Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

• CFOs’ Overconfidence in Cyber Security Can Cost Millions

Kroll announced its report entitled ‘Cyber Risk and CFOs: Over-Confidence is Costly’ which found chief financial officers (CFOs) to be woefully in the dark regarding cyber security, despite confidence in their company’s ability to respond to an incident.

The report, conducted by StudioID of Industry Dive, exposed three key themes among the 180 senior finance executives surveyed worldwide:

1. Ignorance is bliss. Eighty-seven percent of CFOs are either very or extremely confident in their organisation’s cyber attack response. This is at odds with the level of visibility CFOs have into cyber risk issues, given only four out of 10 surveyed have regular briefings with their cyber teams.

2. Wide-ranging damages. 71% of the represented organisations suffered more than $5 million in financial losses stemming from cyber incidents in the previous 18 months, and 61% had suffered at least three significant cyber incidents in that time. Eighty-two percent of the executives in the survey said their companies suffered a loss of 5% or more in their valuations following their largest cyber security incident in the previous 18 months.

3. Increasing investment in cyber security. Forty-five percent of respondents plan to increase the percentage of their overall IT budget dedicated to information security by at least 10%.

According to Kroll: “We often see that CFOs are not aware enough of the financial risk presented by cyber threats until they face an incident. At that point, it’s clear that they need to be involved not only in the recovery, including permitting access to emergency funds and procuring third-party suppliers, but also in the strategy and investment around cyber both pre- and post-incident.”

“Ultimately, cyber attacks represent a financial risk to the business, and incidents can have a significant impact on value. It is, therefore, critical that this is included in wider business risk considerations. A CFO and CISO should work side-by-side, helping the business navigate the operational and financial risk of cyber.”

https://www.helpnetsecurity.com/2022/09/14/cfos-cybersecurity-confidence/

• Cyber Security Outflanks Inflation, Talent, Logistics in Business Worries

Nearly six in 10 IT leaders in a new study view cyber security as their top business concern, ranking it higher than inflation, retaining talent and supply chain/logistics management.

Less than half of respondents (43%) believe their critical data and assets are protected from cyber threats despite increased cyber security investments by their organisations, greater board visibility and increased collaboration between the security team and the C-suite, Rackspace said in its new survey of 1,420 IT professionals worldwide.

The multi-cloud technology services specialist said that a “large majority” of the survey respondents report being either unprepared or only “somewhat prepared” to respond to major threats, such as identifying and mitigating threats and areas of concern (62%), recovering from cyber attacks (61%) or preventing lapses and breaches (63%).

Cloud native security is where organisations are most likely to rely on an outside partner, such as a managed security service provider, for expertise.

Here are more of the survey’s findings:

• The top three cyber security challenges their organisation is facing: migrating and operating apps (45%); shortage of workers with cyber security skills (39%); lack of visibility of vulnerabilities across all infrastructure (38%).

• 70% of survey respondents report that their cyber security budgets have increased over the past three years.

• The leading recipients of new investment are cloud native security (59%); data security (50%), consultative security services (44%); and application security (41%).

• Investments align closely with the areas where organisations perceive their greatest concentration of threats, led by network security (58%), closely followed by web application attacks (53%) and cloud architecture attacks (50%).

• 70% of respondents said there has been an increase in board visibility for cyber security over the past five years, while 69% cite better collaboration between the security team and members of the C-suite.

• Only 13% of respondents said there were significant communications gaps between the security team and C-suite, while 69% of IT executives view their counterparts in the C-suite as advocates for their concerns.

The authors stated “We are seeing a major shift in how organisations are allocating resources to address cyber threats, even as budgets increase. The cloud brings with it a new array of security challenges that require new expertise, and often reliance on external partners who can help implement cloud native security tools, automate security, provide cloud native application protection, offer container security solutions and other capabilities”.

https://www.msspalert.com/cybersecurity-research/cybersecurity-outflanks-inflation-talent-logistics-in-business-worries-rackspace-research/

• Attackers Can Compromise Most Cloud Data in Just 3 Steps

An analysis of cloud services finds that known vulnerabilities typically open the door for attackers, while insecure cloud architectures allow them to gain access to the crown jewels.

Companies and their cloud providers often leave vulnerabilities open in their system and services, gifting attackers with an easy path to gain access to critical data.

According to an Orca Security analysis of data collected from major cloud services, attackers only need on average three steps to gain access to sensitive data, the so-called "crown jewels," starting most often — in 78% of cases — with the exploitation of a known vulnerability.

While much of the security discussion has focused on the misconfigurations of cloud resources by companies, cloud providers have often been slow to plug vulnerabilities.

The key is to fix the root causes, which is the initial vector, and to increase the number of steps that they attacker needs to take. Proper security controls can make sure that even if there is an initial attack vector, you are still not able to reach the crown jewels.

The report analysed data from Orca's security research team using data from a "billions of cloud assets on AWS, Azure, and Google Cloud," which the company's customers regularly scan. The data included cloud workload and configuration data, environment data, and information on assets collected in the first half of 2022.

https://www.darkreading.com/cloud/cyberattackers-compromise-most-cloud-data-3-steps

• Cyber Insurance Premiums Soar 80% As Claims Surge

Cyber insurance premiums have soared in the past year as claims surged in response to a rise in damaging attacks by hackers.

The cost of taking out cyber cover had doubled on average every year for the past three years, said global insurance broker Marsh. Honan Group, another broker, pointed to an 80 per cent rise in premiums in the past 12 months, following a 20 per cent increase in the cost of cover in each of the previous two years.

Brokers are calling cyber “the new D&O”, referring to sharp rises in directors and officers insurance premiums since 2018. Brokers were hopeful premiums would ease, but have warned insurers would continue to demand companies prove they had strong security systems and policies in place before agreeing to sell them insurance.

There’ll be a number of insurance companies that won’t even look at a business that doesn’t have a bunch of security measures in place. They’ll just turn around and say, ‘we’re not going to insure you’. The chief reason for the price rises is the increase in the number and size of claims relating to ransomware, where criminals use malicious software to block access to an organisation’s computer system until a sum of money is paid. In addition, some insurers left the market, while remaining players attempted to recoup the cost of under-priced contracts written in previous years.

The rise in the premiums is mainly due to ransomware and cyber attacks across the board have risen sharply over the past few years.

https://www.afr.com/work-and-careers/management/cyber-insurance-premiums-soar-80pc-as-claims-surge-20220908-p5bglo

• One In 10 Employees Leaks Sensitive Company Data Every 6 Months

Departing employees are most likely to leak sensitive information to competitors, criminals or the media in exchange for cash.

Insider threats are an ongoing menace that enterprise security teams need to handle. It's a global problem but especially acute in the US, with 47 million Americans quitting their jobs in 2021. The threat of ex-employees taking sensitive information to competitors, selling it to criminals in exchange for cash, and leaking files to media is making data exfiltration a growing concern. 

About 1.4 million people who handle sensitive information in their organisation globally were tracked over the period from January to June 30 this year by cyber security firm Cyberhaven to find out when, how and who is involved in data exfiltration.

On average, 2.5% of employees exfiltrate sensitive information in a month, but over a six-month period, nearly one in 10, or 9.4% of employees, do so, Cyberhaven noted in its report. Data exfiltration incidents occur when data is transferred outside the organisation in unapproved ways.

Among employees that exfiltrated data, the top 1% most prolific “super stealers” were responsible for 7.7% of incidents, and the top 10% were responsible for 34.9% of incidents.

North America accounted for the highest number of incidents at 44%, followed by the Asia Pacific region at 27%. Europe, the Middle East, and Africa accounted for 24% of incidents while 5% of incidents were recorded in South America.

https://www.csoonline.com/article/3673260/one-in-10-employees-leaks-sensitive-company-data-every-6-months-report.html#tk.rss_news

• Business Application Compromise and the Evolving Art of Social Engineering

Social engineering is hardly a new concept, even in the world of cyber security. Phishing scams alone have been around for nearly 30 years, with attackers consistently finding new ways to entice victims into clicking a link, downloading a file, or providing sensitive information.

Business email compromise (BEC) attacks iterated on this concept by having the attacker gain access to a legitimate email account and impersonate its owner. Attackers reason that victims won't question an email that comes from a trusted source — and all too often, they're right.

But email isn't the only effective means cyber criminals use to engage in social engineering attacks. Modern businesses rely on a range of digital applications, from cloud services and VPNs to communications tools and financial services. What's more, these applications are interconnected, so an attacker who can compromise one can compromise others, too. Organisations can't afford to focus exclusively on phishing and BEC attacks — not when business application compromise (BAC) is on the rise.

https://www.darkreading.com/vulnerabilities-threats/business-application-compromise-the-evolving-art-of-social-engineering

• SMBs Are Hardest-Hit By Ransomware

Coalition announced the mid-year update to its 2022 Cyber Claims Report detailing the evolution of cyber trends, revealing that small businesses have become bigger targets, overall incidents are down, and ransomware attacks are declining as demands go unpaid.

During the first half of 2022, the average cost of a claim for a small business owner increased to $139,000, which is 58% higher than levels during the first half of 2021.

“Across industries, we continue to see high-profile attacks targeting organisations with weak or exposed infrastructure — which has become exacerbated by today’s remote working culture and companies’ dependence on third-party vendors,” said Coalition’s Head of Claims.

“Small businesses are especially vulnerable because they often lack resources. For these businesses, avoiding downtime and disruption is essential, and they must understand that Active Insurance is accessible.”

The good news: both Coalition and the broader insurance industry observed a decrease in ransomware attack frequency and the amount of ransom demanded between the second half of 2021 and the first half of 2022. Ransomware demands decreased from $1.37M in H2 2021 to $896,000 in H1 2022.

“Organisations are increasingly aware of the threat ransomware poses. They have started to implement controls such as offline data backups that allow them to refuse to pay the ransom and restore operations through other means,” said Coalition’s Head of Incident Response. “As ransomware is on the decline, attackers are turning to reliable methods. Phishing, for example, has skyrocketed – and only continues to grow.”

https://www.helpnetsecurity.com/2022/09/15/small-businesses-ransomware-targets/

• 65% Say Legacy Backup Solutions Aren’t Up To Ransomware Challenges

HYCU researchers are reporting 65% of respondents lack full confidence in their legacy backup solutions (HYCU is a multi-cloud backup-as-a-service provider).

According to the report, 65% of surveyed enterprise organisations are increasing spending on detection, prevention and recovery, and respondents are beginning to understand that air-gapped or immutable backups are the only ways to ensure that the backups themselves don’t fall prey to encryption worms when ransomware hits.

Key findings include:

• 52% of ransomware victims suffered data loss

• 63% of victims suffered an operational disruption

• Just 41% air gap their backups

• Just 47% routinely test their backups

• Only 35% of respondents believe their current backup and recovery tools are sufficient.

https://informationsecuritybuzz.com/expert-comments/65-say-legacy-backup-solutions-arent-up-to-ransomware-challenges/

• Four-Fifths of Firms Hit by Critical Cloud Security Incident

Some 80% of organisations suffered a “severe” cloud security incident over the past year, while a quarter worry they’ve suffered a cloud data breach and aren’t aware of it, according to new research from Snyk.

The developer security specialist polled 400 cloud engineering and security practitioners from organisations of various sizes and sectors, to compile its State of Cloud Security Report.

Among the incidents flagged by respondents over the past 12 months were breaches, leaks, intrusions, crypto-mining, compliance violations, failed audits and system downtime in the cloud.

Startups (89%) and public sector organisations (88%) were the most likely to have suffered such an incident over the period.

The bad news is that 58% of respondents predict they will suffer another severe incident in the cloud over the coming year. Over three-quarters (77%) of those questioned cited poor training and collaboration as a major challenge in this regard.

“Many cloud security failures result from a lack of effective cross-team collaboration and team training. When different teams use different tools or policy frameworks, reconciling work across those teams and ensuring consistent enforcement can be challenging,” the report argued.

https://www.infosecurity-magazine.com/news/fourfifths-firms-critical-cloud/

• Homeworkers Putting Home and Business Cyber Safety at Risk

BlackBerry published a European research report exposing the cyber security risk created by cost-conscious homeworkers who prioritise security behind price, usability and ease of set up in their purchase of domestic smart devices.

32% of European home workers who own a smart device surveyed said security was a top three factor when choosing a smart device, compared to 50% who prioritised price. 28% of businesses aren’t putting adequate security provisions in place to extend cyber protection as far as homes. This heightens the risk of cyber attacks for businesses and their employees, as hybrid and home working become the norm.

The survey of 4,000 home workers in the UK, France, Germany, and the Netherlands revealed that 28% of people say that their employer has not done or communicated anything about protecting their home network or smart devices, or they don’t know if they are protected.

Furthermore, 75% of Europeans say their employers have taken no steps to secure the home internet connection or provide software protection for home devices. This failure to extend network security to home devices increases risk of the vulnerabilities created by hybrid and home working being successfully exploited. These are particularly sobering findings for small and mid-sized businesses who face upwards of eleven cyber attacks per device, per day, according to the research.

Through even the most innocent of devices, bad actors can access home networks with connections to company devices – or company data on consumer devices – and seize the opportunity to steal data and intellectual property worth millions. It’s likely businesses will bear the brunt of cyber attacks caused by unsecured home devices, with knock-on effects to employees themselves.

https://www.helpnetsecurity.com/2022/09/12/homeworkers-smart-devices-security/

• Uber Hacked, Internal Systems Breached and Vulnerability Reports Stolen

Uber suffered a cyber attack Thursday afternoon with an allegedly 18-year-old hacker downloading HackerOne vulnerability reports and sharing screenshots of the company's internal systems, email dashboard, and Slack server.

The screenshots shared by the hacker and seen by BleepingComputer show what appears to be full access to many critical Uber IT systems, including the company's security software and Windows domain.

Other systems accessed by the hacker include the company's Amazon Web Services console, VMware vSphere/ESXi virtual machines, and the Google Workspace admin dashboard for managing the Uber email accounts.

The threat actor also breached the Uber Slack server, which he used to post messages to employees stating that the company was hacked. However, screenshots from Uber's slack indicate that these announcements were first met with memes and jokes as employees had not realised an actual cyber attack was taking place.

Uber has since confirmed the attack, tweeting that they are in touch with law enforcement and will post additional information as it becomes available. "We are currently responding to a cyber security incident. We are in touch with law enforcement and will post additional updates here as they become available," tweeted the Uber Communications account.

The New York Times, which first reported on the breach, said they spoke to the threat actor, who said they breached Uber after performing a social engineering attack on an employee and stealing their password. The threat actor then gained access to the company's internal systems using the stolen credentials.

https://www.bleepingcomputer.com/news/security/uber-hacked-internal-systems-breached-and-vulnerability-reports-stolen/

• IHG Hack: 'Vindictive' Couple Deleted Hotel Chain Data for Fun

Hackers have told the BBC they carried out a destructive cyber-attack against Holiday Inn owner Intercontinental Hotels Group (IHG) "for fun".

Describing themselves as a couple from Vietnam, they say they first tried a ransomware attack, then deleted large amounts of data when they were foiled. They accessed the FTSE 100 firm's databases thanks to an easily found and weak password, Qwerty1234. An expert says the case highlights the vindictive side of criminal hackers.

UK-based IHG operates 6,000 hotels around the world, including the Holiday Inn, Crowne Plaza and Regent brands. On Monday last week, customers reported widespread problems with booking and check-in. For 24 hours IHG responded to complaints on social media by saying that the company was "undergoing system maintenance".

Then on the Tuesday afternoon it told investors that it had been hacked.

https://www.bbc.co.uk/news/technology-62937678

Threats

Ransomware and Extortion

• How prepared are organisations to tackle ransomware attacks? - Help Net Security

• Lorenz ransomware breaches corporate network via phone systems (bleepingcomputer.com)

• 3 Iranian nationals are accused of ransomware attacks on US victims (cnbc.com)

• Emotet botnet now pushes Quantum and BlackCat ransomware (bleepingcomputer.com)

• Cisco confirms Yanluowang ransomware leaked stolen company data (bleepingcomputer.com)

• DEV-0270 Hacker Group Uses Windows BitLocker Feature to Encrypt Systems (gbhackers.com)

• New York ambulance service discloses data breach after ransomware attack (bleepingcomputer.com)

• The ransomware problem won't get better until we change one thing | ZDNET

• Iranian Hackers Used Victims’ Printers to Issue Ransom Demands, DOJ Says (vice.com)

• Transparency, disclosure key to fighting ransomware (techtarget.com)

• Researchers Warn of 674% Surge in Deadbolt Ransomware - Infosecurity Magazine (infosecurity-magazine.com)

• Over Three-Quarters of Retailers Hit by Ransomware in 2021 - Infosecurity Magazine (infosecurity-magazine.com)

• Cisco Data Breach Attributed to Lapsus$ Ransomware Group (darkreading.com)

• Ransomware Group Leaks Files Stolen From Cisco | SecurityWeek.Com

• The LA School District Cyber Attack Keeps Unravelling – Expert Comments (informationsecuritybuzz.com)

Phishing & Email Based Attacks

• Revolut hit by ‘phishing’ cyber attack | Business | The Times

• Crooks are using lures related to Her Majesty Queen Elizabeth II in phishing attacks - Security Affairs

• Phishing page embeds keylogger to steal passwords as you type (bleepingcomputer.com)

• Hackers now use ‘sock puppets’ for more realistic phishing attacks (bleepingcomputer.com)

• Phishers take aim at Facebook page owners - Help Net Security

• New Spear Phish Methodology Relies on PuTTY SSH Client to Infect Systems - Infosecurity Magazine (infosecurity-magazine.com)

• Real Estate Phish Swallows 1,000s of Microsoft 365 Credentials (darkreading.com)

• Death of Queen Elizabeth II exploited to steal Microsoft credentials (bleepingcomputer.com)

• Potential phishing activity update - NCSC.GOV.UK

Other Social Engineering; Smishing, Vishing, etc

• Serious Breach at Uber Spotlights Hacker Social Deception | SecurityWeek.Com

Malware

• Hackers Are Using WeTransfer Links To Spread Malware (informationsecuritybuzz.com)

• New malware bundle self-spreads through YouTube gaming videos (bleepingcomputer.com)

• Linux variant of the SideWalk backdoor discovered - Help Net Security

• Malware on Pirated Content Sites a Major WFH Risk for Enterprises (darkreading.com)

• How to spot and avoid scams and malware in search results - The Washington Post

• Gay hookup site typosquatted to push dodgy Chrome extensions, scams (bleepingcomputer.com)

Mobile

• Google Patches Critical Vulnerabilities in Pixel Phones | SecurityWeek.Com

• Apple patches iPhone and macOS flaws under active attack • The Register

Internet of Things – IoT

• Securing your IoT devices against cyber attacks in 5 steps (bleepingcomputer.com)

• EU Wants to Toughen Cyber Security Rules for Smart Devices | SecurityWeek.Com

Data Breaches/Leaks

• Uber hacked, internal systems breached and vulnerability reports stolen (bleepingcomputer.com)

• LastPass says hackers had internal access for four days (bleepingcomputer.com)

• Hacker sells stolen Starbucks data of 219,000 Singapore customers (bleepingcomputer.com)

• U-Haul discloses data breach exposing customer driver licenses (bleepingcomputer.com)

• Hackers Compromise Employee Data at PVC-Maker Eurocell - Infosecurity Magazine (infosecurity-magazine.com)

Organised Crime & Criminal Actors

• Chinese-linked cyber crims nab $529 million from India • The Register

• Cyber Crime Forum Admins Steal from Site Users - Infosecurity Magazine (infosecurity-magazine.com)

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

• Police arrest man for laundering tens of millions in stolen crypto (bleepingcomputer.com)

• US regulators say multi-billion-dollar crypto lender Celsius was operating like a ponzi scheme | PC Gamer

• Hackers Targeting WebLogic Servers and Docker APIs for Mining Cryptocurrencies (thehackernews.com)

• Fake cryptocurrency giveaway sites have tripled this year (bleepingcomputer.com)

• Crypto Scams Skyrocket - IT Security Guru

• A Post-exploitation Look at Coinminers Abusing WebLogic Vulnerabilities (trendmicro.com)

• DOJ drops report on cryptocurrency crime efforts (techtarget.com)

• 76% Of Financial Institutions Plan On Using Crypto In The Next 3 Years (informationsecuritybuzz.com)

• How Can You Tell if a Cryptocurrency is Legitimate? Read Our Guide To Find Out - IT Security Guru

Insider Risk and Insider Threats

• 5 Ways to Mitigate Your New Insider Threats in the Great Resignation (thehackernews.com)

• Ex-Broadcom engineer asks for no prison in trade secret case • The Register

Fraud, Scams & Financial Crime

• Microsoft Edge’s News Feed ads abused for tech support scams (bleepingcomputer.com)

• Cops Raid Suspected Fraudster Penthouses - Infosecurity Magazine (infosecurity-magazine.com)

• How to spot and avoid scams and malware in search results - The Washington Post

• Tax fraud ring leader jailed for selling children’s stolen identities (bleepingcomputer.com)

AML/CFT/Sanctions

• Spanish police arrest ‘one of Europe’s biggest money launderers’ | Financial Times (ft.com)

Insurance

• Coalition Cyber Insurance - Small Businesses Prime Targets (informationsecuritybuzz.com)

Dark Web

• Documents For Sale on the Dark Web - IT Security Guru

Supply Chain and Third Parties

• Hackers breach software vendor for Magento supply-chain attacks (bleepingcomputer.com)

• WordPress sites backdoored after FishPig supply chain attack • The Register

Denial of Service DoS/DDoS

• DDoS Attacks on UK Firms Surge During Ukraine War - Infosecurity Magazine (infosecurity-magazine.com)

• Akamai stopped new record-breaking DDoS attack in Europe (bleepingcomputer.com)

Cloud/SaaS

• 5 ways to improve your cloud security posture (techtarget.com)

• Excess privilege in the cloud is a universal security problem, IBM says | CSO Online

• Organisations lack visibility into unauthorised public cloud data access - Help Net Security

• One-third of enterprises don’t encrypt sensitive data in the cloud | CSO Online

Attack Surface Management

• Cyber attack trends vs. growing IT complexity - Help Net Security

• Outdated infrastructure remains a problem against sophisticated cyber attacks - Help Net Security

Shadow IT

• Use shadow IT discovery to find unauthorized devices and apps (techtarget.com)

Encryption

• Keep Today's Encrypted Data From Becoming Tomorrow's Treasure (darkreading.com)

API

• Hackers Targeting WebLogic Servers and Docker APIs for Mining Cryptocurrencies (thehackernews.com)

• API security—and even visibility—isn’t getting handled by enterprises | CSO Online

• Bad bots are coming at APIs! How to beat the API bot attacks? - Help Net Security

Open Source

• When It Comes to Security, Don’t Overlook Your Linux Systems | SecurityWeek.Com

• 40% of pros scaled back back open source use over security • The Register

• You never walk alone: The SideWalk backdoor gets a Linux variant | WeLiveSecurity

Passwords, Credential Stuffing & Brute Force Attacks

• IHG Was Hacked Using Password “Qwerty1234” - LoyaltyLobby

Social Media

• Thwarting attackers in their favourite new playground: Social media - Help Net Security

• Twitter whistleblower tells Senate of ‘egregious’ security failings by company | Twitter | The Guardian

• Cyber attackers Abuse Facebook Ad Manager in Savvy Credential-Harvesting Campaign (darkreading.com)

Training, Education and Awareness

• Security Awareness Training Must Evolve to Align With Growing E-Commerce Security Threats (darkreading.com)

Parental Controls and Child Safety

• Cyber Crime Fears for Children as Cost-of-Living Bites - Infosecurity Magazine (infosecurity-magazine.com)

Regulations, Fines and Legislation

• 10 Steps to Successfully Navigate Cyber Security Compliance - MSSP Alert

Models, Frameworks and Standards

• Don’t Put Preparation on Pause: CMMC 2.0 is Coming Quicker Than You Think - MSSP Alert

Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine

• Montenegro Under Cyber Attack, Russia Blamed, All NATO States Would Be (informationsecuritybuzz.com)

• DDoS Attacks on UK Firms Surge During Ukraine War - Infosecurity Magazine (infosecurity-magazine.com)

• New Cyberespionage Group 'Worok' Targeting Entities in Asia | SecurityWeek.Com

• ShadowPad Threat Actors Return With Fresh Government Strikes, Updated Tools (darkreading.com)

Nation State Actors

Nation State Actors – Russia

• Montenegro Wrestles With Massive Cyber Attack, Russia Blamed | SecurityWeek.Com

• Russia’s cyber future connected at the waist to Soviet military industrial complex | CSO Online

Nation State Actors – North Korea

• North Korea-linked APT spreads tainted versions of PuTTY via WhatsApp - Security Affairs

Nation State Actors – Iran

• Iranian cyber spies use multi-persona impersonation in phishing threads | CSO Online

• Albania says Iranian hackers hit the country with another cyber attack - CyberScoop

• US, UK, Canada and Australia Link Iranian Government Agency to Ransomware Attacks | SecurityWeek.Com

• Iranian Hackers Target High-Value Targets in Nuclear Security and Genomic Research (thehackernews.com)

• Iranian Hackers Used Victims’ Printers to Issue Ransom Demands, DOJ Says (vice.com)

Vulnerability Management

• Backlogs larger than 100K+ vulnerabilities but too time-consuming to address - Help Net Security

Vulnerabilities

• Microsoft September 2022 Patch Tuesday fixes zero-day used in attacks, 63 flaws (bleepingcomputer.com)

• Adobe Patches 63 Security Flaws in Patch Tuesday Bundle | SecurityWeek.Com

• CISA orders agencies to patch vulnerability used in Stuxnet attacks (bleepingcomputer.com)

• Chrome 105 Update Patches High-Severity Vulnerabilities | SecurityWeek.Com

• Microsoft Teams stores auth tokens as cleartext in Windows, Linux, Macs (bleepingcomputer.com)

• Microsoft Quashes Actively Exploited Zero-Day, Wormable Critical Bugs (darkreading.com)

• Apple fixed the eighth actively exploited zero-day this year - Security Affairs

• Cisco Patches High-Severity Vulnerability in SD-WAN vManage | SecurityWeek.Com

• Over 280,000 WordPress Sites Attacked Using WPGateway Plugin Zero-Day Vulnerability (thehackernews.com)

• Over 280,000 WordPress sites may have been hijacked by zero-day hiding in popular plugin | TechRadar

• High-Severity Firmware Security Flaws Left Unpatched in HP Enterprise Devices (thehackernews.com)

• CISA added 2 more security flaws to its Known Exploited Vulnerabilities Catalog - Security Affairs

• ManageEngine Password Management Vulnerability and Patch: Details for MSPs, MSSPs - MSSP Alert

Reports Published in the Last Week

• Falcon OverWatch Threat Hunting Report 2022 | CrowdStrike

• Cyber Security: Benchmarking Security Gaps & Privileged Access (delinea.com)

Other News

• MSPs and cyber security: The time for turning a blind eye is over - Help Net Security

• Red Teaming to Reduce Cyber Risk (trendmicro.com)

• Organisations should fear misconfigurations more than vulnerabilities - Help Net Security

• Companies need data privacy plan before joining metaverse (techtarget.com)

• Lens reflections may betray your secrets in Zoom video calls • The Register

• US Government Wants Security Guarantees From Software Vendors | SecurityWeek.Com

• Serious Security: Browser-in-the-browser attacks – watch out for windows that aren’t! – Naked Security (sophos.com)

• The Cyber Security Head Game | Psychology Today South Africa

• Cyber Security Report: Average Data Breach in US Costs $9.4 Million - MSSP Alert

• 5 Best Practices for Building Your Data Loss Prevention Strategy (darkreading.com)

• Hands-on cyber attacks jump 50%, CrowdStrike reports | CSO Online

• Penetration Testing Report: Security Misconfiguration Is "Top Vulnerability" - MSSP Alert

• Twitter whistleblower: Lack of access, data controls invite exploitation | SC Media (scmagazine.com)

• Cost of Living Crisis Impact on Online Activity - IT Security Guru

• Attacker Apparently Didn't Have to Breach a Single System to Pwn Uber (darkreading.com)

• Zoom outage left users unable to sign in or join meetings (bleepingcomputer.com)

• Five ways your data may be at risk — and what to do about it (bleepingcomputer.com)

• Notepad++ Plugins Allow Attackers to Infiltrate Systems, Achieve Persistence - Infosecurity Magazine (infosecurity-magazine.com)

• Twitter's ex-security boss Zatko disses biz as dysfunctional • The Register

• Don't Let Your Home Wi-Fi Get Hacked. Here's What to Do - CNET

• How serious are organisations about their data sovereignty strategies? - Help Net Security

• Undermining Microsoft Teams Security By Mining Tokens (informationsecuritybuzz.com)

Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

·       Automotive

·       Construction

·       Critical National Infrastructure (CNI)

·       Defence & Space

·       Education & Academia

·       Energy & Utilities

·       Estate Agencies

·       Financial Services

·       FinTech

·       Food & Agriculture

·       Gaming & Gambling

·       Government & Public Sector (including Law Enforcement)

·       Health/Medical/Pharma

·       Hotels & Hospitality

·       Insurance

·       Legal

·       Manufacturing

·       Maritime

·       Oil, Gas & Mining

·       OT, ICS, IIoT, SCADA & Cyber-Physical Systems

·       Retail & eCommerce

·       Small and Medium Sized Businesses (SMBs)

·       Startups

·       Telecoms

·       Third Sector & Charities

·       Transport & Aviation

·       Web3

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

• Why It’s Mission-Critical That All-Sized Businesses Stay Cyber Secure

A study analysing millions of emails across thousands of companies found that on average, employees of small businesses with less than 100 employees experience 350% more social engineering attacks than employees of larger enterprises. 57% of these are phishing attacks – the most prevalent social engineering attack of 2021.

Add to the mix that the global average cost of a data breach for businesses has skyrocketed. According to IBM Security’s annual Cost of a Data Breach Report, the average global cost is now a phenomenal $4.35 million.

Generally, larger corporations tend to have bigger security budgets, making them less of a target than smaller businesses with lesser budgets, and as such, more attractive to cyber criminals. This means that for small and medium-sized enterprises (SMEs) – with fewer resources and money – protection from cyber-attacks is now a matter of survival.

Ease of attack is not the only reason why criminals attack SMEs either. SMEs are often an entry point to target bigger organisations within the same supply chain. These larger corporations can either be crucial partners, suppliers, or customers, making SMEs prime targets.

But with efficient cyber security measures, every business regardless of size can keep themselves and their network safe.

https://informationsecuritybuzz.com/articles/why-its-mission-critical-that-all-sized-businesses-stay-cyber-secure/

• Half of Firms Report Supply Chain Ransomware Compromise

Over half (52%) of global organisations know a partner that has been compromised by ransomware, yet few are doing anything to improve the security of their supply chain, according to Trend Micro.

The security vendor polled nearly 3,000 IT decision makers across 26 countries to produce its latest report, ‘Everything is connected: Uncovering the ransomware threat from global supply chains’.

It revealed that 90% of global IT leaders believe their partners and customers are making their own organisation a more attractive ransomware target.

That might be down in part to the fact that SMBs comprise a significant chunk of the supply chain for 52% of respondents. The security of SMBs is generally thought to be less effective than protection in larger, better resourced companies.

However, despite their concerns, less than half (47%) of respondents said they share knowledge about ransomware attacks with their suppliers, while a quarter (25%) claimed they don’t share potentially useful threat information with partners.

https://www.infosecurity-magazine.com/news/half-firms-supply-chain-ransomware/

• Vulnerability Exploits, Not Phishing, Are the Top Cyber Attack Vector for Initial Compromise

Breaches involving phishing and credential compromise have received a lot of attention in recent years because of how frequently threat actors have employed the tactics in executing both targeted and opportunistic attacks. But that doesn't mean that enterprise organisations can afford to lessen their focus on vulnerability patching one bit.

A report from Kaspersky this week identified more initial intrusions last year resulting from exploitation of vulnerabilities in Internet-facing applications than breaches involving malicious emails and compromised accounts combined. And data that the company has collected through the second quarter of 2022 suggests the same trend might be playing out this year as well.

Kaspersky's analysis of its 2021 incident-response data showed that breaches involving vulnerability exploits surged from 31.5% of all incidents in 2020 to 53.6% in 2021. Over the same period, attacks associated with the use of compromised accounts to gain initial access declined from 31.6% in 2020 to 17.9% last year. Initial intrusions resulting from phishing emails decreased from 23.7% to 14.3% during the same period.

https://www.darkreading.com/vulnerabilities-threats/vulnerability-exploits-phishing-top-attack-vector-initial-compromise

• Uber’s Ex-Security Chief Faces Landmark Trial Over Data Breach That Hit 57m Users

Uber’s former security officer, Joe Sullivan, is standing trial this week in what is believed to be the first case of an executive facing criminal charges in relation to a data breach.

The US district court in San Francisco will start hearing arguments on whether Sullivan, the former head of security at the ride-share giant, failed to properly disclose a 2016 data breach affecting 57 million Uber riders and drivers around the world.

At a time when reports of ransomware attacks have surged and cyber security insurance premiums have risen, the case could set an important precedent regarding the culpability of US security staffers and executives for the way the companies they work for handle cyber security incidents.

The breach first came to light in November 2017, when Uber’s chief executive, Dara Khosrowshahi, revealed that hackers had gained access to the driver’s licence numbers of 600,000 US Uber drivers as well as the names, email addresses and phone numbers of as many as 57 million Uber riders and drivers.

Public disclosures like Khosrowshahi’s are required by law in many US states, with most regulations mandating that the notification be made “in the most expedient time possible and without unreasonable delay”.

But Khosrowshahi’s announcement came with an admission: a whole year had passed since the information had been breached.

https://www.theguardian.com/technology/2022/sep/06/uber-joe-sullivan-trial-security-data-breach

• Over 10% of Enterprise IT Assets Found With Missing Endpoint Protection

More than 10% of enterprise IT assets are missing endpoint protection and roughly 5% are not covered by enterprise patch management solutions.

The figures come from new research by Sevco Security, which the company has compiled in the State of the Cybersecurity Attack Surface report.

"Attackers are very adept at exploiting enterprise vulnerabilities. Security and IT teams already have their hands full mitigating the vulnerabilities that they know about, and our data confirms that this is just the tip of the iceberg," Sevco told Infosecurity Magazine.

The document analyses data aggregated from visibility into more than 500,000 IT assets, and underlines existential and underreported cyber security issues in relation to securing enterprises’ assets.

“The uncertainty of enterprise inventory – the elements that make up an organisation’s cyber security attack surface – upends the foundation of every major security framework and presents a challenge to security teams: it’s impossible to protect what you can’t see,” they said.

For instance, the data found that roughly 3% of all IT assets are “stale” in endpoint protection, while 1% are stale from the perspective of patch management coverage.

https://www.infosecurity-magazine.com/news/enterprise-assets-miss-endpoint/

• Some Employees Aren't Just Leaving Companies — They're Defrauding Them

Since the Great Resignation in 2021, millions of employees have left their roles with current employers in search of better ones. According to Microsoft, 40% of employees reported they are considering leaving their current roles by the end of 2022. With many still working in remote or hybrid positions due to the pandemic, larger businesses have started implementing measures to gain a better understanding of employee morale and sentiment to prevent turnover.

While most employees leave companies on good terms, some may become extremely unhappy or disgruntled prior to their departure and are more likely to defraud the company either before leaving or on their way out the door. The unfortunate reality is that no business is immune to fraud, but luckily, there are several steps you can take to prevent it from happening.

According to the Cressey Fraud Triangle, fraudulent behaviour often occurs due to three contributing factors. These include pressure or motive to commit a fraud (usually a personal financial problem), perceived opportunity within the organisation to commit a fraud (poor oversight or internal controls), and rationalisation (the ability to justify the crime to make it seem acceptable).

Very often, a fraudster needs all three sides of the triangle to successfully commit a crime. Therefore, it is extremely important for organisations to do their best to create controls and understand the risk associated with each of these areas. For example, an employee may be disgruntled and also have personal financial issues. However, if internal controls are robust and the employee doesn't have access to financial instruments, valuable assets or software systems, their ability to defraud the company is extremely limited or will get identified immediately.

https://www.darkreading.com/vulnerabilities-threats/some-employees-aren-t-just-leaving-companies-they-re-defrauding-them

• Ransomware Gangs Switching to New Intermittent Encryption Tactic

A growing number of ransomware groups are adopting a new tactic that helps them encrypt their victims' systems faster while reducing the chances of being detected and stopped.

This tactic is called intermittent encryption, and it consists of encrypting only parts of the targeted files' content, which would still render the data unrecoverable without using a valid decryption key.

For example, by skipping every other 16 bytes of a file, the encryption process takes almost half of the time required for full encryption but still locks the contents for good.

Additionally, because the encryption is milder, automated detection tools that rely on detecting signs of trouble in the form of intense file IO operations are more likely to fail.

SentinelLabs has posted a report examining a trend started by LockFile in mid-2021 and now adopted by the likes of Black Basta, ALPHV (BlackCat), PLAY, Agenda, and Qyick.

These groups actively promote the presence of intermittent encryption features in their ransomware family to entice affiliates to join the RaaS operation.

"Notably, Qyick features intermittent encryption, which is what the cool kids are using as you read this. Combined with the fact that is written in Go, the speed is unmatched," describes a Qyick advertisement on hacking forums.

https://www.bleepingcomputer.com/news/security/ransomware-gangs-switching-to-new-intermittent-encryption-tactic/

• How Posting Personal and Business Photos Can Be a Security Risk

Image geotags, metadata, and location information can allow competitors, cyber criminals, and even nation-state threat actors to gain knowledge they can use against organisations.

Marketers in every industry enjoy evidencing their reach to their superiors and providing tangible examples of their width and breadth of influence via social networks, media, and other means of engagement. Photos of both customers and employees engaging at hosted social events, trade shows, conferences, and direct one-on-one encounters are often viewed as gold. Couple this with the individual employee’s or customer’s photos working their way onto social network platforms for others to see and admire, and the value of that gold increases, success being quantified by impressions, views and individual engagements.

The value of that gold doubles when not only does the company harvest data and call it a success, but their competitors also analyse such photos capturing a plethora of useful data points, including geotagged data, metadata of the photo, and identity of the individuals caught in the frame. They, too, call it a success. Yes, the digital engagement involving location data and or location hints within photos is a double-edged sword.

It isn’t just competitors who harvest the data. Criminal elements and nation-state intelligence and security elements do as well. Francis Bacon’s adage, “Knowledge itself is power,” applies. With location, time and place, and identity, competitors, criminals, and nation-states are given their initial tidbits of openly acquired information from which to begin to build their mosaic. 

https://www.csoonline.com/article/3672869/how-posting-personal-and-business-photos-can-be-a-security-risk.html#tk.rss_news

• Your Vendors Are Likely Your Biggest Cyber Security Risk

As speed of business increases, more and more organisations are looking to either buy companies or outsource more services to gain market advantage. With organisations expanding their vendor base, there is a critical need for holistic third-party risk management (TPRM) and comprehensive cyber security measures to assess how much risk vendors pose.

While organisations assess and manage risk on a multitude of layers, none present bigger threats to business resiliency than third-party risk and a lack of robust cyber security controls. Breaches and service interruptions tied to these risk areas have brought down critical systems of major organisations. In 2021, 53% of CISOs surveyed by Black Kite reported being hit by at least one ransomware attack.

It bears repeating: Cyber security and third-party risk are the two biggest problems facing your long-term viability. Businesses need to be able to tackle these risk vectors individually to gain a complete view of their risk profile. A cross-functional process is essential to managing the overlap between these risk areas to better protect your organisation and increase workflow efficiency.

Ensuring that the cyber security practices of your vendors align with your organisation’s standards is critical to safeguarding your systems and data. In fact, it is just as important as how stable the business is or how well it delivers products and services.

https://www.helpnetsecurity.com/2022/09/05/vendors-cybersecurity-risk/

• A Recent Chinese Hack Is a Wake-up Call for the Security of the World’s Software Supply Chain

It’s perhaps only a coincidence that there’s a famous Chinese saying ‘No one knows, not even the ghosts’ that neatly summarises a recent hack on MiMi, a Chinese messaging app. According to recent reports, a Chinese state-backed hacking group inserted malicious code into this messaging app, essentially pulling off the equivalent of the infamous SolarWinds hack. Users of MiMi were served a version of the app with malicious code added, thanks to attackers taking control of the servers that delivered the app. In short, this was a software supply chain attack in which the software delivery pipeline was compromised.

Observers could be forgiven for thinking that this is just another hack. Chinese hacking groups, and those of Western countries too, have developed a reputation over the past two decades for spying, surveillance, and sabotage. But this attack is different than typical hacking fare because the attackers rode in on the back of a trusted piece of software. This is a software supply chain attack, where the attackers tamper with either source code, the software build system, or the software publishing pipeline, all of which have become essential to the functioning of the world’s digital economy.

Software supply chain attacks have been rapidly growing in frequency. Twenty years ago, there might have been one or two a year. These days, depending on the methodology, there are either hundreds or thousands a year, and that’s only counting the reported attacks. And increasingly anybody who depends upon software (read: everybody) is or shortly will be a victim: the U.S. government, Microsoft, thousands of other companies and, apparently in this MiMi attack, individuals.

https://thediplomat.com/2022/09/a-recent-chinese-hack-is-a-wake-up-call-for-the-security-of-the-worlds-software-supply-chain/

• Massive Hotels Group IHG Struck by Cyber Attack Which Disrupts Booking Systems

InterContinental Hotels Group (IHG), which owns brands such as InterContinental, Crowne Plaza, Holiday Inn, and many others, has had its IT systems breached by malicious hackers.

In a filing with the London Stock Exchange, the multinational hospitality company reported that "parts of the company's technology systems have been subject to unauthorised activity."

As a result, the company said, "IHG's booking channels and other applications have been significantly disrupted since [Monday], and this is ongoing."

The first indication that the company was experiencing problems appeared early on Monday morning UK time, when anyone who tried to book a hotel room via the company's website or app, or access their IHG One Rewards account was greeted by a maintenance message.

Although it has made no declaration regarding the nature of the security breach, in its filing with the London Stock Exchange, IHG mentioned they were "working to fully restore all systems". This would fit into the scenario of IHG having hit been hit with ransomware, which may not only have encrypted data - locking the company out of its systems and demanding a ransom be paid - but could have also caused even more problems.

https://www.bitdefender.com/blog/hotforsecurity/massive-hotels-group-ihg-struck-by-cyberattack-which-disrupts-booking-systems/

• London's Biggest Bus Operator Hit by Cyber "Incident"

Travellers in London were braced for more delays last week after the city’s largest bus operator revealed it has been hit by a “cyber security incident,” according to reports.

Newcastle-based transportation group Go-Ahead shared a statement with the London Stock Exchange indicating “unauthorised activity” had been discovered on its network yesterday.

“Upon becoming aware of the incident, Go-Ahead immediately engaged external forensic specialists and has taken precautionary measures with its IT infrastructure whilst it continues to investigate the nature and extent of the incident and implement its incident response plans,” it stated. “Go-Ahead will continue to assess the potential impact of the incident but confirms that there is no impact on UK or International rail services which are operating normally.”

However, the same may not be true of its bus services. Sky News reported that bus and driver rosters may have been impacted by the attack, which could disrupt operations.

Go-Ahead operates multiple services in the South, South West, London, North West, East Anglia, East Yorkshire and its native North East. It is London’s largest bus company, operating over 2400 buses in the capital and employing more than 7000 staff.

https://www.infosecurity-magazine.com/news/londons-biggest-bus-operator-hit/

Threats

Ransomware and Extortion

• Ransomware remains the number one threat to businesses and government organisations - Help Net Security

• Interpol dismantles sextortion ring, warns of increased attacks (bleepingcomputer.com)

• Play Ransomware Attack Playbook Similar to that of Hive, Nokoyawa (trendmicro.com)

• Ransomware attacks on Linux to surge - Help Net Security

• LockBit gang leads the way for ransomware (techtarget.com)

• Some Members of Conti Group Targeting Ukraine in Financially Motivated Attacks (thehackernews.com)

• How to Improve Mean Time to Detect for Ransomware | SecurityWeek.Com

• Google: Former Conti ransomware members attacking Ukraine (techtarget.com)

• Hackers Are Using NASA Telescope Images To Push Ransomware (informationsecuritybuzz.com)

• Ransomware gang's Cobalt Strike servers DDoSed with anti-Russia messages (bleepingcomputer.com)

• Everything You Need To Know About BlackCat (AlphaV) (darkreading.com)

• Microsoft: Iranian hackers encrypt Windows systems using BitLocker (bleepingcomputer.com)

• Microsoft Warns of Ransomware Attacks by Iranian Phosphorus Hacker Group (thehackernews.com)

• Clarion Housing: Anger over landlord silence since cyber attack - BBC News

• New Ransomware Hits Windows, Linux Servers Of Chile Govt Agency (informationsecuritybuzz.com)

• QNAP warns new Deadbolt ransomware attacks exploiting 0day - Security Affairs

• Second largest U.S. school district LAUSD hit by ransomware (bleepingcomputer.com)

• Windows Defender identified Chromium, Electron apps as Hive Ransomware - Security Affairs

• BlackCat Ransomware Linked to Italy's Energy Services Firm Hack - Infosecurity Magazine (infosecurity-magazine.com)

Phishing & Email Based Attacks

• EvilProxy Commodifies Reverse-Proxy Tactic for Phishing, Bypassing 2FA (darkreading.com)

• Criminals harvest users' PI by impersonating popular brands - Help Net Security

• Lampion malware returns in phishing attacks abusing WeTransfer (bleepingcomputer.com)

• A new phishing scam targets American Express cardholders - Security Affairs

• EvilProxy phishing-as-a-service with MFA bypass emerged on the dark web - Help Net Security

• GIFShell attack creates reverse shell using Microsoft Teams GIFs (bleepingcomputer.com)

Other Social Engineering; Smishing, Vishing, etc

• Defeat social engineering attacks by growing your cyber resilience - Help Net Security

Malware

• Cyber criminals targeting Minecraft fans with malware • The Register

• Next-Gen Linux Malware Takes Over Devices With Unique Tool Set (darkreading.com)

• TeslaGun Primed to Blast a New Wave of Backdoor Cyber attacks (darkreading.com)

• New Linux malware evades detection using multi-stage deployment (bleepingcomputer.com)

• Bumblebee malware adds post-exploitation tool for stealthy infections (bleepingcomputer.com)

• Botnets in the Age of Remote Work (darkreading.com)

• North Korean Hackers Deploying New MagicRAT Malware in Targeted Campaigns (thehackernews.com)

Mobile

• In-app browser security risks, and what to do about them | CSO Online

• Fake Antivirus and Cleaner Apps Caught Installing SharkBot Android Banking Trojan (thehackernews.com)

• SharkBot Malware Resurfaces on Google Play to Steal Users' Credentials - Infosecurity Magazine (infosecurity-magazine.com)

Internet of Things – IoT

• New Stealthy Shikitega Malware Targeting Linux Systems and IoT Devices (thehackernews.com)

Data Breaches/Leaks

• NATO docs sold on darkweb after they were stolen from Portugal - Security Affairs

• Criminals claim they've stolen NATO missile plans • The Register

• TikTok denies data breach following leak of user data - Security Affairs

• IRS mistakenly published confidential info for roughly 120K taxpayers - Security Affairs

• Samsung US Says Customer Data Compromised in July Data Breach | SecurityWeek.Com

• Digital Identity Provider SDK Leaves Hundreds Of Thousands Of Biometric (informationsecuritybuzz.com)

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

• Scammers live-streamed on YouTube a fake Apple crypto event - Security Affairs

• FBI: Crooks are using these DeFi flaws to steal your money | ZDNET

• Feds freeze $30m in cryptocurrency stolen from Axie Infinity • The Register

• New Rules for Crypto Exchanges to Stop Sanctions Evaders - Infosecurity Magazine (infosecurity-magazine.com)

Fraud, Scams & Financial Crime

• 62% of consumers see fraud as an inevitable risk of online shopping - Help Net Security

• Islanders in Jersey lose nearly £400,000 to romance fraud | ITV News Channel

• The Advantages of Threat Intelligence for Combating Fraud | SecurityWeek.Com

AML/CFT/Sanctions

• UK forces crypto exchanges to report suspected sanction breaches | Cryptocurrencies | The Guardian

• US Treasury sanctioned Iran ’s Ministry of Intelligence over Albania cyber attack - Security Affairs

Insurance

• Lloyd’s of London defends cyber insurance exclusion for state-backed attacks | Financial Times (ft.com)

• Global Cyber security Insurance Market Size Expected to Top $32.6 Billion by 2028 - MSSP Alert

• With cyber insurance costs increasing, can smaller firms avoid getting priced out? - Help Net Security

Supply Chain and Third Parties

• Supply chain risk is a top security priority as confidence in partners wanes - Help Net Security

• KeyBank: Hackers of third-party provider stole customer data | The Seattle Times

• Government guide for supply chain security: The good, the bad and the ugly - Help Net Security

Software Supply Chain

• Report Highlights Prevalence of Software Supply Chain Risks (darkreading.com)

Denial of Service DoS/DDoS

• Ransomware gang's Cobalt Strike servers DDoSed with anti-Russia messages (bleepingcomputer.com)

Cloud/SaaS

• Defenders Be Prepared: Cyber attacks Surge Against Linux Amid Cloud Migration (darkreading.com)

• Hybrid Cloud Security Challenges & Solutions (trendmicro.com)

• 3 Critical Steps for Reducing Cloud Risk (darkreading.com)

Identity and Access Management

• There is no secure critical infrastructure without identity-based access - Help Net Security

Encryption

• A Pragmatic Response to the Quantum Threat (darkreading.com)

API

• 6 Top API Security Risks! Favoured Targets for Attackers If Left Unmanaged (thehackernews.com)

• API Security for the Modern Enterprise - IT Security Guru

Open Source

• New Linux malware combines unusual stealth with a full suite of capabilities | Ars Technica

Passwords, Credential Stuffing & Brute Force Attacks

• Are Default Passwords Hiding in Your Active Directory? Here's how to check (bleepingcomputer.com)

• 200,000 North Face accounts hacked in credential stuffing attack (bleepingcomputer.com)

Social Media

• TikTok denies security breach after hackers leak user data, source code (bleepingcomputer.com)

• Facebook Engineers Admit They Don’t Know What They Do With Your Data (vice.com)

• Meta axes Responsible Innovation team charged with addressing ethical problems with Facebook, Instagram, WhatsApp | Fortune

Privacy

• You should know that most websites share your in-site search queries with third parties - Help Net Security

• Meta Fined $400m in Ireland For Children's Privacy Breach - Infosecurity Magazine (infosecurity-magazine.com)

Parental Controls and Child Safety

• Google’s image-scanning illustrates how tech firms can penalise the innocent | John Naughton | The Guardian

Cyber Bullying and Cyber Stalking

• ‘I didn’t want it anywhere near me’: how the Apple AirTag became a gift to stalkers | Apple | The Guardian

Regulations, Fines and Legislation

• Tear up decades-old law to save Britain from hackers, say cyber experts (telegraph.co.uk)

• UK Privacy Regulator Fines Halfords for Spam Deluge - Infosecurity Magazine (infosecurity-magazine.com)

• Meta Fined $400m in Ireland For Children's Privacy Breach - Infosecurity Magazine (infosecurity-magazine.com)

Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine

• Google Details Recent Ukraine Cyber attacks | SecurityWeek.Com

• Ukraine dismantles more bot farms spreading Russian disinformation (bleepingcomputer.com)

• Ukraine is under attack by hacking tools repurposed from Conti cyber crime group | Ars Technica

• Sprawling, multi-year Iranian cyberespionage and surveillance group exposed in new report - CyberScoop

• Iranian APT42 Launched Over 30 Espionage Attacks Against Activists and Dissidents (thehackernews.com)

• Newly discovered cyber spy group targets Asia • The Register

• New Iranian hacking group APT42 deploys custom Android spyware (bleepingcomputer.com)

• Israeli Defence Minister's Cleaner Sentenced for Spying Attempt | SecurityWeek.Com

• An interview with Ukrainian hacker 'Herm1t' on countering pro-Kremlin attacks - The Record by Recorded Future

• Researchers Find New Android Spyware Campaign Targeting Uyghur Community (thehackernews.com)

• Anonymous hacked Yandex taxi causing a traffic jam in Moscow - Security Affairs

Nation State Actors

Nation State Actors – Russia

• Raspberry Robin Malware Connected to Russian Evil Corp Gang (darkreading.com)

Nation State Actors – China

• US bans ‘advanced tech’ firms from building facilities in China for a decade | Technology sector | The Guardian

Nation State Actors – North Korea

• North Korean Hackers Deploying New MagicRAT Malware in Targeted Campaigns (thehackernews.com)

• North Korea's Lazarus Targets Energy Firms With Three RATs | SecurityWeek.Com

Nation State Actors – Iran

• Microsoft: Iranian hackers encrypt Windows systems using BitLocker (bleepingcomputer.com)

• UK condemns Iran for reckless cyber attack against Albania - GOV.UK (www.gov.uk)

• US Treasury sanctioned Iran ’s Ministry of Intelligence over Albania cyber attack - Security Affairs

• NATO Condemns Alleged Iranian Cyber attack on Albania | SecurityWeek.Com

• New Iranian hacking group APT42 deploys custom Android spyware (bleepingcomputer.com)

• Microsoft investigates Iranian attacks against the Albanian government - Microsoft Security Blog

• Microsoft Warns of Ransomware Attacks by Iranian Phosphorus Hacker Group (thehackernews.com)

Nation State Actors – Misc

• Nation-state attacks are a growing threat to video conferencing - Help Net Security

• Use of machine identities is growing in state-sponsored cyber attacks - Help Net Security

Vulnerability Management

• High-profile vulnerabilities encourage organisations to improve security posture - Help Net Security

Vulnerabilities

• CISA adds 12 new flaws to Known Exploited Vulnerabilities Catalog - Security Affairs

• September 2022 Patch Tuesday forecast: No sign of cooling off - Help Net Security

• High-risk ConnectWise Automate vulnerability fixed, admins urged to patch ASAP - Help Net Security

• Hackers Exploit Zero-Day in WordPress BackupBuddy Plugin in ~5 Million Attempts (thehackernews.com)

• Cisco Releases Security Patches for New Vulnerabilities Impacting Multiple Products (thehackernews.com)

• Mirai Variant MooBot Botnet Exploiting D-Link Router Vulnerabilities (thehackernews.com)

• Cisco won’t fix authentication bypass zero-day in EoL routers (bleepingcomputer.com)

• Critical RCE Vulnerability Affects Zyxel NAS Devices — Firmware Patch Released (thehackernews.com)

• Chrome and Edge fix zero-day security hole – update now! – Naked Security (sophos.com)

• Google Patches Sixth Chrome Zero-Day of 2022 | SecurityWeek.Com

• QNAP patches zero-day used in new Deadbolt ransomware attacks (bleepingcomputer.com)

• HP fixes severe bug in pre-installed Support Assistant tool (bleepingcomputer.com)

Other News

• Top 5 Cyber crime Cases in 2022 (techgenix.com)

• The Heartbleed bug: How a flaw in OpenSSL caused a security crisis | CSO Online

• Cyber Security - the More Things Change, the More They Are The Same | SecurityWeek.Com

• CISOs say stress and burnout are their top personal risks (cnbc.com)

• How to deal with unprecedented levels of regulatory change - Help Net Security

Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

·       Automotive

·       Construction

·       Critical National Infrastructure (CNI)

·       Defence & Space

·       Education & Academia

·       Energy & Utilities

·       Estate Agencies

·       Financial Services

·       FinTech

·       Food & Agriculture

·       Gaming & Gambling

·       Government & Public Sector (including Law Enforcement)

·       Health/Medical/Pharma

·       Hotels & Hospitality

·       Insurance

·       Legal

·       Manufacturing

·       Maritime

·       Oil, Gas & Mining

·       OT, ICS, IIoT, SCADA & Cyber-Physical Systems

·       Retail & eCommerce

·       Small and Medium Sized Businesses (SMBs)

·       Startups

·       Telecoms

·       Third Sector & Charities

·       Transport & Aviation

·       Web3

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.