Threat Intelligence Blog

Contact us to discuss any insights from our Blog, and how we can support you in a tailored threat intelligence report.

Black Arrow Admin Black Arrow Admin

Black Arrow Cyber Threat Briefing 12 April 2024

Black Arrow Cyber Threat Intelligence Briefing 12 April 2024:

-UK Cyber Breaches Survey Finds Business Falling Short on Cyber, as Half Suffer Breach and Many Fail to Report

-The Cyber Attack Stopped by a Microsoft Engineer Was Scarier Than We Realise

-UK Government Urged to Get on ‘Front Foot’ with Ransomware Instead of ‘Absorbing the Punches’

-74% of Employees Falling Victim to Phishing Attacks Hit with Disciplinary Actions; Egress Reveals

-Why Are Many Businesses Turning to Third-Party Security Partners?

-60% of SMBs and 74% of Businesses with up to 500 Employees are Concerned About Cyber Security as Attacks Rise

-Cyber Attacks Cost Financial Firms $12bn Says IMF

-LastPass: Hackers Targeted Employee in Failed Deepfake CEO Call

-Most Cyber Criminal Threats are Concentrated in Just a Few Countries

-Why Incident Response is the Best Cyber Security ROI

-Ransomware Attacks are the Canaries in the Cyber Coal Mine

-Cyber Security is Crucial, but What is Risk and How do You Assess it?

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

UK Cyber Breaches Survey Finds Business Falling Short on Cyber, as Half Suffer Breach and Many Fail to Report

Half of UK businesses experienced a cyber breach last year, according to a survey by the UK Government. The figure could be much higher however, as the survey found only 34% report breaches externally.

It is said that a cyber incident is a matter of when, not if. Nonetheless, 78% of organisations lack a dedicated response plan outlining actions to be taken in the event of a cyber incident and only 11% review their immediate suppliers for risks. To improve cyber resilience, there needs to be a paradigm shift.

Sources: [Computer Weekly] [Computing] [Infosecurity Magazine] [Info Risk Today]

Cyber Attacks Cost Financial Firms $12bn Says IMF

A recent International Monetary Fund (IMF) report has highlighted significant financial losses in the financial services sector, totalling $12 billion over the last two decades due to cyber attacks, with losses accelerating post-pandemic. The number of incidents and the scale of extreme losses have sharply increased, prompting the IMF to urge enhanced cross-border cooperation to uphold the stability of the global financial system.

The report underscores the critical threat that cyber attacks pose to financial stability, particularly for banks in advanced economies which are more exposed to such risks. With major institutions like JP Morgan facing up to 45 billion cyber threats daily, the IMF emphasises the need for international collaboration to effectively manage and mitigate these risks.

Source: [Finextra]

The Cyber Attack Stopped by a Microsoft Engineer Was Scarier Than We Realise

A critical security breach was narrowly avoided when a Microsoft developer detected suspicious activity in XZ Utils, an open-source library crucial to internet infrastructure. This discovery revealed that a new developer had implanted a sophisticated backdoor in the software, potentially giving unauthorised access to millions of servers worldwide. This incident has intensified scrutiny on the vulnerabilities of open-source software, which is largely maintained by unpaid or underfunded volunteers and serves as a backbone for the internet economy. The situation has prompted discussions among government officials and cyber security experts about enhancing the protection of open-source environments. This close call, described by some as a moment of "unreasonable luck," underscores the pressing need for sustainable support and rigorous security measures in the open-source community.

Source: [Inc.com]

UK Government Urged to Get on ‘Front Foot’ with Ransomware Instead of ‘Absorbing the Punches’

Amidst a rising tide of ransomware attacks affecting wide range of UK services, officials in Westminster are being pressured to enhance funding for operations aimed at disrupting ransomware gangs. The current strategy focuses on bolstering organisational cyber security and recovery preparedness, a stance under the second pillar of the UK's National Cyber Strategy known as resilience. However, this approach has not curbed the frequency of incidents, which have steadily increased over the past five years, impacting sectors including the NHS and local governments. In contrast to the proactive disruption efforts seen in the US, the UK has yet to allocate new funds for such measures, despite successful disruptions like the recent takedown of the LockBit gang by the US National Crime Agency, which underscored the potential benefits of increased resources for cyber crime disruption.

Source: [The Record Media]

74% of Employees Falling Victim to Phishing Attacks Hit with Disciplinary Actions

The Egress 'Email Threat Landscape 2024' report reveals a surge in phishing attacks, with 94% of companies falling victim to this type of crime in this past year alone, leading to increasingly complex cyber security challenges. According to the report, 96% of these companies suffered significant repercussions, including operational disruption and data breaches, with common attack vectors being malicious URLs, and malware or ransomware attachments.

The human cost is also notable, with 74 per cent of employees involved in attacks having faced disciplinary actions, dismissals, or voluntary departures, underscoring the severity of the issue and the heightened vigilance among companies in addressing the phishing threat. Financial losses primarily stem from customer churn, which accounts for nearly half of the total impact. Amidst rising attacks through compromised third-party accounts, Egress advocates for stronger monitoring and defence strategies to protect critical data and reduce organisational and individual hardships.

Source: [The Fintech Times]

Why Are Many Businesses Turning to Third-Party Security Partners?

In 2023, 71% of organisations reported being impacted by a cyber security skills shortage, leading many to scale back their cyber security initiatives amid escalating threats. To bridge the gap, businesses are increasingly turning to third-party security partnerships, reflecting a shift towards outsourcing crucial cyber security operations to handle complex challenges more efficiently. This approach is driven by the need to fill technical and resource gaps in the face of a severe workforce shortfall, with an estimated 600,000 unfilled security positions in the US alone. Moreover, these strategic partnerships allow organisations to leverage external expertise for scalable and effective security solutions, alleviating the burden of staying updated with the rapidly evolving threat landscape.

Source: [Help Net Security]

74% of Businesses with up to 500 Employees are Concerned About Cyber Security as Attacks Rise

According to a recent poll by the US Chamber of Commerce, 60% of small businesses expressed concerns about threats, with 58% concerned about a supply chain breakdown. The highest concern came from businesses with 20-500 employees (74%). Despite such concern, only 49% had trained staff on cyber security. When it came to the impact of a cyber event, 27% of respondents say they are one disaster or threat away from shutting down their business.

Sources: [Malwcv arebytes][Marketplace] [US Chamber]

LastPass: Hackers Targeted Employee in Failed Deepfake CEO Call

LastPass recently reported a thwarted voice phishing attack targeting one of its employees using deepfake audio technology to impersonate CEO Karim Toubba. The attack, conducted via WhatsApp, was identified by the employee as suspicious due to the unusual communication channel and clear signs of social engineering, such as forced urgency. Despite the failure of this particular attempt, LastPass has shared the incident publicly to highlight the growing use of AI-generated deepfakes in executive impersonation schemes. This incident underscores a broader trend, as indicated by alerts from both the US Department of Health and Human Services and the FBI, pointing to an increase in sophisticated cyber attacks employing deepfake technology for fraud, social engineering, and potential influence operations.

Source: [Bleepingcomputer]

Most Cyber Criminal Threats are Concentrated in Just a Few Countries

Oxford researchers have developed the world's first cyber crime index to identify global hotspots of cyber criminal activity, ranking countries based on the prevalence and sophistication of cyber threats. The index reveals that a significant portion of cyber threats is concentrated in a few countries, with Russia and Ukraine positioned at the top, with the USA and the UK also ranking prominently. The results indicate that countries like China, Russia, Ukraine, the US, Romania, and Nigeria are among the top hubs for activities ranging from technical services to money laundering. This tool aims to refine the focus for cyber crime research and prevention efforts, although the study acknowledges the need for a broader and more representative sample of expert opinions to enhance the accuracy and applicability of the findings. The index underscores that while cyber crime may appear globally fluid, it has pronounced local concentrations.

Sources: [ThisisOxfordshire] [Phys Org]

Why Incident Response is the Best Cyber Security ROI

The Microsoft Incident Response Reference Guide predicts that most organisations will encounter one or more major security incidents where attackers gain administrative control over crucial IT systems and data. While complete prevention of cyber attacks may not be feasible, prompt and effective incident response is essential to mitigate damage and protect reputations. However, many organisations may not be adequately budgeting for incident response, and the recent UK Government report found that 78% of organisations do not have formalised incident response plans, risking prolonged recovery and increased costs. Cyber crime damages hit $23b in 2023, but the true costs of incidents includes non-financial damage such as reputational harm. If a cyber incident is a matter of when, not if, then a prepared incident response plan is the best cyber security ROI.

Black Arrow works with organisations of all sizes and sectors to design and prepare for managing a cyber security incident; this can include an Incident Response Plan and an educational tabletop exercise for the leadership team that highlights the proportionate controls to help the organisation prevent and mitigate an incident.

Source: [CSO Online]

Ransomware Attacks are the Canaries in the Cyber Coal Mine

A recent report has found that ransomware attacks were up 110% compared to the prior month, stating that unreported attacks were up to 6 times higher. The report found that tactics are increasingly using data extortion, with 92% of attacks utilising this method.

Sources: [Silicon Republic] [The Hill]

Cyber Security is Crucial, but What is Risk and How do You Assess it?

Cyber security is an increasingly sophisticated game of cat and mouse, where the landscape is constantly shifting. Your cyber risk is the probability of negative impacts stemming from a cyber incident, but how do you assess risk?

One thing to understand is that there are a multitude of risks: risks from phishing, risks from insiders, risks from network attacks, risks of supply chain compromise, and of course, nation states. To understand risk, an organisation must first identify the information that it needs to protect, to avoid only learning of the information asset’s existence from a successful attacker. Once all assets are identified, then organisations should conduct risk assessments to identify threats and an evaluation the potential damage that can be done.

Sources: [Security Boulevard] [International Banker]


Governance, Risk and Compliance


Threats

Ransomware, Extortion and Destructive Attacks

Ransomware Victims

Phishing & Email Based Attacks

Other Social Engineering

Artificial Intelligence

2FA/MFA

Malware

Mobile

Denial of Service/DoS/DDOS

Internet of Things – IoT

Data Breaches/Leaks

Organised Crime & Criminal Actors

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

Insider Risk and Insider Threats

Insurance

Supply Chain and Third Parties

Encryption

Linux and Open Source

Passwords, Credential Stuffing & Brute Force Attacks

Social Media

Regulations, Fines and Legislation

Models, Frameworks and Standards

Backup and Recovery

Data Protection

Careers, Working in Cyber and Information Security

Law Enforcement Action and Take Downs

Misinformation, Disinformation and Propaganda


Nation State Actors, Advanced Persistent Threats (APTs), Cyber Warfare, Cyber Espionage and Geopolitical Threats/Activity

Nation State Actors

China

Russia

Other Nation State Actors, Hacktivism, Extremism, Terrorism and Other Geopolitical Threat Intelligence


Vulnerability Management

Vulnerabilities




Other News


Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

·       Automotive

·       Construction

·       Critical National Infrastructure (CNI)

·       Defence & Space

·       Education & Academia

·       Energy & Utilities

·       Estate Agencies

·       Financial Services

·       FinTech

·       Food & Agriculture

·       Gaming & Gambling

·       Government & Public Sector (including Law Enforcement)

·       Health/Medical/Pharma

·       Hotels & Hospitality

·       Insurance

·       Legal

·       Manufacturing

·       Maritime

·       Oil, Gas & Mining

·       OT, ICS, IIoT, SCADA & Cyber-Physical Systems

·       Retail & eCommerce

·       Small and Medium Sized Businesses (SMBs)

·       Startups

·       Telecoms

·       Third Sector & Charities

·       Transport & Aviation

·       Web3


As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Read More
Black Arrow Admin Black Arrow Admin

Black Arrow Cyber Threat Briefing 30 June 2023

Black Arrow Cyber Threat Briefing 30 June 2023:

-Zurich Insurance Group Secures Data Leak After Leaving Sensitive Data Publicly Accessible

-Employees Worry Less About Cyber Security Best Practices in the Summer

-Businesses are Ignoring Third-Party Security Risks

-Fear Trumps Anger When It Comes to Data Breaches – Angry Customers Vent, But Fearful Customers Don’t Come Back

-Over 130 Organisations and Millions of Individuals Believed to Be Impacted by MOVEit Hack, it Keeps Growing

-Widespread BEC Attacks Threaten European Organisations

-Lloyd’s Syndicates Sued Over Cyber Insurance

-95% Fear Inadequate Cloud Security Detection and Response

-The Growing Use of Generative AI and the Security Risks They Pose

-The CISO’s Toolkit Must Include Political Capital Within The C-Suite

-Microsoft Warns of Widescale Credential Stealing Attacks by Russian Hackers as War Ministers Reliant on Cyber Crime

-SMBs Plagued by Exploits, Trojans and Backdoors

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

  • Zurich Insurance Group Secures Data Leak After Leaving Sensitive Data Publicly Accessible

Zurich Insurance Group is a major player in the insurance game, with over 55 million clients. They have recently just fixed a sensitive file that they had left publicly accessible. The file in question contained a range of credentials including database credentials, admin credentials, credentials for the actively exploited MOVEit software, credentials for their HR system and more. All of which could be utilised by threat actors to inflict serious damage. This was not the only vulnerability stemming from the insurance group; researchers found that Zurich were also running an outdated website, which contained a large number of vulnerabilities.

The case is alarming as Zurich Insurance Group provides cyber insurance and the instance above reinforces the need for organisations to be proactive in identifying cyber risks in their environment; it is simply not enough to rely on having insurance or meeting insurance requirements.

https://cybernews.com/zurich-insurance-data-leak/

  • Employees Worry Less About Cyber Security Best Practices in the Summer

IT teams are struggling to monitor and enforce BYOD (Bring Your Own Device) policies during summer months according to a new report. The report found that 55% of employees admitted to relying solely on their mobile devices while working remotely in the summer. 25% of all respondents claim that they aren’t concerned about ensuring network connections are secure when accessing their company’s data.

In the same report, 45% of employees in the US and UK said no specific measures to educate and remind employees on security best practices are taken during the summer, with only 24% of UK respondents receiving access to online cyber security training and guides and even less (17%) in the US. This comes as a separate report found that the number of phishing sites targeting mobile devices increased from 75% to 80% year-on-year in 2022, and this is likely to continue rising. Worryingly, it was also found that the average user is between six and ten times more likely to fall for an SMS phishing attack than email.

https://www.helpnetsecurity.com/2023/06/30/summer-byod-policies/

https://www.infosecurity-magazine.com/news/mobile-malware-and-phishing-surge/

  • Businesses are Ignoring Third-Party Security Risks

With 58% of companies managing over 100 vendors, 8% of which manage over 1,000, the need for a robust Third-Party Security Risk Management process becomes abundantly clear. Despite this, only 13% of organisations continuously monitor the security risks of their third parties. This is worrying, when considering the knock-on effects of third party breaches from the likes of Capita, SolarWinds and 3CX, and the recent MOVEit attack, impacting organisations whose only relationship with MOVEit was that their supplier used it.

https://www.helpnetsecurity.com/2023/06/30/third-party-relationships-risks/

  • Fear Trumps Anger When It Comes to Data Breaches – Angry Customers Vent, But Fearful Customers Don’t Come Back

When a person is notified of a data breach involving their personal information, if they react with a feeling of fear, as opposed to anger, they’re more likely to stop using the site. A report found that positive attitudes toward the website before the breach did not meaningfully affect whether consumers reengaged with the website after the breach, as some prior research has indicated. Instead, the emotional response of fear weighed heavily on customers and outweighed any earlier positive sentiment towards the organisation.

When a company has been breached in the past they have dealt with angry customers and negative press. To do so, companies may engage crisis managers to contain the damage, partner with identity protection services, pay fines or settlements, or try to lure back customers with free services. However, the study shows that companies need to address fearful customers differently after a data breach has occurred if they want to avoid customer loss. To do this, companies can work with their IT departments to identify customers who are no longer active after a breach and then reach out to them directly to assuage their fears.

https://theconversation.com/fear-trumps-anger-when-it-comes-to-data-breaches-angry-customers-vent-but-fearful-customers-dont-come-back-203109

  • Over 130 Organisations and Millions of Individuals Believed to be Impacted by MOVEit Hack, it Keeps Growing

The dramatic fallout continues in the mass exploitation of a critical vulnerability in a widely used file-transfer program, with at least three new victims coming to light in the past few days. They include the New York City Department of Education and energy companies Schneider Electric and Siemens Electric. These join others, including PwC, Sony and EY. If the attack has shown us one thing, it’s that any organisation can be a victim.

https://www.securityweek.com/over-130-organizations-millions-of-individuals-believed-to-be-impacted-by-moveit-hack/

https://arstechnica.com/security/2023/06/casualties-keep-growing-in-this-months-mass-exploitation-of-moveit-0-day/

  • Widespread BEC Attacks Threaten European Organisations

Based on an analysis of email attack trends between June 2022 and May 2023, total email attacks in Europe increased by 7 times and the US 5 times. For business email compromise (BEC) specifically, Europe saw an alarming 10 times the amount it had previously and the US saw a 2 times increase.

BEC continues to remain a high priority threat for many organisations and if someone already has a legitimate business email which they have compromised to use for BEC attacks on your organisation, it is very likely that your technical processes will be ineffective, leaving your people and operational processes to stop an attack. Is your organisation cyber aware? Are they undergoing regular awareness training?

This is one of many areas that Black Arrow can help improve your organisation’s security through robust employee cyber security Awareness Behaviour and Culture training.

https://www.helpnetsecurity.com/2023/06/27/bec-attacks-frequency/

  • Lloyd’s Syndicates Sued Over Cyber Insurance

The University of California (UCLA) is suing a number of insurance firms for refusing to pay out on cyber policies nearly 10 years after hackers breached data on millions of patients at its health system. The dispute is over a cyber attack from 2014 through 2015 that exposed personal information of patients at UCLA Health.

UCLA Health allege that the syndicates refused to engage in dispute resolution by asserting that the statue of limitations applying to the claims had expired. The insurers, who could not be named, are said to have refused every claim saying that UCLA Health failed to satisfy cyber security requirements under the contract terms. It’s important for organisations with cyber insurance to understand their insurance in detail and to know where they stand in the event of a cyber incident.

https://www.wsj.com/articles/university-of-california-sues-lloyds-syndicates-over-cyber-insurance-da4675f5

  • 95% Fear Inadequate Cloud Security Detection and Response

A recent report found 95% of respondents expressed concern in their organisation’s ability to detect and respond to a security event in their cloud environment. The same study also found that 50% of total respondents had reported a data breach due to unauthorised access to their cloud environment.

It is often the case that issues in the cloud come from the perception of the responsibility of the cloud environment. Organisations must realise that they share responsibility for securing their cloud environment, including its configuration. The report found that, despite the number of breaches and concerns in their organisation’s ability, more than 80% of respondents still felt their existing tooling and configuration would sufficiently cover their organisation from an attack. Organisations must ask themselves what they are doing to protect their cloud environment.

https://www.helpnetsecurity.com/2023/06/27/cloud-environment-security/

  • The Growing Use of Generative AI and the Security Risks They Pose

A recent survey by Malwarebytes revealed 81% of people are concerned about the security risks posed by ChatGPT and generative AI, and 52% of respondents are calling for a pause on ChatGPT for regulations to catch up, while 7% think it will improve internet security. A key concern about the data produced by generative AI platforms is the risk of "hallucinations" whereby machine learning models produce untruths. This becomes a serious issue for organisations if its content is heavily relied upon to make decisions, particularly those relating to threat detection and response.

Another recent report on the risks brought by Large Language Model AIs showed that the rise in opensource AI adoption is developed insecurely; this results in an increased threat with substantial security risks to organisation.

https://www.csoonline.com/article/643516/survey-reveals-mass-concern-over-generative-ai-security-risks.html

https://www.darkreading.com/operations/malwarebytes-chatgpt-survey-reveals-81-are-concerned-by-generative-ai-security-risks

https://www.darkreading.com/vulnerabilities-threats/generative-ai-projects-cybersecurity-risks-enterprises

  • The CISO’s Toolkit Must Include Political Capital Within The C-Suite

Over the past 18 months, there has been a sea change in the chief information security officer (CISO) role. Fundamentally, the CISO is responsible for the protection of an entity's information. The US Securities and Exchange Commission (SEC) has issued a proposed rule change on cyber security risk management, strategy, governance, and incident response disclosure by public companies that requires publicly traded companies to provide evidence of the board's oversight of cyber security risk. Couple this with the former CISO of Uber being found guilty on charges of "obstruction of the proceedings of the Federal Trade Commission" and it is clear that the hand at the helm must be able to navigate all types of seas in their entity's political milieu. In this regard, the CISO needs to acquire political capital. CISO’s should have the capability to talk in understandable terms and clearly demonstrate value to the other board members.

https://www.csoonline.com/article/643199/the-cisos-toolkit-must-include-political-capital-within-the-c-suite.html

  • Microsoft Warns of Widescale Credential Stealing Attacks by Russian Hackers as War Ministers Reliant on Cyber Crime

Russia's diminishing position on the world stage has limited its physical options on the ground, leaving Putin's regime increasingly reliant on cyber crime to carry out its oppositional activities against Ukraine and Europe. Microsoft has disclosed that it has detected a spike in credential-stealing attacks conducted by the Russian state-affiliated hacker group known as Midnight Blizzard.

This comes as Switzerland's Federal Intelligence Service (FIS) released its 2023 security assessment, predicting that Russia will increasingly launch cyber attacks as part of its war strategy not just in Ukraine, but against NATO member states as well.

https://www.darkreading.com/threat-intelligence/russia-reliant-on-cybercrime-as-international-pariah

https://thehackernews.com/2023/06/microsoft-warns-of-widescale-credential.html

  • SMB’s Plagued as Cyber Attackers Still Rely on Decades Old Security Weaknesses and Tactics

Despite best cyber security efforts, small and mid-sized businesses (SMBs) continue to struggle to thwart attacks and harden defences in response to remote working and other newer challenges.

This future focus can lead to a neglection of older weaknesses. Cyber attackers are typically relying on tried-and-tested tactics and old security weaknesses to target organisations, a recent Barracuda threat spotlight found. Hackers are returning to proven methods to gain remote control of systems, install malware, steal information and disrupt or disable business operations through denial-of-service attacks, Barracuda reports. The report found that between February to April 2023, the top malicious tactics found to be used were vulnerabilities from 2008.

The report highlights the fact that there are no cutoff dates for vulnerabilities and attackers will use whatever is at their disposal to try and infiltrate your organisation. This can be protected by having strong policies and controls in place alongside frequent penetration testing to ensure these vulnerabilities are being patched.

https://www.msspalert.com/cybersecurity-research/cyberattackers-still-rely-on-decades-old-security-weaknesses-tactics-barracuda-reports/

https://www.scmagazine.com/news/malware/smbs-plagued-by-exploits-trojans-and-backdoors



Threats

Ransomware, Extortion and Destructive Attacks

Ransomware Victims

Phishing & Email Based Attacks

BEC – Business Email Compromise

Other Social Engineering; Smishing, Vishing, etc

Artificial Intelligence

2FA/MFA

Malware

Mobile

Denial of Service/DoS/DDOS

Internet of Things – IoT

Data Breaches/Leaks

Organised Crime & Criminal Actors

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

Insider Risk and Insider Threats

Fraud, Scams & Financial Crime

Deepfakes

Insurance

Dark Web

Supply Chain and Third Parties

Cloud/SaaS

Identity and Access Management

Encryption

Open Source

Passwords, Credential Stuffing & Brute Force Attacks

Social Media

Travel

Cyber Bullying, Cyber Stalking and Sextortion

Regulations, Fines and Legislation

Models, Frameworks and Standards

Careers, Working in Cyber and Information Security

Law Enforcement Action and Take Downs

Privacy, Surveillance and Mass Monitoring


Nation State Actors, Advanced Persistent Threats (APTs), Cyber Warfare and Cyber Espionage

Russia

China

Iran

North Korea

Misc/Other/Unknown


Vulnerability Management

Vulnerabilities




Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

·       Automotive

·       Construction

·       Critical National Infrastructure (CNI)

·       Defence & Space

·       Education & Academia

·       Energy & Utilities

·       Estate Agencies

·       Financial Services

·       FinTech

·       Food & Agriculture

·       Gaming & Gambling

·       Government & Public Sector (including Law Enforcement)

·       Health/Medical/Pharma

·       Hotels & Hospitality

·       Insurance

·       Legal

·       Manufacturing

·       Maritime

·       Oil, Gas & Mining

·       OT, ICS, IIoT, SCADA & Cyber-Physical Systems

·       Retail & eCommerce

·       Small and Medium Sized Businesses (SMBs)

·       Startups

·       Telecoms

·       Third Sector & Charities

·       Transport & Aviation

·       Web3


As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Read More
Black Arrow Admin Black Arrow Admin

Black Arrow Cyber Threat Briefing 13 January 2023

Black Arrow Cyber Threat Briefing 13 January 2023:

-Quarter of UK SMBs Hit by Ransomware in 2022

-Global Cyber Attack Volume Surges 38% in 2022

-1 in 3 Organisations Do Not Provide Any Cyber Security Training to Remote Workers Despite the Majority of Employees Having Access to Critical Data

-AI-Generated Phishing Attacks Are Becoming More Convincing

-Customer and Employee Data the Top Prize for Hackers

-Royal Mail hit by Ransomware Attack, Causes ‘Severe Disruption’ to Services

-The Guardian Confirms Personal Information Compromised in Ransomware Attack

-Ransomware Gang Releases Info Stolen from 14 UK Schools, Including Passport Scans

-The Dark Web’s Criminal Minds See Internet of Things as Next Big Hacking Prize

-Corrupted File to Blame for Computer Glitch which Grounded Every US Flight

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

  • Quarter of UK SMBs Hit by Ransomware in 2022

Over one in four (26%) British SMBs have been targeted by ransomware over the past year, with half (47%) of those compromised paying their extorters, according to new data from anti-virus provider Avast. The security vendor polled 1000 IT decision makers from UK SMBs back in October, to better understand the risk landscape over the previous 12 months.

More than two-thirds (68%) of respondents said they are more concerned about being attacked since the start of the war in Ukraine, fuelling concerns that have led to half (50%) investing in cyber-insurance. They’re wise to do so, considering that 41% of those hit by ransomware lost data, while 34% lost access to devices, according to Avast.

Given that SMBs comprise over 99% of private sector businesses in the country, it’s reassuring that cyber is now being viewed as a major business risk. Nearly half (48%) ranked it as one of the biggest threats they currently face, versus 66% who cited financial risk stemming from surging operational cost. More respondents cited cyber as a top threat than did physical security (35%) and supply chain disruption (33%).

Avast argued that SMBs are among the groups most vulnerable to cyber-threats as they often have very limited budget and resources, and many don’t have somebody on staff managing security holistically. As a result, not only are SMB’s lacking in their defence, but they’re also slower and less able to react to incidents.

https://www.infosecurity-magazine.com/news/quarter-of-uk-smbs-hit-ransomware/

  • Global Cyber Attack Volume Surges 38% in 2022

The number of cyber attacks recorded last year was nearly two-fifths (38%) greater than the total volume observed in 2021, according to Check Point.

The security vendor claimed the increase was largely due to a surge in attacks on healthcare organisations, which saw the largest year-on-year (YoY) increase (74%), and the activities of smaller, more agile hacking groups.

Overall, attacks reached an all-time high in Q4 with an average of 1168 weekly attacks per organisation. The average weekly figures for the year were highest for education sector organisations (2314), government and military (1661) and healthcare (1463).

Threat actors appear to have capitalised on gaps in security created by the shift to remote working. The ransomware ecosystem is continuing to evolve and grow with smaller, more agile criminal groups that form to evade law enforcement. Hackers are also now increasingly widening their aim to target business collaboration tools such as Slack, Teams, OneDrive and Google Drive with phishing exploits. These make for a rich source of sensitive data given that most organisations’ employees continue to work remotely.

It is predicted that AI tools like ChatGPT would help to fuel a continued surge in attacks in 2023 by making it quicker and easier for bad actors to generate malicious code and emails.

Recorded cyber-attacks on US organisations grew 57% YoY in 2022, while the figure was even higher in the UK (77%). This chimes with data from UK ISP Beaming, which found that 2022 was the busiest year on record for attacks. It recorded 687,489 attempts to breach UK businesses in 2022 – the equivalent of one attack every 46 seconds.

https://www.infosecurity-magazine.com/news/global-cyberattack-volume-surges/

  • 1 in 3 Organisations Do Not Provide Any Cyber Security Training to Remote Workers Despite the Majority of Employees Having Access to Critical Data

New research from cyber security provider Hornetsecurity has found that 33% of companies are not providing any cyber security awareness training to users who work remotely.

The study also revealed nearly three-quarters (74%) of remote staff have access to critical data, which is creating more risk for companies in the new hybrid working world.

Despite the current lack of training and employees feeling ill-equipped, almost half (44%) of respondents said their organisation plans to increase the percentage of employees that work remotely. The popularity of hybrid work, and the associated risks, means that companies must prioritise training and education to make remote working safe.

Traditional methods of controlling and securing company data aren't as effective when employees are working in remote locations and greater responsibility falls on the individual. Companies must acknowledge the unique risks associated with remote work and activate relevant security management systems, as well as empower employees to deal with a certain level of risk.

The independent survey, which quizzed 925 IT professionals from a range of business types and sizes globally, highlighted the security management challenges and employee cyber security risk when working remotely. The research revealed two core problems causing risk: employees having access to critical data, and not enough training being provided on how to manage cyber security or how to reduce the risk of a cyber-attack or breach.

https://www.darkreading.com/vulnerabilities-threats/1-in-3-organizations-do-not-provide-any-cybersecurity-training-to-remote-workers-despite-a-majority-of-employees-having-access-to-critical-data

  • AI-Generated Phishing Attacks Are Becoming More Convincing

It's time for you and your colleagues to become more sceptical about what you read.

That's a takeaway from a series of experiments undertaken using GPT-3 AI text-generating interfaces to create malicious messages designed to spear-phish, scam, harass, and spread fake news.

Experts at WithSecure have described their investigations into just how easy it is to automate the creation of credible yet malicious content at incredible speed. Amongst the use cases explored by the research were the use of GPT-3 models to create:

  • Phishing content – emails or messages designed to trick a user into opening a malicious attachment or visiting a malicious link

  • Social opposition – social media messages designed to troll and harass individuals or to cause brand damage

  • Social validation – social media messages designed to advertise or sell, or to legitimise a scam

  • Fake news – research into how well GPT-3 can generate convincing fake news articles of events that weren’t part of its training set

All of these could, of course, be useful to cyber criminals hell-bent on scamming the unwary or spreading unrest.

https://www.tripwire.com/state-of-security/ai-generated-phishing-attacks-are-becoming-more-convincing

  • Customer and Employee Data the Top Prize for Hackers

The theft of customer and employee data accounts for almost half (45%) of all stolen data between July 2021 and June 2022, according to a new report from cyber security solution provider Imperva.

The data is part of a 12-month analysis by Imperva Threat Research on the trends and threats related to data security in its report “More Lessons Learned from Analysing 100 Data Breaches”.

Their analysis found that theft of credit card information and password details dropped by 64% compared to 2021. The decline in stolen credit card and password data pointing to the uptake of basic security tactics like multi-factor authentication (MFA). However, in the long term, PII data is the most valuable data to cyber-criminals. With enough stolen PII, they can engage in full-on identity theft which is hugely profitable and very difficult to prevent. Credit cards and passwords can be changed the second there is a breach, but when PII is stolen, it can be years before it is weaponised by hackers.

The research also revealed the root causes of data breaches, with social engineering (17%) and unsecured databases (15%) two of the biggest culprits. Misconfigured applications were only responsible for 2% of data breaches, but Imperva said that businesses should expect this figure to rise in the near future, particularly with cloud-managed infrastructure where configuring for security requires significant expertise.

It’s really concerning that a third (32%) of data breaches are down to unsecured databases and social engineering attacks, since they’re both straightforward to mitigate. A publicly open database dramatically increases the risk of a breach and, all too often, they are left like this not out of a failure of security practices but rather the total absence of any security posture at all.

https://www.infosecurity-magazine.com/news/customer-employee-data-hackers/

  • Royal Mail hit by Ransomware Attack, Causes ‘Severe Disruption’ to Services

Royal Mail experienced “severe service disruption” to its international export services following a ransomware attack, the company has announced. A statement said it was temporarily unable to despatch export items including letters and parcels to overseas destinations.

Royal Mail said: “We have asked customers temporarily to stop submitting any export items into the network while we work hard to resolve the issue” and advising that “Some customers may experience delay or disruption to items already shipped for export.”

The attack was later attributed to LockBit, a prolific ransomware gang with close ties to Russia. Both the NCSC and the NCA were involved in responding to the incident.

https://www.independent.co.uk/business/royal-mail-cyber-attack-exports-b2260308.html

  • The Guardian Confirms Personal Information Compromised in Ransomware Attack

British news organisation The Guardian has confirmed that personal information was compromised in a ransomware attack in December 2022.

The company fell victim to the attack just days before Christmas, when it instructed staff to work from home, announcing network disruptions that mostly impacted the print newspaper.

Right from the start, the Guardian said it suspected ransomware to have been involved in the incident, and this week the company confirmed that this was indeed the case. In an email to staff on Wednesday, The Guardian Media Group’s chief executive and the Guardian’s editor-in-chief said that the sophisticated cyber attack was likely the result of phishing.

They also announced that the personal information of UK staff members was compromised in the attack, but said that reader data and the information of US and Australia staff was not impacted. “We have seen no evidence that any data has been exposed online thus far and we continue to monitor this very closely,” the Guardian representatives said. While the attack forced the Guardian staff to work from home, online publishing has been unaffected, and production of daily newspapers has continued as well.

“We believe this was a criminal ransomware attack, and not the specific targeting of the Guardian as a media organisation,” the Guardian said.

The company continues to work on recovery and estimates that critical systems would be restored in the next two weeks. Staff, however, will continue to work from home until at least early February. “These attacks have become more frequent and sophisticated in the past three years, against organisations of all sizes, and kinds, in all countries,” the Guardian said.

https://www.securityweek.com/guardian-confirms-personal-information-compromised-ransomware-attack

  • Ransomware Gang Releases Info Stolen from 14 UK Schools, Including Passport Scans

Another month, another release of personal information stolen from a school system. This time, it's a group of 14 schools in the United Kingdom.

Once again, the perpetrator appears to be Vice Society, which is well known for targeting educational systems in the US. As the Cybersecurity and Infrastructure Security Agency (CISA) pointed out in a bulletin from Sept. 6, "K-12 institutions may be seen as particularly lucrative targets due to the amount of sensitive student data accessible through school systems or their managed service providers."

The UK hack may have turned up even more confidential information than the Los Angeles school system breach last year. As the BBC reported on Jan. 6, "One folder marked 'passports' contains passport scans for pupils and parents on school trips going back to 2011, whereas another marked 'contract' contains contractual offers made to staff alongside teaching documents on muscle contractions."

Some prominent school cyber attacks in the US include public school districts in Chicago, Baltimore, and Los Angeles. A new study from digital learning platform Clever claims that one in four schools experienced a cyber-incident over the past year, and according to a new report from security software vendor Emsisoft, at least 45 school districts and 44 higher learning institutions suffered ransomware attacks in 2022.

Schools are an attractive target as they are typically data-rich and resource-poor. Without proper resources in terms of dedicated staffing and the necessary tools and training to protect against cyber-attacks, schools can be a soft target. Many of the 14 schools hit by this latest leak are colleges and universities, but primary and secondary schools were also hit, according to the BBC's list.

https://www.darkreading.com/attacks-breaches/vice-society-releases-info-stolen-uk-schools-passport-scans

  • The Dark Web’s Criminal Minds See Internet of Things as Next Big Hacking Prize

Cyber security experts say 2022 may have marked an inflection point due to the rapid proliferation of IoT (Internet of Things) devices.

Criminal groups buy and sell services, and one hot idea — a business model for a crime — can take off quickly when they realise that it works to do damage or to get people to pay. Attacks are evolving from those that shut down computers or stole data, to include those that could more directly wreak havoc on everyday life. IoT devices can be the entry points for attacks on parts of countries’ critical infrastructure, like electrical grids or pipelines, or they can be the specific targets of criminals, as in the case of cars or medical devices that contain software.

For the past decade, manufacturers, software companies and consumers have been rushing to the promise of Internet of Things devices. Now there are an estimated 17 billion in the world, from printers to garage door openers, each one packed with software (some of it open-source software) that can be easily hacked.

What many experts are anticipating is the day enterprising criminals or hackers affiliated with a nation-state figure out an easy-to-replicate scheme using IoT devices at scale. A group of criminals, perhaps connected to a foreign government, could figure out how to take control of many things at once – like cars, or medical devices. There have already been large-scale attacks using IoT, in the form of IoT botnets. In that case, actors leveraging unpatched vulnerabilities in IoT devices used control of those devices to carry out denial of service attacks against many targets. Those vulnerabilities are found regularly in ubiquitous products that are rarely updated.

In other words, the possibility already exists. It’s only a question of when a criminal or a nation decides to act in a way that targets the physical world at a large scale. There are a handful of companies, new regulatory approaches, a growing focus on cars as a particularly important area, and a new movement within the software engineering world to do a better job of incorporating cyber security from the beginning.

https://www.cnbc.com/2023/01/09/the-dark-webs-criminal-minds-see-iot-as-the-next-big-hacking-prize.html

  • Corrupted File to Blame for Computer Glitch which Grounded Every US Flight

A corrupted file has been blamed for a glitch on the Federal Aviation Administration's computer system which saw every flight grounded across the US.

All outbound flights were grounded until around 9am Eastern Time (2pm GMT) on Wednesday as the FAA worked to restore its Notice to Air Missions (NOTAM) system, which alerts pilots of potential hazards along a flight route.

On Wednesday 4,948 flights within, into or out of the US had been delayed, according to flight tracker FlightAware.com, while 868 had been cancelled. Most delays were concentrated along the East Coast. Normal air traffic operations resumed gradually across the US following the outage to the NOTAM system that provides safety information to flight crews.

A corrupted file affected both the primary and the backup systems, a senior government official told NBC News on Wednesday night, adding that officials continue to investigate. Whilst Government officials said there was no evidence of a cyber attack, it shows the real world impacts that an outage or corrupted file can cause.

https://news.sky.com/story/all-flights-across-us-grounded-due-to-faa-computer-system-glitch-us-media-12784252


Threats

Ransomware, Extortion and Destructive Attacks

Phishing & Email Based Attacks

Malware

Mobile

Denial of Service/DoS/DDOS

Internet of Things – IoT

Data Breaches/Leaks

Organised Crime & Criminal Actors

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

Fraud, Scams & Financial Crime

Insurance

Dark Web

Software Supply Chain

Cloud/SaaS

Attack Surface Management

Identity and Access Management

Encryption

Passwords, Credential Stuffing & Brute Force Attacks

Social Media

Training, Education and Awareness

Regulations, Fines and Legislation

Governance, Risk and Compliance

Careers, Working in Cyber and Information Security

Law Enforcement Action and Take Downs

Privacy, Surveillance and Mass Monitoring

Artificial Intelligence

Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine


Nation State Actors

Nation State Actors – Russia

Nation State Actors – China

Nation State Actors – Iran

Nation State Actors – Misc


Vulnerability Management

Applications Five Years or Older Likely to have Security Flaws - Infosecurity Magazine (infosecurity-magazine.com)

Patch Where it Hurts: Effective Vulnerability Management in 2023 (thehackernews.com)

70% of apps contain at least one security flaw after 5 years in production - Help Net Security

Rackspace Ransomware Incident Highlights Risks of Relying on Mitigation Alone (darkreading.com)

Does a hybrid model for vulnerability management make sense? • Graham Cluley

Vulnerabilities




Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

·       Automotive

·       Construction

·       Critical National Infrastructure (CNI)

·       Defence & Space

·       Education & Academia

·       Energy & Utilities

·       Estate Agencies

·       Financial Services

·       FinTech

·       Food & Agriculture

·       Gaming & Gambling

·       Government & Public Sector (including Law Enforcement)

·       Health/Medical/Pharma

·       Hotels & Hospitality

·       Insurance

·       Legal

·       Manufacturing

·       Maritime

·       Oil, Gas & Mining

·       OT, ICS, IIoT, SCADA & Cyber-Physical Systems

·       Retail & eCommerce

·       Small and Medium Sized Businesses (SMBs)

·       Startups

·       Telecoms

·       Third Sector & Charities

·       Transport & Aviation

·       Web3


As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Read More
Black Arrow Admin Black Arrow Admin

Black Arrow Cyber Threat Briefing 21 October 2022

Black Arrow Cyber Threat Briefing 21 October 2022:

-Gen Z, Millennials Really Doesn't Care About Workplace Cyber Security

-Supply Chain Attacks Increased Over 600% This Year and Companies Are Falling Behind

-Cyber-Enabled Crimes Are Biggest Police Concerns

-List of Common Passwords Accounts for Nearly All Cyber Attacks

-Shared Responsibility or Shared Fate? Decentralized IT Means We Are All Cyber Defenders

-Ukraine War Cuts Ransomware as Kremlin Co-Opts Hackers

-96% Of Companies Report Insufficient Security for Sensitive Cloud Data

-Your Microsoft Exchange Server Is a Security Liability

-Are Cyber Security Vendors Pushing Snake Oil?

-Ransomware Preparedness, What Are You Doing Wrong?

-NSA Cybersecurity Director's Six Takeaways from the War in Ukraine

-Microsoft Confirms Server Misconfiguration Led to 65,000+ Companies' Data Leak

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

  • Gen Z, Millennials Really Don’t Care About Workplace Cyber Security

When it comes to cyber security in the workplace, younger employees don’t really seem to care that much, which is putting their organisations in serious harm’s way, new research has claimed.

Surveying approximately 1,000 workers using devices issued by their employers, professional services firm EY found Gen Z enterprise employees were more apathetic about cyber security than their Boomer counterparts in adhering to their employer's safety policies.

This is despite the fact that four in five (83%) of all those surveyed claimed to understand their employer’s security protocol.

When it comes to implementing mandatory IT updates, for example, 58% of Gen Z’ers and 42% of millennials would disregard them for as long as possible. Less than a third (31%) of Gen X’ers, and just 15% of baby boomers said they do the same.

Apathy in the young extends to password reuse between private and business accounts. A third of Gen Z and millennial workers surveyed admitted to this, compared to less than a quarter of all Gen X’ers and baby boomers.

Some say the apathy of young people towards technology is down to their over-familiarity with technology, and never having been without it. Being too comfortable with tech undoubtedly makes an enterprise's younger employees a major target for cyber criminals looking to exploit any hole in security. 

If an organisation's cyber security practices aren't upheld strongly, threat actors can compromise huge networks with simple social engineering attacks.

https://www.techradar.com/news/younger-workers-dont-care-about-workplace-cybersecurity

  • Supply Chain Attacks Increased Over 600% This Year and Companies Are Falling Behind

The number of documented supply chain attacks involving malicious third-party components has increased 633% over the past year, now sitting at over 88,000 known instances, according to a new report from software supply chain management company Sonatype. Meanwhile, instances of transitive vulnerabilities that software components inherit from their own dependencies have also reached unprecedented levels and plague two-thirds of open-source libraries.

“The networked nature of dependencies highlights the importance of having visibility and awareness about these complex supply chains” Sonatype said in its newly released State of the Software Supply Chain report. “These dependencies impact our software, so having an understanding of their origins is critical to vulnerability response. Many organisations did not have the needed visibility and continued their incident response procedures for Log4Shell well beyond the summer of 2022 as a result.”

Log4Shell is a critical vulnerability discovered in November 2021 in Log4j, a widely popular open-source Java library used for logging and bundled in millions of enterprise applications and software products, often as an indirect dependency. According to Sonatype’s monitoring, as of August 2022, the adoption rate for fixed versions of Log4j sits at around 65%. Moreover, this doesn’t even account for the fact that the Log4Shell vulnerability originated in a Java class called JndiManager that is part of Log4j-core, but which has also been borrowed by 783 other projects and is now found in over 19,000 software components.

Log4Shell served as a watershed moment, highlighting the inherent risks that exist in the open-source software ecosystem – which sits at the core of modern software development – and the need to manage them properly. It also led to several initiatives to secure the software supply chain by private organisations, software repository managers, the Linux Foundation, and government bodies. Yet, most organisations are far from where they need to be in terms of open-source supply chain management.

https://www.csoonline.com/article/3677228/supply-chain-attacks-increased-over-600-this-year-and-companies-are-falling-behind.html#tk.rss_news

  • Cyber-Enabled Crimes Are Biggest Police Concerns

Cyber-related crimes such as money laundering, ransomware and phishing pose the biggest threat to society, according to the first ever Interpol Global Crime Trend report.

The inaugural study was compiled from data received from the policing organisation’s 195 member countries, as well as information and analysis from external sources.

Money laundering was ranked the number one threat, with 67% of respondents claiming it to be a “high” or “very high” risk. Ransomware came second (66%) but was the crime type that most (72%) expected to increase in the next 3–5 years.

Of the nine top crime trends identified in the report, six are directly cyber-enabled, including money laundering, ransomware, phishing, financial fraud, computer intrusion and child sexual exploitation.

Interpol warned that the pandemic had fomented new underground offerings like “financial crime-as-a-service,” including digital money laundering tools which help to lower the barrier to entry for criminal gangs. It also claimed that demand for online child sexual exploitation and abuse (OCSEA) content surged during the pandemic. Some 62% of respondents expect it to increase or significantly increase in the coming years.

The findings represent something of a turnaround from pre-pandemic times, when drug trafficking regularly topped the list of police concerns. Thanks to a surge in corporate digitalisation, home working and online shopping, there are now rich pickings to be had from targeting consumers and business users with cyber-scams and attacks, Interpol claimed.

https://www.infosecurity-magazine.com/news/cyberenabled-crimes-are-biggest/

  • List of Common Passwords Accounts for Nearly All Cyber Attacks

Half of a million passwords from the RockYou2021 list account for 99.997% of all credential attacks against a variety of honeypots, suggesting attackers are just taking the easy road.

Tens of millions of credential-based attacks targeting two common types of servers boiled down to a small fraction of the passwords that formed a list of leaked credentials, known as the RockYou2021 list.

Vulnerability management firm Rapid7, via its network of honeypots, recorded every attempt to compromise those servers over a 12-month period, finding that the attempted credential attacks resulted in 512,000 permutations. Almost all of those passwords (99.997%) are included in a common password list — the RockYou2021 file, which has 8.4 billion entries — suggesting that attackers, or the subset of threat actors attacking Rapid7's honeypots, are sticking to a common playbook.

The overlap in all the attacks also suggest attackers are taking the easy road, said Rapid7. "We know now, in a provable and demonstrable way, that nobody — 0% of attackers — is trying to be creative when it comes to unfocused, untargeted attacks across the Internet," they said. "Therefore, it's very easy to avoid this kind of opportunistic attack, and it takes very little effort to take this threat off the table entirely, with modern password managers and configuration controls."

Every year, security firms present research suggesting users are continuing to pick bad passwords. In 2019, an evaluation of passwords leaked to the Internet found that the top password was "123456," followed by "123456789" and "qwerty," and unfortunately things have not got much better since then.

https://www.darkreading.com/endpoint/a-common-password-list-accounts-for-nearly-all-cyberattacks

  • Shared Responsibility or Shared Fate? Decentralised IT Means We Are All Cyber Defenders

Does your organisation truly understand the shared responsibility model? Shared responsibility emerged from the early days of cloud computing as a way to delineate responsibilities between cloud providers and their customers, but often there's a gap between what shared responsibility means and how it is interpreted. With the decentralisation of IT, this gap is getting worse.

Applications, servers, and overall technology used to be under the purview and control of the IT department, yet with the shift to cloud, and specifically software-as-a-service (SaaS), this dynamic has changed. Whether it's the sales team bringing in a customer relationship management (CRM) system like Salesforce, or the HR department operating a human resources information system (HRIS) like Workday, there's a clear "expanding universe" of IT that no longer sits where it used to. Critical business workflows exist in separate business units far from IT and security and are managed as such. Our corporate IT footprints have become decentralised.

This is not some minor, temporary trend. With the ease and speed of adopting new SaaS applications and the desire to "lift and shift" code into cloud-based environments, this is the future. The future is decentralised.

The shift to business-owned and -operated applications puts security teams in a position where risk management is their responsibility; they are not even able to log into some of these critical systems. It's like asking your doctor to keep you healthy but not giving her access to your information or having regular check-ups. It doesn't work that way.

Beyond the challenging human skills gap, there's technical entropy and diversity everywhere, with different configuration settings, event logs, threat vectors, and data sensitivities. On the access side, there are different admins, users, integrations, and APIs. If you think managing security on Windows and Mac is a lot, try it across many huge applications.

With this reality, how can the security team be expected to combat a growing amount of decentralised business technology risk?

We must operate our technology with the understanding that shared responsibility is the vertical view between cloud provider and customer, but that enterprise-owned piece of shared responsibility is the burden of multiple teams horizontally across an organisation. Too often the mentality is us versus them, availability versus security, too busy to care about risk, too concerned with risk to understand "the business."

https://www.darkreading.com/vulnerabilities-threats/shared-responsibility-or-shared-fate-decentralized-it-means-we-are-all-cyber-defenders

  • Ukraine War Cuts Ransomware as Kremlin Co-Opts Hackers

The Ukraine war has helped reduce global ransomware attacks by 10pc in the last few months, a British cyber security company has said.

Criminal hacking gangs, usually engaged in corporate ransomware activities, are increasingly being co-opted by the Russian military to launch cyber attacks on Ukraine, according to Digital Shadows. “The war is likely to continue to motivate ransomware actors to target government and critical infrastructure entities,” according to the firm. Such attacks partly contributed to a 10pc drop in the number of ransomware threats launched during the three months to September, said the London-based company.

The drop in ransomware may also partly be caused by tit-for-tat digital attacks between rival hacking gangs. Researchers said the Lockbit gang, who recently targeted LSE-listed car retailer Pendragon with a $60m (£53.85m) ransom demand, were the target of attacks from their underworld rivals. The group is increasingly inviting resentment from competing threat groups and possibly former members.

Some cyber criminals’ servers went offline in September after what appeared to be an attack from competitors. In the world of cyber criminality, it is not uncommon for tensions to flare among rival groups.

Officials from GCHQ’s National Cyber Security Centre have said ransomware is one of the biggest cyber threats facing the UK. Figures published by the Department for Digital, Culture, Media and Sport this year revealed the average costs to businesses caused by ransomware attacks is around £19,000 per incident.

US-based cyber security company Palo Alto Networks, however, warned that the average ransom payment it saw in the early part of this year was $925,000 (£829,000).

https://www.telegraph.co.uk/business/2022/10/23/ukraine-war-cuts-ransomware-kremlin-co-opts-hackers/

  • 96% Of Companies Report Insufficient Security for Sensitive Cloud Data

The vast majority of organisations lack confidence in securing their data in cloud, while many companies acknowledge they lack sufficient security even for their most sensitive data, according to a new report by the Cloud Security Alliance (CSA).

The CSA report surveyed 1,663 IT and security professionals from organisations of various sizes and in various locations. "Only 4% report sufficient security for 100% of their data in the cloud. This means that 96% of organisations have insufficient security for at least some of their sensitive data," according to the report, which was sponsored by data intelligence firm BigID.

Apart from struggling with securing sensitive data, organisations are also having trouble tracking data in the cloud. Over a quarter of organisations polled aren’t tracking regulated data, nearly a third aren’t tracking confidential or internal data, and 45% aren’t tracking unclassified data, the report said.

“This suggests that organisations’ current methods of classifying data aren’t sufficient for their needs. However, if the tracking is this low, it could be a contributing factor to the issue of dark data. Organisations need to utilise data discovery and classification tools to properly understand the data they have and how to protect it,” the CSA study noted.

https://www.csoonline.com/article/3677491/96-of-companies-report-insufficient-security-for-sensitive-cloud-data.html#tk.rss_news

  • Your Microsoft Exchange Server Is a Security Liability

With endless vulnerabilities, widespread hacking campaigns, slow and technically tough patching, it's time to say goodbye to on-premise Exchange.

Once, reasonable people who cared about security, privacy, and reliability ran their own email servers. Today, the vast majority host their personal email in the cloud, handing off that substantial burden to the capable security and engineering teams at companies like Google and Microsoft. Now, cyber security experts argue that a similar switch is due - or long overdue - for corporate and government networks. For enterprises that use on-premise Microsoft Exchange, still running their own email machine somewhere in a closet or data centre, the time has come to move to a cloud service, if only to avoid the years-long plague of bugs in Exchange servers that has made it nearly impossible to keep determined hackers out.

The latest reminder of that struggle arrived earlier this week, when Taiwanese security researcher Orange Tsai published a blog post laying out the details of a security vulnerability in Microsoft Exchange. Tsai warned Microsoft about this vulnerability as early as June of 2021, and while the company responded by releasing some partial fixes, it took Microsoft 14 months to fully resolve the underlying security problem. Tsai had earlier reported a related vulnerability in Exchange that was massively exploited by a group of Chinese state-sponsored hackers known as Hafnium, which last year penetrated more than 30,000 targets by some counts. Yet according to the timeline described in Tsai’s post this week, Microsoft repeatedly delayed fixing the newer variation of that same vulnerability, assuring Tsai no fewer than four times that it would patch the bug before pushing off a full patch for months longer. When Microsoft finally released a fix, Tsai wrote, it still required manual activation and lacked any documentation for four more months.

Meanwhile, another pair of actively exploited vulnerabilities in Exchange that were revealed last month still remain unpatched after researchers showed that Microsoft’s initial attempts to fix the flaws had failed. Those vulnerabilities were just the latest in a years-long pattern of security bugs in Exchange’s code. And even when Microsoft does release Exchange patches, they’re often not widely implemented, due to the time-consuming technical process of installing them.

The result of those compounding problems, for many who have watched the hacker-induced headaches of running an Exchange server pile up, is a clear message: An Exchange server is itself a security vulnerability, and the fix is to get rid of it.

“You need to move off of on-premise Exchange forever. That’s the bottom line,” says Dustin Childs, the head of threat awareness at security firm Trend Micro’s Zero Day Initiative (ZDI), which pays researchers for finding and reporting vulnerabilities in commonly used software and runs the Pwn2Own hacking competition. “You’re not getting the support, as far as security fixes, that you would expect from a really mission-critical component of your infrastructure.”

https://www.wired.com/story/microsoft-exchange-server-vulnerabilities/

  • Are Cyber Security Vendors Pushing Snake Oil?

Survey: 96 percent of cyber security decision makers confused by vendor marketing.

The availability of new security products increases, the amount of budget spent on cyber security grows, and the number of security breaches seems to outpace both. This basic lack of correlation between increasing cyber security spend and any clear increase in cyber security effectiveness is the subject of a new analytical survey from Egress.

With 52 million data breaches in Q2 2022 alone (Statista), Egress questioned 800 cyber security and IT leaders on why vendor claims and reality aren’t aligned. The headline response in the survey is that 91% of decision makers have difficulty in selecting cyber security vendors due to unclear marketing about their specific offerings.

The financial investment cycle doesn’t help in this. For many investors, the strength of the management team is more important than the product. The argument is not whether this product is a cyber security silver bullet, but whether this management can take the company to a point where it can exit with serious profits.

If investment is achieved, much of it will go into marketing. That marketing must compete against existing, established vendors – so it tends to be louder, more aggressive, and replete with hyperbole. Marketing noise can lead to increased valuation, which can lead to a successful and profitable exit by the investors.

Of course, this is an oversimplification and doesn’t always happen. The point, however, is that it does happen and has no relevance to the real effectiveness of the product in question. Without any doubt, there are many products that have been over-hyped by marketing funds provided by profit-driven investors.

https://www.securityweek.com/are-cybersecurity-vendors-pushing-snake-oil

  • Ransomware Preparedness: What Are You Doing Wrong?

Axio released its 2022 State of Ransomware Preparedness research report, revealing that although notable improvements have been made since Axio’s 2021 report, organisational ransomware preparedness continues to be insufficient to keep pace with new attack vectors.

The report reveals that the lack of fundamental cyber security practices and controls, including critical vulnerability patching and employee cyber security training, continues to undermine organisational attempts to improve ransomware defences.

“Ransomware continues to wreak havoc on global organisations, regardless of size or industry,” remarked the report’s co-author David White, President of Axio. “As the number of attacks will most likely continue on an exponential trajectory, it’s more important than ever for companies to re-evaluate their cyber security practices and make the needed improvements to help combat these attacks.”

The report identifies several emerging patterns that yield insights into why organisations are increasingly susceptible to ransomware attacks. In 2021, seven key areas where organisations were deficient in implementing and sustaining basic cyber security practices were identified, and these patterns dominated the 2022 study results as well:

  • Managing privileged access

  • Improving basic cyber hygiene

  • Reducing exposure to supply chain and third-party risk

  • Monitoring and defending networks

  • Managing ransomware incidents

  • Identifying and addressing vulnerabilities in a timely manner

  • Improving cyber security training and awareness

Overall, most organisations surveyed are not adequately prepared to manage the risk associated with a ransomware attack. Key data findings include:

  • The number of organisations with a functional privileged access management solution in place increased by 10% but remains low at 33% overall.

  • Limitations on the use of service and local administrator accounts remain average overall, with nearly 50% of organisations reporting implementing these practices.

  • Approximately 40% of organisations monitor third-party network access, evaluate third-party cyber security posture, and limit the use of third-party software.

  • Less than 50% of respondents implement basic network segmentation and only 40% monitor for anomalous connections.

  • Critical vulnerability patching within 24 hours was reported by only 24% of organisations.

  • A ransomware-specific playbook for incident management is in place for only 30% of organisations.

  • Active phishing training has improved but is still not practiced by 40% of organisations.

https://www.helpnetsecurity.com/2022/10/20/insufficient-ransomware-preparedness/

  • NSA Cybersecurity Director's Six Takeaways from the War in Ukraine

From the warning banner ‘Be afraid and expect the worst’ that was shown on several Ukrainian government websites on January 13, 2022, after a cyber-attack took them down, the US National Security Agency’s (NSA) cybersecurity director, Rob Joyce, knew that something was going to be different, and very aggressive, between Ukraine and Russia, and that it would be happening in the cyber space as well.

Ten months on, he was invited to speak at one of Mandiant Worldwide Information Security Exchange's (mWISE) opening keynotes on October 18, 2022. Joyce shared six takeaways from the Russia-Ukraine cyber-conflict in terms of what we learned from it and its impact on how nations should protect their organisations.

  1. Both espionage and destructive attacks will occur in conflict

  2. The cyber security industry has unique insight into these conflicts

  3. Sensitive intelligence can make a decisive difference

  4. You can develop resiliency skills

  5. Don’t try to go it alone

  6. You have not planned enough yet for the contingencies

Toward the end of the keynote, Joyce suggested the audience simulate a scenario based on what happened in Ukraine with the China-Taiwan conflict escalating and see what they should put in place to better prepare for such an event.

https://www.infosecurity-magazine.com/news/nsa-6-takeaways-war-ukraine/

  • Microsoft Confirms Server Misconfiguration Led to 65,000+ Companies' Data Leak

Microsoft this week confirmed that it inadvertently exposed information related to thousands of customers following a security lapse that left an endpoint publicly accessible over the internet sans any authentication.

"This misconfiguration resulted in the potential for unauthenticated access to some business transaction data corresponding to interactions between Microsoft and prospective customers, such as the planning or potential implementation and provisioning of Microsoft services," Microsoft said in an alert.

Microsoft also emphasised that the B2B leak was "caused by an unintentional misconfiguration on an endpoint that is not in use across the Microsoft ecosystem and was not the result of a security vulnerability."

The misconfiguration of the Azure Blob Storage was spotted on September 24, 2022, by cyber security company SOCRadar, which termed the leak BlueBleed. Microsoft said it's in the process of directly notifying impacted customers.

The Windows maker did not reveal the scale of the data leak, but according to SOCRadar, it affects more than 65,000 entities in 111 countries. The exposure amounts to 2.4 terabytes of data that consists of invoices, product orders, signed customer documents, partner ecosystem details, among others.

https://thehackernews.com/2022/10/microsoft-confirms-server.html


Threats

Ransomware and Extortion

Phishing & Email Based Attacks

Other Social Engineering; Smishing, Vishing, etc

Malware

Mobile

Internet of Things – IoT

Data Breaches/Leaks

Organised Crime & Criminal Actors

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

Fraud, Scams & Financial Crime

Deepfakes

Insurance

Supply Chain and Third Parties

Software Supply Chain

Denial of Service DoS/DDoS

Cloud/SaaS

Attack Surface Management

Identity and Access Management

Encryption

API

Open Source

Passwords, Credential Stuffing & Brute Force Attacks

Training, Education and Awareness

Privacy, Surveillance and Mass Monitoring

Regulations, Fines and Legislation

Law Enforcement Action and Take Downs

Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine




Vulnerabilities




Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

·       Automotive

·       Construction

·       Critical National Infrastructure (CNI)

·       Defence & Space

·       Education & Academia

·       Energy & Utilities

·       Estate Agencies

·       Financial Services

·       FinTech

·       Food & Agriculture

·       Gaming & Gambling

·       Government & Public Sector (including Law Enforcement)

·       Health/Medical/Pharma

·       Hotels & Hospitality

·       Insurance

·       Legal

·       Manufacturing

·       Maritime

·       Oil, Gas & Mining

·       OT, ICS, IIoT, SCADA & Cyber-Physical Systems

·       Retail & eCommerce

·       Small and Medium Sized Businesses (SMBs)

·       Startups

·       Telecoms

·       Third Sector & Charities

·       Transport & Aviation

·       Web3


As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Read More