Threat Intelligence Blog
Contact us to discuss any insights from our Blog, and how we can support you in a tailored threat intelligence report.
Black Arrow Cyber Threat Briefing 31 December 2020
Black Arrow Cyber Threat Briefing 31 December 2020: SolarWinds hack may be much worse than originally feared; Threat actor selling 368.8 million records from 26 data breaches; The Worst Hacks of 2020; Nasty Strain of malware is back and hits 100K recipients per day; Ransomware in 2020: A Banner Year for Extortion; Russia’s global hacking efforts are going to unwind in 2021
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities and cyber related news from the last week.
Top Cyber Headlines of the Week
SolarWinds hack may be much worse than originally feared
The Russia-linked SolarWinds hack which targeted US government agencies and private corporations may be even worse than officials first realized, with some 250 federal agencies and business now believed affected.
Microsoft has said the hackers compromised SolarWinds’ Orion monitoring and management software, allowing them to “impersonate any of the organisation’s existing users and accounts, including highly privileged accounts.” The Times reports that Russia exploited layers of the supply chain to access the agencies’ systems.
https://www.theverge.com/2021/1/2/22210667/solarwinds-hack-worse-government-microsoft-cybersecurity
Threat actor is selling 368.8 million records from 26 data breaches
Security experts reported that a threat actor is selling user records allegedly stolen from twenty-six companies on a hacker forum.
The total volume of data available for sale is composed of 368.8 million stolen user records.
For some of these companies, the data breaches have not been previously disclosed, including Teespring.com, MyON.com, Chqbook.com, Anyvan.com, Eventials.com, Wahoofitness.com, Sitepoint.com, and ClickIndia.com.
https://securityaffairs.co/wordpress/112842/data-breach/data-breaches-records-sale.html
The Worst Hacks of 2020, a Surreal Pandemic Year
WHAT A WAY to kick off a new decade. 2020 showcased all of the digital risks and cybersecurity woes you've come to expect in the modern era, but this year was unique in the ways Covid-19 radically and tragically transformed life around the world. The pandemic also created unprecedented conditions in cyberspace, reshaping networks by pushing people to work from home en masse, creating a scramble to access vaccine research by any means, generating new fodder for criminals to launch extortion attempts and scams, and producing novel opportunities for nation-state espionage.
https://www.wired.com/story/worst-hacks-2020-surreal-pandemic-year/
A Nasty Strain of malware is back and hits 100K recipients per day
The Emotet banking trojan has been active at least since 2014, the botnet is operated by a threat actor tracked as TA542. In the middle-August, the malware was employed in fresh COVID19-themed spam campaign Recent spam campaigns used messages with malicious Word documents, or links to them, pretending to be an invoice, shipping information, COVID-19 information, resumes, financial documents, or scanned documents.
https://securityaffairs.co/wordpress/112650/malware/december-emotet-redacted.html
Ransomware in 2020: A Banner Year for Extortion
From attacks on the UVM Health Network that delayed chemotherapy appointments, to ones on public schools that delayed students going back to the classroom, ransomware gangs disrupted organizations to inordinate levels in 2020. Remote learning platforms shut down. Hospital chemotherapy appointments cancelled. Ransomware attacks in 2020 dominated as a top threat vector this past year. Couple that with the COVID-19 pandemic, putting strains on the healthcare sector, and we witnessed ransomware exact a particularly cruel human toll as well. Attacks had an impact on nearly all sectors of the global economy – costing business $20 billion collectively and creating major cybersecurity headaches for others.
https://threatpost.com/ransomware-2020-extortion/162319/
Ransomware Is Headed Down a Dire Path
AT THE END of September, an emergency room technician in the United States gave WIRED a real-time account of what it was like inside their hospital as a ransomware attack raged. With their digital systems locked down by hackers, health care workers were forced onto backup paper systems. They were already straining to manage patients during the pandemic; the last thing they needed was more chaos. "It is a life-or-death situation," the technician said at the time.
The same scenario was repeated around the country this year, as waves of ransomware attacks crashed down on hospitals and health care provider networks, peaking in September and October. School districts, meanwhile, were walloped by attacks that crippled their systems just as students were attempting to come back to class, either in person or remotely. Corporations and local and state governments faced similar attacks at equally alarming rates.
https://www.wired.com/story/ransomware-2020-headed-down-dire-path/
Russia’s global hacking efforts are going to unwind in 2021
Russia has become adept at using cyberattacks and digital-media manipulation to influence events in other countries. We know there was Russian digital interference in the 2016 US general election and the 2017 presidential election in France: both involved fake social-media accounts and “hack-and-leak” operations to steal emails. The UK government has not investigated whether, as must be probable, Russia had also been using its tools of covert subversion during the Scottish independence and Brexit referenda, but it has said that it is almost certain that Russian actors sought to interfere in the 2019 general election through the online dissemination of illicitly acquired government documents, thought to relate to US/UK trade negotiations.
Threats
IOT
FBI Warn Hackers are Using Hijacked Home Security Devices for ‘Swatting’
Malware
New Golang worm turns Windows and Linux servers into monero miners
Emotet malware hits Lithuania's National Public Health Centre
GitHub-hosted malware calculates Cobalt Strike payload from Imgur pic
Vulnerabilities
Cross-layer attacks: New hacking technique raises DNS cache poisoning, user tracking risk
Windows Zero-Day Still Circulating After Faulty Fix
Backdoor account discovered in more than 100,000 Zyxel firewalls, VPN gateways
Data Breaches
T-Mobile warns customers of second data breach in less than a year
Kawasaki discloses security breach, potential data leak
Finland says hackers accessed MPs' emails accounts
Organised Crime
21 arrests in nationwide cyber crackdown
Nation State Actors
India: A Growing Cyber Security Threat
Denial of Service
Citrix devices are being abused as DDoS attack vectors
Privacy
Mapped: The Top Surveillance Cities Worldwide
Cryptocurrency
Voyager cryptocurrency broker halted trading due to cyber attack
Other News
Brexit deal mentions Netscape browser and Mozilla Mail
6 Questions Attackers Ask Before Choosing an Asset to Exploit
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Week in review 29 December 2019 Round up of the most significant open source stories of the last week
Black Arrow Cyber Security review of top open source news articles for week ending 29 December 2019: 10 biggest hacks of the decade, biggest malware threats, MI6 floorplans lost, Citrix vulnerabilities, popular chat app actually spying tool, jobs in infosec
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Consulting would like to wish everyone a happy, prosperous, and cyber safe, 2020
A bit of a quiet week as one would expect with Christmas festivities. As it’s the end of the year, and indeed the end of a decade, there are lots of round ups of the last year and the last decade, and a lot of predictions for what 2020 will hold (we suspect more bad stuff, more ransomware and more devious and nasty strains of ransomware at that, and more breaches) and in that vein on to our first story:
The 10 biggest data hacks of the decade
This article comes from CNBC in the US and whilst the content is US centric a lot of people on this side of the Atlantic would have been caught up in a lot of these breaches too.
Since 2010, data breaches have exposed over 38 billion records, and there have been at least 40,650 data hacks in this time. And while many were smaller data breaches, there were a few mega hacks that will likely remain records for years to come.
Amongst the biggest breaches are:
UnderArmour (MyFitnessPal), from March 2018 with 143.6 million records hacked
Equifax from September 2017 with 147 million records hacked
Marriott (Starwood) from November 2018 with 383 million records hacked
Veeam from September 2018 with 445 million records hacked
Yahoo! from September and December 2016 with up to 3 billion records hacked
There have been many other breaches affecting other companies, such as WhatsApp and Fortnite, who have reported security flaws in the past year that could have exposed millions of customers’ data, but the extent of the accessed data has not yet been fully ascertained.
Read the full article here: https://www.cnbc.com/2019/12/23/the-10-biggest-data-hacks-of-the-decade.html
Live visualisations of the World’s Biggest Data Breaches and Hacks can be found anytime by clicking here or on the image below: https://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
Biggest Malware Threats of 2019
2019 was another banner year for bots, trojans, RATS and ransomware. Let’s take a look back.
One out of five computer users were subject to at least one malware-class web attack in 2019. This past year cities such as New Orleans were under ransomware siege by the likes of malware Ryuk. Zero-day vulnerabilities were also in no short supply with targets such as Google Chrome and Operation WizardOpium.
Threatpost have taken a look back over their coverage from the last 12 months.
Remote desktop protocol vulnerabilities BlueKeep, and then DejaBlue, allowed unauthenticated, remote attackers to exploit and take complete control of targeted endpoints. The fear of BlueKeep and its wormable potential to mimic the WannaCry forced Microsoft’s hand to patch systems as old as Windows XP and Windows 2000.
This past year had its fair share of zero-day vulnerabilities. One of the most prominent of the zero days was Urgent/11, impacting 11 remote code execution vulnerabilities in the real-time OS VxWorks. Because of VxWorks use in so many critical infrastructure devices, the U.S. Food and Drug Administration took the unusual step and released a warning, urging admins to patch.
We were warned last year when mitigating against Meltdown and Spectre that we would face more side-channel related CPU flaws in the future. And this year we did, with variants ranging from ZombieLoad to Bounds Check Bypass Store, Netspectre and NetCAT. For 2020? Expect even more variants, say experts.
2019 was the year ransomware criminals turned their attention away from consumers and started focusing on big targets such as hospitals, municipalities and schools. There was the Ryuk attack against New Orleans, Maze ransomware behind Pensacola attack and rash of attacks against hospitals that resulted in some care facilities turning patients away.
Botnets continued to be a key tool in cyberattacks in 2019. This past year saw the return of the notorious Emotet botnet. Crooks behind Trickbot partnered with bank trojan cybercriminals from IcedID and Ursif. Lastly, Echobot, an IoT botnet, casts a wider net in 2019 with raft of exploit additions.
Perhaps the highest-profile cryptominer attack occurred in May when researchers found 50,000 servers were infected for over four months as part of a high-profile cryptojacking campaign featuring the malware Nansh0u. The past year also saw a new XMRig-based cryptominer called Norman emerge, which stood apart because of its clever ability to go undetected.
Even though the target is smaller, mobile devices offer criminals top-tier data. Not only are APTs shifting focus on mobile, but so are garden-variety crooks. Take, for example, the Anubis mobile banking trojan that only goes into action after it senses the targeted device is in motion. Then there was the Instagram-initiated campaign using the Gustuff Android mobile banking trojan that rolled out in October.
Google’s Project Zero, in August, found 14 iOS vulnerabilities in the wild since September 2016. According to Google's Threat Analysis Group (TAG) the flaws could allow malware easily steal messages, photos and GPS coordinates. These flaws highlighted five exploit chains in a watering hole attack that has lasted years. Google said malware payload used in the attack is a custom job, built for monitoring.
In May, researchers uncovered a unique Linux-based malware dubbed HiddenWasp that targeted systems to remotely control them. The malware is believed to be used as part of a second-stage attack against already-compromised systems and is composed of a rootkit, trojan and deployment script.
Discussing malware without touching on business email compromise-based attacks would be like talking about the New England Patriots without mentioning Tom Brady. Fake Greta Thunberg emails used to lure victims to download Emotet malware. Of course the Swedish climate-change activist was just one of the lures that in 2018 contributed to 351,000 scams with losses exceeding $2.7 billion.
Read the original article here: https://threatpost.com/biggest-malware-threats-of-2019/151423/
7 types of virus – a short glossary of contemporary cyberbadness
Technically, this article is about malware in general, not about viruses in particular.
These days, however, the crooks don’t really need to program auto-spreading into their malware – thanks to always-on internet connectivity, the “spreading” part is easier than ever, so that’s one attention-grabbing step the crooks no longer need to use.
But the word virus has remained as a synonym for malware in general, and that’s how we’re using the word here.
So, for the record, here are seven categories of malware that give you a fair idea of the breadth and the depth of the risk that malware can pose to your organisation.
Read the full article here: https://nakedsecurity.sophos.com/2019/12/28/7-types-of-virus-a-short-glossary-of-contemporary-cyberbadness/
MI6 floor plans lost by building contractor
Floor plans of MI6's central London headquarters were lost by building contractors during a refurbishment.
The documents, most of which were recovered inside the building, held sensitive information on the layout, including entry and exit points.
Balfour Beatty, the company working on the refurbishment at the headquarters in Vauxhall, is reportedly no longer working on the project.
The Foreign Office said it did not comment on intelligence matters.
The documents, which went missing a few weeks ago, were produced and owned by Balfour Beatty and designed to be used for the refurbishment.
The contractor kept the plans on the site at Vauxhall Cross in a secure location.
BBC security correspondent Gordon Corera said the missing plans were not classified or intelligence documents, but the pages did hold sensitive details.
Most, but not all, of the documents were recovered inside the building after it was noticed they were missing, he said.
Balfour Beatty said it could not comment because of sensitivities.
The incident, first reported by the Sun newspaper, is reportedly a result of carelessness, rather than any hostile activity.
Read the original article here: https://www.bbc.co.uk/news/uk-50927854
Citrix vulnerability allowed criminals to hack 80,000 companies
Researchers have found a vulnerability in popular enterprise software offerings from Citrix which puts tens of thousands of companies at risk of cyber attack.
A security researcher uncovered a critical vulnerability in Citrix Application Delivery Controller (NetScaler ADC) and Citrix Gateway (NetScaler Gateway), which allows direct access to a company network from the internet.
According to a report on the flaw, around 80,000 companies in 158 countries around the world could be at risk. Most companies are located in the US, with the UK, Germany, the Netherlands and Australia sharing a significant portion.
Read the full article here: http://www.itproportal.com/news/citrix-vulnerability-allows-criminals-to-hack-80000-companies
Popular chat app ToTok is actually a spying tool of UAE government – report
A chat app that quickly became popular in the United Arab Emirates for communicating with friends and family is actually a spying tool used by the government to track its users, according to a New York Times report.
The government uses ToTok to track conversations, locations, images and other data of those who install the app on their phones, the Times reported, citing US officials familiar with a classified intelligence assessment and the newspaper’s own investigation.
The Emirates has long blocked Apple’s FaceTime, Facebook’s WhatsApp and other calling apps. Emirati media has been playing up ToTok as an alternative for expatriates living in the country to call home to their loved ones for free.
The Times says ToTok is a few months old and has been downloaded millions of times, with most of its users in the Emirates, a US-allied federation of seven sheikhdoms on the Arabian peninsula. Government surveillance in the Emirates is prolific, and the Emirates long has been suspected of using so-called “zero day” exploits to target human rights activists and others. Zero days exploits can be expensive to obtain on the black market because they represent software vulnerabilities for which fixes have yet to be developed.
The Times described ToTok as a way to give the government free access to personal information, as millions of users are willingly downloading and installing the app on their phones and unknowingly giving permission to enable features.
As with many apps, ToTok requests location information, purportedly to provide accurate weather forecasts, according to the Times. It also requests access to a phone’s contacts, supposedly to help users connect with friends. The app also has access to microphones, cameras, calendar and other data.
Read the full article here: https://www.theguardian.com/world/2019/dec/23/totok-popular-chat-app-spying-tool-uae-government
Jobs in Information Security (InfoSec)
For anyone considering a career in cyber or information security (infosec) there is a useful article detailing different roles and different potential areas of work in this field.
We also run a free mentoring program for anyone either looking to move into cyber security or currently in a cyber security role wanting to progress their careers. Contact us for more information.
Read the article here: https://medium.com/bugbountywriteup/jobs-in-information-security-infosec-93a5efc12ca2