Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

• Russian Sanctions Instigator Lloyd's Possibly Hit by Cyber Attack

Lloyd’s of London, the London-based insurance market heavily involved in implementing sanctions against Russia, may have been hit by a cyber-attack. On Wednesday, October 5, 2022, the British insurance market revealed it had detected “unusual activity” on its systems and has turned off all external connectivity “as a precautionary measure.”

“We have informed market participants and relevant parties, and we will provide more information once our investigations have concluded,” said a Lloyd’s spokesperson.

The company did not comment on whether or not it has been contacted by hackers, if a ransom demand has been issued, or on the possible source of the attack.

However, the insurance market has been closely involved with the design and implementation of sanctions imposed on Russia in response to its invasion of Ukraine – a potential motive for the attack. Lloyd’s itself has confirmed it was working closely with British and international governments to implement such sanctions.

Around 100 insurance syndicates operate at Lloyd's.

Earlier in 2022, Lloyd’s instructed its 76 insurance syndicates to remove “nation-state-backed cyber attacks” from insurance policies by March 2023, as well as losses “arising from a war.”

https://www.infosecurity-magazine.com/news/lloyds-possibly-hit-by-cyberattack/

• Former Uber Security Chief Convicted of Covering Up Data Breach

Uber’s former head of security has been convicted of covering up a 2016 data breach at the rideshare giant, hiding details from US regulators and paying off a pair of hackers in return for their discretion.

The trial, closely watched in cyber security circles, is believed to be the first criminal prosecution of a company executive over the handling of a data breach.

Joe Sullivan, who was fired in 2017 over the incident, was found guilty by a San Francisco jury of obstructing an investigation by the Federal Trade Commission. At the time of the 2016 breach, the regulator had been investigating the car-booking service over a different cyber security lapse that had occurred two years earlier.

Jurors also convicted Sullivan of a second count related to having knowledge of but failing to report the 2016 breach to the appropriate government authorities. The incident eventually became public in 2017 when Dara Khosrowshahi, who had just taken over as chief executive, disclosed details of the attack.

Prosecutors said Sullivan had taken steps to make sure data compromised in the attack would not be revealed. According to court documents, two hackers approached Sullivan’s team to notify Uber of a security flaw that exposed the personal information of almost 60mn drivers and riders on the platform.

https://www.ft.com/content/051af6a1-41d1-4a6c-9e5a-d23d46b2a9c9

• First 72 Hours of Incident Response Critical to Taming Cyber Attack Chaos

Cyber security professionals tasked with responding to attacks experience stress, burnout, and mental health issues that are exacerbated by a lack of breach preparedness and sufficient incident response practice in their organisations.

A new IBM Security-sponsored survey published this week found that two-thirds (67%) of incident responders suffer stress and anxiety during at least some of their engagements, while 44% have sacrificed the well-being of their relationships, and 42% have suffered burnout, according to the survey conducted by Morning Consult. In addition, 68% of incidents responders often have to work on two or more incidents at the same time, increasing their stress, according to the survey's results.

Companies that plan and practice responding to a variety of incidents can lower the stress levels of their incident responders, employees, and executives, says John Dwyer, head of research for IBM Security's X-Force response team.

"Organisations are not effectively establishing their response strategies with the responders in mind — it does not need to be as stressful as it is," he says. "There is a lot of time when the responders are managing organisations during an incident, because those organisations were not prepared for the crisis that occurs. These attacks happen every day."

The IBM Security-funded study underscores why the cyber security community has focused increasingly on the mental health of its members. About half (51%) of cyber security defenders have suffered burnout or extreme stress in the past year, according to a VMware survey released in August 2021. Cyber security executives have also spotlighted the issue as one that affects the community and companies' ability to retain skilled workers.

https://www.darkreading.com/attacks-breaches/incident-response-s-first-72-hours-critical-to-taming-chaos

• Email Defences Under Siege: Phishing Attacks Dramatically Improve

This week's report that cyber attackers are laser-focused on crafting attacks specialised to bypass Microsoft's default security showcases an alarming evolution in phishing tactics, security experts said this week.

Threat actors are getting better at slipping phishing attacks through the weak spots in platform email defences, using a variety of techniques, such as zero-point font obfuscation, hiding behind cloud-messaging services, and delaying payload activation, for instance. They're also doing more targeting and research on victims.

As a result, nearly 1 in 5 phishing emails (18.8%) bypassed Microsoft's platform defences and landed in workers' inboxes in 2022, a rate that increased 74% compared to 2020, according to research published by cyber security firm Check Point Software. Attackers increasingly used techniques to pass security checks, such as Sender Policy Framework (SPF), and obfuscate functional components of an e-mail, such as using zero-size fonts or hiding malicious URLs from analysis.

The increasing capabilities of attackers is due to the better understanding of current defences, says Avanan, an email security firm acquired by Check Point in August 2021.

"It is a family of 10 to 20 techniques, but they all lead to the objective of deceiving a company's security layers," he says. "The end result is always an email that looks genuine to the recipient but looks different to the algorithm that analyses the content."

Microsoft declined to comment on the research. However, the company has warned of advanced techniques, such as adversary-in-the-middle phishing (AiTM), which uses a custom URL to place a proxy server between a victim and their desired site, allowing the attacker to capture sensitive data, such as usernames and passwords. In July, the company warned that more than 10,000 organisations had been targeted during one AiTM campaign.

https://www.darkreading.com/remote-workforce/email-defenses-under-siege-phishing-attacks-dramatically-improve

• Remote Services Are Becoming an Attractive Target for Ransomware

Stolen credentials are no longer the number one initial access vector for ransomware operators looking to infect a target network and its endpoints - instead, they’ve become more interested in exploiting vulnerabilities found in internet-facing systems.

A report from Secureworks claims ransomware-as-a-service developers are quick to add newly discovered vulnerabilities into their arsenals, allowing even less competent hackers to exploit them swiftly, and with relative ease.

In fact, the company's annual State of the Threat Report reveals that flaw exploitation in remote services accounted for 52% of all ransomware incidents the company analysed over the last 12 months.

Besides remote services, Secureworks also spotted a 150% increase in the use of infostealers, which became a “key precursor” to ransomware. Both these factors, the report stresses, kept ransomware as the number one threat for businesses of all sizes, “who must fight to stay abreast of the demands of new vulnerability prioritisation and patching”.

All things considered, ransomware is still the biggest threat for businesses. It takes up almost a quarter of all attacks that were reported in the last 12 months, Secureworks says, and despite law enforcement being actively involved, operators remained highly active.

https://www.techradar.com/news/remote-services-are-becoming-an-attractive-target-for-ransomware

• Growing Reliance on Cloud Brings New Security Challenges

There was a time when cloud was just a small subset of IT infrastructure, and cloud security referred to a very specific set of tasks. The current reality is very different, organisations are heavily dependent on cloud technologies and cloud security has become a much more complex endeavour.

Organisations increasingly rely on the cloud to deliver new applications, reduce costs, and support business operations. One in every four organisations already have majority workloads in the cloud, and 44% of workloads currently run in some form of public cloud, says Omdia, a research and advisory group.

Practically every midsize and large organisation now operates in some kind of a hybrid cloud environment, with a mix of cloud and on-premises systems. For most organisations, software-as-a-service constitute the bulk (80%) of their cloud environments, followed by infrastructure-as-a-service and platform-as-a-service deployments.

In the past, cloud security conversations tended to focus on making sure cloud environments are being configured properly, but cloud security nowadays goes far beyond just configuration management. The sprawling cloud environment means security management has to be centralised, Omdia said. Security functions also need to be integrated into existing application deployment workflows.

On top of all of this, multicloud is becoming more common among organisations as they shift their workloads to avoid being dependent on a single platform. The three major cloud providers – Amazon Web Services, Microsoft Azure, and Google Cloud Platform – account for 65% of the cloud market.

https://www.darkreading.com/dr-tech/growing-reliance-on-cloud-brings-new-security-challenges

• Many IT Pros Don’t Think a Ransomware Attack Can Impact Microsoft 365 Data

The 2022 Ransomware Report, which surveyed over 2,000 IT leaders, revealed that 24% have been victims of a ransomware attack, with 20% of attacks happening in the last year.

Cyber attacks are happening more frequently. Last year’s ransomware survey revealed that 21% of companies experienced an attack. This year it rose by three percent to 24%.

“Attacks on businesses are increasing, and there is a shocking lack of awareness and preparation by IT pros. Our survey shows that many in the IT community have a false sense of security. As bad actors develop new techniques, companies like ours have to do what it takes to come out ahead and protect businesses around the world,” said Hornetsecurity.

The report highlighted a lack of knowledge on the security available to businesses. 25% of IT professionals either don’t know or don’t think that Microsoft 365 data can be impacted by a ransomware attack.

Just as worryingly, 40% of IT professionals that use Microsoft 365 in their organisation admitted they do not have a recovery plan in case their Microsoft 365 data was compromised by a ransomware attack.

“Microsoft 365 is vulnerable to phishing attacks and ransomware attacks, but with the help of third-party tools, IT admins can backup their Microsoft 365 data securely and protect themselves from such attacks,” said Hofmann.

https://www.helpnetsecurity.com/2022/10/03/ransomware-attack-impact-microsoft-365-data/

• Ransomware Group Bypasses "Enormous" Range of EDR Tools

A notorious ransomware group has been spotted leveraging sophisticated techniques to bypass endpoint detection and response (EDR) tools.

BlackByte, which the US government has said poses a serious threat to critical infrastructure, used a “Bring Your Own Driver” technique to circumvent over 1000 drivers used by commercially available EDR products, according to Sophos. The UK cyber security vendor explained in a new report that the group had exploited a known vulnerability, CVE-2019-16098, in Windows graphics utility driver RTCorec6.sys. This enabled it to communicate directly with a victim system’s kernel and issue commands to disable callback routines used by EDR tools.

The group also used EDR bypass techniques borrowed from open source tool EDRSandblast to deactivate the Microsoft-Windows-Threat-Intelligence ETW (Event Tracing for Windows) provider. This is a Windows feature “that provides logs about the use of commonly maliciously abused API calls such as NtReadVirtualMemory to inject into another process’s memory,” explained Sophos. Neutralising it in this way renders any security tool relying on the feature also useless, the firm argued.

“If you think of computers as a fortress, for many EDR providers, ETW is the guard at the front gate,” said Sophos. “If the guard goes down, then that leaves the rest of the system extremely vulnerable. And, because ETW is used by so many different providers, BlackByte’s pool of potential targets for deploying this EDR bypass is enormous.”

BlackByte is not the only ransomware group using these advanced techniques to get around existing detection tools, illustrating the continued arms race between attackers and defenders. AvosLocker used a similar method in May, Sophos said. “Anecdotally, from what we’re seeing in the field, it does appear that EDR bypass is becoming a more popular technique for ransomware threat groups,” the firm confirmed. “This is not surprising. Threat actors often leverage tools and techniques developed by the ‘offensive security’ industry to launch attacks faster and with minimal effort.”

https://www.infosecurity-magazine.com/news/ransomware-bypasses-enormous-range/

• MS Exchange Zero-Days: The Calm Before the Storm?

Two exploited MS Exchange zero-days that still have no official fix, have been added to CISA’s Known Exploited Vulnerabilities (KEV) Catalog.

But mitigating the risk of exploitation until patches are ready will require patience and doggedness, as Microsoft is still revising its advice to admins and network defenders, and still working on the patches.

The two vulnerabilities were publicly documented last Wednesday, by researchers with Vietnamese company GTSC, and Microsoft soon after sprung into (discernible) action by offering customer guidance, followed by an analysis of the attacks exploiting the two vulnerabilities. Several changes have been made to the documents since then, after the company found and other researchers pointed out several shortcomings.

Microsoft says its threat analysts observed “activity related to a single activity group in August 2022 that achieved initial access and compromised Exchange servers by chaining CVE-2022-41040 and CVE-2022-41082 in a small number of targeted attacks,” and that the attackers breached fewer than 10 organisations globally. “MSTIC assesses with medium confidence that the single activity group is likely to be a state-sponsored organisation,” they added.

The other good news is there are still no public exploits for the two vulnerabilities. But, Microsoft says, “Prior Exchange vulnerabilities that require authentication have been adopted into the toolkits of attackers who deploy ransomware, and these vulnerabilities are likely to be included in similar attacks due to the highly privileged access Exchange systems confer onto an attacker.”

Enterprise defenders should expect trouble via this attack path in the near future, it seems, so keeping abreast of the changing situation and springing into action as quickly as possible once the patches are made available is advised. Scammers have since started impersonating security researchers and offering non-existing PoC exploits for CVE-2022-41082 for sale via GitHub

https://www.helpnetsecurity.com/2022/10/03/ms-exchange-cve-2022-41040-cve-2022-41082/

• Average Company with Data in the Cloud Faces $28 Million in Data-Breach Risk

Hard-to-control collaboration, complex SaaS permissions, and risky misconfigurations — such as admin accounts without multi-factor authentication (MFA) — have left a dangerous amount of cloud data exposed to insider threats and cyber attacks, according to Varonis.

For the report, researchers analysed nearly 10 billion cloud objects (more than 15 petabytes of data) across a random sample of data risk assessments performed at more than 700 companies worldwide. In the average company, 157,000 sensitive records are exposed to everyone on the internet by SaaS sharing features, representing $28 million in data-breach risk, Varonis researchers have found.

One out of every 10 records in the cloud is exposed to all employees — creating an impossibly large internal blast radius, which maximises damage during a ransomware attack. The average company has 4,468 user accounts without MFA enabled, making it easier for attackers to compromise internally exposed data.

Out of 33 super admin accounts in the average organisation, more than half did not have MFA enabled. This makes it easier for attackers to compromise these powerful accounts, steal more data, and create backdoors. Companies have more than 40 million unique permissions across SaaS applications, creating a nightmare for IT and security teams responsible for managing and reducing cloud data risk.

“Cloud security shouldn’t be taken for granted. When security teams lack critical visibility to manage and protect SaaS and IaaS apps and services, it’s nearly impossible to ensure your data isn’t walking out the door,” said Varonis. “This report is a true-to-life picture of over 700 real-world risk assessments of production SaaS environments. The results underscore the urgent need for CISOs to uncover and remediate their cloud risk as quickly as possible.”

https://www.helpnetsecurity.com/2022/10/05/company-data-breach-risk/

• Secureworks Finds Network Intruders See Little Resistance

Attackers who break into networks only need to take a few basic measures in order to avoid detection.

Security vendor Secureworks said in its annual State of the Threat report that it observed several data breaches between June 2021 and June 2022 and found that, by and large, once network intruders gained a foothold on the targets' environment, they had to do relatively little to stay concealed.

"One thing that is notable about them is that none of these techniques are particularly sophisticated," the vendor said. "That is because threat actors do not need them to be; the adversary will only innovate enough to achieve their objectives. So there is a direct relationship between the maturity of the controls in a target environment and the techniques they employ to bypass those controls."

Among the more basic measures taken by the attackers was coding their tools in newer languages such as Go or Rust. This tweak created enough of a difference in the software to evade signature-checking tools, according to Secureworks' report. In other cases, the network intruders hid their activity by packing their malware within a trusted Windows installer or by sneaking it into the Authenticode signature of a trusted DLL. In another case, a malware infection was seen moving data out of the victim's network via TOR nodes. While effective, Secureworks said the techniques are hardly innovative. Rather, they indicate that threat actors find themselves only needing to do the bare minimum to conceal themselves from detection.

https://www.techtarget.com/searchsecurity/news/252525696/Secureworks-finds-network-intruders-see-little-resistance

• Regulations, Laws and Accountability are Changing the Cyber Security Landscape

As cyber criminals continue to develop new ways to wreak havoc, regulators have been working to catch up. They aim to protect data and consumers while avoiding nation-state attacks that are a risk to national and economic security. But some of these regulations may provide an opportunity for MSSPs.

Some of these regulations are a response to what’s generally been a hands-off approach to telling organisations what to do. Unfortunately, cyber security isn’t always prioritised when budgets and resources are allocated. The result is a steadily rising tide of breaches and exploits that have held organisations hostage and made private information available on the dark web.

The new regulations are coming from all directions: at the state and federal levels in the US and around the world. While many of these regulations aren’t yet final, there’s no reason not to start aligning with where trends will ease the impact of changing rules. At the same time, many organisations want to hold the government responsible for some kinds of attacks. It will be interesting to see how regulating works, as most politicians and bureaucrats aren’t known for their technological savvy.

In the US, for example, new regulations are in development in the Federal Trade Commission, Food and Drug Administration, Department of Homeland Security, Department of Transportation, Department of Energy, and the Cybersecurity and Infrastructure Security Agency. Thirty-six states have enacted cyber security legislation, and the count increases as other countries join.

One of the motivating factors for all these new regulations is that most cyber attacks aren’t reported. Lawmakers realise cyber security threats continue to be one of the top national security and economic risks. In the last year and a half (2020-2022), there have been attacks on America’s gas supply, meat supply, and various other companies, courts, and government agencies. One FBI cyber security official estimated the government only learns about 20% to 25% of intrusions at US business and academic institutions.

In March, Congress passed legislation requiring critical infrastructure operators to report significant cyber attacks to CISA within 72 hours of learning about the attack. It also required them to report a ransomware payment within 24 hours. These regulations will also consider reporting “near misses” so that this data can also be studied and tracked. The problem is, how does one define a “near miss”?

https://www.msspalert.com/cybersecurity-guests/regulations-laws-and-accountability-are-changing-the-cybersecurity-landscape/

• This Year’s Biggest Cyber Threats

OpenText announced the Nastiest Malware of 2022, a ranking of the year’s biggest cyber threats. For the fifth year running, experts combed through the data, analysed different behaviours, and determined which malicious payloads are the nastiest.

Emotet regained its place at the top, reminding the world that while affiliates may be taken down, the masterminds are resilient. LockBit evolved its tactics into something never seen before: triple extortion. Analysis also revealed an almost 1100% increase in phishing during the first four months of 2022 compared to the same period in 2021, indicating a possible end to the “hacker holiday,” a hacker rest period following the busy holiday season.

“The key takeaway from this year’s findings is that malware remains centre stage in the threats posed towards individuals, businesses, and governments,” said OpenText.

“Cyber criminals continue to evolve their tactics, leaving the infosec community in a constant state of catch-up. With the mainstream adoption of ransomware payloads and cryptocurrency facilitating payments, the battle will continue. No person, no business—regardless of size—is immune to these threats.”

While this year’s list may designate payloads into different categories of malware, it’s important to note many of these bad actor groups contract work from others. This allows each group to specialise in their respective payload and perfect it.

https://www.helpnetsecurity.com/2022/10/06/2022-nastiest-malware/

Threats

Ransomware and Extortion

• Ransomware Attacks On The Rise, Secureworks Reveals in its State of the Threat Report - MSSP Alert

• Ransomware: This is how half of attacks begin, and this is how you can stop them | ZDNET

• Fake adult sites push data wipers disguised as ransomware (bleepingcomputer.com)

• Ferrari Hit By Ransomware Attack: 7 GB Of Data Published Online – Expert (informationsecuritybuzz.com)

• BlackByte Ransomware Abuses Vulnerable Windows Driver to Disable Security Solutions (thehackernews.com)

• BlackByte ransomware abuses legit driver to disable security products (bleepingcomputer.com)

• Ransomware attacks ravage schools, municipal governments (techtarget.com)

• Ransomware 3.0: The Next Frontier (darkreading.com)

• More and more ransomware is just data theft, no encryption • The Register

• Netwalker ransomware affiliate sentenced to 20 years in prison (bleepingcomputer.com)

• Cheerscrypt ransomware is linked to Chinese DEV-0401 APT group - Security Affairs

• ADATA denies RansomHouse cyber attack, says leaked data from 2021 breach (bleepingcomputer.com)

• Avast releases a free decryptor for some Hades ransomware variants - Security Affairs

• Cyber criminals Leak LA School Data After It Refuses to Ransom (vice.com)

• How Ransomware Is Causing Chaos in American Schools (vice.com)

• Ransomware hunters: the self-taught tech geniuses fighting cyber crime | Cyber crime | The Guardian

BEC – Business Email Compromise

• BEC fraudster and romance scammer sent to prison for 25 years – Naked Security (sophos.com)

• Hackers Target Homebuyers’ Life Savings in Real Estate Scam - Bloomberg

Phishing & Email Based Attacks

• Hackers Can Use 'App Mode' in Chromium Browsers' for Stealth Phishing Attacks (thehackernews.com)

• Phishing Campaigns Target KFC, McDonald's in Saudi Arabia, UAE, Singapore - Infosecurity Magazine (infosecurity-magazine.com)

Other Social Engineering; Smishing, Vishing, etc

• Callback phishing attacks evolve their social engineering tactics (bleepingcomputer.com)

• 3 ways enterprises can mitigate social engineering risks - Help Net Security

Malware

• OpenText Releases List Of The Year’s “Nastiest” Malware - MSSP Alert

• This devious malware is able to disable your antivirus | TechRadar

• Bumblebee Malware Loader's Payloads Significantly Vary by Victim System (darkreading.com)

• Eternity Group Hackers Offering New LilithBot Malware-as-a-Service to Cyber criminals (thehackernews.com)

• Live support service hacked to spread malware in supply chain attack (bleepingcomputer.com)

• NullMixer Dropper Delivers a Multimalware Code Bomb (darkreading.com)

• Maggie malware already infected over 250 Microsoft SQL servers - Security Affairs

Mobile

• Android Spyware 'RatMilad' Targets Enterprise Devices in Iran - Infosecurity Magazine (infosecurity-magazine.com)

Internet of Things – IoT

• 7 IoT Devices That Make Security Pros Cringe (darkreading.com)

• Ikea Smart Light System Flaw Lets Attackers Turn Bulbs on Full Blast (darkreading.com)

• Acronis founder is afraid of his own vacuum cleaner • The Register

Data Breaches/Leaks

• “Egypt Leaks” – Hacktivists are Leaking Financial Data - Security Affairs

• No Shangri-La for you: Top hotel chain confirms data leak • The Register

• Home Office reprimanded after sensitive counter-terror documents left at London venue | The Independent

• NSA: Someone hacked military contractor and stole data • The Register

• City of Tucson discloses data breach affecting over 123,000 people (bleepingcomputer.com)

• Optus Says ID Numbers of 2.1 Million Compromised in Data Breach | SecurityWeek.Com

• Aussie Telco Telstra Breached, Reportedly Exposing 30,000 Employees' Data (darkreading.com)

• 2K warns users their info has been stolen following breach of its help desk | Ars Technica

• Russian retail chain 'DNS' confirms hack after data leaked online (bleepingcomputer.com)

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

• Breaking: Scams Linked To Crypto Soared By 335% (informationsecuritybuzz.com)

• Hacker steals $566 million worth of crypto from Binance Bridge (bleepingcomputer.com)

• Hackers are breaching scam sites to hijack crypto transactions (bleepingcomputer.com)

• Binance Says $100 Million Stolen in Latest Crypto Hack (gizmodo.com)

• Hackers are breaching scam sites to hijack crypto transactions (bleepingcomputer.com)

Insider Risk and Insider Threats

• Why Don't CISOs Trust Their Employees? (darkreading.com)

• Meta sues app dev for stealing over 1 million WhatsApp accounts (bleepingcomputer.com)

• To avoid insider threats, try empathy - Help Net Security

• Microsoft publishes report on holistic insider risk management - Microsoft Security Blog

• Unearth offboarding risks before your employees say goodbye - Help Net Security

• Splunk alleges source code theft by former employee • The Register

• Ex-NSA Employee Arrested for Trying to Sell U.S. Secrets to a Foreign Government (thehackernews.com)

Fraud, Scams & Financial Crime

• ICO Fines Four "Predatory" Privacy-Invading Firms - Infosecurity Magazine (infosecurity-magazine.com)

• Consumers Feel Hopeless in Protecting Themselves Against Cyber crime, ISACA Reports - MSSP Alert

• BEC fraudster and romance scammer sent to prison for 25 years – Naked Security (sophos.com)

• Hackers Target Homebuyers’ Life Savings in Real Estate Scam - Bloomberg

• Russians dodging mobilization behind flourishing scam market (bleepingcomputer.com)

• Scammers and rogue callers – can anything ever stop them? – Naked Security (sophos.com)

• Healthcare Company Owners Get Jail Time for $7m Fraud Scheme - Infosecurity Magazine (infosecurity-magazine.com)

• Online romance scam boss netted $9.5m, jailed for 25 years • The Register

Deepfakes

• How a deepfake Mark Ruffalo scammed half a million dollars from a lonely heart • Graham Cluley

Supply Chain and Third Parties

• Live support service hacked to spread malware in supply chain attack (bleepingcomputer.com)

• Supply Chain Attack Targets Customer Engagement Firm Comm100 | SecurityWeek.Com

Denial of Service DoS/DDoS

• DDoS Attacks Spike in First Half of 2022 to Highest Levels in Four Years - MSSP Alert

Cloud/SaaS

• How Will the Metaverse Affect Cloud Security? (trendmicro.com)

• Hardening data security in the cloud • The Register

• Monitoring Your Cloud And Hybrid IT Infrastructure: How To Find The Right Monitoring Solution (informationsecuritybuzz.com)

Encryption

• Loads of connected PostgreSQL systems do not use SSL • The Register

API

• More Than 30% of All Malicious Attacks Target Shadow APIs (darkreading.com)

• APIs are quickly becoming the most popular attack vector - Help Net Security

• The Problem of API Security and How To Fix It (informationsecuritybuzz.com)

• API authentication failures demonstrate the need for zero trust - Help Net Security

• Shadow APIs hit with 5 billion malicious requests - Help Net Security

Open Source

• When transparency is also obscurity: The conundrum that is open-source security - Help Net Security

• How Secure is Using Open Source Components? - IT Security Guru

Passwords, Credential Stuffing & Brute Force Attacks

• Microsoft warns Basic Auth users over password spray attacks • The Register

• Is mandatory password expiration helping or hurting your password security? - Help Net Security

• Detecting and preventing LSASS credential dumping attacks - Microsoft Security Blog

• Meta Says It Has Busted More Than 400 Login-Stealing Apps This Year | WIRED

Privacy, Surveillance and Mass Monitoring

• The gap between security and privacy, and what it will take to bridge it - Help Net Security

• ICO Fines Four "Predatory" Privacy-Invading Firms - Infosecurity Magazine (infosecurity-magazine.com)

Regulations, Fines and Legislation

• New Telecoms Security Framework Comes Into Force (informationsecuritybuzz.com)

Models, Frameworks and Standards

• CIS Controls v8: Safeguards to mitigate the most prevalent cyber-attacks - Help Net Security

Secure Disposal

• The astronomical costs of an asset disposal program gone wrong | CSO Online

• New forensic analysis of electronical devices unveils dangers of inadequate data disposal for individuals and businesses - Business in the News

Backup and Recovery

• Giving Away the Keys to Your Backups? Here’s How to Keep Out Hackers (darkreading.com)

Law Enforcement Action and Take Downs

• Police arrest teen for using leaked Optus data to extort victims (bleepingcomputer.com)

Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine

• Relentless Russian Cyber attacks on Ukraine Raise Important Policy Questions (darkreading.com)

• Finnish intelligence warns of Russia's cyber espionage activities - Security Affairs

• Kazakhstan Pins Wave Of Cyber attacks On Foreign Actors | OilPrice.com

• Albania weighed invoking NATO’s Article 5 over Iranian cyber attack - POLITICO

• Russian Hackers Take Aim at Kremlin Targets: Report - Infosecurity Magazine (infosecurity-magazine.com)

• We breached Russian satellite network, say pro-Ukraine partisans | Cybernews

• Ukrainian forces report Starlink outages during push against Russia | Financial Times (ft.com)

• Android Spyware 'RatMilad' Targets Enterprise Devices in Iran - Infosecurity Magazine (infosecurity-magazine.com)

• Report: Mexico Continued to Use Spyware Against Activists | SecurityWeek.Com

Nation State Actors

Nation State Actors – China

• US authorities name China's 20 favourite vulns to exploit • The Register

• Cheerscrypt ransomware is linked to Chinese DEV-0401 APT group - Security Affairs

Nation State Actors – North Korea

• Lazarus employed an exploit in a Dell firmware driver in recent attacks - Security Affairs

Vulnerability Management

• CISA mandates vulnerability detection and reporting rules • The Register

• The Zero Day Dilemma | SecurityWeek.Com

Vulnerabilities

• Microsoft Issues Improved Mitigations for Unpatched Exchange Server Vulnerabilities (thehackernews.com)

• Fortinet warns admins to patch critical auth bypass bug immediately (bleepingcomputer.com)

• Cisco Patches High-Severity Vulnerabilities in Communications, Networking Products | SecurityWeek.Com

• Atlassian, Microsoft bugs make CISA’s must-patch list • The Register

• US authorities name China's 20 favourite vulns to exploit • The Register

• October 2022 Patch Tuesday forecast: Looking for treats, not more tricks - Help Net Security

• Fake Microsoft Exchange ProxyNotShell exploits for sale on GitHub (bleepingcomputer.com)

• CISA Warns of Attacks Exploiting Recent Atlassian Bitbucket Vulnerability | SecurityWeek.Com

• No fix in sight for mile-wide loophole plaguing a key Windows defence for years | Ars Technica

• Hackers Exploiting Unpatched RCE Flaw in Zimbra Collaboration Suite (thehackernews.com)

• Lazarus employed an exploit in a Dell firmware driver in recent attacks - Security Affairs

• Unpatched Zimbra flaw under attack is letting hackers backdoor servers | Ars Technica

• macOS Archive Utility Bug Lets Malicious Apps Bypass Security Checks (darkreading.com)

• Fortinet Warns of New Auth Bypass Flaw Affecting FortiGate and FortiProxy (thehackernews.com)

• VMware fixed a high-severity bug in vCenter Server - Security Affairs

• BlackByte Ransomware Abuses Vulnerable Windows Driver to Disable Security Solutions (thehackernews.com)

Reports Published in the Last Week

• 2022 State of the Threat Report | Secureworks

• Building a Holistic Insider Risk Management Program

Other News

• Guilty verdict in the Uber breach case makes personal liability real for CISOs | CSO Online

• Cyber attackers view smaller organisations as easier targets - Help Net Security

• Moody's turns up the heat on 'riskiest' sectors for attacks • The Register

• 5 reasons why security operations are getting harder | CSO Online

• Former NSA Employee Faces Death Penalty for Selling Secrets (darkreading.com)

• Fast Company Is Back From the Dead After Being Hacked (gizmodo.com)

• Ready Or Not, Web 3 Is Coming And With It Comes Cybersquatting 2.0 (informationsecuritybuzz.com)

• Cyber Hygiene: 5 Best Practices for Company Buy-In (trendmicro.com)

• School Is in Session: 5 Lessons for Future Cyber Security Pros (darkreading.com)

• Want More Secure Software? Start Recognizing Security-Skilled Developers (thehackernews.com)

• Incident responders increasingly seek out mental health assistance - Help Net Security

• You Are Not Alone If You're Unclear About Extended Detection and Response (XDR) - MSSP Alert

• Why digital trust is the bedrock of business relationships - Help Net Security

• Incident Responders Driven by Sense of Duty, Handcuffed by Volume of Cyber attacks, IBM Reports - MSSP Alert

Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

·       Automotive

·       Construction

·       Critical National Infrastructure (CNI)

·       Defence & Space

·       Education & Academia

·       Energy & Utilities

·       Estate Agencies

·       Financial Services

·       FinTech

·       Food & Agriculture

·       Gaming & Gambling

·       Government & Public Sector (including Law Enforcement)

·       Health/Medical/Pharma

·       Hotels & Hospitality

·       Insurance

·       Legal

·       Manufacturing

·       Maritime

·       Oil, Gas & Mining

·       OT, ICS, IIoT, SCADA & Cyber-Physical Systems

·       Retail & eCommerce

·       Small and Medium Sized Businesses (SMBs)

·       Startups

·       Telecoms

·       Third Sector & Charities

·       Transport & Aviation

·       Web3

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

• Why It’s Mission-Critical That All-Sized Businesses Stay Cyber Secure

A study analysing millions of emails across thousands of companies found that on average, employees of small businesses with less than 100 employees experience 350% more social engineering attacks than employees of larger enterprises. 57% of these are phishing attacks – the most prevalent social engineering attack of 2021.

Add to the mix that the global average cost of a data breach for businesses has skyrocketed. According to IBM Security’s annual Cost of a Data Breach Report, the average global cost is now a phenomenal $4.35 million.

Generally, larger corporations tend to have bigger security budgets, making them less of a target than smaller businesses with lesser budgets, and as such, more attractive to cyber criminals. This means that for small and medium-sized enterprises (SMEs) – with fewer resources and money – protection from cyber-attacks is now a matter of survival.

Ease of attack is not the only reason why criminals attack SMEs either. SMEs are often an entry point to target bigger organisations within the same supply chain. These larger corporations can either be crucial partners, suppliers, or customers, making SMEs prime targets.

But with efficient cyber security measures, every business regardless of size can keep themselves and their network safe.

https://informationsecuritybuzz.com/articles/why-its-mission-critical-that-all-sized-businesses-stay-cyber-secure/

• Half of Firms Report Supply Chain Ransomware Compromise

Over half (52%) of global organisations know a partner that has been compromised by ransomware, yet few are doing anything to improve the security of their supply chain, according to Trend Micro.

The security vendor polled nearly 3,000 IT decision makers across 26 countries to produce its latest report, ‘Everything is connected: Uncovering the ransomware threat from global supply chains’.

It revealed that 90% of global IT leaders believe their partners and customers are making their own organisation a more attractive ransomware target.

That might be down in part to the fact that SMBs comprise a significant chunk of the supply chain for 52% of respondents. The security of SMBs is generally thought to be less effective than protection in larger, better resourced companies.

However, despite their concerns, less than half (47%) of respondents said they share knowledge about ransomware attacks with their suppliers, while a quarter (25%) claimed they don’t share potentially useful threat information with partners.

https://www.infosecurity-magazine.com/news/half-firms-supply-chain-ransomware/

• Vulnerability Exploits, Not Phishing, Are the Top Cyber Attack Vector for Initial Compromise

Breaches involving phishing and credential compromise have received a lot of attention in recent years because of how frequently threat actors have employed the tactics in executing both targeted and opportunistic attacks. But that doesn't mean that enterprise organisations can afford to lessen their focus on vulnerability patching one bit.

A report from Kaspersky this week identified more initial intrusions last year resulting from exploitation of vulnerabilities in Internet-facing applications than breaches involving malicious emails and compromised accounts combined. And data that the company has collected through the second quarter of 2022 suggests the same trend might be playing out this year as well.

Kaspersky's analysis of its 2021 incident-response data showed that breaches involving vulnerability exploits surged from 31.5% of all incidents in 2020 to 53.6% in 2021. Over the same period, attacks associated with the use of compromised accounts to gain initial access declined from 31.6% in 2020 to 17.9% last year. Initial intrusions resulting from phishing emails decreased from 23.7% to 14.3% during the same period.

https://www.darkreading.com/vulnerabilities-threats/vulnerability-exploits-phishing-top-attack-vector-initial-compromise

• Uber’s Ex-Security Chief Faces Landmark Trial Over Data Breach That Hit 57m Users

Uber’s former security officer, Joe Sullivan, is standing trial this week in what is believed to be the first case of an executive facing criminal charges in relation to a data breach.

The US district court in San Francisco will start hearing arguments on whether Sullivan, the former head of security at the ride-share giant, failed to properly disclose a 2016 data breach affecting 57 million Uber riders and drivers around the world.

At a time when reports of ransomware attacks have surged and cyber security insurance premiums have risen, the case could set an important precedent regarding the culpability of US security staffers and executives for the way the companies they work for handle cyber security incidents.

The breach first came to light in November 2017, when Uber’s chief executive, Dara Khosrowshahi, revealed that hackers had gained access to the driver’s licence numbers of 600,000 US Uber drivers as well as the names, email addresses and phone numbers of as many as 57 million Uber riders and drivers.

Public disclosures like Khosrowshahi’s are required by law in many US states, with most regulations mandating that the notification be made “in the most expedient time possible and without unreasonable delay”.

But Khosrowshahi’s announcement came with an admission: a whole year had passed since the information had been breached.

https://www.theguardian.com/technology/2022/sep/06/uber-joe-sullivan-trial-security-data-breach

• Over 10% of Enterprise IT Assets Found With Missing Endpoint Protection

More than 10% of enterprise IT assets are missing endpoint protection and roughly 5% are not covered by enterprise patch management solutions.

The figures come from new research by Sevco Security, which the company has compiled in the State of the Cybersecurity Attack Surface report.

"Attackers are very adept at exploiting enterprise vulnerabilities. Security and IT teams already have their hands full mitigating the vulnerabilities that they know about, and our data confirms that this is just the tip of the iceberg," Sevco told Infosecurity Magazine.

The document analyses data aggregated from visibility into more than 500,000 IT assets, and underlines existential and underreported cyber security issues in relation to securing enterprises’ assets.

“The uncertainty of enterprise inventory – the elements that make up an organisation’s cyber security attack surface – upends the foundation of every major security framework and presents a challenge to security teams: it’s impossible to protect what you can’t see,” they said.

For instance, the data found that roughly 3% of all IT assets are “stale” in endpoint protection, while 1% are stale from the perspective of patch management coverage.

https://www.infosecurity-magazine.com/news/enterprise-assets-miss-endpoint/

• Some Employees Aren't Just Leaving Companies — They're Defrauding Them

Since the Great Resignation in 2021, millions of employees have left their roles with current employers in search of better ones. According to Microsoft, 40% of employees reported they are considering leaving their current roles by the end of 2022. With many still working in remote or hybrid positions due to the pandemic, larger businesses have started implementing measures to gain a better understanding of employee morale and sentiment to prevent turnover.

While most employees leave companies on good terms, some may become extremely unhappy or disgruntled prior to their departure and are more likely to defraud the company either before leaving or on their way out the door. The unfortunate reality is that no business is immune to fraud, but luckily, there are several steps you can take to prevent it from happening.

According to the Cressey Fraud Triangle, fraudulent behaviour often occurs due to three contributing factors. These include pressure or motive to commit a fraud (usually a personal financial problem), perceived opportunity within the organisation to commit a fraud (poor oversight or internal controls), and rationalisation (the ability to justify the crime to make it seem acceptable).

Very often, a fraudster needs all three sides of the triangle to successfully commit a crime. Therefore, it is extremely important for organisations to do their best to create controls and understand the risk associated with each of these areas. For example, an employee may be disgruntled and also have personal financial issues. However, if internal controls are robust and the employee doesn't have access to financial instruments, valuable assets or software systems, their ability to defraud the company is extremely limited or will get identified immediately.

https://www.darkreading.com/vulnerabilities-threats/some-employees-aren-t-just-leaving-companies-they-re-defrauding-them

• Ransomware Gangs Switching to New Intermittent Encryption Tactic

A growing number of ransomware groups are adopting a new tactic that helps them encrypt their victims' systems faster while reducing the chances of being detected and stopped.

This tactic is called intermittent encryption, and it consists of encrypting only parts of the targeted files' content, which would still render the data unrecoverable without using a valid decryption key.

For example, by skipping every other 16 bytes of a file, the encryption process takes almost half of the time required for full encryption but still locks the contents for good.

Additionally, because the encryption is milder, automated detection tools that rely on detecting signs of trouble in the form of intense file IO operations are more likely to fail.

SentinelLabs has posted a report examining a trend started by LockFile in mid-2021 and now adopted by the likes of Black Basta, ALPHV (BlackCat), PLAY, Agenda, and Qyick.

These groups actively promote the presence of intermittent encryption features in their ransomware family to entice affiliates to join the RaaS operation.

"Notably, Qyick features intermittent encryption, which is what the cool kids are using as you read this. Combined with the fact that is written in Go, the speed is unmatched," describes a Qyick advertisement on hacking forums.

https://www.bleepingcomputer.com/news/security/ransomware-gangs-switching-to-new-intermittent-encryption-tactic/

• How Posting Personal and Business Photos Can Be a Security Risk

Image geotags, metadata, and location information can allow competitors, cyber criminals, and even nation-state threat actors to gain knowledge they can use against organisations.

Marketers in every industry enjoy evidencing their reach to their superiors and providing tangible examples of their width and breadth of influence via social networks, media, and other means of engagement. Photos of both customers and employees engaging at hosted social events, trade shows, conferences, and direct one-on-one encounters are often viewed as gold. Couple this with the individual employee’s or customer’s photos working their way onto social network platforms for others to see and admire, and the value of that gold increases, success being quantified by impressions, views and individual engagements.

The value of that gold doubles when not only does the company harvest data and call it a success, but their competitors also analyse such photos capturing a plethora of useful data points, including geotagged data, metadata of the photo, and identity of the individuals caught in the frame. They, too, call it a success. Yes, the digital engagement involving location data and or location hints within photos is a double-edged sword.

It isn’t just competitors who harvest the data. Criminal elements and nation-state intelligence and security elements do as well. Francis Bacon’s adage, “Knowledge itself is power,” applies. With location, time and place, and identity, competitors, criminals, and nation-states are given their initial tidbits of openly acquired information from which to begin to build their mosaic. 

https://www.csoonline.com/article/3672869/how-posting-personal-and-business-photos-can-be-a-security-risk.html#tk.rss_news

• Your Vendors Are Likely Your Biggest Cyber Security Risk

As speed of business increases, more and more organisations are looking to either buy companies or outsource more services to gain market advantage. With organisations expanding their vendor base, there is a critical need for holistic third-party risk management (TPRM) and comprehensive cyber security measures to assess how much risk vendors pose.

While organisations assess and manage risk on a multitude of layers, none present bigger threats to business resiliency than third-party risk and a lack of robust cyber security controls. Breaches and service interruptions tied to these risk areas have brought down critical systems of major organisations. In 2021, 53% of CISOs surveyed by Black Kite reported being hit by at least one ransomware attack.

It bears repeating: Cyber security and third-party risk are the two biggest problems facing your long-term viability. Businesses need to be able to tackle these risk vectors individually to gain a complete view of their risk profile. A cross-functional process is essential to managing the overlap between these risk areas to better protect your organisation and increase workflow efficiency.

Ensuring that the cyber security practices of your vendors align with your organisation’s standards is critical to safeguarding your systems and data. In fact, it is just as important as how stable the business is or how well it delivers products and services.

https://www.helpnetsecurity.com/2022/09/05/vendors-cybersecurity-risk/

• A Recent Chinese Hack Is a Wake-up Call for the Security of the World’s Software Supply Chain

It’s perhaps only a coincidence that there’s a famous Chinese saying ‘No one knows, not even the ghosts’ that neatly summarises a recent hack on MiMi, a Chinese messaging app. According to recent reports, a Chinese state-backed hacking group inserted malicious code into this messaging app, essentially pulling off the equivalent of the infamous SolarWinds hack. Users of MiMi were served a version of the app with malicious code added, thanks to attackers taking control of the servers that delivered the app. In short, this was a software supply chain attack in which the software delivery pipeline was compromised.

Observers could be forgiven for thinking that this is just another hack. Chinese hacking groups, and those of Western countries too, have developed a reputation over the past two decades for spying, surveillance, and sabotage. But this attack is different than typical hacking fare because the attackers rode in on the back of a trusted piece of software. This is a software supply chain attack, where the attackers tamper with either source code, the software build system, or the software publishing pipeline, all of which have become essential to the functioning of the world’s digital economy.

Software supply chain attacks have been rapidly growing in frequency. Twenty years ago, there might have been one or two a year. These days, depending on the methodology, there are either hundreds or thousands a year, and that’s only counting the reported attacks. And increasingly anybody who depends upon software (read: everybody) is or shortly will be a victim: the U.S. government, Microsoft, thousands of other companies and, apparently in this MiMi attack, individuals.

https://thediplomat.com/2022/09/a-recent-chinese-hack-is-a-wake-up-call-for-the-security-of-the-worlds-software-supply-chain/

• Massive Hotels Group IHG Struck by Cyber Attack Which Disrupts Booking Systems

InterContinental Hotels Group (IHG), which owns brands such as InterContinental, Crowne Plaza, Holiday Inn, and many others, has had its IT systems breached by malicious hackers.

In a filing with the London Stock Exchange, the multinational hospitality company reported that "parts of the company's technology systems have been subject to unauthorised activity."

As a result, the company said, "IHG's booking channels and other applications have been significantly disrupted since [Monday], and this is ongoing."

The first indication that the company was experiencing problems appeared early on Monday morning UK time, when anyone who tried to book a hotel room via the company's website or app, or access their IHG One Rewards account was greeted by a maintenance message.

Although it has made no declaration regarding the nature of the security breach, in its filing with the London Stock Exchange, IHG mentioned they were "working to fully restore all systems". This would fit into the scenario of IHG having hit been hit with ransomware, which may not only have encrypted data - locking the company out of its systems and demanding a ransom be paid - but could have also caused even more problems.

https://www.bitdefender.com/blog/hotforsecurity/massive-hotels-group-ihg-struck-by-cyberattack-which-disrupts-booking-systems/

• London's Biggest Bus Operator Hit by Cyber "Incident"

Travellers in London were braced for more delays last week after the city’s largest bus operator revealed it has been hit by a “cyber security incident,” according to reports.

Newcastle-based transportation group Go-Ahead shared a statement with the London Stock Exchange indicating “unauthorised activity” had been discovered on its network yesterday.

“Upon becoming aware of the incident, Go-Ahead immediately engaged external forensic specialists and has taken precautionary measures with its IT infrastructure whilst it continues to investigate the nature and extent of the incident and implement its incident response plans,” it stated. “Go-Ahead will continue to assess the potential impact of the incident but confirms that there is no impact on UK or International rail services which are operating normally.”

However, the same may not be true of its bus services. Sky News reported that bus and driver rosters may have been impacted by the attack, which could disrupt operations.

Go-Ahead operates multiple services in the South, South West, London, North West, East Anglia, East Yorkshire and its native North East. It is London’s largest bus company, operating over 2400 buses in the capital and employing more than 7000 staff.

https://www.infosecurity-magazine.com/news/londons-biggest-bus-operator-hit/

Threats

Ransomware and Extortion

• Ransomware remains the number one threat to businesses and government organisations - Help Net Security

• Interpol dismantles sextortion ring, warns of increased attacks (bleepingcomputer.com)

• Play Ransomware Attack Playbook Similar to that of Hive, Nokoyawa (trendmicro.com)

• Ransomware attacks on Linux to surge - Help Net Security

• LockBit gang leads the way for ransomware (techtarget.com)

• Some Members of Conti Group Targeting Ukraine in Financially Motivated Attacks (thehackernews.com)

• How to Improve Mean Time to Detect for Ransomware | SecurityWeek.Com

• Google: Former Conti ransomware members attacking Ukraine (techtarget.com)

• Hackers Are Using NASA Telescope Images To Push Ransomware (informationsecuritybuzz.com)

• Ransomware gang's Cobalt Strike servers DDoSed with anti-Russia messages (bleepingcomputer.com)

• Everything You Need To Know About BlackCat (AlphaV) (darkreading.com)

• Microsoft: Iranian hackers encrypt Windows systems using BitLocker (bleepingcomputer.com)

• Microsoft Warns of Ransomware Attacks by Iranian Phosphorus Hacker Group (thehackernews.com)

• Clarion Housing: Anger over landlord silence since cyber attack - BBC News

• New Ransomware Hits Windows, Linux Servers Of Chile Govt Agency (informationsecuritybuzz.com)

• QNAP warns new Deadbolt ransomware attacks exploiting 0day - Security Affairs

• Second largest U.S. school district LAUSD hit by ransomware (bleepingcomputer.com)

• Windows Defender identified Chromium, Electron apps as Hive Ransomware - Security Affairs

• BlackCat Ransomware Linked to Italy's Energy Services Firm Hack - Infosecurity Magazine (infosecurity-magazine.com)

Phishing & Email Based Attacks

• EvilProxy Commodifies Reverse-Proxy Tactic for Phishing, Bypassing 2FA (darkreading.com)

• Criminals harvest users' PI by impersonating popular brands - Help Net Security

• Lampion malware returns in phishing attacks abusing WeTransfer (bleepingcomputer.com)

• A new phishing scam targets American Express cardholders - Security Affairs

• EvilProxy phishing-as-a-service with MFA bypass emerged on the dark web - Help Net Security

• GIFShell attack creates reverse shell using Microsoft Teams GIFs (bleepingcomputer.com)

Other Social Engineering; Smishing, Vishing, etc

• Defeat social engineering attacks by growing your cyber resilience - Help Net Security

Malware

• Cyber criminals targeting Minecraft fans with malware • The Register

• Next-Gen Linux Malware Takes Over Devices With Unique Tool Set (darkreading.com)

• TeslaGun Primed to Blast a New Wave of Backdoor Cyber attacks (darkreading.com)

• New Linux malware evades detection using multi-stage deployment (bleepingcomputer.com)

• Bumblebee malware adds post-exploitation tool for stealthy infections (bleepingcomputer.com)

• Botnets in the Age of Remote Work (darkreading.com)

• North Korean Hackers Deploying New MagicRAT Malware in Targeted Campaigns (thehackernews.com)

Mobile

• In-app browser security risks, and what to do about them | CSO Online

• Fake Antivirus and Cleaner Apps Caught Installing SharkBot Android Banking Trojan (thehackernews.com)

• SharkBot Malware Resurfaces on Google Play to Steal Users' Credentials - Infosecurity Magazine (infosecurity-magazine.com)

Internet of Things – IoT

• New Stealthy Shikitega Malware Targeting Linux Systems and IoT Devices (thehackernews.com)

Data Breaches/Leaks

• NATO docs sold on darkweb after they were stolen from Portugal - Security Affairs

• Criminals claim they've stolen NATO missile plans • The Register

• TikTok denies data breach following leak of user data - Security Affairs

• IRS mistakenly published confidential info for roughly 120K taxpayers - Security Affairs

• Samsung US Says Customer Data Compromised in July Data Breach | SecurityWeek.Com

• Digital Identity Provider SDK Leaves Hundreds Of Thousands Of Biometric (informationsecuritybuzz.com)

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

• Scammers live-streamed on YouTube a fake Apple crypto event - Security Affairs

• FBI: Crooks are using these DeFi flaws to steal your money | ZDNET

• Feds freeze $30m in cryptocurrency stolen from Axie Infinity • The Register

• New Rules for Crypto Exchanges to Stop Sanctions Evaders - Infosecurity Magazine (infosecurity-magazine.com)

Fraud, Scams & Financial Crime

• 62% of consumers see fraud as an inevitable risk of online shopping - Help Net Security

• Islanders in Jersey lose nearly £400,000 to romance fraud | ITV News Channel

• The Advantages of Threat Intelligence for Combating Fraud | SecurityWeek.Com

AML/CFT/Sanctions

• UK forces crypto exchanges to report suspected sanction breaches | Cryptocurrencies | The Guardian

• US Treasury sanctioned Iran ’s Ministry of Intelligence over Albania cyber attack - Security Affairs

Insurance

• Lloyd’s of London defends cyber insurance exclusion for state-backed attacks | Financial Times (ft.com)

• Global Cyber security Insurance Market Size Expected to Top $32.6 Billion by 2028 - MSSP Alert

• With cyber insurance costs increasing, can smaller firms avoid getting priced out? - Help Net Security

Supply Chain and Third Parties

• Supply chain risk is a top security priority as confidence in partners wanes - Help Net Security

• KeyBank: Hackers of third-party provider stole customer data | The Seattle Times

• Government guide for supply chain security: The good, the bad and the ugly - Help Net Security

Software Supply Chain

• Report Highlights Prevalence of Software Supply Chain Risks (darkreading.com)

Denial of Service DoS/DDoS

• Ransomware gang's Cobalt Strike servers DDoSed with anti-Russia messages (bleepingcomputer.com)

Cloud/SaaS

• Defenders Be Prepared: Cyber attacks Surge Against Linux Amid Cloud Migration (darkreading.com)

• Hybrid Cloud Security Challenges & Solutions (trendmicro.com)

• 3 Critical Steps for Reducing Cloud Risk (darkreading.com)

Identity and Access Management

• There is no secure critical infrastructure without identity-based access - Help Net Security

Encryption

• A Pragmatic Response to the Quantum Threat (darkreading.com)

API

• 6 Top API Security Risks! Favoured Targets for Attackers If Left Unmanaged (thehackernews.com)

• API Security for the Modern Enterprise - IT Security Guru

Open Source

• New Linux malware combines unusual stealth with a full suite of capabilities | Ars Technica

Passwords, Credential Stuffing & Brute Force Attacks

• Are Default Passwords Hiding in Your Active Directory? Here's how to check (bleepingcomputer.com)

• 200,000 North Face accounts hacked in credential stuffing attack (bleepingcomputer.com)

Social Media

• TikTok denies security breach after hackers leak user data, source code (bleepingcomputer.com)

• Facebook Engineers Admit They Don’t Know What They Do With Your Data (vice.com)

• Meta axes Responsible Innovation team charged with addressing ethical problems with Facebook, Instagram, WhatsApp | Fortune

Privacy

• You should know that most websites share your in-site search queries with third parties - Help Net Security

• Meta Fined $400m in Ireland For Children's Privacy Breach - Infosecurity Magazine (infosecurity-magazine.com)

Parental Controls and Child Safety

• Google’s image-scanning illustrates how tech firms can penalise the innocent | John Naughton | The Guardian

Cyber Bullying and Cyber Stalking

• ‘I didn’t want it anywhere near me’: how the Apple AirTag became a gift to stalkers | Apple | The Guardian

Regulations, Fines and Legislation

• Tear up decades-old law to save Britain from hackers, say cyber experts (telegraph.co.uk)

• UK Privacy Regulator Fines Halfords for Spam Deluge - Infosecurity Magazine (infosecurity-magazine.com)

• Meta Fined $400m in Ireland For Children's Privacy Breach - Infosecurity Magazine (infosecurity-magazine.com)

Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine

• Google Details Recent Ukraine Cyber attacks | SecurityWeek.Com

• Ukraine dismantles more bot farms spreading Russian disinformation (bleepingcomputer.com)

• Ukraine is under attack by hacking tools repurposed from Conti cyber crime group | Ars Technica

• Sprawling, multi-year Iranian cyberespionage and surveillance group exposed in new report - CyberScoop

• Iranian APT42 Launched Over 30 Espionage Attacks Against Activists and Dissidents (thehackernews.com)

• Newly discovered cyber spy group targets Asia • The Register

• New Iranian hacking group APT42 deploys custom Android spyware (bleepingcomputer.com)

• Israeli Defence Minister's Cleaner Sentenced for Spying Attempt | SecurityWeek.Com

• An interview with Ukrainian hacker 'Herm1t' on countering pro-Kremlin attacks - The Record by Recorded Future

• Researchers Find New Android Spyware Campaign Targeting Uyghur Community (thehackernews.com)

• Anonymous hacked Yandex taxi causing a traffic jam in Moscow - Security Affairs

Nation State Actors

Nation State Actors – Russia

• Raspberry Robin Malware Connected to Russian Evil Corp Gang (darkreading.com)

Nation State Actors – China

• US bans ‘advanced tech’ firms from building facilities in China for a decade | Technology sector | The Guardian

Nation State Actors – North Korea

• North Korean Hackers Deploying New MagicRAT Malware in Targeted Campaigns (thehackernews.com)

• North Korea's Lazarus Targets Energy Firms With Three RATs | SecurityWeek.Com

Nation State Actors – Iran

• Microsoft: Iranian hackers encrypt Windows systems using BitLocker (bleepingcomputer.com)

• UK condemns Iran for reckless cyber attack against Albania - GOV.UK (www.gov.uk)

• US Treasury sanctioned Iran ’s Ministry of Intelligence over Albania cyber attack - Security Affairs

• NATO Condemns Alleged Iranian Cyber attack on Albania | SecurityWeek.Com

• New Iranian hacking group APT42 deploys custom Android spyware (bleepingcomputer.com)

• Microsoft investigates Iranian attacks against the Albanian government - Microsoft Security Blog

• Microsoft Warns of Ransomware Attacks by Iranian Phosphorus Hacker Group (thehackernews.com)

Nation State Actors – Misc

• Nation-state attacks are a growing threat to video conferencing - Help Net Security

• Use of machine identities is growing in state-sponsored cyber attacks - Help Net Security

Vulnerability Management

• High-profile vulnerabilities encourage organisations to improve security posture - Help Net Security

Vulnerabilities

• CISA adds 12 new flaws to Known Exploited Vulnerabilities Catalog - Security Affairs

• September 2022 Patch Tuesday forecast: No sign of cooling off - Help Net Security

• High-risk ConnectWise Automate vulnerability fixed, admins urged to patch ASAP - Help Net Security

• Hackers Exploit Zero-Day in WordPress BackupBuddy Plugin in ~5 Million Attempts (thehackernews.com)

• Cisco Releases Security Patches for New Vulnerabilities Impacting Multiple Products (thehackernews.com)

• Mirai Variant MooBot Botnet Exploiting D-Link Router Vulnerabilities (thehackernews.com)

• Cisco won’t fix authentication bypass zero-day in EoL routers (bleepingcomputer.com)

• Critical RCE Vulnerability Affects Zyxel NAS Devices — Firmware Patch Released (thehackernews.com)

• Chrome and Edge fix zero-day security hole – update now! – Naked Security (sophos.com)

• Google Patches Sixth Chrome Zero-Day of 2022 | SecurityWeek.Com

• QNAP patches zero-day used in new Deadbolt ransomware attacks (bleepingcomputer.com)

• HP fixes severe bug in pre-installed Support Assistant tool (bleepingcomputer.com)

Other News

• Top 5 Cyber crime Cases in 2022 (techgenix.com)

• The Heartbleed bug: How a flaw in OpenSSL caused a security crisis | CSO Online

• Cyber Security - the More Things Change, the More They Are The Same | SecurityWeek.Com

• CISOs say stress and burnout are their top personal risks (cnbc.com)

• How to deal with unprecedented levels of regulatory change - Help Net Security

Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

·       Automotive

·       Construction

·       Critical National Infrastructure (CNI)

·       Defence & Space

·       Education & Academia

·       Energy & Utilities

·       Estate Agencies

·       Financial Services

·       FinTech

·       Food & Agriculture

·       Gaming & Gambling

·       Government & Public Sector (including Law Enforcement)

·       Health/Medical/Pharma

·       Hotels & Hospitality

·       Insurance

·       Legal

·       Manufacturing

·       Maritime

·       Oil, Gas & Mining

·       OT, ICS, IIoT, SCADA & Cyber-Physical Systems

·       Retail & eCommerce

·       Small and Medium Sized Businesses (SMBs)

·       Startups

·       Telecoms

·       Third Sector & Charities

·       Transport & Aviation

·       Web3

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.