Threat Intelligence Blog

Contact us to discuss any insights from our Blog, and how we can support you in a tailored threat intelligence report.

Black Arrow Admin Black Arrow Admin

Black Arrow Cyber Threat Briefing 04 November 2022

Black Arrow Cyber Threat Briefing 04 November 2022:

-NCSC Looks Back on Year Of ‘Profound Change’ for Cyber

-LastPass Research Finds False Sense of Cyber Security Running Rampant

-Insurance Giant Settles NotPetya ‘Act of War’ Lawsuit, Signaling Cyber Insurance Shakeup

-Microsoft Warns of Uptick in Hackers Leveraging Publicly-Disclosed 0-Day Vulnerabilities

-Chinese Mob Has 100K Slaves Working in Cambodian Cyber Crime Mills

-Ransomware Research: 17 Leaked Databases Operated by Threat Actors Threaten Third Party Organisations

-Not Enough Ransomware Victims Are Reporting Attacks, And That's a Problem for Everyone

-Hackers Selling Access to 576 Corporate Networks for $4 Million

-Cyber Security Recovery is a Process That Starts Long Before a Cyber Attack Occurs

-Geopolitics Plays Major Role in Cyber Attacks, Says EU Cyber Security Agency

-Russian Hackers Account for Most 2021 Ransomware Schemes, US Says

-Exposed: The Global Hacking Network That Targets VIPs

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

  • NCSC Looks Back on Year Of ‘Profound Change’ for Cyber

The UK’s National Cyber Security Centre (NCSC) provided support for 18 nationally significant ransomware attacks; removed 2.1 million cyber-enabled commodity campaigns; issued 34 million early warning alerts about attacks, compromises, vulnerabilities or open ports; and received 6.5 million reports of suspicious emails in the past 12 months – but in a year of “profound change” in the cyber security landscape, it was Russia’s invasion of Ukraine that dominated the agenda.

Reflecting on the past 12 months as she launched the NCSC’s latest annual report on 1 November at an event in London, NCSC CEO Lindy Cameron said that the return of war to Europe with Russia’s invasion of Ukraine presented a unique set of challenges in cyber space for the NCSC and its partners and allies.

Cameron added that while the cyber threat from Russia has perhaps been the most visible security issue of 2022, it was also important not to forget that when it comes to nation-state actors, it will likely be the technical development and evolution of China that ultimately has the more lasting impact on the UK’s national cyber security.

https://www.computerweekly.com/news/252526766/NCSC-looks-back-on-year-of-profound-change-for-cyber

  • LastPass Research Finds False Sense of Cyber Security Running Rampant

LastPass released findings from its fifth annual Psychology of Password findings, which revealed even with cyber security education on the rise, password hygiene has not improved. Regardless of generational differences across Boomers, Millennials and Gen Z, the research shows a false sense of password security given current behaviours across the board. In addition, LastPass found that while 65% of all respondents have some form of cyber security education — through school, work, social media, books or via online courses — the reality is that 62% almost always or mostly use the same or variation of a password.

The survey, which explored the password security behaviours of 3,750 professionals across seven countries, asked about respondents’ mindset and behaviours surrounding their online security. The findings highlighted a clear disconnect between high confidence when it comes to their password management and their unsafe actions. While the majority of professionals surveyed claimed to be confident in their current password management, this doesn’t translate to safer online behaviour and can create a detrimental false sense of safety.

Key findings from the research include:

  • Gen Z is confident when it comes to their password management, while also being the biggest offenders of poor password hygiene.

  • Cyber security education doesn’t necessarily translate to action.

  • Confidence creates a false sense of password security.

The latest research showcases that even in the face of a pandemic, where we spent more time online amid rising cyber attacks, there continues to be a disconnect for people when it comes to protecting their digital lives. Even though nearly two-thirds of respondents had some form of cyber security education, it is not being put into practice for varying reasons.

https://www.darkreading.com/vulnerabilities-threats/untitled

  • Insurance Giant Settles NotPetya ‘Act of War’ Lawsuit, Signaling Cyber Insurance Shakeup

The settlement last week in a $100 million lawsuit over whether insurance giant Zurich should cover losses Mondelez International suffered from NotPetya may very well reshape the entire cyber insurance marketplace.

Zurich initially denied claims from Mondelez after the malware, which experts estimate caused some $10 billion in damages globally, wreaked havoc on its computer networks. The insurance provider claimed an act of war exemption since it’s widely believed Russian military hackers unleashed NotPetya on a Ukrainian company before it spread around the world.

Now, however, it’s increasingly clear insurers aren’t off the hook for NotPetya payouts or from covering losses from other attacks with clear links to nation-state hackers.

That’s because in this case, what Mondelez and many other corporations endured was not an act of war, but “collateral damage” in a much larger cyber conflict that had nothing to do with them, said the Center for Strategic and International Studies.

There needs to be a rethink what act of war means in cyber space when it comes to insurance. The current definitions come out of the 19th century when we had pirates, navies and privateers.

Last week’s ruling in favour of Mondelez follows a January ruling in a New Jersey court that sided with global pharmaceutical company Merck in a similar case. Its insurance companies initially refused to pay for damages from NotPetya. Merck claimed losses that amounted to $1.4 billion. The insurers are appealing the ruling.

Insurers seized on the NotPetya episode to test how courts would rule on cyber coverage questions, particularly when there’s so much evidence pointing to one particular nation-state actor. Since NotPetya was widely attributed to the Russian government it gave the industry a “really strong opportunity” to set legal precedent limiting their responsibility in these instances.

Insurers will start to be much more upfront about the fact that they aren’t going to cover acts of cyber war or limit payouts for NotPetya type incidents in the future.

https://www.cyberscoop.com/insurance-giant-settles-notpetya-lawsuit/

  • Microsoft Warns of Uptick in Hackers Leveraging Publicly-Disclosed 0-Day Vulnerabilities

Microsoft is warning of an uptick among nation-state and criminal actors increasingly leveraging publicly-disclosed zero-day vulnerabilities for breaching target environments.

The tech giant, in its 114-page Digital Defense Report, said it has "observed a reduction in the time between the announcement of a vulnerability and the commoditisation of that vulnerability," making it imperative that organisations patch such exploits in a timely manner.

This also corroborates with an April 2022 advisory from the US Cybersecurity and Infrastructure Security Agency (CISA), which found that bad actors are "aggressively" targeting newly disclosed software bugs against broad targets globally.

Microsoft noted that it only takes 14 days on average for an exploit to be available in the wild after public disclosure of a flaw, stating that while zero-day attacks are initially limited in scope, they tend to be swiftly adopted by other threat actors, leading to indiscriminate probing events before the patches are installed.

It further accused Chinese state-sponsored groups of being "particularly proficient" at discovering and developing zero-day exploits. This has been compounded by the fact that the Cyberspace Administration of China (CAC) enacted a new vulnerability reporting regulation in September 2021 that requires security flaws to be reported to the government prior to them being shared with the product developers.

Redmond further said the law could enable government-backed elements to stockpile and weaponise the reported bugs, resulting in the increased use of zero-days for espionage activities designed to advance China's economic and military interests.

https://thehackernews.com/2022/11/microsoft-warns-of-uptick-in-hackers.html

  • Chinese Mob Has 100K Slaves Working in Cambodian Cyber Crime Mills

Up to 100,000 people from across Asia have been lured to Cambodia by Chinese crime syndicates with the promise of good jobs. When they arrive, their passports are seized and they are put to work in modern-day sweatshops, running cyber crime campaigns.

The Los Angeles Times reported that Cambodia, which was hit hard economically by the pandemic, has allowed Chinese mobsters to set up enormous cyber crime operations using human trafficked labour without consequence, because of the revenue it generates for the country. The campaigns they carry out run the gamut from romance scams to fake sports betting.

Although the Cambodian government acknowledges that as many as 100,000 workers are involved in these activities, it denies anyone is being held against their will. However, the stories from traumatised victims rescued from cyber crime mills include tales of beatings and torture for failing to meet quotas, and of being sold and passed around from gang to gang.

https://www.darkreading.com/attacks-breaches/chinese-mob-100k-slaves-cambodian-cybercrime-mills

  • Ransomware Research: 17 Leaked Databases Operated by Threat Actors Threaten Third Party Organisations

Ransomware remains a serious threat to organisations, Deep Instinct, a New York-based deep learning cyber security specialist, said in its recently released 2022 Interim Cyber Threat Report.

It’s no surprise, the company said, as there are currently 17 leaked databases operated by threat actors who are leveraging the data for attacks on third-party companies, most notably social engineering, credential theft, and triple-extortion attacks.

Here are the report’s key findings:

  • Changes in ransomware gangs, including LockBit, Hive, BlackCat, and Conti. The latter has spawned “Conti Splinters” made up of former affiliates Quantum, BlackBasta, and BlackByte.

  • Significant changes to tactics by Emotet, Agent Tesla, NanoCore, and others. For example, Emotet uses highly obfuscated VBA macros to avoid detection.

  • The use of documents for malware has decreased as the top attack vector, following Microsoft’s move to disable macros by default in Microsoft Office files. Threat actors have already pivoted to other methods such as LNK, HTML, and archive email attachments.

  • Vulnerabilities such as SpoolFool, Follina and DirtyPipe highlighted the exploitability of both Windows and Linux systems despite efforts to enhance their security.

  • The number of exploited in-the-wild vulnerabilities spikes every 3-4 months. The next spike is expected to occur by the end of the year.

  • Threat actor groups are extending data exfiltration attacks to demand ransoms from third-party companies if the leaked data contains their sensitive information.

The report also makes three predictions:

  • More inside jobs. Malicious threat actors look for the weakest link, which is often in the supply chain. Groups like Lapsus$ do not rely on exploits but instead look for insiders who are willing to sell access to data within their organisation.

  • Rise of protestware. Look for a spike in protestware, which is self-sabotaging one’s software and weaponising it with malware capabilities in an effort to harm all or some of its users. The war between Russia and Ukraine has caused a surge in protestware.

  • End of year attacks. While no major vulnerability in 2022 has emerged similar to the Log4J or the Exchange cases in 2021, there is an increase year-over-year in the number of publicly assigned CVEs for reported vulnerabilities. For now, threat actors are still exploiting old vulnerabilities during 2022 simply because there is a plethora of unpatched systems for 2021 CVEs but that will change.

Organisations are warned to be on their guard. 2022 has been another record year for cyber criminals and ransomware gangs. It’s no secret that these threat actors are constantly upping their game with new and improved tactics designed to evade traditional cyber defences. Defenders must continue to be vigilant and find new approaches to prevent these attacks from happening.

https://www.msspalert.com/cybersecurity-research/ransomware-research-17-leaked-databases-operated-by-threat-actors-threaten-third-party-organizations/

  • Ransomware: Not Enough Victims Are Reporting Attacks, And That's a Problem for Everyone

Ransomware continues to be a significant cyber threat to businesses and the general public – but it's difficult to know the true impact of attacks because many victims aren't coming forward to report them.

The warning comes in the National Cyber Security Centre (NCSC) Annual Review for 2022, which looks back at key developments and incidents in cyber crime over the last year, with ransomware described as an "ever present" threat and a "major challenge" to businesses and public services.

That's demonstrated by how the review details how in the 12-month period between 1 September 2021 and 31 August 2022 there were 18 ransomware incidents that needed a "nationally coordinated" response. These included attacks on a supplier to the National Health Service (NHS) and a ransomware attack against South Staffordshire Water.

However, the true impact of ransomware remains unclear, because the NCSC says that many organisations that fall prey to ransomware attacks aren't disclosing them.

That lack of reporting is despite the significant and disruptive consequences ransomware attacks can have, not only for organisations that fall victim, but for wider society – which is why it's vital that cyber security is taken seriously and incidents are reported.

https://www.zdnet.com/article/ransomware-not-enough-victims-are-reporting-attacks-and-that-increases-the-threat-for-everyone/

  • Hackers Selling Access to 576 Corporate Networks for $4 Million

A new report shows that hackers are selling access to 576 corporate networks worldwide for a total cumulative sales price of $4,000,000, fuelling attacks on the enterprise.

The research comes from Israeli cyber-intelligence firm KELA which published its Q3 2022 ransomware report, reflecting stable activity in the sector of initial access sales but a steep rise in the value of the offerings.

Although the number of sales for network access remained about the same as in the previous two quarters, the cumulative requested price has now reached $4,000,000. For comparison, the total value of initial access listings in Q2 2022 was $660,000, recording a drop in value that coincided with the summer ransomware hiatus that hurt demand.

Initial access brokers (IABs) are hackers who sell access to corporate networks, usually achieved through credential theft, webshells, or exploiting vulnerabilities in publicly exposed hardware. After establishing a foothold on the network, the threat actors sell this corporate access to other hackers who use it to steal valuable data, deploy ransomware, or conduct other malicious activity. The reasons IABs choose not to leverage network access vary, ranging from lacking diverse intrusion skills to preferring not to risk increased legal trouble.

IABs still play a crucial role in the ransomware infection chain, even if they got sidelined last year when big ransomware gangs that operated as crime syndicates operated their own IAB departments.

https://www.bleepingcomputer.com/news/security/hackers-selling-access-to-576-corporate-networks-for-4-million/

  • Cyber Security Recovery is a Process That Starts Long Before a Cyber Attack Occurs

Organisations are racing to stay ahead of cyber criminals, and as a result, we see businesses investing a lot of money on identifying and detecting attacks, on preventing attacks in the first place, and in responding to live attacks. But they are not spending the same amounts on attack recovery. They may have followed all the relevant guidelines, and even implemented the ISO 27000 standard, but none of that helps them to understand how to build the business back after a serious cyber attack.

Until recent years, this cyber security recovery investment would be spent on an annual tabletop exercise or disaster recovery test and auditing recovery plans. While this should be done, it isn’t enough on its own.

Cyber security insurance is also critical, of course, but it only covers some of the losses. It won’t cover future loss. The reality is most organisations find it very difficult to fully recover from an attack. Those that invest more in disaster recovery and business continuity recover from these attacks far more swiftly than their less-prepared competitors.

The four core components of an effective cyber security recovery program

  1. Pre-emptive action

  2. Responsibilities and accountability

  3. Having the right IT architecture, security and recovery process in place

  4. Learning lessons and implementing changes.

Once these factors are understood, and any weak spots identified, the organisation can focus on re-designing or updating architecture and procedures, and on retraining employees (something that should happen regularly).

Recovery is a process that starts long before a cyber attack occurs. It concludes not when the data is secured, but when the organisation can say that it’s learned everything it can from the event and has made the changes necessary to avoid it happening again.

https://www.helpnetsecurity.com/2022/11/03/cybersecurity-recovery/

  • Geopolitics Plays Major Role in Cyber Attacks, Says EU Cyber Security Agency

The ongoing Russia-Ukraine conflict has resulted in an increase in hacktivist activity in the past year, with state-sponsored threat actors targeting 128 governmental organisations in 42 countries that support Ukraine, according to the European Union Agency for Cybersecurity (ENISA).

In addition, some threat actors targeted Ukrainian and Russian entities during the early days of the conflict, likely for the collection of intelligence, according to the 10th edition of the ENISA threat landscape report. The report, this year titled Volatile Geopolitics Shake the Trends of the 2022 Cybersecurity Threat Landscape, notes that in general geopolitical situations continue to have a high impact on cyber security.

This year's report identified several attack types frequently used by state-sponsored attackers. These include zero-day and critical vulnerability exploitation; attacks on operational technology (OT) networks; wiper attacks to destroy and disrupt networks of governmental agencies and critical infrastructure entities; and supply chain attacks. Attacks also featured social engineering, disinformation, and threats against data.

State-sponsored threat actors have also been observed targeting entities from countries in Southeast Asia, Japan, Australia, and Taiwan. Due to increased tensions between specific countries in Asia, state-sponsored threat actors have targeted countries (including EU member states) that had established closer ties with Taiwan.

Ransomware remains the top cyber crime attack type this year as well. More than 10 terabytes of data were stolen monthly during the period studied, with phishing identified as the most common initial vector of such attacks. The report also noted that 60% of affected organisations likely have paid the ransom demanded.

The second most used form of attack was DDoS. The largest DDoS attack ever was launched in Europe in July 2022 against a European customer of Akamai. The attack hit a peak at 853.7Gbps and 659.6Mpps (megapackets per second) over 14 hours.

While all sectors fell victim to attacks, public administration and government entities were the most affected, making up 24% of all cyber attack victims. This was followed by digital service providers at 13% and the general public at 12%. These three sectors alone accounted for 50% of all the attacks during this year.

https://www.csoonline.com/article/3678771/geopolitics-plays-major-role-in-cyberattacks-says-eu-cybersecurity-agency.html#tk.rss_news

  • Russian Hackers Account for Most 2021 Ransomware Schemes, US Says

Payment-seeking software made by Russian hackers was used in three quarters of all the ransomware schemes reported to a US financial crime agency in the second half of 2021, a Treasury Department analysis released on Tuesday showed.

In an analysis issued in response to the increase in number and severity of ransomware attacks against critical infrastructure in the United States since late 2020, the US Financial Crimes Enforcement Network (FinCEN) said it had received 1,489 ransomware-related filings worth nearly $1.2 billion in 2021, a 188% jump from the year before.

Out of 793 ransomware incidents reported to FinCEN in the second half of 2021, 75% "had a nexus to Russia, its proxies, or persons acting on its behalf," the report said.

Washington last week hosted a meeting with officials from 36 countries and the European Union, as well as 13 global companies to address the growing threat of ransomware and other cyber crime, including the illicit use of cryptocurrencies.

https://www.reuters.com/technology/us-says-many-ransomware-attacks-late-2021-were-connected-russian-actors-2022-11-01/

  • Exposed: The Global Hacking Network That Targets VIPs

Private investigators linked to the City of London are using an India-based computer hacking gang to target British businesses, government officials and journalists.

The Sunday Times and the Bureau of Investigative Journalism have been given access to the gang’s database, which reveals the extraordinary scale of the attacks. It shows the criminals targeted the private email accounts of more than 100 victims on behalf of investigators working for autocratic states, British lawyers and their wealthy clients. Critics of Qatar who threatened to expose wrongdoing by the Gulf state in the run-up to this month’s World Cup were among those hacked.

It is the first time the inner workings of a major “hack-for-hire” gang have been leaked to the media and it reveals multiple criminal conspiracies. Some of the hackers’ clients are private investigators used by major law firms with bases in the City of London.

The investigation — based on the leaked documents and undercover work in India — reveals:

  • Orders went out to the gang to target the BBC’s political editor Chris Mason in May, three weeks after his appointment was announced.

  • The president of Switzerland and his deputy were targeted just days after he met Boris Johnson and Liz Truss in Downing Street to discuss Russian sanctions.

  • Philip Hammond, then chancellor, was hacked as he was dealing with the fallout of Russia’s novichok poisonings in Salisbury.

  • A private investigator hired by a London law firm acting for the Russian state ordered the gang to target a British-based oligarch fleeing President Putin.

  • Michel Platini, the former head of European football, was hacked shortly before he was due to talk to French police about corruption allegations relating to this year’s World Cup.

  • The hackers broke into the email inboxes of the Formula One motor racing bosses Ruth Buscombe, the British head of race strategy at the Alfa Romeo team, and Otmar Szafnauer, who was chief executive of the Aston Martin team.

  • The gang seized control of computers owned by Pakistan’s politicians, generals and diplomats and eavesdropped on their private conversations apparently at the behest of the Indian secret services.

The commissioning of hacking is a criminal offence punishable with a maximum sentence of ten years in jail in Britain. The Metropolitan Police was tipped off about the allegations regarding Qatar in October last year, yet chose not to take any action. David Davis, the former cabinet minister, said that the force should reopen its investigation into the cyber attacks against British citizens. Davis said the investigation exposed how London has become “the global centre of hacking”.

https://www.thetimes.co.uk/article/exposed-the-global-hacking-network-that-targets-vips-nff67j67z


Threats

Ransomware and Extortion

Phishing & Email Based Attacks

BEC – Business Email Compromise

Malware

Mobile

Internet of Things – IoT

Data Breaches/Leaks

Organised Crime & Criminal Actors

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

Fraud, Scams & Financial Crime

Insurance

Dark Web

Supply Chain and Third Parties

Software Supply Chain

Denial of Service DoS/DDoS

Cloud/SaaS

API

Open Source

Passwords, Credential Stuffing & Brute Force Attacks

Social Media

Training, Education and Awareness

Travel

Regulations, Fines and Legislation

Careers, Working in Cyber and Information Security

Law Enforcement Action and Take Downs

Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine






Other News

Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

·       Automotive

·       Construction

·       Critical National Infrastructure (CNI)

·       Defence & Space

·       Education & Academia

·       Energy & Utilities

·       Estate Agencies

·       Financial Services

·       FinTech

·       Food & Agriculture

·       Gaming & Gambling

·       Government & Public Sector (including Law Enforcement)

·       Health/Medical/Pharma

·       Hotels & Hospitality

·       Insurance

·       Legal

·       Manufacturing

·       Maritime

·       Oil, Gas & Mining

·       OT, ICS, IIoT, SCADA & Cyber-Physical Systems

·       Retail & eCommerce

·       Small and Medium Sized Businesses (SMBs)

·       Startups

·       Telecoms

·       Third Sector & Charities

·       Transport & Aviation

·       Web3

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Read More
Black Arrow Admin Black Arrow Admin

Black Arrow Cyber Threat Briefing 28 October 2022

Black Arrow Cyber Threat Briefing 28 October 2022:

-‘Biggest Cyber Risk Is Complacency, Not Hackers’ - UK Information Commissioner Issues Warning as Construction Company Fined £4.4 Million

-Ransomware Threat Shifts from US to EMEA and APAC

-Phishing Attacks Increase by Over 31% In Third Quarter

-UK Urged to Watch for Fraud as People Aim to Make Extra Cash in Cost of Living Crisis

-HR Departments Play a Key Role in Cyber Security

-The Long-Term Psychological Effects of Ransomware Attacks

-7 Hidden Social Media Cyber Risks for Enterprises

-54% of Staff Would Reconsider Working for a Firm That Had Experienced a Cyber Breach, Research Finds

-Evolve as Fast as the Cyber Criminals: Protect Your Business Now, Before it’s Too Late

-Enterprise Ransomware Preparedness Improving but Still Lacking

-Why Are There So Many Data Breaches? A Growing Industry of Criminals is Brokering in Stolen Data

-How The "pizza123" Password Could Take Down an Organisation

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

  • ‘Biggest Cyber Risk Is Complacency, Not Hackers’ - UK Information Commissioner Issues Warning as Construction Company Fined £4.4 Million

The UK Information Commissioner has warned that companies are leaving themselves open to cyber attack by ignoring crucial measures like updating software and training staff.

The warning comes as the Information Commissioner’s Office (ICO) issued a fine of £4,400,000 to Interserve Group Ltd, a Berkshire based construction company, for failing to keep personal information of its staff secure. This is a breach of data protection law.

The ICO found that the company failed to put appropriate security measures in place to prevent a cyber attack, which enabled hackers to access the personal data of up to 113,000 employees through a phishing email.

The compromised data included personal information such as contact details, national insurance numbers, and bank account details, as well as special category data including ethnic origin, religion, details of any disabilities, sexual orientation, and health information.

John Edwards, UK Information Commissioner, said:

 “The biggest cyber risk businesses face is not from hackers outside of their company, but from complacency within their company. If your business doesn't regularly monitor for suspicious activity in its systems and fails to act on warnings, or doesn't update software and fails to provide training to staff, you can expect a similar fine from my office.

 “Leaving the door open to cyber attackers is never acceptable, especially when dealing with people’s most sensitive information. This data breach had the potential to cause real harm to Interserve’s staff, as it left them vulnerable to the possibility of identity theft and financial fraud.

 “Cyber attacks are a global concern, and businesses around the world need to take steps to guard against complacency. The ICO and NCSC already work together to offer advice and support to businesses, and this week I will be meeting with regulators from around the world, to work towards consistent international cyber guidance so that people’s data is protected wherever a company is based.”

https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2022/10/biggest-cyber-risk-is-complacency-not-hackers/

  • Ransomware Threat Shifts from US to EMEA and APAC

The volume of ransomware detections in Q3 2022 was the lowest in two years, but certain geographical regions have become bigger targets as attacks on US organisations wane, according to SonicWall. The security vendor used its own threat detection network, including over one million security sensors in more than 200 countries, to reveal the current landscape.

The good news is that global malware volumes have remained flat for the past three quarters, amounting to a total of over four billion detections in the year to date. Of these, ransomware is also trending down after a record-breaking 2021. Even so, SonicWall detected 338 million compromise attempts in the first three quarters of the year.

Year-to-date ransomware attempts in 2022 have already exceeded the full-year totals from four of the past five years, the vendor claimed. While attacks on US organisations dipped by 51% year-on-year during the period, they increased significantly in the UK (20%), EMEA (38%) and APAC (56%).

The cyber-warfare battlefront continues to shift, posing dangerous threats to organisations of all sizes. With expanding attack surfaces, growing numbers of threats and the current geopolitical landscape, it should be no surprise that even the most seasoned IT professional can feel overwhelmed.

https://www.infosecurity-magazine.com/news/ransomware-threat-shifts-from-us/

  • Phishing Attacks Increase by Over 31% In Third Quarter

Email security and threat detection company Vade has found that phishing emails in the third quarter this year increased by more than 31% quarter on quarter, with the number of emails containing malware in the first three quarters surpassing the 2021 level by 55.8 million.

Malware emails in the third quarter of 2022 alone increased by 217% compared to same period in 2021. Malware email volume peaked in July, reaching 19.2 million, before month-over-month declines in August and September, with numbers dropping to 16.8 million and 16.5 million respectively.

According to the report, email is the preferred attack vector for phishing and malware, as it gives hackers a direct channel to users, the weakest link in an organisation’s attack surface. The report analyses phishing and malware data captured by Vade, which does business internationally.

As attacks become more sophisticated, Vade said, they also become increasingly capable of evading the basic security offered by email providers, which almost eight in 10 businesses still rely on, according to Vade’s research.

While the activity of threat actors fluctuates, Vade’s research found that impersonating trusted and established brands remains the most popular strategy for hackers. In the third quarter of 2022, Facebook was the most impersonated brand for the second consecutive quarter, followed by Google, MTB, PayPal, and Microsoft.

The financial services sector remains the most impersonated industry, representing 32% of phishing emails detected by Vade, followed by cloud at 25%, social media at 22%, and internet/telco at 13%.

As phishing attacks increase, the techniques used by threat actors continue to evolve. While phishing campaigns were traditionally large scale and random, more recent campaigns seen by Vade suggest that hackers have pivoted to using more targeted campaigns.

https://www.csoonline.com/article/3678311/phishing-attacks-increase-by-over-31-in-third-quarter-report.html#tk.rss_news

  • UK Urged to Watch for Fraud as People Aim to Make Extra Cash in Cost of Living Crisis

Brits have been warned to “stay alert for fraud” as more people are out to make extra cash as the cost of living rises across the country.

UK Finance said that more than half (56%) of people admitted that they are likely to look for opportunities to make extra money in the coming months, which could leave some people more susceptible to fraud.

According to the trade association’s Take Five To Stop Fraud campaign, one in six, or 16%, of people said the rising cost of living means they are more likely to respond to an unprompted approach from someone offering an investment opportunity or a loan.

Young people were more likely to be at risk, the data suggested, which surveyed 2,000 people across the UK. More than a third (34%) of 18 to 34-year-olds said they are more likely to respond to an unprompted approach from someone, with three in 10 (30%) also more likely to provide their personal or financial details to secure the arrangement.

Overall, three in five people (60%) said they are concerned about falling victim to financial fraud or a scam. It comes as recent figures from UK Finance showed that £609.8m was lost due to fraud and scams in the first half of this year.

https://uk.news.yahoo.com/uk-watch-for-fraud-extra-cash-cost-of-living-crisis-230154352.html

  • HR Departments Play a Key Role in Cyber Security

A common shortcoming of human resources (HR) departments is that — despite being an operation designed to put humans at the centre of how an organisation is run — they often fail to adequately align with their IT counterparts and the core technology systems that define how a business is run and protected from cyber-risk.

Insufficient coordination between HR and IT processes and procedures remains common and gives rise to security gaps that can represent some of the most dangerous vulnerabilities on a company's attack surface. Let's examine the scope of the challenge and some key cyber-asset management priorities that can close the schism for a more robust cyber security posture.

Gone are the days when HR's role in securing the enterprise relied on basic tutorials for employees about protecting passwords on company equipment. Today's threat environment intersects with the workforce in more ways than ever — from bring-your-own-device (BYOD) and authentication gaps to user vulnerabilities that make spear-phishing seem quaint. Traditional social engineering attacks are now being augmented by zero-click exploits that compromise employee devices without the user ever having to click a link or take any action at all.

Beyond malicious threats, even routine HR processes can introduce risk to the organisation when they're not adequately aligned with the IT processes in an organisation. As just one example, when an employee leaves a company, the offboarding goes far beyond just the exit interview to also include removing access to multiple enterprise systems, accounts, and devices — all of which require close coordination between HR and IT personnel and systems.

To better secure the enterprise, it's mission-critical to get HR and IT more united in a common and advanced understanding of cyber hygiene and risk mitigation. This relies on enhanced awareness of the impact that HR processes have on cyber assets in other parts of the organisation, as well as the HR role in access management for employees and contractors. This requires asset visibility that must be ongoing and in real time, since our roles, devices, and access to data and systems may change multiple times over the course of our employment.

https://www.darkreading.com/vulnerabilities-threats/hr-departments-play-a-key-role-in-cybersecurity

  • The Long-Term Psychological Effects of Ransomware Attacks

Northwave has conducted scientific research into the psychological effects of a ransomware crisis on both organisations and individuals. The findings reveal the deep marks that a ransomware crisis leaves on all those affected. It also shows how their IT and security teams can turn in disarray long after the crisis itself has passed.

The research reveals how the psychological impact of ransomware attacks can persist on people in affected organisations for a very long time. It shows that crisis team members may develop serious symptoms far later. Top management and HR need to take measures against this, in fact right from the very beginning of the crisis. They are the ones bearing responsibility for the well-being of their staff.

They also discovered how teams have fallen apart some time after the crisis, with members leaving or staying home on sick-leave. The study reveals that effects can linger throughout the organisation. All in all the investigation shows that this invisible impact of a cyber crisis is an issue for the general business management, and certainly also for HR.

Northwave regards the response to a cyber attack as occurring in three phases. First comes the actual crisis situation, which evolves into an incident phase after about a week. A plan of action is then in place, and recovery measures are launched. The fire has been largely extinguished after a month or so, with the first (basic) functionalities available again.

Full recovery can take one to two years. Each phase has its specific effects on the minds and bodies of those involved, and by extension, on the organisation or parts of it. “On average a company is down for three weeks following a malware attack,” notes Van der Beijl. “But it surprised us that the impact persists for so long afterwards. Psychological issues are still surfacing a year after the actual crisis.”

One of every seven employees involved in the attack, either directly or indirectly, exhibits severe enough symptoms several months later, at a level considered to be above the clinical threshold at which professional trauma treatment help is needed. One in five employees say they would actually have needed more professional help subsequently in coming to terms with the attack. One in three liked to have more knowledge and concrete tools to deal with the psychological effects of the attack.

A ransomware attack has enduring psychological effects on the way employees view the world. Two-thirds of employees, including those not actually involved in the attack, now believe the world is less safe. As one IT manager pointed out, “I’ve become far more suspicious. The outside world is a dangerous place.”

https://www.helpnetsecurity.com/2022/10/25/psychological-effects-ransomware/

  • 7 Hidden Social Media Cyber Risks for Enterprises

Whether they use it to amplify the brand, recruit new employees, advertise new products, or even sell directly to consumers, corporate brands love social media.

According to recent figures, brand advertising on social media is up by 53% in the last year, and that's not accounting for further investments that brands are making in developing and distributing content. They're pushing viral videos, funny memes, podcasts, written material, and more to increase engagement with their customers.

And brands are doing it across not only the old reliable social networks like Facebook and Twitter, but also emerging platforms like TikTok. In fact, according to another recent study, in 2022 marketers are expanding their horizons, with their increased content investments focused on areas like live streaming, long-form and short-form video content, virtual reality and augmented reality content, experimental content, and live audio chat rooms. The top platforms they're focused on most for increasing spending are now TikTok, Instagram, YouTube, and LinkedIn.

With the broadening of these social-media marketing strategies comes more risk. Whether an organisation uses social media to amplify its brand, or its executives and employees leverage social channels to bolster their professional and personal brands, these marketing platforms are a breeding ground for a wide range of cyber attacks and scams, including in the areas of artificial intelligence, deepfakes, and biometrics.

Cyber criminals, fraudsters, spies, and activists work around the clock to take advantage of emerging attack surfaces that arise from enterprise use of social media. The article below presents just a few avenues that organisations may overlook when they double-down on their social media investments.

https://www.darkreading.com/application-security/7-hidden-social-media-cyber-risks-enterprises

  • 54% of Staff Would Reconsider Working for a Firm That Had Experienced a Cyber Breach, Research Finds

Over half (54%) of office workers would reconsider working for a company that had recently experienced a cyber breach. That's according to a new study by cyber security technology provider, Encore.

An independent study of 100 C-level executives, 100 Chief Information Security Officers (CISOs) and 500 office workers in the US and the UK, conducted by Censuswide, sought to uncover the gap that remains between boards and security teams when it comes to addressing cyber demands.

Only a third (33%) of staff said they would be "completely unphased" if their employer suffered a cyber break-in. The majority (57%) of C-level executives polled said they have been breached in the last 12 months alone. Most office workers, however, were unaware, with only 39% believing their organisation had been the victim of a successful attack.

The immediate financial cost of a cyber-attack remains the number one concern for businesses, but security teams are learning that there is a long tail to these breaches, with employees at risk of losing faith in their company, its ethics and values and its overarching responsibilities to the general public. In a competitive market, this is a stark warning to businesses across the world. Keeping your staff in the dark about cyber risk is a fundamental error, not to mention the additional impact of delayed disclosure to customers.

41% of C-level executives polled named reputational damage as one of the biggest costs to their business following a cyber-attack, with 34% agreeing that loss of clientele or their trust was a significant cost.

Despite many admitting to suffering a cyber breach in the last year, the overwhelming majority (92%) of CISOs and C-level executives polled believe their business is secure at any given moment. Encore believes that a mindset shift is needed at an organisational level, treating cyber incidents and the security of employee and customer data as a fundamental part of normal business operations, not a function that sits on the outside, looking in.

https://www.darkreading.com/careers-and-people/54-of-staff-would-reconsider-working-for-a-firm-that-had-experienced-a-cyber-breach-research-finds

  • Evolve as Fast as the Cyber Criminals: Protect Your Business Now, Before It’s Too Late

According to the 2022 Cyber Threat Report, 2021 saw a global average increase of 105% in the number of ransomware attacks. Proofpoint's 2022 State of the Phish report said that a staggering 82% of UK businesses that experienced a ransomware attack sent payment to the cyber criminals – believing this was the cheapest and easiest way to regain access to their data. However, in many cases criminals simply took the payment without restoring access and the organisation finds itself on criminal target lists as it has demonstrated that attacks pay off. Even when decryption keys are handed over it can take an extended period of time to restore data.

One attack, on a hospital in Dusseldorf, Germany, was implicated in the death of a patient who had to be diverted to an alternative site as the A&E department had been forced to close due to the loss of core computer systems. It appears that the attack had been misdirected, and the hackers – who were quickly apprehended by the police – handed over the encryption keys immediately when they realised what had happened. Nevertheless, the decryption process was slow. It began in the early hours of September 11 and by September 20 the hospital was still unable to add or retrieve information, or even send emails. 30 servers had been corrupted.

The methods and techniques required to conduct a cyber-attack have never been more accessible. Whether it is on the darknet or through open-source content, the ability to purchase material that allows a malicious user to conduct a cyber-attack is readily available. Conducting a ransomware attack and using it to extort money from companies and government services alike, is now viewed as a viable business model by organised criminals.

https://www.itsecurityguru.org/2022/10/28/evolve-as-fast-as-the-cybercriminals-protect-your-business-now-before-its-too-late/

  • Enterprise Ransomware Preparedness Improving but Still Lacking

The majority of organisations have made ransomware preparedness a top-five business priority, yet only half believe their preparedness is stronger than it was two years ago. That is according to a recent survey, "The Long Road Ahead to Ransomware Preparedness" by Enterprise Strategy Group, a division of TechTarget.

Despite warnings and available preparedness resources, ransomware continues to distress companies. Seventy-nine percent of survey respondents said they suffered a successful attack within the last year, and 73% reported they had one or more attacks that caused negative financial impact or disrupted business operations in the same time period.

The good news is the board and the C-suite are finally getting the message that more needs to be done to address impending ransomware attempts. In fact, 79% of respondents said business leaders made ransomware preparedness a top business priority, and 82% of organisations plan to invest more in ransomware preparedness over the next 12 to 18 months.

With preparedness investments expected to grow, the survey asked how organisations currently tackle ransomware. Respondents said the most important prevention tactics involve efforts in the following:

  • network security (43%)

  • backup infrastructure security (40%)

  • endpoint security (39%)

  • email security (36%)

  • data encryption (36%)

Ongoing activities cited included data recovery testing, employee security awareness training, response readiness assessments, incident response functional exercises, penetration testing, incident planning and playbook development, phishing simulation programs, tabletop exercises, and blue/red/purple team engagements.

https://www.techtarget.com/searchsecurity/feature/Enterprise-ransomware-preparedness-improving-but-still-lacking

  • Why Are There So Many Data Breaches? A Growing Industry of Criminals is Brokering in Stolen Data

New details have emerged on the severity of the Australian Medibank hack, which has now affected all users. Optus, Medibank, Woolworths, and, last Friday, electricity provider Energy Australia are all now among the Australian household names that have fallen victim to a data breach.

If it seems like barely a week goes by without news of another incident like this, you would be right. Cyber crime is on the rise – seven major Australian businesses were affected by data breaches in the past month alone.

But why now? And who is responsible for this latest wave of cyber attacks?

In large part, the increasing number of data breaches is being driven by the growth of a global illicit industry that trades in your data. In particular, hackers known as “initial access brokers” specialise in illegally gaining access to victim networks and then selling this access to other cyber criminals.

Hackers and initial access brokers are just one part of a complex and diversifying cyber crime ecosystem. This ecosystem contains various cyber criminal groups who increasingly specialise in one particular aspect of online crime and then work together to carry out the attacks.

Ransomware attacks are complex, involving up to nine different stages. These include gaining access to a victim’s network, stealing data, encrypting a victim’s network, and issuing a ransom demand. Increasingly, these attacks are carried out not by lone cyber criminal groups, but rather by networks of different cyber crime groups, each of which specialises in a different stage of the attack.

Initial access brokers will often carry out the first stage of a ransomware attack. Described by Google’s Threat Analysis Group as “the opportunistic locksmiths of the security world”, it’s their job to gain access to a victim’s network.

https://theconversation.com/why-are-there-so-many-data-breaches-a-growing-industry-of-criminals-is-brokering-in-stolen-data-193015

  • How The "pizza123" Password Could Take Down an Organisation

Criminal hackers took responsibility for a recent FastCompany breach, saying they exploited an easily guessed default password, "pizza123." The business magazine reused the weak password across a dozen WordPress accounts, according to the hackers, who described the attack in their own article on FastCompany.com before the publication took the site down.

The breach, the bitter taste of pizza123, and the plight of malicious push notifications, demand caution when selecting and managing passwords.

The hackers claimed to have used the vulnerable password pizza123 to access authentication tokens, Apple News API keys, and Amazon Simple Email Service (SES) tokens. Then they sent offensive push notifications to the home screens of subscribers of the FastCompany channel on the Apple News service.

After decades of investment in sculpting the organisation's brand image, a business can watch its reputation flounder in the face of an obscene push notification. The sentiment of millions of faithful customers can turn sour in an instant. By the time organisations block the messages and make public apologies, the harm is done.

Customers can swap to a competitor, or even sue for the offence when they have entrusted a publisher to provide safe content. Regulatory bodies can fine organisations. The company can spend time and money defending itself in court and restoring its image. But malicious push notifications can do a lot worse than offend customers—criminal hackers can load messages with malware and infect consumer devices, leading to privacy violations and consumer financial fraud.

People often build passwords using the first word that comes to mind and a brief series of numbers. Pizza123 is a perfect example of an easy-to-guess password. Employees will create passwords already appearing on breached password lists. Criminal hackers use brute force attacks to confirm working passwords from the same lists.

Nearly two-thirds of employees reuse their passwords. The more they reuse them across business and personal accounts, the more likely criminal hackers will breach them and test them on the organisation. Hackers know to try the same passwords on different companies they hack because of password reuse.

Robust password management enables fine-grained password policies and policy customisation. With a custom password policy, organisations can increase complexity requirements, like length and previous-password change minimums. A custom password policy with increased complexity requirements will block 95% of weak and breached passwords.

Password length is a particularly critical component of strong passwords. Ninety-three percent of the passwords used in brute force attacks include eight or more characters. A custom password policy can require a minimum password length, decreasing password entropy.

https://www.bleepingcomputer.com/news/security/how-the-pizza123-password-could-take-down-an-organization/


Threats

Ransomware and Extortion

Phishing & Email Based Attacks

Other Social Engineering; Smishing, Vishing, etc

Malware

Mobile

Internet of Things – IoT

Data Breaches/Leaks

Organised Crime & Criminal Actors

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

Insider Risk and Insider Threats

Fraud, Scams & Financial Crime

Insurance

Dark Web

Software Supply Chain

Denial of Service DoS/DDoS

Cloud/SaaS

Hybrid Working

Attack Surface Management

Encryption

API

Open Source

Passwords, Credential Stuffing & Brute Force Attacks

Biometrics

Social Media

Cyber Bullying, Cyber Stalking and Sextortion

Regulations, Fines and Legislation

Data Protection

Law Enforcement Action and Take Downs

Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine







Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

·       Automotive

·       Construction

·       Critical National Infrastructure (CNI)

·       Defence & Space

·       Education & Academia

·       Energy & Utilities

·       Estate Agencies

·       Financial Services

·       FinTech

·       Food & Agriculture

·       Gaming & Gambling

·       Government & Public Sector (including Law Enforcement)

·       Health/Medical/Pharma

·       Hotels & Hospitality

·       Insurance

·       Legal

·       Manufacturing

·       Maritime

·       Oil, Gas & Mining

·       OT, ICS, IIoT, SCADA & Cyber-Physical Systems

·       Retail & eCommerce

·       Small and Medium Sized Businesses (SMBs)

·       Startups

·       Telecoms

·       Third Sector & Charities

·       Transport & Aviation

·       Web3


As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Read More