Threat Intelligence Blog
Contact us to discuss any insights from our Blog, and how we can support you in a tailored threat intelligence report.
Black Arrow Cyber Threat Briefing 16 June 2023
Black Arrow Cyber Threat Briefing 16 June 2023:
-Hacker Gang Clop Deploys Extortion Tactics Against Global Companies
-Social Engineering Drives BEC Losses to $50B Globally
-Creating A Cyber-Conscious Culture—It Must Be Driven from the Top
-Artificial Intelligence is Coming to Windows: Are Your Security Policy Settings Ready?
-Cyber Crooks Targeting Employees, Organisations Fight Back with Training Programs
-Massive Phishing Campaign Uses 6,000 Sites to Impersonate 100 Brands
-A Recent Study Shows Over One in Ten Brits are Willing to Engage in ‘Illegal or Illicit’ Online Behaviour as the Cost of Living Crisis Worsens, Driving Insider Threat Concerns
-Microsoft Office 365 Phishing Reveals Signs of Much Larger BEC Campaign
-Europol Warns of Metaverse and AI Terror Threat
-What is AI, and is it Dangerous?
-Cyber Liability Insurance Vs. Data Breach Insurance: What's the Difference?
-Exploring the Dark Web: Hitmen for Hire and the Realities of Online Activities
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
Hacker Gang Clop Deploys Extortion Tactics Against Global Companies
The Russian-speaking gang of hackers that compromised UK groups such as British Airways and the BBC has claimed it has siphoned off sensitive data from more institutions including US-based investment firms, European manufacturers and US universities. Eight other companies this week made it onto Clop’s list on the dark web. That adds to the news last week that UK groups, including Walgreens-owned Boots, informed employees that their data had been compromised. The issue also targeted customers of Zellis, a UK-based payroll provider that about half of the companies on the FTSE 100 use.
The hacking group is pushing for contact with the companies on the list, according to a post on Clop’s dark web site, as the gang demands a ransom that cyber security experts and negotiators said could be as much as several million dollars.
https://www.ft.com/content/c1db9c5c-cdf1-48bc-8e6b-2c2444b66dc9
Social Engineering Drives BEC Losses to $50B Globally
Business email compromise (BEC) continues to evolve on the back of sophisticated targeting and social engineering, costing businesses worldwide more than $50 billion in the last 10 years - a figure that reflected a growth in business losses to BEC of 17% year-over-year in 2022, according to the FBI.
Security professionals attribute BEC's continued dominance in the cyber threat landscape to several reasons. A key one is that attackers have become increasingly savvy in how to socially-engineer messages so that they appear authentic to users, which is the key to being successful at this scam. And with the increase in availability of artificial intelligence, the continued success of BEC means these attacks are here to stay. Organisations will be forced to respond with even stronger security measures, security experts say.
https://www.darkreading.com/threat-intelligence/social-engineering-drives-bec-losses-to-50b-globally
Creating A Cyber Conscious Culture—It Must Be Driven from the Top
Businesses are facing more frequent and sophisticated cyber threats and they must continuously learn new ways to protect their revenues, reputation and maintain regulatory compliance. With hybrid and remote working blurring traditional security perimeters and expanding the attack surface, the high volumes of sensitive information held by organisations are at increased risk of cyber attacks.
The increase had led to cyber elevating to the board level; after all the board is responsible for cyber security. It doesn’t stop there however, as everyone in an organisation has responsibility for upholding cyber security. The board must aim to create a cyber-conscious culture, where users are aware of their role in cyber security. One important way such a culture can be achieved is through providing regular education and training to all users.
Artificial Intelligence is Coming to Windows: Are Your Security Policy Settings Ready?
What’s in your Windows security policy? Do you review your settings on an annual basis or more often? Do you provide education and training regarding the topics in the policy? Does it get revised when the impact of an incident showcases that an internal policy violation led to the root cause of the issue? And, importantly, do you have a security policy that includes your firm’s overall policies around the increasing race towards artificial intelligence, which is seemingly in nearly every application released these days?
From word processing documents to the upcoming enhancements to Windows 11, which will include AI prompting in the Explorer platform, organisations should review how they want their employees to treat customer data or other confidential information when using AI platforms. Many will want to build limits and guidelines into their security plans that specify what is allowed to be entered into platforms and websites that may store or share the information online. However, confidential information should not be included in any application that doesn’t have clearly defined protections around the handling of such data. The bottom line is that AI is coming to your network and your desktop sooner than you think. Build your policies now and review your processes to determine if you are ready for it today.
Cyber Crooks Targeting Employees, Organisations Fight Back with Training Programs
Cyber criminals are increasingly targeting an organisation’s employees, figuring to trick an untrained staffer to click on a malicious link that starts a malware attack, Fortinet said in a newly released study of security awareness and training.
More than 80% of organisations faced malware, phishing and password attacks last year, which were mainly targeted at users. This underscores that employees can be an organisation’s weakest point or one of its most powerful defences.
Fortinet’s research revealed that more than 90% of the survey’s respondents believe that increased employee cyber security awareness would help decrease the occurrence of cyber attacks. As organisations face increasing cyber risks, employees serving as an organisation’s first line of defence in protecting their organisation from cyber crime becomes of paramount importance.
Massive Phishing Campaign Uses 6,000 Sites to Impersonate 100 Brands
A widespread brand impersonation campaign targeting over a hundred popular apparel, footwear, and clothing brands has been underway since June 2022, tricking people into entering their account credentials and financial information on fake websites. The brands impersonated by the phony sites include Nike, Puma, Asics, Vans, Adidas, Columbia, Superdry, Converse, Casio, Timberland, Salomon, Crocs, Sketchers, The North Face and others.
A recent report found the campaign relies on at least 3,000 domains and roughly 6,000 sites, including inactive ones. The campaign had a significant activity spike between January and February 2023, adding 300 new fake sites monthly. The domain names follow a pattern of using the brand name together with a city or country, followed by a generic TLD such as ".com." Additionally, any details entered on the checkout pages, most notably the credit card details, may be stored by the website operators and resold to cyber criminals.
Over One in Ten Brits are Willing to Engage in ‘Illegal or Illicit’ Online Behaviour
A recent study found that 11% of Brits were tempted to engage in ‘illegal or illicit online behaviour’ in order to help manage the fallout from the cost of living crisis. This statistic becomes even more concerning when focused on younger people, with almost a quarter of 25–35 year old respondents (23%) willing to consider illegal or illicit online activity. Of those willing to engage in this kind of behaviour, 56% suggested it was because they are desperate and struggling to get by, and need to find alternative means of supporting their families.
Nearly half (47%) of UK business leaders believe their organisation has been at a greater risk of attack since the start of the cost-of-living crisis. Against this backdrop, many SME business leaders are understandably worried about the impact on employees. Of those who think their organisation is more exposed to attack, 38% believe it’s due to malicious insiders and 35% to overworked and distracted staff making mistakes. Organisations not doing so already, should look to incorporate insider threat into their security plans. Insider threat should focus on areas such as regular education and monitoring and detection.
The report found that 44% of respondents have also noticed an uptick in online scams hitting their inboxes since the cost of living crisis began in late 2021/early 2022. Another worrying finding is that this uptick is proving devastatingly effective for scammers: over one in ten (13%) of UK respondents have already been scammed since the cost of living crisis began. This rises to a quarter (26%) of respondents in the 18-25 age range, reflecting a hyper-online lifestyle and culture that scammers can work to exploit effectively.
https://www.infosecurity-magazine.com/news/costofliving-crisis-drives-insider/
Microsoft Office 365 Phishing Reveals Signs of Much Larger BEC Campaign
Recently, Microsoft discovered multi-stage adversary-in-the-middle (AitM) phishing and business email compromise (BEC) attacks against banking and financial services organisations. The attackers are successfully phishing employees’ accounts with fake Office 365 domains. This allows them to bypass authentication, exfiltrate data and send further phishing emails against other employees and several targeted external organisations. In some cases, threat actors have registered their own device to the employee’s account, to evade MFA defences and achieve persistent access.
https://securityaffairs.com/147327/hacking/aitm-bec-attacks.html
https://thehackernews.com/2023/06/adversary-in-middle-attack-campaign.html
Europol Warns of Metaverse and AI Terror Threat
New and emerging technologies like conversational AI, deepfakes and the metaverse could be utilised by terrorists and extremists to radicalise and recruit converts to their cause, Europol has warned. The report stated that the online environment lowers the bar for entering the world of terrorism and extremism, broadens the range of people that can become exposed to radicalisation and increases the unpredictability of terrorism and extremism.
Europol also pointed to the potential use of deepfakes, augmented reality and conversational AI to enhance the efficiency of terrorist propaganda. Both these technologies and internet of things (IoT) tools can also be deployed in more practical tasks such as the remote operation of vehicles and weapons used in attacks or setting up virtual training camps. Digital currencies are also playing a role in helping to finance such groups while maintaining the anonymity of those contributing the funding, Europol said.
https://www.infosecurity-magazine.com/news/europol-warns-metaverse-and-ai/
What is AI, and is it Dangerous?
Recently, we saw the release of the first piece of EU regulation on AI. This comes after a significant rise in the usage of tools such as ChatGPT. Such tools allow for even those with limited technical ability to perform sophisticated actions. In fact, usage has risen 44% over the last three months alone, according to a report.
Rather worryingly, there is a lack of governance on the usage of AI, and this extends to how AI is used within your own organisation. Whilst the usage can greatly improve actions performed within an organisation, the report found that 6% of employees using AI had pasted sensitive company data into an AI tool. Would your organisation know if this happened, and how damaging could it be to your organisation if this data was to be leaked? Continuous monitoring, risk analysis and real-time governance can help aid an organisation in having an overview of the usage of AI.
https://www.bbc.co.uk/news/technology-65855333
https://thehackernews.com/2023/06/new-research-6-of-employees-paste.html
Cyber Liability Insurance Vs. Data Breach Insurance: What's the Difference?
With an ever-increasing number of cyber security threats and attacks, companies are becoming motivated to protect their businesses and customer data both technically and financially. Finding the right insurance has become a key part of the security equation.
Companies looking to protect themselves have most likely heard the terms “cyber liability insurance” and “data breach insurance.” Put simply, cyber liability insurance refers to coverage for third-party claims asserted against a company stemming from a network security event or data breach. Data breach insurance, on the other hand, refers to coverage for first-party losses incurred by the insured organisation that has suffered a loss of data.
Exploring the Dark Web: Hitmen for Hire and the Realities of Online Activities
The dark web makes up a significant portion of the internet. Access can be gained through special browser, TOR, also known as the onion Router. The service bounces around IP addresses, constantly changing to protect the anonymity of the user.
This dark web contains an array of activities and sites, which include hitmen for hire, drugs for sale, and stolen credit card databases amongst others. Sometimes these aren’t real however, and are actually a trap to steal money from users on the basis that these users are unlikely to report it to law enforcement when the victim was trying to break the law in the first place. What we do know however, is that the dark web contains a plethora of information, and this could include data from your organisation.
Governance, Risk and Compliance
Creating A Cyber-Conscious Culture—It Must Be Driven From The Top (forbes.com)
Most businesses vulnerable to attacks on the cyber battlefield - The Globe and Mail
10 Important Security Tasks You Shouldn't Skip (darkreading.com)
Enhancing security team capabilities in tough economic times - Help Net Security
Ignoring digital transformation is more dangerous than a recession - Help Net Security
Ransomware Insurance: Security Strategies to Obtain Coverage (trendmicro.com)
Lax security measures, sophisticated hackers reason for rise in cyber breaches (ewn.co.za)
Cyber Crooks Targeting Employees, Organisations Fight Back with Training Programs - MSSP Alert
Cyber liability insurance vs. data breach insurance: What's the difference? | CSO Online
Red teaming can be the ground truth for CISOs and execs - Help Net Security
Threats
Ransomware, Extortion and Destructive Attacks
CL0P Ransomware Gang Hits Multiple Governments, Businesses in Wide-Scale Attack - MSSP Alert
How Continuous Monitoring and Threat Intel Can Help Prevent Ransomware (darkreading.com)
Researchers Report First Instance of Automated SaaS Ransomware Extortion (darkreading.com)
Why Critical Infrastructure Remains a Ransomware Target (darkreading.com)
Ransomware Insurance: Security Strategies to Obtain Coverage (trendmicro.com)
CISA: LockBit ransomware extorted $91 million in 1,700 US attacks (bleepingcomputer.com)
Microsoft links data wiping attacks to new Russian GRU hacking group (bleepingcomputer.com)
To Fight Cyber Extortion and Ransomware, Shift Left (trendmicro.com)
Ransomware Hackers and Scammers Utilizing Cloud Mining to Launder Cryptocurrency (thehackernews.com)
Russian ransomware hacker extorted tens of millions, says DOJ (cnbc.com)
Ransomware Victims
Ofcom, Minnesota Dept of Ed among latest MOVEit victims • The Register
Confidential data downloaded from UK regulator Ofcom in cyber attack (therecord.media)
Oil and gas giant Shell confirms it was impacted by Clop ransomware attacks (therecord.media)TfL warns 13,000 staff that it was raided by Russian hackers (telegraph.co.uk)
Russian hackers steal data on thousands of Ulez drivers (telegraph.co.uk)
An Illinois hospital links closure to ransomware attack (nbcnews.com)
US energy department, other agencies hit in global hacking spree | Reuters
iTWire - Financial services firm FIIG hit by cyber attack, ALPHV claims credit
Xplain data breach also impacted national Swiss railway FSS - Security Affairs
Rhysida ransomware leaks documents stolen from Chilean Army (bleepingcomputer.com)
Phishing & Email Based Attacks
Microsoft Office 365 AitM phishing reveals signs of much larger BEC campaign | CSO Online
Adversary-in-the-Middle Attack Campaign Hits Dozens of Global Organisations (thehackernews.com)
Log4J exploits may rise further as Microsoft continues war on phishing | ITPro
Popular Apparel, Clothing Brands Being Used in Massive Phishing Scam (darkreading.com)
Massive phishing campaign uses 6,000 sites to impersonate 100 brands (bleepingcomputer.com)
BEC – Business Email Compromise
Microsoft warns of multi-stage AiTM phishing and BEC attacks - Security Affairs
Analysis: Social Engineering Drives BEC Losses to $50B Globally (darkreading.com)
Other Social Engineering; Smishing, Vishing, etc
Artificial Intelligence
New Research: 6% of Employees Paste Sensitive Data into GenAI tools as ChatGPT (thehackernews.com)
Artificial intelligence is coming to Windows: Are your security policy settings ready? | CSO Online
Europol Warns of Metaverse and AI Terror Threat - Infosecurity Magazine (infosecurity-magazine.com)
How Europe is Leading the World in the Push to Regulate AI - SecurityWeek
AI is moving too fast to regulate, security minister warns (telegraph.co.uk)
AI to render humans 'second most intelligent creations' | ITWeb
LLM meets Malware: Starting the Era of Autonomous Threat - Security Affairs
What is AI, is it dangerous and what jobs are at risk? - BBC News
Calculations Suggest It'll Be Impossible to Control a Super-Intelligent AI : ScienceAlert
2FA/MFA
Multi-Factor Authentication Usage Nearly Doubles Since 2020, New Okta Report Finds - MSSP Alert
Small organisations outpace large enterprises in MFA adoption - Help Net Security
Malware
New SPECTRALVIPER Backdoor Targeting Vietnamese Public Companies (thehackernews.com)
New Loader Delivering Spyware via Image Steals Cryptocurrency Info (darkreading.com)
Pirated Windows 10 ISOs install clipper malware via EFI partitions (bleepingcomputer.com)
Chinese hackers use DNS-over-HTTPS for Linux malware communication (bleepingcomputer.com)
Fake zero-day PoC exploits on GitHub push Windows, Linux malware (bleepingcomputer.com)
LLM meets Malware: Starting the Era of Autonomous Threat - Security Affairs
New ‘Shampoo’ Chromeloader malware pushed via fake warez sites (bleepingcomputer.com)
Russian hackers use PowerShell USB malware to drop backdoors (bleepingcomputer.com)
Fake Security Researcher Accounts Pushing Malware Disguised as Zero-Day Exploits - SecurityWeek
Vidar Malware Using New Tactics to Evade Detection and Anonymize Activities (thehackernews.com)
Mobile
Denial of Service/DoS/DDOS
Microsoft’s Azure portal down following new claims of DDoS attacks (bleepingcomputer.com)
DOS Attacks Dominate, but System Intrusions Cause Most Pain (darkreading.com)
Swiss government warns of ongoing DDoS attacks, data leak (bleepingcomputer.com)
IoT Botnet DDoS Attacks Threaten Global Telecom Networks, Nokia (hackread.com)
10 Different Types of DDoS Attacks and How to Prevent Them (geekflare.com)
Exclusive: Inside FXStreet's DDoS Attack (financemagnates.com)
Internet of Things – IoT
IoT Botnet DDoS Attacks Threaten Global Telecom Networks, Nokia (hackread.com)
How secure is your vehicle with digital key technology? - Help Net Security
Flipper Zero “Smoking” A Smart Meter Is A Bad Look For Hardware Hackers | Hackaday
Data Breaches/Leaks
Another huge US medical data breach confirmed after Fortra mass-hack | TechCrunch
New Research: 6% of Employees Paste Sensitive Data into GenAI tools as ChatGPT (thehackernews.com)
Top 10 cyber security findings from Verizon's 2023 data breach report | VentureBeat
Xplain data breach also impacted national Swiss railway FSS - Security Affairs
Examining the long-term effects of data privacy violations - Help Net Security
A Massive Vaccine Database Leak Exposes IDs of Millions of Indians | WIRED
Swiss Fear Government Data Stolen in Cyber attack - SecurityWeek
Ofcom, Minnesota Dept of Ed among latest MOVEit victims • The Register
Have I Been Pwned warns of new Zacks data breach impacting 8 million (bleepingcomputer.com)
Organised Crime & Criminal Actors
Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain
Hackers steal $3 million by impersonating crypto news journalists (bleepingcomputer.com)
Beware: 1,000+ Fake Cryptocurrency Sites Trap Users in Bogus Rewards Scheme (thehackernews.com)
New Loader Delivering Spyware via Image Steals Cryptocurrency Info (darkreading.com)
Cryptocurrency Attacks Quadrupled as Cyber criminals Cash In (darkreading.com)
Ransomware Hackers and Scammers Utilizing Cloud Mining to Launder Cryptocurrency (thehackernews.com)
Insider Risk and Insider Threats
Cyber Crooks Targeting Employees, Organisations Fight Back with Training Programs - MSSP Alert
Insider Threat Vs Outsider Threat: Which Is Worse? (informationsecuritybuzz.com)
Fraud, Scams & Financial Crime
Impersonation Attacks
Insurance
Ransomware Insurance: Security Strategies to Obtain Coverage (trendmicro.com)
Cyber liability insurance vs. data breach insurance: What's the difference? | CSO Online
Dark Web
Supply Chain and Third Parties
Cloud/SaaS
SaaS Ransomware Attack Hit Sharepoint Online Without Using a Compromised Endpoint - SecurityWeek
New MOVEit Transfer critical flaws found after security audit, patch now (bleepingcomputer.com)
Seven steps for using zero trust to protect your multicloud • The Register
New cloud security guidance: it's all about the config - NCSC.GOV.UK
Microsoft keeps quiet on talk of possible Azure DDoS attack • The Register
Encryption
Open Source
Chinese hackers use DNS-over-HTTPS for Linux malware communication (bleepingcomputer.com)
Fake zero-day PoC exploits on GitHub push Windows, Linux malware (bleepingcomputer.com)
Passwords, Credential Stuffing & Brute Force Attacks
Thoughts on scheduled password changes (don’t call them rotations!) – Naked Security (sophos.com)
Microsoft misused our dark web data, says security vendor • The Register
RDP honeypot targeted 3.5 million times in brute-force attacks (bleepingcomputer.com)
Want to be hacked? Just make these password mistakes | Tom's Guide (tomsguide.com)
Training, Education and Awareness
Digital Transformation
Regulations, Fines and Legislation
AI is moving too fast to regulate, security minister warns (telegraph.co.uk)
Ofcom, Minnesota Dept of Ed among latest MOVEit victims • The Register
Confidential data downloaded from UK regulator Ofcom in cyber attack (therecord.media)
Yet more direct calling fiends fined by UK's data watchdog • The Register
How Europe is Leading the World in the Push to Regulate AI - SecurityWeek
Feds extend deadline for software security attestations • The Register
Models, Frameworks and Standards
Data Protection
Careers, Working in Cyber and Information Security
Law Enforcement Action and Take Downs
Privacy, Surveillance and Mass Monitoring
Examining the long-term effects of data privacy violations - Help Net Security
Strava heatmap feature can be abused to find home addresses (bleepingcomputer.com)
US Intelligence Has Admitted Amassed Data on 'Nearly Everyone' (gizmodo.com)
Feds Say Facial Recognition IDed Bosnian War Criminal Miljkovic (gizmodo.com)
Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine
Putin’s little cyber helpers turn their sights on the UK (telegraph.co.uk)
Russia-Ukraine war sending shockwaves into cyber-ecosystem • The Register
Ukrainian hackers take down service provider for Russian banks (bleepingcomputer.com)
RomCom Threat Actor Targets Ukrainian Politicians, US Healthcare (darkreading.com)
Pro-Russian hackers step up attacks against Swiss targets, authorities say | Reuters
Russian hackers steal data on thousands of Ulez drivers (telegraph.co.uk)
Microsoft links data wiping attacks to new Russian GRU hacking group (bleepingcomputer.com)
Russian hackers use PowerShell USB malware to drop backdoors (bleepingcomputer.com)
Pro-Russian Hackers Target Website of Europe’s Largest Port in Rotterdam - Bloomberg
Russia-linked APT Gamaredon update TTPs in recent attacks against Ukraine - Security Affairs
Russia-backed hackers unleash new USB-based malware on Ukraine’s military | Ars Technica
Nation State Actors
Chinese hackers use DNS-over-HTTPS for Linux malware communication (bleepingcomputer.com)
Iran's 'quantum processor' turned out to be a $600 dev board | PC Gamer
China-based threat actors target UIDAI, AIIMS, ICMR: Govt advisory (moneycontrol.com)
Subsea cables: how the US is pushing China out of the internet’s plumbing
Ukraine information sharing a model for countering China, top cyber official says | CyberScoop
Chinese Threat Actor Abused ESXi Zero-Day to Pilfer Files From Guest VMs (darkreading.com)
North Korea created evil twin of South Korea's Naver.com • The Register
Behind the Scenes Unveiling the Hidden Workings of Earth Preta (trendmicro.com)
Gloucester: Russian hackers behind cyber-attack on council - BBC News
Critical Barracuda ESG Zero-Day Linked to Novel Chinese APT (darkreading.com)
Russian ransomware hacker extorted tens of millions, says DOJ (cnbc.com)
Vulnerability Management
Vulnerabilities
Third Flaw Uncovered in MOVEit Transfer App Amidst Cl0p Ransomware Mass Attack (thehackernews.com)
Bitwarden update corrects password manager access vulnerability on Windows - gHacks Tech News
Fortinet: Patched Critical Flaw May Have Been Exploited (darkreading.com)
Bitwarden update corrects password manager access vulnerability on Windows - gHacks Tech News
CISA orders federal agencies to secure Internet-exposed network devices (bleepingcomputer.com)
Microsoft June 2023 Patch Tuesday fixes 78 flaws, 38 RCE bugs (bleepingcomputer.com)
Log4J exploits may rise further as Microsoft continues war on phishing | ITPro
New Critical Google Chrome Payments Security Issue Confirmed (forbes.com)
Critical Security Vulnerability Discovered in WooCommerce Stripe Gateway Plugin (thehackernews.com)
VMware fixes critical flaws in Aria Operations for Networks (CVE-2023-20887) - Help Net Security
US energy department, other agencies hit in global hacking spree | Reuters
Tools and Controls
Ignoring digital transformation is more dangerous than a recession - Help Net Security
Cyber Crooks Targeting Employees, Organisations Fight Back with Training Programs - MSSP Alert
Cyber liability insurance vs. data breach insurance: What's the difference? | CSO Online
Red teaming can be the ground truth for CISOs and execs - Help Net Security
How Continuous Monitoring and Threat Intel Can Help Prevent Ransomware (darkreading.com)
What is Dark Web Monitoring and How Does It Work? | Trend Micro News
New cloud security guidance: it's all about the config - NCSC.GOV.UK
Why Now? The Rise of Attack Surface Management (thehackernews.com)
Exploring the All-Time Best Book for Ethical Hacking – Codelivly
Enhancing security team capabilities in tough economic times - Help Net Security
Small organisations outpace large enterprises in MFA adoption - Help Net Security
MSSQL makes up 93% of all activity on honeypots tracking 10 databases | SC Media (scmagazine.com)
5 best practices to ensure the security of third-party APIs | CSO Online
Multi-Factor Authentication Usage Nearly Doubles Since 2020, New Okta Report Finds - MSSP Alert
Reports Published in the Last Week
Sector Specific
Industry specific threat intelligence reports are available.
Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.
· Automotive
· Construction
· Critical National Infrastructure (CNI)
· Defence & Space
· Education & Academia
· Energy & Utilities
· Estate Agencies
· Financial Services
· FinTech
· Food & Agriculture
· Gaming & Gambling
· Government & Public Sector (including Law Enforcement)
· Health/Medical/Pharma
· Hotels & Hospitality
· Insurance
· Legal
· Manufacturing
· Maritime
· Oil, Gas & Mining
· OT, ICS, IIoT, SCADA & Cyber-Physical Systems
· Retail & eCommerce
· Small and Medium Sized Businesses (SMBs)
· Startups
· Telecoms
· Third Sector & Charities
· Transport & Aviation
· Web3
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Threat Briefing 24 June 2022
Black Arrow Cyber Threat Briefing 24 June 2022:
-The NCSC Sets Out the UK’s Cyber Threat Landscape
-We're Now Truly in The Era of Ransomware as Pure Extortion Without the Encryption
-5 Social Engineering Assumptions That Are Wrong
-Gartner: Regulation, Human Costs Will Create Stormy Cyber Security Weather Ahead
-Ransomware Attacks - This Is the Data That Cyber Criminals Really Want to Steal
-Cloud Email Threats Soar 101% in a Year
-80% of Firms Suffered Identity-Related Breaches in Last 12 Months
-After Being Breached Once, Many Companies Are Likely to Be Hit Again
-Do You Have Ransomware Insurance? Look at the Fine Print
-The Price of Stolen Info: Everything on Sale On The Dark Web
-How Companies Are Prioritizing Infosec and Compliance
-Businesses Risk ‘Catastrophic Financial Loss’ from Cyber Attacks, US Watchdog Warns
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
The NCSC Sets Out the UK’s Cyber Threat Landscape
The current state of the UK’s cyber threat landscape was outlined by the National Cyber Security Centre (NCSC), during a keynote address on the final day of Infosecurity Europe 2022.
They described the cyber threats posed by nation-states, particularly Russia and China. Russia remains “one of the world’s most prolific cyber actors and dedicates significant resources to conducting cyber operations across the globe.” The NCSC and international partner organisations have attributed a number of high-profile attacks related to the conflict to Russian state actors, including the Viasat incident on the eve of the invasion of Ukraine on February 24. Therefore, the NCSC recommends that organisations prepare for a dynamic situation that is liable to change rapidly.
The NCSC emphasised that a more significant long-term threat comes from China, citing GCHQ director Jeremy Fleming’s assertion that “Russia is affecting the weather, but China is shaping the climate.” She described the nation’s “highly sophisticated” activities in cyberspace, born out of its “increasing ambitions to project its influence beyond its borders.” This includes a keen interest in the UK’s commercial secrets.
In addition to nation-state attacks, the NCSC noted that cyber crime is continuing to rise, with ransomware a continuing concern. Attacks are expected to grow in scale, with threat actors likely to increasingly target managed service providers (MSPs) to gain access to a wider range of targets. More generally, cyber capabilities will become more commoditised over the next few years, meaning they are increasingly available to a larger group of would-be attackers who are willing to pay.
https://www.infosecurity-magazine.com/news/ncsc-uk-cyber-threat-landscape/
We're Now Truly in The Era of Ransomware as Pure Extortion Without the Encryption
Increasingly cyber crime rings tracked as ransomware operators are turning toward primarily data theft and extortion – and skipping the encryption step altogether. Rather than scramble files and demand payment for the decryption keys, and all the faff in between in facilitating that, simply exfiltrating the data and demanding a fee to not leak it all is just as effective. This shift has been ongoing for many months, and is now virtually unavoidable.
The FBI and CISA this month warned about a lesser-known extortion gang called Karakurt, which demands ransoms as high as $13 million. Karakurt doesn't target any specific sectors or industries, and the gang's victims haven't had any of their documents encrypted and held to ransom. Instead, the crooks claim to have stolen data, with screenshots or copies of exfiltrated files as proof, and they threaten to sell it or leak it publicly if they don't receive a payment.
Some of these thieves offer discounted ransoms to corporations to encourage them to pay sooner, with the demanded payment getting larger the longer it takes to cough up the cash (or Bitcoin, as the case may be).
Additionally, some crime groups offer sliding-scale payment systems. So you pay for what you get, and depending on the amount of ransom paid you get a control panel, you get customer support, you get all of the tools you need."
https://www.theregister.com/2022/06/25/ransomware_gangs_extortion_feature/
5 Social Engineering Assumptions That Are Wrong
Social engineering is involved in the vast majority of cyber attacks, but a new report from Proofpoint has revealed five common social engineering assumptions that are not only wrong but are repeatedly subverted by malicious actors in their attacks.
Threat actors don’t have conversations with targets.
Legitimate services are safe from social engineering abuse.
Attackers only use computers, not telephones.
Replying to existing email conversations is safe.
Fraudsters only use business-related content as lures.
Commenting on the report’s findings, Sherrod DeGrippo, Proofpoint’s Vice-President Threat Research and Detection, stated that the vendor has attempted to debunk faulty assumptions made by organisations and security teams so they can better protect employees against cyber crime. “Despite defenders’ best efforts, cyber criminals continue to defraud, extort and ransom companies for billions of dollars annually. Security-focused decision makers have prioritised bolstering defences around physical and cloud-based infrastructure, which has led to human beings becoming the most relied upon entry point for compromise. As a result, a wide array of content and techniques continue to be developed to exploit human behaviours and interests.”
Indeed, cyber criminals will go to creative and occasionally unusual lengths to carry out social engineering campaigns, making it more difficult for users to avoid falling victim to them.
Gartner: Regulation, Human Costs Will Create Stormy Cyber Security Weather Ahead
Security teams should prepare for what researchers say will be a challenging environment through 2023, with increased pressure from government regulators, partners, and threat actors.
Gartner kicked off its Security & Risk Management Summit with the release of its analysts' assessments of the work ahead, which Richard Addiscott, the company's senior director analyst, discussed during his opening keynote address.
“We can’t fall into old habits and try to treat everything the same as we did in the past,” Addiscott said. “Most security and risk leaders now recognise that major disruption is only one crisis away. We can’t control it, but we can evolve our thinking, our philosophy, our program, and our architecture.”
Topping Gartner's list of eight predictions is a rise in the government regulation of consumer privacy rights and ransomware response, a widespread shift by enterprises to unify security platforms, more zero trust, and, troublingly, the prediction that by 2025 threat actors will likely have figured out how to "weaponise operational technology environments successfully to cause human casualties”, the cyber security report said.
Ransomware Attacks - This Is the Data That Cyber Criminals Really Want to Steal
There are certain types of data that criminals target the most, according to an analysis of attacks.
Data theft and extortion has become a common – and unfortunately effective – part of ransomware attacks, where in addition to encrypting data and demanding a ransom payment for the decryption key, gangs steal information and threaten to publish it if a payment isn't received.
These so-called double extortion attacks have become an effective tool in the arsenal of ransomware gangs, who leverage them to force victims to pay up, even in cases where data could be restored from offline backups, because the threat of sensitive information being published is too great.
Any stolen data is potentially useful to ransomware gangs, but according to analysis by researchers at cyber security company Rapid7, of 161 disclosed ransomware incidents where data was published, some data is seen as more valuable than others.
According to the report, financial services is the sector that is most likely to have customer data exposed, with 82% of incidents involving ransomware gangs accessing and making threats to release this data. Stealing and publishing sensitive customer information would undermine consumer trust in financial services organisations: while being hacked in the first place would be damaging enough, some business leaders might view paying a ransom to avoid further damage caused by data leaks to be worth it.
The second most-leaked type of file in ransomware attacks against financial services firms, featuring in 59% of disclosures from victims, is employee personally identifiable information (PII) and data related to human resources.
Cloud Email Threats Soar 101% in a Year
The number of email-borne cyber-threats blocked by Trend Micro surged by triple digits last year, highlighting the continued risk from conventional attack vectors.
The vendor stopped over 33.6 million such threats reaching customers via cloud-based email in 2021, a 101% increase. This included 16.5 million phishing emails, a 138% year-on-year increase, of which 6.5 million were credential phishing attempts.
Trend Micro also blocked 3.3 million malicious files in cloud-based emails, including a 134% increase in known threats and a 221% increase in unknown malware.
The news comes as Proofpoint warned in a new report of the continued dangers posed by social engineering, and the mistaken assumptions many users make.
Many users don’t realise that threat actors may spend considerable time and effort building a rapport over email with their victims, especially if they’re trying to conduct a business email compromise (BEC) attack, it said.
https://www.infosecurity-magazine.com/news/cloud-email-threats-soar-101-in-a/
80% of Firms Suffered Identity-Related Breaches in Last 12 Months
Rapidly growing employee identities, third-party partners, and machine nodes have companies scrambling to secure credential information, software secrets, and cloud identities, according to researchers.
In a survey of IT and identity professionals from Dimensional Research, almost every organisation — 98% — experienced rapid growth in the number of identities that have to be managed, with that growth driven by expanding cloud usage, more third-party partners, and machine identities. Furthermore, businesses are also seeing an increase in breaches because of this, with 84% of firms suffering an identity-related breach in the past 12 months, compared with 79% in a previous study covering two years.
The number and complexity of identities organisations are having to manage and secure is increasing. Whenever there is an increase in identities, there is a corresponding heightened risk of identity-related breaches due to them not being properly managed and secured, and with the attack surfaces also growing exponentially, these breaches can occur on multiple fronts.
For the most part, organisations focus on employee identities, which 70% consider to be the most likely to be breached and 58% believe to have the greatest impact, according to the 2022 "Trends in Securing Digital Identities" report based on the survey. Yet third-party partners and business customers are significant sources of risk as well, with 35% and 25% of respondents considering those to be a major source of breaches, respectively.
https://www.darkreading.com/operations/identity-related-breaches-last-12-months
After Being Breached Once, Many Companies Are Likely to Be Hit Again
Cymulate announced the results of a survey, revealing that two-thirds of companies who have been hit by cyber crime in the past year have been hit more than once, with almost 10% experiencing 10 or so more attacks a year.
Research taken from 858 security professionals surveyed across North America, EMEA, APAC and LATAM across a wide range of industries including technology, banking, finance and government, also highlighted larger companies hit by cyber crime are experiencing shorter disruption time and damage to business with 40% reported low damage compared with medium-size businesses (less than 2,500 employees) which had longer recovery times and more business affecting damage.
Other highlights
40% of respondents admitted to being breached over the past 12 months.
After being breached once, statistics showed they were more likely to be hit again than not (66%).
Malware (55%), and more specifically ransomware (40%) and DDoS (32%) were the main forms of cyber attacks experienced by those surveyed.
Attacks primarily occurred via end-user phishing (56%), via third parties connected to the enterprise (37%) or direct attacks on enterprise networks (34%).
22% of companies publicly disclosed cyber attacks in the worst-case breaches, with 35% needing to hire security consultants, 12% dismissing their current security professionals and 12% hiring public relations consultants to deal with the repercussions to their reputations. Top three best practices for cyber attack prevention, mitigation and remediation include multi-factor authentication (67%), proactive corporate phishing and awareness campaigns (53%), and well-planned and practiced incident response plans (44%). Least privilege also ranked highly, at 43%.
29% of attacks come from insider threats – intentionally or unintentionally.
Leadership and cyber security teams who meet regularly to discuss risk reduction are more cyber security-ready – those who met 15 times a year incurred zero breaches whereas those who suffered six or more breaches met under nine times on average.
https://www.helpnetsecurity.com/2022/06/21/companies-hit-by-cybercrime/
Do You Have Ransomware Insurance? Look at the Fine Print
Insurance exists to protect the insured party against catastrophe, but the insurer needs protection so that its policies are not abused – and that's where the fine print comes in. However, in the case of ransomware insurance, the fine print is becoming contentious and arguably undermining the usefulness of ransomware insurance.
In recent years, ransomware insurance has grown as a product field because organisations are trying to buy protection against the catastrophic effects of a successful ransomware attack. Why try to buy insurance? Well, a single, successful attack can just about wipe out a large organisation, or lead to crippling costs – NotPetya alone led to a total of $10bn in damages.
Ransomware attacks are notoriously difficult to protect against completely. Like any other potentially catastrophic event, insurers stepped in to offer an insurance product. In exchange for a premium, insurers promise to cover many of the damages resulting from a ransomware attack.
Depending on the policy, a ransomware policy could cover loss of income if the attack disrupts operations, or loss of valuable data, if data is erased due to the ransomware event. A policy may also cover you for extortion – in others, it will refund the ransom demanded by the criminal.
The exact payout and terms will of course be defined in the policy document, also called the "fine print." Critically, fine print also contains exclusions, in other words circumstances under which the policy won't pay out. And therein lies the problem.
https://thehackernews.com/2022/06/do-you-have-ransomware-insurance-look.html
The Price of Stolen Info: Everything on Sale on The Dark Web
What is the price for personal information, including credit cards and bank accounts, on the dark web?
Privacy Affairs researchers concluded that criminals using the dark web need only spend $1,115 for a complete set of a person’s account details, enabling them to create fake IDs and forge private documents, such as passports and driver’s licenses.
Access to other information is becoming even cheaper. The Dark Web Price Index 2022 – based on data scanning dark web marketplaces, forums, and websites, revealed:
Credit card details and associated information cost between $17-$120
Online banking login information costs $45
Hacked Facebook accounts cost $45
Cloned VISA with PIN cost $20
Stolen PayPal account details, with minimum $1000 balances, cost $20.
In December 2021, about 4.5 million credit cards went up for sale on the dark web, the study found. The average price ranged from $1-$20.
Scammers can buy full credit card details, including CVV number, card number, associated dates, and even the email, physical address and phone number. This enables them to penetrate the credit card processing chain, overriding any security countermeasures.
https://www.helpnetsecurity.com/2022/06/22/stolen-info-sale-dark-web/
How Companies Are Prioritising Infosec and Compliance
New research conducted by Enterprise Management Associates (EMA), examines the impact of the compliance budget on security strategy and priorities. It describes areas for which companies prioritise information security and compliance, which leaders control information security spending, how compliance has shifted the overall security strategy of the organisation, and the solutions and tools on which organisations are focusing their technology spending.
The findings cover three critical areas of an organisation’s security and compliance posture: information security and IT audit and compliance, data security and data privacy, and security and compliance spending.
One key takeaway is that merging security and compliance priorities addresses regulatory control gaps while improving the organisation’s security posture. Respondents revealed insights on how they handle compliance, who is responsible for compliance and security responsibilities, and what compliance-related security challenges organisations face.
Additional findings:
Companies found the need to shift their information security strategy to address compliance priorities (93%).
Information security and IT compliance priorities are generally aligned (89%).
Existing security tools have to address data privacy considerations going forward (76%).
Managing an organisation’s multiple IT environments and the controls that govern those environments is the greatest challenge in the IT audit and compliance space (39%).
https://www.helpnetsecurity.com/2022/06/24/companies-infosec-compliance-priorities/
Businesses Risk ‘Catastrophic Financial Loss’ from Cyber Attacks, US Watchdog Warns
A US Government watchdog has warned that private insurance companies are increasingly backing out of covering damages from major cyber attacks — leaving businesses facing “catastrophic financial loss” unless another insurance model can be found.
The growing challenge of covering cyber risk is outlined in a new report from the Government Accountability Office (GAO), which calls for a government assessment of whether a federal cyber insurance option is needed.
The report draws on threat assessments from the National Security Agency (NSA), Office of the Director of National Intelligence (ODNI), Cybersecurity and Infrastructure Security Agency (CISA), and Department of Justice, to quantify the risk of cyber attacks on critical infrastructure, identifying vulnerable technologies that might be attacked and a range of threat actors capable of exploiting them.
Citing an annual threat assessment released by the ODNI, the report finds that hacking groups linked to Russia, China, Iran, and North Korea pose the greatest threat to US infrastructure — along with certain non-state actors like organised cyber criminal gangs.
Given the wide and increasingly skilled range of actors willing to target US entities, the number of cyber incidents is rising at an alarming rate.
Threats
Ransomware
Attackers exploited a Mitel VOIP zero-day to compromise a network Security Affairs
Chinese hackers use ransomware as decoy for cyber espionage (bleepingcomputer.com)
If you don't store valuable data, ransomware is impotent • The Register
Ransomware-as-a-Service: Learn to Enhance Cyber security Approaches (analyticsinsight.net)
Mitigate Ransomware in a Remote-First World (thehackernews.com)
Delivery Firm Yodel Scrambling to Restore Operations Following Cyber attack | SecurityWeek.Com
Black Basta Ransomware Becomes Major Threat in Two Months | SecurityWeek.Com
These hackers are spreading ransomware as a distraction - to hide their cyber spying | ZDNet
Conti ransomware hacking spree breaches over 40 orgs in a month (bleepingcomputer.com)
Conti effectively created an extortion-oriented IT company, says Group-IB - Help Net Security
Conti ransomware finally shuts down data leak, negotiation sites (bleepingcomputer.com)
Conti ransomware group's pulse stops, but did it fake its own death? | Malwarebytes Labs
Without Conti on the Scene, LockBit 2.0 Leads Ransomware Attacks (darkreading.com)
Cyber attack: Gloucester council services still not back to normal - BBC News
Phishing & Email Based Attacks
Your email is a major source of security risks and it's getting worse | ZDNet
New Phishing Attack Infects Devices with Cobalt Strike- IT Security Guru
Voicemail phishing emails steal Microsoft credentials • The Register
The Risk of Multichannel Phishing Is on the Horizon (darkreading.com)
Cops arrests nine suspected of stealing millions via email • The Register
Cyber criminals Use Azure Front Door in Phishing Attacks - Security Affairs
Microsoft Exchange servers hacked by new ToddyCat APT gang (bleepingcomputer.com)
Cyber attackers Abuse QuickBooks Cloud Service in 'Double-Spear' Campaign (darkreading.com)
Other Social Engineering
Proofpoint: Social engineering attacks slipping past users (techtarget.com)
Inside a large-scale phishing campaign targeting millions of Facebook users - Help Net Security
Malware
RIG Exploit Kit Now Infects Victims' PCs With Dridex Instead of Raccoon Stealer (thehackernews.com)
Organisations Battling Phishing Malware, Viruses the Most (darkreading.com)
This Linux botnet has found a novel way of spreading to new devices | ZDNet
New 'Quantum' Builder Lets Attackers Easily Create Malicious Windows Shortcuts (thehackernews.com)
NSA warns against silly mistake in the fight against Windows malware | TechRadar
Mobile
This Android malware is so dangerous, even Google is worried | TechRadar
Google is notifying Android users targeted by Hermit government-grade spyware | TechCrunch
This phone-wiping Android banking trojan is getting nastier | ZDNet
BRATA Android Malware Group Now Classified As Advanced Persistent Threat - Infosecurity Magazine
Spurred by Roe overturn, senators seek FTC probe of iOS and Android tracking | Ars Technica
Internet of Things – IoT
Data Breaches/Leaks
US Bank Data Breach Impacts Over 1.5 Million Customers - Infosecurity Magazine
CafePress fined $500,000 for breach affecting 23 million users (bleepingcomputer.com)
Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain
Hackers steal $100 million from California cryptocurrency firm - CNN
DARPA study finds blockchain not as decentralised as assumed • The Register
Insider Risk and Insider Threats
Fraud, Scams & Financial Crime
Supply Chain and Third Parties
Cloud/SaaS
Microsoft 365 Users in US Face Raging Spate of Attacks (darkreading.com)
Getting a Better Handle on Identity Management in the Cloud (darkreading.com)
Researchers Uncover Ways to Break the Encryption of 'MEGA' Cloud Storage Service (thehackernews.com)
Identity and Access Management
Risky behaviour reduced when executives put focus on identity security - Help Net Security
Access management issues may create security holes (techtarget.com)
IAM Research: Inadequate Programs Leave Organisations Open to Cyber Attacks - MSSP Alert
Why 84% Of US Firms Hit With Identity-Related Breaches In 2021 – Information Security Buzz
Open Source
Open-source software risks persist, according to new reports | CSO Online
Less Than Half of Organisations Have Open Source Security Policy - Infosecurity Magazine
Blind trust in open source security is hurting us: Report | ZDNet
Training, Education and Awareness
Privacy
Privacy-focused Brave Search grew by 5,000% in a year (bleepingcomputer.com)
Supreme Court's Roe v. Wade reversal sparks calls for strengthening privacy - CyberScoop
Regulations, Fines and Legislation
Do Privacy and Data Protection Regulations Create as Many Problems as They Solve? | SecurityWeek.Com
Law Enforcement Action and Take Downs
Phishing gang behind millions in losses dismantled by police (bleepingcomputer.com)
Euro Police Target Crime Groups Grooming Ukrainian Refugees Online - Infosecurity Magazine
Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine
Microsoft: Russian Cyber Spying Targets 42 Ukraine Allies | SecurityWeek.Com
Italian spyware firm is hacking into iOS and Android devices, Google says | Computerworld
NSO claims 'more than 5' EU states used its Pegasus spyware • The Register
#InfosecurityEurope2022: Geopolitical Tensions a “Danger” to Cyber security - Infosecurity Magazine
Examples of Cyber Warfare #TrendTalksBizSec (trendmicro.com)
Ukraine deploys a DDoS protection service to survive the cyberwar | VentureBeat
Lithuania warns of rise in DDoS attacks against government sites (bleepingcomputer.com)
Russia's APT28 Launches Nuke-Themed Follina Exploit Campaign (darkreading.com)
Ukrainian cyber security officials disclose two new hacking campaigns - IT Security Guru
Scalper bots out of control in Israel, selling state appointments (bleepingcomputer.com)
Research questions potentially dangerous implications of Ukraine's IT Army - CyberScoop
Lithuania under cyber-attack after ban on Russian railway goodsSecurity Affairs
Nation State Actors
Nation State Actors – Russia
Russia Steps Up Cyber-Espionage Against Ukraine Allies - Infosecurity Magazine
Fancy Bear Uses Nuke Threat Lure to Exploit 1-Click Bug | Threatpost
Russian APT28 hacker accused of the NATO think tank hack in Germany - Security Affairs
Russia fines Google for spreading ‘unreliable’ info defaming its army (bleepingcomputer.com)
Nation State Actors – China
Chinese APT 'Bronze Starlight' Uses Ransomware to Disguise Cyberespionage | SecurityWeek.Com
Chinese Tropic Trooper APT spreads a hacking tool laced with a backdoor - Security Affairs
Chinese hackers target script kiddies with info-stealer trojan (bleepingcomputer.com)
Nation State Actors – Iran
Nation State Actors – Misc APT
Vulnerability Management
Vulnerabilities
Cisco warns of security holes in its security appliances • The Register
Google Patches 14 Vulnerabilities With Release of Chrome 103 | SecurityWeek.Com
Cisco will not address critical RCE in end-of-life Small Business RV routers - Security Affairs
Google expert detailed a 5-Year-Old flaw in Apple Safari exploited in the wild - Security Affairs
Oracle spent 6 months to fix 'Mega' flaws in the Fusion Middleware - Security Affairs
Researchers criticize Oracle's vulnerability disclosure process (techtarget.com)
Critical PHP Vulnerability Exposes QNAP NAS Devices to Remote Attacks (thehackernews.com)
Sector Specific
Financial Services Sector
Flagstar Bank discloses data breach impacting 1.5 million customers (bleepingcomputer.com)
7 Cyber security Best Practices for Financial Services Firms - MSSP Alert
Why Financial Institutions Must Double Down on Open Source Investments (darkreading.com)
SMBs – Small and Medium Businesses
How tool sprawl is becoming a common issue for SMEs - Help Net Security
Middle market companies under attack: Threats coming from all directions - Help Net Security
#InfosecurityEurope2022: How Should SMEs Defend Against Cyber-Risks? - Infosecurity Magazine
Legal
Health/Medical/Pharma Sector
Retail/eCommerce
Magecart attacks are still around. And they are becoming more stealthy | ZDNet
Newly Discovered Magecart Infrastructure Reveals the Scale of Ongoing Campaign- IT Security Guru
Manufacturing
CNI, OT, ICS, IIoT and SCADA
Reports Published in the Last Week
Other News
Threat Intelligence Services Are Universally Valued by IT Staff (darkreading.com)
Security pros increasingly plan to adopt MDR services in the next 12 months - Help Net Security
Board members and the C-suite need secure communication tools - Help Net Security
Adobe Acrobat may block antivirus tools from monitoring PDF files (bleepingcomputer.com)
7 Ways to Avoid Worst-Case Cyber Scenarios (darkreading.com)
3 threats dirty data poses to the enterprise (techtarget.com)
Data recovery depends on how good your backup strategy is - Help Net Security
Unsecured APIs Could Be Costing Firms $75bn Per Year - Infosecurity Magazine
The Rise, Fall, and Rebirth of the Presumption of Compromise (darkreading.com)
#InfosecurityEurope2022: Are You Prepared For The Next Big Crisis? - Infosecurity Magazine
Ongoing PowerShell security threats prompt a call to action (techtarget.com)
Despite known security issues, VPN usage continues to thrive - Help Net Security
Space-based assets aren’t immune to cyber attacks | CSO Online
Cyber security expert on how $13K of fuel was stolen from station (wtvr.com)
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Threat Briefing 10 June 2022
Black Arrow Cyber Threat Briefing 10 June 2022
-Business Email Compromise (BEC) Attacks Have Risen 53% Year-Over-Year
-Ransomware Attacks Setting New Records
-Hackers Are Now Hiding Inside Networks for Longer. That's Not a Good Sign
-Paying Ransomware Paints Bigger Bullseye on Target’s Back
-Organisations Fix Only 1 in 10 Vulnerabilities Monthly
-Cyber Attack Surface "Spiralling Out of Control"
-Phishing Hits All-Time High in Q1 2022
-Ransomware's ROI Retreat Will Drive More BEC Attacks
-The Real Cost of Cyber Attacks: What Organisations Should Be Prepared For
-Why Smishing and Vishing Attempts Surged In 2021?
-Know Your Enemy! Learn How Cyber Crime Adversaries Get In…
-Small Businesses Struggle with an Increase in Cyber Attacks
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
Business Email Compromise (BEC) Attacks Have Risen 53% Year-Over-Year
Armorblox released a report which highlights the use of language-based attacks that bypass existing email security controls. The report uncovers how the continued increase in remote working has made critical business workflows even more vulnerable to new forms of email-based attacks, often resulting in financial fraud or credential theft.
Language-based attacks have become the new normal for business email compromise (BEC) with 74% of these attacks using language as the main attack vector.
Security teams spend a massive amount of time configuring rules and exceptions in their email security solutions to block impersonation emails – both for executives and other employees. Despite all of that manual work and rule writing, 70% of impersonation emails evaded email security controls.
https://www.helpnetsecurity.com/2022/06/06/language-based-attacks-email-video/
Ransomware Attacks Setting New Records
Zscaler released the findings of its annual ThreatLabz Ransomware Report, which revealed an 80 percent increase in ransomware attacks year-over-year.
In 2022, the most prevalent ransomware trends include double-extortion, supply chain attacks, ransomware-as-a-service, ransomware rebranding, and geo-political incited ransomware attacks. The report details which industries are being targeted the most by cyber criminals, explains the damage caused by double-extortion and supply chain attacks, and catalogues the most active ransomware groups operating today.
Modern ransomware attacks require a single successful asset compromise to gain initial entry, move laterally, and breach the entire environment, making legacy VPN and flat networks extremely vulnerable. Attackers are finding success exploiting weaknesses across businesses’ supply chains as well as critical vulnerabilities like Log4Shell, PrintNightmare, and others. And with ransomware-as-a-service available on the darkweb, more and more criminals are turning to ransomware, realising that the odds of receiving a big payday are high.
The tactics and scope of ransomware attacks have been steadily evolving, but the end goal continues to be a disruption of the target organisation and theft of sensitive information for the purposes of ransom. The size of the ransom often depends on the number of systems infected and the value of the data stolen: the higher the stakes, the higher the payment. In 2019, many ransomware groups updated their tactics to include data exfiltration, commonly referred to as a ‘double extortion’ ransomware.
https://www.helpnetsecurity.com/2022/06/07/ransomware-attacks-increase/
Hackers Are Now Hiding Inside Networks for Longer. That's Not a Good Sign
Cyber criminals are spending more time inside networks before they're discovered, and that's allowing them to do more damage.
The amount of time cyber criminal intruders are spending inside victims' networks is increasing, providing them with the ability to carry out higher complexity campaigns and more damaging cyber attacks.
According to analysis by cyber security researchers at Sophos, who examined incidents targeting organisations around the world and across a wide range of industry sectors, the median dwell time that cyber criminals spend inside compromised networks is now 15 days, up from 11 days the previous year.
Dwell time is the amount of time hackers are inside the network before they're discovered or before they leave – and being able to spend an increased amount of time inside a compromised network undetected means they're able to more carefully conduct malicious activity, such as monitoring users, stealing data or laying the foundations for a malware or ransomware attack.
Paying Ransomware Paints Bigger Bullseye on Target’s Back
Ransomware attackers often strike targets twice, regardless of whether the ransom was paid.
Paying ransomware attackers doesn’t pay off and often paints a bigger target on a victim’s back. Eighty percent of ransomware victims that paid their attackers were hit a second time by the malware scourge.
New ransomware numbers come from a Cybereason’s April ransomware survey of 1,456 cyber security professionals. According to the gated report (registration required), victims that were successfully extorted were not only targeted a second time, but frequently data encrypted by criminals later became unusable during the decryption process because of corruption issues.
The fact that ransomware gangs strike so quickly a second and third time isn’t surprising, because they will try to profit in any possible way so why not hit the same company, demand a higher ransom, and get paid again?
https://threatpost.com/paying-ransomware-bullseye-back/179915/
Organisations Fix Only 1 in 10 Vulnerabilities Monthly
New research from SecurityScorecard features a couple of eye-popping “only” findings: Only 10 percent of vulnerabilities are remediated each month, and only 60 percent of companies have improved their security profile despite a 15-fold increase in the number of cyber incidents in the last three years.
That’s not good. The research, which sought to measure how long it took the 1.6 million organisations assessed to remediate vulnerabilities in the three-year period from 2019 to 2022, also found the following:
· 53% had at least one exposed vulnerability to the internet, while 22% of organisations amassed more than 1,000 vulnerabilities each, confirming more progress is required to protect organisations’ critical assets.
· The financial sector is among the slowest remediation rates (median to fix 50% = 426 days), while utilities ranked among the fastest (median = 270 days).
· Despite a 15-fold increase in exploitation activity for vulnerabilities with published exploit code, there was little evidence that organisations in the financial sector fixed exploited flaws faster.
· The IT sector (62.6%) and public sector (61.6%) had the highest prevalence of open vulnerabilities.
· The financial sector (48.6%) exhibited the lowest proportion of open vulnerabilities; however, there is less than a 10% difference between this and other sectors in terms of industries with the most open vulnerabilities.
· It typically takes organisations 12 months to remediate half of the vulnerabilities in their internet-facing infrastructure.
· When firms have fewer than 10 open vulnerabilities, it can take about a month to close just half of them, but when the list grows into the hundreds, it takes up to a year to reach the halfway point.
Cyber Attack Surface "Spiralling Out of Control"
Global organisations are still beset with cyber visibility and control challenges, with two-fifths (43%) admitting their digital attack surface is out of control as a result, according to new Trend Micro research.
The security vendor polled over 6200 IT and business decision-makers to compile its new study, ‘Mapping the digital attack surface: Why global organisations are struggling to manage cyber risk’.
It revealed that nearly three-quarters (73%) are concerned about the increasing size of their attack surface. Over a third (37%) said it is “constantly evolving and messy,” and just half (51%) thought they were able to fully define its extent.
These visibility challenges are greatest in cloud environments, although problems persist across the board. The report highlights complex supply chains, tool bloat and home working-driven shadow IT as additional contributory factors.
On average, respondents estimated having just 62% visibility of their attack surface.
https://www.infosecurity-magazine.com/news/cyberattack-surface-out-of-control/
Phishing Hits All-Time High in Q1 2022
The first quarter of 2022 saw phishing attacks hit a record high, topping one million for the first time, according to data from the Anti Phishing Working Group (APWG).
The industry, law enforcement and government coalition’s new Phishing Activity Trends Report also revealed that March was the worst month on record for phishing, with 384,291 attacks detected.
The financial sector was the worst hit, accounting for 24% of all detected attacks, although webmail and SaaS providers were also popular targets.
Attacks spoofing retailers dropped 17% from the previous quarter to 15% following the busy holiday shopping season, while those against social media services rose significantly, from nearly 9% percent of all attacks to 13% over the same period.
https://www.infosecurity-magazine.com/news/phishing-hits-all-time-high-q1/
Ransomware's ROI Retreat Will Drive More BEC Attacks
Law enforcement crackdowns, tighter cryptocurrency regulations, and ransomware-as-a-service (RaaS) operator shutdowns are driving down the return on investment for ransomware operations across the globe.
A presentation at the RSA Conference last week laid out analysis of the ransomware threat landscape, predicting that there will be a pivot from ransomware toward renewed interest in basic business email compromise (BEC) attacks in the next 6 to 12 months.
Ransomware attacks grab headlines and have been supercharged by a few prolific RaaS operators, but crackdowns on just one group can make an enormous dent.
Ransomware is a centralised ecosystem with small numbers of operators responsible for the majority of attacks.
The recent disappearance of Pysa, left just two groups, Conti and Lockbit, with more than 50% of the share of the total ransomware attacks in the first half of 2022. BEC groups, on the other hand, are diffuse and scattered, making them much harder to eradicate.
Although they're not as quick to make the headlines, BEC attacks have cost business more than $43 billion since 2016, according to the FBI, and make up $1 out of every $3 lost to cyber attacks, far outpacing ransomware losses.
Ransomware has had a moment over the past couple of years, in part because once threat actors were able to abandon arcane wire transfers to collect ransoms and rely on cryptocurrency, caps on transactions were lifted and it became simple to collect much larger amounts. But new crypto regulations are chilling the ability of these cyber criminals to rely on its infrastructure to do business, adding "friction" to the transactions.
BEC attacks, by comparison, rely on social engineering to corrupt a business's financial supply chain to get employees to willingly part with the cash, making them exponentially harder to track and stop.
The Real Cost of Cyber Attacks: What Organisations Should Be Prepared For
With each passing year, hackers and cyber criminals of all kinds are becoming more sophisticated, malicious, and greedy conducting brazen and often destructive cyber-attacks that can severely disrupt a company’s business operations. And this is a big problem, because, first and foremost, customers rely on a company’s ability to deliver services or products in a timely manner. Cyber attacks not only can affect customers’ data, but they can impact service delivery.
Data breaches and costs associated with them have been on the rise for the past few years, but, according to a 2021 report, the average cost per breach increased from $3.86 million in 2020 to $4.24 million in 2021. The report also identified four categories contributing most global data breach costs – Lost business cost (38%), Detection and escalation (29%), Post breach response (27%), and Notification (6%).
Ransomware attacks cost an average of $4.62 million (the cost of a ransom is not included), and destructive wiper-style attacks cost an average of $4.69 million, the report said.
For a business, a data breach is not just a loss of data, it can also have a long-lasting impact on operations and undermine customers’ trust in the company. In fact, a survey revealed that 87% of consumers are willing to take their business elsewhere if they don’t trust a company is handling their data responsibly. Therefore, the reputational damage might be detrimental to a business’ ability to attract new customers.
Why Smishing and Vishing Attempts Surged In 2021
In The Human Factor Report 2022, security vendor Proofpoint found that SMS phishing (smishing) attacks more than doubled year-on-year in 2021. The report is based on their analysis of over 2.6 billion email messages, 49 billion URLs, 1.9 billion attachments, 28 million cloud accounts and 1.7 billion mobile messages.
The study details the most common attack surfaces and methods including categories of risk, vulnerabilities, attacks, Russian Aligned APT’s, and Privilege as a vector.
Key Findings:
Managers and executives make up only 10% of users, but almost 50% of the most severe attack risk
Attackers attempt to initiate more than 100,000 telephone-oriented attacks every day.
Malicious URLS are 3-4x more common than malicious attachments.
Smishing attempts more than doubled in the US over the year, while in the UK over 50% of lures are themed around delivery notification.
More than 20 million messages attempted to deliver malware linked to eventual ransomware attack
Data loss prevention alerts have stabilised as businesses adopt permanent hybrid work models.
80% of businesses are attacked by a compromised supplier account in any given month.
35% of cloud tenants that received a suspicious login also saw suspicious post-access activity.
Know Your Enemy! Learn How Cyber Crime Adversaries Get In…
Cyber security vendor Sophos dug into the incident reports of 144 real-life cyber attacks investigated by its Rapid Response team during 2021.
What they found might not surprise you, but it’s vital information nevertheless, because it’s what really happened, not merely what might have.
Notably:
Unpatched vulnerabilities were the entry point for close to 50% of the attackers.
Attackers stuck around for more than a month on average when ransomware wasn’t their primary goal.
Attackers were known to have stolen data in about 40% of incidents. (Not all data thefts can be proved, of course, given that there isn’t a gaping hole where your copy of the data used to be, so the true number could be much higher.)
RDP was abused to circumnavigate the network by more than 80% of attackers once they’d broken in.
Intriguingly, if perhaps unsurprisingly, the smaller the organisation, the longer the crooks had generally been in the network before anyone noticed and decided it was time to kick them out.
In businesses with 250 staff and below, the crooks stuck around (in the jargon, this is known by the quaintly archaic automotive metaphor of dwell time) for more than seven weeks on average.
This compared with an average dwell time of just under three weeks for organisations with more than 3000 employees.
As you can imagine, however, ransomware criminals typically stayed hidden for much shorter periods (just under two weeks, instead of just over a month), not least because ransomware attacks are inherently self-limiting.
After all, once ransomware crooks have scrambled all your data, they’re out of hiding and straight into their in-your-face blackmail phase.
https://nakedsecurity.sophos.com/2022/06/07/know-your-enemy-learn-how-cybercrime-adversaries-get-in/
Small Businesses Struggle with an Increase in Cyber Attacks
Part of the problem: They don’t believe they are targets, so they don’t make security a priority. Cyber attacks are becoming more common for small businesses, and many aren’t prepared to deal with an attack.
As small businesses have accelerated their adoption of new technologies for remote work, communication, production and sales during the pandemic, their expanded computer networks have created new vulnerabilities to phishing and ransomware attacks. But many small businesses still don’t expect to be targeted by hackers, so preparing for a cyber attack is well down their list of priorities.
https://www.wsj.com/articles/small-business-cyberattacks-increase-11654540786
Threats
Ransomware
Ransomware attacks have increased by 80% year-over-year - Help Net Security
How the Russia-Ukraine war makes ransomware payments harder | CSO Online
How Poor Communication Opens the Door to Ransomware and Extortion (darkreading.com)
Cuba ransomware returns to extorting victims with updated encryptor (bleepingcomputer.com)
Vice Society gang adds the Italian City of Palermo to its data leak site - Security Affairs
Qbot - known channel for ransomware - delivered via phishing and Follina exploit - Help Net Security
Black Basta Ransomware Targets ESXi Servers in Active Campaign (darkreading.com)
Mandiant: Cyber extortion schemes increasing pressure to pay (techtarget.com)
Roblox Game Pass store used to sell ransomware decryptor (bleepingcomputer.com)
Costa Rican government held up by ransomware … again • The Register
BEEF ALERT: Ransomware Group Very Mad at Being Associated with Lavish Russian Hackers (vice.com)
Ransomware Pressure Forcing UK CISOs to Consider Quitting - Infosecurity Magazine
BEC – Business Email Compromise
Phishing & Email Based Attacks
Evasive phishing mixes reverse tunnels and URL shortening services (bleepingcomputer.com)
Proofpoint: We Block Up to Two Million Extortion Emails Daily - Infosecurity Magazine
Massive Facebook Messenger phishing operation generates millions (bleepingcomputer.com)
Facebook phishing campaign nets millions in IDs and cash • The Register
Other Social Engineering
Malware
Symantec sees more malware operators exploiting Follina • The Register
Potent Emotet Variant Spreads Via Stolen Email Credentials | Threatpost
Symbiote Malware Poses Stealthy, Linux-Based Threat to Financial Industry (darkreading.com)
This advanced new malware strain leaves you practically defenceless | TechRadar
MacOS malware attacks slipping through the cracks (techtarget.com)
11 infamous malware attacks: The first and the worst | CSO Online
9 types of computer virus and how they do their dirty work | CSO Online
Mobile
IoT
New Privacy Framework for IoT Devices Gives Users Control Over Data Sharing (thehackernews.com)
How to Compromise a Printer in Three Simple Steps | CrowdStrike
Data Breaches/Leaks
Organised Crime & Criminal Actors
Cryptocurrency/Cryptomining/Cryptojacking/NFTs
Researchers Detail How Cyber Criminals Targeting Cryptocurrency Users (thehackernews.com)
7 NFT Scams That Could Be Targeting Your Brand (darkreading.com)
Hackers stole +$250,000 in Ethereum from Bored Ape Yacht ClubSecurity Affairs
Fraud, Scams & Financial Crime
Pandemic-related identity fraud: How serious is it? - Help Net Security
Apple Release 2021 Fraud Prevention Analysis- IT Security Guru
AML/CFT/Sanctions
Insurance
Dark Web
Software Supply Chain
82% of CIOs believe their software supply chains are vulnerable - Help Net Security
Boards, CEOs demand software supply chain security improvements - Help Net Security
Denial of Service DoS/DDoS
Cloud/SaaS
Cloud Security Tops Ransomware As Primary RSA Conference Attendee Concern - MSSP Alert
Only 13.5% of IT pros have mastered security in the cloud native space - Help Net Security
OMIGOD: Cloud providers still using secret middleware • The Register
Attack Surface Management
Open Source
Privacy
Researchers Find Bluetooth Signals Can be Fingerprinted to Track Smartphones (thehackernews.com)
New Privacy Framework for IoT Devices Gives Users Control Over Data Sharing (thehackernews.com)
Parental Controls and Child Safety
Law Enforcement Action and Take Downs
Spyware, Espionage & Cyber Warfare, including Russian Invasion of Ukraine
“Cyber Spetsnaz” is Attacking Government Agencies - Security Affairs
Russian Ministry Website Reportedly Hacked- IT Security Guru
Ordinary Ukrainians wage war with digital tools and drones | Financial Times (ft.com)
Ukraine's secret cyber-defence: Excellent backups • The Register
Major DDoS attacks increasing after invasion of Ukraine (techtarget.com)
Nation State Actors
Nation State Actors – Russia
Russia escalates threats against West in response to cyber attacks - CyberScoop
Russia, China, oppose US cyber support of Ukraine • The Register
Nation State Actors – China
Russia, China, oppose US cyber support of Ukraine • The Register
Chinese hacking group Aoqin Dragon quietly spied orgs for a decade (bleepingcomputer.com)
People’s Republic of China State-Sponsored Cyber Actors Exploit Network Providers and Devices | CISA
US: Chinese govt hackers breached telcos to snoop on network traffic (bleepingcomputer.com)
Nation State Actors – Iran
Microsoft seized 41 domains used by Iran-linked Bohrium APT - Security Affairs
Iranian hackers target energy sector with new DNS backdoor (bleepingcomputer.com)
Nation State Actors – Misc APT
Vulnerability Management
Vulnerabilities
Windows zero-day exploited in US local govt phishing attacks (bleepingcomputer.com)
DogWalk zero-day Windows bug receives patch - but not from Microsoft (bitdefender.com)
Chrome 102 Update Patches High-Severity Vulnerabilities | SecurityWeek.Com
NSA, FBI warning: Hackers are using these flaws to target VPNs and network devices | ZDNet
Ubuntu Users Get a Massive Linux Kernel Update, 35 Security Vulnerabilities Patched - 9to5Linux
Critical U-Boot Vulnerability Allows Rooting of Embedded Systems | SecurityWeek.Com
Sector Specific
Financial Services Sector
Telecoms
US: Chinese govt hackers breached telcos to snoop on network traffic (bleepingcomputer.com)
People’s Republic of China State-Sponsored Cyber Actors Exploit Network Providers and Devices | CISA
Health/Medical/Pharma Sector
Healthcare-specific cyber security problems and how to address them - Help Net Security
Data for 2 million patients stolen in largest healthcare breach so far of 2022 (scmagazine.com)
Retail/eCommerce
Energy & Utilities
Iranian hackers target energy sector with new DNS backdoor (bleepingcomputer.com)
US Water Utilities Prime Cyber Attack Target, Experts | Threatpost
Education and Academia
Reports Published in the Last Week
Other News
This hacking group quietly spied on their targets for 10 years | ZDNet
Identity-based Attacks and Living-of-the-land Tactics Represent Top Threats - MSSP Alert
Over Half of CISOs Struggling for Board Investment - Infosecurity Magazine
Cisco EVP: Cyber security poverty line is human-rights issue • The Register
Top three most critical areas of web security - Help Net Security
How the Colonial Pipeline attack has changed cyber security | CSO Online
Five Eyes alliance’s top cop: tech is the future of Policing • The Register
An Emerging Threat: Attacking 5G Via Network Slices (darkreading.com)
How AI Is Useful — and Not Useful — for Cyber security (darkreading.com)
Only 43% of security pros can respond to critical alerts in less than an hour - Help Net Security
Now Is the Time to Plan for Post-Quantum Cryptography (darkreading.com)
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.