emails detected by Vade, followed by cloud at 25%, social media at 22%, and internet/telco at 13%.
As phishing attacks increase, the techniques used by threat actors continue to evolve. While phishing campaigns were traditionally large scale and random, more recent campaigns seen by Vade suggest that hackers have pivoted to using more targeted campaigns.
UK Urged to Watch for Fraud as People Aim to Make Extra Cash in Cost of Living Crisis
Brits have been warned to “stay alert for fraud” as more people are out to make extra cash as the cost of living rises across the country.
UK Finance said that more than half (56%) of people admitted that they are likely to look for opportunities to make extra money in the coming months, which could leave some people more susceptible to fraud.
According to the trade association’s Take Five To Stop Fraud campaign, one in six, or 16%, of people said the rising cost of living means they are more likely to respond to an unprompted approach from someone offering an investment opportunity or a loan.
Young people were more likely to be at risk, the data suggested, which surveyed 2,000 people across the UK. More than a third (34%) of 18 to 34-year-olds said they are more likely to respond to an unprompted approach from someone, with three in 10 (30%) also more likely to provide their personal or financial details to secure the arrangement.
Overall, three in five people (60%) said they are concerned about falling victim to financial fraud or a scam. It comes as recent figures from UK Finance showed that £609.8m was lost due to fraud and scams in the first half of this year.
https://uk.news.yahoo.com/uk-watch-for-fraud-extra-cash-cost-of-living-crisis-230154352.html
HR Departments Play a Key Role in Cyber Security
A common shortcoming of human resources (HR) departments is that — despite being an operation designed to put humans at the centre of how an organisation is run — they often fail to adequately align with their IT counterparts and the core technology systems that define how a business is run and protected from cyber-risk.
Insufficient coordination between HR and IT processes and procedures remains common and gives rise to security gaps that can represent some of the most dangerous vulnerabilities on a company's attack surface. Let's examine the scope of the challenge and some key cyber-asset management priorities that can close the schism for a more robust cyber security posture.
Gone are the days when HR's role in securing the enterprise relied on basic tutorials for employees about protecting passwords on company equipment. Today's threat environment intersects with the workforce in more ways than ever — from bring-your-own-device (BYOD) and authentication gaps to user vulnerabilities that make spear-phishing seem quaint. Traditional social engineering attacks are now being augmented by zero-click exploits that compromise employee devices without the user ever having to click a link or take any action at all.
Beyond malicious threats, even routine HR processes can introduce risk to the organisation when they're not adequately aligned with the IT processes in an organisation. As just one example, when an employee leaves a company, the offboarding goes far beyond just the exit interview to also include removing access to multiple enterprise systems, accounts, and devices — all of which require close coordination between HR and IT personnel and systems.
To better secure the enterprise, it's mission-critical to get HR and IT more united in a common and advanced understanding of cyber hygiene and risk mitigation. This relies on enhanced awareness of the impact that HR processes have on cyber assets in other parts of the organisation, as well as the HR role in access management for employees and contractors. This requires asset visibility that must be ongoing and in real time, since our roles, devices, and access to data and systems may change multiple times over the course of our employment.
https://www.darkreading.com/vulnerabilities-threats/hr-departments-play-a-key-role-in-cybersecurity
The Long-Term Psychological Effects of Ransomware Attacks
Northwave has conducted scientific research into the psychological effects of a ransomware crisis on both organisations and individuals. The findings reveal the deep marks that a ransomware crisis leaves on all those affected. It also shows how their IT and security teams can turn in disarray long after the crisis itself has passed.
The research reveals how the psychological impact of ransomware attacks can persist on people in affected organisations for a very long time. It shows that crisis team members may develop serious symptoms far later. Top management and HR need to take measures against this, in fact right from the very beginning of the crisis. They are the ones bearing responsibility for the well-being of their staff.
They also discovered how teams have fallen apart some time after the crisis, with members leaving or staying home on sick-leave. The study reveals that effects can linger throughout the organisation. All in all the investigation shows that this invisible impact of a cyber crisis is an issue for the general business management, and certainly also for HR.
Northwave regards the response to a cyber attack as occurring in three phases. First comes the actual crisis situation, which evolves into an incident phase after about a week. A plan of action is then in place, and recovery measures are launched. The fire has been largely extinguished after a month or so, with the first (basic) functionalities available again.
Full recovery can take one to two years. Each phase has its specific effects on the minds and bodies of those involved, and by extension, on the organisation or parts of it. “On average a company is down for three weeks following a malware attack,” notes Van der Beijl. “But it surprised us that the impact persists for so long afterwards. Psychological issues are still surfacing a year after the actual crisis.”
One of every seven employees involved in the attack, either directly or indirectly, exhibits severe enough symptoms several months later, at a level considered to be above the clinical threshold at which professional trauma treatment help is needed. One in five employees say they would actually have needed more professional help subsequently in coming to terms with the attack. One in three liked to have more knowledge and concrete tools to deal with the psychological effects of the attack.
A ransomware attack has enduring psychological effects on the way employees view the world. Two-thirds of employees, including those not actually involved in the attack, now believe the world is less safe. As one IT manager pointed out, “I’ve become far more suspicious. The outside world is a dangerous place.”
https://www.helpnetsecurity.com/2022/10/25/psychological-effects-ransomware/
7 Hidden Social Media Cyber Risks for Enterprises
Whether they use it to amplify the brand, recruit new employees, advertise new products, or even sell directly to consumers, corporate brands love social media.
According to recent figures, brand advertising on social media is up by 53% in the last year, and that's not accounting for further investments that brands are making in developing and distributing content. They're pushing viral videos, funny memes, podcasts, written material, and more to increase engagement with their customers.
And brands are doing it across not only the old reliable social networks like Facebook and Twitter, but also emerging platforms like TikTok. In fact, according to another recent study, in 2022 marketers are expanding their horizons, with their increased content investments focused on areas like live streaming, long-form and short-form video content, virtual reality and augmented reality content, experimental content, and live audio chat rooms. The top platforms they're focused on most for increasing spending are now TikTok, Instagram, YouTube, and LinkedIn.
With the broadening of these social-media marketing strategies comes more risk. Whether an organisation uses social media to amplify its brand, or its executives and employees leverage social channels to bolster their professional and personal brands, these marketing platforms are a breeding ground for a wide range of cyber attacks and scams, including in the areas of artificial intelligence, deepfakes, and biometrics.
Cyber criminals, fraudsters, spies, and activists work around the clock to take advantage of emerging attack surfaces that arise from enterprise use of social media. The article below presents just a few avenues that organisations may overlook when they double-down on their social media investments.
https://www.darkreading.com/application-security/7-hidden-social-media-cyber-risks-enterprises
54% of Staff Would Reconsider Working for a Firm That Had Experienced a Cyber Breach, Research Finds
Over half (54%) of office workers would reconsider working for a company that had recently experienced a cyber breach. That's according to a new study by cyber security technology provider, Encore.
An independent study of 100 C-level executives, 100 Chief Information Security Officers (CISOs) and 500 office workers in the US and the UK, conducted by Censuswide, sought to uncover the gap that remains between boards and security teams when it comes to addressing cyber demands.
Only a third (33%) of staff said they would be "completely unphased" if their employer suffered a cyber break-in. The majority (57%) of C-level executives polled said they have been breached in the last 12 months alone. Most office workers, however, were unaware, with only 39% believing their organisation had been the victim of a successful attack.
The immediate financial cost of a cyber-attack remains the number one concern for businesses, but security teams are learning that there is a long tail to these breaches, with employees at risk of losing faith in their company, its ethics and values and its overarching responsibilities to the general public. In a competitive market, this is a stark warning to businesses across the world. Keeping your staff in the dark about cyber risk is a fundamental error, not to mention the additional impact of delayed disclosure to customers.
41% of C-level executives polled named reputational damage as one of the biggest costs to their business following a cyber-attack, with 34% agreeing that loss of clientele or their trust was a significant cost.
Despite many admitting to suffering a cyber breach in the last year, the overwhelming majority (92%) of CISOs and C-level executives polled believe their business is secure at any given moment. Encore believes that a mindset shift is needed at an organisational level, treating cyber incidents and the security of employee and customer data as a fundamental part of normal business operations, not a function that sits on the outside, looking in.
Evolve as Fast as the Cyber Criminals: Protect Your Business Now, Before It’s Too Late
According to the 2022 Cyber Threat Report, 2021 saw a global average increase of 105% in the number of ransomware attacks. Proofpoint's 2022 State of the Phish report said that a staggering 82% of UK businesses that experienced a ransomware attack sent payment to the cyber criminals – believing this was the cheapest and easiest way to regain access to their data. However, in many cases criminals simply took the payment without restoring access and the organisation finds itself on criminal target lists as it has demonstrated that attacks pay off. Even when decryption keys are handed over it can take an extended period of time to restore data.
One attack, on a hospital in Dusseldorf, Germany, was implicated in the death of a patient who had to be diverted to an alternative site as the A&E department had been forced to close due to the loss of core computer systems. It appears that the attack had been misdirected, and the hackers – who were quickly apprehended by the police – handed over the encryption keys immediately when they realised what had happened. Nevertheless, the decryption process was slow. It began in the early hours of September 11 and by September 20 the hospital was still unable to add or retrieve information, or even send emails. 30 servers had been corrupted.
The methods and techniques required to conduct a cyber-attack have never been more accessible. Whether it is on the darknet or through open-source content, the ability to purchase material that allows a malicious user to conduct a cyber-attack is readily available. Conducting a ransomware attack and using it to extort money from companies and government services alike, is now viewed as a viable business model by organised criminals.
Enterprise Ransomware Preparedness Improving but Still Lacking
The majority of organisations have made ransomware preparedness a top-five business priority, yet only half believe their preparedness is stronger than it was two years ago. That is according to a recent survey, "The Long Road Ahead to Ransomware Preparedness" by Enterprise Strategy Group, a division of TechTarget.
Despite warnings and available preparedness resources, ransomware continues to distress companies. Seventy-nine percent of survey respondents said they suffered a successful attack within the last year, and 73% reported they had one or more attacks that caused negative financial impact or disrupted business operations in the same time period.
The good news is the board and the C-suite are finally getting the message that more needs to be done to address impending ransomware attempts. In fact, 79% of respondents said business leaders made ransomware preparedness a top business priority, and 82% of organisations plan to invest more in ransomware preparedness over the next 12 to 18 months.
With preparedness investments expected to grow, the survey asked how organisations currently tackle ransomware. Respondents said the most important prevention tactics involve efforts in the following:
network security (43%)
backup infrastructure security (40%)
endpoint security (39%)
email security (36%)
data encryption (36%)
Ongoing activities cited included data recovery testing, employee security awareness training, response readiness assessments, incident response functional exercises, penetration testing, incident planning and playbook development, phishing simulation programs, tabletop exercises, and blue/red/purple team engagements.
Why Are There So Many Data Breaches? A Growing Industry of Criminals is Brokering in Stolen Data
New details have emerged on the severity of the Australian Medibank hack, which has now affected all users. Optus, Medibank, Woolworths, and, last Friday, electricity provider Energy Australia are all now among the Australian household names that have fallen victim to a data breach.
If it seems like barely a week goes by without news of another incident like this, you would be right. Cyber crime is on the rise – seven major Australian businesses were affected by data breaches in the past month alone.
But why now? And who is responsible for this latest wave of cyber attacks?
In large part, the increasing number of data breaches is being driven by the growth of a global illicit industry that trades in your data. In particular, hackers known as “initial access brokers” specialise in illegally gaining access to victim networks and then selling this access to other cyber criminals.
Hackers and initial access brokers are just one part of a complex and diversifying cyber crime ecosystem. This ecosystem contains various cyber criminal groups who increasingly specialise in one particular aspect of online crime and then work together to carry out the attacks.
Ransomware attacks are complex, involving up to nine different stages. These include gaining access to a victim’s network, stealing data, encrypting a victim’s network, and issuing a ransom demand. Increasingly, these attacks are carried out not by lone cyber criminal groups, but rather by networks of different cyber crime groups, each of which specialises in a different stage of the attack.
Initial access brokers will often carry out the first stage of a ransomware attack. Described by Google’s Threat Analysis Group as “the opportunistic locksmiths of the security world”, it’s their job to gain access to a victim’s network.
How The "pizza123" Password Could Take Down an Organisation
Criminal hackers took responsibility for a recent FastCompany breach, saying they exploited an easily guessed default password, "pizza123." The business magazine reused the weak password across a dozen WordPress accounts, according to the hackers, who described the attack in their own article on FastCompany.com before the publication took the site down.
The breach, the bitter taste of pizza123, and the plight of malicious push notifications, demand caution when selecting and managing passwords.
The hackers claimed to have used the vulnerable password pizza123 to access authentication tokens, Apple News API keys, and Amazon Simple Email Service (SES) tokens. Then they sent offensive push notifications to the home screens of subscribers of the FastCompany channel on the Apple News service.
After decades of investment in sculpting the organisation's brand image, a business can watch its reputation flounder in the face of an obscene push notification. The sentiment of millions of faithful customers can turn sour in an instant. By the time organisations block the messages and make public apologies, the harm is done.
Customers can swap to a competitor, or even sue for the offence when they have entrusted a publisher to provide safe content. Regulatory bodies can fine organisations. The company can spend time and money defending itself in court and restoring its image. But malicious push notifications can do a lot worse than offend customers—criminal hackers can load messages with malware and infect consumer devices, leading to privacy violations and consumer financial fraud.
People often build passwords using the first word that comes to mind and a brief series of numbers. Pizza123 is a perfect example of an easy-to-guess password. Employees will create passwords already appearing on breached password lists. Criminal hackers use brute force attacks to confirm working passwords from the same lists.
Nearly two-thirds of employees reuse their passwords. The more they reuse them across business and personal accounts, the more likely criminal hackers will breach them and test them on the organisation. Hackers know to try the same passwords on different companies they hack because of password reuse.
Robust password management enables fine-grained password policies and policy customisation. With a custom password policy, organisations can increase complexity requirements, like length and previous-password change minimums. A custom password policy with increased complexity requirements will block 95% of weak and breached passwords.
Password length is a particularly critical component of strong passwords. Ninety-three percent of the passwords used in brute force attacks include eight or more characters. A custom password policy can require a minimum password length, decreasing password entropy.
Threats
Ransomware and Extortion
SonicWall: Ransomware down this year, but there’s a catch • The Register
Health insurer Medibank's infosec diagnosis is getting worse • The Register
Microsoft links Raspberry Robin worm to Clop ransomware attacks (bleepingcomputer.com)
How to detect Windows worm that now distributes ransomware • The Register
Ransomware Barrage Aimed at US Healthcare Sector, Feds Warn (darkreading.com)
BlackByte ransomware affiliate also steals victims' data • The Register
Cuba ransomware affiliate targets Ukraine, CERT-UA warns - Security Affairs
OldGremlin Ransomware Fierce Comeback Against Russian Targets (informationsecuritybuzz.com)
CISA warns of ransomware attacks on healthcare providers (techtarget.com)
Ransom Cartel - REvil Rebrand? (informationsecuritybuzz.com)
Addressing Ransomware in Hospitals & Medical Devices (trendmicro.com)
Australian Clinical Labs says patient data stolen in ransomware attack (bleepingcomputer.com)
Vice Society Hackers Confess To Education Sector Ransomware Attacks (informationsecuritybuzz.com)
Why Ransomware in Education on the Rise and What That Means for 2023 (thehackernews.com)
Largest EU copper producer Aurubis suffers cyber attack, IT outage (bleepingcomputer.com)
Hive Ransomware Hackers Begin Leaking Data Stolen from Tata Power Energy Company (thehackernews.com)
Ransomware Gangs Ramp Up Industrial Attacks in US (darkreading.com)
Phishing & Email Based Attacks
Other Social Engineering; Smishing, Vishing, etc
Social engineering attacks anybody could fall victim to - Help Net Security
Twilio Says Employees Targeted in Separate Smishing, Vishing Attacks | SecurityWeek.Com
Malware
Threat Groups Repurpose Banking Trojans into Backdoors (darkreading.com)
Types of cloud malware and how to defend against them (techtarget.com)
Chrome extensions with 1 million installs hijack targets’ browsers (bleepingcomputer.com)
Hackers use Microsoft IIS web server logs to control malware (bleepingcomputer.com)
Mobile
Internet of Things – IoT
IoT Fingerprinting Helps Authenticate and Secure All Those Devices (darkreading.com)
IoT security strategy from enterprises using connected devices | Network World
Your CCTV devices can be hacked and weaponized - Help Net Security
Data Breaches/Leaks
Thomson Reuters leaked at least 3TB of sensitive data | Cybernews
See Tickets discloses 2.5 years-long credit card theft breach (bleepingcomputer.com)
Twilio discloses another hack from June, blames voice phishing (bleepingcomputer.com)
Organised Crime & Criminal Actors
Ukrainian charged for operating Raccoon Stealer malware service (bleepingcomputer.com)
Interpol says metaverse opens up new world of cyber crime | Reuters
From Bounty to Exploit Observations About Cyber criminal Contests (trendmicro.com)
Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain
Purpleurchin: Cryptocurrency miners scour GitHub, Heroku • The Register
Cryptomining campaign abused free GitHub account trials (techtarget.com)
Insider Risk and Insider Threats
Fraud, Scams & Financial Crime
Dealers Report Dramatic Increase in Identity Fraud: Most Lack Effective Protection (darkreading.com)
LinkedIn Releases New Security Features To Combat Fraud (informationsecuritybuzz.com)
Beware Of SCAMS As Cost Of Living Bites Finances, Expert Comments (informationsecuritybuzz.com)
Insurance
Health insurer Medibank's infosec diagnosis is getting worse • The Register
Cyber Insurance Market 2022: FAQs & Updates with iBynd (trendmicro.com)
Dark Web
Notorious ‘BestBuy’ hacker arraigned for running dark web market (bleepingcomputer.com)
Student arrested for running one of Germany’s largest dark web markets (bleepingcomputer.com)
British hacker arraigned for running The Real Deal dark web marketplace - Security Affairs
Software Supply Chain
How the Software Supply Chain Security is Threatened by Hackers (thehackernews.com)
Open Source Is Just the Tip of the Iceberg in Software Supply Chain Security (darkreading.com)
Consumer behaviours are the root of open source risk - Help Net Security
Denial of Service DoS/DDoS
Key observations on DDoS attacks in H1 2022 - Help Net Security
Meet the Windows servers that have been fuelling massive DDoSes for months | Ars Technica
Cloud/SaaS
Everything you Need to Know about Cloud Hacking and its Methodologies (analyticsinsight.net)
Top Cloud Security Challenges & How to Beat Them (trendmicro.com)
Atlassian Vulnerabilities Highlight Criticality of Cloud Services (darkreading.com)
Threat Actors Target AWS EC2 Workloads to Steal Credentials (trendmicro.com)
Cloud and Hybrid Working Security Concerns Surge - Infosecurity Magazine (infosecurity-magazine.com)
4 Reasons Open Source Matters for Cloud Security (darkreading.com)
Cloud Providers Throw Their Weight Behind Confidential Computing (darkreading.com)
Hybrid Working
Balancing remote work privacy vs. productivity monitoring (techtarget.com)
Cloud and Hybrid Working Security Concerns Surge - Infosecurity Magazine (infosecurity-magazine.com)
Attack Surface Management
Attack Surface Management 2022 Midyear Review Part 2 (trendmicro.com)
Asset risk management: Getting the basics right - Help Net Security
Encryption
New Critical Vuln In Component That Allow Encryption Across Internet - (informationsecuritybuzz.com)
API
Open Source
Open Source Is Just the Tip of the Iceberg in Software Supply Chain Security (darkreading.com)
4 Reasons Open Source Matters for Cloud Security (darkreading.com)
Passwords, Credential Stuffing & Brute Force Attacks
Why it's time to expire mandatory password expiration policies (techtarget.com)
Feds say Ukrainian man running malware service amassed 50M unique credentials | Ars Technica
Biometrics
Social Media
LinkedIn Phishing Spoof Bypasses Google Workspace Security (darkreading.com)
LinkedIn's new security features combat fake profiles, threat actors (bleepingcomputer.com)
Cyber security event cancelled after scammers disrupt LinkedIn live chat (bitdefender.com)
Expert Opinion: What Does Musk's Takeover Mean For Cyber security? (informationsecuritybuzz.com)
Cyber attackers Target Instagram Users With Threats of Copyright Infringement (darkreading.com)
Cyber Bullying, Cyber Stalking and Sextortion
Regulations, Fines and Legislation
Data Protection
Law Enforcement Action and Take Downs
Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine
Ukraine: Russian cyber attacks aimless and opportunistic (techtarget.com)
Unknown Actors are Deploying RomCom RAT to Target Ukrainian Military (thehackernews.com)
Slovak, Polish Parliaments Hit by Cyber attacks | SecurityWeek.Com
Cuba ransomware affiliate targets Ukraine, CERT-UA warns - Security Affairs
Ukraine Warns of Cuba Ransomware Attacks - Infosecurity Magazine (infosecurity-magazine.com)
Nation State Actors
Nation State Actors – Russia
Russia says Starlink satellites could become military target • The Register
Calls for inquiry mount after reports that Truss’s phone was hacked | Financial Times
OldGremlin Ransomware Fierce Comeback Against Russian Targets (informationsecuritybuzz.com)
Nation State Actors – China
Chinese Connected Cyber Crew Unleashes Disinformation Campaign Ahead of US Elections - MSSP Alert
Federal bans don't stop US states from buying Chinese kit • The Register
Nation State Actors – North Korea
Nation State Actors – Iran
Vulnerabilities
OpenSSL to fix the second critical flaw ever - Security Affairs
Urgent: Google Issues Emergency Patch for Chrome Zero-Day (darkreading.com)
ConnectWise fixes RCE bug exposing thousands of servers to attacks (bleepingcomputer.com)
Apple megaupdate: Ventura out, iOS and iPad kernel zero-day – act now! – Naked Security (sophos.com)
Windows Mark of the Web Zero-Days Remain Patchless, Under Exploit (darkreading.com)
22-Year-Old Vulnerability Reported in Widely Used SQLite Database Library (thehackernews.com)
Cisco warns admins to patch AnyConnect flaws exploited in attacks (bleepingcomputer.com)
Exploit released for critical VMware RCE vulnerability, patch now (bleepingcomputer.com)
Cisco Confirms In-the-Wild Exploitation of Two VPN Vulnerabilities | SecurityWeek.Com
Incoming OpenSSL critical fix: Organisations, users, get ready! - Help Net Security
Cisco Users Informed of Vulnerabilities in Identity Services Engine | SecurityWeek.Com
VMware fixes critical RCE in VMware Cloud Foundation - Security Affairs
VMware Patches Critical Vulnerability in End-of-Life Product | SecurityWeek.Com
Multiple vulnerabilities affect the Juniper Junos OS - Security Affairs
Other News
Cyber Security Risks & Stats This Spooky Season (darkreading.com)
Cyber Certification Skills Are For Life, Not Just For Linkedin (informationsecuritybuzz.com)
Implementing Defence in Depth to Prevent and Mitigate Cyber Attacks (thehackernews.com)
Cyber security’s importance and impact reaches all levels of the tech workforce - Help Net Security
Stress Is Driving Cyber Security Professionals to Rethink Roles (darkreading.com)
Equifax's Lessons Are Still Relevant, 5 Years Later (darkreading.com)
Why dark data is a growing danger for corporations - Help Net Security
Know the dangers you're facing: 4 notable TTPs used by cyber criminals worldwide - Help Net Security
Sector Specific
Industry specific threat intelligence reports are available.
Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.
· Automotive
· Construction
· Critical National Infrastructure (CNI)
· Defence & Space
· Education & Academia
· Energy & Utilities
· Estate Agencies
· Financial Services
· FinTech
· Food & Agriculture
· Gaming & Gambling
· Government & Public Sector (including Law Enforcement)
· Health/Medical/Pharma
· Hotels & Hospitality
· Insurance
· Legal
· Manufacturing
· Maritime
· Oil, Gas & Mining
· OT, ICS, IIoT, SCADA & Cyber-Physical Systems
· Retail & eCommerce
· Small and Medium Sized Businesses (SMBs)
· Startups
· Telecoms
· Third Sector & Charities
· Transport & Aviation
· Web3
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Threat Briefing 12 August 2022
Black Arrow Cyber Threat Briefing 12 August 2022
-Three Ransomware Gangs Consecutively Attacked the Same Network
-As The Cost of Cyber Insurance Rises, The Number of Organisations Who Can’t Afford It Is Set to Double
-Identity Cyber Attacks, Microsoft 365 Dominate Cybersecurity Incidents, Expel Research Finds
-Exploit Activity Surges 150% in Q2 Thanks to Log4Shell
-Ransomware Is Not Going Anywhere: Attacks Are Up 24%
-Email Is the Single Biggest Threat to Businesses, And Here’s What You Can Do About It
-Realtek SDK Vulnerability Exposes Routers from Many Vendors to Remote Attacks
-Most Companies Are at An Entry-Level When It Comes to Cloud Security
-The Impact of Exploitable Misconfigurations on Network Security
-Industrial Spy Ransomware: New Threat Group Emerges to Exfiltrate Data, Extort Victims
-UK NHS Service Recovery May Take a Month After MSP Ransomware Attack
-A Single Flaw Broke Every Layer of Security in MacOS
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
Three Ransomware Gangs Consecutively Attacked the Same Network
Hive, LockBit and BlackCat, three prominent ransomware gangs, consecutively attacked the same network, according to Sophos. The first two attacks took place within two hours, and the third attack took place two weeks later. Each ransomware gang left its own ransom demand, and some of the files were triple encrypted.
It’s bad enough to get one ransomware note, let alone three. Multiple attackers create a whole new level of complexity for recovery, particularly when network files are triple encrypted. Cyber security that includes prevention, detection and response is critical for organisations of any size and type—no business is immune.
The “Multiple Attackers: A Clear and Present Danger” whitepaper further outlines additional cases of overlapping cyber attacks, including cryptominers, remote access trojans (RATs) and bots. In the past, when multiple attackers have targeted the same system, the attacks usually occurred across many months or multiple years. The attacks described in Sophos’ whitepaper took place within days or weeks of each other—and, in one case, simultaneously—often with the different attackers accessing a target’s network through the same vulnerable entry point.
Typically, criminal groups compete for resources, making it more difficult for multiple attackers to operate simultaneously. Cryptominers normally kill their competitors on the same system, and today’s RATs often highlight bot killing as a feature on criminal forums. However, in the attack involving the three ransomware groups, for example, BlackCat—the last ransomware group on the system—not only deleted traces of its own activity, but also deleted the activity of LockBit and Hive.
In another case, a system was infected by LockBit ransomware. Then, about three months later, members of Karakurt Team, a group with reported ties to Conti, was able to leverage the backdoor LockBit created to steal data and hold it for ransom.
https://www.helpnetsecurity.com/2022/08/09/ransomware-gangs-attacks/
As The Cost of Cyber Insurance Rises, The Number of Organisations Who Can’t Afford It Is Set to Double
The number of organisations that will be either unable to afford cyber insurance, be declined cover, or experience significant coverage limitations is set to double in 2023, according to Huntsman Security.
Even for those insured, the perfect storm of ongoing attacks, tightening regulations and growing financial pressures is making it more likely that any attack on an organisation will leave it exposed.
Factors like the supply chain crisis, inflation and skill shortages are all adding to the difficulty for organisations trying to execute on their cyber security strategy. At the same time, increases in insurance premiums, limits on coverage, increasing underwriting rigour, and capacity constraints are all limiting the accessibility of cyber insurance, for many.
Loss ratios will not improve until premium incomes better match the current level of pay-outs. With this reduced insurance access alongside increasing cyber threats and tightening regulations, many organisations are losing cyber insurance as an important risk management tool. Even those who can still get insurance are paying a prohibitively high cost.
With a third of UK firms subject to cyber attacks at least once a week, cyber insurance as part of overall risk management is crucial. To bridge this accessibility gap insurers are seeking to improve the quality of risk information, so premiums better reflect the true cost of that risk. Unless organisations can demonstrate they have insurers’ specified controls in place to manage their security risks, insurers will continue to have difficulty quantifying that risk. It’s for these reasons that insurers have changed the basis upon which their products are offered to reflect the risk being underwritten more accurately.
In this environment, improving and demonstrating the effectiveness of security controls will now be essential: both for organisations looking to improve their cyber resilience and oversight while enhancing their eligibility for insurers, and for insurers who need to minimise their own exposure by ensuring the accuracy of their risk pricing process.
https://www.helpnetsecurity.com/2022/08/11/afford-cyber-insurance/
Identity Cyber Attacks, Microsoft 365 Dominate Cyber Security Incidents, Expel Research Finds
Identity-based cyber attacks (including credential theft, credential abuse and long-term access key theft) accounted for 56% of all incidents in Q2 of 2022, and Microsoft 365 remained the prime target for SaaS attacks, according to Expel’s Quarterly Threat Report.
Among the key findings:
Business email compromise (BEC) and business application compromise (BAC) access to application data represented 51% of all incidents.
Identity-based attacks in popular cloud environments like Amazon Web Services (AWS) accounted for 5%.
Ransomware groups change tactics, with threat groups and their affiliates all but abandoning the use of Visual Basic for Application (VBA) macros and Excel 4.0 macros to gain initial entry to Windows-based environments. In Q1, a macro-enabled Microsoft Word document (VBA macro) or Excel 4.0 macro was the initial attack vector in 55% of all pre-ransomware incidents. In Q2, that figure fell sharply to 9%. Instead, ransomware operators opted to use disk image (ISO), short-cut (LNK) and HTML application (HTA) files to gain initial entry.
Cloud attacks are becoming more sophisticated, with 14% of identity attacks against cloud identity providers tackling the multi-factor authentication (MFA) requirement by continuously sending push notifications.
Microsoft 365 is a common threat target, with BEC in Microsoft Office 365 (O365) remaining the top threat to organisations in Q2. 45% of all Q2 incidents were BEC attempts in O365. No BEC attempts were identified in Google Workspaces. 19% of BEC attempts bypassed MFA in O365 using legacy protocols, a 16% increase of compared to Q1.
Exploit Activity Surges 150% in Q2 Thanks to Log4Shell
Detections of malware events, botnet activity and exploits all increased significantly in the second quarter of 2022, according to new data from Nuspire.
The managed security services provider (MSSP) gathered the data from its endpoint detection and response (EDR) and managed detection and response (MDR) tools to produce its Q2 2022 Quarterly Threat Report.
The company recorded an increase in malware events of over 25%, a doubling of botnet detections and a rise in exploit activity of 150% versus the first quarter.
Botnet activity in particular surged towards the end of Q2, thanks to the Torpig Mebroot botnet – a banking trojan designed to scrape credit card and payment information from infected devices, the report revealed. Nuspire claimed it is particularly difficult to detect and remove, because it targets a machine’s master boot record.
It attributed much of the surge in exploit activity to the persistent threat posed by the Log4j bugs discovered at the end of December 2021. At the time, experts warned that the ubiquity of the utility, and the difficulty many organisations have in finding all instances of the CVE due to complex Java dependencies, means it may be exploited for years.
https://www.infosecurity-magazine.com/news/exploit-activity-150-q2-log4shell/
Ransomware Is Not Going Anywhere: Attacks Are Up 24%
Avast released a report revealing a significant increase in global ransomware attacks, up 24% from Q1/2022. Researchers also uncovered a new zero-day exploit in Chrome, as well as signals of how cyber criminals are preparing to move away from macros as an infection vector.
After months of decline, global ransomware attacks increased significantly in Q2/2022, up 24% from the previous quarter. The highest quarter-on-quarter increases in ransomware risk ratio occurred in Argentina (+56%), UK (+55%), Brazil (+50%), France (+42%), and India (+37%).
Businesses and consumers should be on guard and prepared for encounters with ransomware, as the threat is not going anywhere anytime soon.
The decline in ransomware attacks observed in Q4/2021 and Q1/2022 were thanks to law enforcement agencies busting ransomware group members, and caused by the war in Ukraine, which also led to disagreements within the Conti ransomware group, halting their operations. Things dramatically changed in Q2/2022. Conti members have now branched off to create new ransomware groups, like Black Basta and Karakurt, or may join other existing groups, like Hive, BlackCat, or Quantum, causing an uptick in activity.
https://www.helpnetsecurity.com/2022/08/12/increase-ransomware-attacks/
Email Is the Single Biggest Threat to Businesses, And Here’s What You Can Do About It
Email remains one of the most popular methods of communication, particularly for business communications. There were 316.9 billion emails sent and received every day in 2021, and this is set to increase to 376.4 billion by 2025. But despite the scale of its use and how much people exchange confidential information over email, it is not a secure system by design.
Consequently, email is a major attack vector for organisations of all sizes. Deloitte found that 91% of all cyber attacks originate from a phishing email (an email that attempts to steal money, identity or personal information through a spoof website link that looks legitimate). The cost to organisations can be catastrophic with the National Cyber Security Centre (NCSC) reporting in August 2021 that phishing email attacks had cost UK organisations more than £5 million in the past 13 months.
It’s not enough for individuals to create complex passwords or rely on the security services of their email provider. Spam filters are not enough to stop malicious emails creeping into inboxes. Fortunately, safeguarding your emails with enterprise-grade email security doesn’t have to cost the earth or be hard to integrate so businesses of any size can protect themselves.
Realtek SDK Vulnerability Exposes Routers from Many Vendors to Remote Attacks
A serious vulnerability affecting the embedded Configurable Operating System (eCos) software development kit (SDK) made by Taiwanese semiconductor company Realtek could expose the networking devices of many vendors to remote attacks.
The security hole, tracked as CVE-2022-27255 and rated ‘high severity’, has been described as a stack-based buffer overflow that can allow a remote attacker to cause a crash or achieve arbitrary code execution on devices that use the SDK. An attack can be carried out through the wide area network (WAN) interface using specially crafted session initiation protocol (SIP) packets.
The Realtek eCos SDK is provided to companies that manufacture routers, access points and repeaters powered by RTL819x family SoCs. The SDK implements the base functionalities of the router, including the web administration interface and the networking stack. Vendors can build on top of this SDK to add custom functionality and their branding to the device.
Realtek informed customers about the eCos SDK vulnerability in March, when it announced the availability of a patch. However, it’s up to the original equipment manufacturer (OEM) using the SDK to ensure that the patch is distributed to end-user devices.
The vulnerability can be exploited remotely — directly from the internet — to hack affected routers running with default settings. No user interaction is required for successful exploitation.
https://www.securityweek.com/realtek-sdk-vulnerability-exposes-routers-many-vendors-remote-attacks
Most Companies Are at An Entry-Level When It Comes to Cloud Security
Ermetic released a study by Osterman Research that found 84% of respondents were at an entry-level (one or two rating, with four being the highest) in terms of their cloud security capabilities.
The study found that only 16% ranked on the Ermetic Cloud Security Model at the top two levels, and 80% of companies said they lack a dedicated security team responsible for protecting cloud resources from threats.
“One of the most unexpected findings that emerged from this study was the lack of cloud security maturity among the largest enterprises surveyed,” said the author of the report. “Less than 10% of companies with more than 10,000 employees reported being at the top two maturity levels, while nearly 20% of smaller enterprises have achieved repeatable or automated & integrated cloud security capabilities.”
The report shows why new cloud data breaches are being reported all the time. Multi-cloud deployments, plus low investment in security, does not make for a good combination.
The new frontiers of cyber security, such as cloud security or internet of things (IoT) security are often at early stages of maturity. Organisations that are mature in their IT and data centre security are already overwhelmed and stretched thin and that’s why automation and simplification will help organisations accelerate their maturity in areas like cloud security.
There’s a mistaken belief that cloud computing environments inherently have security built-in — they don’t.
The Impact of Exploitable Misconfigurations on Network Security
Network professionals feel confident with their security and compliance practices but data suggests that they also leave their organisations open to risk, which is costing a significant amount of revenue, according to Titania.
In addition, some businesses are not minimising their attack surface effectively. Companies are prioritising firewall security and chronicle a fast time to respond to misconfigurations when detected in annual audits. However, switches and routers are only included in 4% of audits and these devices play a vital role in reducing an organisation’s attack surface and preventing lateral movement across the network.
Respondents also indicated that financial resources allocated to mitigating network configuration, which currently stands around 3.4% of the total IT budget, and a lack of accurate automation are limiting factors in misconfiguration risk management.
The study, which surveyed 160 senior cyber security decision-makers revealed:
Misconfigurations cost organisations millions, up to 9% of their annual revenue but the true cost is likely to be higher.
Compliance is a top priority, with 75% of organisations across all sectors saying their business relies on compliance to deliver security. Whilst almost every organisation reported that it is meeting its security and compliance requirements, this is at odds with a number of the other findings from the survey and other reports that show a decline in organisations maintaining full compliance with regulated data security standards.
Remediation prioritisation is a challenge. 75% said their network security tools meant they could categorise and prioritise compliance risks ‘very effectively’. However, 70% report difficulties prioritising remediation based on risk and also claim inaccurate automation as the top challenges when meeting security and compliance requirements.
Routers and switches are mostly overlooked. 96% of organisations prioritise the configuration and auditing of firewalls, but not routers or switches. This leaves these devices exposed to potentially significant and unidentified risks.
https://www.helpnetsecurity.com/2022/08/12/impact-exploitable-misconfigurations-network-security/
Industrial Spy Ransomware: New Threat Group Emerges to Exfiltrate Data, Extort Victims
A new ransomware group dubbed Industrial Spy that first emerged in April 2022 is specialising in exfiltration and double extortion tactics and has the potential to do significant damage, Zscaler’s threat tracking team said.
The threat crew has shown that it possesses the capability to breach organisations and have been “actively adding unencrypted data from two or three victims every month,” Zscaler said. In some instances, the threat group appears to only exfiltrate and ransom data. In other cases, they encrypt, exfiltrate and ransom the data, the cloud security provider said.
At this point, it’s not clear who’s behind the threat entry or if it’s nation-state affiliated. The group started as a data extortion marketplace where criminals could buy large companies’ internal data, promoting the marketplace through Readme.txt files downloaded using malware downloaders.
In May, 2022, the threat group introduced their own ransomware to create double extortion attacks that combine data theft with file encryption.
What you need to know:
Industrial Spy started by ransoming stolen data and more recently has combined these attacks with ransomware.
The threat group exfiltrates and sells data on their dark web marketplace, but does not always encrypt a victim’s files.
The ransomware utilises a combination of RSA and 3DES to encrypt files.
Industrial Spy lacks many common features present in modern ransomware families.
The Industrial Spy ransomware family is relatively basic, and parts of the code appear to be in development.
UK NHS Service Recovery May Take a Month After MSP Ransomware Attack
Managed service provider (MSP) Advanced confirmed that a ransomware attack on its systems disrupted emergency services (111) from the United Kingdom's National Health Service (NHS). Customers of seven solutions from the British MSP have been impacted either directly or indirectly, the company said. The first has stated it could take a month to recover systems to full service.
The ransomware attack started to disrupt Advanced systems on Thursday, August 4 and was identified around 7 AM. It caused a major outage to NHS emergency services across the UK.
Advanced did not disclose the ransomware group behind the attack but said that it took immediate action to mitigate the risk and isolated Health and Care environments where the incident was detected. The company is working with forensic experts from Microsoft (DART) and Mandiant, who are also helping bring the affected systems back online securely and with added defences:
Implementing additional blocking rules and further restricting privileged accounts for Advanced staff
Scanning all impacted systems and ensuring they are fully patched
Resetting credentials
Deploying additional endpoint detection and response agents
Conducting 24/7 monitoring
After implementing the security measures above, Advanced said it would restore connectivity to its environments and assist customers to gradually reconnect safely and securely.
A Single Flaw Broke Every Layer of Security in MacOS
Every time you shut down your Mac, a pop-up appears: “Are you sure you want to shut down your computer now?” Nestled under the prompt is another option most of us likely overlook: the choice to reopen the apps and windows you have open now when your machine is turned back on. Researchers have now found a way to exploit a vulnerability in this “saved state” feature—and it can be used to break the key layers of Apple’s security protections.
The vulnerability, which is susceptible to a process injection attack to break macOS security, could allow an attacker to read every file on a Mac or take control of the webcam. It's basically one vulnerability that could be applied to three different locations.
https://www.wired.com/story/a-single-flaw-broke-every-layer-of-security-in-macos/
Threats
Ransomware
Cisco hacked by Yanluowang ransomware gang, 2.8GB allegedly stolen (bleepingcomputer.com)
Ransomware, email compromise are top security threats, but deepfakes increase | CSO Online
Feds: Zeppelin Ransomware Resurfaces with New Compromise, Encryption Tactics | Threatpost
Black Basta: New ransomware threat aiming for the big league | CSO Online
Could criminalizing ransomware payments put a stop to the current crime wave? - Help Net Security
7-Eleven Denmark confirms ransomware attack behind store closures (bleepingcomputer.com)
Update: Colosseum Dental Benelux pays ransom to threat actors (databreaches.net)
SolidBit Ransomware Group Recruiting New Affiliates on Dark Web - Infosecurity Magazine
Fears for patient data after ransomware attack on NHS software supplier | NHS | The Guardian
US reveals 'Target' pic of Conti man with $10m reward offer • The Register
Organisations would like the government to help with ransomware demand costs - Help Net Security
Hacker uses new RAT malware in Cuba Ransomware attacks (bleepingcomputer.com)
Maui ransomware linked to North Korean group Andariel • The Register
How to Stop Zeppelin Ransomware Attacks: CISA, FBI Mitigation Guidance - MSSP Alert
Novel Ransomware Comes to the Sophisticated SOVA Android Banking Trojan (darkreading.com)
US govt will pay you $10 million for info on Conti ransomware members (bleepingcomputer.com)
Phishing & Email Based Attacks
Other Social Engineering; SMishing, Vishing, etc
Hackers Behind Twilio Breach Also Targeted Cloudflare Employees (thehackernews.com)
SMS phishing nabs Twilio employee credentials, allowed access customer data (scmagazine.com)
Malware
Emotet Tops List of July's Most Widely Used Malware - Infosecurity Magazine
Microsoft blocks UEFI bootloaders enabling Windows Secure Boot bypass (bleepingcomputer.com)
Mobile
Google researchers dissect Android spyware, zero days (techtarget.com)
Novel Ransomware Comes to the Sophisticated SOVA Android Banking Trojan (darkreading.com)
Xiaomi Phones with MediaTek Chips Found Vulnerable to Forged Payments (thehackernews.com)
Hackers install Dracarys Android malware using modified Signal app (bleepingcomputer.com)
Internet of Things – IoT
The Time Is Now for IoT Security Standards (darkreading.com)
Introducing the book: If It's Smart, It's Vulnerable - Help Net Security
Organised Crime & Criminal Actors
Cisco hacked by access broker with Lapsus$ ties (techtarget.com)
New dark web markets claim association with criminal cartels (bleepingcomputer.com)
Dark Utilities C2 service draws thousands of cyber criminals • The Register
Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain
Email marketing firm hacked to steal crypto-focused mailing lists (bleepingcomputer.com)
Swan Bitcoin Discloses Data Leak Due to Phishing Attack on Newsletter Provider - Decrypt
Phishers Swim Around 2FA in Coinbase Account Heists | Threatpost
Crypto and the US government are headed for a decisive showdown | Ars Technica
Cameo’s CEO fell victim to the latest Bored Ape NFT heist - The Verge
Fraud, Scams & Financial Crime
“Hi Mum” Phishing Scam Swindles Unsuspecting Parents (informationsecuritybuzz.com)
How hackers are stealing credit cards from classifieds sites (bleepingcomputer.com)
AML/CFT/Sanctions
US Sanctions Crypto 'Laundering' Service Tornado | SecurityWeek.Com
Virtual Currency Platform ‘Tornado Cash’ Accused of Aiding APTs | Threatpost
Greece Flies Russian Money Launderer to US: Lawyer | SecurityWeek.Com
Insurance
BlackBerry Study: Most SMBs Have Less Than $600K in Ransomware Coverage - MSSP Alert
Number Of Firms Unable To Access Cyber-Insurance Set To Double (informationsecuritybuzz.com)
Australian court finds insurer not liable for ransomware clean-up costs - Security - iTnews
Cloud/SaaS
Implementing zero trust for a secure hybrid working enterprise - Help Net Security
How to Clear Security Obstacles and Achieve Cloud Nirvana (darkreading.com)
Why SAP systems need to be brought into the cyber security fold - Help Net Security
Open Source
Social Media
Facebook's Metaverse is Expanding the Attack Surface (trendmicro.com)
Meta's chatbot says the company 'exploits people' - BBC News
Facebook’s In-app Browser on iOS Tracks ‘Anything You Do on Any Website’ | Threatpost
Training, Education and Awareness
Privacy
Travel
Parental Controls and Child Safety
Predator Pleads Guilty After Targeting Thousands of Young Girls Online - Infosecurity Magazine
Online sexual blackmail of primary school children surges since lockdown (telegraph.co.uk)
Models, Frameworks and Standards
Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine
Russia's digital attacks are haphazard, chaotic, says top Ukrainian cyber official - CyberScoop
Cyberspying Aimed at Industrial Enterprises in Russia and Ukraine Linked to China | SecurityWeek.Com
Killnet Releases 'Proof' of its Attack Against Lockheed Martin | SecurityWeek.Com
Meta Cracks Down on Cyber Espionage Operations in South Asia Abusing Facebook (thehackernews.com)
Ex Twitter employee found guilty of spying for Saudi Arabia - Security Affairs
Ex-CIA security boss predicts coming crackdown on spyware • The Register
Nation State Actors
Nation State Actors – Russia
Russia Is Escalating Ukraine Hacking, Black Hat Research Says (gizmodo.com)
Russian invasion has destabilized cyber security norms • The Register
Russia-Ukraine Conflict Holds Cyberwar Lessons (darkreading.com)
Industroyer2: How Ukraine avoided another blackout attack (techtarget.com)
Nation State Actors – China
China-linked spies used six backdoors to steal defence info • The Register
Mandiant researchers uncover significant new disinformation campaign (securitybrief.co.nz)
Stats say Chinese researchers are not deterred by China's vulnerability law (scmagazine.com)
Chinese scammers target kids with promise of extra gaming • The Register
Chinese hackers backdoor chat app with new Linux, macOS malware (bleepingcomputer.com)
Nation State Actors – North Korea
Vulnerabilities
Microsoft Patches ‘Dogwalk’ Zero-Day and 17 Critical Flaws | Threatpost
Cisco Patches High-Severity Vulnerability Affecting ASA and Firepower Solutions (thehackernews.com)
Yet another Microsoft RCE bug under active exploit • The Register
Palo Alto Networks: New PAN-OS DDoS flaw exploited in attacks (bleepingcomputer.com)
CISA adds UnRAR and Windows flaws to Known Exploited Vulnerabilities Catalog - Security Affairs
Zimbra auth bypass bug exploited to breach over 1,000 servers (bleepingcomputer.com)
Researchers Debut Fresh RCE Vector for Common Google API Tool (darkreading.com)
Surge in CVEs as Microsoft Fixes Exploited Zero Day Bugs - Infosecurity Magazine
Risky Business: Enterprises Can’t Shake Log4j flaw - Security Affairs
Three flaws allow attackers to bypass UEFI Secure Boot feature - Security Affairs
Windows devices with newest CPUs are susceptible to data damage (bleepingcomputer.com)
Critical Flaws Disclosed in Device42 IT Asset Management Software (thehackernews.com)
Cisco fixed a flaw in ASA, FTD devices that can give access to RSA private key - Security Affairs
Organisations Warned of Critical Vulnerabilities in NetModule Routers | SecurityWeek.Com
4 Flaws, Other Weaknesses Undermine Cisco ASA Firewalls (darkreading.com)
New vulnerability in AMD Ryzen CPUs could seriously jeopardize performance | TechRadar
ÆPIC Leak: Architectural Bug in Intel CPUs Exposes Protected Data | SecurityWeek.Com
Microsoft Paid $13.7 Million via Bug Bounty Programs Over Past Year | SecurityWeek.Com
Sector Specific
Industry specific threat intelligence reports are available.
Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.
· Automotive
· Construction
· Critical National Infrastructure (CNI)
· Defence & Space
· Education & Academia
· Energy & Utilities
· Estate Agencies
· Financial Services
· FinTech
· Food & Agriculture
· Gaming & Gambling
· Government & Public Sector (including Law Enforcement)
· Health/Medical/Pharma
· Hotels & Hospitality
· Insurance
· Legal
· Manufacturing
· Maritime
· Oil, Gas & Mining
· OT, ICS, IIoT, SCADA & Cyber-Physical Systems
· Retail & eCommerce
· Small and Medium Sized Businesses (SMBs)
· Startups
· Telecoms
· Third Sector & Charities
· Transport & Aviation
· Web3
Other News
Microsoft 365 outage triggered by Meraki firewall false positive (bleepingcomputer.com)
Why VPN no longer has a place in a secure work environment | TechRadar
VMware: The threat of lateral movement is growing (techtarget.com)
5 key things learned from CISOs of smaller enterprises survey - Help Net Security
Stolen credentials are the most common attack vector companies face - Help Net Security
Your cyber security staff are burned out - and many have thought about quitting | ZDNet
Researchers Use ‘Invisible Finger’ to Remotely Control Touchscreens (vice.com)
Businesses are struggling to balance security and end-user experience - Help Net Security
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Threat Briefing 25 February 2022
Black Arrow Cyber Threat Briefing 25 February 2022
-Britain Warns of Cyber Attacks as Russia-Ukraine Crisis Escalates
-Ransomware Extortion Doesn't Stop After Paying The Ransom
-Ukraine Calls For Volunteer Hackers To Protect Its Critical Infrastructure And Spy On Russian Forces
-Study: UK Firms Most Likely To Pay Ransomware Hackers
-Conti Ransomware Group Announces Support of Russia, Threatens Retaliatory Attacks
-91% of UK Organisations Compromised by an Email Phishing Attack in 2021
-Almost 100,000 New Mobile Banking Trojan Strains Detected In 2021
-Anonymous Collective Has Hacked The Russian Defence Ministry And Leaked The Data Of Its Employees In Response To The Ukraine Invasion
-Email Remains Go-To Method for Cyber Attacks, Phishing Research Report Finds
-The Future of Cyber Insurance
-Businesses Are at Significant Risk of Cyber Security Breaches Due to Immature Security Hygiene and Posture Management Practices
-Microsoft Teams Is The New Frontier For Phishing Attacks
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
Britain Warns of Cyber Attacks as Russia-Ukraine Crisis Escalates
Britain warned of potential cyber attacks with "international consequences" this week after Russian President Vladimir Puitin ordered troops to two breakaway regions in eastern Ukraine.
Britain's National Cyber Security Centre (NCSC), a part of the GCHQ eavesdropping intelligence agency, called on British organisations to "bolster their online defences" following the developments.
"While the NCSC is not aware of any current specific threats to UK organisations in relation to events in and around Ukraine, there has been an historical pattern of cyber attacks on Ukraine with international consequences," it said in a statement.
Last week, Ukranian banking and government websites were briefly knocked offline by a spate of distributed denial of service (DDoS) attacks which the United States and Britain said were carried out by Russian military hackers.
Ransomware Extortion Doesn't Stop After Paying The Ransom
A global survey that looked into the experience of ransomware victims highlights the lack of trustworthiness of ransomware actors, as in most cases of paying the ransom, the extortion simply continues.
This is not a surprising or new discovery, but when seeing it reflected in actual statistics, one can appreciate the scale of the problem in full.
The survey was conducted by cyber security specialist Venafi, and the most important findings that emerge from the respondents are the following:
18% of victims who paid the ransom still had their data exposed on the dark web.
8% refused to pay the ransom, and the attackers tried to extort their customers.
35% of victims paid the ransom but were still unable to retrieve their data.
As for the ransomware actor extortion tactics, these are summarized as follows:
83% of all successful ransomware attacks featured double and triple extortion.
38% of ransomware attacks threatened to use stolen data to extort customers.
35% of ransomware attacks threatened to expose stolen data on the dark web.
32% of attacks threatened to directly inform the victim's customers of the data breach incident.
Ukraine Calls For Volunteer Hackers To Protect Its Critical Infrastructure And Spy On Russian Forces
The government of Ukraine is calling on the hacking community to volunteer its expertise and capabilities, following the invasion of the country by Russian forces.
Reuters reports that Yegor Aushev, the CEO of Kyiv-based Cyber Unit Technologies which has worked with Ukraine's government on the defence of critical infrastructure, claims to have been asked to post a digital call-to-arms after being asked by "a senior Defence Ministry official."
The message, which was posted on hacking forums by Aushev on Thursday, begins "Ukrainian cybercommunity! It’s time to get involved in the cyber defense of our country," and calls for cybersecurity experts and hackers to apply as a volunteer via a Google Docs link. The page volunteers are directed to asks applicants to list their specialities, such as if they have developed malware, and professional references.
According to Aushev, volunteers will be divided into two groups - tasked with offensive and defensive cyber operations.
Study: UK Firms Most Likely To Pay Ransomware Hackers
Some 82% of British firms which have been victims of ransomware attacks paid the hackers in order to get back their data, a new report suggests.
The global average was 58%, making the UK the most likely country to pay cyber-criminals.
Security firm Proofpoint's research also found that more than three-quarters of UK businesses were affected by ransomware in 2021.
Phishing attacks remain the key way criminals access networks, it found.
Phishing happens when someone in a firm is lured into clicking on a link in an email that contains malware, which in turn can help cyber-criminals access company networks.
https://www.bbc.co.uk/news/business-60478725
Conti Ransomware Group Announces Support of Russia, Threatens Retaliatory Attacks
An infamous ransomware group with potential ties to Russian intelligence and known for attacking health care providers and hundreds of other targets posted a warning Friday saying it was “officially announcing a full support of Russian government.”
The gang said that it would use “all possible resources to strike back at the critical infrastructures” of any entity that organises a cyberattack “or any war activities against Russia.” The message appeared Friday on the dark-web site used by ransomware group Conti to post threats and its victims’ data. Security researchers believe the gang to be Russia-based.
Conti ransomware was part of more than 400 attacks against mostly U.S. targets between spring 2020 and spring 2021, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and the FBI reported in September.
https://www.cyberscoop.com/conti-ransomware-russia-ukraine-critical-infrastructure/
91% of UK Organisations Compromised by an Email Phishing Attack in 2021
More than nine in 10 (91%) UK organizations were successfully compromised by an email phishing attack last year, according to Proofpoint’s 2022 State of the Phish report.
The study observed a significant rise in email-based attacks globally in 2021 compared to 2020. Over three-quarters (78%) of organizations were targeted by email-based ransomware attacks last year and 77% faced business email compromise (BEC) attacks, the latter an 18% year-on-year increase from 2020.
The survey of 600 information and IT security professionals and 3500 workers in the US, Australia, France, Germany, Japan, Spain and the UK also found that attacks in 2021 were more likely to be successful than in 2020. More than four in five (83%) respondents said their organization experienced at least one successful email-based phishing attack last year, up from 57% in 2020. In addition, 68% of organizations admitted they had to deal with at least one ransomware infection stemming from a direct email payload, second-stage malware delivery or other exploit.
Worryingly, 60% of organizations infected with ransomware admitted to paying a ransom, with around a third (32%) paying additional sums to regain access to data and systems.
https://www.infosecurity-magazine.com/news/uk-organizations-email-phishing/
Almost 100,000 New Mobile Banking Trojan Strains Detected In 2021
Researchers have found almost 100,000 new variants of mobile banking Trojans in just a year.
As our digital lives have begun to centre more on handsets rather than just desktop PCs, many malware developers have shifted part of their focus to the creation of mobile threats.
Many of the traditional infection routes are still workable -- including phishing and the download and execution of suspicious software -- but cyber attackers are also known to infiltrate official app stores, including Google Play, to lure handset owners into downloading software that appears to be trustworthy.
This technique is often associated with the distribution of Remote Access Trojans (RATs). While Google maintains security barriers to stop malicious apps from being hosted in its store, there are methods to circumvent these controls quietly.
https://www.zdnet.com/article/almost-100000-new-mobile-banking-trojans-detected-in-2021/
Anonymous Collective Has Hacked The Russian Defence Ministry And Leaked The Data Of Its Employees In Response To The Ukraine Invasion
A few hours after the Anonymous collective has called to action against Russia following the illegitimate invasion of Ukraine its members have taken down the website of the Russian propaganda station RT News and news of the day is the attack against the servers of the Russian Defense Ministry.
“Anonymous, a group of hacktivists, successfully hacked and leaked the database of the website of the Ministry of Defense of Russia.” reported the Pravda agency.
The website of the Kremlin (Kremlin.ru) is also unreachable, but it is unclear if it is the result of the Anonymous attack or if the government has taken offline it to prevent disruptive attacks.
The Russian Government’s portal, and the websites of other ministries are running very slow.
The collective is also threatening the Russian Federation and private organizations of attacks, it is a retaliation against Putin’s tyranny.
Anonymous pointed out that it is not targeting Russian citizens, but only their government.
“We want the Russian people to understand that we know it’s hard for them to speak out against their dictator for fear of reprisals.”
https://securityaffairs.co/wordpress/128428/hacking/anonymous-russian-defense-ministry.html
Email Remains Go-To Method for Cyber Attacks, Phishing Research Report Finds
If you don’t know what it is, if you can’t identify it and if you can’t make sure you don’t topple into its traps, then you can’t fight it, suggests a new report by security provider Proofpoint in its eighth annual State of the Phish report.
The “it” is email-based malware attacks, the kingpin of all hacking methods, that victims often fall for out of a lack of awareness, inadequate training or risky behaviours, such as using a company mobile device for home use.
Proofpoint’s report takes an in-depth look at user phishing awareness, vulnerability and resilience and comes away with some startling numbers: More than three-quarters of organizations associated with the 4,100 IT security professionals and staffers in the worldwide study were hit by email-based ransomware attacks in 2021 and an equal number were victimized by business email compromise attacks, an 18 percent spike from 2020.
What explains the year-over-year climb? Answer: Cyber criminals continue to focus on compromising people, not necessarily systems, Proofpoint said. Email remains cyber criminals’ go-to attack strategy, said Alan Lefort, Proofpoint security awareness training senior vice president and general manager. “Infosec and IT survey participants experienced an increase in targeted attacks in 2021 compared to 2020, yet our analysis showed the recognition of key security terminology such as phishing, malware, smishing (text-based ruse), and vishing (telephone trickery) dropped significantly,” said Lefort. “The awareness gaps and lax security behaviors demonstrated by workers creates substantial risk for organizations and their bottom line.”
The Future of Cyber Insurance
In 2016, just 26% of insurance clients had cyber coverage. That number rose to 47% in 2020, according to a US Government Accountability Office (GAO) report. But the demand for cyber coverage isn't the only thing soaring.
At the end of 2020, insurance prices jumped anywhere from 10% to 30%. In the third quarter of 2021, the average cost of cyber insurance premiums climbed a record 27.6%.
If the rates continue to rise, companies might decide it's not worth the cost. That is, if insurers continue to cover their industry.
https://www.darkreading.com/risk/the-future-of-cyber-insurance
Businesses Are at Significant Risk of Cyber Security Breaches Due to Immature Security Hygiene and Posture Management Practices
Enterprise Strategy Group (ESG), a leading IT analyst, research, and strategy firm, and a division of TechTarget, Inc., today announced new research into security hygiene and posture management – a foundational part of a strong security program. The study reveals that many aspects of cyber security are managed independently and with antiquated tools, leaving organisations with limited visibility and weak defenses against an ever-evolving threat landscape. Since strong cybersecurity starts with the basics, like knowing about all IT assets deployed, this situation makes organisations vulnerable to advanced threats among strategic, yet often hurried, cloud and digital transformation initiatives.
The new report, Security Hygiene and Posture Management, summarizes a survey of 398 IT and cyber security professionals responsible for evaluating, purchasing, and utilizing products and services for security hygiene and posture management, including vulnerability management, asset management, attack surface management, and security testing tools. The data reveals that organisations must aim to further assess security posture management processes, examine vendor risk management requirements, and test security tool and processes more frequently.
Microsoft Teams Is The New Frontier For Phishing Attacks
Even with email-based phishing attacks proving to be more successful than ever, cyberattackers are ramping up their efforts to target employees on additional platforms, such as Microsoft Teams and Slack.
One advantage is that in those applications, most employees still assume that they’re actually talking to their boss or coworker when they receive a message.
“The scary part is that we trust these programs implicitly — unlike our email inboxes, where we’ve learned to be suspicious of messages where we don’t recognize the sender’s address,” said anti-fraud technology firm Outseer.
Notably, traditional phishing has seen no slowdown: Proofpoint reported that 83% of organizations experienced a successful email-based phishing attack in 2021 — a massive jump from 57% in 2020. And outside of email, SMS attacks (smishing) and voice-based attacks (vishing) both grew in 2021, as well, according to the email security vendor.
However, it appears that attackers now view widely used collaboration platforms, such as Microsoft Teams and Slack, as another growing opportunity for targeting workers, security researchers and executives say. For some threat actors, it’s also a chance to leverage the additional capabilities of collaboration apps as part of the trickery.
https://venturebeat.com/2022/02/23/microsoft-teams-is-the-new-frontier-for-phishing-attacks/
Threats
Ransomware
Russia-Based Ransomware Group Conti Issues Warning To Kremlin Foes | Reuters
Conti Ransomware 'Acquires' TrickBot as It Thrives Amid Crackdowns | SecurityWeek.Com
Ransomware Is Top Attack Vector On Critical Infrastructure | CSO Online
TrickBot Malware Operation Shuts Down, Devs Move To Stealthier Malware (bleepingcomputer.com)
Microsoft Exchange Servers Hacked To Deploy Cuba Ransomware (bleepingcomputer.com)
Attackers Used Dridex To Deliver Entropy Ransomware, Code Resemblance Uncovered - Help Net Security
Expeditors Shuts Down Global Operations After Likely Ransomware Attack (bleepingcomputer.com)
Chipmaker Giant Nvidia Hit By A Ransomware Attack - Security Affairs
Backups ‘No Longer Effective’ For Stopping Ransomware Attacks (computerweekly.com)
BEC – Business Email Compromise
Phishing & Email
Cyber Attackers Leverage DocuSign to Steal Microsoft Outlook Logins | Threatpost
New Phishing Campaign Targets Monzo Online-Banking Customers (bleepingcomputer.com)
Devious Phishing Method Bypasses MFA Using Remote Access Software (bleepingcomputer.com)
Other Social Engineering
Malware
Over 2.7 Million Cases Of Emotet Malware Detected Globally - Japan Today
Jester Stealer Malware Adds More Capabilities To Entice Hackers (bleepingcomputer.com)
Beware: New Kraken Botnet Easily Fools Windows Defender And Steals Crypto Wallet Data - Neowin
Threat Actors Target Poorly Protected Microsoft SQL Servers - Security Affairs
New Golang Botnet Empties Windows Users’ Cryptocurrency Wallets (bleepingcomputer.com)
Revamped CryptBot Malware Spread By Pirated Software Sites (bleepingcomputer.com)
Social Media Hijacking Malware Spreading Through Gaming Apps on Microsoft Store (thehackernews.com)
Mobile
New Xenomorph Android Malware Targets Customers Of 56 Banks (bleepingcomputer.com)
Gaming, Banking Trojans Dominate Mobile Malware Scene | Threatpost
Samsung Shipped '100m' Android Phones With Flawed Encryption • The Register
Data Breaches/Leaks
Organised Crime & Criminal Actors
Police Dismantled Gang That Used Phishing Sites To Steal Credit Cards - Security Affairs
Nigerian Hacker Pleads Guilty To Stealing Payroll Deposits (bleepingcomputer.com)
Cryptocurrency/Cryptomining/Cryptojacking
Insider Risk and Insider Threats
Employees Are Often Using Devices In Seriously Risky Ways - Help Net Security
Insider Threats Are More Than Just Malicious Employees (darkreading.com)
83% Of Employees Continue Accessing Old Employer's Accounts - Help Net Security
Motorola Case Shows Importance Of Detecting Insider IP Theft Quickly | CSO Online
Fraud, Scams & Financial Crime
Think You Couldn't Be Duped By a Con Artist? Think Again | Psychology Today
French Speakers Blasted By Sextortion Scams With No Text Or Links – Naked Security (sophos.com)
Digital Ad Fraud Set to Hit $68bn in 2022 - Infosecurity Magazine
Supply Chain
Nation State Actors
Russia-Backed Hackers Behind Powerful New Malware, UK and US Say | Russia | The Guardian
Ransomware Used as Decoy in Destructive Cyber Attacks on Ukraine | SecurityWeek.Com
Data Wiper Attacks On Ukraine Were Planned At Least In November - Security Affairs
Russia’s Sandworm Hackers Have Built a Botnet of Firewalls | WIRED
China-linked APT10 Target Taiwan's Financial Trading Industry - Security Affairs
US and UK Details a New Python Backdoor Used by MuddyWater APT - Security Affairs
Privacy
Spyware, Espionage & Cyber Warfare
Sector Specific
Financial Services Sector
Defence
Health/Medical/Pharma Sector
Construction
Reports Published in the Last Week
Other News
War in Ukraine Risks Scrambling the Logic of Cyber Security | Financial Times (ft.com)
Russia-Ukraine War: Phishing, Malware and Hacker Groups Taking Sides (thehackernews.com)
22 Very Bad Stats On The Growth Of Phishing, Ransomware | VentureBeat
Data Leaks And Shadow Assets Greatly Exposing Organisations To Cyber Attacks - Help Net Security
50% of Websites Vulnerable to Hacking All Year in 2021, New Report Says - MSSP Alert
Is Multifactor Authentication Less Effective Than It Used To Be? (slate.com)
How To Keep Pace With Rising Data Protection Demands - Help Net Security
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Threat Briefing 03 December 2021
Black Arrow Cyber Threat Briefing 03 December 2021
-Double Extortion Ransomware Victims Soar 935%
-MI6 Boss: Digital Attack Surface Growing "Exponentially"
-How Phishing Kits Are Enabling A New Legion Of Pro Phishers
-Crooks Are Selling Access To Hacked Networks. Ransomware Gangs Are Their Biggest Customers
-Omicron Phishing Scam Already Spotted in UK
-Phishing Remains the Most Common Cause of Data Breaches, Survey Says
-Ransomware Victims Increase Security Budgets Due To Surge In Attacks
-Control Failures Are Behind A Growing Number Of Cyber Security Incidents
-MI6 Spy Chief Says China, Russia, Iran Top UK Threat List
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
Double Extortion Ransomware Victims Soar 935%
Researchers have recorded a 935% year-on-year increase in double extortion attacks, with data from over 2300 companies posted onto ransomware extortion sites.
Group-IB’s Hi-Tech Crime Trends 2021/2022 report covers the period from the second half of 2020 to the first half of 2021.
During that time, an “unholy alliance” of initial access brokers and ransomware-as-a-service (RaaS) affiliate programs has led to a surge in breaches, it claimed.
In total, the number of breach victims on ransomware data leak sites surged from 229 in the previous reporting period to 2371, Group-IB noted. During the same period, the number of leak sites more than doubled to 28, and the number of RaaS affiliates increased 19%, with 21 new groups discovered.
Group-IB warned that, even if victim organisations pay the ransom, their data often end up on these sites.
https://www.infosecurity-magazine.com/news/double-extortion-ransomware-soar/
MI6 Boss: Digital Attack Surface Growing "Exponentially"
Head of the Secret Intelligence Service (SIS), Richard Moore, explained in a rare speech this week that, unlike the character Q from the James Bond films, even MI6 cannot source all of its tech capabilities in-house.
New partners and tech capabilities will help address MI6’s four key priorities: Russia, China, Iran and global terrorism. It’s a challenge made more acute as technology rapidly advances, he said.
“The ‘digital attack surface’ that criminals, terrorists and hostile states threats seek to exploit against us is growing exponentially. We may experience more technological progress in the next ten years than in the last century, with a disruptive impact equal to the industrial revolution,” Moore argued.
https://www.infosecurity-magazine.com/news/mi6-digital-attack-surface-growing/
How Phishing Kits Are Enabling A New Legion Of Pro Phishers
Some cybercriminals are motivated by political ideals, others by malice or mischief, but most are only interested in cold, hard cash. To ensure their criminal endeavours are profitable, they need to balance the potential payday against the time, resources and risk required.
It’s no wonder then that so many use phishing as their default attack method. Malicious emails can be used to reach many targets with relative ease, and criminals can purchase ready-made phishing kits that bundle together everything they need for a lucrative campaign.
https://www.helpnetsecurity.com/2021/12/02/phishing-kits-pro/
Crooks Are Selling Access To Hacked Networks. Ransomware Gangs Are Their Biggest Customers
Dark web forum posts offering compromised VPN, RDP credentials and other ways into networks have tripled in the last year.
There's been a surge in cyber criminals selling access to compromised corporate networks as hackers look to cash in on the demand for vulnerable networks from gangs looking to initiate ransomware attacks.
Researchers at cybersecurity company Group-IB analysed activity on underground forums and said there's been a sharp increase in the number of offers to sell access to compromised corporate networks, with the number of posts offering access tripling between 2020 and 2021
Omicron Phishing Scam Already Spotted in UK
The global pandemic has provided cover for all sorts of phishing scams over the past couple of years, and the rise in alarm over the spread of the latest COVID-19 variant, Omicron, is no exception.
As public health professionals across the globe grapple with what they fear could be an even more dangerous COVID-19 variant than Delta, threat actors have grabbed the opportunity to turn uncertainty into cash.
UK consumer watchdog “Which?” has raised the alarm that a new phishing scam, doctored up to look like official communications from the National Health Service (NHS), is targeting people with fraud offers for free PCR tests for the COVID-19 Omicron variant
https://threatpost.com/omicron-phishing-scam-uk/176771/
Phishing Remains the Most Common Cause of Data Breaches, Survey Says
Phishing, malware, and denial-of-service attacks remained the most common causes for data breaches in 2021. Data from Dark Reading’s latest Strategic Security Survey shows that more companies experienced a data breach over the past year due to phishing than any other cause. The percentage of organisations reporting a phishing-related breach is slightly higher in the 2021 survey (53%) than in the 2020 survey (51%). The survey found that malware was the second biggest cause of data breaches over the past year, as 41% of the respondents said they experienced a data breach where malware was the primary vector.
Ransomware Victims Increase Security Budgets Due To Surge In Attacks
As the end of 2021 approaches, there’s no doubt ransomware became a top cybersecurity concern across multiple industries. Successful ransomware attacks like the Colonial Pipeline, which took down critical US infrastructure, and Kaseya, which hit over 1,500 companies in a single attack, became a popular topic in the news.
Research conducted by Cymulate, however, shows that despite the increase in the number of attacks this past year, overall victims suffered limited damage in both severity and duration. Potential victims have improved their level of preparedness, with 70% reporting an increase of awareness at the boardroom and business management level. The majority (55%) undertook proactive measures to prevent ransomware attacks before they could cause any significant damage, and many of those respondents (38%) prevented attacks even before they could cause any serious downtime. Only 14% of respondents that experienced an attack were down for a week or more.
Control Failures Are Behind A Growing Number Of Cyber Security Incidents
Data from a survey of 1,200 enterprise security leaders reveals that an increase in tools and manual reporting combined with control failures are contributing to the success of threats such as ransomware, which costs organisations an average of $1.85 million in recovery, according to Panaseer.
Currently, only 36% of security leaders feel very confident in their ability to prove controls were working as intended. This is despite 99% of respondents believing it’s valuable to know that all controls are fully deployed and operating within policy, and cybersecurity control failures are currently being listed as the top emerging risk in the latest Gartner Emerging Risks Monitor Report. Attacks only succeed when they hit systems that haven’t been patched or don’t have security controls monitoring them.
https://www.helpnetsecurity.com/2021/12/01/control-failures-cybersecurity/
MI6 Spy Chief Says China, Russia, Iran Top UK Threat List
China, Russia and Iran pose three of the biggest threats to the U.K. in a fast-changing, unstable world, the head of Britain’s foreign intelligence agency said Tuesday.
MI6 chief Richard Moore said the three countries and international terrorism make up the “big four” security issues confronting Britain’s spies.
In his first public speech since becoming head of the Secret Intelligence Service, also known as MI6, in October 2020, Moore said China is the intelligence agency’s “single greatest priority” as the country’s leadership increasingly backs “bold and decisive action” to further its interests.
Calling China “an authoritarian state with different values than ours,” he said Beijing conducts “large-scale espionage operations” against the U.K. and its allies, tries to ”distort public discourse and political decision-making” and exports technology that enables a “web of authoritarian control” around the world.
Moore said the U.K. also continues “to face an acute threat from Russia.” He said Moscow has sponsored killing attempts, such as the poisoning of former spy Sergei Skripal in England in 2018, mounts cyber attacks and attempts to interfere in other countries’ democratic processes.
https://www.securityweek.com/mi6-spy-chief-says-china-russia-iran-top-uk-threat-list
Threats
Ransomware
Microsoft Exchange Servers Hacked To Deploy BlackByte Ransomware (Bleepingcomputer.Com)
New Ransomware Variant Could Become Next Big Threat (darkreading.com)
Yanluowang Ransomware Tied to Thieflock Threat Actor | Threatpost
Yanluowang Ransomware Operation Matures With Experienced Affiliates (Bleepingcomputer.Com)
Ransomware Attack On Planned Parenthood Exposes 400,000 Patients' Personal Data - CNN
Phishing
APT Groups Adopt New Phishing Method. Will Cybercriminals Follow? (darkreading.com)
Hackers Increasingly Using RTF Template Injection Technique in Phishing Attacks (thehackernews.com)
Malware
Emotet Now Spreads Via Fake Adobe Windows App Installer Packages (Bleepingcomputer.Com)
New Malvertising Campaigns Spreading Backdoors, Malicious Chrome Extensions (thehackernews.com)
Password-Stealing And Keylogging Malware Is Being Spread Through Fake Downloads | ZDNet
Malware Variants In 2021: Harder To Detect And Respond To - Help Net Security
Mobile
Surge Of Info-Stealing Android Malware FluBot Detected Again • The Register
Fake Support Agents Call Victims To Install Android Banking Malware (Bleepingcomputer.Com)
Multi-Platform Spyware Tracks Users Across Windows And Android | Techradar
IOT
Vulnerabilities
Pretty Much All Wi-Fi Routers Are Vulnerable To Attack, Study Finds | Techradar
Warning: Yet Another Zoho ManageEngine Product Found Under Active Attacks (thehackernews.com)
New Ubuntu Linux Kernel Security Patches Address 6 Vulnerabilities, Update Now - 9to5Linux
Netgear Router Vulnerabilities Affecting SME Products Fixed • The Register
Data Breaches/Leaks
UK Government Fined £500,000 For New Year Honours Data Breach - BBC News
Panasonic Discloses Four-Months-Long Data Breach - The Record By Recorded Future
Organised Crime & Criminal Actors
Cryptocurrency/Cryptojacking
Iranians Charged for Cryptojacking After U.S. Firm Gets $760,000 Cloud Bill | SecurityWeek.Com
Threat Actors Stole $120 M In Crypto From BadgerDAO DeFi Platform - Security Affairs
Vulnerabilities Exploited for Monero Mining Malware Delivered via GitHub, Netlify (trendmicro.com)
How Do Criminals Exploit Cryptocurrencies? | Financial Times (ft.com)
Insider Threats
Fraud & Financial Crime
Insurance
Lloyd’s Carves Out Cyber-Insurance Exclusions for State-Sponsored Attacks | Threatpost
Cyber War Victims Might Not Get Payouts – Insurer • The Register
OT, ICS, IIoT and SCADA
Nation State Actors
MI6 Spy Chief Says China, Russia, Iran Top UK Threat List | SecurityWeek.Com
Lloyd’s Carves Out Cyber-Insurance Exclusions for State-Sponsored Attacks | Threatpost
Jumping The Air Gap: 15 Years Of Nation‑State Effort | WeLiveSecurity
Israel and Iran Broaden Cyberwar to Attack Civilian Targets - The New York Times (nytimes.com)
North Korea-Linked Zinc APT Posed As Samsung Recruiters To Target Security Firms - Security Affairs
Cloud
Parental Controls
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.