Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

• Cyber Security Industry Still Fighting to Recruit and Retain Talent

Cyber security teams are struggling to find the right talent, with the right skills, and to retain experienced employees. The situation is only likely to worsen, as inflation and a tight labour market push up wages. Universities produce graduates with a strong focus on technical knowledge, but not always the broader skills they need to operate in a business environment. This includes the lack of communications skills, understanding of how businesses operate and even emotional intelligence. One solution is to outsource to a corporate cyber security provider or outsource to infill shortages whilst trying to recruit permanent staff.

https://www.infosecurity-magazine.com/news/cybersecurity-industry-recruit/

• How the MOVEit Breach Shows Hackers' Interest in Corporate File Transfer Tools

The world of managed file transfer (MFT) software has become a lucrative target for ransom-seeking hackers, with significant breaches including those of Accellion Inc's File Transfer Appliance in 2021 and Fortra's GoAnywhere MFT earlier this year. These MFT programs, corporate versions of popular file sharing programs like Dropbox or WeTransfer, are highly desirable to hackers for the sensitive data they often transfer between organisations and partners. The recent mass compromise tied to Progress Software Corp's MOVEit transfer product has prompted governments and companies worldwide to scramble in response.

Hackers are shifting their tactics, with an increasing focus on MFT programs which typically face the open internet, making them more vulnerable to breaches. Once inside these file transfer points, hackers have direct access to a wealth of data. In addition, there's a noticeable shift from ransomware groups encrypting a company's network and demanding payment to unscramble it, to a simpler tactic of pure extortion by threatening to leak the data.

https://www.reuters.com/technology/how-moveit-breach-shows-hackers-interest-corporate-file-transfer-tools-2023-06-16/

• Attackers Discovering Exposed Cloud Assets within Minutes

The shift to cloud services, increased remote work, and reliance on third-parties has led to widespread use of Software-as-a-Service (SaaS) applications. This has also opened avenues for attackers to exploit weak security configurations and identities. Over the past year, attackers have intercepted authorisation tokens, bypassed multifactor authentication, and exploited misconfigured systems, targeting critical applications like GitHub, Microsoft 365, Google Workspace, Slack, and Okta. A study revealed alarmingly fast rates of breach discovery and compromise of exposed cloud assets, with assets being discovered within as little as two minutes for some and others within an hour.

https://www.techtarget.com/searchsecurity/news/366542352/Attackers-discovering-exposed-cloud-assets-within-minutes

https://www.darkreading.com/dr-tech/growing-saas-usage-means-larger-attack-surface

• Majority of Users Neglect Best Password Practices

The latest Password Management Report by Keeper Security has shed light on the concerning state of password security practices. The survey found that only 25% of respondents used solid and unique passwords. In comparison, 34% admitted to using repeat variations of passwords, and 30% still relied on simple and easily guessable passwords. The survey also found that 44% of individuals who claimed to have well-managed passwords still admitted to using repeated variations, while 20% acknowledged having had at least one password involved in a data breach or available on the dark web. The document also revealed that 35% of respondents feel overwhelmed when it comes to improving their cyber security. Furthermore, 10% admitted to neglecting password management altogether. More generally, Keeper Security said the survey’s findings highlight a significant gap between perception and reality regarding password security.

https://www.infosecurity-magazine.com/news/users-neglect-best-password/

• One in Three Workers Susceptible to Phishing

More than one in three workers in the UK and Ireland are susceptible to falling for phishing attacks, according to the new 2023 Phishing by Industry Benchmarking Report by KnowBe4. The study found that 35% of users who had received no security training were prone to clicking on suspicious links or engaging in fraudulent actions. Regular training and continual reinforcement can get this figure down but even with training very few organisations ever get click rates down to zero, and you only need one person to click to cause potentially devastating consequences.

Globally, ransomware was responsible for 24% of all data breaches in 2023, with human error accounting for 74% of these incidents. Phishing attacks can often lead to significant reputational damage, financial loss and disruption to business operations.

https://www.infosecurity-magazine.com/news/one-in-three-phishing/

• Ransomware Misconceptions Abound, to the Benefit of Attackers

There is a common ransomware misperception that there's no capability to fight this all too common hostage taking of business data. This is not true. Proactive organisations are increasingly making more strategic use of threat intelligence to prevent or disrupt attacks.

Ransomware has evolved into a massive, often state-sponsored, industry where operators buy, develop, and resell ransomware code, infiltrate networks, and collect ransoms. The perception that a speedy response is critical to prevent data encryption and loss is outdated; attackers now focus on data exfiltration, using ransomware as a distraction. They often target smaller organisations that are linked to larger ones through supply chains, using them as stepping stones. It is important to use in-depth defence measures, including email security to prevent phishing and efficient detection and response systems to identify and recover from changes.

https://www.darkreading.com/vulnerabilities-threats/ransomware-misconceptions-abound-to-the-benefit-of-attackers

• Threat Actors Scale and Commoditise Uncommon Tools and Techniques

Proofpoint’s 2023 Human Factor report highlights significant developments in the cyber attack landscape in 2022. Following two years of pandemic-induced disruption, cyber criminals returned to their usual operations, honing their social engineering skills and commoditising once sophisticated attack techniques. There was a noticeable increase in brute-force and targeted attacks on cloud tenants, conversational smishing attacks, and multifactor authentication (MFA) bypasses. Microsoft 365 formed a large part of organisations' attack surfaces and faced broad abuse, from Office macros to OneNote documents.

Despite some advances in security controls, threat actors continue to innovate and scale their bypasses. Techniques like MFA bypass and telephone-oriented attack delivery are now commonplace. Attackers consistently exploit people, who remain the most critical variable in the attack chain.

https://www.proofpoint.com/uk/newsroom/press-releases/proofpoints-2023-human-factor-report-threat-actors-scale-and-commoditise

• Goodbyes are Difficult, IT Offboarding Processes Make Them Harder

A recent survey found that 68% of organisations recognise the offboarding process as a major cyber security risk, but only 36% have adequate controls in place to secure data access when employees depart. The study revealed that 60% of organisations have discovered former employees still had access to corporate applications after leaving, and 52% have had security incidents linked to former employees. Interestingly, IT professionals are not always alerted when employees leave, leading to access not being revoked and IT assets being mishandled 34% of the time.

https://www.helpnetsecurity.com/2023/06/19/it-offboarding-processes/

• Security Budget Hikes are Missing the Mark, CISOs Say

Misguided expectations on security spend are causing problems for CISOs despite notable budget increases. A recent report found that while most CISOs are experiencing noteworthy increases in security funding, impractical expectations of budget holders are leading to significant amounts being spent on what’s hitting the headlines instead of strategic, business-centric investment in security defences. This lack of understanding shows that a lot of work needs to be done to ensure that information security receives the attention it deserves, especially in the boardroom.

The report found that just 9% of CISOs said information security is always in the top three priorities on the boardroom’s meeting agenda, and less than a quarter (22%) of CISOs are actively participating in business strategy and decision-making processes. Talking to the board about cyber security in a way that is productive can be a significant challenge for CISOs, and failing to do so effectively can result in confusion, disillusionment, and a lack of cohesion among directors, the security function, and the rest of the organisation.

https://www.csoonline.com/article/3700073/security-budget-hikes-are-missing-the-mark-cisos-say.html

https://www.helpnetsecurity.com/2023/06/22/average-cybersecurity-budget-increase/

• Understanding Cyber Resilience: Building a Holistic Approach to Cyber Security

In today’s interconnected world, the threat of cyber attacks is a constant concern for organisations of all sizes and across all industries. Cyber resilience entails not only making it difficult for attackers to infiltrate your systems but also ensuring that your organisation can bounce back quickly and continue operations successfully.

Cyber resilience offers a holistic approach to cyber security, emphasising the ability to withstand and recover from cyber attacks. By adopting the right mindset, leveraging advanced technology, addressing cyber hygiene, and measuring key metrics, organisations can enhance their cyber resilience. Additionally, collaboration within industries and proactive board engagement are crucial for effective risk management. As cyber threats continue to evolve, organisations must prioritise cyber resilience as an ongoing journey, continuously adapting and refining their strategies to stay ahead of malicious actors.

https://informationsecuritybuzz.com/understanding-cyber-resilience-building-a-holistic-approach-to-cybersecurity/

• Emerging Ransomware Group 8Base Releasing Confidential Data from SMBs Globally

A ransomware group that operated under the radar for over a year has come to light in recent weeks, thanks to a series of business data leaks on the Dark Web. Since at least April 2022, 8base has been conducting double-extortion attacks against small and midsized businesses (SMBs). It all came to a head in May, when the group dumped data belonging to 67 organisations on the cyber underground.

Not much is known yet about the group's tactics, techniques, and procedures (TTPs), likely due to the low profile of their victims. The victims span science and technology, manufacturing, retail, construction, healthcare, and more, with victims from as far afield as India, Peru, Madagascar and Brazil, amongst others.

https://www.darkreading.com/vulnerabilities-threats/emerging-ransomware-8base-doxxes-smbs-globally

• Financial Firms to Build Resilience in Face of Growing Cyber-Threats

Cyber resilience is now a key component of operational resilience for the UK’s financial markets, according to a Bank of England official. Cyber attacks have increased by 38% in 2022, and the range of firms and organisations being impacted seems to grow broader and broader.

Regulators want to see how financial firms will cope with an attack, and its impact on the wider financial services ecosystem. Similar work is being done at an international level by the G7, which has its own cyber expert group. In the UK, the main tools for improving resilience are threat intelligence sharing, better coordination between firms, regulators, the Bank and the Treasury, and penetration testing including CBEST. Financial services firms should have scenario specific playbooks, to set out how to contain intruders and stop them spreading to clients and counterparties. In the past, simulation exercises have been used to model terrorist incidents and pandemics and they are now being used to model cyber attacks.

https://www.infosecurity-magazine.com/news/financial-firms-to-build-resilience/

• Fulfilling Expected SEC Requirements for Cyber Security Expertise at Board Level

The US Securities and Exchange Commission (SEC) is expected to introduce a rule requiring demonstration of cyber security expertise at the board level for public companies. A recent study found that currently up to 90% of companies in the Russell 3000 lack even a single director with the necessary cyber expertise. The simplest and speediest solution would be to promote the existing CISO, provided they have the appropriate qualities and experience, to the board but that would require transplanting a focused operational executive into a strategic business advisory role. A credible alternative is to bring in a cyber focused Non-Executive Director with the appropriate skills and experience.

https://www.securityweek.com/fulfilling-expected-sec-requirements-for-cybersecurity-expertise-at-board-level/

Governance, Risk and Compliance

• Why assessing third parties for security risk is still an unsolved problem | CSO Online

• How DORA Will Force Financial Firms to Adopt Cyber Resilience - Infosecurity Magazine (infosecurity-magazine.com)

• Navigating the Complex World of Cyber security Compliance - MSSP Alert

• Security budget hikes are missing the mark, CISOs say | CSO Online

• Understanding Cyber Resilience: Building A Holistic Approach To Cyber security (informationsecuritybuzz.com)

• How to Weather the Coming Cyber security Storm - Infosecurity Magazine (infosecurity-magazine.com)

• Certifications are no guarantee of security - Infosecurity Magazine (infosecurity-magazine.com)

• Increased spending doesn't translate to improved cyber security posture - Help Net Security

• Placing People & Realism at the Center of Your Cyber security Strategy (darkreading.com)

• CISOs’ New Stressors Brought on by Digitalization: Report - SecurityWeek

• Fulfilling Expected SEC Requirements for Cyber security Expertise at Board Level - SecurityWeek

• Decrypting Cyber Risk Quantification (trendmicro.com)

• From details to big picture: how to improve security effectiveness | CIO

• IT Staff Increasingly Saddled with Data Protection Compliance (darkreading.com)

Threats

Ransomware, Extortion and Destructive Attacks

• Explainer: How MOVEit breach shows hackers' interest in corporate file transfer tools | Reuters

• Embattled consulting firm PwC swept up in global cyber breach of file service MOVEit by cyber crime group C10p (afr.com)

• Ransomware Misconceptions Abound, to the Benefit of Attackers (darkreading.com)

• US Offers $10m Reward For MOVEit Attackers - Infosecurity Magazine (infosecurity-magazine.com)

• Data leak at Australian law firm spooks government, business • The Register

• Moveit hack: attack on BBC and BA offers glimpse into the future of cyber crime (theconversation.com)

• Fresh Ransomware Gangs Emerge As Market Leaders Decline (darkreading.com)

• Emerging Ransomware Group 8Base Doxxes SMBs Globally (darkreading.com)

• A Russian national charged for committing LockBit Ransomware attacks - Security Affairs

• Rorschach Ransomware: What You Need to Know (darkreading.com)

• Ransomware is only getting faster: Six steps to a stronger defence (bleepingcomputer.com)

• Ransomware gang preys on cancer centers, triggers alert | SC Media (scmagazine.com)

• Ransomware attacks pose communications dilemmas for local governments | CSO Online

• LockBit Developing Ransomware for Apple M1 Chips, Embedded Systems (darkreading.com)

Ransomware Victims

• MOVEit victim list | KonBriefing.com

• PwC and EY impacted by MOVEit cyber attack (cshub.com)

• Australian Government Says Its Data Was Stolen in Law Firm Ransomware Attack - SecurityWeek

• Hackers threaten to release photos of Beverly Hills plastic surgery patients (bitdefender.com)

• Norton Parent Says Employee Data Stolen in MOVEit Ransomware Attack - SecurityWeek

• BlackCat gang threatens to leak plastic surgery photos • The Register

• Reddit confirms BlackCat ransomware gang stole its data • The Register

• Adur and Worthing Councils investigating after contractor data breach | The Argus

• Iowa’s largest school district confirms ransomware attack, data theft (bleepingcomputer.com)

• Hackers warn University of Manchester students’ of imminent data leak (bleepingcomputer.com)

• MOVEit cyber attack: US Energy Department gets two ransom notices as MOVEit hack claims more victims - The Economic Times (indiatimes.com)

• USDA is investigating a 'possible data breach' related to global Russian cyber criminal hack | CNN

• Avast, Norton Parent Latest Victim of MOVEit Ransomware Attacks (darkreading.com)

• MOVEit Vulnerability Breaches Targeted Fed Agencies (trendmicro.com)

Phishing & Email Based Attacks

• One in Three UK&I Workers Susceptible to Phishing - Infosecurity Magazine (infosecurity-magazine.com)

• Cyber crime: what does psychology have to do with phishing? – podcast | Science | The Guardian

• Hackers Will Be Quick to Bypass Gmail's Blue Check Verification System (darkreading.com)

• UPS discloses data breach after exposed customer info used in SMS phishing (bleepingcomputer.com)

• Insurance companies neglect basic email security - Help Net Security

Other Social Engineering; Smishing, Vishing, etc

• The Simplest Social Engineering Hack Of Them All | Hackaday

• Attackers Create Synthetic Security Researchers to Steal IP (darkreading.com)

Artificial Intelligence

• Civil servants told not to share state secrets with ChatGPT, leaked guidance reveals (telegraph.co.uk)

• How generative AI is creating new classes of security threats | VentureBeat

• Over 100,000 Stolen ChatGPT Account Credentials Sold on Dark Web Marketplaces (thehackernews.com)

• ‘With hackers adopting AI, it’s a cat-and-mouse game’ | Mint (livemint.com)

• ChatGPT and data protection laws: Compliance challenges for businesses - Help Net Security

• Biden Discusses Risks and Promises of Artificial Intelligence With Tech Leaders in San Francisco - SecurityWeek

• The next wave of cyber threats: Defending your company against cyber criminals empowered by generative AI | VentureBeat

• Google Tells Employees to Stay Away from Its Bard Chatbot (gizmodo.com)

Malware

• Experts Uncover Year-Long Cyber Attack on IT Firm Utilising Custom Malware RDStealer (thehackernews.com)

• Attacker seizes abandoned S3 bucket to launch malicious payloads | SC Media (scmagazine.com)

• Hackers use fake OnlyFans pics to drop info-stealing malware (bleepingcomputer.com)

• Researchers Discover New Sophisticated Toolkit Targeting Apple macOS Systems (thehackernews.com)

• Mysterious Mystic Stealer Spreads Like Wildfire in Mere Months (darkreading.com)

• Hackers infect Linux SSH servers with Tsunami botnet malware (bleepingcomputer.com)

• To kill BlackLotus malware, patching is a good start, but... • The Register

• Microsoft Teams bug allows malware delivery from external accounts (bleepingcomputer.com)

• APT37 hackers deploy new FadeStealer eavesdropping malware (bleepingcomputer.com)

• ScarCruft Hackers Exploit Ably Service for Stealthy Wiretapping Attacks (thehackernews.com)

• Chinese Hacker Group 'Flea' Targets American Ministries with Graphican Backdoor (thehackernews.com)

• USB Drives Spread Spyware as China's Mustang Panda APT Goes Global (darkreading.com)

• NSA shares tips on blocking BlackLotus UEFI malware attacks (bleepingcomputer.com)

• Chinese malware accidentally infects networked storage • The Register

• ChamelDoH: New Linux Backdoor Utilising DNS-over-HTTPS Tunneling for Covert CnC (thehackernews.com)

Mobile

• New Version of Android GravityRAT Spyware Targets WhatsApp Backups - Infosecurity Magazine (infosecurity-magazine.com)

• SMS delivery reports can be used to infer recipient's location (bleepingcomputer.com)

• Apple fixes zero-days used to deploy Triangulation spyware via iMessage (bleepingcomputer.com)

• This Android app with over 50,000 installs steals your files and microphone recordings — what to do | Tom's Guide (tomsguide.com)

• Android spyware camouflaged as VPN, chat apps on Google Play (bleepingcomputer.com)

Botnets

• Romanian cyber crime gang Diicot builds DDoS botnet with Mirai variant | CSO Online

• New Condi malware builds DDoS botnet out of TP-Link AX21 routers (bleepingcomputer.com)

• Hackers infect Linux SSH servers with Tsunami botnet malware (bleepingcomputer.com)

• Mirai botnet targets 22 flaws in D-Link, Zyxel, Netgear devices (bleepingcomputer.com)

Denial of Service/DoS/DDOS

• Police crack down on DDoS-for-hire service active since 2013 (bleepingcomputer.com)

• Hackers behind Microsoft outage most likely Russian-backed group aiming to ‘drive division’ in the west | Cyber crime | The Guardian

• European Investment Bank hit by cyber attack after Russian hackers vow to bring down financial system (telegraph.co.uk)

• New Condi malware builds DDoS botnet out of TP-Link AX21 routers (bleepingcomputer.com)

• Zeeland port website hit by DDOS attack, possibly by Russian hackers | NL Times

• From Cryptojacking to DDoS Attacks: Diicot Expands Tactics with Cayosin Botnet (thehackernews.com)

Internet of Things – IoT

• Thousands left vulnerable after severe weakness is discovered in home security system's mobile app | TechSpot

• Romanian cyber crime gang Diicot builds DDoS botnet with Mirai variant | CSO Online

• Smart Pet Feeders Expose Personal Data - Infosecurity Magazine (infosecurity-magazine.com)

• Security for embedded devices is ignored by too many companies, expert says | Fierce Electronics

• Our cities are becoming increasingly automated—and we’re not ready (fastcompany.com)

• US Military Personnel Receiving Unsolicited, Suspicious Smartwatches - SecurityWeek

• Mirai botnet targets 22 flaws in D-Link, Zyxel, Netgear devices (bleepingcomputer.com)

Data Breaches/Leaks

• Data leak at Australian law firm spooks government, business • The Register

• Australian Government Says Its Data Was Stolen in Law Firm Ransomware Attack - SecurityWeek

• 3CX data exposed, third-party to blame - Security Affairs

• Mondelez says crooks stole staff data in security breach • The Register

• UPS discloses data breach after exposed customer info used in SMS phishing (bleepingcomputer.com)

• Reddit hackers threaten to leak data stolen in February breach (bleepingcomputer.com)

• Australia Inc roiled by raft of cyber attacks since late 2022 - The Economic Times (indiatimes.com)

• SSD missing from SAP datacenter turns up on eBay • The Register

• Millions of UK University Credentials Found on Dark Web - Infosecurity Magazine (infosecurity-magazine.com)

• Smart Pet Feeders Expose Personal Data - Infosecurity Magazine (infosecurity-magazine.com)

• Hackers warn University of Manchester students’ of imminent data leak (bleepingcomputer.com)

Organised Crime & Criminal Actors

• Darknet Parliament is now a thing | Cybernews

• Crypto and Cyber Security: A Complex Relationship (analyticsinsight.net)

• Moveit hack: attack on BBC and BA offers glimpse into the future of cyber crime (theconversation.com)

• Cyber attackers Got More Creative Post-Pandemic, Proofpoint Study Finds - MSSP Alert

• The Great Exodus to Telegram: A Tour of the New Cyber crime Underground (bleepingcomputer.com)

• Cyber crime Doesn't Take a Vacation (darkreading.com)

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

• Crypto and Cyber Security: A Complex Relationship (analyticsinsight.net)

• Blockchain security: Everything you should know for safe use | TechTarget

• From Cryptojacking to DDoS Attacks: Diicot Expands Tactics with Cayosin Botnet (thehackernews.com)

Insider Risk and Insider Threats

• Cost-of-Living Crisis increasing chances of Insider threats - IT Security Guru

• Preventing breaches through cyber awareness: How every federal employee contributes to cyber security | Federal News Network

Fraud, Scams & Financial Crime

• Influencers in firing line as France tackles scams - BBC News

• Keep Job Scams From Hurting Your Organisation (darkreading.com)

• Job Seekers, Look Out for Job Scams (darkreading.com)

Impersonation Attacks

• Attackers Create Synthetic Security Researchers to Steal IP (darkreading.com)

AML/CFT/Sanctions

• EU agrees new sanctions against Russia, targeting Chinese companies suspected of circumvention | Euronews

Dark Web

• Darknet Parliament is now a thing | Cybernews

• Over 100,000 Stolen ChatGPT Account Credentials Sold on Dark Web Marketplaces (thehackernews.com)

• Millions of UK University Credentials Found on Dark Web - Infosecurity Magazine (infosecurity-magazine.com)

Supply Chain and Third Parties

• Capita faces first legal Letter of Claim over mega breach • The Register

• Why assessing third parties for security risk is still an unsolved problem | CSO Online

• 3CX data exposed, third-party to blame - Security Affairs

• Mondelez says crooks stole staff data in security breach • The Register

• Untangling the web of supply chain security with Tony Turner - Help Net Security

Software Supply Chain

• CISA SBOM standards efforts stymied by confusion, inertia | TechTarget

Cloud/SaaS

• Growing SaaS Usage Means Larger Attack Surface (darkreading.com)

• Explainer: How MOVEit breach shows hackers' interest in corporate file transfer tools | Reuters

• A new threat to financial stability lurks in the cloud | Financial Times (ft.com)

• Cloud CISO Perspectives: Early June 2023 | Google Cloud Blog

• Hackers behind Microsoft outage most likely Russian-backed group aiming to ‘drive division’ in the west | Cyber crime | The Guardian

• Western Digital Blocks Unpatched Devices From Cloud Services - SecurityWeek

• Attacker seizes abandoned S3 bucket to launch malicious payloads | SC Media (scmagazine.com)

• Attackers discovering exposed cloud assets within minutes | TechTarget

• Cloud-native security hinges on open source - Help Net Security

• Hybrid Microsoft network/cloud legacy settings may impact your future security posture | CSO Online

• US cyber ambassador says China can win on AI, cloud • The Register

Hybrid/Remote Working

• Home working puts confidential data at risk, GCHQ warns law firms (telegraph.co.uk)

Shadow IT

• Ending the ‘forever war’ against shadow IT | CIO

Identity and Access Management

• The future of passwords and authentication - Help Net Security

Encryption

• Intel to start shipping a quantum processor | Ars Technica

• Quantum hacking alert: Critical vulnerabilities found in quantum key distribution (techxplore.com)

• The US Navy, NATO, and NASA are using a shady Chinese company’s encryption chips | Ars Technica

• Physics - Long-Range Quantum Cryptography Gets Simpler (aps.org)

API

• Why API Security Could Be the Next Big Thing in Cyber - Infosecurity Magazine (infosecurity-magazine.com)

Open Source

• Hackers infect Linux SSH servers with Tsunami botnet malware (bleepingcomputer.com)

• Beware bad passwords as attackers co-opt Linux servers into cyber crime – Naked Security (sophos.com)

• Cloud-native security hinges on open source - Help Net Security

• ChamelDoH: New Linux Backdoor Utilising DNS-over-HTTPS Tunneling for Covert CnC (thehackernews.com)

Passwords, Credential Stuffing & Brute Force Attacks

• Majority of Users Neglect Best Password Practices: Keeper Security - Infosecurity Magazine (infosecurity-magazine.com)

• Forging a Path to Account Takeover: Copy Password Reset Link Vulnerability worth $$$$. | by Manav Bankatwala | Jun, 2023 | InfoSec Write-ups (infosecwriteups.com)

• The future of passwords and authentication - Help Net Security

• These are the most hacked passwords. Is yours on the list? | ZDNET

• Beware bad passwords as attackers co-opt Linux servers into cyber crime – Naked Security (sophos.com)

Social Media

• Influencers in firing line as France tackles scams - BBC News

• Reddit hackers threaten to leak data stolen in February breach (bleepingcomputer.com)

Training, Education and Awareness

• Preventing breaches through cyber awareness: How every federal employee contributes to cyber security | Federal News Network

• Security Training Fail Impacting Digital Transformation - Infosecurity Magazine (infosecurity-magazine.com)

• Security Training Needs to Nudge, Not Nag - Infosecurity Magazine (infosecurity-magazine.com)

Digital Transformation

• Security Training Fail Impacting Digital Transformation - Infosecurity Magazine (infosecurity-magazine.com)

Regulations, Fines and Legislation

• ChatGPT and data protection laws: Compliance challenges for businesses - Help Net Security

• Bill allowing CISA to assist foreign governments passes Senate committee | SC Media (scmagazine.com)

• Fulfilling Expected SEC Requirements for Cyber security Expertise at Board Level - SecurityWeek

Models, Frameworks and Standards

• The significance of CIS Control mapping in the 2023 Verizon DBIR - Help Net Security

• What is PCI Compliance? 12 Requirements and More Explained | Definition from TechTarget

Secure Disposal

• SSD missing from SAP datacenter turns up on eBay • The Register

Data Protection

• ChatGPT and data protection laws: Compliance challenges for businesses - Help Net Security

• Consumer Data: The Risk and Reward for Manufacturing Companies (darkreading.com)

• IT Staff Increasingly Saddled with Data Protection Compliance (darkreading.com)

Careers, Working in Cyber and Information Security

• 8 notable entry-level cyber security career and skills initiatives in 2023 | CSO Online

• UK military is struggling to recruit tech experts, says report | Financial Times (ft.com)

• Certifications are no guarantee of security - Infosecurity Magazine (infosecurity-magazine.com)

• The Quintessential Toolkit: Five Essential Skills For Advancing In The Cyber security Realm (informationsecuritybuzz.com)

• Cyber security Industry Still Fighting to Recruit and Retain Talent - Infosecurity Magazine (infosecurity-magazine.com)

• It’s Time to Think Creatively to Combat Skills Shortages - Infosecurity Magazine (infosecurity-magazine.com)

• Google announces $20 million investment for cyber clinics | CyberScoop

Law Enforcement Action and Take Downs

• Police crack down on DDoS-for-hire service active since 2013 (bleepingcomputer.com)

• Megaupload duo will go to prison at last, but Kim Dotcom fights on… – Naked Security (sophos.com)

• A Russian national charged for committing LockBit Ransomware attacks - Security Affairs

Privacy, Surveillance and Mass Monitoring

• SMS delivery reports can be used to infer recipient's location (bleepingcomputer.com)

• US Military Personnel Receiving Unsolicited, Suspicious Smartwatches - SecurityWeek

Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine

• Killnet Threatens Imminent SWIFT, World Banking Attacks (darkreading.com)

• A Newly Named Group of GRU Hackers is Wreaking Havoc in Ukraine | WIRED

• Hackers behind Microsoft outage most likely Russian-backed group aiming to ‘drive division’ in the west | Cyber crime | The Guardian

• UK Pledges Millions in Cyber-Defence Aid to Ukraine - Infosecurity Magazine (infosecurity-magazine.com)

• European Investment Bank hit by cyber attack after Russian hackers vow to bring down financial system (telegraph.co.uk)

• Russia sent its reserve team to wipe Ukrainian hard drives • The Register

• Russian APT Group Caught Hacking Roundcube Email Servers - SecurityWeek

• Hacktivist group Anonymous Sudan a ‘bear in wolf’s clothing’ | SC Media (scmagazine.com)

• Russian APT28 hackers breach Ukrainian govt email servers (bleepingcomputer.com)

• Strategies for staying ahead of modern cyber warfare - CyberTalk

• German intelligence services point to increased hybrid security threats – EURACTIV.com

Nation State Actors

• Microsoft Pins Early June DDoS Attacks on Russian-linked Cyber Crew - MSSP Alert

• US DOJ Launches Cyber Unit to Prosecute Nation-State Threat Actors - SecurityWeek

• Cooperation or Competition? China’s Security Industry Sees the US, Not AI, as the Bigger Threat - SecurityWeek

• US Military Personnel Receiving Unsolicited, Suspicious Smartwatches - SecurityWeek

• USB Drives Spread Spyware as China's Mustang Panda APT Goes Global (darkreading.com)

• CISA orders govt agencies to patch bugs exploited by Russian hackers (bleepingcomputer.com)

• US Cyber Ambassador says China can win on AI, cloud • The Register

• Cadet Blizzard emerges as a novel and distinct Russian threat actor | Microsoft Security Blog

• State-Backed Hackers Employ Advanced Methods to Target Middle Eastern and African Governments (thehackernews.com)

• The Israeli weapons and spyware falling into the hands of despots | Financial Times (ft.com)

• The US Navy, NATO, and NASA are using a shady Chinese company’s encryption chips | Ars Technica

• Zeeland port website hit by DDOS attack, possibly by Russian hackers | NL Times

• A Russian national charged for committing LockBit Ransomware attacks - Security Affairs

• Hacktivist group Anonymous Sudan a ‘bear in wolf’s clothing’ | SC Media (scmagazine.com)

• APT37 hackers deploy new FadeStealer eavesdropping malware (bleepingcomputer.com)

• ScarCruft Hackers Exploit Ably Service for Stealthy Wiretapping Attacks (thehackernews.com)

• 20-Year-Old Chinese APT15 Finds New Life in Foreign Ministry Attacks (darkreading.com)

• Chinese Hacker Group 'Flea' Targets American Ministries with Graphican Backdoor (thehackernews.com)

• North Korean APT targets defectors, activists with infostealer malware | SC Media (scmagazine.com)

• RedEyes Group Targets Individuals with Wiretapping Malware - Infosecurity Magazine (infosecurity-magazine.com)

• US Justice Department Launches New National Security Cyber Section - Infosecurity Magazine (infosecurity-magazine.com)

• China-sponsored APT group targets government ministries in the Americas | CSO Online

• Chinese malware accidentally infects networked storage • The Register

• Trellix Detects Leading Threat Actor Countries Behind Nation-State Activity - MSSP Alert

Vulnerability Management

• Guess what happened to this US agency that didn't patch? • The Register

• EU Council mulls pan-European platform to handle cyber vulnerabilities – EURACTIV.com

• The Benefits of Red Zone Threat Intelligence - SecurityWeek

Vulnerabilities

• VMware warns of critical vRealize flaw exploited in attacks (bleepingcomputer.com)

• Microsoft Teams Vulnerability: The GIFShell Attack (latesthackingnews.com)

• Zero-Day Alert: Apple Releases Patches for Actively Exploited Flaws in iOS, macOS, and Safari (thehackernews.com)

• Patch Now: Cisco AnyConnect Bug Exploit Released in the Wild (darkreading.com)

• Zyxel addressed critical flaw CVE-2023-27992 in NAS Devices - Security Affairs

• Microsoft Teams bug allows malware delivery from external accounts (bleepingcomputer.com)

• Chrome and Its Vulnerabilities - Is the Web Browser Safe to Use? - SecurityWeek

• Critical WordPress Plugin Vulnerabilities Impact Thousands of Sites - SecurityWeek

• SMB Edge Devices Walloped With Asus, Zyxel Patch Warnings (darkreading.com)

• VMware fixes vCenter Server bugs allowing code execution, auth bypass (bleepingcomputer.com)

• Azure AD 'Log in With Microsoft' Authentication Bypass Affects Thousands (darkreading.com)

• Western Digital Blocks Unpatched Devices From Cloud Services - SecurityWeek

• Risk & Repeat: Mandiant sheds light on Barracuda ESG attacks | TechTarget

• ASUS warns router customers: Patch now, or block all inbound requests – Naked Security (sophos.com)

• Firmware Backdoor Discovered in Gigabyte Motherboards, Hundreds of Models Affected - CPO Magazine

• Apple fixes zero-days used to deploy Triangulation spyware via iMessage (bleepingcomputer.com)

• A (cautionary) tale of two patched bugs, both under exploit • The Register

• Millions of GitHub repos likely vulnerable to RepoJacking, researchers say (bleepingcomputer.com)

• Windows 11 KB5027231 also breaks Chrome for Cisco, WatchGuard EDR users (bleepingcomputer.com)

• Gaps in Azure Service Fabric’s Security Call for User Vigilance (trendmicro.com)

Tools and Controls

• Getting Over the DNS Security Awareness Gap (darkreading.com)

• Zscaler CEO: Firewalls Are Going The Way Of The Mainframe | CRN

• The future of passwords and authentication - Help Net Security

• Understanding Cyber Resilience: Building A Holistic Approach To Cyber security (informationsecuritybuzz.com)

• Increased spending doesn't translate to improved cyber security posture - Help Net Security

• Placing People & Realism at the Center of Your Cyber security Strategy (darkreading.com)

• Security investments that help companies navigate the macroeconomic climate - Help Net Security

• The Benefits of Red Zone Threat Intelligence - SecurityWeek

Reports Published in the Last Week

• Proofpoint’s 2023 Human Factor Report: Threat Actors Scale and Commoditise Uncommon Tools and Techniques | Proofpoint UK

• Trellix Detects Leading Threat Actor Countries Behind Nation-State Activity - MSSP Alert

• The Threat Report: June 2023 | Trellix

• Navigating The Cyber Threat Landscape: Key Insights From Trellix ARC's Q1 2023 Report (informationsecuritybuzz.com)

Other News

• Boris Johnson’s notebooks cause national security alarm (thetimes.co.uk)

• ‘It could be taken down by an enthusiastic child’: Whitehall wide open to cyber attack, warn campaigners | Cyber crime | The Guardian

• Keep it, Tweak it, Trash it – What to do with Aging Tech in an Era of Consolidation - SecurityWeek

• Cyber attacks on OT, ICS Lay Groundwork for Kinetic Warfare (darkreading.com)

• Why CISOs should be concerned about space-based attacks | CSO Online

• Legal firms urged to strengthen cyber defences with latest... - NCSC.GOV.UK

• 6 Attack Surfaces You Must Protect (darkreading.com)

• GCHQ’s top hacker James Babbage quits to join NCA in blow to UK cyber force (telegraph.co.uk)

Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

·       Automotive

·       Construction

·       Critical National Infrastructure (CNI)

·       Defence & Space

·       Education & Academia

·       Energy & Utilities

·       Estate Agencies

·       Financial Services

·       FinTech

·       Food & Agriculture

·       Gaming & Gambling

·       Government & Public Sector (including Law Enforcement)

·       Health/Medical/Pharma

·       Hotels & Hospitality

·       Insurance

·       Legal

·       Manufacturing

·       Maritime

·       Oil, Gas & Mining

·       OT, ICS, IIoT, SCADA & Cyber-Physical Systems

·       Retail & eCommerce

·       Small and Medium Sized Businesses (SMBs)

·       Startups

·       Telecoms

·       Third Sector & Charities

·       Transport & Aviation

·       Web3

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

• Why It’s Mission-Critical That All-Sized Businesses Stay Cyber Secure

A study analysing millions of emails across thousands of companies found that on average, employees of small businesses with less than 100 employees experience 350% more social engineering attacks than employees of larger enterprises. 57% of these are phishing attacks – the most prevalent social engineering attack of 2021.

Add to the mix that the global average cost of a data breach for businesses has skyrocketed. According to IBM Security’s annual Cost of a Data Breach Report, the average global cost is now a phenomenal $4.35 million.

Generally, larger corporations tend to have bigger security budgets, making them less of a target than smaller businesses with lesser budgets, and as such, more attractive to cyber criminals. This means that for small and medium-sized enterprises (SMEs) – with fewer resources and money – protection from cyber-attacks is now a matter of survival.

Ease of attack is not the only reason why criminals attack SMEs either. SMEs are often an entry point to target bigger organisations within the same supply chain. These larger corporations can either be crucial partners, suppliers, or customers, making SMEs prime targets.

But with efficient cyber security measures, every business regardless of size can keep themselves and their network safe.

https://informationsecuritybuzz.com/articles/why-its-mission-critical-that-all-sized-businesses-stay-cyber-secure/

• Half of Firms Report Supply Chain Ransomware Compromise

Over half (52%) of global organisations know a partner that has been compromised by ransomware, yet few are doing anything to improve the security of their supply chain, according to Trend Micro.

The security vendor polled nearly 3,000 IT decision makers across 26 countries to produce its latest report, ‘Everything is connected: Uncovering the ransomware threat from global supply chains’.

It revealed that 90% of global IT leaders believe their partners and customers are making their own organisation a more attractive ransomware target.

That might be down in part to the fact that SMBs comprise a significant chunk of the supply chain for 52% of respondents. The security of SMBs is generally thought to be less effective than protection in larger, better resourced companies.

However, despite their concerns, less than half (47%) of respondents said they share knowledge about ransomware attacks with their suppliers, while a quarter (25%) claimed they don’t share potentially useful threat information with partners.

https://www.infosecurity-magazine.com/news/half-firms-supply-chain-ransomware/

• Vulnerability Exploits, Not Phishing, Are the Top Cyber Attack Vector for Initial Compromise

Breaches involving phishing and credential compromise have received a lot of attention in recent years because of how frequently threat actors have employed the tactics in executing both targeted and opportunistic attacks. But that doesn't mean that enterprise organisations can afford to lessen their focus on vulnerability patching one bit.

A report from Kaspersky this week identified more initial intrusions last year resulting from exploitation of vulnerabilities in Internet-facing applications than breaches involving malicious emails and compromised accounts combined. And data that the company has collected through the second quarter of 2022 suggests the same trend might be playing out this year as well.

Kaspersky's analysis of its 2021 incident-response data showed that breaches involving vulnerability exploits surged from 31.5% of all incidents in 2020 to 53.6% in 2021. Over the same period, attacks associated with the use of compromised accounts to gain initial access declined from 31.6% in 2020 to 17.9% last year. Initial intrusions resulting from phishing emails decreased from 23.7% to 14.3% during the same period.

https://www.darkreading.com/vulnerabilities-threats/vulnerability-exploits-phishing-top-attack-vector-initial-compromise

• Uber’s Ex-Security Chief Faces Landmark Trial Over Data Breach That Hit 57m Users

Uber’s former security officer, Joe Sullivan, is standing trial this week in what is believed to be the first case of an executive facing criminal charges in relation to a data breach.

The US district court in San Francisco will start hearing arguments on whether Sullivan, the former head of security at the ride-share giant, failed to properly disclose a 2016 data breach affecting 57 million Uber riders and drivers around the world.

At a time when reports of ransomware attacks have surged and cyber security insurance premiums have risen, the case could set an important precedent regarding the culpability of US security staffers and executives for the way the companies they work for handle cyber security incidents.

The breach first came to light in November 2017, when Uber’s chief executive, Dara Khosrowshahi, revealed that hackers had gained access to the driver’s licence numbers of 600,000 US Uber drivers as well as the names, email addresses and phone numbers of as many as 57 million Uber riders and drivers.

Public disclosures like Khosrowshahi’s are required by law in many US states, with most regulations mandating that the notification be made “in the most expedient time possible and without unreasonable delay”.

But Khosrowshahi’s announcement came with an admission: a whole year had passed since the information had been breached.

https://www.theguardian.com/technology/2022/sep/06/uber-joe-sullivan-trial-security-data-breach

• Over 10% of Enterprise IT Assets Found With Missing Endpoint Protection

More than 10% of enterprise IT assets are missing endpoint protection and roughly 5% are not covered by enterprise patch management solutions.

The figures come from new research by Sevco Security, which the company has compiled in the State of the Cybersecurity Attack Surface report.

"Attackers are very adept at exploiting enterprise vulnerabilities. Security and IT teams already have their hands full mitigating the vulnerabilities that they know about, and our data confirms that this is just the tip of the iceberg," Sevco told Infosecurity Magazine.

The document analyses data aggregated from visibility into more than 500,000 IT assets, and underlines existential and underreported cyber security issues in relation to securing enterprises’ assets.

“The uncertainty of enterprise inventory – the elements that make up an organisation’s cyber security attack surface – upends the foundation of every major security framework and presents a challenge to security teams: it’s impossible to protect what you can’t see,” they said.

For instance, the data found that roughly 3% of all IT assets are “stale” in endpoint protection, while 1% are stale from the perspective of patch management coverage.

https://www.infosecurity-magazine.com/news/enterprise-assets-miss-endpoint/

• Some Employees Aren't Just Leaving Companies — They're Defrauding Them

Since the Great Resignation in 2021, millions of employees have left their roles with current employers in search of better ones. According to Microsoft, 40% of employees reported they are considering leaving their current roles by the end of 2022. With many still working in remote or hybrid positions due to the pandemic, larger businesses have started implementing measures to gain a better understanding of employee morale and sentiment to prevent turnover.

While most employees leave companies on good terms, some may become extremely unhappy or disgruntled prior to their departure and are more likely to defraud the company either before leaving or on their way out the door. The unfortunate reality is that no business is immune to fraud, but luckily, there are several steps you can take to prevent it from happening.

According to the Cressey Fraud Triangle, fraudulent behaviour often occurs due to three contributing factors. These include pressure or motive to commit a fraud (usually a personal financial problem), perceived opportunity within the organisation to commit a fraud (poor oversight or internal controls), and rationalisation (the ability to justify the crime to make it seem acceptable).

Very often, a fraudster needs all three sides of the triangle to successfully commit a crime. Therefore, it is extremely important for organisations to do their best to create controls and understand the risk associated with each of these areas. For example, an employee may be disgruntled and also have personal financial issues. However, if internal controls are robust and the employee doesn't have access to financial instruments, valuable assets or software systems, their ability to defraud the company is extremely limited or will get identified immediately.

https://www.darkreading.com/vulnerabilities-threats/some-employees-aren-t-just-leaving-companies-they-re-defrauding-them

• Ransomware Gangs Switching to New Intermittent Encryption Tactic

A growing number of ransomware groups are adopting a new tactic that helps them encrypt their victims' systems faster while reducing the chances of being detected and stopped.

This tactic is called intermittent encryption, and it consists of encrypting only parts of the targeted files' content, which would still render the data unrecoverable without using a valid decryption key.

For example, by skipping every other 16 bytes of a file, the encryption process takes almost half of the time required for full encryption but still locks the contents for good.

Additionally, because the encryption is milder, automated detection tools that rely on detecting signs of trouble in the form of intense file IO operations are more likely to fail.

SentinelLabs has posted a report examining a trend started by LockFile in mid-2021 and now adopted by the likes of Black Basta, ALPHV (BlackCat), PLAY, Agenda, and Qyick.

These groups actively promote the presence of intermittent encryption features in their ransomware family to entice affiliates to join the RaaS operation.

"Notably, Qyick features intermittent encryption, which is what the cool kids are using as you read this. Combined with the fact that is written in Go, the speed is unmatched," describes a Qyick advertisement on hacking forums.

https://www.bleepingcomputer.com/news/security/ransomware-gangs-switching-to-new-intermittent-encryption-tactic/

• How Posting Personal and Business Photos Can Be a Security Risk

Image geotags, metadata, and location information can allow competitors, cyber criminals, and even nation-state threat actors to gain knowledge they can use against organisations.

Marketers in every industry enjoy evidencing their reach to their superiors and providing tangible examples of their width and breadth of influence via social networks, media, and other means of engagement. Photos of both customers and employees engaging at hosted social events, trade shows, conferences, and direct one-on-one encounters are often viewed as gold. Couple this with the individual employee’s or customer’s photos working their way onto social network platforms for others to see and admire, and the value of that gold increases, success being quantified by impressions, views and individual engagements.

The value of that gold doubles when not only does the company harvest data and call it a success, but their competitors also analyse such photos capturing a plethora of useful data points, including geotagged data, metadata of the photo, and identity of the individuals caught in the frame. They, too, call it a success. Yes, the digital engagement involving location data and or location hints within photos is a double-edged sword.

It isn’t just competitors who harvest the data. Criminal elements and nation-state intelligence and security elements do as well. Francis Bacon’s adage, “Knowledge itself is power,” applies. With location, time and place, and identity, competitors, criminals, and nation-states are given their initial tidbits of openly acquired information from which to begin to build their mosaic. 

https://www.csoonline.com/article/3672869/how-posting-personal-and-business-photos-can-be-a-security-risk.html#tk.rss_news

• Your Vendors Are Likely Your Biggest Cyber Security Risk

As speed of business increases, more and more organisations are looking to either buy companies or outsource more services to gain market advantage. With organisations expanding their vendor base, there is a critical need for holistic third-party risk management (TPRM) and comprehensive cyber security measures to assess how much risk vendors pose.

While organisations assess and manage risk on a multitude of layers, none present bigger threats to business resiliency than third-party risk and a lack of robust cyber security controls. Breaches and service interruptions tied to these risk areas have brought down critical systems of major organisations. In 2021, 53% of CISOs surveyed by Black Kite reported being hit by at least one ransomware attack.

It bears repeating: Cyber security and third-party risk are the two biggest problems facing your long-term viability. Businesses need to be able to tackle these risk vectors individually to gain a complete view of their risk profile. A cross-functional process is essential to managing the overlap between these risk areas to better protect your organisation and increase workflow efficiency.

Ensuring that the cyber security practices of your vendors align with your organisation’s standards is critical to safeguarding your systems and data. In fact, it is just as important as how stable the business is or how well it delivers products and services.

https://www.helpnetsecurity.com/2022/09/05/vendors-cybersecurity-risk/

• A Recent Chinese Hack Is a Wake-up Call for the Security of the World’s Software Supply Chain

It’s perhaps only a coincidence that there’s a famous Chinese saying ‘No one knows, not even the ghosts’ that neatly summarises a recent hack on MiMi, a Chinese messaging app. According to recent reports, a Chinese state-backed hacking group inserted malicious code into this messaging app, essentially pulling off the equivalent of the infamous SolarWinds hack. Users of MiMi were served a version of the app with malicious code added, thanks to attackers taking control of the servers that delivered the app. In short, this was a software supply chain attack in which the software delivery pipeline was compromised.

Observers could be forgiven for thinking that this is just another hack. Chinese hacking groups, and those of Western countries too, have developed a reputation over the past two decades for spying, surveillance, and sabotage. But this attack is different than typical hacking fare because the attackers rode in on the back of a trusted piece of software. This is a software supply chain attack, where the attackers tamper with either source code, the software build system, or the software publishing pipeline, all of which have become essential to the functioning of the world’s digital economy.

Software supply chain attacks have been rapidly growing in frequency. Twenty years ago, there might have been one or two a year. These days, depending on the methodology, there are either hundreds or thousands a year, and that’s only counting the reported attacks. And increasingly anybody who depends upon software (read: everybody) is or shortly will be a victim: the U.S. government, Microsoft, thousands of other companies and, apparently in this MiMi attack, individuals.

https://thediplomat.com/2022/09/a-recent-chinese-hack-is-a-wake-up-call-for-the-security-of-the-worlds-software-supply-chain/

• Massive Hotels Group IHG Struck by Cyber Attack Which Disrupts Booking Systems

InterContinental Hotels Group (IHG), which owns brands such as InterContinental, Crowne Plaza, Holiday Inn, and many others, has had its IT systems breached by malicious hackers.

In a filing with the London Stock Exchange, the multinational hospitality company reported that "parts of the company's technology systems have been subject to unauthorised activity."

As a result, the company said, "IHG's booking channels and other applications have been significantly disrupted since [Monday], and this is ongoing."

The first indication that the company was experiencing problems appeared early on Monday morning UK time, when anyone who tried to book a hotel room via the company's website or app, or access their IHG One Rewards account was greeted by a maintenance message.

Although it has made no declaration regarding the nature of the security breach, in its filing with the London Stock Exchange, IHG mentioned they were "working to fully restore all systems". This would fit into the scenario of IHG having hit been hit with ransomware, which may not only have encrypted data - locking the company out of its systems and demanding a ransom be paid - but could have also caused even more problems.

https://www.bitdefender.com/blog/hotforsecurity/massive-hotels-group-ihg-struck-by-cyberattack-which-disrupts-booking-systems/

• London's Biggest Bus Operator Hit by Cyber "Incident"

Travellers in London were braced for more delays last week after the city’s largest bus operator revealed it has been hit by a “cyber security incident,” according to reports.

Newcastle-based transportation group Go-Ahead shared a statement with the London Stock Exchange indicating “unauthorised activity” had been discovered on its network yesterday.

“Upon becoming aware of the incident, Go-Ahead immediately engaged external forensic specialists and has taken precautionary measures with its IT infrastructure whilst it continues to investigate the nature and extent of the incident and implement its incident response plans,” it stated. “Go-Ahead will continue to assess the potential impact of the incident but confirms that there is no impact on UK or International rail services which are operating normally.”

However, the same may not be true of its bus services. Sky News reported that bus and driver rosters may have been impacted by the attack, which could disrupt operations.

Go-Ahead operates multiple services in the South, South West, London, North West, East Anglia, East Yorkshire and its native North East. It is London’s largest bus company, operating over 2400 buses in the capital and employing more than 7000 staff.

https://www.infosecurity-magazine.com/news/londons-biggest-bus-operator-hit/

Threats

Ransomware and Extortion

• Ransomware remains the number one threat to businesses and government organisations - Help Net Security

• Interpol dismantles sextortion ring, warns of increased attacks (bleepingcomputer.com)

• Play Ransomware Attack Playbook Similar to that of Hive, Nokoyawa (trendmicro.com)

• Ransomware attacks on Linux to surge - Help Net Security

• LockBit gang leads the way for ransomware (techtarget.com)

• Some Members of Conti Group Targeting Ukraine in Financially Motivated Attacks (thehackernews.com)

• How to Improve Mean Time to Detect for Ransomware | SecurityWeek.Com

• Google: Former Conti ransomware members attacking Ukraine (techtarget.com)

• Hackers Are Using NASA Telescope Images To Push Ransomware (informationsecuritybuzz.com)

• Ransomware gang's Cobalt Strike servers DDoSed with anti-Russia messages (bleepingcomputer.com)

• Everything You Need To Know About BlackCat (AlphaV) (darkreading.com)

• Microsoft: Iranian hackers encrypt Windows systems using BitLocker (bleepingcomputer.com)

• Microsoft Warns of Ransomware Attacks by Iranian Phosphorus Hacker Group (thehackernews.com)

• Clarion Housing: Anger over landlord silence since cyber attack - BBC News

• New Ransomware Hits Windows, Linux Servers Of Chile Govt Agency (informationsecuritybuzz.com)

• QNAP warns new Deadbolt ransomware attacks exploiting 0day - Security Affairs

• Second largest U.S. school district LAUSD hit by ransomware (bleepingcomputer.com)

• Windows Defender identified Chromium, Electron apps as Hive Ransomware - Security Affairs

• BlackCat Ransomware Linked to Italy's Energy Services Firm Hack - Infosecurity Magazine (infosecurity-magazine.com)

Phishing & Email Based Attacks

• EvilProxy Commodifies Reverse-Proxy Tactic for Phishing, Bypassing 2FA (darkreading.com)

• Criminals harvest users' PI by impersonating popular brands - Help Net Security

• Lampion malware returns in phishing attacks abusing WeTransfer (bleepingcomputer.com)

• A new phishing scam targets American Express cardholders - Security Affairs

• EvilProxy phishing-as-a-service with MFA bypass emerged on the dark web - Help Net Security

• GIFShell attack creates reverse shell using Microsoft Teams GIFs (bleepingcomputer.com)

Other Social Engineering; Smishing, Vishing, etc

• Defeat social engineering attacks by growing your cyber resilience - Help Net Security

Malware

• Cyber criminals targeting Minecraft fans with malware • The Register

• Next-Gen Linux Malware Takes Over Devices With Unique Tool Set (darkreading.com)

• TeslaGun Primed to Blast a New Wave of Backdoor Cyber attacks (darkreading.com)

• New Linux malware evades detection using multi-stage deployment (bleepingcomputer.com)

• Bumblebee malware adds post-exploitation tool for stealthy infections (bleepingcomputer.com)

• Botnets in the Age of Remote Work (darkreading.com)

• North Korean Hackers Deploying New MagicRAT Malware in Targeted Campaigns (thehackernews.com)

Mobile

• In-app browser security risks, and what to do about them | CSO Online

• Fake Antivirus and Cleaner Apps Caught Installing SharkBot Android Banking Trojan (thehackernews.com)

• SharkBot Malware Resurfaces on Google Play to Steal Users' Credentials - Infosecurity Magazine (infosecurity-magazine.com)

Internet of Things – IoT

• New Stealthy Shikitega Malware Targeting Linux Systems and IoT Devices (thehackernews.com)

Data Breaches/Leaks

• NATO docs sold on darkweb after they were stolen from Portugal - Security Affairs

• Criminals claim they've stolen NATO missile plans • The Register

• TikTok denies data breach following leak of user data - Security Affairs

• IRS mistakenly published confidential info for roughly 120K taxpayers - Security Affairs

• Samsung US Says Customer Data Compromised in July Data Breach | SecurityWeek.Com

• Digital Identity Provider SDK Leaves Hundreds Of Thousands Of Biometric (informationsecuritybuzz.com)

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

• Scammers live-streamed on YouTube a fake Apple crypto event - Security Affairs

• FBI: Crooks are using these DeFi flaws to steal your money | ZDNET

• Feds freeze $30m in cryptocurrency stolen from Axie Infinity • The Register

• New Rules for Crypto Exchanges to Stop Sanctions Evaders - Infosecurity Magazine (infosecurity-magazine.com)

Fraud, Scams & Financial Crime

• 62% of consumers see fraud as an inevitable risk of online shopping - Help Net Security

• Islanders in Jersey lose nearly £400,000 to romance fraud | ITV News Channel

• The Advantages of Threat Intelligence for Combating Fraud | SecurityWeek.Com

AML/CFT/Sanctions

• UK forces crypto exchanges to report suspected sanction breaches | Cryptocurrencies | The Guardian

• US Treasury sanctioned Iran ’s Ministry of Intelligence over Albania cyber attack - Security Affairs

Insurance

• Lloyd’s of London defends cyber insurance exclusion for state-backed attacks | Financial Times (ft.com)

• Global Cyber security Insurance Market Size Expected to Top $32.6 Billion by 2028 - MSSP Alert

• With cyber insurance costs increasing, can smaller firms avoid getting priced out? - Help Net Security

Supply Chain and Third Parties

• Supply chain risk is a top security priority as confidence in partners wanes - Help Net Security

• KeyBank: Hackers of third-party provider stole customer data | The Seattle Times

• Government guide for supply chain security: The good, the bad and the ugly - Help Net Security

Software Supply Chain

• Report Highlights Prevalence of Software Supply Chain Risks (darkreading.com)

Denial of Service DoS/DDoS

• Ransomware gang's Cobalt Strike servers DDoSed with anti-Russia messages (bleepingcomputer.com)

Cloud/SaaS

• Defenders Be Prepared: Cyber attacks Surge Against Linux Amid Cloud Migration (darkreading.com)

• Hybrid Cloud Security Challenges & Solutions (trendmicro.com)

• 3 Critical Steps for Reducing Cloud Risk (darkreading.com)

Identity and Access Management

• There is no secure critical infrastructure without identity-based access - Help Net Security

Encryption

• A Pragmatic Response to the Quantum Threat (darkreading.com)

API

• 6 Top API Security Risks! Favoured Targets for Attackers If Left Unmanaged (thehackernews.com)

• API Security for the Modern Enterprise - IT Security Guru

Open Source

• New Linux malware combines unusual stealth with a full suite of capabilities | Ars Technica

Passwords, Credential Stuffing & Brute Force Attacks

• Are Default Passwords Hiding in Your Active Directory? Here's how to check (bleepingcomputer.com)

• 200,000 North Face accounts hacked in credential stuffing attack (bleepingcomputer.com)

Social Media

• TikTok denies security breach after hackers leak user data, source code (bleepingcomputer.com)

• Facebook Engineers Admit They Don’t Know What They Do With Your Data (vice.com)

• Meta axes Responsible Innovation team charged with addressing ethical problems with Facebook, Instagram, WhatsApp | Fortune

Privacy

• You should know that most websites share your in-site search queries with third parties - Help Net Security

• Meta Fined $400m in Ireland For Children's Privacy Breach - Infosecurity Magazine (infosecurity-magazine.com)

Parental Controls and Child Safety

• Google’s image-scanning illustrates how tech firms can penalise the innocent | John Naughton | The Guardian

Cyber Bullying and Cyber Stalking

• ‘I didn’t want it anywhere near me’: how the Apple AirTag became a gift to stalkers | Apple | The Guardian

Regulations, Fines and Legislation

• Tear up decades-old law to save Britain from hackers, say cyber experts (telegraph.co.uk)

• UK Privacy Regulator Fines Halfords for Spam Deluge - Infosecurity Magazine (infosecurity-magazine.com)

• Meta Fined $400m in Ireland For Children's Privacy Breach - Infosecurity Magazine (infosecurity-magazine.com)

Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine

• Google Details Recent Ukraine Cyber attacks | SecurityWeek.Com

• Ukraine dismantles more bot farms spreading Russian disinformation (bleepingcomputer.com)

• Ukraine is under attack by hacking tools repurposed from Conti cyber crime group | Ars Technica

• Sprawling, multi-year Iranian cyberespionage and surveillance group exposed in new report - CyberScoop

• Iranian APT42 Launched Over 30 Espionage Attacks Against Activists and Dissidents (thehackernews.com)

• Newly discovered cyber spy group targets Asia • The Register

• New Iranian hacking group APT42 deploys custom Android spyware (bleepingcomputer.com)

• Israeli Defence Minister's Cleaner Sentenced for Spying Attempt | SecurityWeek.Com

• An interview with Ukrainian hacker 'Herm1t' on countering pro-Kremlin attacks - The Record by Recorded Future

• Researchers Find New Android Spyware Campaign Targeting Uyghur Community (thehackernews.com)

• Anonymous hacked Yandex taxi causing a traffic jam in Moscow - Security Affairs

Nation State Actors

Nation State Actors – Russia

• Raspberry Robin Malware Connected to Russian Evil Corp Gang (darkreading.com)

Nation State Actors – China

• US bans ‘advanced tech’ firms from building facilities in China for a decade | Technology sector | The Guardian

Nation State Actors – North Korea

• North Korean Hackers Deploying New MagicRAT Malware in Targeted Campaigns (thehackernews.com)

• North Korea's Lazarus Targets Energy Firms With Three RATs | SecurityWeek.Com

Nation State Actors – Iran

• Microsoft: Iranian hackers encrypt Windows systems using BitLocker (bleepingcomputer.com)

• UK condemns Iran for reckless cyber attack against Albania - GOV.UK (www.gov.uk)

• US Treasury sanctioned Iran ’s Ministry of Intelligence over Albania cyber attack - Security Affairs

• NATO Condemns Alleged Iranian Cyber attack on Albania | SecurityWeek.Com

• New Iranian hacking group APT42 deploys custom Android spyware (bleepingcomputer.com)

• Microsoft investigates Iranian attacks against the Albanian government - Microsoft Security Blog

• Microsoft Warns of Ransomware Attacks by Iranian Phosphorus Hacker Group (thehackernews.com)

Nation State Actors – Misc

• Nation-state attacks are a growing threat to video conferencing - Help Net Security

• Use of machine identities is growing in state-sponsored cyber attacks - Help Net Security

Vulnerability Management

• High-profile vulnerabilities encourage organisations to improve security posture - Help Net Security

Vulnerabilities

• CISA adds 12 new flaws to Known Exploited Vulnerabilities Catalog - Security Affairs

• September 2022 Patch Tuesday forecast: No sign of cooling off - Help Net Security

• High-risk ConnectWise Automate vulnerability fixed, admins urged to patch ASAP - Help Net Security

• Hackers Exploit Zero-Day in WordPress BackupBuddy Plugin in ~5 Million Attempts (thehackernews.com)

• Cisco Releases Security Patches for New Vulnerabilities Impacting Multiple Products (thehackernews.com)

• Mirai Variant MooBot Botnet Exploiting D-Link Router Vulnerabilities (thehackernews.com)

• Cisco won’t fix authentication bypass zero-day in EoL routers (bleepingcomputer.com)

• Critical RCE Vulnerability Affects Zyxel NAS Devices — Firmware Patch Released (thehackernews.com)

• Chrome and Edge fix zero-day security hole – update now! – Naked Security (sophos.com)

• Google Patches Sixth Chrome Zero-Day of 2022 | SecurityWeek.Com

• QNAP patches zero-day used in new Deadbolt ransomware attacks (bleepingcomputer.com)

• HP fixes severe bug in pre-installed Support Assistant tool (bleepingcomputer.com)

Other News

• Top 5 Cyber crime Cases in 2022 (techgenix.com)

• The Heartbleed bug: How a flaw in OpenSSL caused a security crisis | CSO Online

• Cyber Security - the More Things Change, the More They Are The Same | SecurityWeek.Com

• CISOs say stress and burnout are their top personal risks (cnbc.com)

• How to deal with unprecedented levels of regulatory change - Help Net Security

Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

·       Automotive

·       Construction

·       Critical National Infrastructure (CNI)

·       Defence & Space

·       Education & Academia

·       Energy & Utilities

·       Estate Agencies

·       Financial Services

·       FinTech

·       Food & Agriculture

·       Gaming & Gambling

·       Government & Public Sector (including Law Enforcement)

·       Health/Medical/Pharma

·       Hotels & Hospitality

·       Insurance

·       Legal

·       Manufacturing

·       Maritime

·       Oil, Gas & Mining

·       OT, ICS, IIoT, SCADA & Cyber-Physical Systems

·       Retail & eCommerce

·       Small and Medium Sized Businesses (SMBs)

·       Startups

·       Telecoms

·       Third Sector & Charities

·       Transport & Aviation

·       Web3

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.