Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

• 79% Of Companies Only Invest in Cyber Security After Hacking Incidents

The British cyber security company Tanium published a survey on investments in digital protection in UK companies with alarming results: 79% of them only approve investments in cyber security after suffering a data breach; 92% experienced a data attack or breach, of which 74% occurred in 2021. Leadership reticence is also high, with 63% of leaders convinced cyber security is only a concern after an attack.

The complexity of the situation has grown with the digital transformation of work. If it streamlines many processes, it can also open up serious security gaps. A sensitive point is the “home office”: companies need effective solutions to eliminate gaps that may appear between employees’ computers (often shared devices) and the company’s internal network.

Putting in solutions is just the beginning of a necessary strategy and investment effort in virtual protection. Complex scams based on phishing, reverse engineering, and backdoor-type malicious programs (“planted” discreetly on a device and sometimes inactive for months) often combine real-world and virtual-world fraud.

The escalation of corporate data hijacking appears in this scenario. The most notorious case at a global level of such an incident, with a million-dollar ransom demand, was launched in 2021 on Colonial Pipeline. This US company paid $40 million to regain control over strategic data after fuel supplies through its pipelines to several states were threatened for days.

https://informationsecuritybuzz.com/infosec-news/79-of-the-companies-only-invest-in-cybersecurity-after-hacking-incidents/

• Nearly Half of Breaches During First Half of 2022 Involved Stolen Credentials

According to a new report by Acronis, a Switzerland-based cyber security company, nearly half of breaches during the first six months of 2022 involved stolen credentials.

The goal of stealing credentials is to launch ransomware attacks. According to the report, these “continue to be the number one threat to large and medium-sized businesses, including government organisations.”

Attackers usually use phishing techniques to extract these credentials. In the first half of the year, over 600 malicious email campaigns made their way across the internet, of which 58% were phishing attempts and 28% featured malware.

Acronis also added that “as reliance on the cloud increases, attackers have homed in on different entryways to cloud-based networks.”

Additionally, cyber criminals now also target unpatched or software vulnerabilities to extract data, with a recent increase on Linux operating systems and managed service providers (MSPs) and their network of SMB customers.

The third vector spotted by Acronis was “non-traditional entry avenues” such as cryptocurrencies and decentralised finance (DeFi) systems.

https://www.itsecurityguru.org/2022/08/30/nearly-half-of-breaches-during-first-half-of-2022-involved-stolen-credentials/

• Outdated Infrastructure Not Up to Today’s Ransomware Challenges

A global research commissioned by Cohesity reveals that nearly half of respondents say their company depends on outdated, legacy backup and recovery infrastructure to manage and protect their data. In some cases, this technology is more than 20 years old and was designed long before today’s multicloud era and onslaught of sophisticated cyber attacks plaguing enterprises globally.

Challenges pertaining to outdated infrastructure could easily be compounded by the fact that many IT and security teams don’t seem to have a plan in place to mobilise if and when a cyber attack occurs. Nearly 60% of respondents expressed some level of concern that their IT and security teams would be able to mobilise efficiently to respond to the attack.

These are just some of the findings from an April 2022 survey, conducted by Censuswide, of more than 2,000 IT and SecOps professionals (split nearly 50/50 between the two groups) in the United States, the United Kingdom, Australia and New Zealand. All respondents play a role in the decision-making process for IT or security within their organisations.

IT and security teams should raise the alarm bell if their organisation continues to use antiquated technology to manage and secure their most critical digital asset – their data.

Cyber criminals are actively preying on this outdated infrastructure as they know it was not built for today’s dispersed, multicloud environments, nor was it built to help companies protect and rapidly recover from sophisticated cyber attacks.

https://www.helpnetsecurity.com/2022/08/30/outdated-infrastructure-manage-data/

• Ghost Data Increases Enterprise Business Risk

IT has to get its hands around cloud data sprawl. Another area of focus should be on ghost data, as it expands the organisation's cloud attack surface.

Cloud sprawl is a big issue for organisations, with business teams spinning up cloud systems and services on their own, often without IT oversight. That leads to cloud data sprawl as data is scattered across different environments. If IT doesn’t know about the cloud systems and services, then IT is also not managing the data being collected, processed, and stored there.

We all know about shadow IT, the systems and network devices in the organisation’s environment that IT is not managing. Similarly, shadow data refers to unmanaged data store copies and snapshots or log data that are not part of IT’s backup and recovery strategy. Researchers at Cyera estimate that 60% of the data security posture issues that are present in cloud accounts stem from unsecured sensitive data.

Then there is the problem of ghost data. When data gets deleted from cloud systems, it isn’t fully gone. Copies linger in backups or snapshots of data stores. Ghost data refers to those copies left behind after the original has been deleted, and Cyera’s recent analysis show that enterprises have quite a lot of it.

After scanning the three major cloud providers (Amazon Web Services, Azure, and Google Cloud), Cyera researchers found that over 30% of scanned customer cloud data stores are ghost data and more than 58% contain sensitive, or very sensitive, data. For example, researchers found unsecured database snapshots in non-production environments that contained sensitive customer data where the original database had been destroyed. Researchers also uncovered sensitive personal and authentication data in plain text where the production data and application were no longer in use.

Ghost data usually has no business value - the data was deleted for a reason - and having it around unnecessarily increases business risk. Attackers don’t care if they get their hands on the original sensitive information or the copy because to them, all data has value, regardless of the form it takes.

https://www.darkreading.com/edge-threat-monitor/ghost-data-increases-enterprise-business-risk

• Detected Cyber Threats Surge 52% in 1H 2022

A leading cyber security vendor blocked 63 billion threats in the first half of 2022 alone, over 50% more than the same period a year ago.

The findings come from the Trend Micro 2022 Midyear Cybersecurity Report and illustrate the scale of the challenge facing network defenders.

Trend Micro highlighted the persistent threat posed by ransomware-as-a-service (RaaS) groups as one that will continue to cause major challenges for organisations in the years to come.

It said detections of prolific groups such as LockBit and Conti increased by 500% year-on-year in 1H 2022. Such groups will continue to adapt their tactics, techniques and procedures (TTPs) in the race for profits.

The report warned of a surge in threats targeting Linux systems, for example. It said detections of attacks on Linux servers and embedded systems grew 75% year-on-year in the first half of 2022. Both SMBs and larger organisations are now a target, it claimed.

Many RaaS groups exploit vulnerabilities as a primary attack vector. Their job is getting easier as the number of published common vulnerabilities and exposures (CVEs) continues to grow strongly.

Trend Micro’s Zero Day Initiative published advisories on 944 vulnerabilities in the first half of 2021, a 23% year-on-year increase. The number of critical bug advisories it published soared by 400% over the same period.

https://www.infosecurity-magazine.com/news/detected-cyberthreats-surge-52-in/

• An Interview with Initial Access Broker Wazawaka: ‘There Is No Such Money Anywhere as There is in Ransomware’

Last April, a ransomware group threatened to expose police informants and other sensitive information if the Washington, D.C. Metropolitan Police Department did not pay a demand.

The brazen attack was the work of a gang known as Babuk, which in early 2021 gained a reputation for posting stolen databases on its website from victims that refused to pay a ransom. Just days after it tried to extort the Metropolitan Police Department, Babuk announced it was closing its ransomware affiliate program, and would focus on data theft and extortion instead.

Earlier this year, cyber security journalist Brian Krebs uncovered details about one man behind the operation named Mikhail Matveev, who was also connected to a number of other groups and identities, including the handle ‘Wazawaka.’ According to Krebs, Matveev had become more unhinged than usual, “publishing bizarre selfie videos” and creating a Twitter account to share exploit code.

Matveev talked to Recorded Future about his interaction with other hackers, details about ransomware attacks he’s been involved in, and how he settled on the name Babuk.

Click the link below for the full interview but the long and short is ransomware has created a criminal ecosystem the likes of which the world has never seen.

https://therecord.media/an-interview-with-initial-access-broker-wazawaka-there-is-no-such-money-anywhere-as-there-is-in-ransomware/

• Cyber Crime Underground More Dangerous Than Organisations Realise

Kela, a cyber threat intelligence specialist, found in a new study of some 400 security pros in the US that organisations are more at risk from the “cyber crime underground” than they realise.

The Israel-based company surveyed security team members responsible for gathering cyber crime threat intelligence daily to better understand if they’re proactively scanning the dark web and other cyber crime sources, what tools they’re using and the gaps they see in their cyber crime threat intelligence approach. Nearly 60% of the respondents do not believe their current cyber crime prevention is effective, the results showed.

Here are the study’s key findings:

• 69% are concerned about threats from the cyber crime underground.

• 54% wouldn’t be surprised to find their organisation’s data on the cyber crime underground.

• Only 38% believe that they’re very likely to detect it if it was released.

• 48% have no documented cyber crime threat intelligence policy in place.

• Only 41% believe their current security program is very effective.

• 49% are not satisfied with the visibility they have of the cyber crime underground.

• Of the 51% who were satisfied with their visibility into the cyber crime underground, 39% were still unable to prevent an attack.

• Additional training and proficiency in cyber crime intelligence investigations is the most needed capability.

https://www.msspalert.com/cybersecurity-research/cybercrime-underground-more-dangerous-than-organizations-realize-threat-intelligence-firm-warns/

• New Ransomware Group BianLian Activity Exploding

A new ransomware group operating under the name BianLian emerged in late 2021 and has become increasingly active since.

The threat actor already has twenty alleged victims across several industries (insurance, medicine, law and engineering), according to a research paper from US cyber security firm Redacted, published on September 1, 2022. The majority of the victim organisations have been based in Australia, North America and the UK.

The research team has given no attribution yet but believes the threat actor “represents a group of individuals who are very skilled in network penetration but are relatively new to the extortion/ransomware business.”

BianLian uses a custom toolkit, including homemade encryptors and encryption backdoors. Both, as well as the command-and-control (C&C) software the hackers use, are written in Go, an increasingly popular programming language among ransomware threat actors.

Troublingly, the Redacted team of researchers has found evidence that BianLian is likely now trying to up their game.

https://www.infosecurity-magazine.com/news/new-ransomware-group-bianlian/

• Can Your Passwords Withstand Threat Actors’ Dirty Tricks?

Password security hinges on the answer to that seemingly simple question. Unfortunately, you can’t know the answer until you’ve engaged a ruthless penetration tester to find out if your environment can stand up to the frighteningly good password cracking skills of today’s most nefarious hackers.

The whole purpose of hiring skilled penetration testers (“pentesters”) is to find out if your environment is truly impenetrable — and if it’s not, exactly how you should shore up your defences. Good pentesters and red teamers spend their time trying to simulate and emulate the real bad actors. After all, what’s the point of pressure-testing your IT infrastructure if you don’t use the same pressure that you’ll face in the real world?

You should “train like you fight.” Without sparring, how can you expect to jump into a boxing ring and go a few rounds with a skilled boxer? That’s the entire point of goal-based penetration testing and red/purple team engagements that simulate real-world threat actors.

Password cracking will continue to evolve – and so should your penetration testing tactics and plans. By the time you get to your fourth or fifth round with a quality pentesting consultancy, your risk mitigation will have dramatically improved — which means you’ll be able to move on to the next stage of security maturity.

https://www.helpnetsecurity.com/2022/08/30/stand-up-to-password-cracking/

• Ransomware Gangs’ Favourite Targets

Barracuda released its fourth-annual threat research report which looks at ransomware attack patterns that occurred between August 2021 and July 2022.

For the 106 highly publicised attacks our researchers analysed, the dominant targets are still five key industries: education (15%), municipalities (12%), healthcare (12%), infrastructure (8%), and financial (6%). The number of ransomware attacks increased year-over-year across each of these five industry verticals, and attacks against other industries more than doubled compared to last year’s report.

While attacks on municipalities increased only slightly, the analysis over the past 12 months showed that ransomware attacks on educational institutions more than doubled, and attacks on the healthcare and financial verticals tripled. Many choose not to disclose when they get hit.

This year, researchers dug in deeper on these highly publicised attacks to see which other industries are starting to be targeted. Service providers were hit the most, and ransomware attacks on automobile, hospitality, media, retail, software, and technology organisations all increased as well.

Most ransomware attacks don’t make headlines, though. Many victims choose not to disclose when they get hit, and the attacks are often sophisticated and extremely hard to handle for small businesses.

As ransomware and other cyber threats continue to evolve, the need for adequate security solutions has never been greater. Many cyber criminals target small businesses in an attempt to gain access to larger organisations. As a result, it is essential for security providers to create products that are easy to use and implement, regardless of a company’s size.

Additionally, sophisticated security technologies should be available as services, so that businesses of all sizes can protect themselves against these ever-changing threats. By making security solutions more accessible and user-friendly, the entire industry can help to better defend against ransomware and other cyber attacks.

https://www.helpnetsecurity.com/2022/08/31/ransomware-attack-patterns/

• Tentacles of ‘0ktapus’ Threat Group Victimise 130 Firms

Over 130 companies were tangled in sprawling phishing campaign that spoofed a multi-factor authentication system.

Targeted attacks on Twilio and Cloudflare employees are tied to a massive phishing campaign that resulted in 9,931 accounts at over 130 organisations being compromised. The campaigns are tied to focused abuse of identity and access management firm Okta, which gained the threat actors the 0ktapus moniker, by researchers.

The primary goal of the threat actors was to obtain Okta identity credentials and multi-factor authentication (MFA) codes from users of the targeted organisations. These users received text messages containing links to phishing sites that mimicked the Okta authentication page of their organisation.

114 US-based firms were impacted, with additional victims of sprinkled across 68 additional countries. The full scope of the attack is still unknown but the 0ktapus campaign has been incredibly effective, and the full scale of it may not be known for some time.

The 0ktapus attackers are believed to have begun their campaign by targeting telecommunications companies in hopes of winning access to potential targets’ phone numbers.

While unsure exactly how threat actors obtained a list of phone numbers used in MFA-related attacks, one theory researchers posit is that 0ktapus attackers began their campaign targeting telecommunications companies.

https://threatpost.com/0ktapus-victimize-130-firms/180487/

• Organisations Are Spending Billions on Malware Defence That’s Easy to Bypass

Last year, organisations spent $2 billion on products that provide Endpoint Detection and Response, a relatively new type of security protection for detecting and blocking malware targeting network-connected devices. EDRs, as they're commonly called, represent a newer approach to malware detection. Static analysis, one of two more traditional methods, searches for suspicious signs in the DNA of a file itself. Dynamic analysis, the other more established method, runs untrusted code inside a secured "sandbox" to analyse what it does to confirm it's safe before allowing it to have full system access.

EDRs—which are forecasted to generate revenue of $18 billion by 2031 and are sold by dozens of security companies—take an entirely different approach. Rather than analyse the structure or execution of the code ahead of time, EDRs monitor the code's behaviour as it runs inside a machine or network. In theory, it can shut down a ransomware attack in progress by detecting that a process executed on hundreds of machines in the past 15 minutes is encrypting files en masse. Unlike static and dynamic analyses, EDR is akin to a security guard that uses machine learning to keep tabs in real time on the activities inside a machine or network.

Despite the buzz surrounding EDRs, new research suggests that the protection they provide isn't all that hard for skilled malware developers to circumvent. In fact, the researchers behind the study estimate EDR evasion adds only one additional week of development time to the typical infection of a large organisational network. That's because two fairly basic bypass techniques, particularly when combined, appear to work on most EDRs available in the industry.

https://arstechnica.com/information-technology/2022/08/newfangled-edr-malware-detection-generates-billions-but-is-easy-to-bypass/

Threats

Ransomware

• Global Ransomware Damages to Exceed $30bn by 2023 - Infosecurity Magazine (infosecurity-magazine.com)

• Ransomware Research: 10 Key Findings, Five Ways to Defend Against Hijackers - MSSP Alert

• Cyber Attack: Spike in Ransomware Threat to More Than 1.2 Million Per Month Between January-June, Says Report | LatestLY

• LockBit ransomware gang gets aggressive with triple-extortion tactic (bleepingcomputer.com)

• New Golang-based 'Agenda Ransomware' Can Be Customized For Each Victim (thehackernews.com)

• Chile and Montenegro Floored by Ransomware - Infosecurity Magazine (infosecurity-magazine.com)

• Researchers Detail Emerging Cross-Platform BianLian Ransomware Attacks (thehackernews.com)

• Ragnar Locker Brags About TAP Air Portugal Breach (darkreading.com)

• Police ‘negotiating with hackers’ who hit Paris hospital computer system | World | The Times

• Advanced cyber-attack: NHS doctors' paperwork piles up - BBC News

• Another Ransomware For Linux Likely In Development - Security Affairs

• Montenegro hit by ransomware attack, hackers demand $10 million (bleepingcomputer.com)

• Should ransomware payments be banned? A few considerations - Help Net Security

• Researchers Spot Snowballing BianLian Ransomware Gang Activity (darkreading.com)

• Ragnar Locker continues trend of ransomware targeting energy sector | CSO Online

• BlackCat ransomware claims attack on Italian energy agency (bleepingcomputer.com)

• Italian Oil Major Becomes Victim Of Ransomware Attack | OilPrice.com

• Damart clothing store hit by Hive ransomware, $2 million demanded (bleepingcomputer.com)

• Baker & Taylor's Systems Remain Offline a Week After Ransomware Attack - Infosecurity Magazine (infosecurity-magazine.com)

• Gloucester Council planning site still disrupted from cyber attack - BBC News

BEC – Business Email Compromise

• How BEC attacks on human capital management systems are increasing - Help Net Security

Malware

• Malicious Cookie Stuffing Chrome Extensions with 1.4 Million Users | McAfee Blog

• A study on malicious plugins in WordPress Marketplaces - Security Affairs

• Prynt Stealer Contains a Backdoor to Steal Victims' Data Stolen by Other Cyber criminals (thehackernews.com)

• New Evidence Links Raspberry Robin Malware to Dridex and Russian Evil Corp Hackers (thehackernews.com)

• BumbleBee a New Modular Backdoor Evolved From BookWorm (trendmicro.com)

• Malicious Chrome Extensions Plague 1.4M Users (darkreading.com)

Mobile

• Mobile banking apps put 300,000 digital fingerprints at risk • The Register

• Researcher unveils smart lock hack for fingerprint theft (techtarget.com)

• Source Code of Over 1800 Android and iOS Apps Gives Access to AWS Credentials - Infosecurity Magazine (infosecurity-magazine.com)

Internet of Things – IoT

• Skyrocketing IoT Bug Disclosures Put Pressure on Security Teams (darkreading.com)

• Singapore clocks higher ransomware attacks, warns of IoT risks | ZDNET

• Standards Body Publishes Guidelines for IoT Security Testing - Infosecurity Magazine (infosecurity-magazine.com)

• ieGeek Vulnerabilities still prevalent in 2022 - Amazon Ft. IG20 (realinfosec.net)

Data Breaches/Leaks

• Evil Corp and Conti Linked to Cisco Data Breach, eSentire Suggests - Infosecurity Magazine (infosecurity-magazine.com)

• Okta Says Customer Data Compromised in Twilio Hack | SecurityWeek.Com

• Password Manager With 25 Million Users Confirms Breach, Expert Weighs In (informationsecuritybuzz.com)

• Neopets says hackers had access to its systems for 18 months (bleepingcomputer.com)

• Akasa Air Suffers Data Leak on First Day of Operation- IT Security Guru

• Samsung says hackers obtained some customer data in newly disclosed breach | Engadget

• Millions of student loan accounts exposed in data breach | TechRadar

• Russian streaming platform confirms data breach affecting 7.5M users (bleepingcomputer.com)

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

• FBI: Crooks stole $1b+ in cryptocurrency already this year • The Register

• Ukraine takes down cyber crime group hitting crypto fraud victims (bleepingcomputer.com)

• FBI: Crooks are using these DeFi flaws to steal your money | ZDNET

• Windows malware delays coinminer install by a month to evade detection (bleepingcomputer.com)

• Cryptominer Disguised as Google Translate Targeted 11 Countries - Infosecurity Magazine (infosecurity-magazine.com)

• Crypto-Crooks Spread Trojanized Google Translate App in Watering-Hole Attack (darkreading.com)

• Hackers Use ModernLoader to Infect Systems with Stealers and Cryptominers (thehackernews.com)

Insider Risk and Insider Threats

• West Yorkshire PC due in court over police computer searches - BBC News

Fraud, Scams & Financial Crime

• Big Banks vs. Big Tech: Who Is Liable For Online Fraud? (informationsecuritybuzz.com)

Insurance

• Cyber insurance has been around for 25 years. It’s still a bit of a mess. (slate.com)

• Who Pays for an Act of Cyber War? | WIRED

• Travelers, Policyholder Agree to Void Current Cyber Policy (insurancejournal.com)

• Cyber Frauds Skyrocket: Can Cyber Insurance Protect You in Real World? Experts Explain (news18.com)

• Google Cloud, Microsoft and AWS dive into cyber insurance - Protocol

• Cyber Insurance Price Hike Hits Local Governments Hard (insurancejournal.com)

• Insurers must rethink handling of cyber attacks on states | Financial Times (ft.com)

• Cyber insurance on rise as attacks surge | Mint (livemint.com)

Dark Web

• German man charged for trying to hire fake contract killer on darkweb | Euronews

• COVID-19 data put for sale on Dark Web - Security Affairs

• NATO Investigates Dark Web Leak of Data Stolen From Missile Vendor (darkreading.com)

Supply Chain and Third Parties

• PyPI Phishing Campaign | JuiceLedger Threat Actor Pivots From Fake Apps to Supply Chain Attacks - SentinelOne

Software Supply Chain

• NSA and CISA share tips to secure the software supply chain (bleepingcomputer.com)

Denial of Service DoS/DDoS

• DDoS activity launched by patriotic hacktivists is on the rise - Help Net Security

Cloud/SaaS

• 1 in 3 organisations don't know if their public cloud data was exfiltrated - Help Net Security

• Real-World Cloud Attacks: The True Tasks of Cloud Ransomware Mitigation (darkreading.com)

Encryption

• CISA: Prepare now for quantum computers, not when hackers use them (bleepingcomputer.com)

• Homomorphic encryption: a holy grail for privacy, explained (fastcompany.com)

API

• The 4 Most Common OWASP API Security - IT Security Guru

Open Source

• Linux devices 'increasingly' under attack from hackers, warn security researchers | ZDNET

Passwords, Credential Stuffing & Brute Force Attacks

• LastPass source code breach – do we still recommend password managers? – Naked Security (sophos.com)

Social Media

• Social media is ruining our lives and the public are finally waking up (telegraph.co.uk)

• LinkedIn New Hacking Scam (informationsecuritybuzz.com)

• Thousands lured with blue badges in Instagram phishing attack (bleepingcomputer.com)

Training, Education and Awareness

• (ISC)² Launches 'Certified in Cybersecurity' Entry-Level Certification to Address Global Workforce Gap (darkreading.com)

Privacy

• Trident Royal Navy staff reveal sensitive data on fitness app | News | The Times

• Cops wanted to keep mass surveillance app secret; privacy advocates refused | Ars Technica

• US telcos admit to storing, handing over location data • The Register

• Facebook moves to settle Cambridge Analytica lawsuit | TechCrunch

• Homomorphic encryption: a holy grail for privacy, explained (fastcompany.com)

• Nobody’s special to the WFH software spies | Comment | The Times

Travel

• Cyber Safety for Summer Vacation | SecurityWeek.Com

Parental Controls and Child Safety

• Scammers Targeting Thousands Of Children As Young As Six, Figures Show (informationsecuritybuzz.com)

• Over a Third of Parents Do Not Know What Online Accounts Their Children Use - IT Security Guru

Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine

• Why Russia's cyber war in Ukraine hasn't played out as predicted (newatlas.com)

• Ukraine's army of hackers failed to thwart Russia and quickly gave up | New Scientist

• Cyber criminals Apparently Involved in Russia-Linked Attack on Montenegro Government | SecurityWeek.Com

• Who Pays for an Act of Cyber War? | WIRED

• Moscow gridlock as hackers send dozens of taxis to Hotel Ukraine (telegraph.co.uk)

• Finland To Offer Businesses Cybersec Vouchers In Wake Of Nato-related (informationsecuritybuzz.com)

• China-linked APT40 used ScanBox Framework in a long-running espionage campaign - Security Affairs

• Montenegro says Russian cyber attacks threaten key state functions (bleepingcomputer.com)

• Google says it cut off Russian disinformation sites from its vast ad display network - CyberScoop

• Ex-spies banned from arms exports for UAE hack-for-hire work • The Register

Nation State Actors

Nation State Actors – Russia

• Third-party hacking groups lose interest in Russia-Ukraine conflict, study claims | SC Media (scmagazine.com)

• FBI deploys cyber team to Montenegro following massive cyber attack | The Hill

• New Evidence Links Raspberry Robin Malware to Dridex and Russian Evil Corp Hackers (thehackernews.com)

• Montenegro Sent Back to Analog by Unprecedented Cyber Attacks | Balkan Insight

Nation State Actors – China

• Chinese Hackers Target Energy Firms in South China Sea | SecurityWeek.Com

• China-linked APT40 targets wind turbines, Aust. government • The Register

Nation State Actors – Misc

• Insurers must rethink handling of cyber attacks on states | Financial Times (ft.com)

Vulnerabilities

• Apple Quietly Releases Another Patch for Zero-Day RCE Bug (darkreading.com)

• Google Chrome emergency update fixes new zero-day used in attacks (bleepingcomputer.com)

• URGENT! Apple slips out zero-day update for older iPhones and iPads – Naked Security (sophos.com)

• WordPress 6.0.2 Patches Vulnerability That Could Impact Millions of Legacy Sites | SecurityWeek.Com

• Critical hole in Atlassian Bitbucket needs patching now • The Register

Reports Published in the Last Week

• Tackling the Growing and Evolving Digital Attack Surface 2022 Midyear Cybersecurity Report (trendmicro.com)

Other News

• Former Cyber criminal: These Are the Biggest Threats on the Internet (businessinsider.com)

• Stuxnet explained: The first known cyber weapon | CSO Online

• Infra Used in Cisco Hack Also Targeted Workforce Management Solution (thehackernews.com)

• Flicking the kill switch: governments embrace internet shutdowns as a form of control | Internet | The Guardian

• Okta Impersonation Technique Could be Utilized by Attackers | SecurityWeek.Com

• Remote Work Cyber Security: 12 Risks and How to Prevent Them (techtarget.com)

• Does your cyber crime prevention program work? - Help Net Security

• Does Blockchain really offer Better Digital Security? - IT Security Guru

• IT and Employees Don’t Always See Eye to Eye on Cyber Security - IT Security Guru

• New Cyber Security Regulations Are Coming. Here’s How to Prepare. (hbr.org)

• 3 Cyber Security Trends for 2022 - IT Security Guru

• Cyber security budget breakdown and best practices (techtarget.com)

• How Just-in-Time privilege elevation prevents data breaches and lateral movement - Help Net Security

Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

·       Automotive

·       Construction

·       Critical National Infrastructure (CNI)

·       Defence & Space

·       Education & Academia

·       Energy & Utilities

·       Estate Agencies

·       Financial Services

·       FinTech

·       Food & Agriculture

·       Gaming & Gambling

·       Government & Public Sector (including Law Enforcement)

·       Health/Medical/Pharma

·       Hotels & Hospitality

·       Insurance

·       Legal

·       Manufacturing

·       Maritime

·       Oil, Gas & Mining

·       OT, ICS, IIoT, SCADA & Cyber-Physical Systems

·       Retail & eCommerce

·       Small and Medium Sized Businesses (SMBs)

·       Startups

·       Telecoms

·       Third Sector & Charities

·       Transport & Aviation

·       Web3

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

• Turbulent Cyber Insurance Market Sees Rising Prices And Sinking Coverage

As insurers and brokers reckon with unexpected losses, they're charging more for policies and setting higher requirements.

Chaos reigns in the cyber insurance market. Brokers and cyber insurance carriers — the companies that actually offer the policies — are tightening requirements on what applicants need to do to obtain policies due to losses the insurers have suffered from ransomware coverage. During the past year, premiums grew 18% in the first quarter of 2021 and were up 34% in the fourth quarter of 2021, according to Jess Burn, senior analyst at Forrester.

Organisations often find they cannot obtain cyber insurance, are not being renewed for coverage they already have, or are faced with soaring prices and shrinking coverage. Despite the value many organisations put on cyber insurance — in some cases, they're required to carry it to comply with regulations — obtaining such policies is getting more difficult.

While raising premiums, some insurers are reducing coverage. If an organisation bought $10 million worth of coverage for a given price in 2021, for example, renewing that policy in 2022 might see the coverage amount fall to $3 million and the premiums for that lower coverage rise. This phenomenon is due, in part, to insurers trying to strike the right balance of customers' risk profile versus their risk-mitigation efforts.

https://www.darkreading.com/edge-articles/turbulent-cyber-insurance-market-sees-rising-prices-and-sinking-coverage

• Ransomware Attacks Still The #1 Threat To Businesses And Organisations

In 2021, ransomware attacks continued to be one of the most prominent threats targeting businesses and organisations worldwide.

High-profile attacks disrupted operations of companies in various sectors.

For example, the Colonial Pipeline attack interrupted critical infrastructure, the JBS Foods attack influenced food processing, and the CNA breach disrupted the insurance industry.

Following the attacks, pressure of law enforcement on ransomware gangs intensified, though simultaneously these threat actors continued to evolve.

They are not only becoming more technologically sophisticated but are also extensively leveraging the growing cyber crime ecosystem looking to find new partners, services and tools for their operations.

https://www.helpnetsecurity.com/2022/05/30/ransomware-trends-video/

• Third Of UK Firms Have Experienced A Security Breach Since 2020

Cyber threats are behind soaring fraud and economic crime in the UK, where rates are now second only globally to South Africa, according to PwC.

The consulting giant’s latest Global Economic Crime Survey revealed that nearly two-thirds (64%) of UK businesses experienced fraud, corruption or other economic/financial crime during the past 24 months, a significant increase on the 56% recorded in 2020, and 50% in 2018.

It’s also much higher than the 2022 global average of 46%, PwC said.

Cyber crime was the most commonly reported fraud type, although figures here dropped from 42% in 2020 to 32% in 2022. Included for the first time in the report, supply chain incidents accounted for 19%.

Most (51%) reported fraud cases in the UK were traced back to external parties, versus just 43% globally. The top three culprits were cited as customers, hackers and vendors/suppliers.

https://www.infosecurity-magazine.com/news/third-uk-security-breach-2020/

• There Is No Good Digital Transformation Without Cyber Security

Network engineers and CIOs agree that cyber security issues represent the biggest risk for organisations that fail to put networks at the heart of digital transformation plans. According to research commissioned by Opengear, 53% of network engineers and 52% of CIOs polled in the US, UK, France, Germany, and Australia rank cyber security among the list of their biggest risks.

The concerns are fuelled by an escalating number of cyber attacks. In fact, 61% of CIOs report an increase in cyber security attacks/breaches from 2020-21 compared to the preceding two years. For digital transformation of networking, 70% of network engineers say security is the most important focus area, and 31% say network security is their biggest networking priority.

Digital transformation is a priority, but cyber security risk remains. CIOs also understand the importance of the issues. 51% of network engineers say their CIOs have consulted them on investments to deliver digital transformation plans, the highest priority in the survey.

What’s more, 41% of CIOs rank cyber security among their organisation’s most important investment priorities over the next year, with 35% stating it is among the biggest over the next five years. In both cases, cyber security ranks higher than any other factor.

https://www.helpnetsecurity.com/2022/05/31/digital-transformation-cybersecurity-risk/

• Ransomware Gang Now Hacks Corporate Websites To Show Ransom Notes

A ransomware gang is taking extortion to a new level by publicly hacking corporate websites to publicly display ransom notes.

This new extortion strategy is being conducted by Industrial Spy, a data extortion gang that recently began using ransomware. As part of their attacks, Industrial Spy will breach networks, steal data, and deploy ransomware on devices. The threat actors then threaten to sell the stolen data on their Tor marketplace if a ransom is not paid.

When ransomware gangs extort a victim, they typically give them a short window, usually a few weeks, to negotiate and pay a ransom before they start leaking data.

During this negotiation process, the threat actors promise to keep the attack secret, provide a decryption key, and delete all data if a ransom is paid.

After this period, the threat actors will use various methods to increase pressure, including DDoS attacks on corporate websites, emailing customers and business partners, and calling executives with threats.

These tactics are all done privately or with minimal exposure on their data leak sites, which are usually only visited by cyber security researchers and the media.

However, this is the first time we have seen a ransomware gang defacing a website to very publicly display a ransom note.

https://www.bleepingcomputer.com/news/security/ransomware-gang-now-hacks-corporate-websites-to-show-ransom-notes/

• Attackers Are Leveraging Follina, A Critical Microsoft Windows Vulnerability Affecting Nearly All Versions of Windows and Windows Server. What Can You Do?

As the world is waiting for Microsoft to push out a patch for CVE-2022-30190, aka “Follina”, attackers around the world are exploiting the vulnerability in a variety of campaigns.

Microsoft has described CVE-2022-30190 as a Microsoft Windows Support Diagnostic Tool (MSDT) remote code execution vulnerability, confirmed it affects an overwhelming majority of Windows and Windows Server versions, and advised on a workaround to be implemented until a patch is ready.

https://www.helpnetsecurity.com/2022/06/03/patch-cve-2022-30190/

• Ransomware Attacks Need Less Than Four Days To Encrypt Systems

The duration of ransomware attacks in 2021 averaged 92.5 hours, measured from initial network access to payload deployment. In 2020, ransomware actors spent an average of 230 hours to complete their attacks and 1637.6 hours in 2019.

This change reflects a more streamlined approach that developed gradually over the years to make large-scale operations more profitable.

At the same time, improvements in incident response and threat detection have forced threat actors to move quicker, to leave defenders with a smaller reaction margin.

The data was collected by researchers at IBM's X-Force team from incidents analysed in 2021. They also noticed a closer collaboration between initial access brokers and ransomware operators.

Previously, network access brokers might wait for multiple days or even weeks before they found a buyer for their network access.

In addition, some ransomware gangs now have direct control over the initial infection vector, an example being Conti taking over the TrickBot malware operation.

Malware that breaches corporate networks is quickly leveraged to enable post-exploitation stages of the attack, sometimes completing its objectives in mere minutes.

https://www.bleepingcomputer.com/news/security/ransomware-attacks-need-less-than-four-days-to-encrypt-systems/

• 57% Of All Digital Crimes In 2021Were Scams

Group-IB shares its analysis of the landscape of the most widespread cyber threat in the world: scams. Accounting for 57% of all financially motivated cyber crime, the scam industry is becoming more structured and involves more and more parties divided into hierarchical groups.

The number of such groups jumped to a record high of 390, which is 3.5 times more than last year, when the maximum number of active groups was close to 110. Due to SaaS (Scam-as-a-Service), in 2021 the number of cyber criminals in one scam gang increased 10 times compared to 2020 and now reaches 100.

Traffic has become the circulatory system of scam projects: researchers emphasise that the number of websites used for purchasing and providing “grey” and illegal traffic and that lure victims into fraudulent schemes has increased by 1.5 times. Scammers are going into 2022 on a new level of scam attack automation: no more non-targeted users. Scammers are now attracting specific groups of victims to increase conversion rates. Social media are more often becoming the first point of contact between scammers and their potential victims.

https://www.helpnetsecurity.com/2022/05/31/scams-widespread-cyber-threat/

• Intelligence Is Key To Strategic Business Decisions

Businesses have a growing need for greater relevance in the intelligence they use to inform critical decision-making. Currently just 18% of professionals responsible for security, risk, or compliance in their organisation feel that the intelligence they receive is “very specific and focused on their business”, a S-RM research reveals.

6 in 10 respondents also say the intelligence they receive takes too much time to analyse, meaning it does not always result in better informed decision making. This was the top reason behind dissatisfaction with external intelligence, identified by over 200 professionals working at companies with revenues of over $250 million.

The second most likely reason was that information was not tailored to business needs (47%), followed by too much information (35%).

Growing demand for the use of strategic intelligence has been prompted by increasing cyber (51%) and regulatory concerns (50%). And while these two factors have been climbing the boardroom agenda for years, geopolitical uncertainty has made the need to respond to these developments more acute. In particular, the Russia-Ukraine conflict has created a complex sanctions regime for businesses to operate.

Additionally, navigating the complexities of the COVID-19 pandemic has been a key challenge for businesses in the past three years, with 40% citing this as a catalyst in driving a growing need for strategic intelligence.

https://www.helpnetsecurity.com/2022/06/03/intelligence-decision-making/

• How Cyber Criminals Are Targeting Executives At Home And Their Families

Top executives and their families are increasingly being targeted on their personal devices and home networks, as sophisticated threat actors look for new ways to bypass corporate security and get direct access to highly sensitive data.

https://www.helpnetsecurity.com/2022/06/01/cybercriminals-targeting-executives-video/

Threats

Ransomware

• Cyber criminals Expand Attack Radius and Ransomware Pain Points | Threatpost

• FBI, CISA warn: Don't get caught in Karakurt's web • The Register

• Conti ransomware targeted Intel firmware for stealthy attacks (bleepingcomputer.com)

• GoodWill Ransomware victims have to perform socially driven activities to decryption their dataSecurity Affairs

• YourCyanide Ransomware Propagates With PasteBin, Discord, Microsoft Links (darkreading.com)

• Conti Leaks Reveal Ransomware Gang's Interest in Firmware-based Attacks (thehackernews.com)

• Evil Corp switches to LockBit ransomware to evade sanctions (bleepingcomputer.com)

• Ransomware attack sends New Jersey county back to 1977 • The Register

• Ransomware roundup: System-locking malware dominates headlines | CSO Online

• What if ransomware evolved to hit IoT in the enterprise? • The Register

• How Costa Rica found itself at war over ransomware | CSO Online

• Experts warn of ransomware attacks on government orgs of small states - Security Affairs

• Foxconn confirms ransomware attack disrupted production in Mexico (bleepingcomputer.com)

• Hanesbrands says it suffered a ransomware attack on May 24 and has informed law enforcement - MarketWatch

• Why Ransomware Timeline Shrinks By 94%? – Information Security Buzz

• Hundreds of Elasticsearch databases targeted in ransom attacks (bleepingcomputer.com)

BEC – Business Email Compromise

• Why Stopping Business Email Compromise (BEC) Needs To Be A Priority For MSPs - MSSP Alert

• Language-based BEC attacks rising - Help Net Security

Phishing & Email Based Attacks

• Watch out for phishing emails that inject spyware trio • The Register

• Existential Phishing Schemes | The New Yorker

• Telegram’s blogging platform abused in phishing attacks (bleepingcomputer.com)

Other Social Engineering

• Hacker steals Verizon employee database after tricking worker into granting remote access (bitdefender.com)

• Vishing attacks: What they are and how organisations can protect themselves - Help Net Security

• Beware the Smish! Home delivery scams with a professional feel… – Naked Security (sophos.com)

Malware

• New XLoader Botnet Version Using Probability Theory to Hide its C&C Servers (thehackernews.com)

• LuoYu APT delivers WinDealer malware via man-on-the-side attacks - Security Affairs

• EnemyBot malware adds enterprise flaws to exploit arsenal • The Register

• Researchers Uncover Malware Controlling Thousands of Sites in Parrot TDS Network (thehackernews.com)

• Logic bombs explained: Definition, examples, and prevention | CSO Online

Mobile

• Top 10 Android banking trojans target apps with 1 billion downloads (bleepingcomputer.com)

• WhatsApp accounts hijacked by call forwarding | Malwarebytes Labs

• SideWinder Hackers Use Fake Android VPN Apps to Target Pakistani Entities (thehackernews.com)

• SMSFactory Android malware sneakily subscribes to premium services (bleepingcomputer.com)

• Phishers Having a Field Day on WhatsApp, Telegraph (darkreading.com)

• Apple blocked 1.6 millions apps from defrauding users in 2021 (bleepingcomputer.com)

Organised Crime & Criminal Actors

• FBI warns of Ukrainian charities impersonated to steal donations (bleepingcomputer.com)

• Euro Cops Bust $47m Money Laundering Operation - Infosecurity Magazine (infosecurity-magazine.com)

• Three Nigerian Users of Agent Tesla RAT Arrested | SecurityWeek.Com

Cryptocurrency/Cryptomining/Cryptojacking/NFTs

• Americans report losing over $1 billion to cryptocurrency scams (bleepingcomputer.com)

• Clipminer malware gang stole $1.7M by hijacking crypto payments (bleepingcomputer.com)

• Bored Ape Yacht Club, Otherside NFTs stolen in Discord server hack (bleepingcomputer.com)

• WatchDog hacking group launches new Docker cryptojacking campaign (bleepingcomputer.com)

Fraud, Scams & Financial Crime

• $39.5 billion lost to phone scams in last year - Help Net Security

• Fast loan scam: Here's how it works and why Lloyds Bank has put out an urgent warning | This is Money

• Britain's biggest bank issues 'urgent warning' over new scam (telegraph.co.uk)

• Scams account for most of all financially motivated cyber crime - Help Net Security

AML/CFT/Sanctions

• Evil Corp Pivots LockBit to Dodge US Sanctions | Threatpost

Supply Chain and Third Parties

• To better manage cyber security risk, extend zero-trust principles to third parties | TechCrunch

Denial of Service DoS/DDoS

• DDoS threats growing in sophistication, size, and frequency - Help Net Security

• DDoS attackers continue to innovate, devising new threats and altering attack strategies - Help Net Security

Open Source

• Linux malware is on the rise—6 types of attacks to look for | CSO Online

• The Open Source Software Security Mobilization Plan: Takeaways for security leaders | CSO Online

Privacy

• Vodafone plans carrier-level user tracking for targeted ads (bleepingcomputer.com)

• Europe's hope to scan devices for unlawful files criticized • The Register

Passwords & Credential Stuffing

• Why are many businesses still not using a password manager? - Help Net Security

Regulations, Fines and Legislation

• ExpressVPN Removes Servers in India After Refusing to Comply with Government Order (thehackernews.com)

Spyware, Espionage & Cyber Warfare, including Russian Invasion of Ukraine

• NSA general confirms US offensive cyber ops in Ukraine war • The Register

• Deadly Secret: Electronic Warfare Shapes Russia-Ukraine War | SecurityWeek.Com

• Anonymous: Operation Russia after 100 days of war - Security Affairs

• Chinese LuoYu hackers deploy cyber-espionage malware via app updates (bleepingcomputer.com)

Nation State Actors

Nation State Actors – Russia

• Germany issues fresh warning to banks of cyber attacks due to Ukraine war | Reuters

Nation State Actors – China

• China-linked TA413 group actively exploits Microsoft Follina Zero-Day flawSecurity Affairs

• Chinese state media propaganda found in 88% of Google, Bing news searches - CyberScoop

• Chinese LuoYu Hackers Using Man-on-the-Side Attacks to Deploy WinDealer Backdoor (thehackernews.com)

• How Beijing’s surveillance cameras crept into Britain’s corridors of power (telegraph.co.uk)

Nation State Actors – North Korea

• The day the NHS was held to ransom by North Korean cyber hackers (telegraph.co.uk)

Nation State Actors – Iran

• Microsoft Disables Iran-Linked Lebanese Hacking Group Polonium (darkreading.com)

• Iranian hackers planned attack on Boston Children's Hospital last summer, FBI director says - CyberScoop

Nation State Actors – Misc APT

• Microsoft blocks Polonium hackers from using OneDrive in attacks (bleepingcomputer.com)

• Snake carried out over 1,000 attacks since April 2020 - Security Affairs

• SideWinder Hackers Launched Over a 1,000 Cyber Attacks Over the Past 2 Years (thehackernews.com)

Vulnerability Management

• Focus resources on patching most threatening vulns: research • The Register

Vulnerabilities

• CISA adds 75 vulnerabilities to catalogue in 3 days- IT Security Guru

• Fighting Follina: Application Vulnerabilities and Detection Possibilities (darkreading.com)

• Yet another zero-day (sort of) in Windows “search URL” handling – Naked Security (sophos.com)

• Microsoft Releases Workarounds for Office Vulnerability Under Active Exploitation (thehackernews.com)

• Actively Exploited Atlassian Zero-Day Bug Allows Full System Takeover (darkreading.com)

• Microsoft Azure vulnerabilities pose new cloud security risk - Protocol

• GitLab Issues Security Patch for Critical Account Takeover Vulnerability (thehackernews.com)

• New Unpatched Horde Webmail Bug Lets Hackers Take Over Server by Sending Email (thehackernews.com)

Sector Specific

Financial Services Sector

• Germany issues fresh warning to banks of cyber attacks due to Ukraine war | Reuters

Government

• Experts warn of ransomware attacks on government orgs of small states - Security Affairs

Health/Medical/Pharma Sector

• Twice as Many Healthcare Organisations Now Pay Ransom - Infosecurity Magazine

• Novartis says no sensitive data was compromised in cyber attack (bleepingcomputer.com)

• Costa Rica’s public health agency hit by Hive ransomware (bleepingcomputer.com)

Transport and Aviation

• Turkish airline suffers 6.5TB data leak - IT Security Guru

CNI, OT, ICS, IIoT and SCADA

• Vendor Refuses to Remove Backdoor Account That Can Facilitate Attacks on Industrial Firms | SecurityWeek.Com

• Industrial IoT ransomware attacks control systems directly (scmagazine.com)

• Researchers Demonstrate Ransomware for IoT Devices That Targets IT and OT Networks (thehackernews.com)

Food and Agriculture

• JBS Foods cyber attack highlights industry vulnerabilities to Russian hackers - ABC News

Web3

• Why web3 companies get hacked so often, according to crypto VC Grace Isford | TechCrunch

Other News

• How Failing to Prioritize Cyber Security can Hurt Your Company (analyticsinsight.net)

• Cyber security needs a whole-of-society effort | The Hill

• 40% of enterprises don't include business-critical systems in their cyber security monitoring - Help Net Security

• Bad news: The cyber security skills crisis is about to get even worse | ZDNet

• Nearly Three-Quarters of Firms Suffer Downtime from DNS Attacks - Infosecurity Magazine

• CIOs and network engineers rank cyber security among the biggest risks - Help Net Security

• How USB Drives Can Be a Danger to Your Computer (howtogeek.com)

• Australian digital driver's licenses hackable in minutes • The Register

• Over 3.6 million MySQL servers found exposed on the Internet (bleepingcomputer.com)

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

Many Organisations Lack Basic Cyber Hygiene Despite High Confidence In Their Cyber Defences

A new report released this week analysed IT security leaders’ perceived threat of ransomware attacks and the maturity of their cyber security defences. The report found that while 81% of those surveyed consider their security to be above average or exceptional, many lack basic cyber hygiene – 41% lack a password complexity requirement, one of the cheapest, easiest forms of protection, and only 55.6% have implemented multi-factor authentication (MFA). https://www.helpnetsecurity.com/2021/10/21/organizations-cyber-hygiene/

83% Of Ransomware Victims Paid Ransom

A new survey of 300 US-based IT decision-makers found that 64% have been victims of a ransomware attack in the last 12 months, and 83% of those attack victims paid the ransom demand.

Cybersecurity company ThycoticCentrify released its "2021 State of Ransomware Survey & Report" on Tuesday, featuring the insights of IT leaders who have dealt with ransomware attacks over the last year. https://www.zdnet.com/article/83-of-ransomware-victims-paid-ransom-survey/

Ransomware Affected 72% Of Organisations In Past Year

72% of organisations were affected by ransomware at least once within the past twelve months, with 18% impacted more than six times in the past year. Organizations of all sizes were affected nearly to the same extent, with the exception of those with more than 25,000 employees. https://venturebeat.com/2021/10/20/report-ransomware-affected-72-of-organizations-in-past-year/

Ransomware: Looking For Weaknesses In Your Own Network Is Key To Stopping Attacks

Ransomware is a major cybersecurity threat to organisations around the world, but it's possible to reduce the impact of an attack if you have a thorough understanding of your own network and the correct protections are in place.

While the best form of defence is to stop ransomware infiltrating the network in the first place, thinking about how the network is put together can help slow down or stop the spread of an attack, even if the intruders have successfully breached the perimeter. https://www.zdnet.com/article/ransomware-looking-for-weaknesses-in-your-own-network-is-key-to-stopping-attacks/

A Hacker Warns: Give Up Trying To Keep Me Out — And Focus On Your Data

There is a misconceived notion that the security arena is a battlefield. It is not. It is a chess board and requires foresight and calculated pawn placement to protect the king — your data. If your main focus lies on keeping hackers out of your environment, then it’s already check mate. Your mission should be to buy time, slow hackers down and ultimately contain an attack.

Businesses must therefore make it as hard as possible for adversaries to exploit the relationships that allow them to move laterally through the corporate network. They can do this by distrusting anyone within their data’s environment and repeatedly corroborating that all users are who they say they are, and that they act like it too. That last part is crucial, because while identities are easy to compromise and imitate, behaviours are not. https://www.ft.com/content/93cec8b6-3fe9-4e9e-800a-62e13a0e2eac

Cyber Risk Trends Driving The Surge In Ransomware Incidents

During the COVID-19 crisis, another outbreak took place in the cyber space: a digital pandemic driven by ransomware. In a recent report, Allianz Global Corporate & Specialty (AGCS) analyzes the latest risk developments around ransomware and outlines how companies can strengthen their defenses with good cyber hygiene and IT security practices

The increasing frequency and severity of ransomware incidents is driven by several factors:

·         Growing number of different attack patterns such as double and triple extortion campaigns

·         Criminal business model around ‘ransomware as a service’ and cryptocurrencies

·         Recent skyrocketing of ransom demands

·         Rise of supply chain attacks.

Not all attacks are targeted. Criminals also adopt a scattergun approach to exploit those businesses that aren’t addressing or understanding the vulnerabilities they may have. Businesses must understand the need to strengthen their controls.

Cyber intrusion activity globally jumped 125% in the first half of 2021 compared to the previous year, according to Accenture, with ransomware and extortion operations one of the major contributors behind this increase. According to the FBI, there was a 62% increase in ransomware incidents in the US in the same period that followed an increase of 20% for the full year 2020. https://www.helpnetsecurity.com/2021/10/18/five-ransomware-trends/

US Ransomware Victims Paid $600 Million to Hackers in 1H of 2021

US Ransomware victims coughed up nearly $600 million to cyber hijackers in the first six months of 2021, further stamping cyber extortionists as an “increasing threat” to the U.S. financial, business and public sectors, a recent report released by the Treasury Department said.

Data gathered by the Financial Crimes Enforcement Network (FinCEN) derived from financial institutions’ Suspicious Activity Reports (SARs) revealed that the 635 reports filed for the first six months of this year is already 30 percent greater than the 487 filed for all of last year. Some 458 financial transitions have been reported as of June 30, 2021 with the total value of suspicious activity reported in ransomware-related SARs during the first six months of 2021 amounting to $590 million, or 42 percent more than the $416 million filed for all of 2020. https://www.msspalert.com/cybersecurity-research/victims-paid-600-millon-1h-2021/

Hacking Group Created Fake Cyber Security Companies To Hire Experts And Involve Them In Ransomware Attacks Tricking Them Of Conducting A Pentest

The FIN7 hacking group is attempting to enter in the ransomware business and is doing it with an interesting technique. The gang is creating fake cyber security companies that hire experts requesting them to carry out pen testing attacks under the guise of pentesting activities.

FIN7 is a Russian criminal group that has been active since mid-2015, it focuses on restaurants, gambling, and hospitality industries in the US to harvest financial information that was used in attacks or sold in cybercrime marketplaces.

One of the companies created by the cyber criminal organizations with this purpose is Combi Security, but researchers from Gemini Advisory discovered other similar organizations by analyzing the site of another fake cybersecurity company named Bastion Security. https://securityaffairs.co/wordpress/123673/cyber-crime/fin7-fake-cybersecurity-firm.html

Nearly Three-Quarters of Organisations Victimized by DNS Attacks in Past 12 Months

Domain name system (DNS) attacks are impacting organizations at worrisome rates. According to a new survey from the Neustar International Security Council (NISC) conducted in September 2021, 72% of study participants reported experiencing a DNS attack within the last 12 months. Among those targeted, 61% have seen multiple attacks and 11% said they have been victimized regularly. While one-third of respondents recovered within minutes, 58% saw their businesses disrupted for more than an hour, and 14% took several hours to recover. https://www.darkreading.com/attacks-breaches/nearly-three-quarters-of-organizations-victimized-by-dns-attacks-in-past-12-months

Cyber Crime Matures As Hackers Are Forced To Work Smarter

An analysis of 500 hacking incidents across a wide range of industries has revealed trends that characterize a maturity in the way hacking groups operate today.

Researchers at Kaspersky have focused on the Russian cybercrime underground, which is currently one of the most prolific ecosystems, but many elements in their findings are common denominators for all hackers groups worldwide.

One key finding of the study is that the level of security on office software, web services, email platforms, etc., is getting better, browser vulnerabilities have reduced in numbers, and websites are not as easy to compromise and use as infection vectors today.

This has resulted in making web infections too difficult to pursue for non-sophisticated threat groups.

The case is similar with vulnerabilities, which are fewer and more expensive to discover.

Instead, hacking groups are waiting for a PoC or patch to be released, and then use that information to create their own exploits. https://www.bleepingcomputer.com/news/security/cybercrime-matures-as-hackers-are-forced-to-work-smarter/

Hackers Stealing Browser Cookies to Hijack High-Profile YouTube Accounts

Since at least late 2019, a network of hackers-for-hire have been hijacking the channels of YouTube creators, luring them with bogus collaboration opportunities to broadcast cryptocurrency scams or sell the accounts to the highest bidder.

That's according to a new report published by Google's Threat Analysis Group (TAG), which said it disrupted financially motivated phishing campaigns targeting the video platform with cookie theft malware. The actors behind the infiltration have been attributed to a group of hackers recruited in a Russian-speaking forum. https://thehackernews.com/2021/10/hackers-stealing-browser-cookies-to.html

Threats

Ransomware

• 2021 Ransomware Transactions Already Exceed 2020 Numbers, Treasury Department Says - CyberScoop

• Ransomware: US Financial Institutions Report Major Increase In Payments To Cybercriminals - CNNpolitics

• DarkSide Ransomware Rushes To Cash Out $7 Million In Bitcoin (Bleepingcomputer.Com)

• Gigabyte Allegedly Hit by AvosLocker Ransomware | Threatpost

• Evil Corp Demands $40 Million In New Macaw Ransomware Attacks (Bleepingcomputer.com)

• Olympus US Hack Tied To Sanctioned Russian Ransomware Group | Techcrunch

• 81% of UK Healthcare Organizations Hit by Ransomware in Last Year - Infosecurity Magazine

BEC

• BEC Attacks: Scammers' Latest Tricks - Help Net Security

• Palo Alto Warns of BEC-As-A-Service | ZDNet

Phishing

• This Monster Of A Phishing Campaign Is After Your Passwords | ZDNet

Malware

• Cyber Criminals Have Found A Way To Get Their Malware Certified By Microsoft | Techradar

• Watch Out: ‘Squid Game’ Malware Hits Google Play As Hundreds Of Unofficial Apps Flood Store (forbes.com)

• Minecraft Declared The Most Malware-Infected Game (Hackread.Com)

Mobile

• Experts Hacked A Fully Patched iOS 15 Running On iPhone 13 At Tianfu Cup - Security Affairs

Vulnerabilities

• Update Now! Chrome Fixes More Security Issues - Malwarebytes Labs

• Patch PowerShell Now, Microsoft Tells Admins | TechRadar

• A Flaw In WinRAR Could Lead To Remote Code Execution - Security Affairs

• Injection Vulnerabilities In Popular WordPress Plugin Could Expose Credentials, Allow Admin Access | The Daily Swig (Portswigger.Net)

• SQL Is The Top Critical Risk In The Web Application Layer In Q3, 2021 - IT Security Guru

Data Breaches/Leaks

• Data Scrapers Expose 2.6 Million Instagram and TikTok Users - Infosecurity Magazine

Organised Crime & Criminal Actors

• Criminals Use Fake AI Voice To Swindle UAE Bank Out Of $35m • The Register

Insider Threats

• Most Employees Believe Backing Up Company Data Is Not Their Problem - Help Net Security

Dark Web

• The Dark Web Has Become Darker And Busier, Cyber Crime Services Cost Less Than $500 | Techspot

• Increased Activity Surrounding Stolen Data On The Dark Web - Help Net Security

• The Truth About The Dark Web's Secret Red Rooms (grunge.com)

Supply Chain

• Supply Chain Cybersecurity Breaches Have Hit Alarming Percentage Of Firms: Survey | Fox Business

OT, ICS, IIoT and SCADA

• Shared Responsibility Key to Protecting Critical Infrastructure - Infosecurity Magazine

Nation State Actors

• State-Backed Hackers Breach Telcos With Custom Malware (Bleepingcomputer.Com)

• Suspected Chinese Hackers Behind Attacks On Ten Israeli Hospitals (Bleepingcomputer.Com)

Cloud

• Russian Cyber-Criminals Switch to Cloud - Infosecurity Magazine

Privacy

• Over 80% of Brits Deluged with Scam Calls and Texts - Infosecurity Magazine

• How mobile devices can be tracked via Bluetooth analysis • The Register

• Brave Ditches Google For Its Own Privacy-Centric Search Engine (Bleepingcomputer.Com)

• A Massive ‘Stalkerware’ Leak Puts The Phone Data Of Thousands At Risk | Techcrunch

Reports Published in the Last Week

• Ransomware Report: State of Ransomware Survey & Report (thycotic.com)

Other News

• The Simmering Cybersecurity Risk of Employee Burnout (darkreading.com)

• Acer Hacked Twice In A Week By The Same Threat Actor (Bleepingcomputer.Com)

• Threat Actors Abusing Discord to Spread Malware - Infosecurity Magazine

• Mysterious Hacking Group Is Quietly Breaking Into Global Telecommunications Networks, Research Finds | Sky News

• Hacker Steals Government Id Database For Argentina's Entire Population - The Record By Recorded Future

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

World’s Biggest Meat Producer JBS Pays $11m Cyber Crime Ransom

JBS, the world’s biggest meat processor, has paid an $11m (£7.8m) ransom after a cyber attack shut down operations, including abattoirs in the US, Australia and Canada. While most of its operations have been restored, the Brazilian-headquartered company said it hoped the payment would head off any further complications including data theft. JBS, which supplies more than a fifth of all beef in the US, reportedly made the payment in bitcoin.

https://www.theguardian.com/business/2021/jun/10/worlds-biggest-meat-producer-jbs-pays-11m-cybercrime-ransom

Jackware: A New Type Of Ransomware Could Be 10 Times As Dangerous

Between the attacks on Colonial Pipeline and JBS, which disrupted nearly half of the East Coast’s gasoline supply for a week and threatened 20% of the U.S. meat market, respectively, consumers are finally experiencing the first physical impacts to their daily lives from cyber attacks. As bad as these attacks are, they could get a lot worse. Cyber criminals are constantly evolving, and what is keeping many security professionals up at night is the growing risk of “jackware” — a new type of ransomware that could be 10 times more dangerous because instead of encrypting Windows computers and servers. Jackware hijacks the actual physical devices and machines that make modern life possible. It’s only a matter of when we will see these attacks happen

https://finance.yahoo.com/news/ransomware-jackware-115229732.html?soc_src=social-sh&soc_trk=tw&tsrc=twtr

Lewd Phishing Lures Aimed At Business Explode

Attackers have amped up their use of X-rated phishing lures in business email compromise (BEC) attacks. A new report found a stunning 974-percent spike in social-engineering scams involving suggestive materials, usually aimed at male-sounding names within a company. The Threat Intelligence team with GreatHorn made the discovery and explained it’s not simply libido driving users to click on these suggestive scams. Instead, these emails popping up on people’s screens at work are intended to shock the user, opening the door for them to make a reckless decision to click. It’s a tactic GreatHorn called “dynamite phishing.”

https://threatpost.com/lewd-phishing-lures-business-explode/166734/

UK Schools Forced To Shut Following Critical Ransomware Attack

Two schools in the south of England have been forced to temporarily close their doors after a ransomware attack that encrypted and stole sensitive data. The Skinners' Kent Academy and Skinners' Kent Primary School were attacked on June 2, according to a statement on the trust’s website which said it is currently working with third-party security experts, the police, and the National Cyber Security Centre (NCSC). It revealed that on-premises servers were targeted at the Tunbridge Well-based schools. As student and staff emergency contact details, medical records, timetables, and registers were encrypted by the attackers, the decision was taken to close on Monday.

https://www.infosecurity-magazine.com/news/schools-shut-ransomware-attacl/

Emerging Ransomware Targets Dozens Of Businesses Worldwide

An emerging ransomware strain in the threat landscape claims to have breached 30 organisations in just four months since it went operational by riding on the coattails of a notorious ransomware syndicate. First observed in February 2021, "Prometheus" is an offshoot of another well-known ransomware variant called Thanos, which was previously deployed against state-run organisations in the Middle East and North Africa last year. The affected entities are believed to be government, financial services, manufacturing, logistics, consulting, agriculture, healthcare services, insurance agencies, energy and law firms in the U.S., U.K., and a dozen more countries in Asia, Europe, the Middle East, and South America.

https://thehackernews.com/2021/06/emerging-ransomware-targets-dozens-of.html

COVID-19 Has Transformed Work, But Cyber Security Is Not Keeping Pace, Report Finds

An international survey of tech professionals from the Thales Group finds some bleak news for the current state of data security: the COVID-19 pandemic has upended cyber security norms, and security teams are struggling to keep up. The problems appear to be snowballing; lack of preparation has led to a scramble resulting in poor data protection practices, outdated security infrastructure not receiving needed overhauls, a jumble of new systems that only make matters worse and priority misalignment between security teams and leadership.

https://www.techrepublic.com/article/covid-19-has-transformed-work-but-cybersecurity-isnt-keeping-pace-report-finds/

Colonial Pipeline Ransomware Attack Was The Result Of An Old VPN Password

It took only one dusty, no-longer-used password for the DarkSide cyber criminals to breach the network of Colonial Pipeline Co. last month, resulting in a ransomware attack that caused significant disruption and remains under investigation by the U.S. government and cyber security experts. Attackers used the password to a VPN account that was no longer in use but still allowed them to remotely access Colonial Pipeline’s network, Charles Carmakal, senior vice president at FireEye’s cyber security consulting firm Mandiant, told Bloomberg in an interview, according to a published report on the news outlet’s website.

https://threatpost.com/darkside-pwned-colonial-with-old-vpn-password/166743/

Evil Corp Rebrands Ransomware To Escape Sanctions

Threat actors behind a notorious Russian cyber crime group appear to have rebranded their ransomware once again in a bid to escape US sanctions prohibiting victims from paying them. Experts took to Twitter to point out that a leak site previously run by the Babuk group, which famously attacked Washington DC’s Metropolitan Police Department (MPD), had rebranded to “PayloadBin.” The Babuk group claimed that it was shutting down its affiliate model for encrypting victims and moving to a new model back in April. A ‘new’ ransomware variant with the same name has also been doing the rounds of late, but according to CTO of Emsisoft, Fabian Wosar, it’s nothing more than a copycat effort by Evil Corp.

https://www.infosecurity-magazine.com/news/evil-corp-rebrands-ransomware/

Billions Of Passwords Leaked Online From Past Data Breaches

A list of leaked passwords discovered on a hacker forum may be one of the largest such collections of all time. A 100GB text file leaked by a user on a popular hacker forum contains 8.4 billion passwords, likely gathered from past data breaches.

https://www.techrepublic.com/article/billions-of-passwords-leaked-online-from-past-data-breaches/

Threats

Ransomware

• Emerging 'Prometheus' Ransomware Claims 30 Victims In A Dozen Countries, Palo Alto Networks Says

• Ransomware Gangs Are Increasingly Going After SonicWall Devices

• A Deep Dive Into Nefilim, A Ransomware Group With An Eye For $1BN+ Revenue Companies

• Fujifilm Refuses To Pay Ransomware Demand, Restores Network From Backups

Phishing

• New Sophisticated Email-Based Attack From Nobelium

• Phishing Emails Remain In User Inboxes Over 3 Days Before They're Removed

• This Phishing Email Is Pushing Password-Stealing Malware To Windows PCs

Other Social Engineering

• Dangerous Connections: Sextortion Scams Soar During Lockdown, ITV News Investigation Finds

• WhatsApp Hijack Scam Continues To Spread

Malware

• Pirated Games Helped A Malware Campaign Compromise 3.2 Million PCs

• Steam Gaming Platform Hosting Malware

• Mystery Malware Steals 26M Passwords From Millions Of PCs. Are You Affected?

• Unit 42 Discovers First Known Malware Targeting Windows Containers

• Freakout Malware Worms Its Way Into Vulnerable VMware Servers

Mobile

• Android Banking Malware Sharply Increased In The First Chunk Of 2021, Reckons ESET

Vulnerabilities

• Microsoft June 2021 Patch Tuesday: 50 Vulnerabilities Patched, Six Zero-Days Exploited In The Wild

• Adobe Issues Security Updates For 41 Vulnerabilities In 10 Products

• Update Google Chrome Right Now To Avoid A Zero-Day Vulnerability

• Puzzlemaker Attacks Exploit Windows Zero-Day, Chrome Vulnerabilities

• Another Brick In The Wall: eCrime Groups Leverage SonicWall VPN Vulnerability

• Google Patches Critical Android RCE Bug

• Intel Plugs 29 Holes In CPUs, Bluetooth, Security

• Critical Zero-Day Vulnerabilities Found In ‘Unsupported’ Fedena School Management Software

• Microsoft Office MSGraph Vulnerability Could Lead To Code Execution

• WordPress Force Installs Jetpack Security Update On 5 Million Sites

Data Breaches

• EA Got Hit By A Data Breach, And Hackers Are Selling Source Code

• Dutch Pizza Chain Discloses Breach After Hacker Tries To Extort Company

Organised Crime & Criminal Actors

• ANOM: Hundreds Arrested In Massive Global Crime Sting Using Messaging App

Cryptocurrency

• Bitcoin Falls After US Seizes Most Of Colonial Ransom

• Crypto Currency Dealers Face Closure For Failing Uk Money Laundering Test

Nation State Actors

• Gelsemium: When Threat Actors Go Gardening

• Security Researcher Says Attacks On Russian Government Have Chinese Fingerprints – And Typos, Too

• Novel ‘Victory’ Backdoor Spotted In Chinese APT Campaign

• Chinese Hackers Using Previously Unknown Backdoor

Denial of Service

• ‘Fancy Lazarus’ Cyber Attackers Ramp Up Ransom DDoS Efforts

• DDoS Attacks Increase 341% Amid Pandemic

Charities

• Hackers Stole $650,000 From Nonprofit And Got Away

Other News

• US Investigates Leak Of Records Showing Billionaires Pay Little Tax

• Most Mobile Finance Apps Vulnerable To Data Breaches

• Many Executives Still Don't Understand Basic Tech

• The Rise Of Cyber Security Debt

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.