Threat Intelligence Blog

Contact us to discuss any insights from our Blog, and how we can support you in a tailored threat intelligence report.

Black Arrow Admin Black Arrow Admin

Black Arrow Cyber Threat Briefing 05 May 2022

Black Arrow Cyber Threat Briefing 05 May 2022

-Cyber Scams Cost Victims $6.9b-Plus Worldwide in 2021

-Bad Actors Are Maximizing Remote Everything

-New Hacker Group Pursuing Corporate Employees Focused on Mergers and Acquisitions

-FBI: Business Email Compromise: The $43 Billion Scam

-Disgruntled Employees Cashing in On Confidential Information Over Dark Web

-Google Sees More APTs Using Ukraine War-Related Themes

-Cryptocurrency Regulators Are Scrambling to Catch Up with Hackers Who Are Swiping Billions

-Tackling the Threats Posed by Shadow IT

-Hackers Used the Log4j Flaw to Gain Access Before Moving Across a Company's Network, Say Security Researchers

-This Sneaky Hacking Group Hid Inside Networks For 18 Months Without Being Detected

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

  • Cyber Scams Cost Victims $6.9b-Plus Worldwide in 2021

Cyber-scams cost victims around the globe at least $6.9 billion last year, according to the FBI's latest Internet Crime Report.

Since 2017, the bureau's Internet Crime Complaint Center (IC3) received an average of 552,000 complaints per year. This includes reports of extortion, identity theft, phishing, fraud, and a slew of other nefarious schemes that cost victims no less than $18.7 billion in losses over the five-year period.

Unsurprisingly, the volume of these crimes — and related costs — have grown every year; 2021 set records for the total number of complaints (847,376) as well as losses exceeding $6.9 billion, a jump from the $4.2 billion reported a year earlier.

As with earlier years, phishing attacks were by far the most commonly reported crimes, with 323,972 last year. A subset of this category, business email compromise (BEC), is proving very lucrative and cost victims almost $2.4 billion from 19,954 victims, according to the Feds.

BEC involves a cyber criminal compromising a legitimate email account, and then tricking a business or individual into transferring funds, sending employees' personal data, or unlocking cryptocurrency wallets. The fraudster then steals the cash, drains the crypto wallet and/or sells employees' identities and credentials on the dark web.

https://www.theregister.com/2022/05/05/fbi_cyber_scams/

  • Bad Actors Are Maximising Remote Everything

The rise of remote work and learning opened new opportunities for many people – as we’ve seen by the number of people who have moved to new places or adapted to “workcations.” Cyber criminals are taking advantage of the same opportunities – just in a different way. Evaluating the prevalence of malware variants by region reveals a sustained interest by cyber adversaries in maximising the remote work and learning attack vector.

As hybrid work and learning become embedded paradigms in our culture, there are fewer layers of protection between malware and would-be victims. And bad actors are gaining access to more tools to help them pull off their nefarious deeds – like exploit kits. At the same time, the attack surface has rapidly expanded and continues to do so.

That means enterprises must take a work-from-anywhere approach to their security. They need to deploy solutions capable of following, enabling and protecting users no matter where they are located. They need security on the endpoint (EDR) combined with zero trust network access (ZTNA) approaches.

https://threatpost.com/bad-actors-remote-everything/179458/

  • This Sneaky Hacking Group Hid Inside Networks For 18 Months Without Being Detected

A previously undisclosed cyber-espionage group is using clever techniques to breach corporate networks and steal information related to mergers, acquisitions and other large financial transactions – and they've been able to remain undetected by victims for periods of more than 18 months.

Detailed by cyber security researchers at Mandiant, who've named it UNC3524, the hacking operation has been active since at least December 2019 and uses a range of advanced methods to infiltrate and maintain persistence on compromised networks that set it apart from most other hacking groups. These methods include the ability to immediately re-infect environments after access is removed. It's currently unknown how initial access is achieved. 

One of the reasons UNC3524 is so successful at maintaining persistence on networks for such a long time is because it installs backdoors on applications and services that don't support security tools, such as anti-virus or endpoint protection.

https://www.zdnet.com/article/this-sneaky-hacking-group-hid-inside-networks-for-18-months-without-being-detected/

  • FBI: Business Email Compromise: The $43 Billion Scam

According to the FBI, business email compromise (BEC) and email account compromise (EAC) losses have surpassed $43 billion globally. BEC/EAC is a sophisticated scam that targets both businesses and individuals who perform legitimate transfer-of-funds requests.

The BEC/EAC scam continues to grow and evolve, targeting small local businesses to larger corporations, and personal transactions. Between July 2019 and December 2021, there was a 65% increase in identified global exposed losses, meaning the dollar loss that includes both actual and attempted loss in United States dollars.

The following information was derived from filings with financial institutions between June 2016 and December 2021:

  • Domestic and international incidents: 241,206

  • Domestic and international exposed dollar loss: $43,312,749,946

The following BEC/EAC statistics were reported in victim complaints to the IC3 between October 2013 and December 2021:

  • Total US victims: 116,401

  • Total US exposed dollar loss: $14,762,978,290

  • Total non-US victims: 5,260

  • Total non-US exposed dollar loss: $1,277,131,099

https://informationsecuritybuzz.com/expert-comments/fbi-business-email-compromise-the-43-billion-scam/

  • Disgruntled Employees Cashing in On Confidential Information Over Dark Web

Disgruntled employees are making hundreds of thousands of dollars by leaking confidential information over a new platform on the so-called dark web, cyber researchers have said.

Hidden in a part of the internet that is only accessible using special software, the Industrial Spy platform promises huge payouts to staff willing to hand over "dirty secrets" to competitors, according to experts at intelligence business Cyberint.

Industrial Spy currently has data on twelve companies from a range of industries available to people who sign up, Cyberint said.

The platform recently managed to sell two tranches of company data for $400,000 (£318,236) and $750,000 each.

An individual has advertised the platform to potential purchasers of the data on the dark web.

The post said: "With our information you could refuse partnership with an unscrupulous partner, reveal dirty secrets of your competitors and earn millions of dollars using insider information."

Cyber criminals have long approached employees individually and offered a bribe to release sensitive information such as internal data and passwords to access computer systems.

But this new platform allows employees to act on their own initiative to steal data and sell it online.

https://www.telegraph.co.uk/business/2022/05/02/disgruntled-employees-cashing-confidential-information-dark/

  • Google Sees More APTs Using Ukraine War-Related Themes

Researchers at Google's Threat Analysis Group (TAG) say the number of advanced threat actors using Ukraine war-related themes in cyber attacks went up in April with a surge in malware attacks targeting critical infrastructure.

According to Google, known state-backed APT groups from China, Iran, North Korea, and Russia, along with various unattributed groups have been using war-related themes in phishing and malware distribution campaigns.

Looking at the cyber attacks that target Eastern Europe, however, a new Google report notes there hasn't been a significant change from the normal levels of activity, despite the increased adoption of lures related to the Ukraine war.

https://www.securityweek.com/google-sees-more-apts-using-ukraine-war-related-themes

  • Cryptocurrency Regulators Are Scrambling to Catch Up with Hackers Who Are Swiping Billions

Just four months in, 2022 has been a banner year for hackers, and fraudsters targeting the industry have swindled more than $1 billion from cryptocurrency investors, according to separate estimates by cryptocurrency analysis firm Immunefi.

The rise in fraud has put US regulators on the offensive. The US Securities and Exchange Commission, which has positioned itself as the industry’s main regulator and enforcer, announced on Tuesday that it was going to double its staff working to resources to combat the rise in fraud.

“Crypto markets have exploded in recent years, with retail investors bearing the brunt of abuses in this space. Meanwhile, cyber-related threats continue to pose existential risks to our financial markets and participants,” Gurbir Grewal, director of the SEC’s Division of Enforcement said in a statement. “The bolstered Crypto Assets and Cyber Unit will be at the forefront of protecting investors and ensuring fair and orderly markets in the face of these critical challenges.”

https://www.cyberscoop.com/cryptocurrency-sec-cybersecurity-bitcoin-regulation-enforcement/

  • Tackling the Threats Posed by Shadow IT

While remote technologies have allowed businesses to shift their workforces online, this flexibility has created a swathe of challenges for IT teams who must provide a robust security framework for their organisation – encompassing all the personnel and devices within their remit. In addition to the ever-increasing number of personal devices, corporate devices and programs, more and more applications are moving to the cloud as workloads become increasingly distributed across public clouds and software-as-a-service (SaaS).

This means IT teams are even harder pressed to secure and manage the complex environments they operate in. The unsanctioned use of corporate IT systems, devices, and software – known as shadow IT – has increased significantly during the shift to remote work, and recent research found almost one in seven (68%) are concerned about information security because of employees following shadow IT practices.

Shadow IT can allow hackers to steal employee and customer identities, company intellectual property, and cause companies to fail compliance audits. It can also open the door to enterprises accidentally breaking laws and exposes organisations to data exfiltration, malware, and phishing.

https://www.helpnetsecurity.com/2022/05/05/shadow-it-risk/

  • Hackers Used the Log4j Flaw to Gain Access Before Moving Across a Company's Network, Say Security Researchers

State-backed hacking groups are some of the most advanced cyber attack operations in the world - but criminals don't need to rely on them if they can exploit unpatched cyber security flaws.

A North Korean hacking and cyber espionage operation breached the network of an engineering firm linked to military and energy organisations by exploiting a cyber security vulnerability in Log4j.

First detailed in December, the vulnerability (CVE-2021-44228) allows attackers to remotely execute code and gain access to systems that use Log4j, a widely used Java logging library.

The ubiquitous nature of Log4j meant cyber security agencies urged organisations globally to apply security updates as quickly as possible, but months on from disclosure, many are still vulnerable to the flaw.

According to cyber security researchers at Symantec, one of those companies that was still vulnerable was an undisclosed engineering firm that works in the energy and military sectors. That vulnerability resulted in the company being breached when attackers exploited the gap on a public-facing VMware View server in February this year. From there, attackers were able to move around the network and compromise at least 18 computers.

https://www.zdnet.com/article/heres-how-hackers-used-the-log4j-flaw-to-gain-access-before-moving-across-a-companys-network/

  • New Hacker Group Pursuing Corporate Employees Focused on Mergers and Acquisitions

[Explanatory note from Black Arrow: When a group of cyber attackers is identified by the cyber security community, it is given a code name usually composed of letters and digits. These groups are also sometimes referred to as APTs., or Advanced Persistent Threats, because the groups are highly skilled and are persistent in their attacks; they are often supported by their state government].

A newly discovered suspected espionage threat actor has been targeting employees focusing on mergers and acquisitions as well as large corporate transactions to facilitate bulk email collection from victim environments.

Mandiant is tracking the activity cluster under the uncategorised moniker UNC3524, citing a lack of evidence linking it to an existing group. However, some of the intrusions are said to mirror techniques used by different Russia-based hacking crews like APT28 and APT29.

"The high level of operational security, low malware footprint, adept evasive skills, and a large Internet of Things (IoT) device botnet set this group apart and emphasise the 'advanced' in Advanced Persistent Threat," the threat intelligence firm said in a report.

The initial access route is unknown but upon gaining a foothold, attack chains involving UNC3524 culminate in the deployment of a novel backdoor called QUIETEXIT for persistent remote access for as long as 18 months without getting detected in some cases.

https://thehackernews.com/2022/05/new-hacker-group-pursuing-corporate.html


Threats

Ransomware

Phishing & Email Based Attacks

Malware

Mobile

IoT

Organised Crime & Criminal Actors

Cryptocurrency/Cryptomining/Cryptojacking/NFTs

Supply Chain

Open Source

Passwords & Credential Stuffing

Spyware, Espionage & Cyber Warfare, including Russian Invasion of Ukraine


Nation State Actors

Nation State Actors – Russia

Nation State Actors – China

Nation State Actors – North Korea

Nation State Actors – Misc





As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Read More