Threat Intelligence Blog
Contact us to discuss any insights from our Blog, and how we can support you in a tailored threat intelligence report.
Black Arrow Cyber Threat Briefing 25 June 2021
Black Arrow Cyber Threat Briefing 25 June 2021: BEC Losses Top $1.8B As Tactics Evolve; 30M Dell Devices At Risk For Remote BIOS Attacks, Remote Code Exploits; Bad Employee Behaviours Picked Up During Remote Working Pose Serious Security Risks; Ways Technical Debt Increases Security Risk; Orgs Ill-Equipped To Deal With Growing BYOD Security Threats; Firewall Manufacturer Sees 226.3 Million Ransomware Attack Attempts This Year; Ransomware Criminals Look To Other Hackers To Provide Them With Network Access
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
BEC Losses Top $1.8B As Tactics Evolve
Business email compromise (BEC) attacks ramped up significantly in 2020, with more than $1.8 billion stolen from organisations with these types of attacks last year alone — and things are getting worse. BEC attacks are carried out by cyber criminals either impersonating someone inside an organisation, or masquerading as a partner or vendor, bent on financial scamming. A new report from Cisco’s Talos Intelligence examined the tactics of some of the most dangerous BEC attacks observed in the wild in 2020 and reminded the security community that in addition to technology, smart users armed with a healthy scepticism of outside communications and the right questions to ask are the best line of defence. “The reality is, these types of emails and requests happen legitimately all over the world every day, which is what makes this such a challenge to stop,” the report said.
https://threatpost.com/bec-losses-top-18b/167148/
30M Dell Devices At Risk For Remote BIOS Attacks, Remote Code Execution
A high-severity series of four vulnerabilities can allow remote adversaries to gain arbitrary code execution in the pre-boot environment on Dell devices, researchers said. They affect an estimated 30 million individual Dell endpoints worldwide. According to analysis, the bugs affect 129 models of laptops, tablets, and desktops, including enterprise and consumer devices, that are protected by Secure Boot. Secure Boot is a security standard aimed at making sure that a device boots using only software that is trusted by the device's original equipment manufacturer (OEM), to prevent rogue takeovers.
https://threatpost.com/dell-bios-attacks-rce/167195/
Bad Employee Behaviours Picked Up During Remote Working Pose Serious Security Risks in the New Hybrid Workplace
Most employers are wary that the post-pandemic hybrid workforce will bring bad cyber security behaviours with it. More than half (56%) of employers believed that employees had picked up bad security practices while working remotely. Similarly, nearly two-fifths (39%) of employees admitted that their behaviour differed significantly while working from home compared to the office. Additionally, over a third (36%) admitted discovering ‘workarounds’ since they started working remotely. Younger workers were more prone to these bad behaviours, with 51% of 16-24, 46% of 25-34, and 35% of 35-44-year-olds using ‘workarounds.’ Close to half (49%) of workers adopted the risky behaviour because they felt that they were not being watched by IT departments. Nearly a third (30%) said they felt that they could get away with the risky behaviour while working away from the office.
7 Ways Technical Debt Increases Security Risk
Two in three CISOs believe that technical debt, the difference between what's needed in a project and what's finally deployed, is a significant cause of security vulnerability, according to the 2021 Voice of the CISO report. Most technical debt is created by taking shortcuts while placing crucial aspects such as architecture, code quality, performance, usability, and, ultimately, security on hold. Many large organisations are carrying tens or hundreds of thousands of discovered but un-remediated risks in their vulnerability management systems. In many sectors there is an insidious idea that underfunded security efforts, plus risk management, are almost as good as actually doing the security work required, which is dangerously wrong.
https://www.csoonline.com/article/3621754/7-ways-technical-debt-increases-security-risk.html
Organisations Ill-Equipped To Deal With Growing BYOD Security Threats
A report shows the rapid adoption of unmanaged personal devices connecting to work-related resources (aka BYOD) and why organisations are ill-equipped to deal with growing security threats such as malware and data theft. The study surveyed hundreds of cyber security professionals across industries to better understand how COVID-19’s resulting surge of remote work has affected security and privacy risks introduced using personal mobile devices. The insights in this report are especially relevant as more enterprises are shifting to permanent remote work or hybrid work models, connecting more devices to corporate networks and, as a result, expanding the attack surface.
https://www.helpnetsecurity.com/2021/06/17/byod-security/
Firewall Manufacturer SonicWall Sees 226.3 Million Ransomware Attack Attempts This Year
Firewall manufacturer SonicWall said it saw dramatic increases in almost every market, even in those such as the US and UK, where ransomware attacks were already common. The US saw a 149% spike, and the UK 69%. “The bombardment of ransomware attacks is forcing organisations into a constant state of defence rather than an offensive stance,” said the SonicWall CEO. “And as the tidal wave of ransomware attacks continues to crush company after company, there is a lot of speculation on how to keep individual organisations safe, but no real consensus on how to move forward when it comes to combating ransomware.”
Ransomware Criminals Look To Other Hackers To Provide Them With Network Access
According to a new report, cyber criminals distributing ransomware are increasingly turning to other hackers to buy access into corporate networks.
Researchers said a robust and lucrative criminal ecosystem exists where criminals work together to carry out ransomware attacks. In this ecosystem, ransomware operators buy access from independent cyber criminal groups who infiltrate major targets for part of the ransom proceeds.
Cyber criminal threat groups already distributing banking malware or other trojans may also become part of a ransomware affiliate network, the researchers said.
5 Biggest Healthcare Security Threats For 2021
Cyber attacks targeting the healthcare sector have surged because of the COVID-19 pandemic and the resulting rush to enable remote delivery of healthcare services. Security vendors and researchers tracking the industry have reported a major increase in phishing attacks, ransomware, web application attacks, and other threats targeting healthcare providers. The trend has put enormous strain on healthcare security organisations that already had their hands full dealing with the usual volume of threats before the pandemic. “The healthcare industry is under siege from a range of complex security risks,” says Terry Ray. Cyber criminals are hunting for the sensitive and valuable data that healthcare has access to, both patient data and corporate data, he says. Many organisations are struggling to meet the challenge because they are under-resourced and rely on vulnerable systems, third-party applications, and APIs to deliver services.
https://www.csoonline.com/article/3262187/biggest-healthcare-security-threats.html
Threats
Ransomware
Ransomware: Now Gangs Are Using Virtual Machines To Disguise Their Attacks
Clop Ransomware Gang Doxes Two New Victims Days After Police Raids
Wormable Bash DarkRadiation Ransomware Targets Linux Distros And Docker Containers
Faux ‘DarkSide’ Gang Takes Aim At Global Energy, Food Sectors
A Deep Dive Into The Operations Of The LockBIT Ransomware Group
Fashion titan French Connection Says 'FCUK' As REvil-Linked Ransomware Makes Off With Data
Phishing
Phishing Attack's Unusual File Attachment Is A Double-Edged Sword
Man Arrested After 26,000 'Phishing' Text Messages Sent Out In A Single Day
Malware
50% Of Misconfigured Containers Hit By Botnets In Under An Hour
Dirtymoe Malware Has Infected More Than 100,000 Windows Systems
Vulnerabilities
Google Confirms 7th Chrome ‘Zero Day’ Vulnerability, Upgrade Now
Linux Marketplaces Vulnerable To RCE And Supply Chain Attacks
Critical Palo Alto Cyber-Defense Bug Allows Remote ‘War Room’ Access
SonicWall Bug Affecting 800k Firewalls Was Only Partially Fixed
Hackers Are Using Unknown User Accounts To Target Zyxel Firewalls And VPNs
Nation State Actors
The Lazarus Heist: How North Korea Almost Pulled Off A Billion-Dollar Hack
Cyber Espionage By Chinese Hackers In Neighbouring Nations Is On The Rise
Cyber Attack On Polish Government Officials Linked To Russian Hackers
Other News
IT Leaders Say Cyber Security Funding Being Wasted On Remote Work Support
Hackers Are Trying To Attack Big Companies. Small Suppliers Are The Weakest Link
APNIC Left A Dump From Its WHOIS SQL Database In A Public Google Cloud Bucket
Average Time To Fix Critical Cyber Security Vulnerabilities Is 205 Days
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Threat Briefing 21 May 2021
Black Arrow Cyber Threat Briefing 21 May 2021: Ransomware Attacks Are Spiking. Is Your Company Prepared?; Ban Ransom Payments To Hackers, Urges Ex-GCHQ Boss; How Penetration Testing Can Promote A False Sense Of Security; Ransomware’s New Swindle - Triple Extortion; ‘It’s A Battle, It’s Warfare’ - Experts Seek To Defeat Ransomware Attackers; 5 Reasons Why Enterprises Need Cyber Security Awareness And Training; 10 Emerging Cyber Security Trends To Watch In 2021
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
5 Reasons Why Enterprises Need Cyber Security Awareness And Training
Research shows that most cyber attacks rely on exploiting the human factor with the help of creative and innovative phishing techniques and other attack vectors. Almost 90% of all data breaches are caused by human error. Therefore, even if an organisation has a robust cyber security infrastructure in place, the absence of cyber security awareness among employees can leave a huge gap in its cyber security framework. This gap can be easily exploited by cyber criminals to launch various types of cyber attacks. Hence, cyber security awareness and training are very much needed for any enterprise to secure it against cyber attacks.
Ban Ransom Payments To Hackers, Urges Ex-GCHQ Boss
Britain’s former cyber security chief has called for a ban on ransomware payments after the Irish health service became the latest to be hit by a major attack from international criminals. Ciaran Martin, the founding chief executive of GCHQ’s National Cyber Security Centre (NCSC), said that making payments illegal would help to break the lucrative global hacking business model. Martin said that businesses were helping to fund the organised criminals who locked and stole their data. “At the moment you can pay to make it quietly go away. There’s no legal obligations involved,” he said. “There’s no obligation to report to anybody, there’s no traceability of payment of crypto currency. We have allowed this to spiral in an invisible way.”
Ransomware’s New Swindle: Triple Extortion
Ransomware attacks are exploding at a staggering rate, and so are the ransoms being demanded. Now experts are warning against a new threat — triple extortion — which means that attackers are expanding out to demand payments from customers, partners and other third parties related to the initial breach to grab even more cash for their crimes. Check Point’s latest ransomware report found that over the past year, ransomware payments have spiked by 171 percent, averaging about $310,000 — and that globally, the number of attacks has surged by 102 percent.
https://threatpost.com/ransomwares-swindle-triple-extortion/166149/
‘It’s A Battle, It’s Warfare’: Experts Seek To Defeat Ransomware Attackers
Cyber security experts like to joke that the hackers who have turned ransomware attacks into a multibillion-dollar industry are often more professional than even their biggest victims. Ransomware attacks — when cyber attackers lock up their target’s computer systems or data until a ransom is paid — returned to the spotlight this week after attacks hit one of the biggest petroleum pipelines in the US, Toshiba’s European business, and Ireland’s health service. While governments have pledged to tackle the problem, experts said the criminal gangs have become more enterprising and continue to have the upper hand. For businesses, they said, there is more pain to come. “This is probably the biggest conundrum in security because companies have to decide how far they participate in this cat-and-mouse game,” said Myrna Soto, former chief strategy and trust officer at Forcepoint and current board member of gas and electricity group Consumers Energy. “It’s a battle, it’s warfare, to be honest.”
https://www.ft.com/content/b48a2d70-4a8c-4407-83a2-59cd055068f8
Colonial Pipeline Boss Confirms $4.4M Ransom Payment
Its boss told the Wall Street Journal he authorised the payment on 7 May because of uncertainty over how long the shutdown would continue. "I know that's a highly controversial decision," Joseph Blount said in his first interview since the hack. The 5,500-mile (8,900-km) pipeline carries 2.5 million barrels a day. According to the firm, it carries 45% of the East Coast's supply of diesel, petrol and jet fuel. Chief executive Mr Blount told the newspaper that the firm decided to pay the ransom after discussions with experts who had previously dealt with DarkSide, the criminal organisation behind the attack.
https://www.bbc.co.uk/news/business-57178503
10 Emerging Cyber Security Trends To Watch In 2021
A flurry of new threats, technologies and business models have emerged in the cyber security space as the world shifted to a remote work model in response to the COVID-19 pandemic. The lack of a network perimeter in this new world accelerated the adoption of SASE (secure access service edge), zero trust and XDR (extended detection and response) to ensure remote users and their data are protected. Adversaries have taken advantage of the complexity introduced by newly remote workforces to falsely impersonate legitimate users through credential theft and have upped the ante by targeting customers in the victim’s supply chain. The ability to monetize ransomware attacks by threatening to publicly leak victim data has made it more lucrative, while employers continue to fend off insiders with an agenda.
https://www.crn.com/news/security/10-emerging-cybersecurity-trends-to-watch-in-2021
How Penetration Testing Can Promote A False Sense Of Security
Rob Gurzeev is concerned about blind spots—past and present. In his DarkReading article Defending the Castle: How World History Can Teach Cyber security a Lesson, Gurzeev mentioned, "Military battles bring direct lessons and, I find, often serve as a reminder that attack surface blind spots have been an Achilles' heel for defenders for a long time." "Cyber security attackers follow this same principle today," wrote Gurzeev. "Companies typically have a sizable number of IT assets within their external attack surface they neither monitor nor defend and probably do not know about in the first place."
https://www.techrepublic.com/article/how-penetration-testing-can-promote-a-false-sense-of-security/
Ransomware Attacks Are Only Getting Worse, Darkside Group "Quits," But That May Just Be A Strategy
Earlier this month, a hacker group named DarkSide launched a ransomware attack against the business network of the Colonial Pipeline, forcing the company to shut down the 5,500-mile main pipeline and leading to fuel shortages in 17 states and Washington DC last week. According to a Bloomberg report, Colonial paid 75 Bitcoin (around $5 million on the day of the transaction) in ransom to the Eastern European hackers, but officially the company has maintained a different narrative of not having any intention of paying the extortion fee in crypto currency, as the DarkSide group had demanded. However, the Georgia-based company is said to have made the payment within hours of the attack, possibly using a cyber insurance policy to cover it.
https://www.techspot.com/news/89689-ransomware-attacks-only-getting-worse-darkside-group-quits.html
Learning From Cyber Attacks Could Be The Key To Stopping Them
Organisations should use major cyber incidents as a way to think through the core of their security strategies in order to prevent or recover better from similar attacks. "A significant cyber incident is really an opportunity; because it's an opportunity to focus on the core issues that led to these cyber incidents," said Anne Neuberger, deputy national security advisor for cyber and emerging technology at the White House, speaking at the UK National Cyber Security Centre's (NCSC) CYBERUK 21 virtual conference. Neuberger said that whether it's something like the SolarWinds sophisticated supply chain attack or the Colonial Pipeline ransomware incident, "we know that vulnerabilities across software and hardware can bring on larger concerns", but that looking at the core issues can help everyone improve their security.
https://www.zdnet.com/article/learning-from-cyber-attacks-could-be-the-key-to-stopping-them/
Microsoft Remote Desktop Protocol (RDP) Allegedly Has An Alarming Active Vulnerability
The Remote Desktop Protocol (RDP) is an incredibly useful feature used by likely millions of people every day. Considering it is free and preinstalled by Microsoft, it beats out most other Windows-based remote desktop software with ease. This, however, does not give it a free pass from having flaws, as a security researcher has discovered his password in cleartext within the RDP service’s memory. Researcher Jonas Lykkegård of the Secret Club, a group of hackers, seems to stumble across interesting things from time to time. He recently posted to Twitter about finding a password in cleartext in memory after using the RDP service. It seems he could not believe what he had found, as he tested it again and produced the same results using a new local account.
Amazon’s Ring Is The Largest Civilian Surveillance Network The US Has Ever Seen
In a 2020 letter to management, Max Eliaser, an Amazon software engineer, said Ring is “simply not compatible with a free society”. We should take his claim seriously. Ring video doorbells, Amazon’s signature home security product, pose a serious threat to a free and democratic society. Not only is Ring’s surveillance network spreading rapidly, it is extending the reach of law enforcement into private property and expanding the surveillance of everyday life. What’s more, once Ring users agree to release video content to law enforcement, there is no way to revoke access and few limitations on how that content can be used, stored, and with whom it can be shared.
Ransomware Attacks Are Spiking. Is Your Company Prepared?
With the migration to remote work over the last year, cyber attacks have increased exponentially. We saw more attacks of every kind, but the headline for 2020 was ransom attacks, which were up 150% over the previous year. The amount paid by victims of these attacks increased more than 300% in 2020. Already 2021 has seen a dramatic increase in this activity, with high-profile ransom attacks against critical infrastructure, private companies, and municipalities grabbing headlines on a daily basis. The amount of ransom demanded also has significantly increased this year, with some demands reaching tens of millions of dollars. And the attacks have become more sophisticated, with threat actors seizing sensitive company data and holding it hostage for payment.
https://hbr.org/2021/05/ransomware-attacks-are-spiking-is-your-company-prepared
Threats
Ransomware
Insurer AXA Hit By Ransomware After Dropping Support For Ransom Payments
One Of The US’s Largest Insurance Companies Reportedly Paid $40 Million To Ransomware Hackers
Ransomware’s Dangerous New Trick Is Double-Encrypting Your Data
IoT
Four New Video Doorbells And Home Security Cameras Are Vulnerable To Hacking
EufyCam Users Should Turn Off Their Security Cams Immediately
Vulnerabilities
QNAP Warns Of eCh0raix Ransomware Attacks, Roon Server Zero-Day
Cross-Browser Tracking Vulnerability Tracks You Via Installed Apps
Black Arrow Cyber Threat Briefing 27 November 2020
Black Arrow Cyber Threat Briefing 27 November 2020: Hundreds of C-level executives’ credentials available for $100 to $1500; Bluetooth Attack Can Steal a Tesla Model X in Minutes; Three members of TMT cybercrime group arrested in Nigeria; Cyber criminals make £2.5m raid on law firms in lockdown; Hackers post athletes’ naked photos online
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities and cyber related news from the last week.
Top Cyber Headlines of the Week
Hundreds of C-level executives’ credentials available for $100 to $1500 per account
A credible threat actor is offering access to the email accounts of hundreds of C-level executives for $100 to $1500 per account.
The availability of access to the email accounts of C-level executives could allow threat actors to carry out multiple malicious activities, from cyber espionage to BEC scams.
The threat actor is selling login credentials for Office 365 and Microsoft accounts and the price depends on the size of the C-level executives’ companies and the internal role of the executive.
The threat actor claims its database includes login credentials of high-level executives such as:
CEO, CTO, COO, CFO, CMO, President, Vice President, Executive Assistant, Finance Manager, Accountant, Director, Finance Director, Financial Controller and Accounts Payable
https://securityaffairs.co/wordpress/111588/cyber-crime/executives-credentials-dark-web.html
This Bluetooth Attack Can Steal a Tesla Model X in Minutes
Tesla has always prided itself on its so-called over-the-air updates, pushing out new code automatically to fix bugs and add features. But one security researcher has shown how vulnerabilities in the Tesla Model X's keyless entry system allow a different sort of update:
A hacker could rewrite the firmware of a key fob via Bluetooth connection, lift an unlock code from the fob, and use it to steal a Model X in just a matter of minutes.
https://www.wired.com/story/tesla-model-x-hack-bluetooth/
Three members of TMT cybercrime group arrested in Nigeria
Three Nigerians suspected of being part of a cybercrime group that has made tens of thousands of victims around the world have been arrested today in Lagos, Nigeria, Interpol reported.
In a report disclosing its involvement in the investigation, security firm Group-IB said the three suspects are members of a cybercrime group it has been tracking since 2019 under the codename TMT.
Group-IB said the group primarily operated by sending out mass email spam campaigns containing files laced with malware.
https://www.zdnet.com/article/three-members-of-tmt-cybercrime-group-arrested-in-nigeria/
Cyber criminals make £2.5m raid on law firms in lockdown
The large number of lawyers working from home has become a magnet for cyber criminals, the Solicitors Regulation Authority has said, revealing a 300% increase in phishing scams in the first two months of lockdown alone.
In the first half of 2020, firms reported that nearly £2.5m held by them had been stolen by cybercriminals, more than three times the amount reported in the same period in 2019.
Law firm staff working remotely are using devices that are less secure than the office network, and those without dedicated office space are finding it hard to keep information confidential. Those using video meetings also need to make sure that unauthorised parties cannot overhear or see a confidential meeting.
Hackers post athletes’ naked photos online
Four British athletes are among hundreds of female sports stars and celebrities whose intimate photographs and videos have been posted online in a targeted cyberattack.
The hack, which the athletes became aware of this week, has caused panic and one leading sports agency has advised its clients to take extra measures to protect their private data.
The athletes, who had photographs and videos stolen from their phones, were considering steps last night to have the material removed from the dark net.
https://www.thetimes.co.uk/article/hackers-post-athletes-naked-photos-online-86sq27hgl
Threats
Ransomware
Manchester United hackers 'demanding million-pound ransom'
Manchester United are still suffering the effects of a significant cyberattack that targeted the club earlier this week.
Following last weekend's 'sophisticated' attack, the club has revealed it is still suffering severe disruption to its internal systems, several of which had to be shut down following the incident.
Reports have also claimed that the hackers are demanding "millions of pounds" before they let the club regain full control.
https://www.techradar.com/sg/news/manchester-united-hackers-demanding-million-pound-ransom
Egregor Ransomware Attack Hijacks Printers to Spit Out Ransom Notes
The South American retail giant Cencosud was hit with ransomware last week. The retailer was infected by an Egregor ransomware attack which, in time-honoured fashion, stole sensitive files that it found on the compromised network and encrypted data on Cencosud’s drives to lock workers out of the company’s data.
A text file was left on infected Windows computers, telling the store that private data would be shared with the media if it was not prepared to begin negotiating with the hackers within three days.
That’s nothing unusual, but Egregor’s novel twist is that it can also tell businesses that their computer systems are well and truly breached by sending its ransom note to attached printers.
Sopra Steria: Adding up outages and ransomware clean-up, Ryuk attack will cost us up to €50m
Sopra Steria has said a previously announced Ryuk ransomware infection will not only cost it "between €40m and €50m" but will also deepen expected financial losses by several percentage points.
The admission comes weeks after the French-headquartered IT outsourcing firm's Active Directory infrastructure was compromised by malicious people who deployed the Ryuk ransomware, using what the company called "a previously unknown strain."
https://www.theregister.com/2020/11/25/sopra_steria_ransomware_damage_50m_euros/
Phishing
GoDaddy scam shows how voice phishing can be more deceptive than email schemes
Companies can protect employees from phishing schemes through a combination of training, secure email gateways and filtering technologies. But what protects workers from phone-based voice phishing (vishing) scams, like the kind that recently targeted GoDaddy and a group of cryptocurrency platforms that use the Internet domain registrar service?
Experts indicate that there are few easy answers, but organizations intent on putting a stop to such activity may have to push for more secure forms of verification, escalation procedures for sensitive requests, and better security awareness of account support staffers and other lower-level employees.
Google Services Weaponized to Bypass Security in Phishing, BEC Campaigns
A spike in recent phishing and business email compromise (BEC) attacks can be traced back to criminals learning how to exploit Google Services, according to research from Armorblox.
Social distancing has driven entire businesses into the arms of the Google ecosystem looking for a reliable, simple way to digitise the traditional office. The report details how now-ubiquitous services like Google Forms, Google Docs and others are being used by malicious actors to give their spoofing attempts a false veneer of legitimacy, both to security filters and to victims.
Malware
Malware creates scam online stores on top of hacked WordPress sites
A new cybercrime gang has been seen taking over vulnerable WordPress sites to install hidden e-commerce stores with the purpose of hijacking the original site's search engine ranking and reputation and promote online scams.
The attacks were discovered earlier this month targeting a WordPress honeypot.
The attackers leveraged brute-force attacks to gain access to the site's admin account, after which they overwrote the WordPress site's main index file and appended malicious code.
https://www.zdnet.com/article/malware-creates-online-stores-on-top-of-hacked-wordpress-sites/
Enter WAPDropper – An Android Malware Subscribing Victims to Premium Services by Telecom Companies
WAPDropper is a new malware which downloads and executes an additional payload. In the current campaign, it drops a WAP premium dialler which subscribes its victims to premium services without their knowledge or consent.
The malware, which belongs to a newly discovered family, consists of two different modules: the dropper module, which is responsible for downloading the second-stage malware, and a premium dialler module that subscribes the victims to premium services offered by legitimate sources; in this campaign, telecommunication providers in Thailand and Malaysia.
https://research.checkpoint.com/2020/enter-wapdropper-subscribe-users-to-premium-services-by-telecom-companies/
LightBot: TrickBot’s new reconnaissance malware for high-value targets
The notorious TrickBot gang has released a new lightweight reconnaissance tool used to scope out an infected victim's network for high-value targets.
Over the past week, security researchers began to see a phishing campaign normally used to distribute TrickBot's BazarLoader malware switch to installing a new malicious PowerShell script.
IoT
The smart video doorbells letting hackers into your home
Smart doorbells with cameras let you see who’s at the door without getting up off the sofa, but in-depth security testing has found some are leaving your home wide open to uninvited guests.
With internet-connected smart tech on the rise, smart doorbells are a common sight on UK streets. Popular models, such as Ring and Nest doorbells, are expensive, but scores of similar looking devices have popped up on Amazon, eBay and Wish at a fraction of the price.
https://www.which.co.uk/news/2020/11/the-smart-video-doorbells-letting-hackers-into-your-home/
Password Attacks
Up to 350,000 Spotify accounts hacked in credential stuffing attacks
An unsecured internet-facing database was found containing over 380 million individual records, including login credentials that were leveraged to break into 300,000 to 350,000 Spotify accounts. The exposed records included a variety of sensitive information, such as people's usernames and passwords, email addresses, and countries of residence.
The treasure trove of data was stored on an unsecured Elasticsearch server uncovered by researchers. Both the origin and owners of the database remain unknown. However, the researchers were able to validate the veracity of the data, as Spotify confirmed that the information had been used to defraud both the company and its users.
Passwords exposed for almost 50,000 vulnerable Fortinet VPNs
A hacker has now leaked the credentials for almost 50,000 vulnerable Fortinet VPNs.
Over the weekend, a hacker posted a list of one-line exploits to steal VPN credentials from these devices.
Present on the list of vulnerable targets are IPs belonging to high street banks, telecoms, and government organizations from around the world.
Vulnerabilities
UK urges orgs to patch critical MobileIron RCE bug
The UK National Cyber Security Centre (NCSC) issued an alert yesterday, prompting all organizations to patch the critical CVE-2020-15505 remote code execution (RCE) vulnerability in MobileIron mobile device management (MDM) systems.
An MDM is a software platform that allows administrators to remotely manage mobile devices in their organization, including the pushing out of apps, updates, and the ability to change settings. This management is all done from a central location, such as an admin console running on the organization's server, making it a prime target for attackers.
Critical Unpatched VMware Flaw Affects Multiple Corporate Products
VMware has released temporary workarounds to address a critical vulnerability in its products that could be exploited by an attacker to take control of an affected system.
"A malicious actor with network access to the administrative configurator on port 8443 and a valid password for the configurator admin account can execute commands with unrestricted privileges on the underlying operating system," the virtualization software and services firm noted in its advisory.
Tracked as CVE-2020-4006, the command injection vulnerability has a CVSS score of 9.1 out of 10 and impacts VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector.
https://thehackernews.com/2020/11/critical-unpatched-vmware-flaw-affects.html
GitHub fixes 'high severity' security flaw spotted by Google
GitHub has finally fixed a high severity security flaw reported to it by Google Project Zero more than three months ago.
The bug affected GitHub's Actions feature, a developer workflow automation tool, which was "highly vulnerable to injection attacks".
GitHub Actions supports a feature called workflow commands, which acts as a communication channel between the Action runner and the executed action.
https://www.zdnet.com/article/github-fixes-high-severity-security-flaw-spotted-by-google/
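To show why parsing workflow commands out of an action's output is an injection risk, here is an added, simplified model of that channel (not GitHub's runner code and not from the article): the runner treats any output line of the form `::command params::value` as an instruction, so untrusted text that an action echoes verbatim can set environment variables for later steps; wrapping the untrusted output in a `::stop-commands::` / resume pair with an unguessable token stops the runner from interpreting it. The action, the issue title and the token are constructed for the example.

```python
import re
import secrets
from typing import Dict, List

# Constructed model of the workflow-command syntax: "::cmd params::value".
CMD_RE = re.compile(r"^::(?P<cmd>[^\s:]+)(?:\s+(?P<params>[^:]*))?::(?P<value>.*)$")


def parse_params(raw: str) -> Dict[str, str]:
    """Turn 'name=FOO,other=bar' into a dict (comma-separated key=value pairs)."""
    return dict(p.split("=", 1) for p in raw.split(",") if "=" in p)


def process_output(lines: List[str]) -> Dict[str, str]:
    """Simulated runner: scan an action's stdout and collect set-env commands.

    Between '::stop-commands::TOKEN' and '::TOKEN::' every line is plain text.
    """
    env: Dict[str, str] = {}
    stop_token = None
    for line in lines:
        m = CMD_RE.match(line)
        if not m:
            continue
        cmd, params, value = m.group("cmd"), m.group("params") or "", m.group("value")
        if stop_token is not None:
            if cmd == stop_token:      # matching resume line ends the suspension
                stop_token = None
            continue                   # anything else is ignored while suspended
        if cmd == "stop-commands":
            stop_token = value
        elif cmd == "set-env":
            name = parse_params(params).get("name")
            if name:
                env[name] = value      # lands in later steps' environment
    return env


# Hypothetical action that logs an issue title verbatim, one field per line.
def render_issue_output(title: str) -> List[str]:
    return ["Processing issue", title, "Done"]


# Same action, but untrusted text is fenced off from command parsing.
# The token must be unguessable, or the text could contain its own resume line.
def render_issue_output_safe(title: str, token: str = None) -> List[str]:
    token = token or secrets.token_hex(16)
    return ["Processing issue", f"::stop-commands::{token}", title, f"::{token}::", "Done"]


# Constructed attacker-controlled issue title shaped like a workflow command.
UNTRUSTED_TITLE = "::set-env name=INJECTED::yes"
```

Run `process_output(render_issue_output(UNTRUSTED_TITLE))` to see the injected variable appear, and the `_safe` variant to see it ignored.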
Google Chrome users still vulnerable to multiple zero-day attacks
As business users and consumers have moved most of their workloads to the cloud, more and more of their work is being done in web browsers such as Google Chrome as opposed to in applications installed locally on their systems.
This means that the web browser is now an essential yet vulnerable entry point that if compromised, could give cybercriminals access to a user's entire digital life including their email, online banking, social networks and more. However, despite this risk, users are failing to update to the latest version of Google Chrome.
https://www.techradar.com/news/google-chrome-users-still-vulnerable-to-multiple-zero-day-attacks
Microsoft releases patching guidance for Kerberos security bug
Microsoft has released details on how to fully mitigate a security feature bypass vulnerability in the Kerberos KDC (Key Distribution Centre) that was patched during this month's Patch Tuesday.
The remotely exploitable security bug tracked as CVE-2020-17049 exists in the way KDC decides if service tickets can be used for delegation via Kerberos Constrained Delegation (KCD).
Kerberos is the default authentication protocol for domain-connected devices running Windows 2000 or later. The Kerberos KDC is the component that manages the service tickets used to encrypt messages between network servers and clients.
Data Breaches
Sophos notifies customers of data exposure after database misconfiguration
UK-based cyber-security vendor Sophos is currently notifying customers via email about a security breach the company suffered earlier this week.
Exposed information included details such as customer first and last names, email addresses, and phone numbers (if provided).
Privacy
Microsoft productivity score feature criticised as workplace surveillance
Microsoft has been criticised for enabling “workplace surveillance” after privacy campaigners warned that the company’s “productivity score” feature allows managers to use Microsoft 365 to track their employees’ activity at an individual level.
The tools, first released in 2019, are designed to “provide you visibility into how your organisation works”, according to a Microsoft blogpost, and aggregate information about everything from email use to network connectivity into a headline percentage for office productivity.
Other News
Robot vacuum cleaners can eavesdrop on your conversations, researchers reveal - Bitdefender
You can protect the company from hackers, but can you protect the company from the CEO?
Botnets have been silently mass-scanning the internet for unsecured ENV files | ZDNet
Windows 10 KB4586819 update fixes gaming and USB 3.0 issues (bleepingcomputer.com)
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.