Threat Intelligence Blog
Contact us to discuss any insights from our Blog, and how we can support you in a tailored threat intelligence report.
Black Arrow Cyber Threat Briefing 23 December 2022
Black Arrow Cyber Threat Briefing 23 December 2022:
-LastPass Users: Your Info and Password Vault Data are Now in Hackers’ Hands
-Ransomware Attacks Increased 41% In November
-The Risk of Escalation from Cyber Attacks Has Never Been Greater
-FBI Recommends Ad Blockers as Cyber Criminals Impersonate Brands in Search Engine Ads
-North Korea-Linked Hackers Stole $626 Million in Virtual Assets in 2022
-UK Security Agency Wants Fresh Approach to Combat Phishing
-GodFather Android malware targets 400 banks, crypto exchanges
-Companies Overwhelmed by Available Tech Solutions
-Nine in 10 Third-party Contractors, Freelancers Use Personal, Unmanaged Devices Likely to be Infected
-UK Privacy Regulator Names and Shames Breached Firms
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
LastPass Admits Attackers have an Encrypted Copy of Customers’ Password Vaults
Password locker LastPass has warned customers that the August 2022 attack on its systems saw unknown parties copy encrypted files that contain the passwords to their accounts.
In a December 22nd update to its advice about the incident, LastPass brings customers up to date by explaining that in the August 2022 attack “some source code and technical information were stolen from our development environment and used to target another employee, obtaining credentials and keys which were used to access and decrypt some storage volumes within the cloud-based storage service.” Those creds allowed the attacker to copy information “that contained basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service.”
The update reveals that the attacker also copied “customer vault” data, the file LastPass uses to let customers record their passwords. That file “is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data.” The passwords are encrypted with “256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password”.
LastPass’ advice is that even though attackers have that file, customers who use its default settings have nothing to do as a result of this update as “it would take millions of years to guess your master password using generally-available password-cracking technology.” One of those default settings is not to re-use the master password that is required to log into LastPass. The outfit suggests you make it a complex credential and use that password for just one thing: accessing LastPass.
LastPass therefore offered the following advice to individual and business users: If your master password does not make use of the defaults above, then it would significantly reduce the number of attempts needed to guess it correctly. In this case, as an extra security measure, you should consider minimising risk by changing passwords of websites you have stored.
LastPass’s update concludes with news it decommissioned the systems breached in August 2022 and has built new infrastructure that adds extra protections.
https://www.theregister.com/2022/12/23/lastpass_attack_update/
Ransomware Attacks Increased 41% In November
Ransomware attacks rose 41% last month as groups shifted among the top spots and increasingly leveraged DDoS attacks, according to new research from NCC Group.
A common thread of NCC Group's November Threat Pulse was a "month full of surprises," particularly related to unexpected shifts in threat actor behaviour. The Cuba ransomware gang resurged with its highest number of attacks recorded by NCC Group. Royal replaced LockBit 3.0 as the most active strain, a first since September of last year.
These factors and more contributed to the significant jump in November attacks, which rose from 188 in October to 265.
"For 2022, this increase represents the most reported incidents in one month since that of April, when there were 289 incidents, and is also the largest month-on-month increase since June-July's marginally larger increase of 47%," NCC Group wrote in the report.
Operators behind Royal ransomware, a strain that emerged earlier this year that operates without affiliates and utilises intermittent encryption to evade detection, surpassed LockBit 3.0 for the number one spot, accounting for 16% of hack and leak incidents last month.
The Risk of Escalation from Cyber Attacks Has Never Been Greater
In 2022, an American dressed in his pyjamas took down North Korea’s Internet from his living room. Fortunately, there was no reprisal against the United States. But Kim Jong Un and his generals must have weighed retaliation and asked themselves whether the so-called independent hacker was a front for a planned and official American attack.
In 2023, the world might not get so lucky. There will almost certainly be a major cyber attack. It could shut down Taiwan’s airports and trains, paralyse British military computers, or swing a US election. This is terrifying, because each time this happens, there is a small risk that the aggrieved side will respond aggressively, maybe at the wrong party, and (worst of all) even if it carries the risk of nuclear escalation.
This is because cyber weapons are different from conventional ones. They are cheaper to design and wield. That means great powers, middle powers, and pariah states can all develop and use them.
More important, missiles come with a return address, but virtual attacks do not. Suppose in 2023, in the coldest weeks of winter, a virus shuts down American or European oil pipelines. It has all the markings of a Russian attack, but intelligence experts warn it could be a Chinese assault in disguise. Others see hints of the Iranian Revolutionary Guard. No one knows for sure. Presidents Biden and Macron have to decide whether to retaliate at all, and if so, against whom … Russia? China? Iran? It's a gamble, and they could get unlucky.
Neither country wants to start a conventional war with one another, let alone a nuclear one. Conflict is so ruinous that most enemies prefer to loathe one another in peace. During the Cold War, the prospect of mutual destruction was a huge deterrent to any great power war. There were almost no circumstances in which it made sense to initiate an attack. But cyber warfare changes that conventional strategic calculus. The attribution problem introduces an immense amount of uncertainty, complicating the decision our leaders have to make.
FBI Recommends Ad Blockers as Cyber Criminals Impersonate Brands in Search Engine Ads
The Federal Bureau of Investigation (FBI) this week raised the alarm on cyber criminals impersonating brands in advertisements that appear in search engine results. The agency has advised consumers to use ad blockers to protect themselves from such threats.
The attackers register domains similar to those of legitimate businesses or services, and use those domains to purchase ads from search engine advertisement services, the FBI says in an alert. These nefarious ads are displayed at the top of the web page when the user searches for that business or service, and the user might mistake them for an actual search result.
Links included in these ads take users to pages that are identical to the official web pages of the impersonated businesses, the FBI explains. If the user searches for an application, they are taken to a fake web page that uses the real name of the program the user searches for, and which contains a link to download software that is, in fact, malware.
“These advertisements have also been used to impersonate websites involved in finances, particularly cryptocurrency exchange platforms,” the FBI notes. Seemingly legitimate exchange platforms, the malicious sites prompt users to provide their login and financial information, which the cyber criminals then use to steal the victim’s funds.
“While search engine advertisements are not malicious in nature, it is important to practice caution when accessing a web page through an advertised link,” the FBI says.
Businesses are advised to use domain protection services to be notified of domain spoofing, and to educate users about spoofed websites and on how to find legitimate downloads for the company’s software.
Users are advised to check URLs to make sure they access authentic websites, to type a business’ URL into the browser instead of searching for that business, and to use ad blockers when performing internet searches. Ad blockers can have a negative impact on the revenues of online businesses and advertisers, but they can be good for online security, and even the NSA and CIA are reportedly using them.
North Korea-Linked Hackers Stole $626 Million in Virtual Assets in 2022
South Korea’s spy agency, the National Intelligence Service, estimated that North Korea-linked threat actors have stolen an estimated 1.5 trillion won ($1.2 billion) in cryptocurrency and other virtual assets in the past five years.
According to the spy agency, more than half the crypto assets (about 800 billion won ($626 million)) have been stolen this year alone, reported the Associated Press. The Government of Pyongyang focuses on crypto hacking to fund its military program following harsh UN sanctions.
“South Korea’s main spy agency, the National Intelligence Service, said North Korea’s capacity to steal digital assets is considered among the best in the world because of the country’s focus on cyber crimes since UN economic sanctions were toughened in 2017 in response to its nuclear and missile tests.” reported the AP agency. North Korea cannot export its products due to the UN sanctions imposed in 2016 and 1017, and the impact on its economy is dramatic.
The NIS added that more than 100 billion won ($78 million) of the total stolen funds came from South Korea. Cyber security and intelligence experts believe that attacks aimed at the cryptocurrency industry will continue to increase next year. National Intelligence Service experts believe that North Korea-linked APT groups will focus on the theft of South Korean technologies and confidential information on South Korean foreign policy and national security.
Data published by the National Intelligence Service agency confirms a report published by South Korean media outlet Chosun early this year that revealed North Korean threat actors have stolen around $1.7 billion (2 trillion won) worth of cryptocurrency from multiple exchanges during the past five years.
https://securityaffairs.co/wordpress/139909/intelligence/north-korea-cryptocurrency-theft.html
UK Security Agency Wants Fresh Approach to Combat Phishing
The UK National Cyber Security Centre (NCSC) has called for a defence-in-depth approach to help mitigate the impact of phishing, combining technical controls with a strong reporting culture.
Writing in the agency’s blog, technical director and principal architect, “Dave C,” argued that many of the well-established tenets of anti-phishing advice simply don’t work. For example, advising users not to click on links in unsolicited emails is not helpful when many need to do exactly that as part of their job.
This is often combined with a culture where users are afraid to report that they’ve accidentally clicked, which can delay incident response, he said. It’s not the user’s responsibility to spot a phish – rather, it’s their organisation’s responsibility to protect them from such threats, Dave C argued.
As such, they should build layered technical defences, consisting of email scanning and DMARC/SPF policies to prevent phishing emails from arriving into inboxes. Then, organisations should consider the following to prevent code from executing:
Allow-listing for executables
Registry settings changes to ensure dangerous scripting or file types are opened in Notepad and not executed
Disabling the mounting of .iso files on user endpoints
Making sure macro settings are locked down
Enabling attack surface reduction rules
Ensuring third-party software is up to date
Keeping up to date about current threats
Additionally, organisations should take steps such as DNS filtering to block suspicious connections and endpoint detection and response (EDR) to monitor for suspicious behaviour, the NCSC advised.
https://www.infosecurity-magazine.com/news/uk-security-agency-combat-phishing/
GodFather Android malware targets 400 banks, crypto exchanges
An Android banking malware named 'Godfather' has been targeting users in 16 countries, attempting to steal account credentials for over 400 online banking sites and cryptocurrency exchanges.
The malware generates login screens overlaid on top of the banking and crypto exchange apps' login forms when victims attempt to log into the site, tricking the user into entering their credentials on well-crafted HTML phishing pages.
The Godfather trojan was discovered by Group-IB analysts, who believe it is the successor of Anubis, a once widely-used banking trojan that gradually fell out of use due to its inability to bypass newer Android defences. ThreatFabric first discovered Godfather in March 2021, but it has undergone massive code upgrades and improvements since then.
Also, Cyble published a report yesterday highlighting a rise in the activity of Godfather, pushing an app that mimics a popular music tool in Turkey, downloaded 10 million times via Google Play. Group-IB has found a limited distribution of the malware in apps on the Google Play Store; however, the main distribution channels haven't been discovered, so the initial infection method is largely unknown.
Almost half of all apps targeted by Godfather, 215, are banking apps, and most of them are in the United States (49), Turkey (31), Spain (30), Canada (22), France (20), Germany (19), and the UK (17).
Apart from banking apps, Godfather targets 110 cryptocurrency exchange platforms and 94 cryptocurrency wallet apps.
Companies Overwhelmed by Available Tech Solutions
92% of executives reported challenges in acquiring new tech solutions, highlighting the complexities that go into the decision-making process, according to GlobalDots.
Moreover, some 34% of respondents said the overwhelming amount of options was a challenge when deciding on the right solutions, and 33% admitted the time needed to conduct research was another challenge in deciding.
Organisations of all varieties rely on technology more than ever before. The constant adoption of innovation is no longer a luxury but rather a necessity to stay on par in today’s fast-paced and competitive digital landscape. In this environment, IT and security leaders are coming under increased pressure to show ROIs from their investment in technology while balancing operational excellence with business innovation. Due to current market realities, IT teams are short-staffed and suffering from a lack of time and expertise, making navigating these challenges even more difficult.
The report investigated how organisations went about finding support for their purchasing decisions. Conferences, exhibitions, and online events served as companies’ top source of information for making purchasing decisions, at 52%. Third-party solutions, such as value-added resellers and consultancies, came in second place at 48%.
54% are already using third parties to purchase, implement, or support their solutions, highlighting the value that dedicated experts with in-depth knowledge of every solution across a wide range of IT fields provide.
We are living in an age of abundance when it comes to tech solutions for organisations, and this makes researching and purchasing the right solutions for your organisation extremely challenging.
https://www.helpnetsecurity.com/2022/12/20/tech-purchasing-decisions/
Nine in 10 Third-party Contractors, Freelancers Use Personal, Unmanaged Devices Likely to be Infected
Talon Cyber Security surveyed 258 third-party providers to better understand the state of third-party working conditions, including work models, types of devices and security technologies used, potentially risky actions taken, and how security and IT tools impact productivity.
Looking at recent high-profile breaches, third parties have consistently been at the epicenter, so they took a step back with their research to better understand the potential root causes. The findings paint a picture of a third-party work landscape where individuals are consistently working from personal, unmanaged devices, conducting risky activities, and having their productivity impacted by legacy security and IT solutions.
Here’s what Talon discovered:
Most third parties (89%) work from personal, unmanaged devices, where organisations lack visibility and cannot enforce the enterprise’s security posture on. Talon pointed to a Microsoft data point that estimated users are 71% more likely to be infected on an unmanaged device.
With third parties working from personal devices, they tend to carry out personal, potentially risky tasks. Respondents note that at least on occasion, they have used their devices to:
Browse the internet for personal needs (76%)
Indulge in online shopping (71%)
Check personal email (75%)
Save weak passwords in the web browser (61%)
Play games (53%)
Allow family members to browse (36%)
Share passwords with co-workers (24%)
Legacy apps such as Virtual Desktop Infrastructure (VDI) and Desktop-as-a-Service (DaaS) solutions are prominent, with 45% of respondents using such technologies while working for organisations.
UK Privacy Regulator Names and Shames Breached Firms
The UK Information Commissioner’s Office (ICO) has taken the unusual step of publishing details of personal data breaches, complaints and civil investigations on its website, according to legal experts.
The data, available from Q4 2021 onwards, includes the organisation’s name and sector, the relevant legislation and the type of issues involved, the date of completion and the outcome.
Given the significance of this development, it’s surprising that the ICO has (1) chosen to release it with limited fanfare, and (2) buried the data sets on its website. Indeed, it seems to have flown almost entirely under the radar.
Understanding whether their breach or complaint will be publicised by European regulators is one of – if not the – main concern that organisations have when working through an incident, and the answer has usually been no. That is particularly the understanding or assumption where the breach or complaint is closed without regulatory enforcement. Now, at least in the UK, the era of relative anonymity looks to be over.
Despite the lack of fanfare around the announcement, this naming and shaming approach could make the ICO one of the more aggressive privacy regulators in Europe. In the future, claimant firms in class action lawsuits may adopt “US-style practices” of scanning the ICO database to find evidence of repeat offending or possible new cases.
The news comes even as data reveals the value of ICO fines issued in the past year tripled from the previous 12 months. In the year ending October 31 2022, the regulator issued fines worth £15.2m, up from £4.8m the previous year. The sharp increase in the value of fines shows the ICO’s increasing willingness selectively to crack down on businesses – particularly those that the ICO perceives has not taken adequate measures to protect customer and employee data.
https://www.infosecurity-magazine.com/news/uk-privacy-regulator-names-and/
Threats
Ransomware, Extortion and Destructive Attacks
20 companies affected by major ransomware attacks in 2021 | TechTarget
NCC Group: Ransomware attacks increased 41% in November | TechTarget
Adversarial risk in the age of ransomware - Help Net Security
FIN7 hackers create auto-attack platform to breach Exchange servers (bleepingcomputer.com)
Ransomware Uses New Exploit to Bypass ProxyNotShell Mitigations | SecurityWeek.Com
British newspaper The Guardian says it’s been hit by ransomware | TechCrunch
Play ransomware actors bypass ProxyNotShell mitigations | TechTarget
FIN7 Cyber crime Syndicate Emerges as Major Player in Ransomware Landscape (thehackernews.com)
Vice Society ransomware gang is using a custom locker - Security Affairs
NIO suffers user data breach, hacker demands $2.25 million worth of bitcoin - CnEVPost
German industrial giant ThyssenKrupp targeted in a cyber attack - Security Affairs
Paying Ransom: Why Manufacturers Shell Out to Cyber criminals (darkreading.com)
France Seeks to Protect Hospitals After Series of Cyber attacks | SecurityWeek.Com
Fire and rescue service in Victoria, Australia, confirms cyber attack - Security Affairs
Play Ransomware Gang Lay Claims For Cyber Attack On H-Hotels (informationsecuritybuzz.com)
Evolving threats and broadening responses to Ransomware in the UAE - Security Boulevard
Phishing & Email Based Attacks
Five Best Practices for Consumers to Beat Phishing Campaigns This Holiday Season - CPO Magazine
Hackers continue to exploit hijacked MailChimp accounts in cyber crime campaigns (bitdefender.com)
Holiday Spam, Phishing Campaigns Challenge Retailers (darkreading.com)
Email hijackers scam food out of businesses, not just money • The Register
Telling users to ‘avoid clicking bad links’ still isn’t working - NCSC.GOV.UK
“Suspicious login” scammers up their game – take care at Christmas – Naked Security (sophos.com)
Simple Steps to Avoid Phishing Attacks During This Festive season | Tripwire
BEC – Business Email Compromise
Telling users to ‘avoid clicking bad links’ still isn’t working - NCSC.GOV.UK
What happens once scammers receive funds from their victims - Help Net Security
Other Social Engineering; Smishing, Vishing, etc
2FA/MFA
Why Security Teams Shouldn't Snooze on MFA Fatigue (darkreading.com)
Comcast Xfinity accounts hacked in widespread 2FA bypass attacks (bleepingcomputer.com)
Malware
Malicious ‘SentinelOne’ PyPI package steals data from developers (bleepingcomputer.com)
Glupteba Botnet Continues to Thrive Despite Google's Attempts to Disrupt It (thehackernews.com)
Ukraine's DELTA military system users targeted by info-stealing malware (bleepingcomputer.com)
Sophisticated DarkTortilla Malware Serves Imposter Cisco, Grammarly Pages (darkreading.com)
Trojanized Windows 10 installers compromised the Ukrainian government | SC Media (scmagazine.com)
Raspberry Robin Worm Targets Telcos & Governments (darkreading.com)
Raspberry Robin worm drops fake malware to confuse researchers (bleepingcomputer.com)
Number of command-and-control servers spiked in 2022: report - The Record by Recorded Future
Mobile
GodFather Android malware targets 400 banks, crypto exchanges (bleepingcomputer.com)
Godfather makes banking apps an offer they can’t refuse • The Register
T-Mobile hacker gets 10 years for $25 million phone unlock scheme (bleepingcomputer.com)
Botnets
Glupteba Botnet Continues to Thrive Despite Google's Attempts to Disrupt It (thehackernews.com)
Zerobot malware now spreads by exploiting Apache vulnerabilities (bleepingcomputer.com)
Flaws within IoT devices exploited by the Zerobot botnet (izoologic.com)
Zerobot Adds Brute Force, DDoS to Its IoT Attack Arsenal (darkreading.com)
Denial of Service/DoS/DDOS
DDoS Attacks are Slowly Growing in the Technology Era (analyticsinsight.net)
Zerobot Adds Brute Force, DDoS to Its IoT Attack Arsenal (darkreading.com)
BYOD
Internet of Things – IoT
Millions of IP cameras around the world are unprotected | TechRadar
Zerobot Adds Brute Force, DDoS to Its IoT Attack Arsenal (darkreading.com)
Throw away all your Eufy cameras right now | Android Central
Read what Anker’s customer support is telling worried Eufy camera owners - The Verge
Amazon Ring Cameras Used in Nationwide ‘Swatting’ Spree, US Says - Bloomberg
Connected homes are expanding, so is attack volume - Help Net Security
Security Risks, Serious Vulnerabilities Rampant Among XIoT Devices in the Workplace - CPO Magazine
Data Breaches/Leaks
LastPass users: Your info and password vault data are now in hackers’ hands | Ars Technica
Okta's source code stolen after GitHub repositories hacked (bleepingcomputer.com)
McGraw Hill's S3 buckets exposed 100,000 students' grades • The Register
NIO suffers user data breach, hacker demands $2.25 million worth of bitcoin - CnEVPost
Shoemaker Ecco leaks over 60GB of sensitive data for 500+ days - Security Affairs
Restaurant CRM platform ‘SevenRooms’ confirms breach after data for sale (bleepingcomputer.com)
Leading sports betting firm BetMGM discloses data breach (bleepingcomputer.com)
Organised Crime & Criminal Actors
'Russian hackers' help two New York men game JFK taxi system - CyberScoop
What happens once scammers receive funds from their victims - Help Net Security
[FIN7] Fin7 Unveiled: A deep dive into notorious cyber crime gang - PRODAFT
Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain
FTX's alleged run-of-the-mill frauds depended entirely on crypto (yahoo.com)
GodFather Android malware targets 400 banks, crypto exchanges (bleepingcomputer.com)
Two associates of Sam Bankman-Fried plead guilty to fraud charges in FTX fall | FTX | The Guardian
North Korea-linked hackers stole $626M in virtual assets in 2022 - Security Affairs
Insider Risk and Insider Threats
Fraud, Scams & Financial Crime
FTX's alleged run-of-the-mill frauds depended entirely on crypto (yahoo.com)
“Suspicious login” scammers up their game – take care at Christmas – Naked Security (sophos.com)
Fraudulent ‘popunder’ Google Ad campaign generated millions of dollars • The Register
Over 67,000 DraftKings Betting Accounts Hit by Hackers (gizmodo.com)
What happens once scammers receive funds from their victims - Help Net Security
T-Mobile hacker gets 10 years for $25 million phone unlock scheme (bleepingcomputer.com)
Google Ad fraud campaign used adult content to make millions (bleepingcomputer.com)
Two associates of Sam Bankman-Fried plead guilty to fraud charges in FTX fall | FTX | The Guardian
Inside The Next-Level Fraud Ring Scamming Billions Off Holiday Retailers (darkreading.com)
Supply Chain and Third Parties
Cloud/SaaS
McGraw Hill's S3 buckets exposed 100,000 students' grades • The Register
AWS simplifies Simple Storage Service to prevent data leaks • The Register
New Brand of Security Threats Surface in the Cloud (darkreading.com)
Google WordPress Plug-in Bug Allows AWS Metadata Theft (darkreading.com)
Security on a Shoestring? Cloud, Consolidation Best Bets for Businesses (darkreading.com)
Hybrid/Remote Working
Attack Surface Management
Encryption
API
Open Source
Passwords, Credential Stuffing & Brute Force Attacks
LastPass admits attackers copied password vaults • The Register
LastPass users: Your info and password vault data are now in hackers’ hands | Ars Technica
Social Media
Malvertising
Fraudulent ‘popunder’ Google Ad campaign generated millions of dollars • The Register
Don't click too quick! FBI warns of malicious search engine ads | Tripwire
Google Ad fraud campaign used adult content to make millions (bleepingcomputer.com)
Parental Controls and Child Safety
Buggy parental-control apps could allow device takeover • The Register
Children And The Dangers Of The Virtual World (informationsecuritybuzz.com)
Regulations, Fines and Legislation
TSB fined nearly $60m for platform migration disaster • The Register
FCC proposes record-breaking $300 million fine against robocaller (bleepingcomputer.com)
France Fines Microsoft 60 Million Euros Over Advertising Cookies | SecurityWeek.Com
The long, long reach of the UK’s national security laws | Financial Times
Governance, Risk and Compliance
Make sure your company is prepared for the holiday hacking season - Help Net Security
The benefit of adopting a hacker mindset for building security strategies - Help Net Security
Careers, Working in Cyber and Information Security
CISO roles continue to expand beyond technical expertise - Help Net Security
UK secret services wants ‘corkscrew thinkers’ for new cyber force | News | The Times
Law Enforcement Action and Take Downs
Privacy, Surveillance and Mass Monitoring
France Fines Microsoft 60 Million Euros Over Advertising Cookies | SecurityWeek.Com
What is surveillance capitalism? - Definition from WhatIs.com (techtarget.com)
Google Maps: Important reason you should blur your house on Street View (ladbible.com)
Blur Your House ASAP if It's on Google Maps. Here's Why - CNET
Artificial Intelligence
Threat Modeling in the Age of OpenAI's Chatbot (darkreading.com)
This is how OpenAI's ChatGPT can be used to launch cyber attacks (techmonitor.ai)
Misinformation, Disinformation and Propaganda
Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine
State level cyber attacks – Why and how (ukdefencejournal.org.uk)
The risk of escalation from cyber attacks has never been greater | Ars Technica
Ukraine's DELTA military system users targeted by info-stealing malware (bleepingcomputer.com)
Trojanized Windows 10 installers compromised the Ukrainian government | SC Media (scmagazine.com)
NATO-Member Oil Refinery Targeted in Russian APT Blitz Against Ukraine (darkreading.com)
Russian APT Gamaredon Changes Tactics in Attacks Targeting Ukraine | SecurityWeek.Com
Kremlin-linked hackers tried to spy on oil firm in NATO country, researchers say | CNN Politics
‘Our weapons are computers’: Ukrainian coders aim to gain battlefield edge | Ukraine | The Guardian
The long, long reach of the UK’s national security laws | Financial Times
UK secret services wants ‘corkscrew thinkers’ for new cyber force | News | The Times
Nation State Actors
Nation State Actors – Russia
Nation State Actors – China
Apple accused of censoring apps in Hong Kong and Russia • The Register
The long, long reach of the UK’s national security laws | Financial Times
Nation State Actors – North Korea
Vulnerability Management
Open source vulnerabilities add to security debt - Help Net Security
Top 5 Vulnerabilities Routinely Exploited by Threat Actors in 2022 (socradar.io)
Over 50 New CVE Numbering Authorities Announced in 2022 | SecurityWeek.Com
A Guide to Efficient Patch Management with Action1 (thehackernews.com)
Digging into the numbers one year after Log4Shell | SC Media (scmagazine.com)
Vulnerabilities
Critical Windows code-execution vulnerability went undetected until now | Ars Technica
FoxIt Patches Code Execution Flaws in PDF Tools | SecurityWeek.Com
Old vulnerabilities in Cisco products actively exploited in the wild - Security Affairs
OWASSRF: CrowdStrike Identifies New Method for Bypassing ProxyNotShell Mitigations
Microsoft reports macOS Gatekeeper has an 'Achilles' heel • The Register
Microsoft will turn off Exchange Online basic auth in January (bleepingcomputer.com)
Cisco’s Talos security bods predict new wave of Excel Hell • The Register
Microsoft pushes emergency fix for Windows Server Hyper-V VM issues (bleepingcomputer.com)
Ransomware Uses New Exploit to Bypass ProxyNotShell Mitigations | SecurityWeek.Com
Zerobot malware now spreads by exploiting Apache vulnerabilities (bleepingcomputer.com)
Two New Security Flaws Reported in Ghost CMS Blogging Software (thehackernews.com)
Critical Security Flaw Reported in Passwordstate Enterprise Password Manager (thehackernews.com)
This critical Windows security flaw could be as serious as WannaCry, experts claim | TechRadar
Google WordPress Plug-in Bug Allows AWS Metadata Theft (darkreading.com)
Microsoft Details Gatekeeper Bypass Vulnerability in Apple macOS Systems (thehackernews.com)
Tools and Controls
Companies overwhelmed by available tech solutions - Help Net Security
Is Enterprise VPN on Life Support or Ripe for Reinvention? | SecurityWeek.Com
Reports Published in the Last Week
Other News
The Growing Risk Of Malicious QR Codes (informationsecuritybuzz.com)
NASA infosec again falls short of required standard • The Register
US Joint Cyber Force Elevated to Newest Subordinate Unified Command - MSSP Alert
The Rise of the Rookie Hacker - A New Trend to Reckon With (thehackernews.com)
What enumeration attacks are and how to prevent them | TechTarget
US consumers seriously concerned over their personal data | CSO Online
The FBI is worried about wave of crime against small businesses (cnbc.com)
Sector Specific
Industry specific threat intelligence reports are available.
Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.
· Automotive
· Construction
· Critical National Infrastructure (CNI)
· Defence & Space
· Education & Academia
· Energy & Utilities
· Estate Agencies
· Financial Services
· FinTech
· Food & Agriculture
· Gaming & Gambling
· Government & Public Sector (including Law Enforcement)
· Health/Medical/Pharma
· Hotels & Hospitality
· Insurance
· Legal
· Manufacturing
· Maritime
· Oil, Gas & Mining
· OT, ICS, IIoT, SCADA & Cyber-Physical Systems
· Retail & eCommerce
· Small and Medium Sized Businesses (SMBs)
· Startups
· Telecoms
· Third Sector & Charities
· Transport & Aviation
· Web3
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Threat Briefing 11 November 2022
Black Arrow Cyber Threat Briefing 11 November 2022:
-Research Finds Organisations Lack Tools and Teams to Address Cyber Security Threats
-Some 98% of Global Firms Suffer Supply Chain Breach in 2021
-Only 30% of Cyber Insurance Holders Say Ransomware is Covered
-Companies Hit by Ransomware Often Targeted Again, Research Says
-Ransomware Remains Top Cyber Risk for Organisations Globally, Says Allianz
-How Geopolitical Turmoil Changed the Cyber Security Threat Landscape
-Swiss Re Wants Government Bail Out academias Cyber Crime Insurance Costs Spike
-Extortion Economics: Ransomware's New Business Model
-Confidence in Data Recovery Tools Low
-Russia’s Sway Over Criminal Ransomware Gangs Is Coming into Focus
-Insider Risk on the Rise: 12% of Employees Take IP When Leaving Jobs
-Why a Clear Cyber Policy is Critical for Companies
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
Research Finds Organisations Lack Tools and Teams to Address Cyber Security Threats
In research conducted in the summer of 2022 by BlackBerry, the findings describe the situation facing organisations regardless of size or vertical.
The survey of 405 senior IT, networking, and security decision-makers in the US, Canada, and the UK revealed 83% of organisations agreed building cyber security programs is expensive due to required tools, licenses, and personnel, and 80% agreed it’s challenging to fill specialised security roles. Most organisations (78%) have an incident management process, but about half (49%) agree they lack the teams and tools to be effective 24x7x365. Evolving security threats (53%) and the task of integrating new technology (53%) are cited as top challenges in maintaining security posture.
While it’s likely these findings surprise no one, they do reveal the challenges facing organisations who are caught between limited resources and increased risk. The urgency increases if we look at the critical infrastructure that keeps things running–like utilities, banks, transportation, key suppliers, industrial controls, and more.
Some 98% of Global Firms Suffer Supply Chain Breach in 2021
Just 2% of global organisations didn’t suffer a supply chain breach last year, with visibility into cyber risk getting harder as these ecosystems expand, according to BlueVoyant.
The security firm polled 2100 C-level execs with responsibility for supply chain and cyber risk management from companies with 1000+ employees to compile its study, The State of Supply Chain Defense: Annual Global Insights Report 2022.
It found the top challenges listed by respondents were:
Awareness internally that third-party suppliers are part of their cyber security posture
Meeting regulatory requirements and ensuring third-party cyber security compliance
Working with third-party suppliers to improve their posture.
Supply chains are growing: the number of firms with over 1000 suppliers increased from 38% in 2021’s report to 50%. Although 53% of organisations audited or reported on supplier security more than twice annually, 40% still rely on suppliers to ensure security levels are sufficient. That means they have no way of knowing if an issue arises with a supplier.
Worse, 42% admitted that if they do discover an issue in their supply chain and inform their supplier, they cannot verify that the issue was resolved. Just 3% monitor their supply chain daily, although the number of respondents using security ratings services to enhance visibility and reduce cyber risk increased from 36% last year to 39% in this year’s report.
With the escalating threat landscape and number of high-profile incidents being reported, firms should focus more strategically on addressing supply chain cyber security risk. In the current volatile economic climate, the last thing any business needs is any further disruption to their operations, any unexpected costs, or negative impact on their brand.
https://www.infosecurity-magazine.com/news/98-global-firms-supply-chain/
Only 30% of Cyber Insurance Holders Say Ransomware is Covered
Cyber insurance providers appear to be limiting policy coverage due to surging costs from claimants, according to a new study from Delinea.
The security vendor polled 300 US-based IT decision makers to compile its latest report, Cyber insurance: if you get it be ready to use it.
Although 93% were approved for specialised cyber insurance cover by their provider, just 30% said their policy covered “critical risks” including ransomware, ransom negotiations and payments. Around half (48%) said their policy covers data recovery, while just a third indicated it covers incident response, regulatory fines and third-party damages.
That may be because many organisations are regularly being breached and look to their providers for pay-outs, driving up costs for carriers. Some 80% of those surveyed said they’ve had to call on their insurance, and half of these have submitted claims multiple times, the study noted.
As a result, many insurers are demanding that prospective policyholders implement more comprehensive security controls before they’re allowed to sign up.
Half (51%) of respondents said that security awareness training was a requirement, while (47%) said the same about malware protection, AV software, multi-factor authentication (MFA) and data backups.
However, high-level checks may not be enough to protect insurers from surging losses, as they can’t guarantee customers are properly deploying security controls.
Cyber insurance providers need to start advancing beyond simple checklists for security controls. They must require their customers to validate that their security controls work as designed and expected. They need their customers to simulate their adversaries to ensure that when they are attacked, the attack will not result in a breach. In fact, we're already starting to see government regulations and guidance that includes adversary simulation as part of their proactive response to threats.
https://www.infosecurity-magazine.com/news/cyberinsurance-ransomware-cover/
Companies Hit by Ransomware Often Targeted Again, Research Says
It has been reported that more than a third of companies who paid a ransom to cyber criminals after being hit by a ransomware attack went on to be targeted for a second time, according to a new report.
The Hiscox Cyber Readiness Report found that 36% of companies that made the ransom payment were hit again, while 41% who paid failed to recover all of their data.
The head of the UK’s National Cyber Security Centre (NCSC), Lindy Cameron, said last year that ransomware attacks were the “most immediate danger” to the UK and urged companies to take more steps to protect themselves and their data.
The NCSC urges firms not to pay ransoms as it not only helps fund further crime but offers no guarantee that criminals will return the stolen or locked data. The Hiscox report appeared to back up the NCSC’s warnings, with 43% of the businesses who paid a ransom saying they still had to rebuild their systems while 29% said that despite making the payment their stolen data was still leaked. A further 26% said a ransomware attack had had a significant financial impact on their business.
Ransomware Remains Top Cyber Risk for Organisations Globally, Says Allianz
According to an Allianz Global Corporate & Specialty cyber report, ransomware remains a top cyber risk for organisations globally, while the threat of state-sponsored cyber attacks grows.
There were a record 623 million attacks in 2021, which was double that of 2020, says Allianz.
It also notes that despite the frequency reducing 23% globally during H1 of 2022, the year-to-date total still exceeds that of the full years of 2017, 2018 and 2019, while Europe saw attacks surge over this period. Allianz suggests that ransomware is forecast to cause $30bn in damages to organisations globally by 2023.
It adds that from an Allianz perspective, the value of ransomware claims the company was involved in together with other insurers, accounted for well over 50% of all cyber claims costs during 2020 and 2021.
The cyber risk landscape doesn’t allow for any resting on laurels. Ransomware and phishing scams are as active as ever and on top of that there is the prospect of a hybrid cyber war.
Most companies will not be able to evade a cyber threat. However, it is clear that organisations with good cyber maturity are better equipped to deal with incidents. Even when they are attacked, losses are typically less severe due to established identification and response mechanisms.
Many companies still need to strengthen their cyber controls, particularly around IT security trainings, better network segmentation for critical environments and cyber incident response plans and security governance.
Allianz observes that geopolitical tensions, such as the war in Ukraine, are a major factor reshaping the cyber threat landscape as the risks of espionage, sabotage, and destructive cyber-attacks against companies with ties to Russia and Ukraine increase, as well as allies and those in neighbouring countries.
How Geopolitical Turmoil Changed the Cyber Security Threat Landscape
ENISA, EU’s Agency for Cybersecurity, released its annual Threat Landscape report, covering the period from July 2021 up to July 2022.
With more than 10 terabytes of data stolen monthly, ransomware still fares as one of the prime threats in the new report with phishing now identified as the most common initial vector of such attacks. The other threats to rank highest along ransomware are attacks against availability also called Distributed Denial of Service (DDoS) attacks.
However, the geopolitical situations particularly the Russian invasion of Ukraine have acted as a game changer over the reporting period for the global cyber domain. While we still observe an increase of the number of threats, we also see a wider range of vectors emerge such as zero-day exploits and AI-enabled disinformation and deepfakes. As a result, more malicious and widespread attacks emerge having more damaging impact.
EU Agency for Cybersecurity Executive Director, Juhan Lepassaar stated that “Today’s global context is inevitably driving major changes in the cyber security threat landscape. The new paradigm is shaped by the growing range of threat actors. We enter a phase which will need appropriate mitigation strategies to protect all our critical sectors, our industry partners and therefore all EU citizens.”
State sponsored, cyber crime, hacker-for-hire actors and hacktivists remain the prominent threat actors during the reporting period of July 2021 to July 2022.
ENISA sorted threats into 8 groups. Frequency and impact determine how prominent all of these threats still are.
Ransomware: 60% of affected organisations may have paid ransom demands
Malware: 66 disclosures of zero-day vulnerabilities observed in 2021
Social engineering: Phishing remains a popular technique but we see new forms of phishing arising such as spear-phishing, whaling, smishing and vishing
Threats against data: Increasing in proportionally to the total of data produced
Disinformation – misinformation: Escalating AI-enabled disinformation, deepfakes and disinformation-as-a-service
Supply chain targeting: Third-party incidents account for 17% of the intrusions in 2021 compared to less than 1% in 2020
Threats against availability:
Largest denial of service (DDoS) attack ever was launched in Europe in July 2022
Internet: destruction of infrastructure, outages and rerouting of internet traffic.
https://www.helpnetsecurity.com/2022/11/08/cybersecurity-threat-landscape-2022/
Swiss Re Wants Government Bail Out as Cyber Crime Insurance Costs Spike
As insurance companies struggle to stay afloat amid rising cyber claims, Swiss Re has recommended a public-private partnership insurance scheme with one option being a government-backed fund to help fill the coverage gap.
Global cyber insurance premiums hit $10 billion in 2021, according to Swiss Re's estimates. In a study published this week, the insurance giant forecasted 20 percent annual growth to 2025, with premiums rising to $23 billion over the next few years.
Meanwhile, annual cyber attack-related losses total about $945 billion globally, and about 90% of that risk remains uninsured, according to insurance researchers at the Geneva Association.
While Forrester estimates a typical data breach costs an average $2.4 million for investigation and recovery, only 55 percent of companies currently have cyber insurance policies. Additionally, less than 20 percent have coverage limits in excess of $600,000, which the analyst firm cites as the median ransomware demand in 2021.
https://www.theregister.com/2022/11/08/government_cyber_insurance/
Extortion Economics: Ransomware's New Business Model
Ransomware-as-a-service lowers the barriers to entry, hides attackers’ identities, and creates multitier, specialised roles in service of ill-gotten gains.
Did you know that more than 80% of ransomware attacks can be traced to common configuration errors in software and devices? This ease of access is one of many reasons why cyber criminals have become emboldened by the underground ransomware economy.
And yet many threat actors work within a relatively small and interconnected ecosystem of players. This pool of cyber criminals has created specialised roles and consolidated the cyber crime economy, fuelling ransomware-as-a-service (RaaS) to become the dominant business model. In doing so, they've enabled a wider range of criminals to deploy ransomware regardless of their technical expertise and forced all of us to become cyber security defenders in the process.
Ransomware takes advantage of existing security compromises to gain access to internal networks. In the same way businesses hire gig workers to cut costs, cyber criminals have turned to renting or selling their ransomware tools for a portion of the profits rather than performing the attacks themselves.
This flourishing RaaS economy allows cyber criminals to purchase access to ransomware payloads and data leakage, as well as payment infrastructure. What we think of as ransomware gangs are actually RaaS programs like Conti or REvil, used by the many different actors who switch between RaaS programs and payloads.
RaaS lowers the barrier to entry and obfuscates the identity of the attackers behind the ransoming. Some programs can have 50 or more "affiliates," as they refer to their users, with varying tools, tradecraft, and objectives. Anyone with a laptop and credit card who is willing to search the Dark Web for penetration-testing tools or out-of-the-box malware can join this maximum efficiency economy.
https://www.darkreading.com/microsoft/extortion-economics-ransomware-s-new-business-model
Confidence in Data Recovery Tools Low
A recent IDC and Druva survey asked 505 respondents across 10 industries about their ransomware experiences and found that many organisations struggle to recover after an attack. In the survey, 85% of the respondents said their organisations had a ransomware recovery plan. The challenge seems to lie in effectively executing that plan.
"A majority of organisations suffered significant consequences from ransomware attacks including long recoveries and unrecoverable data despite paying a ransom," states the "You Think Ransomware Is Your Only Problem? Think Again" report.
Data resiliency is such an important element of cyber security that 96% of respondents considered it a top priority for their organisations, with a full 77% placing it in the top 3. What's striking about the survey results is that only 14% of respondents said they were "extremely confident" in their tools, even though 92% called their data resiliency tools "efficient" or "highly efficient."
When data is spread across hybrid, cloud, and edge environments, data resiliency becomes much more complicated. A plan might seem to cover everything, but then you realise that you lost your backup or can't find the latest restore point.
The ability to recover from an attack is vital, since the growth in ransomware makes it likely that your organisation will get hit. This is why agencies like NIST recommend preparing for when an attacker pierces your defences rather than trying to keep out every intruder. That mindset also shifts the priority to preparation and planning; you need to create a disaster recovery plan that includes policy on restore points and recovery tools — and you need to practice implementing that plan before disaster strikes.
The report lists three key performance indicators that reveal the success of an organisation's recovery from a cyber attack:
The ability to fully recover encrypted or deleted data without paying a ransom.
Zero data loss in the process of recovering the data.
Rapid recovery as defined by applicable service-level requirements.
When a recovery fails to meet these criteria, then the organisation may suffer financial loss, loss of reputation, permanently lost customers, and reduced employee productivity.
https://www.darkreading.com/tech-trends/confidence-in-data-recovery-tools-low
Russia’s Sway Over Criminal Ransomware Gangs Is Coming into Focus
Russia-based ransomware gangs are some of the most prolific and aggressive, in part thanks to an apparent safe harbour the Russian government extends to them. The Kremlin doesn't cooperate with international ransomware investigations and typically declines to prosecute cyber criminals operating in the country so long as they don't attack domestic targets. A long-standing question, though, is whether these financially motivated hackers ever receive directives from the Russian government and to what extent the gangs are connected to the Kremlin's offensive hacking. The answer is starting to become clearer.
New research presented at the Cyberwarcon security conference in Arlington, Virginia, this week looked at the frequency and targeting of ransomware attacks against organisations based in the United States, Canada, the United Kingdom, Germany, Italy, and France in the lead-up to these countries' national elections. The findings suggest a loose but visible alignment between Russian government priorities and activities and ransomware attacks leading up to elections in the six countries.
The project analysed a data set of over 4,000 ransomware attacks perpetrated against victims in 102 countries between May 2019 and May 2022. The analysis showed a statistically significant increase in ransomware attacks from Russia-based gangs against organisations in the six victim countries ahead of their national elections. These nations suffered the most total ransomware attacks per year in the data set, about three-quarters of all the attacks.
The data was used to compare the timing of attacks for groups believed to be based out of Russia and groups based everywhere else. They looked at the number of attacks on any given day, and what they found was an interesting relationship where for these Russia-based groups, there was an increase in the number of attacks starting four months before an election and moving three, two, one month in, up to the event.
The findings showed broadly that non-Russian ransomware gangs didn't have a statistically significant increase in attacks in the lead-up to elections. Whereas two months out from a national election, for example, the researchers found that organisations in the six top victim countries were at a 41 percent greater chance of having a ransomware attack from a Russia-based gang on a given day, compared to the baseline.
https://www.wired.com/story/russia-ransomware-gang-connections/
Insider Risk on the Rise: 12% of Employees Take IP When Leaving Jobs
Twelve percent of all employees take sensitive intellectual property (IP) with them when they leave an organisation.
The data comes from workforce cyber intelligence and security company Dtex, which published a report about top insider risk trends for 2022. “Customer data, employee data, health records, sales contacts, and the list goes on,” reads the document. “More and more applications are providing new features that make data exfiltration easier. For example, many now provide the ability to maintain clipboard history and sync across multiple devices.”
Case in point, the report also suggests a 55% increase in unsanctioned application usage, including those making data exfiltration easier by allowing users to maintain clipboard history and sync IP across multiple devices. “Bring Your Own Applications (BYOA) or Shadow IT can be a source of intelligence for business innovation,” Dtex wrote. “Still, they pose a major risk if the security team has not tested these tools thoroughly.”
Further, the new data highlight a 20% increase in resignation letter research and creation from employees taking advantage of the tight labour market to switch positions for higher wages.
“In most cases, an individual planning to leave the business is not pleased with the company’s product, co-workers, work environment, or compensation,” reads the report. “Disgruntled employees are usually jaded by a business that has not shown any steps to alleviate concerns, even after communication attempts.”
Finally, the Dtex report says the industry has witnessed a 200% increase in unsanctioned third-party work on corporate devices from a high prevalence of employees engaged in side gigs.
https://www.infosecurity-magazine.com/news/12-of-employees-take-ip-when/
Why a Clear Cyber Policy is Critical for Companies
In October, Joe Sullivan, Uber’s former head of security, was convicted of covering up a 2016 data breach at the ride hailing giant by hiding details from US regulators and then paying off the hackers.
It was a trial followed nervously by cyber security professionals around the world — coming eight years after an incident that had compromised the personal information of more than 57mn people.
“Any news about another company dealing with a data security incident can strike a bit of fear across industries,” notes Mary Pothos, chief privacy officer at digital travel company Booking.com. She adds that incidents like these cause “many companies to pause, rethink or revisit their internal processes to make sure that they are operating effectively”.
These incidents, and threats, are growing at lightning speed, too. War in Ukraine is now being played out as much in cyber space as on the battlefield. The Covid pandemic has forced businesses to rethink where their employees work, and handle or access data. At the same time, the sheer number of web-connected devices is multiplying.
“We need to be people who can predict what is coming along the line, predict the future, almost” said Victor Shadare, head of cyber security at media company Condé Nast, at a recent FT event on cyber security.
Palo Alto Networks, a specialist security company, found that cyber extortion grew rapidly in 2021. Some 35 new ransomware gangs emerged, the average ransom demand increasing 144 per cent that year to $2.2mn, and the average payment rose by 78 per cent to $541,010.
Meanwhile, cyber security personnel have found themselves hemmed in by increasingly onerous regulations. These include threats of legal action if the right people are not informed about breaches, or if products come to market that are not safe enough. On September 15, for example, the European Commission presented a proposal for a new Cyber Resilience Act to protect consumers from products with inadequate security features.
“New domains of security have sprung up over the past years, so it’s not just an information technology problem any more, it’s really a full company risk issue,” says Kevin Tierney, vice-president of global cyber security at automotive group General Motors. He warns that automated and connected vehicles have thrown up additional threats to be addressed.
“You have to start out with the right governance structure and the right policies and procedures — that’s step one of really getting the company to understand what it needs to do,” he says. These include clear rules on how to disable access to tech equipment, on data protection and storage, on transferring and disposing of data, on using corporate networks, and on reporting any data breaches.
Security experts also tend to agree that there need to be robust systems of governance and accountability, to prevent the sort of trouble that befell Sullivan at Uber. Perhaps most crucially, staff across the organisation, from C-suite to assistants, need to know how to spot and manage a threat.
https://www.ft.com/content/0bb6df09-7d77-4605-aac3-89443ed65a18
Threats
Ransomware and Extortion
Medibank: Hackers release abortion data after stealing Australian medical records - BBC News
Medical data hacked from 10m Australians begins to appear on dark web | World news | The Guardian
How ransomware gangs and malware campaigns are changing - Help Net Security
Thales confirms hackers have released its data on the dark web | Reuters
Most SMBs Fear Ransomware Attack Amid Heightened Geopolitical Tensions - MSSP Alert
Australia to consider banning paying of ransoms to cyber criminals | Reuters
LockBit gang claims to have stolen data from Kearney & Company - Security Affairs
Azov Ransomware is a wiper, destroying data 666 bytes at a time (bleepingcomputer.com)
Ransomware Gang Offers to Sell Files Stolen From Continental for $50 Million | SecurityWeek.Com
Canadian food retail giant Sobeys hit by Black Basta ransomware (bleepingcomputer.com)
LockBit affiliate uses Amadey Bot malware to deploy ransomware (bleepingcomputer.com)
Russia-linked IRIDIUM APT linked to Prestige ransomware attacks against Ukraine - Security Affairs
US Health Dept warns of Venus ransomware targeting healthcare orgs (bleepingcomputer.com)
Ransomware attacks on hospitals take toll on patients (nbcnews.com)
Hackers post Hereford schoolchildren's data records on dark web | Hereford Times
CISA and Spain Partnership to Develop Tool to Help Countries Combat Ransomware - MSSP Alert
Phishing & Email Based Attacks
Phishing threats are increasingly convincing and evasive - Help Net Security
Robin Banks phishing-as-a-service platform continues to evolve - Security Affairs
Phishing drops IceXLoader malware on thousands of home, corporate devices (bleepingcomputer.com)
Massive Phishing Campaigns Target India Banks’ Clients (trendmicro.com)
BEC – Business Email Compromise
Malware
Phishing drops IceXLoader malware on thousands of home, corporate devices (bleepingcomputer.com)
Cloud9 Malware Offers a Paradise of Cyber attack Methods (darkreading.com)
More malware is being hidden in PNG images, so watch out | TechRadar
Attackers Using IPFS for Distributed, Bulletproof Malware Hosting | SecurityWeek.Com
Malicious extension lets attackers control Google Chrome remotely (bleepingcomputer.com)
New hacking group uses custom 'Symatic' Cobalt Strike loaders (bleepingcomputer.com)
New StrelaStealer malware steals your Outlook, Thunderbird accounts (bleepingcomputer.com)
Mobile
5 Common Smartphone Security Myths, Debunked (makeuseof.com)
Oh, look: More malware in the Google Play store • The Register
Malicious app in the Play Store spotted distributing Xenomorph Banking Trojan - Security Affairs
Malicious droppers on Google Play deliver banking malware to victims - Help Net Security
Samsung phones are being targeted by some seriously shady zero-days | TechRadar
New BadBazaar Android malware linked to Chinese cyber spies (bleepingcomputer.com)
Worok hackers hide new malware in PNGs using steganography (bleepingcomputer.com)
Internet of Things – IoT
Organised Crime & Criminal Actors
An initial access broker claims to have hacked Deutsche Bank - Security Affairs
Cyber crime costs to hit $10.5tn by 2025 hears Saudi forum - Arabian Business
Cyber crime Group OPERA1ER Stole $11M From 16 African Businesses (darkreading.com)
Instagram star gets 11 years for $300m BEC conspiracy • The Register
Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain
FTX says it is probing ‘abnormal transactions’ after potential hack | Financial Times
Kraken's CSO Claims To Have Identified The $600 Million FTX Hacker (coingape.com)
Insider Risk and Insider Threats
Fraud, Scams & Financial Crime
Fifth Of 18 To 34-year-olds Have Fallen Victim To Financial Scams – Information Security Buzz
Ukrainian Cyber Cops Bust $200m Fraud Ring - Infosecurity Magazine (infosecurity-magazine.com)
Retail Sector Prepares for Annual Holiday Cyber crime Onslaught (darkreading.com)
US seized 18 web domains used for recruiting money mules (bleepingcomputer.com)
Insurance
Rising cost of cyber attacks sends insurance policy charges soaring | Financial Times (ft.com)
Just 25% of businesses are insured against cyber attacks. Here's why (theconversation.com)
Re-Focusing Cyber Insurance with Security Validation (thehackernews.com)
Swiss Re: Cyber-Insurance Industry Must Reform - Infosecurity Magazine (infosecurity-magazine.com)
Dark Web
DoJ seizes $3.36B Bitcoin from Silk Road hacker - Security Affairs
Silk Road drugs market hacker pleads guilty, faces 20 years inside – Naked Security (sophos.com)
Supply Chain and Third Parties
Hybrid Working
Attack Surface Management
Identity and Access Management
API
Passwords, Credential Stuffing & Brute Force Attacks
Microsoft Password Hacking Increase – Information Security Buzz
False sense of safety undermines good password hygiene - Help Net Security
Password-hacking attacks are on the rise. Here's how to stop your accounts from being stolen | ZDNET
Social Media
Twitter blue check unavailable after impostor accounts erupt on platform | Twitter | The Guardian
Twitter chief information security officer Lea Kissner departs | TechCrunch
Privacy, Surveillance and Mass Monitoring
World Cup apps pose a data security and privacy nightmare • The Register
Surveillance 'Existential' Danger of Tech: Signal Boss | SecurityWeek.Com
Regulations, Fines and Legislation
Careers, Working in Cyber and Information Security
Three million empty seats: What can we do about the cyber skills shortage? (computerweekly.com)
Cyber security, cloud and coding: Why these three skills will lead demand in 2023 | ZDNET
Cyber security leaders want to quit. Here's what is pushing them to leave | ZDNET
Law Enforcement Action and Take Downs
Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine
Red Cross seeks digital equivalent of its emblems • The Register
Russia’s New Cyberwarfare in Ukraine Is Fast, Dirty, and Relentless | WIRED
EU calls for joint cyber defence in response to Russia • The Register
Nation-State Hacker Attacks on Critical Infrastructure Soar: Microsoft | SecurityWeek.Com
What Ukraine’s cyber defence tactics can teach other nations | Financial Times (ft.com)
Russia-linked IRIDIUM APT linked to Prestige ransomware attacks against Ukraine - Security Affairs
APT29 abused Windows Credential Roaming in attacks - Security Affairs
Dutch MEP says illegal spyware ‘a grave threat to democracy’ | European Commission | The Guardian
Greece Is Banning Spyware After Predator Phone-Tapping Scandal (gizmodo.com)
British embassy security guard David Smith admits spying for Russia - BBC News
Nation State Actors
Nation State Actors – Russia
EU calls for joint cyber defence in response to Russia • The Register
Ukraine war: Russians kept in the dark by internet search - BBC News
Microsoft links Russia’s military to cyber attacks in Poland and Ukraine | Ars Technica
Putin ally Yevgeny Prigozhin admits interfering in US elections | Russia | The Guardian
Russia-linked IRIDIUM APT linked to Prestige ransomware attacks against Ukraine - Security Affairs
Nation State Actors – China
Nation State Actors – Misc
Vulnerability Management
Why CVE Management as a Primary Strategy Doesn't Work (darkreading.com)
Why it's time to review your Microsoft patch management options | CSO Online
Risk-Based Vulnerability Management: Understanding the RBVM Trend (darkreading.com)
How can CISOs catch up with the security demands of their ever-growing networks? - Help Net Security
Microsoft: Nation-state threats, zero-day attacks increasing (techtarget.com)
Types of vulnerability scanning and when to use each (techtarget.com)
Vulnerabilities
Microsoft November 2022 Patch Tuesday fixes 6 exploited zero-days, 68 flaws (bleepingcomputer.com)
VMware fixes three critical auth bypass bugs in remote access tool (bleepingcomputer.com)
Citrix ADC and Citrix Gateway are affected by a critical auth bypass - Security Affairs
Cisco Patches 33 Vulnerabilities in Enterprise Firewall Products | SecurityWeek.Com
Microsoft Patches MotW Zero-Day Exploited for Malware Delivery | SecurityWeek.Com
Apple out-of-band patches fix RCE bugs in iOS and macOS - Security Affairs
Microsoft fixes ProxyNotShell Exchange zero-days exploited in attacks (bleepingcomputer.com)
SAP Patches Critical Vulnerabilities in BusinessObjects, SAPUI5 | SecurityWeek.Com
Lenovo driver goof poses security risk for users of 25 notebook models | Ars Technica
Foxit Patches Several Code Execution Vulnerabilities in PDF Reader | SecurityWeek.Com
LiteSpeed Vulnerabilities Can Lead to Complete Web Server Takeover | SecurityWeek.Com
Reports Published in the Last Week
Other News
What Is Threat Hunting? A Definition for MSPs and Channel Partners - MSSP Alert
Cyber security: These are the new things to worry about in 2023 | ZDNET
What We Really Mean When We Talk About ‘Cyber security’ (darkreading.com)
Personal cyber security is now a company problem - Help Net Security
History of Computer Viruses & Malware | What Was Their Impact? (esecurityplanet.com)
5 Reasons to Consolidate Your Tech Stack (thehackernews.com)
Cookies for MFA Bypass Gain Traction Among Cyber attackers (darkreading.com)
Common lateral movement techniques and how to prevent them (techtarget.com)
Beyond the Pen Test: How to Protect Against Sophisticated Cyber criminals (darkreading.com)
5 ways to overcome multifactor authentication vulnerabilities (techtarget.com)
15,000 sites hacked for massive Google SEO poisoning campaign (bleepingcomputer.com)
Unencrypted Traffic Still Undermining Wi-Fi Security (darkreading.com)
Researchers Devise Wi-Peep Drone That Can 'See Through Walls' (gizmodo.com)
Sector Specific
Industry specific threat intelligence reports are available.
Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.
· Automotive
· Construction
· Critical National Infrastructure (CNI)
· Defence & Space
· Education & Academia
· Energy & Utilities
· Estate Agencies
· Financial Services
· FinTech
· Food & Agriculture
· Gaming & Gambling
· Government & Public Sector (including Law Enforcement)
· Health/Medical/Pharma
· Hotels & Hospitality
· Insurance
· Legal
· Manufacturing
· Maritime
· Oil, Gas & Mining
· OT, ICS, IIoT, SCADA & Cyber-Physical Systems
· Retail & eCommerce
· Small and Medium Sized Businesses (SMBs)
· Startups
· Telecoms
· Third Sector & Charities
· Transport & Aviation
· Web3
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.