Threat Intelligence Blog
Contact us to discuss any insights from our Blog, and how we can support you in a tailored threat intelligence report.
Black Arrow Cyber Threat Briefing 06 August 2021
Black Arrow Cyber Threat Briefing 06 August 2021:
-Ransomware Volumes Hit Record High
-Ransomware Gangs Recruiting Insiders To Breach Corporate Networks
-More Than 12,500 Vulnerabilities Disclosed In First Half Of 2021
-New DNS Vulnerability Allows 'Nation-State Level Spying' On Companies
-Constant Review Of Third Party Security Critical As Ransomware Threat Climbs
-Kaseya Ransomware Attack Sets Off Race To Hack Service Providers
-Joint UK/US Advisory Detailing Top 30 Vulnerabilities Include Plenty Of Usual Suspects
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
Ransomware Volumes Hit Record Highs As 2021 Wears On
Ransomware has seen a significant uptick so far in 2021, with global attack volume increasing by 151 percent for the first six months of the year as compared with the year-ago half. Meanwhile, the FBI has warned that there are now 100 different strains circulating around the world. From a hard-number perspective, the ransomware scourge hit a staggering 304.7 million attempted attacks. To put that in perspective, the firm logged 304.6 million ransomware attempts for the entirety of 2020.
https://threatpost.com/ransomware-volumes-record-highs-2021/168327/
Ransomware Gangs Recruiting Insiders To Breach Corporate Networks
The LockBit 2.0 ransomware gang is actively recruiting corporate insiders to help them breach and encrypt networks. In return, the insider is promised million-dollar payouts. Many ransomware gangs operate as a Ransomware-as-a-Service, which consists of a core group of developers, who maintain the ransomware and payment sites, and recruited affiliates who breach victims' networks and encrypt devices. Any ransom payments that victims make are then split between the core group and the affiliate, with the affiliate usually receiving 70-80% of the total amount. However, in many cases, the affiliates purchase access to networks from other third-party pentesters rather than breaching the company themselves. With LockBit 2.0, the ransomware gang is trying to remove the middleman and instead recruit insiders to provide them access to a corporate network.
More Than 12,500 Vulnerabilities Disclosed In First Half Of 2021
Two new reports were released, covering data breaches and vulnerabilities in the first half of 2021, finding that there was a decline in the overall number of reported breaches but an increase in the number of vulnerabilities disclosed. The company's data breach report found that there were 1,767 publicly reported breaches in the first six months of 2021, a 24% decline compared to the same period last year. The number of reported breaches grew in the US by 1.5% while 18.8 billion records were exposed year to date, a 32% decline compared to the 27.8 billion records leaked in the first half of 2020.
New DNS Vulnerability Allows 'Nation-State Level Spying' On Companies
Security researchers found a new class of DNS vulnerabilities impacting major DNS-as-a-Service (DNSaaS) providers that could allow attackers to access sensitive information from corporate networks.
DNSaaS providers (also known as managed DNS providers) provide DNS renting services to other organisations that do not want to manage and secure yet another network asset on their own.
These DNS flaws provide threat actors with nation-state intelligence harvesting capabilities with a simple domain registration.
Constant Review Of Third Party Security Critical As Ransomware Threat Climbs
Enterprises typically would give their third-party suppliers "the keys to their castle" after carrying out the usual checks on the vendor's track history and systems, according to a New York-based Forrester analyst who focuses on security and risk. They believed they had done their due diligence before establishing a relationship with the supplier, but they failed to understand that they should be conducting reviews on a regular basis, especially with their critical systems suppliers. Third-party suppliers should have the ability to deal with irregular activities in their systems and the appropriate security architecture in place to prevent any downstream effects, he added.
Kaseya Ransomware Attack Sets Off Race To Hack Service Providers
A ransomware attack in July that paralyzed as many as 1,500 organisations by compromising tech-management software from a company called Kaseya has set off a race among criminals looking for similar vulnerabilities, cyber security experts said. An affiliate of a top Russian-speaking ransomware gang known as REvil used two gaping flaws in software from Florida-based Kaseya to break into about 50 managed services providers (MSPs) that used its products, investigators said. Now that criminals see how powerful MSP attacks can be, "they are already busy, they have already moved on and we don’t know where," said head of the non-profit Dutch Institute for Vulnerability Disclosure, which warned Kaseya of the weaknesses before the attack.
‘It’s Quite Feasible To Start A War’: Just How Dangerous Are Ransomware Hackers?
Secretive gangs are hacking the computers of governments, firms, even hospitals, and demanding huge sums. But if we pay these ransoms, are we creating a ticking time bomb? They have the sort of names that only teenage boys or aspiring Bond villains would dream up (REvil, Grief, Wizard Spider, Ragnar), they base themselves in countries that do not cooperate with international law enforcement and they don’t care whether they attack a hospital or a multinational corporation. Ransomware gangs are suddenly everywhere, seemingly unstoppable – and very successful.
Joint UK/US Advisory Detailing Top 30 Vulnerabilities Include Plenty Of Usual Suspects
A joint advisory from law enforcement agencies in the US, UK, and Australia this week tallied the 30 most-frequently exploited vulnerabilities. Perhaps not surprisingly, the list includes a preponderance of flaws that were disclosed years ago; everything on the list has a patch available for whoever wants to install it. But as we've written about time and again, many companies are slow to push updates through for all kinds of reasons, whether it's a matter of resources, know-how, or an unwillingness to accommodate the downtime often necessary for a software refresh. Given how many of these vulnerabilities can cause remote code execution—you don't want this—hopefully they'll start to make patching more of a priority.
https://www.wired.com/story/top-vulnerabilities-russia-nso-group-iran-security-news/
Average Total Cost Of A Data Breach Increased By Nearly 10% Year Over Year
Based on in-depth analysis of real-world data breaches experienced by over 500 organisations, the global study suggests that security incidents became more costly and harder to contain due to drastic operational shifts during the pandemic, with costs rising 10% compared to the prior year. Businesses were forced to quickly adapt their technology approaches last year, with many companies encouraging or requiring employees to work from home, and 60% of organisations moving further into cloud-based activities during the pandemic. The new findings suggest that security may have lagged behind these rapid IT changes, hindering organizations’ ability to respond to data breaches.
https://www.helpnetsecurity.com/2021/07/29/total-cost-data-breach/
65% Of All DDoS Attacks Target US And UK
Distributed denial of service (DDoS) attacks are common for cyber criminals who want to disrupt online-dependent businesses. According to the data analysed by a VPN team, 65% of all distributed denial of service (DDoS) attacks are directed at the US or UK. Computers and the internet industry are the favourite among cyber criminals. The United States was a target for 35% of all DDoS attacks in June 2021. Cyber criminals launched DDoS attacks against Amazon Web Services, Google, and other prominent US-based companies in the past. The United Kingdom comes second as it fell victim to 29% of all DDoS attacks. As the UK has many huge businesses, they often are targeted by hackers for valuable data or even a ransom. China was threatened by 18% of all DDoS attacks in June 2021. Assaults from and to China happen primarily due to political reasons, to interrupt some government agency.
https://www.pcr-online.biz/2021/08/05/65-of-all-ddos-attacks-target-us-and-uk/
Threats
Ransomware
Ransomware Attacks Rise Despite US Call For Clampdown On Cyber Criminals
BlackMatter Ransomware Gang Rises From The Ashes Of DarkSide, Revil
Criminals Are Using Call Centres To Spread Ransomware In A Crafty Scheme
Phishing
Microsoft Warns Office 365 Users Over This Sneaky Phishing Campaign
Spear Phishing Now Targets Employees Outside The Finance And Executive Teams, Report Says
Other Social Engineering
Malware
A Wide Range Of Cyber Attacks Leveraging Prometheus TDS Malware Service
Several Malware Families Targeting IIS Web Servers With Malicious Modules
Microsoft: This Windows And Linux Malware Does Everything It Can To Stay On Your Network
Mobile
An Explosive Spyware Report Shows Limits Of IOS, Android Security
This Android Malware Steals Your Data In The Most Devious Way
The Latest Android Bank-Fraud Malware Uses A Clever Tactic To Steal Credentials
Vulnerabilities
Code Execution Flaw Found In Cisco Firepower Device Manager On-Box Software
Cisco Issues Critical Security Patches To Fix Small Business VPN Router Bugs
Decade-Long Vulnerability In Multiple Routers Could Allow Network Compromise
Security Researchers Warn Of TCP/IP Stack Flaws In Operational Technology Devices
PwnedPiper PTS Security Flaws Threaten 80% of Hospitals In The U.S.
Data Breaches
Threat Actors Leaked Data Stolen From EA, Including FIFA Code
Hackers Breach San Diego Hospital, Gaining Access To Patients'... Well, Uh, Everything
OT, ICS, IIoT and SCADA
Organised Crime & Criminal Actors
Cryptocurrency/Cryptojacking
Supply Chain
Nation State Actors
Here's 30 Servers Russian Intelligence Uses To Fling Malware At The West, Beams RiskIQ
Russian Federal Agencies Were Attacked With Chinese Webdav-O Virus
New Chinese Spyware Being Used In Widespread Cyber Espionage Attacks
Suspected Chinese Hackers Took Advantage Of Microsoft Exchange Vulnerability To Steal Call Records
Iranian APT Lures Defense Contractor In Catfishing-Malware Scam
Chinese Hackers Target Major Southeast Asian Telecom Companies
Cloud
Reports Published in the Last Week
Other News
Leaked Document Says Google Fired Dozens Of Employees For Data Misuse
Hybrid Work Is Here To Stay – But What Does That Mean For Cyber Security?
Huawei To America: You're Not Taking Cyber Security Seriously Until You Let China Vouch For Us
Trusted Platform Module Security Defeated In 30 Minutes, No Soldering Required
Credit-Card-Stealing, Backdoored Packages Found In Python's PyPi Library Hub
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Threat Briefing 09 July 2021
Black Arrow Cyber Threat Briefing 09 July 2021: Hackers Demand $70 Million To End Biggest Ransomware Attack On Record; Zero Day Malware Reached An All-Time High In Q1 2021; New Trojan Malware Steals Millions Of Login Credentials; MacOS Targeted In WildPressure APT Malware Campaign; The Cost Of Cyber Insurance Increased 32% Last Year And Shows No Signs Of Easing; Critical Flaws In Windows Print Spooler Service Could Allow For Remote Attacks; British Airways Settles Over Record Claim For Data Breach; Hackers On Loose As 9,000 Data Leaks A Year Recorded
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
Hackers Demand $70 Million To End Biggest Ransomware Attack On Record
An affiliate of the notorious REvil gang, best known for extorting $11 million from the meat-processor JBS after a Memorial Day attack, infected thousands of victims in at least 17 countries on Friday, largely through firms that remotely manage IT infrastructure for multiple customers. REvil was demanding ransoms of up to $5 million, the researchers said. But late Sunday it offered in a posting on its dark web site a universal decryptor software key that would unscramble all affected machines in exchange for $70 million in crypto currency.
https://www.cbsnews.com/news/ransomware-attack-revil-hackers-demand-70-million/
Zero Day Malware Reached An All-Time High Of 74% In Q1 2021
74% of threats detected in Q1 2021 were zero day malware – or those for which a signature-based antivirus solution did not detect at the time of the malware release – capable of circumventing conventional antivirus solutions. The report also covers new threat intelligence on rising network attack rates, how attackers are trying to disguise and repurpose old exploits, the quarter’s top malware attacks, and more.
https://www.helpnetsecurity.com/2021/06/29/zero-day-malware-q1-2021/
New Trojan Malware Steals Millions Of Login Credentials
There is a new custom Trojan-type malware that managed to infiltrate over three million Windows computers and steal nearly 26 million login credentials for about a million websites. The findings suggest that the Trojan classifies the websites into a dozen categories, which include virtually all popular email services, social media platforms, file storage and sharing services, ecommerce platforms, financial platforms, and more. In all, the unnamed malware managed to siphon away 1.2 terabytes of personal data including over a million unique email addresses, over two billion cookies, and more than six million other files.
https://www.techradar.com/news/malware-steals-millions-of-login-credentials-for-popular-websites
Ransomware As A Service: Negotiators Are Now In High Demand
The Ransomware-as-a-Service (RaaS) ecosystem is evolving into something akin to a corporate structure, with new openings available for "negotiators" -- a role focused on extorting victims to pay a ransom. A study in RaaS trends has recently come out saying that one-man-band operations have almost "completely dissolved" due to the lucrative nature of the criminal ransomware business. Showing the potential financial gains squeezed from companies desperate to unlock their systems have given rise to specialists in cyber crime and extortion and have also led to a high demand for individuals to take over the negotiation part of an attack chain.
MacOS Targeted In WildPressure APT Malware Campaign
Recently, threat actors known as WildPressure have added a MacOS malware variant to their latest campaign targeting energy sector businesses, while enlisting compromised WordPress websites to carry out attacks. Furthermore, known novel malware, initially identified in March 2020 and dubbed Milum, has now been retooled with a PyInstaller bundle containing a trojan dropper compatible with Windows and MacOS systems, according to researchers. Compromised endpoints allow the advanced persistent threat (APT) group to download and upload files and executing commands.
The Cost Of Cyber Insurance Increased 32% Last Year And Shows No Signs Of Easing
The cost of insurance to protect businesses and organisations against the ever-increasing threat of cyber crimes has soared by a third in the last year. Also adding that global cyber insurance pricing has increased by an average of 32 percent in the year to June. Not only are premiums going through the roof, insurers are also attaching more strings to their policies, demanding ever more assurances that firms taking out cover have the necessary systems and processes in place to prevent a cyber mishap. Previous research also suggests that the upward squeeze on premiums shows no sign of easing, which, in turn, is putting more strain on the sector.
https://www.theregister.com/2021/07/05/cyber_insurance_report/
Critical Flaws In Windows Print Spooler Service Could Allow For Remote Attacks
Administrators are urged to apply the latest patches from Microsoft and disable the Windows Print spooler service in domain controllers and systems not used for printing. This is because Microsoft is currently grappling with a couple of security holes in its Windows Print spooler service that could allow attackers to remotely control an affected system. Anyone able to exploit the more recent vulnerability of the two would be able to run code on the compromised computer with full system privileges. That attacker could then install software, modify data and create new user accounts.
End Users In The Dark About Latest Cyber Threats, Attacks
According to a recent survey, which polled consumers and end users, high-profile incidents such as the ransomware attack on Colonial Pipeline Co. and the breach of a Florida city's water utilities were either overlooked or ignored by many outside the IT and information security fields. As a result, the responsibility for keeping users informed and aware of the need for heightened security appears to fall on administrators and IT staff.
British Airways Settles Over Record Claim For Data Breach
British Airways has settled what is thought to be the biggest claim for a data breach in British legal history, involving 16,000 victims. However, the amount was not disclosed. When The breach took place three years ago, multiple data sources and customer data was leaked, including the leakage of names, addresses and card payment details which affected 420,000 customers and staff. As a result, in 2019 the Information Commissioner’s Office hit BA with its largest ever fine at £20 million.
Hackers On Loose As 9,000 Data Leaks A Year Recorded
Public bodies and the private sector suffered nearly 9,000 data security incidents in 12 months with sensitive and private information hacked, lost or accidentally given to the wrong people. This Data was seen to lists more than 500 organisations hit by ransomware attacks and a further 562 incidents of hacking. There was also a total of 8,815 data security incidents in 2020/21 with the most breaches in the health and education sectors. Furthermore, over the past three years, police forces across England and Wales suffered an average eight breaches a week. Even security experts announced that these figures were “alarming” and that the public would be “disturbed” to learn how often important information/data was being lost.
https://www.thetimes.co.uk/article/hackers-9000-data-leaks-recorded-cyber-crime-56nvs7t6w
Threats
Ransomware
Swedish Coop Supermarkets Shut Due To US Ransomware Cyber Attack
Ransomware-Hit Law Firm Gets Court Order Asking Crooks Not To Publish The Data They Stole
This Crowd Sourced Ransomware Payment Tracker Shows How Much Cyber Criminals Have Heisted
Ransomware: US Warns Russia To Take Action After Latest Attacks
Kaseya Says Up To 1,500 Businesses Compromised In Massive Ransomware Attack
Phishing
Malware
Vulnerabilities
Microsoft Issues Emergency Patch for Critical Windows PrintNightmare Vulnerability
Microsoft Warns Of Critical PowerShell 7 Code Execution Vulnerability
Researchers Briefly Posted PoC For Windows Print Spooler RCE Flaw
Kaseya Patches Imminent After Zero-Day Exploits, 1,500 Impacted
SonicWall Addresses Critical CVE-2021-20026 Flaw In NSM Devices
Kaseya Left Customer Portal Vulnerable To 2015 Flaw In Its Own Software
Morgan Stanley Announces Breach Of Customer SSNs Through Accellion FTA Vulnerability
Data Breaches
Organised Crime & Criminal Actors
UK, US Agencies Warn Of Large-Scale Brute-Force Attacks Carried Out By Russian APT
Moroccan Hacker Dr Hex Arrested For Phishing Attacks, Malware Distribution
Supply Chain
OT, ICS, IIoT and SCADA
Nation State Actors
SolarWinds Hackers Breached RNC Via Synnex In New Attack: Report
Lazarus gang targets engineers with job offers using poisoned emails (tripwire.com)
Cloud
Privacy
Other News
IT Manager Who Swindled Essex Hospital Trust Out Of £800k Gets 5 Years In Prison
Website Of Mongolian Certificate Authority Served Backdoored Client Installer
Security Problems Worsen As Enterprises Build Hybrid And Multiloud Systems
Leaked infrastructure code, credentials and keys costing orgs an average of $1.2 million per year
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.