Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

• Executives Take More Cyber Security Risks Than Office Workers

IT software company Ivanti worked with cyber security experts and surveyed 6,500 executive leaders, cybersecurity professionals, and office workers to understand the perception of today’s cybersecurity threats and to find out how companies are preparing for yet-unknown future threats.

The report revealed that despite 97% of leaders and security professionals reporting their organisation is as prepared, or more prepared, to defend against cybersecurity attacks than they were a year ago, one in five wouldn’t bet a chocolate bar that they could prevent a damaging breach.

In fact, the study finds that organisations are racing to fortify against cyber attacks, but the industry still struggles with a reactive, checklist mentality. This is most pronounced in how security teams are prioritising patches. While 92% of security professionals reported they have a method to prioritise patches, they also indicated that all types of patches rank high – meaning none do.

“Patching is not nearly as simple as it sounds,” said Ivanti. “Even well-staffed, well-funded IT and security teams experience prioritisation challenges amidst other pressing demands. To reduce risk without increasing workload, organisations must implement a risk-based patch management solution and leverage automation to identify, prioritise, and even address vulnerabilities without excess manual intervention”.

Cyber security insiders view phishing, ransomware, and software vulnerabilities as top industry-level threats for 2023. Approximately half of respondents indicated they are “very prepared” to meet the growing threat landscape including ransomware, poor encryption, and malicious employees, but the expected safeguards such as deprovisioning credentials is ignored a third of a time and nearly half of those surveyed say they suspect a former employee or contractor still has active access to company systems and files.

The report also revealed that leaders engage in more dangerous behaviour and are four times more likely to be victims of phishing compared to office workers.

Additionally:

• More than 1 in 3 leaders have clicked on a phishing link

• Nearly 1 in 4 use easy-to-remember birthdays as part of their password

• They are much more likely to hang on to passwords for years

• And they are 5x more likely to share their password with people outside the company.

One survey taker shared, “We’ve experienced a few advanced phishing attempts and the employees were totally unaware they were being targeted. These types of attacks have become so much more sophisticated over the last two years – even our most experienced staff are falling prey to it.”

To cope with a rapidly expanding threat landscape, organisations must move beyond a reactive, rules-based approach.

https://www.helpnetsecurity.com/2022/12/16/executives-take-more-cybersecurity-risks-than-office-workers/

• CISO Role is Diversifying from Technology to Leadership & Communication Skills

The role of chief information security officer (CISO), a relatively new executive position, is undergoing some significant changes and an archetype has yet to emerge, a new global report from Marlin Hawk, an executive recruiting and leadership consultant, said.

CISOs are still more likely to serve on advisory boards or industry bodies than on the board of directors. Only 13% of the global CISOs analysed are women; approximately 20% are non-white. Each diversity dimension analysed is down one percentage point year-on-year.

According to James Larkin, managing partner at Marlin Hawk, “Today’s CISOs are taking up the mantle of responsibilities that have traditionally fallen solely to the chief information officer (CIO), which is to act as the primary gateway from the tech department into the wider business and the outside marketplace. This widening scope requires CISOs to be adept communicators to the board, the broader business, as well as the marketplace of shareholders and customers. By thriving in the ‘softer’ skill sets of communication, leadership, and strategy, CISOs are now setting the new industry standards of today and, I predict, will be progressing into the board directors of tomorrow.”

The job does not come without its downsides. For one, according to the search firm, many CISOs change roles and leave their jobs. Their skillset may not be adequate or new leaders get appointed to the job, they lack the necessary internal support, or their company may not have the required commitment to cyber security to make the job effective.

Key findings from the report include:

• 45% of global CISOs have been in their current role for two years or less, down from 53% in 2021, with 18% turnover year-on-year. While there is still a lot of movement in the CISO seat, there is potentially some stabilisation emerging.

• Approximately 62% of global CISOs were hired from another company, indicating a slight increase in the number of CISOs hired internally (38% were hired internally compared to 36% in 2021) but a large gap remains in appropriate successors.

• 36% of CISOs analysed with a graduate degree received a higher degree in business administration or management. This is down 10% from last year (46% in 2021). Conversely, there has been an increase to 61% of CISOs receiving a higher degree in STEM subjects (up from 46% in 2021).

https://www.msspalert.com/cybersecurity-research/ciso-role-is-diversifying-from-technology-to-leadership-communication-skills/

• How Emerging AIs, Like ChatGPT, Can Turn Anyone into a Ransomware and Malware Threat Actor

Ever since OpenAI launched ChatGPT at the end of November, commentators on all sides have been concerned about the impact AI-driven content-creation will have, particularly in the realm of cybersecurity. In fact, many researchers are concerned that generative AI solutions will democratise cyber crime.

With ChatGPT, any user can enter a query and generate malicious code and convincing phishing emails without any technical expertise or coding knowledge.

While security teams can also leverage ChatGPT for defensive purposes such as testing code, by lowering the barrier for entry for cyber attacks, the solution has complicated the threat landscape significantly. From a cyber security perspective, the central challenge created by OpenAI’s creation is that anyone, regardless of technical expertise, can create code to generate malware and ransomware on-demand.

Whilst it can be used for good to assist developers in writing code for good, it can (and already has) been used for malicious purposes. Examples including asking the bot to create convincing phishing emails or assist in reverse engineering code to find zero-day exploits that could be used maliciously instead of reporting them to a vendor.

ChatGPT does have inbuilt guardrails designed to prevent the solution from being used for criminal activity. For instance, it will decline to create shell code or provide specific instructions on how to create shellcode or establish a reverse shell and flag malicious keywords like phishing to block the requests.

The problem with these protections is that they’re reliant on the AI recognising that the user is attempting to write malicious code (which users can obfuscate by rephrasing queries), while there’s no immediate consequences for violating OpenAI’s content policy.

https://venturebeat.com/security/chatgpt-ransomware-malware/

• Cyber Security Drives Improvements in Business Goals

Cyber threats should no longer be viewed as just an IT problem, but also a business problem, Deloitte said in its latest Future of Cyber study. Operational disruption, loss of revenue, and loss of customer trust are the top three significant impacts of cyber incidents. More than half, or 56%, of respondents told Deloitte they suffered related consequences to a moderate or large extent.

In 2021, the top three negative consequences from cyber incidents and breaches were operational disruption, which includes supply chain and the partner ecosystem, intellectual property theft, and a drop in share price. While operational disruption remained the top concern in 2022, loss of revenue and loss of customer trust and negative brand impact moved up in importance. Intellectual property theft and drop in share price dropped to eighth and ninth (out of ten) in ranking. Losing funding for a strategic initiative, loss of confidence in the integrity of the technology, and impact on employee recruitment and retention moved up in ranking in 2022. Respondents were also asked to mark two consequences they felt would be most important in 2023: Operational disruption and loss of revenue topped the list.

"Today, cyber means business, and it is difficult to overstate the importance of cyber as a foundational and integral business imperative," Deloitte noted in its report. "It [cyber] should be included in every functional area, as an essential ingredient for success—to drive continuous business value, not simply mitigate risks to IT."

Deloitte categorised organisations' cyber security maturity based on their adoption of cyber planning, risk management, and board engagement. Risk management included activities such as industry benchmarking, incident response, scenario planning, and qualitative and quantitative risk assessment.

Whether or not the organisation adopted any of these three practices hinged on stakeholders recognising the importance of cyber responsibility and engagement across the whole organisation, Deloitte said in its report. Examples included having a governing body that comprises IT and senior business leaders to oversee the cyber program, conducting incident-response scenario planning and simulation at the organisational and/or board level, regularly providing cyber updates to the board to secure funding, and conducting regular cyber awareness training for all employees.

https://www.darkreading.com/edge-threat-monitor/cybersecurity-drives-improvements-in-business-goals

• Incoming FCA Chair Says Crypto Firms Facilitate Money Laundering

The man who will lead UK efforts to regulate cryptocurrency firms issued a stark condemnation of the sector on Wednesday, telling MPs that in his experience crypto platforms were “deliberately evasive”, facilitated money laundering at scale and created “massively untoward risk”.

The comments from Ashley Alder, the incoming chair of the Financial Conduct Authority, suggest that crypto firms hoping to build businesses in the UK will face an uphill battle when the FCA assumes new powers to regulate broad swaths of the sector.

They also put Alder, who will become FCA chair in February, on a potential collision course with the government’s aspiration to create a high quality crypto hub that fosters innovation, a vision ministers have remained loyal to even as the global crypto market lurches from crisis to crisis, epitomised by the collapse of FTX. The FCA declined to comment on whether their incoming chair’s views were at odds with those of the government.

Alder comments came during a sometimes terse appointment hearing with the cross-party Treasury select committee, where he faced sustained criticism for appearing virtually from Hong Kong and for his lack of familiarity with some parts of the UK market place and its accountability structures.

https://www.ft.com/content/7bf0a760-5fb5-4146-b757-1acc5fc1dee5

• Managing Cyber Risk in 2023: The People Element

2022 has had many challenges from cyber war between Russia and Ukraine, continuing ransomware attacks, and a number of high-profile vulnerabilities and zero day attacks.  With the attack surface constantly expanding, CISOs and security leaders are acutely aware of the need to minimise risk across people, processes, and technology.

Top infrastructure risk: people

It’s common knowledge that it’s not if, but when, your organisation will be the target of a cyber attack. CISOs and security leaders seem to share the same opinion—according to Trend Micro’s latest Cyber Risk Index (CRI) (1H’2022), 85% of 4,100 respondents across four global regions said its somewhat to very likely they will experience a cyber attack in the next 12 months.  More concerning was 90% of respondents had at least one successful cyber attack in the past 12 months.

The CRI (1H’2022) also found that CISOs, IT practitioners, and managers identified that most organisations’ IT security objectives are not aligned with the business objectives, which could cause challenges when trying to implement a sound cyber security strategy.

It’s important to note that while ideal, avoiding a cyber attack isn’t the main goal—companies need to address critical challenges across their growing digital attack surface to enable faster detection and response, therefore minimising cyber risk.

While it's commonly assumed that security efforts should be largely focused on protecting critical servers and infrastructure, the human attack vector shouldn’t be so quickly forgotten.

https://www.trendmicro.com/en_us/ciso/22/e/managing-cyber-risk.html

• What We Can't See Can Hurt Us

In speaking with security and fraud professionals, visibility remains a top priority. This is no surprise, since visibility into the network, application, and user layers is one of the fundamental building blocks of both successful security programs and successful fraud programs. This visibility is required across all environments — whether on-premises, private cloud, public cloud, multicloud, hybrid, or otherwise.

Given this, it is perhaps a bit surprising that visibility in the cloud has lagged behind the move to those environments. This occurred partially because few options for decent visibility were available to businesses as they moved to the cloud. But it also partially happened because higher priority was placed on deploying to the cloud than on protecting those deployments from security and fraud threats.

This is unfortunate, since what we can't see can hurt us. That being said, cloud visibility is becoming a top priority for many businesses. There are a few areas where many businesses are looking for visibility to play a key role, including Compliance, Monitoring, Investigation, Response, API Discovery, Application Breaches, and Malicious User Detection.

Organisation have been a bit behind in terms of ensuring the requisite visibility into cloud environments. Whilst time has been lost, it does seem that gaining visibility into the network, application, and user layers is now a priority for many businesses. This is a positive development, as it enables those businesses to better mitigate the risks that operating blindly creates.

https://www.darkreading.com/edge-articles/what-we-can-t-see-can-hurt-us

• Uber Suffers New Data Breach After Attack on Vendor, Info Leaked Online

Uber has suffered a new data breach after a threat actor leaked employee email addresses, corporate reports, and IT asset information stolen from a third-party vendor in a cyber security incident.

On Saturday last week, a threat actor named 'UberLeaks' began leaking data they claimed was stolen from Uber and Uber Eats on a hacking forum known for publishing data breaches. The leaked data includes numerous archives claiming to be source code associated with mobile device management platforms (MDM) used by Uber and Uber Eats and third-party vendor services.

The threat actor created four separate topics, allegedly for Uber MDM at uberhub.uberinternal.com and Uber Eats MDM, and the third-party Teqtivity MDM and TripActions MDM platforms. Each post refers to a member of the Lapsus$ hacking group who is believed to be responsible for numerous high-profile attacks, including a September cyber attack on Uber where threat actors gained access to the internal network and the company's Slack server.

News outlet BleepingComputer has been told that the newly leaked data consists of source code, IT asset management reports, data destruction reports, Windows domain login names and email addresses, and other corporate information. One of the documents seen by BleepingComputer includes email addresses and Windows Active Directory information for over 77,000 Uber employees.

While BleepingComputer initially thought this data was stolen during the September attack, Uber told BleepingComputer it believes it is related to a security breach on a third-party vendor.

https://www.bleepingcomputer.com/news/security/uber-suffers-new-data-breach-after-attack-on-vendor-info-leaked-online/

• When Companies Compensate the Hackers, We All Foot the Bill

Companies are always absorbing costs that are seen as par for the course of budget planning: maintenance, upgrades, office supplies, wastage, shrinkage, etc. These costs ratchet up the price of a company's products and are then passed on to the consumer. Breaches in cyber security and paying out ransoms to hackers should be outside of this remit, and yet more than half of all companies admit to transferring the costs of data breaches on to consumers. Careless or ill-informed employees and other weaknesses in a company's protections lead to catastrophic losses to businesses of around $1,797,945 per minute — and the consumers are paying it off.

If a company estimates the recovery costs from a ransomware attack to exceed the requested payment from the hacker, then it feels like a no-brainer — they're better off just cutting their losses and giving in to the cyber criminal's demands. The issue is that this creates an unvirtuous circle of paying the hacker, which enforces nefarious behaviour and empowers hackers to increase the number and volume of ransoms.

When it comes to ransomware, 32% of companies pay off hackers, and, of that percentage, the average company only retrieves about 65% of its data. Giving in to hackers is counterintuitive. On an even more disturbing note, one study found that 80% of companies that paid a ransom were targeted a second time, with about 40% paying again and a majority of that 40% paying a higher ransom the second time round. This is ludicrous. With 33% of companies suspending operations following an attack, and nearly 40% resorting to laying off staff, it comes as no surprise that the downstream costs are picked up to some extent by the consumer.

As for smaller companies, about 50% of US small businesses don't have a cyber security plan in place, despite the fact that small businesses are three times more likely to be targeted by cyber criminals than larger companies. An average breach costs these companies around $200,000 and has put many out of business. It isn't simply the cost passed on to consumers, it's also the intangible assets, such as brand reputation.

When data is leaked and a site goes down, customers become rightly anxious when their information is sold to the highest bidder on the Dark Web. To safeguard against this, companies of all sizes should exploit automated solutions while training every single member of staff to recognise and report online threats. Paying a ransom does not guarantee the return of data, and for a smaller business, losing valuable customer information could cause long-term damage way beyond the initial attack.

Cyber security professionals, governments, and law enforcement agencies all advise companies to avoid paying the hackers' ransoms. This strategy is affirmed by the success businesses have had in retrieving the stolen data and turning the lights back on — 78% of organisations who say they did not pay a ransom were able to fully restore systems and data without the decryption key. This evidently is not enough to reassure companies who, at the click of a dangerous email being opened, have lost sensitive information and access to their systems and are desperate to get back online. There are many preventative techniques businesses can take advantage of before it even gets to that stage.

https://www.darkreading.com/attacks-breaches/when-companies-compensate-the-hackers-we-all-foot-the-bill

• HSE Cyber-Attack Costs Ireland $83m So Far

The cost of the cyber-attack that hit the Irish Health Service Executive (HSE) last year has officially reached €80m ($83.75m).

The figures come from a letter from HSE’s chief information officer, seen by The Irish Times. This comes months after the Department of Health suggested in February the attack could end up costing up to €100m ($104m). The letter confirmed that the costs reached €42m ($43.97m) in 2021 and almost €39m ($40.83m) until October of this year.

Ireland has a very capable national cyber security centre and a well-oiled CSIRT team that engages the public/private sector. If the cost does continue to escalate to €100m, that is the equivalent to everyone in the Republic of Ireland having been defrauded by €20. According to The Irish Times, the costs were said to be “enormous,” and the government has been asked to complete a comprehensive assessment of the impact caused by the breach.

The cyber-attack, believed to have been conducted by Russia-based state actors, was reportedly caused by a malicious Microsoft Excel file delivered via a phishing email. According to a December 2021 report, the file was opened at an HSE workstation in March 2021. The malware would have been latent for two months before the breach, which was reportedly discovered in May, two months later. A total of roughly 100,000 people had their personal data stolen during the cyber-attack.

Healthcare continues to be a target of attacks given their enormous attack surface across critical applications, cloud environments and IoT devices.

https://www.infosecurity-magazine.com/news/hse-cyber-attack-ireland-dollar83m/

Threats

Ransomware, Extortion and Destructive Attacks

• HSE Cyber-Attack Costs Ireland $83m So Far - Infosecurity Magazine (infosecurity-magazine.com)

• Ransomware-hit Rackspace email outage enters 12th day • The Register

• The Dark Web is Getting Darker - Ransomware Thrives on Illegal Markets (bleepingcomputer.com)

• Rash of New Ransomware Variants Springs Up in the Wild (darkreading.com)

• Patch Tuesday: Microsoft Plugs Windows Hole Exploited in Ransomware Attacks | SecurityWeek.Com

• Preventing a ransomware attack with intelligence: Strategies for CISOs - Help Net Security

• Agenda Ransomware Switches to Rust to Attack Critical Infrastructure - Infosecurity Magazine (infosecurity-magazine.com)

• LockBit ransomware crew claims attack on California Department of Finance - CyberScoop

• When Companies Compensate the Hackers, We All Foot the Bill (darkreading.com)

• Clop ransomware uses TrueBot malware for access to networks (bleepingcomputer.com)

• TrueBot infections were observed in Clop ransomware attacks - Security Affairs

• Pulling the Curtains on Azov Ransomware: Not a Skidsware but Polymorphic Wiper - Check Point Research

• Play ransomware claims attack on Belgium city of Antwerp (bleepingcomputer.com)

• Brooklyn hospital network victim of cyber hack crash (msn.com)

• Ransomware Group Threatens to Publish Data Stolen From California Department of Finance | SecurityWeek.Com

• Cyber security Experts Uncover Inner Workings of Destructive Azov Ransomware (thehackernews.com)

• Cybereason warns of rapid increase in Royal ransomware | TechTarget

• New Royal ransomware group evades detection with partial encryption | CSO Online

• How ChatGPT can turn anyone into a ransomware and malware threat actor   | VentureBeat

• Check Point classifies Azov as wiper, not ransomware | TechTarget

• The Future of Ransomware - Security News (trendmicro.com)

• Hive ransomware gang claims responsibility for attack on Intersport that left cash registers disabled (bitdefender.com)

Phishing & Email Based Attacks

• Open-source repositories flooded by 144,000 phishing packages (bleepingcomputer.com)

• Phishing attack uses Facebook posts to evade email security (bleepingcomputer.com)

BEC – Business Email Compromise

• US Food Companies Warned of BEC Attacks Stealing Food Product Shipments | SecurityWeek.Com

Other Social Engineering; Smishing, Vishing, etc

• North Korean Hackers Use Impersonation to Steal Intel - Infosecurity Magazine (infosecurity-magazine.com)

Malware

• Microsoft digital certificates have once again been abused to sign malware | Ars Technica

• Hackers target Japanese politicians with new MirrorStealer malware (bleepingcomputer.com)

• Zscaler: Nearly 90% of Cyber attacks Now Use Encrypted Channels, Malware Tops - MSSP Alert

• This Linux-targeting malware just got more powerful | ZDNET

• Crooks use HTML smuggling to spread QBot malware via SVG files - Security Affairs

• A clever trick turns antivirus software into unstoppable data wiping scourges | TechSpot

• How ChatGPT can turn anyone into a ransomware and malware threat actor   | VentureBeat

Mobile

• Android Malware Campaign Leverages Money-Lending Apps to Blackmail Victims (thehackernews.com)

• Why You Should Enable Apple’s New iOS 16.2 Security Feature | Reviews by Wirecutter (nytimes.com)

• NSA Slices Up 5G Mobile Security Risks (darkreading.com)

• Xnspy stalkerware spied on thousands of iPhones and Android devices | TechCrunch

Internet of Things – IoT

• Critical Infrastructure Attacks: Convergence of IoT and OT Gives Hackers a Huge Attack Surface - SSP Alert

• 3.5m IP cameras exposed, with US in the lead - Security Affairs

• Are robots too insecure for lethal use by law enforcement? | CSO Online

• 10 Ways Doorbell Cameras Pose a Threat to Privacy and Security - Listverse

Data Breaches/Leaks

• Uber suffers new data breach after attack on vendor, info leaked online (bleepingcomputer.com)

• Twitter confirms recent user data leak is from 2021 breach (bleepingcomputer.com)

• HR platform Sequoia says hackers accessed customer SSNs and COVID-19 data | TechCrunch

• Parsing LastPass’ data breach notice | TechCrunch

• Social Blade discloses security breach - Security Affairs

• Australia's Telstra suffers privacy breach, 132,000 customers impacted | Reuters

• Unauthorised server access caused AirAsia data leak: Fahmi | Malaysia | The Vibes

• FBI's InfraGard Cyber security Program Breached by Hackers (gizmodo.com)

• Database of the FBI's InfraGard US Critical Infrastructure Intelligence portal available for sale - Security Affairs

• Aussie Data Breaches Surge 489% in Q4 2022 - Infosecurity Magazine (infosecurity-magazine.com)

• Uber staff information leaks after IT supply chain attack • The Register

• TPG reveals emails of 15,000 iiNet and Westnet customers exposed in hack | Telecommunications industry | The Guardian

• TPG Telecom joins list of hacked Australian companies, shares slide | Reuters

• How companies can avoid costly data breaches - Help Net Security

• Hackers leak personal info allegedly stolen from 5.7M Gemini users (bleepingcomputer.com)

Organised Crime & Criminal Actors

• ‘Booter’ sites taken down in global cyber crime bust (gbnews.uk)

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

• Incoming FCA chair says crypto firms facilitate money laundering | Financial Times (ft.com)

• Britons lose life savings to ‘Ali Baba and the cryptocurrency scammers’ | News | The Times

• Bitcoin miners took on billions in debt to ‘pump their stock’—leading to a crypto catastrophe | Fortune

• Chaos RAT Used to Enhance Linux Cryptomining Attacks - Infosecurity Magazine (infosecurity-magazine.com)

• DOJ divided over charging Binance for alleged crypto crimes, report says | Ars Technica

• Crypto was meant to solve financial corruption. The FTX scandal shows it’s got worse | David A Banks | The Guardian

• Facebook Asks Lawmakers Not to Regulate Crypto Too Harshly Just Because of All the Fraud (vice.com)

• The amateur sleuths who helped to bring down Sam Bankman-Fried - New Statesman

• Hackers leak personal info allegedly stolen from 5.7M Gemini users (bleepingcomputer.com)

Insider Risk and Insider Threats

• Executives take more cyber security risks than office workers - Help Net Security

• Managing Cyber Risk in 2023: The People Element (trendmicro.com)

Fraud, Scams & Financial Crime

• Loan Fee Fraud Surges by a Fifth as Christmas Approaches - Infosecurity Magazine (infosecurity-magazine.com)

• Fraudsters Flooding Retail Markets with Bad Bots, Preying on Unsuspecting Retailers, Consumers - MSSP Alert

• Britons lose life savings to ‘Ali Baba and the cryptocurrency scammers’ | News | The Times

• Australians have lost at least $7.2 million to the 'Hi Mum' scam. How does it work and why is it so lucrative for cyber criminals? - ABC News

• Restaurant closes after fraudsters posing as officials steal thousands | News | The Times

• Woman gets 66 months in prison for role in $3.3 million ID fraud op (bleepingcomputer.com)

• Patrick Giblin conned women all over the US. Now he's going to prison for 5 years | CNN

• UK arrests five for selling dodgy point of sale software • The Register

• The amateur sleuths who helped to bring down Sam Bankman-Fried - New Statesman

• Scammers are pretending to be striking paramedics to trick people into giving donations, ambulance service warns | UK News | Sky News

• 8 charged with conspiracy to commit securities fraud • The Register

AML/CFT/Sanctions

• Incoming FCA chair says crypto firms facilitate money laundering | Financial Times (ft.com)

Insurance

• Most startups have cyber insurance but are uncertain about how much risk is covered - Help Net Security

• Cyber Insurer Cowbell Launches Cyber security Advisory Board - MSSP Alert

Dark Web

• The Dark Web is Getting Darker - Ransomware Thrives on Illegal Markets (bleepingcomputer.com)

Supply Chain and Third Parties

• Uber staff information leaks after IT supply chain attack • The Register

• Report highlights serious cyber security issues with US defence contractors | CSO Online

Software Supply Chain

• How Naming Can Change the Game in Software Supply Chain Security (darkreading.com)

• Microsoft digital certificates have once again been abused to sign malware | Ars Technica

Denial of Service DoS/DDoS

• FBI Charges 6, Seizes 48 Domains Linked to DDoS-for-Hire Service Platforms (thehackernews.com)

• Prosecutors charge 6 people for allegedly waging massive DDoS attacks | Ars Technica

• teiss - Cyber Threats - DDoS attacks on the rise

• How My Startup Survived a DDoS Attack - Bannerbear

• DDoS is not back; it never went away; and PAM is on hand to fight the ‘unstoppable’ menace (techxmedia.com)

• ‘Booter’ sites taken down in global cyber crime bust (gbnews.uk)

• Microsoft discovers Windows/Linux botnet used in DDoS attacks | Ars Technica

Cloud/SaaS

• Top 4 SaaS Security Threats for 2023 (thehackernews.com)

• Microsoft launches EU 'data boundary' from next year • The Register

• What We Can't See Can Hurt Us (darkreading.com)

• HR platform Sequoia says hackers accessed customer SSNs and COVID-19 data | TechCrunch

• Parsing LastPass’ data breach notice | TechCrunch

• Lego fixes dangerous API vulnerability in BrickLink service | TechTarget (computerweekly.com)

• Data Destruction Policies in the Age of Cloud Computing (darkreading.com)

Hybrid/Remote Working

• Remote Work Cyber security Requires a Change in Mindset (informationsecuritybuzz.com)

Encryption

• Zscaler: Nearly 90% of Cyber attacks Now Use Encrypted Channels, Malware Tops - MSSP Alert

• The FBI Says Apple’s New Encryption Is “Deeply Concerning” (futurism.com)

• NIST Retires SHA-1 Cryptographic Algorithm | NIST

• Over 85% of Attacks Hide in Encrypted Channels - Infosecurity Magazine (infosecurity-magazine.com)

• WhatsApp is getting closer to a total UK shutdown | indy100

• Privacy advocates are aghast at UK’s anti-encryption plans (thenextweb.com)

API

• Lego fixes dangerous API vulnerability in BrickLink service | TechTarget (computerweekly.com)

Open Source

• This Linux-targeting malware just got more powerful | ZDNET

• Chaos RAT Used to Enhance Linux Cryptomining Attacks - Infosecurity Magazine (infosecurity-magazine.com)

• Google Launches OSV-Scanner Tool to Identify Open Source Vulnerabilities (thehackernews.com)

• Open-source repositories flooded by 144,000 phishing packages (bleepingcomputer.com)

Passwords, Credential Stuffing & Brute Force Attacks

• New GoTrim botnet brute forces WordPress site admin accounts (bleepingcomputer.com)

Social Media

• Fleeing Twitter users face uncertain privacy, security features on alternative platforms - CyberScoop

• Elon Musk's Twitter dissolves Trust and Safety Council - just days after its members speak out | Science & Tech News | Sky News

• TikTok may push potentially harmful content to teens within minutes, study finds | CNN Business

• Meta warns spyware still being used to target people on social media | Meta | The Guardian

• Elon Musk Bans Journalists From Twitter After Reinstating Nazis (gizmodo.com)

• Russian disinformation rampant on far-right social media platforms - CyberScoop

• HowTo: Fight Cyber-Threats in the Metaverse - Infosecurity Magazine

• US politicians propose TikTok ban over China security concerns (telegraph.co.uk)

• Social Blade discloses security breach - Security Affairs

• Twitter suspends Mastodon’s official account | The Hill

Training, Education and Awareness

• Keep Your Grinch at Bay: Here's How to Stay Safe Online this Holiday Season (thehackernews.com)

• Remote Work Cyber security Requires a Change in Mindset (informationsecuritybuzz.com)

Parental Controls and Child Safety

• Most apps used in US classrooms share students' personal data with advertisers, researchers find - CyberScoop

• TikTok may push potentially harmful content to teens within minutes, study finds | CNN Business

• Microsoft Teams is a vector for child sexual abuse material • The Register

Cyber Bullying, Cyber Stalking and Sextortion

• Xnspy stalkerware spied on thousands of iPhones and Android devices | TechCrunch

• Proposed law offers support to tech-enabled abuse survivors • The Register

Regulations, Fines and Legislation

• Privacy concerns are limiting data usage abilities - Help Net Security

• European Commission takes step toward approving EU-US data privacy pact | Computerworld

Governance, Risk and Compliance

• Managing Cyber Risk in 2023: The People Element (trendmicro.com)

• Executives take more cyber security risks than office workers - Help Net Security

• Cyber security Drives Improvements in Business Goals (darkreading.com)

• Compliance Is Not Enough: How to Manage Your Customer Data (darkreading.com)

• 5 tips for building a culture of cyber security accountability - Help Net Security

• How acceptable is your acceptable use policy? | CSO Online

• Data Destruction Policies in the Age of Cloud Computing (darkreading.com)

• What CISOs consider when building up security resilience - Help Net Security

• CISO Role is Diversifying From Technology to Leadership & Communication Skills - MSSP Alert

Models, Frameworks and Standards

• Why PCI DSS 4.0 Should Be on Your Radar in 2023 (thehackernews.com)

• PCI Secure Software Standard version 1.2 sets out new payment security requirements | CSO Online

Backup and Recovery

• Why Your MSSP Should Offer Backup-as-a-Service (BaaS) - MSSP Alert

• CISA Warns Veeam Backup & Replication Vulnerabilities Exploited in Attacks | SecurityWeek.Com

Data Protection

• OECD Signs "Landmark" Privacy Agreement - Infosecurity Magazine (infosecurity-magazine.com)

Careers, Working in Cyber and Information Security

• Top Reasons Not to Become a Self-Taught Ethical Hacker in 2023 (analyticsinsight.net)

• The Cyber security Industry Doesn't Have a Stress Problem — It Has a Leadership Problem (darkreading.com)

• Two-Thirds of Security Pros Have Burnt Out in Past Year - Infosecurity Magazine (infosecurity-magazine.com)

Law Enforcement Action and Take Downs

• FBI Charges 6, Seizes 48 Domains Linked to DDoS-for-Hire Service Platforms (thehackernews.com)

• Prosecutors charge 6 people for allegedly waging massive DDoS attacks | Ars Technica

• 8 charged with conspiracy to commit securities fraud • The Register

Privacy, Surveillance and Mass Monitoring

• Privacy advocates are aghast at UK’s anti-encryption plans (thenextweb.com)

• WhatsApp is getting closer to a total UK shutdown | indy100

• Most apps used in US classrooms share students' personal data with advertisers, researchers find - CyberScoop

• Apple should pay €6m for tracking users – French official • The Register

• European Commission takes step toward approving EU-US data privacy pact | Computerworld

• Privacy concerns are limiting data usage abilities - Help Net Security

Artificial Intelligence

• Are robots too insecure for lethal use by law enforcement? | CSO Online

• How ChatGPT can turn anyone into a ransomware and malware threat actor   | VentureBeat

Misinformation, Disinformation and Propaganda

• Russian disinformation rampant on far-right social media platforms - Cyberscoop

Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine

• Trojanized Windows 10 Operating System Installers Targeted Ukrainian Government | Mandiant

• Meta takes down surveillance-for-hire firms, calls for government action against the industry - CyberScoop

• Reassessing cyberwarfare. Lessons learned in 2022 | Securelist

• As Wiretap Claims Rattle Government, Greece Bans Spyware | SecurityWeek.Com

• Ex-Twitter Worker Gets Prison Time in Saudi 'Spy' Case | SecurityWeek.Com

• Reassessing cyberwarfare. Lessons learned in 2022 | Securelist

Nation State Actors

Nation State Actors – Russia

• Seven accused of smuggling out US military tech for Moscow • The Register

• Neo-Nazi Russian militia appeals for intelligence on Nato member states | Ukraine | The Guardian

• GPS Signals Are Being Disrupted in Russian Cities | WIRED

• NSA cyber director warns of Russian digital assaults on global energy sector - CyberScoop

• Russian disinformation rampant on far-right social media platforms - CyberScoop

Nation State Actors – China

• NSA Outs Chinese Hackers Exploiting Citrix Zero-Day | SecurityWeek.Com

• US politicians propose TikTok ban over China security concerns (telegraph.co.uk)

• Hackers target Japanese politicians with new MirrorStealer malware (bleepingcomputer.com)

• US to add Chinese chipmaker to trade blacklist | Financial Times (ft.com)

• AIIMS cyber attack suspected to have originated in China, Hong Kong - Rediff.com India News

• Spies and Lies by Alex Joske — inside China’s intelligence operation | Financial Times (ft.com)

Nation State Actors – North Korea

• North Korean cyber spies deploy new tactic: tricking foreign experts into writing research for them | Reuters

• North Korean Hackers Use Impersonation to Steal Intel - Infosecurity Magazine (infosecurity-magazine.com)

Nation State Actors – Iran

• MuddyWater APT group is back with updated TTPs - Security Affairs

• Iran-Backed Charming Kitten APT Eyes Kinetic Ops, Kidnapping (darkreading.com)

• Not-so-Charming Kitten targets orgs for espionage and worse • The Register

Vulnerability Management

• Transitive Dependencies Account for 95% of Bugs - Infosecurity Magazine (infosecurity-magazine.com)

• 24% of technology applications contain high-risk security flaws - Help Net Security

Vulnerabilities

• Hackers exploit critical Citrix ADC and Gateway zero day, patch now (bleepingcomputer.com)

• CISA Warns Veeam Backup & Replication Vulnerabilities Exploited in Attacks | SecurityWeek.Com

• Adobe Patches 38 Flaws in Enterprise Software Products | SecurityWeek.Com

• VMware fixed critical VM Escape bug demonstrated at Geekpwn hacking contest - Security Affairs

• Samba Issues Security Updates to Patch Multiple High-Severity Vulnerabilities (thehackernews.com)

• Fortinet says SSL-VPN pre-auth RCE bug is exploited in attacks (bleepingcomputer.com)

• Transitive Dependencies Account for 95% of Bugs - Infosecurity Magazine (infosecurity-magazine.com)

• Citrix Releases Security Updates for Citrix ADC, Citrix Gateway | CISA

• Security Flaw in Atlassian Products Affecting Multiple Companies (darkreading.com)

• Serious Attacks Could Have Been Staged Through This Amazon ECR Public Gallery Vulnerability (thehackernews.com)

• Patch Tuesday: 0-days, RCE bugs, and a curious tale of signed malware – Naked Security (sophos.com)

• Patch Tuesday: Microsoft Plugs Windows Hole Exploited in Ransomware Attacks | SecurityWeek.Com

• New Actively Exploited Zero-Day Vulnerability Discovered in Apple Products (thehackernews.com)

• Apple patches everything, finally reveals mystery of iOS 16.1.2 – Naked Security (sophos.com)

• Apple fixed the tenth actively exploited zero-day this year - Security Affairs

• High-Severity Memory Safety Bugs Patched With Latest Chrome 108 Update | SecurityWeek.Com

• Top 5 Web App Vulnerabilities and How to Find Them (thehackernews.com)

• Microsoft Reclassifies SPNEGO Extended Negotiation Security Vulnerability as 'Critical' (thehackernews.com)

• Severe vulnerabilities found in most industrial controllers - The Washington Post

• Akamai WAF bypassed via Spring Boot to trigger RCE | The Daily Swig (portswigger.net)

Tools and Controls

• CISA Warns Veeam Backup & Replication Vulnerabilities Exploited in Attacks | SecurityWeek.Com

• Why Your MSSP Should Offer Backup-as-a-Service (BaaS) - MSSP Alert

• How My Startup Survived a DDoS Attack - Bannerbear

• Data Destruction Policies in the Age of Cloud Computing (darkreading.com)

• 8 Firewall Best Practices | Enterprise Networking Planet

• Zero Trust Shouldn’t Be The New Normal (darkreading.com)

Other News

• Cyber Threats Loom as 5B People Prepare to Watch World Cup Final (darkreading.com)

• Tech companies must start sharing intelligence to avert global conflicts | Financial Times (ft.com)

• Japan, Australia, to bolster cyber-defences • The Register

• Microsoft Defender, Avast, AVG turned against Windows to permanently delete files - Neowin

• Analysis Shows Attackers Favour PowerShell, File Obfuscation (darkreading.com)

• Automated Cyber campaign Creates Masses of Bogus Software Building Blocks (darkreading.com)

• 12 types of wireless network attacks and how to prevent them | TechTarget

• Windows: Still insecure after all these years | ZDNET

• FuboTV says World Cup streaming outage caused by a cyber attack (bleepingcomputer.com)

• MTTR “not a viable metric” for complex software system reliability and security | CSO Online

• Low-code/no-code security risks climb as tools gain traction | TechTarget

Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

·       Automotive

·       Construction

·       Critical National Infrastructure (CNI)

·       Defence & Space

·       Education & Academia

·       Energy & Utilities

·       Estate Agencies

·       Financial Services

·       FinTech

·       Food & Agriculture

·       Gaming & Gambling

·       Government & Public Sector (including Law Enforcement)

·       Health/Medical/Pharma

·       Hotels & Hospitality

·       Insurance

·       Legal

·       Manufacturing

·       Maritime

·       Oil, Gas & Mining

·       OT, ICS, IIoT, SCADA & Cyber-Physical Systems

·       Retail & eCommerce

·       Small and Medium Sized Businesses (SMBs)

·       Startups

·       Telecoms

·       Third Sector & Charities

·       Transport & Aviation

·       Web3

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

Cyber Insurers Recoil As Ransomware Attacks ‘Skyrocket’

The Great Fire of London helped forge the property insurance market, as residents feared a repeat of the savage destruction of 1666. In the absence of a state-backed fire service, some insurers even employed their own brigades, betting that limiting the damage to a property would be cheaper than rebuilding it. After a wave of high-profile cyber assaults, Graeme Newman, chief innovation officer at London-based insurance provider CFC, draws a parallel with today’s rapidly evolving market for cyber coverage. Insurance companies now provide emergency support services as well as financial compensation, so “the insurers own the digital fire trucks”, he said.

https://www.ft.com/content/4f91c4e7-973b-4c1a-91c2-7742c3aa9922

US Puts Cyber Crime On Par With Terror After Ransomware Attacks

The US government is raising the fight against cyber criminals to the same level as the battle against terrorists after a surge of ransomware attacks on large corporations. Internal guidance circulated by the Department of Justice instructs prosecutors to pool their information about hackers. The idea, said John Carlin, of the attorney-general’s office, is to “make the connections between actors and work your way up to disrupt the whole chain”.

https://www.thetimes.co.uk/article/us-cybercrime-terror-ransomware-attacks-joe-biden-pzrqbkfwt

Russia Under Fire As Cyber Attack Leaves 7,000 Out Of Work

An attack this week on JBS meatworks in North America and Australia brought the firm to a standstill, and now threatens to turn into a diplomatic row with Russia. JBS are reported to supply 20% of the world meat market and the ransomware attack has left 7,000 workers unable to do their jobs.

https://www.afr.com/politics/russia-under-fire-as-ransomware-attack-leaves-7000-out-of-work-20210602-p57xha

Irish Health Service Confirms Data Of Nearly 520 Patients Is Online After Cyber Attack

The Health Service Executive (HSE) has confirmed the data of nearly 520 patients is online after media reports of their publication. In a statement, the HSE said the data contains correspondence with patients, minutes of meetings and includes sensitive patient data. The HSE also confirmed corporate documents are among the HSE data illegally accessed.  Confirmation of the authenticity of this data follows an analysis carried out by the agency and comments from the Minister for Communications, Eamon Ryan, that reports of patient data being shared online are "very credible".

https://www.irishexaminer.com/news/arid-40301054.html

Enterprise Networks Vulnerable To 20-Year-Old Exploits

While the industry focuses on exotic attacks – like the SolarWinds incident — the real risk to enterprises comes from older exploits, some as much as 20-years old. “While organisations always need to keep up with the latest security patches, it is also vital to ensure older system and well-known vulnerabilities from years past are monitored and patched as well,” says Etay Maor, senior director of security strategy at Cato Networks. “Threat actors are attempting to take advantage of overlooked, vulnerable systems.” Our research showed that attackers often scanned for end-of-life and unsupported systems. Common Vulnerability and Exposures (CVE) identified were exploits targeting software, namely vSphere, Oracle WebLogic, and Big-IP, as well as routers with remote administration vulnerabilities.

https://www.helpnetsecurity.com/2021/05/27/enterprise-networks-vulnerable/

US Authorities Seize Two Domains Used By SolarWinds Intruders For Malware Spear-Phishing Operation

Uncle Sam on Tuesday said it had seized two web domains used to foist malware on victims using spoofed emails from the US Agency for International Development (USAID). The domain takeovers, which occurred on Friday, followed a court order issued in the wake of a Microsoft report warning about the spear-phishing campaign. The phishing effort relied on malware-laden messages sent via marketing service Constant Contact. "Cyber intrusions and spear-phishing email attacks can cause widespread damage throughout affected computer networks, and can result in significant harm to individual victims, government agencies, NGOs, and private businesses,” said Acting US Attorney Raj Parekh for the Eastern District of Virginia, in a statement. "As demonstrated by the court-authorized seizure of these malicious domains, we are committed to using all available tools to protect the public and our government from these worldwide hacking threats."

https://www.theregister.com/2021/06/02/feds_seize_nobelium/

Hacker Group DarkSide Operates In A Similar Way To A Franchise

DarkSide, the hacker group behind the recent Colonial Pipeline ransomware attack, has a business model that’s more familiar than people think, according to New York Times correspondent Andrew Kramer, “It operates something like a franchise, where individual hackers can come and receive the ransomware software and use it, as well as, use DarkSide’s reputation, as it were, to extract money from their targets, mostly in the United States,” Kramer said in an interview that aired Wednesday night.

https://www.cnbc.com/2021/06/02/hacker-group-darksides-operates-in-a-similar-way-to-a-franchise-new-york-times-reporter-says.html?__source=sharebar|twitter&par=sharebar

Interpol Intercepts $83 Million Fighting Financial Cyber Crime

The Interpol (short for International Criminal Police Organisation) has intercepted $83 million belonging to victims of online financial crime from being transferred to the accounts of their attackers. Over 40 law enforcement officers specialized in fighting cyber crime across the Asia Pacific region took part in the Interpol-coordinated Operation HAECHI-I spanning more than six months. Between September 2020 and March 2021, law enforcement focused on battling five types of online financial crimes: investment fraud, romance scams, money laundering associated with illegal online gambling, online sextortion, and voice phishing.

https://www.bleepingcomputer.com/news/security/interpol-intercepts-83-million-fighting-financial-cyber-crime/

Is It Really The Wild West In Cyber Crime? Why We Need To Re-Examine Our Approach To Ransomware

Once again, cyber security has become a headline topic within and well outside technology circles, along with the little-known operator of a significant fuel pipeline: Colonial Pipeline. A ransomware attack, and ensuing panic buying of gasoline, resulted in widespread fuel shortages on the east coast, thrusting the issue of cyber security into the lives of everyday Americans. Colonial Pipeline CEO Joseph Blount later acknowledged that his company ultimately paid the cybercriminals $4.4 million to unlock company systems, generating a great deal of controversy around the simple question (and associated complex potential answers), of whether companies should pay when their systems are held hostage by ransomware.

https://www.techrepublic.com/article/is-it-really-the-wild-west-in-cybercrime-why-we-need-to-re-examine-our-approach-to-ransomware/

Threats

Ransomware

• Anti-Ransomware Biz Exagrid ‘Paid $2.6M Ransomware Demand’

• White House Contacts Russia After Hack Of World’s Largest Meatpacking Company

• This New Ransomware Is Targeting Unpatched Microsoft Exchange Servers

• Fujifilm Becomes Latest Ransomware Victim As White House Urges Business Leaders To Take Action

• Cyber Crime Forum Advertises Alleged Database, Source Code From Russian Firm That Helped Parler

• On The Taxonomy And Evolution Of Ransomware

Phishing

• Phishing Emails Remain in User Inboxes Over 3 Days ... (darkreading.com)

Other Social Engineering

• The Bizarro Streaming Site That Hackers Built From Scratch

Malware

• Malware Can Use This Trick To Bypass Ransomware Defense In Antivirus Solutions

• Exchange Servers Targeted By ‘Epsilon Red’ Malware

Mobile

IOT

• Amazon Sidewalk Poised To Sweep You Into Its Mesh

 Vulnerabilities

• XSS Vulnerability Found In Popular WYSIWYG Website Editor

• Huawei USB LTE Dongles Are Vulnerable To Privilege Escalation Attacks

• Hackers Actively Exploiting 0-Day In WordPress Plugin Installed On Over 17,000 Sites

• EPUB Vulnerabilities: Electronic Reading Systems Riddled With Browser-Like Flaws

• SonicWall Urges Customers To 'Immediately' Patch NSM On-Prem Bug

Data Breaches

• GDPR: EU Privacy Watchdog Probing The Use Of AWS And Azure Cloud Services

Supply Chain

• What Is A Supply Chain Attack?

• Microsoft Office 365 A Major Supply Chain Attack Vector

Nation State Actors

• Chinese Cyber Criminals Spent Three Years Creating A New Backdoor To Spy On Governments

• Kimsuky APT Continues To Target South Korean Government Using Appleseed Backdoor

• Russian Hacker Pavel Sitnikov Arrested For Sharing Malware Source Code

Privacy

• You Have A Week To Opt-Out Of Amazon Sidewalk, Do It Now

Other News

• “Have I Been Pwned” Breach Site Partners With… The FBI!

• 17 Cyber Insurance Application Questions You'll Need To Answer

• Cyber Criminals Go Corporate As Hacking Becomes A Business

• The Human Cost Of Understaffed SOCs

• Security Ops Teams Struggle To Switch Off At Home

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.