Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

• How Confident Are Companies In Managing Their Current Threat Exposure?

Crossword Cybersecurity has released a report based on the findings of a survey of over 200 CISOs and senior UK cyber security professionals. The paper reveals companies are more concerned and exposed to cyber threats than ever before, with 61 percent describing themselves as at best only “fairly confident” at managing their current cyber security threat exposure, which should raise some eyebrows around the boardroom.

Respondents also feared their cyber strategy would not keep pace with the rate of tech innovation and changes in the threat landscape. 40 percent of organisations believe their existing cyber strategy will be outdated in two years, and a further 37 percent within three years. Additional investment is needed to address longer term planning, with 44 percent saying they only have sufficient resources in their organisation to focus on the immediate and mid-term cyber threats and tech trends.

https://www.helpnetsecurity.com/2022/05/26/organizations-cyber-strategy/

• 'There's No Ceiling': Ransomware's Alarming Growth Signals A New Era, Verizon DBIR Finds

Ransomware has become so efficient, and the underground economy so professional, that traditional monetisation of stolen data may be on its way out.

The past year has seen a staggering acceleration in ransomware incidents, with 25% of all breaches containing a ransomware component.

That's the top-line finding in the 2022 Verizon Data Breach Investigations Report (DBIR), which found that ransomware events in conjunction with breaches ballooned 13% in the past year — last year's report found that just 12% of incidents were ransomware-related. That translates into a rate of increase that's more than the previous five years of growth combined.

The 15th annual DBIR analysed 23,896 security incidents, of which 5,212 were confirmed breaches. About four in five of those were the handiwork of external cyber criminal gangs and threat groups, according to Verizon. And according to Alex Pinto, manager of the Verizon Security Research team, these nefarious types are finding it easier and easier to earn an ill-gotten living with ransomware, making other types of breaches increasingly obsolete.

"Everything in cyber crime has become so commoditised, so much like a business now, and it's just too darn efficient of a methodology for monetising their activity," he tells Dark Reading, noting that with the emergence of ransomware as-a-service (RaaS) and initial-access brokers, it takes very little skill or effort to get into the extortion game.

"Before, you had to get in somehow, look around, and find something worth stealing that would have a reseller on the other end," he explains. "In 2008 when we started the DBIR, it was by and large payment-card data that was stolen. Now, that has fallen precipitously because they can just pay for access someone else established and install rented ransomware, and it's so much simpler to reach the same goal of getting money."

https://www.darkreading.com/attacks-breaches/ransomware-alarming-growth-verizon-dbir

• Paying Ransom Doesn’t Guarantee Data Recovery

A Veeam report has found that 72% of organisations had partial or complete attacks on their backup repositories, dramatically impacting the ability to recover data without paying the ransom.

Additionally, 76% of organisations admitted to paying the ransom. But while 52% paid the ransom and were able to recover data, 24% paid the ransom but were still not able to recover data.

https://www.helpnetsecurity.com/2022/05/24/paying-ransom-recover-data-video/

• Report: Frequency Of Cyber Attacks in 2022 Has Increased By Almost 3M

Kaspersky has released a new report revealing a growing number of cyber attacks on small businesses in 2022 so far. Researchers compared the period between January and April 2022 to the same period in 2021, finding increases in the numbers of Trojan-PSW detections, internet attacks and attacks on Remote Desktop Protocol.

In 2022, the number of Trojan-PSW (Password Stealing Ware) detections increased globally by almost a quarter compared to the same period in 2021 一 4,003,323 to 3,029,903. Trojan-PSW is a malware that steals passwords, along with other account information, which then allows attackers to gain access to the company network and steal sensitive information.

Internet attacks grew from 32,500,000 globally in the analysed period of 2021 to almost 35,400,000 in 2022. These can include web pages with redirects to exploits, sites containing exploits and other malicious programs, botnet command & control centres and more.

The number of attacks on Remote Desktop Protocol grew in the U.S. (while dropping slightly globally), going from 47.5 million attacks in the first trimester of 2021 to 51 million in the same period of 2022. With the widespread shift toward remote work, many companies have introduced Remote Desktop Protocol (RDP), a technology that enables computers on the same corporate network to be linked together and accessed remotely, even when the employees are at home.

With small business owners typically handling numerous responsibilities at the same time, cyber security is often an afterthought. However, this disregard for IT security is being exploited by cyber criminals. The Kaspersky study sought to assess the threats that pose an increasing danger to entrepreneurs.

https://venturebeat.com/2022/05/20/report-frequency-of-cyberattacks-in-2022-has-increased-by-almost-3m/

• New Zoom Flaws Could Let Attackers Hack Victims Just By Sending Them A Message

Popular video conferencing service Zoom has resolved as many as four security vulnerabilities, which could be exploited to compromise another user over chat by sending specially crafted Extensible Messaging and Presence Protocol (XMPP) messages and execute malicious code.

With Zoom's chat functionality built on top of the XMPP standard, successful exploitation of the issues could enable an attacker to force a vulnerable client to masquerade a Zoom user, connect to a malicious server, and even download a rogue update, resulting in arbitrary code execution stemming from a downgrade attack.

https://thehackernews.com/2022/05/new-zoom-flaws-could-let-attackers-hack.html

• VMware, Airline Targeted As Ransomware Chaos Reigns

Global ransomware incidents target everything from enterprise servers to grounding an airline, with one India-based group even taking a Robin Hood approach to extortion with the "GoodWill" strain.

Ransomware incidents are on the rise and this week proved no exception, with the discovery of a Linux-based ransomware family called Cheerscrypt targeting VMware ESXi servers and an attack on SpiceJet, India’s second largest airline.

Meanwhile, an oddball "GoodWill" variant purports to help the needy.

The Cheerscrypt ransomware variant was uncovered by Trend Micro and relies on the double-extortion scheme to coerce victims to pay the ransom – i.e., stealing data as well and threatening to leak it if victims don’t pay up.

Because of the popularity of ESXi servers for creating and running multiple virtual machines (VMs) in enterprise settings, the Cheerscrypt ransomware could be appealing to malicious actors looking to rapidly distribute ransomware across many devices.

Meanwhile, low-cost carrier SpiceJet faced a ransomware attack this week, causing flight delays of between two and five hours as well as rendering unavailable online booking systems and customer service portals.

While the company’s IT team announced on Twitter that it had successfully prevented the attempted attack before it was able to fully breach all internal systems and take them over, customers and employees are still experiencing the ramifications.

https://www.darkreading.com/attacks-breaches/vmware-airline-targeted-as-ransomware-chaos-reigns

• Crypto Hacks Aren't A Niche Concern; They Impact Wider Society

Million-dollar crypto heists are becoming more common as the currency starts to go mainstream; prevention and enforcement haven't kept pace.

The attack against the Ronin Network in March was quickly speculated to be one of the largest cryptocurrency hacks of all time. Approximately $540 million was stolen from the cryptocurrency and NFT games company in a combination of USDC and Etherium, with $400 million of the stolen funds owned by customers playing the game Axie Infinity.

This attack was the latest in a string of thefts perpetrated against crypto and should be a jolt to both the digital asset and cyber security communities to bring the security of cryptocurrencies into line.

The current vogue of large-scale crypto heists goes as far back as the 2014 Mt. Gox hack (another cryptocurrency exchange built around a game, Magic: The Gathering), which went into bankruptcy after losing $460 million of assets.

However, the trend has been gathering pace. In the months leading up to the Ronin Network attack, cyber criminals stole nearly $200 million worth of cryptocurrency from the crypto trading platform BitMart, attacked 400 Crypto.com users, and orchestrated NFT-related scams, to name but a few incidents.

There is often an uncomfortable tendency to see these attacks as something that takes place in isolation in a remote part of the Internet when they actually have a huge impact on thousands of people.

https://www.darkreading.com/attacks-breaches/crypto-hacks-aren-t-a-niche-concern-they-impact-wider-society

• State Of Cyber Security Report 2022 Names Ransomware And Nation-State Attacks As Biggest Threats

Ransomware is the biggest concern for cyber security professionals, according to results of the Infosecurity Group’s 2022 State of Cybersecurity Report, produced by Infosecurity Europe and Infosecurity Magazine.

Cyber Security Professionals' Number One Concern: Ransomware.

This attack vector was voted as the biggest cyber security trend (28%) by the survey respondents (including CISOs, CTOs, CIOs and academics), marking a significant change from the previous report in 2020, where ransomware did not break the top three. This follows surging ransomware incidents in 2021, with ransom demands and payments growing significantly last year. A number of these attacks have also impacted critical industries, for example, taking down the US’ largest fuel pipeline.

The survey respondents also highlighted the evolving tactics and capabilities of ransomware attackers. This includes threat actors becoming more sophisticated as they evolve into loosely coupled service-based operations.

A number of cyber security professionals believe that cyber-criminal groups will become more guarded in their approach due to new initiatives by governments and law enforcement to tackle these activities.

Cyber Security Professionals' Number Two Concern: Nation-State Attacks.

The second biggest concern for survey respondents was geopolitics/nation-state attacks (24%), particularly the shifting hostilities from the Russia-Ukraine conflict into cyberspace. Russia already had a reputation for conducting offensive cyber operations prior to the conflict, and the Ukrainian government and critical services have experienced numerous attacks both before and since the war began.

https://www.infosecurity-magazine.com/news/2022-state-industry-report/

• Vishing (Voice Phishing) Cases Reach All Time High

Vishing (voice phishing) cases have increased almost 550 percent over the last twelve months (Q1 2021 to Q1 2022), according to the latest Quarterly Threat Trends & Intelligence Report from Agari and PhishLabs.

In Q1 2022, Agari and PhishLabs detected and mitigated hundreds of thousands of phishing, social media, email, and dark web threats targeting a broad range of enterprises and brands. The report provides an analysis of the latest findings and insights into key trends shaping the threat landscape.

According to the findings, vishing attacks have overtaken business email compromise (BEC) as the second most reported response-based email threat since Q3 2021. By the end of the year, more than one in four of every reported response-based threat was a vishing attack, and this makeup continued through Q1 2022.

https://www.helpnetsecurity.com/2022/05/24/vishing-cases-increased/

• DeFi (Decentralised Finance) Is Getting Pummelled By Cyber Criminals

Decentralised finance lost $1.8 billion to cyber attacks last year — and 80% of those events were the result of vulnerable code, analysts say.

Decentralised finance (DeFi) platforms — which connect various cryptocurrency blockchains to create a decentralised infrastructure for borrowing, trading, and other transactions — promise to replace banks as a secure and convenient way to invest in and spend cryptocurrency. But in addition to attracting hordes of new users with dreams of digital fortune, cyber criminals have discovered them to be an easy target, wiping out wallets to zero balances in a moment, tanking whole markets while profiting, and more, according to a new report.

Analysts with Bishop Fox found that DeFi platforms lost $1.8 billion to cyber attacks in 2021 alone. With a total of 65 events observed, 90% of the losses came from unsophisticated attacks, according to the report, which points to the lax cyber security practices of the sector.

DeFi averaged five attacks per week last year, with most of them (51%) coming from the exploitation of "smart contracts" bugs, the analysts found. Smart contracts are essentially records of transactions, stored on the blockchain.

Other top DeFi attack vectors include cryptowallets, protocol design flaws, and so-called "rug-pull" scams (where investors are lured to a new cryptocurrency project that is then abandoned, leaving targets with a worthless currency). But taken together, 80% of all events were caused by the use (and re-use) of buggy code, according to the report.

https://www.darkreading.com/attacks-breaches/defi-pummeled-by-cybercriminals

Threats

Ransomware

• Ransomware Attacks Increasing at “Alarming” Rate - Infosecurity Magazine

• VMware, Airline Targeted as Ransomware Chaos Reigns (darkreading.com)

• Clop ransomware gang is back, hits 21 victims in a single month (bleepingcomputer.com)

• Link Found Connecting Chaos, Onyx and Yashma Ransomware | Threatpost

• Ransomware demands three good demands to restore files • The Register

• Ransomware Cheerscrypt targets VMware ESXi systems • The Register

• New Chaos Malware Variant Ditches Wiper for Encryption (darkreading.com)

• CLOP Ransomware Activity Spiked in April (darkreading.com)

• Industrial Spy data extortion market gets into the ransomware game (bleepingcomputer.com)

• BlackCat/ALPHV ransomware asks $5 million to unlock Austrian state (bleepingcomputer.com)

• Conti Ransomware Operation Shut Down After Splitting into Smaller Groups (thehackernews.com)

• Suspected phishing email crime boss arrested in Nigeria • The Register

BEC – Business Email Compromise

• Interpol arrests alleged leader of the SilverTerrier BEC gang (bleepingcomputer.com)

• Cyber security breach at the city of Portland led to fraudulent $1.4M transaction | KATU

Phishing & Email Based Attacks

• Intuit warns of QuickBooks phishing threatening to suspend accounts (bleepingcomputer.com)

• NCSC Report Reveals Phishing Lures Increasingly Disguised as Vaccine Appointments - Infosecurity Magazine

• Suspected phishing email crime boss arrested in Nigeria • The Register

Other Social Engineering

• Vishing Attacks Reach All Time High, According to Latest Agari and PhishLabs Report (darkreading.com)

Malware

• BPFDoor malware uses Solaris vulnerability to get root privileges (bleepingcomputer.com)

• Snake Keylogger Spreads Through Malicious PDFs | Threatpost

• New Windows Subsystem for Linux malware steals browser auth cookies (bleepingcomputer.com)

• This Windows malware uses PowerShell to subvert Chrome • The Register

• Hackers have found a new way to smuggle malware onto your device | TechRadar

• Cyber Security Community Warned of Fake PoC Exploits Delivering Malware | SecurityWeek.Com

• Popular Python and PHP libraries hijacked to steal AWS keys (bleepingcomputer.com)

• New Attack Shows Weaponized PDF Files Remain a Threat (darkreading.com)

Mobile

• Microsoft finds severe bugs in Android apps from large mobile providers (bleepingcomputer.com)

• Google warns Android smartphones targeted by dangerous Predator spyware | TechRadar

• New ERMAC 2.0 Android malware steals accounts, wallets from 467 apps (bleepingcomputer.com)

BYOD

• Spring Cleaning Checklist for Keeping Your Devices Safe at Work (darkreading.com)

Data Breaches/Leaks

• GM Discloses Data Breach of Cars' Locations, Mileage, Service (gizmodo.com)

• MGM Resorts' customer data now leaked on Telegram for free • The Register

Organised Crime & Criminal Actors

• REvil prosecutions reach a 'dead end,' Russian media reports - CyberScoop

• Scammer Behind $568M International Cyber Crime Syndicate Gets 4 Years (darkreading.com)

• Multi-Continental Operation Leads to Arrest of Cyber Crime Gang Leader - Infosecurity Magazine

Cryptocurrency/Cryptomining/Cryptojacking/NFTs

• Hacker Steals $1.4 Million in NFTs From Collector In One Sweep (vice.com)

• 8 ways to avoid NFT scams (techtarget.com)

Insider Risk and Insider Threats

• 68% of Legal Sector Data Breaches Caused by Insider Threats - Infosecurity Magazine

• Verizon Report: Ransomware, Human Error Among Top Security Risks | Threatpost

Dark Web

• Military cyber weapons could become available on dark web: Interpol (cnbc.com)

• Darknet market Versus shuts down after hacker leaks security flaw (bleepingcomputer.com)

Supply Chain and Third Parties

• Use of Obfuscated Beacons in ‘pymafka’ Supply Chain Attack Signals a New Trend in macOS Attack TTPs - SentinelOne

Denial of Service DoS/DDoS

• Cybergang Claims REvil is Back, Executes DDoS Attacks | Threatpost

• DDoS Extortion Attack Flagged as Possible REvil Resurgence (darkreading.com)

• Anatomy of a DDoS amplification attack - Microsoft Security Blog

Cloud/SaaS

• Security has become more difficult, IT leaders say - Help Net Security

Attack Surface Management

• Where is attack surface management headed? - Help Net Security

Open Source

• Open source is becoming a national security risk | CSO Online

Privacy

• Twitter fined $150M for misusing 2FA data (techtarget.com)

• Zuckerberg sued by DC attorney general over Cambridge Analytica data scandal | Meta | The Guardian

Passwords & Credential Stuffing

• Strong Password Policy Isn't Enough, Study Shows (darkreading.com)

• Verizon DBIR: Stolen credentials led to nearly 50% of attacks (techtarget.com)

Regulations, Fines and Legislation

• How to navigate GDPR complexity - Help Net Security

• GDPR Anniversary, Expert Insight On What Lead To GDPR Fines – Information Security Buzz

• Indian stock markets given ten day deadline to file reports • The Register

Spyware, Espionage & Cyber Warfare, including Russian Invasion of Ukraine

• Network of hyperlocal Russian Telegram channels spew disinformation in occupied Ukraine - CyberScoop

• Predator spyware uses in Chrome, Android zero-day exploits • The Register

• Unknown APT group is targeting Russian government entities - Security Affairs

• Hackers target Russian govt with fake Windows updates pushing RATs (bleepingcomputer.com)

• Remote bricking of Ukrainian tractors raises agriculture security concerns | CSO Online

• Anonymous Declares Cyber-War On Pro-Russian Hacker Gang Killnet – Information Security Buzz

• Ex-spymaster and fellow Brexiteers' emails stolen, leaked • The Register

Nation State Actors

Nation State Actors – Russia

• Fronton: Russian IoT Botnet Designed to Run Social Media Disinformation Campaigns (thehackernews.com)

• Russian Hackers Believed to Be Behind Leak of Hard Brexit Plans - Infosecurity Magazine

• Russian Gamaredon APT could fuel a new round of DDoS attacks - Security Affairs

• Putin aimed cyber attack at me, says former MI6 chief Sir Richard Dearlove | News | The Times

Nation State Actors – China

• Trend Micro Patches Vulnerability Exploited by Chinese Cyber Spies | SecurityWeek.Com

• Chinese "Twisted Panda" Hackers Caught Spying on Russian Defense Institutes (thehackernews.com)

Nation State Actors – Iran

• Pro-Iran Group ALtahrea Hits Port of London Website by DDoS Attack (hackread.com)

Vulnerabilities

• CISA ‘Strongly Urges’ You To Patch 75 Actively Exploited Security Bugs (forbes.com)

• CISA adds 41 vulnerabilities to list of bugs used in cyber attacks (bleepingcomputer.com)

• Exploit released for critical VMware auth bypass bug, patch now (bleepingcomputer.com)

• Zoom Patches ‘Zero-Click’ RCE Bug | Threatpost

• Zyxel addresses four flaws affecting APs, AP controllers, and firewalls - Security Affairs

• Critical New Google Chrome Security Warning For All Users, Update Now (forbes.com)

• Patching the latest Active Directory vulnerabilities is not enough | CSO Online

• Microsoft Elevation-of-Privilege Vulnerabilities Spiked Again in 2021 (darkreading.com)

• Tails OS Users Advised Not to Use Tor Browser Until Critical Firefox Bugs are Patched (thehackernews.com)

• 'Fixed' Chrome extension flaw could allow hackers to record both your webcam and desktop feeds | PC Gamer

Sector Specific

SMBs – Small and Medium Businesses

• Small Business Cyber Security: Do SMB Owners Underestimate Risk? - MSSP Alert

Legal

• 68% of Legal Sector Data Breaches Caused by Insider Threats - Infosecurity Magazine

Health/Medical/Pharma Sector

• teiss - News - American healthcare tech giant Omnicell suffers a major ransomware attack

• Web app attacks on the rise in healthcare as insider challenges remain (scmagazine.com)

Retail/eCommerce

• Microsoft: Credit card stealers are getting much stealthier (bleepingcomputer.com)

• Microsoft warns of new highly evasive web skimming campaigns - Security Affairs

Transport and Aviation

• Hundreds Stranded After Ransomware Attack on Indian Airline | SecurityWeek.Com

• SpiceJet airline passengers stranded after ransomware attack (bleepingcomputer.com)

CNI, OT, ICS, IIoT and SCADA

• Taking the Danger Out of IT/OT Convergence (darkreading.com)

• Critical Flaws in Popular ICS Platform Can Trigger RCE | Threatpost

Energy & Utilities

• Can we trust the cyber security of the energy sector? - Help Net Security

Oil, Gas and Mining

• Oil and gas companies take cyber resilience pledge - IT Security Guru

Education and Academia

• FBI: compromised US academic credentials available on crime forums - Security Affairs

• Ed tech illegally tracked school children during pandemic - IT Security Guru

Reports Published in the Last Week

• 2022 Data Breach Investigations Report | Verizon

• State of Cyber Security Report 2022 - Infosecurity Magazine

• 2022 Voice of the CISO | Proofpoint US

Other News

• IP and cyber security disputes are top legal concerns for tech companies | TechCrunch

• Verizon DBIR: Stolen credentials led to nearly 50% of attacks (techtarget.com)

• Managed Detection and Response (MDR): Who's Responsible for the R? - MSSP Alert

• Survey Evidences Leaders Lack Confidence in Cyber-Risk Management - Infosecurity Magazine

• Flaw in PayPal can allow attackers to steal money from users' account - Security Affairs

• When it comes to remote work, 71% of IT leaders say security is the main challenge - Help Net Security

• Most organisations do not follow data backup best practices - Help Net Security

• There are systems 'guarding' your data in cyberspace – but who is guarding the guards? (theconversation.com)

• Why are current cyber security incident response efforts failing? - Help Net Security

• Nation-state malware will be a commodity on dark web soon, Interpol warns - Security Affairs

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

Cyber Change Outpaces Boardroom Engagement

We all know the story of the past two years. Mass digital investments in SaaS collaboration suites, cloud infrastructure and other tools helped to keep organisations operational when they needed it most. The money continues to flow today, as those same companies realize they must keep on pumping funds into digital to stay competitive amidst rising customer expectations. Gartner predicted public cloud spending growth would hit 23% year-on-year in 2021 and increase 20% this year to top $397bn.

From a cyber security perspective, these business decisions are loaded with risk if protections are not built into projects from the start. A recent global poll revealed that of 90% of business and IT decision makers are concerned about the impact of ransomware. It also found generally poor levels of cyber-awareness among board members. Less than half (46%) of respondents claimed concepts like “cyber risk” and “cyber risk management” were known extensively in their organisation.

The truth is that many board leaders do understand the need for greater investment in security as a strategic growth driver. But they find it hard to keep pace with a threat landscape that moves at the speed of light. Vulnerabilities used to go months or years before they were exploited, for example, but today threat actors are working on exploits for bugs like Log4Shell within hours of their discovery. That makes the fast-changing risk landscape difficult to grasp for even tech-savvy C-suite leaders. As a result, cyber risk continues to be managed reactively, which puts the organisation perpetually on the back foot.

https://www.trendmicro.com/en_us/research/22/b/why-cyber-change-outpaces-boardroom-engagement.html

NCSC Alerts UK Orgs to Brace for Destructive Russian Cyber Attacks

The UK’s National Cyber Security Centre (NCSC) is urging organisations to bolster security and prepare for a potential wave of destructive cyber attacks after recent breaches of Ukrainian entities.

The NCSC openly warns that Russian state-sponsored threat actors will likely conduct the attacks and reminds of the damage done in previous destructive cyber attacks, like NotPetya in 2017 and the GRU campaign against Georgia in 2019.

These warnings come after Ukrainian government agencies and corporate entities suffered cyber attacks where websites were defaced, and data-wiping malware was deployed to destroy data and make Windows devices inoperable.

The cause for the resurgence of attacks is the tensions between Russia and Ukraine, and attempts to negotiate a way out of the Ukraine crisis have failed so far.

Ukraine and Russia have engaged in cyber warfare for many years, but recent Russian military mobilization was accompanied by new waves of attacks, with European countries and the USA expected to be targeted next.

https://www.bleepingcomputer.com/news/security/ncsc-alerts-uk-orgs-to-brace-for-destructive-russian-cyberattacks/

Over Half of Ransomware Attacks are Targeting Financial Services, Utilities and Retail

Three sectors have been the most common target for ransomware attacks, but researchers warn "no business or industry is safe".

Over half of ransomware attacks are targeting one of three industries; banking, utilities and retail, according to analysis by cyber security researchers – but they've also warned that all industries are at risk from attacks.

The data has been gathered by Trellix – formerly McAfee Enterprise and FireEye – from detected attacks between July and September 2021, a period when some of the most high-profile ransomware attacks of the past year happened.

According to detections by Trellix, banking and finance was the most common target for ransomware during the reporting period, accounting for 22% of detected attacks. That's followed by 20% of attacks targeting the utilities sector and 16% of attacks targeting retailers. Attacks against the three sectors in combination accounted for 58% of all of those detected.

https://www.zdnet.com/article/ransomware-over-half-of-attacks-are-targeting-these-three-industries/

Third of Employees Admit to Exfiltrating Data When Leaving Their Job

Nearly one-third (29%) of employees admitted taking data with them when they leave their job, according to new research from Tessian.

The findings follow the ‘great resignation’ of 2021, when workers quit their jobs in huge waves following the COVID-19 pandemic. Unsurprisingly, close to three-quarters (71%) of IT leaders believe this trend has increased security risks in their organisations.

In addition, nearly half (45%) of IT leaders said they had seen incidents of data exfiltration increase in the past year due to staff taking data with them when they left.

The survey of 2000 UK workers also looked at employees' motives for taking such information. The most common reason was that the data would help them in their new job (58%). This was followed by the belief that the information belonged to them because they worked on the document (53%) and to share it with their new employer (44%).

The employees most likely to take data with them when leaving their job worked in marketing (63%), HR (37%) and IT (37%).

https://www.infosecurity-magazine.com/news/third-employees-exfiltrating-data/

Massive Social Engineering Waves Have Impacted Banks in Several Countries

A massive social engineering campaign has been delivered in the last two years in several countries, including Portugal, Spain, Brazil, Mexico, Chile, the UK, and France. According to Segurança Informática publication, the malicious waves have impacted banking organisations with the goal of stealing the users’ secrets, accessing the home banking portals, and also controlling all the operations on the fly via Command and Control (C2) servers geolocated in Brazil.

In short, criminal groups are targeting victims’ from different countries to collect their home banking secrets and payment cards. The campaigns are carried out by using social engineering schemas, namely smishing, and spear-phishing through fake emails.

Criminals obtain lists of valid and tested phone numbers and emails from other malicious groups, and the process is performed on underground forums, Telegram channels or Discord chats.

The spear-phishing campaigns try to lure victims with fake emails that impersonate the banking institutions. The emails are extremely similar to the originals, exception their content, mainly related to debts or lack of payments.

https://securityaffairs.co/wordpress/127516/cyber-crime/massive-social-engineering-banks.html

Ransomware is Terrifying – But Never Underestimate the Damage an Employee with Unmonitored Access Can Do

Is the biggest threat to your data a mysterious ransomware merchant or an advanced persistent threat cartel?

Or is it a security system that will show you that data has been exfiltrated from your organisation – but only after the fact, leaving open the possibility that your valuable IP could have already been shared with unauthorized parties?

It was the latter scenario that allegedly resulted in 12,000 internal documents being lifted from Pfizer’s systems by a soon-to-depart employee last year. Those documents reportedly included details of COVID-19 vaccine research and a new melanoma drug.

The incident shows how today’s cloud infrastructure can exacerbate security gaps and why simply detecting a potential data leak isn’t enough. Companies need to have deep insight into what their employees are doing, as well as technology that can actively enforce policy and prevent unencrypted data from ever leaving the enterprise.

https://www.theregister.com/2022/02/03/ransomware_terrifying/

People Working in IT Related Roles Equally Susceptible to Phishing Attempts as the General Population

Phishing emails that mimic HR announcements or ask for assistance with invoicing get the most clicks from recipients, according to a study from F-Secure.

The study, which included 82,402 participants, tested how employees from four different organisations responded to emails that simulated one of four commonly used phishing tactics.

22% of recipients that received an email simulating a human resources announcement about vacation time clicked, making emails that mimic those sent by HR the most frequent source of clicks in the study.

An email asking the recipient to help with an invoice (referred to as CEO Fraud in the report) was the second most frequently engaged with email type, receiving clicks from 16% of recipients.

https://www.helpnetsecurity.com/2022/02/03/phishing-emails-clicks/

FBI Says More Cyber Attacks Come from China than Everywhere Else Combined

US Federal Bureau of Investigation director Christopher Wray has named China as the source of more cyber-attacks on the USA than all other nations combined.

In a Monday speech titled Countering Threats Posed by the Chinese Government Inside the US, Wray said the FBI is probing over 2,000 investigations of incidents assessed as attempts by China's government "to steal our information and technology."

"The Chinese government steals staggering volumes of information and causes deep, job-destroying damage across a wide range of industries – so much so that, as you heard, we're constantly opening new cases to counter their intelligence operations, about every 12 hours or so."

Wray rated China's online offensive as "bigger than those of every other major nation combined," adding it has "a lot of funding and sophisticated tools, and often joining forces with cyber criminals – in effect, cyber mercenaries."

https://www.theregister.com/2022/02/03/fbi_china_threat_to_usa/

Managing Detections is Not the Same as Stopping Breaches

Enterprises interested in managed detection and response (MDR) services to monitor endpoints and workloads should make sure the providers have rock-solid expertise in detecting and responding to threats.

The fundamental challenge in cyber security is that adversaries move quickly. We know from observation that attackers go from initial intrusion to lateral movement in a matter of a couple hours or less.

If security teams are going to successfully stop a breach, they need to operate within the same timeframe, containing and remediating threats within minutes, 24 hours a day, 7 days a week. Such constant vigilance can be challenging for in-house staff. This is why many organisations engage a provider of managed detection and response (MDR) security services, which monitors endpoints, workloads, and other systems to detect and monitor threats.

Unfortunately, even most managed services have several fundamental flaws that prevent them from executing on the core mission of stopping breaches.

https://www.darkreading.com/crowdstrike/managing-detections-is-not-the-same-as-stopping-breaches

From War to Web Security, Protect Your Attack Surface from the Weakest Link

With the rapid proliferation of data, increasing number of domains and subdomains as well as rise in third-party providers, the number of entry points through which attackers can infiltrate a company’s web environment is endless. Attacks are increasingly causing consequences felt beyond the perimeter of an organisation, as demonstrated earlier this year with the Colonial Pipeline breach, which caused fuel prices along the US East Coast to soar, and the attack on software provider Kaseya that forced hundreds of grocery stores in the Nordics to shut down business for days.

Security breaches often happen through an avenue that no one saw coming — a server no one knew existed, an old landing page, weak passwords or an application that was missing a patch. It’s perhaps never been clearer than today that a company is only as strong as the weakest link in its growing attack surface.

https://thenewstack.io/from-war-to-web-security-protect-your-attack-surface-from-the-weakest-link/

Number of Data Compromises Reaching All-Time High

According to an Identity Theft Resource Center (ITRC) report, the overall number of data compromises (1,862) is up more than 68 percent compared to 2020.

The new record number of data compromises is 23 percent over the previous all-time high (1,506) set in 2017. The number of data events that involved sensitive information (Ex: Social Security numbers) increased slightly compared to 2020 (83 percent vs. 80 percent). However, it remained well below the previous high of 95 percent set in 2017.

The number of victims continues to decrease (down five (5) percent in 2021 compared to the previous year) as identity criminals focus more on specific data types rather than mass data acquisition. However, the number of consumers whose data was compromised multiple times per year remains alarmingly high.

https://www.helpnetsecurity.com/2022/01/31/data-compromises-up/

Threats

Ransomware

• Inside Trickbot, Russia’s Notorious Ransomware Gang | WIRED

• Aggressive BlackCat Ransomware on the Rise (darkreading.com)

• A Look At The New Sugar Ransomware Demanding Low Ransoms (bleepingcomputer.com)

• BlackCat Ransomware - What You Need To Know | The State of Security (tripwire.com)

• KP Snacks Giant Hit By Conti Ransomware, Deliveries Disrupted (bleepingcomputer.com)

• Hacker Group 'Moses Staff' Using New StrifeWater RAT in Ransomware Attacks (thehackernews.com)

• Financially Motivated Hackers Use Leaked Conti Ransomware Techniques in Attacks | SecurityWeek.Com

• FBI Shares Lockbit Ransomware Technical Details, Defense Tips (bleepingcomputer.com)

• BlackCat (ALPHV) Ransomware Linked To BlackMatter, DarkSide Gangs (bleepingcomputer.com)

• Over 500,000 People Impacted By A Ransomware Attack That Hit Morley - Security Affairs

• Scottish Agency Still Recovering from 2020 Ransomware Attack - Infosecurity Magazine

• Conti Ransomware Encrypted 80% of Ireland's HSE IT Systems (bleepingcomputer.com)

• Ransomware Wants You to Like and Subscribe, Or Else (vice.com)

• Ransomware Means Your Database IS The Front Line. How Are You Defending It? • The Register

Phishing

• Low-Detection Phishing Kits Increasingly Bypass MFA | Threatpost

• MFA Adoption Pushes Phishing Actors To Reverse-Proxy Solutions (bleepingcomputer.com)

• Intuit Warns Of Phishing Emails Threatening To Delete Accounts (bleepingcomputer.com)

• Strong Authentication Protects Against Phishing. So Why Aren't More People Using It? | ZDNet

• Microsoft Blocked Billions Of Brute-Force And Phishing Attacks Last Year (bleepingcomputer.com)

Other Social Engineering

• FBI Warning: Scammers Are Posting Fake Job Ads On Networking Sites To Steal Your Money And Identity | ZDNet

Malware

• Malicious CSV Text Files Used To Install BazarBackdoor Malware (bleepingcomputer.com)

• New Malware Used by SolarWinds Attackers Went Undetected for Years (thehackernews.com)

• Microsoft: This Mac Malware Is Getting Smarter And More Dangerous | ZDNet

Data Breaches/Leaks

• The 3 Most Common Causes of Data Breaches in 2021 (darkreading.com)

• British Council Exposed More Than 100,000 Files With Student Records (bleepingcomputer.com)

Insider Risk and Insider Threats

• How Costly Is An Insider Threat? - Help Net Security

Fraud, Scams & Financial Crime

• Americans Lost $770 Million From Social Media Fraud In 2021, FTC Reports - Security Affairs

Supply Chain

• Supply Chain Security Is Not a Problem…It’s a Predicament | Threatpost

DoS/DDoS

• Reasons Why Every Business is a Target of DDoS Attacks (thehackernews.com)

CNI, OT, ICS, IIoT and SCADA

• Ransomware Often Hits Industrial Systems, With Significant Impact: Survey | SecurityWeek.Com

Nation State Actors

• Russian 'Gamaredon' Hackers Use 8 New Malware Payloads In Attacks (bleepingcomputer.com)

• State Hackers' New Malware Helped Them Stay Undetected For 250 Days (bleepingcomputer.com)

• Charming Kitten Sharpens Its Claws with PowerShell Backdoor | Threatpost

• FBI's Warning About Iranian Firm Highlights Common Cyber Attack Tactics | CSO Online

• Iranian APT Group Uses Previously Undocumented Trojan For Destructive Access To Organisations | CSO Online

Cloud

• If My Organisation Is Mostly in the Cloud, Do I Need a Firewall? (darkreading.com)

Passwords & Credential Stuffing

• The Account Takeover Cat-and-Mouse Game | Threatpost

• Reducing The Blast Radius Of Credential Theft - Help Net Security

Spyware, Espionage & Cyber Warfare

• Ukraine Continues to Face Cyber Espionage Attacks from Russian Hackers (thehackernews.com)

• Gamaredon (Primitive Bear) Russian APT Group Actively Targeting Ukraine (paloaltonetworks.com)

• Hackers Exploited 0-Day Vulnerability in Zimbra Email Platform to Spy on Users (thehackernews.com)

• Cyber Spies Linked To Memento Ransomware Use New PowerShell Malware (bleepingcomputer.com)

• NSO Group's Pegasus Spyware and Phantom Encryption Cracker Trigger Fresh Concerns - MSSP Alert

Vulnerabilities

• Apple, SonicWall, Internet Explorer Vulnerabilities Added To CISA List | ZDNet

• Samba 'Fruit' Bug Allows RCE, Full Root User Access | Threatpost

• Tens of Thousands of Websites Vulnerable to RCE Flaw in WordPress Plug-in (darkreading.com)

• Cisco Fixes Critical Bugs In SMB Routers, Exploits Available (bleepingcomputer.com)

• UEFI Firmware Vulnerabilities Affect At Least 25 Computer Vendors (bleepingcomputer.com)

• Google Patches 27 Vulnerabilities With Release of Chrome 98 | SecurityWeek.Com

• Intel Patched 226 Vulnerabilities in 2021 | SecurityWeek.Com

• Public Exploit Released for Windows 10 Bug | Threatpost

• 600K WordPress Sites Impacted By Critical Plugin RCE Vulnerability (bleepingcomputer.com)

• Critical Log4j Vulnerabilities Are the Ultimate Gift for Cyber Criminals (darkreading.com)

• ESET Antivirus Bug Let Attackers Gain Windows SYSTEM Privileges (bleepingcomputer.com)

Sector Specific

Financial Services Sector

• Bank Executives Mostly Concerned About Cyber Crime - Help Net Security

Retail

• Why Buy Now, Pay Later Is The Next Big Fraud Risk For Retailers | CSO Online

Transport and Aviation

• Ransomware Spree Hitting European Oil, Transport Companies - CyberScoop
  

Reports Published in the Last Week

• Identity Theft Resource Center’s 2021 Annual Data Breach Report Sets New Record for Number of Compromises - ITRC (idtheftcenter.org)

Other News

• Hackers Went Wild in 2021 — Every Company Should Do These 5 Things in 2022 (darkreading.com)

• Rush To Remote Work Left Sysadmins Struggling To Keep Businesses Safe - Help Net Security

• Telco Fined €9 Million For Hiding Cyber Attack Impact From Customers (bleepingcomputer.com)

• Are There Holes In Your Cyber Security Map? | VentureBeat

• 90% of Security Leaders Warn of Skills Shortage - Infosecurity Magazine (infosecurity-magazine.com)

• The Real-World Impact of the Global Cyber Security Workforce Gap on Cyber Defenders (darkreading.com)

• Hundreds Of Thousands Of Routers Exposed To Eternal Silence Campaign Via UPnP - Security Affairs

• Social Security Numbers Most Targeted Sensitive Data - Infosecurity Magazine

• NIST's New Cyber-Resiliency Guidance: 3 Steps For Getting Started | CSO Online

• Organisations Neglecting Microsoft 365 Cyber Security Features - Help Net Security

• Microsoft Says MFA Adoption Remains Low, Only 22% Among Enterprise Customers - The Record by Recorded Future

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.