Threat Intelligence Blog
Contact us to discuss any insights from our Blog, and how we can support you in a tailored threat intelligence report.
Black Arrow Cyber Threat Briefing 16 April 2021
Black Arrow Cyber Threat Briefing 16 April 2021: 61% Of Employees Fail Basic Cyber Security Quiz; More Than 1,900 Hacking Groups Active Today; Ransomware Crisis Worsens; Enterprise Security Attackers Are One Password Away From Your Worst Day; Microsoft’s April Update Patches 114 Bugs; Nation-State Attacks Targeting Businesses Rise; Criminals Installing Cryptojacking Malware On Unpatched Exchange Servers; Network Vulns Affect Over 100 Million Devices; Brits Still Confused By Multi-Factor Authentication
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
61 Percent Of Employees Fail Basic Cyber Security Quiz
Nearly 70% of employees polled in a new survey said they recently received cyber security training from their employers, yet 61% nevertheless failed when asked to take a basic quiz on the topic. This was one of the leading findings of a research study that sought to understand the cyber security habits of some 1,200 workers, as well as their knowledge of best practices and ability to recognize security threats.
https://www.scmagazine.com/home/security-news/61-percent-of-employees-fail-basic-cybersecurity-quiz/
More Than 1,900 Distinct Hacking Groups Are Active Today
There are currently more than 1,900 distinct hacking groups that are active today, a number that grew from 1,800 groups recorded at the end of 2019. In its yearly cyber crime report, the company said it discovered 650 new threat actors during 2020, but new evidence also allowed it to remove 500 groups from its threat actor tracker due to overlaps in activity and hacking infrastructure with previously known clusters.
https://therecord.media/fireeye-more-than-1900-distinct-hacking-groups-are-active-today/
Ransomware: The Internet's Biggest Security Crisis Is Getting Worse
Organisations continue to fall victim to ransomware, and yet progress on tackling these attacks, which now constitute one of the biggest security problems on the internet, remains slow. From small companies to councils, government agencies and big business, the number and range of organisations hit by ransomware is rising. One recent example; schools with 36,000 students have been hit, leaving pupils without access to email as attempts were made to get systems back online. That is at least four chains of schools attacked in the last month.
Enterprise Security Attackers Are One Password Away From Your Worst Day
If the definition of insanity is doing the same thing over and over and expecting a different outcome, then one might say the cyber security industry is insane.
Criminals continue to innovate with highly sophisticated attack methods, but many security organisations still use the same technological approaches they did 10 years ago. The world has changed, but cyber security hasn’t kept pace.
Distributed systems, with people and data everywhere, mean the perimeter has disappeared. And the hackers couldn’t be more excited. The same technology approaches, like correlation rules, manual processes and reviewing alerts in isolation, do little more than remedy symptoms while hardly addressing the underlying problem.
Credentials are supposed to be the front gates of the castle, but as the SOC is failing to change, it is failing to detect. The cyber security industry must rethink its strategy to analyse how credentials are used and stop breaches before they become bigger problems.
Microsoft’s April Update Patches 114 Bugs—Half Of Which Allow Remote Code Execution
The fourth Patch Tuesday of 2021 is another big one. Today, Microsoft revealed 114 vulnerabilities fixed in the monthly security, over half of which could potentially be exploited for remote code execution by attackers. Of the 55 remote execution bugs, over half were tied to Windows’ Remote Procedure Call (RPC) interface. Four more were Microsoft Exchange bugs (all urgent fixes) reported to Microsoft by the National Security Agency. In addition, six Chrome vulnerabilities that were previously addressed by Google are included in the roll-up.
Nation-State Cyber Attacks Targeting Businesses Are On The Rise
Businesses are increasingly coming under fire from nation state-backed hackers as governments around the world engage in attacks to steal secrets or lay the foundations for future attacks. Nation States, Cyberconflict and the Web of Profit, a study by cyber security researchers at HP and criminologists at the University of Surrey, warns that the number of key nation-state attacks has risen significantly over the past three years – and that enterprises and businesses are increasingly being targeted. An analysis of nation-state cyber attacks between 2017 and 2020 reveals that just over a third of organisations targeted were businesses: cyber defence, media, government, and critical infrastructure are all also common targets in these attacks, but enterprise has risen to the top of the list.
https://www.zdnet.com/article/nation-state-cyber-attacks-targeting-businesses-are-on-the-rise/
Cyber Criminals Are Installing Cryptojacking Malware On Unpatched Microsoft Exchange Servers
Cyber criminals are targeting vulnerable Microsoft Exchange servers with cryptocurrency mining malware in a campaign designed to secretly use the processing power of compromised systems to make money. Zero-day vulnerabilities in Microsoft Exchange Server were detailed last month when Microsoft released critical security updates to prevent the exploitation of vulnerable systems. Cyber attackers ranging from nation-state-linked hacking groups to ransomware gangs have rushed to take advantage of unpatched Exchange servers -- but they are not the only ones.
NAME:WRECK DNS Vulnerabilities Affect Over 100 Million Devices
Security researchers have disclosed nine vulnerabilities affecting network communication stacks running on at least 100 million devices. Collectively referred to as NAME: WRECK, the flaws could be leveraged to take offline affected devices or to gain control over them. The vulnerabilities were found in a wide range of products, from high-performance servers and networking equipment to operational technology (OT) systems that monitor and control industrial equipment. According to researchers threat actors could exploit NAME:WRECK vulnerabilities to deal significant damage to government or enterprise servers, healthcare facilities, retailers, or companies in the manufacturing business by stealing sensitive data, modifying or taking equipment offline for sabotage purposes.
Brits Still Confused By Multi-Factor Authentication
The British public are still woefully underinformed and unaware of the security benefits of multi-factor authentication (MFA). The industry association, founded in 2012 to promote authentication standards and reduce global reliance on passwords, recently polled over 4000 consumers in the UK, France, Germany, and the US. It revealed that half (49%) UK consumers have had their social media accounts compromised or know a friend or family member who has. However, despite a continued number of high-profile account takeovers, 43% said this does not make them enhance security on their accounts, even though they “feel like” they should. Part of the problem seems to be a general lack of understanding about the benefits of MFA in protecting account holders from phishing, as well as credential stuffing and other brute force attack types. Although such features are offered by all social media companies today, over a quarter (26%) of respondents said they were not using or didn’t know about them.
https://www.infosecurity-magazine.com/news/brits-still-confused-by/
623K Payment Cards Stolen From Cyber Crime Forum
The Swarmshop cyber underground “card shop” has been hit by hackers, who lifted the site’s database of stolen payment-card data and leaked it online. That is according to researchers, who said that the database was posted on a rival underground forum. Card shops, are online cyber criminal forums where stolen payment-card data is bought and sold. Researchers said the database in question contains 623,036 payment-card records from card-issuers in Brazil, Canada, China, France, Mexico, Saudi Arabia, Singapore, the U.K., and the U.S.
https://threatpost.com/623m-payment-cards-stolen-from-cybercrime-forum/165336/
Threats
Ransomware
Dutch Supermarkets Run Out Of Cheese After Ransomware Attack
This Nasty Ransomware Hacks Your VPN To Break Into Your Device
Phishing
Other Social Engineering
7 New Social Engineering Tactics Threat Actors Are Using Now
Cloud-Native Watering Hole Attack: Simple And Potentially Devastating
Malware
Mobile
Vulnerabilities
Adobe Patches Slew of Critical Security Bugs in Bridge, Photoshop
Microsoft Security Update Fixes Zero-Day Vulnerabilities In Windows And Other Software
Data Breaches
Organised Crime & Criminal Actors
Nation State Actors
Iran Vows Revenge For 'Israeli' Attack On Natanz Nuclear Site
NSA: Top 5 Vulnerabilities Actively Abused By Russian Govt Hackers
Privacy
Reports Published in the Last Week
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Week in review 01 December 2019: staff susceptible to phishing, businesses fail to implement IT disaster plans, ransomware unlikely to go away, the most notable cyber events of the last 10 years
A summary of the top cyber news from the last week and how they relate to business and individuals in Guernsey and the CI. This week: staff members susceptible to phishing attacks, businesses failing to implement IT disaster plans, ransomware unlikely to go away when chance of being caught is so slim, the most notable cyber events of the last 10 years, authorities take down remote access trojan.
A summary of the top cyber news events from the last week and how they relate to business and individuals in Guernsey and the wider Channel Islands.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Nearly half of workers have clicked on a phishing email
New research released this week has revealed that almost a quarter of businesses have fallen victim to a phishing attack.
A survey of 714 people working in businesses across the US discovered that many organizations are not taking the proper measures to protect themselves from phishing attacks including employee training and the implementation of two-factor authentication.
Of those surveyed, only 64 percent said they currently use a two-factor authentication system to help protect their organization's data. This means that over one third of organizations are potentially leaving themselves exposed to phishing attacks.
Some phishing schemes, such as spear phishing, target specific members of staff within an organisation and this is typically accomplished through social engineering.
In order to combat these phishing scams firms should ensure the provide staff with suitable social engineering training.
https://www.techradar.com/news/nearly-half-of-workers-have-clicked-on-a-phishing-email
Phishing emails are still managing to catch everyone out
Staying with Phishing, another article this week points out that workers are still finding it too hard to spot phishing emails, with nearly three-quarters of companies seeing staff hand over passwords when tested by a security company.
A security consultancy tested 525 businesses for their susceptibility to a range of different hacking techniques and security vulnerabilities. It found that employees at 71% of these businesses handed over access credentials when targeted with phishing attacks by penetration testers -- up from 63% last year.
In 20% of cases, login details were shared by more than half of employees, compared to just 10% last year.
The firm doing the research carried out 623 penetration tests across the US, Europe and the UK, aiming to simulate a range of cyberattacks to assess how well companies were able to cope with them.
Weak passwords and insecure internal procedures, such as improper file-access restrictions and a lack of staff training, along with using out-of-date software, were the three most common vulnerabilities discovered during the tests.
The original article can be found here: https://www.zdnet.com/article/phishing-emails-are-still-managing-to-catch-everyone-out/
Many UK businesses have no IT disaster recovery plan
Disaster recovery plan, a set of steps designed to help businesses get back on their feet after an incident as soon as possible, is not something many UK businesses have.
A Survey of 1,125 IT workers came to the conclusion that a quarter of SMEs don’t have such a plan set up and this equates to “gambling with the continuity of business”.
In the report, it stresses that four fifths of all businesses who suffered a major incident failed within a year and a half.
Among businesses that do have a disaster recovery plan created – more than half (54 per cent) don’t regularly test it. A third has never tested it, at all. A small portion of the firms don’t have automated backups set up, either.
“The message to business leaders is get a DR plan in place and test, test, test!”
https://www.itproportal.com/news/many-uk-businesses-have-no-it-disaster-recovery-plan/
Ransomware: Big paydays and little chance of getting caught means boom time for crooks
Ransomware will continue to plague organisations in 2020 because there's little risk of the cyber criminals behind the network-encrypting malware attacks getting caught; so for them there's only a small amount of risk, but a potentially large reward.
During the last year, there's been many examples of ransomware attacks where victims have given into the extortion demands of the attackers, often paying hundreds of thousands of dollars in bitcoin in exchange for the safe return of their networks.
In many cases, the victims will pay the ransom because it's seen as the quickest – and cheapest – means of restoring the network.
The full article can be found here: https://www.zdnet.com/article/ransomware-big-paydays-and-little-chance-of-getting-caught-means-boom-time-for-crooks/
A decade of hacking: The most notable cyber-security events of the 2010s
The 2010s decade is drawing to a close and ZDNet have taken a look back at the most important cyber-security events that have taken place during the past ten years.
There have been monstrous data breaches, years of prolific hacktivism, plenty of nation-state cyber-espionage operations, almost non-stop financially-motivated cybercrime, and destructive malware that has rendered systems unusable.
Read the full article for the full list here:
Authorities take down 'Imminent Monitor' RAT malware operation
Law enforcement agencies from all over the world announced this week that they took down the infrastructure of the Imminent Monitor remote access trojan (IM-RAT), a hacking tool that has been on sale online for the past six years.
According to a press release from Europol, the operation had two stages. The first occurred in June 2019, when Australian and Belgian police forces searched the homes of the IM-RAT author and one of his employees.
The second stage took place earlier this week, when authorities took down the IM-RAT website, its backend servers, and arrested the malware's author and 13 of the tool's most prolific users.
Europol reported arrests in Australia, Colombia, Czechia, the Netherlands, Poland, Spain, Sweden, and the United Kingdom.
Authorities also served search warrants at 85 locations and seized 430 devices they believed were used to spread the malware.
The UK National Crime Agency (NCA) took credit for a good chunk of the bounty, with 21 search warrants, nine arrests, and more than 100 seized devices.
More here: https://www.zdnet.com/article/authorities-take-down-imminent-monitor-rat-malware-operation/
Contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our new regular ‘Cyber Tip Tuesday’ video blog, here and on our YouTube channel.
Week in review 24 November 2019: data leak from Cayman National Bank in IOM, WhatsApp users urged to update, Social Engineering explainer, tricks hackers use to hijack mail, cyber top Board priority
Week in review 24 November 2019: data leak from Cayman National Bank in IOM, WhatsApp users urged to update, Social Engineering explainer, tricks hackers use to hijack mail, cyber top Board priority
Round up of the most significant open source stories of the last week
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Leaker Claims to Have Published 2TB of Data From Cayman National Bank
The biggest story this week affecting the offshore finance world is news that 2TB of data (equivalent to 620,000 photographs, and photos are normally much larger than Word documents, so conceivably millions of Word documents) from the Isle of Man branches of the Cayman National Bank and Cayman National Trust.
A pseudonymous Twitter account called Distributed Denial of Secrets--a play on the distributed-denial of service attacks that can bring down even the largest websites-- said that it was releasing "copies of the servers of Cayman National Bank and Trust." The account has also claimed to have released more information over the last few days and to have upgraded its servers to cope with traffic spikes.
https://www.tomshardware.com/news/cayman-islands-national-bank-hack-2tb
Whatsapp Users Urged To Update App Immediately Over Spying Fears
Users of WhatsApp, the popular cross-platform messaging app, have been urged this week to address fears that their devices could be used to spy on them thanks to a major security vulnerability:
Social Engineering: The Insider Threat to Cybersecurity
SecurityBoulevard has an interesting piece this week with a useful explainer on Social Engineering and Social Engineering Prevention that is worth a read if this not an area you are familiar with.
https://securityboulevard.com/2019/11/social-engineering-the-insider-threat-to-cybersecurity/
These are the tricks hackers are using to hijack your email
TechRadar have a piece on Business Email Compromise (BEC) something that is a significant risk to all firms but especially to financial services firms and something that has affected firms in the offshore finance world with some firms locally having experienced losses running to hundreds of thousands.
Most BEC attacks take place on weekdays and during business hours to maximise effectiveness and normally only target small numbers of users.
Read the full article here: https://www.techradar.com/uk/news/these-are-the-tricks-hackers-are-using-to-hijack-your-email
Cyber security becoming top priority in the boardroom, say industry leaders
It looks like cyber is becoming more of a priority in Boardrooms according to a report from the London Business summit by PortSwigger.net.
In Guernsey cyber is getting a lot more focus with the recent Cyber Thematic review carried out by the GFSC and the findings presented to industry in the last couple of weeks, and new regulations coming into effect last year. The GFSC have made it clear to firms that this is Board level issue and Boards need to start being able to take an educated and informed approach to cyber and what their firms are doing to protect themselves against the risks the firm faces.
Mystery surrounds leak of four billion user records
Threat researchers recently uncovered four billion user records on a wide-open Elasticsearch server, but who left them there is a mystery.
Different datasets contained, among other things, data on 1.5 billion unique individuals, a billion personal email addresses including work emails for millions of decision makers in Canada, the UK and the US, 420 million LinkedIn URLs, a billion Facebook URLs and IDs, over 400 million phone numbers and 200 million valid US mobile phone numbers. The second dataset contained scraped data from LinkedIn profiles, including information on recruiters.
The actual source of this data is shrouded in mystery but so much data on so many people means it is highly likely there will be records leaked relating to individuals and businesses in Guernsey and the other Channel Islands.
https://www.computerweekly.com/news/252474411/Mystery-surrounds-leak-of-four-billion-user-records
110 Nursing Homes Cut Off from Health Records in Ransomware Attack
Looking at healthcare but showing the impact ransomware can have on any and all sectors, a ransomware outbreak in the US has affected an IT company that provides cloud data hosting, security and access management to more than 100 nursing homes over there. The ongoing attack is preventing these care centres from accessing crucial patient medical records, and the IT company’s owner says she fears this incident could soon lead not only to the closure of her business, but also to the untimely demise of some patients.
OnePlus Data Breach: What you need to know about customer hack
Mobile phone manufacturer and direct to market seller OnePlus sent an email this week notifying affected customers that their order information had been obtained by an unauthorised third-party.
The company informed customers that name, contact number, email and shipping addresses may have been exposed, but the firm prefaced this by telling them that payment information as well as their account passwords were not obtained during the intrusion.
Anyone in the Bailiwick who has recently purchased a device from OnePlus should be alert to anyone impersonating OnePlus in trying to obtain further information or trying to sell products or services.
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our new regular ‘Cyber Tip Tuesday’ video blog, here and on our YouTube channel.