Threat Intelligence Blog
Contact us to discuss any insights from our Blog, and how we can support you in a tailored threat intelligence report.
Black Arrow Cyber Advisory 14 June 2023 – June Microsoft Patch Tuesday Addresses 78 Security Issues, 6 Critical Updates
Black Arrow Cyber Advisory 14 June 2023 – June Microsoft Patch Tuesday Addresses 78 Security Issues, 6 Critical Updates
Executive summary
Microsoft’s June Patch Tuesday provides updates to address 78 security issues across its product range, including 6 critical vulnerabilities. June’s patch Tuesday does not include any zero-day vulnerabilities or actively exploited bugs. The critical vulnerabilities include privilege escalation in Microsoft SharePoint, remote code execution in Microsoft Exchange Server, Windows PGM, .NET, .NET Framework and Visual Studio and finally, a denial of service in Windows Hyper-V.
What’s the risk to me or my business?
The vulnerabilities, if actively exploited allow an attacker to gain system privileges, remotely execute code and cause a denial of service compromising the confidentiality, integrity and availability of data stored by an organisation.
What can I do?
Security updates are available for all supported versions of Windows impacted. The updates should be applied as soon as possible, especially those that have a critical severity rating.
Further details on other specific updates within this patch Tuesday can be found here: https://www.ghacks.net/2023/06/13/the-windows-june-2023-security-patches-are-here-and-address-these-issues/
Need help understanding your gaps, or just want some advice? Get in touch with us.
#threatadvisory #threatintelligence #cybersecurity
Black Arrow Cyber Advisory 03/10/2022 – Microsoft Exchange Zero-Days
Black Arrow Cyber Advisory 03/10/2022 – Microsoft Exchange Zero-Days
Updated on 02/11/2022 to reflect the updated mitigation from Microsoft
Updated on 04/10/2022 with additional information on Mitigations and risk to Hybrid Cloud setups.
Updated on 05/10/2022 with updated information on Mitigations from Microsoft
Executive Summary
Two zero-day vulnerabilities have been identified which affect Microsoft Exchange on-premises servers. One of the zero-days allow an attacker to remotely trigger the second zero-day, which would allow a malicious actor to remotely execute code on the server. Both vulnerabilities require authentication with the exchange server, meaning that the attacker would need to already have standard user working credentials.
What’s the risk to me or my business?
Successful exploitation of these vulnerabilities would grant an attacker the ability to remotely execute code on the underlying server, allowing them to perform reconnaissance on the environment and exfiltrate data off the network.
What can I do?
Microsoft is currently working on patches for the vulnerabilities and has released mitigations which are detailed below. Microsoft also recommends disabling remote PowerShell access for non-administrator users to further lower the attack surface. Update: Security researchers have identified that affected Exchange servers are still vulnerable with the Microsoft recommended mitigations in place, and recommend using a more specific block URL when applying the Microsoft Mitigation: “(?=.*autodiscover)(?=.*powershell)” Update 2: Microsoft has updated their mitigation guidance and associated scripts. Please see the “Customer Guidance for Reported Zero-Day” linked below for the latest guidance.
Technical Summary
Microsoft Exchange Online users are not affected by this vulnerability. Update: Hybrid setups which combine Exchange Online with Exchange on-premise are vulnerable to exploitation. The first vulnerability CVE-2022-41040, is a Server-Side Request Forgery (SSRF) Vulnerability, which allows an authenticated attacker to remotely trigger the second vulnerability, which is identified as CVE-2022-41082, and allows Remote Code Execution (RCE) through PowerShell.
Further information on the zero-day vulnerabilities can be found here: Warning: New attack campaign utilized a new 0-day RCE vulnerability on Microsoft Exchange Server | Blog | GTSC - Cung cấp các dịch vụ bảo mật toàn diện (gteltsc.vn) with the recommended mitigations are available here Update 2: this link has been updated by Microsoft with the latest guidance: : Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server – Microsoft Security Response Center Update: Information on latest recommended mitigations can be found here: Microsoft Exchange server zero-day mitigation can be bypassed (bleepingcomputer.com)
Need help understanding your gaps, or just want some advice? Get in touch with us.
Black Arrow Cyber Advisory 26/04/2022 – Actively exploited vulnerability affecting Microsoft Exchange Server (on-premise)
Black Arrow Cyber Advisory 26/04/2022 – Actively exploited vulnerability affecting Microsoft Exchange Server (on-premise)
Executive Summary
A vulnerability which was previously disclosed in May 2021 and confirmed to be actively exploited in August 2021 is still being actively exploited by malicious actors on Microsoft Exchange systems that have not been patched. This vulnerability can be exploited by any compromised user account that can access an unpatched exchange server using PowerShell, and is a potential ingress point for further attacks including ransomware. This vulnerability relates to Microsoft Exchange instances that are either ‘on premises’, importantly this includes any IT provider hosted private cloud instances.
What’s the risk to my business?
The initial exploit required related CVE notices for the three vulnerabilities known as ‘ProxyShell’ were classified as two critical and one medium. However, it is now being actively exploited with only the medium vulnerability used to deliver ransomware attacks to unpatched systems. The compromised account does not need administrative access and could be any account which makes phishing a very likely vector for initial compromise.
What can I do?
If your business is using Microsoft Exchange on-premise, ensure that the appropriate security updates have been applied. If Microsoft Exchange is being hosted by an MSP, then ensure that the MSP confirms the vulnerabilities have been patched. As these security updates are for Exchange which facilitates business email, the application of these patches can involve system downtime. Since these vulnerabilities are being actively exploited it is now recommended that the patches are applied as soon as possible.
Technical Summary
The following Microsoft Exchange products are affected by this vulnerability: Microsoft Exchange Server 2019, 2016 and 2013. To address this, KB5003435 was issued which targets four CVE vulnerabilities: CVE-2021-31195, CVE-2021-31198, CVE-2021-31207 and CVE-2021-31209.
Further information on the security update can be found here, including the specific updates for different systems, and troubleshooting steps if the update is not applying correctly. Details on each individual CVE can also be found through this link: Description of the security update for Microsoft Exchange Server 2019, 2016, and 2013: May 11, 2021 (KB5003435)
Need help understanding your gaps, or just want some advice? Get in touch with us.
Black Arrow Cyber Threat Briefing 01 April 2022
Black Arrow Cyber Threat Briefing 01 April 2022
-One Tenth of UK Staff Bypass Corporate Security
-Majority Of Data Security Incidents Caused by Insiders
-One-Third of UK Firms Suffer A Cyber Attack Every Week
-Russia's Cyber Criminals Fear Sanctions Will Erase Their Wealth
-86% Of Organisations Believe They Have Suffered a Nation-State Cyber Attack
-Multiple Hacking Groups Are Using the War in Ukraine As A Lure In Phishing Attempts
-4 Ways Attackers Target Humans to Gain Network Access
-Security Incidents Reported to FCA Surge 52% in 2021
-NCSC Suggests Rethinking Russian Supply Chain Risks
-25% Of Workers Lost Their Jobs In The Past 12 Months After Making Cyber Security Mistakes: Report
-Attackers Compromise 94% Of Critical Assets Within Four Steps Of Initial Breach
-UK Spy Chief Warns Russia Looking for Cyber Targets
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
One Tenth of UK Staff Bypass Corporate Security
A new study from Cisco has found that a tenth of UK employees actively circumvent their organisation’s security measures.
The network technology company polled over 1000 UK professionals working for organisations that allow hybrid working, in order to better understand the potential security risks of the modern, flexible workplace.
The research has revealed that many hybrid workers do not see cyber security as their responsibility, with many actively finding workarounds or engaging in risky behaviours such as password reuse.
19% of employees said they reuse passwords for multiple accounts and applications, with only 15% using password managers.
The problem seems to stem from user friction in existing security measures. Only 44% of survey participants said they found it easy to securely access their IT equipment.
A majority said they would be willing to use biometric authentication, a reflection of how enterprise security is still catching up to consumer functionality.
https://www.itsecurityguru.org/2022/03/28/one-tenth-of-uk-staff-bypass-corporate-security/
Majority Of Data Security Incidents Caused by Insiders
New research from Imperva has revealed that 70% of EMEA organisations have no insider risk strategy, despite 59% of data security incidents being caused by employees.
The shocking revelation comes as part of a wider study carried out by Forrester: Insider Threats Drive Data Protection Improvements. The study involved interviewing 150 security and IT professionals in EMEA.
An insider threat is defined by Imperva as originating from “inappropriate use of legitimate authorised user accounts” by either their rightful owner or a threat actor who has managed to compromise them.
The study found that insider threats were responsible for 59% of incidents impacting sensitive data in the past 12 months. This supports a previous Imperva analysis of the most significant breaches of the past five years, revealing that 24% were caused by either human error or compromised credentials.
https://www.itsecurityguru.org/2022/04/01/majority-of-data-security-incidents-caused-by-insiders/
One-Third of UK Firms Suffer a Cyber Attack Every Week
Cyber attacks and related incidents at UK organisations continue their seemingly unstoppable upward trajectory, with new statistics from the Department for Digital, Culture, Media and Sport (DCMS) revealing that 31% of businesses and 26% of charity organisations now experience incidents on a weekly basis.
The data, contained in the annual cyber security breaches survey report, paints a stark picture of the scale of the threat facing the average organisation, and the urgent need to boost standards and defences.
It is vital that every organisation takes cyber security seriously as more and more business is done online and we live in a time of increasing cyber risk. No matter how big or small your organisation is, you need to take steps to improve digital resilience.
Some 20% of businesses and 19% of charities said they had experienced a negative outcome as a direct consequence of an attack. The average cost of an attack, spread out across all organisations, now works out at £4,200, or £19,400 if only medium and large businesses are considered, although there is probably a vast amount of under-reporting, so the true figures are certainly higher.
Meanwhile, 35% of businesses and 38% of charities said they had experienced some kind of negative impact during the incident, such as service downtime.
https://www.computerweekly.com/news/252515288/One-third-of-UK-firms-suffer-a-cyber-attack-every-week
Russia's Cyber Criminals Fear Sanctions Will Erase Their Wealth
Punitive economic sanctions over Russia's invasion of Ukraine had crooks discussing the best ways to adapt to the new reality.
Members of Russian-language underground forums are not immune to the latest news. Russia's invasion of Ukraine and subsequent economic sanctions against Moscow got forum users to discuss how to live in this new world they find themselves in.
According to a report by the Digital Shadows Photon team, dark web forums are teeming with questions on how to ensure the safety of funds held in Russia-based accounts.
One user sought advice on what to do with dollars held in a Russian bank, with others suggesting converting dollars to rubles for a few months.
"I hope you were joking about [holding the funds in rubles for] half a year? After half a year, your rubles will only be good for lighting a fire, they will not be good for anything else," a forum user responded.
https://cybernews.com/news/russias-cybercriminals-fear-sanctions-will-erase-their-wealth/
86% Of Organisations Believe They Have Suffered a Nation-State Cyber Attack
A new study by Trellix and the Center for Strategic and International Studies (CSIS) has revealed that 86% of organisations believe they have fallen victim to a nation-state cyber attack.
The research surveyed 800 IT decision-makers in Australia, France, Germany, India, Japan, the UK and US.
It has also been revealed that 92% of respondents have faced, or suspect they have faced, a nation-state backed cyber attack in the past 18 months, or anticipate one in the future.
Russia and China were identified as the most likely suspects behind said attacks. 39% of organisations that believe they have been hit with a nation-state cyber attack believe Russia were the perpetrators.
Multiple Hacking Groups Are Using the War in Ukraine as A Lure in Phishing Attempts
Hostile hacking groups are exploiting Russia's invasion of Ukraine to carry out cyber attacks designed to steal login credentials, sensitive information, money and more from victims around the world.
According to cyber security researchers at Google's Threat Analysis Group (TAG), government-backed hackers from Russia, China, Iran and North Korea, as well as various unattributed groups and cyber criminal gangs, are using various themes related to the war in Ukraine to lure people into becoming victims of cyber attacks.
In just the last two weeks alone, Google has seen several hacking groups looking to take advantage of the war to fulfil their malicious aims, whether that's stealing information, stealing money, or something else.
4 Ways Attackers Target Humans to Gain Network Access
Since the day we started receiving email, we hope that our antivirus or endpoint protection software alerts us to problems. In reality, it often does not. When technology fails, it’s likely because the attacker made an end run around it by targeting humans. Here are four ways they do it:
1. The targeted human attack
2. Fraudulent wire transfer email
3. Tricking users into handing over credentials
4. Bypassing multi-factor authentication
Security Incidents Reported to FCA Surge 52% in 2021
The number of cyber security incidents reported to the UK’s financial regulator surged by over 50% last year after a significant increase in cyber-attacks, according to new figures from Picus Security.
The security vendor submitted Freedom of Information (FoI) requests to the Financial Conduct Authority (FCA) to compile its latest report, Cyber Security Incidents in the UK Financial Sector.
The 52% year-on-year increase in “material” security incidents reported to the FCA seems to have been driven by cyber-attacks, which comprised nearly two-thirds (65%) of these reports.
Picus Security claimed that the rest are likely explained by “system and process failures and employee errors.”
In addition, a third of incident reports were about corporate or personal data breaches, and a fifth involved ransomware.
Picus Security explained that to qualify as a material incident, there needs to have been a significant loss of data, operational IT outages, unauthorized IT access, and/or an impact on a large number of customers.
https://www.infosecurity-magazine.com/news/security-incidents-reported-fca/
NCSC Suggests Rethinking Russian Supply Chain Risks
The National Cyber Security Centre (NCSC) of the UK has urged organisations to reconsider the risks associated with “Russian-controlled” parts of their supply chains.
Ian Levy, technical director of the NCSC argued that “Russian law already contains legal obligations on companies to assist the Russian Federal Security Service (FSB), and the pressure to do so may increase in a time of war. We also have hacktivists on each side, further complicating matters, so the overall risk has materially changed.”
Levy has suggested that while there is currently nothing to suggest that the Russian state intends to force commercial providers to sabotage UK interests, that doesn’t mean it will not happen in the future.
https://www.itsecurityguru.org/2022/03/30/ncsc-suggests-rethinking-russian-supply-chain-risks/
25% Of Workers Lost Their Jobs in The Past 12 Months After Making Cyber Security Mistakes: Report
For business leaders, there is never a good time for their employees to make mistakes on the job. This is especially true now for workers who have anything to do with the cyber security of their companies and organisations. Given the growing risks of cyber attacks across the world and the increased threats posed by Russia in the aftermath of their invasion of Ukraine, these are certainly perilous times.
Indeed, a new study released by email security company Tessian found that one in four employees (26%) lost their job in the last 12 months after making a mistake that compromised their company’s security.
According to the second edition of Tessian’s Psychology of Human Error report, people are falling for more advanced phishing scams—and the business stakes for mistakes are much higher.
The study also found that:
Two-fifths (40%) of employees sent an email to the wrong person, with almost one-third (29%) saying their business lost a client or customer because of the error
Over one-third (36%) of employees have made a mistake at work that compromised security and fewer are reporting their mistakes to IT.
Attackers Compromise 94% of Critical Assets Within Four Steps of Initial Breach
New research from XM Cyber analysing the methods, attack paths, and impacts of cyber attacks has discovered that attackers can compromise 94% of critical assets within just four steps of initial breach points. The hybrid cloud security company’s Attack Path Management Impact Report incorporates insights from nearly two million endpoints, files, folders, and cloud resources throughout 2021, highlighting key findings on attack trends and techniques impacting critical assets across on-prem, multi-cloud, and hybrid environments.
The findings showed that 75% of an organisation’s critical assets are open to compromise in their current security state, while 73% of the top attack techniques used last year involved mismanaged or stolen credentials. Just over a quarter (27%) of most common attack techniques exploited a vulnerability or misconfiguration.
UK Spy Chief Warns Russia Looking for Cyber Targets
A UK intelligence chief warned that the Kremlin is hunting for cyber targets and bringing in mercenaries to shore up its stalled military campaign in Ukraine.
Jeremy Fleming, who heads the GCHQ electronic spy agency, praised Ukrainian President Volodymyr Zelenskyy’s “information operation” for being highly effective at countering Russia’s massive disinformation drive spreading propaganda about the war.
While there were expectations that Russia would launch a major cyber attack as part of its military campaign, Fleming said such a move was never a central part of Moscow’s standard playbook for war.
“That’s not to say that we haven’t seen cyber in this conflict. We have — and lots of it,” Fleming said in a speech in Canberra, Australia, according to a transcript released in London on Wednesday.
He said GCHQ’s National Cyber Security Centre has picked up signs of “sustained intent” by Russia to disrupt Ukrainian government and military systems.
“We’ve seen what looks like some spillover of activity affecting surrounding countries,” Fleming said. “And we’ve certainly seen indicators which suggest Russia’s cyber actors are looking for targets in the countries that oppose their actions.”
He provided no further details. He said the UK and other Western allies will continue to support Ukraine in beefing up its cyber security defences.
https://www.securityweek.com/uk-spy-chief-warns-russia-looking-cyber-targets
Threats
Ransomware
Ransomware Payments Hitting New Records In 2021 - Help Net Security
UK Ransomware Attacks Double In Past Year, Expert Insight - Information Security Buzz
Ransomware, Endpoint Risks Are Top Concerns for DFIR Professionals | CSO Online
Not Enough Businesses Have A Formal Ransomware Plan In Place - Help Net Security
Ukraine, Conti, and the law of unintended consequences | CSO Online
FBI Investigating More than 100 Ransomware Variants - Infosecurity Magazine
Precursor Malware Is an Early Warning Sign for Ransomware (darkreading.com)
Cyber Blackmail Gains Traction in Ransomware Hijackers' Tool Set - MSSP Alert
Services Giant Admits $42m Fallout from Ransomware Attack - Infosecurity Magazine
Hive Ransomware Uses New 'IPfuscation' Trick to Hide Payload (bleepingcomputer.com)
Shutterfly, Hit By Conti Ransomware Group, Warns Staff Their Data Has Been Stolen • Graham Cluley
FBI: Ransomware Attacks Are Piling Up The Pressure On Public Services | ZDNet
BEC – Business Email Compromise
Phishing & Email Based Attacks
Calendly Actively Abused in Microsoft Credentials Phishing (bleepingcomputer.com)
Phishing Attacks: Malicious URLs May Outpace Email Attachment Risks - MSSP Alert
Phishing uses Azure Static Web Pages to impersonate Microsoft (bleepingcomputer.com)
Other Social Engineering
5 Old Social Engineering Tricks Employees Still Fall For, And 4 New Gotchas | CSO Online
Fraudsters Use 'Fake Emergency Data Requests' To Steal Info • The Register
Malware
Mobile
IoT
Organised Crime & Criminal Actors
Sanctions Hitting Russian Cyber-Criminals Hard - Infosecurity Magazine
Secret World of Pro-Russia Hacking Group Exposed in Leak - WSJ
UK Police Charges Two Teenagers for Their Alleged Role in Lapsus$ Group - Security Affairs
LAPSUS$ Hacks Globant. 70GB of Data Leaked from IT Firm (bitdefender.com)
Cryptocurrency/Cryptomining/Cryptojacking
How CISOs can Mitigate Cryptomining Malware (trendmicro.com)
Ronin Blockchain Hit With $620 Million Crypto Heist - IT Security Guru
Insider Risk and Insider Threats
Yale Finance Director Stole $40m In Computers to Resell • The Register
Making Security Mistakes May Come With A High Price For Employees - Help Net Security
Fraud, Scams & Financial Crime
Europol Dismantles Massive Call Centre Investment Scam Operation (bleepingcomputer.com)
Emily Maitlis Opens Up About Terrifying Bank Scam: ‘I Feel Sick’ | The Independent
Supply Chain
Denial of Service DoS/DDoS
DDoS Attacks Becoming Larger And More Complex, Finance Most Targeted Sector - Help Net Security
Number of DDoS Attacks in 2021 Reached 9.75 Million - Help Net Security
Beastmode Botnet Boosts DDoS Power With New Router Exploits (bleepingcomputer.com)
Passwords & Credential Stuffing
Spyware, Espionage & Cyber Warfare
Russian Invasion of Ukraine
Anonymous Targets Oligarchs' Russian Businesses - Security Affairs
With War Next Door, EU is Warned on Cyber Security Gaps | SecurityWeek.Com
Ukraine Intelligence Leaks Names of 620 Alleged Russian FSB Agents - Security Affairs
Russian Credential Thieves Target NATO, European Military • The Register
Viasat Confirms Satellite Modems Were Wiped with AcidRain Malware (bleepingcomputer.com)
Internet Provider to Ukrainian Military Hit With Major Cyber Attack - WSJ
GhostWriter APT Targets State Entities of Ukraine with Cobalt Strike Beacon - Security Affairs
Hacked WordPress Sites Force Visitors to DDoS Ukrainian Targets (bleepingcomputer.com)
Russia Facing Internet Outages Due to Equipment Shortage (bleepingcomputer.com)
Anonymous Is Working On A Huge Data Dump That Will Blow Russia Away - Security Affairs
Phishing Campaign Targets Russian Govt Dissidents With Cobalt Strike (bleepingcomputer.com)
Leaked Hacker Logs Show Weaknesses of Russia’s Cyber Proxy Ecosystem | CSO Online
Russian Aviation Authority Switches to Paper After Losing 65TB of Data | CyberNews
Anonymous Hacked Russian Thozis Corp, But Denies Attacks on Rosaviatsia - Security Affairs
ZTE Whistleblower: Chinese Companies Will Sell to Russia • The Register
Nation State Actors
Nation State Actors – Russia
UK Spy Boss Warns About Russia-China Tech Collaboration • The Register
UK Cyber Security Centre Advises Review of Russian Tech • The Register
Russia Ranks Top For State-Linked Online Misinformation • The Register
Google: Russian phishing attacks target NATO, European military (bleepingcomputer.com)
Russian Spies Unmasked In Embarrassing Blow For Vladimir Putin (telegraph.co.uk)
Nation State Actors – China
Vulnerabilities
CISA Adds 66 Vulnerabilities to 'Must Patch' List | SecurityWeek.Com
Apple Rushes Out Patches for Two 0-days Threatening iOS and macOS Users | Ars Technica
Chrome Browser Gets Major Security Update | SecurityWeek.Com
Critical SonicOS Vulnerability Affects SonicWall Firewall Appliances (thehackernews.com)
Log4JShell Used to Swarm VMware Servers with Miners, Backdoors | Threatpost
Experts Warn Defenders: Don't Relax on Log4j | SecurityWeek.Com
Google Chrome, Microsoft Edge Updated to Close Security Hole • The Register
RCE Bug in Spring Cloud Could Be the Next Log4Shell, Researchers Warn | Threatpost
Spring4Shell: No need To Panic, But Mitigations Are Advised - Help Net Security
Sophos Firewall Affected by A Critical Authentication Bypass Flaw - Security Affairs
CVE-2022-1162 Flaw in GitLab Allowed Threat Actors To Take Over Accounts - Security Affairs
Trend Micro Fixed High Severity Flaw In Apex Central Product Console - Security Affairs
Zyxel Urges Customers To Patch Critical Firewall Bypass Vulnerability | ZDNet
QNAP Warns of OpenSSL Infinite Loop Vulnerability Affecting NAS Devices (thehackernews.com)
Sector Specific
Health/Medical/Pharma Sector
Hive Ransomware Group Claims Partnership HealthPlan of California Data Breach | CSO Online
LockBit Victim Estimates Cost of Ransomware Attack To Be $42 Million (bleepingcomputer.com)
Retail/eCommerce
Shopping Trap: The Online Stores’ Scam That Hits Users Worldwide - Security Affairs
Automotive
Automaker Cyber Security Lagging Behind Tech Adoption, Experts Warn | Threatpost
CNI, OT, ICS, IIoT and SCADA
The Spectre of Stuxnet: CISA Issues Alert on Rockwell Automation ICS Vulnerabilities | ZDNet
Other News
Protecting Your Organisation Against a New Class of Cyber Threats: HEAT (darkreading.com)
Why Do Organisations Need To Prioritize Cyber Resiliency? - Help Net Security
How Security Complexity Is Being Weaponized (darkreading.com)
In Charts: Cyber Security Risks And Companies’ Readiness | Financial Times (ft.com)
CISA Warns of Attacks Against Internet-Connected UPS Devices | CSO Online
Hackers Posing as Police Convinced Apple and Meta to Share Basic Subscriber Info (softpedia.com)
Exploring the Intersection of Physical Security and Cyber Security (darkreading.com)
The Current State Of Enterprise Backup And Recovery - Help Net Security
Why Metrics Are Crucial To Proving Cyber Security Programs’ Value | CSO Online
COVID Bounce: A Massive 2021 Resurgence of Cyber Threats - Help Net Security
Rapid7 Finds Zero-Day Attacks Surged In 2021 (techtarget.com)
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Threat Briefing 25 February 2022
Black Arrow Cyber Threat Briefing 25 February 2022
-Britain Warns of Cyber Attacks as Russia-Ukraine Crisis Escalates
-Ransomware Extortion Doesn't Stop After Paying The Ransom
-Ukraine Calls For Volunteer Hackers To Protect Its Critical Infrastructure And Spy On Russian Forces
-Study: UK Firms Most Likely To Pay Ransomware Hackers
-Conti Ransomware Group Announces Support of Russia, Threatens Retaliatory Attacks
-91% of UK Organisations Compromised by an Email Phishing Attack in 2021
-Almost 100,000 New Mobile Banking Trojan Strains Detected In 2021
-Anonymous Collective Has Hacked The Russian Defence Ministry And Leaked The Data Of Its Employees In Response To The Ukraine Invasion
-Email Remains Go-To Method for Cyber Attacks, Phishing Research Report Finds
-The Future of Cyber Insurance
-Businesses Are at Significant Risk of Cyber Security Breaches Due to Immature Security Hygiene and Posture Management Practices
-Microsoft Teams Is The New Frontier For Phishing Attacks
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
Britain Warns of Cyber Attacks as Russia-Ukraine Crisis Escalates
Britain warned of potential cyber attacks with "international consequences" this week after Russian President Vladimir Puitin ordered troops to two breakaway regions in eastern Ukraine.
Britain's National Cyber Security Centre (NCSC), a part of the GCHQ eavesdropping intelligence agency, called on British organisations to "bolster their online defences" following the developments.
"While the NCSC is not aware of any current specific threats to UK organisations in relation to events in and around Ukraine, there has been an historical pattern of cyber attacks on Ukraine with international consequences," it said in a statement.
Last week, Ukranian banking and government websites were briefly knocked offline by a spate of distributed denial of service (DDoS) attacks which the United States and Britain said were carried out by Russian military hackers.
Ransomware Extortion Doesn't Stop After Paying The Ransom
A global survey that looked into the experience of ransomware victims highlights the lack of trustworthiness of ransomware actors, as in most cases of paying the ransom, the extortion simply continues.
This is not a surprising or new discovery, but when seeing it reflected in actual statistics, one can appreciate the scale of the problem in full.
The survey was conducted by cyber security specialist Venafi, and the most important findings that emerge from the respondents are the following:
18% of victims who paid the ransom still had their data exposed on the dark web.
8% refused to pay the ransom, and the attackers tried to extort their customers.
35% of victims paid the ransom but were still unable to retrieve their data.
As for the ransomware actor extortion tactics, these are summarized as follows:
83% of all successful ransomware attacks featured double and triple extortion.
38% of ransomware attacks threatened to use stolen data to extort customers.
35% of ransomware attacks threatened to expose stolen data on the dark web.
32% of attacks threatened to directly inform the victim's customers of the data breach incident.
Ukraine Calls For Volunteer Hackers To Protect Its Critical Infrastructure And Spy On Russian Forces
The government of Ukraine is calling on the hacking community to volunteer its expertise and capabilities, following the invasion of the country by Russian forces.
Reuters reports that Yegor Aushev, the CEO of Kyiv-based Cyber Unit Technologies which has worked with Ukraine's government on the defence of critical infrastructure, claims to have been asked to post a digital call-to-arms after being asked by "a senior Defence Ministry official."
The message, which was posted on hacking forums by Aushev on Thursday, begins "Ukrainian cybercommunity! It’s time to get involved in the cyber defense of our country," and calls for cybersecurity experts and hackers to apply as a volunteer via a Google Docs link. The page volunteers are directed to asks applicants to list their specialities, such as if they have developed malware, and professional references.
According to Aushev, volunteers will be divided into two groups - tasked with offensive and defensive cyber operations.
Study: UK Firms Most Likely To Pay Ransomware Hackers
Some 82% of British firms which have been victims of ransomware attacks paid the hackers in order to get back their data, a new report suggests.
The global average was 58%, making the UK the most likely country to pay cyber-criminals.
Security firm Proofpoint's research also found that more than three-quarters of UK businesses were affected by ransomware in 2021.
Phishing attacks remain the key way criminals access networks, it found.
Phishing happens when someone in a firm is lured into clicking on a link in an email that contains malware, which in turn can help cyber-criminals access company networks.
https://www.bbc.co.uk/news/business-60478725
Conti Ransomware Group Announces Support of Russia, Threatens Retaliatory Attacks
An infamous ransomware group with potential ties to Russian intelligence and known for attacking health care providers and hundreds of other targets posted a warning Friday saying it was “officially announcing a full support of Russian government.”
The gang said that it would use “all possible resources to strike back at the critical infrastructures” of any entity that organises a cyberattack “or any war activities against Russia.” The message appeared Friday on the dark-web site used by ransomware group Conti to post threats and its victims’ data. Security researchers believe the gang to be Russia-based.
Conti ransomware was part of more than 400 attacks against mostly U.S. targets between spring 2020 and spring 2021, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and the FBI reported in September.
https://www.cyberscoop.com/conti-ransomware-russia-ukraine-critical-infrastructure/
91% of UK Organisations Compromised by an Email Phishing Attack in 2021
More than nine in 10 (91%) UK organizations were successfully compromised by an email phishing attack last year, according to Proofpoint’s 2022 State of the Phish report.
The study observed a significant rise in email-based attacks globally in 2021 compared to 2020. Over three-quarters (78%) of organizations were targeted by email-based ransomware attacks last year and 77% faced business email compromise (BEC) attacks, the latter an 18% year-on-year increase from 2020.
The survey of 600 information and IT security professionals and 3500 workers in the US, Australia, France, Germany, Japan, Spain and the UK also found that attacks in 2021 were more likely to be successful than in 2020. More than four in five (83%) respondents said their organization experienced at least one successful email-based phishing attack last year, up from 57% in 2020. In addition, 68% of organizations admitted they had to deal with at least one ransomware infection stemming from a direct email payload, second-stage malware delivery or other exploit.
Worryingly, 60% of organizations infected with ransomware admitted to paying a ransom, with around a third (32%) paying additional sums to regain access to data and systems.
https://www.infosecurity-magazine.com/news/uk-organizations-email-phishing/
Almost 100,000 New Mobile Banking Trojan Strains Detected In 2021
Researchers have found almost 100,000 new variants of mobile banking Trojans in just a year.
As our digital lives have begun to centre more on handsets rather than just desktop PCs, many malware developers have shifted part of their focus to the creation of mobile threats.
Many of the traditional infection routes are still workable -- including phishing and the download and execution of suspicious software -- but cyber attackers are also known to infiltrate official app stores, including Google Play, to lure handset owners into downloading software that appears to be trustworthy.
This technique is often associated with the distribution of Remote Access Trojans (RATs). While Google maintains security barriers to stop malicious apps from being hosted in its store, there are methods to circumvent these controls quietly.
https://www.zdnet.com/article/almost-100000-new-mobile-banking-trojans-detected-in-2021/
Anonymous Collective Has Hacked The Russian Defence Ministry And Leaked The Data Of Its Employees In Response To The Ukraine Invasion
A few hours after the Anonymous collective has called to action against Russia following the illegitimate invasion of Ukraine its members have taken down the website of the Russian propaganda station RT News and news of the day is the attack against the servers of the Russian Defense Ministry.
“Anonymous, a group of hacktivists, successfully hacked and leaked the database of the website of the Ministry of Defense of Russia.” reported the Pravda agency.
The website of the Kremlin (Kremlin.ru) is also unreachable, but it is unclear if it is the result of the Anonymous attack or if the government has taken offline it to prevent disruptive attacks.
The Russian Government’s portal, and the websites of other ministries are running very slow.
The collective is also threatening the Russian Federation and private organizations of attacks, it is a retaliation against Putin’s tyranny.
Anonymous pointed out that it is not targeting Russian citizens, but only their government.
“We want the Russian people to understand that we know it’s hard for them to speak out against their dictator for fear of reprisals.”
https://securityaffairs.co/wordpress/128428/hacking/anonymous-russian-defense-ministry.html
Email Remains Go-To Method for Cyber Attacks, Phishing Research Report Finds
If you don’t know what it is, if you can’t identify it and if you can’t make sure you don’t topple into its traps, then you can’t fight it, suggests a new report by security provider Proofpoint in its eighth annual State of the Phish report.
The “it” is email-based malware attacks, the kingpin of all hacking methods, that victims often fall for out of a lack of awareness, inadequate training or risky behaviours, such as using a company mobile device for home use.
Proofpoint’s report takes an in-depth look at user phishing awareness, vulnerability and resilience and comes away with some startling numbers: More than three-quarters of organizations associated with the 4,100 IT security professionals and staffers in the worldwide study were hit by email-based ransomware attacks in 2021 and an equal number were victimized by business email compromise attacks, an 18 percent spike from 2020.
What explains the year-over-year climb? Answer: Cyber criminals continue to focus on compromising people, not necessarily systems, Proofpoint said. Email remains cyber criminals’ go-to attack strategy, said Alan Lefort, Proofpoint security awareness training senior vice president and general manager. “Infosec and IT survey participants experienced an increase in targeted attacks in 2021 compared to 2020, yet our analysis showed the recognition of key security terminology such as phishing, malware, smishing (text-based ruse), and vishing (telephone trickery) dropped significantly,” said Lefort. “The awareness gaps and lax security behaviors demonstrated by workers creates substantial risk for organizations and their bottom line.”
The Future of Cyber Insurance
In 2016, just 26% of insurance clients had cyber coverage. That number rose to 47% in 2020, according to a US Government Accountability Office (GAO) report. But the demand for cyber coverage isn't the only thing soaring.
At the end of 2020, insurance prices jumped anywhere from 10% to 30%. In the third quarter of 2021, the average cost of cyber insurance premiums climbed a record 27.6%.
If the rates continue to rise, companies might decide it's not worth the cost. That is, if insurers continue to cover their industry.
https://www.darkreading.com/risk/the-future-of-cyber-insurance
Businesses Are at Significant Risk of Cyber Security Breaches Due to Immature Security Hygiene and Posture Management Practices
Enterprise Strategy Group (ESG), a leading IT analyst, research, and strategy firm, and a division of TechTarget, Inc., today announced new research into security hygiene and posture management – a foundational part of a strong security program. The study reveals that many aspects of cyber security are managed independently and with antiquated tools, leaving organisations with limited visibility and weak defenses against an ever-evolving threat landscape. Since strong cybersecurity starts with the basics, like knowing about all IT assets deployed, this situation makes organisations vulnerable to advanced threats among strategic, yet often hurried, cloud and digital transformation initiatives.
The new report, Security Hygiene and Posture Management, summarizes a survey of 398 IT and cyber security professionals responsible for evaluating, purchasing, and utilizing products and services for security hygiene and posture management, including vulnerability management, asset management, attack surface management, and security testing tools. The data reveals that organisations must aim to further assess security posture management processes, examine vendor risk management requirements, and test security tool and processes more frequently.
Microsoft Teams Is The New Frontier For Phishing Attacks
Even with email-based phishing attacks proving to be more successful than ever, cyberattackers are ramping up their efforts to target employees on additional platforms, such as Microsoft Teams and Slack.
One advantage is that in those applications, most employees still assume that they’re actually talking to their boss or coworker when they receive a message.
“The scary part is that we trust these programs implicitly — unlike our email inboxes, where we’ve learned to be suspicious of messages where we don’t recognize the sender’s address,” said anti-fraud technology firm Outseer.
Notably, traditional phishing has seen no slowdown: Proofpoint reported that 83% of organizations experienced a successful email-based phishing attack in 2021 — a massive jump from 57% in 2020. And outside of email, SMS attacks (smishing) and voice-based attacks (vishing) both grew in 2021, as well, according to the email security vendor.
However, it appears that attackers now view widely used collaboration platforms, such as Microsoft Teams and Slack, as another growing opportunity for targeting workers, security researchers and executives say. For some threat actors, it’s also a chance to leverage the additional capabilities of collaboration apps as part of the trickery.
https://venturebeat.com/2022/02/23/microsoft-teams-is-the-new-frontier-for-phishing-attacks/
Threats
Ransomware
Russia-Based Ransomware Group Conti Issues Warning To Kremlin Foes | Reuters
Conti Ransomware 'Acquires' TrickBot as It Thrives Amid Crackdowns | SecurityWeek.Com
Ransomware Is Top Attack Vector On Critical Infrastructure | CSO Online
TrickBot Malware Operation Shuts Down, Devs Move To Stealthier Malware (bleepingcomputer.com)
Microsoft Exchange Servers Hacked To Deploy Cuba Ransomware (bleepingcomputer.com)
Attackers Used Dridex To Deliver Entropy Ransomware, Code Resemblance Uncovered - Help Net Security
Expeditors Shuts Down Global Operations After Likely Ransomware Attack (bleepingcomputer.com)
Chipmaker Giant Nvidia Hit By A Ransomware Attack - Security Affairs
Backups ‘No Longer Effective’ For Stopping Ransomware Attacks (computerweekly.com)
BEC – Business Email Compromise
Phishing & Email
Cyber Attackers Leverage DocuSign to Steal Microsoft Outlook Logins | Threatpost
New Phishing Campaign Targets Monzo Online-Banking Customers (bleepingcomputer.com)
Devious Phishing Method Bypasses MFA Using Remote Access Software (bleepingcomputer.com)
Other Social Engineering
Malware
Over 2.7 Million Cases Of Emotet Malware Detected Globally - Japan Today
Jester Stealer Malware Adds More Capabilities To Entice Hackers (bleepingcomputer.com)
Beware: New Kraken Botnet Easily Fools Windows Defender And Steals Crypto Wallet Data - Neowin
Threat Actors Target Poorly Protected Microsoft SQL Servers - Security Affairs
New Golang Botnet Empties Windows Users’ Cryptocurrency Wallets (bleepingcomputer.com)
Revamped CryptBot Malware Spread By Pirated Software Sites (bleepingcomputer.com)
Social Media Hijacking Malware Spreading Through Gaming Apps on Microsoft Store (thehackernews.com)
Mobile
New Xenomorph Android Malware Targets Customers Of 56 Banks (bleepingcomputer.com)
Gaming, Banking Trojans Dominate Mobile Malware Scene | Threatpost
Samsung Shipped '100m' Android Phones With Flawed Encryption • The Register
Data Breaches/Leaks
Organised Crime & Criminal Actors
Police Dismantled Gang That Used Phishing Sites To Steal Credit Cards - Security Affairs
Nigerian Hacker Pleads Guilty To Stealing Payroll Deposits (bleepingcomputer.com)
Cryptocurrency/Cryptomining/Cryptojacking
Insider Risk and Insider Threats
Employees Are Often Using Devices In Seriously Risky Ways - Help Net Security
Insider Threats Are More Than Just Malicious Employees (darkreading.com)
83% Of Employees Continue Accessing Old Employer's Accounts - Help Net Security
Motorola Case Shows Importance Of Detecting Insider IP Theft Quickly | CSO Online
Fraud, Scams & Financial Crime
Think You Couldn't Be Duped By a Con Artist? Think Again | Psychology Today
French Speakers Blasted By Sextortion Scams With No Text Or Links – Naked Security (sophos.com)
Digital Ad Fraud Set to Hit $68bn in 2022 - Infosecurity Magazine
Supply Chain
Nation State Actors
Russia-Backed Hackers Behind Powerful New Malware, UK and US Say | Russia | The Guardian
Ransomware Used as Decoy in Destructive Cyber Attacks on Ukraine | SecurityWeek.Com
Data Wiper Attacks On Ukraine Were Planned At Least In November - Security Affairs
Russia’s Sandworm Hackers Have Built a Botnet of Firewalls | WIRED
China-linked APT10 Target Taiwan's Financial Trading Industry - Security Affairs
US and UK Details a New Python Backdoor Used by MuddyWater APT - Security Affairs
Privacy
Spyware, Espionage & Cyber Warfare
Sector Specific
Financial Services Sector
Defence
Health/Medical/Pharma Sector
Construction
Reports Published in the Last Week
Other News
War in Ukraine Risks Scrambling the Logic of Cyber Security | Financial Times (ft.com)
Russia-Ukraine War: Phishing, Malware and Hacker Groups Taking Sides (thehackernews.com)
22 Very Bad Stats On The Growth Of Phishing, Ransomware | VentureBeat
Data Leaks And Shadow Assets Greatly Exposing Organisations To Cyber Attacks - Help Net Security
50% of Websites Vulnerable to Hacking All Year in 2021, New Report Says - MSSP Alert
Is Multifactor Authentication Less Effective Than It Used To Be? (slate.com)
How To Keep Pace With Rising Data Protection Demands - Help Net Security
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Threat Briefing 14 January 2022
Black Arrow Cyber Threat Briefing 14 January 2022
-Businesses Suffered 50% More Cyber Attack Attempts per Week in 2021
-Cyber Attacks Against MSPs Jump 67%
-SMEs Still An Easy Target For Cyber Criminals
-World Economic Forum: Cyber Security Failures an Increasing Global Threat
-Microsoft Faces Wormable, Critical RCE Bug & 6 Zero-Days
-Russia Arrests REvil Ransomware Gang Responsible for High-Profile Cyber Attacks
-North Korea Hackers Stole $400m Of Cryptocurrency In 2021, Report Says
-No Lights, No Heat, No Money - That's Life In Ukraine During Cyber Warfare
-Ukrainian Police Arrest Five Members Of Ransomware Affiliate
-Fingers Point To Lazarus, Cobalt, Fin7 As Key Hacking Groups Attacking Finance Industry
-Ransomware, Supply Chain, And Deepfakes: The Top Threats The Finance Industry Needs To Prepare For
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
Businesses Suffered 50% More Cyber Attack Attempts per Week in 2021
Cyberattack attempts reached an all-time high in the fourth quarter of 2021, jumping to 925 a week per organisation, partly due to attempts stemming from the Log4j vulnerability, according to new data.
Check Point Research on Monday reported that it found 50% more attack attempts per week on corporate networks globally in calendar year 2021 compared with 2020.
The researchers define a cyberattack attempt as a single isolated cyber occurrence that could be at any point in the attack chain — scanning/exploiting vulnerabilities, sending phishing emails, malicious website access, malicious file downloads (from Web/email), second-stage downloads, and command-and-control communications.
Cyber Attacks Against MSPs Jump 67%
Cyber attacks spiked by 50 percent in 2021 as compared to 2020, aided by millions of attacks in December by hackers attempting to exploit the Log4J vulnerability, according to a Check Point Software Technologies research report.
In terming 2021 a “record breaking year,” the security provider pointed to a worldwide peak of 925 cyber attacks per organisation weekly and an October 2021 measure that showed a 40 percent increase in cyberattacks, with one out of every 61 entities hit by ransomware each week. The number of cyberattacks on managed service providers (MSPs) and internet service providers (ISPs) rose by nearly 70 percent year over year.
https://www.msspalert.com/cybersecurity-news/cyberattacks-vs-msps-skyrocket/
SMEs Still An Easy Target For Cyber Criminals
Cyber crime continues to be a major concern, with 51% of SMEs experiencing a cyber security breach, a Markel Direct survey reveals.
In this survey that polled 1000 respondents, Markel Direct explored the issue of cybercrime and its impact on the self-employed and SMEs. The survey found the most common cybersecurity attacks were malware/virus related (24%) followed by a data breach (16%) and phishing attack (15%), with 68% reporting the cost of their breach was up to £5,000.
This comes after the latest Quarterly Fraud and Cyber Crime Report revealed that Britons lost over £1 billion in the first six months of 2021, due to the considerable increase in fraudulent activity.
https://www.helpnetsecurity.com/2022/01/12/smes-cybersecurity-breach/
World Economic Forum: Cyber Security Failures an Increasing Global Threat
Cybersecurity was once again identified as a major short and medium-term threat to the world in this year’s World Economic Forum’s (WEF’s) The Global Risk Report. The analysis was based on insights from nearly 1000 global experts and leaders who responded to the WEF’s Global Risks Perception Survey (GRPS).
Perhaps unsurprisingly, environmental issues like climate action failure and extreme weather ranked highest on the risks facing the world over the short (0-2 years), medium (2-5 years) and long-term (5-10 years). In addition, a number of challenges exacerbated by the pandemic, such as livelihood crises, infectious diseases and mental health deterioration, also scored highly. Overall, this added up to a pessimistic assessment, with 84.2% of respondents stating they were either “worried” or “concerned” about the global outlook.
Digital challenges, such as “cyber security failures,” were also viewed as a significant and growing problem to the world. Nearly one in five (19.5%) respondents believe cybersecurity failures will be a critical threat to the world in just the next 0-2 years, and 14.6% said it would be in 2-5 years
https://www.infosecurity-magazine.com/news/world-economic-forum-cybersecurity/
Microsoft Faces Wormable, Critical RCE Bug & 6 Zero-Days
Microsoft started 2022 with a large January Patch Tuesday update covering nine critical CVEs, including a self-propagator with a 9.8 CVSS score.
Microsoft has addressed a total of 97 security vulnerabilities in its January 2022 Patch Tuesday update – nine of them rated critical – including six that are listed as publicly known zero-days.
The fixes cover a swath of the computing giant’s portfolio, including: Microsoft Windows and Windows Components, Microsoft Edge (Chromium-based), Exchange Server, Microsoft Office and Office Components, SharePoint Server, .NET Framework, Microsoft Dynamics, Open-Source Software, Windows Hyper-V, Windows Defender, and Windows Remote Desktop Protocol (RDP).
https://threatpost.com/microsoft-wormable-critical-rce-bug-zero-day/177564/
Russia Arrests REvil Ransomware Gang Responsible for High-Profile Cyber Attacks
In an unprecedented move, Russia's Federal Security Service (FSB), the country's principal security agency, on Friday disclosed that it arrested several members belonging to the notorious REvil ransomware gang and neutralized its operations.
The surprise takedown, which it said was carried out at the request of the US authorities, saw the law enforcement agency conduct raids at 25 addresses in the cities of Moscow, St. Petersburg, Moscow, Leningrad and Lipetsk regions that belonged to 14 suspected members of the organised cyber crime syndicate.
"In order to implement the criminal plan, these persons developed malicious software, organised the theft of funds from the bank accounts of foreign citizens and their cashing, including through the purchase of expensive goods on the Internet," the FSB said in a statement.
In addition, the FSB seized over 426 million rubles, including in cryptocurrency, $600,000, €500,000, as well as computer equipment, crypto wallets used to commit crimes, and 20 luxury cars that were purchased with money obtained by illicit means.
https://thehackernews.com/2022/01/russia-arrests-revil-ransomware-gang.html
North Korea Hackers Stole $400m Of Cryptocurrency In 2021, Report Says
North Korean hackers stole almost $400m (£291m) worth of digital assets in at least seven attacks on cryptocurrency platforms last year, a report claims.
Blockchain analysis company Chainalysis said it was one of most successful years on record for cyber-criminals in the closed east Asian state.
The attacks mainly targeted investment firms and centralised exchanges.
North Korea has routinely denied being involved in hack attacks attributed to them.
"From 2020 to 2021, the number of North Korean-linked hacks jumped from four to seven, and the value extracted from these hacks grew by 40%," Chainalysis said in a report.
https://www.bbc.co.uk/news/business-59990477
No Lights, No Heat, No Money - That's Life In Ukraine During Cyber Warfare
Hackers who defaced and interrupted access to numerous Ukrainian government websites on Friday could be setting the stage for more serious cyberattacks that would disrupt the lives of ordinary Ukrainians, experts said.
"As tensions grow, we can expect more aggressive cyber activity in Ukraine and potentially elsewhere," said John Hultquist, an intelligence analyst at US cyber security company Mandiant, possibly including "destructive attacks that target critical infrastructure."
"Organisations need to begin preparing," Hultquist added.
Intrusions by hackers on hospitals, power utility companies, and the financial system were until recently rare. But organised cyber criminals, many of them living in Russia, have gone after institutions aggressively in the past two years with ransomware, freezing data and computerized equipment needed to care for hospital patients.
In some cases, those extortion attacks have led to patient deaths, according to litigation, media reports and medical professionals.
Ukrainian Police Arrest Five Members Of Ransomware Affiliate
Ukrainian police announced the arrest of five members of a ransomware affiliate on Thursday, noting that the group was behind attacks on more than 50 companies across Europe and the US.
In a statement, both the Ukrainian Security Service and Ukrainian Cyber Police said the group made at least $1 million through their attacks on the companies.
US and UK law enforcement officials worked with Ukrainian officials on the operation.
Officials said the leader of the group was a 36-year-old who worked with his wife and three other people out of Kyiv. The five are facing a variety of charges in Ukraine related to money laundering, hacking, and selling malware.
One of the people charged is wanted by law enforcement agencies in UK after "using a virus to obtain bank card details of the customers of British banks," according to the police statement.
The bank card details were used to buy things online that were then resold.
https://www.zdnet.com/article/ukrainian-police-arrest-members-of-ransomware-affiliate/
Fingers Point To Lazarus, Cobalt, Fin7 As Key Hacking Groups Attacking Finance Industry
The Lazarus, Cobalt, and FIN7 hacking groups have been labeled as the most prevalent threat actors striking financial organisations today.
According to "Follow the Money," a new report (.PDF) published on the financial sector by Outpost24's Blueliv on Thursday, members of these groups are the major culprits of theft and fraud in the industry today.
The financial sector has always been, and possibly always will be, a key target for cybercriminal groups. Organisations in this area are often custodians of sensitive personally identifiable information (PII) belonging to customers and clients, financial accounts, and cash.
They also often underpin the economy: if a payment processor or bank's systems go down due to malware, this can cause irreparable harm not only to the victim company in question, but this can also have severe financial and operational consequences for customers.
Ransomware, Supply Chain, And Deepfakes: The Top Threats The Finance Industry Needs To Prepare For
The finance industry is constantly targeted by numerous threat actors, and they are always innovating and trying new techniques (such as deepfakes) to outsmart security teams and breach an organisation’s network.
In addition to that, there is currently a huge demand for data and new tools on the dark web. In fact, users are selling access to point-of-sale (PoS) terminals and login details to the websites of financial services organisations all the time.
How can financial organisations protect themselves from existing threats and combat new ones at the same time?
https://www.helpnetsecurity.com/2022/01/12/finance-industry-threats/
Threats
Ransomware
Night Sky Ransomware Is Attacking Corporate Networks For 800k Ransom - The Cybersecurity Times
One Of The REvil Members Arrested Was Behind Colonial Pipeline Attack - Security Affairs
Ransomware Is Being Rewritten In Go For Joint Attacks On Windows, Linux Users | IT PRO
Watch Out, That Microsoft Edge Update Is Actually Ransomware | TechRadar
Qlocker Ransomware Returns To Target QNAP NAS Devices Worldwide (bleepingcomputer.com)
Trends That Shaped Ransomware – And Why It’s Not Slowing Down - CyberScoop
Phishing
Check Your SPF Records: Wide IP Ranges Undo Email Security And Make For Tasty Phishes | ZDNet
Phishers Are Targeting Office 365 Users By Exploiting Adobe Cloud - Help Net Security
Real Big Phish: Mobile Phishing & Managing User Fallibility | Threatpost
Malware
Microsoft Defender Weakness Lets Hackers Bypass Malware Detection (bleepingcomputer.com)
New RedLine Malware Version Spread As Fake Omicron Stat Counter (bleepingcomputer.com)
‘Fully Undetected’ SysJoker Backdoor Malware Targets Windows, Linux & macOS | Threatpost
FluBot Malware Continues To Evolve. What's New In Ver 5.0 And Beyond? Security Affairs
Oops: Cyberspies Infect Themselves With Their Own Malware (bleepingcomputer.com)
Mobile
Android Users Can Now Disable 2G to Block Stingray Attacks (bleepingcomputer.com)
EFF Praises Android’s New 2G Kill Switch, Wants Apple To Follow Suit | Ars Technica
How To Protect Yourself Against Sim-Swapping Scams With Mobile Phone Fraud On The Rise (inews.co.uk)
IoT
Organised Crime & Criminal Actors
Cryptocurrency/Cryptomining/Cryptojacking
Abcbot Botnet Is Linked To Xanthe Cryptojacking Group | ZDNet
North Korean Hackers Impersonate Major Crypto Investment Firm to Scam Startups (vice.com)
Insider Risk and Insider Threats
Data Security In The Age Of Insider Threats: A Primer - Help Net Security
Former DHS Official Charged With Stealing Govt Employees' PII (bleepingcomputer.com)
Forensics Expert Kept Murder Snaps on PC - Infosecurity Magazine
Fraud, Scams & Financial Crime
DoS/DDoS
Extortion DDoS Attacks Grow Stronger And More Common (Bleepingcomputer.Com)
DDoS Attacks That Come Combined With Extortion Demands Are On The Rise | ZDNet
CNI, OT, ICS, IIoT and SCADA
Manufacturers Are Starting To Realize The Importance Of OT Security - Help Net Security
FBI, NSA and CISA Warns of Russian Hackers Targeting Critical Infrastructure (thehackernews.com)
Critical Infrastructure Falls Short on Ransomware Readiness, Mitigation, Recovery - MSSP Alert
Nation State Actors
Ukraine Hacks Add to Worries of Cyber Conflict With Russia | SecurityWeek.Com
Destructive Malware Targeting Ukrainian Organisations - Microsoft Security Blog
US Olympic Athletes Urged to Leave Phones Behind (gizmodo.com)
Russian Submarines Threatening Undersea Cables, UK Defence Chief Warns - Security Affairs
Iranian Hackers Exploit Log4j Vulnerability to Deploy PowerShell Backdoor (thehackernews.com)
US Cyber Command Links 'MuddyWater' Hacking Group to Iranian Intelligence (thehackernews.com)
Cloud
Passwords & Credential Stuffing
Parental Controls and Child Safety
Vulnerabilities
Threat Actors Can Bypass Malware Detection Due To Microsoft Defender Weakness - Security Affairs
noPac Exploit: Microsoft AD Flaw May Lead to Total Domain Compromise | CrowdStrike
Adobe Fixes 4 Critical Reader Bugs That Were Demonstrated At Tianfu Cup - Security Affairs
WordPress 5.8.3 Security Update Fixes SQL Injection, XSS Flaws (bleepingcomputer.com)
WordPress Bugs Exploded in 2021, Most Exploitable | Threatpost
Sonicwall SMA 100 VPN Box Security Hole Exploit Info Shared • The Register
Cisco Patches Critical Vulnerability in Contact Center Products | SecurityWeek.Com
Millions of Routers Exposed to RCE by USB Kernel Bug | Threatpost
Mozilla Patches High-Risk Firefox, Thunderbird Security Flaws | SecurityWeek.Com
Sector Specific
Financial Services Sector
SMBs – Small and Medium Businesses
Reports Published in the Last Week
Other News
Hackers Penetrate 93% of Local Company Networks, Cyber Simulation Finds - MSSP Alert
URL Parsing: A Ticking Time Bomb Of Security Exploits - TechRepublic
Europol Told to Delete Vast Trove of Personal Information - Infosecurity Magazine
The Race Towards Renewable Energy Is Creating New Cyber Security Risks | ZDNet
What Is Clipboard Hijacking? How to Avoid Becoming a Victim (makeuseof.com)
White House Reminds Tech Giants Open Source Is A National Security Issue (bleepingcomputer.com)
Want To Improve Corporate Security? Prioritize Personal Security | ZDNet
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Threat Briefing 03 December 2021
Black Arrow Cyber Threat Briefing 03 December 2021
-Double Extortion Ransomware Victims Soar 935%
-MI6 Boss: Digital Attack Surface Growing "Exponentially"
-How Phishing Kits Are Enabling A New Legion Of Pro Phishers
-Crooks Are Selling Access To Hacked Networks. Ransomware Gangs Are Their Biggest Customers
-Omicron Phishing Scam Already Spotted in UK
-Phishing Remains the Most Common Cause of Data Breaches, Survey Says
-Ransomware Victims Increase Security Budgets Due To Surge In Attacks
-Control Failures Are Behind A Growing Number Of Cyber Security Incidents
-MI6 Spy Chief Says China, Russia, Iran Top UK Threat List
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
Double Extortion Ransomware Victims Soar 935%
Researchers have recorded a 935% year-on-year increase in double extortion attacks, with data from over 2300 companies posted onto ransomware extortion sites.
Group-IB’s Hi-Tech Crime Trends 2021/2022 report covers the period from the second half of 2020 to the first half of 2021.
During that time, an “unholy alliance” of initial access brokers and ransomware-as-a-service (RaaS) affiliate programs has led to a surge in breaches, it claimed.
In total, the number of breach victims on ransomware data leak sites surged from 229 in the previous reporting period to 2371, Group-IB noted. During the same period, the number of leak sites more than doubled to 28, and the number of RaaS affiliates increased 19%, with 21 new groups discovered.
Group-IB warned that, even if victim organisations pay the ransom, their data often end up on these sites.
https://www.infosecurity-magazine.com/news/double-extortion-ransomware-soar/
MI6 Boss: Digital Attack Surface Growing "Exponentially"
Head of the Secret Intelligence Service (SIS), Richard Moore, explained in a rare speech this week that, unlike the character Q from the James Bond films, even MI6 cannot source all of its tech capabilities in-house.
New partners and tech capabilities will help address MI6’s four key priorities: Russia, China, Iran and global terrorism. It’s a challenge made more acute as technology rapidly advances, he said.
“The ‘digital attack surface’ that criminals, terrorists and hostile states threats seek to exploit against us is growing exponentially. We may experience more technological progress in the next ten years than in the last century, with a disruptive impact equal to the industrial revolution,” Moore argued.
https://www.infosecurity-magazine.com/news/mi6-digital-attack-surface-growing/
How Phishing Kits Are Enabling A New Legion Of Pro Phishers
Some cybercriminals are motivated by political ideals, others by malice or mischief, but most are only interested in cold, hard cash. To ensure their criminal endeavours are profitable, they need to balance the potential payday against the time, resources and risk required.
It’s no wonder then that so many use phishing as their default attack method. Malicious emails can be used to reach many targets with relative ease, and criminals can purchase ready-made phishing kits that bundle together everything they need for a lucrative campaign.
https://www.helpnetsecurity.com/2021/12/02/phishing-kits-pro/
Crooks Are Selling Access To Hacked Networks. Ransomware Gangs Are Their Biggest Customers
Dark web forum posts offering compromised VPN, RDP credentials and other ways into networks have tripled in the last year.
There's been a surge in cyber criminals selling access to compromised corporate networks as hackers look to cash in on the demand for vulnerable networks from gangs looking to initiate ransomware attacks.
Researchers at cybersecurity company Group-IB analysed activity on underground forums and said there's been a sharp increase in the number of offers to sell access to compromised corporate networks, with the number of posts offering access tripling between 2020 and 2021
Omicron Phishing Scam Already Spotted in UK
The global pandemic has provided cover for all sorts of phishing scams over the past couple of years, and the rise in alarm over the spread of the latest COVID-19 variant, Omicron, is no exception.
As public health professionals across the globe grapple with what they fear could be an even more dangerous COVID-19 variant than Delta, threat actors have grabbed the opportunity to turn uncertainty into cash.
UK consumer watchdog “Which?” has raised the alarm that a new phishing scam, doctored up to look like official communications from the National Health Service (NHS), is targeting people with fraud offers for free PCR tests for the COVID-19 Omicron variant
https://threatpost.com/omicron-phishing-scam-uk/176771/
Phishing Remains the Most Common Cause of Data Breaches, Survey Says
Phishing, malware, and denial-of-service attacks remained the most common causes for data breaches in 2021. Data from Dark Reading’s latest Strategic Security Survey shows that more companies experienced a data breach over the past year due to phishing than any other cause. The percentage of organisations reporting a phishing-related breach is slightly higher in the 2021 survey (53%) than in the 2020 survey (51%). The survey found that malware was the second biggest cause of data breaches over the past year, as 41% of the respondents said they experienced a data breach where malware was the primary vector.
Ransomware Victims Increase Security Budgets Due To Surge In Attacks
As the end of 2021 approaches, there’s no doubt ransomware became a top cybersecurity concern across multiple industries. Successful ransomware attacks like the Colonial Pipeline, which took down critical US infrastructure, and Kaseya, which hit over 1,500 companies in a single attack, became a popular topic in the news.
Research conducted by Cymulate, however, shows that despite the increase in the number of attacks this past year, overall victims suffered limited damage in both severity and duration. Potential victims have improved their level of preparedness, with 70% reporting an increase of awareness at the boardroom and business management level. The majority (55%) undertook proactive measures to prevent ransomware attacks before they could cause any significant damage, and many of those respondents (38%) prevented attacks even before they could cause any serious downtime. Only 14% of respondents that experienced an attack were down for a week or more.
Control Failures Are Behind A Growing Number Of Cyber Security Incidents
Data from a survey of 1,200 enterprise security leaders reveals that an increase in tools and manual reporting combined with control failures are contributing to the success of threats such as ransomware, which costs organisations an average of $1.85 million in recovery, according to Panaseer.
Currently, only 36% of security leaders feel very confident in their ability to prove controls were working as intended. This is despite 99% of respondents believing it’s valuable to know that all controls are fully deployed and operating within policy, and cybersecurity control failures are currently being listed as the top emerging risk in the latest Gartner Emerging Risks Monitor Report. Attacks only succeed when they hit systems that haven’t been patched or don’t have security controls monitoring them.
https://www.helpnetsecurity.com/2021/12/01/control-failures-cybersecurity/
MI6 Spy Chief Says China, Russia, Iran Top UK Threat List
China, Russia and Iran pose three of the biggest threats to the U.K. in a fast-changing, unstable world, the head of Britain’s foreign intelligence agency said Tuesday.
MI6 chief Richard Moore said the three countries and international terrorism make up the “big four” security issues confronting Britain’s spies.
In his first public speech since becoming head of the Secret Intelligence Service, also known as MI6, in October 2020, Moore said China is the intelligence agency’s “single greatest priority” as the country’s leadership increasingly backs “bold and decisive action” to further its interests.
Calling China “an authoritarian state with different values than ours,” he said Beijing conducts “large-scale espionage operations” against the U.K. and its allies, tries to ”distort public discourse and political decision-making” and exports technology that enables a “web of authoritarian control” around the world.
Moore said the U.K. also continues “to face an acute threat from Russia.” He said Moscow has sponsored killing attempts, such as the poisoning of former spy Sergei Skripal in England in 2018, mounts cyber attacks and attempts to interfere in other countries’ democratic processes.
https://www.securityweek.com/mi6-spy-chief-says-china-russia-iran-top-uk-threat-list
Threats
Ransomware
Microsoft Exchange Servers Hacked To Deploy BlackByte Ransomware (Bleepingcomputer.Com)
New Ransomware Variant Could Become Next Big Threat (darkreading.com)
Yanluowang Ransomware Tied to Thieflock Threat Actor | Threatpost
Yanluowang Ransomware Operation Matures With Experienced Affiliates (Bleepingcomputer.Com)
Ransomware Attack On Planned Parenthood Exposes 400,000 Patients' Personal Data - CNN
Phishing
APT Groups Adopt New Phishing Method. Will Cybercriminals Follow? (darkreading.com)
Hackers Increasingly Using RTF Template Injection Technique in Phishing Attacks (thehackernews.com)
Malware
Emotet Now Spreads Via Fake Adobe Windows App Installer Packages (Bleepingcomputer.Com)
New Malvertising Campaigns Spreading Backdoors, Malicious Chrome Extensions (thehackernews.com)
Password-Stealing And Keylogging Malware Is Being Spread Through Fake Downloads | ZDNet
Malware Variants In 2021: Harder To Detect And Respond To - Help Net Security
Mobile
Surge Of Info-Stealing Android Malware FluBot Detected Again • The Register
Fake Support Agents Call Victims To Install Android Banking Malware (Bleepingcomputer.Com)
Multi-Platform Spyware Tracks Users Across Windows And Android | Techradar
IOT
Vulnerabilities
Pretty Much All Wi-Fi Routers Are Vulnerable To Attack, Study Finds | Techradar
Warning: Yet Another Zoho ManageEngine Product Found Under Active Attacks (thehackernews.com)
New Ubuntu Linux Kernel Security Patches Address 6 Vulnerabilities, Update Now - 9to5Linux
Netgear Router Vulnerabilities Affecting SME Products Fixed • The Register
Data Breaches/Leaks
UK Government Fined £500,000 For New Year Honours Data Breach - BBC News
Panasonic Discloses Four-Months-Long Data Breach - The Record By Recorded Future
Organised Crime & Criminal Actors
Cryptocurrency/Cryptojacking
Iranians Charged for Cryptojacking After U.S. Firm Gets $760,000 Cloud Bill | SecurityWeek.Com
Threat Actors Stole $120 M In Crypto From BadgerDAO DeFi Platform - Security Affairs
Vulnerabilities Exploited for Monero Mining Malware Delivered via GitHub, Netlify (trendmicro.com)
How Do Criminals Exploit Cryptocurrencies? | Financial Times (ft.com)
Insider Threats
Fraud & Financial Crime
Insurance
Lloyd’s Carves Out Cyber-Insurance Exclusions for State-Sponsored Attacks | Threatpost
Cyber War Victims Might Not Get Payouts – Insurer • The Register
OT, ICS, IIoT and SCADA
Nation State Actors
MI6 Spy Chief Says China, Russia, Iran Top UK Threat List | SecurityWeek.Com
Lloyd’s Carves Out Cyber-Insurance Exclusions for State-Sponsored Attacks | Threatpost
Jumping The Air Gap: 15 Years Of Nation‑State Effort | WeLiveSecurity
Israel and Iran Broaden Cyberwar to Attack Civilian Targets - The New York Times (nytimes.com)
North Korea-Linked Zinc APT Posed As Samsung Recruiters To Target Security Firms - Security Affairs
Cloud
Parental Controls
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Threat Briefing 13 August 2021
Black Arrow Cyber Threat Briefing 13 August 2021:
-SMBs Increasingly Vulnerable To Ransomware, Despite The Perception They Are Too Small To Target
-440% Increase In Phishing
-Users Can Be Just As Dangerous As Hackers
-With Crime-As-A-Service, Anyone Can Be An Attacker
-Move To Cloud Creating Security Blindspots
-Connected Devices Increasingly At Risk Of Ransomware Attacks
-Ransomware Payments Explode Amid ‘Quadruple Extortion’
-Accenture Hit With $50M Ransomware
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
SMBs Increasingly Vulnerable To Ransomware, Despite The Perception They Are Too Small To Target
A new report this week warns that small and medium-sized businesses (SMBs) are at particular risk based on the attack trends seen during the first six months of the year. The report revealed that during the first half of 2021, 4 out of 5 organisations experienced a cyber security breach originating from a vulnerability in their third-party vendor ecosystem. That’s at a time when the average cost of a data breach rose to around $3.56 million, with the average ransomware payment jumping 33% to more than $100,000.
https://www.helpnetsecurity.com/2021/08/10/smbs-ransomware/
May 2021 Saw A 440% Increase In Phishing, The Single Largest Phishing Spike On Record
In May 2021, a report revealed a 440% increase in phishing, holding the record for the single largest phishing spike in a single month. It also showed that industries such as oil, gas and mining saw a 47% increase in the same six-month period, with manufacturing and wholesale traders seeing a 32% increase. The report extends its yearly threat intelligence report, with updated metrics between January 1 and June 30 2021. It also investigates the latest trends in malware, phishing and crypto exchanges.
https://www.infosecurity-magazine.com/news/may-phishing-increase-webroot/
Users Can Be Just As Dangerous As Hackers
Most organisations should be at least as worried about user management as they are about Bond villain-type hackers launching compromises from abroad. Most organisations have deployed single sign-on and modern identity-management solutions. These generally allow easy on-boarding, user management, and off-boarding. However, on mobile devices, these solutions have been less effective. Examples include mobile applications such as WhatsApp, Signal, Telegram, or even SMS-which are common in the workforce. All these tools allow for low-friction, agile communication in an increasingly mobile business environment. Today, many of these tools offer end-to-end encryption (e2ee), which is a boon when viewed through the lens of protecting against outside attackers. However, e2ee also resists internal governance and compliance programs.
https://thehackernews.com/2021/08/users-can-be-just-as-dangerous-as.html?m=1
With Crime-As-A-Service, Anyone Can Be An Attacker
Crime-as-a-Service (CaaS) is the practice of experienced cybercriminals selling access to the tools and knowledge needed to execute cyber crime – in particular, it’s often used to create phishing attacks. For hackers, phishing is one of the easiest ways to steal your organisation’s data. Traditionally, executing a successful phishing campaign required a seasoned cyber criminal with technical expertise and knowledge of social engineering. However, with the emergence of CaaS, just about anyone can become a master of phishing for a small fee.
https://www.helpnetsecurity.com/2021/08/03/crime-as-a-service/
The Rise Of Cloud Is Creating Security Blindspots
Businesses are growing increasingly reliant on cloud services, but with all the good, businesses must also face the bad, according to a new report which says that the rise of cloud means greater complexity and more security blind spots.
Increased expansion into the cloud has led to new risks. All of the respondents in the report had suffered at least one incident in their public cloud environment in the last year, with 30 percent saying they had no formal sign-off before pushing to production.
https://www.itproportal.com/news/the-rise-of-cloud-is-creating-security-blindspots/
Connected Devices Increasingly At Risk As New Ransomware Attacks Are Reported Almost Daily
A report has been released on the state of connected devices. The 2021 study addresses pandemic-related cyber security challenges, including the growth of connected devices and related increase of security risks from these devices as threat actors took advantage of chaos to launch attacks. The study incorporates security risk and trend analysis of anonymized data for the past 12 months (June 2020 through June 2021) across the company’s 500+ deployments in healthcare, life sciences, retail, and manufacturing verticals. The number of agentless and un-agentable devices increased to 42% in this year’s report (compared to 32% of agentless or un-agentable devices in 2020).
https://www.helpnetsecurity.com/2021/08/12/connected-devices-risks/
The Value Of PII And How It Still Fuels Malign Activities In The Digital Ecosystem
The COVID-19 pandemic engendered new vulnerabilities in the digital ecosystem for threat actors to exploit, resulting in items like vaccines, fraudulent vaccine certificates, and other COVID-19 related items being sold in dark marketplaces and underground forums, an Intelligence report reveals. The research analysed the value of personally identifiable information (PII), drawing links between the breach economy, PII, and a range of emerging digital threats to executives and brands.
https://www.helpnetsecurity.com/2021/08/10/pii-value-digital-ecosystem/
Ransomware Payments Explode Amid ‘Quadruple Extortion’
Two reports slap hard figures on what’s already crystal clear: Ransomware attacks have skyrocketed, and ransomware payments are the comet trails that have followed them skyward. The average ransomware payment spiked 82 percent year over year: It’s now over half a million dollars, according to the first-half 2021 update report. As far as the sheer multitude of attacks goes, researchers on Thursday reported that they’ve identified and analysed 121 ransomware incidents so far in 2021, a 64 percent increase in attacks, year-over-year.
https://threatpost.com/ransomware-payments-quadruple-extortion/168622/
Hackers Netting Average Of Nearly $10,000 For Stolen Network Access
A new report from a cyber security company has spotlighted the thriving market on the dark web for network access that nets cyber criminals thousands of dollars. Researchers have examined network access sales on underground Russian and English-language forums before compiling a study on why criminals sell their network access and how criminals transfer their network access to buyers. More than 37% of all victims in a sample of the data were based in North America while there was an average price of $9,640 and a median price of $3,000.
https://www.zdnet.com/article/hackers-netting-average-of-nearly-10000-for-stolen-network-access/
1M Stolen Credit Cards Hit Dark Web For Free
Threat actors have leaked 1 million stolen credit cards for free online as a way to promote a fairly new and increasingly popular cyber criminal site dedicated to…selling payment-card credentials. Researchers noticed the leak of the payment-card data during a “routine monitoring of cyber crime and Dark Web marketplaces,” researchers said in a post published over the weekend. The cards were published on an underground card-selling market, AllWorld.Cards, and stolen between 2018 and 2019, according to info posted on the forum.
https://threatpost.com/1m-stolen-credit-cards-dark-web/168514/
Ransomware Group Demanding $50M In Accenture Security Breach
The hacker group behind a ransomware attack on global solution provider giant Accenture has made a ransom demand for $50 million, according to a cyber security firm that reports seeing the demand. The threat actor is demanding the $50 million in exchange for more than 6 TB of data, according to a tweet.
Threats
Ransomware
Ransomware Gangs Exploiting Windows Print Spooler Vulnerabilities
Hackers Reportedly Threaten To Leak Data From Gigabyte Ransomware Attack
Synology Warns Of Malware Infecting NAS Devices With Ransomware
Phishing
Other Social Engineering
Malware
Discord Malware Is A Persistent And Growing Threat Warns Sophos
Microsoft Warning: This Unusual Malware Attack Has Just Added Some New Tricks
Experts Shed Light On New Russian Malware-As-A-Service Written In Rust
IISpy: A Complex Server‑Side Backdoor With Anti‑Forensic Features
Mobile
A 5G Shortcut Leaves Phones Exposed to Stingray Surveillance
Beware! New Android Malware Hacks Thousands of Facebook Accounts
IOT
Vulnerabilities
Microsoft Confirms There's Yet Another New Windows Print Spooler Security Bug
Magento Update Released To Fix Critical Flaws Affecting E-Commerce Sites
Organised Crime & Criminal Actors
Attackers Started Exploiting a Router Vulnerability Just 2 Days After Its Disclosure
Hackers Steal $600 Million In Crypto From DeFi Site Poly Network
Dark Web
Supply Chain
DoS/DDoS
Nation State Actors
Cloud
Privacy
Other News
The Challenges Healthcare CISOs Face In An Evolving Threat Landscape
Researchers Develop RISC-V Chip for Quantum-Resistant Encryption
Quantum Computers Could Threaten Blockchain Security. These New Defenses Might Be The Answer
Saving Money By Holding Onto Old Tech Is Costing Us All Billions
Attacks Against Industrial Networks Will Become A Bigger Problem. We Need To Fix Security Now
Kaseya's Universal Revil Decryption Key Leaked On A Hacking Forum
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Threat Briefing 04 June 2021
Black Arrow Cyber Threat Briefing 04 June 2021: Cyber Insurers Recoil As Ransomware Attacks ‘Skyrocket’; US Puts Cyber Crime On Par With Terror After Ransomware Attacks; Cyber Attack Leaves 7,000 Out Of Work; Irish Health Service Patient Data Leaked Online; Enterprise Networks Vulnerable To 20-Year-Old Exploits; US Seize Domains Used By SolarWinds Intruders For Spear-Phishing; Hacker Group DarkSide Operates Like A Franchise; Interpol Intercepts $83M Fighting Financial Cyber Crime
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
Cyber Insurers Recoil As Ransomware Attacks ‘Skyrocket’
The Great Fire of London helped forge the property insurance market, as residents feared a repeat of the savage destruction of 1666. In the absence of a state-backed fire service, some insurers even employed their own brigades, betting that limiting the damage to a property would be cheaper than rebuilding it. After a wave of high-profile cyber assaults, Graeme Newman, chief innovation officer at London-based insurance provider CFC, draws a parallel with today’s rapidly evolving market for cyber coverage. Insurance companies now provide emergency support services as well as financial compensation, so “the insurers own the digital fire trucks”, he said.
https://www.ft.com/content/4f91c4e7-973b-4c1a-91c2-7742c3aa9922
US Puts Cyber Crime On Par With Terror After Ransomware Attacks
The US government is raising the fight against cyber criminals to the same level as the battle against terrorists after a surge of ransomware attacks on large corporations. Internal guidance circulated by the Department of Justice instructs prosecutors to pool their information about hackers. The idea, said John Carlin, of the attorney-general’s office, is to “make the connections between actors and work your way up to disrupt the whole chain”.
https://www.thetimes.co.uk/article/us-cybercrime-terror-ransomware-attacks-joe-biden-pzrqbkfwt
Russia Under Fire As Cyber Attack Leaves 7,000 Out Of Work
An attack this week on JBS meatworks in North America and Australia brought the firm to a standstill, and now threatens to turn into a diplomatic row with Russia. JBS are reported to supply 20% of the world meat market and the ransomware attack has left 7,000 workers unable to do their jobs.
Irish Health Service Confirms Data Of Nearly 520 Patients Is Online After Cyber Attack
The Health Service Executive (HSE) has confirmed the data of nearly 520 patients is online after media reports of their publication. In a statement, the HSE said the data contains correspondence with patients, minutes of meetings and includes sensitive patient data. The HSE also confirmed corporate documents are among the HSE data illegally accessed. Confirmation of the authenticity of this data follows an analysis carried out by the agency and comments from the Minister for Communications, Eamon Ryan, that reports of patient data being shared online are "very credible".
https://www.irishexaminer.com/news/arid-40301054.html
Enterprise Networks Vulnerable To 20-Year-Old Exploits
While the industry focuses on exotic attacks – like the SolarWinds incident — the real risk to enterprises comes from older exploits, some as much as 20-years old. “While organisations always need to keep up with the latest security patches, it is also vital to ensure older system and well-known vulnerabilities from years past are monitored and patched as well,” says Etay Maor, senior director of security strategy at Cato Networks. “Threat actors are attempting to take advantage of overlooked, vulnerable systems.” Our research showed that attackers often scanned for end-of-life and unsupported systems. Common Vulnerability and Exposures (CVE) identified were exploits targeting software, namely vSphere, Oracle WebLogic, and Big-IP, as well as routers with remote administration vulnerabilities.
https://www.helpnetsecurity.com/2021/05/27/enterprise-networks-vulnerable/
US Authorities Seize Two Domains Used By SolarWinds Intruders For Malware Spear-Phishing Operation
Uncle Sam on Tuesday said it had seized two web domains used to foist malware on victims using spoofed emails from the US Agency for International Development (USAID). The domain takeovers, which occurred on Friday, followed a court order issued in the wake of a Microsoft report warning about the spear-phishing campaign. The phishing effort relied on malware-laden messages sent via marketing service Constant Contact. "Cyber intrusions and spear-phishing email attacks can cause widespread damage throughout affected computer networks, and can result in significant harm to individual victims, government agencies, NGOs, and private businesses,” said Acting US Attorney Raj Parekh for the Eastern District of Virginia, in a statement. "As demonstrated by the court-authorized seizure of these malicious domains, we are committed to using all available tools to protect the public and our government from these worldwide hacking threats."
https://www.theregister.com/2021/06/02/feds_seize_nobelium/
Hacker Group DarkSide Operates In A Similar Way To A Franchise
DarkSide, the hacker group behind the recent Colonial Pipeline ransomware attack, has a business model that’s more familiar than people think, according to New York Times correspondent Andrew Kramer, “It operates something like a franchise, where individual hackers can come and receive the ransomware software and use it, as well as, use DarkSide’s reputation, as it were, to extract money from their targets, mostly in the United States,” Kramer said in an interview that aired Wednesday night.
Interpol Intercepts $83 Million Fighting Financial Cyber Crime
The Interpol (short for International Criminal Police Organisation) has intercepted $83 million belonging to victims of online financial crime from being transferred to the accounts of their attackers. Over 40 law enforcement officers specialized in fighting cyber crime across the Asia Pacific region took part in the Interpol-coordinated Operation HAECHI-I spanning more than six months. Between September 2020 and March 2021, law enforcement focused on battling five types of online financial crimes: investment fraud, romance scams, money laundering associated with illegal online gambling, online sextortion, and voice phishing.
Is It Really The Wild West In Cyber Crime? Why We Need To Re-Examine Our Approach To Ransomware
Once again, cyber security has become a headline topic within and well outside technology circles, along with the little-known operator of a significant fuel pipeline: Colonial Pipeline. A ransomware attack, and ensuing panic buying of gasoline, resulted in widespread fuel shortages on the east coast, thrusting the issue of cyber security into the lives of everyday Americans. Colonial Pipeline CEO Joseph Blount later acknowledged that his company ultimately paid the cybercriminals $4.4 million to unlock company systems, generating a great deal of controversy around the simple question (and associated complex potential answers), of whether companies should pay when their systems are held hostage by ransomware.
Threats
Ransomware
White House Contacts Russia After Hack Of World’s Largest Meatpacking Company
This New Ransomware Is Targeting Unpatched Microsoft Exchange Servers
Fujifilm Becomes Latest Ransomware Victim As White House Urges Business Leaders To Take Action
Cyber Crime Forum Advertises Alleged Database, Source Code From Russian Firm That Helped Parler
Phishing
Other Social Engineering
Malware
Mobile
IOT
Vulnerabilities
Huawei USB LTE Dongles Are Vulnerable To Privilege Escalation Attacks
Hackers Actively Exploiting 0-Day In WordPress Plugin Installed On Over 17,000 Sites
EPUB Vulnerabilities: Electronic Reading Systems Riddled With Browser-Like Flaws
SonicWall Urges Customers To 'Immediately' Patch NSM On-Prem Bug
Data Breaches
Supply Chain
Nation State Actors
Chinese Cyber Criminals Spent Three Years Creating A New Backdoor To Spy On Governments
Kimsuky APT Continues To Target South Korean Government Using Appleseed Backdoor
Russian Hacker Pavel Sitnikov Arrested For Sharing Malware Source Code
Privacy
Other News
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.