Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

Majority of 2023’s Critical Cyber Attacks Stemmed from Fewer Than 1% of Vulnerabilities, with 1 in 4 High Risk Vulnerabilities Exploited Within 24 Hours of Going Public

A new Qualys report reveals that less than 1% of vulnerabilities are responsible for the greatest damage, and a quarter of high-risk vulnerabilities are now being exploited within a day of disclosure. In 2023, a record-breaking 26,000 vulnerabilities have been identified so far, emphasising the need for organisations to accelerate their response times. High-risk vulnerabilities, particularly in network devices and web applications, are the main targets for attackers seeking unauthorised access or privilege escalation. This situation underscores the critical need for organisations to implement a multi-layered defence strategy, automate patching where appropriate especially in areas of critical infrastructure, and adopt zero-trust principles to safeguard against such swift and potent cyber threats.

Sources: [SiliconANGLE] [SC Media]

Ransomware Gangs Are Increasingly Turning to Remote Access Tools for Attacks, As UK Honeypots Attacked 17 million Times Per Day

Nearly three quarters of cyber-attacks across the UK in 2023 targeted technology frequently used for remote working, new data from Coalition has revealed.

Attackers frequently target Remote Desktop Protocol (RDP), a tool that lets users access office computers from home, as it grants the attacker quick access to devices and allows them to execute further attacks.

Honeypot sensors maintained by Coalition have recorded 5.8 billion attacks so far in 2023, averaging around 17 million attacks per day. Of these it was found that 76% of attacks targeted RDP.

Attackers exploit RDP vulnerabilities that often stem from simple configuration mistakes. By taking steps like disabling unnecessary remote access or tightening controls, companies can help shield themselves from these pervasive threats.

Sources: [Insurance Times] [TechRadar] [Infosecurity Magazine]

Why Employees Are a Bigger Security Risk than Hackers

In today's interconnected world, the spotlight is often on cyber criminals attacking from outside, but a worrying trend points inward. A recent study by Imperva reveals that insiders pose a significant threat, being behind 58% of security incidents. The incidents are a mixture of deliberate misuse and accidents, however the majority of organisations lack a strategy to combat these risks. Even when strategies exist, they may be undermined by employees bypassing IT protocols or due to the pressures of adapting to new technologies. With insider incidents on the rise by 47% in two years, the costs are too great to ignore.

Source: [Raconteur]

77% of Financial Services Firms Detected a Cyber Attack in the Last Year, as Finance and Healthcare Continue to Suffer the Most Cyber Attacks

Cyber attacks are more prevalent in the financial services sector than in any other industry. Last year, 77% of financial institutions were targeted, primarily through phishing and ransomware attacks. After financial services the second most targeted sector is healthcare. Both types of institutions are attractive targets not only because of their wealth of sensitive data but also because disruptions to their operations can lead to substantial ransom payments. They face increasingly sophisticated threats and the financial impact is significant, with approximately a quarter of these institutions estimating damages of at least $50,000. To mitigate these risks organisations are turning to cyber insurance, which necessitates further tightening of security practices, including identity and access management, to meet insurers’ stringent standards.

The healthcare sector reported over 179,000 cyber attacks in a single quarter, affecting entities globally. The primary threats were infostealers and ransomware. There have been scores of notable incidents where hospitals have been shut down or otherwise unable to operate. In many cases, this resulted in closing emergency departments, interfering with planned or emergency surgeries and forcing ambulances to divert to other hospitals, potentially causing life threatening delays. Further, a recent report analysing the enterprise risk management for the financial sector found that the two biggest concerns were rising interest rates at 74% and ransomware attacks at 65%.

Sources: [Security Magazine] [MSSP Alert] [PR NewsWire] [Security Magazine]

New Report Data Shows 75% Increase in Suspicious Emails Hitting Inboxes

A new report has unveiled the escalating threat posed by phishing emails, as detected by DMARC software. In the past year, there's been a 70% rise in emails flagged as fraudulent, with almost 18% of total email traffic in the first half of 2023 being intercepted as potential phishing attempts. This surge underscores a pressing need for robust email security measures. Simple yet effective tools like DMARC, which automatically weeds out emails impersonating legitimate domains, are becoming critical in the fight against these sophisticated scams. With the average cost of a cyber attack now well into the millions, and given the high click rates on phishing emails, it is clear that taking proactive steps to strengthen an organisations digital defence is not just sensible, it is essential for safeguarding the businesses in the digital age.

Source: [Dark Reading]

Threat Actors Still Exploiting Old Unpatched Vulnerabilities

A report by Cisco has found that the most targeted vulnerabilities this year, same as previous years, were old unpatched vulnerabilities which should have been fixed a long time ago. Some of these security gaps in widely-used applications like Microsoft Office and or within versions of Windows itself are over a decade old. Unpatched vulnerabilities can leave systems open to exploitation, potentially leading to unauthorised access, data breaches, and widespread security incidents, including being a key enabler of ransomware attacks. This highlights an urgent call to action for organisations to patch known vulnerabilities and secure user accounts to fortify their defences against cyber threats.

Source: [IT Business]

Many Organisations Still Lack Formal Cyber Security Training

As we navigate into 2024, a new report by the SANS Institute found that more than 30% of organisations do not regularly perform cyber readiness exercises, while 40% have yet to establish formal training for cyber security. These findings underline a gap between the need for robust security measures and actual preparedness. On a positive note, most organisations are adopting frameworks like the NIST CSF to shape their security posture, and two-thirds are actively using metrics to gauge the effectiveness of their security operations. Yet, there’s a call to action here: for real progress, intentional investment and commitment to comprehensive training and stringent security operations are non-negotiable. This is the path to mature security operations that can withstand the complexities of today’s cyber threats.

Source: [Security Brief]

Addressing the Growing Threat of Supply Chain Cyber Attacks

As businesses become more interconnected through digital supply chains, supply chain cyber attacks are becoming more of a pressing issue for organisations. The attackers tend to exploit weaknesses in third-party suppliers, often with less guarded entry points, to access larger networks. With companies increasingly outsourcing and using cloud adoption, the need for stringent third-party cyber risk assessments is vital. However, complexities arise with the shared responsibility model for cloud security, where setting out the division of security duties between cloud service providers and clients can blur lines of defence. To tackle these challenges, integration of cyber security into procurement and supply chain processes is essential. This means enforcing collaboration between procurement and cyber security teams, mandating security standards in vendor contracts, and utilising automated tools for continuous risk assessments. Safeguarding modern supply chains is no longer a siloed task but a strategic, organisation wide imperative.

Source: [HackerNoon]

Cyber Incident Costs Surge 11% as Budgets Remain Muted

A new report found an 11% jump in the direct costs of a significant cyber incident, now averaging $1.7 million. The burden is even heavier for those without cyber insurance, with costs escalating to $2.7 million per incident. Cyber risks like fraud, third-party breaches, and data theft remain prevalent. Despite these increasing threats, cyber security budgets have grown modestly and are not keeping pace with the increased level of threat. The report also highlights a concerning gap in understanding cyber threats and a lack of internal training, emphasising the critical need for not just financial investment, but also a deeper engagement with cyber security training and awareness within organisations.

Source: [Infosecurity Magazine]

Attacks on Critical Infrastructure are Harbingers of War: Are We Prepared?

The escalating cyber threats against critical infrastructure, like recent attacks on water authorities, highlight an urgent security concern. These attacks, which are often state-sponsored, are not just targeting financial or data assets but are striking at essential services vital to human survival. The tactics used in these attacks, known as Intelligence Preparation of the Battlefield (IPB), are aimed at weakening a nation by disrupting services like power and water, key to both civil stability and military operations. Nations like Russia, China, and Iran employ these strategies for different purposes, ranging from strategic military advantages to ideological victories. The use of ransomware, as seen in the increasing incidents reported by the FBI, is a tool for both financial gain and geopolitical disruption. As we face these multifaceted threats, the need for robust cyber security measures to protect our critical infrastructure has never been more pressing. It is a call to action for nations and organisations alike to fortify their defences against these evolving and serious cyber threats.

Source: [SC Media]

UK Data Centres to be Classed as Critical Infrastructure Under New Gov Proposals

The UK government is considering new regulations aimed at enhancing the security and resilience of data centres. The Department for Science, Innovation and Technology (DSIT) recognises the vital role of these data hubs and is examining the adequacy of current safety practices. With the identification of varying levels of security across the sector, the prospect of legislating minimum security standards is on the table. This may include establishing a regulatory body to oversee incident reporting and risk mitigation strategies, particularly for third-party service providers. These measures underscore the government's commitment to safeguarding data centres, which are increasingly integral to the UK's economic vitality and national security. As part of a broader initiative, the sector could be designated as critical national infrastructure, aligning it with international best practices and ensuring comprehensive protection from cyber threats and other risks.

Source: [ITPro]

Data Exfiltration and Extortion is the New Ransomware Threat, as 65% of Organisations Say Ransomware Concerns Impact Risk Management

Cyber criminals are escalating their tactics and becoming more aggressive in their effort to maximise disruption and compel the payment of ransom demands. Earlier this year, the ransomware group ALPHV exploited the new US data breach disclosure rules by filing a complaint with the US Securities and Exchange Commission (SEC) against a victim company for not reporting an alleged significant data breach. This marks a strategic evolution from traditional ransomware attacks, where data is encrypted and held hostage, to more nuanced extortion schemes. Such tactics are becoming more sophisticated, with triple extortion attacks threatening not just the target company but also their partners and clients. This shift from encryption to pure extortion requires a fresh understanding of cyber threats and a re-evaluation of defence strategies. It highlights the urgent need for businesses to protect not just their own data but also to consider the security of their entire data supply chain.

Source: [TechCrunch]

Governance, Risk and Compliance

• Cyber Incident Costs Surge 11% as Budgets Remain Muted - Infosecurity Magazine (infosecurity-magazine.com)

• Three Tech Budget Implementations To Help Optimize Your Resources (forbes.com)

• New Report: 85% Firms Face Cyber Incidents, 11% From Shadow IT - Infosecurity Magazine (infosecurity-magazine.com)

• 65% of organisations say ransomware concerns impact risk management | Security Magazine

• Healthcare and Finance Suffer Most Cyber Attacks | MSSP Alert

• CFOs are under the gun as the SEC's new 4-day data breach disclosure window goes into effect | Fortune

• SEC vs SolarWinds: A cyber security game changer for CISOs (securitybrief.co.nz)

• 77% of financial organisations detected a cyber attack in the last year | Security Magazine

• Level of cyber security: the new key indicator of a company's performance | TechRadar

• Managing cyber security risk during challenging economic times (techinformed.com)

• Many organisations still lack formal IT security training in 2024 (securitybrief.co.nz)

• The year in cyber security: 6 stories to read from 2023 | World Economic Forum (weforum.org)

• After-Incident Reports Turn Breaches Into Security Blueprints (pymnts.com)

• What's the Best Way to Communicate After a Data Breach? (darkreading.com)

Threats

Ransomware, Extortion and Destructive Attacks

• Why extortion is the new ransomware threat | TechCrunch

• 65% of organisations say ransomware concerns impact risk management | Security Magazine

• FBI: ALPHV ransomware raked in $300 million from over 1,000 victims (bleepingcomputer.com)

• Ransomware attacks hit new record in November :: Insurance Day

• Ransomware attacks on the rise in the UK (itsecuritywire.com)

• UK at High Risk of ‘Catastrophic’ Cyber Attack Affecting Critical Infrastructure: Report (insurancejournal.com)

• Ransomware surges, despite aggressive defences | SC Media (scmagazine.com)

• BlackCat Strikes Back: Ransomware Gang “Unseizes” Website, Vows No Limits on Targets - Security Week

• A Major Ransomware Takedown Suffers a Strange Setback | WIRED

• Double-Extortion Play Ransomware Strikes 300 Organisations Worldwide (thehackernews.com)

• Ransomware trends and recovery strategies companies should know - Help Net Security

• Ransomware Attacks in November Rise 67% From 2022 (darkreading.com)

• 10 of the biggest ransomware attacks in 2023 | TechTarget

• BianLian, White Rabbit, and Mario Ransomware Gangs Spotted in a Joint Campaign (securityaffairs.com)

• ALPHV Second Most Prominent Ransomware Strain Before Reported Downtime - Infosecurity Magazine (infosecurity-magazine.com)

• CISA releases Play ransomware guidelines | Security Magazine

• US and Australia Warn of Play Ransomware Threat - Infosecurity Magazine (infosecurity-magazine.com)

• Devices (and ransomware) are everywhere: How endpoint security must adapt | SC Media (scmagazine.com)

• Behind the Scenes of Matveev's Ransomware Empire: Tactics and Team (thehackernews.com)

• Ransomware gangs are increasingly turning to remote encryption, and that's a huge problem | TechRadar

• FBI Develops Decryption Tool That Could Tackle Casino Attacks (sbcamericas.com)

Ransomware Victims

• Homebuyers stress as thousands of house purchases frozen by cyber attack - Property Industry Eye

• Ransomware gang behind threats to Fred Hutch cancer patients (bleepingcomputer.com)

• Delta Dental of California data breach exposed info of 7 million people (bleepingcomputer.com)

• Seattle cancer centre confirms cyber attack after ransomware gang threats (therecord.media)

• France International Schools Agency Impacted by Ransomware Hack - Bloomberg

• MOVEit Vulnerability Hits Delta Dental: 7 Million Records Exposed - Infosecurity Magazine (infosecurity-magazine.com)

• Cyber Attack Slams The North Face and Vans Owner, Shares Plunge - The Messenger

• Mr Cooper now says 15M people's data exposed in cyber attack • The Register

• MongoDB shares fall on cyber security incident By Investing.com

• 2.7M medical records exposed in double-extortion ransomware attack | SC Media (scmagazine.com)

• Nearly 3 million affected by ransomware attack on medical software firm (therecord.media)

• Title insurance giant First American offline after cyber attack (bleepingcomputer.com)

• St Vincent’s Health Australia says data stolen in cyber attack (yahoo.com)

• Kansas City-area hospital transfers patients, reschedules appointments after cyber attack (therecord.media)

• Ransomware cyber attack hits Milton Town School District (databreaches.net)

• The ransomware attack on Westpole is disrupting digital services for Italian public administration (securityaffairs.com)

Phishing & Email Based Attacks

• Generative AI is making phishing attacks more dangerous | TechTarget

• New DMARC Data Shows 75% Increase in Suspicious Emails Hitting Inboxes (darkreading.com)

• Anatomy of a Phishing Attack: How Hackers Trick You - Techopedia

• Qakbot is back and targets the Hospitality industry (securityaffairs.com)

• SMTP Smuggling Allows Spoofed Emails to Bypass Authentication Protocols - Security Week

• Fake F5 BIG-IP zero-day warning emails push data wipers (bleepingcomputer.com)

• New phishing attack steals your Instagram backup codes to bypass 2FA (bleepingcomputer.com)

• Cyber espionage group Cloud Atlas targets Russian companies with war-related phishing attacks (therecord.media)

Artificial Intelligence

• Generative AI is making phishing attacks more dangerous | TechTarget

• AI’s efficacy is constrained in cyber security, but limitless in cyber crime - Help Net Security

• 'Unintended harms' of generative AI are national security risk to UK (techmonitor.ai)

• Unequal Risk, Unequal Reward: How Gen AI disproportionately harms countries (ox.ac.uk)

• Anonymous Sudan hacking group pledges to keep targeting OpenAI's ChatGPT (axios.com)

• Security Researchers: ChatGPT Vulnerability Allows Training Data to be Accessed by Telling Chatbot to Endlessly Repeat a Word - CPO Magazine

• AI in Cyber Security: It's All About Being Aware (inforisktoday.com)

• How AI is weaponized for cyber attacks (betanews.com)

• Why 'dark AI' is a top cyber security concern for 2024 | Pension Times

• The cyber security arms race: AI vs. AI | TechRadar

• How AI Is Shaping the Future of Cyber Crime (darkreading.com)

• 4 ways CISOs can manage AI use in the enterprise | CIO

2FA/MFA

• New phishing attack steals your Instagram backup codes to bypass 2FA (bleepingcomputer.com)

Malware

• New KV-Botnet Targeting Cisco, DrayTek, and Fortinet Devices for Stealthy Attacks (thehackernews.com)

• Rhadamanthys Malware: Swiss Army Knife of Information Stealers Emerges (thehackernews.com)

• Hackers Exploiting Old MS Excel Vulnerability to Spread Agent Tesla Malware (thehackernews.com)

• Windows and macOS targeted by new Go-based malware | TechRadar

• QNAP VioStor NVR vulnerability actively exploited by malware botnet (bleepingcomputer.com)

• Over 10K downloads amassed by malicious PyPi packages | SC Media (scmagazine.com)

• Info stealers and how to protect against them (securityaffairs.com)

• 8220 Gang Exploiting Oracle WebLogic Server Vulnerability to Spread Malware (thehackernews.com)

• Qakbot is back and targets the Hospitality industry (securityaffairs.com)

• Qakbot Sightings Confirm Law Enforcement Takedown Was Only a Setback (darkreading.com)

• Hospitality Industry Faces New Password-Stealing Malware - Infosecurity Magazine (infosecurity-magazine.com)

• Cyber criminals target hotel staff for management credentials • The Register

• BattleRoyal Cluster Signals DarkGate Surge - Infosecurity Magazine (infosecurity-magazine.com)

• Scam 'missed parcel' SMS messages: advice on avoiding malware - NCSC.GOV.UK

• 3 Ways to Use Real-Time Intelligence to Defeat Bots (darkreading.com)

• Microsoft: Hackers target defence firms with new FalseFont malware (bleepingcomputer.com)

• Hospitality sector subjected to new malware attacks | SC Media (scmagazine.com)

Mobile

• iOS 17.2 update puts an end to Flipper Zero's iPhone shenanigans | ZDNET

• The 5G risk: How to protect your smartphone from emerging security threats - PhoneArena

• Apple rolls out iOS 17.2.1 with bugfixes and minor improvements - Neowin

• What is spyware and what can you do to stay protected? - Amnesty International

• NSO Group May Be On Its Way Out But There’s No Shortage Of Competitors To Take Its Place | Techdirt

• Suspects can refuse to provide phone passcodes to police, court rules | Ars Technica

Internet of Things – IoT

• IoT security strategy: an arms race for businesses | ITPro

• Porsche To Kill ICE-Powered Macan In Europe Over Cyber Security Laws | Carscoops

• Cyber security and car thefts: how are car makers responding? | CAR Magazine

• Marketer sparks panic with claims it uses smart devices to eavesdrop on people | Ars Technica

• Marketing firm admits it listens to conversations to sell targeted ads (searchengineland.com)

Data Breaches/Leaks

• Data of over a million users of the crypto exchange GokuMarket exposed (securityaffairs.com)

• MongoDB says customer data was exposed in a cyber attack (bleepingcomputer.com)

• Mr Cooper now says 15M people's data exposed in cyber attack • The Register

• Wolverine-developer Insomniac Games sees 1.67TB of secrets leaked in data breach | Ars Technica

• Everything Hackers Just Revealed in Sony Insomniac Games Leak (tech.co)

• Comcast says hackers stole data of close to 36 million Xfinity customers | TechCrunch

• BMW dealer at risk of takeover by cyber criminals - Security Affairs

• Celebrities Found in Unprotected Real Estate Database Exposing 1.5 Billion Records - Security Week

• Data leak exposes users of car-sharing service Blink Mobility (securityaffairs.com)

• Hacked security cam footage from bedrooms, dressing rooms, spas found to be on sale on Telegram group - NotebookCheck.net News

Organised Crime & Criminal Actors

• Ex-Amazon engineer pleads guilty to hacking crypto exchanges (bleepingcomputer.com)

• How Microsoft’s cyber crime unit has evolved to combat increased threats | Ars Technica

• Gang charged with running $80 million "pig butchering" cryptocurrency investment scam (bitdefender.com)

• Microsoft’s Digital Crime Unit Goes Deep on How It Disrupts Cyber Crime | WIRED

• German police takes down Kingdom Market cyber crime marketplace (bleepingcomputer.com)

• INTERPOL celebrates huge cyber crime Christmas present (emergingrisks.co.uk)

• Law enforcement Operation HAECHI IV led to the seizure of $300 Million (securityaffairs.com)

• Two arrested as police investigate Birmingham dark web drugs trade - Birmingham Live (birminghammail.co.uk)

• NSA Blocked 10 Billion Connections to Malicious and Suspicious Domains - Security Week

• BattleRoyal Cluster Signals DarkGate Surge - Infosecurity Magazine (infosecurity-magazine.com)

• Intelligence Researchers to Study Computer Code for Clues to Hackers’ Identities - WSJ

• Dark web marketplace Kingdom Market dismantled | SC Media (scmagazine.com)

• Lapsus$ teen sentenced to indefinite detention in hospital • The Register

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

• Data of over a million users of the crypto exchange GokuMarket exposed (securityaffairs.com)

• Ex-Amazon engineer pleads guilty to hacking crypto exchanges (bleepingcomputer.com)

• Gang charged with running $80 million "pig butchering" cryptocurrency investment scam (bitdefender.com)

• DeFi’s billion-dollar secret: The insiders responsible for hacks – Cointelegraph Magazine

• Crypto scammers abuse Twitter ‘feature’ to impersonate high-profile accounts (bleepingcomputer.com)

• Crypto drainer steals $59 million from 63k people in Twitter ad push (bleepingcomputer.com)

Insider Risk and Insider Threats

• Insider threats: why employees are a bigger risk than hackers (raconteur.net)

• Former IT manager pleads guilty to attacking high school network (bleepingcomputer.com)

• DeFi’s billion-dollar secret: The insiders responsible for hacks – Cointelegraph Magazine

Insurance

• Mandatory protections, higher premiums and continued growth -- cyber insurance predictions for 2024 (betanews.com)

• Uninsured firms incur 69% higher cyber incident costs - CIR Magazine

Supply Chain and Third Parties

• What is supply chain risk management (SCRM)? | Definition by TechTarget

• Addressing the Growing Threat of Supply Chain Cyber Attacks | HackerNoon

• Homebuyers stress as thousands of house purchases frozen by cyber attack - Property Industry Eye

• Supply chain emerges as major vector in escalating automotive cyber attacks - Help Net Security

• Adapting to the Post-SolarWinds Era: Supply Chain Security in 2024 (darkreading.com)

Cloud/SaaS

• Most cloud transformations are stuck in the middle - Help Net Security

• IoT security strategy: an arms race for businesses | ITPro

• Millions of Microsoft Accounts Power Lattice of Automated Cyber Attacks (darkreading.com)

• Box cloud storage down amid 'critical' outage (bleepingcomputer.com)

Encryption

• Zscaler ThreatLabz Finds Most Cyber Attacks Hide (itsecuritywire.com)

• 86% of cyber attacks are delivered over encrypted channels - Help Net Security

• SSH protects the world’s most sensitive networks. It just got a lot weaker | Ars Technica

Passwords, Credential Stuffing & Brute Force Attacks

• The password attacks of 2023: Lessons learned and next steps (bleepingcomputer.com)

• CISA urges vendors to get rid of default passwords | CyberScoop

• BMW dealer at risk of takeover by cyber criminals - Security Affairs

• Hospitality Industry Faces New Password-Stealing Malware - Infosecurity Magazine (infosecurity-magazine.com)

• Cyber criminals target hotel staff for management credentials • The Register

Social Media

• Social media platform X back up after global outage | Reuters

• Crypto scammers abuse Twitter ‘feature’ to impersonate high-profile accounts (bleepingcomputer.com)

• Crypto drainer steals $59 million from 63k people in Twitter ad push (bleepingcomputer.com)

• New phishing attack steals your Instagram backup codes to bypass 2FA (bleepingcomputer.com)

Malvertising

• Malvertising has been out of control in 2023, and Google needs to do more to stop it | ITPro

Training, Education and Awareness

• Are We Ready to Give Up on Security Awareness Training? (thehackernews.com)

• Many organisations still lack formal IT security training in 2024 (securitybrief.co.nz)

Regulations, Fines and Legislation

• CFOs are under the gun as the SEC's new 4-day data breach disclosure window goes into effect | Fortune

• SEC vs. SolarWinds: A cyber security game changer for CISOs (securitybrief.co.nz)

• Porsche To Kill ICE-Powered Macan In Europe Over Cyber Security Laws | Carscoops

• UK data centres to be classed as critical infrastructure under new gov proposals | ITPro

• Clock Starts on SEC Cyber Attack Rules: What CISOs Should Know (informationweek.com)

• SEC disclosure rule for ‘material’ cyber security incidents goes into effect | CyberScoop

• What Do CISOs Have to Do to Meet New SEC Regulations? (darkreading.com)

• EU agrees amendments to Cyber Solidarity Act in bid to create ‘cyber shield’ for member states | ITPro

• Rules targeting financial criminals will require new filings for startups and small businesses – GeekWire

• A quiet cyber security revolution is touching every corner of the economy as US, allies ‘pull all the levers’ to face new threats | Fortune

Models, Frameworks and Standards

• Cyber Security Frameworks: A Guide for MSSPs | MSSP Alert

• SANS Institute Research Shows the Frameworks Organisations Use (darkreading.com)

Careers, Working in Cyber and Information Security

• How cyber security roles are changing and what to look for when hiring | CSO Online

Law Enforcement Action and Take Downs

• BlackCat Strikes Back: Ransomware Gang “Unseizes” Website, Vows No Limits on Targets - Security Week

• A Major Ransomware Takedown Suffers a Strange Setback | WIRED

• US law enforcement seizes BlackCat ransomware site, distributes decryption key (axios.com)

• Ex-Amazon engineer pleads guilty to hacking crypto exchanges (bleepingcomputer.com)

• How Microsoft’s cyber crime unit has evolved to combat increased threats | Ars Technica

• Gang charged with running $80 million "pig butchering" cryptocurrency investment scam (bitdefender.com)

• Former IT manager pleads guilty to attacking high school network (bleepingcomputer.com)

• Microsoft’s Digital Crime Unit Goes Deep on How It Disrupts Cyber Crime | WIRED

• German police takes down Kingdom Market cyber crime marketplace (bleepingcomputer.com)

• Law enforcement Operation HAECHI IV led to the seizure of $300 Million (securityaffairs.com)

• Two arrested as police investigate Birmingham dark web drugs trade - Birmingham Live (birminghammail.co.uk)

• Interpol op cuffs 3,500 cyber suspects, seizes $300M • The Register

• NSA Blocked 10 Billion Connections to Malicious and Suspicious Domains - Security Week

• Qakbot Sightings Confirm Law Enforcement Takedown Was Only a Setback (darkreading.com)

• Suspects can refuse to provide phone passcodes to police, court rules | Ars Technica

• Dark web marketplace Kingdom Market dismantled | SC Media (scmagazine.com)

• Lapsus$ teen sentenced to indefinite detention in hospital • The Register

Nation State Actors, Advanced Persistent Threats (APTs), Cyber Warfare, Cyber Espionage and Geopolitical Threats/Activity

Cyber Warfare and Cyber Espionage

• Attacks on critical infrastructure are harbingers of war: Are we prepared? | SC Media (scmagazine.com)

Nation State Actors

China

• China's Cyber Warfare Surges With Hacking Of US Infrastructure (thefederalist.com)

• Espionage from the East: "Russia Is a Storm, China Is Climate Change" - DER SPIEGEL

• US cyber warriors issue a call to arms - Asia Times

• China's Secret War Preps Inside US Utilities (spytalk.co)

• National Grid drops Beijing-backed supplier over UK power network fears (ft.com)

• Chinese Spacecraft Emitting Strong Signal Over North America (futurism.com)

• A top-secret Chinese spy satellite just launched on a supersized rocket | Ars Technica

• China's MIIT Introduces Color-Coded Action Plan for Data Security Incidents (thehackernews.com)

Russia

• Cyber attack on Kyivstar is likely one of highest-impact disruptive in Ukraine since Feb 2022 - British intelligence (interfax.com.ua)

• The UK Defence Intelligence Analyses Massive Cyber Attack Ukraine Suffered | Defence Express (defence-ua.com)

• Ukraine updates: UK says Ukraine suffered severe cyber attack – DW – 12/16/2023

• Espionage from the East: "Russia Is a Storm, China Is Climate Change" - DER SPIEGEL

• US cyber warriors issue a call to arms - Asia Times

• Anonymous Sudan hacking group pledges to keep targeting OpenAI's ChatGPT (axios.com)

• UK and partners form The Tallinn Mechanism for cyber security - GOV.UK (www.gov.uk)

• Ukraine mobile cyber attack high impact says UK - Emerging Risks Media Ltd

• Russian APT29 Hacked US Biomedical Giant in TeamCity-Linked Breach (hackread.com)

• Cyber espionage group Cloud Atlas targets Russian companies with war-related phishing attacks (therecord.media)

Iran

• Israel-linked hacking group claims it ‘disabled’ gas stations across Iran | World News - Hindustan Times

• Iranian 'Seedworm' Cyber Spies Target African Telcos & ISPs (darkreading.com)

Other Nation State Actors, Hacktivism, Extremism, Terrorism and Other Geopolitical Threat Intelligence

• Intellexa and Cytrox: From fixer-upper to Intel Agency-grade spyware (talosintelligence.com)

Vulnerability Management

• 2023 Cyber Threats: 26,000+ Vulnerabilities, 97 Beyond CISA List - Infosecurity Magazine (infosecurity-magazine.com)

• Majority of 2023's critical cyber attacks stemmed from fewer than 1% of vulnerabilities - SiliconANGLE

• 1 in 4 high-risk CVEs are exploited within 24 hours of going public | SC Media (scmagazine.com)

• Will Putting a Dollar Value on Vulnerabilities Help Prioritize Them? (darkreading.com)

• Creating a formula for effective vulnerability prioritization - Help Net Security

• Zoom Unveils Open Source Vulnerability Impact Scoring System - Security Week

• Threat actors still exploiting old unpatched vulnerabilities, says Cisco | IT Business

Vulnerabilities

• 80 percent of Struts 2 downloads include critical flaw • The Register

• ESET fixed a high-severity bug in the Secure Traffic Scanning Feature of several products (securityaffairs.com)

• Fortinet Releases Security Updates for Multiple Products | CISA

• Flaws in pfSense firewall can lead to arbitrary code execution (securityaffairs.com)

• QNAP VioStor NVR vulnerability actively exploited by malware botnet (bleepingcomputer.com)

• MOVEit Vulnerability Hits Delta Dental: 7 Million Records Exposed - Infosecurity Magazine (infosecurity-magazine.com)

• Microsoft discovers critical RCE flaw in Perforce Helix Core Server (bleepingcomputer.com)

• Years-Old, Unpatched GWT Vuln Leaves Apps Open to Server-Side RCE (darkreading.com)

• 8220 Gang Exploiting Oracle WebLogic Server Vulnerability to Spread Malware (thehackernews.com)

• 3CX Urges Customers to Disable Integration Due to Potential Vulnerability - Security Week

• Mozilla Patches Firefox Vulnerability Allowing Remote Code Execution, Sandbox Escape - Security Week

• Researchers uncover major security issue in Microsoft Azure - here's what we know | TechRadar

• Microsoft Outlook Zero-Click Security Flaws Triggered by Sound File (darkreading.com)

• 3CX warns customers to disable SQL database integrations (bleepingcomputer.com)

• Dell Urges Customers to Patch Vulnerabilities in PowerProtect Products - Security Week

• Outlook Plays Attacker Tunes: Vulnerability Chain Leading to Zero-Click RCE - Security Week

• Targeted F5 Vulnerability 'Update' Delivers Wiper to Israeli Victims (darkreading.com)

• Urgent: New Chrome Zero-Day Vulnerability Exploited in the Wild - Update ASAP (thehackernews.com)

• Ivanti releases patches for 13 critical Avalanche RCE flaws (bleepingcomputer.com)

• Apple rolls out iOS 17.2.1 with bugfixes and minor improvements - Neowin

• Hackers Exploiting MS Excel Vulnerability to Spread Agent Tesla Malware (thehackernews.com)

• SSH protects the world’s most sensitive networks. It just got a lot weaker | Ars Technica

• Impact of Log4Shell Bug Was Overblown, Say Researchers - Infosecurity Magazine (infosecurity-magazine.com)

• Fake F5 BIG-IP zero-day warning emails push data wipers (bleepingcomputer.com)

• New Security Vulnerabilities Uncovered in pfSense Firewall Software - Patch Now (thehackernews.com)

Tools and Controls

• AI’s efficacy is constrained in cyber security, but limitless in cyber crime - Help Net Security

• More cyber criminals turning to remote desktop protocol attacks | Insurance Times

• Insurer’s UK Honeypots Attacked 17 Million Times Per Day - Infosecurity Magazine (infosecurity-magazine.com)

• The cyber security arms race: AI vs. AI | TechRadar

• Microsoft unveils new, more secure Windows Protected Print Mode (bleepingcomputer.com)

• 65% of organisations say ransomware concerns impact risk management | Security Magazine

• AI in Cyber Security: It's All About Being Aware (inforisktoday.com)

• Demystifying Open XDR: What It Is, How to Do It, and ROI | Binary Defence

• 5 things you need to know about your EDR | CSO Online

• Can you trust Windows Hello biometric authentication | Kaspersky official blog

• Many organisations still lack formal IT security training in 2024 (securitybrief.co.nz)

• How CISOs can manage multiprovider cyber security portfolios | TechTarget

• Intelligence Researchers to Study Computer Code for Clues to Hackers’ Identities - WSJ

• CISA Releases Microsoft 365 Secure Configuration Baselines and SCuBAGear Tool | CISA

• Are Workstation Security Logs Actually Important? | MSSP Alert

• What's the Best Way to Communicate After a Data Breach? (darkreading.com)

• How Segmentation Can Slow a Cyber Attack - ClearanceJobs

Reports Published in the Last Week

• Annual Payment Fraud Intelligence Report: 2023 | Recorded Future

Other News

• The Financial Sector Experiences More Cyber Attacks than Other Verticals, and those Incidents Result in Costlier Outcomes (prnewswire.com)

• 77% of financial organisations detected a cyber attack in the last year | Security Magazine

• Small businesses targeted by cyber criminals for data (securitybrief.co.nz)

• Retailers Are Being Barraged By Cyber Attacks This Holiday Season (forbes.com)

• Complexity leaves energy companies vulnerable to cyber attacks - Verdict

• The MOVEit breach may well have been the biggest cyber attack of the year | TechRadar

• How to bolster security against intellectual property theft (c4isrnet.com)

• In Cyber Security, Some Conventional Wisdom, While Well-Intentioned, Is Off-Base (newsweek.com)

• Navigating The Cyber Security Landscape In 2024 (forbes.com)

• 3 Strategic Insights from Cyber Security Leader Study (trendmicro.com)

• Healthcare sector warned of poor cyber hygiene; CISA doles out remedy advice | SC Media (scmagazine.com)

• The truth behind four small business cyber security myths (themanufacturer.com)

• Conclusion of Crossed Swords: the most exciting offensive cyber operations exercise

• Australia announces cyber security plan after major breaches | World Economic Forum (weforum.org)

• National Grid drops Beijing-backed supplier over UK power network fears (ft.com)

• As British Library faces fallout of cyber attack—what can arts bodies do to combat ransomware threats? (theartnewspaper.com)

• NIST Report Spotlights Cyber, Privacy Risks in Genomic Data (inforisktoday.com)

• Zscaler ThreatLabz Finds Most Cyber Attacks Hide (itsecuritywire.com)

• 86% of cyber attacks are delivered over encrypted channels - Help Net Security

Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

·         Automotive

·         Construction

·         Critical National Infrastructure (CNI)

·         Defence & Space

·         Education & Academia

·         Energy & Utilities

·         Estate Agencies

·         Financial Services

·         FinTech

·         Food & Agriculture

·         Gaming & Gambling

·         Government & Public Sector (including Law Enforcement)

·         Health/Medical/Pharma

·         Hotels & Hospitality

·         Insurance

·         Legal

·         Manufacturing

·         Maritime

·         Oil, Gas & Mining

·         OT, ICS, IIoT, SCADA & Cyber-Physical Systems

·         Retail & eCommerce

·         Small and Medium Sized Businesses (SMBs)

·         Startups

·         Telecoms

·         Third Sector & Charities

·         Transport & Aviation

·         Web3

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

• 1 in 3 Employees Don’t Understand Why Cyber Security Is Important

According to a new Tessian report, 30% of employees do not think they personally play a role in maintaining their company’s cyber security posture.

What’s more, only 39% of employees say they’re very likely to report a security incident, making investigation and remediation even more challenging and time-consuming for security teams. When asked why, 42% of employees said they wouldn’t know if they had caused an incident in the first place, and 25% say they just don’t care enough about cyber security to mention it.

Virtually all IT and security leaders agreed that a strong security culture is important in maintaining a strong security posture. Yet, despite rating their organisation’s security 8 out 10, on average, three-quarters of organisations experienced a security incident in the last 12 months.

The report suggests this could stem from a reliance on traditional training programs: 48% of security leaders say training is one of the most important influences on building a positive security posture. But the reality is that employees aren’t engaged; just 28% of UK and US workers say security awareness training is engaging and only 36% say they’re paying full attention. Of those who are, only half say it’s helpful, while another 50% have had a negative experience with a phishing simulation. With recent headlines depicting how phishing simulations can go awry, negative experiences like these further alienate employees and decrease engagement.

https://www.helpnetsecurity.com/2022/07/28/employees-dont-understand-why-cybersecurity-is-important/

• As Companies Calculate Cyber Risk, the Right Data Makes a Big Difference

The proposed US Securities and Exchange Commission’s stronger rules for reporting cyber attacks will have ramifications beyond increased disclosure of attacks to the public. By requiring not just quick reporting of incidents, but also disclosure of cyber policies and risk management, such regulation will ultimately bring more accountability for cyber security to the highest levels of corporate leadership. Other jurisdictions will very likely follow the US in requiring more stringent cyber controls and governance.

This means that boards and executives everywhere will need to increase their understanding of cyber security, not only from a tech point of view, but from a risk and business exposure point of view. The CFO, CMO and the rest of the C-suite and board will want and need to know what financial exposure the business faces from a data breach, and how likely it is that breaches will happen. This is the only way they will be able to develop cyber policies and plans and react properly to the proposed regulations.

Companies will therefore need to be able to calculate and put a dollar value on their exposure to cyber risk. This is the starting point for the ability to make cyber security decisions not in a vacuum, but as part of overall business decisions. To accurately quantify cyber security exposure, companies need to understand what the threats are and which data and business assets are at risk, and they then need to multiply the cost of a breach by the probability that such an event will take place in order to put a dollar figure on their exposure.

While there are many automated tools, including those that use artificial intelligence (AI), that can help with this, the key to doing this well is to make sure calculations are rooted in real and relevant data – which is different for each company or organisation.

https://venturebeat.com/2022/07/22/as-companies-calculate-cyber-risk-the-right-data-makes-a-big-difference/

• Only 25% Of Organisations Consider Their Biggest Threat to Be from Inside the Business

A worrying 73.5% of organisations feel they have wasted the majority of their cyber security budget on failing to remediate threats, despite having an over-abundance of security tools at their disposal, according to Gurucul.

Only 25% of organisations consider their biggest threat to be from inside the business, despite insider threats increasing by 47% over the past two years. With only a quarter of businesses seeing their biggest threat emanating from inside their organisation, it seems over 70% saw the biggest cyber security challenges emanating from external threats such as ransomware. In fact, although external threats account for many security incidents, we must never forget to look beyond those external malicious and bad actors to insider threats to effectively secure corporate data and IP.

The survey also found 33% of respondents said they are able to detect threats within hours, while 27.07% even claimed they can detect threats in real-time. However, challenges persist with 33% of respondents stating that it still takes their organisation days and weeks to detect threats, with 6% not being able to detect them at all.

https://www.helpnetsecurity.com/2022/07/28/biggest-threat-inside-the-business/

• The Global Average Cost of a Data Breach Reaches an All-Time High of $4.35 Million

IBM Security released the 2022 Cost of a Data Breach Report, revealing costlier and higher-impact data breaches than ever before, with the global average cost of a data breach reaching an all-time high of $4.35 million for studied organisations.

With breach costs increasing nearly 13% over the last two years of the report, the findings suggest these incidents may also be contributing to rising costs of goods and services. In fact, 60% of studied organisations raised their product or services prices due to the breach, when the cost of goods is already soaring worldwide amid inflation and supply chain issues.

The perpetuality of cyber attacks is also shedding light on the “haunting effect” data breaches are having on businesses, with the IBM report finding 83% of studied organisations have experienced more than one data breach in their lifetime. Another factor rising over time is the after-effects of breaches on these organisations, which linger long after they occur, as nearly 50% of breach costs are incurred more than a year after the breach.

The 2022 Cost of a Data Breach Report is based on in-depth analysis of real-world data breaches experienced by 550 organisations globally between March 2021 and March 2022. The research, which was sponsored and analysed by IBM Security, was conducted by the Ponemon Institute.

https://www.helpnetsecurity.com/2022/07/27/2022-cost-of-a-data-breach-report/

• Race Against Time: Hackers Start Hunting for Victims Just 15 Minutes After a Bug Is Disclosed

Attackers are becoming faster at exploiting previously undisclosed zero-day flaws, according to Palo Alto Networks.  This means that the amount of time that system admins have to patch systems before exploitation happens is shrinking fast..

The company warns in its 2022 report covering 600 incident response (IR) cases that attackers typically start scanning for vulnerabilities within 15 minutes of one being announced.

Among this group are 2021's most significant flaws, including the Exchange Server ProxyShell and ProxyLogon sets of flaws, the persistent Apache Log4j flaws aka Log4Shell, the SonicWall zero-day flaws, and Zoho ManageEngine ADSelfService Plus.

While phishing remains the biggest method for initial access, accounting for 37% of IR cases, software vulnerabilities accounted of 31%. Brute-force credential attacks (like password spraying) accounted for 9%, while smaller categories included previously compromised credentials (6%), insider threat (5%), social engineering (5%), and abuse of trusted relationships/tools (4%).    

Over 87% of the flaws identified as the source of initial access fell into one of six vulnerability categories.

https://www.zdnet.com/article/race-against-time-hackers-start-hunting-for-victims-just-15-minutes-after-a-bug-is-disclosed/

• Ransomware-as-a-Service Groups Forced to Change Tack as Payments Decline

Ransomware-as-a-service (RaaS) operators are evolving their tactics yet again in response to more aggressive law enforcement efforts, in a move that is reducing their profits but also making affiliates harder to track, according to Coveware.

The security vendor’s Q2 2022 ransomware report revealed that concerted efforts to crack down on groups like Conti and DarkSide have forced threat actors to adapt yet again.

It identified three characteristics of RaaS operations that used to be beneficial, but are increasingly seen as a hinderance.

The first is RaaS branding, which has helped to cement the reputation of some groups and improve the chances of victims paying, according to Coveware. However, branding also makes attribution easier and can draw the unwanted attention of law enforcement, it said.

“RaaS groups are keeping a lower profile and vetting affiliates and their victims more thoroughly,” Coveware explained.

“More RaaS groups have formed, resulting in less concentration among the top few variants. Affiliates are frequently shifting between RaaS variants on different attacks, making attribution beyond the variant more challenging.”

In some cases, affiliates are also using “unbranded” malware to make attribution more difficult, it added.

The second evolution in RaaS involves back-end infrastructure, which used to enable scale and increase profitability. However, it also means a larger attack surface and a digital footprint that’s more expensive and challenging to maintain.

As a result, RaaS developers are being forced to invest more in obfuscation and redundancy, which is hitting profits and reducing the amount of resources available for expansion, Coveware claimed.

Finally, RaaS shared services used to help affiliates with initial access, stolen data storage, negotiation management and leak site support.

https://www.infosecurity-magazine.com/news/raas-groups-forced-change-payments/

• Phishers Targeted Financial Services Most During H1 2022

Banks received the lion’s share of phishing attacks during the first half of 2022, according to figures published by cyber security company Vade.

The analysis also found that attackers were most likely to send their phishing emails on weekdays, with most arriving between Monday and Wednesday. Attacks tapered off towards the end of the week, Vade said.

While financial services scored highest on a per-sector basis, Microsoft was the most impersonated brand overall. The company’s Microsoft 365 cloud productivity services are a huge draw for cyber-criminals hoping to access accounts using phishing attacks.

Phishing attacks on Microsoft customers have become more creative, according to Vade, which identified several phone-based attacks. It highlighted a campaign impersonating Microsoft’s Defender anti-malware product, fraudulently warning that the company had debited a subscription fee. It encouraged victims to fix the problem by phone.

Facebook came a close second, followed by financial services company Crédit Agricole, WhatsApp and Orange.

https://www.infosecurity-magazine.com/news/phishers-financial-services-h1-2022/

• HR Emails Dupe Employees the Most – KnowBe4 research reveals

In phishing tests conducted on business emails, more than half of the subject lines clicked imitated Human Resources communications.

New research has revealed the top email subjects clicked on in phishing tests were those related to or from Human Resources, according to the latest ‘most clicked phishing tests‘ conducted by KnowBe4. In fact, half of those that were clicked on had subject lines related to Human Resources, including vacation policy updates, dress code changes, and upcoming performance reviews. The second most clicked category were those send from IT, which include requests or actions of password verifications that were needed immediately.

KnowBe4’s CEO commented “More than 80% of company data breaches globally come from human error, so security awareness training for your staff is one of the least costly and most effective methods to thwart social engineering attacks. Training gives employees the ability to rapidly recognise a suspicious email, even if it appears to come from an internal source, causing them to pause before clicking. That moment where they stop and question the email is a critical and often overlooked element of security culture that could significantly reduce your risk surface.”

This research comes hot off the heels of the recent KnowBe4 industry benchmarking report which found one in three untrained employees will click on a phishing link. The worst performing industries were Energy & Utilities, Insurance and Consulting, with all labelled the most at risk for social engineering in the large enterprise category.

https://www.itsecurityguru.org/2022/07/27/hr-emails-dupe-employees-the-most-knowbe4-research-reveals/

• 84% Of Organisations Experienced an Identity-Related Breach in the Past 18 Months

60% of IT security decision makers believe their overall security strategy does not keep pace with the threat landscape, and that they are either lagging behind (20%), treading water (13%), or merely running to keep up (27%), according to a survey by Sapio Research.

The report also highlights differences between the perceived and actual effectiveness of security strategies. While 40% of respondents believe they have the right strategy in place, 84% of organisations reported that they have experienced an identity-related breach or an attack using stolen credentials during the previous year and a half.

Promisingly, many organisations are hungry to make a change, particularly when it comes to protecting identities. In fact, 90% of respondents state that their organisations fully recognise the importance of identity security in enabling them to achieve their business goals, and 87% say that it is one of the most important security priorities for the next 12 months.

However, 75% of IT and security professionals also believe that they’ll fall short of protecting privileged identities because they won’t get the support they need. This is largely due to a lack of budget and executive alignment, with 63% of respondents saying that their company’s board still doesn’t fully understand identity security and the role it plays in enabling better business operations.

While the importance of identity security is acknowledged by business leaders, most security teams will not receive the backing and budget they need to put vital security controls and solutions in place to reduce major risks. This means that the majority of organisations will continue to fall short of protecting privileges, leaving them vulnerable to cyber criminals looking to discover privileged accounts and abuse them.

https://www.helpnetsecurity.com/2022/07/28/identity-related-breach/

• Economic Downturn Raises Risk of Insiders Going Rogue

Declining economic conditions could make insiders more susceptible to recruitment offers from threat actors looking for allies to assist them in carrying out various attacks.

Enterprise security teams need to be aware of the heightened risk and strengthen measures for protecting against, detecting, and responding to insider threats, researchers from Palo Alto Network's Unit 42 threat intelligence team recommended in a report this week.

The security vendor's report highlighted several other important takeaways for security operations teams, including the fact that ransomware and business email compromise attacks continue to dominate incident response cases and vulnerability exploits — accounting for nearly one-third of all breaches.

Unit 42 researchers analysed data from a sampling of over 600 incident response engagements between April 2021 and May 2022 and determined that difficult economic times could lure more actors to cyber crime. This could include both people with technical skills looking to make a fast buck, as well as financially stressed insiders with legitimate access to valuable enterprise data and IT assets. The prevalence of remote and hybrid work models has created an environment where it's easier for workers to steal intellectual property or carry out other malicious activity, the researchers found.

https://www.darkreading.com/risk/economic-downturn-raises-the-risk-of-insiders-going-rogue

• 5 Trends Making Cyber Security Threats Riskier and More Expensive

Since the pandemic the cyber world has become a far riskier place. According to the Hiscox Cyber Readiness Report 2022, almost half (48%) of organisations across the US and Europe experienced a cyber attack in the past 12 months. Even more alarming is that these attacks are happening despite businesses doubling down on their cyber security spend.

Cyber security is at a critical inflection point where five megatrends are making the threat landscape riskier, more complicated, and costlier to manage than previously reported. To better understand the evolution of this threat landscape, let’s examine these trends in more detail.

1. Everything becomes digital

2. Organisations become ecosystems

3. Physical and digital worlds collide

4. New technologies bring new risks

5. Regulations become more complex

Organisations can follow these best practices to elevate cyber security performance:

• Identify, prioritise, and implement controls around risks.

• Adopt a framework such as ISO 27001 or NIST Cyber Security Framework.

• Develop human-layered cyber security.

• Fortify your supply chain.

• Avoid using too many tools.

• Prioritise protection of critical assets.

• Automate where you can.

• Monitor security metrics regularly to help business leaders get insight into security effectiveness, regulatory compliance, and levels of security awareness in the organisation.

Cyber security will always be a work in progress. The key to effective risk management is having proactive visibility and context across the entire attack surface. This helps to understand which vulnerabilities, if exploited, can cause the greatest harm to the business. Not all risks can be mitigated; some risks will have to be accepted and trade-offs will have to be negotiated.

https://www.csoonline.com/article/3667442/5-trends-making-cybersecurity-threats-riskier-and-more-expensive.html#tk.rss_news

• Ransomware: Publicly Reported Incidents Are Only the Tip of the Iceberg

The threat landscape report on ransomware attacks published this week by the European Union Agency for Cybersecurity (ENISA) uncovers the shortcomings of the current reporting mechanisms across the EU.

As one of the most devastating types of cyber security attacks over the last decade, ransomware, has grown to impact organisations of all sizes across the globe.

This threat landscape report analysed a total of 623 ransomware incidents across the EU, the United Kingdom and the United States for a reporting period from May 2021 to June 2022. The data was gathered from governments' and security companies' reports, from the press, verified blogs and in some cases using related sources from the dark web.

Between May 2021 and June 2022 about 10 terabytes of data were stolen each month by ransomware threat actors. 58.2% of the data stolen included employees' personal data.

At least 47 unique ransomware threat actors were found.

For 94.2% of incidents, we do not know whether the company paid the ransom or not. However, when the negotiation fails, the attackers usually expose and make the data available on their webpages. This is what happens in general and is a reality for 37.88% of incidents.

We can therefore conclude that the remaining 62.12% of companies either came to an agreement with the attackers or found another solution.

The study also shows that companies of every size and from all sectors are affected.

The figures in the report can however only portray a part of the overall picture. In reality, the study reveals that the total number of ransomware attacks is much larger. At present this total is impossible to capture since too many organisations still do not make their incidents public or do not report on them to the relevant authorities.

https://www.enisa.europa.eu/news/ransomware-publicly-reported-incidents-are-only-the-tip-of-the-iceberg

Threats

Ransomware

• LockBit 3.0: Significantly Improved Ransomware Helps the Gang Stay on Top (darkreading.com)

• Ransomware looms large over the cyber insurance industry - Help Net Security

• 800,000 businesses fall victim to ransomware each year (komando.com)

• Business services top target of ransomware attacks (securitybrief.co.nz)

• How Crypto is Driving the Ransomware Epidemic | Cryptoland Roundtable - YouTube

• On security researcher's newsletter, exposing cyber criminals behind ransomware - CyberScoop

• LockBit ransomware abuses Windows Defender to load Cobalt Strike (bleepingcomputer.com)

• Mailing List Provider WordFly Scrambling to Recover Following Ransomware Attack | SecurityWeek.Com

• No More Ransom helps millions of ransomware victims in 6 years (bleepingcomputer.com)

• Lockbit ransomware gang claims to have breached the Italian Revenue Agency - Security Affairs

• Lockbit Ramps Up Attacks on Public Sector - Infosecurity Magazine (infosecurity-magazine.com)

• A ‘Top Tier’ Hacking Gang Is Likely To Be Behind Entrust Ransomware (informationsecuritybuzz.com)

• No More Ransom Helped More Than 1.5 Million People Decrypt Their Devices (darkreading.com)

• Ransomware caused American Dental Association outage, led to stolen data (scmagazine.com)

• The road to ransomware recovery starts before an attack • The Register

• LockBit Ransomware Group Augments Its Latest Variant, LockBit 3.0, With BlackMatter Capabilities (trendmicro.com)

BEC – Business Email Compromise

• Crackdown on BEC Schemes: 100 Arrested in Europe, Man Charged in US | SecurityWeek.Com

• European Police Arrest 100 Suspects in BEC Crackdown - Infosecurity Magazine (infosecurity-magazine.com)

Phishing & Email Based Attacks

• Phishing Attacks Skyrocket with Microsoft and Facebook as Most Abused Brands | Threatpost

• Three of the world's most expensive phishing attacks and how they could have been prevented (betanews.com)

• Threat Actors Respond To Microsoft Blocking Macros with New Email Tactics (informationsecuritybuzz.com)

• Phishing scam targeting Bank of America, Citi and Wells Fargo customers (komando.com)

• APT-Like Phishing Threat Mirrors Landing Pages (darkreading.com)

• New Callback Malware Campaign Impersonates Legitimate Cyber Security Providers - MSSP Alert

• Microsoft Tops Brands Phishers Prefer (darkreading.com)

• Phishing Attacks: Microsoft Leads Top 25 of Impersonated Brands - MSSP Alert

• Researchers Warns of Increase in Phishing Attacks Using Decentralized IPFS Network (thehackernews.com)

• 1,000s of Phishing Attacks Blast Off From InterPlanetary File System (darkreading.com)

• New ‘Robin Banks’ phishing service targets BofA, Citi, and Wells Fargo (bleepingcomputer.com)

Other Social Engineering; SMishing, Vishing, etc

• US govt warns Americans of escalating SMS phishing attacks (bleepingcomputer.com)

Malware

• Cisco Incident Response Report: Commodity Malware Top Threat in Q2 - MSSP Alert

• Discovery of new UEFI rootkit exposes an ugly truth: The attacks are invisible to us | Ars Technica

• As Microsoft blocks Office macros, hackers find new attack vectors (bleepingcomputer.com)

• Microsoft Links Raspberry Robin USB Worm to Russian Evil Corp Hackers (thehackernews.com)

• Microsoft links Raspberry Robin malware to Evil Corp attacks (bleepingcomputer.com)

• Malware-laced npm packages used to target Discord users - Security Affairs

• CosmicStrand UEFI malware found in Gigabyte, ASUS motherboards (bleepingcomputer.com)

• Sophisticated UEFI rootkit of Chinese origin shows up again in the wild after 3 years | CSO Online

• Attackers are slowly abandoning malicious macros - Help Net Security

• One of the most beloved Windows tools could actually be a huge security risk | TechRadar

• QBot phishing uses Windows Calculator DLL hijacking to infect devices (bleepingcomputer.com)

• Gootkit Loader’s Updated Tactics and Fileless Delivery of Cobalt Strike (trendmicro.com)

• Microsoft: Austrian company DSIRF selling Subzero malware (techtarget.com)

• Threat actors leverages DLL-SideLoading to spread Qakbot - Security Affairs

• Rare 'CosmicStrand' UEFI Rootkit Swings into Cyber crime Orbit (darkreading.com)

Mobile

• Here are the top phone security threats in 2022 and how to avoid them | ZDNet

• New Android malware apps installed 10 million times from Google Play (bleepingcomputer.com)

• Roaming Mantis Financial Hackers Targeting Android and iPhone Users in France (thehackernews.com)

• Facebook ads push Android adware with 7 million installs on Google Play (bleepingcomputer.com)

• Millions of Android devices infected with wallet-draining malware | TechRadar

• Over a Dozen Android Apps on Google Play Store Caught Dropping Banking Malware (thehackernews.com)

• These 28+ Android Apps with 10 Million Downloads from the Play Store Contain Malware (thehackernews.com)

Internet of Things – IoT

• IoT Botnets Fuels DDoS Attacks – Are You Prepared? | Threatpost

• Dahua IP Camera Vulnerability Could Let Attackers Take Full Control Over Devices (thehackernews.com)

Data Breaches/Leaks

• US court system suffered ‘incredibly significant attack’ • The Register

• Congress Warns of US Court Records System Breach - Infosecurity Magazine (infosecurity-magazine.com)

• Uber admits covering up massive 2016 data breach in settlement with US prosecutors - The Verge

• T-Mobile to pay $500M for one of the largest data breaches in US history [Updated] | Ars Technica

• Data Stolen in Breach at Security Company Entrust | SecurityWeek.Com

• Fallout from massive Shanghai Police data breach reverberates on dark web - CyberScoop

• Big Questions Remain Around Massive Shanghai Police Data Breach (darkreading.com)

Organised Crime & Criminal Actors

• Cyber-mercenaries represent shifting criminal business model • The Register

• Messaging Apps Tapped as Platform for Cyber Criminal Activity | Threatpost

• Teenager Jailed for Snapchat Blackmail Cyber Crimes- IT Security Guru

• DUCKTAIL operation targets Facebook’s Business and Ad accounts - Security Affairs

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

• Crypto fraud on the rise as consumers fall for fake celebrity endorsements | Cybernews

• Hackers Increasingly Using WebAssembly Coded Cryptominers to Evade Detection (thehackernews.com)

• NFT Hacking Group Attacks On The Rise, Report Finds- IT Security Guru

• Hackers steal $6 million from blockchain music platform Audius (bleepingcomputer.com)

 Fraud, Scams & Financial Crime

• Major shifts and the growing risk of identity fraud - Help Net Security

• Uber's former head of security faces fraud charges after allegedly covering up data breach (bitdefender.com)

• JPMorgan, UBS accused of shoddy identity theft protection • The Register

• Euro Police Bust €3m Internet Fraud Gang - Infosecurity Magazine (infosecurity-magazine.com)

• Romance scammers jailed after tricking Irish OAP out of €250k (bitdefender.com)

• Get a family safeword to make sure you don’t fall for the Mum and Dad scam | Money | The Sunday Times (thetimes.co.uk)

• What the Titanic Can Teach Us About Fraud? | SecurityWeek.Com

AML/CFT/Sanctions

• Russia declares Guernsey an 'unfriendly state' - BBC News

• Crypto exchange Kraken reportedly probed over Iran sanctions • The Register

Insurance

• Ransomware looms large over the cyber insurance industry - Help Net Security

Dark Web

• Cyber crime goods and services are cheap and plentiful - Help Net Security

• Hackers Selling Malware on Dark Web Underground Market (cybersecuritynews.com)

Supply Chain and Third Parties

• Experts warn of hacker claiming access to 50 US companies through breached MSP - The Record by Recorded Future

• Crook calls for help extorting service provider's clients • The Register

• Getting Ahead of Supply Chain Attacks (darkreading.com)

Software Supply Chain

• 8 top SBOM tools to consider | CSO Online

Denial of Service DoS/DDoS

• Akamai blocked the largest DDoS attack ever on its European customers - Security Affairs

• DDoS Attack Trends in 2022: Ultrashort, Powerful, Multivector Attacks (bleepingcomputer.com)

Cloud/SaaS

• Kansas MSP shuts down cloud services to fend off cyber attack (bleepingcomputer.com)

• Organisations are struggling with SaaS security. Why? - Help Net Security

Attack Surface Management

• 4 Steps the Financial Industry Can Take to Cope With Their Growing Attack Surface (thehackernews.com)

Identity and Access Management

• Why firms need to harness identity management before it spirals into an identity crisis - Help Net Security

• Benefits of modern PAM: Efficiency, security, compliance - Help Net Security

Encryption

• Transport Layer Security (TLS): Issues & Protocol (trendmicro.com)

• SSH2 vs. SSH1 and why SSH versions still matter (techtarget.com)

Passwords, Credential Stuffing & Brute Force Attacks

• Inadequate password and authentication requirements found in popular business web apps - Help Net Security

• Using Account Lockout policies to block Windows Brute Force Attacks (bleepingcomputer.com)

• Stop Putting Your Accounts At Risk, and Start Using a Password Manager (thehackernews.com)

Social Media

• Facebook security cracked by Malware made in Vietnam • The Register

• Cyber-Criminal Offers 5.4m Twitter Users’ Data - Infosecurity Magazine (infosecurity-magazine.com)

• Social Media Accounts Hijacked to Post Indecent Images - Infosecurity Magazine (infosecurity-magazine.com)

Training, Education and Awareness

• Poor Training and Communications Hindering Cyber security Efforts - Infosecurity Magazine (infosecurity-magazine.com)

Privacy

• US, UK law enforcement to implement data sharing law, troubling privacy advocates - CyberScoop

Law Enforcement Action and Take Downs

• UK Seizes Nearly $27m in Crypto-Assets - Infosecurity Magazine (infosecurity-magazine.com)

• European Cops Helped 1.5 Million People Decrypt Their Ransomwared Computers (vice.com)

Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine

• World entering 'dangerous new age' of threats, says UK's top national security adviser | World News | Sky News

• Cyberspies use Google Chrome extension to steal emails undetected (bleepingcomputer.com)

• Microsoft says it caught an Austrian spyware group using Windows 0-day exploits - The Verge

• Pegasus spyware: Just 'tip of the iceberg' seen so far • The Register

• Cyber attacks by Iran and Israel now target critical infrastructure. - The Washington Post

• Ukraine Cyber War Fall-out and Ransomware Trends Areas of Focus in New CyberCube Research | Business Wire

• US and Ukraine Sign Agreement to Deepen Cyber security Operational Collaboration - MSSP Alert

• CISA, Ukrainian cyber agency deepen partnership to combat Russian threat - CyberScoop

• How is Anonymous attacking Russia? The top six ways ranked (cnbc.com)

• European Lawmaker Targeted With Cytrox Predator Surveillance Spyware | SecurityWeek.Com

Nation State Actors

Nation State Actors – Russia

• Russia is quietly ramping up its Internet censorship machine | Ars Technica

• Apple network traffic takes mysterious detour through Russia • The Register

• 'Crippling' Western sanctions are hitting Russia much harder than Putin is letting on, say Yale economists (inews.co.uk)

Nation State Actors – China

• Chinese APTs: Interlinked networks and side hustles – Intrusion Truth (wordpress.com)

• OneWeb sale risks giving China a stake in ‘Five Eyes’ spying tech (telegraph.co.uk)

Nation State Actors – North Korea

• North Korean Hackers Using Malicious Browser Extension to Spy on Email Accounts (thehackernews.com)

• North Korean hackers attack EU targets with Konni RAT malware (bleepingcomputer.com)

• US puts $10 million bounty on North Korean threat groups • The Register

• Is APT28 behind the STIFF#BIZON attacks attributed to North Korea-linked APT37? Security Affairs

Nation State Actors – Iran

• Cyber attacks by Iran and Israel now target critical infrastructure. - The Washington Post

Vulnerability Management

• Hackers scan for vulnerabilities within 15 minutes of disclosure (bleepingcomputer.com)

• Attackers Have 'Favourite' Vulnerabilities to Exploit (darkreading.com)

• Taking the Risk-Based Approach to Vulnerability Patching (thehackernews.com)

• Organisations struggle to manage devices and stay ahead of vulnerabilities - Help Net Security

• 2022 Unit 42 Incident Response Report: How Attackers Exploit Zero-Days (paloaltonetworks.com)

• Security Teams Overwhelmed With Bugs, Bitten by Patch Prioritization (darkreading.com)

• Time between vuln disclosures, exploits is getting smaller • The Register

Vulnerabilities

• Critical Samba bug could let anyone become Domain Admin – patch now! – Naked Security (sophos.com)

• Multiple Windows, Adobe Zero-Days Anchor Knotweed Commercial Spyware (darkreading.com)

• How to Fix CVE-2022-30190 vulnerability using Microsoft Intune - CloudInfra

• CISA releases IOCs for attacks exploiting Log4Shell in VMware Horizon and UAG | CSO Online

• Critical FileWave MDM Flaws Open Organisation-Managed Devices to Remote Hackers (thehackernews.com)

• Hackers are abusing IIS extensions to establish covert backdoors - Security Affairs

• FileWave fixes bugs that left 1,000+ orgs open to ransomware • The Register

• Google Chrome Zero-day Vulnerability Discovered By Avast (informationsecuritybuzz.com)

• LibreOffice fixed 3 flaws, including a code execution issue - Security Affairs

• Critical security vulnerability in Grails could lead to remote code execution | The Daily Swig (portswigger.net)

• Drupal developers fixed a code execution flaw in the popular CMS - Security Affairs

• LibreOffice Releases Software Update to Patch 3 New Vulnerabilities (thehackernews.com)

• Hackers Exploit PrestaShop Zero-Day to Steal Payment Data from Online Stores (thehackernews.com)

Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

·       Automotive

·       Construction

·       Critical National Infrastructure (CNI)

·       Defence & Space

·       Education & Academia

·       Energy & Utilities

·       Estate Agencies

·       Financial Services

·       FinTech

·       Food & Agriculture

·       Gaming & Gambling

·       Government & Public Sector (including Law Enforcement)

·       Health/Medical/Pharma

·       Hotels & Hospitality

·       Insurance

·       Legal

·       Manufacturing

·       Maritime

·       Oil, Gas & Mining

·       OT, ICS, IIoT, SCADA & Cyber-Physical Systems

·       Retail & eCommerce

·       Small and Medium Sized Businesses (SMBs)

·       Startups

·       Telecoms

·       Third Sector & Charities

·       Transport & Aviation

·       Web3

Reports Published in the Last Week

• Hiscox Cyber Readiness Report 2022

• ENISA Threat Landscape for Ransomware Attacks — ENISA (europa.eu)

Other News

• A Retrospective on the 2015 Ashley Madison Breach – Krebs on Security

• The Great BizApp Hack: Cyber-Risks in Your Everyday Business Applications (darkreading.com)

• Threat Actors Pivot Around Microsoft’s Macro-Blocking in Office | Threatpost

• Strong Authentication - Robust Identity and Access Management Is a Strategic Choice - Security Affairs

• You Pay More When Companies Get Hacked | WIRED

• Microsoft again reverses course, will block macros by default (scmagazine.com)

• Is Your Home or Small Business Built on Secure Foundations? Think Again… (darkreading.com)

• Untangling KNOTWEED: European private-sector offensive actor using 0-day exploits - Microsoft Security Blog

• Infosec pros want more industry cooperation and support for open standards - Help Net Security

• We pass cyber attack costs onto customers, businesses admit • The Register

• How to Combat the Biggest Security Risks Posed by Machine Identities (thehackernews.com)

• Discord, Telegram Services Hijacked to Launch Array of Cyber Attacks (darkreading.com)

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

• Fifth of Businesses Say Cyber Attack Nearly Broke Them

A fifth of US and European businesses have warned that a serious cyber attack nearly rendered them insolvent, with most (87%) viewing compromise as a bigger threat than an economic downturn, according to Hiscox.

The insurer polled over 5000 businesses in the US, UK, Ireland, France, Spain, Germany, the Netherlands and Belgium to compile its annual Hiscox Cyber Readiness Report.

It revealed the potentially catastrophic financial damage that a serious cyber-attack can wreak. The number claiming to have nearly been brought down by a breach increased 24% compared to the previous year.

Nearly half (48%) of respondents said they suffered an attack over the past 12 months, a 12% increase from the previous report’s findings. Perhaps unsurprisingly, businesses in seven out of eight countries see cyber as their biggest threat.

Yet perception appears to vary greatly depending on whether an organisation has suffered a serious compromise or not. While over half (55%) of total respondents said they view cyber as a high-risk area, the figure among companies that have not yet suffered an attack is just 36%.

https://www.infosecurity-magazine.com/news/fifth-of-businesses-cyber-attack/

• Weak Security Controls and Practices Routinely Exploited for Initial Access

Cyber actors routinely exploit poor security configurations (either misconfigured or left unsecured), weak controls, and other poor cyber hygiene practices to gain initial access or as part of other tactics to compromise a victim’s system. A joint Cybersecurity Advisory by the cyber security authorities of the United States, Canada, New Zealand, the Netherlands, and the United Kingdom identifies commonly exploited controls and practices and includes best practices to mitigate the issues.

Malicious cyber actors often exploit the following common weak security controls, poor configurations, and poor security practices to employ the initial access techniques.

• Multifactor authentication (MFA) is not enforced

• Incorrectly applied privileges or permissions and errors within access control lists

• Software is not up to date

• Use of vendor-supplied default configurations or default login usernames and passwords

• Remote services, such as a virtual private network (VPN), lack sufficient controls to prevent unauthorised access

• Strong password policies are not implemented

• Cloud services are unprotected

• Open ports and misconfigured services are exposed to the internet

• Failure to detect or block phishing attempts

• Poor endpoint detection and response.

https://www.cisa.gov/uscert/ncas/alerts/aa22-137a

• How Do Ransomware Attacks Impact Victim Organisations’ Stock?

Ransomware has developed into an extremely lucrative business model with little risk involved for the threat actors. Couple this with the willingness of most victim organisations to pay the ransom demand under the assumption it will return business operations to normal - ultimately encouraging more attacks - and we have a big problem with no easy remedies.

Back in 2021, Cybereason published a report titled Ransomware Attacks and the True Cost to Business that revealed the various costs that organisations face after falling victim to a ransomware attack. Here are some of the most significant findings that stood out:

• Two-thirds of ransomware victims said that they endured a significant loss of revenue following the attack

• More than half (53%) of organisations suffered damage to their brand and reputation after a ransomware infection

• A third of those who fell to ransomware lost C-level talent in the attack’s aftermath

• Three in 10 organisations had no choice but to lay off employees due to the financial pressures resulting from a ransomware incident

• A quarter of ransomware victims said that they needed to suspend operations.

https://www.msspalert.com/cybersecurity-guests/how-do-ransomware-attacks-impact-victim-organizations-stock/

• Prioritise Patching Vulnerabilities Associated with Ransomware

In the last quarter, ransomware attacks have made mainstream headlines on a near-daily basis, with groups like Lapsus$ and Conti’s names splashed across the page. Major organisations like Okta, Globant and Kitchenware maker Meyer Corporation have all fallen victim, and they are very much not alone. The data indicates that increasing vulnerabilities, new advanced persistent threat (APT) groups and new ransomware families are contributing to ransomware’s continued prevalence and profitability.

The top stats include:

• 22 new vulnerabilities and nine new weaknesses have been associated with ransomware since January 2022; of the 22, a whopping 21 are considered of critical or high risk severity

• 19 (out of 22) of the newly-added vulnerabilities are associated with the Conti ransomware gang

• Three new APT groups (Exotic Lily, APT 35, DEV-0401) and four new ransomware families (AvosLocker, Karma, BlackCat, Night Sky) are deploying ransomware to attack their targets

• 141 of CISA’s Known Exploited Vulnerabilities (KEVs) are being used by ransomware operators – including 18 newly identified this quarter

• 11 vulnerabilities tied to ransomware remain undetected by popular scanners

• 624 unique vulnerabilities were found within the 846 healthcare products analysed.

https://www.helpnetsecurity.com/2022/05/19/increase-ransomware-vulnerabilities/

• Researchers Warn of Advanced Persistent Threats (APTs), Data Leaks as Serious Threats Against UK Financial Sector

Researchers say that geopolitical tension, ransomware, and cyber attacks using stolen credentials threaten the UK's financial sector.

KELA's security team published a report examining the cyber security issues and attacks that surfaced in 2021 and early 2022, specifically focused on the United Kingdom's banks and other financial services.

The UK was one of the first countries to stand with Ukraine after the invasion by Russia. This could make UK organisations a tempting target for threat actors siding with Russia - whether by state-sponsored advanced persistent threat (APT) groups or hacktivists. The National Cyber Security Centre (NCSC) previously warned businesses to shore up their cyber security following Russia's assault.

APTs are often responsible for attacking the financial sector: account credentials, card numbers, and the personally identifiable information (PII) of customers are useful not only in social engineering and identity theft but also to make fraudulent purchases or for card cloning.

APTs target organisations worldwide, and those located in the UK are no exception. Over the past few years, APTs, including the Chinese APT40 and APT31, have utilised vulnerabilities, including ProxyLogon, to compromise UK businesses.

"In general, APTs may target the financial sector to commit fraud, burglarise ATMs, execute transactions, and penetrate organisations' internal financial systems," KELA says. "Although specific threats to the UK financial sector have not been identified, there is no doubt that the UK has occasionally been a target of APT groups during 2021."

Exposed corporate information and leaked credentials are also of note. After browsing Dark Web forums, the researchers found that UK data is "in demand" by cyber criminals who are seeking PII, access credentials, and internal data.

https://www.zdnet.com/article/researchers-warn-of-apts-data-leaks-as-serious-threats-against-uk-financial-sector/

• Remote Work Hazards: Attackers Exploit Weak WiFi, Endpoints, and the Cloud

Infoblox unveils a global report examining the state of security concerns, costs, and remedies. As the pandemic and uneven shutdowns stretch into a third year, organisations are accelerating digital transformation projects to support remote work. Meanwhile, attackers have seized on vulnerabilities in these environments, creating more work and larger budgets for security teams.

1,100 respondents in IT and cyber security roles in 11 countries – United States, Mexico, Brazil, United Kingdom, Germany, France, the Netherlands, Spain, United Arab Emirates, Australia, and Singapore – participated in the survey.

The surge in remote work has changed the corporate landscape significantly – and permanently. 52% of respondents accelerated digital transformation projects, 42% increased customer portal support for remote engagement, 30% moved apps to third party cloud providers, and 26% shuttered physical offices for good. These changes led to the additions of VPNs and firewalls, a mix of corporate and employee owned devices as well as cloud and on-premises DDI servers to manage data traffic across the expanded network.

The hybrid workforce reality is causing greater concerns with data leakage, ransomware and attacks through remote access tools and cloud services. Respondents indicate concerns about their abilities to counter increasingly sophisticated cyber attacks with limited control over employees, work-from-home technologies, and vulnerable supply chain partners. The sophistication of state-sponsored malware also is a source of worry for many.

Organisations have good reason to worry: 53% of respondents experienced up to five security incidents that led to at least one breach.

https://www.helpnetsecurity.com/2022/05/17/state-of-security/

• Small Businesses Under Fire from Password Stealers

Password-stealing malware and other cyber attacks have increased significantly against small businesses over the past year, according to Kaspersky researchers.

An assessment released this week detailed the number of Trojan Password Stealing Ware (PSW) detections, internet attacks and attacks on Remote Desktop Protocol (RDP) between January and April 2022, compared with the same time frame from 2021. Kaspersky's research showed a jump in the detection of password stealers within small business environments, as well as increases in other types of cyber attacks.

According to Kaspersky, the biggest increase in threats against small businesses was password stealers, specifically Trojan PSWs. There were nearly 1 million more detected Trojan PSWs targeting small and medium-sized businesses in the first trimester of 2022 than the first of 2021, increasing from 3,029,903 to 4,003,323.

https://www.techtarget.com/searchsecurity/news/252518442/Small-businesses-under-fire-from-password-stealers

• Email Is the Riskiest Channel for Data Security

Research from Tessian and the Ponemon Institute reveals that nearly 60% of organisations experienced data loss or exfiltration caused by an employee mistake on email in the last 12 months.

Email was revealed as the riskiest channel for data loss in organisations, as stated by 65% of IT security practitioners. This was closely followed by cloud file-sharing services (62%) and instant messaging platforms (57%).

The research surveyed 614 IT security practitioners across the globe to also reveal that:

• Employee negligence, because of not following policies, is the leading cause of data loss incidents (40%)

• 27% of data loss incidents are caused by malicious insiders

• It takes up to three days for security and risk management teams to detect and remediate a data loss and exfiltration incident caused by a malicious insider on email

• 23% of organisations experience up to 30 security incidents involving employees’ use of email every month (for example, email was sent to an unintended recipient).

The most common types of confidential and sensitive information lost or intentionally stolen include: customer information (61%); intellectual property (56%); and consumer information (47%). User-created data (sensitive email content, text files, M&A documents), regulated data (credit card data, Social Security numbers, national ID numbers, employee data), and intellectual property were identified as the three types of data that are most difficult to protect from data loss.

The top two consequences for data loss incidents were revealed as non-compliance with data protection regulations (57%) and damage to an organisation’s reputation (52%). Furthermore, a previous study from Tessian found that 29% of businesses lost a client or customer because of an employee sending an email to the wrong person.

https://www.helpnetsecurity.com/2022/05/20/data-loss-email/

• Phishing Attacks for Initial Access Surged 54% in Q1

Threat actors doubled down on their use of phishing emails as an initial attack vector during the first quarter of 2022 — and in many cases then used that access to drop ransomware or to extort organisations in other ways.

Researchers from Kroll recently analysed data gathered from security incidents they responded to in the first three months of this year. The analysis showed a 54% increase in incidents of phishing for initial access compared with the same period last year.

For the first time since Microsoft disclosed the so-called ProxyLogon set of vulnerabilities in Exchange Server in the first quarter of 2021, incidents tied to email compromises surpassed those related to ransomware. Kroll described the sharp increase in phishing activity as likely the result of a surge in activity tied to Emotet and IceID malware — threat actors have been using both to drop other malware.

https://www.darkreading.com/risk/phishing-attacks-for-initial-access-surged-q1

• Fears Grow for Smaller Nations After Ransomware Attack on Costa Rica Escalates

Conti demanded $20M in ransom — and the overthrow of the government.

It’s been a rough start for the newly elected Costa Rica president Rodrigo Chaves, who less than a week into office declared his country “at war” with the Conti ransomware gang.

“We’re at war and this is not an exaggeration,” Chaves told local media. “The war is against an international terrorist group, which apparently has operatives in Costa Rica. There are very clear indications that people inside the country are collaborating with Conti.”

Conti’s assault on the Costa Rican government began in April. The country’s Finance Ministry was the first hit by the Russia-linked hacking group, and in a statement on May 16, Chaves said the number of institutions impacted had since grown to 27. This, he admitted, means civil servants wouldn’t be paid on time and will impact the country’s foreign trade.

In a message posted to its dark web leaks blog, Conti urged the citizens of Costa Rica to pressure their government to pay the ransom, which the group doubled from an initial $10 million to $20 million. In a separate statement, the group warned: “We are determined to overthrow the government by means of a cyber attack, we have already shown you all the strength and power.”

Conti is among the most prolific hacking groups. The FBI warned earlier this year that the gang was among “the three top variants” that targeted businesses in the United States, and it has been blamed for ransomware attacks targeting dozens of businesses, including Fat Face, Shutterfly and the Irish healthcare service.

But Conti has picked up its pace in recent months: In January and February it published 31 victims on its leaks blog. In March and April, it posted 133 victims.

https://techcrunch.com/2022/05/20/costa-rica-ransomware-attack/

Threats

Ransomware

• Ransomware Gangs Rely More on Weaponizing Vulnerabilities (bleepingcomputer.com)

• Ransomware Gang Extorted 725 BTC in One Attack, On-Chain Sleuths Find (coindesk.com)

• 5 Critical Questions to Test Your Ransomware Preparedness - Help Net Security

• “Alarming” Surge in Conti Group Activity This Year - Infosecurity Magazine

• Why AI-Powered Ransomware Cyber Attacks Could Be Coming Soon - Protocol

• Nikkei Says Customer Data Likely Impacted in Ransomware Attack | SecurityWeek.Com

• Wizard Spider Hackers Hire Cold Callers to Scare Ransomware Victims Into Paying Up | ZDNet

• Greenland Hit by Cyber Attack, Finds Its Health Service Crippled (bitdefender.com)

• Conti Ransomware Shuts Down Operation, Rebrands into Smaller Units (bleepingcomputer.com)

• No One Is Slowing Down BlackByte Ransomware Gang • The Register

• President Rodrigo Chaves says Costa Rica is at war with Conti hackers - BBC News

• Engineering Firm Parker Discloses Data Breach After Ransomware Attack (bleepingcomputer.com)

• US links Thanos and Jigsaw ransomware to 55-year-old doctor (bleepingcomputer.com)

• Russian Conti Ransomware Gang Threatens to Overthrow New Costa Rican Government (thehackernews.com)

Phishing & Email Based Attacks

• This Phishing Attack Delivers Three Forms of Malware. And They All Want to Steal Your Data | ZDNet

• HTML Attachments Remain Popular Among Phishing Actors In 2022 (bleepingcomputer.com)

• Chatbot Army Deployed in Latest DHL Shipping Phish (darkreading.com)

• Phishing Gang That Stole Over 400,000 Euros Busted in Spain (tripwire.com)

• Long Lost @ Symbol Gets New Life Obscuring Malicious URLs | Malwarebytes Labs

• Spanish Police Dismantle Phishing Gang That Emptied Bank Accounts (bleepingcomputer.com)

Malware

• Emotet is the Most Common Malware - Help Net Security

• Microsoft Identifies Botnet Variant Targeting Windows and Linux Systems - Infosecurity Magazine

• Activity of the Linux XorDdos bot increased by 254% over the last 6 monthsSecurity Affairs

• Fake Domains Offer Windows 11 Installers - But Deliver Malware Instead | ZDNet

• Bruised but Not Broken: The Resurgence of the Emotet Botnet Malware (trendmicro.com)

• Malicious PyPI Pymafka Package Opens Backdoors On Windows, Linux, and Macs (bleepingcomputer.com)

• April VMware Bugs Abused to Deliver Mirai Malware, Exploit Log4Shell | Threatpost

Mobile

• 6 Scary Tactics Used in Mobile App Attacks (darkreading.com)

• Researchers Find Potential Way to Run Malware on iPhone Even When it's OFF (thehackernews.com)

• Google TAG: Cytrox's Predator Spyware Used to Target Android Users | WIRED

IoT

• New Bluetooth Hack Could Let Attackers Remotely Unlock Smart Locks and Cars (thehackernews.com)

Data Breaches/Leaks

• Cornwall Council Data Breach - Information Security Buzz

• Pharmacy Giant Hit By Data Breach Affecting 3.6 Million Customers - Infosecurity Magazine

Organised Crime & Criminal Actors

• Ukrainian Hacker Jailed for 4-Years in U.S. for Selling Access to Hacked Servers (thehackernews.com)

• US Recovers a Record $15m from the 3ve Ad-Fraud Crew • The Register

Cryptocurrency/Cryptomining/Cryptojacking/NFTs

• How Cryptocurrencies Enable Attackers and Defenders (techtarget.com)

• Monero-Mining Sysrv Botnet Targets Windows, Linux Web Servers • The Register

• US Brings First-Of-Its-Kind Bitcoin Sanctions-Busting Case • The Register

• Fake Pixelmon NFT Site Infects You with Password-Stealing Malware (bleepingcomputer.com)

• Hackers Compromise a String of NFT Discord Channels (vice.com)

Fraud, Scams & Financial Crime

• Popularity Of Online Payment Goes Hand-In-Hand with Fraud - Help Net Security

Supply Chain and Third Parties

• MITRE Creates Framework for Supply Chain Security (darkreading.com)

• The Four Horsemen of Software Supply Chain Attacks - MSSP Alert

• Recovering From a Cyber Security Earthquake: The Lessons Organisations Must Learn - Help Net Security

Cloud/SaaS

• 7 Key Findings from the 2022 SaaS Security Survey Report (thehackernews.com)

• New Research Identifies Poor IAM Policies as The Greatest Cloud Vulnerability - CyberScoop

• Are You Investing in Securing Your Data in the Cloud? (thehackernews.com)

• 380K Kubernetes API Servers Exposed to Public Internet | Threatpost

Open Source

• The Industry Must Better Secure Open Source Code From Threat Actors (darkreading.com)

Privacy

• How To Ensure That the Smart Home Doesn’t Jeopardize Data Privacy? - Help Net Security

• Privacy. Ad Bidders Haven't Heard of It, Report Reveals • The Register

• Third-Party Web Trackers Log What You Type Before Submitting (bleepingcomputer.com)

Passwords & Credential Stuffing

• The Most Insecure and Easily Hackable Passwords - Help Net Security

• Half of IT Leaders Store Passwords in Shared Docs - Infosecurity Magazine

Cyber Bullying and Cyber Stalking

• UK Sextortion Cases Doubled in 2021 - Infosecurity Magazine

Regulations, Fines and Legislation

• Europe Moves Closer to Stricter Cyber Security Standards • The Register

• EU's NIS 2 Directive to Strengthen Cyber Security Requirements For Companies - Help Net Security

Spyware, Espionage & Cyber Warfare, including Russian Invasion of Ukraine

• Google TAG: Cytrox's Predator Spyware Used to Target Android Users | WIRED

• Britain can legally launch cyber attacks against hostile states, says Attorney General (telegraph.co.uk)

• How Mobile Networks Have Become a Front in the Battle for Ukraine (darkreading.com)

• China-linked Twisted Panda Caught Spying on Russian R&D Orgs • The Register

• Pro-Russian Hackers Spread Hoaxes to Divide Ukraine, Allies | SecurityWeek.Com

• A custom PowerShell RAT Targets Germany Using Crisis in Ukraine as Bait - Security Affairs

Nation State Actors

Nation State Actors – Russia

• Putin Promises to Bolster Russia's IT Security in Face of Cyber Attacks | Reuters

• Russian Hackers Declare War On 10 Countries After Failed Eurovision DDoS attack | IT PRO

• Pro-Russian Information Operations Escalate in Ukraine War (darkreading.com)

• Russian Undersea Cable Threat Shifts Tech Business to UK (telegraph.co.uk)

• Russians Allegedly Storm Ukrainian ISP, Blackmail It to Switch To Russian Networks - CyberScoop

• Russia-linked Sandworm Continues to Conduct Attacks Against Ukraine - Security Affairs

• Russian Cyber Attack on Eurovision Foiled By Italian Authorities (bitdefender.com)

• This Russian Botnet Does Far More Than DDoS Attacks - And on A Massive Scale | ZDNet

Nation State Actors – China

• Chinese ‘Space Pirates’ are Hacking Russian Aerospace Firms (bleepingcomputer.com)

Nation State Actors – North Korea

• FBI Warns of North Korean Spies Posing as Foreign IT Workers • The Register

Nation State Actors – Iran

• US Charges Venezuelan Doctor with Selling Ransomware Used By Iranian Group | Reuters

Vulnerability Management

• APTs Overwhelmingly Share Known Vulnerabilities Rather Than Attack O-Days | Threatpost

• How Micropatching Could Help Close the Security Update Gap (techtarget.com)

• Partial Patching Still Provides Strong Protection Against APTs (darkreading.com)

Vulnerabilities

• QNAP Urges Users to Update NAS Devices to Prevent Deadbolt Ransomware Attacks (thehackernews.com)

• Cisco Fixes an IOS XR Flaw Actively Exploited in The Wild - Security Affairs

• 2 Vulnerabilities With 9.8 Severity Ratings Are Under Exploit. A 3rd Looms | Ars Technica

• Microsoft Rushes a Fix After May Patch Tuesday Breaks Authentication (darkreading.com)

• Microsoft Fixes New PetitPotam Windows NTLM Relay Attack Vector (bleepingcomputer.com)

• Apple Patches Zero-Day Kernel Hole and Much More – Update Now! – Naked Security (sophos.com)

• Two Business-Grade Netgear VPN Routers Have Security Vulnerabilities That Can't Be Fixed - Help Net Security

• SharePoint RCE Bug Resurfaces Three Months After Being Patched by Microsoft | The Daily Swig (portswigger.net)

• High-Severity Bug Reported in Google's OAuth Client Library for Java (thehackernews.com)

• Over 20,000 Zyxel Firewalls Still Exposed to Critical Bug - Infosecurity Magazine

• Apple Fixes the Sixth Zero-Day Since The Beginning of 2022 - Security Affairs

• Apache Releases Security Advisory for Tomcat | CISA

• Mozilla Patches Wednesday’s Pwn2Own Double-Exploit… on Friday! – Naked Security (sophos.com)

• Critical Vulnerability in Premium WordPress Themes Allows for Site Takeover | Threatpost

• Critical Jupiter WordPress Plugin Flaws Let Hackers Take Over Sites (bleepingcomputer.com)

• Apple Finally Patches Exploited Vulnerabilities in macOS Big Sur, Catalina | SecurityWeek.Com

• NVIDIA Fixes Ten Vulnerabilities in Windows GPU Display Drivers (bleepingcomputer.com)

• Gmail-Linked Facebook Accounts Vulnerable to Attack Using A Chain Of Bugs—Now Fixed | Malwarebytes Labs

• New Brute Force Attacks Against SQL Servers Use PowerShell Wrapper | SecurityWeek.Com

Sector Specific

Retail/eCommerce

• How Crooks Backdoor Sites and Scrape Credit Card Info • The Register

• Digital Skimming is Now the Preserve of Non-Magecart Groups - Infosecurity Magazine

Energy & Utilities

• Water Companies Are Increasingly Uninsurable Due To Ransomware, Industry Execs Say - CyberScoop

• UK Announces Nuclear Cyber Security Strategy - IT Security Guru

Education and Academia

• Ransomware Attack Exposes Data of 500,000 Chicago Students (bleepingcomputer.com)

• Higher Education Institutions Being Targeted for Ransomware Attacks | TechRepublic

• “Incompetent” Council Leaks Details of Students With Special Educational Needs • Graham Cluley

• Researchers Find Backdoor in School Management Plugin for WordPress (thehackernews.com)

Reports Published in the Last Week

• Q2 2022 State of Fraud & Account Security Report - Arkose Labs

• 2022 SaaS Security Survey Report (adaptive-shield.com)

• 2021-2022 UK Financial Sector Dark Web Threat Landscape Report - Kela (ke-la.com)

Other News

• UK Government: Lack of Skills the Number One Issue in Cyber Security - Infosecurity Magazine

• Malicious Hackers Are Finding It Too Easy to Achieve Their Initial Access (tripwire.com)

• NIST’s Cyber Security Framework Has Become The Common Language For International Cyber Security (scmagazine.com)

• How Threat Actors Are a Click Away From Becoming Quasi-APTs (darkreading.com)

• Cyber Security: Global Food Supply Chain at Risk From Malicious Hackers - BBC News

• Cyber Security Agencies Reveal Top Initial Access Attack Vectors (bleepingcomputer.com)

• 50% of Orgs Rely on Email to Manage Security (darkreading.com)

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.