Threat Intelligence Blog
Contact us to discuss any insights from our Blog, and how we can support you in a tailored threat intelligence report.
Black Arrow Cyber Threat Briefing 10 September 2021
Black Arrow Cyber Threat Briefing 10 September 2021
-91% Of IT Teams Have Felt 'Forced' To Trade Security For Business Operations
-Ransomware Attacks Increased Exponentially In 2021
-One In Three Suspect Phishing Emails Reported By Employees Really Are Malicious
-Hackers Shift From Malware To Credential Hijacking
-Attacker Breakout Time Now Less Than 30 Minutes
-Hackers Leak VPN Account Passwords From 87,000 Fortinet FortiGate Devices
-The Impact Of Ransomware On Cyber Insurance Driving The Need For Broader Cyber Security Knowledge
-Hackers Exploit Camera Vulnerabilities To Spy On Parents
-39% Of All Internet Traffic Is From Bad Bots
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
91% Of IT Teams Have Felt 'Forced' To Trade Security For Business Operations
A new survey suggests that most IT staff have felt pressured to ignore security concerns in favour of business operations. On Thursday, a new study report was released, which combines data from an online YouGov survey targeting office workers that adopted WFH and global research conducted with IT decision-makers. In total, 91% of those surveyed said that they have felt "pressured" to compromise security due to the need for business continuity during the COVID-19 pandemic. 76% of respondents said that security had taken a backseat, and furthermore, 83% believe that working from home has created a "ticking time bomb" for corporate security incidents. https://www.zdnet.com/article/91-of-it-teams-have-felt-forced-to-trade-security-for-business-operations/
Ransomware Attacks Increased Exponentially In 2021
The growing threat of ransomware has been highlighted by NCC Group's Research Intelligence and Fusion Team (RIFT) analysis. Between January-March 2021 and April-June 2021, the number of ransomware assaults studied by the team climbed by 288%, indicating that enterprises are still facing waves of digital extortion in the form of targeted ransomware. https://www.ehackingnews.com/2021/09/ransomware-attacks-increased.html
Phishing Attacks: One In Three Suspect Emails Reported By Employees Really Are Malicious
All the time spent ticking boxes in cyber security training sessions seems to be paying off after all: according to a new report, about a third of emails reported by employees really are malicious or highly suspect, demonstrating the effectiveness of the well-established maxim "Think before you click". Researchers analysed over 200,000 emails that were flagged by employees from organisations across the globe in the first half of 2021 and found that 33% of the reports could be classified as phishing. https://www.zdnet.com/article/phishing-attacks-one-in-three-suspect-emails-reported-by-employees-really-are-malicious/
Hackers Shift From Malware To Credential Hijacking
Adversaries are relying less on malware to conduct attacks that are consequently more difficult to detect, according to an annual report conducted by researchers. “According to data from our customer base indexed by Threat Graph, 68% of detections from the last three months were not malware-based,” reads the report released Wednesday. “Attackers are increasingly attempting to accomplish their objectives without writing malware to the endpoint, using legitimate credentials and built-in tools (living off the land)—which are deliberate efforts to evade detection by traditional antivirus products.” https://www.nextgov.com/cybersecurity/2021/09/report-hackers-shift-malware-credential-hacking/185209/
Attacker Breakout Time Now Less Than 30 Minutes
The average time it takes threat actors to move from initial access to lateral movement has fallen by 67% over the past year, putting extra pressure on security operations (SecOps) teams, according to researchers. The findings come from researchers own investigations with customers across around 248,000 unique global endpoints. For incidents where this “breakout time” could be derived over the past year, it averaged just 1 hour 32 minutes. However, in over a third (36%) of intrusions, adversaries managed to move laterally to additional hosts in under 30 minutes. https://www.infosecurity-magazine.com/news/attacker-breakout-time-now-less/
Hackers Leak VPN Account Passwords From 87,000 Fortinet FortiGate Devices
Network security solutions provider Fortinet confirmed that a malicious actor had unauthorizedly disclosed VPN login names and passwords associated with 87,000 FortiGate SSL-VPN devices. "These credentials were obtained from systems that remained unpatched at the time of the actor's scan. While they may have since been patched, if the passwords were not reset, they remain vulnerable," the company said in a statement on Wednesday. https://thehackernews.com/2021/09/hackers-leak-vpn-account-passwords-from.html
53% Find It Difficult To Prevent An Insider Attack During Data Aggregation
Recent data from researchers found that 53% of companies find it impossible or very difficult to prevent an insider attack when data is being aggregated, a key indicator of intent of an attack. The vast majority of security threats follow a pattern or sequence of activity leading up to an attack, and insider threats are no exception. To fully understand any insider incident, visibility into the entire kill chain of an attack is imperative to preventing the exfiltration of critical data. https://venturebeat.com/2021/09/02/53-find-it-difficult-to-prevent-an-insider-attack-during-data-aggregation/
The Impact Of Ransomware On Cyber Insurance Driving The Need For Broader Cyber Security Knowledge
Not only have ransomware attacks spiked, the amount of ransom demanded has grown exponentially—to somewhere between $50 and $70 million dollars. Cyber Insurers can’t cover “whatever amount the hacker demands”—so major policies lost money. Insurers have responded by raising premiums, restricting coverage, or even getting out of the cyber-insurance game altogether in vulnerable markets. https://www.helpnetsecurity.com/2021/09/10/cyber-insurance-ransomware/
Hackers Exploit Camera Vulnerabilities To Spy On Parents
Various zero day vulnerabilities in home baby monitor could be compromised that lets threat actors hack into camera feed and put malicious codes like malware. The security issues were found in the IoT gadgets, made by China based developer Victure, that were found by researchers. In a security report, researchers revealed about the stack-based buffer flaw present in ONVIF server Victure PC420 component camera that allows hackers to plant remote codes on the victim device. When compromised, hacker can discover cameras (not owned by them) and command devices to broadcast camera feeds to third party and exploit the camera firmware. https://www.ehackingnews.com/2021/09/hackers-exploit-camera-vulnerabilities.html
39% Of All Internet Traffic Is From Bad Bots
Automated traffic takes up 64% of internet traffic – and whilst just 25% of automated traffic was made up by good bots, such as search engine crawlers and social network bots, 39% of all traffic was from bad bots, a Barracuda report reveals.
These bad bots include both basic web scrapers and attack scripts, as well as advanced persistent bots. These advanced bots try their best to evade standard defences and attempt to perform their malicious activities under the radar. The report revealed that the most common of these persistent bots were ones that went after e-commerce applications and login portals. https://www.helpnetsecurity.com/2021/09/07/bad-bots-internet-traffic/
Threats
Ransomware
BEC
Phishing
Other Social Engineering
Malware
Traffic Exchange Networks Distributing Malware Disguised As Cracked Software
New Malware Uses Novel Fileless Technique To Evade Detection
Mobile
IOT
Vulnerabilities
Zoho ManageEngine Password Manager Zero-Day Gets A Fix, Amid Attacks
New CPU Side-Channel Attack Takes Aim At Chrome’s Site Isolation Feature
Microsoft, CISA Urge Mitigations For Zero-Day RCE Flaw In Windows
Atlassian CISO Defends Company's Confluence Vulnerability Response, Urges Patching
PoC Released For GhostScript Vulnerability That Exposed Airbnb, Dropbox
New 0-Day Attack Targeting Windows Users With Microsoft Office Documents
Cisco Patches Critical Authentication Bug With Public Exploit
Data Breaches/Leaks
Organised Crime & Criminal Actors
Cryptocurrency/Cryptojacking
Insider Threats
DoS/DDoS
Nation State Actors
Cloud
Privacy
Other News
OWASP Shakes Up Web App Threat Categories With Release Of Draft Top 10
A Zero-Trust Future: Why Cyber Security Should Be Prioritized For The Hybrid Working World
Microsoft Has A $20 Billion Hacking Plan, But Cyber Security Has A Big Spending Problem
Misbehaving Microsoft Teams Ad Brings Down The Entire Windows 11 Desktop
This Seemingly Normal Lightning Cable Will Leak Everything You Type
HSE Cyber Attack: Irish Health Service Still Recovering Months After Hack
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Threat Briefing 03 September 2021
Black Arrow Cyber Threat Briefing 03 September 2021
-Ransomware Attacks Soar 288% in H1 2021
-Ransomware Costs Expected To Reach $265 Billion By 2031
-Brute Force Email Attacks and Account Takeover Attempts Rise 671%, Reaching Unprecedented Levels, Causing Financial And Reputational Damage
-Investigation Into Hacked "Map" Of UK Gun Owners
-Eight US Financial Services Firms Given Six-Figure Fines Over BEC Data Breaches
-Ransomware Has Been A ‘Game Changer’ For Cyber Insurance
-WhatsApp hit with $267 million GDPR fine for bungling user privacy disclosure
-Microsoft Warns About Open Redirect Phishing Campaign
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
Ransomware Attacks Soar 288% in First Half of 2021
The number of ransomware attacks surged by 288% between the first and second quarters of 2021 as double extortion attempts grew, according to the latest data.
Nearly a quarter (22%) of data leaks in the second quarter came from the Conti ransomware group, who typically gain initial network access to victim organisations via phishing emails.
It’s an unfortunate fact that no organisation in any sector is safe from ransomware today.
Targets range from IT companies and suppliers to financial institutions and critical national infrastructure providers, with ransomware-as-a-service increasingly being sold by ransomware gangs in a subscription model. https://www.infosecurity-magazine.com/news/ransomware-attacks-soar-half-2021/
Ransomware Costs Expected To Reach $265 Billion By 2031
Think ransomware is expensive now? It’s not predicted to get any cheaper over the next decade. Ransoms could cost victims a collective total of $265 billion by 2031. The estimate is based on the prediction that the price tag will increase 30% every year over the next 10 years. https://securityintelligence.com/news/ransomware-costs-expected-265-billion-2031/
Brute Force Email Attacks and Account Takeover Attempts Rise 671%, Reaching Unprecedented Levels, Causing Financial And Reputational Damage
A new Email Threat Report for Q3 2021 examines the escalating adverse impact of socially-engineered and never-seen-before email attacks, and other advanced email threats—both financial and reputational—to organisations worldwide. The report surveyed advanced email attacks across eight major industry sectors, including retail and consumer goods, manufacturing, technology, energy and infrastructure services, medical, media and television, finance, and hospitality.
The report also finds 61% of organisations experienced a vendor email compromise/supply chain attack in Q2 2021.
Key report findings include:
32.5% of all companies were targeted by brute force attacks in early June 2021
137 account takeovers occurred per 100,000 mailboxes for members of the C-suite
61% of organisations experienced a vendor email compromise attack this quarter
22% more business email compromise attacks since Q4 2020
60% chance of a successful account takeover each week for organisations with 50,000+ employees
73% of all advanced threats were credential phishing attacks
80% probability of attack every week for retail and consumer goods, technology, and media and television companies
https://finance.yahoo.com/news/brute-force-email-attacks-account-120100299.html
Investigation Into Hacked "Map" Of UK Gun Owners
Gun-selling site Guntrader announced a data breach affecting more than 100,000 customers in July. This week, reports emerged that an animal rights activist blog had published the information. The group had formatted the data so it could be easily imported into mapping software to show individual homes. The National Crime Agency, which has been investigating the data breach and its fallout, said it "is aware that information has been published online as a result of a recent data breach which impacted Guntrader". https://www.bbc.co.uk/news/technology-58413847
Eight US Financial Services Firms Given Six-Figure Fines Over BEC Data Breaches
The US Securities and Exchange Commission (SEC) has sanctioned multiple financial services firms for cyber security failures that led to the compromise of corporate email accounts and the personal data of thousands of individuals. The case was brought after the unauthorised takeover of cloud-based email accounts at Seattle-based KMS Financial Services, and subsidiaries of California-headquartered Cetera Financial Group and Iowa-based Cambridge Investment Group. https://portswigger.net/daily-swig/eight-us-financial-services-firms-given-six-figure-fines-over-bec-data-breaches
Ransomware Has Been A ‘Game Changer’ For Cyber Insurance
Ransomware attacks accounted for nearly one quarter of all cyber incidents globally last year, according to a software company. The researchers “think of December 2019 as the tipping point for when we started to see ransomware take hold”. The U.S. was hit by a barrage of ransomware attacks in 2019 that impacted at least 966 government agencies, educational establishments, and healthcare providers at a potential cost in excess of $7.5 billion. All of this has a massive knock-on affect for the Insurance firms. https://www.insurancejournal.com/news/national/2021/08/30/628672.htm
Getting Ahead Of A Major Blind Spot For CISOs: Third-Party Risk
For many CISOs and security leaders, it was not long ago that their remit focused on the networks and digital ecosystems for their organisation alone. In today’s digital world, those days are a thing of the past with a growing number of businesses relying on third-party vendors to scale, save time and outsource expertise to stay ahead. With this change, new security risks affiliated with third-party vendors are more prevalent than ever before. https://www.helpnetsecurity.com/2021/09/01/getting-ahead-of-a-major-blind-spot-for-cisos-third-party-risk/
WhatsApp Hit With $267 Million GDPR Fine For Bungling User Privacy Disclosure
Ireland’s Data Protection Commission fined Facebook-owned messenger WhatsApp for $225 million for failing to provide users enough information about the data it shared with other Facebook companies.
The fine is the largest penalty that the Irish regulator has waged since the European Union data protection law, the General Data Protection Regulation, or GDPR, went into effect in 2018. https://www.cyberscoop.com/whatsapp-hit-with-267-million-gdpr-fine-for-bungling-user-privacy-disclosure/
Microsoft Warns About Open Redirect Phishing Campaign
Microsoft’s Security Intelligence team is warning over phishing campaigns using open redirector links, links crafted to subvert normal inspection efforts. Smart users know to hover over links to see where they're going to lead, but these links are prepared for that type of user and display a safe destination designed to lure targets into a false sense of security. Click the link and you'll be redirected to a domain that appears legit (such as a Microsoft 365 login page, for example) and sets the stage for you to voluntarily hand over credentials to bad actors without even realising it until it's too late. https://www.windowscentral.com/microsoft-warns-about-open-redirect-phishing-campaign
Previous Employees With Access To Corporate Data Remain A Threat To Businesses
Offboarding employees securely is a key problem for business leaders, with 40% concerned that employees who leave a company retain knowledge of passwords that grant access to corporate data. This is according to a report, which found few organisations are implementing access management solutions that work with all applications, meaning most lack the ability to revoke access to all corporate data as soon as an employee leaves. https://www.helpnetsecurity.com/2021/09/02/previous-employees-access-data/
BEC Scammers Seek Native English Speakers On Underground
Looking for work? Speak fluent English? Capable of convincingly portraying a professional – as in, somebody a highly ranked corporate leader would talk to? If you lack scruples and disregard those pesky things called “laws,” it could be your lucky day: Cyber Crooks are putting up help-wanted ads, looking for native English speakers to carry out the social-engineering elements of business email compromise (BEC) attacks. https://threatpost.com/bec-scammers-native-english-speakers/169092/
Half Of Businesses Can't Spot These Signs Of Insider Cyber Security Threats
Most businesses are struggling to identify and detect early indicators that could suggest an insider is plotting to steal data or carry out other cyber attacks. Research suggests that over half of companies find it impossible or very difficult to prevent insider attacks. These businesses are missing indicators that something might be wrong. Those include unusual amounts of files being opened, attempts to use USB devices, staff purposefully circumventing security controls, masking their online activities, or moving and saving files to unusual locations. All these and more might suggest that a user is planning malicious activity, including the theft of company data. https://www.zdnet.com/article/half-of-businesses-cant-spot-these-signs-of-insider-cybersecurity-threats/
Threats
Ransomware
Conti Ransomware Now Hacking Exchange Servers With ProxyShell Exploits
LockFile Ransomware Bypasses Protection Using Intermittent File Encryption
FBI, CISA: Ransomware Attack Risk Increases On Holidays, Weekends
LockBit Jumps Its Own Countdown, Publishes Bangkok Air Files
Phishing
Malware
Cyber Attackers Are Now Quietly Selling Off Their Victim's Internet Bandwidth
Cyber Criminal Sells Tool To Hide Malware In AMD, NVIDIA GPUS
Cyber Criminals Abusing Internet-Sharing Services To Monetise Malware Campaigns
Mobile
Snowden Slams Apple CSAM: Warns iPad, iPhone, Mac Users Worldwide
Kaspersky Lab Has Reported About Android Viruses Designed To Steal Money Automatically
Dangerous Android Malware Is Spreading — Beware Of Text Message Scam
Vulnerabilities
New BrakTooth Flaws Leave Millions Of Bluetooth-Enabled Devices Vulnerable
Meltdown-Like Vulnerability Disclosed For AMD Zen+ And Zen 2 Processors
NPM Package With 3 Million Weekly Downloads Had A Severe Vulnerability
Cisco Patches Critical Authentication Bug With Public Exploit
QNAP Working On Patches For OpenSSL Flaws Affecting Its NAS Devices
This Top TP-Link Router Ships With Some Serious Security Flaws
Data Breaches/Leaks
Organised Crime & Criminal Actors
Dark Web
DoS/DDoS
OT, ICS, IIoT and SCADA
Cloud
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Threat Briefing 16 July 2021
Black Arrow Cyber Threat Briefing 16 July 2021: 84% Of Orgs Experienced Phishing Or Ransomware Attacks In The Last Year; Phishing continues to be one of the easiest paths for ransomware; Only Half Of Orgs Can Defend Against Ransomware; MI5 Chief Warns Public Of Cyber-Threat From Hostile States Such As China & Russia; Almost All Orgs Suffered Insider Data Breaches; Cyber Crime Costs Orgs Nearly $1.79 Million Per Minute; Sonicwall Releases Urgent Notice About 'Imminent' Ransomware Targeting Firmware; Google Finds Zero-Day Security Flaws In All Your Favourite Browsers
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
84% Of Organisations Experienced Phishing Or Ransomware Attacks In The Last Year
A new report from Trend Micro has found that 84% of organisations have reported phishing or ransomware security incidents in the last 12 months.
The findings come from an Osterman Research study commissioned by Trend Micro that was compiled from interviews with cyber security professionals in midsize and large organisations nationwide. The research also found that half of organisations are not effective at countering phishing and ransomware threats.
Phishing continues to be one of the easiest paths for ransomware
Ransomware gangs are still using phishing as one of the main ways to attack an organisation, according to a new survey from Cloudian featuring the insights of 200 IT decision-makers who experienced a ransomware attack over the last two years.
More than half of all respondents have held anti-phishing training among employees, and 49% had perimeter defenses in place when they were attacked.
Nearly 25% of all survey respondents said their ransomware attacks started through phishing, and of those victims, 65% had conducted anti-phishing training sessions. For enterprises with fewer than 500 employees, 41% said their attacks started with phishing. About one-third of all victims said their public cloud was the entry point ransomware groups used to attack them.
Ransomware: Only Half Of Organisations Can Effectively Defend Against Attacks, Warns Report
Around half of firms don't have the technology to prevent or detect ransomware attacks, according to research by cybersecurity company Trend Micro. It suggests that many organisations don't have the cybersecurity capabilities required to prevent ransomware attacks, such as the ability to detect phishing emails, remote desktop protocol (RDP) compromise or other common techniques deployed by cyber attackers during ransomware campaigns.
For example, the report warns that many organisations struggle with detecting the suspicious activity associated with ransomware and attacks that could provide early evidence that cyber criminals have compromised the network. That includes failing to identify unusual lateral movement across corporate networks, or being able to spot unauthorised users gaining access to corporate data.
MI5 Chief Warns Public Of Cyber-Threat From Hostile States Such As China & Russia
Head of Britain's MI5, Ken McCallum, is urging the public to be as vigilant about threats from "hostile states" as from terrorism.
These include disruptive cyber-attacks, misinformation, espionage and interference in politics - and are usually linked to Russia and China.
McCallum is warning that "less visible threats... have the potential to affect us all," affecting UK jobs and public services and could even lead to a loss of life.
The head of the Security Service wants to challenge the idea that activity by so-called "hostile states", usually taken to mean primarily Russia and China, only affects governments or certain institutions.
Instead, he is to argue in an annual threat update, that the British public are not immune to the "tentacles" of covert action by other states.
In the speech at MI5's Thames House headquarters, Mr McCallum will warn the "consequences range from frustration and inconvenience, through loss of livelihood, potentially up to loss of life".
Almost All Organisations Have Suffered Insider Data Breaches
Egress’ Insider Data Breach Survey 2021 claims that 94 percent of organisations have experienced insider data breaches in the last year. Human error was the top cause of serious incidents, according to 84 percent of IT leaders surveyed.
However, IT leaders are more concerned about malicious insiders, with 28 percent indicating that intentionally malicious behaviour is their biggest fear. Despite causing the most incidents, human error came bottom of the list, with just over one-fifth (21 percent) saying that it’s their biggest concern.
Additionally, almost three-quarters (74 percent) of organisations have been breached because of employees breaking security rules, and 73 percent have been the victim of phishing attacks.
The survey, independently conducted by Arlington Research on behalf of Egress, surveyed 500 IT leaders and 3,000 employees in the US and UK across vertical sectors including financial services, healthcare and legal.
https://workplaceinsight.net/almost-all-organisations-have-suffered-insider-data-breaches/
Cyber Crime Costs Organisations Nearly $1.79 Million Per Minute
Cybercrime costs organisations an incredible $1.79m every minute, according to RiskIQ’s 2021 Evil Internet Minute Report.
The study, which analysed the volume of malicious activity on the internet, laid bare the scale and damage of cyber-attacks in the past year, finding that 648 cyber-threats occurred every minute.
The researchers calculated that the average cost of a breach is $7.2 per minute, while the overall predicted cybersecurity spend is $280,060 every minute.
E-commerce has been heavily hit by online payment fraud in the past year, with cyber-criminals taking advantage of the shift to online shopping during the COVID-19 pandemic. While the e-commerce industry saw a record $861.1bn in sales, it lost $38,052 to online payment fraud every minute.
https://www.infosecurity-magazine.com/news/cybercrime-costs-orgs-per-minute/
Phishing, Ransomware Driving Wave of Data Breaches
Data compromises have increased every month this year except May.
If that trend continues, or even if there is only an average of 141 new compromises per month for the next six months, the total will still exceed the previous high of 1,632 breaches set in 2017.
These were among the findings of the nonprofit organization Identity Theft Resource Center’s (ITRC) latest data breach analysis report, which revealed publicly reported U.S. data breaches are up 38% in the second quarter of 2021, for a total of 491 compromises, compared to Q1.
https://securityboulevard.com/2021/07/phishing-ransomware-driving-wave-of-data-breaches/
Top CVEs Trending with Cybercriminals
An analysis of criminal forums reveal what publicly known vulnerabilities attackers are most interested in.
Criminal small talk in underground forums offer critical clues about which known Common Vulnerabilities and Exposures (CVEs) threat actors are most focused on. This, in turn, offers defenders clues on what to watch out for.
An analysis of such chatter, by Cognyte, examined 15 cybercrime forums between Jan. 2020 and March 2021. In its report, researchers highlight what CVEs are the most frequently mentioned and try to determine where attackers might strike next.
“Our findings revealed that there is no 100 percent correlation between the two parameters, since the top five CVEs that received the highest number of posts are not exactly the ones that were mentioned on the highest number of Dark Web forums examined,” the report said. “However, it is still enough to understand which CVEs were popular among threat actors on the Dark Web during the time examined.”
https://threatpost.com/top-cves-trending-with-cybercriminals/167889/
Sonicwall Releases Urgent Notice About 'Imminent' Ransomware Targeting Firmware
Networking device maker SonicWall sent out an urgent notice to its customers about "an imminent ransomware campaign using stolen credentials" that is targeting Secure Mobile Access (SMA) 100 series and Secure Remote Access (SRA) products running unpatched and end-of-life 8.x firmware.
In addition to the notice posted to its website, SonicWall sent an email to anyone using SMA and SRA devices, urging some to disconnect their devices immediately. They worked with Mandiant and other security companies on the issue, according to the release.
Google Finds Zero-Day Security Flaws In All Your Favourite Browsers
Researchers at Google have shared insight into four zero-day security vulnerabilities in popular web browsers which were exploited in the wild earlier this year.
DIscovered by Google's Threat Analysis Group (TAG), the four vulnerabilities in Google Chrome, Internet Explorer, and WebKit, the browser engine used by Apple's Safari, were used as a part of three different campaigns.
https://www.techradar.com/news/google-finds-zero-day-security-flaws-in-all-your-favorite-browsers
Threats
Ransomware
Ransomware attackers are growing bolder and using new extortion methods
REvil ransomware gang's websites vanish soon after Kaseya fiasco, Uncle Sam threatens retaliation
What it's really like to negotiate with ransomware attackers
This ransomware gang hunts for evidence of crime to pressure victims into paying a ransom
BEC
Phishing
Other Social Engineering
Malware
Trickbot Malware Rebounds with Virtual-Desktop Espionage Module
Hackers Spread BIOPASS Malware via Chinese Online Gambling Sites
Mobile
Vulnerabilities
Microsoft July 2021 Patch Tuesday: 117 vulnerabilities, Pwn2Own Exchange Server bug fixed
SonicWall vulnerability allows attackers to obtain full control of device and underlying OS
Microsoft's Emergency Patch Fails to Fully Fix PrintNightmare RCE Vulnerability
Serious Security Vulnerability Hits DrayTek’s UK Fibre Routers
Kaseya issues patch for on-premise customers, SaaS rollout underway
Data Breaches
Morgan Stanley suffered data breach of customers after supply chain hack
Fashion retailer Guess discloses data breach after ransomware attack
Insurance giant CNA reports data breach after ransomware attack
Organised Crime & Criminal Actors
SolarWinds 0-day gave Chinese hackers privileged access to customer servers
Magecart hackers hide stolen credit card data into images and bogus CSS files
Cryptocurrency/Cryptojacking
Insider Threats
Dark Web
Supply Chain
OT, ICS, IIoT and SCADA
Vulnerability in Schneider Electric PLCs allows for undetectable remote takeover
Unpatched Critical RCE Bug Allows Industrial, Utility Takeovers
Nation State Actors
Privacy
User Education, Awareness and Training
Other News
Kaseya's Staff Sounded the Alarm About Security Flaws for Years Before Ransomware Attack
Israeli Firm Helped Governments Target Journalists, Activists with 0-Days and Spyware
Endpoint Detection (alone) won’t protect your organisation from advanced hacking groups
Kaseya hack proves we need better cyber metrics
Instagram's Security Checkup will help users secure their accounts after a hack
79% of organisations identify threat modelling as a top priority in 2021
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Threat Briefing 09 April 2021
Black Arrow Cyber Threat Briefing 09 April 2021: Ransomware Attacks Grew By 485% In 2020; Cyber Insurance Firm Suffers Cyber Attack; Ransom Gangs Emailing Victim Customers For Leverage; 'We Have Your Porn Collection' - The Rise Of Extortionware; Should Firms Be More Worried About Firmware Cyber Attacks; Armed Conflict Draws Closer As State-Backed Cyber Attacks Intensify; Coca-Cola Trade Secret Theft Underscores Importance Of Insider Threat Early Detection; Attackers Blowing Up Discord, Slack With Malware
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
Ransomware Attacks Grew By 485% In 2020
Ransomware attacks increased by an astonishing 485% in 2020 compared to 2019, according to Bitdefender’s 2020 Consumer Threat Landscape Report, which highlighted the ways cyber criminals targeted the COVID-19 pandemic. Interestingly, nearly two-thirds (64%) of the ransomware attacks took place in the first two quarters of 2020.
https://www.infosecurity-magazine.com/news/ransomware-attacks-grow-2020/
Cyber Insurance Firm Suffers Sophisticated Ransomware Cyber Attack; Data Obtained May Help Hackers Better Target Firm’s Customers
One of the largest insurance firms in the US CNA Financial was reportedly hit by a “sophisticated cyber security attack” on March 21, 2021. The cyber attack disrupted the company’s employee and customer services for three days as the company shut down “out of an abundance of caution” to prevent further compromise.
Ransom Gangs Emailing Victim Customers For Leverage
Some of the top ransomware gangs are deploying a new pressure tactic to push more victim organisations into paying an extortion demand: Emailing the victim’s customers and partners directly, warning that their data will be leaked to the dark web unless they can convince the victim firm to pay up.
https://krebsonsecurity.com/2021/04/ransom-gangs-emailing-victim-customers-for-leverage/
'We Have Your Porn Collection': The Rise Of Extortionware
Experts say the trend towards ransoming sensitive private information could affect companies not just operationally but through reputation damage. It comes as hackers bragged after discovering an IT Director's secret porn collection. The targeted US firm has not publicly acknowledged that it was hacked. In its darknet blog post about the hack last month, the cyber-criminal gang named the IT director whose work computer allegedly contained the files.
https://www.bbc.co.uk/news/technology-56570862
Should Firms Be More Worried About Firmware Cyber Attacks?
Microsoft recently put out a report claiming that businesses globally are neglecting a key aspect of their cyber security - the need to protect computers, servers, and other devices from firmware attacks. Its survey of 1,000 cyber security decision makers at enterprises across multiple industries in the UK, US, Germany, Japan, and China has revealed that 80% of firms have experienced at least one firmware attack in the past two years. Yet only 29% of security budgets have been allocated to protect firmware.
https://www.bbc.co.uk/news/business-56671419
Armed Conflict Draws Closer As State-Backed Cyber Attacks Intensify
The world is coming perilously close to nation states retaliating against cyber attacks with conventional weapons, according to a new HP report. Publicly available reports into state-sponsored attacks and interviews with scores of experts. It claimed there has been a 100% increase in “significant” state-backed attacks between 2017-20, and an average of over 10 publicly attributed attacks per month in 2020 alone.
https://www.infosecurity-magazine.com/news/armed-conflict-closer-state/
Coca-Cola Trade Secret Theft Underscores Importance Of Insider Threat Early Detection
The trial of Xiaorong You started in Greenville, TN, this week. She is accused of trade secret theft and economic espionage after allegedly stealing technologies owned by several companies, including her former employers Coca-Cola and Eastman Chemical Company. The value placed on the development of the stolen technologies is $119.6 million. Other affected companies include Azko-Nobel, Dow Chemical, PPG, TSI, Sherwin Williams and ToyoChem.
The details of the case suggest that the damages the accused is allegedly responsible for could have been minimized if better real-time insider threat detection methods had been in place. They also outline possible motives for the theft of the intellectual property: ego and money.
Attackers Blowing Up Discord, Slack With Malware
Workflow and collaboration tools like Slack and Discord have been infiltrated by threat actors, who are abusing their legitimate functions to evade security and deliver info-stealers, remote-access trojans (RATs) and other malware. The pandemic-induced shift to remote work drove business processes onto these collaboration platforms in 2020, and predictably, 2021 has ushered in a new level cyber criminal expertise in attacking them.
https://threatpost.com/attackers-discord-slack-malware/165295/
Scraped Data Of 500 Million LinkedIn Users Being Sold Online, 2 Million Records Leaked As Proof
An archive containing data purportedly scraped from 500 million LinkedIn profiles has been put for sale on a popular hacker forum, with another 2 million records leaked as a proof-of-concept sample by the post author. The four leaked files contain information about the LinkedIn users whose data has been allegedly scraped by the threat actor, including their full names, email addresses, phone numbers, workplace information, and more.
While users on the hacker forum can view the leaked samples for about $2 worth of forum credits, the threat actor appears to be auctioning the much-larger 500 million user database for at least a 4-digit sum, presumably in bitcoin.
Massive Facebook Data Breach Leaks Info On Millions Of Users
The personal information of hundreds of millions of Facebook users across the globe has been leaked online. Around 533 million Facebook users are thought to have been affected by the data breach, with phone numbers, Facebook ID, full name, location, past location, birthdate, email address, account creation date, relationship status, and personal bios all available. The data is thought to be the same set that was leaked in January 2021 and was available to purchase online, meaning Facebook has failed to secure its users once again.
https://www.techradar.com/uk/news/massive-facebook-data-breach-leaks-info-on-millions-of-users
Threats
Ransomware
Phishing
Malware
Mobile
IOT
Vulnerabilities
Critical Zoom vulnerability triggers remote code execution without user input
Bug allows attackers to hijack Windows time sync software used to track security incidents
AMD admits Zen 3 processors are vulnerable to Spectre-like side-channel attack
SAP Bugs Under Active Cyberattack, Causing Widespread Compromise
Data Breaches
Adult content from hundreds of OnlyFans creators leaked online
A huge trove of credit card records and Social Security numbers just got hacked
Booking.com fined €475,000 for late reporting of data breach
Nation State Actors
Privacy
Other News
Ubiquiti is accused of covering up a ‘catastrophic’ data breach — and it’s not denying it
VISA: Hackers increasingly using web shells to steal credit cards
Cloud-native watering hole attack: Simple and potentially devastating
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Threat Briefing 29 January 2021
Black Arrow Cyber Threat Briefing 29 January 2021: Phishing Attacks Show High-Ranking Execs ‘Most Valuable Asset’ and ‘Greatest Vulnerability’; Paying Ransomware Funding Organised Crime; Police take down botnet that hacked millions of computers; After SolarWinds Hack, Who Knows What Cyber Dangers We Face; Russian businesses warned of retaliatory cyber attacks; iOS vulns actively exploited; Top Cyber Attacks of 2020
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities and cyber related news from the last week.
Top Cyber Headlines of the Week
Phishing Attacks Show High-Ranking Execs May Be ‘Most Valuable Asset,’ and ‘Greatest Vulnerability’
Cyber criminals have been using a phishing kit featuring fake Office 365 password alerts as a lure to target the credentials of chief executives, business owners and other high-level corporate leaders. The scheme highlights the role and responsibility upper management plays in ensuring the security of their own company’s assets.
Insurers 'Funding Organised Crime' by Paying Ransomware Claims
Insurers are inadvertently funding organised crime by paying out claims from companies who have paid ransoms to regain access to data and systems after a hacking attack, Britain’s former top cybersecurity official has warned.
Emotet: Police raids take down botnet that hacked 'millions of computers worldwide'
Emotet, one of the world's most dangerous cyber crime services, has been taken down following one of the largest ever internationally-coordinated actions against cyber criminals. Although it began as banking malware designed to steal financial credentials, Emotet had become an infrastructure tool leased out to cyber criminals to break into victim computer networks and install additional malicious software.
After the SolarWinds Hack, We Have No Idea What Cyber Dangers We Face
Months before insurgents breached the Capitol and rampaged through the halls of Congress, a stealthier invader was muscling its way into the computers of government officials, stealing documents, monitoring e-mails, and setting traps for future incursions. Last March, a hacking team, believed to be affiliated with Russian intelligence, planted malware in a routine software upgrade from a Texas-based I.T. company called SolarWinds, which provides network-management systems to more than three hundred thousand clients.
FSB warns Russian businesses of cyber attacks as retaliation for SolarWinds hack
Russian authorities are alerting Russian organizations of potential cyberattacks launched by the United States in response to SolarWinds attack. The Russian intelligence agency FSB has issued a security alert this week warning Russian organizations of potential cyberattacks launched by the United States in response to the SolarWinds supply chain attack.
Update your iPhone — Apple just disclosed hackers may have 'actively exploited' a vulnerability in its iOS
On Tuesday released a new iOS software update that includes fixes for three security weaknesses in the former version. Its support website that it is aware of the three security bugs and that they "may have been actively exploited. “Also, it does not disclose details regarding security issues "until an investigation has occurred."
Top Cyber Attacks of 2020
"Zoombomb" became the new photobomb—hackers would gain access to a private meeting or online class hosted on Zoom and shout profanities and racial slurs or flash pornographic images. Nation-state hacker groups mounted attacks against organisations involved in the coronavirus pandemic response, including the World Health Organization and Centres for Disease Control and Prevention, some in an attempt to politicize the pandemic.
https://thehackernews.com/2021/01/top-cyber-attacks-of-2020.html
Threats
Ransomware
Cyber Criminals use deceased staff accounts to spread Nemty ransomware
US and Bulgarian authorities disrupt NetWalker ransomware operation
Former UK Cyber Security Chief Says Laws Are Needed to Stop Ransomware Payouts
BEC
Phishing
Other Social Engineering
Malware
DreamBus botnet targets enterprise apps running on Linux servers
Trickbot is back again - with fresh phishing and malware attacks
Mobile
Vulnerabilities
Heap-based buffer overflow in Linux Sudo allows local users to gain root privileges
Vulnerability found in top messaging apps let hackers eavesdrop
Experts Detail A Recent Remotely Exploitable Windows Vulnerability
Former LulzSec Hacker Releases VPN Exploit Used to Hack Hacking Team
KindleDrip exploit – Hacking a Kindle device with a simple email
Data Breaches
Charities
Insider Threats
Nation-State Actors
Denial of Service
Privacy
Reports Published in the Last Week
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Threat Briefing 11 December 2020
Black Arrow Cyber Threat Briefing 11 December 2020: Cyber crime costs the world more than $1 trillion, 50% increase from 2018; One of the world's largest security firms breached; Chinese Breakthrough in Quantum Computing a Warning for Security Teams; Ransom payouts hit record-highs, surging 178% in a year; Ransomware Set to Continue to Evolve
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities and cyber related news from the last week.
Top Cyber Headlines of the Week
Cyber crime costs the world more than $1 trillion, a 50% increase from 2018
Cyber crime costs the world economy more than $1 trillion, or just more than one percent of global GDP, which is up more than 50 percent from a 2018 study that put global losses at close to $600 billion. Beyond the global figure, the report also explored the damage reported beyond financial losses, finding 92 percent of companies felt effects beyond monetary losses.
https://www.helpnetsecurity.com/2020/12/07/cybercrime-costs-world/
FireEye, one of the world's largest security firms, discloses security breach
FireEye, one of the world largest security firms, said today it was hacked and that a "highly sophisticated threat actor" accessed its internal network and stole hacking tools FireEye uses to test the networks of its customers.
The firm said the threat actor also searched for information related to some of the company's government customers.
The attacker was described as a "highly sophisticated threat actor, one whose discipline, operational security, and techniques lead us to believe it was a state-sponsored attack."
Chinese Breakthrough in Quantum Computing a Warning for Security Teams
China’s top quantum-computer researchers have reported that they have achieved quantum supremacy, i.e., the ability to perform tasks a traditional supercomputer cannot. And while it’s a thrilling development, the inevitable rise of quantum computing means security teams are one step closer to facing a threat more formidable than anything before.
https://threatpost.com/chinese-quantum-computing-warning-security/161935/
Ransom payouts hit record-highs, surging 178% in a year
Average ransom payouts increased by 178% in the third quarter of this year, from $84,000 (£63,000) to almost £234,000, compared with the year before. Ransomware payments reached record-highs in 2020 as employees shifted to remote working to curb the spread of the coronavirus pandemic, creating more attack vectors for hackers.
Ransomware Set for Evolution in Attack Capabilities in 2021
Ransomware is set to evolve into a greater threat in 2021 as service offerings and collaborations increase. The year turned out “different than predicted” and the shift to working from home also impacted the e-crime landscape. “This created an industrialization of e-crime groups and their abilities to extend from single groups into business pipelines”
https://www.infosecurity-magazine.com/news/ransomware-evolution-capabilities/
How Organisations Can Prevent Users from Using Breached Passwords
There is no question that attackers are going after your sensitive account data. Passwords have long been a target of those looking to compromise your environment. Why would an attacker take the long, complicated way if they have the keys to the front door?
https://thehackernews.com/2020/12/how-organizations-can-prevent-users.html
Threats
Ransomware
Hackers demand $34.7 million in Bitcoin after ransomware attack on Foxconn
Ransomware forces hosting provider Netgain to take down data centers
Ransomware-struck schools reject £1m demand from crims in timely reminder to always mind the air-gap
Phishing
IOT
Malware
Qbot malware switched to stealthy new Windows autostart method
Microsoft exposes Adrozek, malware that hijacks Chrome, Edge, and Firefox
Social media sharing icons could harbor info-stealing malware
All-new Windows 10 malware is excellent at evading detection
Rana Android Malware Updates Allow WhatsApp, Telegram IM Snooping
Vulnerabilities
Critical, Unpatched Bugs Open GE Radiological Devices to Remote Code Execution
Amnesia:33 vulnerabilities impact millions of smart and industrial devices
Expert discloses zero-click, wormable flaw in Microsoft Teams
Data Breaches
FireEye, one of the world's largest security firms, discloses security breach
Hackers leak data from Embraer, world's third-largest airplane maker
Threat Actors
Insider Threats
Other News
Reports Published in the Last Week
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Threat Briefing 04 December 2020
Black Arrow Cyber Threat Briefing 4 December 2020: Covid vaccine supply chain targeted by hackers; Criminals Favour Ransomware and BEC; Bank Employee Sells Personal Data of 200,000 Clients; 2020 Pandemic changing short- and long-term approaches to risk; Cyber risks take the fun out of connected toys; Remote Workers Admit Lack of Security Training
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities and cyber related news from the last week.
Top Cyber Headlines of the Week
Covid vaccine supply chain targeted by hackers, say security experts
Cyber attackers have targeted the cold supply chain needed to deliver Covid-19 vaccines, according to a report detailing a sophisticated operation likely backed by a nation state.
The hackers appeared to be trying to disrupt or steal information about the vital processes to keep vaccines cold as they travel from factories to hospitals and doctors’ offices.
https://www.ft.com/content/9c303207-8f4a-42b7-b0e4-cf421f036b2f
Criminals to Favour Ransomware and BEC Over Breaches in 2021
The era of the mega-breach may be coming to an end as cyber-criminals eschew consumers’ personal data and focus on phishing and ransomware.
Cyber-criminals are relying less on stolen personal information and more on “poor consumer behaviors” such as password reuse to monetize attacks.
https://www.infosecurity-magazine.com/news/criminals-favor-ransomware-bec/
Bank Employee Sells Personal Data of 200,000 Clients
South Africa–based financial services group Absa has stated that one of its employees sold the personal information of 200,000 clients to third parties.
The group confirmed on Wednesday that the illegal activity had occurred and that 2% of Absa's retail customer base had been impacted.
The employee allegedly responsible for it was a credit analyst who had access to the group's risk-modeling processes.
Data exposed as a result of the security incident included clients' ID numbers, addresses, contact details, and descriptions of vehicles that they had purchased on finance.
https://www.infosecurity-magazine.com/news/bank-employee-sells-personal-data/
LastPass review: Still the leading password manager, despite security history
"'Don't put all your eggs in one basket' is all wrong. I tell you 'put all your eggs in one basket, and then watch that basket,'" said industrialist Andrew Carnegie in 1885. When it comes to privacy tools, he's usually dead wrong. In the case of password managers, however, Carnegie is usually more dead than wrong. To wit, I have been using LastPass so long I don't know when I started using LastPass and, for now, I've got no reason to change that.
The most significant security innovations of 2020
Who gets access? That is the question that drives every security measure and innovation that’s landed on PopSci’s annual compendium since we launched the category in 2008. Every year, that question gets bigger and bigger. In 2020, the world quaked under a global pandemic that took 1.4 million lives, the US saw a rebirth in its civil rights movement, and a spate of record-breaking wildfires forced entire regions to evacuate. And those are just the new scares. A buildup of angst against ad trackers and app snooping led to major changes in hardware and software alike. It was a year full of lessons, nuances, and mini revolutions, and we strive to match that with our choices.
https://www.popsci.com/story/technology/most-important-security-innovations-2020/
2020 security priorities: Pandemic changing short- and long-term approaches to risk
Security planning and budgeting is always an adventure. You can assess current risk and project the most likely threats, but the only real constant in cybersecurity risk is its unpredictability. Layer a global pandemic on top of that and CISOs suddenly have the nearly impossible task of deciding where to request and allocate resources in 2021.
Show how the COVID pandemic has changed what security focuses on now and what will drive security priorities and spending in 2021. Based on a survey of 522 security professionals from the US, Asia/Pacific and Europe, the study reveals how the pandemic has changed the way organizations assess risk and respond to threats—permanently.
Cyber risks take the fun out of connected toys
As Christmas approaches, internet-enabled smart toys are likely to feature heavily under festive trees. While some dolls of decades past were only capable of speaking pre-recorded phrases, modern equivalents boast speech recognition and can search for answers online in real time.
Other connected gadgets include drones or cars such as Nintendo’s Mario Kart Live Home Circuit, where players race each other in a virtual world modelled after their home surroundings.
But for all the fun that such items can bring, there is a risk — poorly-secured Internet of Things toys can be turned into convenient tools for hackers.
https://www.ft.com/content/c653e977-435f-4553-8401-9fa9b0faf632
Remote Workers Admit Lack of Security Training
A third of remote working employees have not received security training in the last six months.
400 remote workers in the UK across multiple industries, while 83% have had access to security best practice training and 88% are familiar with IT security policies, 32% have received no security training in the last six months.
Also, 50% spend two or more hours a week on IT issues, and 42% felt they had to go around the security policies of their organization to do their job.
https://www.infosecurity-magazine.com/news/remote-workers-training/
Threats
Ransomware
Delaware County Pays $500,000 Ransom After Outages
A US county is in the process of paying half-a-million dollars to ransomware extorters who locked its local government network, according to reports.
Pennsylvania’s Delaware County revealed the attack last week, claiming in a notice that it had disrupted “portions of its computer network.
“We commenced an immediate investigation that included taking certain systems offline and working with computer forensic specialists to determine the nature and scope of the event. We are working diligently to restore the functionality of our systems,” it said.
https://www.infosecurity-magazine.com/news/delaware-county-pays-500k-ransom/
MasterChef Producer Hit by Double Extortion Ransomware
A multibillion-dollar TV production company has become the latest big corporate name caught out by ransomware, it emerged late last week.
The firm owns over 120 production firms around the world, delivering TV shows ranging from MasterChef and Big Brother to Black Mirror and The Island with Bear Grylls.
In a short update last Thursday, it claimed to be managing a “cyber-incident” affecting the networks of Endemol Shine Group and Endemol Shine International, Dutch firms it acquired in a $2.2bn deal in July.
Although ransomware isn’t named in the notice, previous reports suggest the firm is being extorted.
https://www.infosecurity-magazine.com/news/masterchef-producer-double/
Sopra Steria to take multi-million euro hit on ransomware attack
The company revealed in October that it had been hit by hackers using a new version of Ryuk ransomware.
It now says that the fallout, with various systems out of action, is likely to have a gross negative impact on operating margin of between €40 million and €50 million.
The group's insurance coverage for cyber risks is EUR30 million, meaning that negative organic revenue growth for the year is now expected to be between 4.5% and five per cent (previously between two per cent and four per cent). Free cash flow is now expected to be between €50 million and €100 million (previously between €80 million and €120 million).
BEC
FBI: BEC Scams Are Using Email Auto-Forwarding
The agency notes in an alert made public this week that since the COVID-19 pandemic began, leading to an increasingly remote workforce, BEC scammers have been taking advantage of the auto-forwarding feature within compromised email inboxes to trick employees to send them money under the guise of legitimate payments to third parties.
This tactic works because most organizations do not sync their web-based email client forwarding features with their desktop client counterparts. This limits the ability of system administrators to detect any suspicious activities and enables the fraudsters to send malicious emails from the compromised accounts without being detected, the alert, sent to organizations in November and made public this week, notes.
https://www.bankinfosecurity.com/fbi-bec-scams-are-using-email-auto-forwarding-a-15498
Phishing
Phishing lures employees with fake 'back to work' internal memos
Scammers are trying to steal email credentials from employees by impersonating their organization's human resources (HR) department in phishing emails camouflaged as internal 'back to work' company memos.
These phishing messages have managed to land in thousands of targeted individuals' mailboxes after bypassing G Suite email defences according to stats provided by researchers at email security company Abnormal Security who spotted this phishing campaign.
There is a high probability that some of the targets will fall for the scammers' tricks given that during this year's COVID-19 pandemic most companies have regularly emailed their employees with updates regarding remote working policy changes.
Warning: Massive Zoom phishing targets Thanksgiving meetings
Everyone should be on the lookout for a massive ongoing phishing attack today, pretending to be an invite for a Zoom meeting. Hosted on numerous landing pages, BleepingComputer has learned that thousands of users' credentials have already been stolen by the attack.
With many in the USA hosting virtual Thanksgiving dinners and people in other countries conducting Zoom business meetings, as usual, today is a prime opportunity to perform a phishing attack using Zoom invite lures.
Malware
All-new Windows 10 malware is excellent at evading detection
Security researchers at Kaspersky have discovered a new malware strain developed by the hacker-for-hire group DeathStalker that has been designed to avoid detection on Windows PCs.
While the threat actor has been active since at least 2012, DeathStalker first drew Kaspersky's attention back in 2018 because of its distinctive attack characteristics which didn't resemble those employed by cybercriminals or state-sponsored hackers.
https://www.techradar.com/news/all-new-windows-10-malware-is-excellent-at-evading-detection
New TrickBot version can tamper with UEFI/BIOS firmware
The operators of the TrickBot malware botnet have added a new capability that can allow them to interact with an infected computer's BIOS or UEFI firmware.
The new capability was spotted inside part of a new TrickBot module, first seen in the wild at the end of October, security firms Advanced Intelligence and Eclypsium said in a joint report published today.
The new module has security researchers worried as its features would allow the TrickBot malware to establish more persistent footholds on infected systems, footholds that could allow the malware to survive OS reinstalls.
https://www.zdnet.com/article/new-trickbot-version-can-tamper-with-uefibios-firmware/
Russia-linked APT Turla used a new malware toolset named Crutch
Russian-linked APT group Turla has used a previously undocumented malware toolset, named Crutch, in cyberespionage campaigns aimed at high-profile targets, including the Ministry of Foreign Affairs of a European Union country.
The Turla APT group (aka Snake, Uroburos, Waterbug, Venomous Bear and KRYPTON) has been active since at least 2007 targeting diplomatic and government organizations and private businesses in the Middle East, Asia, Europe, North and South America, and former Soviet bloc nations.
https://securityaffairs.co/wordpress/111813/apt/turla-crutch-malware-platform.html
MacBooks under attack by dangerous malware: What to do
a recent spate of malware attacks targeting macOS of late that installs backdoors to steal sensitive personal information. The security firm discovered that a new malware variant is being used online and backed by a rogue nation-state hacking group known as OceanLotus, which also operates under the name AKTP2 and is based in Vietnam.
The new malware was created by OceanLotus due to the “similarities in dynamic behavior and code” from previous malware connected to the Vietnamese-based hacking group.
https://www.laptopmag.com/news/macbooks-under-attack-by-dangerous-malware-what-to-do
Hackers Using Monero Mining Malware as Decoy, Warns Microsoft
The company’s intelligence team said a group called BISMUTH hit government targets in France and Vietnam with relatively conspicuous monero mining trojans this summer. Mining the crypto generated side cash for the group, but it also distracted victims from BISMUTH’s true campaign: credential theft.
Crypto-jacking “allowed BISMUTH to hide its more nefarious activities behind threats that may be perceived to be less alarming because they’re ‘commodity’ malware,” Microsoft concluded. It said the conspicuousness of monero mining fits BISMUTH’s “hide in plain sight” MO.
Microsoft recommended organizations stay vigilant against crypto-jacking as a possible decoy tactic.
https://www.coindesk.com/hackers-using-monero-mining-malware-as-decoy-warns-microsoft
Vulnerabilities
Zerologon is now detected by Microsoft Defender for Identity
There has been a huge focus on the recently patched CVE-2020-1472 Netlogon Elevation of Privilege vulnerability, widely known as ZeroLogon. While Microsoft strongly recommends that you deploy the latest security updates to your servers and devices, we also want to provide you with the best detection coverage possible for your domain controllers. Microsoft Defender for Identity along with other Microsoft 365 Defender solutions detect adversaries as they try to exploit this vulnerability against your domain controllers.
Privacy
'We've heard the feedback...' Microsoft 365 axes per-user productivity monitoring after privacy backlash
If you heard a strange noise coming from Redmond today, it was the sound of some rapid back-pedalling regarding the Productivity Score feature in its Microsoft 365 cloud platform.
Following outcry from subscribers and privacy campaigners, the Windows giant has now vowed to wind back the functionality so that it no longer produces scores for individual users, and instead just summarizes the output of a whole organization. It was feared the dashboard could have been used by bad bosses to measure the productivity of specific employees using daft metrics like the volume of emails or chat messages sent through Microsoft 365.
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Threat Briefing 06 November 2020
Cyber Threat Briefing 06 November 2020
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest of open source intelligence (OSINT), collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities and cyber related news from the last week.
Top Cyber Headlines of the Week
2020 could be 'the worst year in cyber security history'
Businesses around the world are severely unprepared to face the sheer scale of cyber threats facing us today, new research has claimed.
The latest 2020 Business Threat Landscape report from security firm Bitdefender has said that this could be the worst year in cyber security history, as despite multiple warnings, many firms still aren't ready to protect themselves.
Bitdefender's report found that the "new normal" of remote working had led many businesses to face difficulties in ensuring their online protection, with 50% of organisations "completely unprepared" to face a scenario in which they had to migrate their entire workforce in a working from home environment.
https://www.techradar.com/news/2020-could-be-the-worst-year-in-cybersecurity-history
Two-Thirds of Financial Services Firms Suffered Cyber-Attack in the Past Year
Almost two-thirds (65%) of large financial services companies have suffered a cyber attack in the past year, while 45% have experienced a rise in attack attempts since the start of the COVID-19 pandemic.
This is according to new research from HelpSystems, which surveyed 250 CISOs and CIOs in global financial services firms about the impact of the pandemic on their cybersecurity.
It highlighted that these organisations are taking cybersecurity increasingly seriously, with 92% stating that they have increased investment in this area over the past 12 months, with 26% doing so by a significant amount. The main targets of this investment have included secure file transfer (64%), protecting the remote workforce (63%) and cloud/office365 (56%).
https://www.infosecurity-magazine.com/news/two-thirds-financial-services/
Proofpoint survey: IT security leaders worry about and are ill-prepared to defeat cyber-attacks
IT security leaders say they are ill-prepared for a cyber attack and believe that human error and a lack of security awareness are major risk factors for their organisations, according to a series of reports and surveys from cyber security vendor Proofpoint. But there are some marked variations in both the rates and the types of cyber attack between the regions surveyed.
It’s a dynamic attack landscape: in the DACH countries of Germany, Austria and Switzerland 67 per cent of IT security leaders say they have suffered at least one attack in the last 12 months, while in Benelux 72 per cent of respondents say their business has suffered at least one cyber attack in the same time period. In Sweden 59 per cent of businesses have been attacked at least once, while in the UAE the figure is much higher at 82 per cent - with 51 per cent of IT security leaders in the UAE saying their business has been targeted multiple times.
https://www.theregister.com/2020/11/05/proofpoint_survey_it_security_leaders/
Akamai sees doubling in malicious internet traffic as remote world’s bad actors boom, too
Akamai Technologies’ CEO said he is impressed by the amazing traffic levels on the internet during the coronavirus pandemic, and the world technology infrastructure’s ability to handle it. But during the stay-at-home boom, the web and cyber security expert also has been closely watching a boom in bad actors.
With so many people working from home, hackers are taking advantage, and massively increasing the number of attacks as daily routine changes caused by the pandemic are prolonged, and become potentially permanent.
“I think the threat actors are trying to take advantage of the pandemic, and of course, the prize is greater now that so much business has moved online”
Quarter-over-quarter — Akamai reported its Q3 results this week — the cyber security and cloud computing company has tracked a doubling of malicious traffic as telecommuting makes for easier targets.
Attacks Against Microsoft’s Remote Desktop Protocol Soar Under Work From Home Measures
The number of Remote Desktop Protocol (RDP) attacks soared by 140% in Q3 compared with the previous quarter, as cyber criminals looked to take advantage of companies relying on remote access while working from home.
RDP makes it possible for one computer to connect to another over a network and control it as though the individual was sat at the keyboard themselves. While the Microsoft tool is useful for businesses and popular among IT administrators, it has increasingly been targeted by hackers who try to gain administrator access to company servers. Once inside they are able to disable security software, steal files, delete data and install malicious software.
Slovak internet security firm ESET detected the surge between July and September, with the number of separate companies reporting brute-force attacks against their RDP connection increasing by 37% quarter-over-quarter.
Threats
Ransomware
Ransomware gangs that steal your data don't always delete it
Ransomware gangs that steal a company's data and then get paid a ransom fee to delete it don't always follow through on their promise.
The number of cases where something like this has happened has increased, according to a report published by Coveware this week and according to several incidents shared by security researchers with ZDNet researchers over the past few months.
https://www.zdnet.com/article/ransomware-gangs-that-steal-your-data-dont-always-delete-it/
Spike in Emotet activity could mean big payday for ransomware gangs
There's been a massive increase in Emotet attacks and cyber criminals are taking advantage of machines compromised by the malware to launch more malware infections as well as ransomware campaigns.
The October 2020 HP-Bromium Threat Insights Report reports a 1,200% increase in Emotet detections from July to September compared to the previous three months in which deployment of the malware appeared to decline.
https://www.zdnet.com/article/spike-in-emotet-activity-could-mean-big-payday-for-ransomware-gangs/
Italian beverage vendor Campari knocked offline after ransomware attack
Campari Group, the famed Italian beverage vendor behind brands like Campari, Cinzano, and Appleton, has been hit by a ransomware attack and has taken down a large part of its IT network.
The attack took place last Sunday, on November 1, and has been linked to the RagnarLocker ransomware gang, according to a copy of the ransom note shared with ZDNet by a malware researcher who goes online by the name of Pancak3.
Hackney Council still working to restore services as IT boss describes horror at cyber attack
Hackney’s director of information communication technology (ICT) Rob Miller was playing football with his family on a Sunday morning early in October when he got a message letting him know there was a systems outage being investigated at the Town Hall.
By the end of Sunday, the council had moved swiftly to shut down its systems, declared an emergency and notified national agencies after Miller’s team found “clear markers” that the local authority had been hit by a serious cyber attack.
Leading toy maker Mattel hit by ransomware
Toy industry giant Mattel disclosed that they suffered a ransomware attack in July that impacted some of its business functions but did not lead to data theft.
Mattel is the second-largest toymaker in the world with 24,000 employees and $5.7 billion in revenue for 2019. Mattel is known for its popular brands, including Barbie, Hot Wheels, Fisher-Price, American Girl, and Thomas & Friends.
https://www.bleepingcomputer.com/news/security/leading-toy-maker-mattel-hit-by-ransomware/
Business Email Compromise (BEC)
BEC attacks increase in most industries, invoice and payment fraud rise by 155%
BEC attacks increased 15% quarter-over-quarter, driven by an explosion in invoice and payment fraud, Abnormal Security research reveals.
“As the industry’s only measure of BEC attack volume by industry, our quarterly BEC research is important for CISOs to prepare and stay ahead of attackers,” said Evan Reiser, CEO of Abnormal Security.
“Not only are BEC campaigns continuing to increase overall, they are rising in 75% of industries that we track. Since these attacks are targeted and sophisticated, these increases could indicate an ability for threat actors to scale that may overwhelm some businesses.”
For this research, BEC campaigns across eight major industries were tracked, including retail/consumer goods and manufacturing, technology, energy/infrastructure, services, medical, media/tv, finance and hospitality.
https://www.helpnetsecurity.com/2020/11/03/bec-attacks-increase-quarter-over-quarter/
Phishing
Sneaky Office 365 phishing inverts images to evade detection
A creative Office 365 phishing campaign has been inverting images used as backgrounds for landing pages to avoid getting flagged as malicious by crawlers designed to spot phishing sites.
These inverted backgrounds are commonly used as part of phishing kits that attempt to clone legitimate login pages as closely as possible to harvest a target's credentials by tricking them into entering them into a fake login form.
The BBC Experiences Over 250,000 Malicious Email Attacks Per Day
The British Broadcasting Corporation (BBC), the UK’s public service broadcaster, faces in excess of a quarter of a million malicious email attacks every day, according to data obtained following a Freedom of Information (FoI) request.
The corporation blocked an average of 283,597 malicious emails per day during the first eight months of 2020.
According to the data, every month the BBC receives an average of 6,704,188 emails that are classified as scam or spam as well as 18,662 malware attacks such as viruses, ransomware and spyware. In total, 51,898,393 infected emails were blocked in the period from January to August 2020.
The month which contained the highest amount of recorded incidents was July, when the BBC received 6,787,635 spam and 13,592 malware attempts. The next highest was March, when the COVID-19 first struck the UK, with 6,768,632 spam emails and 14,089 malware attacks.
https://www.infosecurity-magazine.com/news/bbc-experiences-malicious-email/
Malware
US Cyber Command exposes new Russian malware
US Cyber Command has exposed eight new malware samples that were developed and deployed by Russian hackers in recent attacks
Six of the eight samples are for the ComRAT malware (used by the Turla hacking group), while the other two are samples for the Zebrocy malware (used by the APT28 hacking group).
Both ComRAT and Zebrocy are malware families that have been used by Russia hacking groups for years, with ComRAT being deployed in attacks for more than a decade, having evolved from the old Agent.BTZ malware.
https://www.zdnet.com/article/us-cyber-command-exposes-new-russian-malware/
IoT
New data shows just how badly home users overestimate IoT security
A new survey from the National Cyber Security Alliance (NCSA) shows adult workers vastly overestimate the security of the internet devices in their homes.
The survey polled 1,000 adults – 500 aged 18-34 and 500 aged 50-75 – and found that the overwhelming majority of both believed the internet of things devices they owned were secure.
IoT devices, particularly those that are cheap, outdated and hard to upgrade, are widely considered to be an easy target for hackers. Yet 87 percent of the younger group and 77 percent of the older group said they were either “somewhat” or “very confident” in the security of their connected things
Vulnerabilities
Windows 10 zero-day could allow hackers to seize control of your computer
A security bug has been discovered that affects every version of the Windows operating system, from Windows 7 to Windows 10. The vulnerability can be found within the Windows Kernel Cryptography Driver and enables attackers to gain admin-level control of a victim’s computer.
The flaw was discovered by Google’s Project Zero security team, which subsequently notified Microsoft. The Redmond-based firm was given seven days to patch the bug before Google published further details – a task that proved beyond the company.
Adobe warns Windows, MacOS users of critical acrobat and reader flaws
Adobe has fixed critical-severity flaws tied to four CVEs in the Windows and macOS versions of its Acrobat and Reader family of application software services. The vulnerabilities could be exploited to execute arbitrary code on affected products.
These critical flaws include a heap-based buffer overflow, out-of-bounds write glitch and two use-after free flaws. The bugs are part of Adobe’s regularly scheduled patches, which overall patched critical-, important- and moderate-severity vulnerabilities tied to 14 CVEs.
https://threatpost.com/adobe-windows-macos-critical-acrobat-reader-flaws/160903/
Zero-day in Cisco AnyConnect Secure Mobility Client yet to be fixed
Cisco has disclosed a zero-day vulnerability, in the Cisco AnyConnect Secure Mobility Client software with the public availability of a proof-of-concept exploit code.
The flaw resided in the inter-process communication (IPC) channel of Cisco AnyConnect Client, it can be exploited by authenticated and local attackers to execute malicious scripts via a targeted user.
Critical bug actively used to deploy Cobalt Strike on Oracle servers
Threat actors are actively exploiting Oracle WebLogic servers unpatched against CVE-2020-14882 to deploy Cobalt Strike beacons which allow for persistent remote access to compromised devices.
Cobalt Strike is a legitimate penetration testing tool also used by threat actors in post-exploitation tasks and to deploy so-called beacons that enable them to gain persistent remote access.
This later allows them to access the compromised servers to harvest data and to deploy second stage malware payloads.
Oracle Solaris Zero-Day Attack Revealed
A previously known threat group, called UNC1945, has been compromising telecommunications companies and targeting financial and professional consulting industries, by exploiting a security flaw in Oracle’s Solaris operating system.
Researchers said that the group was exploiting the bug when it was a zero-day, long before a patch arrived.
The bug, was recently addressed in Oracle’s October 2020 Critical Patch Update. The vulnerability exists in the Oracle Solaris Pluggable Authentication Module (PAM) and allows an unauthenticated attacker with network access via multiple protocols to exploit and compromise the operating system. Threat actors utilized a remote exploitation tool, which researchers call “EVILSUN,” to exploit the flaw.
https://threatpost.com/oracle-solaris-zero-day-attack/160929/
Data Breaches
Marriott Hotels fined £18.4m for data breach that hit millions
The UK's data privacy watchdog has fined the Marriott Hotels chain £18.4m for a major data breach that may have affected up to 339 million guests.
The Information Commissioner's Office (ICO) said names, contact information, and passport details may all have been compromised in a cyber-attack.
The breach included seven million guest records for people in the UK.
The ICO said the company failed to put appropriate safeguards in place but acknowledged it had improved.
https://www.bbc.co.uk/news/technology-54748843
23,600 hacked databases have leaked from a defunct 'data breach index' site
More than 23,000 hacked databases have been made available for download on several hacking forums and Telegram channels in what threat intel analysts are calling the biggest leak of its kind.
The database collection is said to have originated from Cit0Day.in, a private service advertised on hacking forums to other cybercriminals.
Cit0day operated by collecting hacked databases and then providing access to usernames, emails, addresses, and even cleartext passwords to other hackers for a daily or monthly fee.
Cybercriminals would then use the site to identify possible passwords for targeted users and then attempt to breach their accounts at other, more high-profile sites.
Other News
Deloitte's 'Test your Hacker IQ' site fails itself after exposing database user name, password in config file
Suspended sentence for bank IT worker who hacked his boss's webcam because he didn't get a payrise
APT Groups Finding Success with Mix of Old and New Tools
Quantum computing may make current encryption obsolete, a quantum internet could be the solution
Reports Published in the Last Week
NCSC defends UK from more than 700 cyber attacks while supporting national pandemic response
The NCSC's fourth Annual Review reveals its ongoing work against cyber attacks, support for the UK during the coronavirus pandemic.
https://www.ncsc.gov.uk/news/ncsc-defends-uk-700-cyber-attack-national-pandemic
Ransomware Demands continue to rise as Data Exfiltration becomes common, and Maze subdues
The Coveware Quarterly Ransomware Report describes ransomware incident response trends during Q3 of 2020. Ransomware groups continue to leverage data exfiltration as a tactic, though trust that stolen data will be deleted is eroding as defaults become more frequent when exfiltrated data is made public despite the victim paying. In Q3, Coveware saw the Maze group sunset their operations as the active affiliates migrated to Egregor (a fork of Maze). We also saw the return of the original Ryuk group, which has been dormant since the end of Q1.
https://www.coveware.com/blog/q3-2020-ransomware-marketplace-report
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Cyber Weekly Flash Briefing 11 September 2020: Ransomware 41% of H1 2020 cyber insurance claims, MS Critical RCE Bugs, 60% of emails May/June fraudulent, Insider Data Breaches, Linux Targeting More
Cyber Weekly Flash Briefing 11 September 2020: Ransomware 41% of all H1 2020 cyber insurance claims, MS Patch Tuesday Critical RCE Bugs, 60 percent of emails May/ June were fraudulent, Insider-Enabled Data Breaches, Linux-Based Devices Targeted More, Chilean bank shut down following ransomware, meddling in US politics by Russia, China & Iran, TikTok battles to remove video of livestreamed suicide
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Ransomware accounted for 41% of all cyber insurance claims in H1 2020
Ransomware incidents have accounted for 41% of cyber insurance claims filed in the first half of 2020, according to a report published today by one of the largest providers of cyber insurance services in North America.
The high number of claims comes to confirm previous reports from multiple cyber-security firms that ransomware is one of today's most prevalent and destructive threats.
Ransomware doesn't discriminate by industry. An increase in ransom attacks has been seen across almost every industry.
In the first half of 2020 alone, they observed a 260% increase in the frequency of ransomware attacks amongst their policyholders, with the average ransom demand increasing 47%.
Among the most aggressive gangs, the cyber insurer listed Maze and DoppelPaymer, which have recently begun exfiltrating data from hacked networks, and threatening to release data on specialized leak sites, as part of double extortion schemes.
Why this matters:
Ransomware remains, and is likely to remain, by far one of the biggest menaces on the web, it is indiscriminate, anyone can be affected, it can be business destroying, and it is getting worse all the time.
Read more: https://www.zdnet.com/article/ransomware-accounts-to-41-of-all-cyber-insurance-claims/
Microsoft’s Patch Tuesday Packed with Critical RCE Bugs
Microsoft has released patches for 129 security bugs in its September Patch Tuesday update. These include 23 critical flaws, 105 that are important in severity and one moderate bug. Fortunately, none are publicly known or under active exploitation, Microsoft said.
The most severe issue in the bunch is CVE-2020-16875, according to researchers. This is a memory-corruption problem in Microsoft Exchange that allows remote code-execution (RCE) just by sending an email to a target. Running arbitrary code could grant attackers the access they need to create new accounts, access, modify or remove data, and install programs.
Why this matters:
Many organisations are struggling to keep up with the volume of updates and keeping on top of them, or knowing which to prioritise, is critical for firms. At a time while many organisations continue to struggle to support the ongoing distribution of remote workers, Microsoft continues to pile on the updates and finding an efficient method for rolling out these patches has become even more imperative as companies begin to abandon the idea of a short-term fix and shift operations to embrace remote work as part of a lasting, long-term progression of how organisations operate moving forward.
Firms are beginning to realise the negative outcomes of the lenient security measures put in place to quickly adapt to a decentralised workforce and it’s become more important than ever to establish patching policies that can securely support remote endpoints for the foreseeable future.
Read more: https://threatpost.com/microsofts-patch-tuesday-critical-rce-bugs/159044/
60 percent of emails in May and June were fraudulent
The COVID-19 pandemic has seen a spike in scams, phishing and malware across all platforms and attack vectors. The latest mid-year threat landscape report from Bitdefender shows that in May and June, an average of 60 percent of all received emails were fraudulent.
In addition there’s been a five-fold increase in the number of coronavirus-themed attacks and a 46 percent increase in attacks aimed at home IoT devices.
IoT malware has become versatile, robust, and is constantly updated. IrcFlu, Dark_Nexus7 and InterPLanetary Storm are some of the examples malware that gained in popularity during the first half of 2020.
Mobile malware has been quick to capitalise too, with malware developers rushing to weaponise popular applications, such as the Zoom video conferencing application, used by employees now working from home. Packing RAT (Remote Access Trojan) capabilities, or bundling them with ransomware, banking malware, or even highly aggressive adware, Android malware developers were also fully exploiting the pandemic wave.
Why this matters:
As we keep saying malicious actors never let a good crisis or tragedy go to waste and will exploit whatever is going on in the world or anything there is a collective interest in to real in unsuspecting victims.
Good awareness and education are key in keeping your employees and users safe and ensuring users at all levels, including board members – who present a significant risk, are up to date with latest tactics and threats.
Email in particular will remain primary vector for attack and this is unlikely to change any time soon.
Read more: https://betanews.com/2020/09/08/60-percent-of-emails-in-may-and-june-were-fraudulent/
Businesses [should] Fear Insider-Enabled Data Breaches
Businesses fear suffering a data breach and expect it to be caused by an insider or internal error.
A survey of 500 IT professionals found that 94% of respondents have experienced a data breach, and 79% were worried their organisation could be next.
The fear associated with breaches stems from the security culture within the organisation, along with the security reporting structure.
Having security teams in close dialogue with executive leadership, supporting the leadership to make informed risk-based decisions and driving the business strategy, including the technologies used, reduces this fear significantly.
Secondly, not understanding information security, its components and principles drives fear and anxiety of the unknown, so having security education training, and developing awareness and consciousness of threats, will enable and empower the entire organisation to act with a ‘security first’ mindset.
Finally, recognising the importance of access control to protect systems and data is a foundational level control that organisations can apply to reduce the risk of a data breach. Hand in hand with this is partnering with trusted identity and access control platform providers who can provide enterprises with that security expertise and industry leadership.
Why this matters:
In terms of what is causing the breaches, 40% of respondents to the survey said accidental employee incidents were to blame, compared to 21% who said it is external attackers. Asked if this is a case of businesses not having a handle on what leaves their organisations (either intentionally or accidentally), insiders already have access and can leave with data invisibly, which might turn up somewhere embarrassing later.
Read more: https://www.infosecurity-magazine.com/news/businesses-insider-breaches/
4 top vulnerabilities ransomware attackers exploited in 2020
As more employees work from home, attackers have more endpoints to target. These unpatched vulnerabilities in remote access tools and Windows makes their job easier.
The biggest security trend for 2020 has been the increase of COVID-19-related phishing and other attacks targeting remote workers. New York City, for example, has gone from having to protect 80,000 endpoints to around 750,000 endpoints in its threat management since work-from-home edicts took place.
As noted in a recent Check Point Software Technologies mid-year review, “The first impact of the pandemic was the proliferation of malware attacks that used social engineering techniques with COVID-19 thematic lures for the delivery stage.” Domain names were set up and parked with names relating to the pandemic. As workers started to use videoconferencing platforms, attacks moved to attacking Zoom, Teams and other videoconferencing platforms.
One disturbing trend is that 80% of the observed attacks in the first half of 2020 used vulnerabilities reported and registered in 2017 and earlier, according to the Check Point report, and more than 20% of the attacks used vulnerabilities that are at least seven years old. This showcases that we have a problem in keeping our software up to date.
Why this matters:
Ransomware remains a big threat 2020 and expanding attack surfaces with staff working from home is making the situation worse. Attackers use vulnerabilities in tools used for remote access into Windows networks.
Click read more below to find out the top four vulnerabilities the researchers identified.
APT Groups Increasingly Targeting Linux-Based Devices
APT groups are increasingly executing targeted attacks against Linux-based devices as well as developing more Linux-focused tools, according to an investigation by Kaspersky.
This is as a result of a growing number of organisations’ selecting Linux ahead of Windows to run their strategically important servers and systems, and the perception that the Linux operating system is safer and less likely to be targeted by malware as it is less popular.
However, threat-actors have been observed to adapt their tactics to take advantage of this trend, and Kaspersky noted that “over a dozen APT actors have been observed to use Linux malware or some Linux-based modules” during the past eight years.
These include notorious groups such as Turla, Lazarus, Barium, Sofacy, the Lamberts and Equation. Kaspersky highlighted the example of Russian speaking APT group Turla using Linux backdoors as part of its changing toolset in recent years.
Why this matters:
Attacks that target Linux-based systems are still fewer in number than attacks on Windows based systems, but there is still malware designed to target them, including webshells, backdoors, rootkits and even custom-made exploits.
Read more: https://www.infosecurity-magazine.com/news/apt-targeting-linux-based-devices/
Major Chilean bank shuts down all branches following ransomware attack
Banco Estado, the only public bank in Chile and one of the three largest in the country, had to shut down its nationwide operations on Monday due to a cyberattack that turned out to be a ransomware launched by REvil.
According to a public statement, the branches will remain closed for at least one day, but clarified that customers’ funds have not been affected by the incident.
Sources close to the investigation reported that the REvil ransomware gang is behind the attack. It reportedly originated from an Office document infected with the malware that an employee received and proceeded to open.
The incident was reported to the Chilean authorities, who issued a cyber-security alert that warned about a massive ransomware campaign targeting the private sector in the country.
Why this matters:
As above ransomware is not going away and is getting worse all the time. Too many users don’t realise that simply opening a document or clicking on a link in an email could bring down their entire organisations. Staff and users need to be educated about the role they play in securing their organisations.
Vulnerabilities discovered in PAN-OS, which powers Palo Alto Networks’ firewalls
Palo Alto Networks this week remediated vulnerabilities in PAN-OS (operating systems version 8.1 or later) which command injection, cross site scripting and the ability to upload unauhtoised files to a directory which might lead to denial of service.
Why this matters:
Attackers can use these vulnerabilities to gain access to sensitive data or develop the attack to gain access to the internal segments of the network of a company that uses vulnerable protection tools.
Any security fixes for known vulnerabilities across any different product, software or firmware should be tested and applied as soon as possible, so those vulnerabilities cannot be used against you or your organisation.
Read more: https://www.helpnetsecurity.com/2020/09/10/vulnerabilities-discovered-in-pan-os/
Russia, China and Iran hackers target Trump and Biden, Microsoft says
Hackers with ties to Russia, China and Iran are attempting to snoop on people and groups involved with the US 2020 presidential election, Microsoft says.
The Russian hackers who breached the 2016 Democratic campaign are again involved, said the US tech firm.
Microsoft said it was "clear that foreign activity groups have stepped up their efforts" targeting the election.
Both President Donald Trump and Democrat Joe Biden's campaigns are in the cyber-raiders' sights.
Russian hackers from the Strontium group have targeted more than 200 organisations, many of which are linked to US political parties - both Republicans and Democrats, Microsoft said in a statement.
Why this matters:
The same attackers have also targeted British political parties, said Microsoft, without specifying which ones. Any meddling in politics by foreign states is a clear threat to the democratic process and shows that unfriendly states will interfere to further their own agendas.
Read more: https://www.bbc.co.uk/news/world-us-canada-54110457
TikTok battles to remove video of livestreamed suicide
TikTok is battling to remove a graphic video of a livestreamed suicide, after the footage was uploaded to the service on Sunday night from Facebook, where it was initially broadcast.
Although the footage was rapidly taken down from TikTok, users spent much of Monday re-uploading it, initially unchanged, but later incorporated into so-called bait-and-switch videos, which are designed to shock and upset unsuspecting users.
One such video, for instance, begins with a conventional video of an influencer talking to camera, before cutting without warning to the graphic footage.
Why this matters:
Parents, especially of younger children, may think that certain sites and social media channels are safe for children and the content is suitable vetted and controlled, but as this illustrates that is often not the case and caution should be exercised in allow young children unfettered access to social media.
Cyber Weekly Flash Briefing 28 August 2020: cyber crime cost per minute $11.4m by 2021, Trend block 28 billion Cyber Threats H1 2020, Malicious Attachments Top Threat, NK hackers ramp up bank heists
Cyber Weekly Flash Briefing 28 August 2020: global cost of cybercrime per minute to reach $11.4 million by 2021, Trend blocks 28 Billion Cyber-Threats in H1 2020, Malicious Attachments Remain a Cyber Criminal Threat Vector Favourite, 80% of Exploits Published Faster than CVEs, North Korean hackers ramp up bank heists
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
The global cost of cyber crime per minute to reach $11.4 million by 2021
Cyber crime costs organisations $24.7, YOY increase of more than $2 every minute, according to a new report. It will also have a per-minute global cost of $11.4 million by 2021, a 100% increase over 2015.
The report covers the top threats facing today’s organizations, which are proliferating at a clip of 375 per minute, and reflects the current surge in attacks leveraging the COVID-19 pandemic.
Other malicious activity
1.5 attacks on computers with an Internet connection per minute
375 new threats per minute
16,172 records compromised per minute
1 vulnerability disclosed every 24 minutes
5.5 vomain infringements detected per minute
1 Magecart attack every 16 minutes
1 COVID-19 blacklisted domain every 15 minutes
35 COVID-19 spam emails analysed per minute
Why this matters:
The sheer scale of today’s threat activity is driven by a variety of factors, including that cyber crime is easier than ever to participate in and better threat technology makes cyber criminals more effective and wealthier than in the past.
Read more: https://www.helpnetsecurity.com/2020/08/28/global-cost-of-cybercrime-per-minute/
Trend Micro Blocks 28 Billion Cyber-Threats in H1 2020
Trend Micro blocked nearly nine million COVID-related threats in the first half of 2020, the vast majority of which were email-borne, it revealed in a new mid-year roundup report.
The security giant said it detected 8.8 million cyber-threats leveraging the virus as a lure or theme for attacks, 92% of which were delivered by spam emails.
However, the figure represents less than 1% of the total of 27.8 billion threats the vendor blocked in the first six months of the year.
This chimes with data from Microsoft and others which suggests that cyber-criminals merely repurposed existing campaigns to take advantage of COVID-19. As such, the pandemic itself has not prompted a rise in overall cyber crime levels.
However, the data does show conclusively that email remains the number one threat vector: 93% of total blocked threats were heading for users’ inboxes.
As part of this trend, Business Email Compromise (BEC) detections increased by 19% from the second half of 2019. This is due in part to scammers trying to capitalize on distracted home workers who may be more exposed to social engineering, and less able to check with colleagues if a money transfer request is legitimate or not.
Why this matters:
Email remains the number one threat to all firms and by far the most likely way firms will end up being breached, and this depends on your users being aware and switched on and efficient at spotting email borne attacks as technology solutions alone are not good at blocking email based attacks. Criminals will always exploit current events and crises to improve their effectiveness of their attacks.
Read more: https://www.infosecurity-magazine.com/news/trend-micro-blocks-28-billion/
Malicious Attachments Remain a Cyber Criminal Threat Vector Favourite
Malicious attachments continue to be a top threat vector in the cybercriminal world, even as public awareness increases and tech companies amp up their defences.
While attachment threat vectors are one of the oldest malware-spreading tricks in the books, email users are still clicking on malicious attachments that hit their inbox, whether it’s a purported “job offer” or a pretend “critical invoice.”
The reason why threat actors are still relying on this age-old tactic, researchers say, is that the attack is still working. Even with widespread public awareness about malicious file attachments, attackers are upping their game with new tricks to avoid detection, bypass email protections and more. The attack vector is still widespread enough where tech giants are re-inventing new ways to try to stomp it out, with Microsoft just this week rolling out a feature for Office 365 that aims to protect users against malicious attachments sent via email, for instance.
Why this matters:
Email attachments, such as PDF or Office files, are an easy vector to deliver malicious content to end users. For enterprises, the risk is that malicious actors can use these attachments to establish a toe-hold at the outermost edges of the enterprise, and then wait and wind their way to the crown jewels in their data stores.
Read more here: https://threatpost.com/malicious-attachments-remain-a-cybercriminal-threat-vector-favorite/158631/
The State of Exploit Development: 80% of Exploits Publish Faster than CVEs
With the ever-increasing number of new vulnerabilities, vulnerability management becomes one of the most critical processes in ensuring continuous business operation. While it is clear that timely patching is essential, it’s also important to know quantitatively how a delay could increase risk. What are the chances that attackers breach an organisation using a CVE just disclosed or using an unknown (zero-day) vulnerability? To understand the state of vulnerability disclosure and exploit development, researchers analysed 45,450 the publicly available exploits in the Exploit Database at the time of this writing. The research correlated the exploit data with vulnerability and patch information to study exploit development in multiple facets.
The research reveals that:
Of the 45,450 public exploits in Exploit Database, there are 11,079 (~26%) exploits in Exploit Database that have mapped CVE numbers.
Among those 11,079 exploits:
14% are zero-day (published before the vendors release the patch), 23% are published within a week after the patch release and 50% are published within a month after the patch release. On average, an exploit is published 37 days after the patch is released. Patch as soon as possible – the risk of a vulnerability being exploited increases quickly after vendors release the patches.
80% of public exploits are published before the CVEs are published. On average, an exploit is published 23 days before the CVE is published. Software and hardware may also have vulnerabilities with public exploits that don’t have CVEs. Check security updates from vendors frequently and apply updates as soon as possible.
Analysis of the entire CVE list since 1999 found that, on average, a CVE is published 40 days after its CVE-ID is assigned. Of the 177,043 entries analysed more than 10,000 CVEs have been in “reserved” status for more than two years. It shows that there is a long delay between vulnerability discovery and CVE publication.
Why this matters:
Patches should always be applied as soon as possible, exploits either follow very soon after vulnerability disclosure but as this study shows sometimes vulnerabilities are being exploited before fixes are released. The longer between fixes being released and being applied the more vulnerable you are to attack.
Read more here: https://unit42.paloaltonetworks.com/state-of-exploit-development/
Forget your space-age IT security systems. It might just take a $1m bribe and a willing employee to be pwned
A Russian citizen is accused of flying to America in a bid to bribe a Tesla employee to infect their bosses' IT network with ransomware.
Egor Kriuchkov has been charged with one count of conspiracy to intentionally cause damage to a protected computer. He was nabbed by the Feds at Los Angeles airport and is behind bars awaiting trial.
It is claimed Kriuchkov, 27, was the point man of a plot to get data-stealing malware onto the network of an unspecified US company in Nevada and then use the lifted data to extort the corporation for millions of dollars: paid up, or the internal files get leaked and file systems scrambled.
To do this, Kriuchkov and his associates back in Russia had recruited a worker at the business, it is claimed, and promised to pay $500,000 for placing the malware onto its network. The bribe was later increased to $1m to persuade the employee, along with an $11,000 advance, yet instead he went to his bosses, and the FBI was brought in, we're told.
According special agent Michael Hughes, in late July Kriuchkov travelled from Russia to Reno, Nevada, where the employee worked, and over the early weeks of August tried to win over the employee to join the conspiracy. This included a night out for the worker and friends at a Lake Tahoe resort, followed by Kriuchkov pulling the worker aside and convincing them to play a key role in the operation, it is claimed.
Why this matters:
Again this shows that employees are more likely than your technical systems to be exploited by malicious actors, fortuitously for Tesla the employee didn’t take the bribe but many staff in different organisations would be tempted. Imagine if the employee that was approached was already feeling disgruntled against their employer.
Read more here: https://www.theregister.com/2020/08/26/russian_malware_plot/
Ex-Cisco staffer charged with deliberately deleting 400+ VMs
A disgruntled former Cisco employee has pleaded guilty to intentionally deleting hundreds of the networking firm's virtual machines (VMs), according to an IT News report.
Sudhish Kasaba Ramesh, an ex-Cisco engineer who left the company in April 2018, accessed the firm's AWS environment months later and deleted a total of 456 VMs, which the company used to run the WebEx Teams application.
In a statement, issued before a US federal court in San Jose by the US Department of Justice and the FBI, it was said that Ramesh “intentionally accessed a protected computer without authorization and recklessly caused damage”.
“During his unauthorized access, Ramesh admitted that he deployed a code from his Google Cloud Project account that resulted in the deletion of 456 virtual machines for Cisco’s WebEx Teams application, which provided video meetings, video messaging, file sharing, and other collaboration tools,” the statement said.
Why this matters:
Insiders will always be amongst the biggest threats to every organisation and the damage a disgruntled employee or former employer could cause should never be underestimated. Any time a member of staff leaves an organisation it must be ensured that they no longer have access to any accounts accessed in the course of the performing their duties, and doubly so for accounts with privileged or elevated permissions, for the very reason they could do so much damage.
Read more: https://www.itproportal.com/news/ex-cisco-staffer-charged-with-deliberately-deleting-400-vms/
North Korean hackers ramp up bank heists: U.S. government cyber alert
North Korean hackers are tapping into banks around the globe to make fraudulent money transfers and cause ATMs to spit out cash, the U.S. government warned on Wednesday.
A technical cyber security alert jointly written by four different federal agencies, including the Treasury Department and FBI, said there had been a resurgence in financially motivated hacking efforts by the North Korean regime this year after a lull in activity.
“Since February 2020, North Korea has resumed targeting banks in multiple countries to initiate fraudulent international money transfers and ATM cash outs,” the warning reads.
U.S. law enforcement titled the hacking campaign “Fast Cash” and blamed North Korea’s Reconnaissance General Bureau, a spy agency, for it. They described the operation as going on since at least 2016 but ramping up in sophistication and volume recently.
Why this matters:
Over the last several years, North Korea has been blamed by U.S. authorities and private sector cyber security companies for hacking numerous banks in Asia, South America and Africa.
North Korean cyber actors have demonstrated an imaginative knack for adjusting their tactics to exploit the financial sector as well as any other sector through illicit cyber operations.
Read more here: https://www.reuters.com/article/us-cyber-usa-north-korea-idUSKBN25M2FU
New Zealand stock exchange resumes trade after cyber attacks, government activates security systems
New Zealand’s stock exchange resumed trading on Friday, after facing disruptions for four consecutive days in the wake of cyber attacks this week, while the government said national security systems had been activated to support the bourse.
There is no clarity on who was behind these two “offshore” attacks, but the failure to stop them has raised questions about New Zealand’s security systems, experts said.
NZX Ltd had to halt trading until afternoon on Friday, after crashing earlier due to network connectivity issues, marking the fourth day that trading has been hit.
Why this matters:
Organisations of all sizes are vulnerable to attacks, larger firms are vulnerable because of the sheer number of users and the complexity of their systems, smaller firms because they often lack maturity and don’t have the most appropriate controls and protections in place. Firms also need to make sure they have plans in place to recover and return to operational effectiveness as quickly as possible.
Read more here: https://www.reuters.com/article/uk-nzx-cyber-idUSKBN25O03Q
Cyber Weekly Flash Briefing 14 August 2020: Travelex goes bust following ransomware, Microsoft fix 120 vulns inc two zero-days, more ransomware victims paying up, Cloud misconfigurations create risks
Cyber Weekly Flash Briefing 14 August 2020: Travelex Forced into Administration After Ransomware Attack, Microsoft fixes 120 vulnerabilities inc two zero-days, More ransomware victims are paying up, Misconfiguration #1 Cloud Security Threat, Beware What You Ask Amazon Alexa, Ex-Uber engineer sentenced to 18 months in prison for stealing driverless car secrets from Google, Google and Amazon are now the most imitated brands for phishing
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Travelex Forced into Administration After Ransomware Attack
Ransomware victim Travelex has been forced into administration, with the loss of over 1000 jobs.
PwC announced late last week that it had been appointed joint administrators of the currency exchange business.
The Sodinokibi (REvil) ransomware variant is believed to have struck the firm on New Year’s Eve last year, forcing its website offline and impacting its bricks-and-mortar stores and banking services. It took until January 17 for the firm to get its first customer-facing systems live again in the UK.
Why this matters:
Firms of any size can call victim to ransomware and many firms will not survive a significant cyber event such as this. Unconfirmed reports at the time suggested that a critical unpatched vulnerability in a VPN (Virtual Private Network) may have allowed attackers to remotely execute malicious code. A security researcher said he reached out to the firm in September 2019 to flag the issue but was ignored. This again shows the importance of ensuring all security updates are applied quickly. Has this software had the security updates applied those vulnerabilities would not have been able to be used in this attack.
Read more: https://www.infosecurity-magazine.com/news/travelex-forced-administration/
Microsoft August 2020 Patch Tuesday fixes 120 vulnerabilities, two zero-days
Microsoft’s August 2020 Patch Tuesday security updates fell this week and this month the company has patched 120 vulnerabilities across 13 different products, from Edge to Windows, and from SQL Server to the .NET Framework.
Among these 120 vulnerabilities, 17 bugs have received the highest severity rating of "Critical," and there are also two zero-days — vulnerabilities that have been exploited by hackers before Microsoft was able to provide a fix.
Why this matters:
All security updates should be applied as soon as possible to prevent vulnerabilities from being exploited in attacks. When vulnerabilities are announced criminals will waste no time in weaponizing them (creating exploits to use in attacks) so the quicker the vulnerabilities are closed the safer you will be.
More ransomware victims are paying up, even when data recovery is possible
The proportion of ransomware attack victims actually paying ransoms increased in the last quarter, even in instances where ransomed data could be recovered, new figures have revealed.
According to a commercial ransomware recovery service, data exfiltration attacks are becoming more common and blending with traditional ransomware hacks. Data exfiltration extortion involves an attacker taking possession of stolen data and putting it up for sale on forums or marketplaces. Once monetised, the hacker asks the victim to pay a ransom to prevent the information’s release.
The recover firm added that tools currently on the market vary wildly when it comes to data recovery success following a ransomware attack. What’s more, the company has noted an uptick in the number of companies experiencing operating system and registry corruption even after ransomed data is restored.
Why this matters:
It used to be that backups were the best defence against ransomware attacks, but if your data is stolen a backup won’t help you avoid having to pay out to keep your sensitive or confidential data out of the public domain.
Intel, SAP, and Citrix release critical security updates
Intel released 18 advisories, including fixes for Denial of Service, Information Disclosure and Elevation of Privilege flaws affecting various products on Windows, Chrome OS and Linux OS.
SAP’s released 15 security notes and an update to a previously released one to address flaws in a variety of offerings, including SAP ERP, SAP Business Objects Business Intelligence Platform, SAP S/4 HANA and various SAP NetWeaver components.
Citrix’s has released patches for a set of vulnerabilities in certain on-premises instances of Citrix Endpoint Management (aka XenMobile Server).
Why this matters:
Security upgrades should always be applied as soon as possible. Whether announced vulnerabilities are already being exploited or not as they become known they likely will be exploited and patching them (applied the fixes made available) prevent them from being exploited.
Read more: https://www.helpnetsecurity.com/2020/08/12/intel-sap-citrix-security-updates-august-2020/
IT Pros Name Misconfiguration #1 Cloud Security Threat
Configuration errors are the number one threat to cloud security, according to a new poll of IT and security professionals.
A security vendor interviewed 653 industry professionals to compile its 2020 Cloud Security Report.
Three-quarters (75%) claimed to be “very” or “extremely” concerned about cloud security, with most (52%) believing that the risks are higher in the public cloud than on-premises.
The top four threats were cited as: misconfiguration (68%), unauthorized cloud access (58%), insecure interfaces (52%), and account hijacking (50%).
These security concerns have created multiple barriers to further adoption of cloud services. The top inhibitor of adoption was a lack of qualified staff (55%), up from fifth place last year.
This may go some way to explaining respondents’ concerns around configuration errors, especially as 68% of these organisations are using two or more public cloud providers — adding to the complexity.
Why this matters?
Organisations’ cloud migrations and deployments are racing ahead of their security teams’ abilities to defend them against attacks and breaches. Their existing security solutions only provide limited protections against cloud threats, and teams often lack the expertise needed to improve security and compliance processes
Read more: https://www.infosecurity-magazine.com/news/misconfiguration-error-cloud/
RedCurl cybercrime group has hacked companies for three years
Security researchers have uncovered a new Russian-speaking hacking group that they claim has been focusing on the past three years on corporate espionage, targeting companies across the world to steal documents that contain commercial secrets and employee personal data.
Named RedCurl, the activities of this new group have been detailed in a 57-page report released this week.
Researchers have been tracking the group since the summer of 2019 and have since identified 26 other RedCurl attacks, carried out against 14 organisations, going as far back as 2018.
Why this matters:
This Russian group have targeted victims across different countries and industry sectors, and included construction companies, retailers, travel agencies, insurance companies, banks, and law and consulting firms from countries like Russia, Ukraine, Canada, Germany, Norway, and the UK. Many firms could fall victim to cyber crime groups like this if their defences are not able to withstand such attackers.
Read more: https://www.zdnet.com/article/redcurl-cybercrime-group-has-hacked-companies-for-three-years/
Why You Must Beware What You Ask Amazon Alexa
The same cyber team that cracked open TikTok, WhatsApp, Microsoft’s cloud and even Philips lightbulbs has just turned its attention to Amazon’s Alexa. And, unsurprisingly, it hasn’t disappointed. After “speculating” that Amazon’s 200 million devices “could be a prime entry-point for hackers,” Check Point Research has just lifted the lid to unmask “serious security flaws in Alexa.” According to the team, “in just one click, a user could have given up their voice history, home address and control of their Amazon account.”
Why this matters:
Warnings about the dangers of smart speakers and their extended families of virtual assistants are not new. These are the same devices that causes such scandal last year, when it transpired humans were listening to conversations to better train the AI. The issue here is different, much more akin to the broader problem of IoT security. Every different gadget you connect to the internet becomes a potential vulnerability and the methods needed to crack Amazon’s devices were not particularly sophisticated.
Ex-Uber engineer sentenced to 18 months in prison for stealing driverless car secrets from Google
A star engineer who admitted stealing self-driving car secrets from Google has been sentenced to 18 months in prison.
Anthony Levandowski, who helped found Google's self-driving car project, now known as Waymo, pleaded guilty to downloading documents containing data about the company's work and accessing one of them after he had left to found his own trucking startup.
Sentencing him in a San Francisco court, the judge said he was imposing prison time as a deterrent.
An early star in the self-driving car scene, Mr Levandowski pushed for Google to develop the technology but later became disillusioned, leaving in early 2016 to start trucking company Otto, which was bought by Uber less than eight months later.
Waymo sued Uber, a case which was settled in 2018, with Uber paying out $245m (£187m) in equity and agreeing not to use its technology.
Uber had signed an indemnification agreement with Mr Levandowski, forcing it to pay his legal fees, but has refused to pay a $179m debt he owes to the Google spin-out, a consequence of separate legal action relating to his departure.
Why this matters:
Your staff present one of your biggest risks, and a disgruntled or disillusioned employee can be very dangerous. The theft of intellectual property for personal gain is a classic example of this kind of behaviour. Data Loss Prevention (DLP) systems can help to spot unusual behaviour in employees and detect sensitive data being extracted from corporate systems.
Google and Amazon are now the most imitated brands for phishing
You may want to think twice about opening that email claiming to be from Google or Amazon, after new research found the tech giants were being used as lures for phishing scams.
Earlier this year, Check Point revealed that Apple was the most imitated brand for phishing, but over the course of the last few months, the iPhone maker has fallen to seventh place with Google and Amazon now taking the top spots.
Why this matters:
Phishing is estimated to be the starting point of over 90 percent of all cyberattacks and according to Verizon's 2019 Data Breach Investigations Report, nearly one third (32%) of all data breaches involved phishing activity. Additionally phishing was present in 78 percent of cyber espionage incidents and the installation and use of backdoors in company networks.
Read more: https://www.techradar.com/news/google-and-amazon-are-now-the-most-imitated-brands-for-phishing
Cyber Weekly Flash Briefing 26 June 2020: Covid changes infosec landscape, ransomware actors lurk post attack, hacker earns millions, rogue bank staff steal $3.2m, massive DDoS against European bank
Cyber Weekly Flash Briefing 26 June 2020: Covid changes infosec landscape, ransomware actors lurk post attack, hacker earns millions, rogue bank staff steal $3.2m, massive DDoS against European bank
If you’re pressed for time watch the 60 second quick fire video summary of the top Cyber and InfoSec stories from the last week:
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Businesses believe the pandemic will change the security landscape forever
After Covid-19, nothing will ever be the same again, at least in terms of how businesses approach cyber security. This is according to a new report based on a poll of 6,700 infosec professionals around the world.
The report states that 81 percent expect long-term changes to the way their business operates, mostly because of remote working.
With this in mind, examining how remote employees approach cyber security will become paramount if an organisation is to maintain a strong security posture.
A third of respondents said they worry employees may feel more relaxed about cyber security than when they are working out of the office. Employees may also be less likely to follow protocol at home, particularly when it comes to identifying and flagging suspicious activity.
Further, almost a third (31 percent) fear employees might unintentionally leak sensitive data or fall prey to a phishing scam and a quarter are afraid staff might fall victim to malware attacks.
Of the largest risks associated with remote working, respondents singled out “using untrusted networks” as the most significant. Other people accessing employees' company devices, the use of personal messaging services for work, and the unintentional sharing of company data are also high on the list of risks.
Ransomware operators lurk on your network after their attack
When a company suffers a ransomware attack, many victims feel that the attackers quickly deploy the ransomware and leave so they won't get caught. Unfortunately, the reality is much different as threat actors are not so quick to give up a resource that they worked so hard to control.
Instead, ransomware attacks are conducted over time, ranging from a day to even a month, starting with a ransomware operator breaching a network.
This breach is through exposed remote desktop services, vulnerabilities in VPN software, or via remote access given by malware such as TrickBot, Dridex, and QakBot.
Once they gain access, they use tools such as Mimikatz, PowerShell Empire, PSExec, and others to gather login credentials and spread laterally throughout the network.
As they gain access to computers on the network, they use these credentials to steal unencrypted files from backup devices and servers before deploying the ransomware attack.
Once the ransomware is deployed, many victims believe that while their network is still compromised, they think the ransomware operators are now gone from the system.
This belief is far from the truth, as illustrated by a recent attack by the Maze Ransomware operators.
Read the full article here: https://www.bleepingcomputer.com/news/security/ransomware-operators-lurk-on-your-network-after-their-attack/
Prolific Hacker Made Millions Selling Network Access
A notorious Russian cyber-criminal made over $1.5m in just the past three years selling access to corporate networks around the world, according to a new report.
The study profiles the work of “Fxmsp” on underground forums where he published his first ad selling access to business networks in 2017.
Over the following years he would compromise banks, hotels, utilities, retailers, tech companies and organisations in many more verticals.
In just three years he claimed to have compromised over 130 targets in 44 countries, including four Fortune 500 firms. Some 9% of his victims were governments.
The report calculated the $1.5m figure purely from publicised sales, although 20% of those Fxmsp compromised were made through private sales, meaning the hacker’s trawl is likely to be even bigger.
Fxmsp even hired a sales manager in early 2018.
Read more here: https://www.infosecurity-magazine.com/news/infamous-hacker-millions-selling/
Rogue Postbank employees steal master encryption key; make off with $3.2 million
South Africa's Postbank has been forced to replace 12 million bank cards after a calamitous security breach that saw the bank's master encryption key printed off in plain, unencrypted language.
According to internal documents acquired by the Sunday Times of South Africa, the 36-digit code security key “allows anyone who has it to gain unfettered access to the bank’s systems, and allows them to read and rewrite account balances, and change information and data on any of the bank’s 12-million cards".
The master key was apparently printed out on plain paper in a data centre in Pretoria in 2018, enabling the fraudsters to make over 25,000 fraudulent transactions, mostly from cards used by people receiving social benefits from the government.
The crime, which is being pinned on a number of rogue bank employees, went unnoticed for months. More than $3.2 million was stolen in the raid.
The cost to the bank of replacing all the compromised cards is expected to reach $58 million.
Read more here: https://www.finextra.com/newsarticle/36059/rogue-postbank-employees-steal-master-encryption-key-make-off-with-32-million
Massive Distributed Denial of Service (DDoS) attack launched against European bank
This week, security firm Akamai mitigated what it claims to be the “largest ever packet per second (pps) DDoS attack”, launched against an unnamed European bank.
The attack reportedly generated 809 million packets per second (Mpps) - a new high for pps-focused attacks, and well over double the size of the previous record attack identified by the Akamai platform.
What also makes this DDoS attack unique is the “massive increase” in the quantity of source IP addresses observed. During the attack, Akamai identified more than 600 times average number of source IP addresses per minute, suggesting the attack was highly distributed in nature.
Further, most of the traffic came from previously unknown IP addresses (96.2 percent), which could indicate the assault was driven by an emerging botnet. Given that most of the source IP addresses could be identified within large ISPs via AS lookups, Akamai believes most of the devices used were compromised end user machines.
The speed at which the attack reached its peak was also remarkable. The company claims it grew from normal traffic levels to 418 Gbps in seconds, and took roughly two minutes to hit 809 Mpps. The attack lasted for a total of 10 minutes and was fully mitigated.
Read more here: https://www.itproportal.com/news/massive-ddos-attack-launched-against-european-bank/
'Unstoppable' Malware Uses Bitcoin To Retrieve Secret Messages - Report
Glupteba, a sneaky malware that can be controlled from afar includes a range of components to cover its tracks, and it updates itself using encrypted messages hidden in the Bitcoin blockchain.
The Glupteba bot is a malware campaign that creates backdoors with full access to contaminated devices, which are added to its growing botnet. The analysis describes it as a “highly self-defending malware” with “enhancing features that enable the malware to evade detection.”
The most interesting aspect of Glupteba is that it uses the Bitcoin blockchain as a communication channel for receiving updated configuration information, given that bitcoin transactions can also include a comment of up to 80 characters.
Glupteba uses this messaging space for encrypted messages. These messages contain secrets, such as command-and-control server names, thus cleverly hiding them in the public blockchain - in plane sight.
Read more: https://cryptonews.com/news/unstoppable-malware-uses-bitcoin-to-retrieve-secret-messages-6947.htm
Woman who deliberately deleted firm’s Dropbox is sentenced
58-year-old Danielle Bulley may not look like your typical cyber criminal, but the act of revenge she committed against a company had just as much impact as a conventional hacker breaking into a business’s servers and causing havoc.
Bulley has been successfully prosecuted under the UK’s Computer Misuse Act after deleting thousands of important files from a company that went on to collapse.
She was a director of a business called Property Press that produced a weekly property newspaper focused on south east Devon. Things turned sour, and Bulley resigned her position at the firm in 2018 before the company went into liquidation. However, fellow director Alan Marriott started a new business venture – without Bulley’s involvement – using the assets of the old firm.
Things clearly didn’t sit well with Bulley after her departure from the business, and several months after her resignation she managed to gain unauthorised access to the new company’s Dropbox account.
More than 5,000 documents were permanently erased, and the company claimed that the damage to business was so great that it could no longer operate, with people losing their jobs and a loss of almost £100,000.
The Police warned other companies of the threat which can be posed by former employees:
Ex-employees can pose a serious risk to a business because they are familiar with the company’s IT infrastructure and procedures. This can make it easier for them to carry out cyber crimes against their former organisation.
If someone is leaving your company, especially if they are quitting your firm under something of a cloud, you would be wise to check that they don’t know your business’s passwords or have retained access to sensitive information.
Passwords should be changed, and additional authentication methods should be in place to prevent unauthorised access. Dropbox, for instance, provides a two-step verification feature which all users would be wise to enable.
EasyJet Lawsuit Over Data Breach Attracts 10,000 Passengers
EasyJet Plc faces a lawsuit over a data breach disclosed last month that potentially exposed private details of 9 million passengers.
More than 10,000 people have joined the suit since it was filed last month, according to the law firm handling the lawsuit. Victims are entitled to as much as £2,000 in compensation, meaning the case could be worth as much as £18 billion.
EasyJet said last month that the email addresses and travel data of about 9 million customers were taken by hackers in one of the biggest privacy breaches to hit the airline industry. The credit card details of roughly 2,200 people was also accessed.
“This is a monumental data breach and a terrible failure of responsibility that has a serious impact on EasyJet’s customers, who are coming forward in their thousands,” the law firm said in a statement. “This is personal information that we trust companies with, and customers should expect that every effort is made to protect their privacy.”
Read more here: https://www.bloomberg.com/news/articles/2020-06-24/easyjet-lawsuit-over-data-breach-attracts-10-000-passengers
Twitter apologises for business data breach
Twitter has emailed its business clients to tell them that personal information may have been compromised.
Unbeknownst to users, billing information of some clients was stored in the browser's cache, it said.
In an email to its clients, Twitter said it was "possible" others could have accessed personal information.
The personal data includes email addresses, phone numbers and the last four digits of clients' credit card numbers.
The tech company says that there is no evidence that clients' billing information was compromised.
Read more here: https://www.bbc.co.uk/news/technology-53150157
Huge Data Dump of Police Files Dubbed “Blue Leaks” Leaked Online
Nearly 270 gigabytes worth of sensitive files including FBI, “fusion center” and police department data from across the US dubbed “Blue Leaks” has been stolen and leaked online on June 19 by a collective called DDoSecrets.
Fusion centres are hubs for threat and intelligence sharing. The concept was created after September 11, in a bid by the Department of Homeland Security to improve cooperation between state, local, and territorial law enforcement
The National Fusion Centre Association (NFCA) says that the data was taken after a security breach at web development firm Netsential in Houston, Texas. It includes 490 documents pertaining to the UK. Computer Business Review was not immediately able to open these to assess the contents.
DDoSecrets stated that the Blue Leaks archive spans “ten years of data from over 200 police departments, fusion centres and other law enforcement training and support resources […] among the hundreds of thousands of documents are police and FBI reports, bulletins, guides and more”.
Read more here: https://www.cbronline.com/news/blue-leaks-data-dump
Why Execs Present One Of The Biggest Insider Risks to Any Organisation - Cyber Tip Tuesday Video Blog
Why Execs Present One Of The Biggest Insider Risks to Any Organisation - Cyber Tip Tuesday Video Blog
Cyber Weekly Flash Briefing 22 May 2020: EasyJet say 9m customers hacked, firm phishes its own staff and 20% fail, 60% insider threats involve staff planning to leave, 1 in 10 WFH Brits breach GDPR
Cyber Weekly Flash Briefing 22 May 2020: EasyJet say 9m customers hacked, firm phishes its own staff and 20% fail, 60% insider threats involve staff planning to leave, 1 in 10 WFH Brits breach GDPR
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
If you’re pressed for time watch the 60 second quick fire video summary of the top cyber and infosec stories from the last week:
EasyJet admits data of nine million hacked
EasyJet has admitted that a "highly sophisticated cyber-attack" has affected approximately nine million customers.
It said email addresses and travel details had been stolen and that 2,208 customers had also had their credit and debit card details "accessed".
The firm has informed the UK's Information Commissioner's Office while it investigates the breach.
EasyJet first became aware of the attack in January.
It told the BBC that it was only able to notify customers whose credit card details were stolen in early April.
"This was a highly sophisticated attacker. It took time to understand the scope of the attack and to identify who had been impacted," the airline told the BBC.
Read more here: https://www.bbc.co.uk/news/technology-52722626
To test its security mid-pandemic, GitLab tried phishing its own work-from-home staff. 1 in 5 fell for it
Code hosting site GitLab recently concluded a security exercise to test the susceptibility of its all-remote workforce to phishing – and a fifth of the participants submitted their credentials to the fake login page.
The mock attack simulated a targeted phishing campaign designed to get GitLab employees to give up their credentials.
The GitLab security personnel playing the role of an attacker – obtained the domain name gitlab.company and set it up using the open source GoPhish framework and Google's GSuite to send phishing emails. The messages were designed to look like a laptop upgrade notification from GitLab's IT department.
Targets were asked to click on a link in order to accept their upgrade and this link was instead a fake GitLab.com login page hosted on the domain 'gitlab.company'.
Fifty emails went out and 17 (34 per cent) clicked on the link in the messages that led to the simulated phishing website. Of those, 10 (59 per cent of those who clicked through or 20 per cent of the total test group) went on to enter credentials. And just 6 of the 50 message recipients (12 per cent) reported the phishing attempt to GitLab security personnel.
According to Verizon's 2020 Data Breach Investigations Report, 22 per cent of data exposure incidents involved phishing or about 90 per cent of incidents involving social interaction.
Read the original article here: https://www.theregister.co.uk/2020/05/21/gitlab_phishing_pentest/
60% of Insider Threats Involve Employees Planning to Leave
More than 80% of employees planning to leave an organization bring its data with them. These "flight-risk" individuals were involved in roughly 60% of insider threats analysed in a new study.
Researchers analysed more than 300 confirmed incidents as part of the "2020 Securonix Insider Threat Report." They found most insider threats involve exfiltration of sensitive data (62%), though others include privilege misuse (19%), data aggregation (9.5%), and infrastructure sabotage (5.1%). Employees planning an exit start to show so-called flight-risk behaviour between two weeks and two months ahead of their last day, the researchers discovered.
Most people who exfiltrate sensitive information do so over email, a pattern detected in nearly 44% of cases. The next most-popular method is uploading the information to cloud storage websites (16%), a technique growing popular as more organizations rely on cloud collaboration software such as Box and Dropbox. Employees are also known to steal corporate information using data downloads (10.7%), unauthorized removable devices (8.9%), and data snooping through SharePoint (8%).
Today's insider threats look different from those a few years ago. Cloud tools have made it easier for employees to share files with non-business accounts, creating a challenge for security teams.
Read more here: https://www.darkreading.com/risk/60--of-insider-threats-involve-employees-planning-to-leave/d/d-id/1337876
One in ten home working Brits are not GDPR compliant
Remote working may have improved the work-life balance of many Brits, but it has also made organisations more likely to fall foul of GDPR.
This is according to a new report from IT support company ILUX, which found that a tenth of workers in the UK do not believe their remote working practices are compliant.
Based on a poll of 2,000 UK-based home workers, the report hints the problem could stem from the adoption of BYOD initiatives, explaining that personal technology for work could be the catalyst for respondents' concerns.
There is also the issue of support, with two thirds of respondents feeling they have lacked sufficient support from business owners during the pandemic. One tenth of the respondents considered their managers too busy or stressed to warrant approaching.
Asking employees to work from home and then not providing the right computer systems and security measures is a recipe for disaster.
The last thing any business needs at this time is to lose valuable data, leave themselves open to cyber attacks or phishing and leave themselves vulnerable to the unknown. It may only seem like a small number, but it’s best not to be in that ten percent.
Remote staff should be provided with company devices on which to work, protected with the latest security patches and cyber security solutions.
Read more here: https://www.itproportal.com/news/one-in-ten-home-working-brits-are-not-gdpr-compliant/
SMBs see cyberattacks that rhyme with large enterprises due to cloud shift
Small businesses are increasingly seeing the same cyberattacks and techniques as large enterprises in contrast with previous years, according to the 2020 Verizon Data Breach Investigations Report.
The last time Verizon researchers tracked small business attacks was in the 2013 DBIR. At that time, SMBs were hit with payment card cybercrime. Today, the attacks are aimed at web applications and errors due to configurations. Meanwhile, the external attackers are targeting SMBs just like large enterprises, according to Verizon.
Verizon found that small companies with less than 1,000 employees are seeing the same attacks as large enterprises. Why? SMBs have adjusted their business models to be more cloud based and rhyme more with large companies.
Read the full article: https://www.zdnet.com/article/smbs-see-cyberattacks-that-rhyme-with-large-enterprises-due-to-cloud-shift/
Microsoft warns of huge email phishing scam - here's how to stay protected
Microsoft has issued an alert to users concerning a new widespread Covid-19 themed phishing campaign.
The threat installs a remote administration tool to completely take over a user's system and even execute commands on it remotely.
The Microsoft Security Intelligence team provided further details on this ongoing campaign in a series of tweets in which it said that cybercriminals are using malicious Excel attachments to infect user's devices with a remote access trojan (RAT).
The attack begins with potential victims receiving an email that impersonates the John Hopkins Center. This email claims to provide victims with an update on the number of coronavirus-related deaths in the US. However, attached to the email is an Excel file that displays a chart showing the number of deaths in the US.
Read more here: https://www.techradar.com/uk/news/microsoft-warns-of-huge-phishing-attack-heres-how-to-stay-safe
Security threats associated with shadow IT
As cyber threats and remote working challenges linked to COVID-19 continue to rise, IT teams are increasingly pressured to keep organisations’ security posture intact. When it comes to remote working, one of the major issues facing enterprises is shadow IT.
End users eager to adopt the newest cloud applications to support their remote work are bypassing IT administrators and in doing so, unknowingly opening both themselves and their organization up to new threats.
You’ve probably heard the saying, “What you don’t know can’t hurt you.” In the case of shadow IT, it’s the exact opposite – what your organisation doesn’t know truly can and will hurt it.
Shadow IT might sound great at surface level if you think of it as tech-savvy employees and departments deploying collaborative cloud apps to increase productivity and meet business goals. However, there’s a lot more going on below the surface, including increased risk of data breaches, regulation violations and compliance issues, as well as the potential for missed financial goals due to unforeseen costs.
One solution to risks associated with shadow IT is to have workers only use cloud apps that have been vetted and approved by your IT department. However, that approach is oftentimes not possible when shadow apps are acquired by non-IT professionals who have little to no knowledge of software standardization. Additionally, when shadow SaaS apps are used by employees or departments the attack area is hugely increased because many are not secure or patched. If IT departments are unaware of an app’s existence, they can’t take measures to protect companies’ data or its users.
Another solution that organisations use is attempting to block access to cloud services that don’t meet security and compliance standards. Unfortunately, there is a vast discrepancy in the intended block rate and the actual block rate, called the “cloud enforcement gap” and represents shadow IT acquisition and usage.
Read more here: https://www.helpnetsecurity.com/2020/05/18/security-shadow-it/
Supercomputers hacked across Europe to mine cryptocurrency
Multiple supercomputers across Europe have been infected this week with cryptocurrency mining malware and have shut down to investigate the intrusions.
Security incidents have been reported in the UK, Germany, and Switzerland, while a similar intrusion is rumoured to have also happened at a high-performance computing centre located in Spain.
The first report of an attack came to light on Monday from the University of Edinburgh, which runs the ARCHER supercomputer. The organization reported "security exploitation on the ARCHER login nodes," shut down the ARCHER system to investigate, and reset SSH passwords to prevent further intrusions.
Read more here: https://www.zdnet.com/article/supercomputers-hacked-across-europe-to-mine-cryptocurrency/
Powerful Android malware stayed hidden for years, infecting tens of thousands of smartphones
A carefully managed hacking and espionage campaign is infecting smartphones with a potent form of Android malware, providing those behind it with total control of the device, while also remaining completely hidden from the user.
Mandrake spyware abuses legitimate Android functions to help gain access to everything on the compromised device in attacks that can gather almost any information about the user.
The attacker can browse and collect all data on the device, steal account credentials for accounts including banking applications. secretly take recordings of activity on the screen, track the GPS location of the user and more, all while continuously covering their tracks.
Read the original article here: https://www.zdnet.com/article/this-powerful-android-malware-stayed-hidden-years-infected-tens-of-thousands-of-smartphones/
Strain of ransomware goes fileless to make attacks untraceable
Malicious actors have been spotted using an especially sneaky fileless malware technique — reflective dynamic-link library (DLL) injection — to infect victims with Netwalker ransomware in hopes of making the attacks untraceable while frustrating security analysts.
Instead of compiling the malware and storing it into the disk, the adversaries are writing it in PowerShell and executing it directly into memory making this technique is stealthier than regular DLL injection because aside from not needing the actual DLL file on disk, it also does not need any windows loader for it to be injected. This eliminates the need for registering the DLL as a loaded module of a process, and allowing evasion from DLL load monitoring tools.
Read more here: https://www.scmagazine.com/home/security-news/ransomware/netwalker-ransomware-actors-go-fileless-to-make-attacks-untraceable/
Smartphones, laptops, IoT devices vulnerable to new Bluetooth attack
Academics have disclosed today a new vulnerability in the Bluetooth wireless protocol, broadly used to interconnect modern devices, such as smartphones, tablets, laptops, and smart IoT devices.
The vulnerability, codenamed BIAS (Bluetooth Impersonation AttackS), impacts the classic version of the Bluetooth protocol, also known as Basic Rate / Enhanced Data Rate, Bluetooth BR/EDR, or just Bluetooth Classic.
A bug in the bonding authentication process can allow an attacker to spoof the identity of a previously paired/bonded device and successfully authenticate and connect to another device without knowing the long-term pairing key that was previously established between the two.
Once a BIAS attack is successful, the attacker can then access or take control of another Bluetooth Classic device.
Read more here: https://www.zdnet.com/article/smartphones-laptops-iot-devices-vulnerable-to-new-bias-bluetooth-attack/
Cyber Weekly Flash Briefing 15 May 2020: Attacks on UK up 30% in Q1, 238% surge against banks, Microsoft fixes 111 vulns, Adobe patches 36 vulns, Thunderspy, 73m user records for sale on dark web
Cyber Weekly Flash Briefing 15 May 2020: Attacks on UK up 30% in Q1, 238% surge against banks, Microsoft fixes 111 vulns, Adobe patches 36 vulns, Thunderspy, 73m user records for sale on dark web
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Cyber-Attacks on UK Organisations Up 30% in Q1 2020
New research has revealed that the volume of cyber-attacks on UK businesses increased by almost a third in the first three months of 2020.
Analysts identified 394,000 unique IP addresses used to attack UK businesses in the first quarter of 2020, discovering that companies with internet connections experienced 157,000 attacks each, on average – the equivalent of more than one a minute.
This rate of attack was 30% higher than the same period in 2019 when UK businesses received 120,000 internet-borne attempts to breach their systems each.
IoT applications were cited as the most common targets for cyber-criminals in the first quarter, attracting almost 19,000 online attacks per company. Company databases and file-sharing systems were also targeted frequently, with companies experiencing approximately 5000 attacks for each application, on average.
Read more here: https://www.infosecurity-magazine.com/news/cyberattacks-uk-orgs-up-30-q1/
COVID-19 blamed for 238% surge in cyber attacks against banks
The coronavirus pandemic has been connected to a 238% surge in cyber attacks against banks, new research claims.
On Thursday, VMware Carbon Black released the third edition of the Modern Bank Heists report, which says that financial organizations experienced a massive uptick in cyber attack attempts between February and April this year -- the same months in which COVID-19 began to spread rapidly across the globe.
The cyber security firm's research, which includes input from 25 CIOS at major financial institutions, adds that 80% of firms surveyed have experienced more cyber attacks over the past 12 months, an increase of 13% year-over-year.
VMware Carbon Black data already indicates that close to a third -- 27% -- of all cyber attacks target either banks or the healthcare sector.
An interesting point in the report is how there appears to have been an uptick in financially-motivated attacks around pinnacles in the news cycle, such as when the US confirmed its first case of COVID-19.
In total, 82% of chief information officers contributing to the report said that alongside a spike in attacks, techniques also appear to be improving -- including the use of social engineering and more advanced tactics to exploit not only the human factor but also weak links caused by processes and technologies in use by the supply chain.
Read more here: https://www.zdnet.com/article/covid-19-blamed-for-238-surge-in-cyberattacks-against-banks/
May 2020 Patch Tuesday: Microsoft fixes 111 vulnerabilities, 13 Critical
Microsoft's May 2020 Patch Tuesday fell this week, and Microsoft have released fixes for 111 vulnerabilities in Microsoft products. Of these vulnerabilities, 13 are classified as Critical, 91 as Important, 3 as Moderate, and 4 as Low.
This month there are no zero-day or unpatched vulnerabilities.
Users should install these security updates as soon as possible to protect Windows from known security risks.
Read more here: https://www.bleepingcomputer.com/news/microsoft/may-2020-patch-tuesday-microsoft-fixes-111-vulnerabilities-13-critical/
Adobe issues patches for 36 vulnerabilities in DNG, Reader, Acrobat
Adobe has released security patches to resolve 36 vulnerabilities present in DNG, Reader, and Acrobat software.
On Tuesday, the software giant issued two security advisories (1, 2) detailing the bugs, the worst of which can be exploited by attackers to trigger remote code execution attacks and information leaks.
The first set of patches relate to Adobe Acrobat and Reader for Windows and macOS, including Acrobat / Acrobat Reader versions 2015 and 2017, as well as Acrobat and Acrobat Reader DC.
In total, 12 critical security flaws have been resolved. Six of the bugs, a single heap overflow problem, two out-of-bounds write errors, two buffer overflow issues, and two use-after-free vulnerabilities can all lead to arbitrary code execution in the context of the current user.
Read more here: https://www.zdnet.com/article/adobe-issues-patches-for-36-vulnerabilities-in-dng-reader-acrobat/
Thunderbolt flaw ‘Thunderspy’ allows access to a PC’s data in minutes
Vulnerabilities discovered in the Thunderbolt connection standard could allow hackers to access the contents of a locked laptop’s hard drive within minutes, a security researcher from the Eindhoven University of Technology has announced. Reports state that the vulnerabilities affect all Thunderbolt-enabled PCs manufactured before 2019.
Although hackers need physical access to a Windows or Linux computer to exploit the flaws, they could theoretically gain access to all data in about five minutes even if the laptop is locked, password protected, and has an encrypted hard drive. The entire process can reportedly be completed with a series of off-the-shelf components costing just a few hundred dollars. Perhaps most worryingly, the researcher says the flaws cannot be patched in software, and that a hardware redesign will be needed to completely fix the issues.
Read more here: https://www.theverge.com/2020/5/11/21254290/thunderbolt-security-vulnerability-thunderspy-encryption-access-intel-laptops
A hacker group is selling more than 73 million user records on the dark web
A hacker group going by the name of ShinyHunters claims to have breached ten companies and is currently selling their respective user databases on a dark web marketplace for illegal products.
The hackers are the same group who breached last week Tokopedia, Indonesia's largest online store. Hackers initially leaked 15 million user records online, for free, but later put the company's entire database of 91 million user records on sale for $5,000.
Encouraged and emboldened by the profits from the Tokopedia sale, the same group has, over the course of the current week, listed the databases of 10 more companies.
This includes user databases allegedly stolen from organizations such as:
· Online dating app Zoosk (30 million user records)
· Printing service Chatbooks (15 million user records)
· South Korean fashion platform SocialShare (6 million user records)
· Food delivery service Home Chef (8 million user records)
· Online marketplace Minted (5 million user records)
· Online newspaper Chronicle of Higher Education (3 million user records)
· South Korean furniture magazine GGuMim (2 million user records)
· Health magazine Mindful (2 million user records)
· Indonesia online store Bhinneka (1.2 million user records)
· US newspaper StarTribune (1 million user records)
The listed databases total for 73.2 million user records, which the hacker is selling for around $18,000, with each database sold separately.
Read more here: https://www.zdnet.com/article/a-hacker-group-is-selling-more-than-73-million-user-records-on-the-dark-web/
A cybercrime store is selling access to more than 43,000 hacked servers
MagBo, a shadowy online marketplace where hackers sell and buy hacked servers, is doing better than ever and has soared in popularity to become the largest criminal marketplace of its kind since its launch in the summer of 2018.
Two years later, the MagBo portal has grown more than 14 times in size and is currently selling access to more than 43,000 hacked websites, up from the 3,000 sites listed in September 2018.
Today, MagBo has become the de-facto go-to marketplace for many cybercrime operations. Some groups register on the MagBo platform to sell hacked servers, while others are there just to buy.
Those who buy, do it either in bulk (for black-hat SEO or for malware distribution) or selectively, for intrusions at high-value target (e-commerce stores for web skimming, intranets for ransomware).
All in all, the MagBo platform cannot be ignored anymore, as it appears to be here to stay, and is placing itself at the heart of many of today's cybercrime operations.
Ransomware: Why paying the crooks can actually cost you more in the long run
Ransomware is so dangerous because in many cases the victim doesn't feel like they have any other option other than to pay up – especially if the alternative is the whole organisation being out of operation for weeks, or even months, as it attempts to rebuild the network from scratch.
But handing over a bitcoin ransom to cyber criminals can actually double the cost of recovery according to analysis by researchers at Sophos, published in the new State of Ransomware 2020 report, which has been released three years to the day from the start of the global WannaCry ransomware outbreak.
A survey of organisations affected by ransomware attacks found that the average total cost of a ransomware attack for organisations that paid the ransom is almost $1.4m, while for those who didn't give into ransom demands, the average cost is half of that, coming in at $732,000.
Often, this is because retrieving the encryption key from the attackers isn't a simple fix for the mess they created, meaning that not only does the organisation pay out a ransom, they also have additional costs around restoring the network when some portions of it are still locked down after the cyber criminals have taken their money.
According to the report, one in four organisations said they paid the ransom in order to get their files back. It's one of the key reasons why ransomware remains a successful tactic for crooks, because victims pay up – often sums of six-figures or more – and are therefore encouraging cyber criminals to continue with attacks that often can't be traced back to a culprit.
Read the full article here: https://www.zdnet.com/article/ransomware-why-paying-the-crooks-can-actually-cost-you-more-in-the-long-run/
This powerful Android malware stayed hidden for years, infecting tens of thousands of smartphones
A carefully managed hacking and espionage campaign is infecting smartphones with a potent form of Android malware, providing those behind it with total control of the device, while also remaining completely hidden from the user.
Mandrake spyware abuses legitimate Android functions to help gain access to everything on the compromised device in attacks that can gather almost any information about the user.
The attacker can browse and collect all data on the device, steal account credentials for accounts including banking applications. secretly take recordings of activity on the screen, track the GPS location of the user and more, all while continuously covering their tracks.
The full capabilities of Mandrake – which has been observed targeting users across Europe and the Americas – are detailed in a paper released by cybersecurity researchers this week. Mandrake has been active since 2016 and researchers previously detailed how the spyware operation was specifically targeting Australian users – but now it's targeting victims around the world.
Companies wrestle with growing cyber security threat: their own employees
Businesses deploy analytic tools to monitor staff as remote working increases data breach risk
As cyber criminals and hackers ramp up their attacks on businesses amid coronavirus-related disruption, companies are also facing another equally grave security threat: their own employees.
Companies are increasingly turning to Big Brother-style surveillance tools to stop staff from leaking or stealing sensitive data, as millions work away from the watchful eyes of their bosses and waves of job cuts leave some workers disgruntled.
In particular, a brisk market has sprung up for cyber security groups that wield machine learning and analytics to crunch data on employees’ activity and proactively flag worrying behaviours.
Read more here: https://www.ft.com/content/cae7905e-ced7-4562-b093-1ab58a557ff4
Cognizant: Ransomware Costs Could Reach $70m
IT services giant Cognizant has admitted that a ransomware attack it suffered back in April may end up costing the company as much as $70m.
The firm announced revenue of $4.2bn for the first quarter of 2020, an increase of 2.8% year-on-year. In this context, the $50-70m hit it expects to take in Q2 from the ransomware attack will not make a huge impact on the company.
However, the big numbers involved are illustrative of the persistent financial threat posed by ransomware, not to mention the reputational impact on customers.
The firm claimed on an earnings call that the company responded immediately to the threat, proactively taking systems offline after some internal assets were compromised. However, the resulting downtime and suspension of some customer accounts took their toll financially.
“Some clients opted to suspend our access to their networks,” they explained. “Billing was therefore impacted for a period of time, yet the cost of staffing these projects remained on our books.”
Remote workers were also affected as the attack hit the firm’s system for supporting its distributed workforce during the current pandemic.
Read more: https://www.infosecurity-magazine.com/news/cognizant-ransomware-costs-could/
Package delivery giant Pitney Bowes confirms second ransomware attack in 7 months
Package and mail delivery giant Pitney Bowes has suffered a second ransomware attack in the past seven months, ZDNet has learned.
The incident came to light earlier in the week after a ransomware gang known as Maze published a blog post claiming to have breached and encrypted the company's network.
The Maze crew provided proof of access in the form of 11 screenshots portraying directory listings from inside the company's computer network.
Pitney Bowes confirmed the incident stating they had detected a security incident related to Maze ransomware.
The company said it worked with third-party security consultants to take steps to stop the attack before any of its data was encrypted.
This is the second ransomware incident for Pitney Bowes in seven months.
In October 2019, Pitney Bowes disclosed a first ransomware attack. At the time, the company said it had some critical systems infected and encrypted by the Ryuk ransomware gang. The incident caused limited downtime to some package tracking systems.
Both the Ryuk and Maze ransomware gangs are what experts call "human-operated" ransomware strains. These types of ransomware infections take place after hackers breach a company's network, and take manual control of the malware to expand access to as many internal systems as possible before executing the actual ransomware to encrypt data and demand a ransom.
Read more here: https://www.zdnet.com/article/package-delivery-giant-pitney-bowes-confirms-second-ransomware-attack-in-7-months/
Law Firm Representing Drake, Lady Gaga, Madonna And More Hit By Cyber Attack As Hackers Claim To Have Stolen Personal Information And Contracts
A law firm representing many of the world's most famous celebrities has been hacked.
The website of Grubman Shire Meiselas & Sacks has been taken offline, and hackers claim to have stolen some 756GB of data relating to its clients.
Singers, actors and other stars have worked with the law firm, according to old versions of its website, with more than 200 very high-profile celebrities and companies said to have used its services.
They include Madonna, Lady Gaga, Elton John and Drake.
The hackers behind the attack claim to have person information on celebrities including letters, as well as official contracts.
Hackers have already released a purported screenshot of a Madonna contract in an attempt to prove they have access to personal files.
It is not known what the hackers are demanding in return for the files, or whether negotiations are ongoing.
"We can confirm that we've been victimised by a cyber-attack," the firm said in a media statement. "We have notified our clients and our staff.
"We have hired the world's experts who specialise in this area, and we are working around the clock to address these matters."
The hack used a piece of software known as REvil or Sodinokibi. Similar software took foreign exchange company Travelex offline in January, as part of a major hack.
Traditionally, such ransomware has been used to lock down computers and demand money from their owners to unlock them again, and grant access to files.
Increasingly, hackers threaten to release those files to the public if their demands are not met.
Read the original article: https://www.independent.co.uk/life-style/gadgets-and-tech/news/celebrity-hack-law-firm-cyber-attack-drake-madonna-lady-gaga-a9511976.html
Lights stay on despite cyber-attack on UK's electricity system
Britain’s energy system has fallen victim to a cyber-attack targeting the IT infrastructure used to run the electricity market.
The electricity system’s administrator, Elexon, confirmed that it was affected by a cyber-attack on Thursday afternoon but that the key systems used to govern the electricity market were not affected.
National Grid is investigating whether the attack could affect the part of its business tasked with keeping the lights on.
A spokesman for the energy system operator said electricity supplies had not been affected, and there were “robust cybersecurity measures in place” to make sure the UK continues to receive reliable electricity.
“We’re aware of a cyber intrusion on Elexon’s internal IT systems. We’re investigating the matter and any potential impact on our own IT networks,” he said.
Elexon is a vital part of the UK electricity market because it carefully monitors the electricity generated by energy companies to match this with what National Grid expects to receive, and to make sure that generators are paid the correct amount for the energy they generate.
Cyber Weekly Flash Briefing for 21 February 2020 – Adobe out-of-band fix, critical Cisco bugs, Insider Threats, PayPal phishing, Supply Chain Risks
Cyber Weekly Flash Briefing for 21 February 2020 – Adobe out of band fix, critical Cisco bugs, Insider Threats, PayPal phishing, Supply Chain Risks
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Adobe releases out-of-band patch for critical code execution vulnerabilities
Adobe has released an out-of-schedule fix to resolve two vulnerabilities that may expose user systems to code execution attacks.
On Wednesday, the software vendor released two separate security advisories describing the issues, warning that each bug is deemed critical, the highest severity score available. However, there is at present no evidence the vulnerabilities are being exploited in the wild.
The first vulnerability impacts Adobe Media Encoder versions 14.0 and earlier on the Microsoft Windows platform. The second vulnerability impacts Adobe After Effects versions 16.1.2 and earlier also on Windows machines.
Read more on ZDnet here: https://www.zdnet.com/article/adobe-releases-out-of-schedule-fixes-for-critical-vulnerabilities/
Critical Cisco Bug Opens Software Licencing Manager to Remote Attack
A default password would let anyone access the Cisco Smart Software Manager On-Prem Base platform, even if it’s not directly connected to the internet.
A critical flaw in the High Availability (HA) service of Cisco Smart Software Manager On-Prem Base has been uncovered, which would open the door to remote attackers thanks to its use of a static, default password, even if the platform isn’t directly connected to the internet.
Cisco Smart Software Manager On-Prem Base is used to manage a customer or partner’s product licenses, providing near real-time visibility and reporting of the Cisco licenses that an organisation purchases and consumes. According to Cisco’s product literature, the platform is aimed at “customers who have strict security requirements and do not want their products to communicate with the central licensing database on Smart Software Manager over a direct Internet connection,” like financial institutions, utilities, service providers and government organisations.
Read the full article on ThreatPost here: https://threatpost.com/critical-cisco-bug-software-licencing-remote-attack/153086/
97% of IT leaders majorly concerned by insider data breaches
A study has found that 97% of IT leaders are concerned that data will be exposed by their own employees, leading to insider breaches
This findings from the survey spelled a lack of reassurance for decision makers regarding insider breaches over the past 12 months.
Also, 78% of IT leaders surveyed said that employees have put data at risk accidentally within the last year, while 75% say that intentional compromise of data security has occurred.
While the former statistic has remained stable since 2019, the latter saw a 14% jump.
In the UK, 63% declared intentional data security compromise, while 68% said this was accidental. This contrasted with leaders in the Benelux region, 89% of whom said that data was put at risk intentionally, and 91% accidentally.
Read more here: https://www.information-age.com/it-leaders-majorly-concerned-insider-data-breaches-123487769/
PayPal remains the most‑spoofed brand in phishing scams
PayPal, Facebook, Microsoft, Netflix, and WhatsApp were the most commonly impersonated brands in phishing campaigns in the fourth quarter of 2019.
The payment services provider retained its top spot from the previous quarter, according to data gleaned from the number of unique phishing URLs detected by the company. Thanks to the immediate financial payback and a pool of 305 million active users worldwide, PayPal’s continued popularity among phishers isn’t all that surprising.
PayPal-themed phishing campaigns usually target both consumers and SMB employees, with researchers pointing to an example of a recent fraudulent email that alerted users to an “unusual activity on your account”. A similar campaign was recently uncovered by researchers.
Social media phishing continues to grow with Facebook taking second place on the list. Meanwhile, WhatsApp jumped a whopping 63 spots to take fifth place and Instagram surged 16 places to take the 13th spot.
More: https://www.welivesecurity.com/2020/02/14/paypal-remains-most-spoofed-brand-phishing-scams/
Windows 10 update: Microsoft admits serious problem, here's how to fix it
It was recently discovered that the newest Windows 10 update was somehow deleting users’ files. The update has been live for over a week now, but fear not (or at least not too much) Windows fans, Microsoft has now said (unofficially) that it’s found a fix.
Thanks to Windows Latest (via TechRadar), we now know how Windows is responding to the problem. The site interviewed unnamed Microsoft support team staff, one of which was quoted as saying: “Microsoft is aware of this known issue and our engineers are working diligently to find a solution for it.” In addition, it’s been reported that the Windows team have been able to replicate the bug and find one potential way of restoring any lost files.
Read the full article here: https://www.tomsguide.com/news/windows-10-update-microsoft-admits-serious-problem-heres-how-to-fix-it
Mitigating Risk in Supply Chain Attacks
In the last year, the number of global businesses falling victim to supply chain attacks more than doubled from 16 to 34 per cent – in the UK the picture is even worse with a staggering 42 per cent reporting they fell victim to these sorts of attacks.
This kind of attack is a powerful threat as it enables malicious code to slip into an organisation through trusted sources. What is worse is that it’s a tougher threat for traditional security approaches to account for.
Of even more concern though is that this particular attack vector doesn’t appear to be a top priority for businesses. The same survey found only 42 per cent of respondents have vetted all new and existing software suppliers in the past 12 months. While this has led to 30 per cent of respondents believing with absolute certainty that their organisation will become more resilient to supply chain attacks over the next 12 months, the increasing scale and frequency of these attacks demands a proportionate response.
The problem is that many businesses fail to understand how quickly adversaries can move laterally through the network via this sort of compromise and how much damage can be done in that short amount of time. There is an educational need for the cyber industry to broadcast the potential consequences of supply chain attacks, and to share best practices around their defence and mitigation.
Adversaries use supply chain attacks as a sneaky weak point through which to creep into the enterprise and attack software further up the supply chain rather than going straight for their final target: An organisation with funds or information they wish to pilfer, or whom they will ‘merely’ disrupt. Once an adversary successfully compromises the chain, their M.O. is to modify the trusted software to perform additional, malicious activities. If not discovered, compromised software can then be delivered throughout an organisation via software updates.
Read the original article here: https://www.cbronline.com/opinion/mitigating-risk-in-supply-chain-attacks
Russia’s GRU was behind cyber attacks on Georgian government and media, says NCSC
British security officials have identified a Russian military intelligence unit as the source of a series of “large-scale, disruptive cyber attacks” on Georgia last autumn.
The former Soviet Union state suffered a spree of attacks on its government websites, national broadcasters and NGOs over several hours on 28 October 2019.
Analysts at the National Cyber Security Centre have concluded “with the highest level of probability” that the attacks, aimed at web hosting providers, were carried out by the GRU in a bid to destabilise the country.
Read more here: https://tech.newstatesman.com/security/russia-gru-cyber-attacks-georgia-ncsc
UK Google users could lose EU GDPR data protections
Google is to move the data and user accounts of its British users from the EU to the US, placing them outside the strong privacy protections offered by European regulators.
The shift, prompted by Britain’s exit from the EU, will leave the sensitive personal information of tens of millions not covered by Europe’s world-leading General Data Protection Regulation (GDPR) and therefore with less protection and within easier reach of British law enforcement.
Google intends to require its British users to acknowledge new terms of service including the new jurisdiction, according to people familiar with the plans.
ISS World “malware attack” leaves employees offline
Global facilities company ISS World, headquartered in Denmark, has shuttered most of its computer systems worldwide after suffering what it describes as a “security incident impacting parts of the IT environment.”
The company’s website currently shows a holding page, with no clickable links on it.
Some media outlets – for example, the BBC – have mentioned ransomware prominently in their coverage of the issue, perhaps because of the suddenness of the story, but at the moment we simply don’t know what sort of malware was involved.
As you can imagine, facilities companies that provide services such as cleaning and catering rely heavily on IT systems for managing their operations.
Read the full article here: https://nakedsecurity.sophos.com/2020/02/20/iss-world-malware-attack-leaves-employees-offline/
Google is trying to scare Microsoft Edge users into switching to Chrome
Could Google be worried about the new Edge browser stealing away Chrome users? It seems that way, with the company now displaying a warning to people using Microsoft’s new web browser when they access the Chrome web store.
Originally, Microsoft’s Edge web browser was a deeply unpopular piece of software, despite it being the default web browser in Windows 10, which led Microsoft to overhaul the app, and it’s now based on the same Chromium engine as Chrome.
Edge users who visit the Chrome web store are seeing a warning message that says “Google recommends switching to Chrome to use extensions securely.”
Read more here: https://www.techradar.com/uk/news/google-is-trying-to-scare-microsoft-edge-users-into-switching-to-chrome
Your home PC is twice as likely to get infected as your work laptop
Outdated operating systems and poor security put consumer PCs at risk
Consumer PCs are twice as likely to get infected as business PCs, new research has revealed.
According to the findings, the reason consumer PCs are more susceptible to infections is due to the fact that many are running outdated operating systems such as Windows 7 and because consumers aren't employing the same security solutions used by businesses which offer greater protection.
Of the infected consumer devices, more than 35 percent were infected over three times and nearly 10 percent encountered six or more infections.
Week in review 17 November 2019: phishing targeting webmail, insider threats, how ransomware strikes, cyber skills shortages
Week in review 17 November 2019: phishing targeting webmail, insider threats, how ransomware strikes, cyber skills shortages
Round up of the most significant open source stories of the last week
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Phishing Increasingly Targets SaaS, Webmail
How can companies protect their sensitive data and prevent employees from falling prey to phishing attacks?
In today’s digital age, virtually every organisation must wage a cybersecurity battle to protect its data. Winning this battle requires engaging security experts, securing assets, strengthening authentication and educating users.
According to the Anti-Phishing Working Group’s (APWG) Phishing Activity Trends Report, 1st Quarter 2019, phishing of software-as-a-service (SaaS) and webmail services has surpassed phishing of payment services for the first time. SaaS and webmail are now the most-targeted sectors, suffering 36% of phishing attacks (compared to 27% for payment services). The report emphasizes that usernames and passwords are not enough to protect against phishing and underscores the need for strong authentication.
Phishing, one of the most prevalent types of cybersecurity attacks, attempts to steal user credentials and corporate data via users’ email inboxes. Hackers posing as legitimate businesses send e-mails with links that lead unsuspecting users to bogus websites. The hackers’ goal is to deceive recipients into revealing usernames and passwords, which allow them to gain access to private company data.
Read the full article here: https://securityboulevard.com/2019/11/phishing-increasingly-targets-saas-webmail/
Insider Threats, a Cybercriminal Favourite, Not Easy to Mitigate
Rogue employees — not just external threat groups — pose a formidable threat to incident response teams.
Insider threats are an ongoing top danger for companies — but when it comes to mitigation efforts, incident-response teams face an array of challenges.
Discussions with various incident-response teams revealed that between 25 to 30 percent of data breaches involved an external actor working with an internal person in an organisation, according to a senior security architect with OpenText.
We used to focus on external threat actors, but now, when compromising the network, many have someone on the inside, whether it’s because they bribed them or blackmailed them
Read the full article here: https://threatpost.com/insider-threats-cybercriminal-favorite/150128/
How ransomware attacks
More than a decade after it first emerged, is the world any closer to stopping ransomware?
Judging from the growing toll of large organisations caught out by what has become the weapon of choice for so many criminals, it’s tempting to conclude not.
The problem for defenders, as documented in SophosLabs’ new report How Ransomware Attacks, is that although almost all ransomware uses the same trick – encrypting files or entire disks and extorting a ransom for their safe return – how it evades defences to reach data keeps evolving.
This means that a static analysis technique that stopped a strain of ransomware today may not stop an evolved counterpart in just a few weeks time. This creates a major challenge for organisations and security companies alike.
As the growing number of high-profile ransomware attacks reminds us, sugar coating the issue would be deluded – ransomware has grown as an industry because it works for the people who use it, which means it beats the defences of victims often enough to deliver a significant revenue stream.
For the full article click here: https://nakedsecurity.sophos.com/2019/11/15/how-ransomware-attacks/
To go straight to the Sophos report click here: https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/sophoslabs-ransomware-behavior-report.pdf
Cybersecurity Skills Shortage Tops Four Million
Global IT security skills shortages have now surpassed four million, according to (ISC)2.
The certifications organization compiled its latest Cybersecurity Workforce Study from interviews with over 3200 security professionals around the world.
The number of unfilled positions now stands at 4.07 million professionals, up from 2.93 million this time last year. This includes 561,000 in North America and a staggering 2.6 million shortfall in APAC.
The shortage of skilled workers in the industry in Europe has soared by more than 100% over the same period, from 142,000 to 291,000.
The report estimated the current global workforce at 2.93 million, including 289,000 in the UK and 805,000 in the US.
Nearly two-thirds (65%) of responding organizations reported a shortage of cybersecurity staff, with a lack of skilled or experienced security personnel their number one workplace concern (36%).
Read the full article here: https://www.infosecurity-magazine.com/news/cybersecurity-skills-shortage-tops/
Week in review 13 October 2019: Europol state ransomware dominated in 2019, 11 ways employees can be the weak link in your security, steps firms should take to improve their incident response strategy
Week in review 13 October 2019: Europol state ransomware dominated in 2019, 11 ways employees can be the weak link in your security, steps firms should take to improve their incident response strategy
Round up of the most significant open source stories of the last week
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Ransomware still dominates the cyber threat landscape in 2019 – Europol report
Despite ransomware attack rates waning, Europol says a shift in tailored campaigns against business targets has ensured the malware holds the top spot in this year’s Internet Organised Crime Threat Assessment (IOCTA) report.
According to the European law enforcement body's annual report, published today (Wednesday), attacks utilising ransomware are now “more targeted, more profitable and cause greater economic damage”.
The 63-page IOCTA report says that since ransomware entered the spotlight in 2016 with global attacks like WannaCry and NotPetya, the malware has remained a “relatively easy income” for cybercriminals – offering a more stable return than banking trojans.
Ransomware notably locks and encrypts infected systems and files with the promise of returning functionality once a fee is paid.
11 Ways Employees Can Be Your Weak Link for Cybersecurity
Each year, incidences of cyberattacks on companies are increasing with the intent to steal sensitive information. There are cybersecurity tools made to protect organisations, but many of these tools focus on external attacks, not internal weaknesses. Many security systems do not focus on the possibility of employees unknowingly becoming a security threat and do nothing to mitigate accidental internal threats. Employee cybersecurity is an important issue.
The 2018 Insider Threat Report asserted that 90% of organisations are likely to be attacked or exposed to attacks through an insider, and more than 50% experienced an attack through an insider. Furthermore, about 44% of top companies are exposed to potential threats as a result of exposure of passwords on the internet by their employees or theft of login details.
Read the full article for the full list here:
11 steps organisations should take to improve their incident response strategy
As the year draws to a close, it is time for businesses across all industries and sectors to reflect and prepare for the upcoming new year. With this in mind, FIRST has produced 11 vital steps that organisations should take to improve their incident response strategy.
It is highly likely that an organisation will face a cybersecurity incident of some sort at some point in its lifetime, regardless of the level of cybersecurity defence in place.
According to a global survey undertaken by Marsh in partnership with Microsoft, two-thirds of respondents ranked cybersecurity as a top five risk management priority, but only 19% expressed high confidence in their organisation’s ability to manage and respond to a cyber event, and only 30% have developed a plan to do so.
More info and the full list of steps organisations can take here:
https://www.helpnetsecurity.com/2019/10/11/organizations-incident-response-strategy/
APT Actors Hitting UK Organisations via Trio of VPN Vulnerabilities: NCSC
Hundreds of British organisations are vulnerable to VPN attacks being launched by sophisticated Advanced Persistent Threat (APT) actors, who are actively exploiting vulnerabilities in a trio of commercial VPN products, the NCSC has warned.
The organisation, overseen by GCHQ, warned: “This activity is ongoing, targeting both UK and international organisations. Affected sectors include government, military, academic, business and healthcare. These vulnerabilities are well documented in open source, and industry data indicates that hundreds of UK hosts may be vulnerable.”
Phishing attempts increase 400%
1 in 50 URLs are malicious, nearly one-third of phishing sites use HTTPS and Windows 7 exploits have grown 75% since January.
A new report also highlights the importance of user education, as phishing lures have become more personalized as hackers use stolen data for more than just account takeover.
Hackers are using trusted domains and HTTPS to trick victims, with nearly a quarter (24%) of malicious URLs found to be hosted on trusted domains, as hackers know trusted domain URLs raise less suspicion among users and are more difficult for security measures to block. Nearly a third (29%) of detected phishing web pages use HTTPS as a method to trick users into believing they’re on a trusted site via the padlock symbol.
Phishing grew rapidly, with a 400% increase in URLs discovered from January to July 2019.
The top industries impersonated by phishing include:
· 25% are SaaS/Webmail providers
· 19% are financial institutions
· 16% social media
· 14% retail
· 11% file hosting
· 8% payment services companies
Phishing lures are also becoming more personalised and users still using Windows 7 face more risks with infections increasing by 71%
https://www.helpnetsecurity.com/2019/10/09/phishing-increase-2019/
Email Threat Report Summary
FireEye at Cyber Defense Summit announced the release of its latest email threat update. The analysis of more than two billion emails is visually depicted within their new infographic (these findings are the result of FireEye analysis against a sample set of more than two billion emails from April through June 2019).
To summarise, FireEye has identified several significant themes:
Attackers Are Getting Ahead in the Cloud: As companies continue migrating to the cloud, bad actors are abusing cloud services to deploy phishing attacks. Some of the most common tactics include hosting Microsoft-themed phishing pages with Microsoft Azure, nesting embedded phish URLs in documents hosted on popular file sharing services, and establishing phishing URL redirects on popular email delivery platforms.
Microsoft Continues to Be the Most Popular Brand Used in Phishing Lures: A typical phishing email impersonates a well-known contact or trusted company to induce the recipient to click on an embedded link, with the ultimate goal of credential or credit card harvesting. During the evaluated period, FireEye saw Microsoft- and Office 365-themed phishing attacks increase by 12 percent quarter over quarter, as Microsoft continues to be the most popular brand utilised in phishing attacks, with 68 percent of all phishing detections.
Entertainment/Media/Hospitality Most Targeted Vertical: Q2 saw a shakeup in the most targeted vertical industries. Entertainment/Media/Hospitality has stolen the number one spot from Financial Services, which dropped to number two. Other highly targeted verticals for email-based attacks include Manufacturing, Service Providers, Telecom, State & Local Government, Services/Consulting, and Insurance.
Insider threats are security’s new reality - the biggest danger to data security yet prevention solutions aren’t working
Insider threats expose companies to breaches and put corporate data at risk. New research questions whether the right data security solutions are being funded and deployed to stop insider threats and asserts that legacy data loss prevention solutions fall short in getting the job done.
79% of information security leaders believe that employees are an effective frontline of defence against data breaches. However, this year’s report disputes that notion.
Recognising that employees are the power behind any organisation, companies are increasingly implementing strategies for collaboration to make information sharing easier than ever.
69% of organisations that were breached due to insider threats already had a prevention solution in place at the time of the breach that did little to prevent it.
Unfortunately, some organizations have not put in appropriate detection and response data security controls, and instead simply trust employees to keep data safe. However, this trust is frequently abused.
The study showed that employees take more risks with data than employers think, which leaves organizations open to insider threat.
https://www.helpnetsecurity.com/2019/10/07/insider-threat-risk/
Many companies are failing to secure their data in the cloud
A large proportion of businesses are failing to secure the data they have stored in the cloud, a new report has claimed.
The report argues that almost half (48 per cent) of all corporate data is stored in the cloud nowadays, however just a third of organisations (32 per cent) go for a security-first approach with this data. Further on, the report uncovers that less than a third of organisations (31 per cent) believe it’s their responsibility to keep data safe, at all.
To make matters worse, companies are planning on using the cloud even more. Almost half (48 per cent) have a multi-cloud strategy, opting for the likes of Amazon Web Services (AWS), Microsoft Azure and IBM. On average, organisations use three different cloud service providers, with a quarter (28 per cent) using four or more.
Despite having its sights locked onto the cloud, almost half of organisations still see it as a security risk, particularly when saving consumer data. In most cases, they also see it as a compliance risk. However, not everyone believes that it’s entirely their obligation to keep the data safe – a third believes they should share this responsibility with the cloud providers, and another third believes this is entirely the cloud provider’s job.
https://www.itproportal.com/news/many-companies-are-failing-to-secure-their-data-in-the-cloud/
Cyber Attacks Are North Korea's New Weapon of Choice
According to The Associated Press, North Korea has reportedly generated nearly two billion dollars to fund its nuclear weapons programs with unprecedented cyber activities against financial institutions and cryptocurrency exchanges all around the world. As a result, United Nations experts are currently investigating at least thirty-five instances in seventeen victim countries, including Costa Rica, Gambia, Guatemala, Kuwait, and Liberia. Of the many targets for cyberattacks, South Korea is often the hardest-hit.
https://nationalinterest.org/blog/korea-watch/cyber-attacks-are-north-koreas-new-weapon-choice-87526