Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

• Turbulent Cyber Insurance Market Sees Rising Prices And Sinking Coverage

As insurers and brokers reckon with unexpected losses, they're charging more for policies and setting higher requirements.

Chaos reigns in the cyber insurance market. Brokers and cyber insurance carriers — the companies that actually offer the policies — are tightening requirements on what applicants need to do to obtain policies due to losses the insurers have suffered from ransomware coverage. During the past year, premiums grew 18% in the first quarter of 2021 and were up 34% in the fourth quarter of 2021, according to Jess Burn, senior analyst at Forrester.

Organisations often find they cannot obtain cyber insurance, are not being renewed for coverage they already have, or are faced with soaring prices and shrinking coverage. Despite the value many organisations put on cyber insurance — in some cases, they're required to carry it to comply with regulations — obtaining such policies is getting more difficult.

While raising premiums, some insurers are reducing coverage. If an organisation bought $10 million worth of coverage for a given price in 2021, for example, renewing that policy in 2022 might see the coverage amount fall to $3 million and the premiums for that lower coverage rise. This phenomenon is due, in part, to insurers trying to strike the right balance of customers' risk profile versus their risk-mitigation efforts.

https://www.darkreading.com/edge-articles/turbulent-cyber-insurance-market-sees-rising-prices-and-sinking-coverage

• Ransomware Attacks Still The #1 Threat To Businesses And Organisations

In 2021, ransomware attacks continued to be one of the most prominent threats targeting businesses and organisations worldwide.

High-profile attacks disrupted operations of companies in various sectors.

For example, the Colonial Pipeline attack interrupted critical infrastructure, the JBS Foods attack influenced food processing, and the CNA breach disrupted the insurance industry.

Following the attacks, pressure of law enforcement on ransomware gangs intensified, though simultaneously these threat actors continued to evolve.

They are not only becoming more technologically sophisticated but are also extensively leveraging the growing cyber crime ecosystem looking to find new partners, services and tools for their operations.

https://www.helpnetsecurity.com/2022/05/30/ransomware-trends-video/

• Third Of UK Firms Have Experienced A Security Breach Since 2020

Cyber threats are behind soaring fraud and economic crime in the UK, where rates are now second only globally to South Africa, according to PwC.

The consulting giant’s latest Global Economic Crime Survey revealed that nearly two-thirds (64%) of UK businesses experienced fraud, corruption or other economic/financial crime during the past 24 months, a significant increase on the 56% recorded in 2020, and 50% in 2018.

It’s also much higher than the 2022 global average of 46%, PwC said.

Cyber crime was the most commonly reported fraud type, although figures here dropped from 42% in 2020 to 32% in 2022. Included for the first time in the report, supply chain incidents accounted for 19%.

Most (51%) reported fraud cases in the UK were traced back to external parties, versus just 43% globally. The top three culprits were cited as customers, hackers and vendors/suppliers.

https://www.infosecurity-magazine.com/news/third-uk-security-breach-2020/

• There Is No Good Digital Transformation Without Cyber Security

Network engineers and CIOs agree that cyber security issues represent the biggest risk for organisations that fail to put networks at the heart of digital transformation plans. According to research commissioned by Opengear, 53% of network engineers and 52% of CIOs polled in the US, UK, France, Germany, and Australia rank cyber security among the list of their biggest risks.

The concerns are fuelled by an escalating number of cyber attacks. In fact, 61% of CIOs report an increase in cyber security attacks/breaches from 2020-21 compared to the preceding two years. For digital transformation of networking, 70% of network engineers say security is the most important focus area, and 31% say network security is their biggest networking priority.

Digital transformation is a priority, but cyber security risk remains. CIOs also understand the importance of the issues. 51% of network engineers say their CIOs have consulted them on investments to deliver digital transformation plans, the highest priority in the survey.

What’s more, 41% of CIOs rank cyber security among their organisation’s most important investment priorities over the next year, with 35% stating it is among the biggest over the next five years. In both cases, cyber security ranks higher than any other factor.

https://www.helpnetsecurity.com/2022/05/31/digital-transformation-cybersecurity-risk/

• Ransomware Gang Now Hacks Corporate Websites To Show Ransom Notes

A ransomware gang is taking extortion to a new level by publicly hacking corporate websites to publicly display ransom notes.

This new extortion strategy is being conducted by Industrial Spy, a data extortion gang that recently began using ransomware. As part of their attacks, Industrial Spy will breach networks, steal data, and deploy ransomware on devices. The threat actors then threaten to sell the stolen data on their Tor marketplace if a ransom is not paid.

When ransomware gangs extort a victim, they typically give them a short window, usually a few weeks, to negotiate and pay a ransom before they start leaking data.

During this negotiation process, the threat actors promise to keep the attack secret, provide a decryption key, and delete all data if a ransom is paid.

After this period, the threat actors will use various methods to increase pressure, including DDoS attacks on corporate websites, emailing customers and business partners, and calling executives with threats.

These tactics are all done privately or with minimal exposure on their data leak sites, which are usually only visited by cyber security researchers and the media.

However, this is the first time we have seen a ransomware gang defacing a website to very publicly display a ransom note.

https://www.bleepingcomputer.com/news/security/ransomware-gang-now-hacks-corporate-websites-to-show-ransom-notes/

• Attackers Are Leveraging Follina, A Critical Microsoft Windows Vulnerability Affecting Nearly All Versions of Windows and Windows Server. What Can You Do?

As the world is waiting for Microsoft to push out a patch for CVE-2022-30190, aka “Follina”, attackers around the world are exploiting the vulnerability in a variety of campaigns.

Microsoft has described CVE-2022-30190 as a Microsoft Windows Support Diagnostic Tool (MSDT) remote code execution vulnerability, confirmed it affects an overwhelming majority of Windows and Windows Server versions, and advised on a workaround to be implemented until a patch is ready.

https://www.helpnetsecurity.com/2022/06/03/patch-cve-2022-30190/

• Ransomware Attacks Need Less Than Four Days To Encrypt Systems

The duration of ransomware attacks in 2021 averaged 92.5 hours, measured from initial network access to payload deployment. In 2020, ransomware actors spent an average of 230 hours to complete their attacks and 1637.6 hours in 2019.

This change reflects a more streamlined approach that developed gradually over the years to make large-scale operations more profitable.

At the same time, improvements in incident response and threat detection have forced threat actors to move quicker, to leave defenders with a smaller reaction margin.

The data was collected by researchers at IBM's X-Force team from incidents analysed in 2021. They also noticed a closer collaboration between initial access brokers and ransomware operators.

Previously, network access brokers might wait for multiple days or even weeks before they found a buyer for their network access.

In addition, some ransomware gangs now have direct control over the initial infection vector, an example being Conti taking over the TrickBot malware operation.

Malware that breaches corporate networks is quickly leveraged to enable post-exploitation stages of the attack, sometimes completing its objectives in mere minutes.

https://www.bleepingcomputer.com/news/security/ransomware-attacks-need-less-than-four-days-to-encrypt-systems/

• 57% Of All Digital Crimes In 2021Were Scams

Group-IB shares its analysis of the landscape of the most widespread cyber threat in the world: scams. Accounting for 57% of all financially motivated cyber crime, the scam industry is becoming more structured and involves more and more parties divided into hierarchical groups.

The number of such groups jumped to a record high of 390, which is 3.5 times more than last year, when the maximum number of active groups was close to 110. Due to SaaS (Scam-as-a-Service), in 2021 the number of cyber criminals in one scam gang increased 10 times compared to 2020 and now reaches 100.

Traffic has become the circulatory system of scam projects: researchers emphasise that the number of websites used for purchasing and providing “grey” and illegal traffic and that lure victims into fraudulent schemes has increased by 1.5 times. Scammers are going into 2022 on a new level of scam attack automation: no more non-targeted users. Scammers are now attracting specific groups of victims to increase conversion rates. Social media are more often becoming the first point of contact between scammers and their potential victims.

https://www.helpnetsecurity.com/2022/05/31/scams-widespread-cyber-threat/

• Intelligence Is Key To Strategic Business Decisions

Businesses have a growing need for greater relevance in the intelligence they use to inform critical decision-making. Currently just 18% of professionals responsible for security, risk, or compliance in their organisation feel that the intelligence they receive is “very specific and focused on their business”, a S-RM research reveals.

6 in 10 respondents also say the intelligence they receive takes too much time to analyse, meaning it does not always result in better informed decision making. This was the top reason behind dissatisfaction with external intelligence, identified by over 200 professionals working at companies with revenues of over $250 million.

The second most likely reason was that information was not tailored to business needs (47%), followed by too much information (35%).

Growing demand for the use of strategic intelligence has been prompted by increasing cyber (51%) and regulatory concerns (50%). And while these two factors have been climbing the boardroom agenda for years, geopolitical uncertainty has made the need to respond to these developments more acute. In particular, the Russia-Ukraine conflict has created a complex sanctions regime for businesses to operate.

Additionally, navigating the complexities of the COVID-19 pandemic has been a key challenge for businesses in the past three years, with 40% citing this as a catalyst in driving a growing need for strategic intelligence.

https://www.helpnetsecurity.com/2022/06/03/intelligence-decision-making/

• How Cyber Criminals Are Targeting Executives At Home And Their Families

Top executives and their families are increasingly being targeted on their personal devices and home networks, as sophisticated threat actors look for new ways to bypass corporate security and get direct access to highly sensitive data.

https://www.helpnetsecurity.com/2022/06/01/cybercriminals-targeting-executives-video/

Threats

Ransomware

• Cyber criminals Expand Attack Radius and Ransomware Pain Points | Threatpost

• FBI, CISA warn: Don't get caught in Karakurt's web • The Register

• Conti ransomware targeted Intel firmware for stealthy attacks (bleepingcomputer.com)

• GoodWill Ransomware victims have to perform socially driven activities to decryption their dataSecurity Affairs

• YourCyanide Ransomware Propagates With PasteBin, Discord, Microsoft Links (darkreading.com)

• Conti Leaks Reveal Ransomware Gang's Interest in Firmware-based Attacks (thehackernews.com)

• Evil Corp switches to LockBit ransomware to evade sanctions (bleepingcomputer.com)

• Ransomware attack sends New Jersey county back to 1977 • The Register

• Ransomware roundup: System-locking malware dominates headlines | CSO Online

• What if ransomware evolved to hit IoT in the enterprise? • The Register

• How Costa Rica found itself at war over ransomware | CSO Online

• Experts warn of ransomware attacks on government orgs of small states - Security Affairs

• Foxconn confirms ransomware attack disrupted production in Mexico (bleepingcomputer.com)

• Hanesbrands says it suffered a ransomware attack on May 24 and has informed law enforcement - MarketWatch

• Why Ransomware Timeline Shrinks By 94%? – Information Security Buzz

• Hundreds of Elasticsearch databases targeted in ransom attacks (bleepingcomputer.com)

BEC – Business Email Compromise

• Why Stopping Business Email Compromise (BEC) Needs To Be A Priority For MSPs - MSSP Alert

• Language-based BEC attacks rising - Help Net Security

Phishing & Email Based Attacks

• Watch out for phishing emails that inject spyware trio • The Register

• Existential Phishing Schemes | The New Yorker

• Telegram’s blogging platform abused in phishing attacks (bleepingcomputer.com)

Other Social Engineering

• Hacker steals Verizon employee database after tricking worker into granting remote access (bitdefender.com)

• Vishing attacks: What they are and how organisations can protect themselves - Help Net Security

• Beware the Smish! Home delivery scams with a professional feel… – Naked Security (sophos.com)

Malware

• New XLoader Botnet Version Using Probability Theory to Hide its C&C Servers (thehackernews.com)

• LuoYu APT delivers WinDealer malware via man-on-the-side attacks - Security Affairs

• EnemyBot malware adds enterprise flaws to exploit arsenal • The Register

• Researchers Uncover Malware Controlling Thousands of Sites in Parrot TDS Network (thehackernews.com)

• Logic bombs explained: Definition, examples, and prevention | CSO Online

Mobile

• Top 10 Android banking trojans target apps with 1 billion downloads (bleepingcomputer.com)

• WhatsApp accounts hijacked by call forwarding | Malwarebytes Labs

• SideWinder Hackers Use Fake Android VPN Apps to Target Pakistani Entities (thehackernews.com)

• SMSFactory Android malware sneakily subscribes to premium services (bleepingcomputer.com)

• Phishers Having a Field Day on WhatsApp, Telegraph (darkreading.com)

• Apple blocked 1.6 millions apps from defrauding users in 2021 (bleepingcomputer.com)

Organised Crime & Criminal Actors

• FBI warns of Ukrainian charities impersonated to steal donations (bleepingcomputer.com)

• Euro Cops Bust $47m Money Laundering Operation - Infosecurity Magazine (infosecurity-magazine.com)

• Three Nigerian Users of Agent Tesla RAT Arrested | SecurityWeek.Com

Cryptocurrency/Cryptomining/Cryptojacking/NFTs

• Americans report losing over $1 billion to cryptocurrency scams (bleepingcomputer.com)

• Clipminer malware gang stole $1.7M by hijacking crypto payments (bleepingcomputer.com)

• Bored Ape Yacht Club, Otherside NFTs stolen in Discord server hack (bleepingcomputer.com)

• WatchDog hacking group launches new Docker cryptojacking campaign (bleepingcomputer.com)

Fraud, Scams & Financial Crime

• $39.5 billion lost to phone scams in last year - Help Net Security

• Fast loan scam: Here's how it works and why Lloyds Bank has put out an urgent warning | This is Money

• Britain's biggest bank issues 'urgent warning' over new scam (telegraph.co.uk)

• Scams account for most of all financially motivated cyber crime - Help Net Security

AML/CFT/Sanctions

• Evil Corp Pivots LockBit to Dodge US Sanctions | Threatpost

Supply Chain and Third Parties

• To better manage cyber security risk, extend zero-trust principles to third parties | TechCrunch

Denial of Service DoS/DDoS

• DDoS threats growing in sophistication, size, and frequency - Help Net Security

• DDoS attackers continue to innovate, devising new threats and altering attack strategies - Help Net Security

Open Source

• Linux malware is on the rise—6 types of attacks to look for | CSO Online

• The Open Source Software Security Mobilization Plan: Takeaways for security leaders | CSO Online

Privacy

• Vodafone plans carrier-level user tracking for targeted ads (bleepingcomputer.com)

• Europe's hope to scan devices for unlawful files criticized • The Register

Passwords & Credential Stuffing

• Why are many businesses still not using a password manager? - Help Net Security

Regulations, Fines and Legislation

• ExpressVPN Removes Servers in India After Refusing to Comply with Government Order (thehackernews.com)

Spyware, Espionage & Cyber Warfare, including Russian Invasion of Ukraine

• NSA general confirms US offensive cyber ops in Ukraine war • The Register

• Deadly Secret: Electronic Warfare Shapes Russia-Ukraine War | SecurityWeek.Com

• Anonymous: Operation Russia after 100 days of war - Security Affairs

• Chinese LuoYu hackers deploy cyber-espionage malware via app updates (bleepingcomputer.com)

Nation State Actors

Nation State Actors – Russia

• Germany issues fresh warning to banks of cyber attacks due to Ukraine war | Reuters

Nation State Actors – China

• China-linked TA413 group actively exploits Microsoft Follina Zero-Day flawSecurity Affairs

• Chinese state media propaganda found in 88% of Google, Bing news searches - CyberScoop

• Chinese LuoYu Hackers Using Man-on-the-Side Attacks to Deploy WinDealer Backdoor (thehackernews.com)

• How Beijing’s surveillance cameras crept into Britain’s corridors of power (telegraph.co.uk)

Nation State Actors – North Korea

• The day the NHS was held to ransom by North Korean cyber hackers (telegraph.co.uk)

Nation State Actors – Iran

• Microsoft Disables Iran-Linked Lebanese Hacking Group Polonium (darkreading.com)

• Iranian hackers planned attack on Boston Children's Hospital last summer, FBI director says - CyberScoop

Nation State Actors – Misc APT

• Microsoft blocks Polonium hackers from using OneDrive in attacks (bleepingcomputer.com)

• Snake carried out over 1,000 attacks since April 2020 - Security Affairs

• SideWinder Hackers Launched Over a 1,000 Cyber Attacks Over the Past 2 Years (thehackernews.com)

Vulnerability Management

• Focus resources on patching most threatening vulns: research • The Register

Vulnerabilities

• CISA adds 75 vulnerabilities to catalogue in 3 days- IT Security Guru

• Fighting Follina: Application Vulnerabilities and Detection Possibilities (darkreading.com)

• Yet another zero-day (sort of) in Windows “search URL” handling – Naked Security (sophos.com)

• Microsoft Releases Workarounds for Office Vulnerability Under Active Exploitation (thehackernews.com)

• Actively Exploited Atlassian Zero-Day Bug Allows Full System Takeover (darkreading.com)

• Microsoft Azure vulnerabilities pose new cloud security risk - Protocol

• GitLab Issues Security Patch for Critical Account Takeover Vulnerability (thehackernews.com)

• New Unpatched Horde Webmail Bug Lets Hackers Take Over Server by Sending Email (thehackernews.com)

Sector Specific

Financial Services Sector

• Germany issues fresh warning to banks of cyber attacks due to Ukraine war | Reuters

Government

• Experts warn of ransomware attacks on government orgs of small states - Security Affairs

Health/Medical/Pharma Sector

• Twice as Many Healthcare Organisations Now Pay Ransom - Infosecurity Magazine

• Novartis says no sensitive data was compromised in cyber attack (bleepingcomputer.com)

• Costa Rica’s public health agency hit by Hive ransomware (bleepingcomputer.com)

Transport and Aviation

• Turkish airline suffers 6.5TB data leak - IT Security Guru

CNI, OT, ICS, IIoT and SCADA

• Vendor Refuses to Remove Backdoor Account That Can Facilitate Attacks on Industrial Firms | SecurityWeek.Com

• Industrial IoT ransomware attacks control systems directly (scmagazine.com)

• Researchers Demonstrate Ransomware for IoT Devices That Targets IT and OT Networks (thehackernews.com)

Food and Agriculture

• JBS Foods cyber attack highlights industry vulnerabilities to Russian hackers - ABC News

Web3

• Why web3 companies get hacked so often, according to crypto VC Grace Isford | TechCrunch

Other News

• How Failing to Prioritize Cyber Security can Hurt Your Company (analyticsinsight.net)

• Cyber security needs a whole-of-society effort | The Hill

• 40% of enterprises don't include business-critical systems in their cyber security monitoring - Help Net Security

• Bad news: The cyber security skills crisis is about to get even worse | ZDNet

• Nearly Three-Quarters of Firms Suffer Downtime from DNS Attacks - Infosecurity Magazine

• CIOs and network engineers rank cyber security among the biggest risks - Help Net Security

• How USB Drives Can Be a Danger to Your Computer (howtogeek.com)

• Australian digital driver's licenses hackable in minutes • The Register

• Over 3.6 million MySQL servers found exposed on the Internet (bleepingcomputer.com)

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

• How Confident Are Companies In Managing Their Current Threat Exposure?

Crossword Cybersecurity has released a report based on the findings of a survey of over 200 CISOs and senior UK cyber security professionals. The paper reveals companies are more concerned and exposed to cyber threats than ever before, with 61 percent describing themselves as at best only “fairly confident” at managing their current cyber security threat exposure, which should raise some eyebrows around the boardroom.

Respondents also feared their cyber strategy would not keep pace with the rate of tech innovation and changes in the threat landscape. 40 percent of organisations believe their existing cyber strategy will be outdated in two years, and a further 37 percent within three years. Additional investment is needed to address longer term planning, with 44 percent saying they only have sufficient resources in their organisation to focus on the immediate and mid-term cyber threats and tech trends.

https://www.helpnetsecurity.com/2022/05/26/organizations-cyber-strategy/

• 'There's No Ceiling': Ransomware's Alarming Growth Signals A New Era, Verizon DBIR Finds

Ransomware has become so efficient, and the underground economy so professional, that traditional monetisation of stolen data may be on its way out.

The past year has seen a staggering acceleration in ransomware incidents, with 25% of all breaches containing a ransomware component.

That's the top-line finding in the 2022 Verizon Data Breach Investigations Report (DBIR), which found that ransomware events in conjunction with breaches ballooned 13% in the past year — last year's report found that just 12% of incidents were ransomware-related. That translates into a rate of increase that's more than the previous five years of growth combined.

The 15th annual DBIR analysed 23,896 security incidents, of which 5,212 were confirmed breaches. About four in five of those were the handiwork of external cyber criminal gangs and threat groups, according to Verizon. And according to Alex Pinto, manager of the Verizon Security Research team, these nefarious types are finding it easier and easier to earn an ill-gotten living with ransomware, making other types of breaches increasingly obsolete.

"Everything in cyber crime has become so commoditised, so much like a business now, and it's just too darn efficient of a methodology for monetising their activity," he tells Dark Reading, noting that with the emergence of ransomware as-a-service (RaaS) and initial-access brokers, it takes very little skill or effort to get into the extortion game.

"Before, you had to get in somehow, look around, and find something worth stealing that would have a reseller on the other end," he explains. "In 2008 when we started the DBIR, it was by and large payment-card data that was stolen. Now, that has fallen precipitously because they can just pay for access someone else established and install rented ransomware, and it's so much simpler to reach the same goal of getting money."

https://www.darkreading.com/attacks-breaches/ransomware-alarming-growth-verizon-dbir

• Paying Ransom Doesn’t Guarantee Data Recovery

A Veeam report has found that 72% of organisations had partial or complete attacks on their backup repositories, dramatically impacting the ability to recover data without paying the ransom.

Additionally, 76% of organisations admitted to paying the ransom. But while 52% paid the ransom and were able to recover data, 24% paid the ransom but were still not able to recover data.

https://www.helpnetsecurity.com/2022/05/24/paying-ransom-recover-data-video/

• Report: Frequency Of Cyber Attacks in 2022 Has Increased By Almost 3M

Kaspersky has released a new report revealing a growing number of cyber attacks on small businesses in 2022 so far. Researchers compared the period between January and April 2022 to the same period in 2021, finding increases in the numbers of Trojan-PSW detections, internet attacks and attacks on Remote Desktop Protocol.

In 2022, the number of Trojan-PSW (Password Stealing Ware) detections increased globally by almost a quarter compared to the same period in 2021 一 4,003,323 to 3,029,903. Trojan-PSW is a malware that steals passwords, along with other account information, which then allows attackers to gain access to the company network and steal sensitive information.

Internet attacks grew from 32,500,000 globally in the analysed period of 2021 to almost 35,400,000 in 2022. These can include web pages with redirects to exploits, sites containing exploits and other malicious programs, botnet command & control centres and more.

The number of attacks on Remote Desktop Protocol grew in the U.S. (while dropping slightly globally), going from 47.5 million attacks in the first trimester of 2021 to 51 million in the same period of 2022. With the widespread shift toward remote work, many companies have introduced Remote Desktop Protocol (RDP), a technology that enables computers on the same corporate network to be linked together and accessed remotely, even when the employees are at home.

With small business owners typically handling numerous responsibilities at the same time, cyber security is often an afterthought. However, this disregard for IT security is being exploited by cyber criminals. The Kaspersky study sought to assess the threats that pose an increasing danger to entrepreneurs.

https://venturebeat.com/2022/05/20/report-frequency-of-cyberattacks-in-2022-has-increased-by-almost-3m/

• New Zoom Flaws Could Let Attackers Hack Victims Just By Sending Them A Message

Popular video conferencing service Zoom has resolved as many as four security vulnerabilities, which could be exploited to compromise another user over chat by sending specially crafted Extensible Messaging and Presence Protocol (XMPP) messages and execute malicious code.

With Zoom's chat functionality built on top of the XMPP standard, successful exploitation of the issues could enable an attacker to force a vulnerable client to masquerade a Zoom user, connect to a malicious server, and even download a rogue update, resulting in arbitrary code execution stemming from a downgrade attack.

https://thehackernews.com/2022/05/new-zoom-flaws-could-let-attackers-hack.html

• VMware, Airline Targeted As Ransomware Chaos Reigns

Global ransomware incidents target everything from enterprise servers to grounding an airline, with one India-based group even taking a Robin Hood approach to extortion with the "GoodWill" strain.

Ransomware incidents are on the rise and this week proved no exception, with the discovery of a Linux-based ransomware family called Cheerscrypt targeting VMware ESXi servers and an attack on SpiceJet, India’s second largest airline.

Meanwhile, an oddball "GoodWill" variant purports to help the needy.

The Cheerscrypt ransomware variant was uncovered by Trend Micro and relies on the double-extortion scheme to coerce victims to pay the ransom – i.e., stealing data as well and threatening to leak it if victims don’t pay up.

Because of the popularity of ESXi servers for creating and running multiple virtual machines (VMs) in enterprise settings, the Cheerscrypt ransomware could be appealing to malicious actors looking to rapidly distribute ransomware across many devices.

Meanwhile, low-cost carrier SpiceJet faced a ransomware attack this week, causing flight delays of between two and five hours as well as rendering unavailable online booking systems and customer service portals.

While the company’s IT team announced on Twitter that it had successfully prevented the attempted attack before it was able to fully breach all internal systems and take them over, customers and employees are still experiencing the ramifications.

https://www.darkreading.com/attacks-breaches/vmware-airline-targeted-as-ransomware-chaos-reigns

• Crypto Hacks Aren't A Niche Concern; They Impact Wider Society

Million-dollar crypto heists are becoming more common as the currency starts to go mainstream; prevention and enforcement haven't kept pace.

The attack against the Ronin Network in March was quickly speculated to be one of the largest cryptocurrency hacks of all time. Approximately $540 million was stolen from the cryptocurrency and NFT games company in a combination of USDC and Etherium, with $400 million of the stolen funds owned by customers playing the game Axie Infinity.

This attack was the latest in a string of thefts perpetrated against crypto and should be a jolt to both the digital asset and cyber security communities to bring the security of cryptocurrencies into line.

The current vogue of large-scale crypto heists goes as far back as the 2014 Mt. Gox hack (another cryptocurrency exchange built around a game, Magic: The Gathering), which went into bankruptcy after losing $460 million of assets.

However, the trend has been gathering pace. In the months leading up to the Ronin Network attack, cyber criminals stole nearly $200 million worth of cryptocurrency from the crypto trading platform BitMart, attacked 400 Crypto.com users, and orchestrated NFT-related scams, to name but a few incidents.

There is often an uncomfortable tendency to see these attacks as something that takes place in isolation in a remote part of the Internet when they actually have a huge impact on thousands of people.

https://www.darkreading.com/attacks-breaches/crypto-hacks-aren-t-a-niche-concern-they-impact-wider-society

• State Of Cyber Security Report 2022 Names Ransomware And Nation-State Attacks As Biggest Threats

Ransomware is the biggest concern for cyber security professionals, according to results of the Infosecurity Group’s 2022 State of Cybersecurity Report, produced by Infosecurity Europe and Infosecurity Magazine.

Cyber Security Professionals' Number One Concern: Ransomware.

This attack vector was voted as the biggest cyber security trend (28%) by the survey respondents (including CISOs, CTOs, CIOs and academics), marking a significant change from the previous report in 2020, where ransomware did not break the top three. This follows surging ransomware incidents in 2021, with ransom demands and payments growing significantly last year. A number of these attacks have also impacted critical industries, for example, taking down the US’ largest fuel pipeline.

The survey respondents also highlighted the evolving tactics and capabilities of ransomware attackers. This includes threat actors becoming more sophisticated as they evolve into loosely coupled service-based operations.

A number of cyber security professionals believe that cyber-criminal groups will become more guarded in their approach due to new initiatives by governments and law enforcement to tackle these activities.

Cyber Security Professionals' Number Two Concern: Nation-State Attacks.

The second biggest concern for survey respondents was geopolitics/nation-state attacks (24%), particularly the shifting hostilities from the Russia-Ukraine conflict into cyberspace. Russia already had a reputation for conducting offensive cyber operations prior to the conflict, and the Ukrainian government and critical services have experienced numerous attacks both before and since the war began.

https://www.infosecurity-magazine.com/news/2022-state-industry-report/

• Vishing (Voice Phishing) Cases Reach All Time High

Vishing (voice phishing) cases have increased almost 550 percent over the last twelve months (Q1 2021 to Q1 2022), according to the latest Quarterly Threat Trends & Intelligence Report from Agari and PhishLabs.

In Q1 2022, Agari and PhishLabs detected and mitigated hundreds of thousands of phishing, social media, email, and dark web threats targeting a broad range of enterprises and brands. The report provides an analysis of the latest findings and insights into key trends shaping the threat landscape.

According to the findings, vishing attacks have overtaken business email compromise (BEC) as the second most reported response-based email threat since Q3 2021. By the end of the year, more than one in four of every reported response-based threat was a vishing attack, and this makeup continued through Q1 2022.

https://www.helpnetsecurity.com/2022/05/24/vishing-cases-increased/

• DeFi (Decentralised Finance) Is Getting Pummelled By Cyber Criminals

Decentralised finance lost $1.8 billion to cyber attacks last year — and 80% of those events were the result of vulnerable code, analysts say.

Decentralised finance (DeFi) platforms — which connect various cryptocurrency blockchains to create a decentralised infrastructure for borrowing, trading, and other transactions — promise to replace banks as a secure and convenient way to invest in and spend cryptocurrency. But in addition to attracting hordes of new users with dreams of digital fortune, cyber criminals have discovered them to be an easy target, wiping out wallets to zero balances in a moment, tanking whole markets while profiting, and more, according to a new report.

Analysts with Bishop Fox found that DeFi platforms lost $1.8 billion to cyber attacks in 2021 alone. With a total of 65 events observed, 90% of the losses came from unsophisticated attacks, according to the report, which points to the lax cyber security practices of the sector.

DeFi averaged five attacks per week last year, with most of them (51%) coming from the exploitation of "smart contracts" bugs, the analysts found. Smart contracts are essentially records of transactions, stored on the blockchain.

Other top DeFi attack vectors include cryptowallets, protocol design flaws, and so-called "rug-pull" scams (where investors are lured to a new cryptocurrency project that is then abandoned, leaving targets with a worthless currency). But taken together, 80% of all events were caused by the use (and re-use) of buggy code, according to the report.

https://www.darkreading.com/attacks-breaches/defi-pummeled-by-cybercriminals

Threats

Ransomware

• Ransomware Attacks Increasing at “Alarming” Rate - Infosecurity Magazine

• VMware, Airline Targeted as Ransomware Chaos Reigns (darkreading.com)

• Clop ransomware gang is back, hits 21 victims in a single month (bleepingcomputer.com)

• Link Found Connecting Chaos, Onyx and Yashma Ransomware | Threatpost

• Ransomware demands three good demands to restore files • The Register

• Ransomware Cheerscrypt targets VMware ESXi systems • The Register

• New Chaos Malware Variant Ditches Wiper for Encryption (darkreading.com)

• CLOP Ransomware Activity Spiked in April (darkreading.com)

• Industrial Spy data extortion market gets into the ransomware game (bleepingcomputer.com)

• BlackCat/ALPHV ransomware asks $5 million to unlock Austrian state (bleepingcomputer.com)

• Conti Ransomware Operation Shut Down After Splitting into Smaller Groups (thehackernews.com)

• Suspected phishing email crime boss arrested in Nigeria • The Register

BEC – Business Email Compromise

• Interpol arrests alleged leader of the SilverTerrier BEC gang (bleepingcomputer.com)

• Cyber security breach at the city of Portland led to fraudulent $1.4M transaction | KATU

Phishing & Email Based Attacks

• Intuit warns of QuickBooks phishing threatening to suspend accounts (bleepingcomputer.com)

• NCSC Report Reveals Phishing Lures Increasingly Disguised as Vaccine Appointments - Infosecurity Magazine

• Suspected phishing email crime boss arrested in Nigeria • The Register

Other Social Engineering

• Vishing Attacks Reach All Time High, According to Latest Agari and PhishLabs Report (darkreading.com)

Malware

• BPFDoor malware uses Solaris vulnerability to get root privileges (bleepingcomputer.com)

• Snake Keylogger Spreads Through Malicious PDFs | Threatpost

• New Windows Subsystem for Linux malware steals browser auth cookies (bleepingcomputer.com)

• This Windows malware uses PowerShell to subvert Chrome • The Register

• Hackers have found a new way to smuggle malware onto your device | TechRadar

• Cyber Security Community Warned of Fake PoC Exploits Delivering Malware | SecurityWeek.Com

• Popular Python and PHP libraries hijacked to steal AWS keys (bleepingcomputer.com)

• New Attack Shows Weaponized PDF Files Remain a Threat (darkreading.com)

Mobile

• Microsoft finds severe bugs in Android apps from large mobile providers (bleepingcomputer.com)

• Google warns Android smartphones targeted by dangerous Predator spyware | TechRadar

• New ERMAC 2.0 Android malware steals accounts, wallets from 467 apps (bleepingcomputer.com)

BYOD

• Spring Cleaning Checklist for Keeping Your Devices Safe at Work (darkreading.com)

Data Breaches/Leaks

• GM Discloses Data Breach of Cars' Locations, Mileage, Service (gizmodo.com)

• MGM Resorts' customer data now leaked on Telegram for free • The Register

Organised Crime & Criminal Actors

• REvil prosecutions reach a 'dead end,' Russian media reports - CyberScoop

• Scammer Behind $568M International Cyber Crime Syndicate Gets 4 Years (darkreading.com)

• Multi-Continental Operation Leads to Arrest of Cyber Crime Gang Leader - Infosecurity Magazine

Cryptocurrency/Cryptomining/Cryptojacking/NFTs

• Hacker Steals $1.4 Million in NFTs From Collector In One Sweep (vice.com)

• 8 ways to avoid NFT scams (techtarget.com)

Insider Risk and Insider Threats

• 68% of Legal Sector Data Breaches Caused by Insider Threats - Infosecurity Magazine

• Verizon Report: Ransomware, Human Error Among Top Security Risks | Threatpost

Dark Web

• Military cyber weapons could become available on dark web: Interpol (cnbc.com)

• Darknet market Versus shuts down after hacker leaks security flaw (bleepingcomputer.com)

Supply Chain and Third Parties

• Use of Obfuscated Beacons in ‘pymafka’ Supply Chain Attack Signals a New Trend in macOS Attack TTPs - SentinelOne

Denial of Service DoS/DDoS

• Cybergang Claims REvil is Back, Executes DDoS Attacks | Threatpost

• DDoS Extortion Attack Flagged as Possible REvil Resurgence (darkreading.com)

• Anatomy of a DDoS amplification attack - Microsoft Security Blog

Cloud/SaaS

• Security has become more difficult, IT leaders say - Help Net Security

Attack Surface Management

• Where is attack surface management headed? - Help Net Security

Open Source

• Open source is becoming a national security risk | CSO Online

Privacy

• Twitter fined $150M for misusing 2FA data (techtarget.com)

• Zuckerberg sued by DC attorney general over Cambridge Analytica data scandal | Meta | The Guardian

Passwords & Credential Stuffing

• Strong Password Policy Isn't Enough, Study Shows (darkreading.com)

• Verizon DBIR: Stolen credentials led to nearly 50% of attacks (techtarget.com)

Regulations, Fines and Legislation

• How to navigate GDPR complexity - Help Net Security

• GDPR Anniversary, Expert Insight On What Lead To GDPR Fines – Information Security Buzz

• Indian stock markets given ten day deadline to file reports • The Register

Spyware, Espionage & Cyber Warfare, including Russian Invasion of Ukraine

• Network of hyperlocal Russian Telegram channels spew disinformation in occupied Ukraine - CyberScoop

• Predator spyware uses in Chrome, Android zero-day exploits • The Register

• Unknown APT group is targeting Russian government entities - Security Affairs

• Hackers target Russian govt with fake Windows updates pushing RATs (bleepingcomputer.com)

• Remote bricking of Ukrainian tractors raises agriculture security concerns | CSO Online

• Anonymous Declares Cyber-War On Pro-Russian Hacker Gang Killnet – Information Security Buzz

• Ex-spymaster and fellow Brexiteers' emails stolen, leaked • The Register

Nation State Actors

Nation State Actors – Russia

• Fronton: Russian IoT Botnet Designed to Run Social Media Disinformation Campaigns (thehackernews.com)

• Russian Hackers Believed to Be Behind Leak of Hard Brexit Plans - Infosecurity Magazine

• Russian Gamaredon APT could fuel a new round of DDoS attacks - Security Affairs

• Putin aimed cyber attack at me, says former MI6 chief Sir Richard Dearlove | News | The Times

Nation State Actors – China

• Trend Micro Patches Vulnerability Exploited by Chinese Cyber Spies | SecurityWeek.Com

• Chinese "Twisted Panda" Hackers Caught Spying on Russian Defense Institutes (thehackernews.com)

Nation State Actors – Iran

• Pro-Iran Group ALtahrea Hits Port of London Website by DDoS Attack (hackread.com)

Vulnerabilities

• CISA ‘Strongly Urges’ You To Patch 75 Actively Exploited Security Bugs (forbes.com)

• CISA adds 41 vulnerabilities to list of bugs used in cyber attacks (bleepingcomputer.com)

• Exploit released for critical VMware auth bypass bug, patch now (bleepingcomputer.com)

• Zoom Patches ‘Zero-Click’ RCE Bug | Threatpost

• Zyxel addresses four flaws affecting APs, AP controllers, and firewalls - Security Affairs

• Critical New Google Chrome Security Warning For All Users, Update Now (forbes.com)

• Patching the latest Active Directory vulnerabilities is not enough | CSO Online

• Microsoft Elevation-of-Privilege Vulnerabilities Spiked Again in 2021 (darkreading.com)

• Tails OS Users Advised Not to Use Tor Browser Until Critical Firefox Bugs are Patched (thehackernews.com)

• 'Fixed' Chrome extension flaw could allow hackers to record both your webcam and desktop feeds | PC Gamer

Sector Specific

SMBs – Small and Medium Businesses

• Small Business Cyber Security: Do SMB Owners Underestimate Risk? - MSSP Alert

Legal

• 68% of Legal Sector Data Breaches Caused by Insider Threats - Infosecurity Magazine

Health/Medical/Pharma Sector

• teiss - News - American healthcare tech giant Omnicell suffers a major ransomware attack

• Web app attacks on the rise in healthcare as insider challenges remain (scmagazine.com)

Retail/eCommerce

• Microsoft: Credit card stealers are getting much stealthier (bleepingcomputer.com)

• Microsoft warns of new highly evasive web skimming campaigns - Security Affairs

Transport and Aviation

• Hundreds Stranded After Ransomware Attack on Indian Airline | SecurityWeek.Com

• SpiceJet airline passengers stranded after ransomware attack (bleepingcomputer.com)

CNI, OT, ICS, IIoT and SCADA

• Taking the Danger Out of IT/OT Convergence (darkreading.com)

• Critical Flaws in Popular ICS Platform Can Trigger RCE | Threatpost

Energy & Utilities

• Can we trust the cyber security of the energy sector? - Help Net Security

Oil, Gas and Mining

• Oil and gas companies take cyber resilience pledge - IT Security Guru

Education and Academia

• FBI: compromised US academic credentials available on crime forums - Security Affairs

• Ed tech illegally tracked school children during pandemic - IT Security Guru

Reports Published in the Last Week

• 2022 Data Breach Investigations Report | Verizon

• State of Cyber Security Report 2022 - Infosecurity Magazine

• 2022 Voice of the CISO | Proofpoint US

Other News

• IP and cyber security disputes are top legal concerns for tech companies | TechCrunch

• Verizon DBIR: Stolen credentials led to nearly 50% of attacks (techtarget.com)

• Managed Detection and Response (MDR): Who's Responsible for the R? - MSSP Alert

• Survey Evidences Leaders Lack Confidence in Cyber-Risk Management - Infosecurity Magazine

• Flaw in PayPal can allow attackers to steal money from users' account - Security Affairs

• When it comes to remote work, 71% of IT leaders say security is the main challenge - Help Net Security

• Most organisations do not follow data backup best practices - Help Net Security

• There are systems 'guarding' your data in cyberspace – but who is guarding the guards? (theconversation.com)

• Why are current cyber security incident response efforts failing? - Help Net Security

• Nation-state malware will be a commodity on dark web soon, Interpol warns - Security Affairs

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.