Threat Intelligence Blog
Contact us to discuss any insights from our Blog, and how we can support you in a tailored threat intelligence report.
Black Arrow Cyber Threat Briefing 09 July 2021
Black Arrow Cyber Threat Briefing 09 July 2021: Hackers Demand $70 Million To End Biggest Ransomware Attack On Record; Zero Day Malware Reached An All-Time High In Q1 2021; New Trojan Malware Steals Millions Of Login Credentials; MacOS Targeted In WildPressure APT Malware Campaign; The Cost Of Cyber Insurance Increased 32% Last Year And Shows No Signs Of Easing; Critical Flaws In Windows Print Spooler Service Could Allow For Remote Attacks; British Airways Settles Over Record Claim For Data Breach; Hackers On Loose As 9,000 Data Leaks A Year Recorded
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
Hackers Demand $70 Million To End Biggest Ransomware Attack On Record
An affiliate of the notorious REvil gang, best known for extorting $11 million from the meat-processor JBS after a Memorial Day attack, infected thousands of victims in at least 17 countries on Friday, largely through firms that remotely manage IT infrastructure for multiple customers. REvil was demanding ransoms of up to $5 million, the researchers said. But late Sunday it offered in a posting on its dark web site a universal decryptor software key that would unscramble all affected machines in exchange for $70 million in crypto currency.
https://www.cbsnews.com/news/ransomware-attack-revil-hackers-demand-70-million/
Zero Day Malware Reached An All-Time High Of 74% In Q1 2021
74% of threats detected in Q1 2021 were zero day malware – that is, malware that signature-based antivirus solutions did not detect at the time of its release – capable of circumventing conventional antivirus solutions. The report also covers new threat intelligence on rising network attack rates, how attackers are trying to disguise and repurpose old exploits, the quarter’s top malware attacks, and more.
https://www.helpnetsecurity.com/2021/06/29/zero-day-malware-q1-2021/
New Trojan Malware Steals Millions Of Login Credentials
There is a new custom Trojan-type malware that managed to infiltrate over three million Windows computers and steal nearly 26 million login credentials for about a million websites. The findings suggest that the Trojan classifies the websites into a dozen categories, which include virtually all popular email services, social media platforms, file storage and sharing services, ecommerce platforms, financial platforms, and more. In all, the unnamed malware managed to siphon away 1.2 terabytes of personal data including over a million unique email addresses, over two billion cookies, and more than six million other files.
https://www.techradar.com/news/malware-steals-millions-of-login-credentials-for-popular-websites
Ransomware As A Service: Negotiators Are Now In High Demand
The Ransomware-as-a-Service (RaaS) ecosystem is evolving into something akin to a corporate structure, with new openings available for "negotiators" -- a role focused on extorting victims to pay a ransom. A recent study of RaaS trends says that one-man-band operations have almost "completely dissolved" due to the lucrative nature of the criminal ransomware business. The potential financial gains squeezed from companies desperate to unlock their systems have given rise to specialists in cyber crime and extortion, and have also led to a high demand for individuals to take over the negotiation part of an attack chain.
MacOS Targeted In WildPressure APT Malware Campaign
Recently, threat actors known as WildPressure have added a MacOS malware variant to their latest campaign targeting energy sector businesses, while enlisting compromised WordPress websites to carry out attacks. Furthermore, the malware, initially identified in March 2020 and dubbed Milum, has now been retooled with a PyInstaller bundle containing a trojan dropper compatible with Windows and MacOS systems, according to researchers. Compromised endpoints allow the advanced persistent threat (APT) group to download and upload files and execute commands.
The Cost Of Cyber Insurance Increased 32% Last Year And Shows No Signs Of Easing
The cost of insurance to protect businesses and organisations against the ever-increasing threat of cyber crimes has soared by a third in the last year. Global cyber insurance pricing has increased by an average of 32 percent in the year to June. Not only are premiums going through the roof, insurers are also attaching more strings to their policies, demanding ever more assurances that firms taking out cover have the necessary systems and processes in place to prevent a cyber mishap. Previous research also suggests that the upward squeeze on premiums shows no sign of easing, which, in turn, is putting more strain on the sector.
https://www.theregister.com/2021/07/05/cyber_insurance_report/
Critical Flaws In Windows Print Spooler Service Could Allow For Remote Attacks
Administrators are urged to apply the latest patches from Microsoft and disable the Windows Print spooler service in domain controllers and systems not used for printing. This is because Microsoft is currently grappling with a couple of security holes in its Windows Print spooler service that could allow attackers to remotely control an affected system. Anyone able to exploit the more recent vulnerability of the two would be able to run code on the compromised computer with full system privileges. That attacker could then install software, modify data and create new user accounts.
End Users In The Dark About Latest Cyber Threats, Attacks
According to a recent survey, which polled consumers and end users, high-profile incidents such as the ransomware attack on Colonial Pipeline Co. and the breach of a Florida city's water utilities were either overlooked or ignored by many outside the IT and information security fields. As a result, the responsibility for keeping users informed and aware of the need for heightened security appears to fall on administrators and IT staff.
British Airways Settles Over Record Claim For Data Breach
British Airways has settled what is thought to be the biggest claim for a data breach in British legal history, involving 16,000 victims. However, the amount was not disclosed. When the breach took place three years ago, multiple data sources and customer data were leaked, including names, addresses and card payment details, which affected 420,000 customers and staff. As a result, in 2019 the Information Commissioner’s Office hit BA with its largest ever fine at £20 million.
Hackers On Loose As 9,000 Data Leaks A Year Recorded
Public bodies and the private sector suffered nearly 9,000 data security incidents in 12 months, with sensitive and private information hacked, lost or accidentally given to the wrong people. The data lists more than 500 organisations hit by ransomware attacks and a further 562 incidents of hacking. There was a total of 8,815 data security incidents in 2020/21, with the most breaches in the health and education sectors. Furthermore, over the past three years, police forces across England and Wales suffered an average of eight breaches a week. Security experts said that these figures were “alarming” and that the public would be “disturbed” to learn how often important information and data was being lost.
https://www.thetimes.co.uk/article/hackers-9000-data-leaks-recorded-cyber-crime-56nvs7t6w
Threats
Ransomware
Swedish Coop Supermarkets Shut Due To US Ransomware Cyber Attack
Ransomware-Hit Law Firm Gets Court Order Asking Crooks Not To Publish The Data They Stole
This Crowd Sourced Ransomware Payment Tracker Shows How Much Cyber Criminals Have Heisted
Ransomware: US Warns Russia To Take Action After Latest Attacks
Kaseya Says Up To 1,500 Businesses Compromised In Massive Ransomware Attack
Phishing
Malware
Vulnerabilities
Microsoft Issues Emergency Patch for Critical Windows PrintNightmare Vulnerability
Microsoft Warns Of Critical PowerShell 7 Code Execution Vulnerability
Researchers Briefly Posted PoC For Windows Print Spooler RCE Flaw
Kaseya Patches Imminent After Zero-Day Exploits, 1,500 Impacted
SonicWall Addresses Critical CVE-2021-20026 Flaw In NSM Devices
Kaseya Left Customer Portal Vulnerable To 2015 Flaw In Its Own Software
Morgan Stanley Announces Breach Of Customer SSNs Through Accellion FTA Vulnerability
Data Breaches
Organised Crime & Criminal Actors
UK, US Agencies Warn Of Large-Scale Brute-Force Attacks Carried Out By Russian APT
Moroccan Hacker Dr Hex Arrested For Phishing Attacks, Malware Distribution
Supply Chain
OT, ICS, IIoT and SCADA
Nation State Actors
SolarWinds Hackers Breached RNC Via Synnex In New Attack: Report
Lazarus gang targets engineers with job offers using poisoned emails (tripwire.com)
Cloud
Privacy
Other News
IT Manager Who Swindled Essex Hospital Trust Out Of £800k Gets 5 Years In Prison
Website Of Mongolian Certificate Authority Served Backdoored Client Installer
Security Problems Worsen As Enterprises Build Hybrid And Multicloud Systems
Leaked infrastructure code, credentials and keys costing orgs an average of $1.2 million per year
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Cyber Weekly Flash Briefing 2 October 2020: Entry to Ransom in 45 Mins; Cyber War Collateral; Gallagher Hit with Ransomware; Adapting to Permanent WFH; Consumers Ditch Breached Firms; Awareness Month
Cyber Weekly Flash Briefing 02 October 2020: Ransomware - Entry to Ransom in 45 Minutes; Business concerned by collateral damage in cyber war; Gallagher insurance hit with ransomware; paying ransoms could land you in hot water with regulators; security must adapt to permanent WFH; DDoS attacks are getting more powerful; Consumers Vote to Ditch Breached Firms; New Botnet now Infects Mac and Android Devices; Spyware Variant Snoops on WhatsApp & Telegram Messages; It’s Cyber Security Awareness Month
Ransomware: from Entry to Ransom in Under 45 Minutes
Ransomware gangs are performing wide-ranging internet scans to find vulnerable systems and then accelerating attacks to just minutes to capitalize on COVID-19, Microsoft has warned in a blog post introducing the firm’s latest Digital Defense Report.
The report claimed that threat actors have “rapidly increased sophistication” over the past year, with ransomware the number one reason for Microsoft incident response between October 2019 and July 2020.
“Attackers have exploited the COVID-19 crisis to reduce their dwell time within a victim’s system — compromising, exfiltrating data and, in some cases, ransoming quickly — apparently believing that there would be an increased willingness to pay as a result of the outbreak. In some instances, cyber-criminals went from initial entry to ransoming the entire network in under 45 minutes”.
“At the same time, we also see that human-operated ransomware gangs are performing massive, wide-ranging sweeps of the internet, searching for vulnerable entry points, as they ‘bank’ access – waiting for a time that is advantageous to their purpose.”
Why this matters:
Not only are attackers speeding up attacks, attackers have also become more sophisticated in performing reconnaissance on high-value targets, so that they appear to know when certain factors like holidays will reduce the victim organisation’s chances of patching, or otherwise hardening their networks.
They’re also aware of how billing cycles operate in certain industries, and thus when specific targets may be more willing to pay.
Read more: https://www.infosecurity-magazine.com/news/ransomware-from-entry-ransom-under/
Businesses are concerned their companies will be collateral damage in a future cyber-war
Businesses are worrying about being caught in the crossfire of cyber warfare, according to research from Bitdefender – while industry figures warn that the gap between common-or-garden cyber threats and what nation states are doing is becoming smaller and smaller.
Bitdefender’s latest report, titled 10 in 10, surveyed around 6,000 C-suite executives responsible for cyber security and found “over a fifth” said that cyber warfare was one of the most challenging topics they had to convince their colleagues to take seriously.
Bitdefender does not think these executives are afraid of cyber warfare in the sense of being targeted directly, but rather of becoming collateral victims of cyber warfare that takes out electric power grids or the internet. They need to be prepared for these kinds of attacks.
Why this matters:
Cyber warfare, at its simplest, involves disrupting computers to achieve a real-world effect. This could be something like a denial-of-service (DoS) attack against a power grid, intended to cause a power outage, or the infamous Stuxnet malware infection that set back Iran’s nuclear weapon ambitions by several years. It could also include attacks designed to degrade an adversary’s own ability to mount cyber attacks; cyber on cyber.
An attack by one nation against another nation could have significant impact on the ability of a business to continue to operate, either in the short term or over the longer term.
Read more: https://www.theregister.com/2020/09/30/cyber_war_fears/
Ransomware hits US-based Arthur J. Gallagher insurance giant
US-based Arthur J. Gallagher (AJG) global insurance brokerage and risk management firm confirmed a ransomware attack that hit its systems on Saturday.
AJG is one of the largest insurance brokers in the world with more than 33,300 employees and operations in 49 countries, including Rossborough in Guernsey.
The company is ranked 429 on the Fortune 500 list and it provides insurance services to customers in over 150 countries.
AJG says that it detected the ransomware attack on September 26, 2020, with only a limited number of the company's internal systems being affected, but that they shut down all computing systems to block the attack.
"We promptly took all of our global systems offline as a precautionary measure, initiated response protocols, launched an investigation, engaged the services of external cyber security and forensics professionals, and implemented our business continuity plans to minimize disruption to our customers," the company added on September 28th in a filing with US regulators.
Why this matters:
Firms everywhere are being hit with ransomware, and the speed, frequency, and sophistication of these attacks are only going to carry on getting worse. Firms must ensure they are prepared for an attack before it happens and that they have plans in place to be able to recover. Most ransomware starts with a user clicking on a link in an email or downloading an attachment, so firms must ensure their staff realise the role they play in defending their organisations – this is not something that IT alone can protect firms against.
Paying ransomware demands could land you in hot water with authorities and regulators
Businesses, governments, and organisations that are hit by crippling ransomware attacks now have a new worry to contend with—big fines from authorities and regulators, such as the US Department of Treasury, in the event that they pay to recover their data.
US Treasury Department officials made that guidance official in an advisory published this week. It warns that payments made to specific entities or to any entity in certain countries—specifically, those with a designated “sanctions nexus”—could subject the payer to financial penalties levied by the US Office of Foreign Assets Control, or OFAC.
The prohibition applies not only to the group that is infected but also to any companies or contractors the hacked group’s security or insurance engages with, including those who provide insurance, digital forensics, and incident response, as well as all financial services that help facilitate or process ransom payments.
Why this matters:
Payments made to criminal groups, sanctioned groups or individuals, or otherwise making a payment that could be funding terrorism will fall foul of regulations in most regulated jurisdictions. The last thing a firm will need is having to recover from the ransomware attack and also then being hit with fines from regulators and authorities.
CIOs say security must adapt to permanent work-from-home
Both private- and public-sector CIOs see many more employees permanently working remotely, and say security needs to adapt to new threats and how they communicate.
Much of the public and private sector was forced to shut down in-person facilities and operations almost overnight in March as COVID quarantines began. The new conditions forced organisations to quickly find ways to secure tens of millions of new, vulnerable endpoints created by at-home workers. Now, six months later, technology leaders are taking stock of what happened and considering how a post-COVID landscape might look.
Why this matters:
COVID has resulted in a lot of changes and is behind a lot of innovation but it looks like some places will be putting up with these short term measures for longer than originally planned.
What might have been OK as a short term fix needs to become ‘business as usual’ and security controls will need to be adapted to these more permanent new ways of working.
DDoS attacks are getting more powerful as attackers change tactics
There's been a surge in Distributed Denial of Service (DDoS) attacks throughout the course of this year, and the attacks are getting more powerful and more disruptive.
Why this matters:
DDoS attacks are launched against websites or web services with the aim of disrupting them to the extent that they are taken offline. Attackers direct the traffic from a botnet army of hundreds of thousands of PCs, servers and other internet-connected devices they've gained control of via malware towards the target, with the aim of overwhelming it.
An attack can last for just seconds, or hours or days and prevent legitimate users from accessing the online service for that time.
And while DDoS attacks have been a nuisance for years, the prospect of corporate, e-commerce, healthcare, educational and other services being disrupted at a time when the ongoing global pandemic means more people are reliant on online services than ever could create huge problems.
Read more: https://www.zdnet.com/article/ddos-attacks-are-getting-more-powerful-as-attackers-change-tactics/
KPMG: Consumers Vote to Ditch Breached Firms
Most consumers would take their business elsewhere if they discovered an organisation had suffered a major cyber-attack or data breach, according to new data from KPMG.
The global consulting firm polled over 2000 Canadians in September to better understand the impact of security incidents and the risks for online firms that fail to adequately protect customer data.
As many as 90% of respondents said they would feel wary about sharing personal or financial information with a company that had suffered such an incident, and over two-thirds (67%) are more worried than ever about their data being breached.
Why this matters:
The findings come at a time when consumers are spending more of their lives, and sharing more of their data, online.
Over half (54%) of respondents said they are shopping more online than they used to pre-COVID, rising to 64% for the 18-44 age group. The same number (54%) said they had received a lot more suspicious emails in the first half of 2020, and even more (84%) claimed they were being “extra careful” when shopping online for fear of their data being stolen.
Phishing (38%) and spear-phishing (13%) were revealed as the most common attacks likely to face Canadians, as they are for consumers in other Western countries. Unfortunately for brands, they are likely to get the blame for successful attacks on consumers even though it is the email recipients themselves who make the mistake of clicking through.
Read more: https://www.infosecurity-magazine.com/news/kpmg-consumers-vote-to-ditch/
InterPlanetary Storm Botnet Infects 13K Mac, Android Devices
A new variant of the InterPlanetary Storm malware has been discovered, which comes with fresh detection-evasion tactics and now targets Mac and Android devices (in addition to Windows and Linux, which were targeted by previous variants of the malware).
Researchers say the malware is building a botnet with a current estimated 13,500 infected machines across 84 countries worldwide – and that number continues to grow. Half of the infected machines are in Hong Kong, South Korea and Taiwan. Other infected systems are in Russia, Brazil, the U.S., Sweden and China.
Why this matters:
While the botnet that this malware is building does not have clear functionality yet, it gives the campaign operators a backdoor into the infected devices so they can later be used for cryptomining, DDoS, or other large-scale attacks.
Read more: https://threatpost.com/botnet-mac-android/159714/
Android Spyware Variant Snoops on WhatsApp, Telegram Messages
Researchers say they have uncovered a new Android spyware variant with an updated command-and-control communication strategy and extended surveillance capabilities that snoops on social media apps WhatsApp and Telegram.
The malware, Android/SpyC32.A, is currently being used in active campaigns targeting victims in the Middle East. It is a new variant of an existing malware operated by threat group APT-C-23 (also known as Two-Tailed Scorpion and Desert Scorpion). APT-C-23 is known to utilize both Windows and Android components, and has previously targeted victims in the Middle East with apps in order to compromise Android smartphones.
Why this matters:
APT groups are increasing activity, and they are continually enhancing their toolsets and running new operations. The group’s newest spyware version features several improvements, making it more dangerous to victims. Whilst these attacks are targeting victims in the Middle East, different groups will be using similar tactics against different targets in different locations.
Read more: https://threatpost.com/new-android-spyware-whatsapp-telegram/159694/
It’s Cyber Security Awareness Month
October is Cyber Security Awareness Month, an annual initiative by the National Cyber Security Alliance. How cyber security aware are you? How cyber security aware are your staff? What about your Board?
Why this matters:
Fundamentally, attackers find it easier to target your people than to break in via technical means – so cyber security awareness, and instilling in your staff that they have a role to play in helping to secure your organisation, is absolutely key.
If you need help raising cyber awareness amongst your staff, users or executives, drop us a line – we can help.
Read more: https://staysafeonline.org/cybersecurity-awareness-month/