Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

• Three Ransomware Gangs Consecutively Attacked the Same Network

Hive, LockBit and BlackCat, three prominent ransomware gangs, consecutively attacked the same network, according to Sophos. The first two attacks took place within two hours, and the third attack took place two weeks later. Each ransomware gang left its own ransom demand, and some of the files were triple encrypted.

It’s bad enough to get one ransomware note, let alone three. Multiple attackers create a whole new level of complexity for recovery, particularly when network files are triple encrypted. Cyber security that includes prevention, detection and response is critical for organisations of any size and type—no business is immune.

The “Multiple Attackers: A Clear and Present Danger” whitepaper further outlines additional cases of overlapping cyber attacks, including cryptominers, remote access trojans (RATs) and bots. In the past, when multiple attackers have targeted the same system, the attacks usually occurred across many months or multiple years. The attacks described in Sophos’ whitepaper took place within days or weeks of each other—and, in one case, simultaneously—often with the different attackers accessing a target’s network through the same vulnerable entry point.

Typically, criminal groups compete for resources, making it more difficult for multiple attackers to operate simultaneously. Cryptominers normally kill their competitors on the same system, and today’s RATs often highlight bot killing as a feature on criminal forums. However, in the attack involving the three ransomware groups, for example, BlackCat—the last ransomware group on the system—not only deleted traces of its own activity, but also deleted the activity of LockBit and Hive.

In another case, a system was infected by LockBit ransomware. Then, about three months later, members of Karakurt Team, a group with reported ties to Conti, was able to leverage the backdoor LockBit created to steal data and hold it for ransom.

https://www.helpnetsecurity.com/2022/08/09/ransomware-gangs-attacks/

• As The Cost of Cyber Insurance Rises, The Number of Organisations Who Can’t Afford It Is Set to Double

The number of organisations that will be either unable to afford cyber insurance, be declined cover, or experience significant coverage limitations is set to double in 2023, according to Huntsman Security.

Even for those insured, the perfect storm of ongoing attacks, tightening regulations and growing financial pressures is making it more likely that any attack on an organisation will leave it exposed.

Factors like the supply chain crisis, inflation and skill shortages are all adding to the difficulty for organisations trying to execute on their cyber security strategy. At the same time, increases in insurance premiums, limits on coverage, increasing underwriting rigour, and capacity constraints are all limiting the accessibility of cyber insurance, for many.

Loss ratios will not improve until premium incomes better match the current level of pay-outs. With this reduced insurance access alongside increasing cyber threats and tightening regulations, many organisations are losing cyber insurance as an important risk management tool. Even those who can still get insurance are paying a prohibitively high cost.

With a third of UK firms subject to cyber attacks at least once a week, cyber insurance as part of overall risk management is crucial. To bridge this accessibility gap insurers are seeking to improve the quality of risk information, so premiums better reflect the true cost of that risk. Unless organisations can demonstrate they have insurers’ specified controls in place to manage their security risks, insurers will continue to have difficulty quantifying that risk. It’s for these reasons that insurers have changed the basis upon which their products are offered to reflect the risk being underwritten more accurately.

In this environment, improving and demonstrating the effectiveness of security controls will now be essential: both for organisations looking to improve their cyber resilience and oversight while enhancing their eligibility for insurers, and for insurers who need to minimise their own exposure by ensuring the accuracy of their risk pricing process.

https://www.helpnetsecurity.com/2022/08/11/afford-cyber-insurance/

• Identity Cyber Attacks, Microsoft 365 Dominate Cyber Security Incidents, Expel Research Finds

Identity-based cyber attacks (including credential theft, credential abuse and long-term access key theft) accounted for 56% of all incidents in Q2 of 2022, and Microsoft 365 remained the prime target for SaaS attacks, according to Expel’s Quarterly Threat Report.

Among the key findings:

• Business email compromise (BEC) and business application compromise (BAC) access to application data represented 51% of all incidents.

• Identity-based attacks in popular cloud environments like Amazon Web Services (AWS) accounted for 5%.

• Ransomware groups change tactics, with threat groups and their affiliates all but abandoning the use of Visual Basic for Application (VBA) macros and Excel 4.0 macros to gain initial entry to Windows-based environments. In Q1, a macro-enabled Microsoft Word document (VBA macro) or Excel 4.0 macro was the initial attack vector in 55% of all pre-ransomware incidents. In Q2, that figure fell sharply to 9%. Instead, ransomware operators opted to use disk image (ISO), short-cut (LNK) and HTML application (HTA) files to gain initial entry.

• Cloud attacks are becoming more sophisticated, with 14% of identity attacks against cloud identity providers tackling the multi-factor authentication (MFA) requirement by continuously sending push notifications.

• Microsoft 365 is a common threat target, with BEC in Microsoft Office 365 (O365) remaining the top threat to organisations in Q2. 45% of all Q2 incidents were BEC attempts in O365. No BEC attempts were identified in Google Workspaces. 19% of BEC attempts bypassed MFA in O365 using legacy protocols, a 16% increase of compared to Q1.

https://www.msspalert.com/cybersecurity-research/identity-cyberattacks-targeting-microsoft-365-dominate-cybersecurity-incidents-expel-research-finds/

• Exploit Activity Surges 150% in Q2 Thanks to Log4Shell

Detections of malware events, botnet activity and exploits all increased significantly in the second quarter of 2022, according to new data from Nuspire.

The managed security services provider (MSSP) gathered the data from its endpoint detection and response (EDR) and managed detection and response (MDR) tools to produce its Q2 2022 Quarterly Threat Report.

The company recorded an increase in malware events of over 25%, a doubling of botnet detections and a rise in exploit activity of 150% versus the first quarter.

Botnet activity in particular surged towards the end of Q2, thanks to the Torpig Mebroot botnet – a banking trojan designed to scrape credit card and payment information from infected devices, the report revealed. Nuspire claimed it is particularly difficult to detect and remove, because it targets a machine’s master boot record.

It attributed much of the surge in exploit activity to the persistent threat posed by the Log4j bugs discovered at the end of December 2021. At the time, experts warned that the ubiquity of the utility, and the difficulty many organisations have in finding all instances of the CVE due to complex Java dependencies, means it may be exploited for years.

https://www.infosecurity-magazine.com/news/exploit-activity-150-q2-log4shell/

• Ransomware Is Not Going Anywhere: Attacks Are Up 24%

Avast released a report revealing a significant increase in global ransomware attacks, up 24% from Q1/2022. Researchers also uncovered a new zero-day exploit in Chrome, as well as signals of how cyber criminals are preparing to move away from macros as an infection vector.

After months of decline, global ransomware attacks increased significantly in Q2/2022, up 24% from the previous quarter. The highest quarter-on-quarter increases in ransomware risk ratio occurred in Argentina (+56%), UK (+55%), Brazil (+50%), France (+42%), and India (+37%).

Businesses and consumers should be on guard and prepared for encounters with ransomware, as the threat is not going anywhere anytime soon.

The decline in ransomware attacks observed in Q4/2021 and Q1/2022 were thanks to law enforcement agencies busting ransomware group members, and caused by the war in Ukraine, which also led to disagreements within the Conti ransomware group, halting their operations. Things dramatically changed in Q2/2022. Conti members have now branched off to create new ransomware groups, like Black Basta and Karakurt, or may join other existing groups, like Hive, BlackCat, or Quantum, causing an uptick in activity.

https://www.helpnetsecurity.com/2022/08/12/increase-ransomware-attacks/

• Email Is the Single Biggest Threat to Businesses, And Here’s What You Can Do About It

Email remains one of the most popular methods of communication, particularly for business communications. There were 316.9 billion emails sent and received every day in 2021, and this is set to increase to 376.4 billion by 2025. But despite the scale of its use and how much people exchange confidential information over email, it is not a secure system by design.

Consequently, email is a major attack vector for organisations of all sizes. Deloitte found that 91% of all cyber attacks originate from a phishing email (an email that attempts to steal money, identity or personal information through a spoof website link that looks legitimate). The cost to organisations can be catastrophic with the National Cyber Security Centre (NCSC) reporting in August 2021 that phishing email attacks had cost UK organisations more than £5 million in the past 13 months.

It’s not enough for individuals to create complex passwords or rely on the security services of their email provider. Spam filters are not enough to stop malicious emails creeping into inboxes. Fortunately, safeguarding your emails with enterprise-grade email security doesn’t have to cost the earth or be hard to integrate so businesses of any size can protect themselves.

https://informationsecuritybuzz.com/articles/email-is-the-single-biggest-threat-to-businesses-and-heres-what-you-can-do-about-it/

• Realtek SDK Vulnerability Exposes Routers from Many Vendors to Remote Attacks

A serious vulnerability affecting the embedded Configurable Operating System (eCos) software development kit (SDK) made by Taiwanese semiconductor company Realtek could expose the networking devices of many vendors to remote attacks.

The security hole, tracked as CVE-2022-27255 and rated ‘high severity’, has been described as a stack-based buffer overflow that can allow a remote attacker to cause a crash or achieve arbitrary code execution on devices that use the SDK. An attack can be carried out through the wide area network (WAN) interface using specially crafted session initiation protocol (SIP) packets.

The Realtek eCos SDK is provided to companies that manufacture routers, access points and repeaters powered by RTL819x family SoCs. The SDK implements the base functionalities of the router, including the web administration interface and the networking stack. Vendors can build on top of this SDK to add custom functionality and their branding to the device.

Realtek informed customers about the eCos SDK vulnerability in March, when it announced the availability of a patch. However, it’s up to the original equipment manufacturer (OEM) using the SDK to ensure that the patch is distributed to end-user devices.

The vulnerability can be exploited remotely — directly from the internet — to hack affected routers running with default settings. No user interaction is required for successful exploitation.

https://www.securityweek.com/realtek-sdk-vulnerability-exposes-routers-many-vendors-remote-attacks

• Most Companies Are at An Entry-Level When It Comes to Cloud Security

Ermetic released a study by Osterman Research that found 84% of respondents were at an entry-level (one or two rating, with four being the highest) in terms of their cloud security capabilities.

The study found that only 16% ranked on the Ermetic Cloud Security Model at the top two levels, and 80% of companies said they lack a dedicated security team responsible for protecting cloud resources from threats.

“One of the most unexpected findings that emerged from this study was the lack of cloud security maturity among the largest enterprises surveyed,” said the author of the report. “Less than 10% of companies with more than 10,000 employees reported being at the top two maturity levels, while nearly 20% of smaller enterprises have achieved repeatable or automated & integrated cloud security capabilities.”

The report shows why new cloud data breaches are being reported all the time. Multi-cloud deployments, plus low investment in security, does not make for a good combination.

The new frontiers of cyber security, such as cloud security or internet of things (IoT) security are often at early stages of maturity. Organisations that are mature in their IT and data centre security are already overwhelmed and stretched thin and that’s why automation and simplification will help organisations accelerate their maturity in areas like cloud security.

There’s a mistaken belief that cloud computing environments inherently have security built-in — they don’t.

https://www.scmagazine.com/news/cloud-security/most-companies-are-at-an-entry-level-when-it-comes-to-cloud-security

• The Impact of Exploitable Misconfigurations on Network Security

Network professionals feel confident with their security and compliance practices but data suggests that they also leave their organisations open to risk, which is costing a significant amount of revenue, according to Titania.

In addition, some businesses are not minimising their attack surface effectively. Companies are prioritising firewall security and chronicle a fast time to respond to misconfigurations when detected in annual audits. However, switches and routers are only included in 4% of audits and these devices play a vital role in reducing an organisation’s attack surface and preventing lateral movement across the network.

Respondents also indicated that financial resources allocated to mitigating network configuration, which currently stands around 3.4% of the total IT budget, and a lack of accurate automation are limiting factors in misconfiguration risk management.

The study, which surveyed 160 senior cyber security decision-makers revealed:

• Misconfigurations cost organisations millions, up to 9% of their annual revenue but the true cost is likely to be higher.

• Compliance is a top priority, with 75% of organisations across all sectors saying their business relies on compliance to deliver security. Whilst almost every organisation reported that it is meeting its security and compliance requirements, this is at odds with a number of the other findings from the survey and other reports that show a decline in organisations maintaining full compliance with regulated data security standards.

• Remediation prioritisation is a challenge. 75% said their network security tools meant they could categorise and prioritise compliance risks ‘very effectively’. However, 70% report difficulties prioritising remediation based on risk and also claim inaccurate automation as the top challenges when meeting security and compliance requirements.

• Routers and switches are mostly overlooked. 96% of organisations prioritise the configuration and auditing of firewalls, but not routers or switches. This leaves these devices exposed to potentially significant and unidentified risks.

https://www.helpnetsecurity.com/2022/08/12/impact-exploitable-misconfigurations-network-security/

• Industrial Spy Ransomware: New Threat Group Emerges to Exfiltrate Data, Extort Victims

A new ransomware group dubbed Industrial Spy that first emerged in April 2022 is specialising in exfiltration and double extortion tactics and has the potential to do significant damage, Zscaler’s threat tracking team said.

The threat crew has shown that it possesses the capability to breach organisations and have been “actively adding unencrypted data from two or three victims every month,” Zscaler said. In some instances, the threat group appears to only exfiltrate and ransom data. In other cases, they encrypt, exfiltrate and ransom the data, the cloud security provider said.

At this point, it’s not clear who’s behind the threat entry or if it’s nation-state affiliated. The group started as a data extortion marketplace where criminals could buy large companies’ internal data, promoting the marketplace through Readme.txt files downloaded using malware downloaders.

In May, 2022, the threat group introduced their own ransomware to create double extortion attacks that combine data theft with file encryption.

What you need to know:

• Industrial Spy started by ransoming stolen data and more recently has combined these attacks with ransomware.

• The threat group exfiltrates and sells data on their dark web marketplace, but does not always encrypt a victim’s files.

• The ransomware utilises a combination of RSA and 3DES to encrypt files.

• Industrial Spy lacks many common features present in modern ransomware families.

• The Industrial Spy ransomware family is relatively basic, and parts of the code appear to be in development.

https://www.msspalert.com/cybersecurity-breaches-and-attacks/ransomware/new-ransomware-family-industrial-spy-emerges-to-exfiltrate-data-extort-victims/

• UK NHS Service Recovery May Take a Month After MSP Ransomware Attack

Managed service provider (MSP) Advanced confirmed that a ransomware attack on its systems disrupted emergency services (111) from the United Kingdom's National Health Service (NHS). Customers of seven solutions from the British MSP have been impacted either directly or indirectly, the company said. The first has stated it could take a month to recover systems to full service.

The ransomware attack started to disrupt Advanced systems on Thursday, August 4 and was identified around 7 AM. It caused a major outage to NHS emergency services across the UK.

Advanced did not disclose the ransomware group behind the attack but said that it took immediate action to mitigate the risk and isolated Health and Care environments where the incident was detected. The company is working with forensic experts from Microsoft (DART) and Mandiant, who are also helping bring the affected systems back online securely and with added defences:

• Implementing additional blocking rules and further restricting privileged accounts for Advanced staff

• Scanning all impacted systems and ensuring they are fully patched

• Resetting credentials

• Deploying additional endpoint detection and response agents

• Conducting 24/7 monitoring

After implementing the security measures above, Advanced said it would restore connectivity to its environments and assist customers to gradually reconnect safely and securely.

https://www.bleepingcomputer.com/news/security/uk-nhs-service-recovery-may-take-a-month-after-msp-ransomware-attack/

• A Single Flaw Broke Every Layer of Security in MacOS

Every time you shut down your Mac, a pop-up appears: “Are you sure you want to shut down your computer now?” Nestled under the prompt is another option most of us likely overlook: the choice to reopen the apps and windows you have open now when your machine is turned back on. Researchers have now found a way to exploit a vulnerability in this “saved state” feature—and it can be used to break the key layers of Apple’s security protections.

The vulnerability, which is susceptible to a process injection attack to break macOS security, could allow an attacker to read every file on a Mac or take control of the webcam. It's basically one vulnerability that could be applied to three different locations.

https://www.wired.com/story/a-single-flaw-broke-every-layer-of-security-in-macos/

Threats

Ransomware

• Cisco hacked by Yanluowang ransomware gang, 2.8GB allegedly stolen (bleepingcomputer.com)

• Ransomware, email compromise are top security threats, but deepfakes increase | CSO Online

• Feds: Zeppelin Ransomware Resurfaces with New Compromise, Encryption Tactics | Threatpost

• Black Basta: New ransomware threat aiming for the big league | CSO Online

• Could criminalizing ransomware payments put a stop to the current crime wave? - Help Net Security

• 7-Eleven Denmark confirms ransomware attack behind store closures (bleepingcomputer.com)

• Update: Colosseum Dental Benelux pays ransom to threat actors (databreaches.net)

• SolidBit Ransomware Group Recruiting New Affiliates on Dark Web - Infosecurity Magazine

• Fears for patient data after ransomware attack on NHS software supplier | NHS | The Guardian

• US reveals 'Target' pic of Conti man with $10m reward offer • The Register

• Organisations would like the government to help with ransomware demand costs - Help Net Security

• Hacker uses new RAT malware in Cuba Ransomware attacks (bleepingcomputer.com)

• Maui ransomware linked to North Korean group Andariel • The Register

• How to Stop Zeppelin Ransomware Attacks: CISA, FBI Mitigation Guidance - MSSP Alert

• Novel Ransomware Comes to the Sophisticated SOVA Android Banking Trojan (darkreading.com)

• US govt will pay you $10 million for info on Conti ransomware members (bleepingcomputer.com)

Phishing & Email Based Attacks

• LogoKit update: The phishing kit leveraging open redirect vulnerabilities - Help Net Security

• Phishing site masquerading "Have I Been Pwned" website detected. Be careful as very similar URL (exploitone.com)

Other Social Engineering; SMishing, Vishing, etc

• Hackers Behind Twilio Breach Also Targeted Cloudflare Employees (thehackernews.com)

• SMS phishing nabs Twilio employee credentials, allowed access customer data (scmagazine.com)

Malware

• Cyber criminals Shift From Macros to Shortcut Files to Hack Business PCs, HP Reports - Infosecurity Magazine

• Emotet Tops List of July's Most Widely Used Malware - Infosecurity Magazine

• Top malware strains observed in 2021 | Security Magazine

• Microsoft blocks UEFI bootloaders enabling Windows Secure Boot bypass (bleepingcomputer.com)

Mobile

• Google researchers dissect Android spyware, zero days (techtarget.com)

• Novel Ransomware Comes to the Sophisticated SOVA Android Banking Trojan (darkreading.com)

• Xiaomi Phones with MediaTek Chips Found Vulnerable to Forged Payments (thehackernews.com)

• Hackers install Dracarys Android malware using modified Signal app (bleepingcomputer.com)

Internet of Things – IoT

• The Time Is Now for IoT Security Standards (darkreading.com)

• Introducing the book: If It's Smart, It's Vulnerable - Help Net Security

Organised Crime & Criminal Actors

• Cisco hacked by access broker with Lapsus$ ties (techtarget.com)

• New dark web markets claim association with criminal cartels (bleepingcomputer.com)

• Dark Utilities C2 service draws thousands of cyber criminals • The Register

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

• Email marketing firm hacked to steal crypto-focused mailing lists (bleepingcomputer.com)

• Swan Bitcoin Discloses Data Leak Due to Phishing Attack on Newsletter Provider - Decrypt

• Phishers Swim Around 2FA in Coinbase Account Heists | Threatpost

• Crypto and the US government are headed for a decisive showdown | Ars Technica

• Cameo’s CEO fell victim to the latest Bored Ape NFT heist - The Verge

Fraud, Scams & Financial Crime

• “Hi Mum” Phishing Scam Swindles Unsuspecting Parents (informationsecuritybuzz.com)

• How hackers are stealing credit cards from classifieds sites (bleepingcomputer.com)

• Why robotexts are scammers' favourite new tool - CyberScoop

AML/CFT/Sanctions

• US Sanctions Crypto 'Laundering' Service Tornado | SecurityWeek.Com

• Virtual Currency Platform ‘Tornado Cash’ Accused of Aiding APTs | Threatpost

• Greece Flies Russian Money Launderer to US: Lawyer | SecurityWeek.Com

Insurance

• BlackBerry Study: Most SMBs Have Less Than $600K in Ransomware Coverage - MSSP Alert

• Number Of Firms Unable To Access Cyber-Insurance Set To Double (informationsecuritybuzz.com)

• Australian court finds insurer not liable for ransomware clean-up costs - Security - iTnews

Cloud/SaaS

• Implementing zero trust for a secure hybrid working enterprise - Help Net Security

• How to Clear Security Obstacles and Achieve Cloud Nirvana (darkreading.com)

• Why SAP systems need to be brought into the cyber security fold - Help Net Security

Open Source

• Chinese hackers backdoor chat app with new Linux, macOS malware (bleepingcomputer.com)

Social Media

• Facebook's Metaverse is Expanding the Attack Surface (trendmicro.com)

• Meta's chatbot says the company 'exploits people' - BBC News

• Facebook’s In-app Browser on iOS Tracks ‘Anything You Do on Any Website’ | Threatpost

Training, Education and Awareness

• 25% of employees don't care enough about cyber security to report a security incident - Help Net Security

Privacy

• Facebook’s In-app Browser on iOS Tracks ‘Anything You Do on Any Website’ | Threatpost

Travel

• Don't get stung by these fake holiday cyber-scams this summer | TechRadar

Parental Controls and Child Safety

• Predator Pleads Guilty After Targeting Thousands of Young Girls Online - Infosecurity Magazine

• Huge rise in self-generated child sexual abuse content online, report finds | Internet safety | The Guardian

• Online sexual blackmail of primary school children surges since lockdown (telegraph.co.uk)

Models, Frameworks and Standards

• Compliance Certifications: Worth the Effort? (darkreading.com)

Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine

• Russia's digital attacks are haphazard, chaotic, says top Ukrainian cyber official - CyberScoop

• Cyberspying Aimed at Industrial Enterprises in Russia and Ukraine Linked to China | SecurityWeek.Com

• Killnet Releases 'Proof' of its Attack Against Lockheed Martin | SecurityWeek.Com

• Meta Cracks Down on Cyber Espionage Operations in South Asia Abusing Facebook (thehackernews.com)

• New Hacker Forum Takes Pro-Ukraine Stance | Threatpost

• Ex Twitter employee found guilty of spying for Saudi Arabia - Security Affairs

• Ex-CIA security boss predicts coming crackdown on spyware • The Register

Nation State Actors

Nation State Actors – Russia

• Russia Is Escalating Ukraine Hacking, Black Hat Research Says (gizmodo.com)

• Russian invasion has destabilized cyber security norms • The Register

• Russia-Ukraine Conflict Holds Cyberwar Lessons (darkreading.com)

• Industroyer2: How Ukraine avoided another blackout attack (techtarget.com)

Nation State Actors – China

• Chinese Hackers May Be Behind Attacks Targeting Eastern Europe and Afghanistan - Infosecurity Magazine

• China-linked spies used six backdoors to steal defence info • The Register

• Mandiant researchers uncover significant new disinformation campaign (securitybrief.co.nz)

• Stats say Chinese researchers are not deterred by China's vulnerability law (scmagazine.com)

• Chinese scammers target kids with promise of extra gaming • The Register

• Chinese hackers backdoor chat app with new Linux, macOS malware (bleepingcomputer.com)

Nation State Actors – North Korea

• North Korea Allegedly Stole Millions of Dollars Worth of Crypto Assets - IT Security Guru

• Maui ransomware linked to North Korean group Andariel • The Register

• North Korean hackers target crypto experts with fake Coinbase job offers (bleepingcomputer.com)

Vulnerability Management

• Google's bug bounty boss: Finding vulns is 'totally useless' • The Register

• Patch Madness: Vendor Bug Advisories Are Broken, So Broken (darkreading.com)

• Human Threat Hunters Are Essential to Thwarting Zero-Day Attacks (darkreading.com)

Vulnerabilities

• Microsoft Patches ‘Dogwalk’ Zero-Day and 17 Critical Flaws | Threatpost

• Cisco Patches High-Severity Vulnerability Affecting ASA and Firepower Solutions (thehackernews.com)

• Yet another Microsoft RCE bug under active exploit • The Register

• Palo Alto Networks: New PAN-OS DDoS flaw exploited in attacks (bleepingcomputer.com)

• CISA adds UnRAR and Windows flaws to Known Exploited Vulnerabilities Catalog - Security Affairs

• Zimbra auth bypass bug exploited to breach over 1,000 servers (bleepingcomputer.com)

• Researchers Debut Fresh RCE Vector for Common Google API Tool (darkreading.com)

• Surge in CVEs as Microsoft Fixes Exploited Zero Day Bugs - Infosecurity Magazine

• Risky Business: Enterprises Can’t Shake Log4j flaw - Security Affairs

• Years after claiming DogWalk wasn't a vulnerability, Microsoft confirms flaw is being exploited and issues patch (bitdefender.com)

• Three flaws allow attackers to bypass UEFI Secure Boot feature - Security Affairs

• Windows devices with newest CPUs are susceptible to data damage (bleepingcomputer.com)

• Critical Flaws Disclosed in Device42 IT Asset Management Software (thehackernews.com)

• Cisco fixed a flaw in ASA, FTD devices that can give access to RSA private key - Security Affairs

• Organisations Warned of Critical Vulnerabilities in NetModule Routers | SecurityWeek.Com

• 4 Flaws, Other Weaknesses Undermine Cisco ASA Firewalls (darkreading.com)

• New vulnerability in AMD Ryzen CPUs could seriously jeopardize performance | TechRadar

• ÆPIC Leak: Architectural Bug in Intel CPUs Exposes Protected Data | SecurityWeek.Com

• Microsoft Paid $13.7 Million via Bug Bounty Programs Over Past Year | SecurityWeek.Com

Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

·       Automotive

·       Construction

·       Critical National Infrastructure (CNI)

·       Defence & Space

·       Education & Academia

·       Energy & Utilities

·       Estate Agencies

·       Financial Services

·       FinTech

·       Food & Agriculture

·       Gaming & Gambling

·       Government & Public Sector (including Law Enforcement)

·       Health/Medical/Pharma

·       Hotels & Hospitality

·       Insurance

·       Legal

·       Manufacturing

·       Maritime

·       Oil, Gas & Mining

·       OT, ICS, IIoT, SCADA & Cyber-Physical Systems

·       Retail & eCommerce

·       Small and Medium Sized Businesses (SMBs)

·       Startups

·       Telecoms

·       Third Sector & Charities

·       Transport & Aviation

·       Web3

Other News

• Microsoft 365 outage triggered by Meraki firewall false positive (bleepingcomputer.com)

• Why VPN no longer has a place in a secure work environment | TechRadar

• VMware: The threat of lateral movement is growing (techtarget.com)

• 36% of orgs expose insecure FTP protocol to the internet, and some still use Telnet - Help Net Security

• 5 key things learned from CISOs of smaller enterprises survey - Help Net Security

• Stolen credentials are the most common attack vector companies face - Help Net Security

• Your cyber security staff are burned out - and many have thought about quitting | ZDNet

• Researchers Use ‘Invisible Finger’ to Remotely Control Touchscreens (vice.com)

• Businesses are struggling to balance security and end-user experience - Help Net Security

• Starlink Successfully Hacked Using $25 Modchip | Threatpost

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

Cyber Insurers Recoil As Ransomware Attacks ‘Skyrocket’

The Great Fire of London helped forge the property insurance market, as residents feared a repeat of the savage destruction of 1666. In the absence of a state-backed fire service, some insurers even employed their own brigades, betting that limiting the damage to a property would be cheaper than rebuilding it. After a wave of high-profile cyber assaults, Graeme Newman, chief innovation officer at London-based insurance provider CFC, draws a parallel with today’s rapidly evolving market for cyber coverage. Insurance companies now provide emergency support services as well as financial compensation, so “the insurers own the digital fire trucks”, he said.

https://www.ft.com/content/4f91c4e7-973b-4c1a-91c2-7742c3aa9922

US Puts Cyber Crime On Par With Terror After Ransomware Attacks

The US government is raising the fight against cyber criminals to the same level as the battle against terrorists after a surge of ransomware attacks on large corporations. Internal guidance circulated by the Department of Justice instructs prosecutors to pool their information about hackers. The idea, said John Carlin, of the attorney-general’s office, is to “make the connections between actors and work your way up to disrupt the whole chain”.

https://www.thetimes.co.uk/article/us-cybercrime-terror-ransomware-attacks-joe-biden-pzrqbkfwt

Russia Under Fire As Cyber Attack Leaves 7,000 Out Of Work

An attack this week on JBS meatworks in North America and Australia brought the firm to a standstill, and now threatens to turn into a diplomatic row with Russia. JBS are reported to supply 20% of the world meat market and the ransomware attack has left 7,000 workers unable to do their jobs.

https://www.afr.com/politics/russia-under-fire-as-ransomware-attack-leaves-7000-out-of-work-20210602-p57xha

Irish Health Service Confirms Data Of Nearly 520 Patients Is Online After Cyber Attack

The Health Service Executive (HSE) has confirmed the data of nearly 520 patients is online after media reports of their publication. In a statement, the HSE said the data contains correspondence with patients, minutes of meetings and includes sensitive patient data. The HSE also confirmed corporate documents are among the HSE data illegally accessed.  Confirmation of the authenticity of this data follows an analysis carried out by the agency and comments from the Minister for Communications, Eamon Ryan, that reports of patient data being shared online are "very credible".

https://www.irishexaminer.com/news/arid-40301054.html

Enterprise Networks Vulnerable To 20-Year-Old Exploits

While the industry focuses on exotic attacks – like the SolarWinds incident — the real risk to enterprises comes from older exploits, some as much as 20-years old. “While organisations always need to keep up with the latest security patches, it is also vital to ensure older system and well-known vulnerabilities from years past are monitored and patched as well,” says Etay Maor, senior director of security strategy at Cato Networks. “Threat actors are attempting to take advantage of overlooked, vulnerable systems.” Our research showed that attackers often scanned for end-of-life and unsupported systems. Common Vulnerability and Exposures (CVE) identified were exploits targeting software, namely vSphere, Oracle WebLogic, and Big-IP, as well as routers with remote administration vulnerabilities.

https://www.helpnetsecurity.com/2021/05/27/enterprise-networks-vulnerable/

US Authorities Seize Two Domains Used By SolarWinds Intruders For Malware Spear-Phishing Operation

Uncle Sam on Tuesday said it had seized two web domains used to foist malware on victims using spoofed emails from the US Agency for International Development (USAID). The domain takeovers, which occurred on Friday, followed a court order issued in the wake of a Microsoft report warning about the spear-phishing campaign. The phishing effort relied on malware-laden messages sent via marketing service Constant Contact. "Cyber intrusions and spear-phishing email attacks can cause widespread damage throughout affected computer networks, and can result in significant harm to individual victims, government agencies, NGOs, and private businesses,” said Acting US Attorney Raj Parekh for the Eastern District of Virginia, in a statement. "As demonstrated by the court-authorized seizure of these malicious domains, we are committed to using all available tools to protect the public and our government from these worldwide hacking threats."

https://www.theregister.com/2021/06/02/feds_seize_nobelium/

Hacker Group DarkSide Operates In A Similar Way To A Franchise

DarkSide, the hacker group behind the recent Colonial Pipeline ransomware attack, has a business model that’s more familiar than people think, according to New York Times correspondent Andrew Kramer, “It operates something like a franchise, where individual hackers can come and receive the ransomware software and use it, as well as, use DarkSide’s reputation, as it were, to extract money from their targets, mostly in the United States,” Kramer said in an interview that aired Wednesday night.

https://www.cnbc.com/2021/06/02/hacker-group-darksides-operates-in-a-similar-way-to-a-franchise-new-york-times-reporter-says.html?__source=sharebar|twitter&par=sharebar

Interpol Intercepts $83 Million Fighting Financial Cyber Crime

The Interpol (short for International Criminal Police Organisation) has intercepted $83 million belonging to victims of online financial crime from being transferred to the accounts of their attackers. Over 40 law enforcement officers specialized in fighting cyber crime across the Asia Pacific region took part in the Interpol-coordinated Operation HAECHI-I spanning more than six months. Between September 2020 and March 2021, law enforcement focused on battling five types of online financial crimes: investment fraud, romance scams, money laundering associated with illegal online gambling, online sextortion, and voice phishing.

https://www.bleepingcomputer.com/news/security/interpol-intercepts-83-million-fighting-financial-cyber-crime/

Is It Really The Wild West In Cyber Crime? Why We Need To Re-Examine Our Approach To Ransomware

Once again, cyber security has become a headline topic within and well outside technology circles, along with the little-known operator of a significant fuel pipeline: Colonial Pipeline. A ransomware attack, and ensuing panic buying of gasoline, resulted in widespread fuel shortages on the east coast, thrusting the issue of cyber security into the lives of everyday Americans. Colonial Pipeline CEO Joseph Blount later acknowledged that his company ultimately paid the cybercriminals $4.4 million to unlock company systems, generating a great deal of controversy around the simple question (and associated complex potential answers), of whether companies should pay when their systems are held hostage by ransomware.

https://www.techrepublic.com/article/is-it-really-the-wild-west-in-cybercrime-why-we-need-to-re-examine-our-approach-to-ransomware/

Threats

Ransomware

• Anti-Ransomware Biz Exagrid ‘Paid $2.6M Ransomware Demand’

• White House Contacts Russia After Hack Of World’s Largest Meatpacking Company

• This New Ransomware Is Targeting Unpatched Microsoft Exchange Servers

• Fujifilm Becomes Latest Ransomware Victim As White House Urges Business Leaders To Take Action

• Cyber Crime Forum Advertises Alleged Database, Source Code From Russian Firm That Helped Parler

• On The Taxonomy And Evolution Of Ransomware

Phishing

• Phishing Emails Remain in User Inboxes Over 3 Days ... (darkreading.com)

Other Social Engineering

• The Bizarro Streaming Site That Hackers Built From Scratch

Malware

• Malware Can Use This Trick To Bypass Ransomware Defense In Antivirus Solutions

• Exchange Servers Targeted By ‘Epsilon Red’ Malware

Mobile

IOT

• Amazon Sidewalk Poised To Sweep You Into Its Mesh

 Vulnerabilities

• XSS Vulnerability Found In Popular WYSIWYG Website Editor

• Huawei USB LTE Dongles Are Vulnerable To Privilege Escalation Attacks

• Hackers Actively Exploiting 0-Day In WordPress Plugin Installed On Over 17,000 Sites

• EPUB Vulnerabilities: Electronic Reading Systems Riddled With Browser-Like Flaws

• SonicWall Urges Customers To 'Immediately' Patch NSM On-Prem Bug

Data Breaches

• GDPR: EU Privacy Watchdog Probing The Use Of AWS And Azure Cloud Services

Supply Chain

• What Is A Supply Chain Attack?

• Microsoft Office 365 A Major Supply Chain Attack Vector

Nation State Actors

• Chinese Cyber Criminals Spent Three Years Creating A New Backdoor To Spy On Governments

• Kimsuky APT Continues To Target South Korean Government Using Appleseed Backdoor

• Russian Hacker Pavel Sitnikov Arrested For Sharing Malware Source Code

Privacy

• You Have A Week To Opt-Out Of Amazon Sidewalk, Do It Now

Other News

• “Have I Been Pwned” Breach Site Partners With… The FBI!

• 17 Cyber Insurance Application Questions You'll Need To Answer

• Cyber Criminals Go Corporate As Hacking Becomes A Business

• The Human Cost Of Understaffed SOCs

• Security Ops Teams Struggle To Switch Off At Home

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.