Threat Intelligence Blog
Contact us to discuss any insights from our Blog, and how we can support you in a tailored threat intelligence report.
Black Arrow Cyber Threat Briefing 09 December 2022
Black Arrow Cyber Threat Briefing 09 December 2022:
-Economic Uncertainty Will Greatly Impact the Spread of Cyber Crime
-Cyber Security Resilience Emerges as Top Priority as 62% of Companies Say Security Incidents Impacted Business Operations
-Cyber Security Should Focus on Managing Risk
-Fear of Cyber Attacks Drives SMBs to Spend More on Software
-Business Email Compromise (BEC) Fraud Attacks Expand Beyond Email and Toward Mobile Devices
-Ransomware Professionalisation Grows as Ransomware-as-a-Service (RaaS) Takes Hold
-Automated Dark Web Markets Sell Corporate Email Accounts For $2
-Cloud Hosting Provider Rackspace Warns of Phishing Risks Following Ransomware Attack
-Security Concerns Scupper Deals for Two-Thirds of Firms
-Microsoft Encourages 'Strong Cyber Hygiene' in Light of Increasing Russian Cyber Attacks
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
Economic Uncertainty Will Greatly Impact the Spread of Cyber Crime
Norton released its top cyber trends to watch in 2023, emphasising that the economy will have the greatest impact on the spread of cyber crime next year. Experts predict the pressures associated with economic uncertainty and rising costs will create the perfect environment for scammers to take advantage of people when they are more vulnerable.
It’s expected that cyber criminals will trick victims into surrendering personal information, emptying their bank accounts, or spending money for products, services or “lottery winnings” that never arrive. “We anticipate scammers will continue to prey on the vulnerability of people as economic pressures rise in 2023,” said Norton.
“Cyber criminals love to exploit seasonal opportunities, and consumers are facing a perfect storm of rising prices in the middle of the busiest shopping season of the year when scammers are particularly active. Scams are always harder to detect during the holiday season because consumers expect deep discounts and may believe prices that would normally seem too good to be true. This year, inflation and other unfavourable macroeconomic factors are likely to make people particularly eager to find good deals and they may therefore be at greater risk than in previous years. Taking a few proactive steps today could help you to be safer all year long.”
https://www.helpnetsecurity.com/2022/12/06/economic-uncertainty-cybercrime/
Cyber Security Resilience Emerges as Top Priority, as 62% of Companies Say Security Incidents Impacted Business Operations
Cyber security resilience is a top priority for companies as they look to defend against a rapidly evolving threat landscape, according to the latest edition of Cisco's annual Security Outcomes Report.
Resilience has emerged as a top priority as a staggering 62 percent of organisations surveyed said they had experienced a security event that impacted business in the past two years. The leading types of incidents were network or data breaches (51.5 percent), network or system outages (51.1 percent), ransomware events (46.7 percent) and distributed denial of service attacks (46.4 percent).
These incidents resulted in severe repercussions for the companies that experienced them, along with the ecosystem of organisations they do business with. The leading impacts cited include IT and communications interruption (62.6 percent), supply chain disruption (43 percent), impaired internal operations (41.4 percent) and lasting brand damage (39.7 percent).
With stakes this high, it is no surprise that 96 percent of executives surveyed for the report said that security resilience is high priority for them. The findings further highlight that the main objectives of security resilience for security leaders and their teams are to prevent incidents, and mitigate losses when they occur.
Technology is transforming businesses at a scale and speed never seen before. While this is creating new opportunities, it also brings with it challenges, especially on the security front. To be able to tackle these effectively, companies need the ability to anticipate, identify, and withstand cyber threats, and if breached be able to rapidly recover from one. That is what building resilience is all about.
Security, after all, is a risk business. As companies don't secure everything, everywhere, security resilience allows them to focus their security resources on the pieces of the business that add the most value to an organisation, and ensure that value is protected.
Cyber Security Should Focus on Managing Risk
Preventing all data breaches is an unrealistic goal. Instead, focus on finding and minimising the greatest risks.
There is a common misconception that all problems have clear, straightforward solutions — as long as you look hard enough. While this is a bold and ambitious goal, it's misguided when applied to cyber security. Organisations cannot prevent data breaches or cyberattacks altogether, and avoiding a breach or cyber incident is nearly impossible in the modern era. Organisations can, however, take steps to reduce an attack's negative impacts.
Eradicating risk is an impractical goal because you cannot "solve" something that constantly changes. To understand the risks you need to think like an attacker.
Threat actors are, first and foremost, opportunistic. They will always look for the easiest targets to maximise their financial gain. So intimately understanding an organisation's level of risk is the first step to managing and reducing it — and making yourself less of a target.
In line with Verizon’s "Data Breach Investigations Report" (DBIR) the four critical ways that threat actors most frequently use to compromise organisations large and small are credential compromise, phishing, vulnerability exploitation, and botnets, and these are the areas organisations should look reduce risks.
https://www.darkreading.com/edge-articles/cybersecurity-should-focus-on-managing-risk
Fear of Cyber Attacks Drives SMBs to Spend More on Software
Despite fears of a looming recession, small and medium sized businesses (SMBs) are spending more on software in 2023, according to Capterra’s 2023 SMB Software Buying Trends Survey. 75% of US SMBs estimate they’ll spend more on software in 2023 compared to 2022.
Alongside increased software budgets, Capterra’s survey of over 500 SMBs reveals four other major trends in software buying behaviours and challenges that will impact businesses in 2023:
Fearful of cyber attacks, US businesses rate security as a top motivator for software purchases
Implementation concerns are SMBs’ biggest purchase barrier
Most SMB software purchases are solely handled by IT, disregarding other important stakeholders
Customer reviews sway purchase decisions, and verified reviews are critical
Despite the expected increase in software investments, many US SMBs regret their technology purchases. 61% of US SMBs say they have buyer’s remorse over a technology purchase in the past 12-18 months. Inadequate support services (39%) and higher-than-anticipated costs (34%) are the top reasons behind such regrets.
https://www.helpnetsecurity.com/2022/12/07/smbs-software-spending-2023/
Business Email Compromise (BEC) Fraud Attacks Expand Beyond Email and Toward Mobile Devices
Business email compromise (BEC) scams have been increasingly targeting mobile devices, particularly with SMS-focused attacks. According to a new advisory by cyber security specialists at Trustwave, the trend indicates a broader shift towards phishing scams via text messages.
“Phishing scams are prevalent in the SMS threat landscape, and now, BEC attacks are also going mobile,” reads the report. Trustwave further added that scammers typically obtain mobile numbers from data breaches, social media and data brokers, among other methods. After that, attackers ask victims for a wire transfer, send a copy of an aging report or change a payroll account, luring them into paying for something that should be reimbursed later (but never will).
BEC attacks will always be here so long as they remain profitable. Their continued profitability proves that employee cyber security behaviour is neglected and mismanaged by the compliance-based approach to security awareness.
Security culture needs a reformation that begins with transforming the human layer into an asset which, when empowered by the right training and platform, augments the protect-detect-respond pillars of the [National Institute of Standards and Technology] NIST framework.
Trustwave’s findings were also confirmed in SlashNext’s State of Phishing 2022 report, which recently highlighted a 50% increase in attacks on mobile devices, with scams and credential theft at the top of the list of payloads. The document also suggested 83% of organisations reported that mobile device threats had been growing more quickly than other device threats.
https://www.infosecurity-magazine.com/news/bec-attacks-expand-toward-mobile/
Ransomware Professionalisation Grows as Ransomware-as-a-Service (RaaS) Takes Hold
Ransomware groups are getting their acts together, growing in sophistication and business acumen while monetising ransomware beyond encryption, including double and triple extortion, as the market for ransomware-as-a-service (RaaS) matures.
In first half of 2022, LockBit, Conti, Alphv, Black Basta, and Vice Society were among the most prolific ransomware gangs, focusing their attack on US-based organisations, according to a LookingGlass report on the topic.
The report confirmed and attributed 1,133 ransomware attacks in the first six months of the year and attributed 207 data leaks across all active threat actor groups throughout the same period. Of the more than 1,300 incidents, the bulk came from the top 15 most active ransomware groups, led by LockBit, Conti, and Alphv.
Ransomware gangs have primarily targeted two sectors during the analysis period: manufacturing and industrial products, followed by engineering and construction and healthcare and life sciences, with the consumer and retail industry rounding out the top five.
The report highlighted the rise of sophisticated software and networks as a principal contributor to the professionalisation of ransomware, with malicious actors now offering RaaS, bug bounties, sales teams, and even customer support.
“This new, more professional ransomware structure can only mean that the problem will continue to grow in the months ahead," the report noted. "We anticipate the adoption of more traditional business practices as the underground economy continues to remain robust”.
Automated Dark Web Markets Sell Corporate Email Accounts For $2
Cyber crime marketplaces are increasingly selling stolen corporate email addresses for as low as $2 to fill a growing demand by hackers who use them for business email compromise and phishing attacks or initial access to networks.
Analysts at Israeli cyber-intelligence firm KELA have closely followed this trend, reporting at least 225,000 email accounts for sale on underground markets.
The largest webmail shops are Xleet and Lufix, claiming to offer access to over 100k breached corporate email accounts, with prices ranging between $2 and $30, if not more, for highly-desirable organisations.
Typically, these accounts were stolen via password cracking (brute-forcing) or credential stuffing, had their credentials stolen through phishing, or were bought from other cyber criminals.
Hackers use their access to corporate email accounts in targeted attacks like business email compromise (BEC), social engineering, spear-phishing, and deeper network infiltration.
Cloud Hosting Provider Rackspace Warns of Phishing Risks Following Ransomware Attack
Cloud computing provider Rackspace warned customers on Thursday of increased risks of phishing attacks following a ransomware attack affecting its hosted Microsoft Exchange environment.
While the company is still investigating the incident and is working on bringing affected systems back online, it says that cyber criminals might also take advantage and exploit this incident for their own purposes.
"If you do receive a message from an individual you do not recognise, do not reply. Please login to your control panel and create a ticket, including details about the message you received," Rackspace said. "We understand that contact such as this may be alarming, but we currently have no evidence to suggest that you are at increased risk as a result of this direct contact."
Rackspace added that customers could easily spot scammers attempting to steal their sensitive information since:
Emails from Rackspace will be sent from @rackspace.com emails (although attackers might still use a spoofed email address and redirect their targets to a landing phishing page)
Rackspace support will not ask for login credentials or personal information (e.g., social security number, driver's license) during phone calls
Even though the company is yet to reveal if it has any evidence that the attackers have stolen data from its systems during the breach, customers were advised to remain vigilant and monitor their credit reports and banking account statements for suspicious activity.
Some customers are also reporting an increase in phishing emails impersonating Rackspace since the ransomware attack. Those affected by the Rackspace ransomware attack and outage should not open any suspicious email attachments or click any suspicious links.
Security Concerns Scupper Deals for Two-Thirds of Firms
Two-thirds (67%) of global organisations have admitted to losing out on acquiring potential customers due to concerns about their security posture, according to LogRhythm.
The security vendor polled 1175 security professionals and executives across five continents to compile its latest report, The State of the Security Team 2022. It found that security due diligence among customers and partners is increasingly rigorous.
Some 91% of respondents said that their security strategy must now align with customers’ security policies and standards, while 85% claimed their company must provide proof that they meet partners’ security requirements.
There was more worrying news from the report: 70% of respondents reported an increase in workplace stress for security teams, with nearly a third (30%) citing a “significant” increase. Among the key stress factors highlighted in the study were growing attack sophistication, greater responsibilities and increasing attack frequency.
Two-fifths (41%) claimed that better integrated solutions would help to relieve these pressures, while a similar number (42%) pointed to the need for more experienced security professionals. The latter would seem unlikely, given the coming recession’s likely impact on budgets, and persistent industry skills shortages. The gap is now 3.4 million globally, including 56,800 in the UK, a massive 73% year-on-year increase, according to ISC2.
https://www.infosecurity-magazine.com/news/security-concerns-scupper-deals/
Microsoft Encourages 'Strong Cyber Hygiene' in Light of Increasing Russian Cyber Attacks
Microsoft is gearing up for a slew of Russian cyber attacks this winter, and warns others to stay vigilant. Between missiles, drones, and cyber attacks the onslaught against Ukraine has been a brutal one, and reportedly only set to get worse in the coming months.
"Moscow has intensified its multi-pronged hybrid technology approach to pressure the sources of Kyiv’s military and political support," says Microsoft in a recent blog post. "Recent attacks in Poland suggest that Russian state-sponsored cyber attacks may increasingly be used outside Ukraine in an effort to undermine foreign-based supply chains."
In late October, Russian forces were pushed from formerly occupied territory, retaliating with missile, drone, and cyber strikes that left much of Kyiv in need of simple running water.
The Russian group known to Microsoft as IRIDIUM (aka Sandworm) is thought to be working with the Russian intelligence service, the GRU, in coordinated efforts to inflict suffering on the people of Ukraine. The group has been at large for almost a decade, as Microsoft notes, "Following Russia’s annexation of Crimea in 2014, IRIDIUM launched a series of wintertime operations against Ukrainian electricity providers, cutting power to hundreds of thousands of citizens in 2015 and 2016."
Threats
Ransomware, Extortion and Destructive Attacks
Ransomware Professionalization Grows as RaaS Takes Hold (darkreading.com)
Medibank share price slumps ahead of major shutdown and cyber security overhaul (fool.com.au)
Rackspace confirms ransomware behind days-long email outage • The Register
Vice Society: Profiling a Persistent Threat to the Education Sector (paloaltonetworks.com)
Wiper, Disguised as Fake Ransomware, Targets Russian Orgs (darkreading.com)
Never-before-seen malware is nuking data in Russia’s courts and mayors’ offices | Ars Technica
Rackspace rocked by ‘security incident’ in hosted Exchange • The Register
Open Source Ransomware Toolkit Cryptonite Turns Into Accidental Wiper Malware (thehackernews.com)
Understanding NIST CSF to assess your organisation's Ransomware readiness (thehackernews.com)
New Ransom Payment Schemes Target Executives, Telemedicine – Krebs on Security
South Pacific vacations may be wrecked by ransomware • The Register
Gartner: 5 Considerations for I&O Leaders Planning Against Ransomware Attacks - IT Security Guru
Intersport Data Posted On Hive Dark Web Blog - Information Security Buzz
Vice Society Ransomware Attackers Targeted Dozens of Schools in 2022 (thehackernews.com)
Education sector hit by Hive ransomware in November | TechTarget
Ransomware attack forces French hospital to transfer patients (bleepingcomputer.com)
CommonSpirit Health ransomware attack exposed data of 623,000 patients (bleepingcomputer.com)
Ransomware Gang Steals Employee and Customer Data From LJ Hooker (vice.com)
Phishing & Email Based Attacks
Rackspace warns of phishing risks following ransomware attack (bleepingcomputer.com)
Phishing in the Cloud: We're Gonna Need a Bigger Boat (darkreading.com)
Phishing scammers impersonate WhatsApp by buying a top ad spot on Google | PC Gamer
How to Recognize Phishing Emails: Cyber security Experts Give Advice - WSJ
Investment Fraud Gang May Have Made $500m - Infosecurity Magazine (infosecurity-magazine.com)
BEC – Business Email Compromise
Other Social Engineering; Smishing, Vishing, etc
Infostealer Malware Market Booms, as MFA Fatigue Sets In (darkreading.com)
Hardening Identities With Phish-Resistant MFA (darkreading.com)
'I had £8,000 stolen but Revolut won't refund it' - BBC News
Malware
Infostealer Malware Market Booms, as MFA Fatigue Sets In (darkreading.com)
Malware Authors Inadvertently Take Down Own Botnet (darkreading.com)
Artifact Poisoning in GitHub Actions Imports Malware via Software Pipelines (darkreading.com)
Mobile
Code of practice for app store operators and app developers - GOV.UK (www.gov.uk)
Android malware apps with 2 million installs spotted on Google Play (bleepingcomputer.com)
Privacy changes set Apple at odds with UK government over online safety bill | Apple | The Guardian
Android malware infected 300,000 devices to steal Facebook accounts (bleepingcomputer.com)
Android December 2022 security updates fix 81 vulnerabilities (bleepingcomputer.com)
Telcom and BPO Companies Under Attack by SIM Swapping Hackers (thehackernews.com)
Darknet's Largest Mobile Malware Marketplace Threatens Users Worldwide (thehackernews.com)
SIM swapper gets 18-months for involvement in $22 million crypto heist (bleepingcomputer.com)
Compromised Android keys used to sign info-stealing malware • The Register
Largest mobile malware marketplace identified by Resecurity in the Dark Web - Security Affairs
Internet of Things – IoT
How IoT is changing the threat landscape for businesses - Help Net Security
What's the Matter with digital trust in smart home devices? - Help Net Security
Security Risks Found in Millions of XIoT Devices - Infosecurity Magazine (infosecurity-magazine.com)
Self-Propagating 'Zerobot' Botnet Targeting Spring4Shell, IoT Vulnerabilities | SecurityWeek.Com
Data Breaches/Leaks
Popular HR and Payroll Company Sequoia Discloses a Data Breach | WIRED
Personal data of 10,000 Australians found for sale online | 7NEWS
Stolen data of 600,000 Indians sold on bot markets so far - study | Reuters
Organised Crime & Criminal Actors
Of Exploits and Experts: The Professionalization of Cyber Crime (darkreading.com)
Economic uncertainty will greatly impact the spread of cyber crime - Help Net Security
Automated dark web markets sell corporate email accounts for $2 (bleepingcomputer.com)
DHS Cyber Safety Board to review Lapsus$ gang’s hacking tactics (bleepingcomputer.com)
BlackProxies proxy service increasingly popular among hackers (bleepingcomputer.com)
Chart: Cyber crime Expected To Skyrocket in Coming Years | Statista
Metaparasites: The cyber criminals who rip each other off • Graham Cluley
Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain
North Korean Hackers Spread AppleJeus Malware Disguised as Cryptocurrency Apps (thehackernews.com)
Microsoft: Hackers target cryptocurrency firms over Telegram (bleepingcomputer.com)
UK finalises plans for regulation of ‘wild west’ crypto sector | Financial Times (ft.com)
North Korean Lazarus Group Linked to New Cryptocurrency Hacking Scheme – Security Bitcoin News
Insider Risk and Insider Threats
Fraud, Scams & Financial Crime
Even cyber criminals fall for online scams: $2.5m last year • The Register
'I had £8,000 stolen but Revolut won't refund it' - BBC News
Suspects arrested for hacking US networks to steal employee data (bleepingcomputer.com)
Australia arrests 'Pig Butchering' suspects for stealing $100 million (bleepingcomputer.com)
Cyber criminals are scamming each other, tipping off law enforcement - Help Net Security
Elon Musk "Freedom Giveaway" crypto scam promoted via Twitter lists (bleepingcomputer.com)
SIM swapper gets 18-months for involvement in $22 million crypto heist (bleepingcomputer.com)
Metaparasites: The cyber criminals who rip each other off • Graham Cluley
Investment Fraud Gang May Have Made $500m - Infosecurity Magazine (infosecurity-magazine.com)
Deepfakes
AML/CFT/Sanctions
Insurance
What you should know when considering cyber insurance in 2023 | CSO Online
Cyber Insurance Policy Underwriting Explained (trendmicro.com)
Dark Web
Supply Chain and Third Parties
Antwerp's city services down after hackers attack digital partner (bleepingcomputer.com)
Transport And Shipping Beware – Supply Chains Under Attack - Information Security Buzz
Popular HR and Payroll Company Sequoia Discloses a Data Breach | WIRED
Software Supply Chain
Denial of Service DoS/DDoS
3 Types Of DDoS Attack Types You Should Care About - Information Security Buzz
Microsoft warning after DDoS attack disrupts Russian bank • The Register
Cloud/SaaS
Phishing in the Cloud: We're Gonna Need a Bigger Boat (darkreading.com)
How to implement least privilege access in the cloud | TechTarget
Hybrid/Remote Working
Encryption
WhatsApp raises threat of UK shutdown in encryption row (telegraph.co.uk)
Governments want to avert quantum's encryption apocalypse (axios.com)
API
Open Source
Ping of death! FreeBSD fixes crashtastic bug in network tool – Naked Security (sophos.com)
Research reveals where 95% of open source vulnerabilities lie - Help Net Security
Critical Ping Vulnerability Allows Remote Attackers to Take Over FreeBSD Systems (thehackernews.com)
Passwords, Credential Stuffing & Brute Force Attacks
Social Media
Taiwan bans state-owned devices from running TikTok • The Register
Critical Vulnerabilities Force Twitter Alternative Hive Social Offline | SecurityWeek.Com
Does Hive's Security Problem Make It Unsafe to Use? (lifehacker.com)
Elon Musk "Freedom Giveaway" crypto scam promoted via Twitter lists (bleepingcomputer.com)
US States label TikTok a malicious and menacing threat • The Register
Training, Education and Awareness
Engage your employees with better cyber security training - Help Net Security
Lack of Cyber security Expertise Poses Threat for Public-Safety Orgs (darkreading.com)
4 cyber security predictions for 2023 --- SANS analysts look ahead | VentureBeat
Parental Controls and Child Safety
Regulations, Fines and Legislation
UK finalises plans for regulation of ‘wild west’ crypto sector | Financial Times (ft.com)
What Stricter Data Privacy Laws Mean for Your Cyber security Policies (thehackernews.com)
Governance, Risk and Compliance
Cyber security Risk Management In The Real World - Information Security Buzz
Economic uncertainty will greatly impact the spread of cyber crime - Help Net Security
Models, Frameworks and Standards
Understanding NIST CSF to assess your organisation's Ransomware readiness (thehackernews.com)
PCI Secure Software Standard 1.2 released - Help Net Security
How compliance leaders can encourage employees to report misconduct - Help Net Security
The changing role of the MITRE ATT@CK framework | CSO Online
Don't Wait to Become CMMC Compliant - Information Security Buzz
Three Ways to Improve Defence Readiness Using MITRE D3FEND | SecurityWeek.Com
Data Protection
Remote workers losing laptops are bigger threat to companies than hackers (telegraph.co.uk)
How companies time data leak disclosures - Help Net Security
What Stricter Data Privacy Laws Mean for Your Cyber security Policies (thehackernews.com)
Careers, Working in Cyber and Information Security
Law Enforcement Action and Take Downs
Suspects arrested for hacking US networks to steal employee data (bleepingcomputer.com)
Australia arrests 'Pig Butchering' suspects for stealing $100 million (bleepingcomputer.com)
Privacy, Surveillance and Mass Monitoring
Apple Faces Critics Over Its Privacy Policies | SecurityWeek.Com
Privacy changes set Apple at odds with UK government over online safety bill | Apple | The Guardian
Apple announces new security and privacy measures amid surge in cyber-attacks | Apple | The Guardian
Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine
NATO Readies for Cyber War: Simulation Shows Unified Front Against Attack - MSSP Alert
Microsoft warns of Russian cyber attacks throughout the winter (bleepingcomputer.com)
Microsoft warning after DDoS attack disrupts Russian bank • The Register
Russian Espionage APT Callisto Focuses on Ukraine War Support Organisations | SecurityWeek.Com
Russian Actors Use Compromised Healthcare Networks Against Ukrainian Orgs (darkreading.com)
Security Firms Aiding Ukraine During War Could Be Considered Participants in Conflict (substack.com)
Nation State Actors
Nation State Actors – Russia
Microsoft encourages 'strong cyber hygiene' in light of increasing Russian cyber attacks | PC Gamer
Russian Hackers Spotted Targeting US Military Weapons and Hardware Supplier (thehackernews.com)
The surprising ineffectiveness of Russia’s cyber-war | The Economist
Nation State Actors – China
Chinese Hackers Target Middle East Telecoms in Latest Cyber Attacks (thehackernews.com)
Chinese hackers stole millions worth of US COVID relief money, Secret Service says | Reuters
Amnesty International Canada breached by suspected Chinese hackers (bleepingcomputer.com)
China Operates More Than 100 Secret 'Police Stations' Globally: Report (businessinsider.com)
US Congress rolls back proposal to restrict use of Chinese chips | Computerworld
Nation State Actors – North Korea
North Korean tech freelancers' earnings fund nukes, missiles • The Register
North Korean Hackers Spread AppleJesus Malware Disguised as Cryptocurrency Apps (thehackernews.com)
Google Documents IE Browser Zero-Day Exploited by North Korean Hackers | SecurityWeek.Com
APT37 Uses Internet Explorer Zero-Day to Spread Malware (darkreading.com)
Google: State hackers still exploiting Internet Explorer zero-days (bleepingcomputer.com)
North Korean Lazarus Group Linked to New Cryptocurrency Hacking Scheme – Security Bitcoin News
Nation State Actors – Iran
Vulnerabilities
Attackers take over expired domain to deliver web skimming scripts - Help Net Security
Google discovers Windows exploit framework used to deploy spyware (bleepingcomputer.com)
Cisco discloses high-severity IP phone bug with exploit code (bleepingcomputer.com)
Google Chrome emergency update fixes 9th zero-day of the year (bleepingcomputer.com)
Google Documents IE Browser Zero-Day Exploited by North Korean Hackers | SecurityWeek.Com
For Cyber attackers, Popular EDR Tools Can Turn into Destructive Data Wipers (darkreading.com)
A new Linux flaw can be chained with other two bugs to gain full root privileges - Security Affairs
Self-Propagating 'Zerobot' Botnet Targeting Spring4Shell, IoT Vulnerabilities | SecurityWeek.Com
Google Chrome Flaw Added to CISA Patch List (darkreading.com)
Fortinet Patches High-Severity Authentication Bypass Vulnerability in FortiOS | SecurityWeek.Com
Research reveals where 95% of open source vulnerabilities lie - Help Net Security
Critical Ping Vulnerability Allows Remote Attackers to Take Over FreeBSD Systems (thehackernews.com)
Google: State hackers still exploiting Internet Explorer zero-days (bleepingcomputer.com)
APT37 Uses Internet Explorer Zero-Day to Spread Malware (darkreading.com)
WAFs of Several Major Vendors Bypassed With Generic Attack Method | SecurityWeek.Com
Google Chrome zero-day exploited in the wild (CVE-2022-4262) - Help Net Security
Sophos fixed a critical flaw in its Sophos Firewall version 19.5 - Security Affairs
Tools and Controls
Security pros feel threat detection and response workloads have increased - Help Net Security
Single Sign-on: It's Only as Good as Your Ability to Use It (darkreading.com)
Leveraging the full potential of zero trust - Help Net Security
Understanding malware analysis and its challenges | TechTarget
Using XDR to Consolidate and Optimize Cyber security Technology (thehackernews.com)
Reports Published in the Last Week
Other News
Over 4,000 Vulnerable Pulse Connect Secure Hosts Exposed to Internet | SecurityWeek.Com
Where Advanced Cyber attackers Are Heading Next: Disruptive Hits, New Tech (darkreading.com)
43 Trillion Security Data Points Illuminate Our Most Pressing Threats (darkreading.com)
7 reasons why you must embed trust into the core of your business - Help Net Security
Risky online behaviour ‘almost normalised’ among young people, says study | Internet | The Guardian
Top 7 factors boosting enterprise cyber security resilience - Help Net Security
Machine Learning Models: A Dangerous New Attack Vector (darkreading.com)
Consumers want convenience without sacrificing security - Help Net Security
4 cyber security predictions for 2023 --- SANS analysts look ahead | VentureBeat
3 of the Worst Data Breaches in the World That Could Have Been Prevented - Security Affairs
Removing the Barriers to Security Automation Implementation | SecurityWeek.Com
Cyber security Should Focus on Managing Risk (darkreading.com)
Deal with sophisticated bot attacks: Learn, adapt, improve - Help Net Security
Want to detect Cobalt Strike? Look to process memory • The Register
Sector Specific
Industry specific threat intelligence reports are available.
Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.
· Automotive
· Construction
· Critical National Infrastructure (CNI)
· Defence & Space
· Education & Academia
· Energy & Utilities
· Estate Agencies
· Financial Services
· FinTech
· Food & Agriculture
· Gaming & Gambling
· Government & Public Sector (including Law Enforcement)
· Health/Medical/Pharma
· Hotels & Hospitality
· Insurance
· Legal
· Manufacturing
· Maritime
· Oil, Gas & Mining
· OT, ICS, IIoT, SCADA & Cyber-Physical Systems
· Retail & eCommerce
· Small and Medium Sized Businesses (SMBs)
· Startups
· Telecoms
· Third Sector & Charities
· Transport & Aviation
· Web3
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Threat Briefing 04 November 2022
Black Arrow Cyber Threat Briefing 04 November 2022:
-NCSC Looks Back on Year Of ‘Profound Change’ for Cyber
-LastPass Research Finds False Sense of Cyber Security Running Rampant
-Insurance Giant Settles NotPetya ‘Act of War’ Lawsuit, Signaling Cyber Insurance Shakeup
-Microsoft Warns of Uptick in Hackers Leveraging Publicly-Disclosed 0-Day Vulnerabilities
-Chinese Mob Has 100K Slaves Working in Cambodian Cyber Crime Mills
-Ransomware Research: 17 Leaked Databases Operated by Threat Actors Threaten Third Party Organisations
-Not Enough Ransomware Victims Are Reporting Attacks, And That's a Problem for Everyone
-Hackers Selling Access to 576 Corporate Networks for $4 Million
-Cyber Security Recovery is a Process That Starts Long Before a Cyber Attack Occurs
-Geopolitics Plays Major Role in Cyber Attacks, Says EU Cyber Security Agency
-Russian Hackers Account for Most 2021 Ransomware Schemes, US Says
-Exposed: The Global Hacking Network That Targets VIPs
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
NCSC Looks Back on Year Of ‘Profound Change’ for Cyber
The UK’s National Cyber Security Centre (NCSC) provided support for 18 nationally significant ransomware attacks; removed 2.1 million cyber-enabled commodity campaigns; issued 34 million early warning alerts about attacks, compromises, vulnerabilities or open ports; and received 6.5 million reports of suspicious emails in the past 12 months – but in a year of “profound change” in the cyber security landscape, it was Russia’s invasion of Ukraine that dominated the agenda.
Reflecting on the past 12 months as she launched the NCSC’s latest annual report on 1 November at an event in London, NCSC CEO Lindy Cameron said that the return of war to Europe with Russia’s invasion of Ukraine presented a unique set of challenges in cyber space for the NCSC and its partners and allies.
Cameron added that while the cyber threat from Russia has perhaps been the most visible security issue of 2022, it was also important not to forget that when it comes to nation-state actors, it will likely be the technical development and evolution of China that ultimately has the more lasting impact on the UK’s national cyber security.
https://www.computerweekly.com/news/252526766/NCSC-looks-back-on-year-of-profound-change-for-cyber
LastPass Research Finds False Sense of Cyber Security Running Rampant
LastPass released findings from its fifth annual Psychology of Password findings, which revealed even with cyber security education on the rise, password hygiene has not improved. Regardless of generational differences across Boomers, Millennials and Gen Z, the research shows a false sense of password security given current behaviours across the board. In addition, LastPass found that while 65% of all respondents have some form of cyber security education — through school, work, social media, books or via online courses — the reality is that 62% almost always or mostly use the same or variation of a password.
The survey, which explored the password security behaviours of 3,750 professionals across seven countries, asked about respondents’ mindset and behaviours surrounding their online security. The findings highlighted a clear disconnect between high confidence when it comes to their password management and their unsafe actions. While the majority of professionals surveyed claimed to be confident in their current password management, this doesn’t translate to safer online behaviour and can create a detrimental false sense of safety.
Key findings from the research include:
Gen Z is confident when it comes to their password management, while also being the biggest offenders of poor password hygiene.
Cyber security education doesn’t necessarily translate to action.
Confidence creates a false sense of password security.
The latest research showcases that even in the face of a pandemic, where we spent more time online amid rising cyber attacks, there continues to be a disconnect for people when it comes to protecting their digital lives. Even though nearly two-thirds of respondents had some form of cyber security education, it is not being put into practice for varying reasons.
https://www.darkreading.com/vulnerabilities-threats/untitled
Insurance Giant Settles NotPetya ‘Act of War’ Lawsuit, Signaling Cyber Insurance Shakeup
The settlement last week in a $100 million lawsuit over whether insurance giant Zurich should cover losses Mondelez International suffered from NotPetya may very well reshape the entire cyber insurance marketplace.
Zurich initially denied claims from Mondelez after the malware, which experts estimate caused some $10 billion in damages globally, wreaked havoc on its computer networks. The insurance provider claimed an act of war exemption since it’s widely believed Russian military hackers unleashed NotPetya on a Ukrainian company before it spread around the world.
Now, however, it’s increasingly clear insurers aren’t off the hook for NotPetya payouts or from covering losses from other attacks with clear links to nation-state hackers.
That’s because in this case, what Mondelez and many other corporations endured was not an act of war, but “collateral damage” in a much larger cyber conflict that had nothing to do with them, said the Center for Strategic and International Studies.
There needs to be a rethink what act of war means in cyber space when it comes to insurance. The current definitions come out of the 19th century when we had pirates, navies and privateers.
Last week’s ruling in favour of Mondelez follows a January ruling in a New Jersey court that sided with global pharmaceutical company Merck in a similar case. Its insurance companies initially refused to pay for damages from NotPetya. Merck claimed losses that amounted to $1.4 billion. The insurers are appealing the ruling.
Insurers seized on the NotPetya episode to test how courts would rule on cyber coverage questions, particularly when there’s so much evidence pointing to one particular nation-state actor. Since NotPetya was widely attributed to the Russian government it gave the industry a “really strong opportunity” to set legal precedent limiting their responsibility in these instances.
Insurers will start to be much more upfront about the fact that they aren’t going to cover acts of cyber war or limit payouts for NotPetya type incidents in the future.
https://www.cyberscoop.com/insurance-giant-settles-notpetya-lawsuit/
Microsoft Warns of Uptick in Hackers Leveraging Publicly-Disclosed 0-Day Vulnerabilities
Microsoft is warning of an uptick among nation-state and criminal actors increasingly leveraging publicly-disclosed zero-day vulnerabilities for breaching target environments.
The tech giant, in its 114-page Digital Defense Report, said it has "observed a reduction in the time between the announcement of a vulnerability and the commoditisation of that vulnerability," making it imperative that organisations patch such exploits in a timely manner.
This also corroborates with an April 2022 advisory from the US Cybersecurity and Infrastructure Security Agency (CISA), which found that bad actors are "aggressively" targeting newly disclosed software bugs against broad targets globally.
Microsoft noted that it only takes 14 days on average for an exploit to be available in the wild after public disclosure of a flaw, stating that while zero-day attacks are initially limited in scope, they tend to be swiftly adopted by other threat actors, leading to indiscriminate probing events before the patches are installed.
It further accused Chinese state-sponsored groups of being "particularly proficient" at discovering and developing zero-day exploits. This has been compounded by the fact that the Cyberspace Administration of China (CAC) enacted a new vulnerability reporting regulation in September 2021 that requires security flaws to be reported to the government prior to them being shared with the product developers.
Redmond further said the law could enable government-backed elements to stockpile and weaponise the reported bugs, resulting in the increased use of zero-days for espionage activities designed to advance China's economic and military interests.
https://thehackernews.com/2022/11/microsoft-warns-of-uptick-in-hackers.html
Chinese Mob Has 100K Slaves Working in Cambodian Cyber Crime Mills
Up to 100,000 people from across Asia have been lured to Cambodia by Chinese crime syndicates with the promise of good jobs. When they arrive, their passports are seized and they are put to work in modern-day sweatshops, running cyber crime campaigns.
The Los Angeles Times reported that Cambodia, which was hit hard economically by the pandemic, has allowed Chinese mobsters to set up enormous cyber crime operations using human trafficked labour without consequence, because of the revenue it generates for the country. The campaigns they carry out run the gamut from romance scams to fake sports betting.
Although the Cambodian government acknowledges that as many as 100,000 workers are involved in these activities, it denies anyone is being held against their will. However, the stories from traumatised victims rescued from cyber crime mills include tales of beatings and torture for failing to meet quotas, and of being sold and passed around from gang to gang.
https://www.darkreading.com/attacks-breaches/chinese-mob-100k-slaves-cambodian-cybercrime-mills
Ransomware Research: 17 Leaked Databases Operated by Threat Actors Threaten Third Party Organisations
Ransomware remains a serious threat to organisations, Deep Instinct, a New York-based deep learning cyber security specialist, said in its recently released 2022 Interim Cyber Threat Report.
It’s no surprise, the company said, as there are currently 17 leaked databases operated by threat actors who are leveraging the data for attacks on third-party companies, most notably social engineering, credential theft, and triple-extortion attacks.
Here are the report’s key findings:
Changes in ransomware gangs, including LockBit, Hive, BlackCat, and Conti. The latter has spawned “Conti Splinters” made up of former affiliates Quantum, BlackBasta, and BlackByte.
Significant changes to tactics by Emotet, Agent Tesla, NanoCore, and others. For example, Emotet uses highly obfuscated VBA macros to avoid detection.
The use of documents for malware has decreased as the top attack vector, following Microsoft’s move to disable macros by default in Microsoft Office files. Threat actors have already pivoted to other methods such as LNK, HTML, and archive email attachments.
Vulnerabilities such as SpoolFool, Follina and DirtyPipe highlighted the exploitability of both Windows and Linux systems despite efforts to enhance their security.
The number of exploited in-the-wild vulnerabilities spikes every 3-4 months. The next spike is expected to occur by the end of the year.
Threat actor groups are extending data exfiltration attacks to demand ransoms from third-party companies if the leaked data contains their sensitive information.
The report also makes three predictions:
More inside jobs. Malicious threat actors look for the weakest link, which is often in the supply chain. Groups like Lapsus$ do not rely on exploits but instead look for insiders who are willing to sell access to data within their organisation.
Rise of protestware. Look for a spike in protestware, which is self-sabotaging one’s software and weaponising it with malware capabilities in an effort to harm all or some of its users. The war between Russia and Ukraine has caused a surge in protestware.
End of year attacks. While no major vulnerability in 2022 has emerged similar to the Log4J or the Exchange cases in 2021, there is an increase year-over-year in the number of publicly assigned CVEs for reported vulnerabilities. For now, threat actors are still exploiting old vulnerabilities during 2022 simply because there is a plethora of unpatched systems for 2021 CVEs but that will change.
Organisations are warned to be on their guard. 2022 has been another record year for cyber criminals and ransomware gangs. It’s no secret that these threat actors are constantly upping their game with new and improved tactics designed to evade traditional cyber defences. Defenders must continue to be vigilant and find new approaches to prevent these attacks from happening.
Ransomware: Not Enough Victims Are Reporting Attacks, And That's a Problem for Everyone
Ransomware continues to be a significant cyber threat to businesses and the general public – but it's difficult to know the true impact of attacks because many victims aren't coming forward to report them.
The warning comes in the National Cyber Security Centre (NCSC) Annual Review for 2022, which looks back at key developments and incidents in cyber crime over the last year, with ransomware described as an "ever present" threat and a "major challenge" to businesses and public services.
That's demonstrated by how the review details how in the 12-month period between 1 September 2021 and 31 August 2022 there were 18 ransomware incidents that needed a "nationally coordinated" response. These included attacks on a supplier to the National Health Service (NHS) and a ransomware attack against South Staffordshire Water.
However, the true impact of ransomware remains unclear, because the NCSC says that many organisations that fall prey to ransomware attacks aren't disclosing them.
That lack of reporting is despite the significant and disruptive consequences ransomware attacks can have, not only for organisations that fall victim, but for wider society – which is why it's vital that cyber security is taken seriously and incidents are reported.
Hackers Selling Access to 576 Corporate Networks for $4 Million
A new report shows that hackers are selling access to 576 corporate networks worldwide for a total cumulative sales price of $4,000,000, fuelling attacks on the enterprise.
The research comes from Israeli cyber-intelligence firm KELA which published its Q3 2022 ransomware report, reflecting stable activity in the sector of initial access sales but a steep rise in the value of the offerings.
Although the number of sales for network access remained about the same as in the previous two quarters, the cumulative requested price has now reached $4,000,000. For comparison, the total value of initial access listings in Q2 2022 was $660,000, recording a drop in value that coincided with the summer ransomware hiatus that hurt demand.
Initial access brokers (IABs) are hackers who sell access to corporate networks, usually achieved through credential theft, webshells, or exploiting vulnerabilities in publicly exposed hardware. After establishing a foothold on the network, the threat actors sell this corporate access to other hackers who use it to steal valuable data, deploy ransomware, or conduct other malicious activity. The reasons IABs choose not to leverage network access vary, ranging from lacking diverse intrusion skills to preferring not to risk increased legal trouble.
IABs still play a crucial role in the ransomware infection chain, even if they got sidelined last year when big ransomware gangs that operated as crime syndicates operated their own IAB departments.
Cyber Security Recovery is a Process That Starts Long Before a Cyber Attack Occurs
Organisations are racing to stay ahead of cyber criminals, and as a result, we see businesses investing a lot of money on identifying and detecting attacks, on preventing attacks in the first place, and in responding to live attacks. But they are not spending the same amounts on attack recovery. They may have followed all the relevant guidelines, and even implemented the ISO 27000 standard, but none of that helps them to understand how to build the business back after a serious cyber attack.
Until recent years, this cyber security recovery investment would be spent on an annual tabletop exercise or disaster recovery test and auditing recovery plans. While this should be done, it isn’t enough on its own.
Cyber security insurance is also critical, of course, but it only covers some of the losses. It won’t cover future loss. The reality is most organisations find it very difficult to fully recover from an attack. Those that invest more in disaster recovery and business continuity recover from these attacks far more swiftly than their less-prepared competitors.
The four core components of an effective cyber security recovery program
Pre-emptive action
Responsibilities and accountability
Having the right IT architecture, security and recovery process in place
Learning lessons and implementing changes.
Once these factors are understood, and any weak spots identified, the organisation can focus on re-designing or updating architecture and procedures, and on retraining employees (something that should happen regularly).
Recovery is a process that starts long before a cyber attack occurs. It concludes not when the data is secured, but when the organisation can say that it’s learned everything it can from the event and has made the changes necessary to avoid it happening again.
https://www.helpnetsecurity.com/2022/11/03/cybersecurity-recovery/
Geopolitics Plays Major Role in Cyber Attacks, Says EU Cyber Security Agency
The ongoing Russia-Ukraine conflict has resulted in an increase in hacktivist activity in the past year, with state-sponsored threat actors targeting 128 governmental organisations in 42 countries that support Ukraine, according to the European Union Agency for Cybersecurity (ENISA).
In addition, some threat actors targeted Ukrainian and Russian entities during the early days of the conflict, likely for the collection of intelligence, according to the 10th edition of the ENISA threat landscape report. The report, this year titled Volatile Geopolitics Shake the Trends of the 2022 Cybersecurity Threat Landscape, notes that in general geopolitical situations continue to have a high impact on cyber security.
This year's report identified several attack types frequently used by state-sponsored attackers. These include zero-day and critical vulnerability exploitation; attacks on operational technology (OT) networks; wiper attacks to destroy and disrupt networks of governmental agencies and critical infrastructure entities; and supply chain attacks. Attacks also featured social engineering, disinformation, and threats against data.
State-sponsored threat actors have also been observed targeting entities from countries in Southeast Asia, Japan, Australia, and Taiwan. Due to increased tensions between specific countries in Asia, state-sponsored threat actors have targeted countries (including EU member states) that had established closer ties with Taiwan.
Ransomware remains the top cyber crime attack type this year as well. More than 10 terabytes of data were stolen monthly during the period studied, with phishing identified as the most common initial vector of such attacks. The report also noted that 60% of affected organisations likely have paid the ransom demanded.
The second most used form of attack was DDoS. The largest DDoS attack ever was launched in Europe in July 2022 against a European customer of Akamai. The attack hit a peak at 853.7Gbps and 659.6Mpps (megapackets per second) over 14 hours.
While all sectors fell victim to attacks, public administration and government entities were the most affected, making up 24% of all cyber attack victims. This was followed by digital service providers at 13% and the general public at 12%. These three sectors alone accounted for 50% of all the attacks during this year.
Russian Hackers Account for Most 2021 Ransomware Schemes, US Says
Payment-seeking software made by Russian hackers was used in three quarters of all the ransomware schemes reported to a US financial crime agency in the second half of 2021, a Treasury Department analysis released on Tuesday showed.
In an analysis issued in response to the increase in number and severity of ransomware attacks against critical infrastructure in the United States since late 2020, the US Financial Crimes Enforcement Network (FinCEN) said it had received 1,489 ransomware-related filings worth nearly $1.2 billion in 2021, a 188% jump from the year before.
Out of 793 ransomware incidents reported to FinCEN in the second half of 2021, 75% "had a nexus to Russia, its proxies, or persons acting on its behalf," the report said.
Washington last week hosted a meeting with officials from 36 countries and the European Union, as well as 13 global companies to address the growing threat of ransomware and other cyber crime, including the illicit use of cryptocurrencies.
Exposed: The Global Hacking Network That Targets VIPs
Private investigators linked to the City of London are using an India-based computer hacking gang to target British businesses, government officials and journalists.
The Sunday Times and the Bureau of Investigative Journalism have been given access to the gang’s database, which reveals the extraordinary scale of the attacks. It shows the criminals targeted the private email accounts of more than 100 victims on behalf of investigators working for autocratic states, British lawyers and their wealthy clients. Critics of Qatar who threatened to expose wrongdoing by the Gulf state in the run-up to this month’s World Cup were among those hacked.
It is the first time the inner workings of a major “hack-for-hire” gang have been leaked to the media and it reveals multiple criminal conspiracies. Some of the hackers’ clients are private investigators used by major law firms with bases in the City of London.
The investigation — based on the leaked documents and undercover work in India — reveals:
Orders went out to the gang to target the BBC’s political editor Chris Mason in May, three weeks after his appointment was announced.
The president of Switzerland and his deputy were targeted just days after he met Boris Johnson and Liz Truss in Downing Street to discuss Russian sanctions.
Philip Hammond, then chancellor, was hacked as he was dealing with the fallout of Russia’s novichok poisonings in Salisbury.
A private investigator hired by a London law firm acting for the Russian state ordered the gang to target a British-based oligarch fleeing President Putin.
Michel Platini, the former head of European football, was hacked shortly before he was due to talk to French police about corruption allegations relating to this year’s World Cup.
The hackers broke into the email inboxes of the Formula One motor racing bosses Ruth Buscombe, the British head of race strategy at the Alfa Romeo team, and Otmar Szafnauer, who was chief executive of the Aston Martin team.
The gang seized control of computers owned by Pakistan’s politicians, generals and diplomats and eavesdropped on their private conversations apparently at the behest of the Indian secret services.
The commissioning of hacking is a criminal offence punishable with a maximum sentence of ten years in jail in Britain. The Metropolitan Police was tipped off about the allegations regarding Qatar in October last year, yet chose not to take any action. David Davis, the former cabinet minister, said that the force should reopen its investigation into the cyber attacks against British citizens. Davis said the investigation exposed how London has become “the global centre of hacking”.
https://www.thetimes.co.uk/article/exposed-the-global-hacking-network-that-targets-vips-nff67j67z
Threats
Ransomware and Extortion
International Counter Ransomware Initiative 2022 Joint Statement | The White House
Oreo Giant Mondelez Settles NotPetya 'Act of War' Insurance Suit (darkreading.com)
Extortion fears after hacker stole patient files from Dutch mental health clinics (bitdefender.com)
Ransomware activity and network access sales in Q3 2022 - Security Affairs
Ransomware costs top $1 billion as White House inks new threat-sharing initiative - CyberScoop
FIN7 Cyber crime Group Likely Behind Black Basta Ransomware Campaign (darkreading.com)
Yanluowang ransomware gang goes dark after leaks (techtarget.com)
LockBit 3.0 gang claims to have stolen data from Thales - Security Affairs
Ransomware cost US banks $1.2 billion last year • The Register
Australia sees rise in cyber crimes on back of 'destructive' ransomware, state actors | ZDNET
Australian Defence Department Impacted In Ransomware Attack (informationsecuritybuzz.com)
LockBit ransomware gang claims the hack of the Continental automotive group - Security Affairs
Cyber attack Strikes Global Copper Conglomerate (darkreading.com)
ALMA Observatory shuts down operations due to a cyber attack (bleepingcomputer.com)
Phishing & Email Based Attacks
Robin Banks phishing service returns to steal banking accounts (bleepingcomputer.com)
Attackers leverage Microsoft Dynamics 365 to phish users - Help Net Security
CISA Urges Organisations to Implement Phishing-Resistant MFA | SecurityWeek.Com
130 private Dropbox GitHub repos copied after phish attack • The Register
As Twitter brings on $8 fee, phishing emails target verified accounts (bleepingcomputer.com)
BEC – Business Email Compromise
New Crimson Kingsnake gang impersonates law firms in BEC attacks (bleepingcomputer.com)
Double-check those demand-payment emails from law firms • The Register
Malware
RomCom RAT malware campaign impersonates KeePass, SolarWinds NPM, Veeam (bleepingcomputer.com)
Emotet botnet starts blasting malware again after 4 month break (bleepingcomputer.com)
Drinik banking malware returns: Things you can do to keep your data safe | Mint (livemint.com)
Hacking group abuses antivirus software to launch LODEINFO malware (bleepingcomputer.com)
This stealthy hacking campaign uses a new trick to deliver its malware | ZDNET
Cranefly threat group uses innocent-looking info-stealer • The Register
250+ US news sites spotted spreading FakeUpdates malware in a supply-chain attack - Security Affairs
New Azov data wiper tries to frame researchers and BleepingComputer
Dozens of PyPI packages caught dropping 'W4SP' info-stealing malware (bleepingcomputer.com)
Mobile
US govt employees exposed to mobile attacks from outdated Android, iOS (bleepingcomputer.com)
Cyber-Threat Actor Uses Booby-Trapped VPN App to Deploy Android Spyware (darkreading.com)
Malicious dropper apps on Play Store totaled 30.000+ installations - Security Affairs
New SandStrike spyware infects Android devices via malicious VPN app (bleepingcomputer.com)
Internet of Things – IoT
IoT devices can undermine your security. Here are four ways to boost your defences | ZDNET
Understanding The Importance Of Cyber Resilience In Smart Buildings - IT Security Guru
Data Breaches/Leaks
Royal Mail customer data leak shutters online Click and Drop • The Register
Vodafone Italy discloses data breach after reseller hacked (bleepingcomputer.com)
LockBit 3.0 gang claims to have stolen data from Thales - Security Affairs
Dropbox discloses breach after hacker stole 130 GitHub repositories (bleepingcomputer.com)
Experian tool exposed partial Social Security numbers, putting customers at risk - CyberScoop
Label Giant Multi-Color Corporation Discloses Data Breach | SecurityWeek.Com
Bed Bath & Beyond Discloses Data Breach to SEC (darkreading.com)
Organised Crime & Criminal Actors
Four-year cyber crime campaign targeting African banks netted $30 million - CyberScoop
French-speaking crooks stole $30m in bank cyber-heist spree • The Register
Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain
Fraud, Scams & Financial Crime
Fraudulent Instruction Losses Spike in 2022 - Infosecurity Magazine (infosecurity-magazine.com)
Former Apple worker pleads guilty to $17m fraud charges • The Register
Insurance
Dark Web
Supply Chain and Third Parties
NCSC issues fresh guidance following recent rise in supply chain cyber attacks – Intelligent CISO
Hundreds of US news sites push malware in supply-chain attack (bleepingcomputer.com)
Software Supply Chain
You can up software supply chain security by implementing these measures - Help Net Security
W4SP Stealer Stings Python Developers in Supply Chain Attack (darkreading.com)
Denial of Service DoS/DDoS
FBI: Hacktivist DDoS attacks had minor impact on critical orgs (bleepingcomputer.com)
DDoS Attacks are Upgrading 70% with The Help of CLDAP (analyticsinsight.net)
Cloud/SaaS
Why Identity & Access Management Governance is a Core Part of Your SaaS Security (thehackernews.com)
Top 4 priorities for cloud data protection - Help Net Security
Zscaler's Cloud-Based Cyber security Outages Showcase Redundancy Problem (darkreading.com)
API
Open Source
Passwords, Credential Stuffing & Brute Force Attacks
Social Media
Training, Education and Awareness
Travel
Regulations, Fines and Legislation
ICO Slashes Government Data Breach Fine - Infosecurity Magazine (infosecurity-magazine.com)
SolarWinds reaches $26m settlement, expects SEC action • The Register
How to Prepare for New SEC Cyber security Disclosure Requirements | SecurityWeek.Com
Careers, Working in Cyber and Information Security
How Microsoft works to grow the next generation of cyber defenders - Microsoft Security Blog
Economic Uncertainty Isn't Stopping Cyber crime Recruitment — It's Fueling It (darkreading.com)
How to Narrow the Talent Gap in Cyber security (darkreading.com)
Is there a problem with stress and burnout in cyber security? - IT Security Guru
Law Enforcement Action and Take Downs
Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine
Will cyber saber-rattling drive us to destruction? - Help Net Security
No.10 WhatsApp Use Is Critical Danger To Security (informationsecuritybuzz.com)
Oreo Giant Mondelez Settles NotPetya 'Act of War' Insurance Suit (darkreading.com)
Cyber Threat Actor Uses Booby-Trapped VPN App to Deploy Android Spyware (darkreading.com)
New SandStrike spyware infects Android devices via malicious VPN app (bleepingcomputer.com)
Russian missile strikes overshadow cyber attacks as Ukraine reels from blackouts | CNN Politics
Nation State Actors
Nation State Actors – Russia
Liz Truss 's phone was allegedly hacked by Russian spies - Security Affairs
MPs 'constantly' warned their phones are national security risk (telegraph.co.uk)
US Treasury thwarted attack by Russian hacker group last month-official | Reuters
Russia tries to impose switch to Linux from Windows (freethink.com)
Nation State Actors – China
China-Backed APT10 Supercharges Spy Game With Custom Fileless Backdoor (darkreading.com)
Chinese Hackers Using New Stealthy Infection Chain to Deploy LODEINFO Malware (thehackernews.com)
Nation State Actors – Misc
Vulnerabilities
Critical ConnectWise Vulnerability Affects Thousands of Internet-Exposed Servers | SecurityWeek.Com
Fortinet fixed 16 vulnerabilities, 6 rated as high severity - Security Affairs
Cisco Patches High-Severity Bugs in Email, Identity, Web Security Products | SecurityWeek.Com
You Need to Update Google Chrome, Windows, and Zoom Right Now | WIRED UK
The Sky Is Not Falling: Disclosed OpenSSL Bugs Are Serious but Not Critical (darkreading.com)
Splunk Patches 9 High-Severity Vulnerabilities in Enterprise Product | SecurityWeek.Com
OpenSSL downgrades horror bug after week of speculation • The Register
Follina Exploit Leads to Domain Compromise (thedfirreport.com)
Patch Now: Dangerous RCE Bug Lays Open ConnectWise Server Backup Managers (darkreading.com)
Other News
Meet fundamental cyber security needs before aiming for more - Help Net Security
NCSC Issued 34 Million Cyber Alerts in Past Year - Infosecurity Magazine (infosecurity-magazine.com)
Multi-factor authentication fatigue can blow open security • The Register
WiFi security flaw lets a drone track devices through walls | Engadget
Build Security Around Users: A Human-First Approach to Cyber Resilience (darkreading.com)
The Role of Ethical Hacking in Cyber security (bolton.ac.uk)
Top 10 Ethical Hacking Trends and Predictions for 2023 (analyticsinsight.net)
British govt is scanning all Internet devices hosted in UK (bleepingcomputer.com)
Red Cross Eyes Digital Emblem for Cyber space Protection | SecurityWeek.Com
Security hygiene and posture management requires new tools (techtarget.com)
Offense Gets the Glory, but Defence Wins the Game | SecurityWeek.Com
The 7 Core Pillars of a Zero-Trust Architecture (techtarget.com)
Sector Specific
Industry specific threat intelligence reports are available.
Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.
· Automotive
· Construction
· Critical National Infrastructure (CNI)
· Defence & Space
· Education & Academia
· Energy & Utilities
· Estate Agencies
· Financial Services
· FinTech
· Food & Agriculture
· Gaming & Gambling
· Government & Public Sector (including Law Enforcement)
· Health/Medical/Pharma
· Hotels & Hospitality
· Insurance
· Legal
· Manufacturing
· Maritime
· Oil, Gas & Mining
· OT, ICS, IIoT, SCADA & Cyber-Physical Systems
· Retail & eCommerce
· Small and Medium Sized Businesses (SMBs)
· Startups
· Telecoms
· Third Sector & Charities
· Transport & Aviation
· Web3
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Threat Briefing 02 September 2022
Black Arrow Cyber Threat Briefing 02 September 2022
-79% Of Companies Only Invest in Cyber Security After Hacking Incidents
-Nearly Half of Breaches During First Half of 2022 Involved Stolen Credentials
-Outdated Infrastructure Not Up to Today’s Ransomware Challenges
-Ghost Data Increases Enterprise Business Risk
-Detected Cyber Threats Surge 52% in 1H 2022
-An Interview with Initial Access Broker Wazawaka: ‘There Is No Such Money Anywhere as There is in Ransomware’
-Cyber Crime Underground More Dangerous Than Organisations Realize
-New Ransomware Group BianLian Activity Exploding
-Can Your Passwords Withstand Threat Actors’ Dirty Tricks?
-Ransomware Gangs’ Favourite Targets
-Tentacles of ‘0ktapus’ Threat Group Victimize 130 Firms
-Organisations Are Spending Billions on Malware Defence That’s Easy to Bypass
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
79% Of Companies Only Invest in Cyber Security After Hacking Incidents
The British cyber security company Tanium published a survey on investments in digital protection in UK companies with alarming results: 79% of them only approve investments in cyber security after suffering a data breach; 92% experienced a data attack or breach, of which 74% occurred in 2021. Leadership reticence is also high, with 63% of leaders convinced cyber security is only a concern after an attack.
The complexity of the situation has grown with the digital transformation of work. If it streamlines many processes, it can also open up serious security gaps. A sensitive point is the “home office”: companies need effective solutions to eliminate gaps that may appear between employees’ computers (often shared devices) and the company’s internal network.
Putting in solutions is just the beginning of a necessary strategy and investment effort in virtual protection. Complex scams based on phishing, reverse engineering, and backdoor-type malicious programs (“planted” discreetly on a device and sometimes inactive for months) often combine real-world and virtual-world fraud.
The escalation of corporate data hijacking appears in this scenario. The most notorious case at a global level of such an incident, with a million-dollar ransom demand, was launched in 2021 on Colonial Pipeline. This US company paid $40 million to regain control over strategic data after fuel supplies through its pipelines to several states were threatened for days.
Nearly Half of Breaches During First Half of 2022 Involved Stolen Credentials
According to a new report by Acronis, a Switzerland-based cyber security company, nearly half of breaches during the first six months of 2022 involved stolen credentials.
The goal of stealing credentials is to launch ransomware attacks. According to the report, these “continue to be the number one threat to large and medium-sized businesses, including government organisations.”
Attackers usually use phishing techniques to extract these credentials. In the first half of the year, over 600 malicious email campaigns made their way across the internet, of which 58% were phishing attempts and 28% featured malware.
Acronis also added that “as reliance on the cloud increases, attackers have homed in on different entryways to cloud-based networks.”
Additionally, cyber criminals now also target unpatched or software vulnerabilities to extract data, with a recent increase on Linux operating systems and managed service providers (MSPs) and their network of SMB customers.
The third vector spotted by Acronis was “non-traditional entry avenues” such as cryptocurrencies and decentralised finance (DeFi) systems.
Outdated Infrastructure Not Up to Today’s Ransomware Challenges
A global research commissioned by Cohesity reveals that nearly half of respondents say their company depends on outdated, legacy backup and recovery infrastructure to manage and protect their data. In some cases, this technology is more than 20 years old and was designed long before today’s multicloud era and onslaught of sophisticated cyber attacks plaguing enterprises globally.
Challenges pertaining to outdated infrastructure could easily be compounded by the fact that many IT and security teams don’t seem to have a plan in place to mobilise if and when a cyber attack occurs. Nearly 60% of respondents expressed some level of concern that their IT and security teams would be able to mobilise efficiently to respond to the attack.
These are just some of the findings from an April 2022 survey, conducted by Censuswide, of more than 2,000 IT and SecOps professionals (split nearly 50/50 between the two groups) in the United States, the United Kingdom, Australia and New Zealand. All respondents play a role in the decision-making process for IT or security within their organisations.
IT and security teams should raise the alarm bell if their organisation continues to use antiquated technology to manage and secure their most critical digital asset – their data.
Cyber criminals are actively preying on this outdated infrastructure as they know it was not built for today’s dispersed, multicloud environments, nor was it built to help companies protect and rapidly recover from sophisticated cyber attacks.
https://www.helpnetsecurity.com/2022/08/30/outdated-infrastructure-manage-data/
Ghost Data Increases Enterprise Business Risk
IT has to get its hands around cloud data sprawl. Another area of focus should be on ghost data, as it expands the organisation's cloud attack surface.
Cloud sprawl is a big issue for organisations, with business teams spinning up cloud systems and services on their own, often without IT oversight. That leads to cloud data sprawl as data is scattered across different environments. If IT doesn’t know about the cloud systems and services, then IT is also not managing the data being collected, processed, and stored there.
We all know about shadow IT, the systems and network devices in the organisation’s environment that IT is not managing. Similarly, shadow data refers to unmanaged data store copies and snapshots or log data that are not part of IT’s backup and recovery strategy. Researchers at Cyera estimate that 60% of the data security posture issues that are present in cloud accounts stem from unsecured sensitive data.
Then there is the problem of ghost data. When data gets deleted from cloud systems, it isn’t fully gone. Copies linger in backups or snapshots of data stores. Ghost data refers to those copies left behind after the original has been deleted, and Cyera’s recent analysis show that enterprises have quite a lot of it.
After scanning the three major cloud providers (Amazon Web Services, Azure, and Google Cloud), Cyera researchers found that over 30% of scanned customer cloud data stores are ghost data and more than 58% contain sensitive, or very sensitive, data. For example, researchers found unsecured database snapshots in non-production environments that contained sensitive customer data where the original database had been destroyed. Researchers also uncovered sensitive personal and authentication data in plain text where the production data and application were no longer in use.
Ghost data usually has no business value - the data was deleted for a reason - and having it around unnecessarily increases business risk. Attackers don’t care if they get their hands on the original sensitive information or the copy because to them, all data has value, regardless of the form it takes.
https://www.darkreading.com/edge-threat-monitor/ghost-data-increases-enterprise-business-risk
Detected Cyber Threats Surge 52% in 1H 2022
A leading cyber security vendor blocked 63 billion threats in the first half of 2022 alone, over 50% more than the same period a year ago.
The findings come from the Trend Micro 2022 Midyear Cybersecurity Report and illustrate the scale of the challenge facing network defenders.
Trend Micro highlighted the persistent threat posed by ransomware-as-a-service (RaaS) groups as one that will continue to cause major challenges for organisations in the years to come.
It said detections of prolific groups such as LockBit and Conti increased by 500% year-on-year in 1H 2022. Such groups will continue to adapt their tactics, techniques and procedures (TTPs) in the race for profits.
The report warned of a surge in threats targeting Linux systems, for example. It said detections of attacks on Linux servers and embedded systems grew 75% year-on-year in the first half of 2022. Both SMBs and larger organisations are now a target, it claimed.
Many RaaS groups exploit vulnerabilities as a primary attack vector. Their job is getting easier as the number of published common vulnerabilities and exposures (CVEs) continues to grow strongly.
Trend Micro’s Zero Day Initiative published advisories on 944 vulnerabilities in the first half of 2021, a 23% year-on-year increase. The number of critical bug advisories it published soared by 400% over the same period.
https://www.infosecurity-magazine.com/news/detected-cyberthreats-surge-52-in/
An Interview with Initial Access Broker Wazawaka: ‘There Is No Such Money Anywhere as There is in Ransomware’
Last April, a ransomware group threatened to expose police informants and other sensitive information if the Washington, D.C. Metropolitan Police Department did not pay a demand.
The brazen attack was the work of a gang known as Babuk, which in early 2021 gained a reputation for posting stolen databases on its website from victims that refused to pay a ransom. Just days after it tried to extort the Metropolitan Police Department, Babuk announced it was closing its ransomware affiliate program, and would focus on data theft and extortion instead.
Earlier this year, cyber security journalist Brian Krebs uncovered details about one man behind the operation named Mikhail Matveev, who was also connected to a number of other groups and identities, including the handle ‘Wazawaka.’ According to Krebs, Matveev had become more unhinged than usual, “publishing bizarre selfie videos” and creating a Twitter account to share exploit code.
Matveev talked to Recorded Future about his interaction with other hackers, details about ransomware attacks he’s been involved in, and how he settled on the name Babuk.
Click the link below for the full interview but the long and short is ransomware has created a criminal ecosystem the likes of which the world has never seen.
Cyber Crime Underground More Dangerous Than Organisations Realise
Kela, a cyber threat intelligence specialist, found in a new study of some 400 security pros in the US that organisations are more at risk from the “cyber crime underground” than they realise.
The Israel-based company surveyed security team members responsible for gathering cyber crime threat intelligence daily to better understand if they’re proactively scanning the dark web and other cyber crime sources, what tools they’re using and the gaps they see in their cyber crime threat intelligence approach. Nearly 60% of the respondents do not believe their current cyber crime prevention is effective, the results showed.
Here are the study’s key findings:
69% are concerned about threats from the cyber crime underground.
54% wouldn’t be surprised to find their organisation’s data on the cyber crime underground.
Only 38% believe that they’re very likely to detect it if it was released.
48% have no documented cyber crime threat intelligence policy in place.
Only 41% believe their current security program is very effective.
49% are not satisfied with the visibility they have of the cyber crime underground.
Of the 51% who were satisfied with their visibility into the cyber crime underground, 39% were still unable to prevent an attack.
Additional training and proficiency in cyber crime intelligence investigations is the most needed capability.
New Ransomware Group BianLian Activity Exploding
A new ransomware group operating under the name BianLian emerged in late 2021 and has become increasingly active since.
The threat actor already has twenty alleged victims across several industries (insurance, medicine, law and engineering), according to a research paper from US cyber security firm Redacted, published on September 1, 2022. The majority of the victim organisations have been based in Australia, North America and the UK.
The research team has given no attribution yet but believes the threat actor “represents a group of individuals who are very skilled in network penetration but are relatively new to the extortion/ransomware business.”
BianLian uses a custom toolkit, including homemade encryptors and encryption backdoors. Both, as well as the command-and-control (C&C) software the hackers use, are written in Go, an increasingly popular programming language among ransomware threat actors.
Troublingly, the Redacted team of researchers has found evidence that BianLian is likely now trying to up their game.
https://www.infosecurity-magazine.com/news/new-ransomware-group-bianlian/
Can Your Passwords Withstand Threat Actors’ Dirty Tricks?
Password security hinges on the answer to that seemingly simple question. Unfortunately, you can’t know the answer until you’ve engaged a ruthless penetration tester to find out if your environment can stand up to the frighteningly good password cracking skills of today’s most nefarious hackers.
The whole purpose of hiring skilled penetration testers (“pentesters”) is to find out if your environment is truly impenetrable — and if it’s not, exactly how you should shore up your defences. Good pentesters and red teamers spend their time trying to simulate and emulate the real bad actors. After all, what’s the point of pressure-testing your IT infrastructure if you don’t use the same pressure that you’ll face in the real world?
You should “train like you fight.” Without sparring, how can you expect to jump into a boxing ring and go a few rounds with a skilled boxer? That’s the entire point of goal-based penetration testing and red/purple team engagements that simulate real-world threat actors.
Password cracking will continue to evolve – and so should your penetration testing tactics and plans. By the time you get to your fourth or fifth round with a quality pentesting consultancy, your risk mitigation will have dramatically improved — which means you’ll be able to move on to the next stage of security maturity.
https://www.helpnetsecurity.com/2022/08/30/stand-up-to-password-cracking/
Ransomware Gangs’ Favourite Targets
Barracuda released its fourth-annual threat research report which looks at ransomware attack patterns that occurred between August 2021 and July 2022.
For the 106 highly publicised attacks our researchers analysed, the dominant targets are still five key industries: education (15%), municipalities (12%), healthcare (12%), infrastructure (8%), and financial (6%). The number of ransomware attacks increased year-over-year across each of these five industry verticals, and attacks against other industries more than doubled compared to last year’s report.
While attacks on municipalities increased only slightly, the analysis over the past 12 months showed that ransomware attacks on educational institutions more than doubled, and attacks on the healthcare and financial verticals tripled. Many choose not to disclose when they get hit.
This year, researchers dug in deeper on these highly publicised attacks to see which other industries are starting to be targeted. Service providers were hit the most, and ransomware attacks on automobile, hospitality, media, retail, software, and technology organisations all increased as well.
Most ransomware attacks don’t make headlines, though. Many victims choose not to disclose when they get hit, and the attacks are often sophisticated and extremely hard to handle for small businesses.
As ransomware and other cyber threats continue to evolve, the need for adequate security solutions has never been greater. Many cyber criminals target small businesses in an attempt to gain access to larger organisations. As a result, it is essential for security providers to create products that are easy to use and implement, regardless of a company’s size.
Additionally, sophisticated security technologies should be available as services, so that businesses of all sizes can protect themselves against these ever-changing threats. By making security solutions more accessible and user-friendly, the entire industry can help to better defend against ransomware and other cyber attacks.
https://www.helpnetsecurity.com/2022/08/31/ransomware-attack-patterns/
Tentacles of ‘0ktapus’ Threat Group Victimise 130 Firms
Over 130 companies were tangled in sprawling phishing campaign that spoofed a multi-factor authentication system.
Targeted attacks on Twilio and Cloudflare employees are tied to a massive phishing campaign that resulted in 9,931 accounts at over 130 organisations being compromised. The campaigns are tied to focused abuse of identity and access management firm Okta, which gained the threat actors the 0ktapus moniker, by researchers.
The primary goal of the threat actors was to obtain Okta identity credentials and multi-factor authentication (MFA) codes from users of the targeted organisations. These users received text messages containing links to phishing sites that mimicked the Okta authentication page of their organisation.
114 US-based firms were impacted, with additional victims of sprinkled across 68 additional countries. The full scope of the attack is still unknown but the 0ktapus campaign has been incredibly effective, and the full scale of it may not be known for some time.
The 0ktapus attackers are believed to have begun their campaign by targeting telecommunications companies in hopes of winning access to potential targets’ phone numbers.
While unsure exactly how threat actors obtained a list of phone numbers used in MFA-related attacks, one theory researchers posit is that 0ktapus attackers began their campaign targeting telecommunications companies.
https://threatpost.com/0ktapus-victimize-130-firms/180487/
Organisations Are Spending Billions on Malware Defence That’s Easy to Bypass
Last year, organisations spent $2 billion on products that provide Endpoint Detection and Response, a relatively new type of security protection for detecting and blocking malware targeting network-connected devices. EDRs, as they're commonly called, represent a newer approach to malware detection. Static analysis, one of two more traditional methods, searches for suspicious signs in the DNA of a file itself. Dynamic analysis, the other more established method, runs untrusted code inside a secured "sandbox" to analyse what it does to confirm it's safe before allowing it to have full system access.
EDRs—which are forecasted to generate revenue of $18 billion by 2031 and are sold by dozens of security companies—take an entirely different approach. Rather than analyse the structure or execution of the code ahead of time, EDRs monitor the code's behaviour as it runs inside a machine or network. In theory, it can shut down a ransomware attack in progress by detecting that a process executed on hundreds of machines in the past 15 minutes is encrypting files en masse. Unlike static and dynamic analyses, EDR is akin to a security guard that uses machine learning to keep tabs in real time on the activities inside a machine or network.
Despite the buzz surrounding EDRs, new research suggests that the protection they provide isn't all that hard for skilled malware developers to circumvent. In fact, the researchers behind the study estimate EDR evasion adds only one additional week of development time to the typical infection of a large organisational network. That's because two fairly basic bypass techniques, particularly when combined, appear to work on most EDRs available in the industry.
Threats
Ransomware
Ransomware Research: 10 Key Findings, Five Ways to Defend Against Hijackers - MSSP Alert
LockBit ransomware gang gets aggressive with triple-extortion tactic (bleepingcomputer.com)
New Golang-based 'Agenda Ransomware' Can Be Customized For Each Victim (thehackernews.com)
Chile and Montenegro Floored by Ransomware - Infosecurity Magazine (infosecurity-magazine.com)
Researchers Detail Emerging Cross-Platform BianLian Ransomware Attacks (thehackernews.com)
Ragnar Locker Brags About TAP Air Portugal Breach (darkreading.com)
Police ‘negotiating with hackers’ who hit Paris hospital computer system | World | The Times
Advanced cyber-attack: NHS doctors' paperwork piles up - BBC News
Another Ransomware For Linux Likely In Development - Security Affairs
Montenegro hit by ransomware attack, hackers demand $10 million (bleepingcomputer.com)
Should ransomware payments be banned? A few considerations - Help Net Security
Researchers Spot Snowballing BianLian Ransomware Gang Activity (darkreading.com)
Ragnar Locker continues trend of ransomware targeting energy sector | CSO Online
BlackCat ransomware claims attack on Italian energy agency (bleepingcomputer.com)
Italian Oil Major Becomes Victim Of Ransomware Attack | OilPrice.com
Damart clothing store hit by Hive ransomware, $2 million demanded (bleepingcomputer.com)
Gloucester Council planning site still disrupted from cyber attack - BBC News
BEC – Business Email Compromise
Malware
Malicious Cookie Stuffing Chrome Extensions with 1.4 Million Users | McAfee Blog
A study on malicious plugins in WordPress Marketplaces - Security Affairs
BumbleBee a New Modular Backdoor Evolved From BookWorm (trendmicro.com)
Malicious Chrome Extensions Plague 1.4M Users (darkreading.com)
Mobile
Mobile banking apps put 300,000 digital fingerprints at risk • The Register
Researcher unveils smart lock hack for fingerprint theft (techtarget.com)
Internet of Things – IoT
Skyrocketing IoT Bug Disclosures Put Pressure on Security Teams (darkreading.com)
Singapore clocks higher ransomware attacks, warns of IoT risks | ZDNET
ieGeek Vulnerabilities still prevalent in 2022 - Amazon Ft. IG20 (realinfosec.net)
Data Breaches/Leaks
Okta Says Customer Data Compromised in Twilio Hack | SecurityWeek.Com
Neopets says hackers had access to its systems for 18 months (bleepingcomputer.com)
Akasa Air Suffers Data Leak on First Day of Operation- IT Security Guru
Samsung says hackers obtained some customer data in newly disclosed breach | Engadget
Millions of student loan accounts exposed in data breach | TechRadar
Russian streaming platform confirms data breach affecting 7.5M users (bleepingcomputer.com)
Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain
FBI: Crooks stole $1b+ in cryptocurrency already this year • The Register
Ukraine takes down cyber crime group hitting crypto fraud victims (bleepingcomputer.com)
FBI: Crooks are using these DeFi flaws to steal your money | ZDNET
Windows malware delays coinminer install by a month to evade detection (bleepingcomputer.com)
Crypto-Crooks Spread Trojanized Google Translate App in Watering-Hole Attack (darkreading.com)
Hackers Use ModernLoader to Infect Systems with Stealers and Cryptominers (thehackernews.com)
Insider Risk and Insider Threats
Fraud, Scams & Financial Crime
Insurance
Cyber insurance has been around for 25 years. It’s still a bit of a mess. (slate.com)
Travelers, Policyholder Agree to Void Current Cyber Policy (insurancejournal.com)
Cyber Frauds Skyrocket: Can Cyber Insurance Protect You in Real World? Experts Explain (news18.com)
Google Cloud, Microsoft and AWS dive into cyber insurance - Protocol
Cyber Insurance Price Hike Hits Local Governments Hard (insurancejournal.com)
Insurers must rethink handling of cyber attacks on states | Financial Times (ft.com)
Cyber insurance on rise as attacks surge | Mint (livemint.com)
Dark Web
German man charged for trying to hire fake contract killer on darkweb | Euronews
NATO Investigates Dark Web Leak of Data Stolen From Missile Vendor (darkreading.com)
Supply Chain and Third Parties
Software Supply Chain
Denial of Service DoS/DDoS
Cloud/SaaS
1 in 3 organisations don't know if their public cloud data was exfiltrated - Help Net Security
Real-World Cloud Attacks: The True Tasks of Cloud Ransomware Mitigation (darkreading.com)
Encryption
CISA: Prepare now for quantum computers, not when hackers use them (bleepingcomputer.com)
Homomorphic encryption: a holy grail for privacy, explained (fastcompany.com)
API
Open Source
Passwords, Credential Stuffing & Brute Force Attacks
LastPass source code breach – do we still recommend password managers? – Naked Security (sophos.com)
Social Media
Social media is ruining our lives and the public are finally waking up (telegraph.co.uk)
Thousands lured with blue badges in Instagram phishing attack (bleepingcomputer.com)
Training, Education and Awareness
Privacy
Trident Royal Navy staff reveal sensitive data on fitness app | News | The Times
Cops wanted to keep mass surveillance app secret; privacy advocates refused | Ars Technica
US telcos admit to storing, handing over location data • The Register
Facebook moves to settle Cambridge Analytica lawsuit | TechCrunch
Homomorphic encryption: a holy grail for privacy, explained (fastcompany.com)
Nobody’s special to the WFH software spies | Comment | The Times
Travel
Parental Controls and Child Safety
Scammers Targeting Thousands Of Children As Young As Six, Figures Show (informationsecuritybuzz.com)
Over a Third of Parents Do Not Know What Online Accounts Their Children Use - IT Security Guru
Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine
Why Russia's cyber war in Ukraine hasn't played out as predicted (newatlas.com)
Ukraine's army of hackers failed to thwart Russia and quickly gave up | New Scientist
Moscow gridlock as hackers send dozens of taxis to Hotel Ukraine (telegraph.co.uk)
Finland To Offer Businesses Cybersec Vouchers In Wake Of Nato-related (informationsecuritybuzz.com)
China-linked APT40 used ScanBox Framework in a long-running espionage campaign - Security Affairs
Montenegro says Russian cyber attacks threaten key state functions (bleepingcomputer.com)
Google says it cut off Russian disinformation sites from its vast ad display network - CyberScoop
Ex-spies banned from arms exports for UAE hack-for-hire work • The Register
Nation State Actors
Nation State Actors – Russia
FBI deploys cyber team to Montenegro following massive cyber attack | The Hill
Montenegro Sent Back to Analog by Unprecedented Cyber Attacks | Balkan Insight
Nation State Actors – China
Chinese Hackers Target Energy Firms in South China Sea | SecurityWeek.Com
China-linked APT40 targets wind turbines, Aust. government • The Register
Nation State Actors – Misc
Vulnerabilities
Apple Quietly Releases Another Patch for Zero-Day RCE Bug (darkreading.com)
Google Chrome emergency update fixes new zero-day used in attacks (bleepingcomputer.com)
URGENT! Apple slips out zero-day update for older iPhones and iPads – Naked Security (sophos.com)
WordPress 6.0.2 Patches Vulnerability That Could Impact Millions of Legacy Sites | SecurityWeek.Com
Critical hole in Atlassian Bitbucket needs patching now • The Register
Reports Published in the Last Week
Other News
Former Cyber criminal: These Are the Biggest Threats on the Internet (businessinsider.com)
Stuxnet explained: The first known cyber weapon | CSO Online
Infra Used in Cisco Hack Also Targeted Workforce Management Solution (thehackernews.com)
Okta Impersonation Technique Could be Utilized by Attackers | SecurityWeek.Com
Remote Work Cyber Security: 12 Risks and How to Prevent Them (techtarget.com)
Does your cyber crime prevention program work? - Help Net Security
Does Blockchain really offer Better Digital Security? - IT Security Guru
IT and Employees Don’t Always See Eye to Eye on Cyber Security - IT Security Guru
New Cyber Security Regulations Are Coming. Here’s How to Prepare. (hbr.org)
Cyber security budget breakdown and best practices (techtarget.com)
How Just-in-Time privilege elevation prevents data breaches and lateral movement - Help Net Security
Sector Specific
Industry specific threat intelligence reports are available.
Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.
· Automotive
· Construction
· Critical National Infrastructure (CNI)
· Defence & Space
· Education & Academia
· Energy & Utilities
· Estate Agencies
· Financial Services
· FinTech
· Food & Agriculture
· Gaming & Gambling
· Government & Public Sector (including Law Enforcement)
· Health/Medical/Pharma
· Hotels & Hospitality
· Insurance
· Legal
· Manufacturing
· Maritime
· Oil, Gas & Mining
· OT, ICS, IIoT, SCADA & Cyber-Physical Systems
· Retail & eCommerce
· Small and Medium Sized Businesses (SMBs)
· Startups
· Telecoms
· Third Sector & Charities
· Transport & Aviation
· Web3
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Threat Briefing 20 May 2022
Black Arrow Cyber Threat Briefing 20 May 2022
-Fifth of Businesses Say Cyber Attack Nearly Broke Them
-Weak Security Controls and Practices Routinely Exploited for Initial Access
-How Do Ransomware Attacks Impact Victim Organisations’ Stock?
-Prioritise Patching Vulnerabilities Associated with Ransomware
-Researchers Warn of Advanced Persistent Threats/Nation State Actors (APTs), Data Leaks as Serious Threats Against UK Financial Sector
-Remote Work Hazards: Attackers Exploit Weak WiFi, Endpoints, and the Cloud
-Small Businesses Under Fire from Password Stealers
-Email Is the Riskiest Channel for Data Security
-Phishing Attacks for Initial Access Surged 54% in Q1
-State of Internet Crime in Q1 2022: Bot Traffic on The Rise, And More
-Fears Grow for Smaller Nations After Ransomware Attack on Costa Rica Escalates
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
Fifth of Businesses Say Cyber Attack Nearly Broke Them
A fifth of US and European businesses have warned that a serious cyber attack nearly rendered them insolvent, with most (87%) viewing compromise as a bigger threat than an economic downturn, according to Hiscox.
The insurer polled over 5000 businesses in the US, UK, Ireland, France, Spain, Germany, the Netherlands and Belgium to compile its annual Hiscox Cyber Readiness Report.
It revealed the potentially catastrophic financial damage that a serious cyber-attack can wreak. The number claiming to have nearly been brought down by a breach increased 24% compared to the previous year.
Nearly half (48%) of respondents said they suffered an attack over the past 12 months, a 12% increase from the previous report’s findings. Perhaps unsurprisingly, businesses in seven out of eight countries see cyber as their biggest threat.
Yet perception appears to vary greatly depending on whether an organisation has suffered a serious compromise or not. While over half (55%) of total respondents said they view cyber as a high-risk area, the figure among companies that have not yet suffered an attack is just 36%.
https://www.infosecurity-magazine.com/news/fifth-of-businesses-cyber-attack/
Weak Security Controls and Practices Routinely Exploited for Initial Access
Cyber actors routinely exploit poor security configurations (either misconfigured or left unsecured), weak controls, and other poor cyber hygiene practices to gain initial access or as part of other tactics to compromise a victim’s system. A joint Cybersecurity Advisory by the cyber security authorities of the United States, Canada, New Zealand, the Netherlands, and the United Kingdom identifies commonly exploited controls and practices and includes best practices to mitigate the issues.
Malicious cyber actors often exploit the following common weak security controls, poor configurations, and poor security practices to employ the initial access techniques.
Multifactor authentication (MFA) is not enforced
Incorrectly applied privileges or permissions and errors within access control lists
Software is not up to date
Use of vendor-supplied default configurations or default login usernames and passwords
Remote services, such as a virtual private network (VPN), lack sufficient controls to prevent unauthorised access
Strong password policies are not implemented
Cloud services are unprotected
Open ports and misconfigured services are exposed to the internet
Failure to detect or block phishing attempts
Poor endpoint detection and response.
https://www.cisa.gov/uscert/ncas/alerts/aa22-137a
How Do Ransomware Attacks Impact Victim Organisations’ Stock?
Ransomware has developed into an extremely lucrative business model with little risk involved for the threat actors. Couple this with the willingness of most victim organisations to pay the ransom demand under the assumption it will return business operations to normal - ultimately encouraging more attacks - and we have a big problem with no easy remedies.
Back in 2021, Cybereason published a report titled Ransomware Attacks and the True Cost to Business that revealed the various costs that organisations face after falling victim to a ransomware attack. Here are some of the most significant findings that stood out:
Two-thirds of ransomware victims said that they endured a significant loss of revenue following the attack
More than half (53%) of organisations suffered damage to their brand and reputation after a ransomware infection
A third of those who fell to ransomware lost C-level talent in the attack’s aftermath
Three in 10 organisations had no choice but to lay off employees due to the financial pressures resulting from a ransomware incident
A quarter of ransomware victims said that they needed to suspend operations.
Prioritise Patching Vulnerabilities Associated with Ransomware
In the last quarter, ransomware attacks have made mainstream headlines on a near-daily basis, with groups like Lapsus$ and Conti’s names splashed across the page. Major organisations like Okta, Globant and Kitchenware maker Meyer Corporation have all fallen victim, and they are very much not alone. The data indicates that increasing vulnerabilities, new advanced persistent threat (APT) groups and new ransomware families are contributing to ransomware’s continued prevalence and profitability.
The top stats include:
22 new vulnerabilities and nine new weaknesses have been associated with ransomware since January 2022; of the 22, a whopping 21 are considered of critical or high risk severity
19 (out of 22) of the newly-added vulnerabilities are associated with the Conti ransomware gang
Three new APT groups (Exotic Lily, APT 35, DEV-0401) and four new ransomware families (AvosLocker, Karma, BlackCat, Night Sky) are deploying ransomware to attack their targets
141 of CISA’s Known Exploited Vulnerabilities (KEVs) are being used by ransomware operators – including 18 newly identified this quarter
11 vulnerabilities tied to ransomware remain undetected by popular scanners
624 unique vulnerabilities were found within the 846 healthcare products analysed.
https://www.helpnetsecurity.com/2022/05/19/increase-ransomware-vulnerabilities/
Researchers Warn of Advanced Persistent Threats (APTs), Data Leaks as Serious Threats Against UK Financial Sector
Researchers say that geopolitical tension, ransomware, and cyber attacks using stolen credentials threaten the UK's financial sector.
KELA's security team published a report examining the cyber security issues and attacks that surfaced in 2021 and early 2022, specifically focused on the United Kingdom's banks and other financial services.
The UK was one of the first countries to stand with Ukraine after the invasion by Russia. This could make UK organisations a tempting target for threat actors siding with Russia - whether by state-sponsored advanced persistent threat (APT) groups or hacktivists. The National Cyber Security Centre (NCSC) previously warned businesses to shore up their cyber security following Russia's assault.
APTs are often responsible for attacking the financial sector: account credentials, card numbers, and the personally identifiable information (PII) of customers are useful not only in social engineering and identity theft but also to make fraudulent purchases or for card cloning.
APTs target organisations worldwide, and those located in the UK are no exception. Over the past few years, APTs, including the Chinese APT40 and APT31, have utilised vulnerabilities, including ProxyLogon, to compromise UK businesses.
"In general, APTs may target the financial sector to commit fraud, burglarise ATMs, execute transactions, and penetrate organisations' internal financial systems," KELA says. "Although specific threats to the UK financial sector have not been identified, there is no doubt that the UK has occasionally been a target of APT groups during 2021."
Exposed corporate information and leaked credentials are also of note. After browsing Dark Web forums, the researchers found that UK data is "in demand" by cyber criminals who are seeking PII, access credentials, and internal data.
Remote Work Hazards: Attackers Exploit Weak WiFi, Endpoints, and the Cloud
Infoblox unveils a global report examining the state of security concerns, costs, and remedies. As the pandemic and uneven shutdowns stretch into a third year, organisations are accelerating digital transformation projects to support remote work. Meanwhile, attackers have seized on vulnerabilities in these environments, creating more work and larger budgets for security teams.
1,100 respondents in IT and cyber security roles in 11 countries – United States, Mexico, Brazil, United Kingdom, Germany, France, the Netherlands, Spain, United Arab Emirates, Australia, and Singapore – participated in the survey.
The surge in remote work has changed the corporate landscape significantly – and permanently. 52% of respondents accelerated digital transformation projects, 42% increased customer portal support for remote engagement, 30% moved apps to third party cloud providers, and 26% shuttered physical offices for good. These changes led to the additions of VPNs and firewalls, a mix of corporate and employee owned devices as well as cloud and on-premises DDI servers to manage data traffic across the expanded network.
The hybrid workforce reality is causing greater concerns with data leakage, ransomware and attacks through remote access tools and cloud services. Respondents indicate concerns about their abilities to counter increasingly sophisticated cyber attacks with limited control over employees, work-from-home technologies, and vulnerable supply chain partners. The sophistication of state-sponsored malware also is a source of worry for many.
Organisations have good reason to worry: 53% of respondents experienced up to five security incidents that led to at least one breach.
https://www.helpnetsecurity.com/2022/05/17/state-of-security/
Small Businesses Under Fire from Password Stealers
Password-stealing malware and other cyber attacks have increased significantly against small businesses over the past year, according to Kaspersky researchers.
An assessment released this week detailed the number of Trojan Password Stealing Ware (PSW) detections, internet attacks and attacks on Remote Desktop Protocol (RDP) between January and April 2022, compared with the same time frame from 2021. Kaspersky's research showed a jump in the detection of password stealers within small business environments, as well as increases in other types of cyber attacks.
According to Kaspersky, the biggest increase in threats against small businesses was password stealers, specifically Trojan PSWs. There were nearly 1 million more detected Trojan PSWs targeting small and medium-sized businesses in the first trimester of 2022 than the first of 2021, increasing from 3,029,903 to 4,003,323.
Email Is the Riskiest Channel for Data Security
Research from Tessian and the Ponemon Institute reveals that nearly 60% of organisations experienced data loss or exfiltration caused by an employee mistake on email in the last 12 months.
Email was revealed as the riskiest channel for data loss in organisations, as stated by 65% of IT security practitioners. This was closely followed by cloud file-sharing services (62%) and instant messaging platforms (57%).
The research surveyed 614 IT security practitioners across the globe to also reveal that:
Employee negligence, because of not following policies, is the leading cause of data loss incidents (40%)
27% of data loss incidents are caused by malicious insiders
It takes up to three days for security and risk management teams to detect and remediate a data loss and exfiltration incident caused by a malicious insider on email
23% of organisations experience up to 30 security incidents involving employees’ use of email every month (for example, email was sent to an unintended recipient).
The most common types of confidential and sensitive information lost or intentionally stolen include: customer information (61%); intellectual property (56%); and consumer information (47%). User-created data (sensitive email content, text files, M&A documents), regulated data (credit card data, Social Security numbers, national ID numbers, employee data), and intellectual property were identified as the three types of data that are most difficult to protect from data loss.
The top two consequences for data loss incidents were revealed as non-compliance with data protection regulations (57%) and damage to an organisation’s reputation (52%). Furthermore, a previous study from Tessian found that 29% of businesses lost a client or customer because of an employee sending an email to the wrong person.
https://www.helpnetsecurity.com/2022/05/20/data-loss-email/
Phishing Attacks for Initial Access Surged 54% in Q1
Threat actors doubled down on their use of phishing emails as an initial attack vector during the first quarter of 2022 — and in many cases then used that access to drop ransomware or to extort organisations in other ways.
Researchers from Kroll recently analysed data gathered from security incidents they responded to in the first three months of this year. The analysis showed a 54% increase in incidents of phishing for initial access compared with the same period last year.
For the first time since Microsoft disclosed the so-called ProxyLogon set of vulnerabilities in Exchange Server in the first quarter of 2021, incidents tied to email compromises surpassed those related to ransomware. Kroll described the sharp increase in phishing activity as likely the result of a surge in activity tied to Emotet and IceID malware — threat actors have been using both to drop other malware.
https://www.darkreading.com/risk/phishing-attacks-for-initial-access-surged-q1
Fears Grow for Smaller Nations After Ransomware Attack on Costa Rica Escalates
Conti demanded $20M in ransom — and the overthrow of the government.
It’s been a rough start for the newly elected Costa Rica president Rodrigo Chaves, who less than a week into office declared his country “at war” with the Conti ransomware gang.
“We’re at war and this is not an exaggeration,” Chaves told local media. “The war is against an international terrorist group, which apparently has operatives in Costa Rica. There are very clear indications that people inside the country are collaborating with Conti.”
Conti’s assault on the Costa Rican government began in April. The country’s Finance Ministry was the first hit by the Russia-linked hacking group, and in a statement on May 16, Chaves said the number of institutions impacted had since grown to 27. This, he admitted, means civil servants wouldn’t be paid on time and will impact the country’s foreign trade.
In a message posted to its dark web leaks blog, Conti urged the citizens of Costa Rica to pressure their government to pay the ransom, which the group doubled from an initial $10 million to $20 million. In a separate statement, the group warned: “We are determined to overthrow the government by means of a cyber attack, we have already shown you all the strength and power.”
Conti is among the most prolific hacking groups. The FBI warned earlier this year that the gang was among “the three top variants” that targeted businesses in the United States, and it has been blamed for ransomware attacks targeting dozens of businesses, including Fat Face, Shutterfly and the Irish healthcare service.
But Conti has picked up its pace in recent months: In January and February it published 31 victims on its leaks blog. In March and April, it posted 133 victims.
https://techcrunch.com/2022/05/20/costa-rica-ransomware-attack/
Threats
Ransomware
Ransomware Gangs Rely More on Weaponizing Vulnerabilities (bleepingcomputer.com)
Ransomware Gang Extorted 725 BTC in One Attack, On-Chain Sleuths Find (coindesk.com)
5 Critical Questions to Test Your Ransomware Preparedness - Help Net Security
“Alarming” Surge in Conti Group Activity This Year - Infosecurity Magazine
Why AI-Powered Ransomware Cyber Attacks Could Be Coming Soon - Protocol
Nikkei Says Customer Data Likely Impacted in Ransomware Attack | SecurityWeek.Com
Wizard Spider Hackers Hire Cold Callers to Scare Ransomware Victims Into Paying Up | ZDNet
Greenland Hit by Cyber Attack, Finds Its Health Service Crippled (bitdefender.com)
Conti Ransomware Shuts Down Operation, Rebrands into Smaller Units (bleepingcomputer.com)
No One Is Slowing Down BlackByte Ransomware Gang • The Register
President Rodrigo Chaves says Costa Rica is at war with Conti hackers - BBC News
Engineering Firm Parker Discloses Data Breach After Ransomware Attack (bleepingcomputer.com)
US links Thanos and Jigsaw ransomware to 55-year-old doctor (bleepingcomputer.com)
Russian Conti Ransomware Gang Threatens to Overthrow New Costa Rican Government (thehackernews.com)
Phishing & Email Based Attacks
This Phishing Attack Delivers Three Forms of Malware. And They All Want to Steal Your Data | ZDNet
HTML Attachments Remain Popular Among Phishing Actors In 2022 (bleepingcomputer.com)
Chatbot Army Deployed in Latest DHL Shipping Phish (darkreading.com)
Phishing Gang That Stole Over 400,000 Euros Busted in Spain (tripwire.com)
Long Lost @ Symbol Gets New Life Obscuring Malicious URLs | Malwarebytes Labs
Spanish Police Dismantle Phishing Gang That Emptied Bank Accounts (bleepingcomputer.com)
Malware
Microsoft Identifies Botnet Variant Targeting Windows and Linux Systems - Infosecurity Magazine
Activity of the Linux XorDdos bot increased by 254% over the last 6 monthsSecurity Affairs
Fake Domains Offer Windows 11 Installers - But Deliver Malware Instead | ZDNet
Bruised but Not Broken: The Resurgence of the Emotet Botnet Malware (trendmicro.com)
Malicious PyPI Pymafka Package Opens Backdoors On Windows, Linux, and Macs (bleepingcomputer.com)
April VMware Bugs Abused to Deliver Mirai Malware, Exploit Log4Shell | Threatpost
Mobile
6 Scary Tactics Used in Mobile App Attacks (darkreading.com)
Researchers Find Potential Way to Run Malware on iPhone Even When it's OFF (thehackernews.com)
Google TAG: Cytrox's Predator Spyware Used to Target Android Users | WIRED
IoT
Data Breaches/Leaks
Organised Crime & Criminal Actors
Ukrainian Hacker Jailed for 4-Years in U.S. for Selling Access to Hacked Servers (thehackernews.com)
US Recovers a Record $15m from the 3ve Ad-Fraud Crew • The Register
Cryptocurrency/Cryptomining/Cryptojacking/NFTs
How Cryptocurrencies Enable Attackers and Defenders (techtarget.com)
Monero-Mining Sysrv Botnet Targets Windows, Linux Web Servers • The Register
US Brings First-Of-Its-Kind Bitcoin Sanctions-Busting Case • The Register
Fake Pixelmon NFT Site Infects You with Password-Stealing Malware (bleepingcomputer.com)
Hackers Compromise a String of NFT Discord Channels (vice.com)
Fraud, Scams & Financial Crime
Supply Chain and Third Parties
MITRE Creates Framework for Supply Chain Security (darkreading.com)
The Four Horsemen of Software Supply Chain Attacks - MSSP Alert
Cloud/SaaS
7 Key Findings from the 2022 SaaS Security Survey Report (thehackernews.com)
New Research Identifies Poor IAM Policies as The Greatest Cloud Vulnerability - CyberScoop
Are You Investing in Securing Your Data in the Cloud? (thehackernews.com)
380K Kubernetes API Servers Exposed to Public Internet | Threatpost
Open Source
Privacy
How To Ensure That the Smart Home Doesn’t Jeopardize Data Privacy? - Help Net Security
Privacy. Ad Bidders Haven't Heard of It, Report Reveals • The Register
Third-Party Web Trackers Log What You Type Before Submitting (bleepingcomputer.com)
Passwords & Credential Stuffing
The Most Insecure and Easily Hackable Passwords - Help Net Security
Half of IT Leaders Store Passwords in Shared Docs - Infosecurity Magazine
Cyber Bullying and Cyber Stalking
Regulations, Fines and Legislation
Europe Moves Closer to Stricter Cyber Security Standards • The Register
EU's NIS 2 Directive to Strengthen Cyber Security Requirements For Companies - Help Net Security
Spyware, Espionage & Cyber Warfare, including Russian Invasion of Ukraine
Google TAG: Cytrox's Predator Spyware Used to Target Android Users | WIRED
How Mobile Networks Have Become a Front in the Battle for Ukraine (darkreading.com)
China-linked Twisted Panda Caught Spying on Russian R&D Orgs • The Register
Pro-Russian Hackers Spread Hoaxes to Divide Ukraine, Allies | SecurityWeek.Com
A custom PowerShell RAT Targets Germany Using Crisis in Ukraine as Bait - Security Affairs
Nation State Actors
Nation State Actors – Russia
Putin Promises to Bolster Russia's IT Security in Face of Cyber Attacks | Reuters
Russian Hackers Declare War On 10 Countries After Failed Eurovision DDoS attack | IT PRO
Pro-Russian Information Operations Escalate in Ukraine War (darkreading.com)
Russian Undersea Cable Threat Shifts Tech Business to UK (telegraph.co.uk)
Russians Allegedly Storm Ukrainian ISP, Blackmail It to Switch To Russian Networks - CyberScoop
Russia-linked Sandworm Continues to Conduct Attacks Against Ukraine - Security Affairs
Russian Cyber Attack on Eurovision Foiled By Italian Authorities (bitdefender.com)
This Russian Botnet Does Far More Than DDoS Attacks - And on A Massive Scale | ZDNet
Nation State Actors – China
Nation State Actors – North Korea
Nation State Actors – Iran
Vulnerabilities
QNAP Urges Users to Update NAS Devices to Prevent Deadbolt Ransomware Attacks (thehackernews.com)
Cisco Fixes an IOS XR Flaw Actively Exploited in The Wild - Security Affairs
2 Vulnerabilities With 9.8 Severity Ratings Are Under Exploit. A 3rd Looms | Ars Technica
Microsoft Rushes a Fix After May Patch Tuesday Breaks Authentication (darkreading.com)
Microsoft Fixes New PetitPotam Windows NTLM Relay Attack Vector (bleepingcomputer.com)
Apple Patches Zero-Day Kernel Hole and Much More – Update Now! – Naked Security (sophos.com)
High-Severity Bug Reported in Google's OAuth Client Library for Java (thehackernews.com)
Over 20,000 Zyxel Firewalls Still Exposed to Critical Bug - Infosecurity Magazine
Apple Fixes the Sixth Zero-Day Since The Beginning of 2022 - Security Affairs
Mozilla Patches Wednesday’s Pwn2Own Double-Exploit… on Friday! – Naked Security (sophos.com)
Critical Vulnerability in Premium WordPress Themes Allows for Site Takeover | Threatpost
Critical Jupiter WordPress Plugin Flaws Let Hackers Take Over Sites (bleepingcomputer.com)
Apple Finally Patches Exploited Vulnerabilities in macOS Big Sur, Catalina | SecurityWeek.Com
NVIDIA Fixes Ten Vulnerabilities in Windows GPU Display Drivers (bleepingcomputer.com)
New Brute Force Attacks Against SQL Servers Use PowerShell Wrapper | SecurityWeek.Com
Sector Specific
Retail/eCommerce
How Crooks Backdoor Sites and Scrape Credit Card Info • The Register
Digital Skimming is Now the Preserve of Non-Magecart Groups - Infosecurity Magazine
Energy & Utilities
Water Companies Are Increasingly Uninsurable Due To Ransomware, Industry Execs Say - CyberScoop
UK Announces Nuclear Cyber Security Strategy - IT Security Guru
Education and Academia
Ransomware Attack Exposes Data of 500,000 Chicago Students (bleepingcomputer.com)
Higher Education Institutions Being Targeted for Ransomware Attacks | TechRepublic
“Incompetent” Council Leaks Details of Students With Special Educational Needs • Graham Cluley
Researchers Find Backdoor in School Management Plugin for WordPress (thehackernews.com)
Other News
UK Government: Lack of Skills the Number One Issue in Cyber Security - Infosecurity Magazine
Malicious Hackers Are Finding It Too Easy to Achieve Their Initial Access (tripwire.com)
How Threat Actors Are a Click Away From Becoming Quasi-APTs (darkreading.com)
Cyber Security: Global Food Supply Chain at Risk From Malicious Hackers - BBC News
Cyber Security Agencies Reveal Top Initial Access Attack Vectors (bleepingcomputer.com)
50% of Orgs Rely on Email to Manage Security (darkreading.com)