Threat Intelligence Blog
Contact us to discuss any insights from our Blog, and how we can support you in a tailored threat intelligence report.
Black Arrow Cyber Threat Briefing 01 July 2022
Black Arrow Cyber Threat Briefing 01 July 2022:
-Ransomware Is the Biggest Global Cyber Threat. And The Attacks Are Still Evolving
-Study Reveals Traditional Data Security Tools Have a 60% Failure Rate Against Ransomware and Extortion
-Patchable and Preventable Security Issues Lead Causes of Q1 Attacks
-Three in Four Vulnerability Management Programs Ineffective, NopSec Research Finds
-EMEA Continues to Be a Hotspot for Malware Threats
-A New, Remarkably Sophisticated Malware Is Attacking Home and Small Office Routers
-What Are Shadow IDs, and How Are They Crucial in 2022?
-Zero-Days Aren't Going Away Anytime Soon & What Leaders Need to Know
-Half of 2022's Zero-Days Are Variants of Previous Vulnerabilities
-Human Error Remains the Top Security Issue
-Carnival Cruises Torpedoed by US States, Agrees to Pay $6m After Wave of Cyber Attacks
-Uber Ex-Security Chief Accused of Hacking Coverup Must Face Fraud Charges, Judge Rules
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
Ransomware Is the Biggest Global Cyber Threat. And The Attacks Are Still Evolving
Ransomware is the biggest cyber security threat facing the world today, with the potential to significantly affect whole societies and economies – and the attacks are unrelenting, the head of the National Cyber Security Centre (NCSC) has warned.
"Even with a war raging in Ukraine – the biggest global cyber threat we still face is ransomware. That tells you something of the scale of the problem. Ransomware attacks strike hard and fast. They are evolving rapidly, they are all-pervasive, they're increasingly offered by gangs as a service, lowering the bar for entry into cyber crime," said Lindy Cameron, CEO of the NCSC in a speech at Tel Aviv Cyber Week.
She added that the NCSC has dealt with "nationally significant incidents" along with hundreds of general cyber incidents that "affect the UK more widely every year".
While she didn't detail any specific instances of responding to ransomware incidents, Cameron warned that "these complex attacks have the potential to affect our societies and economies significantly", and implied that if it weren't for the work of NCSC incident responders, alongside their counterparts in the industry and international counterparts, the attacks could have had a major impact.
Study Reveals Traditional Data Security Tools Have a 60% Failure Rate Against Ransomware and Extortion
Titaniam, Inc., the data security platform, announced the ‘State of Data Exfiltration & Extortion Report.’ The survey revealed that while over 70% of organisations have an existing set of prevention, detection, and backup solutions, nearly 40% of organisations have been hit with ransomware attacks in the last year, and more than 70% have experienced one in the previous five years, proving existing solutions to be woefully inadequate in managing the risks and impacts from these attacks.
Data exfiltration during ransomware attacks is up 106% relative to where it was five years ago. We are seeing the emergence of a new trend where cyber criminals are no longer limiting themselves to just encrypting entire systems—they are making sure to steal data ahead of the encryption so that they can have additional leverage on the victim. The survey found that 65% of those who have experienced a ransomware attack have also experienced data theft or exfiltration due to the incident. Of those victims, 60% say the hackers used the data theft to extort them further, known as double extortion. Most of them, i.e., 59% of victims, paid the hackers, implying that they were not helped by their backup or data security tools to prevent this fate.
Data is being exposed for theft and extortion in other ways too. Nearly half (47%) uncovered publicly exposed data in their systems in the last 24 months. It was found that respondents have a mix of data security & protection (78%), prevention & detection (75%), and backup and recovery (73%) in their cyber security stacks. Still, exposure and extortion numbers imply a missing puzzle piece regarding attacks.
Patchable and Preventable Security Issues Lead Causes of Q1 Attacks
Attacks against companies spiked in Q1 2022 with patchable and preventable external vulnerabilities responsible for the bulk of attacks.
Eighty-two percent of attacks on organisations in Q1 2022 were caused by the external exposure of known vulnerabilities in the victim’s external-facing perimeter or attack surface. Those unpatched bugs overshadowed breach-related financial losses tied to human error, which accounted for 18 percent.
The numbers come from Tetra Defense and its quarterly report that sheds light on a notable uptick in cyber attacks against United States organisations between January and March 2022.
The report did not let employee security hygiene, or a lack thereof, off the hook. Tetra revealed that a lack of multi-factor authentication (MFA) mechanisms adopted by firms and compromised credentials are still major factors in attacks against organisations.
https://threatpost.com/lead-causes-of-q1-attacks/180096/
Three in Four Vulnerability Management Programs Ineffective
How at risk are organisations to unsecured vulnerabilities in their networks? NopSec, a threat and exposure management provider, gives us the answers in a new study of some 430 cyber security professionals.
Are security teams finding successful approaches to their vulnerability management, or are “open doors around their attack surface” leaving them susceptible to disaster in their organisation? The answer, as it turns out, is that some organisations are better at detection, response and remediation of their vulnerabilities.
Perhaps more importantly, others are not as locked down as they believe, according to the report. Keeping track of known vulnerabilities and responding quickly is one thing, but locating flaws they did not previously know existed is quite another.
Seventy percent of respondent say their vulnerability management program (VMP) is only somewhat effective or worse, blind spots and shadow IT remain top challenges, and vulnerabilities take too long to patch.
EMEA Continues to Be a Hotspot for Malware Threats
Ransomware detections in the first quarter of this year doubled the total volume reported for 2021, according to the latest quarterly Internet Security Report from the WatchGuard Threat Lab. Researchers also found that the Emotet botnet came back in a big way, the infamous Log4Shell vulnerability tripled its attack efforts and malicious cryptomining activity increased.
Although findings from the Threat Lab’s Q4 2021 report showed ransomware attacks trending down year over year, that all changed in Q1 2022 with a massive explosion in ransomware detections. While Q4 2021 saw the downfall of the infamous REvil cybergang, WatchGuard analysis suggests that this opened the door for the LAPSUS$ extortion group to emerge, which along with many new ransomware variants such as BlackCat – the first known ransomware written in the Rust programming language – could be contributing factors to an ever-increasing ransomware and cyber-extortion threat landscape.
The report also shows that EMEA continues to be a hotspot for malware threats. Overall regional detections of basic and evasive malware show WatchGuard Fireboxes in EMEA were hit harder than those in North, Central and South America (AMER) at 57% and 22%, respectively, followed by Asia-Pacific (APAC) at 21%.
https://www.helpnetsecurity.com/2022/06/30/emea-malware-threats/
A New, Remarkably Sophisticated Malware Is Attacking Home and Small Office Routers
An unusually advanced hacking group has spent almost two years infecting a wide range of routers in North America and Europe with malware that takes full control of connected devices running Windows, macOS, and Linux, researchers reported on June 28.
So far, researchers from Lumen Technologies' Black Lotus Labs say they've identified at least 80 targets infected by the stealthy malware, including routers made by Cisco, Netgear, Asus, and DrayTek. Dubbed ZuoRAT, the remote access Trojan is part of a broader hacking campaign that has existed since at least the fourth quarter of 2020 and continues to operate.
The discovery of custom-built malware written for the MIPS architecture and compiled for small-office and home-office routers is significant, particularly given its range of capabilities. Its ability to enumerate all devices connected to an infected router and collect the DNS lookups and network traffic they send and receive, and remain undetected, is the hallmark of a highly sophisticated threat actor.
"While compromising small office/home office (SOHO) routers as a vector to gain access to an adjacent LAN is not a novel technique, it has seldom been reported," Black Lotus Labs researchers wrote. "Similarly, reports of person-in-the-middle style attacks, such as DNS and HTTP hijacking, are even rarer and a mark of a complex and targeted operation. The use of these two techniques congruently demonstrated a high level of sophistication by a threat actor, indicating that this campaign was possibly performed by a state-sponsored organisation."
The campaign comprises at least four pieces of malware, three of them written from scratch by the threat actor. The first piece is the MIPS-based ZuoRAT, which closely resembles the Mirai internet-of-things malware that achieved record-breaking distributed denial-of-service attacks that crippled some Internet services for days. ZuoRAT often gets installed by exploiting unpatched vulnerabilities in SOHO devices.
https://www.wired.com/story/zuorat-trojan-malware-hacking-routers/
What Are Shadow IDs, and How Are They Crucial in 2022?
Just before last Christmas, in a first-of-a-kind case, JPMorgan was fined $200M for employees using non-sanctioned applications for communicating about financial strategy. No mention of insider trading, naked shorting, or any malevolence. Just employees circumventing regulation using, well, Shadow IT. Not because they tried to obfuscate or hide anything, simply because it was a convenient tool that they preferred over any other sanctioned products (which JPMorgan certainly has quite a few of.)
Visibility into unknown and unsanctioned applications has been required by regulators and also recommended by the Center for Internet Security community for a long time. Yet it seems that new and better approaches are still in demand. Gartner has identified External Attack Surface Management, Digital Supply Chain Risk, and Identity Threat Detection as the top three trends to focus on in 2022, all of which are closely intertwined with Shadow IT.
"Shadow IDs," or in other words, unmanaged employee identities and accounts in third-party services, are often created using a simple email-and-password-based registration. Cloud access security broker (CASB) and corporate single-sign-on (SSO) solutions are limited to a few sanctioned applications, and are not widely adopted on most websites and services either. This means, that a large part of an organisation's external surface - as well as its user identities - may be completely invisible.
https://thehackernews.com/2022/06/what-are-shadow-ids-and-how-are-they.html
Zero-Days Aren't Going Away Anytime Soon, and What Leaders Need to Know
Few security exploits are the source of more sleepless nights for security professionals than zero-day attacks. Just recently, researchers discovered a new vulnerability enabling hackers to achieve remote code execution within Microsoft Office. Dubbing the evolving threat the Follina exploit, researchers say all versions of Office are at risk. And because the internal security teams have no time to prepare or patch their systems to defend against these software vulnerabilities, crafty threat actors can take advantage, taking their time after they've accessed an organisation's environment to observe and exfiltrate data while remaining completely unseen.
And though sophisticated threat actors and nations have exploited zero-days for nearly two decades, last year saw a historic rise in the number of vulnerabilities detected. Both Google and Mandiant tracked a record number of zero-days last year, with the caveat that more zero-days are being discovered because security companies are getting better at finding them — not necessarily because hackers are coming up with new vulnerabilities. Not all zero-days are created equal, though. Some require sophisticated and novel techniques, like the attack on SolarWinds, and others exploit simple vulnerabilities in commonly used programs like Windows. Thankfully, there's some basic cyber hygiene strategies that can keep your organisation sufficiently prepared to mitigate zero-day exploits.
Half of 2022's Zero-Days Are Variants of Previous Vulnerabilities
Google Project Zero has observed a total of 18 exploited zero-day vulnerabilities in the first half of 2022, at least half of which exist because previous bugs were not properly addressed.
According to Google Project Zero researcher Maddie Stone, nine of the in-the-wild zero-days seen so far this year could have been prevented had organisations applied more comprehensive patching.
“On top of that, four of the 2022 zero-days are variants of 2021 in-the-wild zero-days. Just 12 months from the original in-the-wild zero-day being patched, attackers came back with a variant of the original bug,” Stone says.
The most recent of these issues is the Follina vulnerability in the Windows platform. Tracked as CVE-2022-30190, it is a variant of an MSHTML zero-day tracked as CVE-2021-40444.
CVE-2022-21882 is another Windows vulnerability that is a variant of an in-the-wild zero-day that was improperly resolved last year, namely CVE-2021-1732.
An iOS IOMobileFrameBuffer bug (CVE-2022-22587) and a type confusion flaw in Chrome’s V8 engine (CVE-2022-1096) are two other zero-days that are variants of exploited security flaws found last year – CVE-2021-30983 and CVE-2021-30551, respectively.
Other 2022 zero-days that are variants of improperly addressed security defects are CVE-2022-1364 (Chrome), CVE-2022-22620 (WebKit), CVE-2021-39793 (Google Pixel), CVE-2022-26134 (Atlassian Confluence), and CVE-2022-26925 (Windows flaw called PetitPotam).
https://www.securityweek.com/google-half-2022s-zero-days-are-variants-previous-vulnerabilities
Human Error Remains the Top Security Issue
Human error remains the most effective vector for conducting network infiltrations and data breaches.
The SANS Institute security centre issued its annual security awareness report Wednesday, which was based on data from 1,000 infosec professionals and found that employees and their lack of security training remain common points of failure for data breaches and network attacks. The report also tracked the maturity level of respondents' security awareness programs and their effectiveness in reducing human risk.
"This year's report once again identifies what we have seen over the past three years: that the most mature security awareness programs are those that have the most people dedicated to managing and supporting it," the cyber security training and education organisation said.
"These larger teams are more effective at working with the security team to identify, track, and prioritise their top human risks, and at engaging, motivating, and training their workforce to manage those risks."
The SANS Institute study ranked maturity by five levels, from lowest to highest: nonexistent, compliance-focused, promoting awareness and behaviour change, long-term sustainment and culture change, and metrics framework. The report found that while approximately 400 respondents said their programs promote awareness and behaviour change - the highest such response for any maturity level - the number represented a 10% decrease from the previous year's report.
Carnival Cruises Torpedoed by US States, Agrees to Pay $6m After Wave of Cyber Attacks
Carnival Cruise Lines will cough up more than $6 million to end two separate lawsuits filed by 46 states in the US after sensitive, personal information on customers and employees was accessed in a string of cyber attacks.
A couple of years ago, as the coronavirus pandemic was taking hold, the Miami-based business revealed intruders had not only encrypted some of its data but also downloaded a collection of names and addresses; Social Security info, driver's license, and passport numbers; and health and payment information of thousands of people in almost every American state.
It all started to go wrong more than a year prior, as the cruise line became aware of suspicious activity in May 2019. This apparently wasn't disclosed until 10 months later, in March 2020.
Back in 2019, the security operations team spotted an internal email account sending spam to other addresses. It turned out miscreants had hijacked 124 employee Microsoft Office 365 email accounts, and were using them to send phishing emails to harvest more credentials. This, we're told, gave the intruders access to personal data on 180,000 Carnival employees and customers. It's likely the miscreants first broke in using phishing mails or brute-forcing passwords; either way, there was no multi-factor authentication.
Then in August 2020, the company said it was hit with the aforementioned ransomware, and copies of its files were siphoned. In January 2021, it was infected again with malware, and again sensitive information – specifically, customer passport numbers and dates of birth, and employee credit card numbers – were downloaded. And in March that year, a staffer's work email account was compromised again to send out a phishing email; more sensitive information was exposed.
https://www.theregister.com/2022/06/28/carnival-cybersecurity-fines/
Uber Ex-Security Chief Accused of Hacking Coverup Must Face Fraud Charges, Judge Rules
A federal judge on Tuesday said a former Uber Technologies Inc. security chief must face wire fraud charges over his alleged role in trying to cover up a 2016 hacking that exposed personal information of 57 million passengers and drivers.
The US Department of Justice had in December added the three charges against Joseph Sullivan to an earlier indictment, saying he arranged to pay money to two hackers in exchange for their silence, while trying to conceal the hacking from passengers, drivers and the US Federal Trade Commission.
Threats
Ransomware
Record-Breaking Year for Ransomware Attacks, WatchGuard Research Predicts - MSSP Alert
Cyber Security Experts Warn of Emerging Threat of "Black Basta" Ransomware (thehackernews.com)
AstraLocker 2.0 infects users directly from Word attachments (bleepingcomputer.com)
Black Basta Ransomware Gang Attacks 50 Companies, Cybereason Reports - MSSP Alert
How Dangerous Is BlackBasta Ransomware? (informationsecuritybuzz.com)
LockBit 3.0 Debuts With Ransomware Bug Bounty Program (darkreading.com)
Son of Conti: Ransomware tries its hand at politics - The Record by Recorded Future
Kaseya Ransomware - Cyber Leader’s Thoughts & Learnings One Year Later (informationsecuritybuzz.com)
Are Protection Payments the Future of Ransomware? (tripwire.com)
Conti vs. LockBit: A Comparative Analysis of Ransomware Groups (trendmicro.com)
This new malware is at the heart of the ransomware ecosystem | ZDNet
Macmillan Publishing shuts down systems after likely ransomware attack (bleepingcomputer.com)
Walmart denies being hit by Yanluowang ransomware attack (bleepingcomputer.com)
Fake copyright infringement emails install LockBit ransomware (bleepingcomputer.com)
Cisco Talos techniques uncover ransomware sites on dark web (techtarget.com)
RansomHouse gang claims to have some stolen AMD data • The Register
'Prolific' NetWalker extortionist pleads guilty • The Register
Phishing & Email Based Attacks
Google Warns About Hacker-for-Hire Services Trying to Phish Users (pcmag.com)
Clever phishing method bypasses MFA using Microsoft WebView2 apps (bleepingcomputer.com)
Cyber Attacks via Unpatched Systems Cost Orgs More Than Phishing (darkreading.com)
How phishing attacks are becoming more sophisticated - Help Net Security
How Evilnum Cyber Attacks Target Microsoft Office Files - MSSP Alert
New Matanbuchus Campaign drops Cobalt Strike beacons - Security Affairs
Kaspersky Reveals Phishing Emails That Employees Find Most Confusing (darkreading.com)
Ukraine arrests cyber crime gang operating over 400 phishing sites (bleepingcomputer.com)
Malware
Microsoft finds Raspberry Robin worm in hundreds of Windows networks (bleepingcomputer.com)
Microsoft Exchange servers worldwide backdoored with new malware (bleepingcomputer.com)
Microsoft warning: This malware that targets Linux just got a big update | ZDNet
ZuoRAT Hijacks SOHO Routers From Cisco, Netgear (darkreading.com)
XFiles info-stealing malware adds support for Follina delivery (bleepingcomputer.com)
Raccoon Stealer is back with a new version to steal your passwords (bleepingcomputer.com)
PyPi python packages caught sending stolen AWS keys to unsecured sites (bleepingcomputer.com)
Mobile
Android Spyware 'Revive' Upgraded to Banking Trojan - Infosecurity Magazine
Phone Hackers: 9 Ways To Tell If You Have Fallen Victim (informationsecuritybuzz.com)
Google Warns of New Spyware Targeting iOS and Android Users - IT Security Guru
Internet of Things – IoT
Data Breaches/Leaks
Leaky Access Tokens Exposed Amazon Photos of Users | Threatpost
California gun dashboards expose 10 years of personal data • The Register
Organised Crime & Criminal Actors
Russia-China cyber criminal collaboration could “destabilize” international order | CSO Online
Canadian admits to hacking spree with Russian cyber-gang - BBC News
Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain
Pentagon finds concerning vulnerabilities on blockchain | TechRepublic
Hackers steal $100m from another breached crypto bridge | TechRadar
Santander Warns of 87% Surge in UK Crypto Scams - Infosecurity Magazine
Dozens of cryptography libraries vulnerable to private key theft | The Daily Swig (portswigger.net)
Missing Cryptoqueen: FBI adds Ruja Ignatova to top ten most wanted - BBC News
Singapore warns of ‘brutal, unrelentingly hard’ crypto regs • The Register
Insider Risk and Insider Threats
Rogue HackerOne employee steals bug reports to sell on the side (bleepingcomputer.com)
Japanese worker loses city's personal data in USB fail • The Register
How you handle independent contractors may determine your insider threat risk | CSO Online
Fraud, Scams & Financial Crime
Threat actors increasingly use third parties to run their scams - Help Net Security
Santander Warns of 87% Surge in UK Crypto Scams - Infosecurity Magazine
Evolving online habits have paved the way for fraud. What can we do about it? - Help Net Security
Insurance
Software Supply Chain
It's a Race to Secure the Software Supply Chain — Have You Already Stumbled? (darkreading.com)
Over a Decade in Software Security: What Have We learned? - IT Security Guru
Denial of Service DoS/DDoS
Attack Surface Management
Shadow IT
Open Source
Passwords, Credential Stuffing & Brute Force Attacks
RansomHouse Hackers Claim to Breach AMD With Bad Passwords (gizmodo.com)
Breaking Down the Zola Hack and Why Password Reuse is so Dangerous (bleepingcomputer.com)
Raccoon Stealer is back with a new version to steal your passwords (bleepingcomputer.com)
Social Media
Verified Twitter accounts hacked to send fake suspension notices (bleepingcomputer.com)
Facebook Business Pages Targeted via Chatbot in Data-Harvesting Campaign (darkreading.com)
New YTStealer malware steals accounts from YouTube Creators (bleepingcomputer.com)
Facebook 2FA phish arrives just 28 minutes after scam domain created – Naked Security (sophos.com)
Training, Education and Awareness
Privacy
‘Supercookies’ Have Privacy Experts Sounding the Alarm | WIRED
UK should immediately ban use of live facial recognition, warns report | Financial Times (ft.com)
Snoopers’ Charter Ruled Partially Unlawful - Infosecurity Magazine
We must stop sleepwalking towards a surveillance state | Financial Times (ft.com)
Parental Controls and Child Safety
Regulations, Fines and Legislation
Manx government department fined over data breach - BBC News
Clearview fine: The unacceptable face of modern surveillance - Help Net Security
Law Enforcement Action and Take Downs
Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine
NATO to create cyber rapid response force, increase cyber defence aid to Ukraine - CyberScoop
Evilnum hackers return in new operation targeting migration orgs (bleepingcomputer.com)
Commercial cyber products must be used responsibly, says NCSC CEO (computerweekly.com)
G7 to tackle cyber threats and disinformation from Russia: communique | Reuters
Google Warns of New Spyware Targeting iOS and Android Users - IT Security Guru
China lured graduate jobseekers into digital espionage | Ars Technica
Nation State Actors
Nation State Actors – Russia
Ukraine targeted by almost 800 cyber attacks since the war started (bleepingcomputer.com)
Russian Hacker Group Says Cyber Attacks Continue On Lithuania (informationsecuritybuzz.com)
Russian hacktivists take down Norway govt sites in DDoS attacks (bleepingcomputer.com)
Russia's Killnet hacker group says it attacked Lithuania | Reuters
Nation State Actors – China
Chinese Hackers Target Building Management Systems | SecurityWeek.Com
China lured graduate jobseekers into digital espionage | Ars Technica
Nation State Actors – North Korea
Vulnerability Management
Why more zero-day vulnerabilities are being found in the wild | CSO Online
Cyber Attacks via Unpatched Systems Cost Orgs More Than Phishing (darkreading.com)
Microsoft's quiet mishandling of vulnerabilities is becoming a public mess - OnMSFT.com
Vulnerabilities
MITRE shares this year's list of most dangerous software bugs (bleepingcomputer.com)
How and why threat actors target Microsoft Active Directory | CSO Online
Atlassian Confluence Exploits Peak at 100K Daily (darkreading.com)
Patch Now: Linux Container-Escape Flaw in Azure Service Fabric (darkreading.com)
Zoho ManageEngine ADAudit Plus bug gets public RCE exploit (bleepingcomputer.com)
OpenSSL 3.0.5 awaits release to fix potential security flaw • The Register
CISA: Adopt Modern Auth now for Exchange Online • The Register
CISA Warns of Active Exploitation of 'PwnKit' Linux Vulnerability in the Wild (thehackernews.com)
CISA orders agencies to patch Windows LSA bug exploited in the wild (bleepingcomputer.com)
Log4Shell Vulnerability in VMware Leads to Data Exfiltration and Ransomware (trendmicro.com)
Jenkins discloses dozens of zero-day bugs in multiple plugins (bleepingcomputer.com)
New UnRAR Vulnerability Could Let Attackers Hack Zimbra Webmail Servers (thehackernews.com)
Sector Specific
Critical National Infrastructure (CNI)
Financial Services Sector
FinTech
A Fintech Horror Story: How One Company Prioritizes Cyber Security (darkreading.com)
Security and compliance concerns limit ‘open finance’ expansion, say executives (scmagazine.com)
Telecoms
OT, ICS, IIoT, SCADA and Cyber-Physical Systems
APT Hackers Targeting Industrial Control Systems with ShadowPad Backdoor (thehackernews.com)
Cyber-Physical Security: Benchmarking to Advance Your Journey | SecurityWeek.Com
Critical Security Flaws Identified in CODESYS ICS Automation Software (thehackernews.com)
Microsoft Exchange bug abused to hack building automation systems (bleepingcomputer.com)
5 Cyber Security Tips for Smart Buildings - IT Security Guru
Chinese Hackers Target Building Management Systems | SecurityWeek.Com
OT security: Helping under-resourced critical infrastructure organisations - Help Net Security
Energy & Utilities
Oil, Gas and Mining
Food and Agriculture
Education and Academia
Web3
Reports Published in the Last Week
Q1 2022 Incident Response Insights from Tetra Defense | Arctic Wolf
Defending Ukraine: Early Lessons from the Cyber War - Microsoft On the Issues
Other News
Cyber Attacks Gain Steam in Early '22: Tetra Defense Report - MSSP Alert
FBI warns crooks are using deepfake videos in job interviews • The Register
Destructive firmware attacks pose a significant threat to businesses - Help Net Security
48% of security practitioners seeing 3x increase in alerts per day - Help Net Security
Adversarial machine learning explained: How attackers disrupt AI and ML systems | CSO Online
82% Cyber Breaches In Verizon’s Report Preventable, Says MyCena (informationsecuritybuzz.com)
SolarWinds hack explained: Everything you need to know (techtarget.com)
Properly securing APIs is becoming increasingly urgent - Help Net Security
97% Of UK Business Leaders Expect Quantum Computing to Disrupt Their Sectors - Infosecurity Magazine
LGBTQ+ folks warned of dating app extortion scams • The Register
What is Zero Trust and why would you want it? • The Register
Tencent admits to poisoned QR code attack on QQ accounts • The Register
Exploring the insecurity of readily available Wi-Fi networks - Help Net Security
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Threat Briefing 01 April 2022
Black Arrow Cyber Threat Briefing 01 April 2022
-One Tenth of UK Staff Bypass Corporate Security
-Majority Of Data Security Incidents Caused by Insiders
-One-Third of UK Firms Suffer A Cyber Attack Every Week
-Russia's Cyber Criminals Fear Sanctions Will Erase Their Wealth
-86% Of Organisations Believe They Have Suffered a Nation-State Cyber Attack
-Multiple Hacking Groups Are Using the War in Ukraine As A Lure In Phishing Attempts
-4 Ways Attackers Target Humans to Gain Network Access
-Security Incidents Reported to FCA Surge 52% in 2021
-NCSC Suggests Rethinking Russian Supply Chain Risks
-25% Of Workers Lost Their Jobs In The Past 12 Months After Making Cyber Security Mistakes: Report
-Attackers Compromise 94% Of Critical Assets Within Four Steps Of Initial Breach
-UK Spy Chief Warns Russia Looking for Cyber Targets
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
One Tenth of UK Staff Bypass Corporate Security
A new study from Cisco has found that a tenth of UK employees actively circumvent their organisation’s security measures.
The network technology company polled over 1000 UK professionals working for organisations that allow hybrid working, in order to better understand the potential security risks of the modern, flexible workplace.
The research has revealed that many hybrid workers do not see cyber security as their responsibility, with many actively finding workarounds or engaging in risky behaviours such as password reuse.
19% of employees said they reuse passwords for multiple accounts and applications, with only 15% using password managers.
The problem seems to stem from user friction in existing security measures. Only 44% of survey participants said they found it easy to securely access their IT equipment.
A majority said they would be willing to use biometric authentication, a reflection of how enterprise security is still catching up to consumer functionality.
https://www.itsecurityguru.org/2022/03/28/one-tenth-of-uk-staff-bypass-corporate-security/
Majority Of Data Security Incidents Caused by Insiders
New research from Imperva has revealed that 70% of EMEA organisations have no insider risk strategy, despite 59% of data security incidents being caused by employees.
The shocking revelation comes as part of a wider study carried out by Forrester: Insider Threats Drive Data Protection Improvements. The study involved interviewing 150 security and IT professionals in EMEA.
An insider threat is defined by Imperva as originating from “inappropriate use of legitimate authorised user accounts” by either their rightful owner or a threat actor who has managed to compromise them.
The study found that insider threats were responsible for 59% of incidents impacting sensitive data in the past 12 months. This supports a previous Imperva analysis of the most significant breaches of the past five years, revealing that 24% were caused by either human error or compromised credentials.
https://www.itsecurityguru.org/2022/04/01/majority-of-data-security-incidents-caused-by-insiders/
One-Third of UK Firms Suffer a Cyber Attack Every Week
Cyber attacks and related incidents at UK organisations continue their seemingly unstoppable upward trajectory, with new statistics from the Department for Digital, Culture, Media and Sport (DCMS) revealing that 31% of businesses and 26% of charity organisations now experience incidents on a weekly basis.
The data, contained in the annual cyber security breaches survey report, paints a stark picture of the scale of the threat facing the average organisation, and the urgent need to boost standards and defences.
It is vital that every organisation takes cyber security seriously as more and more business is done online and we live in a time of increasing cyber risk. No matter how big or small your organisation is, you need to take steps to improve digital resilience.
Some 20% of businesses and 19% of charities said they had experienced a negative outcome as a direct consequence of an attack. The average cost of an attack, spread out across all organisations, now works out at £4,200, or £19,400 if only medium and large businesses are considered, although there is probably a vast amount of under-reporting, so the true figures are certainly higher.
Meanwhile, 35% of businesses and 38% of charities said they had experienced some kind of negative impact during the incident, such as service downtime.
https://www.computerweekly.com/news/252515288/One-third-of-UK-firms-suffer-a-cyber-attack-every-week
Russia's Cyber Criminals Fear Sanctions Will Erase Their Wealth
Punitive economic sanctions over Russia's invasion of Ukraine had crooks discussing the best ways to adapt to the new reality.
Members of Russian-language underground forums are not immune to the latest news. Russia's invasion of Ukraine and subsequent economic sanctions against Moscow got forum users to discuss how to live in this new world they find themselves in.
According to a report by the Digital Shadows Photon team, dark web forums are teeming with questions on how to ensure the safety of funds held in Russia-based accounts.
One user sought advice on what to do with dollars held in a Russian bank, with others suggesting converting dollars to rubles for a few months.
"I hope you were joking about [holding the funds in rubles for] half a year? After half a year, your rubles will only be good for lighting a fire, they will not be good for anything else," a forum user responded.
https://cybernews.com/news/russias-cybercriminals-fear-sanctions-will-erase-their-wealth/
86% Of Organisations Believe They Have Suffered a Nation-State Cyber Attack
A new study by Trellix and the Center for Strategic and International Studies (CSIS) has revealed that 86% of organisations believe they have fallen victim to a nation-state cyber attack.
The research surveyed 800 IT decision-makers in Australia, France, Germany, India, Japan, the UK and US.
It has also been revealed that 92% of respondents have faced, or suspect they have faced, a nation-state backed cyber attack in the past 18 months, or anticipate one in the future.
Russia and China were identified as the most likely suspects behind said attacks. 39% of organisations that believe they have been hit with a nation-state cyber attack believe Russia were the perpetrators.
Multiple Hacking Groups Are Using the War in Ukraine as A Lure in Phishing Attempts
Hostile hacking groups are exploiting Russia's invasion of Ukraine to carry out cyber attacks designed to steal login credentials, sensitive information, money and more from victims around the world.
According to cyber security researchers at Google's Threat Analysis Group (TAG), government-backed hackers from Russia, China, Iran and North Korea, as well as various unattributed groups and cyber criminal gangs, are using various themes related to the war in Ukraine to lure people into becoming victims of cyber attacks.
In just the last two weeks alone, Google has seen several hacking groups looking to take advantage of the war to fulfil their malicious aims, whether that's stealing information, stealing money, or something else.
4 Ways Attackers Target Humans to Gain Network Access
Since the day we started receiving email, we hope that our antivirus or endpoint protection software alerts us to problems. In reality, it often does not. When technology fails, it’s likely because the attacker made an end run around it by targeting humans. Here are four ways they do it:
1. The targeted human attack
2. Fraudulent wire transfer email
3. Tricking users into handing over credentials
4. Bypassing multi-factor authentication
Security Incidents Reported to FCA Surge 52% in 2021
The number of cyber security incidents reported to the UK’s financial regulator surged by over 50% last year after a significant increase in cyber-attacks, according to new figures from Picus Security.
The security vendor submitted Freedom of Information (FoI) requests to the Financial Conduct Authority (FCA) to compile its latest report, Cyber Security Incidents in the UK Financial Sector.
The 52% year-on-year increase in “material” security incidents reported to the FCA seems to have been driven by cyber-attacks, which comprised nearly two-thirds (65%) of these reports.
Picus Security claimed that the rest are likely explained by “system and process failures and employee errors.”
In addition, a third of incident reports were about corporate or personal data breaches, and a fifth involved ransomware.
Picus Security explained that to qualify as a material incident, there needs to have been a significant loss of data, operational IT outages, unauthorized IT access, and/or an impact on a large number of customers.
https://www.infosecurity-magazine.com/news/security-incidents-reported-fca/
NCSC Suggests Rethinking Russian Supply Chain Risks
The National Cyber Security Centre (NCSC) of the UK has urged organisations to reconsider the risks associated with “Russian-controlled” parts of their supply chains.
Ian Levy, technical director of the NCSC argued that “Russian law already contains legal obligations on companies to assist the Russian Federal Security Service (FSB), and the pressure to do so may increase in a time of war. We also have hacktivists on each side, further complicating matters, so the overall risk has materially changed.”
Levy has suggested that while there is currently nothing to suggest that the Russian state intends to force commercial providers to sabotage UK interests, that doesn’t mean it will not happen in the future.
https://www.itsecurityguru.org/2022/03/30/ncsc-suggests-rethinking-russian-supply-chain-risks/
25% Of Workers Lost Their Jobs in The Past 12 Months After Making Cyber Security Mistakes: Report
For business leaders, there is never a good time for their employees to make mistakes on the job. This is especially true now for workers who have anything to do with the cyber security of their companies and organisations. Given the growing risks of cyber attacks across the world and the increased threats posed by Russia in the aftermath of their invasion of Ukraine, these are certainly perilous times.
Indeed, a new study released by email security company Tessian found that one in four employees (26%) lost their job in the last 12 months after making a mistake that compromised their company’s security.
According to the second edition of Tessian’s Psychology of Human Error report, people are falling for more advanced phishing scams—and the business stakes for mistakes are much higher.
The study also found that:
Two-fifths (40%) of employees sent an email to the wrong person, with almost one-third (29%) saying their business lost a client or customer because of the error
Over one-third (36%) of employees have made a mistake at work that compromised security and fewer are reporting their mistakes to IT.
Attackers Compromise 94% of Critical Assets Within Four Steps of Initial Breach
New research from XM Cyber analysing the methods, attack paths, and impacts of cyber attacks has discovered that attackers can compromise 94% of critical assets within just four steps of initial breach points. The hybrid cloud security company’s Attack Path Management Impact Report incorporates insights from nearly two million endpoints, files, folders, and cloud resources throughout 2021, highlighting key findings on attack trends and techniques impacting critical assets across on-prem, multi-cloud, and hybrid environments.
The findings showed that 75% of an organisation’s critical assets are open to compromise in their current security state, while 73% of the top attack techniques used last year involved mismanaged or stolen credentials. Just over a quarter (27%) of most common attack techniques exploited a vulnerability or misconfiguration.
UK Spy Chief Warns Russia Looking for Cyber Targets
A UK intelligence chief warned that the Kremlin is hunting for cyber targets and bringing in mercenaries to shore up its stalled military campaign in Ukraine.
Jeremy Fleming, who heads the GCHQ electronic spy agency, praised Ukrainian President Volodymyr Zelenskyy’s “information operation” for being highly effective at countering Russia’s massive disinformation drive spreading propaganda about the war.
While there were expectations that Russia would launch a major cyber attack as part of its military campaign, Fleming said such a move was never a central part of Moscow’s standard playbook for war.
“That’s not to say that we haven’t seen cyber in this conflict. We have — and lots of it,” Fleming said in a speech in Canberra, Australia, according to a transcript released in London on Wednesday.
He said GCHQ’s National Cyber Security Centre has picked up signs of “sustained intent” by Russia to disrupt Ukrainian government and military systems.
“We’ve seen what looks like some spillover of activity affecting surrounding countries,” Fleming said. “And we’ve certainly seen indicators which suggest Russia’s cyber actors are looking for targets in the countries that oppose their actions.”
He provided no further details. He said the UK and other Western allies will continue to support Ukraine in beefing up its cyber security defences.
https://www.securityweek.com/uk-spy-chief-warns-russia-looking-cyber-targets
Threats
Ransomware
Ransomware Payments Hitting New Records In 2021 - Help Net Security
UK Ransomware Attacks Double In Past Year, Expert Insight - Information Security Buzz
Ransomware, Endpoint Risks Are Top Concerns for DFIR Professionals | CSO Online
Not Enough Businesses Have A Formal Ransomware Plan In Place - Help Net Security
Ukraine, Conti, and the law of unintended consequences | CSO Online
FBI Investigating More than 100 Ransomware Variants - Infosecurity Magazine
Precursor Malware Is an Early Warning Sign for Ransomware (darkreading.com)
Cyber Blackmail Gains Traction in Ransomware Hijackers' Tool Set - MSSP Alert
Services Giant Admits $42m Fallout from Ransomware Attack - Infosecurity Magazine
Hive Ransomware Uses New 'IPfuscation' Trick to Hide Payload (bleepingcomputer.com)
Shutterfly, Hit By Conti Ransomware Group, Warns Staff Their Data Has Been Stolen • Graham Cluley
FBI: Ransomware Attacks Are Piling Up The Pressure On Public Services | ZDNet
BEC – Business Email Compromise
Phishing & Email Based Attacks
Calendly Actively Abused in Microsoft Credentials Phishing (bleepingcomputer.com)
Phishing Attacks: Malicious URLs May Outpace Email Attachment Risks - MSSP Alert
Phishing uses Azure Static Web Pages to impersonate Microsoft (bleepingcomputer.com)
Other Social Engineering
5 Old Social Engineering Tricks Employees Still Fall For, And 4 New Gotchas | CSO Online
Fraudsters Use 'Fake Emergency Data Requests' To Steal Info • The Register
Malware
Mobile
IoT
Organised Crime & Criminal Actors
Sanctions Hitting Russian Cyber-Criminals Hard - Infosecurity Magazine
Secret World of Pro-Russia Hacking Group Exposed in Leak - WSJ
UK Police Charges Two Teenagers for Their Alleged Role in Lapsus$ Group - Security Affairs
LAPSUS$ Hacks Globant. 70GB of Data Leaked from IT Firm (bitdefender.com)
Cryptocurrency/Cryptomining/Cryptojacking
How CISOs can Mitigate Cryptomining Malware (trendmicro.com)
Ronin Blockchain Hit With $620 Million Crypto Heist - IT Security Guru
Insider Risk and Insider Threats
Yale Finance Director Stole $40m In Computers to Resell • The Register
Making Security Mistakes May Come With A High Price For Employees - Help Net Security
Fraud, Scams & Financial Crime
Europol Dismantles Massive Call Centre Investment Scam Operation (bleepingcomputer.com)
Emily Maitlis Opens Up About Terrifying Bank Scam: ‘I Feel Sick’ | The Independent
Supply Chain
Denial of Service DoS/DDoS
DDoS Attacks Becoming Larger And More Complex, Finance Most Targeted Sector - Help Net Security
Number of DDoS Attacks in 2021 Reached 9.75 Million - Help Net Security
Beastmode Botnet Boosts DDoS Power With New Router Exploits (bleepingcomputer.com)
Passwords & Credential Stuffing
Spyware, Espionage & Cyber Warfare
Russian Invasion of Ukraine
Anonymous Targets Oligarchs' Russian Businesses - Security Affairs
With War Next Door, EU is Warned on Cyber Security Gaps | SecurityWeek.Com
Ukraine Intelligence Leaks Names of 620 Alleged Russian FSB Agents - Security Affairs
Russian Credential Thieves Target NATO, European Military • The Register
Viasat Confirms Satellite Modems Were Wiped with AcidRain Malware (bleepingcomputer.com)
Internet Provider to Ukrainian Military Hit With Major Cyber Attack - WSJ
GhostWriter APT Targets State Entities of Ukraine with Cobalt Strike Beacon - Security Affairs
Hacked WordPress Sites Force Visitors to DDoS Ukrainian Targets (bleepingcomputer.com)
Russia Facing Internet Outages Due to Equipment Shortage (bleepingcomputer.com)
Anonymous Is Working On A Huge Data Dump That Will Blow Russia Away - Security Affairs
Phishing Campaign Targets Russian Govt Dissidents With Cobalt Strike (bleepingcomputer.com)
Leaked Hacker Logs Show Weaknesses of Russia’s Cyber Proxy Ecosystem | CSO Online
Russian Aviation Authority Switches to Paper After Losing 65TB of Data | CyberNews
Anonymous Hacked Russian Thozis Corp, But Denies Attacks on Rosaviatsia - Security Affairs
ZTE Whistleblower: Chinese Companies Will Sell to Russia • The Register
Nation State Actors
Nation State Actors – Russia
UK Spy Boss Warns About Russia-China Tech Collaboration • The Register
UK Cyber Security Centre Advises Review of Russian Tech • The Register
Russia Ranks Top For State-Linked Online Misinformation • The Register
Google: Russian phishing attacks target NATO, European military (bleepingcomputer.com)
Russian Spies Unmasked In Embarrassing Blow For Vladimir Putin (telegraph.co.uk)
Nation State Actors – China
Vulnerabilities
CISA Adds 66 Vulnerabilities to 'Must Patch' List | SecurityWeek.Com
Apple Rushes Out Patches for Two 0-days Threatening iOS and macOS Users | Ars Technica
Chrome Browser Gets Major Security Update | SecurityWeek.Com
Critical SonicOS Vulnerability Affects SonicWall Firewall Appliances (thehackernews.com)
Log4JShell Used to Swarm VMware Servers with Miners, Backdoors | Threatpost
Experts Warn Defenders: Don't Relax on Log4j | SecurityWeek.Com
Google Chrome, Microsoft Edge Updated to Close Security Hole • The Register
RCE Bug in Spring Cloud Could Be the Next Log4Shell, Researchers Warn | Threatpost
Spring4Shell: No need To Panic, But Mitigations Are Advised - Help Net Security
Sophos Firewall Affected by A Critical Authentication Bypass Flaw - Security Affairs
CVE-2022-1162 Flaw in GitLab Allowed Threat Actors To Take Over Accounts - Security Affairs
Trend Micro Fixed High Severity Flaw In Apex Central Product Console - Security Affairs
Zyxel Urges Customers To Patch Critical Firewall Bypass Vulnerability | ZDNet
QNAP Warns of OpenSSL Infinite Loop Vulnerability Affecting NAS Devices (thehackernews.com)
Sector Specific
Health/Medical/Pharma Sector
Hive Ransomware Group Claims Partnership HealthPlan of California Data Breach | CSO Online
LockBit Victim Estimates Cost of Ransomware Attack To Be $42 Million (bleepingcomputer.com)
Retail/eCommerce
Shopping Trap: The Online Stores’ Scam That Hits Users Worldwide - Security Affairs
Automotive
Automaker Cyber Security Lagging Behind Tech Adoption, Experts Warn | Threatpost
CNI, OT, ICS, IIoT and SCADA
The Spectre of Stuxnet: CISA Issues Alert on Rockwell Automation ICS Vulnerabilities | ZDNet
Other News
Protecting Your Organisation Against a New Class of Cyber Threats: HEAT (darkreading.com)
Why Do Organisations Need To Prioritize Cyber Resiliency? - Help Net Security
How Security Complexity Is Being Weaponized (darkreading.com)
In Charts: Cyber Security Risks And Companies’ Readiness | Financial Times (ft.com)
CISA Warns of Attacks Against Internet-Connected UPS Devices | CSO Online
Hackers Posing as Police Convinced Apple and Meta to Share Basic Subscriber Info (softpedia.com)
Exploring the Intersection of Physical Security and Cyber Security (darkreading.com)
The Current State Of Enterprise Backup And Recovery - Help Net Security
Why Metrics Are Crucial To Proving Cyber Security Programs’ Value | CSO Online
COVID Bounce: A Massive 2021 Resurgence of Cyber Threats - Help Net Security
Rapid7 Finds Zero-Day Attacks Surged In 2021 (techtarget.com)
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.