Threat Intelligence Blog

Contact us to discuss any insights from our Blog, and how we can support you in a tailored threat intelligence report.

Black Arrow Admin Black Arrow Admin

Black Arrow Cyber Threat Briefing 10 May 2024

Black Arrow Cyber Threat Intelligence Briefing 10 May 2024:

-China Suspected of Hacking MoD, Through Its Payroll Provider

-Security Tools Fail to Translate Risks for Executives

-Gang Accused of MGM Hack Shifts Attacks to Finance Sector

-Are SMEs Paving the Way for Cyber Attacks on Larger Companies?

-Misconfigurations Drive 80% of Security Exposure, Report Finds

-Only 45% of Organisations Employ MFA Protections

-You Cannot Protect What You Do Not Know You Have, as Criminals are Exploiting Vulnerabilities Faster Than Ever

-The Rise and Stealth of The Socially Engineered Insider

-Over 70% of Staff Use AI At Work, But Only 30% of European Organisations Provide AI Training

-Don't Be the Weakest Link – You and Your Team's Crucial Role in Cyber Security

-Ransomware Activity Thrives, Despite Law enforcement Efforts

-NATO Warns of Russian Hybrid Warfare

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

China Suspected of Hacking UK Ministry of Defence, Through Its Payroll Provider

UK Defence Secretary Grant Shapps has confirmed that over 270,000 personal details have been leaked after the MoD was hacked through its third-party payroll provider, SSCL. The affected systems have been pulled offline since the attack. SSCL’s website describes that it manages HR for the armed forces, the Metropolitan Police and other areas of British government. The commercial supply chain, and in particular HR and payroll providers, is increasing being used as the soft underbelly to attack larger and better protected organisations.

Sources: [LBC] [The Register] [Sky News]

Security Tools Fail to Translate Risks for Executives

Organisations are struggling with internal communication barriers, hindering their ability to address and mitigate cyber security threats, according to a report which found that seven out of 10 C-suite executives said their security teams talk in technical terms without providing business context. However, in contrast, 75% of CISO’s highlight the issue is rooted in security tools that cannot generate the insights C-level executives and boards can use to understand business implications. The role of a good CISO should be to take the output of these tools and turn that data into metrics the Boards can understand.

The issues highlight the necessity for organisations to have someone in their organisation, whether an employee or a third-party, who is able to ingest technical results and translate them into a style that the C-suite can understand for business risk management.

Source: [Help Net Security]

Gang Accused of MGM Hack Shifts Attacks to Finance Sector

The hacking group responsible for the infamous hack on MGM and Caesar’s Palace resorts is engaged in a new campaign targeting the financial sector. The group known as Scattered Spider has targeted 29 companies since 20 April this year, compromising at least 2 insurance companies so far. The research has stated that the attackers are purchasing lookalike domains that match the name of target companies, hosting fake log-in pages. Links to these are sent to employees, in an attempt to direct them there. The most recent attack took place just days ago, with more expected.

Sources: [Bloomberg Law] [Claims Journal]

Are SMEs Paving the Way for Cyber Attacks on Larger Companies?

A recent study highlights the escalating cyber threats facing businesses, particularly SMEs and supply chains. The study found that 32% of UK businesses, including 69% of large and 59% of mid-sized organisations, suffered a cyber attack last year. The situation is worse for SMEs, with weaker security systems and 77% lacking in-house cyber security. SMEs can become entry points for hackers targeting larger partners through interconnected supply chains. Meanwhile, Verizon’s latest data breaches report revealed a 68% increase in supply chain breaches, accounting for 15% of all breaches in 2023, up from 9% in 2022. These breaches are primarily driven by third-party software vulnerabilities exploited in ransomware and extortion attacks. Experts emphasise proactive cyber policies, vulnerability scans, and employee education for SMEs to bolster defences. They also urge organisations to consider third-party bugs as both vulnerability and vendor management problems, make better vendor choices, and use external signals like SEC disclosures in the United States to guide decisions. These measures can help prevent SMEs from becoming gateways for larger attacks and manage the rising threat of supply chain breaches.

Sources: [Insurance Times] [Dark Reading]

Misconfigurations Drive 80% of Security Exposure, Report Finds

A recent report has found that 80% of security exposures are caused by identity and credential misconfigurations, with a third of these putting critical assets at risk of a breach. According to the report, the majority of this is within an organisation’s network user management (Active Directory) and 56% of breaches that impact critical assets are within cloud platforms. There is often the misconception that cloud-based environments are secure by default, but misconfigurations can undo any security benefits and still leave you exposed. Just because someone else built and maintains your house, it is still your responsibility to lock the doors and windows.

Sources: [Security Magazine]

Only 45% of Organisations Employ MFA Protections

A recent report of IT decision-makers has found that 97% are facing challenges with identity verification and 52% are very concerned about credential compromise, followed by account takeover (50%). When it comes to reinforcing identity verification, only 45% used multi-factor authentication (MFA). By using MFA, organisations are forcing two identification verifications: simply knowing a username and password is not enough, especially given the speeds with which attackers can crack passwords, with average 8 character passwords able to be cracked in less than a minute. Whilst no control is 100% impenetrable, enabling MFA will aid in increasing your organisation's cyber resilience.

Source: [Help Net Security]

You Cannot Protect What You Do Not Know You Have, as Criminals are Exploiting Vulnerabilities Faster Than Ever

For many organisations, visibility of their information assets can be incredibly hard to obtain and maintain, with different tools, under-reporting and shadow IT contributing to the problem. Unfortunately, cyber criminals are getting faster at exploiting vulnerabilities, and if you do not know you have the vulnerability in your estate then you cannot patch against it. In their recent report, Fortinet found that attacks started on average 4.76 days after new exploits were publicly disclosed.

Interestingly though, while zero-day threats garner much attention (these are ‘new’ vulnerabilities that are being exploited by attackers but for which there are no security patches yet available), one third of all exploits are for older vulnerabilities. This highlights the need for a comprehensive and robust approach to network security and vulnerability management, beyond simply patching what Microsoft puts out once a month. To have effective patch management, organisations must know what they need to patch and therefore must have visibility of the corporate environment. A good starting block is the creation of a robust information asset register.

Sources: [Security Brief] [Help Net Security] [IT Security Guru]

The Rise and Stealth of The Socially Engineered Insider

Social engineering has become increasingly prevalent as the preferred tactic for foreign adversaries. Insiders are prime targets due to their privileged access to sensitive data. This is particularly affecting the technology, pharma, and critical infrastructure sectors. Advances in AI and social platforms have made it easier to exploit these vulnerabilities. These advances allow threat actors to tailor attacks with unprecedented speed and realism. Using methods like coercion or deception, these actors exploit employees to gain high-value data that can be weaponised. As a result, the threat landscape has become more complex, blurring the lines between internal and external risks. To bolster their defences, organisations are now investing in insider risk management and AI. They are also emphasising employee education and cross-sector collaboration.

Source: [Forbes]

Over 70% of Staff Use AI At Work, But Only 30% of European Organisations Provide AI Training

An ISACA study and the AI Security & Governance Report reveal a complex landscape of AI adoption and security. 73% of European organisations and 54% of global organisations use AI, with 79% increasing their AI budgets, however training and policy development lag behind. Only 30% offer limited training, 40% provide none, and a mere 17% have a comprehensive AI policy. Despite AI’s potential, 80% of data experts find it complicates security, with concerns high around generative AI exploitation (61% of respondents) and AI-powered attacks (over 50% of business leaders). Data poisoning and privacy issues persist, yet 85% of leaders express confidence in their data security strategies, with 83% revising privacy and governance guidelines. With 86% recognising a need for AI training within two years, the call for dynamic governance strategies and formal education is clear to manage evolving threats.

Sources: [Help Net Security] [IT Security Guru]

Don't Be the Weakest Link – You and Your Team's Crucial Role in Cyber Security

Cyber security success depends on more than just technology. Bad actors are always looking for the easiest entry point, meaning that employees’ everyday actions are crucial, when even one careless click or a weak password can be an open door for hackers. However, empowered with the right knowledge and tools, staff can become a robust defence. Nearly 80% of organisations have reported an increase in phishing attacks, but training programs like role-playing exercises and phishing simulations significantly reduce these risks. Effective cyber security also hinges on C-suite leaders promoting a security-first culture, ensuring all employees understand the risks and follow strict protocols like MFA and strong password policies. Consistent training and open communication are vital in fostering a resilient, security-aware workforce.

Source: [JDSupra]

Ransomware Activity Thrives, Despite Law enforcement Efforts

Despite the recent law enforcement takedowns on ransomware groups, ransomware remains rife. Whilst the takedown of a group can come as an initial relief in that the group has gone, it simply forces ransomware affiliates to diversify. This is reflected in ransomware continuing its growth in the first quarter of 2024, with 18 new leak sites, the largest number in a single quarter, emerging over this period. When comes to those at risk, both financial services and healthcare remain a prominent target.

Sources: [Help Net Security ] [Infosecurity Magazine] [Help Net Security]

NATO Warns of Russian Hybrid Warfare

NATO has issued a statement in which it describes it is “deeply concerned about Russia's hybrid actions and the threat that they constitute to NATO security”.  The actions are described to include sabotage, acts of violence, cyber and electronic interference, and disinformation campaigns. This comes as many countries including the UK and US are due to have elections this year.

Sources: [EU Reporter] [Financial Times]

Threats

Ransomware, Extortion and Destructive Attacks

Ransomware Victims

Phishing & Email Based Attacks

Other Social Engineering

Artificial Intelligence

2FA/MFA

Malware

Mobile

Denial of Service/DoS/DDOS

Data Breaches/Leaks

Organised Crime & Criminal Actors

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

Insider Risk and Insider Threats

Supply Chain and Third Parties

Cloud/SaaS

Encryption

Linux and Open Source

Passwords, Credential Stuffing & Brute Force Attacks

Social Media

Training, Education and Awareness

Regulations, Fines and Legislation

Models, Frameworks and Standards

Data Protection

Careers, Working in Cyber and Information Security

Law Enforcement Action and Take Downs

Nation State Actors, Advanced Persistent Threats (APTs), Cyber Warfare, Cyber Espionage and Geopolitical Threats/Activity

Cyber Warfare and Cyber Espionage

Nation State Actors

China

Russia

Iran

North Korea

Other Nation State Actors, Hacktivism, Extremism, Terrorism and Other Geopolitical Threat Intelligence

Tools and Controls

Reports Published in the Last Week

Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

·         Automotive

·         Construction

·         Critical National Infrastructure (CNI)

·         Defence & Space

·         Education & Academia

·         Energy & Utilities

·         Estate Agencies

·         Financial Services

·         FinTech

·         Food & Agriculture

·         Gaming & Gambling

·         Government & Public Sector (including Law Enforcement)

·         Health/Medical/Pharma

·         Hotels & Hospitality

·         Insurance

·         Legal

·         Manufacturing

·         Maritime

·         Oil, Gas & Mining

·         OT, ICS, IIoT, SCADA & Cyber-Physical Systems

·         Retail & eCommerce

·         Small and Medium Sized Businesses (SMBs)

·         Startups

·         Telecoms

·         Third Sector & Charities

·         Transport & Aviation

·         Web3

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Read More
Black Arrow Admin Black Arrow Admin

Black Arrow Cyber Threat Briefing 29 March 2024

Black Arrow Cyber Threat Intelligence Briefing 29 March 2024:

-Only 3% of Organisations Globally are Fully Prepared for Cyber Threats

-China Cyber Attacks a Reminder Beijing Poses ‘Constant and Sophisticated’ Threat to Western Cyber Security

-Companies With Advanced Cyber Security Performance Deliver Nearly Four Times’ Higher Shareholder Return Than Their Peers

-Hackers Hit High-Risk Individuals’ Personal Accounts

-Cyber Security Threats in International Relations: Are We Prepared for a Digital Pearl Harbour?

-High Net Worths Urged to Improve Digital Hygiene in Fight Against Cyber Crime

-Key Lessons from Microsoft’s Password Spray Hack: Secure Every Account

-Mitigating Third-Party Risk Requires a Collaborative, Thorough Approach

-IT Leaders Struggle to Keep up With Emerging Threats, as 92% of IT Leaders Say Cyber Threats Are on the Rise, 51% See AI Attacks for the First Time

-Only 5% of Boards Have Cyber Security Expertise

-Google’s New AI Search Results Promotes Sites Pushing Malware and Scams

-Report Calls Out Cyber Risks to Financial Sector Fuelled by AI

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

Only 3% of Organisations Globally are Fully Prepared for Cyber Threats

A new report released by Cisco found that only 3% of organisations globally are considered to be at a “mature” level of readiness that is needed to be resilient against today’s cyber threats. In contrast, 80% of the companies surveyed felt moderately to very confident in their ability to defend against a threat.

Nearly three-quarters of respondents expect a cyber incident to disrupt their business in the next 12 to 24 months. For many, this was based on past experience, with more than half of respondents saying that they had experienced a cyber security incident in the last 12 months, and of those, more than half of said it cost them at least $300,000. To address this, 97% of companies expect to increase their cyber security budgets in the next 12 months.

Sources: [PR Newswire] [SiliconANGLE]

China Cyber Attacks a Reminder Beijing Poses ‘Constant and Sophisticated’ Threat to Western Cyber Security

The UK’s National Cyber Security Centre (NCSC) has now implicated a Chinese-backed hacking group, APT31, in attempts to target a group of MPs. Whilst this shows how advanced the threat from China has become, it should not be a surprise. It has been alleged that the hacking campaign targeted a broad swathe of private individuals, as well as strategically important companies and government officials. Geopolitical tensions are at an all-time high, as Conservative MP Iain Duncan Smith, one of those targeted by the campaign says, “we must now enter a new era of relations with China, dealing with the contemporary Chinese Communist party as it really is, not as we would wish it to be.”

Sources: [Sky News] [GovInfoSecurity] [The Guardian]

Companies With Advanced Cyber Security Performance Deliver Nearly Four Times’ Higher Shareholder Return Than Their Peers

A recent report underscores the pivotal role of cyber security in financial performance, revealing that companies with genuinely advanced levels of cyber security maturity generate a 372% higher shareholder return compared to those with lower levels of maturity, as observed over a five-year period. Notably, companies with engaged board members and specialised risk committees achieve superior cyber security performance. Despite regulatory requirements, only 3% of UK organisations have a cyber security expert on their board, emphasising the need for greater board-level engagement in cyber risk management. Industries like healthcare and financial services lead in cyber security ratings, underscoring the correlation between regulatory environments and cyber security performance.

Source: [Business Wire] [Computer Weekly]

Hackers Hit High-Risk Individuals’ Personal Accounts

Britain’s National Cyber Security Centre (NCSC) is warning that attackers faced with well-managed corporate cyber security defences, are instead turning their efforts to compromise high-risk individuals’ devices and accounts.

A high-risk individual is anyone who has access to or influence over sensitive information. For an attacker, these individuals can present a less complex route. They already know the individual has access to the data they want, it is just a case of compromising that individual.

Source: [Gov Info Security]

Cyber Security Threats in International Relations: Are We Prepared for a Digital Pearl Harbour?

Cyber security threats have reached unprecedented levels, posing significant risks to organisations and nations worldwide, with global costs predicted to soar to $10.5 trillion annually by 2025, a significant increase from $6 trillion in 2021. Recent reports from IBM Security X-Force reveal that organisations face an average of 270 cyber attacks per year, equivalent to an attack every business day, underlining the persistent nature of the threat and reinforcing the old question of ‘when’ not 'if' an organisation will get hit.

The report warns of the possibility of large-scale, coordinated attacks, akin to a “Digital Pearl Harbor,” on vital infrastructure such as power grids and financial markets, with ransomware-based attacks being identified as a major risk. The emergence of cyber warfare blurs the distinction between espionage and acts of war, underscoring the need for international standards and agreements. Despite the focus on cyber threats, many organisations have risk management gaps.

Source: [Eurasia Review]

High Net Worths Urged to Improve Digital Hygiene in Fight Against Cyber Crime

High net worth individuals and their families are often targets for cyber criminals who seek to steal their money, identity, intellectual property and corporate data, and attacks are increasing. With the current state of the world, there is significant information that is publicly available. This, added to the fact that many high-net-worth individuals have lesser security controls than corporations, makes them a more lucrative target.

As these types of attacks continue to increase, it is important for individuals to ensure they are demonstrating good cyber hygiene through actions including the adoption of multi-factor authentication, limiting unnecessary social media from themselves and their family (including holidays) and understanding current tactics to be able to spot and mitigate them.

Source: [Financial Times]

Key Lessons from Microsoft’s Password Spray Hack: Secure Every Account

Earlier this year, Microsoft discovered they had been the victim of a hack orchestrated by Russian-state hackers. The attack was not highly sophisticated; in fact, it involved simply spraying passwords into an old, inactive account. Password spraying is a simple brute force technique, which has the attacker trying the same password against multiple accounts. In this case, it was enough to be able to allow attackers to commit further exfiltration.

Picture your organisation: can you guarantee that no account is using the password “Password123”? Whilst organisations may focus on protecting privileged accounts, the attack shows that every account needs to be secured, as they are all entry points to your organisation. To combat this, organisations should look to implement robust password policies and multi-factor authentication.

Source: [The Hacker News]

Mitigating Third-Party Risk Requires a Collaborative, Thorough Approach

Mitigating third-party risk may seem daunting when considering the slew of incoming regulations coupled with the increasingly advanced tactics of cyber criminals. However, most organisations have more agency and flexibility than they think they do. Third-party risk management can be built on top of existing risk governance practices and security controls that are currently implemented in the organisation. Understanding the vendor landscape, categorising vendors based on criticality, and developing tailored governance plans are crucial steps. Contractual obligations, tailored to industry standards, play a pivotal role in ensuring security measures are upheld. Additionally, establishing a robust exit strategy is imperative to safeguard data integrity post-partnership. By fostering a culture of shared responsibility and continuous improvement, organisations can navigate the complexities of third-party risk management effectively.

Source: [Dark Reading]

IT Leaders Struggle to Keep up With Emerging Threats, as 92% of IT Leaders Say Cyber Threats Are on the Rise, 51% See AI Attacks for the First Time

A recent survey of over 800 IT and security leaders highlights the escalating threat landscape fuelled by emerging technologies, with AI-powered attacks identified as the most serious and challenging. 92% of respondents report a year-over-year increase in cyber attacks with 95% noting heightened sophistication.

Organisations reported facing AI-powered attacks (51%), deepfake technology and supply chain attacks (both 36%), cloud jacking (35%), Internet of Things (IoT) attacks and 5G network exploits (both 34%), and fileless attacks (24%). But it is not just newer attacks; organisations are still contending with prevalent attacks like phishing, malware, and ransomware. The survey found that 84% of respondents say that phishing and smishing have become more difficult to detect with the rise in popularity of AI-powered tools, revealing that AI-powered phishing is their top concern (42%) when it comes to AI security.

With so many constantly evolving threats, and with new ones being added to the mix all the time, it is becoming more and more difficult for IT leaders to keep on top of these emerging threats.

Source: [Beta News] [The Fast Mode]

Only 5% of Boards Have Cyber Security Expertise

There is a concerning gap in cyber expertise on corporate boards, with only 5% of businesses having a cyber expert onboard, despite a direct correlation between strong cyber security and higher financial performance. Countries like France have 10% representation while Canada lags behind at just 1%. Integration of cyber experts into specialised risk committees significantly boosts cyber security performance. Furthermore, advanced security ratings translate to significantly better financial returns over three and five-year periods, underlining the pivotal role of cyber security in overall business health.

Source: [Infosecurity Magazine]

Google’s New AI Search Results Promotes Sites Pushing Malware and Scams

Earlier this month, Google began rolling out a feature called Google Search Generative Experience (SGE) in its search results, which provides AI-generated quick summaries, including site recommendations. These results, however, are pushing scams and malware. BleepingComputer found that the listed sites promoted by SGE tend to use the .online top level domain, the same HTML templates, and the same sites to perform redirects, stating “This similarity indicates that they are all part of the same SEO [search engine optimisation] poisoning campaign that allowed them to be part of the Google index.” When clicking on the site in the Google search results, visitors will go through a series of redirects until they reach a scam site. This matter highlights the need for users to stay cognisant, even when using AI to improve quality of life.

Source: [Bleeping Computer]

Report Calls Out Cyber Risks to Financial Sector Fuelled by AI

A recent report by the US Department of the Treasury has identified AI-driven cyber fraud as the primary concern for financial institutions. Smaller firms, in particular, struggle with AI development, which intensifies security concerns. Despite a focus on cyber security, risk management lapses are common across institutions. The report further notes that nearly a third of these institutions are yet to address the evolving tactics of threat actors, including social engineering, malvertising, and QR code phishing. More than 2 in 5 have pointed to the increasing use of generative AI for scaling and automating attacks as a lingering risk factor. The report emphasises that, even without mandates, there’s an urgent need for financial institutions to bolster their risk management and cyber security practices to counter these AI-driven threats.

Source: [CyberScoop]

Governance, Risk and Compliance

Threats

Ransomware, Extortion and Destructive Attacks

Ransomware Victims

Phishing & Email Based Attacks

Artificial Intelligence

2FA/MFA

Malware

Mobile

Internet of Things – IoT

Data Breaches/Leaks

Organised Crime & Criminal Actors

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

Insider Risk and Insider Threats

Insurance

Supply Chain and Third Parties

Cloud/SaaS

Identity and Access Management

Encryption

Passwords, Credential Stuffing & Brute Force Attacks

Social Media

Malvertising

Training, Education and Awareness

Regulations, Fines and Legislation

Models, Frameworks and Standards

Backup and Recovery

Careers, Working in Cyber and Information Security

Law Enforcement Action and Take Downs

Nation State Actors, Advanced Persistent Threats (APTs), Cyber Warfare, Cyber Espionage and Geopolitical Threats/Activity

Cyber Warfare and Cyber Espionage

Nation State Actors

China

Russia

Iran

North Korea

Vulnerability Management

Vulnerabilities

Reports Published in the Last Week

Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

·         Automotive

·         Construction

·         Critical National Infrastructure (CNI)

·         Defence & Space

·         Education & Academia

·         Energy & Utilities

·         Estate Agencies

·         Financial Services

·         FinTech

·         Food & Agriculture

·         Gaming & Gambling

·         Government & Public Sector (including Law Enforcement)

·         Health/Medical/Pharma

·         Hotels & Hospitality

·         Insurance

·         Legal

·         Manufacturing

·         Maritime

·         Oil, Gas & Mining

·         OT, ICS, IIoT, SCADA & Cyber-Physical Systems

·         Retail & eCommerce

·         Small and Medium Sized Businesses (SMBs)

·         Startups

·         Telecoms

·         Third Sector & Charities

·         Transport & Aviation

·         Web3

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Read More
Black Arrow Admin Black Arrow Admin

Black Arrow Cyber Threat Briefing 22 December 2023

Black Arrow Cyber Threat Intelligence Briefing 22 December 2023:

-Majority of 2023’s Critical Cyber Attacks Stemmed from Fewer Than 1% of Vulnerabilities, with 1 in 4 High Risk Vulnerabilities Exploited Within 24 Hours of Going Public

-Ransomware Gangs Are Increasingly Turning to Remote Access Tools for Attacks, As UK Honeypots Attacked 17 Million Times Per Day

-Why Employees Are a Bigger Security Risk than Hackers

-77% of Financial Services Firms Detected a Cyber Attack in the Last Year, as Finance and Healthcare Continue to Suffer the Most Cyber Attacks

-New Report Data Shows 75% Increase in Suspicious Emails Hitting Inboxes

-Threat Actors Still Exploiting Old Unpatched Vulnerabilities

-Many Organisations Still Lack Formal Cyber Security Training

-Addressing the Growing Threat of Supply Chain Cyber Attacks

-Cyber Incident Costs Surge 11% as Budgets Remain Muted

-Attacks on Critical Infrastructure are Harbingers of War: Are We Prepared?

-UK Data Centres to be Classed as Critical Infrastructure Under New Gov Proposals

-Data Exfiltration and Extortion is the New Ransomware Threat, as 65% of Organisations Say Ransomware Concerns Impact Risk Management

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

Majority of 2023’s Critical Cyber Attacks Stemmed from Fewer Than 1% of Vulnerabilities, with 1 in 4 High Risk Vulnerabilities Exploited Within 24 Hours of Going Public

A new Qualys report reveals that less than 1% of vulnerabilities are responsible for the greatest damage, and a quarter of high-risk vulnerabilities are now being exploited within a day of disclosure. In 2023, a record-breaking 26,000 vulnerabilities have been identified so far, emphasising the need for organisations to accelerate their response times. High-risk vulnerabilities, particularly in network devices and web applications, are the main targets for attackers seeking unauthorised access or privilege escalation. This situation underscores the critical need for organisations to implement a multi-layered defence strategy, automate patching where appropriate especially in areas of critical infrastructure, and adopt zero-trust principles to safeguard against such swift and potent cyber threats.

Sources: [SiliconANGLE] [SC Media]

Ransomware Gangs Are Increasingly Turning to Remote Access Tools for Attacks, As UK Honeypots Attacked 17 million Times Per Day

Nearly three quarters of cyber-attacks across the UK in 2023 targeted technology frequently used for remote working, new data from Coalition has revealed.

Attackers frequently target Remote Desktop Protocol (RDP), a tool that lets users access office computers from home, as it grants the attacker quick access to devices and allows them to execute further attacks.

Honeypot sensors maintained by Coalition have recorded 5.8 billion attacks so far in 2023, averaging around 17 million attacks per day. Of these it was found that 76% of attacks targeted RDP.

Attackers exploit RDP vulnerabilities that often stem from simple configuration mistakes. By taking steps like disabling unnecessary remote access or tightening controls, companies can help shield themselves from these pervasive threats.

Sources: [Insurance Times] [TechRadar] [Infosecurity Magazine]

Why Employees Are a Bigger Security Risk than Hackers

In today's interconnected world, the spotlight is often on cyber criminals attacking from outside, but a worrying trend points inward. A recent study by Imperva reveals that insiders pose a significant threat, being behind 58% of security incidents. The incidents are a mixture of deliberate misuse and accidents, however the majority of organisations lack a strategy to combat these risks. Even when strategies exist, they may be undermined by employees bypassing IT protocols or due to the pressures of adapting to new technologies. With insider incidents on the rise by 47% in two years, the costs are too great to ignore.

Source: [Raconteur]

77% of Financial Services Firms Detected a Cyber Attack in the Last Year, as Finance and Healthcare Continue to Suffer the Most Cyber Attacks

Cyber attacks are more prevalent in the financial services sector than in any other industry. Last year, 77% of financial institutions were targeted, primarily through phishing and ransomware attacks. After financial services the second most targeted sector is healthcare. Both types of institutions are attractive targets not only because of their wealth of sensitive data but also because disruptions to their operations can lead to substantial ransom payments. They face increasingly sophisticated threats and the financial impact is significant, with approximately a quarter of these institutions estimating damages of at least $50,000. To mitigate these risks organisations are turning to cyber insurance, which necessitates further tightening of security practices, including identity and access management, to meet insurers’ stringent standards.

The healthcare sector reported over 179,000 cyber attacks in a single quarter, affecting entities globally. The primary threats were infostealers and ransomware. There have been scores of notable incidents where hospitals have been shut down or otherwise unable to operate. In many cases, this resulted in closing emergency departments, interfering with planned or emergency surgeries and forcing ambulances to divert to other hospitals, potentially causing life threatening delays. Further, a recent report analysing the enterprise risk management for the financial sector found that the two biggest concerns were rising interest rates at 74% and ransomware attacks at 65%.

Sources: [Security Magazine] [MSSP Alert] [PR NewsWire] [Security Magazine]

New Report Data Shows 75% Increase in Suspicious Emails Hitting Inboxes

A new report has unveiled the escalating threat posed by phishing emails, as detected by DMARC software. In the past year, there's been a 70% rise in emails flagged as fraudulent, with almost 18% of total email traffic in the first half of 2023 being intercepted as potential phishing attempts. This surge underscores a pressing need for robust email security measures. Simple yet effective tools like DMARC, which automatically weeds out emails impersonating legitimate domains, are becoming critical in the fight against these sophisticated scams. With the average cost of a cyber attack now well into the millions, and given the high click rates on phishing emails, it is clear that taking proactive steps to strengthen an organisations digital defence is not just sensible, it is essential for safeguarding the businesses in the digital age.

Source: [Dark Reading]

Threat Actors Still Exploiting Old Unpatched Vulnerabilities

A report by Cisco has found that the most targeted vulnerabilities this year, same as previous years, were old unpatched vulnerabilities which should have been fixed a long time ago. Some of these security gaps in widely-used applications like Microsoft Office and or within versions of Windows itself are over a decade old. Unpatched vulnerabilities can leave systems open to exploitation, potentially leading to unauthorised access, data breaches, and widespread security incidents, including being a key enabler of ransomware attacks. This highlights an urgent call to action for organisations to patch known vulnerabilities and secure user accounts to fortify their defences against cyber threats.

Source: [IT Business]

Many Organisations Still Lack Formal Cyber Security Training

As we navigate into 2024, a new report by the SANS Institute found that more than 30% of organisations do not regularly perform cyber readiness exercises, while 40% have yet to establish formal training for cyber security. These findings underline a gap between the need for robust security measures and actual preparedness. On a positive note, most organisations are adopting frameworks like the NIST CSF to shape their security posture, and two-thirds are actively using metrics to gauge the effectiveness of their security operations. Yet, there’s a call to action here: for real progress, intentional investment and commitment to comprehensive training and stringent security operations are non-negotiable. This is the path to mature security operations that can withstand the complexities of today’s cyber threats.

Source: [Security Brief]

Addressing the Growing Threat of Supply Chain Cyber Attacks

As businesses become more interconnected through digital supply chains, supply chain cyber attacks are becoming more of a pressing issue for organisations. The attackers tend to exploit weaknesses in third-party suppliers, often with less guarded entry points, to access larger networks. With companies increasingly outsourcing and using cloud adoption, the need for stringent third-party cyber risk assessments is vital. However, complexities arise with the shared responsibility model for cloud security, where setting out the division of security duties between cloud service providers and clients can blur lines of defence. To tackle these challenges, integration of cyber security into procurement and supply chain processes is essential. This means enforcing collaboration between procurement and cyber security teams, mandating security standards in vendor contracts, and utilising automated tools for continuous risk assessments. Safeguarding modern supply chains is no longer a siloed task but a strategic, organisation wide imperative.

Source: [HackerNoon]

Cyber Incident Costs Surge 11% as Budgets Remain Muted

A new report found an 11% jump in the direct costs of a significant cyber incident, now averaging $1.7 million. The burden is even heavier for those without cyber insurance, with costs escalating to $2.7 million per incident. Cyber risks like fraud, third-party breaches, and data theft remain prevalent. Despite these increasing threats, cyber security budgets have grown modestly and are not keeping pace with the increased level of threat. The report also highlights a concerning gap in understanding cyber threats and a lack of internal training, emphasising the critical need for not just financial investment, but also a deeper engagement with cyber security training and awareness within organisations.

Source: [Infosecurity Magazine]

Attacks on Critical Infrastructure are Harbingers of War: Are We Prepared?

The escalating cyber threats against critical infrastructure, like recent attacks on water authorities, highlight an urgent security concern. These attacks, which are often state-sponsored, are not just targeting financial or data assets but are striking at essential services vital to human survival. The tactics used in these attacks, known as Intelligence Preparation of the Battlefield (IPB), are aimed at weakening a nation by disrupting services like power and water, key to both civil stability and military operations. Nations like Russia, China, and Iran employ these strategies for different purposes, ranging from strategic military advantages to ideological victories. The use of ransomware, as seen in the increasing incidents reported by the FBI, is a tool for both financial gain and geopolitical disruption. As we face these multifaceted threats, the need for robust cyber security measures to protect our critical infrastructure has never been more pressing. It is a call to action for nations and organisations alike to fortify their defences against these evolving and serious cyber threats.

Source: [SC Media]

UK Data Centres to be Classed as Critical Infrastructure Under New Gov Proposals

The UK government is considering new regulations aimed at enhancing the security and resilience of data centres. The Department for Science, Innovation and Technology (DSIT) recognises the vital role of these data hubs and is examining the adequacy of current safety practices. With the identification of varying levels of security across the sector, the prospect of legislating minimum security standards is on the table. This may include establishing a regulatory body to oversee incident reporting and risk mitigation strategies, particularly for third-party service providers. These measures underscore the government's commitment to safeguarding data centres, which are increasingly integral to the UK's economic vitality and national security. As part of a broader initiative, the sector could be designated as critical national infrastructure, aligning it with international best practices and ensuring comprehensive protection from cyber threats and other risks.

Source: [ITPro]

Data Exfiltration and Extortion is the New Ransomware Threat, as 65% of Organisations Say Ransomware Concerns Impact Risk Management

Cyber criminals are escalating their tactics and becoming more aggressive in their effort to maximise disruption and compel the payment of ransom demands. Earlier this year, the ransomware group ALPHV exploited the new US data breach disclosure rules by filing a complaint with the US Securities and Exchange Commission (SEC) against a victim company for not reporting an alleged significant data breach. This marks a strategic evolution from traditional ransomware attacks, where data is encrypted and held hostage, to more nuanced extortion schemes. Such tactics are becoming more sophisticated, with triple extortion attacks threatening not just the target company but also their partners and clients. This shift from encryption to pure extortion requires a fresh understanding of cyber threats and a re-evaluation of defence strategies. It highlights the urgent need for businesses to protect not just their own data but also to consider the security of their entire data supply chain.

Source: [TechCrunch]

Threats

Ransomware, Extortion and Destructive Attacks

Ransomware Victims

Phishing & Email Based Attacks

Artificial Intelligence

2FA/MFA

Malware

Mobile

Internet of Things – IoT

Data Breaches/Leaks

Organised Crime & Criminal Actors

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

Insider Risk and Insider Threats

Insurance

Supply Chain and Third Parties

Cloud/SaaS

Encryption

Passwords, Credential Stuffing & Brute Force Attacks

Social Media

Malvertising

Training, Education and Awareness

Regulations, Fines and Legislation

Models, Frameworks and Standards

Careers, Working in Cyber and Information Security

Law Enforcement Action and Take Downs

Nation State Actors, Advanced Persistent Threats (APTs), Cyber Warfare, Cyber Espionage and Geopolitical Threats/Activity

Cyber Warfare and Cyber Espionage

Nation State Actors

China

Russia

Iran

Other Nation State Actors, Hacktivism, Extremism, Terrorism and Other Geopolitical Threat Intelligence

Vulnerability Management

Vulnerabilities

Other News

Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

·         Automotive

·         Construction

·         Critical National Infrastructure (CNI)

·         Defence & Space

·         Education & Academia

·         Energy & Utilities

·         Estate Agencies

·         Financial Services

·         FinTech

·         Food & Agriculture

·         Gaming & Gambling

·         Government & Public Sector (including Law Enforcement)

·         Health/Medical/Pharma

·         Hotels & Hospitality

·         Insurance

·         Legal

·         Manufacturing

·         Maritime

·         Oil, Gas & Mining

·         OT, ICS, IIoT, SCADA & Cyber-Physical Systems

·         Retail & eCommerce

·         Small and Medium Sized Businesses (SMBs)

·         Startups

·         Telecoms

·         Third Sector & Charities

·         Transport & Aviation

·         Web3

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Read More
Black Arrow Admin Black Arrow Admin

Black Arrow Cyber Threat Briefing 03 November 2023

Black Arrow Cyber Threat Intelligence Briefing 03 November 2023:

-Surviving a Ransomware Attack Begins by Acknowledging it’s Inevitable

-Are You and Your Clients Soft Targets?

-Cyber Attacks Cause Revenue Losses in 42% of Small Businesses

-Executives May be The Biggest Risk to Your Business

-Organisations Can Only Stop 57 Percent of Cyber Attacks

-Many Businesses Remain Unprepared for AI as Phishing Attacks Rise 1,265% Since Launch of ChatGPT

-Business Email Compromise is Most Common Entry Point for Cyber Attack

-US Regulator Charges Firm and its CISO For Fraud and Cyber Security Failures

-Companies Scramble to Integrate Immediate Recovery into Ransomware Plans

-Your End-Users are Reusing Passwords, That’s a Big Problem

-Cyber Workforce Demand is Outpacing Supply

-What the Boardroom Is Missing: CISOs

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Surviving a Ransomware Attack Begins by Acknowledging it’s Inevitable

The best defence against a ransomware attack is assuming it will happen before it does.  Research by Visa Inc found that ransomware continues to rapidly rise. One of the main factors is the use of AI services to mass produce highly personalised and plausible emails. The second is the proliferation of highly professional do-it-yourself ransomware kits, which frequently come with 24/7 tech support. These two factors drastically lower the skill level required for cyber criminals to successfully pull off an attack.

Another new ransomware trend is “dual ransomware attacks”. This is where criminals carry out two or more attacks in close proximity of each other, ranging between 48 hours to a maximum of 10 days. With an 80% chance of re-attack, small and medium sized businesses in hard-hit industries including healthcare and manufacturing are primary targets; organisations must be extra vigilant as the holidays approach because this is when cyber criminals are most likely to attack.

Black Arrow works with organisations of all sizes and sectors to design and prepare for managing a cyber security incident; this can include an Incident Response Plan and an educational tabletop exercise for the leadership team that highlights the proportionate controls to help the organisation prevent and mitigate an incident.

Source: [Venture Beat] [SC Media] [Help Net Security] [Infosecurity Magazine] [Help Net Security] [Tech Crunch]

Are You and Your Clients Soft Targets?

Cyber attacks are not a matter of "if" but "when," and the question you need to ask yourself is, ‘Are you a soft target?’. A soft target is a network or organisation that is relatively unprotected or vulnerable to cyber attacks.

You may feel confident in your ability to recover from an attack, but if you've never thoroughly tested your backup and recovery procedures, and when the time comes you find that it does not work, the result will leave you more likely to pay a ransom in an encryption based ransomware scenario. Reliance on legacy antivirus, which often fails to detect modern threats, can also render your network a soft target. Additionally, the absence of a rigorous vulnerability scanning and patching process leaves vulnerabilities undiscovered, and attackers are quick to exploit them. If you rely solely on prevention measures like firewalls and endpoint protection platforms, you are making yourself an appealing soft target for cyber criminals.

No organisation is entirely immune to cyber attacks. The key to defending you and your client's information effectively is to anticipate attacks, understand your security posture, recognise potential adversaries, and recover correctly in the event of an attack.

Source: [MSSP Alert]

Cyber Attacks Cause Revenue Losses in 42% of Small Businesses

Small businesses may be discouraged from investing in preventive cyber security measures due to the expense involved and the mistaken belief that only larger companies are the target of cyber crimes. However, according to a recent report nearly 8 in 10 small business leaders admit they are anxious about the safety of their company’s sensitive data and information. The report found that employee and customer data continue to be the most impacted categories of information in data breaches with 42% of small businesses losing revenue due to a cyber event.

The widespread use of internet-connected devices has given rise to a substantial surge in threat actors targeting small and medium-sized businesses, with malware, phishing and botnets being the most common threats. Daily malware activity has doubled year over year, and peaks in holiday seasons.

Sources: [Help Net Security] [Security Magazine] [Help Net Security] [JDSupra]

Executives May be The Biggest Risk to Your Business as One in Five Share Work Passwords Outside the Company

According to a recent report, nearly half (49%) of C-level executives have requested to bypass one or more security measures in the past year, highlighting a concerning disparity between what business leaders say about cyber and what they do. The research reported one in five sharing their work password with someone outside the company, 77% using easy-to-remember passwords including birth dates, and a third admitting to accessing unauthorised files and data with nearly two-thirds having the ability to edit those files/data.

Additionally, the C-suite was found to be more than three times as likely than regular users to share work devices with unauthorised users. An essential approach to reducing the risks is a tailored training programme that enables all users, including the C-suite, to understand the objective of security controls and the risks caused by bypassing them. Black Arrow offers bespoke training to all roles within the organisation as well as upskilling tailored to those at the board level.

Sources: [Infosecurity Magazine] [Tech Radar] [Security Magazine] [Help Net Security]

Organisations Can Only Stop 57 Percent of Cyber Attacks

According to a report from Tenable, over the last two years, the average organisation's cyber security program was prepared to preventatively defend against, or block, just 57 percent of the cyber attacks it encountered. The report found that 58% of respondents focus almost entirely on fighting successful attacks rather than working to prevent them in the first place. This is put down largely to a struggle to obtain an accurate picture of their attack surface. When it came to risks, 75% viewed cloud infrastructure as the greatest source of exposure risk in their organisation.

Source: [Beta News]

Many Businesses Remain Unprepared for AI as Phishing Attacks Rise 1,265% Since Launch of ChatGPT

Generative AI has revolutionised many aspects of life, offering new opportunities that have also greatly benefited malicious actors. A report has found that since the launch of ChatGPT, phishing attacks have increased by 1,265%. A separate report found that many businesses remain unprepared for the impact of AI, with just 16% of respondents satisfied in their organisation’s understanding of these AI tools.

Sources: [Decrypt] [Infosecurity Magazine] [Emerging Risks]

Business Email Compromise is Most Common Entry Point for Cyber Attack

According to cyber insurance provider Hiscox, almost half of UK businesses have experienced a cyber attack in the last year, an increase of 9% from the previous year. Business email compromise was recorded as the most common point of entry, mentioned by 35% of companies who suffered an attack.

The report found that 20% of attacked organisations received a ransomware demand, slightly up from 19% the previous year. The proportion paying the ransom fell from 66% to 63%, but the median ransom rose 13%.

Sources: [Hiscox] [Digital Journal]

US Regulator Charges Firm and its CISO For Fraud and Cyber Security Failures

The US Securities and Exchange Commission (SEC) announced plans to charge a Chief Information Security Officer (CISO) with fraud for their role in allegedly lying to investors, overstating cyber security practices, and understating or failing to disclose known risks. A key piece of evidence presented by the SEC involved a presentation that was shared with the CISO, detailing a lack of security in the CISO employer’s setup. The presentation highlighted how exploitation could lead to major reputational and financial loss.

The case represents a larger shift in the dynamics and corporate reporting of security issues and within this, lies the professionalism of the CISO role. It is likely that this incident could become the start of something larger.

Sources: [The Record] [Security Week ] [Forbes]

Companies Scramble to Integrate Immediate Recovery into Ransomware Plans

A survey found that 66% of companies are reevaluating their data protection and cyber resilience strategies. Despite this, 35% are not prioritising recovery and only half (56.6%) focused on both recovery and prevention.

Whilst it is important to prevent attacks, nothing is 100% secure and organisations need to ensure that their ransomware plans include recovery as a part of this. If, or when, you experience an attack, you will not want to improvise your recovery.

Source: [Help Net Security]

Your End-Users are Reusing Passwords: That’s a Big Problem

Password reuse is a difficult vulnerability for IT teams to get full visibility over. The danger is often hidden until it turns up in the form of hackers using compromised credentials as an initial access vector. A recent survey revealed that 53% of people admit to reusing passwords, making it easier for attackers to gain access to multiple applications with a single compromised password.

While it is difficult for organisations to maintain visibility over who is reusing passwords, especially if employees are reusing passwords outside of the organisation, there are still ways to combat this. Implementing tools that can check for compromised passwords, using multi-factor authentication and ensuring all employees carry out cyber security and awareness training are a few methods to help combat password re-use.

Source: [Bleeping Computer]

Cyber Workforce Demand is Outpacing Supply

A study by ISC2 stated that we would need to double the cyber workforce to adequately protect organisations and their critical assets. The study found that the gap between the demand and supply grew 12.6%. For organisations, this can mean a struggle in hiring cyber expertise.

To address the challenge of attracting and retaining quality senior security professionals, Black Arrow offers a fractional CISO service that gives flexible access to a whole team of specialists with wide expertise, experience and backgrounds in technology, governance and transformation, for less than the cost of hiring one individual.

Source: [Cyber Scoop]

What the Boardroom Is Missing: CISOs

According to a new study only 12% of S&P 500 companies have board directors with relevant cyber credentials, highlighting a major gap in expertise needed to keep organisations secure. As most organisations shift to digital and cloud-first strategies, businesses of all shapes and sizes must protect their assets. Unfortunately, there's a considerable gap between security leaders and the board directors responsible for managing businesses. A recent Harvard Business Review survey revealed just 47% regularly interact with their company's Chief Information Security Officer (CISO). That's a severe knowledge gap for a company's security and business leaders.

Introducing CISOs to the boardroom is not just about compliance, it's also about ensuring transparency and accountability. CISOs are already building security programs from the ground up. They provide business compliance, hire the right people, and find the right technology to supplement their team's efforts. Security posture is critical to an enterprise's future success, and having a CISO on the board that speaks the language can help a board understand if their business is making suitable security investments.

Source: [Dark Reading]

Top Cyber Stories of the Last Week

Governance, Risk and Compliance

Threats

Ransomware, Extortion and Destructive Attacks

Ransomware Victims

Phishing & Email Based Attacks

Artificial Intelligence

Malware

Mobile

Denial of Service/DoS/DDOS

Internet of Things – IoT

Data Breaches/Leaks

Organised Crime & Criminal Actors

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

Insider Risk and Insider Threats

Insurance

Supply Chain and Third Parties

Cloud/SaaS

Identity and Access Management

Encryption

Passwords, Credential Stuffing & Brute Force Attacks

Social Media

Malvertising

Training, Education and Awareness

Regulations, Fines and Legislation

Models, Frameworks and Standards

Careers, Working in Cyber and Information Security

Law Enforcement Action and Take Downs

Nation State Actors, Advanced Persistent Threats (APTs), Cyber Warfare, Cyber Espionage and Geopolitical Threats/Activity

Misc Nation State/Cyber Warfare/Cyber Espionage

Geopolitical Threats/Activity

China

Russia

Iran

North Korea

Vulnerability Management

Vulnerabilities

Reports Published in the Last Week

Cyber Readiness Report 2023 UK - Hiscox

Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

·       Automotive

·       Construction

·       Critical National Infrastructure (CNI)

·       Defence & Space

·       Education & Academia

·       Energy & Utilities

·       Estate Agencies

·       Financial Services

·       FinTech

·       Food & Agriculture

·       Gaming & Gambling

·       Government & Public Sector (including Law Enforcement)

·       Health/Medical/Pharma

·       Hotels & Hospitality

·       Insurance

·       Legal

·       Manufacturing

·       Maritime

·       Oil, Gas & Mining

·       OT, ICS, IIoT, SCADA & Cyber-Physical Systems

·       Retail & eCommerce

·       Small and Medium Sized Businesses (SMBs)

·       Startups

·       Telecoms

·       Third Sector & Charities

·       Transport & Aviation

·       Web3

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Read More
Black Arrow Admin Black Arrow Admin

Black Arrow Cyber Threat Briefing 27 October 2023

Black Arrow Cyber Threat Intelligence Briefing 27 October 2023:

-More Companies Adopt Board-Level Cyber Security Committees

-Ransomware Attacks Rise by More Than 95% Over 2022, to All Time High

-Security Still Not a Priority for a Third of SMBs Despite 73% Suffering Cyber Attack Last Year

-More Than 46 Million Potential Cyber Attacks Logged Every Day

-Fighting Cyber Attacks Requires Top-Down Approach

-Email Security Threats are More Dangerous This Year as Over 200 Million Malicious Emails Detected in Q3 2023

-98% of Security Leaders Worry About Risks of Generative AI as Fears Drive Spending

-48% of Organisations Predict Cyber Attack Recovery Could Take Weeks

-Cyber Security Awareness Doesn't Cut It; It's Time to Focus on Behaviour

-How Cyber Security Has Evolved in The Past 20 Years

-Rising Global Tensions Could Portend Destructive Hacks

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

More Companies Adopt Board-Level Cyber Security Committees

In a recent CISO Report by Splunk, 78% of CISOs and other security leaders reported a dedicated board-level cyber security committee at their organisations. These committees may be made up of qualified individuals or potentially even third parties - not necessarily company employees - that give guidance to the board around matters like risk assessment and cyber security strategy. These board-level cyber security committees can potentially bridge communication barriers between IT, security teams and boards. Black Arrow supports business leaders in organisations of all sizes to demonstrate governance of their cyber risks, by participating in board meetings to upskill and guide the board in requesting and challenging the appropriate information from their internal and external sources.

Source: [Decipher]

Ransomware Attacks Rise by More Than 95% Over 2022, to All Time High

A recent report by Corvus has found that ransomware attacks continued at a record-breaking pace, with Q3 frequency up 11% over Q2 and 95% year-over-year. Even if there were no more ransomware attacks this year, the victim account has already surpassed what was observed for 2021 and 2022. In a separate report, analysis conducted by Sophos has found that dwell times, which is the length of time an attacker is in a victim’s system before they are discovered, has fallen, leaving less time for organisations to detect attacks.

Sources: [Dark Reading] [SC Magazine] [Reinsurance News]

Security Still Not a Priority for a Third of SMBs Despite 73% Suffering Cyber Attack Last Year

Multiple reports highlighting different aspects of small and medium businesses (SMBs) all have one thing in common: the lack of priority that is given to cyber security. One example is a survey conducted by Amazon Web Services (AWS) which found that cyber security is not even a strategic priority for 35% of SMBs when considering moving to the cloud. This comes as a report by Identity Theft Resource Center (ITRC) found that 73% of US SMBs reported a cyber attack last year, with employee and customer data being the target in data breaches. Despite the rise in SMB attacks, relatively few organisations are following cyber security best practices to help prevent a breach in the first place. Every business, regardless of size, should do everything it reasonably can to protect its data and ensure connectivity, and smaller organisations may be more likely to be a victim of a cyber attack. Security is an enabler for the wider IT and business strategy to help users build the organisation in greater security. It should be hard-baked from the outset; seeking expert advice can help ensure the right proportionate security decisions are being made.

Sources: [Insider Media] [Infosecurity Magazine] [IT Reseller Magazine] [Infosecurity Magazine]

More Than 46 Million Potential Cyber Attacks Logged Every Day

New data released by the UK’s BT Group has found that more than 500 potential cyber attacks are logged every second. The BT data showed that over the last 12 months the most targeted sectors by cyber criminals were IT, defence, banking and insurance sectors; this was followed by the retail, hospitality and education industries. According to the figures 785,000 charities fell victim to cyber attacks. The data found that hackers are relentlessly scanning devices for vulnerabilities by using automation, and artificial intelligence is now being included by attackers to identify weaknesses in an organisation’s cyber defences.

Sources: [Evening Standard] [Proactive] [The Independent]

Fighting Cyber Attacks Requires Top-Down Approach

Organisations must move away from the posture that their IT division owns responsibility for safeguarding against cyber attacks. Instead, what we really need is for cyber security to come down from the top of the organisation, into the departments so that we have an enterprise-wide culture of security. It is the board’s responsibility to work with the executive team to ensure it is not just an IT-centric issue. By aligning cyber risk management with business needs, creating a cyber security strategy as a business enabler, and incorporating cyber security expertise into board and governance, the organisation will create a solid foundation for this top-down approach.

Source: [Chief Investment Officer]

Email Security Threats are More Dangerous This Year as Over 200 million Malicious Emails Detected in Q3 2023

The use of generative artificial intelligence (AI) tools such as ChatGPT has made spam and phishing emails infinitely more dangerous, with over 200 million sent in Q3 2023. A recent report found that link-based malware delivery made up 58% of all malicious emails for the quarter, while attachments made up the remaining 42%. Worryingly, 33% of these were delivered through legitimate but compromised websites.

Phishing does not come through emails alone however, there is also phishing via SMS, QR codes, calls and genuine, but compromised accounts. Black Arrow supports organisations of all sizes in designing and delivering proportionate user education and awareness programmes, including in-person and online training as well as simulated phishing campaigns. Our programmes help secure employee engagement and build a cyber security culture to protect the organisation. 

Sources: [Security Magazine] [MSSP Alert] [TechRadar]

98% of Security Leaders Worry About Risks of Generative AI as Fears Drive Spending

Generative AI is playing a significant role in reshaping the phishing email threat landscape, according to a recent report from Abnormal Security. The report found that 98% of security leaders are highly concerned about generative AI's potential to create more sophisticated email attacks, with four-fifths (80.3%) of respondents confirming that their organisation had already received AI-generated email attacks or strongly suspecting that this was the case. A separate report by IBM found that attackers only needed five simple prompts to get the AI to develop a highly convincing phishing email. In a separate report, Gartner stated that AI has created a new scare, which contributed to 80% of CIO’s reporting that they plan to increase spending on cyber security, including AI.

Sources: [Infosecurity Magazine] [CSO Online] [Business Wire] [Help Net Security]

48% of Organisations Predict Cyber Attack Recovery Could Take Weeks

A recent report has found that 48% of respondents predicted that it would take days or weeks for their company to recover from cyber attacks, representing a potentially devastating risk to their business. Attacks are a matter of when, not if. Organisations should have plans and procedures in place to be able to recover from an attack; this includes having an incident response plan and regularly testing the organisation’s ability to backup and recover.

Black Arrow works with organisations of all sizes and sectors to design and prepare for managing a cyber security incident; this can include an incident response plan and an educational tabletop exercise for the leadership team that highlights the proportionate controls to help the organisation prevent and mitigate an incident.

Sources: [Security Magazine]

Cyber Security Awareness Doesn't Cut It; It's Time to Focus on Behaviour

The human element remains a significant vulnerability in cyber security, as reinforced by recent analysis. Repeated studies show that knowledge alone does not change behaviour, and that simply giving people more training is unlikely to change outcomes. The study underscores that even with heightened cyber security awareness, there has not been a notable decline in successful cyber attacks that exploit human errors.

We need to draw parallels to real-world skills. The report suggests that cyber security education should be as continuous and context-driven as learning to drive: no one learnt to drive by having a single lesson once a year. For instance, rather than educating employees on using multifactor authentication (MFA) in isolation, it's more impactful to provide an explanation of the additional security that that control provides and the reasons why it is being used to protect the organisation. This contextual approach, accentuated with insights on the advantages of these controls, is poised to foster the right behaviours and bolster security outcomes. However, the challenges persist, with many employees still bypassing recommended security protocols, underscoring the need for a more hands-on, real-time approach to cyber security education.

Source: [Dark Reading]

How Cyber Security Has Evolved in The Past 20 Years

Twenty years ago, the cloud as we know it didn’t exist. There were no Internet of Things (IoT) sensors, not even Gmail was around. Cyber threats have evolved significantly since then, but so too have the solutions. We’ve transitioned from manual, on-site vulnerability scanning and lengthy breach investigations, to automated tools and remote work capabilities that have reduced investigation times from months to weeks. Alongside technological advancements, laws and regulations surrounding cyber security have also tightened, imposing stricter rules on organisations to protect customer data and penalties for attackers.

The bigger picture is staying a step ahead of threat actors in the automation race. Whether that’s accomplished with AI or some other yet-to-be-discovered technology remains to be seen. In the meantime, as is always the case in this industry, regardless of the latest innovation, everyone needs to stay vigilant for threat actors’ attacks and remember that what was adequate to protect technology 20 years ago will not be sufficient to defend against the threat landscape today, and certainly not against the threats of tomorrow.

Source: [Forbes]

Rising Global Tensions Could Portend Destructive Hacks

Governments in the West are warning public and private sector organisations to "remain on heightened alert" for disruptive cyber attacks targeting critical infrastructure and key sectors amid a series of escalating global conflicts.

Source: [Info Risk Today]

Threats

Ransomware, Extortion and Destructive Attacks

Ransomware Victims

Phishing & Email Based Attacks

Other Social Engineering; Smishing, Vishing, etc

Artificial Intelligence

2FA/MFA

Malware

Mobile

Denial of Service/DoS/DDOS

Internet of Things – IoT

Data Breaches/Leaks

Organised Crime & Criminal Actors

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

Insider Risk and Insider Threats

Fraud, Scams & Financial Crime

Deepfakes

Insurance

Dark Web

Supply Chain and Third Parties

Software Supply Chain

Cloud/SaaS

Passwords, Credential Stuffing & Brute Force Attacks

Social Media

Malvertising

Training, Education and Awareness

Regulations, Fines and Legislation

Models, Frameworks and Standards

Backup and Recovery

Law Enforcement Action and Take Downs

Privacy, Surveillance and Mass Monitoring

Misinformation, Disinformation and Propaganda

Nation State Actors, Advanced Persistent Threats (APTs), Cyber Warfare, Cyber Espionage and Geopolitical Threats/Activity

Misc Nation State/Cyber Warfare/Cyber Espionage

Geopolitical Threats/Activity

China

Russia

Iran

North Korea

Vulnerability Management

Vulnerabilities

Other News

Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

·         Automotive

·         Construction

·         Critical National Infrastructure (CNI)

·         Defence & Space

·         Education & Academia

·         Energy & Utilities

·         Estate Agencies

·         Financial Services

·         FinTech

·         Food & Agriculture

·         Gaming & Gambling

·         Government & Public Sector (including Law Enforcement)

·         Health/Medical/Pharma

·         Hotels & Hospitality

·         Insurance

·         Legal

·         Manufacturing

·         Maritime

·         Oil, Gas & Mining

·         OT, ICS, IIoT, SCADA & Cyber-Physical Systems

·         Retail & eCommerce

·         Small and Medium Sized Businesses (SMBs)

·         Startups

·         Telecoms

·         Third Sector & Charities

·         Transport & Aviation

·         Web3

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Read More
Black Arrow Admin Black Arrow Admin

Black Arrow Cyber Threat Briefing 03 February 2023

Black Arrow Cyber Threat Briefing 03 February 2023:

-Business Leaders Need a Hands-on Approach to Stop Cyber Crime, Says Spy Chief

-Rising ‘Firebrick Ostrich’ BEC Group Launches Industrial Scale Cyber Attacks

-The Corporate World is Losing its Grip on Cyber Risk

-Microsoft Reveals Over 100 Threat Actors are Deploying Ransomware in Attacks

-Greater Incident Complexity, a Shift in How Threat Actors Use Stolen Data Will Drive the Cyber Threat Landscape in 2023

-The Threat from Within: 71% of Business Leaders Surveyed Think Next Cyber Security Breach Will come from the Inside

-98% of Organisations Have a Supply Chain Relationship That Has Been Breached

-New Survey Reveals 40% of Companies Experienced a Data Leak in the Past Year

-Russian Hackers Launch Cyber Attack on Germany in Leopard Tank Retaliation

-Financial Services Targeted in 28% of UK Cyber Attacks Last Year

-Phishing Attacks are Getting Scarily Sophisticated. Here’s what to Watch Out For

-City of London on High Alert After Ransomware Attack

-Ransomware Conversations: Why the CFO is Pivotal to Discussing and Preparing for Risk

-JD Sports Warns of 10 Million Customers Put at Risk in Cyber Attack

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

  • Business Leaders Need a Hands-on Approach to Stop Cyber Crime, Says Spy Chief

Business leaders must not see cyber crime as “just a technical issue” that can be left up to IT departments, said Lindy Cameron, chief executive of the National Cyber Security Centre (NCSC).  Ms Cameron later commented that “In the world of cyber security, the new year has brought with it some sadly familiar themes - a continuation of cyber incidents affecting organisations large and small as well as the British public”.

Along with this, came the urge for business leaders to step up their efforts in combating cyber crime by taking an active interest and educating themselves on the subject.  When commenting upon board members’ level of understanding, Ms Cameron said “I’d also encourage board members to develop a basic understanding of cyber security, which can help when seeking assurances from IT teams about the resilience of an organisation - in a similar way that leaders have a certain level of understanding of finance to assess financial health”.

https://www.telegraph.co.uk/news/2023/01/28/business-leaders-need-hands-on-approach-stop-cyber-crime-says/

  • Rising ‘Firebrick Ostrich’ BEC Group Launches Industrial Scale Cyber Attacks

Business email compromise (BEC) has become one of the most popular methods of financially motivated hacking. And over the past year, one group in particular has demonstrated just how quick, easy, and lucrative it really is.

"Firebrick Ostrich" is a threat actor that's been performing BEC at a near-industrial scale. Since April 2021, the group has carried out more than 350 BEC campaigns, impersonating 151 organisations and utilising 212 malicious domains in the process. This volume of attacks is made possible by the group's wholesale gunslinging approach. Firebrick Ostrich doesn't discriminate much when it comes to targets, or gather exceptional intelligence in order to craft the perfect phishing bait. It throws darts at a wall because, evidently, when it comes to BEC at scale, that's enough.

BEC is attractive to bad actors due to the lower barriers to entry than malware, less risk, faster scaling opportunities, and way more profit potential to higher echelons than other methods of attack. These factors may explain why such attacks are absolutely the emerging trend, potentially even leaving even ransomware in the dust. There are literally hundreds, if not thousands, of these groups out there.

https://www.darkreading.com/remote-workforce/rising-firebrick-ostrich-bec-group-launches-industrial-scale-cyberattacks

  • The Corporate World is Losing its Grip on Cyber Risk

Lloyd's of London’s insurance market prides itself on being able to put a price on anything, from Tina Turner’s legs or Bruce Springsteen’s vocal cords, to the risk that a bounty hunter might claim the reward from Cutty Sark Whisky in the 1970s for capturing the Loch Ness monster.

But from the end of March, there will be something it won’t price: systemic cyber risk, or the type of major, catastrophic disruption caused by state-backed cyber warfare. In one sense, this isn’t surprising. Insurance policies typically exclude acts of war. Russia’s NotPetya attack on Ukraine in 2017 showed how state-backed cyber assaults can surpass traditional definitions of armed conflict and overspill their sovereign target to hit global businesses. It caused an estimated $10bn in damages and years of wrangling between companies like pharma group Merck and snack maker Mondelez and their insurers.

But the move is prompting broader questions about the growing pains in this corner of the insurance world. “Cyber insurance isn’t working anywhere at the moment as a public good for society,” says Ciaran Martin, former head of the UK National Cyber Security Centre. “It has a huge role to play in improving defences in a market-based economy and it has been a huge disappointment in that sense so far.”

The Lloyd’s move is designed, say insurers, to clarify rather than restrict coverage. Whether it succeeds is another matter: this is a murky world, where cyber crime groups operate with impunity in certain jurisdictions.

https://www.ft.com/content/78bfdf29-1e20-4c12-a348-06e98d5ae906

  • Microsoft Reveals Over 100 Threat Actors are Deploying Ransomware in Attacks

Microsoft revealed this week that its security teams are tracking over 100 threat actors deploying ransomware during attacks. In all, the company says it monitors over 50 unique ransomware families, with some of the most prominent ransomware payloads in recent campaigns including Lockbit, BlackCat (aka ALPHV), Play, Vice Society, Black Basta, and Royal.

Microsoft said that defence strategies should focus less on payloads themselves but more on the chain of activities that lead to their deployment, since ransomware gangs are still targeting servers and devices not yet patched against common or recently addressed vulnerabilities.

Furthermore, while new ransomware families launch all the time, most threat actors utilise the same tactics when breaching and spreading through networks, making the effort of detecting such behaviour even more helpful in thwarting their attacks.

Attackers are increasingly relying on tactics beyond phishing to conduct their attacks, with threat actors for example capitalising on recently patched Exchange Server vulnerabilities to hack vulnerable servers and deploy Cuba and Play ransomware.

https://www.bleepingcomputer.com/news/security/microsoft-over-100-threat-actors-deploy-ransomware-in-attacks/

  • Ransomware Conversations: Why the CFO is Pivotal to Discussing and Preparing for Risk

With the amount of cyber attacks in all industries, organisations are beginning to grasp the significance of cyber risk and how it is integral to protecting and maintaining an efficient business. In fact, the first half of 2022 alone saw 236.1 million cases of ransomware.

Whilst the expectation for responsibility has typically fallen on Chief Information Security Officers (CISOs), Chief Financial Officers (CFOs) are just as vital in managing cyber risk, which is now inherently also business risk.  The CFO plays an important part in determining whether cyber security incidents will become material and affect the business more seriously. Their insight is critical across many areas which include ransomware, cyber insurance, regulatory compliance and budget management.

https://www.itsecurityguru.org/2023/02/02/ransomware-conversations-why-the-cfo-is-pivotal-to-discussing-and-preparing-for-risk

  • Greater Incident Complexity, a Shift in How Threat Actors Use Stolen Data Will Drive the Cyber Threat Landscape in 2023

Insurance provider Beazley released their Cyber Services Snapshot Report which claims the cyber security landscape will be influenced by greater complexity and the way threat actors use stolen data. The report also found that as a category, fraudulent instruction experienced a growth as a cause of loss in 2022, up 13% year-over year. 

In response to vulnerabilities such as fraudulent instructions, the report suggests organisations must get smarter about educating users to spot things such as spoofed emails or domain names. The report also cautions organisations to watch for social engineering, spear phishing, bypassing of multi-factor authentication (MFA), targeting of managed service providers (MSP) and the compromise of cloud environments as areas of vulnerability.

https://www.darkreading.com/attacks-breaches/greater-incident-complexity-a-shift-in-the-way-threat-actors-use-stolen-data-and-a-rise-in-us-class-actions-will-drive-the-cyber-threat-landscape-in-2023-according-to-beazley-report

  • The Threat from Within: 71% of Business Leaders Surveyed Think Next Cyber Security Breach Will Come from the Inside

A survey conducted by IT provider EisnerAmper found that 71% of business executives worry about accidental internal staff error as one of the top threats facing their organisation and 23% of these worried about malicious intent by an employee. In comparison, 75% of business executives had concerns about external hackers. The survey also asked about current safety measures, with 51% responding that they were “somewhat prepared”. Despite this, only 50% of respondents reported conducting regular cyber security training. 

https://www.darkreading.com/vulnerabilities-threats/the-threat-from-within-71-of-business-leaders-surveyed-think-next-cybersecurity-breach-will-come-from-the-inside

  • 98% of Organisations Have a Supply Chain Relationship That Has Been Breached

A report from SecurityScorecard found that 98% of organisations have a relationship with at least one third party that has experienced a breach in the last two years, while more than 50% have an indirect relationship with more than 200 fourth parties that have been breached. Of course, this is keeping in mind that not all organisations disclose or even know they have been breached.

https://www.securityweek.com/98-of-firms-have-a-supply-chain-relationship-that-has-been-breached-analysis/

  • New Survey Reveals 40% of Companies Experienced a Data Leak in the Past Year

Software provider SysKit has published a report on the effects of digital transformation on IT administrators and the current governance landscape. The report found that 40% of organisations experienced a data leak in the previous year. A data leak can have severe consequences on an organisation's efficiency and the impact can lead to large fines, downtime, and loss of business-critical certifications and customers.

In addition, the Survey found that the biggest challenge for IT administrators was a lack of understanding from superiors, huge workloads and misalignment of IT and business strategies.

https://www.darkreading.com/attacks-breaches/new-survey-reveals-40-of-companies-experienced-a-data-leak-in-the-past-year

  • Russian Hackers Launch Cyber Attack on Germany in Leopard Tank Retaliation

The websites of key German administrations, including companies and airports, have been targeted by cyber attacks, the German Federal Office for Information Security (BSI) stated.

The BSI commented they had been informed of DDoS (distributed denial of service) attacks “currently in progress against targets in Germany". This was followed by the statement that “Individual targets in the financial sector” and federal government sites were also attacked, with some websites becoming temporarily unavailable.  It is believed that this is due to the approved deployment of Leopard 2 tanks to Ukraine, with Russian hacker site Killnet taking credit.

https://www.euronews.com/2023/01/26/russian-hackers-launch-cyberattack-on-germany-in-leopard-retaliation

  • Financial Services Targeted in 28% of UK Cyber Attacks Last Year

Based on data from security provider Imperva, security researchers have identified that over a quarter (28%) of all cyber attacks in the UK hit the financial services and insurance (FSI) industry in the last 12 months. The data also found that Application Programme Interface (API) attacks, malicious automated software and distributed denial of service (DDoS) attacks were the most challenging for the industry. In addition, the data found that roughly 40% of all account takeover attempts were targeted at the FSI industry.

https://www.infosecurity-magazine.com/news/quarter-cyber-attacks-uk-financial/

  • Phishing Attacks are Getting Scarily Sophisticated. Here’s What to Watch Out For

Hackers are going to great lengths, including mimicking real people and creating and updating fake social media profiles, to trick victims into clicking phishing links and handing over usernames and passwords. The National Cyber Security Centre (NCSC) warns that these phishing attacks are targeting a range of sectors.

The NCSC has also released mitigation advice to help organisations and individuals protect themselves online. The mitigation advice included the use of strong passwords, separate to other accounts; enabling multi-factor authentication (MFA); and applying the latest security updates.

https://www.zdnet.com/article/phishing-attacks-are-getting-scarily-sophisticated-heres-what-to-watch-out-for/

  • City of London on High Alert After Ransomware Attack

A suspected ransomware attack on a key supplier of trading software to the City of London this week appears to have disrupted activity in the derivatives market. The company impacted, Ion Cleared Derivatives, is investigating. It is reported that 42 clients were impacted by the attack.

https://www.infosecurity-magazine.com/news/city-of-london-high-alert/

  • JD Sports Warns of 10 Million Customers Put at Risk in Cyber Attack

Sportswear retailer JD Sports said it was the victim of a cyber attack that exposed the data of 10 million customers, in the latest spate of hacks on UK companies.

JD Sports explained that the attack involved unauthorised access to a system that contained “the name, billing address, delivery address, phone number, order details and the final four digits of payment cards”. The data related to customers’ orders made between November 2018 and October 2020, with outdoor gear companies Millets and Blacks also impacted. A full review with cyber security and external specialists is underway.

https://www.ft.com/content/afe00f2f-afcd-478f-9e4d-1cf9c943fa79

Threats

Ransomware, Extortion and Destructive Attacks

Phishing & Email Based Attacks

BEC – Business Email Compromise

Other Social Engineering; Smishing, Vishing, etc

2FA/MFA

Malware

Mobile

Botnets

Denial of Service/DoS/DDOS

Internet of Things – IoT

Data Breaches/Leaks

Organised Crime & Criminal Actors

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

Insider Risk and Insider Threats

Fraud, Scams & Financial Crime

Impersonation Attacks

AML/CFT/Sanctions

Insurance

Dark Web

Supply Chain and Third Parties

Cloud/SaaS

Containers

Encryption

API

Open Source

Passwords, Credential Stuffing & Brute Force Attacks

Social Media

Malvertising

Training, Education and Awareness

Regulations, Fines and Legislation

Governance, Risk and Compliance

Careers, Working in Cyber and Information Security

Law Enforcement Action and Take Downs

Privacy, Surveillance and Mass Monitoring

Artificial Intelligence

Misinformation, Disinformation and Propaganda

Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine

Nation State Actors

Nation State Actors – Russia

Nation State Actors – China

Nation State Actors – North Korea

Nation State Actors – Iran

Nation State Actors – Misc

Vulnerability Management

Vulnerabilities

Tools and Controls

Other News

Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

·       Automotive

·       Construction

·       Critical National Infrastructure (CNI)

·       Defence & Space

·       Education & Academia

·       Energy & Utilities

·       Estate Agencies

·       Financial Services

·       FinTech

·       Food & Agriculture

·       Gaming & Gambling

·       Government & Public Sector (including Law Enforcement)

·       Health/Medical/Pharma

·       Hotels & Hospitality

·       Insurance

·       Legal

·       Manufacturing

·       Maritime

·       Oil, Gas & Mining

·       OT, ICS, IIoT, SCADA & Cyber-Physical Systems

·       Retail & eCommerce

·       Small and Medium Sized Businesses (SMBs)

·       Startups

·       Telecoms

·       Third Sector & Charities

·       Transport & Aviation

·       Web3

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Read More
Black Arrow Admin Black Arrow Admin

Black Arrow Cyber Threat Briefing 18 November 2022

Black Arrow Cyber Threat Briefing 18 November 2022:

-Amid Legal Fallout, Cyber Insurers Redefine State-Sponsored Attacks as Act of War

-Supply Chains Need Shoring Up Against Cyber Attacks, C-Suite Executives Say

-Is Your Board Prepared for New Cyber Security Regulations?

-Unwanted Emails Steadily Creeping into Inboxes

-People Are Still Using the Dumbest Passwords Available

-Zero-Trust Initiatives Stall, as Cyber Attack Costs Rocket to $1M per Incident

-44% of Financial Institutions Believe Their Own IT Teams Are the Main Risk to Cloud Security

-MFA Fatigue Attacks Are Putting Your Organisation at Risk

-Cyber Security Training Boosts Risk Posture, Research Finds

-MI5 Chief: UK will have to tackle Russian Aggression ‘for Years to Come’

-Offboarding Processes Pose Security Risks as Job Turnover Increases: Report

-Do Companies Need Cyber Insurance?

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

  • Amid Legal Fallout, Cyber Insurers Redefine State-Sponsored Attacks as Act of War

As carriers rewrite their act-of-war exclusions following the NotPetya settlement between Mondelez and Zurich, organisations should read their cyber insurance policies carefully to see what is still covered.

The consequences from NotPetya, which the US government said was caused by a Russian cyber attack on Ukraine in 2017, continue to be felt as cyber insurers modify coverage exclusions, expanding the definition of an "act of war." Indeed, the 5-year-old cyber attack appears to be turning the cyber insurance market on its head.

Mondelez International, parent of such popular brands as Cadbury, Oreo, Ritz, and Triscuit, was hit hard by NotPetya, with factories and production disrupted. It took days for the company's staff to regain control of its computer systems. The company filed a claim with its property and casualty insurer, Zurich American, for $100 million in losses. After initially approving a fraction of the claim — $10 million — Zurich declined to pay, stating the attack was an act of war and thus excluded from the coverage. Mondelez filed a lawsuit.

Late last month Mondelez and Zurich American reportedly agreed to the original $100 million claim, but that wasn't until after Merck won its $1.4 billion lawsuit against Ace American Insurance Company in January 2022 for its NotPetya-related losses. Merck's claims also were against its property and casualty policy, not a cyber insurance policy.

Back in 2017, cyber insurance policies were still nascent, and so many large corporations filed claims for damages related to NotPetya — the scourge that caused an estimated $10 billion in damage worldwide — against corporate property and casualty policies.

What's Changed? The significance of these settlements illustrates an ongoing maturation of the cyber insurance market, says Forrester Research.

Until 2020 and the COVID-19 pandemic, cyber insurance policies were sold in a fashion akin to traditional home or auto policies, with little concern for a company's cyber security profile, the tools it had in place to defend its networks and data, or its general cyber hygiene.

Once a large number of ransomware attacks occurred that built off of the lax cyber security many organisations demonstrated, insurance carriers began tightening the requirements for obtaining such policies.

https://www.darkreading.com/edge-articles/amid-notpetya-fallout-cyber-insurers-define-state-sponsored-attacks-as-act-of-war

  • Is Your Board Prepared For New Cyber Security Regulations?

Boards are now paying attention to the need to participate in cyber security oversight. Not only are the consequences sparking concern, but the new regulations are upping the ante and changing the game.

Boards have a particularly important role to ensure appropriate management of cyber risk as part of their fiduciary and oversight role. As cyber threats increase and companies worldwide bolster their cyber security budgets, the regulatory community, including the U.S. Securities and Exchange Commission (SEC), is advancing new requirements that companies will need to know about as they reinforce their cyber strategy.

Most organisations focus on cyber protection rather than cyber resilience, and that could be a mistake. Resiliency is more than just protection; it’s a plan for recovery and business continuation. Being resilient means that you’ve done as much as you can to protect and detect a cyber incident, and you have also done as much as you can to make sure you can continue to operate when an incident occurs. A company who invests only in protection is not managing the risk associated with getting up and running again in the event of a cyber incident.

Research indicates that most board members believe it is not a matter of if, but when, their company will experience a cyber event. The ultimate goal of a cyber-resilient organisation would be zero disruption from a cyber breach. That makes the focus on resilience more important.

In March 2022, the SEC issued a proposed rule titled Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure.  In it, the SEC describes its intention to require public companies to disclose whether their boards have members with cyber security expertise: “Cyber security is already among the top priorities of many boards of directors and cyber security incidents and other risks are considered one of the largest threats to companies. Accordingly, investors may find disclosure of whether any board members have cyber security expertise to be important as they consider their investment in the registrant as well as their votes on the election of directors of the registrant.”

The SEC will soon require companies to disclose their cyber security governance capabilities, including the board’s oversight of cyber risk, a description of management’s role in assessing and managing cyber risks, the relevant expertise of such management, and management’s role in implementing the registrant’s cyber security policies, procedures, and strategies. Specifically, where pertinent to board oversight, registrants will be required to disclose:

  • whether the entire board, a specific board member, or a board committee is responsible for the oversight of cyber risks,

  • the processes by which the board is informed about cyber risks, and the frequency of its discussions on this topic,

  • whether and how the board or specified board committee considers cyber risks as part of its business strategy, risk management, and financial oversight.

https://hbr.org/2022/11/is-your-board-prepared-for-new-cybersecurity-regulations

  • Unwanted Emails Steadily Creeping into Inboxes

A research from cloud security provider Hornetsecurity has revealed that 40.5% of work emails are unwanted. The Cyber Security Report 2023, which analysed more than 25 billion work emails, also reveals significant changes to the nature of cyber attacks in 2022 – indicating the constant, growing threats to email security, and need for caution in digital workplace communications.

Phishing remains the most common style of email attack, representing 39.6% of detected threats. Threat actors used the following file types sent via email to deliver payloads: Archive files (Zip, 7z, etc.) sent via email make up 28% of threats, down slightly from last year’s 33.6%, with HTML files increasing from 15.3% to 21%, and DOC(X) from 4.8% to 12.7%.

This year’s cyber security report shows the steady creep of threats into inboxes around the world. The rise in unwanted emails, now found to be nearly 41%, is putting email users and businesses at significant risk.

HornetSecurity’s analysis identified both the enduring risk and changing landscape of ransomware attacks – highlighting the need for businesses and their employees to be more vigilant than ever.

New cyber security trends and techniques for organisations to watch out for were also tracked. Since Microsoft disabled macros settings in Office 365, there has been a significant increase in HTML smuggling attacks using embedded LNK or ZIP files to deliver malware. Microsoft 365 makes it easy to share documents, and end users often overlook the ramifications of how files are shared, as well as the security implications. Hornetsecurity found 25% of respondents were either unsure or assumed that Microsoft 365 was immune to ransomware threats.

For these attackers, every industry is a target. Companies must therefore ensure comprehensive security awareness training while implementing next-generation preventative measures to ward off threats.

https://www.helpnetsecurity.com/2022/11/14/email-security-threats/

  • People Are Still Using the Dumbest Passwords Available

If you were thinking that most people would have learned by now not to use “password” as the password for their sensitive systems, then you would be giving too much credit to the general scrolling public.

Cyber security researchers from Cybernews and password manager company NordPass both independently reported this week on data surrounding the most commonly-used passwords. Trying to discern the frequently used words, phrases, and numbers among the general public wouldn’t be simple if it weren’t for the troves of leaked passwords being sold on the dark web.

Cybernews said it based its data on a list of 56 million breached or leaked passwords in 2022 found via databases in darknet and clearnet hacker forums. Some of the most-used passwords were exactly what you expect, easy-to-remember junk passwords for company accounts, including “123456,” “root,” and “guest” all looking pretty in the top three.

NordPass, on the other hand, listed its top passwords by country and the supposed gender of the user. In their case, “password” sat in the number one spot for most-used password throughout the globe. Some countries had very specific passwords that were commonly used, such as “liverpool” being the number 4 most-used password in the UK despite it being 197 in the world. The number 2 most-used password for Brazil accounts is “Brasil” while in Germany, number 5 is “hallo.”

NordPass said the list of passwords was built by a team of independent researchers who compiled 3TB of data from listings on the dark web, including some data that was leaked in data breaches that occurred in 2022. The company noted that some data might be from late 2021, though the passwords were listed on the dark web in the new year.

https://gizmodo.com/passwords-hacker-best-passwords-cybersecurity-1849792818

  • Zero-Trust Initiatives Stall, as Cyber Attack Costs Rocket to $1M per Incident

Researchers find current data protection strategies are failing to get the job done, and IT leaders are concerned, while a lack of qualified IT security talent hampers cyber-defence initiatives.

Organisations are struggling with mounting data losses, increased downtime, and rising recovery costs due to cyber attacks — to the tune of $1.06 million in costs per incident. Meanwhile, IT security teams are stalled on getting defences up to speed.

That's according to the 2022 Dell Global Data Protection Index (GDPI) survey of 1,000 IT decision-makers across 15 countries and 14 industries, which found that organisations that experienced disruption have also suffered an average of 2TB data loss and 19 hours of downtime.

Most respondents (67%) said they lack confidence that their existing data protection measures are sufficient to cope with malware and ransomware threats. A full 63% said they are not very confident that all business-critical data can be reliably recovered in the event of a destructive cyber attack.

Their fears seem founded: Nearly half of respondents (48%) experienced a cyber attack in the past 12 months that prevented access to their data (a 23% increase from 2021) — and that's a trend that will likely continue.

The growth and increased distribution of data across edge, core data centre and multiple public cloud environments are making it exceedingly difficult for IT admins to protect their data.

On the protection front, most organisations are falling behind; for instance, 91% are aware of or planning to deploy a zero-trust architecture, but only 12% are fully deployed.

And it's not just advanced defence that's lacking: Keegan points out that 69% of respondents stated they simply cannot meet their backup windows to be prepared for a ransomware attack.

https://www.darkreading.com/endpoint/zero-trust-initiatives-stall-cyberattack-costs-1m-per-incident

  • 44% of Financial Institutions Believe Their Own IT Teams Are the Main Risk to Cloud Security

Netwrix, a cyber security vendor, today announced additional findings for the financial and banking sector from its global 2022 Cloud Security Report.

Compared to other industries surveyed, financial institutions are much more concerned about users who have legitimate access to their cloud infrastructure. Indeed, 44% of respondents in this sector say their own IT staff poses the biggest risk to data security in the cloud and 47% worry about contractors and partners, compared to 30% and 36% respectively in other verticals surveyed.

Financial organisations experience accidental data leakage more often than companies in other verticals: 32% of them reported this type of security incident within the last 12 months, compared to the average of 25%. This is a good reason for them to be concerned about users who might unintentionally expose sensitive information. To address this threat, organisations need to implement a zero-standing privilege approach in which elevated access rights are granted only when they are needed and only for as long as needed. Cloud misconfigurations are another common reason for accidental data leakage. Therefore, security teams must continually monitor the integrity of their cloud configurations, ideally with a dedicated solution that automates the process.

All sectors say phishing is the most common type of attack they experience. However, 91% of financial institutions say they can spot phishing within minutes or hours, compared to 82% of respondents in other verticals.

Even though mature financial organisations detect phishing quickly, it is still crucial for them to keep educating their personnel on this threat because attacks are becoming more sophisticated. To increase the likelihood of a user clicking a malicious link, attackers are crafting custom spear phishing messages that are directed at the person responsible for a certain task in the organisation and that appear to come from an authority figure. Regular staff training, along with continuous activity monitoring, will help reduce the risk of infiltration.

https://www.darkreading.com/cloud/44-of-financial-institutions-believe-their-own-it-teams-are-the-main-risk-to-cloud-security

  • MFA Fatigue Attacks Are Putting Your Organisation at Risk

The rapid advancement of technology in all industries has led to the threat of ever-increasing cyber attacks that target businesses, governments, and individuals alike. A common threat targeting businesses is MFA Fatigue attacks—a technique where a cyber criminal attempts to gain access to a corporate network by bombarding a user with MFA prompts until they finally accept one.

MFA refers to multi-factor authentication, a layered end-user verification strategy to secure data and applications. For a user to log in, an MFA system needs them to submit various combinations of two or more credentials.

Using MFA Fatigue attacks, cyber criminals bombard their victims with repeated 2FA (two-factor authentication) push notifications to trick them into authenticating their login attempts, to increase their chances of gaining access to sensitive information. This attempt can be successful, especially when the target victim is distracted or overwhelmed by the notifications or misinterprets them as legitimate authentication requests.

One major MFA Fatigue attack, also known as MFA bombing, targeted the ride-sharing giant Uber in September 2022. Uber attributed the attack to Lapsus$, a hacking group that started by compromising an external contractor’s credentials.

Cyber criminals increasingly use social engineering attacks to access their targets’ sensitive credentials. Social engineering is a manipulative technique used by hackers to exploit human error to gain private information.

MFA Fatigue is a technique that has gained popularity among hackers in recent years as part of their social engineering attacks. This is a simple yet effective technique with destructive consequences as the hackers are banking on their targets’ lack of training and understanding of attack vectors. Since many MFA users are unfamiliar with this style of attack, they would not understand that they are approving a fraudulent notification.

https://www.bleepingcomputer.com/news/security/mfa-fatigue-attacks-are-putting-your-organization-at-risk/

  • Cyber Security Training Boosts Risk Posture, Research Finds

Business executives worldwide see the economic advantages of continuing professional cyber security education and the steep downside from a workforce of under-trained individuals, Cybrary, a training platform provider, said in a new report.

The survey of 275 executives, directors and security professionals in North America and the UK who either procure or influence professional cyber security training, was conducted by consultancy Omdia. The results showed that the benefits of professional training boost an employee’s impact on the organisation, the overall risk posture of the organisation, and in the costs associated with finding and retaining highly skilled employees, the analyst said.

The study’s key findings include:

  • 73% of respondents said their team’s cyber security performance was more efficient because of ongoing professional cyber security training.

  • 62% of respondents said that training improved their organisation’s cyber security effectiveness (which encompasses decreases in the number of breach attempts and overall security events).

  • 79% of respondents ranked professional cyber security training at the top or near the top of importance for the organisation’s ability to prevent and rapidly remediate breaches and ensuing consequences such as reputational damage.

  • 70% of companies reported a relationship between an incident and training, and two-thirds of respondents reported increased investments in ongoing cyber security training after a security incident.

  • Large enterprises are the least likely to delay upskilling until after an incident, indicating that companies with larger cyber security teams firmly understand the importance of ongoing professional training.

  • 67% of surveyed SMBs invested in cyber security training after a security incident, which served as a call to action.

  • 53% invested in professional cyber security training due to a cyber security insurance audit.

  • 48% of organisations said that cyber security training drives retention and decreases the likelihood that a cyber security professional will leave the organisation that trains them.

  • 41% said that ongoing cyber security training has no significant impact on if a cyber security professional leaves.

Cybrary said the research shows the rewards that organisations enjoy by investing in training and upskilling their security professionals. The data “codifies the fiscal and reputational paybacks in proactively improving cyber security defences versus responding to attacks. It also codifies an often-underrecognised benefit of cyber security upskilling: helping the organisation retain invaluable security talent despite market and organisational uncertainty”.

https://www.msspalert.com/cybersecurity-research/cybersecurity-training-boosts-risk-posture-research-finds/

  • MI5 Chief: UK Will Have to Tackle Russian Aggression ‘for Years to Come’

Britain will have to tackle Russian aggression for years to come, said the MI5’s chief on Wednesday, adding that his agency had blocked more than 100 attempts by the Kremlin to insert suspected spies into the UK since the Salisbury poisonings.

Ken McCallum, giving an annual threat update, said state-based threats were increasing and said the UK also faced a heightened direct threat from Iran, which had threatened “to kidnap or even kill” 10 people based in Britain in the past year.

The spy chief said Russia had suffered a “strategic blow” after 400 spies were expelled from around Europe following the start of the war in Ukraine, but he said the Kremlin was actively trying to rebuild its espionage network.

Britain had expelled 23 Russian spies posing as diplomats after the poisoning of Sergei and Yulia Skripal in Salisbury in 2018, yet since then “over 100 Russian diplomatic visa applications” had been rejected on national security grounds.

McCallum accused Russia of making “silly claims” about British activities without evidence, such as that UK was involved in attacking the Nord Stream gas pipelines. But the head of MI5 said “the serious point” was that “the UK must be ready for Russian aggression for years to come”.

Iran’s “aggressive intelligence services” were actively targeting Britain and had made “at least 10” attempts to “kidnap or even kill” British or UK-based individuals since January as the regime felt greater pressure than ever before.

https://www.theguardian.com/uk-news/2022/nov/16/mi5-chief-uk-will-have-to-tackle-russian-aggression-for-years-to-come

  • Offboarding Processes Pose Security Risks as Job Turnover Increases: Report

Research from YouGov finds that poor offboarding practices across industries including healthcare and tech are putting companies at risk, including for loss of end-user devices and unauthorised SaaS application use.

Organisations across multiple industries are struggling to mitigate potential risks, including loss of end-user and storage devices as well as unauthorised use of SaaS applications, during their offboarding process, according to new research conducted by YouGov in partnership with Enterprise Technology Management (ETM) firm Oomnitza.

Over the last 18 months, employee turnover has increased, with the US Department of Labor estimating that by the end of 2021, a total of 69 million people, more than 20% of Americans, had either lost or changed their job. Although these figures could initially be attributed to the so-called Great Resignation, this figure is likely to increase due to the numerous job cuts that are now being reported, including layoffs at major technology companies, as organisations look to reduce operational costs.

Although the circumstances of an employee’s departure can sometimes make the offboarding process more complex, ultimately offboarding should aim to prevent disruption and mitigate any potential risks.

However, in YouGov’s 2022 State of Corporate Offboarding Process Automation report, the research found that although implementing a secure offboarding processes is now seen as a business imperative for enterprises, 48% of the survey’s respondents expressed deficiencies in or lack of automated workflows across departments and IT tools to facilitate the secure offboarding of employees.

https://www.computerworld.com/article/3680368/offboarding-processes-pose-security-risks-as-job-turnover-increases-report.html#tk.rss_news

  • Supply Chains Need Shoring Up Against Cyber Attacks, C-Suite Executives Say

Nearly every organisation (98%) in a new survey of some 2,100 C-suite executives has been hit by a supply chain cyber attack in the last year, security provider BlueVoyant said in a newly released study.

The study gleaned data from interviews with chief technology officers (CTOs), chief security officers (CSOs), chief operating officers (COOs), chief information officers (CIOs), chief information security officers (CISOs), and chief procurement officers (CPOs) responsible for supply chain and cyber risk management in organisations of more than 1,000 employees across business services, financial services, healthcare and pharmaceutical, manufacturing, utilities and energy, and defence industries.

While the number of companies experiencing digital supply chain attacks has stayed relatively static year-over-year, the attention paid by organisations to that attack vector has increased, BlueVoyant said. Still, the New York-based cyber defender said, there’s a lot of room for organisations to better monitor suppliers and “work with them to remediate issues to reduce their supply chain risks.”

Here are some macro highlights from the survey:

  • 40% of respondents rely on the third-party vendor or supplier to ensure adequate security.

  • In 2021, 53% of companies said they audited or reported on supplier security more than twice per year. That number has improved to 67% in 2022. These numbers include enterprises monitoring in real time.

  • Budgets for supply chain defence are increasing, with 84% of respondents saying their budget has increased in the past 12 months.

  • The top pain points reported are internal understanding across the enterprise that suppliers are part of their cyber security posture, meeting regulatory requirements, and working with suppliers to improve their security.

https://www.msspalert.com/cybersecurity-research/supply-chains-need-shoring-up-against-cyberattacks-c-suite-executives-say/

  • Do Companies Need Cyber Insurance?

Companies are increasingly seeking to transfer risk with cyber insurance. This trend has been influenced by a greater severity in cyber attacks and the resulting skyrocketing costs of incident response, business disruption and recovery.

Companies struggle to afford the high prices of cyber insurance, however. One market index reported the price of cyber insurance increased 79% in the second quarter of 2022. Without it, however, companies risk shouldering the full cost of any resulting harm. Furthermore, insurance companies that lack traditional decades of actuarial data must consider whether to provide cyber insurance to clients unable or unwilling to show their cyber security maturity through independent risk analysis.

This combination of circumstances leaves businesses vulnerable, financially drained and facing potential reputational damage. But does it have to be this way? And is cyber insurance truly necessary? For the majority of organisations, the answer is that cyber insurance is a worthwhile investment as part of their overall risk treatment plans. There are a number of activities, however, that should be undertaken to optimise the benefits and reduce the costs of cyber-risk insurance.

A rise in high-profile attacks, in tandem with increased regulation and compliance surrounding cyber security and privacy, has shifted the conversation around digital safety. No longer is cyber security an optional aspect of the business model with a fixed, stagnant cost. Businesses today have become too digitally dependent to ignore cyber security, with classified, internal information stored online; communication largely conducted via email or another platform; and the workforce transitioned to hybrid and remote work environments. Effective cyber security and privacy, as well as mitigating financial and operational risks, can be strategic enablers to modern digital business.

Cyber insurance is not a solution -- it's a piece of the puzzle. Regardless of industry or company size, all businesses should conduct an independent cyber audit prior to committing to cyber insurance. In doing so, organisations can determine the need for cyber insurance and better understand their organisations' risk posture and weak points.

Even if insurance is needed, the audit further adds value as it lets insurance companies support the company specific to its digital landscape and help it become more digitally strong. Additionally, the existence of an independent audit and risk review may indeed enable the insurance company to offer higher levels of coverage without the need for excessive premiums.

https://www.techtarget.com/searchsecurity/post/Do-companies-need-cyber-insurance

Threats

Ransomware and Extortion

Phishing & Email Based Attacks

Malware

Mobile

Internet of Things – IoT

Data Breaches/Leaks

Organised Crime & Criminal Actors

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

Insider Risk and Insider Threats

Fraud, Scams & Financial Crime

Impersonation Attacks

Dark Web

Supply Chain and Third Parties

Software Supply Chain

Denial of Service DoS/DDoS

Cloud/SaaS

Encryption

Open Source

Passwords, Credential Stuffing & Brute Force Attacks

Social Media

Privacy, Surveillance and Mass Monitoring

Governance, Risk and Compliance

Careers, Working in Cyber and Information Security

Law Enforcement Action and Take Downs

Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine

Nation State Actors

Nation State Actors – Russia

Nation State Actors – China

Nation State Actors – North Korea

Nation State Actors – Iran

Nation State Actors – Misc

Vulnerability Management

Vulnerabilities

Tools and Controls

Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

·       Automotive

·       Construction

·       Critical National Infrastructure (CNI)

·       Defence & Space

·       Education & Academia

·       Energy & Utilities

·       Estate Agencies

·       Financial Services

·       FinTech

·       Food & Agriculture

·       Gaming & Gambling

·       Government & Public Sector (including Law Enforcement)

·       Health/Medical/Pharma

·       Hotels & Hospitality

·       Insurance

·       Legal

·       Manufacturing

·       Maritime

·       Oil, Gas & Mining

·       OT, ICS, IIoT, SCADA & Cyber-Physical Systems

·       Retail & eCommerce

·       Small and Medium Sized Businesses (SMBs)

·       Startups

·       Telecoms

·       Third Sector & Charities

·       Transport & Aviation

·       Web3

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Read More
Black Arrow Admin Black Arrow Admin

Black Arrow Cyber Threat Briefing 21 October 2022

Black Arrow Cyber Threat Briefing 21 October 2022:

-Gen Z, Millennials Really Doesn't Care About Workplace Cyber Security

-Supply Chain Attacks Increased Over 600% This Year and Companies Are Falling Behind

-Cyber-Enabled Crimes Are Biggest Police Concerns

-List of Common Passwords Accounts for Nearly All Cyber Attacks

-Shared Responsibility or Shared Fate? Decentralized IT Means We Are All Cyber Defenders

-Ukraine War Cuts Ransomware as Kremlin Co-Opts Hackers

-96% Of Companies Report Insufficient Security for Sensitive Cloud Data

-Your Microsoft Exchange Server Is a Security Liability

-Are Cyber Security Vendors Pushing Snake Oil?

-Ransomware Preparedness, What Are You Doing Wrong?

-NSA Cybersecurity Director's Six Takeaways from the War in Ukraine

-Microsoft Confirms Server Misconfiguration Led to 65,000+ Companies' Data Leak

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

  • Gen Z, Millennials Really Don’t Care About Workplace Cyber Security

When it comes to cyber security in the workplace, younger employees don’t really seem to care that much, which is putting their organisations in serious harm’s way, new research has claimed.

Surveying approximately 1,000 workers using devices issued by their employers, professional services firm EY found Gen Z enterprise employees were more apathetic about cyber security than their Boomer counterparts in adhering to their employer's safety policies.

This is despite the fact that four in five (83%) of all those surveyed claimed to understand their employer’s security protocol.

When it comes to implementing mandatory IT updates, for example, 58% of Gen Z’ers and 42% of millennials would disregard them for as long as possible. Less than a third (31%) of Gen X’ers, and just 15% of baby boomers said they do the same.

Apathy in the young extends to password reuse between private and business accounts. A third of Gen Z and millennial workers surveyed admitted to this, compared to less than a quarter of all Gen X’ers and baby boomers.

Some say the apathy of young people towards technology is down to their over-familiarity with technology, and never having been without it. Being too comfortable with tech undoubtedly makes an enterprise's younger employees a major target for cyber criminals looking to exploit any hole in security. 

If an organisation's cyber security practices aren't upheld strongly, threat actors can compromise huge networks with simple social engineering attacks.

https://www.techradar.com/news/younger-workers-dont-care-about-workplace-cybersecurity

  • Supply Chain Attacks Increased Over 600% This Year and Companies Are Falling Behind

The number of documented supply chain attacks involving malicious third-party components has increased 633% over the past year, now sitting at over 88,000 known instances, according to a new report from software supply chain management company Sonatype. Meanwhile, instances of transitive vulnerabilities that software components inherit from their own dependencies have also reached unprecedented levels and plague two-thirds of open-source libraries.

“The networked nature of dependencies highlights the importance of having visibility and awareness about these complex supply chains” Sonatype said in its newly released State of the Software Supply Chain report. “These dependencies impact our software, so having an understanding of their origins is critical to vulnerability response. Many organisations did not have the needed visibility and continued their incident response procedures for Log4Shell well beyond the summer of 2022 as a result.”

Log4Shell is a critical vulnerability discovered in November 2021 in Log4j, a widely popular open-source Java library used for logging and bundled in millions of enterprise applications and software products, often as an indirect dependency. According to Sonatype’s monitoring, as of August 2022, the adoption rate for fixed versions of Log4j sits at around 65%. Moreover, this doesn’t even account for the fact that the Log4Shell vulnerability originated in a Java class called JndiManager that is part of Log4j-core, but which has also been borrowed by 783 other projects and is now found in over 19,000 software components.

Log4Shell served as a watershed moment, highlighting the inherent risks that exist in the open-source software ecosystem – which sits at the core of modern software development – and the need to manage them properly. It also led to several initiatives to secure the software supply chain by private organisations, software repository managers, the Linux Foundation, and government bodies. Yet, most organisations are far from where they need to be in terms of open-source supply chain management.

https://www.csoonline.com/article/3677228/supply-chain-attacks-increased-over-600-this-year-and-companies-are-falling-behind.html#tk.rss_news

  • Cyber-Enabled Crimes Are Biggest Police Concerns

Cyber-related crimes such as money laundering, ransomware and phishing pose the biggest threat to society, according to the first ever Interpol Global Crime Trend report.

The inaugural study was compiled from data received from the policing organisation’s 195 member countries, as well as information and analysis from external sources.

Money laundering was ranked the number one threat, with 67% of respondents claiming it to be a “high” or “very high” risk. Ransomware came second (66%) but was the crime type that most (72%) expected to increase in the next 3–5 years.

Of the nine top crime trends identified in the report, six are directly cyber-enabled, including money laundering, ransomware, phishing, financial fraud, computer intrusion and child sexual exploitation.

Interpol warned that the pandemic had fomented new underground offerings like “financial crime-as-a-service,” including digital money laundering tools which help to lower the barrier to entry for criminal gangs. It also claimed that demand for online child sexual exploitation and abuse (OCSEA) content surged during the pandemic. Some 62% of respondents expect it to increase or significantly increase in the coming years.

The findings represent something of a turnaround from pre-pandemic times, when drug trafficking regularly topped the list of police concerns. Thanks to a surge in corporate digitalisation, home working and online shopping, there are now rich pickings to be had from targeting consumers and business users with cyber-scams and attacks, Interpol claimed.

https://www.infosecurity-magazine.com/news/cyberenabled-crimes-are-biggest/

  • List of Common Passwords Accounts for Nearly All Cyber Attacks

Half of a million passwords from the RockYou2021 list account for 99.997% of all credential attacks against a variety of honeypots, suggesting attackers are just taking the easy road.

Tens of millions of credential-based attacks targeting two common types of servers boiled down to a small fraction of the passwords that formed a list of leaked credentials, known as the RockYou2021 list.

Vulnerability management firm Rapid7, via its network of honeypots, recorded every attempt to compromise those servers over a 12-month period, finding that the attempted credential attacks resulted in 512,000 permutations. Almost all of those passwords (99.997%) are included in a common password list — the RockYou2021 file, which has 8.4 billion entries — suggesting that attackers, or the subset of threat actors attacking Rapid7's honeypots, are sticking to a common playbook.

The overlap in all the attacks also suggest attackers are taking the easy road, said Rapid7. "We know now, in a provable and demonstrable way, that nobody — 0% of attackers — is trying to be creative when it comes to unfocused, untargeted attacks across the Internet," they said. "Therefore, it's very easy to avoid this kind of opportunistic attack, and it takes very little effort to take this threat off the table entirely, with modern password managers and configuration controls."

Every year, security firms present research suggesting users are continuing to pick bad passwords. In 2019, an evaluation of passwords leaked to the Internet found that the top password was "123456," followed by "123456789" and "qwerty," and unfortunately things have not got much better since then.

https://www.darkreading.com/endpoint/a-common-password-list-accounts-for-nearly-all-cyberattacks

  • Shared Responsibility or Shared Fate? Decentralised IT Means We Are All Cyber Defenders

Does your organisation truly understand the shared responsibility model? Shared responsibility emerged from the early days of cloud computing as a way to delineate responsibilities between cloud providers and their customers, but often there's a gap between what shared responsibility means and how it is interpreted. With the decentralisation of IT, this gap is getting worse.

Applications, servers, and overall technology used to be under the purview and control of the IT department, yet with the shift to cloud, and specifically software-as-a-service (SaaS), this dynamic has changed. Whether it's the sales team bringing in a customer relationship management (CRM) system like Salesforce, or the HR department operating a human resources information system (HRIS) like Workday, there's a clear "expanding universe" of IT that no longer sits where it used to. Critical business workflows exist in separate business units far from IT and security and are managed as such. Our corporate IT footprints have become decentralised.

This is not some minor, temporary trend. With the ease and speed of adopting new SaaS applications and the desire to "lift and shift" code into cloud-based environments, this is the future. The future is decentralised.

The shift to business-owned and -operated applications puts security teams in a position where risk management is their responsibility; they are not even able to log into some of these critical systems. It's like asking your doctor to keep you healthy but not giving her access to your information or having regular check-ups. It doesn't work that way.

Beyond the challenging human skills gap, there's technical entropy and diversity everywhere, with different configuration settings, event logs, threat vectors, and data sensitivities. On the access side, there are different admins, users, integrations, and APIs. If you think managing security on Windows and Mac is a lot, try it across many huge applications.

With this reality, how can the security team be expected to combat a growing amount of decentralised business technology risk?

We must operate our technology with the understanding that shared responsibility is the vertical view between cloud provider and customer, but that enterprise-owned piece of shared responsibility is the burden of multiple teams horizontally across an organisation. Too often the mentality is us versus them, availability versus security, too busy to care about risk, too concerned with risk to understand "the business."

https://www.darkreading.com/vulnerabilities-threats/shared-responsibility-or-shared-fate-decentralized-it-means-we-are-all-cyber-defenders

  • Ukraine War Cuts Ransomware as Kremlin Co-Opts Hackers

The Ukraine war has helped reduce global ransomware attacks by 10pc in the last few months, a British cyber security company has said.

Criminal hacking gangs, usually engaged in corporate ransomware activities, are increasingly being co-opted by the Russian military to launch cyber attacks on Ukraine, according to Digital Shadows. “The war is likely to continue to motivate ransomware actors to target government and critical infrastructure entities,” according to the firm. Such attacks partly contributed to a 10pc drop in the number of ransomware threats launched during the three months to September, said the London-based company.

The drop in ransomware may also partly be caused by tit-for-tat digital attacks between rival hacking gangs. Researchers said the Lockbit gang, who recently targeted LSE-listed car retailer Pendragon with a $60m (£53.85m) ransom demand, were the target of attacks from their underworld rivals. The group is increasingly inviting resentment from competing threat groups and possibly former members.

Some cyber criminals’ servers went offline in September after what appeared to be an attack from competitors. In the world of cyber criminality, it is not uncommon for tensions to flare among rival groups.

Officials from GCHQ’s National Cyber Security Centre have said ransomware is one of the biggest cyber threats facing the UK. Figures published by the Department for Digital, Culture, Media and Sport this year revealed the average costs to businesses caused by ransomware attacks is around £19,000 per incident.

US-based cyber security company Palo Alto Networks, however, warned that the average ransom payment it saw in the early part of this year was $925,000 (£829,000).

https://www.telegraph.co.uk/business/2022/10/23/ukraine-war-cuts-ransomware-kremlin-co-opts-hackers/

  • 96% Of Companies Report Insufficient Security for Sensitive Cloud Data

The vast majority of organisations lack confidence in securing their data in cloud, while many companies acknowledge they lack sufficient security even for their most sensitive data, according to a new report by the Cloud Security Alliance (CSA).

The CSA report surveyed 1,663 IT and security professionals from organisations of various sizes and in various locations. "Only 4% report sufficient security for 100% of their data in the cloud. This means that 96% of organisations have insufficient security for at least some of their sensitive data," according to the report, which was sponsored by data intelligence firm BigID.

Apart from struggling with securing sensitive data, organisations are also having trouble tracking data in the cloud. Over a quarter of organisations polled aren’t tracking regulated data, nearly a third aren’t tracking confidential or internal data, and 45% aren’t tracking unclassified data, the report said.

“This suggests that organisations’ current methods of classifying data aren’t sufficient for their needs. However, if the tracking is this low, it could be a contributing factor to the issue of dark data. Organisations need to utilise data discovery and classification tools to properly understand the data they have and how to protect it,” the CSA study noted.

https://www.csoonline.com/article/3677491/96-of-companies-report-insufficient-security-for-sensitive-cloud-data.html#tk.rss_news

  • Your Microsoft Exchange Server Is a Security Liability

With endless vulnerabilities, widespread hacking campaigns, slow and technically tough patching, it's time to say goodbye to on-premise Exchange.

Once, reasonable people who cared about security, privacy, and reliability ran their own email servers. Today, the vast majority host their personal email in the cloud, handing off that substantial burden to the capable security and engineering teams at companies like Google and Microsoft. Now, cyber security experts argue that a similar switch is due - or long overdue - for corporate and government networks. For enterprises that use on-premise Microsoft Exchange, still running their own email machine somewhere in a closet or data centre, the time has come to move to a cloud service, if only to avoid the years-long plague of bugs in Exchange servers that has made it nearly impossible to keep determined hackers out.

The latest reminder of that struggle arrived earlier this week, when Taiwanese security researcher Orange Tsai published a blog post laying out the details of a security vulnerability in Microsoft Exchange. Tsai warned Microsoft about this vulnerability as early as June of 2021, and while the company responded by releasing some partial fixes, it took Microsoft 14 months to fully resolve the underlying security problem. Tsai had earlier reported a related vulnerability in Exchange that was massively exploited by a group of Chinese state-sponsored hackers known as Hafnium, which last year penetrated more than 30,000 targets by some counts. Yet according to the timeline described in Tsai’s post this week, Microsoft repeatedly delayed fixing the newer variation of that same vulnerability, assuring Tsai no fewer than four times that it would patch the bug before pushing off a full patch for months longer. When Microsoft finally released a fix, Tsai wrote, it still required manual activation and lacked any documentation for four more months.

Meanwhile, another pair of actively exploited vulnerabilities in Exchange that were revealed last month still remain unpatched after researchers showed that Microsoft’s initial attempts to fix the flaws had failed. Those vulnerabilities were just the latest in a years-long pattern of security bugs in Exchange’s code. And even when Microsoft does release Exchange patches, they’re often not widely implemented, due to the time-consuming technical process of installing them.

The result of those compounding problems, for many who have watched the hacker-induced headaches of running an Exchange server pile up, is a clear message: An Exchange server is itself a security vulnerability, and the fix is to get rid of it.

“You need to move off of on-premise Exchange forever. That’s the bottom line,” says Dustin Childs, the head of threat awareness at security firm Trend Micro’s Zero Day Initiative (ZDI), which pays researchers for finding and reporting vulnerabilities in commonly used software and runs the Pwn2Own hacking competition. “You’re not getting the support, as far as security fixes, that you would expect from a really mission-critical component of your infrastructure.”

https://www.wired.com/story/microsoft-exchange-server-vulnerabilities/

  • Are Cyber Security Vendors Pushing Snake Oil?

Survey: 96 percent of cyber security decision makers confused by vendor marketing.

The availability of new security products increases, the amount of budget spent on cyber security grows, and the number of security breaches seems to outpace both. This basic lack of correlation between increasing cyber security spend and any clear increase in cyber security effectiveness is the subject of a new analytical survey from Egress.

With 52 million data breaches in Q2 2022 alone (Statista), Egress questioned 800 cyber security and IT leaders on why vendor claims and reality aren’t aligned. The headline response in the survey is that 91% of decision makers have difficulty in selecting cyber security vendors due to unclear marketing about their specific offerings.

The financial investment cycle doesn’t help in this. For many investors, the strength of the management team is more important than the product. The argument is not whether this product is a cyber security silver bullet, but whether this management can take the company to a point where it can exit with serious profits.

If investment is achieved, much of it will go into marketing. That marketing must compete against existing, established vendors – so it tends to be louder, more aggressive, and replete with hyperbole. Marketing noise can lead to increased valuation, which can lead to a successful and profitable exit by the investors.

Of course, this is an oversimplification and doesn’t always happen. The point, however, is that it does happen and has no relevance to the real effectiveness of the product in question. Without any doubt, there are many products that have been over-hyped by marketing funds provided by profit-driven investors.

https://www.securityweek.com/are-cybersecurity-vendors-pushing-snake-oil

  • Ransomware Preparedness: What Are You Doing Wrong?

Axio released its 2022 State of Ransomware Preparedness research report, revealing that although notable improvements have been made since Axio’s 2021 report, organisational ransomware preparedness continues to be insufficient to keep pace with new attack vectors.

The report reveals that the lack of fundamental cyber security practices and controls, including critical vulnerability patching and employee cyber security training, continues to undermine organisational attempts to improve ransomware defences.

“Ransomware continues to wreak havoc on global organisations, regardless of size or industry,” remarked the report’s co-author David White, President of Axio. “As the number of attacks will most likely continue on an exponential trajectory, it’s more important than ever for companies to re-evaluate their cyber security practices and make the needed improvements to help combat these attacks.”

The report identifies several emerging patterns that yield insights into why organisations are increasingly susceptible to ransomware attacks. In 2021, seven key areas where organisations were deficient in implementing and sustaining basic cyber security practices were identified, and these patterns dominated the 2022 study results as well:

  • Managing privileged access

  • Improving basic cyber hygiene

  • Reducing exposure to supply chain and third-party risk

  • Monitoring and defending networks

  • Managing ransomware incidents

  • Identifying and addressing vulnerabilities in a timely manner

  • Improving cyber security training and awareness

Overall, most organisations surveyed are not adequately prepared to manage the risk associated with a ransomware attack. Key data findings include:

  • The number of organisations with a functional privileged access management solution in place increased by 10% but remains low at 33% overall.

  • Limitations on the use of service and local administrator accounts remain average overall, with nearly 50% of organisations reporting implementing these practices.

  • Approximately 40% of organisations monitor third-party network access, evaluate third-party cyber security posture, and limit the use of third-party software.

  • Less than 50% of respondents implement basic network segmentation and only 40% monitor for anomalous connections.

  • Critical vulnerability patching within 24 hours was reported by only 24% of organisations.

  • A ransomware-specific playbook for incident management is in place for only 30% of organisations.

  • Active phishing training has improved but is still not practiced by 40% of organisations.

https://www.helpnetsecurity.com/2022/10/20/insufficient-ransomware-preparedness/

  • NSA Cybersecurity Director's Six Takeaways from the War in Ukraine

From the warning banner ‘Be afraid and expect the worst’ that was shown on several Ukrainian government websites on January 13, 2022, after a cyber-attack took them down, the US National Security Agency’s (NSA) cybersecurity director, Rob Joyce, knew that something was going to be different, and very aggressive, between Ukraine and Russia, and that it would be happening in the cyber space as well.

Ten months on, he was invited to speak at one of Mandiant Worldwide Information Security Exchange's (mWISE) opening keynotes on October 18, 2022. Joyce shared six takeaways from the Russia-Ukraine cyber-conflict in terms of what we learned from it and its impact on how nations should protect their organisations.

  1. Both espionage and destructive attacks will occur in conflict

  2. The cyber security industry has unique insight into these conflicts

  3. Sensitive intelligence can make a decisive difference

  4. You can develop resiliency skills

  5. Don’t try to go it alone

  6. You have not planned enough yet for the contingencies

Toward the end of the keynote, Joyce suggested the audience simulate a scenario based on what happened in Ukraine with the China-Taiwan conflict escalating and see what they should put in place to better prepare for such an event.

https://www.infosecurity-magazine.com/news/nsa-6-takeaways-war-ukraine/

  • Microsoft Confirms Server Misconfiguration Led to 65,000+ Companies' Data Leak

Microsoft this week confirmed that it inadvertently exposed information related to thousands of customers following a security lapse that left an endpoint publicly accessible over the internet sans any authentication.

"This misconfiguration resulted in the potential for unauthenticated access to some business transaction data corresponding to interactions between Microsoft and prospective customers, such as the planning or potential implementation and provisioning of Microsoft services," Microsoft said in an alert.

Microsoft also emphasised that the B2B leak was "caused by an unintentional misconfiguration on an endpoint that is not in use across the Microsoft ecosystem and was not the result of a security vulnerability."

The misconfiguration of the Azure Blob Storage was spotted on September 24, 2022, by cyber security company SOCRadar, which termed the leak BlueBleed. Microsoft said it's in the process of directly notifying impacted customers.

The Windows maker did not reveal the scale of the data leak, but according to SOCRadar, it affects more than 65,000 entities in 111 countries. The exposure amounts to 2.4 terabytes of data that consists of invoices, product orders, signed customer documents, partner ecosystem details, among others.

https://thehackernews.com/2022/10/microsoft-confirms-server.html

Threats

Ransomware and Extortion

Phishing & Email Based Attacks

Other Social Engineering; Smishing, Vishing, etc

Malware

Mobile

Internet of Things – IoT

Data Breaches/Leaks

Organised Crime & Criminal Actors

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

Fraud, Scams & Financial Crime

Deepfakes

Insurance

Supply Chain and Third Parties

Software Supply Chain

Denial of Service DoS/DDoS

Cloud/SaaS

Attack Surface Management

Identity and Access Management

Encryption

API

Open Source

Passwords, Credential Stuffing & Brute Force Attacks

Training, Education and Awareness

Privacy, Surveillance and Mass Monitoring

Regulations, Fines and Legislation

Law Enforcement Action and Take Downs

Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine

Vulnerabilities

Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

·       Automotive

·       Construction

·       Critical National Infrastructure (CNI)

·       Defence & Space

·       Education & Academia

·       Energy & Utilities

·       Estate Agencies

·       Financial Services

·       FinTech

·       Food & Agriculture

·       Gaming & Gambling

·       Government & Public Sector (including Law Enforcement)

·       Health/Medical/Pharma

·       Hotels & Hospitality

·       Insurance

·       Legal

·       Manufacturing

·       Maritime

·       Oil, Gas & Mining

·       OT, ICS, IIoT, SCADA & Cyber-Physical Systems

·       Retail & eCommerce

·       Small and Medium Sized Businesses (SMBs)

·       Startups

·       Telecoms

·       Third Sector & Charities

·       Transport & Aviation

·       Web3

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Read More
Black Arrow Admin Black Arrow Admin

Black Arrow Cyber Threat Briefing 05 August 2022

Black Arrow Cyber Threat Briefing 05 August 2022

-Average Cost of Data Breaches Hits Record High of $4.35 Million: IBM

-Researchers Warns of Large-Scale Adversary-in-the-Middle (AiTM) Attacks Targeting Enterprise Users

-UK NHS Suffers Outage After Cyber Attack on Managed Service Provider

-A Third of Organisations Experience a Ransomware Attack Once a Week

-Ransomware Products, Services Ads on Dark Web Show Clues to Danger

-Wolf In Sheep’s Clothing, How Malware Tricks Users and Antivirus

-Microsoft Accounts Targeted with New MFA-Bypassing Phishing Kit

-Cyber Attack Prevention Is Cost-Effective, So Why Aren’t Businesses Investing to Protect?

-Securing Your Move to the Hybrid Cloud

-Lessons from the Russian Cyber Warfare Attacks

-Four Sneaky Attacker Evasion Techniques You Should Know About

-Zero-Day Defence: Tips for Defusing the Threat

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

  • Average Cost of Data Breaches Hits Record High of $4.35 Million: IBM

The global average cost of data breaches reached an all-time high of $4.35 million in 2022 compared with $4.24 million in 2021, according to a new IBM Security report. About 60% of the breached organisations raised product and services prices due to the breaches.

The annual report, conducted by Ponemon Institute and analysed and sponsored by IBM Security, is based on the analysis of real-world data breaches experienced by 550 organisations globally between March 2021 and March 2022.

According to the report, about 83% of the organisations have experienced more than one breach in their lifetime, with nearly half of the costs reported to be incurred more than a year after the breach.

The report revealed that ransomware and destructive attacks represented 28% of breaches among the critical infrastructure organisations studied, indicating that threat actors are specifically targeting the sector to disrupt global supply chains. The critical infrastructure sector includes financial services, industrial, transportation, and healthcare companies.

https://www.csoonline.com/article/3668655/average-cost-of-data-breaches-hits-record-high-of-435-million-ibm.html#tk.rss_news

  • Researchers Warns of Large-Scale Adversary-in-the-Middle (AiTM) Attacks Targeting Enterprise Users

A new, large-scale phishing campaign has been observed using adversary-in-the-middle (AitM) techniques to get around security protections and compromise enterprise email accounts.

It uses a technique capable of bypassing multi-factor authentication. The campaign is specifically designed to reach end users in enterprises that use Microsoft's email services.

Prominent targets include fintech, lending, insurance, energy, manufacturing, and federal credit union verticals located in the US, UK, New Zealand, and Australia.

This is not the first time such a phishing attack has come to light. Last month, Microsoft disclosed that over 10,000 organisations had been targeted since September 2021 by means of AitM techniques to breach accounts secured with multi-factor authentication (MFA).

The ongoing campaign, effective June 2022, commences with an invoice-themed email sent to targets containing an HTML attachment, which includes a phishing URL embedded within it.

https://thehackernews.com/2022/08/researchers-warns-of-large-scale-aitm.html

  • UK NHS Suffers Outage After Cyber Attack on Managed Service Provider

The UK National Health Service (NHS) 111 emergency services were affected by a significant and ongoing outage triggered by a cyber attack that hit the systems of British managed service provider (MSP) Advanced.

Advanced's Adastra client patient management solution, which is used by 85% of NHS 111 services, was hit by a major outage together with several other services provided by the MSP, according to a status page.

"There was a major outage of a computer system that is used to refer patients from NHS 111 Wales to out-of-hours GP providers," the Welsh Ambulance Services said. "This system is used by Local Health Boards to coordinate these services for patients. The ongoing outage is significant and has been far-reaching, impacting each of the four nations in the UK."

The UK public was advised to access the NHS 111 emergency services using the online platform until the incident is resolved.

While no details were provided regarding the nature of the cyber attack, based on the wording, it is likely that this was a ransomware or data extortion attack.

https://www.bleepingcomputer.com/news/security/uk-nhs-suffers-outage-after-cyberattack-on-managed-service-provider/

  • A Third of Organisations Experience a Ransomware Attack Once a Week

Ransomware attacks show no sign of slowing. According to new research published by Menlo Security, a third of organisations experience a ransomware attack at least once a week, with one in 10 experiencing them more than once a day.

The research, conducted among 500+ IT security decision makers at US and UK organisations with more than 1,000 employees, highlights the impact this is having on security professionals’ own wellbeing. When asked what keeps them awake at night, 41% of respondents say they worry about ransomware attacks evolving beyond their team’s knowledge and skillset, while 39% worry about them evolving beyond their company’s security capabilities.

Their biggest concern, however, is the risk of employees ignoring corporate security advice and clicking on links or attachments containing malware (46%). Respondents worry more about this than they do their own job security, with just a quarter (26%) of respondents worried about losing their job.

According to the report, around half of organisations (61% US and 44% UK) have been the victim of a successful ransomware attack in the last 18 months, with customers and prospects the most likely entry point for an attack.

Partners/suppliers and employees/contractors are also seen as serious security risks, although one in 10 admit they are unable to identify how the attacks got in. The top three ransomware attack vectors are email (54%), web browsers via a desktop or laptop (49%) and mobile devices (39%).

https://www.helpnetsecurity.com/2022/08/04/organizations-experience-ransomware-attack/

  • Ransomware Products and Services Ads on Dark Web Show Clues to Danger

Why is ransomware’s destructive potential so daunting? Some clues are in the “for sale” ads. In an examination of some 35 million dark web URLs, a provider of machine identity management and a forensic specialist found some 475 web pages peddling sophisticated ransomware products and services with a number of high profile crews hawking ransomware-as-a-service.

The work is a joint effort between the Salt Lake City-based Venafi and Forensic Pathways, which took place between November 2021 and March 2022. Researchers used Forensic’s Dark Search Engine to carry out the investigation.

Here are some of the research findings:

  • 87% of the ransomware found on the dark web has been delivered via malicious macros to infect targeted systems.

  • 30 different “brands” of ransomware were identified within marketplace listings and forum discussions.

  • Many strains of ransomware being sold — such as Babuk, GoldenEye, Darkside/BlackCat, Egregor, HiddenTear and WannaCry — have been successfully used in high-profile attacks.

  • Ransomware strains used in high-profile attacks command a higher price for associated services. For example, the most expensive listing was $1,262 for a customised version of Darkside ransomware, which was used in the Colonial Pipeline ransomware attack.

  • Source code listings for well-known ransomware generally command higher price points. For example, Babuk source code is listed for $950 and Paradise source code is selling for $593.

Ransomware Sold for as Little as $1: In addition to a variety of ransomware at various price points, a wide range of services and tools that help make it easier for attackers with minimal technical skills to launch ransomware attacks are for sale on the dark web, Venafi said. Services with the greatest number of listings include those offering source code, build services, custom development services and ransomware packages that include step-by-step tutorials.

https://www.msspalert.com/cybersecurity-breaches-and-attacks/ransomware/ransomware-products-services-ads-on-dark-web-show-clues-to-danger/

  • Wolf In Sheep’s Clothing: How Malware Tricks Users and Antivirus

One of the primary methods used by malware distributors to infect devices is by deceiving people into downloading and running malicious files, and to achieve this deception, malware authors are using a variety of tricks.

Some of these tricks include masquerading malware executables as legitimate applications, signing them with valid certificates, or compromising trustworthy sites to use them as distribution points.

According to VirusTotal, a security platform for scanning uploaded files for malware, some of these tricks are happening on a much larger scale than initially thought.

The platform has compiled a report presenting stats from January 2021 until July 2022, based on the submission of two million files daily, illustrating trends in how malware is distributed.

  • Abusing legitimate domains: Distributing malware through legitimate, popular, and high-ranking websites allows threat actors to evade IP-based blocklists, enjoy high availability, and provide a greater level of trust.

  • Using stolen code-signing certificates: Signing malware samples with valid certificates stolen from companies is a reliable way to evade AV detection and security warnings on the host. Of all the malicious samples uploaded to VirusTotal between January 2021 and April 2022, over a million were signed, and 87% used a valid certificate.

  • Disguised as popular software: Masquerading a malware executable as a legitimate, popular application has seen an upward trend in 2022. Victims download these files thinking they’re getting the applications they need, but upon running the installers, they infect their systems with malware. The most mimicked applications are Skype, Adobe Acrobat, VLC, and 7zip.

  • Lacing legitimate installers - Finally, there’s the trick of hiding malware inside legitimate application installers and running the infection process in the background while the real apps execute in the foreground. Based on VirusTotal stats, this practice also appears to be on the rise this year, using Google Chrome, Malwarebytes, Windows Updates, Zoom, Brave, Firefox, ProtonVPN, and Telegram as lures.

https://www.bleepingcomputer.com/news/security/wolf-in-sheep-s-clothing-how-malware-tricks-users-and-antivirus/

  • Microsoft Accounts Targeted with New MFA-Bypassing Phishing Kit

A new large-scale phishing campaign targeting credentials for Microsoft email services use a custom proxy-based phishing kit to bypass multi-factor authentication.

Researchers believe the campaign's goal is to breach corporate accounts to conduct BEC (business email compromise) attacks, diverting payments to bank accounts under their control using falsified documents.

The phishing campaign's targets include fin-tech, lending, accounting, insurance, and Federal Credit Union organisations in the US, UK, New Zealand, and Australia.

The campaign was discovered by Zscaler's ThreatLabz researchers, who report that the operation is still ongoing, and the phishing actors register new phishing domains almost daily.

Starting in June 2022, Zscaler's analysts noticed a spike in sophisticated phishing attempts against specific sectors and users of Microsoft email services.

Some of the newly registered domains used in the campaign are typo-squatted versions of legitimate domains.

Notably, many phishing emails originated from the accounts of executives working in these organisations, whom the threat actors most likely compromised earlier.

https://www.bleepingcomputer.com/news/security/microsoft-accounts-targeted-with-new-mfa-bypassing-phishing-kit/

  • Cyber Attack Prevention Is Cost-Effective, So Why Aren’t Businesses Investing to Protect?

Cyber attacks like ransomware, BEC scams and data breaches are some of the key issues businesses are facing today, but despite the number of high-profile incidents, many boardrooms are reluctant to free up budget to invest in the cyber security measures necessary to avoid becoming the next victim.

In a Help Net Security interview, Former Pentagon Chief Strategy Officer Jonathan Reiber, VP Cyber security Strategy and Policy, AttackIQ, discusses how now, more than ever, companies need to protect themselves from cyber threat actors. He offers insight for CISOs, from talking to the Board to proper budget allocation.

https://www.helpnetsecurity.com/2022/08/01/cyberattack-prevention-investing/

  • Securing Your Move to the Hybrid Cloud

The combination of private and public cloud infrastructure, which most organisations are already using, poses unique security challenges. There are many reasons why organisations adopt the public cloud, from enabling rapid growth without the burden of capacity planning to leveraging flexibility and agility in delivering customer-centric services. However, this use can leave companies open to threats.

Since regulatory requirements or other preferences dictate that certain applications remain on private (on-prem) infrastructure, many organisations choose to maintain a mix of private and public infrastructure. Additionally, organisations typically use multiple cloud providers simultaneously or preserve the option to move between providers. However, this hybrid approach presents unique and diverse security challenges. Different cloud providers and private cloud platforms may offer similar capabilities but different ways of implementing security controls, along with disparate management tools.

The question then becomes: How can an organisation maintain consistent governance, policy enforcement and controls across different clouds? And how can it ensure that it maintains its security posture when moving between them? Fortunately, there are steps professionals can take to ensure that applications are continuously secure, starting from the early stages of development and extending throughout the lifecycle.

https://threatpost.com/secure-move-cloud/180335/

  • Lessons from the Russian Cyber Warfare Attacks

Cyber warfare tactics may not involve tanks and bombs, but they often go hand-in-hand with real combat.

The Russian invasion of Ukraine is a prime example. Before Russian troops crossed the border, Russian hackers had already taken down Ukrainian government websites. And after the conflict started, the hacktivist group Anonymous turned the tables by hacking Russian media to shut down propaganda about the war.

In these unprecedented times of targeted attacks against governments and financial institutions, every organisation should be on heightened alert about protecting their critical infrastructure and digital attack surface.

With the Russia-Ukraine conflict as a backdrop, two Trend Micro security experts recently discussed cyber warfare techniques and how they’re an important reminder for every business to proactively manage cyber risk.

https://www.trendmicro.com/en_us/ciso/22/h/russian-cyber-warfare-attacks.html

  • Four Sneaky Attacker Evasion Techniques You Should Know About

Remember those portrayals of hackers in the 80s and 90s where you just knew when you got pwned? A blue screen of death, a scary message, a back-and-forth text exchange with a hacker—if you got pwned in a movie in the 80s and 90s, you knew it right off the bat.

What a shame that today’s hackers have learned to be quiet when infiltrating an environment. Sure, “loud” attacks like ransomware still exist, but threat actors have learned that if they keep themselves hidden, they can usually do far more damage. For hackers, a little stealth can go a long way. Some attack tactics are inherently quiet, making them arguably more dangerous as they can be harder to detect. Here are four of these attack tactics you should know about.

  1. Trusted Application Abuse: Attackers know that many people have applications that they inherently trust, making those trusted applications the perfect launchpad for cyber attacks. Threat actors know that defenders and the tools they use are often on the hunt for new malware presenting itself in environments. What isn’t so easy to detect is when the malware masquerades under legitimate applications.

  2. Trusted Infrastructure Abuse: Much like trusted application abuse, trusted infrastructure abuse is the act of using legitimate, publicly hosted services and toolsets (such as Dropbox or Google Drive) as part of the attack infrastructure. Threat actors know that people tend to trust Dropbox and Google Drive. As a result, this makes these tools a prime means for threat actors to carry out malicious activity. Threat actors often find trusted infrastructure abuse easy because these services aren’t usually blocked at an enterprise’s gateway. In turn, outbound communications can hide in plain sight.

  3. Obfuscation: Although cyber security has more than its fair share of tedious acronyms, the good news is that many terms can be broken down by their generic dictionary definitions. According to dictionary.com, this is what obfuscate means: “To make something unclear, obscure or difficult to understand.” And that’s exactly what it means in cyber security: finding ways to conceal malicious behaviour. In turn, this makes it more difficult for analysts and the tools they use to flag suspicious or malicious activity.

  4. Persistence: Imagine writing up documentation using your computer, something you may well do in your role. You’ve spent a ton of time doing the research required, finding the right sources and compiling all your information into a document. Now, imagine not hitting save on that document and losing it as soon as you reboot your computer. Sound like a nightmare—or perhaps a real anxiety-inducing experience you’ve been through before? Threat actors agree. And that’s why they establish persistence. They don’t want all of their hard work to get into your systems in the first place to be in vain just because you restart your computer. They establish persistence to make sure they can still hang around even after you reboot.

https://www.msspalert.com/cybersecurity-guests/four-sneaky-attacker-evasion-techniques-you-should-know-about/

  • Zero-Day Defence: Tips for Defusing the Threat

Because they leave so little time to patch and defuse, zero-day threats require a proactive, multi-layered approach based on zero trust.

The recent Atlassian Confluence remote code execution bug is just the latest example of zero-day threats targeting critical vulnerabilities within major infrastructure providers. The specific threat, an Object-Graph Navigation Language (OGNL) injection, has been around for years but took on new significance given the scope of the Atlassian exploit. And OGNL attacks are on the rise.

Once bad actors find such a vulnerability, proof-of-concept exploits start knocking at the door, seeking unauthenticated access to create new admin accounts, execute remote commands, and take over servers. In the Atlassian case, Akamai's threat research team identified that the number of unique IP addresses attempting these exploits grew to more than 200 within just 24 hours.

Defending against these exploits becomes a race against time worthy of a 007 movie. The clock is ticking and you don't have much time to implement a patch and "defuse" the threat before it's too late. But first you need to know that an exploit is underway. That requires a proactive, multi-layered approach to online security based on zero trust.

What do these layers look like? There are a number of different practices that security teams — and their third-party Web application and infrastructure partners — should be aware of.

https://www.darkreading.com/attacks-breaches/zero-day-defense-tips-for-defusing-the-threat

Threats

Ransomware

Phishing & Email Based Attacks

Other Social Engineering; SMishing, Vishing, etc

Malware

Mobile

Internet of Things – IoT

Organised Crime & Criminal Actors

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

Insider Risk and Insider Threats

Fraud, Scams & Financial Crime

AML/CFT/Sanctions

Dark Web

Software Supply Chain

Cloud/SaaS

Open Source

Passwords, Credential Stuffing & Brute Force Attacks

Social Media

Privacy

Cyber Bullying and Cyber Stalking

Regulations, Fines and Legislation

Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine

Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

·       Automotive

·       Construction

·       Critical National Infrastructure (CNI)

·       Defence & Space

·       Education & Academia

·       Energy & Utilities

·       Estate Agencies

·       Financial Services

·       FinTech

·       Food & Agriculture

·       Gaming & Gambling

·       Government & Public Sector (including Law Enforcement)

·       Health/Medical/Pharma

·       Hotels & Hospitality

·       Insurance

·       Legal

·       Manufacturing

·       Maritime

·       Oil, Gas & Mining

·       OT, ICS, IIoT, SCADA & Cyber-Physical Systems

·       Retail & eCommerce

·       Small and Medium Sized Businesses (SMBs)

·       Startups

·       Telecoms

·       Third Sector & Charities

·       Transport & Aviation

·       Web3

Other News

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Read More
Black Arrow Admin Black Arrow Admin

Black Arrow Cyber Threat Briefing 13 May 2022

Black Arrow Cyber Threat Briefing 13 May 2022

-UK, US Intelligence Agencies Warn Managed Service Providers, including External IT Providers, Are Now Prime Targets for Cyber Attacks

-Wannacry – 5 Years On, 68% Of Enterprises Are Still At Risk

-You Can’t Eliminate Cyber Attacks, So Focus on Reducing the Blast Radius

-Just In Time? Bosses Are Finally Waking Up to The Cyber Security Threat

-Most Organisations Hit by Ransomware Would Pay Up If Hit Again

-31,000 FTSE 100 Logins Found on Dark Web

-Ransomware: How Executives Should Prepare Given the Current Threat Landscape

-What Your Cyber Insurance Application Form Can Tell You About Ransomware Readiness

-NCSC Shut Down 2.7 Million Scams in 2021

-Top 6 Security Threats Targeting Remote Workers

-Password Reuse Is Rampant Among Employees in All Sectors

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

  • UK, US Intelligence Agencies Warn Managed Service Providers, including External IT Providers, Are Now Prime Targets for Cyber Attacks

The Five Eyes coalition of international cyber security authorities, this week issued an advisory to warn managed service providers (MSPs), including external IT providers, of an escalating threat of attack from both everyday cyber criminals and state-sponsored threat actors.

MSPs provide or operate information and communications technology services.

With input from cyber security leaders from Australia, Canada, New Zealand, the UK and the US, the NSA provided recommendations to help bolster their cyber defences, including:

  • Finding and disabling dormant accounts.

  • Implementing and enforcing multifactor authentication on accounts.

  • Ensuring contracts clearly map out who owns and is responsible for securing data.

Malicious actors are targeting MSPs to break into their customers' networks and deploy ransomware, steal data, and spy on them, the Five Eyes authorities have formally warned in a joint security alert.

"The UK, Australian, Canadian, New Zealand, and US cyber security authorities expect malicious cyber actors — including state-sponsored advanced persistent threat (APT) groups — to step up their targeting of MSPs in their efforts to exploit provider-customer network trust relationships," the alert warned.

These types of supply-chain or "island-hopping" attacks can prove very lucrative for cyber criminals because once they break into an MSP, they gain access to all of the customers' networks and data being managed, and in turn commit computer crimes and fraud against those customers' customers.

https://www.darkreading.com/attacks-breaches/nsa-warns-managed-service-providers-are-now-prime-targets-for-cyberattacks

  • Wannacry – 5 Years On, 68% Of Enterprises Are Still at Risk

5 years on from one of the world’s most damaging ransomware attacks, research from network detection and response leader ExtraHop has found that 68% of enterprises are still running insecure protocol that were exploited by the North Korean ransomware.

The events of 12 May 2017 live on in cyber security lore. WannaCry revealed just how extensive the damage caused by ransomware can be if deployed in large scale – from downtime to ransom paid to reputational damage. Yet despite the danger, huge numbers of organisations are still running SMBv1, the protocol exploited in the WannaCry attacks that has been publicly deprecated since 2014.

https://informationsecuritybuzz.com/expert-comments/wannacry-5-years-on-68-of-enterprises-are-still-at-risk/

  • You Can’t Eliminate Cyber Attacks, So Focus on Reducing the Blast Radius

Given it is impossible to prevent all cyber attacks, many organisations should look to reduce the size of the company’s attack surface and the limit the “blast radius” of a potential attack.

There is a danger that the biggest risk concerning cyber attacks is that we’re becoming desensitised to them. After all, businesses experience a ransomware attack every 11 seconds—the majority of which the public never hears about. Faced with this reality, it may seem like efforts to safeguard the enterprise are futile. But that’s all the more reason to strengthen your resolve—and switch up your cyber defence strategy.

The core of this strategy should be the concept of “reducing the blast radius” of an attack, and since you can’t completely eliminate cyber attacks, you need to take steps to contain the impact.

This strategy should contain basic blocking and also consider things such as Zero Trust for remote access, traffic inspection, software-based micro-segmentation and other practical measures to reduce your attack surface.

https://threatpost.com/cyberattacks-blast-radius/179612/

  • Just In Time? Bosses Are Finally Waking Up to The Cyber Security Threat

Boardrooms have a reputation for not paying much attention to cyber security, but it could be that executives are finally keen to take more interest in securing the systems and networks their businesses rely on.

Senior figures from American, British and Australian cyber security agencies have said that business execs are now more aware of cyber threats and are actively engaging with their chief information security officer (CISO) and information security teams.

Chief execs are starting to ask their CISOs the right questions, rather than leaving them to it because they don't have to understand complex technology. It does feel like a much more engaging strategic conversation, but there can still be a disconnect between knowing what needs to happen, then actually budgeting for and implementing a cyber security strategy.

https://www.zdnet.com/article/just-in-time-bosses-are-finally-waking-up-to-the-cybersecurity-threat/

  • Most Organisations Hit by Ransomware Would Pay Up If Hit Again

Almost nine in 10 organisations that have suffered a ransomware attack would choose to pay the ransom if hit again, according to a new report, compared with two-thirds of those that have not experienced an attack.

The findings come from a report titled "How business executives perceive ransomware threat" by security company Kaspersky, which states that ransomware has become an ever-present threat, with 64 percent of companies surveyed already having suffered an attack, but more worryingly, that executives seem to believe that paying the ransom is a reliable way of addressing the issue.

The report is based on research involving 900 respondents across North America, South America, Africa, Russia, Europe, and Asia-Pacific. The respondents were in senior non-IT management roles at companies between 50 and 1,000 employees.

Kaspersky claims that in 88 percent of organisations that have had to deal with a ransomware incident, business leaders said they would choose to pay the money if faced with another attack. In contrast, among those that have not so far suffered a ransomware attack, only 67 percent would be willing to pay, and they would be less inclined to do so immediately.

https://www.theregister.com/2022/05/13/organizations_pay_ransomware/

  • 31,000 FTSE 100 Logins Found on Dark Web

Researchers with Outpost24 are reporting over 31,000 corporate credentials for many of the UK’s leading FTSE 100 firms on the dark web. These are the 100 biggest companies listed on the London Stock Exchange by market capitalisation. The researchers used their threat monitoring and auditing tool Blueliv to search dark web sites for the breached credentials.

Key findings from stolen and leaked credentials study:

  • The majority (81%) of the companies within the FTSE 100 had at least one credential compromised and exposed on the dark web

  • 31,135 total stolen and leaked credentials detected for FTSE 100 companies, with 38% disclosed on the underground in the past 12 months

  • Nearly half (42%) of FTSE 100 companies have more than 500 compromised credentials exposed on the dark web

  • Up to 20% of credentials are stolen via malware infection and stealers

  • 11% disclosed in the last 3 months (21% in the last 6 months and over 68% have been exposed for over 12 months)

  • Over 60% of stolen credentials came from 3 industries – IT/Telecom (23%), Energy and Utility (22%) and Finance (21%)

  • IT/Telecoms industry is the most at risk with the highest total amount (7,303) and average stolen credentials per company (730), they are most affected by malware infection and have the most amount of stolen credentials disclosed in the last 3 months

  • On average, healthcare has the highest number of stolen credentials per company (485) from data breach as they found themselves increasingly in the cyber criminals’ crosshairs since the pandemic.

https://informationsecuritybuzz.com/expert-comments/31000-ftse-100-logins-found-on-dark-web/

  • Ransomware: How Executives Should Prepare Given the Current Threat Landscape

As the number of ransomware attacks continue to increase, the response at C-level must be swift and decisive.

Top executives are increasingly dreading the phone call from their fellow employee notifying them that their company has been hit by a cyber attack. Nearly every week in 2021 and early 2022, a prominent organisation has been in the media spotlight as their public relations team struggles to explain how they were attacked and how they can regain consumer confidence. A recent survey showed that 37 percent of organisations surveyed had been affected by ransomware attacks in the last year.

Worse, the days when executive leadership teams could fully delegate responsibility to a CISO are over. Regardless of reality, surveys have shown that about 40 percent of the public perception of fault for a ransomware attack lands squarely on the CEO’s shoulders, and that 36 percent of attacks result in the loss of C-level talent. While executive involvement in the security program does not guarantee a successful defence, it does give the executive leadership team (ELT) a degree of ownership of the final product, as well as the ability to speak confidently and knowledgeably to the public.

https://www.techrepublic.com/article/ransomware-how-executives-should-prepare-given-the-current-threat-landscape/

  • What Your Cyber Insurance Application Form Can Tell You About Ransomware Readiness

The annual cyber insurance application form shows what the carriers think you should be doing to best prevent and recover from ransomware attacks. Pay attention.

If it’s the time of year for you to fill out the annual cyber insurance policy application, you will see how the focus for insurance firms is changing. Each year you can get an insight into what insurance vendors are using to rate the risks and threats to your business and what they are stressing firms should have in place as best practice or what they are expecting you should have in place as a baseline set of controls. Not having them in place could affect insurance rates, whether you are able to get cyber coverage at all, or crucially whether they would pay out in the event of you having to make a claim.

This year you might find more questions specifically around ransomware prevention techniques and protections, from Multi Factor Authentication (MFA) to Endpoint Detection and Response (EDR), and email filtering protections to the robustness of your backups.

Make sure to review your cyber insurance policy and its related questionnaire. And ask whether you are doing everything you can to protect your firm and tailoring your actions to align with what your insurance provider has deemed as a best practice.

https://www.csoonline.com/article/3659831/what-your-cyber-insurance-application-form-can-tell-you-about-ransomware-readiness.html#tk.rss_news

  • NCSC Shut Down 2.7 Million Scams in 2021

The UK National Cyber Security Centre (NCSC) removed 2.7 million online scams last year, it was revealed this week, four times as many scams compared to 2020.

The announcement comes as the security agency shared the most recent data from its Active Cyber Defence initiative at the CYBERUK summit earlier in the week.

According to the NCSC, neutralised scams included fake celebrity endorsements and spoof extortion emails.

It has also been revealed that fraud campaigns used common themes, with NHS vaccines and vaccine passports being particularly popular.

Some cyber criminals even posed as NCSC CEO Lindy Cameron – victims received an email claiming the NCSC had prevented £5m of their money from being stolen, and were urged to supply personal information to retrieve the funds.

https://www.itsecurityguru.org/2022/05/10/ncsc-shut-down-2-7-million-scams-in-2021/

  • Security Threats Targeting Remote Workers

Remote work offers great benefits, like reduced commute time, increased freedom, and more time to spend with loved ones. But there can be security downsides if sufficient controls are not in place to protect remote workers against the digital threats that come with working via unsecured connections.

Being on a home network lacks the layered network security of the company environment. Remote work itself is not new, but the dramatic shift to working from home over the past two years means there are more security-naive people who are not in the office.

Not all security threats are the fault of technology. Much of it also comes from human error.

Remote work greatly exacerbates human-activated risk, and people are working in more distracting environments where they may have to answer the door for deliveries or might multitask with household chores. That means mistakes are more likely to happen, like sending an email to the wrong recipient or falling for a malicious email attack.

Recent research by Egress found that 77% of IT leaders said they have seen an increase in security compromises since going remote two years ago.

https://www.darkreading.com/endpoint/top-6-security-threats-targeting-remote-workers

  • Password Reuse Is Rampant Among Employees in All Sectors

SpyCloud published an annual analysis of identity exposure among employees of Fortune 1000 companies in key sectors such as technology, finance, retail and telecommunications.

Drawing on a database of over 200 billion recaptured assets, researchers identified over 687 million exposed credentials and PII tied to Fortune 1000 employees, a 26% increase from last year’s analysis.

Analysis of this data showed a 64% password reuse rate, widespread use of easy-to-guess passwords, and a spike in malware-infected devices –– all sources of cyber risk for both employers and consumers who rely on businesses to safeguard their personal data. With remote work blurring the lines between work and personal device use, a larger attack surface compounds the risk of cyber attacks proliferating beyond compromised employee and consumer identities to penetrate corporate networks.

https://www.helpnetsecurity.com/2022/05/11/fortune-1000-identity-exposure/

Threats

Ransomware

Phishing & Email Based Attacks

Malware

Data Breaches/Leaks

Organised Crime & Criminal Actors

Cryptocurrency/Cryptomining/Cryptojacking/NFTs

Insider Risk and Insider Threats

Fraud, Scams & Financial Crime

Insurance

Supply Chain and Third Parties

Denial of Service DoS/DDoS

Cloud

Open Source

Travel

Parental Controls and Child Safety

Cyber Bullying and Cyber Stalking

Regulations, Fines and Legislation

Spyware, Espionage & Cyber Warfare, including Russian Invasion of Ukraine

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Read More
Black Arrow Admin Black Arrow Admin

Black Arrow Cyber Threat Briefing 05 May 2022

Black Arrow Cyber Threat Briefing 05 May 2022

-Cyber Scams Cost Victims $6.9b-Plus Worldwide in 2021

-Bad Actors Are Maximizing Remote Everything

-New Hacker Group Pursuing Corporate Employees Focused on Mergers and Acquisitions

-FBI: Business Email Compromise: The $43 Billion Scam

-Disgruntled Employees Cashing in On Confidential Information Over Dark Web

-Google Sees More APTs Using Ukraine War-Related Themes

-Cryptocurrency Regulators Are Scrambling to Catch Up with Hackers Who Are Swiping Billions

-Tackling the Threats Posed by Shadow IT

-Hackers Used the Log4j Flaw to Gain Access Before Moving Across a Company's Network, Say Security Researchers

-This Sneaky Hacking Group Hid Inside Networks For 18 Months Without Being Detected

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

  • Cyber Scams Cost Victims $6.9b-Plus Worldwide in 2021

Cyber-scams cost victims around the globe at least $6.9 billion last year, according to the FBI's latest Internet Crime Report.

Since 2017, the bureau's Internet Crime Complaint Center (IC3) received an average of 552,000 complaints per year. This includes reports of extortion, identity theft, phishing, fraud, and a slew of other nefarious schemes that cost victims no less than $18.7 billion in losses over the five-year period.

Unsurprisingly, the volume of these crimes — and related costs — have grown every year; 2021 set records for the total number of complaints (847,376) as well as losses exceeding $6.9 billion, a jump from the $4.2 billion reported a year earlier.

As with earlier years, phishing attacks were by far the most commonly reported crimes, with 323,972 last year. A subset of this category, business email compromise (BEC), is proving very lucrative and cost victims almost $2.4 billion from 19,954 victims, according to the Feds.

BEC involves a cyber criminal compromising a legitimate email account, and then tricking a business or individual into transferring funds, sending employees' personal data, or unlocking cryptocurrency wallets. The fraudster then steals the cash, drains the crypto wallet and/or sells employees' identities and credentials on the dark web.

https://www.theregister.com/2022/05/05/fbi_cyber_scams/

  • Bad Actors Are Maximising Remote Everything

The rise of remote work and learning opened new opportunities for many people – as we’ve seen by the number of people who have moved to new places or adapted to “workcations.” Cyber criminals are taking advantage of the same opportunities – just in a different way. Evaluating the prevalence of malware variants by region reveals a sustained interest by cyber adversaries in maximising the remote work and learning attack vector.

As hybrid work and learning become embedded paradigms in our culture, there are fewer layers of protection between malware and would-be victims. And bad actors are gaining access to more tools to help them pull off their nefarious deeds – like exploit kits. At the same time, the attack surface has rapidly expanded and continues to do so.

That means enterprises must take a work-from-anywhere approach to their security. They need to deploy solutions capable of following, enabling and protecting users no matter where they are located. They need security on the endpoint (EDR) combined with zero trust network access (ZTNA) approaches.

https://threatpost.com/bad-actors-remote-everything/179458/

  • This Sneaky Hacking Group Hid Inside Networks For 18 Months Without Being Detected

A previously undisclosed cyber-espionage group is using clever techniques to breach corporate networks and steal information related to mergers, acquisitions and other large financial transactions – and they've been able to remain undetected by victims for periods of more than 18 months.

Detailed by cyber security researchers at Mandiant, who've named it UNC3524, the hacking operation has been active since at least December 2019 and uses a range of advanced methods to infiltrate and maintain persistence on compromised networks that set it apart from most other hacking groups. These methods include the ability to immediately re-infect environments after access is removed. It's currently unknown how initial access is achieved. 

One of the reasons UNC3524 is so successful at maintaining persistence on networks for such a long time is because it installs backdoors on applications and services that don't support security tools, such as anti-virus or endpoint protection.

https://www.zdnet.com/article/this-sneaky-hacking-group-hid-inside-networks-for-18-months-without-being-detected/

  • FBI: Business Email Compromise: The $43 Billion Scam

According to the FBI, business email compromise (BEC) and email account compromise (EAC) losses have surpassed $43 billion globally. BEC/EAC is a sophisticated scam that targets both businesses and individuals who perform legitimate transfer-of-funds requests.

The BEC/EAC scam continues to grow and evolve, targeting small local businesses to larger corporations, and personal transactions. Between July 2019 and December 2021, there was a 65% increase in identified global exposed losses, meaning the dollar loss that includes both actual and attempted loss in United States dollars.

The following information was derived from filings with financial institutions between June 2016 and December 2021:

  • Domestic and international incidents: 241,206

  • Domestic and international exposed dollar loss: $43,312,749,946

The following BEC/EAC statistics were reported in victim complaints to the IC3 between October 2013 and December 2021:

  • Total US victims: 116,401

  • Total US exposed dollar loss: $14,762,978,290

  • Total non-US victims: 5,260

  • Total non-US exposed dollar loss: $1,277,131,099

https://informationsecuritybuzz.com/expert-comments/fbi-business-email-compromise-the-43-billion-scam/

  • Disgruntled Employees Cashing in On Confidential Information Over Dark Web

Disgruntled employees are making hundreds of thousands of dollars by leaking confidential information over a new platform on the so-called dark web, cyber researchers have said.

Hidden in a part of the internet that is only accessible using special software, the Industrial Spy platform promises huge payouts to staff willing to hand over "dirty secrets" to competitors, according to experts at intelligence business Cyberint.

Industrial Spy currently has data on twelve companies from a range of industries available to people who sign up, Cyberint said.

The platform recently managed to sell two tranches of company data for $400,000 (£318,236) and $750,000 each.

An individual has advertised the platform to potential purchasers of the data on the dark web.

The post said: "With our information you could refuse partnership with an unscrupulous partner, reveal dirty secrets of your competitors and earn millions of dollars using insider information."

Cyber criminals have long approached employees individually and offered a bribe to release sensitive information such as internal data and passwords to access computer systems.

But this new platform allows employees to act on their own initiative to steal data and sell it online.

https://www.telegraph.co.uk/business/2022/05/02/disgruntled-employees-cashing-confidential-information-dark/

  • Google Sees More APTs Using Ukraine War-Related Themes

Researchers at Google's Threat Analysis Group (TAG) say the number of advanced threat actors using Ukraine war-related themes in cyber attacks went up in April with a surge in malware attacks targeting critical infrastructure.

According to Google, known state-backed APT groups from China, Iran, North Korea, and Russia, along with various unattributed groups have been using war-related themes in phishing and malware distribution campaigns.

Looking at the cyber attacks that target Eastern Europe, however, a new Google report notes there hasn't been a significant change from the normal levels of activity, despite the increased adoption of lures related to the Ukraine war.

https://www.securityweek.com/google-sees-more-apts-using-ukraine-war-related-themes

  • Cryptocurrency Regulators Are Scrambling to Catch Up with Hackers Who Are Swiping Billions

Just four months in, 2022 has been a banner year for hackers, and fraudsters targeting the industry have swindled more than $1 billion from cryptocurrency investors, according to separate estimates by cryptocurrency analysis firm Immunefi.

The rise in fraud has put US regulators on the offensive. The US Securities and Exchange Commission, which has positioned itself as the industry’s main regulator and enforcer, announced on Tuesday that it was going to double its staff working to resources to combat the rise in fraud.

“Crypto markets have exploded in recent years, with retail investors bearing the brunt of abuses in this space. Meanwhile, cyber-related threats continue to pose existential risks to our financial markets and participants,” Gurbir Grewal, director of the SEC’s Division of Enforcement said in a statement. “The bolstered Crypto Assets and Cyber Unit will be at the forefront of protecting investors and ensuring fair and orderly markets in the face of these critical challenges.”

https://www.cyberscoop.com/cryptocurrency-sec-cybersecurity-bitcoin-regulation-enforcement/

  • Tackling the Threats Posed by Shadow IT

While remote technologies have allowed businesses to shift their workforces online, this flexibility has created a swathe of challenges for IT teams who must provide a robust security framework for their organisation – encompassing all the personnel and devices within their remit. In addition to the ever-increasing number of personal devices, corporate devices and programs, more and more applications are moving to the cloud as workloads become increasingly distributed across public clouds and software-as-a-service (SaaS).

This means IT teams are even harder pressed to secure and manage the complex environments they operate in. The unsanctioned use of corporate IT systems, devices, and software – known as shadow IT – has increased significantly during the shift to remote work, and recent research found almost one in seven (68%) are concerned about information security because of employees following shadow IT practices.

Shadow IT can allow hackers to steal employee and customer identities, company intellectual property, and cause companies to fail compliance audits. It can also open the door to enterprises accidentally breaking laws and exposes organisations to data exfiltration, malware, and phishing.

https://www.helpnetsecurity.com/2022/05/05/shadow-it-risk/

  • Hackers Used the Log4j Flaw to Gain Access Before Moving Across a Company's Network, Say Security Researchers

State-backed hacking groups are some of the most advanced cyber attack operations in the world - but criminals don't need to rely on them if they can exploit unpatched cyber security flaws.

A North Korean hacking and cyber espionage operation breached the network of an engineering firm linked to military and energy organisations by exploiting a cyber security vulnerability in Log4j.

First detailed in December, the vulnerability (CVE-2021-44228) allows attackers to remotely execute code and gain access to systems that use Log4j, a widely used Java logging library.

The ubiquitous nature of Log4j meant cyber security agencies urged organisations globally to apply security updates as quickly as possible, but months on from disclosure, many are still vulnerable to the flaw.

According to cyber security researchers at Symantec, one of those companies that was still vulnerable was an undisclosed engineering firm that works in the energy and military sectors. That vulnerability resulted in the company being breached when attackers exploited the gap on a public-facing VMware View server in February this year. From there, attackers were able to move around the network and compromise at least 18 computers.

https://www.zdnet.com/article/heres-how-hackers-used-the-log4j-flaw-to-gain-access-before-moving-across-a-companys-network/

  • New Hacker Group Pursuing Corporate Employees Focused on Mergers and Acquisitions

[Explanatory note from Black Arrow: When a group of cyber attackers is identified by the cyber security community, it is given a code name usually composed of letters and digits. These groups are also sometimes referred to as APTs., or Advanced Persistent Threats, because the groups are highly skilled and are persistent in their attacks; they are often supported by their state government].

A newly discovered suspected espionage threat actor has been targeting employees focusing on mergers and acquisitions as well as large corporate transactions to facilitate bulk email collection from victim environments.

Mandiant is tracking the activity cluster under the uncategorised moniker UNC3524, citing a lack of evidence linking it to an existing group. However, some of the intrusions are said to mirror techniques used by different Russia-based hacking crews like APT28 and APT29.

"The high level of operational security, low malware footprint, adept evasive skills, and a large Internet of Things (IoT) device botnet set this group apart and emphasise the 'advanced' in Advanced Persistent Threat," the threat intelligence firm said in a report.

The initial access route is unknown but upon gaining a foothold, attack chains involving UNC3524 culminate in the deployment of a novel backdoor called QUIETEXIT for persistent remote access for as long as 18 months without getting detected in some cases.

https://thehackernews.com/2022/05/new-hacker-group-pursuing-corporate.html

Threats

Ransomware

Phishing & Email Based Attacks

Malware

Mobile

IoT

Organised Crime & Criminal Actors

Cryptocurrency/Cryptomining/Cryptojacking/NFTs

Supply Chain

Open Source

Passwords & Credential Stuffing

Spyware, Espionage & Cyber Warfare, including Russian Invasion of Ukraine

Nation State Actors

Nation State Actors – Russia

Nation State Actors – China

Nation State Actors – North Korea

Nation State Actors – Misc

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Read More
Black Arrow Admin Black Arrow Admin

Black Arrow Cyber Threat Briefing 21 January 2022

Black Arrow Cyber Threat Briefing 21 January 2022

-Cyber Risks Top Worldwide Business Concerns In 2022

-Bosses Think That Security Is Taken Care Of: CISOs Aren't So Sure

-Fraud Is On the Rise, and It's Going to Get Worse

-Two-Fifths of Ransomware Victims Still Paying Up

-Less Than a Fifth of Cyber Leaders Feel Confident Their Organisation is Cyber-Resilient

-Endpoint Malware And Ransomware Detections Hit All-Time High

-End Users Remain Organisations' Biggest Security Risk

-Supply Chain Disruptions Rose In 2021

-Red Cross Begs Attackers Not to Leak Stolen Data for 515K People

-DHL Dethrones Microsoft As Most Imitated Brand In Phishing Attacks

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

Cyber Risks Top Worldwide Business Concerns In 2022

Cyber perils are the biggest concern for companies globally in 2022, according to the Allianz Risk Barometer. The threat of ransomware attacks, data breaches or major IT outages worries companies even more than business and supply chain disruption, natural disasters or the COVID-19 pandemic, all of which have heavily affected firms in the past year.

Cyber incidents tops the Allianz Risk Barometer for only the second time in the survey’s history (44% of responses), Business interruption drops to a close second (42%) and Natural catastrophes ranks third (25%), up from sixth in 2021. Climate change climbs to its highest-ever ranking of sixth (17%, up from ninth), while Pandemic outbreak drops to fourth (22%).

The annual survey incorporates the views of 2,650 experts in 89 countries and territories, including CEOs, risk managers, brokers and insurance experts. View the full global and country risk rankings.

https://www.helpnetsecurity.com/2022/01/20/cyber-concern-2022/

Bosses Think That Security Is Taken Care Of: CISOs Aren't So Sure

The World Economic Forum warns about a significant gap in understanding between C-suites and information security staff - but it's possible to close the gap.

Organisations could find themselves at risk from cyberattacks because of a significant gap between the views of their own security experts and the boardroom.

The World Economic Forum's new report, The Global Cyber Security Outlook 2022, warns there are big discrepancies between bosses and information security personnel when it comes to the state of cyber resilience within organisations.

According to the paper, 92% of business executives surveyed agree that cyber resilience is integrated into enterprise risk management strategies – or in other words, protecting the organisation against falling victim to a cyberattack, or mitigating the incident so it doesn't result in significant disruption.

However, only 55% of security-focused executives believe that cyber resilience is integrated into risk management strategies – indicating a significant divide in attitudes to cyber security.

This gap can leave organisations vulnerable to cyberattacks, because boardrooms believe enough has been done in order to mitigate threats, while in reality there could be unconsidered vulnerabilities or extra measures put in place.

https://www.zdnet.com/article/managers-think-their-systems-are-unbreakable-cybersecurity-teams-arent-so-sure/

Fraud Is On the Rise, and It's Going to Get Worse

The acceleration of the digital transformation resulted in a surge of online transactions, greater adoption of digital payments, and increased fraud.

As more daily activities — work, education, shopping, and entertainment — shift online, fraud is also on the rise. A trio of recent reports paint a bleak picture, highlighting concerns that companies are experiencing increasing losses from fraud and that the situation will get worse over the coming year.

In KPMG's survey of senior risk executives, 67% say their companies have experienced external fraud in the past 12 months, and 38% expect the risk of fraud committed by external perpetrators to somewhat increase in the next year. External fraud, which includes credit card fraud and identity theft, is specifically referring to incidents perpetuated by individuals outside the company. For most of these respondents, there was a financial impact: Forty-two percent say their organisations experienced 0.5% to 1% of loss as a result of fraud and cybercrime.

https://www.darkreading.com/edge-articles/fraud-is-on-the-rise-and-its-going-to-get-worse

Two-Fifths of Ransomware Victims Still Paying Up

Two-fifths (39%) of ransomware victims paid their extorters over the past three years, with the majority of these spending at least $100,000, according to new Anomali research.

The security vendor hired The Harris Poll to complete its Cyber Resiliency Survey – interviewing 800 security decision-makers in the US, Canada, the UK, Australia, Singapore, Hong Kong, India, New Zealand, the UAE, Mexico and Brazil.

Some 87% said their organisation had been the victim of a successful attack resulting in damage, disruption, or a breach since 2019. However, 83% said they’d experienced more attacks since the start of the pandemic.

Over half (52%) were ransomware victims, with 39% paying up. Of these, 58% gave their attackers between $100,000 and $1m, while 7% handed over more than $1m.

https://www.infosecurity-magazine.com/news/two-fifths-ransomware-victims/

Less Than a Fifth of Cyber Leaders Feel Confident Their Organisation is Cyber-Resilient

Less than one-fifth (17%) of cyber leaders feel confident that their organisations are cyber-resilient, according to the World Economic Forum (WEF)’s inaugural Global Cyber Security Outlook 2022 report.

The study, written in collaboration with Accenture, revealed there is a wide perception gap between business executives and security leaders on the issue of cyber security. For example, 92% of businesses believe cyber-resilience is integrated into their enterprise risk-management strategies, compared to just 55% of cyber leaders.

This difference in attitude appears to be having worrying consequences. The WEF said that many security leaders feel that they are not consulted in security decisions, and only 68% believe cyber-resilience forms a major part of their organisation’s overall corporate risk management.

In addition, over half (59%) of all cyber leaders admitted they would find it challenging to respond to a cyber security incident due to a shortage of skills within their team.

Supply chain security was another major concern among cyber leaders, with almost nine in 10 (88%) viewing SMEs as a key threat to supply chains.

Interestingly, 59% of cyber leaders said cyber-resilience and cyber security are synonymous, with the differences not well understood.

https://www.infosecurity-magazine.com/news/cyber-leaders-organisation/

Endpoint Malware And Ransomware Detections Hit All-Time High

Endpoint malware and ransomware detections surpassed the total volume seen in 2020 by the end of Q3 2021, according to researchers at the WatchGuard Threat Lab. In its latest report, WatchGuard also highlights that a significant percentage of malware continues to arrive over encrypted connections.

While zero-day malware increased by just 3% to 67.2% in Q3 2021, the percentage of malware that arrived via Transport Layer Security (TLS) jumped from 31.6% to 47%. Data shows that many organisations are not decrypting these connections and therefore have poor visibility into the amount of malware hitting their networks.

https://www.helpnetsecurity.com/2022/01/20/endpoint-malware-ransomware-detections-q3-2021/

End Users Remain Organisations' Biggest Security Risk

With the rapid adoption of hybrid working environments and increased attacks, IT and security professionals worry that future data breaches will most likely be the result of end users who are negligent of or break security policy, according to a recent Dark Reading survey. The percentage of respondents in Dark Reading's 2021 Strategic Security Survey who perceive users breaking policy as the biggest risk fell slightly, however, from 51% in 2020 to 48% in 2021. Other potential issues involving end users showed improvements as well, with social engineering falling in concern from 20% to 15% and remote work worries halving from 26% to 13%.

While this trend is positive, it's unclear where the increased confidence comes from, since more people now report ineffective end-user security awareness training (11%, to 2020's 7%).

Respondents shared their heightened concern about well-funded attacks. In 2021, 25% predicted an attack targeted at their organisations (a rise from 2020, when 20% said the same), and fear of a nation-state-sponsored action rose to 16% from 9% the year before. Yet only 16% reported sophisticated, automated malware as a top concern, a 10% drop from 2020, and fear of a gap between security and IT advances only merited 9%. A tiny 3% worried that their security tools wouldn't work well together, dropping from the previous year's 10%.

https://www.darkreading.com/edge-threat-monitor/despite-rise-of-third-party-concerns-end-users-still-the-biggest-security-risk

Supply Chain Disruptions Rose In 2021

56% of businesses experienced more supply chain disruptions in 2021 than 2020, a Hubs report reveals.

Last year was marked by a number of challenges, including computer chip shortages, port congestion, the ongoing impacts of COVID-19, logistics impediments, and energy crises, though with every hurdle faced, solutions are being sought. It is increasingly clear that while certain risks are hard to anticipate and difficult to plan for, it is possible to mitigate the effects of supply chain disruptions by establishing a robust and agile supply chain.

Over 98% of global companies are now planning to boost the resilience of their manufacturing supply chains, however, 37% have yet to implement any measures. As businesses develop long term strategies, over 57% of companies say diversification of their supply chains is the most effective way of building resilience. This report explores last year’s most disruptive events, how disruptions have changed over time, industry trends and strategies for strengthening manufacturing supply chains.

https://www.helpnetsecurity.com/2022/01/19/supply-chain-disruptions-2021/

Red Cross Begs Attackers Not to Leak Stolen Data for 515K People

A cyber attack forced the Red Cross to shut down IT systems running the Restoring Family Links system, which reunites families fractured by war, disaster or migration. UPDATE: The ICRC says it’s open to confidentially communicating with the attacker.

The Red Cross is imploring threat actors to show mercy by abstaining from leaking data belonging to 515,000+ “highly vulnerable” people. The data was stolen from a program used to reunite family members split apart by war, disaster or migration.

“While we don’t know who is responsible for this attack, or why they carried it out, we do have this appeal to make to them,” Robert Mardini, the director general of the International Committee for the Red Cross (ICRC), said in a release on Wednesday. “Your actions could potentially cause yet more harm and pain to those who have already endured untold suffering. The real people, the real families behind the information you now have are among the world’s least powerful. Please do the right thing. Do not share, sell, leak or otherwise use this data.”

https://threatpost.com/red-cross-begs-attackers-not-to-leak-515k-peoples-stolen-data/177799/

DHL Dethrones Microsoft As Most Imitated Brand In Phishing Attacks

DHL was the most imitated brand in phishing campaigns throughout Q4 2021, pushing Microsoft to second place, and Google to fourth.

This isn't surprising considering that the final quarter of every year includes the Black Friday, Cyber Monday, and Christmas shopping season, so phishing lures based on package deliveries naturally increase.

DHL is an international package delivery and express mail service, delivering over 1.6 billion parcels per year.

As such, phishing campaigns impersonating the brand have good chances of reaching people who are waiting for a DHL package to arrive during the holiday season.

The specific lures range from a package that is stuck at customs and requires action for clearance to supposed tracking numbers that hide inside document attachments or embedded links.

https://www.bleepingcomputer.com/news/security/dhl-dethrones-microsoft-as-most-imitated-brand-in-phishing-attacks/

Threats

Ransomware

BEC – Business Email Compromise

Phishing

Malware

Data Breaches/Leaks

Organised Crime & Criminal Actors

Cryptocurrency/Cryptomining/Cryptojacking

Insider Risk and Insider Threats

Fraud, Scams & Financial Crime

Insurance

CNI, OT, ICS, IIoT and SCADA

Nation State Actors

Cloud

Privacy

Passwords & Credential Stuffing

Spyware, Espionage & Cyber Warfare

Vulnerabilities

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Read More
Black Arrow Admin Black Arrow Admin

Black Arrow Cyber Threat Briefing 27 August 2021

Black Arrow Cyber Threat Briefing 27 August 2021

-Cyber Crime Losses Triple To £1.3bn In 1h 2021

-New Ransomware Wake-Up Call

-22% Of Cyber Security Incidents In H1 2021 Were Ransomware Attacks

-Key Email Threats And The High Cost Of Business Email Compromise

-Microsoft Warns Thousands Of Cloud Customers Of Exposed Databases

-58% Of IT Leaders Worried Their Business Could Become A Target Of Rising Nation State Attacks

-Cyber Insurance Market Encounters ‘Crisis Moment’ As Ransomware Costs Pile Up

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

Cyber Crime Losses Triple To £1.3bn In H1 2021

Individuals and organisations lost three times more money to cyber crime and fraud in the first half of the year compared to the same period in 2020, as incidents soared, according to new figures. The report revealed that between January 1 and July 31 2020, victims lost £414.7m to cyber crime and fraud. However, the figure surged to £1.3bn for the same period in 2021. This can be partly explained by the huge increase in cases from last year to this. In the first half of 2020, there were just 39,160 reported to Action Fraud, versus 289,437 in the first six months of 2021. https://www.infosecurity-magazine.com/news/cybercrime-losses-triple-to-13bn/

Ransomware On A Rampage; A New Wake-Up Call

The ransomware rampage is continuing at pace and continues to create significant cyber security challenges. The use of ransomware by hackers to leverage exploits and extract financial benefits is not new. Ransomware has been around for over 2 decades, (early use of basic ransomware malware was used in the late 1980s) but as of late, it has become a trending and more dangerous cybersecurity threat. The inter-connectivity of digital commerce and expanding attack surfaces have enhanced the utility of ransomware as cyber weapon of choice for bad actors. Like bank robbers, cyber criminals go where the money is accessible. And it is now easier for them to reap benefits from extortion. Hackers can now demand cryptocurrencies payments or pre-paid cards that can be anonymously transacted. Those means of digital payments are difficult to trace by law enforcement. https://www.forbes.com/sites/chuckbrooks/2021/08/21/ransomware-on-a-rampage-a-new-wake-up-call/?sh=64a622362e81

22% Of Cyber Security Incidents In H1 2021 Were Ransomware Attacks

A report uncovered the number and nature of UK cyber security breaches reported to the UK Information Commissioner’s Office (ICO) in 2020 and 2021. So far in 2021 phishing was to blame for most incidents, accounting for 40% of all cyber security cases reported to the ICO, slightly down from 44% the year before. However, ransomware is surging, up from 11% of all reported incidents in the first half of 2020 to 22% in 2021. https://www.helpnetsecurity.com/2021/08/25/cybersecurity-incidents-h1-2021/

Ransomware: These Four Rising Gangs Could Be Your Next Major Cyber Security Threat

In recent months some significant ransomware operators have seemingly disappeared. But that doesn't mean that ransomware is any less of a problem, quite the opposite – new groups are emerging to fill the gaps and are often worse than the gangs that went before them. Cyber security researchers have detailed four upcoming families of ransomware discovered during investigations – and under the right circumstances, any of them could become the next big ransomware threat. One of these is LockBit 2.0, a ransomware-as-a-service operation that has existed since September 2019 but has gained major traction over the course of this summer. Those behind it revamped their dark web operations in June – when they launched the 2.0 version of LockBit – and aggressive advertising has drawn attention from cyber criminals. https://www.zdnet.com/article/ransomware-these-four-rising-threats-could-be-the-next-major-cybersecurity-risk-facing-your-business/

Key Email Threats And The High Cost Of Business Email Compromise

Researchers published the results of a study analysing over 31 million threats across multiple organisations and industries, with new findings and warnings issued by technical experts that every organisation should be aware of. A key aspect to preventing attacks is having a deep understanding of cyber actor patterns and continuously monitoring and deconstructing campaigns to anticipate future ones. Phishing can be a profitable business model, and most breaches begin with a phishing email. What appears to be an innocent email from a trusted vendor or internal department can lead to firm-wide shutdowns, loss of crucial data, and millions in financial costs. As detailed in the report, threats ranging from ransomware, credential harvesters to difficult-to-discover but costly Business Email Compromise (BEC) targeted inboxes, could have resulted in over $354 million in direct losses had they been successful. https://www.helpnetsecurity.com/2021/08/23/key-email-threats/

Microsoft Warns Thousands Of Cloud Customers Of Exposed Databases

Microsoft on Thursday warned thousands of its cloud computing customers, including some of the world's largest companies, that intruders could have the ability to read, change or even delete their main databases, according to a copy of the email and a cyber security researcher. The vulnerability is in Microsoft Azure's flagship Cosmos DB database. A research team at security a company discovered it was able to access keys that control access to databases held by thousands of companies. https://www.reuters.com/technology/exclusive-microsoft-warns-thousands-cloud-customers-exposed-databases-emails-2021-08-26/

58% Of IT Leaders Worried Their Business Could Become A Target Of Rising Nation State Attacks

Researchers released the findings of a global survey of 1,100 IT decision makers (ITDMs), examining their concerns around rising nation state attacks. 72% of respondents said they worry that nation state tools, techniques, and procedures (TTPs) could filter through to the dark net and be used to attack their business. https://www.helpnetsecurity.com/2021/08/23/rising-nation-state-attacks/

Cyber Insurance Market Encounters ‘Crisis Moment’ As Ransomware Costs Pile Up

It’s a sure sign of trouble when leading insurance industry executives are worried about their own prices going up. Ransomware now accounts for 75% of all cyber insurance claims, up from 55% in 2016, according to the credit ratings agency. The percentage increase in claims is outpacing that of premiums, said a June report which concluded that “the prospects for the cyber insurance market are grim.” Fitch Ratings in April found that the ratio of losses to premiums earned was at 73% last year, jeopardizing the profitability of the industry. https://www.cyberscoop.com/cyber-insurance-ransomware-crisis/

Security Teams Report Rise In Cyber Risk

Do you feel like you are gaining in your ability to protect your data and your network? If you are like 80% of respondents to the a recent report, you expect to experience a data breach that compromises customer data in the next 12 months. The report surveyed more than 3,600 businesses of all sizes and industries across North America, Europe, Asia-Pacific, and Latin America for their thoughts on cyber risk. Despite an increased focus on security due to high-profile ransomware and other attacks in the past year, respondents reported a rise in risk due to inadequate security processes like backing up key assets. https://www.csoonline.com/article/3629477/security-teams-report-rise-in-cyber-risk.html

WARNING: Microsoft Exchange Under Attack With ProxyShell Flaws

The U.S. Cyber security and Infrastructure Security Agency is warning of active exploitation attempts that leverage the latest line of "ProxyShell" Microsoft Exchange vulnerabilities that were patched earlier this May, including deploying LockFile ransomware on compromised systems. The vulnerabilities enable adversaries to bypass ACL controls, elevate privileges on the Exchange PowerShell backend, effectively permitting the attacker to perform unauthenticated, remote code execution. While the former two were addressed by Microsoft on April 13, a patch for CVE-2021-31207 was shipped as part of the Windows maker's May Patch Tuesday updates. https://thehackernews.com/2021/08/microsoft-exchange-under-attack-with.html

Threats

Ransomware

Phishing

Other Social Engineering

Malware

Mobile

IOT

Vulnerabilities

Data Breaches/Leaks

Organised Crime & Criminal Actors

Cryptocurrency/Cryptojacking

Insider Threats

DoS/DDoS

OT, ICS, IIoT and SCADA

Nation State Actors

Cloud

Privacy

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Read More
Black Arrow Admin Black Arrow Admin

Black Arrow Cyber Threat Briefing 26 March 2021

Black Arrow Cyber Threat Briefing 26 March 2021: Cyber Warfare Will Grind Britain’s Economy To A Halt; $2 Billion Lost To BEC Scams In 2020; Ransomware Gangs Targets Firms With Cyber Insurance; Three Billion Phishing Emails Are Sent Every Day; $50 Million Ransomware For Computer Maker Acer; Office 365 Phishing Attack Targets Financial Execs; MS Exchange Hacking, Thousands Of Email Servers Still Compromised; Average Ransom Payment Surged 171% in 2020; Phishers’ Perfect Targets: Employees Getting Back To The Office; Nasty Malware Stealing Amazon, Facebook And Google Passwords

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

Cyber Warfare Will Grind Britain’s Economy To A Halt

The UK Integrated Security, Defence, Development and Foreign Policy Review was published this week, reflecting on current concerns and previously announced initiatives. The policy made it clear that emerging networks and technologies, such as electric vehicle charging points, provide an opportunity for adversaries to unbalance, paralyse or even defeat us, and a large scale attack on the UK could grind Britain’s economy to a halt.

https://www.telegraph.co.uk/technology/2021/03/22/cyber-warfare-will-grind-britains-economy-halt/

Almost $2 Billion Lost To BEC Scams In 2020

Losses emanating from Business Email Compromise (BEC) and Email Account Compromise (EAC) scams surpassed US$1.86 billion last year, which is more than the combined losses stemming from the next six costliest types of cyber crime. 19,000 reports of BEC/EAC scams last year, a decrease compared to the almost 24,000 incidents reported in 2019. The associated losses, however, increased by over US$90 million and accounted for 45 percent of the total losses (US$4.2 billion).

https://www.welivesecurity.com/2021/03/23/almost-2billion-lost-bec-scams-2020/

Ransomware Gang Says It Targets Firms Who Have Cyber Insurance

What I found particularly fascinating was a claim made by “Unknown” that the REvil gang specifically targets firms who have taken out insurance against ransomware attacks – presumably in the understandable belief that those corporate victims are more likely to pay up.

https://grahamcluley.com/ransomware-gang-says-it-targets-firms-with-cyber-insurance/

Three Billion Phishing Emails Are Sent Every Day

Cyber criminals are sending over three billion emails a day as part of phishing attacks designed to look like they come from trusted senders. By spoofing the sender identity used in the 'from' field in messages, cyber criminals attempt to lure potential victims into opening emails from names they trust. This could be the name of a trusted brand like a retailer or delivery company, or even, in more sophisticated attacks, the name of their CEO or a colleague.

https://www.zdnet.com/article/three-billion-phishing-emails-are-sent-every-day-but-one-change-could-make-life-much-harder-for-scammers/

Ransomware Gang Demands $50 Million From Computer Maker Acer

Acer has suffered a ransomware attack over the past weekend at the hands of the REvil ransomware gang, which is now demanding a whopping $50 million ransom payment to decrypt the company’s computers and not leak its data on the dark web. The attack has not disrupted production systems but only hit the company’s back-office network. The security breach was not deemed disruptive enough to prevent or delay the computer maker from announcing its Q4 2020 financial results on Wednesday.

https://therecord.media/ransomware-gang-demands-50-million-from-computer-maker-acer/

Office 365 Phishing Attack Targets Financial Execs

A new phishing scam is on the rise, targeting executives in the insurance and financial services industries to harvest their Microsoft 365 credentials and launch business email compromise (BEC) attacks. These new, sophisticated attacks are aimed at C-suite executives, their assistants, and financial departments, and can work around email security and Office 365 defences.

https://threatpost.com/office-365-phishing-attack-financial-execs/164925/

Microsoft Exchange Hacking: Thousands Of Email Servers Still Compromised – Ransomware Operators Still Piling In On Already Hacked Servers

Thousands of Microsoft Exchange servers are still compromised by hackers even after applying fixes. Owners of email servers that were compromised before Microsoft Corp. issued a patch nearly three weeks ago must take additional measures to remove the hackers from their networks. Microsoft has previously warned that patching will not evict a hacker who has already compromised a server.

https://www.livemint.com/technology/tech-news/microsoft-exchange-hacking-thousands-of-email-servers-still-compromised-11616462322125.html

Average Ransom Payment Surged 171% in 2020

The average ransomware payment soared by 171% year-on-year in 2020 as cyber crime gangs queued up to exploit the pandemic. The security vendor’s Unit 42 division compiled its Ransomware Threat Report 2021 from analysis of over 19,000 network sessions, 252 ransomware leak sites and 337 victim organizations.

https://www.infosecurity-magazine.com/news/average-ransom-payment-surged-171/

Phishers’ Perfect Targets: Employees Getting Back To The Office

Phishers have been exploiting people’s fear and curiosity regarding breakthroughs and general news related to the COVID-19 pandemic from the very start and will continue to do it for as long it affects out private and working lives. Cyber criminals continually exploit public interest in COVID-19 relief, vaccines, and variant news, spoofing the Centers for Disease Control (CDC), U.S. Internal Revenue Service (IRS), U.S. Department of Health and Human Services (HHS), World Health Organization (WHO), and other agencies and businesses.

https://www.helpnetsecurity.com/2021/03/22/phishers-employees/

Nasty Malware Stealing Amazon, Facebook And Google Passwords

A new piece of malware called CopperStealer is lurking in “cracked” software downloads available on pirated-content sites, and the malware can compromise your login info for Amazon, Apple, Facebook and Google, among other services. Notably, CopperStealer runs on the same basic principles as SilentFade, a pernicious piece of malware that ravaged Facebook accounts back in 2019.

https://www.tomsguide.com/news/cracked-software-copperstealer-malware

Threats

Ransomware

Phishing

Malware

IOT

Vulnerabilities

Data Breaches

Organised Crime & Criminal Actors

OT, ICS, IIoT and SCADA

Nation State Actors

Privacy

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Read More
Black Arrow Admin Black Arrow Admin

Black Arrow Cyber Threat Briefing 12 March 2021

Black Arrow Cyber Threat Briefing 12 March 2021: ‘Really Messy’: Why The Hack of Microsoft’s Email System Is Getting Worse - Attacks Doubling Every Two Hours; Trickbot Malware Becoming Huge Security Headache; Criminals Targeting Browser Zero Days; More Than 1m Small Businesses ‘At Risk Of Collapse’ Due To Cyber Threats; Ransomware Attacks Up 150%; Massive Supply-Chain Cyber Attack Breaches Several Airlines; Millions Of Windows Devices Are Still Infested With Malware; Browser Extensions Looking at Bank Accounts?

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Image by Tumisu from Pixabay

Top Cyber Stories of the Last Week

‘Really Messy’: Why The Hack of Microsoft’s Email System Is Getting Worse, With Attacks Doubling Every Two Hours

The cyber security community sprang into action after Microsoft first announced a series of vulnerabilities that let hackers break into the company's Exchange email and calendar programs. China has used it to spy on a wide range of industries in the United States ranging from medical research to law firms to defence contractors, the company said. China has denied responsibility. In the past 24 hours, the team has observed "exploitation attempts on organizations doubling every two to three hours." The countries feeling the brunt of attack attempts are Turkey, the United States, and Italy, accounting for 19%, 18%, and 10% of all tracked exploit attempts, respectively.

https://www.nbcnews.com/tech/security/really-messy-hack-microsofts-email-system-getting-worse-rcna377

https://www.zdnet.com/article/microsoft-exchange-server-hacks-doubling-every-two-hours/

Trickbot Malware Is Now Your Biggest Security Headache

Trickbot malware has risen to fill the gap left by the takedown of the Emotet botnet, with a higher number of criminals shifting towards it to distribute malware attacks. Emotet was the world's most prolific and dangerous malware botnet before it was disrupted by an international law enforcement operation in January this year.

https://www.zdnet.com/article/this-trojan-malware-is-now-your-biggest-security-headache/

Cyber Criminals Are Increasingly Targeting Browser Zero Days

As more and more of our work is done within our browsers, cyber criminals have begun to leverage web browser exploits to compromise endpoint systems, according to new research from Menlo Security. At the same time, enterprises around the world were forced to make an almost overnight transition to remote work last year and this surge in employees working from home along with the shift to cloud computing have resulted in a greatly increased attack surface.

https://www.techradar.com/news/cybercriminals-are-increasingly-targeting-browser-zero-days

More Than 1m Small Businesses ‘At Risk Of Collapse’ Due To Cyber Threats

The research, commissioned by Vodafone, also showed that 16 per cent of firms would likely be forced to lay off staff in the event of a hack. As a result, the report called on ministers to beef up the country’s corporate cyber defences, warning that a failure to do so could hamper the post-pandemic economic recovery. It urged the government to expand a dedicated business cyber security within the National Cyber Security Centre (NCSC), which is part of GCHQ, and introduce a five per cent VAT cut on cybersecurity products for small companies.

Number Of Ransomware Attacks Grew By More Than 150%

By the end of 2020, the ransomware market, fueled by the pandemic turbulence, had turned into the biggest cyber crime money artery. Based on the analysis of more than 500 attacks observed during Group-IB’s own incident response engagements and cyber threat intelligence activity, researchers estimate that the number of ransomware attacks grew by more than 150% in 2020.

https://www.helpnetsecurity.com/2021/03/08/ransomware-attacks-grew-2020/

Hackers Are Using Home Office Selfies To Steal Your Personal Data

The pandemic has been the source of plenty of memes and new internet trends, not least the remote working selfie, which involves people taking photos of their home office setup or video conferencing sessions. However, a new blog suggests cyber criminals are capitalizing on this new genre of selfie to steal a range of personal data that could be used to execute identity or financial fraud.

https://www.techradar.com/uk/news/hackers-are-using-home-office-selfies-to-steal-your-personal-data

Massive Supply-Chain Cyber Attack Breaches Several Airlines

A communications and IT vendor for 90 percent of the world’s airlines, SITA, has been breached, compromising passenger data stored on the company’s U.S. servers in what the company is calling a “highly sophisticated attack.” The affected servers are in Atlanta, and belong to the SITA Passenger Service System (SITA PSS).

https://threatpost.com/supply-chain-cyberattack-airlines/164549/

Millions Of Windows Devices Are Still Infested With Malware

Over 100 million Windows consumer and business devices across the world were infected with malware last year, new analysis has found. While examining the recent Malwarebytes "State of Malware" report, Atlas VPN noted that whilst the number of infected Windows machines seems high, this landmark figure was actually 12% drop when compared to 2019.

https://www.techradar.com/uk/news/millions-of-windows-devices-are-still-infested-with-malware

Did You Know Browser Extensions Are Looking at Your Bank Account?

Browser extensions have full access to all the web pages you visit. It can see which web pages you are browsing, read their contents, and watch everything you type. It could even modify the web pages—for example, by inserting extra advertisements. If the extension is malicious, it could gather all that private data of yours—from web browsing activity and the emails you type to your passwords and financial information—and send it to a remote server on the internet.

https://www.howtogeek.com/716771/did-you-know-browser-extensions-are-looking-at-your-bank-account/

Threats

Ransomware

Phishing

Malware

Mobile

Vulnerabilities

Organised Crime

Dark Web

OT, ICS, IIoT and SCADA

Nation-State Actors

Privacy

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Read More
Black Arrow Admin Black Arrow Admin

Black Arrow Cyber Threat Briefing 18 December 2020

Black Arrow Cyber Threat Briefing 18 December 2020: The great hack attack - SolarWinds breach exposes big gaps in cyber security; A wake-up for the world on cyber security; White House activates cyber emergency response; US nuclear weapons agency targeted; UK companies targeted; Increasing Risk of Cyber Attacks; millions of users install malicious browser extensions; C19 Vaccines sold on dark web

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities and cyber related news from the last week.

Top Cyber Headlines of the Week

The great hack attack: SolarWinds breach exposes big gaps in cyber security

Until this week, SolarWinds was a little known IT software group from Texas. Its deserted lobby has a framed magazine article from a few years ago when it was on a list of America’s “Best Small Companies”.

Now the Austin-based company is at the heart of one of the biggest and most startling cyber hacks in recent history, with ramifications that extend into the fields of geopolitics, espionage and national security.

For nine months, sophisticated state-backed hackers have exploited a ubiquitous SolarWinds software product in order to spy on government and business networks around the world, including in the US, UK, Israel and Canada. Wielding innovative tools and tradecraft, the cyber spies lurked in email services, and posed as legitimate staffers to tap confidential information stored in the cloud.

The bombshell revelations have sent 18,000 exposed SolarWinds customers scrambling to assess whether outsiders did indeed enter their systems, what the damage was and how to fix it.

https://www.ft.com/content/c13dbb51-907b-4db7-8347-30921ef931c2

A wake-up for the world on cyber security

Imagine intruders break into your home and loiter undetected for months, spying on you and deciding which contents to steal. This in essence is the kind of access that hackers, assumed to be Russian, achieved in recent months at US government institutions including the Treasury and departments of commerce and homeland security, and potentially many US companies. If the fear in the Cold War was of occasional “moles” gaining access to secrets, this is akin to a small army of moles burrowing through computer systems. The impact is still being assessed, but it marks one of the biggest security breaches of the digital era.

https://www.ft.com/content/d3fc0b14-4a82-4671-b023-078516ea714e

US government, thousands of businesses now thought to have been affected by SolarWinds security attack

Thousands of businesses and several branches of the US government are now thought to have been affected by the attack on software firm SolarWinds.

The Austin-based company has fallen victim to a massive supply chain attack believed to be the work of state-sponsored hackers.

Along with the US treasury and commerce departments, the Department of Homeland Security is now thought to have been affected by the attack. In a statement to the SEC today, SolarWinds said it had notified 33,000 customers of its recent hack, but that only 18,000 of these used the affected version of its Orion platform.

https://www.techradar.com/uk/news/solarwinds-suffers-massive-supply-chain-attack

White House activates cyber emergency response under Obama-era directive

In the wake of the SolarWinds breach, the National Security Council has activated an emergency cyber security process that is intended to help the government plan its response and recovery efforts, according to White House officials and other sources.

The move is a sign of just how seriously the Trump administration is taking the foreign espionage operation, former NSC officials told CyberScoop.

The action is rooted in a presidential directive issued during the Obama administration known as PPD-41, which establishes a Cyber Unified Coordination Group (UCG) that is intended to help the U.S. government coordinate multiple agencies’ responses to the significant hacking incident.

The UCG is generally led by the Department of Justice — through the FBI and the National Cyber Investigative Joint Task Force — as well as the Office of the Director of National Intelligence and the Department of Homeland Security.

https://www.cyberscoop.com/solarwinds-white-house-national-security-council-emergency-meetings/

Hackers targeted US nuclear weapons agency in massive cyber security breach, reports say

The National Nuclear Security Administration and Energy Department, which safeguard the US stockpile of nuclear weapons, have had their networks hacked as part of the widespread cyber espionage attack on a number of federal agencies.

Politico reports that officials have begun coordinating notifications about the security breach to the relevant congressional oversight bodies.

Suspicious activity was identified in the networks of the Federal Energy Regulatory Commission (FERC), Los Alamos and Sandia national laboratories in New Mexico and Washington, the Office of Secure Transportation, and the Richland Field Office of the Department of Energy.

Officials with direct knowledge of the matter said hackers have been able to do more damage to the network at FERC, according to the report.

https://www.independent.co.uk/news/world/americas/us-politics/hackers-nuclear-weapons-cybersecurity-b1775864.html

Microsoft warns UK companies were targeted by SolarWinds hackers

Microsoft has warned that some of its UK customers have been exposed to the malware used in the Russia-linked SolarWinds hack that targeted US states and government agencies.

More than 40 of the tech giant's customers are thought to have used breached SolarWinds software, including clients in Britain, the US, Canada, Mexico, Belgium, Spain, Israel, and the UAE.

The company would not name the victims, but said they include government agencies, think tanks, non-governmental organisations and IT firms. Microsoft said four in five were in the US, with nearly half of them tech companies.

“This is not ‘espionage as usual,’ even in the digital age,” said Brad Smith, Microsoft's president. “Instead, it represents an act of recklessness that created a serious technological vulnerability for the United States and the world.”

The attackers, believed to be working for the Russian government, got into computer networks by installing a vulnerability in Orion software from SolarWinds.

https://www.telegraph.co.uk/technology/2020/12/18/microsoft-warns-uk-companies-targeted-solarwinds-hackers/

Society at Increasingly High Risk of Cyber Attacks

Cyber attacks are becoming easier to conduct while conversely security is getting increasingly difficult, according to Kevin Curran, senior IEEE member and professor of cyber security, Ulster University, during a virtual media roundtable.

“Any company you can think of has had a data breach,” he commented. “Whenever a data breach happens it weakens our credentials because our passwords are often reused on different websites.”

He observed that the art of hacking doesn’t necessarily require a significant amount of technical expertise anymore, and bad actors can receive substantial help from numerous and readily accessible tools online. “You don’t have to spend seven years in college to learn how to hack, you just have to know about these sites and what terms to use,” noted Curran.

A number of legitimate online mechanisms that can help damaging attacks to be launched by hackers were highlighted by Curran in his presentation. These include Google Dorks, which are “search strings which point to website vulnerabilities.” This means vulnerable accounts can be identified simply via Google searches.

https://www.infosecurity-magazine.com/news/society-increasingly-risk-cyber/

Three million users installed 28 malicious Chrome or Edge extensions

More than three million internet users are believed to have installed 15 Chrome, and 13 Edge extensions that contain malicious code, security firm Avast said today.

The 28 extensions contained code that could perform several malicious operations, including:

-redirect user traffic to ads

-redirect user traffic to phishing sites

-collect personal data, such as birth dates, email addresses, and active devices

-collect browsing history

-download further malware onto a user's device

But despite the presence of code to power all the above malicious features, Avast researchers said they believe the primary objective of this campaign was to hijack user traffic for monetary gains.

https://www.zdnet.com/article/three-million-users-installed-28-malicious-chrome-or-edge-extensions/

Vaccines for sale on dark web as criminals target pandemic profits

Black market vendors were offering coronavirus vaccines for sale on hidden parts of the internet days after the first Covid-19 shot was approved this month, as criminals seek to profit from global demand for inoculations.

One such offer on the so-called dark web, traced by cyber security company Check Point Software, was priced at $250 with the seller promising “stealth” delivery in double-wrapped packaging. Shipping from the US via post or a leading courier company would cost $20, with an extra $5 securing overnight delivery.

https://www.ft.com/content/8bfc674e-efe6-4ee0-b860-7fcb5716bed6

Threats

Ransomware

Phishing

IoT

Malware

Vulnerabilities

Data Breaches

Organised Crime

Nation State Actors

Privacy

Other News

Reports Published in the Last Week

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Read More
Black Arrow Admin Black Arrow Admin

Cyber Weekly Flash Briefing 31 July 2020: 386M user records stolen, Twitter spear-phishing, Garmin may have paid ransom, 27% of consumers hit with Covid19 phishing scams, Netflix phishing scam

Cyber Weekly Flash Briefing 31 July 2020: 386M user records stolen, Twitter says attack was spear-phishing, Criminals still exploiting COVID19, Netwalker ransomware, Garmin may have paid ransom, QNAP NAS devices infected, Hackers exploit networking vulns, 27% of consumers hit with pandemic-themed phishing scams, New Netflix phishing scam

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

386 million user records stolen in data breaches — and they're being given away for free

A notorious hacker or group of hackers is giving away copies of databases said to contain 386 million user records, after posting links to the databases on a marketplace used by cyber criminals.

The threat actor, who goes by the name ShinyHunters, claims to have data stolen from 18 different websites in the past seven months. According to reports, ShinyHungers last week began uploading the databases to a forum where anyone can download them free of charge.

ShinyHunters is believed to have played a role in high-profile data breaches at HomeChef, Promo.com, Mathway, Chatbooks, Dave.com, Wattpad and even Microsoft's GitHub account. Many of these records were previously offered for sale online.

Why this matters:

Any details stolen from one site or service will be used against other sites and services, this is why it is critical that passwords are not reused across different sites and that all passwords are unique. Using multi factor authentication is also very effective at safeguarding against these types of attacks.

Read more here: https://www.tomsguide.com/news/shinyhunters-breach-giveaway

Twitter says spear-phishing attack on employees led to breach

Twitter said a large hack two weeks ago targeted a small number of employees through a phone “spear-phishing” attack.

The social media platform said the hackers targeted about 130 accounts, tweeted from 45, accessed the inboxes of 36, and were able to download Twitter data from seven.

Attackers also targeted specific employees who had access to account support tools, Twitter said. The company added it has since restricted access to its internal tools and systems.

Twitter suffered a major security breach on 15 July that saw hackers take control of the accounts of major public figures and corporations, including Joe Biden, Barack Obama, Elon Musk, Bill Gates, Jeff Bezos and Apple.

The hack unfolded over the course of several hours, and in the course of halting it, Twitter stopped all verified accounts from tweeting – an unprecedented measure.

Publicly available blockchain records show the apparent scammers received more than $100,000 worth of cryptocurrency.

Why this matters?

It is nearly always a lot easier for attackers to attack your users than it is to attack your systems. IT controls alone cannot protect against social engineering attacks so making sure your staff are trained so they don’t fall for social engineering attacks is a critical part of your defence.

Read more here: https://www.theguardian.com/technology/2020/jul/30/twitter-breach-hackers-spear-phishing-attack

Cyber-Criminals Continue to Exploit #COVID19 During Q2

Cyber-criminals’ exploitation of the COVID-19 pandemic to target individuals and businesses has continued unabated during the second quarter of 2020, according to one Cyber Security firm’s Q2 2020 Threat Report published today. The findings highlight how the crisis is defining the cybersecurity landscape in Q2 in a similar way as it did in Q1 after the pandemic first struck.

The firm observed a continuous focus on phishing using COVID-19 lures in this period. This included criminals taking advantage of the rise in online shopping that has occurred during the pandemic, with a 10-fold increase in phishing emails impersonating one of the world’s leading package delivery services found in comparison to Q1.

The shift to remote working as a result of the pandemic has also led to increased targeting of Remote Desktop Protocol’s in recent months.

Ransomware tactics were found to be “rapidly developing” in this period, with operators moving away from doxing and random data leaking towards auctioning the stolen data on dedicated underground sites.

Why does this matter?

The Coronavirus crisis gave criminals an efficient lure to bait phishing emails with and for as long as it is working they will continue to exploit this crisis. It’s like we always say “cyber criminals will never let a good crisis or tragedy go to waste”

Read more here: https://www.infosecurity-magazine.com/news/cyber-criminals-exploit-covid/

FBI Releases Flash Alert on Netwalker Ransomware

The US Federal Bureau of Investigations (FBI) released a flash alert in which it warned organisations about the dangers of Netwalker ransomware.

The FBI said that it had received notifications of attacks involving Netwalker against U.S. and foreign government organisations along with entities operating in the healthcare and education sectors.

In its alert, the FBI noted that those responsible for Netwalker had used COVID-19 phishing emails and unpatched vulnerabilities affecting VPN apps to gain entry into an organisation. The malicious actors had then used their crypto-malware to harvest administrator credentials and steal data from their victims. Ultimately, the attackers uploaded that stolen information to a file-sharing service.

Once they had come into possession of a victim’s data, the nefarious individuals activated the ransomware’s encryption routine. This step led the threat to encrypt all connected Windows-based devices and information before dropping a ransom note on the infected machine.

Why does this matter?

Ransomware remains one of the biggest risks for all firms, organisations and individuals, and the majority of the time the ransomware infection will stem from a phishing email that a user within an organisation clicked on. As with all social engineering attacks IT controls alone are of limited effectiveness and defending against these attacks comes down to educating your users and instilling in them the importance of the role they play in defending an organisation.

Read more here: https://www.tripwire.com/state-of-security/security-data-protection/fbi-releases-flash-alert-on-netwalker-ransomware/

Garmin may have paid hackers ransom, reports suggest

Fitness wearable and Navtech supplier Garmin may have given in to the demands of cyber criminals who encrypted its systems with ransomware, according to news reports that suggest the firm has obtained a decryption key to recover its files, strongly suggesting it has either paid up, or brokered some kind of deal.

In a statement issued four days after its services first went offline, Garmin finally confirmed it had been the victim of a cyber attack, having previously limited its response to saying it was experiencing an outage. It has not yet confirmed it was the victim of a ransomware incident, although this is now all but certain.

A spokesperson said: “Garmin today announced it was the victim of a cyber attack that encrypted some of our systems on July 23, 2020. As a result, many of our online services were interrupted including website functions, customer support, customer-facing applications, and company communications. We immediately began to assess the nature of the attack and started remediation,” said the firm.

“We have no indication that any customer data, including payment information from Garmin Pay, was accessed, lost or stolen. Additionally, the functionality of Garmin products was not affected, other than the ability to access online services.

Why does this matter?

Ransomware can affect firms of any size, from the smallest to the largest, no firm or organisation is immune and even firms that are spending millions or tens of millions on advanced protections and controls can still fall victim. These types of attacks go after the people working for an organisation, not the organisations technical infrastructure and technical controls are of limited use in defending against these types of attacks. An organisation needs to ensure their users are efficient at spotting phishing emails, it only takes one user clicking on one malicious email to take down a multinational corporation.

Read more here: https://www.computerweekly.com/news/252486775/Garmin-may-have-paid-hackers-ransom-reports-suggest

Cyber-security agencies from the UK and the US say 62,000 QNAP NAS devices have been infected with the QSnatch malware

The UK NCSC and US CISA published a joint security alert this week about QSnatch, a strain of malware that has been infecting network-attached storage (NAS) devices from Taiwanese device maker QNAP.

In alerts  by the United States Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom's National Cyber Security Centre (NCSC), the two agencies say that attacks with the QSnatch malware have been traced back to 2014, but attacks intensified over the last year when the number of reported infections grew from 7,000 devices in October 2019 to more than 62,000 in mid-June 2020.

Of these, CISA and the NSCS say that approximately 7,600 of the infected devices are located in the US, and around 3,900 in the UK.

Why this matters?

Vulnerable devices can be used to steal credentials (usernames and passwords) and exfiltrate information from devices on the network. It is important to keep devices up to date with the latest security patches to close any vulnerabilities before they can be exploited.

Read more here: https://www.zdnet.com/article/cisa-says-62000-qnap-nas-devices-have-been-infected-with-the-qsnatch-malware/

Hackers actively exploit high-severity networking vulnerabilities

Hackers are actively exploiting two unrelated high-severity vulnerabilities that allow unauthenticated access or even a complete takeover of networks run by FTSE100/Fortune 500 companies and government organisations.

The most serious exploits are targeting a critical vulnerability in F5’s Big-IP advanced delivery controller, a device that’s typically placed between a perimeter firewall and a Web application to handle load balancing and other tasks. The vulnerability, which F5 patched three weeks ago, allows unauthenticated attackers to remotely run commands or code of their choice. Attackers can then use their control of the device to hijack the internal network it’s connected to.

Why this matters?

Vulnerable devices such as this can be used to gain access to internal networks. It is important to keep devices up to date with the latest security patches to close any vulnerabilities before they can be exploited. When a vendor releases updates they should be installed as soon as possible, ideally having been tested before updates are applied in your live environment.

Read more here: https://arstechnica.com/information-technology/2020/07/hackers-actively-exploit-high-severity-networking-vulnerabilities/

27% of consumers hit with pandemic-themed phishing scams

Phishing is the top digital fraud scheme worldwide related to the COVID-19 pandemic, according to new research.

Among consumers reporting being targeted with digital COVID-19 schemes globally, 27% said they were hit with pandemic-themed phishing scams.

Identity fraud is a primary way fraudsters leverage stolen consumer data from phishing and other social engineering schemes. It can have long-term impacts for consumers such as the compromise of multiple online accounts and bringing down credit scores, which we anticipate will increase during pandemic reconstruction.

To better understand the impacts of COVID-19 on consumers, 7,384 adults in Canada, Colombia, Hong Kong, South Africa, the U.K., and the U.S. have been surveyed between June 30 and July 6, 2020.

It asked the consumers if they had been targeted by digital COVID-19 fraud and if so, which digital fraud scheme(s) related to COVID-19 were they targeted with. Globally, 32% said they had been targeted by digital fraud related to COVID-19 with the below being the top types of COVID-19 fraud they faced:

Top global online COVID-19 scams targeting consumers:

Why this matters?

Whatever works for criminals they will continue doing. Until consumers, as well as businesses, get better at detecting these scams and get better at spotting phishing emails criminals will carry on using the latest crisis or tragedy to get users to click on malicious emails and open their networks to attackers.

Read more here: https://www.helpnetsecurity.com/2020/07/24/pandemic-themed-phishing-scams/

New Netflix phishing scam uncovered - here’s how to stay safe

Security analysts have uncovered a dangerous and highly convincing new Netflix phishing scam, capable of evading traditional email security software.

The phishing email masquerades as a billing error alert, pressing the victim to update their payment details within 24 hours or have their Netflix subscription voided.

The link provided in the email redirects to a functioning CAPTCHA form, used in legitimate scenarios to distinguish between humans and AI. Although this step adds a layer of friction to the process, it serves to enhance the sense of legitimacy the attacker is attempting to cultivate.

After handing over account credentials, billing address and payment card information, the victim is then redirected to the genuine Netflix home page, unaware their data has been compromised.

Why does this matter?

Phishing campaigns like this cast a wide net and only need a small number of victims to fall for it to turn a profit, and that means these types of scams are not going to go away any time soon. If no one fell for them they would stop. Always question any email that urges you to take action quickly under the guise of some threat.

Read more here: https://www.techradar.com/news/dangerous-new-netflix-phishing-scam-hits-the-scene-heres-what-you-need-to-know

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Read More