Threat Intelligence Blog

Contact us to discuss any insights from our Blog, and how we can support you in a tailored threat intelligence report.

Black Arrow Admin Black Arrow Admin

Black Arrow Cyber Threat Briefing 24 May 2024

Black Arrow Cyber Threat Intelligence Briefing 24 May 2024:

-Human Error and AI Tops Cyber Threats as 70% of CISOs Worry About Risk

-Threat Research Highlights Growing Mobile Security Risks

-The State of Cyber Security: AI and Geopolitics Mean a Bigger Threat Than Ever

-Family Offices Become Prime Targets for Cyber Hacks and Ransomware

-Ransomware Fallout - 94% Experience Downtime, 40% Face Work Stoppage

-Employee Discontent - Insider Threat No. 1

-Report Reveals 341% Rise in Advanced Phishing Attacks

-Ransomware and GenAI Raise Security Challenges, Driving Cyber Investment

-New Rules Prompt 93% of Organisations to Rethink Cyber Security Plans

-HR and IT Related Phishing Scams Still Most Popular According to KnowBe4’s Latest Phishing Report

-80% of Exposures from Misconfigurations, as 15 Vendors Account for 62% of Global Attack Surface

-UK to Propose Mandatory Reporting for Ransomware Attacks and Licensing Regime for all Payments

-UK’s Legal Sector Needs to Improve its Cyber Security, Says Experts

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

Human Error and AI Tops Cyber Threats as 70% of CISOs Worry About Risk

According to a survey of 1,600 CISOs, 70% worry about the risk of a material cyber attack over the next 12 months. Additionally, nearly 31% believe an attack is very likely, compared to 25% in 2023.  Amongst the largest concerns were human error, with 75% of CISOs identifying it as their most significant cyber vulnerability, up from 60% in 2023. Furthermore, 80% anticipate that human risk and employee negligence in particular will be major cyber security issues in the next two years.  Additionally, artificial intelligence was identified as an emerging concern for 54% of CISOs.

Sources: [The Register] [Infosecurity Magazine] [Cryptopolitan]

The State of Cyber Security: AI and Geopolitics Mean a Bigger Threat Than Ever

A recent report by Check Point reveals that global organisations faced an average of 1,158 weekly cyber attacks in 2023, an increase from 2022. In the UK, 50% of businesses experienced cyber attacks in the past year, with medium and large-sized businesses more affected at 70% and 74%, respectively. A ClubCISO survey found 62% of CISOs believe organisations are ill-equipped for AI-driven attacks, yet 77% haven't increased cyber security spending.

Additionally, a British Foreign Policy Group (BFPG) article highlights cyber threats from geopolitical tensions, with a recent attack on the Ministry of Defence exposing HR and payroll data. The National Cyber Security Centre attributes such attacks to state-affiliated actors like China and Russia. Despite efforts to establish international cyber norms, enforcement remains challenging. Businesses must recognise that cyber security is now deeply intertwined with geopolitics, affecting strategic partnerships and procurement.

Sources: [Verdict] [BFPG]

Threat Research Highlights Growing Mobile Security Risks

A recent report by a cloud security vendor focusing on the mobile threat landscape found that in the first quarter of 2024, the number of phishing, malicious, denylisted and offensive links delivered to their customers’ mobile devices tripled compared to Q1 2023. The report, which bases its data on 220 million devices, 325 million apps and billions of web items, found that the most common misconfiguration in mobiles was out of date operating systems (37%). When it came to the prevalence of attacks, 75% of organisations reported experiencing mobile phishing attempts targeting their employees.

This comes as a representative from the US Cybersecurity and Infrastructure Security Agency told the Federal Communications Commission earlier this year that there had been “numerous incidents of successful, unauthorised attempts” to steal location data, monitor voice and text messages, and deliver spyware.

Sources: [Economist] [Business Wire]

Family Offices Become Prime Targets for Cyber Hacks and Ransomware

A recent Dentons survey reveals that nearly 80% of family offices perceive a dramatic increase in cyber attack threats, with a quarter experiencing an attack in 2023, up from 17% in 2020. Despite their wealth, family offices often lack the staff and technology to manage these risks effectively. Less than a third report well-developed cyber risk management processes, and only 29% believe their cyber training programs are sufficient. This gap between awareness and action highlights the need for family offices to prioritise comprehensive cyber security measures, including better training, updated policies, and secure communication practices.

Source: [CNBC]

Ransomware Fallout: 94% Experience Downtime, 40% Face Work Stoppage

According to a report by cyber security provider Arctic Wolf, within the last 12 months 48% of organisations identified evidence of a successful breach within their environment and 70% of organisations were the targets of attempted Business Email Compromise (BEC) attacks, with 29% of these targets becoming victims of one or more successful BEC occurrences.

In its survey, the company says “45% of the organizations we spoke with admitted to being the victim of a ransomware attack within the last 12 months”,  an increase from the prior year. Of those impacted by ransomware, 86% of attacks including successful data exfiltration and 94% of those impacted by a ransom event experienced a significant downtime and delays. 40% of victims stated they experienced a period of total work stoppage due to ransomware.

Source: [Help Net Security]

Employee Discontent: Insider Threat No. 1

Chief Information Security Officers (CISOs) must integrate human factors into insider risk management (IRM), not just rely on detection technologies. IRM must consider factors such as those raised by recent research where only half of US workers are very satisfied with their jobs, and 28% feel their employers don't care about them. CISOs themselves are affected by job satisfaction; the 2024 IANS/Artico report shows three out of four CISOs are ready to leave their roles. DTEX Systems found 77% of malicious insiders concealed their activities, emphasising the importance of human engagement and feedback in mitigating risks.

Source: [CSO]

Report Reveals 341% Rise in Advanced Phishing Attacks

A recent report has revealed malicious emails increased by 341% over the past 6 months. This included a 217% increase in credential harvesting phishing attacks and a 29% increase in Business Email Compromise (BEC) attacks. The report highlighted the impact of artificial intelligence, noting that since the launch of ChatGPT in November 2022, there has been a 4,151% surge in malicious phishing messages.

Source: [Security Magazine] [ Infosecurity Magazine]

Ransomware and GenAI Raise Security Challenges, Driving Cyber Investment

A recent study by Infosecurity Europe reveals that nearly 40% of cyber security leaders are increasing investments to combat the growing threats of ransomware and AI-generated attacks. A separate survey found 94% of organisations have or plan to implement generative AI use policies, and a third strictly forbid AI tech in their environment. This data highlights the ongoing effort to balance AI benefits with security risks, indicating that there isn’t a one-size-fits-all strategy for formalising AI adoption and usage policies.

Source: [Security Boulevard] [Infosecurity Magazine]

New Rules Prompt 93% of Organisations to Rethink Cyber Security Plans

A recent report reveals that 93% of organisations have re-evaluated their cyber security strategies due to new regulations, with 58% reconsidering their entire approach. The survey, which included 500 cyber security decision-makers from the US and UK, found that 92% reported increased security budgets, with 36% seeing rises of 20-49% and 23% experiencing over 50% increases. Despite this, only 40% feel confident in their resources to comply with regulations, and just one-third believe they can meet all requirements, highlighting significant gaps in preparedness.

Source: [security magazine]

HR and IT Related Phishing Scams Still Most Popular According to KnowBe4’s Latest Phishing Report

A recent KnowBe4 report reveals that HR-related phishing emails account for 42% of top-clicked phishing attempts, followed by IT-related emails at 30%. These phishing tactics exploit employees' trust and evoke immediate responses by mimicking legitimate business communications about dress code changes, tax updates, and training notifications. The report also highlights that nearly a third of users are vulnerable to phishing, emphasising the need for robust security awareness training. A well-trained workforce is essential in defending against increasingly sophisticated phishing attacks that leverage AI and emotional manipulation.

Source: [IT Security Guru]

80% of Exposures from Misconfigurations, as 15 Vendors Account for 62% of Global Attack Surface

A recent XM Cyber report highlights a significant gap in cyber security focus with identity and credential misconfigurations accounting for 80% of security exposures. The study, based on hundreds of thousands of attack path assessments, found that 62% of the global attack surface is concentrated in just 15 vendors. Furthermore, 41% of organisations had at least one compromised device, and 11% experienced ransomware incidents. The report underscores the need for a shift from patching all vulnerabilities to addressing high-impact exposures, especially those around identity management and critical asset protection.

Sources: [Security Magazine] [The Hacker News]

UK to Propose Mandatory Reporting for Ransomware Attacks and Licensing Regime for all Payments

A forthcoming proposal in Britain aims to overhaul the response to ransomware by mandating victims to report incidents and obtain a license before making extortion payments. This initiative, part of a public consultation, includes a ban on ransom payments for critical national infrastructure to deter attacks. The National Cyber Security Centre has highlighted concerns over underreporting, with a 2023 increase in ransomware-related data breaches. The plan’s success hinges on replacing the delayed Action Fraud reporting platform. This proposal marks a significant step in global ransomware policy, with Britain leading international efforts against cyber criminals.

Source: [The Record Media]

UK’s Legal Sector Needs to Improve its Cyber Security, Says Experts

One in ten UK data breaches in 2023 occurred in the legal sector, highlighting that UK law firms are attractive targets for cyber criminals. A recent analysis of the UK’s Information Commissioner's Office (ICO) data found that the legal sector is one of the worst performing sectors for data breaches, with nearly 86 per cent of the incidents within the legal sector involving breaches of personal identifiable information, including instances also affecting sensitive economic and financial data.

Sources [CITY AM]

Governance, Risk and Compliance

Threats

Ransomware, Extortion and Destructive Attacks

Ransomware Victims

Phishing & Email Based Attacks

BEC

Other Social Engineering

Artificial Intelligence

2FA/MFA

Malware

Mobile

Internet of Things – IoT

Data Breaches/Leaks

Organised Crime & Criminal Actors

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

Insider Risk and Insider Threats

Insurance

Supply Chain and Third Parties

Cloud/SaaS

Identity and Access Management

Encryption

Linux and Open Source

Passwords, Credential Stuffing & Brute Force Attacks

Social Media

Malvertising

Training, Education and Awareness

Regulations, Fines and Legislation

Backup and Recovery

Data Protection

Careers, Working in Cyber and Information Security

Law Enforcement Action and Take Downs

Nation State Actors, Advanced Persistent Threats (APTs), Cyber Warfare, Cyber Espionage and Geopolitical Threats/Activity

Cyber Warfare and Cyber Espionage

Nation State Actors

China

Russia

Iran

North Korea

Other Nation State Actors, Hacktivism, Extremism, Terrorism and Other Geopolitical Threat Intelligence

Vulnerability Management

Vulnerabilities

Tools and Controls

Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

·         Automotive

·         Construction

·         Critical National Infrastructure (CNI)

·         Defence & Space

·         Education & Academia

·         Energy & Utilities

·         Estate Agencies

·         Financial Services

·         FinTech

·         Food & Agriculture

·         Gaming & Gambling

·         Government & Public Sector (including Law Enforcement)

·         Health/Medical/Pharma

·         Hotels & Hospitality

·         Insurance

·         Legal

·         Manufacturing

·         Maritime

·         Oil, Gas & Mining

·         OT, ICS, IIoT, SCADA & Cyber-Physical Systems

·         Retail & eCommerce

·         Small and Medium Sized Businesses (SMBs)

·         Startups

·         Telecoms

·         Third Sector & Charities

·         Transport & Aviation

·         Web3

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Read More
Black Arrow Admin Black Arrow Admin

Black Arrow Cyber Threat Briefing 03 May 2024

Black Arrow Cyber Threat Intelligence Briefing 03 May 2024:

-Most Attacks Impacting SMB’s Target Older, Unpatched Vulnerabilities

-91% of Ransomware Victims Paid At least One Ransom in the Past Year, as 1 in 5 Ransomware Attacks Triggers Lawsuit

-BEC and Fund Transfer Fraud Top Insurance Claims

-Correlating Cyber Investments with Business Outcomes

-Vulnerability Exploitation up 180%, 68% of Breaches involved Humans and Supply Chain Weak Link

-MOVEit & Change Healthcare Attacks Designated as Cyber Catastrophe Loss Events by Insurer

-Securing Your Organisation’s Supply Chain: Reducing the Risks of Third Parties

-Why Remote Desktop Tools are Facing an Onslaught of Cyber Threats

-95% of Organisations Revamped Cyber Security Strategies in the Last Year: Make Sure Yours is Right

-Human Factor a Significant Risk for Small and Medium-Sized Businesses.

-Microsoft CEO Says it is Putting Security Above All Else in Major Refocus

-Ending the Culture of Silence in Cyber Security; Three Ways to Empower Teams

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

Most Attacks Impacting SMB’s Target Older, Unpatched Vulnerabilities

Attackers continue to aggressively target small and mid-size businesses using specific high-profile vulnerabilities dating back a decade or more, network telemetry shows. Findings have shown that this is due to these vulnerabilities featuring in a wide range of products. Due to their prevalence, they can often become missed by organisations conducting patch management and therefore leave the organisation open.

For this reason it is critical that all organisations, including smaller organisations, have internal as well as external vulnerability scanning. You might believe your systems are patched up to date but there is no way to confirm without scanning , or to know which patches might have been missed.

Sources: [Infosecurity Magazine]

91% of Ransomware Victims Paid At least One Ransom in the Past Year, as 1 in 5 Ransomware Attacks Triggers Lawsuit

Ransomware attacks saw a significant surge in 2023, following a dip in 2022. The number of victims increased by 66% from 2022 to 2023, with 91% of those affected paying at least one ransom. 58% of organisations have been targeted six times or more.

The Sophos State of Ransomware 2023 report highlighted ransom payments rose by 500%; nearly two-thirds exceeded $1m or more, with an average payment of $2m. Furthermore, 30% of the demands were for over $5m.

In the US, 18% of incidents led to litigation, with 123 lawsuits filed in 2023 and 355 over five years. Data breaches, affecting 283.3 million records, primarily triggered these lawsuits, especially in healthcare and finance sectors. The resolution rate is 59%, with the highest settlement at $8.7m. Regulatory fines added nearly $10m to the financial impact. These figures underscore the significant financial implications of ransomware attacks and the urgent need for robust cyber security measures.

Sources: [ZD Net] [Infosecurity Magazine] [Security Magazine] [PrNewsWire] [Infosecurity Magazine]

BEC and Fund Transfer Fraud Top Insurance Claims

Cyber Insurer Coalition's 2024 Cyber Claims Report highlights a significant trend in cyber security threats, identifying email-based fraud as the predominant cause of insurance claims in 2023, accounting for 53% of all claims. Business email compromise (BEC) and funds transfer fraud (FTF) topped the list, contributing to 28% of claims and increasing claim amounts by 24% to an average loss exceeding $278,000. In contrast, ransomware, while less frequent at 19% of claims, also saw a rise in both frequency and severity, with average losses climbing to over $263,000. The report also notes a 13% year-on-year surge in overall claims, with substantial losses tied to compromised network security devices and a notable vulnerability in organisations using exposed remote desktop protocols.

Source: [Infosecurity Magazine]

Correlating Cyber Investments with Business Outcomes

The US Securities and Exchange Commission (SEC) has implemented stringent new rules compelling organisations to report significant cyber incidents within four days and to annually disclose details concerning their cyber security risk management, strategy, and governance. These mandates are seen as giving “more teeth to the idea that cyber security is a business problem” and “bringing an element of cyber security to the boardroom” according to cyber security solutions provider SecurityGate. Highlighted in the "Cybersecurity Insights" podcast, experts argue for simplifying cyber security strategies, advocating sustained resource allocation over reactive measures, and emphasising the importance of training over expensive solutions. These steps are deemed crucial for enhancing organisational resilience and security in a landscape where cyber threats are increasingly sophisticated and pervasive.

Source: [InfoRisk Today

Verizon: Vulnerability Exploitation up 180%, 68% of Breaches involved Humans and Supply Chain Weak Link

Verizon has released the findings of its 17th Annual Data Breach Investigations Report, which showed security incidents doubled year over year in 2023 to a record high 30,458 security events and 10,626 confirmed breaches. Some of the key takeaways from the 100-page report include zero-day attacks on unpatched systems and devices rising 180% in 2023, most breaches (68%) involving a non-malicious human element and the median time for users to fall for phishing emails falling just south of 60 seconds. In its first inclusion as a separate metric, supply chain attacks were found to contribute to 15% of all attacks.

Sources: [MSSP Alert] [Verizon]

MOVEit & Change Healthcare Attacks Designated as Cyber Catastrophe Loss Events by Insurer

Verisk’s Property Claim Services (PCS) has recently identified the MOVEit and Change Healthcare cyber attacks as significant Cyber Catastrophe Loss Events. These designations are part of PCS’s Global Cyber solution, which tracks cyber incidents and their potential impact on the insurance market. The designation indicates that each attack is anticipated to result in insurance industry losses exceeding USD 250 million.

The MOVEit attack, linked to the Russian-affiliated group Cl0p, compromised over 2,700 organisations globally, affecting up to 90 million individuals. The Change Healthcare attack, attributed to the ALPHV/Blackcat gang, notably disrupted UnitedHealth Group’s operations, with projected costs and lost revenue totalling up to USD 1.6 billion. These designations highlight the escalating scale and financial impact of cyber incidents on global markets.

Source: [Reinsurance News]

Securing Your Organisation’s Supply Chain: Reducing the Risks of Third Parties

Nearly every organisation is part of a supply chain, where a significant amount of data is transferred. When data leaves your infrastructure, its security depends on the third party. The risks of a cyber incident increases as the supply chain increases.

Organisations need to mitigate the risks that their third party brings. This requires an understanding of the supply chain actors, and performing cyber security assessments of the most critical ones. The objective is to ensure that your organisation is satisfied with the third party’s security controls, or to work together to remediate any gaps.

Source: [Help Net Security]

Why Remote Desktop Tools are Facing an Onslaught of Cyber Threats

In the era of hybrid work, remote desktop tools have become crucial yet vulnerable points within corporate networks, attracting significant cyber criminal attention. A study by Barracuda Networks underscores the challenges of securing these tools. Virtual Network Computing (VNC) is particularly susceptible; it is targeted in 98% of these types of attacks due to its use of multiple, sometimes unsecured ports. VNC attacks predominantly exploit weak password practices, notably through brute force methods. Conversely, Remote Desktop Protocol (RDP) accounts for about 1.6% of these attacks but is favoured for more extensive network breaches, often involving ransomware or crypto mining. The study highlights a pressing need for robust endpoint management and heightened security measures to mitigate these threats.

Source: [ITPro]

95% of Organisations Revamped Cyber Security Strategies in the Last Year: Make Sure Yours is Right

A recent report found that 95% of companies have altered their cyber security strategies in the last twelve months. This was driven by keeping pace with the shifting regulatory landscape (98%), the need to meet customer expectations for data protection and privacy (89%), and the rise of AI-driven threats and solutions (65%). Almost half (44%) of non-security executives do not understand the regulatory requirements their organisation must adhere to.

When it came to reporting, the study found that security teams aren’t reporting on key operational metrics that define whether their security investments and strategy changes have a measurable impact. It is evident that there is a disconnect between security and non-security professionals when it comes to the business strategy.

Sources: [Business Wire] [Security Magazine]

Human Factor a Significant Risk for Small and Medium-Sized Businesses.

A survey of business and IT security in small and medium-sized businesses (SMBs) conducted by LastPass found that roughly one in five business leaders admits to circumventing security policies, as do one in 10 IT security leaders. The survey found that password management is critically important to cyber security, with nearly half (47%) reporting recent breaches due to compromised passwords.

Sources: [Beta News] [Business Wire]

Microsoft CEO Says it is Putting Security Above All Else in Major Refocus

Following a series of high-profile attacks in recent months and a report by the US Cyber Safety Review Board (CSRB), Microsoft’s CEO has revealed it will now focus its efforts on an increase in the commitment to security. Investigating a summer 2023 attack, Microsoft was deemed to have made a series of “avoidable errors”, including the failure to detect several compromises, the CSRB said.

Sources: [TechRadar]

Ending the Culture of Silence in Cyber Security; Three Ways to Empower Teams

A recent discussion on workplace errors highlights the significant repercussions of cyber breaches compared to typical office mistakes. In the UK, nearly a third of businesses face cyber attacks weekly, with each breach costing approximately £4,000. However, a concerning trend is that 41% of these breaches are not reported to internal leadership, often due to fears among staff about the consequences of admitting faults. A three-pronged approach has been suggested to foster a blame-free culture: providing tailored and evolving cyber training, establishing safe zones for admitting mistakes, and implementing robust recovery plans. This approach not only prepares employees to handle potential breaches more effectively but also encourages them to report incidents promptly, reducing the overall impact and aiding quicker recovery. Such strategies are essential for maintaining resilience against increasingly sophisticated cyber threats.

Source: [Minute Hack]

Governance, Risk and Compliance

Threats

Ransomware, Extortion and Destructive Attacks

Ransomware Victims

Phishing & Email Based Attacks

BEC

Other Social Engineering

Artificial Intelligence

2FA/MFA

Malware

Mobile

Denial of Service/DoS/DDOS

Internet of Things – IoT

Data Breaches/Leaks

Organised Crime & Criminal Actors

Insider Risk and Insider Threats

Insurance

Supply Chain and Third Parties

Cloud/SaaS

Encryption

Linux and Open Source

Passwords, Credential Stuffing & Brute Force Attacks

Social Media

Training, Education and Awareness

Regulations, Fines and Legislation

Data Protection

Careers, Working in Cyber and Information Security

Law Enforcement Action and Take Downs

Misinformation, Disinformation and Propaganda

Nation State Actors, Advanced Persistent Threats (APTs), Cyber Warfare, Cyber Espionage and Geopolitical Threats/Activity

Cyber Warfare and Cyber Espionage

Nation State Actors

China

Russia

Iran

North Korea

Other Nation State Actors, Hacktivism, Extremism, Terrorism and Other Geopolitical Threat Intelligence

Vulnerability Management

Vulnerabilities

Tools and Controls

Other News

Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

·         Automotive

·         Construction

·         Critical National Infrastructure (CNI)

·         Defence & Space

·         Education & Academia

·         Energy & Utilities

·         Estate Agencies

·         Financial Services

·         FinTech

·         Food & Agriculture

·         Gaming & Gambling

·         Government & Public Sector (including Law Enforcement)

·         Health/Medical/Pharma

·         Hotels & Hospitality

·         Insurance

·         Legal

·         Manufacturing

·         Maritime

·         Oil, Gas & Mining

·         OT, ICS, IIoT, SCADA & Cyber-Physical Systems

·         Retail & eCommerce

·         Small and Medium Sized Businesses (SMBs)

·         Startups

·         Telecoms

·         Third Sector & Charities

·         Transport & Aviation

·         Web3

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Read More
Black Arrow Admin Black Arrow Admin

Black Arrow Cyber Threat Briefing 15 March 2024

Black Arrow Cyber Threat Intelligence Briefing 15 March 2024:

-Mind The Gap - Mimecast Report Finds Humans Are Biggest Security Flaw

-Three-Quarters of Cyber Victim Are SMBs - Why SMBs are Becoming More Vulnerable

-Cyber Security Skills Gap and Lack of Boardroom Engagement Invite Hacker Havoc

-UK Government’s Ransomware Failings Leave Country ‘Exposed and Unprepared’

-Data Breaches up 72% to New Record High: Cyber Security Incidents Rank as #1 Global Business Threat in 2024

-Finance Sector Facing Huge Number of Cyber Attacks That Could Leave It On its Knees, Highlights the Need to Build a Robust Security Culture

-Microsoft Confirms Russian Hackers Stole Source Code, Some Customer Secrets

-Independent Cyber Security Audits Are Powerful Tools for Boards

-Navigating Cyber Security in The Era of Mergers

-Phishing Tactics Evolve as Sophisticated Vishing and Image-based Phishing Take World by Storm

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

Mind The Gap: Mimecast Report Finds Humans Are Biggest Security Flaw

A global report from Mimecast has found that 74% of all cyber breaches are caused by human factors, including errors, misuse of access privileges or social engineering. Email remains the primary attack vector for cyber threats. Further, 67% of respondents expect AI-driven attacks to soon be the norm and 69% believe their company will be harmed by an attack.

No matter the size, sector or budget of an organisation, people remain a consistent risk factor. Even with strong technology controls, people can still be the risk that brings down the organisation. It is therefore important for organisations to integrate people into their cyber security investments. This should include awareness and education training, and fostering a cyber secure culture in the organisation.

Sources: [IT Security Guru] [Beta News] [Verdict]

Three-Quarters of Cyber Victim Are SMBs: Why SMBs are Becoming More Vulnerable

According to a recent Sophos report, over three-quarters of cyber incidents impacted smaller businesses in 2023, with ransomware having the largest impact. The research also found that in 90% of attacks, data or credential theft was involved and in 43%, data theft was the main focus.

The report found significant usage of initial access brokers; these are attackers whose speciality is to break into computer networks and sell ready-to-go access to other attackers. In fact, the report found that almost half of all malware detected in SMBs were malicious programs used to steal sensitive data and login credentials. Unfortunately, many SMBs struggle to keep up due to a lack of resources and budget; instead, they must be able to prioritise their cyber security efforts to get the most return on investment.

Sources: [Infosecurity Magazine]  [Help Net Security] [TechRadar] [Nairametrics] [TechTarget]

Cyber Security Skills Gap and Lack of Boardroom Engagement Invite Hacker Havoc

The Ipsos report on Cyber Security Skills in the UK Labour Market 2023 sheds light on the persistent challenges faced in recruiting, training, and retaining cyber security professionals across various domains. With approximately 739,000 businesses lacking basic cyber skills and 487,000 facing advanced skills gaps, the demand for trained professionals is escalating. The shortage of incident response skills highlights the need for comprehensive education and training programs. Senior management and board-level executives must also be equipped with the knowledge to manage incidents effectively, emphasising reporting, seeking external assistance, and maintaining a no-blame culture. Understanding cyber risks at the business level is crucial, as cyber crime has evolved into a well-organised industry with distinct roles and profit-sharing mechanisms among cyber criminal groups. Conducting tabletop incident response exercises can effectively prepare senior leadership for cyber incidents, ensuring a proactive and coordinated response to mitigate risks and safeguard organisational resilience.

Source: [TechRadar]

UK Government’s Ransomware Failings Leave Country ‘Exposed and Unprepared’

The recent response from the British government to warnings about the looming ransomware threat has sparked criticism, with accusations of adopting an "ostrich strategy" by downplaying the severity of the national cyber threat. Despite alarming assessments from the Joint Committee on the National Security Strategy (JCNSS) regarding the high risk of a catastrophic ransomware attack, the government's formal response has been met with scepticism. Key recommendations, such as reallocating responsibility for tackling ransomware away from the Home Office, were rejected, with the government arguing that its existing regulations and the current National Cyber Strategy were sufficient. This argument has raised concerns about the government's preparedness and resource allocation. With ransomware attacks escalating in the UK, the Committee underscores the urgency for a proactive national security response to mitigate the potentially devastating impacts on the economy and national security.

Source: [The Record Media]

Data Breaches up 72% to New Record High: Cyber Security Incidents Rank as #1 Global Business Threat in 2024

Research conducted by the Identity Theft Resource Center (ITRC) found that 2023 set an all time high in data breaches, 72% more than the prior year. Separately, the Allianz Risk Barometer identified cyber incidents as the biggest global business threat for 2024, ranking above regulatory concerns, climate change and a shortage of skilled workers. It is crucial that the severity of this risk is reflected in the actions taken by organisations, who must effectively govern and implement their cyber security strategy.

Sources: [JDSupra]

Finance Sector Facing Huge Number of Cyber Attacks That Could Leave It On its Knees, Highlights the Need to Build a Robust Security Culture

Cyber security has become a pressing issue on financial institutions due to the rise in cyber attacks, as highlighted by the February attack on Bank of America via a third-party service. The involvement of the LockBit ransomware group underlines the persistent nature of these threats, particularly targeting the financial sector. These attacks disrupt services and undermine trust in the financial system, necessitating robust cyber security frameworks. The new US Securities and Exchange Commission (SEC) rule requiring immediate disclosure of cyber security incidents presents both benefits and challenges, calling for clear guidelines and industry-wide collaboration. BlackBerry’s Global Threat Intelligence Report revealed a staggering million attacks globally in just 120 days last year. These attacks, often using commodity malware, make up almost two-thirds of all industry-related incidents. The 27% increase in novel malware samples highlights the need for improved defences. These findings emphasise the need for AI-driven detection and defence strategies. While critical infrastructure remains a primary focus, commercial enterprises must remain vigilant, with a third of threats targeting various sectors, emphasising the pervasive nature of cyber threats across industries.

Source:[ SC Media] [TechRadar]

Microsoft Confirms Russian Hackers Stole Source Code, Some Customer Secrets

In a recent revelation, Microsoft disclosed that the Kremlin-backed threat group known as Midnight Blizzard successfully accessed some of Microsoft’s source code repositories and internal systems following a hack in January 2024. The breach, believed to have originally occurred in November 2023, exploited a legacy test account lacking multi-factor authentication by employing a password spray attack. Microsoft assured no compromise to customer-facing systems but warned of ongoing attempts by Midnight Blizzard to exploit stolen corporate email data. The extent of the breach remains under investigation, with concerns raised over the potential accumulation of attack vectors by the threat actor. The incident underscores the escalating sophistication of nation-state cyber threats and prompts a re-evaluation of security measures, highlighting the imperative for robust defences against such adversaries.

Source: [The Hacker News]

Independent Cyber Security Audits Are Powerful Tools for Boards

Board members are increasingly held accountable for their organisation's cyber posture, facing personal liability for lapses. To gain insight and demonstrate proactive leadership, independent cyber security audits have become indispensable. These audits not only aid in regulatory compliance but also uncover blind spots in the organisation's security measures. Recent regulations, such as by  the US Securities and Exchange Commission (SEC) underscore the imperative for robust cyber security oversight at the board level. The audit process involves defining the scope, conducting assessments, validating findings through simulations, and presenting comprehensive reports to leadership. By embracing cyber security audits, boards can fulfil their duty of overseeing and enhancing the organisation's cyber resilience in an ever-evolving threat landscape.

Source: [Bloomberg Law]

Navigating Cyber Security in The Era of Mergers

In today's landscape of frequent mergers and acquisitions (M&A), organisations grapple with the challenge of aligning cyber security measures across subsidiaries, posing a risk to overall security. According to an IBM survey, over one in three executives attribute data breaches to M&A activity during integration. This complexity arises as security teams may lack insight into subsidiary infrastructure, hindering risk assessment and mitigation efforts. Historical incidents like the NotPetya attack on Merck and the Talk Talk hack highlight vulnerabilities post-acquisition, emphasising the need for a proactive approach to subsidiary cyber security. To address these challenges, organisations must conduct comprehensive risk assessments, standardise security protocols, foster collaboration, and consider unified security platforms. By proactively addressing visibility gaps and implementing standardised protocols, organisations can fortify their defences against evolving cyber threats amidst M&A activities.

Source: [Forbes]

Phishing Tactics Evolve as Sophisticated Vishing and Image-based Phishing Take World by Storm

According to a recent report, 76% of organisations were compromised by QR-code phishing in the last 12 months. Along with this, there has also been a rise in the number of sophisticated vishing attacks, with recent attacks costing organisations millions. The introduction of artificial intelligence has only added fuel to this fire already impacting security controls such as call-back procedures. With the tactics of phishing evolving, organisations need to ensure they are up-to-date and that employees are trained effectively to mitigate the risk of these.

Sources: [Help Net Security] [Dark Reading]

Threats

Ransomware, Extortion and Destructive Attacks

Ransomware Victims

Phishing & Email Based Attacks

Other Social Engineering

Artificial Intelligence

2FA/MFA

Malware

Mobile

Denial of Service/DoS/DDOS

Internet of Things – IoT

Data Breaches/Leaks

Organised Crime & Criminal Actors

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

Insider Risk and Insider Threats

Insurance

Supply Chain and Third Parties

Cloud/SaaS

Encryption

Linux and Open Source

Passwords, Credential Stuffing & Brute Force Attacks

Social Media

Training, Education and Awareness

Regulations, Fines and Legislation

Models, Frameworks and Standards

Backup and Recovery

Data Protection

Careers, Working in Cyber and Information Security

Law Enforcement Action and Take Downs

Nation State Actors, Advanced Persistent Threats (APTs), Cyber Warfare, Cyber Espionage and Geopolitical Threats/Activity

Nation State Actors

China

Russia

North Korea

Vulnerability Management

Vulnerabilities

Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

·         Automotive

·         Construction

·         Critical National Infrastructure (CNI)

·         Defence & Space

·         Education & Academia

·         Energy & Utilities

·         Estate Agencies

·         Financial Services

·         FinTech

·         Food & Agriculture

·         Gaming & Gambling

·         Government & Public Sector (including Law Enforcement)

·         Health/Medical/Pharma

·         Hotels & Hospitality

·         Insurance

·         Legal

·         Manufacturing

·         Maritime

·         Oil, Gas & Mining

·         OT, ICS, IIoT, SCADA & Cyber-Physical Systems

·         Retail & eCommerce

·         Small and Medium Sized Businesses (SMBs)

·         Startups

·         Telecoms

·         Third Sector & Charities

·         Transport & Aviation

·         Web3

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Read More
Black Arrow Admin Black Arrow Admin

Black Arrow Cyber Threat Briefing 23rd June 2023

Black Arrow Cyber Threat Briefing 23 June 2023:

-How the MOVEit Breach Shows Hackers' Interest in Corporate File Transfer Tools

-Attackers Discovering Exposed Cloud Assets Within Minutes

-Majority of Users Neglect Best Password Practices

-One in Three Workers Susceptible to Phishing

-Ransomware Misconceptions Abound, to the Benefit of Attackers

-Threat Actors Scale and Commoditise Uncommon Tools and Techniques

-Goodbyes are Difficult, IT Offboarding Processes Make Them Harder

-Security Budget Hikes are Missing the Mark, CISOs Say

-Understanding Cyber Resilience: Building a Holistic Approach to Cyber Security

-Emerging Ransomware Group 8Base Releasing Data on SMBs Globally

-Cyber Security Industry Still Fighting to Recruit and Retain Talent

-Financial Firms to Build Resilience in Face of Growing Cyber-Threats

-Fulfilling Expected SEC Requirements for Cyber Security Expertise at Board Level

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

  • Cyber Security Industry Still Fighting to Recruit and Retain Talent

Cyber security teams are struggling to find the right talent, with the right skills, and to retain experienced employees. The situation is only likely to worsen, as inflation and a tight labour market push up wages. Universities produce graduates with a strong focus on technical knowledge, but not always the broader skills they need to operate in a business environment. This includes the lack of communications skills, understanding of how businesses operate and even emotional intelligence. One solution is to outsource to a corporate cyber security provider or outsource to infill shortages whilst trying to recruit permanent staff.

https://www.infosecurity-magazine.com/news/cybersecurity-industry-recruit/

  • How the MOVEit Breach Shows Hackers' Interest in Corporate File Transfer Tools

The world of managed file transfer (MFT) software has become a lucrative target for ransom-seeking hackers, with significant breaches including those of Accellion Inc's File Transfer Appliance in 2021 and Fortra's GoAnywhere MFT earlier this year. These MFT programs, corporate versions of popular file sharing programs like Dropbox or WeTransfer, are highly desirable to hackers for the sensitive data they often transfer between organisations and partners. The recent mass compromise tied to Progress Software Corp's MOVEit transfer product has prompted governments and companies worldwide to scramble in response.

Hackers are shifting their tactics, with an increasing focus on MFT programs which typically face the open internet, making them more vulnerable to breaches. Once inside these file transfer points, hackers have direct access to a wealth of data. In addition, there's a noticeable shift from ransomware groups encrypting a company's network and demanding payment to unscramble it, to a simpler tactic of pure extortion by threatening to leak the data.

https://www.reuters.com/technology/how-moveit-breach-shows-hackers-interest-corporate-file-transfer-tools-2023-06-16/

  • Attackers Discovering Exposed Cloud Assets within Minutes

The shift to cloud services, increased remote work, and reliance on third-parties has led to widespread use of Software-as-a-Service (SaaS) applications. This has also opened avenues for attackers to exploit weak security configurations and identities. Over the past year, attackers have intercepted authorisation tokens, bypassed multifactor authentication, and exploited misconfigured systems, targeting critical applications like GitHub, Microsoft 365, Google Workspace, Slack, and Okta. A study revealed alarmingly fast rates of breach discovery and compromise of exposed cloud assets, with assets being discovered within as little as two minutes for some and others within an hour.

https://www.techtarget.com/searchsecurity/news/366542352/Attackers-discovering-exposed-cloud-assets-within-minutes

https://www.darkreading.com/dr-tech/growing-saas-usage-means-larger-attack-surface

  • Majority of Users Neglect Best Password Practices

The latest Password Management Report by Keeper Security has shed light on the concerning state of password security practices. The survey found that only 25% of respondents used solid and unique passwords. In comparison, 34% admitted to using repeat variations of passwords, and 30% still relied on simple and easily guessable passwords. The survey also found that 44% of individuals who claimed to have well-managed passwords still admitted to using repeated variations, while 20% acknowledged having had at least one password involved in a data breach or available on the dark web. The document also revealed that 35% of respondents feel overwhelmed when it comes to improving their cyber security. Furthermore, 10% admitted to neglecting password management altogether. More generally, Keeper Security said the survey’s findings highlight a significant gap between perception and reality regarding password security.

https://www.infosecurity-magazine.com/news/users-neglect-best-password/

  • One in Three Workers Susceptible to Phishing

More than one in three workers in the UK and Ireland are susceptible to falling for phishing attacks, according to the new 2023 Phishing by Industry Benchmarking Report by KnowBe4. The study found that 35% of users who had received no security training were prone to clicking on suspicious links or engaging in fraudulent actions. Regular training and continual reinforcement can get this figure down but even with training very few organisations ever get click rates down to zero, and you only need one person to click to cause potentially devastating consequences.

Globally, ransomware was responsible for 24% of all data breaches in 2023, with human error accounting for 74% of these incidents. Phishing attacks can often lead to significant reputational damage, financial loss and disruption to business operations.

https://www.infosecurity-magazine.com/news/one-in-three-phishing/

  • Ransomware Misconceptions Abound, to the Benefit of Attackers

There is a common ransomware misperception that there's no capability to fight this all too common hostage taking of business data. This is not true. Proactive organisations are increasingly making more strategic use of threat intelligence to prevent or disrupt attacks.

Ransomware has evolved into a massive, often state-sponsored, industry where operators buy, develop, and resell ransomware code, infiltrate networks, and collect ransoms. The perception that a speedy response is critical to prevent data encryption and loss is outdated; attackers now focus on data exfiltration, using ransomware as a distraction. They often target smaller organisations that are linked to larger ones through supply chains, using them as stepping stones. It is important to use in-depth defence measures, including email security to prevent phishing and efficient detection and response systems to identify and recover from changes.

https://www.darkreading.com/vulnerabilities-threats/ransomware-misconceptions-abound-to-the-benefit-of-attackers

  • Threat Actors Scale and Commoditise Uncommon Tools and Techniques

Proofpoint’s 2023 Human Factor report highlights significant developments in the cyber attack landscape in 2022. Following two years of pandemic-induced disruption, cyber criminals returned to their usual operations, honing their social engineering skills and commoditising once sophisticated attack techniques. There was a noticeable increase in brute-force and targeted attacks on cloud tenants, conversational smishing attacks, and multifactor authentication (MFA) bypasses. Microsoft 365 formed a large part of organisations' attack surfaces and faced broad abuse, from Office macros to OneNote documents.

Despite some advances in security controls, threat actors continue to innovate and scale their bypasses. Techniques like MFA bypass and telephone-oriented attack delivery are now commonplace. Attackers consistently exploit people, who remain the most critical variable in the attack chain.

https://www.proofpoint.com/uk/newsroom/press-releases/proofpoints-2023-human-factor-report-threat-actors-scale-and-commoditise

  • Goodbyes are Difficult, IT Offboarding Processes Make Them Harder

A recent survey found that 68% of organisations recognise the offboarding process as a major cyber security risk, but only 36% have adequate controls in place to secure data access when employees depart. The study revealed that 60% of organisations have discovered former employees still had access to corporate applications after leaving, and 52% have had security incidents linked to former employees. Interestingly, IT professionals are not always alerted when employees leave, leading to access not being revoked and IT assets being mishandled 34% of the time.

https://www.helpnetsecurity.com/2023/06/19/it-offboarding-processes/

  • Security Budget Hikes are Missing the Mark, CISOs Say

Misguided expectations on security spend are causing problems for CISOs despite notable budget increases. A recent report found that while most CISOs are experiencing noteworthy increases in security funding, impractical expectations of budget holders are leading to significant amounts being spent on what’s hitting the headlines instead of strategic, business-centric investment in security defences. This lack of understanding shows that a lot of work needs to be done to ensure that information security receives the attention it deserves, especially in the boardroom.

The report found that just 9% of CISOs said information security is always in the top three priorities on the boardroom’s meeting agenda, and less than a quarter (22%) of CISOs are actively participating in business strategy and decision-making processes. Talking to the board about cyber security in a way that is productive can be a significant challenge for CISOs, and failing to do so effectively can result in confusion, disillusionment, and a lack of cohesion among directors, the security function, and the rest of the organisation.

https://www.csoonline.com/article/3700073/security-budget-hikes-are-missing-the-mark-cisos-say.html

https://www.helpnetsecurity.com/2023/06/22/average-cybersecurity-budget-increase/

  • Understanding Cyber Resilience: Building a Holistic Approach to Cyber Security

In today’s interconnected world, the threat of cyber attacks is a constant concern for organisations of all sizes and across all industries. Cyber resilience entails not only making it difficult for attackers to infiltrate your systems but also ensuring that your organisation can bounce back quickly and continue operations successfully.

Cyber resilience offers a holistic approach to cyber security, emphasising the ability to withstand and recover from cyber attacks. By adopting the right mindset, leveraging advanced technology, addressing cyber hygiene, and measuring key metrics, organisations can enhance their cyber resilience. Additionally, collaboration within industries and proactive board engagement are crucial for effective risk management. As cyber threats continue to evolve, organisations must prioritise cyber resilience as an ongoing journey, continuously adapting and refining their strategies to stay ahead of malicious actors.

https://informationsecuritybuzz.com/understanding-cyber-resilience-building-a-holistic-approach-to-cybersecurity/

  • Emerging Ransomware Group 8Base Releasing Confidential Data from SMBs Globally

A ransomware group that operated under the radar for over a year has come to light in recent weeks, thanks to a series of business data leaks on the Dark Web. Since at least April 2022, 8base has been conducting double-extortion attacks against small and midsized businesses (SMBs). It all came to a head in May, when the group dumped data belonging to 67 organisations on the cyber underground.

Not much is known yet about the group's tactics, techniques, and procedures (TTPs), likely due to the low profile of their victims. The victims span science and technology, manufacturing, retail, construction, healthcare, and more, with victims from as far afield as India, Peru, Madagascar and Brazil, amongst others.

https://www.darkreading.com/vulnerabilities-threats/emerging-ransomware-8base-doxxes-smbs-globally

  • Financial Firms to Build Resilience in Face of Growing Cyber-Threats

Cyber resilience is now a key component of operational resilience for the UK’s financial markets, according to a Bank of England official. Cyber attacks have increased by 38% in 2022, and the range of firms and organisations being impacted seems to grow broader and broader.

Regulators want to see how financial firms will cope with an attack, and its impact on the wider financial services ecosystem. Similar work is being done at an international level by the G7, which has its own cyber expert group. In the UK, the main tools for improving resilience are threat intelligence sharing, better coordination between firms, regulators, the Bank and the Treasury, and penetration testing including CBEST. Financial services firms should have scenario specific playbooks, to set out how to contain intruders and stop them spreading to clients and counterparties. In the past, simulation exercises have been used to model terrorist incidents and pandemics and they are now being used to model cyber attacks.

https://www.infosecurity-magazine.com/news/financial-firms-to-build-resilience/

  • Fulfilling Expected SEC Requirements for Cyber Security Expertise at Board Level

The US Securities and Exchange Commission (SEC) is expected to introduce a rule requiring demonstration of cyber security expertise at the board level for public companies. A recent study found that currently up to 90% of companies in the Russell 3000 lack even a single director with the necessary cyber expertise. The simplest and speediest solution would be to promote the existing CISO, provided they have the appropriate qualities and experience, to the board but that would require transplanting a focused operational executive into a strategic business advisory role. A credible alternative is to bring in a cyber focused Non-Executive Director with the appropriate skills and experience.

https://www.securityweek.com/fulfilling-expected-sec-requirements-for-cybersecurity-expertise-at-board-level/

Threats

Ransomware, Extortion and Destructive Attacks

Ransomware Victims

Phishing & Email Based Attacks

Other Social Engineering; Smishing, Vishing, etc

Artificial Intelligence

Malware

Mobile

Botnets

Denial of Service/DoS/DDOS

Internet of Things – IoT

Data Breaches/Leaks

Organised Crime & Criminal Actors

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

Insider Risk and Insider Threats

Fraud, Scams & Financial Crime

Impersonation Attacks

AML/CFT/Sanctions

Dark Web

Supply Chain and Third Parties

Software Supply Chain

Cloud/SaaS

Hybrid/Remote Working

Shadow IT

Identity and Access Management

Encryption

API

Open Source

Passwords, Credential Stuffing & Brute Force Attacks

Social Media

Training, Education and Awareness

Digital Transformation

Regulations, Fines and Legislation

Models, Frameworks and Standards

Secure Disposal

Data Protection

Careers, Working in Cyber and Information Security

Law Enforcement Action and Take Downs

Privacy, Surveillance and Mass Monitoring

Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine

Nation State Actors

Vulnerability Management

Vulnerabilities

Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

·       Automotive

·       Construction

·       Critical National Infrastructure (CNI)

·       Defence & Space

·       Education & Academia

·       Energy & Utilities

·       Estate Agencies

·       Financial Services

·       FinTech

·       Food & Agriculture

·       Gaming & Gambling

·       Government & Public Sector (including Law Enforcement)

·       Health/Medical/Pharma

·       Hotels & Hospitality

·       Insurance

·       Legal

·       Manufacturing

·       Maritime

·       Oil, Gas & Mining

·       OT, ICS, IIoT, SCADA & Cyber-Physical Systems

·       Retail & eCommerce

·       Small and Medium Sized Businesses (SMBs)

·       Startups

·       Telecoms

·       Third Sector & Charities

·       Transport & Aviation

·       Web3

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Read More
Black Arrow Admin Black Arrow Admin

Black Arrow Cyber Threat Briefing 04 November 2022

Black Arrow Cyber Threat Briefing 04 November 2022:

-NCSC Looks Back on Year Of ‘Profound Change’ for Cyber

-LastPass Research Finds False Sense of Cyber Security Running Rampant

-Insurance Giant Settles NotPetya ‘Act of War’ Lawsuit, Signaling Cyber Insurance Shakeup

-Microsoft Warns of Uptick in Hackers Leveraging Publicly-Disclosed 0-Day Vulnerabilities

-Chinese Mob Has 100K Slaves Working in Cambodian Cyber Crime Mills

-Ransomware Research: 17 Leaked Databases Operated by Threat Actors Threaten Third Party Organisations

-Not Enough Ransomware Victims Are Reporting Attacks, And That's a Problem for Everyone

-Hackers Selling Access to 576 Corporate Networks for $4 Million

-Cyber Security Recovery is a Process That Starts Long Before a Cyber Attack Occurs

-Geopolitics Plays Major Role in Cyber Attacks, Says EU Cyber Security Agency

-Russian Hackers Account for Most 2021 Ransomware Schemes, US Says

-Exposed: The Global Hacking Network That Targets VIPs

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

  • NCSC Looks Back on Year Of ‘Profound Change’ for Cyber

The UK’s National Cyber Security Centre (NCSC) provided support for 18 nationally significant ransomware attacks; removed 2.1 million cyber-enabled commodity campaigns; issued 34 million early warning alerts about attacks, compromises, vulnerabilities or open ports; and received 6.5 million reports of suspicious emails in the past 12 months – but in a year of “profound change” in the cyber security landscape, it was Russia’s invasion of Ukraine that dominated the agenda.

Reflecting on the past 12 months as she launched the NCSC’s latest annual report on 1 November at an event in London, NCSC CEO Lindy Cameron said that the return of war to Europe with Russia’s invasion of Ukraine presented a unique set of challenges in cyber space for the NCSC and its partners and allies.

Cameron added that while the cyber threat from Russia has perhaps been the most visible security issue of 2022, it was also important not to forget that when it comes to nation-state actors, it will likely be the technical development and evolution of China that ultimately has the more lasting impact on the UK’s national cyber security.

https://www.computerweekly.com/news/252526766/NCSC-looks-back-on-year-of-profound-change-for-cyber

  • LastPass Research Finds False Sense of Cyber Security Running Rampant

LastPass released findings from its fifth annual Psychology of Password findings, which revealed even with cyber security education on the rise, password hygiene has not improved. Regardless of generational differences across Boomers, Millennials and Gen Z, the research shows a false sense of password security given current behaviours across the board. In addition, LastPass found that while 65% of all respondents have some form of cyber security education — through school, work, social media, books or via online courses — the reality is that 62% almost always or mostly use the same or variation of a password.

The survey, which explored the password security behaviours of 3,750 professionals across seven countries, asked about respondents’ mindset and behaviours surrounding their online security. The findings highlighted a clear disconnect between high confidence when it comes to their password management and their unsafe actions. While the majority of professionals surveyed claimed to be confident in their current password management, this doesn’t translate to safer online behaviour and can create a detrimental false sense of safety.

Key findings from the research include:

  • Gen Z is confident when it comes to their password management, while also being the biggest offenders of poor password hygiene.

  • Cyber security education doesn’t necessarily translate to action.

  • Confidence creates a false sense of password security.

The latest research showcases that even in the face of a pandemic, where we spent more time online amid rising cyber attacks, there continues to be a disconnect for people when it comes to protecting their digital lives. Even though nearly two-thirds of respondents had some form of cyber security education, it is not being put into practice for varying reasons.

https://www.darkreading.com/vulnerabilities-threats/untitled

  • Insurance Giant Settles NotPetya ‘Act of War’ Lawsuit, Signaling Cyber Insurance Shakeup

The settlement last week in a $100 million lawsuit over whether insurance giant Zurich should cover losses Mondelez International suffered from NotPetya may very well reshape the entire cyber insurance marketplace.

Zurich initially denied claims from Mondelez after the malware, which experts estimate caused some $10 billion in damages globally, wreaked havoc on its computer networks. The insurance provider claimed an act of war exemption since it’s widely believed Russian military hackers unleashed NotPetya on a Ukrainian company before it spread around the world.

Now, however, it’s increasingly clear insurers aren’t off the hook for NotPetya payouts or from covering losses from other attacks with clear links to nation-state hackers.

That’s because in this case, what Mondelez and many other corporations endured was not an act of war, but “collateral damage” in a much larger cyber conflict that had nothing to do with them, said the Center for Strategic and International Studies.

There needs to be a rethink what act of war means in cyber space when it comes to insurance. The current definitions come out of the 19th century when we had pirates, navies and privateers.

Last week’s ruling in favour of Mondelez follows a January ruling in a New Jersey court that sided with global pharmaceutical company Merck in a similar case. Its insurance companies initially refused to pay for damages from NotPetya. Merck claimed losses that amounted to $1.4 billion. The insurers are appealing the ruling.

Insurers seized on the NotPetya episode to test how courts would rule on cyber coverage questions, particularly when there’s so much evidence pointing to one particular nation-state actor. Since NotPetya was widely attributed to the Russian government it gave the industry a “really strong opportunity” to set legal precedent limiting their responsibility in these instances.

Insurers will start to be much more upfront about the fact that they aren’t going to cover acts of cyber war or limit payouts for NotPetya type incidents in the future.

https://www.cyberscoop.com/insurance-giant-settles-notpetya-lawsuit/

  • Microsoft Warns of Uptick in Hackers Leveraging Publicly-Disclosed 0-Day Vulnerabilities

Microsoft is warning of an uptick among nation-state and criminal actors increasingly leveraging publicly-disclosed zero-day vulnerabilities for breaching target environments.

The tech giant, in its 114-page Digital Defense Report, said it has "observed a reduction in the time between the announcement of a vulnerability and the commoditisation of that vulnerability," making it imperative that organisations patch such exploits in a timely manner.

This also corroborates with an April 2022 advisory from the US Cybersecurity and Infrastructure Security Agency (CISA), which found that bad actors are "aggressively" targeting newly disclosed software bugs against broad targets globally.

Microsoft noted that it only takes 14 days on average for an exploit to be available in the wild after public disclosure of a flaw, stating that while zero-day attacks are initially limited in scope, they tend to be swiftly adopted by other threat actors, leading to indiscriminate probing events before the patches are installed.

It further accused Chinese state-sponsored groups of being "particularly proficient" at discovering and developing zero-day exploits. This has been compounded by the fact that the Cyberspace Administration of China (CAC) enacted a new vulnerability reporting regulation in September 2021 that requires security flaws to be reported to the government prior to them being shared with the product developers.

Redmond further said the law could enable government-backed elements to stockpile and weaponise the reported bugs, resulting in the increased use of zero-days for espionage activities designed to advance China's economic and military interests.

https://thehackernews.com/2022/11/microsoft-warns-of-uptick-in-hackers.html

  • Chinese Mob Has 100K Slaves Working in Cambodian Cyber Crime Mills

Up to 100,000 people from across Asia have been lured to Cambodia by Chinese crime syndicates with the promise of good jobs. When they arrive, their passports are seized and they are put to work in modern-day sweatshops, running cyber crime campaigns.

The Los Angeles Times reported that Cambodia, which was hit hard economically by the pandemic, has allowed Chinese mobsters to set up enormous cyber crime operations using human trafficked labour without consequence, because of the revenue it generates for the country. The campaigns they carry out run the gamut from romance scams to fake sports betting.

Although the Cambodian government acknowledges that as many as 100,000 workers are involved in these activities, it denies anyone is being held against their will. However, the stories from traumatised victims rescued from cyber crime mills include tales of beatings and torture for failing to meet quotas, and of being sold and passed around from gang to gang.

https://www.darkreading.com/attacks-breaches/chinese-mob-100k-slaves-cambodian-cybercrime-mills

  • Ransomware Research: 17 Leaked Databases Operated by Threat Actors Threaten Third Party Organisations

Ransomware remains a serious threat to organisations, Deep Instinct, a New York-based deep learning cyber security specialist, said in its recently released 2022 Interim Cyber Threat Report.

It’s no surprise, the company said, as there are currently 17 leaked databases operated by threat actors who are leveraging the data for attacks on third-party companies, most notably social engineering, credential theft, and triple-extortion attacks.

Here are the report’s key findings:

  • Changes in ransomware gangs, including LockBit, Hive, BlackCat, and Conti. The latter has spawned “Conti Splinters” made up of former affiliates Quantum, BlackBasta, and BlackByte.

  • Significant changes to tactics by Emotet, Agent Tesla, NanoCore, and others. For example, Emotet uses highly obfuscated VBA macros to avoid detection.

  • The use of documents for malware has decreased as the top attack vector, following Microsoft’s move to disable macros by default in Microsoft Office files. Threat actors have already pivoted to other methods such as LNK, HTML, and archive email attachments.

  • Vulnerabilities such as SpoolFool, Follina and DirtyPipe highlighted the exploitability of both Windows and Linux systems despite efforts to enhance their security.

  • The number of exploited in-the-wild vulnerabilities spikes every 3-4 months. The next spike is expected to occur by the end of the year.

  • Threat actor groups are extending data exfiltration attacks to demand ransoms from third-party companies if the leaked data contains their sensitive information.

The report also makes three predictions:

  • More inside jobs. Malicious threat actors look for the weakest link, which is often in the supply chain. Groups like Lapsus$ do not rely on exploits but instead look for insiders who are willing to sell access to data within their organisation.

  • Rise of protestware. Look for a spike in protestware, which is self-sabotaging one’s software and weaponising it with malware capabilities in an effort to harm all or some of its users. The war between Russia and Ukraine has caused a surge in protestware.

  • End of year attacks. While no major vulnerability in 2022 has emerged similar to the Log4J or the Exchange cases in 2021, there is an increase year-over-year in the number of publicly assigned CVEs for reported vulnerabilities. For now, threat actors are still exploiting old vulnerabilities during 2022 simply because there is a plethora of unpatched systems for 2021 CVEs but that will change.

Organisations are warned to be on their guard. 2022 has been another record year for cyber criminals and ransomware gangs. It’s no secret that these threat actors are constantly upping their game with new and improved tactics designed to evade traditional cyber defences. Defenders must continue to be vigilant and find new approaches to prevent these attacks from happening.

https://www.msspalert.com/cybersecurity-research/ransomware-research-17-leaked-databases-operated-by-threat-actors-threaten-third-party-organizations/

  • Ransomware: Not Enough Victims Are Reporting Attacks, And That's a Problem for Everyone

Ransomware continues to be a significant cyber threat to businesses and the general public – but it's difficult to know the true impact of attacks because many victims aren't coming forward to report them.

The warning comes in the National Cyber Security Centre (NCSC) Annual Review for 2022, which looks back at key developments and incidents in cyber crime over the last year, with ransomware described as an "ever present" threat and a "major challenge" to businesses and public services.

That's demonstrated by how the review details how in the 12-month period between 1 September 2021 and 31 August 2022 there were 18 ransomware incidents that needed a "nationally coordinated" response. These included attacks on a supplier to the National Health Service (NHS) and a ransomware attack against South Staffordshire Water.

However, the true impact of ransomware remains unclear, because the NCSC says that many organisations that fall prey to ransomware attacks aren't disclosing them.

That lack of reporting is despite the significant and disruptive consequences ransomware attacks can have, not only for organisations that fall victim, but for wider society – which is why it's vital that cyber security is taken seriously and incidents are reported.

https://www.zdnet.com/article/ransomware-not-enough-victims-are-reporting-attacks-and-that-increases-the-threat-for-everyone/

  • Hackers Selling Access to 576 Corporate Networks for $4 Million

A new report shows that hackers are selling access to 576 corporate networks worldwide for a total cumulative sales price of $4,000,000, fuelling attacks on the enterprise.

The research comes from Israeli cyber-intelligence firm KELA which published its Q3 2022 ransomware report, reflecting stable activity in the sector of initial access sales but a steep rise in the value of the offerings.

Although the number of sales for network access remained about the same as in the previous two quarters, the cumulative requested price has now reached $4,000,000. For comparison, the total value of initial access listings in Q2 2022 was $660,000, recording a drop in value that coincided with the summer ransomware hiatus that hurt demand.

Initial access brokers (IABs) are hackers who sell access to corporate networks, usually achieved through credential theft, webshells, or exploiting vulnerabilities in publicly exposed hardware. After establishing a foothold on the network, the threat actors sell this corporate access to other hackers who use it to steal valuable data, deploy ransomware, or conduct other malicious activity. The reasons IABs choose not to leverage network access vary, ranging from lacking diverse intrusion skills to preferring not to risk increased legal trouble.

IABs still play a crucial role in the ransomware infection chain, even if they got sidelined last year when big ransomware gangs that operated as crime syndicates operated their own IAB departments.

https://www.bleepingcomputer.com/news/security/hackers-selling-access-to-576-corporate-networks-for-4-million/

  • Cyber Security Recovery is a Process That Starts Long Before a Cyber Attack Occurs

Organisations are racing to stay ahead of cyber criminals, and as a result, we see businesses investing a lot of money on identifying and detecting attacks, on preventing attacks in the first place, and in responding to live attacks. But they are not spending the same amounts on attack recovery. They may have followed all the relevant guidelines, and even implemented the ISO 27000 standard, but none of that helps them to understand how to build the business back after a serious cyber attack.

Until recent years, this cyber security recovery investment would be spent on an annual tabletop exercise or disaster recovery test and auditing recovery plans. While this should be done, it isn’t enough on its own.

Cyber security insurance is also critical, of course, but it only covers some of the losses. It won’t cover future loss. The reality is most organisations find it very difficult to fully recover from an attack. Those that invest more in disaster recovery and business continuity recover from these attacks far more swiftly than their less-prepared competitors.

The four core components of an effective cyber security recovery program

  1. Pre-emptive action

  2. Responsibilities and accountability

  3. Having the right IT architecture, security and recovery process in place

  4. Learning lessons and implementing changes.

Once these factors are understood, and any weak spots identified, the organisation can focus on re-designing or updating architecture and procedures, and on retraining employees (something that should happen regularly).

Recovery is a process that starts long before a cyber attack occurs. It concludes not when the data is secured, but when the organisation can say that it’s learned everything it can from the event and has made the changes necessary to avoid it happening again.

https://www.helpnetsecurity.com/2022/11/03/cybersecurity-recovery/

  • Geopolitics Plays Major Role in Cyber Attacks, Says EU Cyber Security Agency

The ongoing Russia-Ukraine conflict has resulted in an increase in hacktivist activity in the past year, with state-sponsored threat actors targeting 128 governmental organisations in 42 countries that support Ukraine, according to the European Union Agency for Cybersecurity (ENISA).

In addition, some threat actors targeted Ukrainian and Russian entities during the early days of the conflict, likely for the collection of intelligence, according to the 10th edition of the ENISA threat landscape report. The report, this year titled Volatile Geopolitics Shake the Trends of the 2022 Cybersecurity Threat Landscape, notes that in general geopolitical situations continue to have a high impact on cyber security.

This year's report identified several attack types frequently used by state-sponsored attackers. These include zero-day and critical vulnerability exploitation; attacks on operational technology (OT) networks; wiper attacks to destroy and disrupt networks of governmental agencies and critical infrastructure entities; and supply chain attacks. Attacks also featured social engineering, disinformation, and threats against data.

State-sponsored threat actors have also been observed targeting entities from countries in Southeast Asia, Japan, Australia, and Taiwan. Due to increased tensions between specific countries in Asia, state-sponsored threat actors have targeted countries (including EU member states) that had established closer ties with Taiwan.

Ransomware remains the top cyber crime attack type this year as well. More than 10 terabytes of data were stolen monthly during the period studied, with phishing identified as the most common initial vector of such attacks. The report also noted that 60% of affected organisations likely have paid the ransom demanded.

The second most used form of attack was DDoS. The largest DDoS attack ever was launched in Europe in July 2022 against a European customer of Akamai. The attack hit a peak at 853.7Gbps and 659.6Mpps (megapackets per second) over 14 hours.

While all sectors fell victim to attacks, public administration and government entities were the most affected, making up 24% of all cyber attack victims. This was followed by digital service providers at 13% and the general public at 12%. These three sectors alone accounted for 50% of all the attacks during this year.

https://www.csoonline.com/article/3678771/geopolitics-plays-major-role-in-cyberattacks-says-eu-cybersecurity-agency.html#tk.rss_news

  • Russian Hackers Account for Most 2021 Ransomware Schemes, US Says

Payment-seeking software made by Russian hackers was used in three quarters of all the ransomware schemes reported to a US financial crime agency in the second half of 2021, a Treasury Department analysis released on Tuesday showed.

In an analysis issued in response to the increase in number and severity of ransomware attacks against critical infrastructure in the United States since late 2020, the US Financial Crimes Enforcement Network (FinCEN) said it had received 1,489 ransomware-related filings worth nearly $1.2 billion in 2021, a 188% jump from the year before.

Out of 793 ransomware incidents reported to FinCEN in the second half of 2021, 75% "had a nexus to Russia, its proxies, or persons acting on its behalf," the report said.

Washington last week hosted a meeting with officials from 36 countries and the European Union, as well as 13 global companies to address the growing threat of ransomware and other cyber crime, including the illicit use of cryptocurrencies.

https://www.reuters.com/technology/us-says-many-ransomware-attacks-late-2021-were-connected-russian-actors-2022-11-01/

  • Exposed: The Global Hacking Network That Targets VIPs

Private investigators linked to the City of London are using an India-based computer hacking gang to target British businesses, government officials and journalists.

The Sunday Times and the Bureau of Investigative Journalism have been given access to the gang’s database, which reveals the extraordinary scale of the attacks. It shows the criminals targeted the private email accounts of more than 100 victims on behalf of investigators working for autocratic states, British lawyers and their wealthy clients. Critics of Qatar who threatened to expose wrongdoing by the Gulf state in the run-up to this month’s World Cup were among those hacked.

It is the first time the inner workings of a major “hack-for-hire” gang have been leaked to the media and it reveals multiple criminal conspiracies. Some of the hackers’ clients are private investigators used by major law firms with bases in the City of London.

The investigation — based on the leaked documents and undercover work in India — reveals:

  • Orders went out to the gang to target the BBC’s political editor Chris Mason in May, three weeks after his appointment was announced.

  • The president of Switzerland and his deputy were targeted just days after he met Boris Johnson and Liz Truss in Downing Street to discuss Russian sanctions.

  • Philip Hammond, then chancellor, was hacked as he was dealing with the fallout of Russia’s novichok poisonings in Salisbury.

  • A private investigator hired by a London law firm acting for the Russian state ordered the gang to target a British-based oligarch fleeing President Putin.

  • Michel Platini, the former head of European football, was hacked shortly before he was due to talk to French police about corruption allegations relating to this year’s World Cup.

  • The hackers broke into the email inboxes of the Formula One motor racing bosses Ruth Buscombe, the British head of race strategy at the Alfa Romeo team, and Otmar Szafnauer, who was chief executive of the Aston Martin team.

  • The gang seized control of computers owned by Pakistan’s politicians, generals and diplomats and eavesdropped on their private conversations apparently at the behest of the Indian secret services.

The commissioning of hacking is a criminal offence punishable with a maximum sentence of ten years in jail in Britain. The Metropolitan Police was tipped off about the allegations regarding Qatar in October last year, yet chose not to take any action. David Davis, the former cabinet minister, said that the force should reopen its investigation into the cyber attacks against British citizens. Davis said the investigation exposed how London has become “the global centre of hacking”.

https://www.thetimes.co.uk/article/exposed-the-global-hacking-network-that-targets-vips-nff67j67z

Threats

Ransomware and Extortion

Phishing & Email Based Attacks

BEC – Business Email Compromise

Malware

Mobile

Internet of Things – IoT

Data Breaches/Leaks

Organised Crime & Criminal Actors

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

Fraud, Scams & Financial Crime

Insurance

Dark Web

Supply Chain and Third Parties

Software Supply Chain

Denial of Service DoS/DDoS

Cloud/SaaS

API

Open Source

Passwords, Credential Stuffing & Brute Force Attacks

Social Media

Training, Education and Awareness

Travel

Regulations, Fines and Legislation

Careers, Working in Cyber and Information Security

Law Enforcement Action and Take Downs

Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine

Other News

Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

·       Automotive

·       Construction

·       Critical National Infrastructure (CNI)

·       Defence & Space

·       Education & Academia

·       Energy & Utilities

·       Estate Agencies

·       Financial Services

·       FinTech

·       Food & Agriculture

·       Gaming & Gambling

·       Government & Public Sector (including Law Enforcement)

·       Health/Medical/Pharma

·       Hotels & Hospitality

·       Insurance

·       Legal

·       Manufacturing

·       Maritime

·       Oil, Gas & Mining

·       OT, ICS, IIoT, SCADA & Cyber-Physical Systems

·       Retail & eCommerce

·       Small and Medium Sized Businesses (SMBs)

·       Startups

·       Telecoms

·       Third Sector & Charities

·       Transport & Aviation

·       Web3

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Read More
Black Arrow Admin Black Arrow Admin

Cyber Weekly Flash Briefing 26 June 2020: Covid changes infosec landscape, ransomware actors lurk post attack, hacker earns millions, rogue bank staff steal $3.2m, massive DDoS against European bank

Cyber Weekly Flash Briefing 26 June 2020: Covid changes infosec landscape, ransomware actors lurk post attack, hacker earns millions, rogue bank staff steal $3.2m, massive DDoS against European bank

If you’re pressed for time watch the 60 second quick fire video summary of the top Cyber and InfoSec stories from the last week:

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Businesses believe the pandemic will change the security landscape forever

After Covid-19, nothing will ever be the same again, at least in terms of how businesses approach cyber security. This is according to a new report based on a poll of 6,700 infosec professionals around the world.

The report states that 81 percent expect long-term changes to the way their business operates, mostly because of remote working.

With this in mind, examining how remote employees approach cyber security will become paramount if an organisation is to maintain a strong security posture.

A third of respondents said they worry employees may feel more relaxed about cyber security than when they are working out of the office. Employees may also be less likely to follow protocol at home, particularly when it comes to identifying and flagging suspicious activity.

Further, almost a third (31 percent) fear employees might unintentionally leak sensitive data or fall prey to a phishing scam and a quarter are afraid staff might fall victim to malware attacks.

Of the largest risks associated with remote working, respondents singled out “using untrusted networks” as the most significant. Other people accessing employees' company devices, the use of personal messaging services for work, and the unintentional sharing of company data are also high on the list of risks.

Read more: https://www.itproportal.com/news/businesses-believe-the-pandemic-will-change-the-security-landscape-forever/

Ransomware operators lurk on your network after their attack

When a company suffers a ransomware attack, many victims feel that the attackers quickly deploy the ransomware and leave so they won't get caught. Unfortunately, the reality is much different as threat actors are not so quick to give up a resource that they worked so hard to control.

Instead, ransomware attacks are conducted over time, ranging from a day to even a month, starting with a ransomware operator breaching a network.

This breach is through exposed remote desktop services, vulnerabilities in VPN software, or via remote access given by malware such as TrickBot, Dridex, and QakBot.

Once they gain access, they use tools such as Mimikatz, PowerShell Empire, PSExec, and others to gather login credentials and spread laterally throughout the network.

As they gain access to computers on the network, they use these credentials to steal unencrypted files from backup devices and servers before deploying the ransomware attack.

Once the ransomware is deployed, many victims believe that while their network is still compromised, they think the ransomware operators are now gone from the system.

This belief is far from the truth, as illustrated by a recent attack by the Maze Ransomware operators.

Read the full article here: https://www.bleepingcomputer.com/news/security/ransomware-operators-lurk-on-your-network-after-their-attack/

Prolific Hacker Made Millions Selling Network Access

A notorious Russian cyber-criminal made over $1.5m in just the past three years selling access to corporate networks around the world, according to a new report.

The study profiles the work of “Fxmsp” on underground forums where he published his first ad selling access to business networks in 2017.

Over the following years he would compromise banks, hotels, utilities, retailers, tech companies and organisations in many more verticals.

In just three years he claimed to have compromised over 130 targets in 44 countries, including four Fortune 500 firms. Some 9% of his victims were governments.

The report calculated the $1.5m figure purely from publicised sales, although 20% of those Fxmsp compromised were made through private sales, meaning the hacker’s trawl is likely to be even bigger.

Fxmsp even hired a sales manager in early 2018.

Read more here: https://www.infosecurity-magazine.com/news/infamous-hacker-millions-selling/

Rogue Postbank employees steal master encryption key; make off with $3.2 million

South Africa's Postbank has been forced to replace 12 million bank cards after a calamitous security breach that saw the bank's master encryption key printed off in plain, unencrypted language.

According to internal documents acquired by the Sunday Times of South Africa, the 36-digit code security key “allows anyone who has it to gain unfettered access to the bank’s systems, and allows them to read and rewrite account balances, and change information and data on any of the bank’s 12-million cards".

The master key was apparently printed out on plain paper in a data centre in Pretoria in 2018, enabling the fraudsters to make over 25,000 fraudulent transactions, mostly from cards used by people receiving social benefits from the government.

The crime, which is being pinned on a number of rogue bank employees, went unnoticed for months. More than $3.2 million was stolen in the raid.

The cost to the bank of replacing all the compromised cards is expected to reach $58 million.

Read more here: https://www.finextra.com/newsarticle/36059/rogue-postbank-employees-steal-master-encryption-key-make-off-with-32-million

Massive Distributed Denial of Service (DDoS) attack launched against European bank

This week, security firm Akamai mitigated what it claims to be the “largest ever packet per second (pps) DDoS attack”, launched against an unnamed European bank.

The attack reportedly generated 809 million packets per second (Mpps) - a new high for pps-focused attacks, and well over double the size of the previous record attack identified by the Akamai platform.

What also makes this DDoS attack unique is the “massive increase” in the quantity of source IP addresses observed. During the attack, Akamai identified more than 600 times average number of source IP addresses per minute, suggesting the attack was highly distributed in nature.

Further, most of the traffic came from previously unknown IP addresses (96.2 percent), which could indicate the assault was driven by an emerging botnet. Given that most of the source IP addresses could be identified within large ISPs via AS lookups, Akamai believes most of the devices used were compromised end user machines.

The speed at which the attack reached its peak was also remarkable. The company claims it grew from normal traffic levels to 418 Gbps in seconds, and took roughly two minutes to hit 809 Mpps. The attack lasted for a total of 10 minutes and was fully mitigated.

Read more here: https://www.itproportal.com/news/massive-ddos-attack-launched-against-european-bank/

'Unstoppable' Malware Uses Bitcoin To Retrieve Secret Messages - Report

Glupteba, a sneaky malware that can be controlled from afar includes a range of components to cover its tracks, and it updates itself using encrypted messages hidden in the Bitcoin blockchain.

The Glupteba bot is a malware campaign that creates backdoors with full access to contaminated devices, which are added to its growing botnet. The analysis describes it as a “highly self-defending malware” with “enhancing features that enable the malware to evade detection.”

The most interesting aspect of Glupteba is that it uses the Bitcoin blockchain as a communication channel for receiving updated configuration information, given that bitcoin transactions can also include a comment of up to 80 characters.

Glupteba uses this messaging space for encrypted messages. These messages contain secrets, such as command-and-control server names, thus cleverly hiding them in the public blockchain - in plane sight.

Read more: https://cryptonews.com/news/unstoppable-malware-uses-bitcoin-to-retrieve-secret-messages-6947.htm

Woman who deliberately deleted firm’s Dropbox is sentenced

58-year-old Danielle Bulley may not look like your typical cyber criminal, but the act of revenge she committed against a company had just as much impact as a conventional hacker breaking into a business’s servers and causing havoc.

Bulley has been successfully prosecuted under the UK’s Computer Misuse Act after deleting thousands of important files from a company that went on to collapse.

She was a director of a business called Property Press that produced a weekly property newspaper focused on south east Devon. Things turned sour, and Bulley resigned her position at the firm in 2018 before the company went into liquidation. However, fellow director Alan Marriott started a new business venture – without Bulley’s involvement – using the assets of the old firm.

Things clearly didn’t sit well with Bulley after her departure from the business, and several months after her resignation she managed to gain unauthorised access to the new company’s Dropbox account.

More than 5,000 documents were permanently erased, and the company claimed that the damage to business was so great that it could no longer operate, with people losing their jobs and a loss of almost £100,000.

The Police warned other companies of the threat which can be posed by former employees:

Ex-employees can pose a serious risk to a business because they are familiar with the company’s IT infrastructure and procedures. This can make it easier for them to carry out cyber crimes against their former organisation.

If someone is leaving your company, especially if they are quitting your firm under something of a cloud, you would be wise to check that they don’t know your business’s passwords or have retained access to sensitive information.

Passwords should be changed, and additional authentication methods should be in place to prevent unauthorised access. Dropbox, for instance, provides a two-step verification feature which all users would be wise to enable.

Read more: https://hotforsecurity.bitdefender.com/blog/woman-who-deliberately-deleted-firms-dropbox-is-sentenced-23552.html

EasyJet Lawsuit Over Data Breach Attracts 10,000 Passengers

EasyJet Plc faces a lawsuit over a data breach disclosed last month that potentially exposed private details of 9 million passengers.

More than 10,000 people have joined the suit since it was filed last month, according to the law firm handling the lawsuit. Victims are entitled to as much as £2,000 in compensation, meaning the case could be worth as much as £18 billion.

EasyJet said last month that the email addresses and travel data of about 9 million customers were taken by hackers in one of the biggest privacy breaches to hit the airline industry. The credit card details of roughly 2,200 people was also accessed.

“This is a monumental data breach and a terrible failure of responsibility that has a serious impact on EasyJet’s customers, who are coming forward in their thousands,” the law firm said in a statement. “This is personal information that we trust companies with, and customers should expect that every effort is made to protect their privacy.”

Read more here: https://www.bloomberg.com/news/articles/2020-06-24/easyjet-lawsuit-over-data-breach-attracts-10-000-passengers

Twitter apologises for business data breach

Twitter has emailed its business clients to tell them that personal information may have been compromised.

Unbeknownst to users, billing information of some clients was stored in the browser's cache, it said.

In an email to its clients, Twitter said it was "possible" others could have accessed personal information.

The personal data includes email addresses, phone numbers and the last four digits of clients' credit card numbers.

The tech company says that there is no evidence that clients' billing information was compromised.

Read more here: https://www.bbc.co.uk/news/technology-53150157

Huge Data Dump of Police Files Dubbed “Blue Leaks” Leaked Online

Nearly 270 gigabytes worth of sensitive files including FBI, “fusion center” and police department data from across the US dubbed “Blue Leaks” has been stolen and leaked online on June 19 by a collective called DDoSecrets.

Fusion centres are hubs for threat and intelligence sharing. The concept was created after September 11, in a bid by the Department of Homeland Security to improve cooperation between state, local, and territorial law enforcement

The National Fusion Centre Association (NFCA) says that the data was taken after a security breach at web development firm Netsential in Houston, Texas. It includes 490 documents pertaining to the UK. Computer Business Review was not immediately able to open these to assess the contents.

DDoSecrets stated that the Blue Leaks archive spans “ten years of data from over 200 police departments, fusion centres and other law enforcement training and support resources […] among the hundreds of thousands of documents are police and FBI reports, bulletins, guides and more”.

Read more here: https://www.cbronline.com/news/blue-leaks-data-dump

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Read More