Threat Intelligence Blog
Contact us to discuss any insights from our Blog, and how we can support you in a tailored threat intelligence report.
Black Arrow Cyber Threat Briefing 23 September 2022
Black Arrow Cyber Threat Briefing 23 September 2022:
-Cyber Insurers Clamp Down on Clients' Self-Attestation of Security Controls
-Survey Shows CISOs Losing Confidence in Ability to Stop Ransomware Attacks
-MFA Fatigue: Hackers’ New Favourite Tactic In High-Profile Breaches
-Credential Stuffing Accounts For One-third Of Global Login Attempts, Okta Finds
-Ransomware Operators Might Be Dropping File Encryption In Favour Of Corrupting Files
-Revolut Hack Exposes Data Of 50,000 Users, Fuels New Phishing Wave
-Researchers Say Insider Threats Play A Larger Role In Security Incidents
-SMBs vs. Large Enterprises: Not All Compromises Are Created Equal
-Cyber Attack Costs for Businesses up by 80%
-Morgan Stanley Fined $35m By SEC For Data Security Lapse, Sold Devices Full of Customer PII
-Eyeglass Reflections Can Leak Information During Video Calls
-Uber Says It Was Likely Hacked by Teenage Hacker Gang LAPSUS$
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
Cyber Insurers Clamp Down on Clients' Self-Attestation of Security Controls
After one company suffered a breach that could have been headed off by the MFA it claimed to have, insurers are looking to confirm claimed cyber security measures.
A voided lawsuit from a cyber insurance carrier claiming its customer misled it on its insurance application could potentially pave the way to change how underwriters evaluate self-attestation claims on insurance applications.
The case — Travelers Property Casualty Company of America v. International Control Services Inc. (ICS) — hinged on ICS claiming it had multifactor authentication (MFA) in place when the electronics manufacturer applied for a policy. In May the company experienced a ransomware attack. Forensics investigators determined there was no MFA in place, so Travelers asserted it should not be liable for the claim. The case was filed in the US District Court for the Central District of Illinois on July 6 and at the end of August, the litigants agreed to void the contract, ending ICS's efforts to have its insurer cover its losses.
This case was unusual in that Travelers maintained the misrepresentation "materially affected the acceptance of the risk and/or the hazard assumed by Travelers" in the court filing. Taking a client to court is a departure from other similar cases where an insurance company simply denied the claim.
Sean O'Brien of Yale Law School notes that security should be proactive, stopping possible breaches before they occur rather than simply responding to each successful attack. The insurance industry is likely to become more and more pernickety as cyber security claims rise, defending their bottom line and avoiding reimbursement wherever possible. This has always been the role of insurance adjusters, of course, and their business is in many ways adversarial to your organisation's interests after the dust settles from a cyber attack.
That said, organisations should not expect a payout for poor cyber security policies and practices, he notes.
Survey Shows CISOs Losing Confidence in Ability to Stop Ransomware Attacks
Despite an 86% surge in budget resources to defend against ransomware, 90% of organisations were impacted by attacks last year, a survey reveals.
An annual survey of CISOs from Canada, the UK, and US reveals that security teams are starting to lose hope that they can defend against the next ransomware attack. The survey was conducted by SpyCloud, and it showed that although budgets to protect against cyber attacks have swelled by 86%, a full 90% of organisations surveyed said they had been impacted by a ransomware over the past year.
More organisations have implemented 'Plan B' measures this year, from opening cryptocurrency accounts to purchasing ransomware insurance. These findings suggest that organisations realise threats are slipping through their defences and a ransomware attack is inevitable.
The survey did show some bright spots on the cyber security front — nearly three-quarters of those organisations surveyed are using multifactor authentication (MFA), with an increase from 44% to 73% year-over-year. The report added that respondents said they are focused on stopping credential-stealing malware, particularly on unmanaged network devices.
MFA Fatigue: Hackers’ New Favourite Tactic in High-Profile Breaches
Hackers are more frequently using social engineering attacks to gain access to corporate credentials and breach large networks. One component of these attacks that is becoming more popular with the rise of multi-factor authentication is a technique called MFA Fatigue.
When breaching corporate networks, hackers commonly use stolen employee login credentials to access VPNs and the internal network. The reality is that obtaining corporate credentials is far from difficult for threat actors, who can use various methods, including phishing attacks, malware, leaked credentials from data breaches, or purchasing them on dark web marketplaces.
To counter this, enterprises have increasingly adopted multi-factor authentication to prevent users from logging into a network without first entering an additional form of verification. This additional information can be a one-time passcode, a prompt asking you to verify the login attempt, or the use of hardware security keys.
While threat actors can use numerous methods to bypass multi-factor authentication, most revolve around stealing cookies through malware or man-in-the-middle phishing attack frameworks. However, a social engineering technique called 'MFA Fatigue' is growing more popular with threat actors as it does not require malware or phishing infrastructure and has proven to be successful in attacks.
An MFA Fatigue attack is when a threat actor runs a script that attempts to log in with stolen credentials over and over, causing what feels like an endless stream of MFA push requests to be sent to the account's owner's mobile device. The goal is to keep this up, day and night, to break down the target's cyber security posture and inflict a sense of "fatigue" regarding these MFA prompts.
Credential Stuffing Accounts for One-third Of Global Login Attempts
Okta’s global State of Secure Identity Report has found that credential stuffing is the top threat against customer accounts, outpacing legitimate login traffic in some countries. The report presents trends, examples and observations unearthed from the billions of authentications on Okta’s Auth0 platform.
Credential stuffing is when attacks take advantage of the practice of password reuse. It begins with a stolen login or password pair, then threat actors use these credentials across other common sites, using automated tooling used to “stuff” credential pairs into login forms. When an account holder reuses the same (or similar) passwords on multiple sites, it creates a domino effect in which a single credential pair can be used to breach multiple applications.
Across all industries globally, Okta found there were almost 10 billion credential stuffing attempts in the first 90 days of 2022, which amounts to 34% of authentication traffic.
Ransomware Operators Might Be Dropping File Encryption in Favour of Corrupting Files
Corrupting files is faster, cheaper, and less likely to be stopped by endpoint protection tools than encrypting them.
A recent attack that involved a threat actor believed to be an affiliate of the BlackCat/ALPHV ransomware-as-a-service (RaaS) operation was found to use a data exfiltration tool dubbed Exmatter. Exmatter is a tool that allows attackers to scan the victim computer's drives for files with certain extensions and then upload them to an attacker-controlled server in a unique directory created for every victim. The tool supports several exfiltration methods including FTP, SFTP, and webDAV.
The way the Eraser function works is that it loads two random files from the list into memory and then copies a random chunk from the second file to the beginning of the first file overwriting its original contents. This doesn't technically erase the file but rather corrupts it. The researchers believe this feature is still being developed because the command that calls the Eraser function is not yet fully implemented and the function’s code still has some inefficiencies. Since the selected data chunk is random, it can sometimes be very small, which makes some files more recoverable than others.
Why destroy files by overwriting them with random data instead of deploying ransomware to encrypt them? At a first glance these seem like similar file manipulation operations. Encrypting a file involves overwriting it, one block at a time, with random-looking data (the ciphertext). However, there are ways to detect these encryption operations when done in great succession and many endpoint security programs can now detect when a process exhibits this behaviour and can stop it. Meanwhile, the kind of file overwriting that Exmatter does is much more subtle.
The act of using legitimate file data from the victim machine to corrupt other files may be a technique to avoid heuristic-based detection for ransomware and wipers, as copying file data from one file to another is much more plausibly benign functionality compared to sequentially overwriting files with random data or encrypting them.
Another reason is that encrypting files is a more intensive task that takes a longer time. It's also much harder and costly to implement file encryption programs, which ransomware essentially are, without bugs or flaws that researchers could exploit to reverse the encryption. There have been many cases over the years where researchers found weaknesses in ransomware encryption implementations and were able to release decryptors. This has happened to BlackMatter, the Ransomwware-as-a-Service (RaaS) operation with which the Exmatter tool has been originally associated.
With data exfiltration now the norm among threat actors, developing stable, secure, and fast ransomware to encrypt files is a redundant and costly endeavour compared to corrupting files and using the exfiltrated copies as the means of data recovery.
It remains to be seen if this is the start of a trend where ransomware affiliates switch to data destruction instead of encryption, ensuring the only copy is in their possession, or if it's just an isolated incident where BlackMatter/BlackCat affiliates want to avoid mistakes of the past. However, data theft and extortion attacks that involve destruction are not new and have been widespread in the cloud database space. Attackers have hit unprotected S3 buckets, MongoDB databases, Redis instances, and ElasticSearch indexes for years, deleting their contents and leaving behind ransom notes so it wouldn't be a surprise to see this move to on-premises systems as well.
Revolut Hack Exposes Data Of 50,000 Users, Fuels New Phishing Wave
Revolut has suffered a cyber attack that gave an unauthorised third party access to personal information of tens of thousands of clients. The incident occurred over a week ago, on Sunday night, and has been described as "highly targeted."
Founded in 2015, Revolut is a financial technology company that has seen a rapid growth, now offering banking, money management, and investment services to customers all over the world. In a statement a company spokesperson said that an unauthorised party had access "for a short period of time" to details of only a 0.16% of its customers.
"We immediately identified and isolated the attack to effectively limit its impact and have contacted those customers affected. Customers who have not received an email have not been impacted" , Revolut said.
According to the breach disclosure to the State Data Protection Inspectorate in Lithuania, where Revolut has a banking license, 50,150 customers have been impacted. Based on the information from Revolut, the agency said that the number of affected customers in the European Economic Area is 20,687, and just 379 Lithuanian citizens are potentially impacted by this incident.
Details on how the threat actor gained access to the database have not been disclosed but it appears that the attacker relied on social engineering. The Lithuanian data protection agency notes that the likely exposed information includes:
Email addresses
Full names
Postal addresses
Phone numbers
Limited payment card data
Account data
However, in a message to an affected customer, Revolut says that the type of compromised personal data varies for different customers. Card details, PINs, or passwords were not accessed.
Researchers Say Insider Threats Play a Larger Role In Security Incidents
Insider threats are becoming an increasingly common part of the attack chain, with malicious insiders and unwitting assets playing critical roles in incidents over the past year, according to Cisco Talos research.
In a blog post, Cisco Talos researchers said organisations can mitigate these types of risks via education, user-access control, and ensuring proper processes and procedures are in place when and if employees leave the organisation.
There are a variety of reasons a user may choose to become a malicious insider, and unfortunately many of them are occurring today. The most obvious being financial distress, where a user has a lot of debt and selling the ability to infect their employer can be a tempting avenue. There have been examples of users trying to sell access into employer networks for more than a decade, having spotted them on dark web forums. The current climate, with the economy tilting toward recession, is ripe for this type of abuse.
The cyber crime underground remains a hot spot for insider threat recruitment efforts because of the relative anonymity, accessibility, and low barrier of entry it affords. Malicious actors use forums and instant messaging platforms to advertise their insider services or, vice versa, to recruit accomplices for specific schemes that require insider access or knowledge.
By far, the most popular motivation for insider threats is financial gain. There are plenty of examples of financially-motivated threat actors seeking employees at companies to provide data and access to sell in the underground or leverage against the organisation or its customers. There have also been instances where individuals turn to underground forums and instant messaging platforms claiming to be employees at notable organisations to sell company information.
SMBs vs. Large Enterprises: Not All Compromises Are Created Equal
Attackers view smaller organisations as having fewer security protocols in place, therefore requiring less effort to compromise. Lumu has found that compromise is significantly different for small businesses than for medium-sized and large enterprises.
There is no silver bullet for organisations to protect themselves from compromise, but there are critical steps to take to understand your potential exposure and make sure that your cyber security protocols are aligned accordingly.
Compromise often stay undetected for long periods of time – 201 days on average with compromise detection and containment taking approximately 271 days. It’s critical for smaller businesses to know they are more susceptible and to get ahead of the curve with safeguards.
Results from the Lumu Ransomware Assessment show a few reasons why attacks continue to stay undetected for such long periods of time:
· 58% of organisations aren’t monitoring roaming devices, which is concerning with a workforce that has embraced remote working
· 72% of organisations either don’t or only partially monitor the use of network resources and traffic, which is problematic given that most compromises tend to originate from within the network
· Crypto-mining doesn’t appear to be a concern for the majority of organisations as 76% either do not know or only partially know how to identify it; however, this is a commonly used technique for cyber criminals
Additionally, threat data unveils attack techniques used and how they vary based on the size of the organisation.
Small businesses are primarily targeted by malware attacks (60%) and are also at greater risk of Malware, Command and Control, and Crypto-Mining. Medium-sized businesses and large enterprises don’t see as much malware and are more susceptible to Domain Generated Algorithms (DGA). This type of attack allows adversaries to dynamically identify a destination domain for command and control traffic rather than relying on a list of static IP addresses or domains.
https://www.helpnetsecurity.com/2022/09/22/smaller-organizations-security-protocols/
Cyber Attack Costs for Businesses up by 80%
In seven out of eight countries, cyber attacks are now seen as the biggest risk to business — outranking COVID-19, economic turmoil, skills shortages, and other issues. The "Hiscox Cyber Readiness Report 2022," which assesses how prepared businesses are to fight back against cyber incidents and breaches, polled more than 5,000 corporate cyber security professionals in the US, UK, Belgium, France, Germany, Ireland, Spain, and the Netherlands. These experts had some enlightening things to say.
According to the report, IT pros are more worried about cyber attacks (46%) than the pandemic (43%) or skills shortages (38%). And the data prove it. The survey indicates that in the past 12 months, US businesses weathered a 7% increase in cyber attacks. Approximately half of all US businesses (47%) suffered an attack in the past year.
Remote work has caused many smaller organisations to use cloud solutions instead of utilizing in-house IT services. However, with more cloud applications and APIs in use, the attack surface has broadened, too, making these organisations more vulnerable to cyber crime.
Although the proportion of staff working remotely almost halved in the past year — from 62% of the workforce in 2021 to 39% in 2022 — overall IT expenditures doubled, from $11.5 million in 2021 to $24.2 million this year. "Despite 61% of survey respondents now being back in the office, businesses are still experiencing a hangover from the pandemic," Hiscox said in a statement. "Remote working provided a year-long Christmas for cyber criminals, and we can see the results of their cyber-feast in the increased frequency and cost of attacks. As we move into a new era of hybrid working, we all have an increased responsibility to continue learning, and managing our own cyber security."
It may come as no surprise that as more organisations evolve and scale their digital business models, the median cost of an attack has surged — from $10,000 last year to $18,000 in 2022. The US is bearing the brunt of generally higher cyber attack costs, with 40% of attack victims incurring costs of $25,000 or higher. The most common vulnerability — i.e., the entry point for cyber criminals — was a cloud-based corporate server.
However, in terms of attack costs, the report reveals major regional disparities. While one organisation in the UK suffered total attack costs of $6.7 million, the hardest-hit firms in Germany, Ireland, and the Netherlands paid out more than $5 million. In turn, Belgium, France, Germany, and Spain all experienced stable or lower median costs.
https://www.darkreading.com/attacks-breaches/cyberattack-costs-for-us-businesses-up-by-80-
Morgan Stanley Fined $35m By SEC For Data Security Lapse, Sold Devices Full of Customer PII
American financial services giant Morgan Stanley agreed to pay the Securities and Exchange Commission (SEC) a $35m penalty on Tuesday over data security lapses.
According to the SEC's complaint, the firm would have allowed roughly 1000 unencrypted hard drives (HDDs) and about 8000 backup tapes from decommissioned data centres to be resold on auction sites without first being wiped.
The improper disposal of the devices reportedly started in 2016 and per the SEC complaint, was part of an "extensive failure" that exposed 15 million customers' data.
In fact, instead of destroying the hard drives or employing an internal IT team to erase them, Morgan Stanley would have contracted an unnamed third–party moving company with allegedly no experience in decommissioning storage media to take care of the hardware.
The moving company initially subcontracted an IT firm to wipe the drives, but their business relationship went sour, so the mover started selling the storage devices to another firm that auctioned them online without erasing them.
"This is an astonishing security mistake by one of the world's most prestigious banks, who would be expected to have well–established procedures in system life cycle management," Jordan Schroeder, managing CISO at Barrier Networks, told Infosecurity Magazine.
"Not only does the situation mean that the bank put customer data at risk, but it also demonstrates the organisation was not following an expected policy which explained the secure disposing of IT equipment."
https://www.infosecurity-magazine.com/news/morgan-stanley-pay-dollar35m-sec/
Eyeglass Reflections Can Leak Information During Video Calls
A group of academic researchers have devised a method of reconstructing text exposed via participants’ eyeglasses and other reflective objects during video conferences.
Zoom and other video conferencing tools, which have been widely adopted over the past couple of years as a result of the Covid-19 pandemic, may be used by attackers to leak information unintentionally reflected in objects such as eyeglasses, the researchers say.
Using mathematical modelling and human subjects experiments, this research explores the extent to which emerging webcams might leak recognizable textual and graphical information gleaming from eyeglass reflections captured by webcams.
Dubbed ‘webcam peeking attack’, a threat model devised by academics shows that it is possible to obtain an accuracy of over 75% when reconstructing and recognizing text with heights as small as 10 mm, captured by a 720p webcam.
According to the academics, attackers can also rely on webcam peeking to identify the websites that the victims are using. Moreover, they believe that 4k webcams will allow attackers to easily reconstruct most header texts on popular websites.
To mitigate the risk posed by webcam peeking attacks, the researchers propose both near- and long-term mitigations, including the use of software that can blur the eyeglass areas of the video stream. Some video conferencing solutions already offer blurring capabilities, albeit not fine-tuned.
https://www.securityweek.com/eyeglass-reflections-can-leak-information-during-video-calls
Uber Says It Was Likely Hacked by Teenage Hacker Gang LAPSUS$
Uber has published additional information about how it was hacked, claiming that it was targeted by LAPSUS$, a cyber criminal gang with a hefty track record that is thought to be composed largely of teenagers.
Last week, someone broke into Uber’s network and used the access to cause all sorts of chaos. The culprit, who claims to be 18 years old, managed to spam company staff with vulgar Slack messages, post a picture of a penis on the company’s internal websites, and leak images of Uber’s internal environment to the web. Now, the ride-share giant has released a statement providing details on its ordeal.
In its update, the company has clarified how it was hacked, largely confirming an account made by the hacker themself. Uber says that the hacker exploited the login credentials of a company contractor to initially gain access to the network. The hacker may have originally bought access to those credentials via the dark web, Uber says. The hacker then used them to make multiple login attempts to the contractor’s account. The login attempts prompted a slew of multi-factor authentication requests for the contractor, who ultimately authenticated one of them. The hacker has previously claimed that it conducted a social engineering scheme to convince the contractor to authenticate the login attempt.
Security experts have called this an “MFA fatigue” attack. This increasingly common intrusion tactic seeks to overwhelm a victim with authentication push requests until they validate the hacker’s illegitimate login attempt.
Most interestingly, Uber has also claimed that whoever was behind this hacking episode is affiliated with the cyber crime gang “LAPSUS$.” It’s not totally clear how Uber knows that.
https://gizmodo.com/uber-says-it-was-hacked-by-teenage-hacker-gang-lapsus-1849554679
Threats
Ransomware and Extortion
Microsoft SQL servers hacked in TargetCompany ransomware attacks (bleepingcomputer.com)
BlackCat ransomware’s data exfiltration tool gets an upgrade (bleepingcomputer.com)
SpyCloud Report: 90% of Companies Affected by Ransomware in 2022 - MSSP Alert
Netflix-style Ransomware Makes Your Organisation’s Data The Prize In A (informationsecuritybuzz.com)
LockBit ransomware builder leaked online by “angry developer” (bleepingcomputer.com)
How to Prevent Ransomware as a Service (RaaS) Attacks (trendmicro.com)
The Risk of Ransomware Supply Chain Attacks (trendmicro.com)
Europol and Bitdefender Release Free Decryptor for LockerGoga Ransomware (thehackernews.com)
Vice Society Demands Ransom From LAUSD Two Weeks After Hack (gizmodo.com)
Phishing & Email Based Attacks
Microsoft: Exchange servers hacked via OAuth apps for phishing (bleepingcomputer.com)
LinkedIn Smart Links abused in evasive email phishing attacks (bleepingcomputer.com)
BBC Warns Of Cost-of-living Phishing, Expert Weighs In (informationsecuritybuzz.com)
Microsoft 365 phishing attacks impersonate US govt agencies (bleepingcomputer.com)
How DKIM records reduce email spoofing, phishing and spam (techtarget.com)
Security alert: new phishing campaign targets GitHub users | The GitHub Blog
American Airlines learned it was breached from phishing targets (bleepingcomputer.com)
Email-based threats: A pain point for organisations - Help Net Security
Other Social Engineering; Smishing, Vishing, etc
Malware
IT giants warn of ongoing Chromeloader malware campaigns - Security Affairs
Fake sites fool Zoom users into downloading deadly code • The Register
Malicious NPM package discovered in supply chain attack (techtarget.com)
How botnet attacks work and how to defend against them (bleepingcomputer.com)
Mobile
This dangerous Android spyware could affect millions of devices | TechRadar
Banking Users Faced With Rewards Phishing Scam - IT Security Guru
Malicious Apps With Millions of Downloads Found in Apple App Store, Google Play (darkreading.com)
Data Breaches/Leaks
Cyber Attack Steals Passenger Data From Portuguese Airline | SecurityWeek.Com
American Airlines discloses data breach after employee email compromise (bleepingcomputer.com)
Significant cyber attack hits Australian telco Optus • The Register
Organised Crime & Criminal Actors
London Police Arrested 17-Year-Old Hacker Suspected of Uber and GTA 6 Breaches (thehackernews.com)
Ukraine dismantles hacker gang that stole 30 million accounts (bleepingcomputer.com)
Cambodian authorities crack down on cyber slavery • The Register
Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain
Cryptocurrency world's Wintermute loses $160m in cyber-heist • The Register
South Korean prosecutors ask Interpol to issue red notice for Do Kwon | Financial Times (ft.com)
"Fake crypto millionaire" charged with alleged $1.7M cryptomining scam (bitdefender.com)
Insider Risk and Insider Threats
Fraud, Scams & Financial Crime
Multi-million dollar credit card fraud operation uncovered (bleepingcomputer.com)
Microsoft Warns of Large-Scale Click Fraud Campaign Targeting Gamers (thehackernews.com)
Cyber crime cost American seniors $3 billion last year, a 62% jump (usatoday.com)
Insurance
Cyber Security Insurance Trends: Key Takeaways for MSPs - MSSP Alert
D&O insurance not yet a priority despite criminal trial of Uber’s former CISO | CSO Online
Supply Chain and Third Parties
Denial of Service DoS/DDoS
DDoS and bot attacks in 2022: Business sectors at risk and how to defend (bleepingcomputer.com)
Record DDoS Attack with 25.3 Billion Requests Abused HTTP/2 Multiplexing (thehackernews.com)
Imperva mitigated long-lasting, 25.3 billion request DDoS attack (bleepingcomputer.com)
Cloud/SaaS
Encryption
API
Open Source
Privacy, Surveillance and Mass Monitoring
Pressure mounts against Europol over data privacy • The Register
San Francisco cops can use private cameras for surveillance • The Register
Parental Controls and Child Safety
Regulations, Fines and Legislation
5 Data Privacy Laws That Could Affect Your Business (informationsecuritybuzz.com)
France and Germany fall foul of EU data retention rules • The Register
Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine
Russia Makes Veiled Threat to Destroy SpaceX's Starlink (pcmag.com)
Researchers Uncover New Metador APT Targeting Telcos, ISPs, and Universities (thehackernews.com)
Russian Sandworm hackers pose as Ukrainian telcos to drop malware (bleepingcomputer.com)
Anonymous claims hacked website of Russian Ministry of Defence - Security Affairs
Pro-Ukraine Hacktivists Claim to Have Hacked Notorious Russian Mercenary Group (vice.com)
European Spyware Investigators Criticize Israel and Poland | SecurityWeek.Com
Hackathon finds dozens of Ukrainian refugees trafficked online | Ars Technica
Researchers Uncover Mysterious 'Metador' Cyber-Espionage Group (darkreading.com)
This dangerous Android spyware could affect millions of devices | TechRadar
Nation State Actors
Nation State Actors – Russia
Inside Russia’s Vast Surveillance State: ‘They Are Watching’ - The New York Times (nytimes.com)
Russian Cyberspies Targeting Ukraine Pose as Telecoms Providers | SecurityWeek.Com
Nation State Actors – China
Nation State Actors – Iran
FBI: Iranian hackers lurked in Albania’s govt network for 14 months (bleepingcomputer.com)
NATO's Team in Albania to Help on Iran-Alleged Cyber Attack | SecurityWeek.Com
Nation State Actors – Misc
Vulnerability Management
Vulnerabilities
Hackers Actively Exploiting New Sophos Firewall RCE Vulnerability (thehackernews.com)
CISA adds Zoho ManageEngine flaw to its Known Exploited Vulnerabilities Catalogue - Security Affairs
AttachMe: a critical flaw affects Oracle Cloud Infrastructure (OCI) - Security Affairs
BIND Updates Patch High-Severity Vulnerabilities | SecurityWeek.Com
15-year-old Python flaw found in 'over 350,000' projects • The Register
CISA warns of critical ManageEngine RCE bug used in attacks (bleepingcomputer.com)
Critical Magento vulnerability targeted in new surge of attacks (bleepingcomputer.com)
Reports Published in the Last Week
Other News
Why Even Big Tech Companies Keep Getting Hacked—and What They Plan to Do About It - WSJ
20/20 visibility is paramount to network security - Help Net Security
Domain shadowing becoming more popular among cyber criminals (bleepingcomputer.com)
Multi-factor authentication fatigue attacks are on the rise: How to defend against them | CSO Online
What's behind the different names for cyber hacker groups (axios.com)
IT services group Wipro fires 300 employees moonlighting for competitors | TechCrunch
How can organisations benefit from full-stack observability? - Help Net Security
Firing Your Entire Cyber Security Team? Are You Sure? (thehackernews.com)
Cyber criminals launching more MFA bypass attacks (techtarget.com)
Microsoft (MSFT) Says Managers Shouldn’t Spy on Staff to Ensure They’re Working - Bloomberg
A third of enterprises globally don’t prioritize digital trust: ISACA | CSO Online
How Malware Hides in Images and What You Can Do About It (gizmodo.com)
International cooperation is key to fighting threat actors and cyber crime | CSO Online
Sector Specific
Industry specific threat intelligence reports are available.
Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.
· Automotive
· Construction
· Critical National Infrastructure (CNI)
· Defence & Space
· Education & Academia
· Energy & Utilities
· Estate Agencies
· Financial Services
· FinTech
· Food & Agriculture
· Gaming & Gambling
· Government & Public Sector (including Law Enforcement)
· Health/Medical/Pharma
· Hotels & Hospitality
· Insurance
· Legal
· Manufacturing
· Maritime
· Oil, Gas & Mining
· OT, ICS, IIoT, SCADA & Cyber-Physical Systems
· Retail & eCommerce
· Small and Medium Sized Businesses (SMBs)
· Startups
· Telecoms
· Third Sector & Charities
· Transport & Aviation
· Web3
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Threat Briefing 25 March 2022
Black Arrow Cyber Threat Briefing 25 March 2022:
-Morgan Stanley Client Accounts Breached in Social Engineering Attacks
-Ransomware Is Scary, But Another Scam Is Costing Victims Much, Much More
-Phishing Kits Constantly Evolve to Evade Security Software
-Ransomware Payments, Demands Rose Dramatically in 2021
-7 Suspected Members of LAPSUS$ Hacker Gang, Aged 16 to 21, Arrested in UK
-Here's How Fast Ransomware Encrypts Files
-HEAT Attacks: A New Class of Cyber Threats Organisations Are Not Prepared For
-The Cyber Warfare Predicted In Ukraine May Be Yet To Come
-The Three Russian Cyber Attacks The West Most Fears
-Do These 8 Things Now To Boost Your Security Ahead Of Potential Russian Cyber Attacks
-Cyber Crime Victims Suffered Losses of Over $6.9B in 2021 in the US Alone
-Expanding Threat Landscape: Cyber Criminals Attacking from All Sides
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
Morgan Stanley Client Accounts Breached in Social Engineering Attacks
Morgan Stanley Wealth Management says some of its customers had their accounts compromised in social engineering attacks.
The account breaches were the result of vishing (aka voice phishing), a social engineering attack where scammers impersonate a trusted entity (in this case Morgan Stanley) during a voice call to convince their targets into revealing sensitive information such as banking or login credentials.
The company said in a notice sent to affected clients that, "on or around February 11, 2022," a threat actor impersonating Morgan Stanley gained access to their accounts after tricking them into providing their Morgan Stanley Online account info.
After successfully breaching their accounts, the attacker also electronically transferred money to their own bank account by initiating payments using the Zelle payment service.
Ransomware Is Scary, But Another Scam Is Costing Victims Much, Much More
Business email compromise (BEC) remains the biggest source of financial losses, which totalled $2.4 billion in 2021, up from an estimated $1.8 billion in 2020, according to the Federal Bureau of Investigation's (FBI) Internet Crime Center (IC3).
The FBI says in its 2021 annual report that Americans last year lost $6.9 billion to scammers and cyber criminals through ransomware, BEC, and cryptocurrency theft related to financial and romance scams. In 2020, that figure stood at $4.2 billion.
Last year, FBI's Internet Crime Complaint Center (IC3) received 847,376 complaints about cybercrime losses, up 7% from 791,790 complaints in 2020.
BEC has been the largest source of fraud for several years despite ransomware attacks grabbing most headlines.
Phishing Kits Constantly Evolve to Evade Security Software
Modern phishing kits sold on cybercrime forums as off-the-shelf packages feature multiple, sophisticated detection avoidance and traffic filtering systems to ensure that internet security solutions won’t mark them as a threat.
Fake websites that mimic well-known brands are abundant on the internet to lure victims and steal their payment details or account credentials.
Most of these websites are built using phishing kits that feature brand logos, realistic login pages, and in cases of advanced offerings, dynamic webpages assembled from a set of basic elements.
Ransomware Payment Demands Rose Dramatically in 2021
Ransomware attackers demanded dramatically higher ransom fees last year, and the average ransom payment rose by 78% to $541,010, according to data from incident response (IR) cases investigated by Palo Alto Networks Unit 42.
IR cases by Unit 42 also saw a whopping 144% increase in ransom demands, to $2.2 million. According to the report, the most victimised sectors were professional and legal services, construction, wholesale and retail, healthcare, and manufacturing.
Cyber extortion spiked, with 85% of ransomware victims — some 2, 556 organisations — having their data dumped and exposed on leak sites, according to the "2022 Unit 42 Ransomware Threat Report."
Conti led the ransomware attack volume, representing some one in five cases Unit 42 investigated, followed by REvil, Hello Kitty, and Phobos.
https://www.darkreading.com/attacks-breaches/ransomware-payments-demands-rose-dramatically-in-2021
7 Suspected Members of LAPSUS$ Hacker Gang, aged 16 to 21, Arrested in UK
The City of London Police has arrested seven teenagers between the ages of 16 and 21 for their alleged connections to the prolific LAPSUS$ extortion gang that's linked to a recent burst of attacks targeting NVIDIA, Samsung, Ubisoft, LG, Microsoft, and Okta.
"The City of London Police has been conducting an investigation with its partners into members of a hacking group," Detective Inspector, Michael O'Sullivan, said in a statement shared with The Hacker News. "Seven people between the ages of 16 and 21 have been arrested in connection with this investigation and have all been released under investigation. Our enquiries remain ongoing."
The development, which was first disclosed by BBC News, comes after a report from Bloomberg revealed that a 16-year-old Oxford-based teenager is the mastermind of the group. It's not immediately clear if the minor is one among the arrested individuals. The said teen, under the online alias White or Breachbase, is alleged to have accumulated about $14 million in Bitcoin from hacking.
https://thehackernews.com/2022/03/7-suspected-members-of-lapsus-hacker.html
Here's How Fast Ransomware Encrypts Files
Forty-two minutes and 54 seconds: that's how quickly the median ransomware variant can encrypt and lock out a victim from 100,000 of their files.
The data point came from Splunk's SURGe team, which analysed in its lab how quickly the 10 biggest ransomware strains — Lockbit, REvil, Blackmatter, Conti, Ryuk, Avaddon, Babuk, Darkside, Maize, and Mespinoza — could encrypt 100,000 files consisting of some 53.93 gigabytes of data. Lockbit won the race, with speeds of 86% faster than the median. One Lockbit sample was clocked at encrypting 25,000 files per minute.
Splunk's team found that ransomware variants are all over the map speed-wise, and the underlying hardware can dictate their encryption speeds.
https://www.darkreading.com/application-security/here-s-how-fast-ransomware-encrypts-files
HEAT Attacks: A New Class of Cyber Threats Organisations Are Not Prepared For
Web malware (47%) and ransomware (42%) now top the list of security threats that organisations are most concerned about. Yet despite the growing risks, just 27% have advanced threat protection in place on every endpoint device that can access corporate applications and resources.
This is according to research published by Menlo Security, exploring what steps organisations are taking to secure themselves in the wake of a new class of cyber threats – known as Highly Evasive Adaptive Threats (HEAT).
As employees spend more time working in the browser and accessing cloud-based applications, the risk of HEAT attacks increases. Almost two-thirds of organisations have had a device compromised by a browser-based attack in the last 12 months. The report suggests that organisations are not being proactive enough in mitigating the risk of these threats, with 45% failing to add strength to their network security stack over the past year. There are also conflicting views on the most effective place to deploy security to prevent advanced threats, with 43% citing the network, and 37% the cloud.
https://www.helpnetsecurity.com/2022/03/22/web-security-threats/
The Cyber Warfare Predicted in Ukraine May Be Yet to Come
In the build-up to Russia’s invasion of Ukraine, the national security community braced for a campaign combining military combat, disinformation, electronic warfare and cyber attacks. Vladimir Putin would deploy devastating cyber operations, the thinking went, to disable government and critical infrastructure, blind Ukrainian surveillance capabilities and limit lines of communications to help invading forces. But that’s not how it has played out. At least, not yet.
The danger is that as political and economic conditions deteriorate, the red lines and escalation judgments that kept Moscow’s most potent cyber capabilities in check may adjust. Western sanctions and lethal aid support to Ukraine may prompt Russian hackers to lash out against the west. Russian ransomware actors may also take advantage of the situation, possibly resorting to cyber crime as one of the few means of revenue generation.
https://www.ft.com/content/2938a3cd-1825-4013-8219-4ee6342e20ca
The Three Russian Cyber Attacks the West Most Fears
The UK's cyber authorities are supporting the White House's calls for "increased cyber-security precautions", though neither has given any evidence that Russia is planning a cyber-attack.
Russia has previously stated that such accusations are "Russophobic".
However, Russia is a cyber-superpower with a serious arsenal of cyber-tools, and hackers capable of disruptive and potentially destructive cyber-attacks.
Ukraine has remained relatively untroubled by Russian cyber-offensives but experts now fear that Russia may go on a cyber-offensive against Ukraine's allies.
"Biden's warnings seem plausible, particularly as the West introduced more sanctions, hacktivists continue to join the fray, and the kinetic aspects of the invasion seemingly don't go to plan," says Jen Ellis, from cyber-security firm Rapid7.
This article from the BCC outlines the hacks that experts most fear, and they are repeats of things we have already seen coming out of Russia, only potentially a lot more destructive this time around.
https://www.bbc.co.uk/news/technology-60841924
Do These 8 Things Now to Boost Your Security Ahead of Potential Russian Cyber Attacks
The message comes as the US Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) ramp up warnings about Russian hacking of everything from online accounts to satellite broadband networks. CISA's current campaign is called Shields Up, which urges all organisations to patch immediately and secure network boundaries. This messaging is being echoed by UK and other Western Cyber authorities:
The use of Multi-Factor Authentication (MFA) is being very strongly advocated. The White House and other agencies both sides of the Atlantic also urged companies to take seven other steps:
Deploy modern security tools on your computers and devices to continuously look for and mitigate threats
Make sure that your systems are patched and protected against all known vulnerabilities, and change passwords across your networks so that previously stolen credentials are useless to malicious actors
Back up your data and ensure you have offline backups beyond the reach of malicious actors
Run exercises and drill your emergency plans so that you are prepared to respond quickly to minimize the impact of any attack
Encrypt your data so it cannot be used if it is stolen
Educate your employees to common tactics that attackers will use over email or through websites
Work with specialists to establish relationships in advance of any cyber incidents.
Cyber Crime Victims Suffered Losses of Over $6.9B in 2021 in the US Alone
The FBI's Internet Crime Complaint Center (IC3) reported a record-breaking year for 2021 in the number of complaints it received, among which business email compromise (BEC) attacks made up the majority of incidents.
IC3 handled 847,376 complaint reports last year — an increase of 7% over 2020 — which mainly revolved around phishing attacks, nonpayment/nondelivery scams, and personal data breaches. Overall, losses amounted to more than $6.9 billion.
BEC and email account compromises ranked as the No. 1 attack, accounting for 19,954 complaints and losses of around $2.4 billion.
"In 2021, heightened attention was brought to the urgent need for more cyber incident reporting to the federal government. Cyber incidents are in fact crimes deserving of an investigation, leading to judicial repercussions for the perpetrators who commit them," Paul Abbate, deputy director of the FBI wrote in the IC3's newly published annual report.
Expanding Threat Landscape: Cyber Criminals Attacking from All Sides
Research from Trend Micro warns of spiralling risk to digital infrastructure and remote workers as threat actors increase their rate of attack on organisations and individuals.
“Attackers are always working to increase their victim count and profit, whether through quantity or effectiveness of attacks,” said Jon Clay, VP of threat intelligence at Trend Micro.
“Our latest research shows that while Trend Micro threat detections rose 42% year-on-year in 2021 to over 94 billion, they shrank in some areas as attacks became more precisely targeted.”
Ransomware attackers are shifting their focus to critical businesses and industries more likely to pay, and double extortion tactics ensure that they are able to profit. Ransomware-as-a-service offerings have opened the market to attackers with limited technical knowledge – but also given rise to more specialisation, such as initial access brokers who are now an essential part of the cybercrime supply chain.
Threat actors are also getting better at exploiting human error to compromise cloud infrastructure and remote workers. Trend Micro detected and prevented 25.7 million email threats in 2021 compared to 16.7 million in 2020, with the volume of blocked phishing attempts nearly doubling over the period. Research shows home workers are often prone to take more risks than those in the office, which makes phishing a particular risk.
https://www.helpnetsecurity.com/2022/03/22/threat-actors-increase-attack/
Threats
Ransomware
Ransomware Infections Follow Precursor Malware – Lumu • The Register
Ransomware, Malware-as-a-Service Dominate Threat Landscape | SecurityWeek.Com
AvosLocker Ransomware - What You Need To Know | The State of Security (tripwire.com)
What the Conti Ransomware Group Data Leak Tells Us (darkreading.com)
Ransomware Demands And Payments Increase With Use Of Leak Sites (computerweekly.com)
Ten Notorious Ransomware Strains Put to The Encryption Speed Test (bleepingcomputer.com)
Lockbit Wins Ransomware Speed Test, Encrypts 25k Files/Min • The Register
Talos warns of BlackMatter-linked BlackCat Ransomware • The Register
Report: 89% of Organizations Say Kubernetes Ransomware Is A Problem Today | VentureBeat
Top Russian Meat Producer Hit with Windows BitLocker Encryption Attack (bleepingcomputer.com)
Greece's Public Postal Service Offline Due To Ransomware Attack (bleepingcomputer.com)
Lawsuit Claims Kronos Breach Exposed Data For 'Millions' (techtarget.com)
Estonian Man Sentenced To Prison For Role In Cyber Intrusions, Ransomware Attacks - CyberScoop
Phishing & Email
New Phishing Toolkit Lets Anyone Create Fake Chrome Browser Windows (bleepingcomputer.com)
Browser-in-the-Browser Attack Makes Phishing Nearly Invisible | Threatpost
'Unique Attack Chain' Drops Backdoor in New Phishing Campaign (darkreading.com)
Other Social Engineering
Malware
Malicious Microsoft Excel Add-Ins Used to Deliver RAT Malware (bleepingcomputer.com)
BitRAT Malware Now Spreading As A Windows 10 License Activator (bleepingcomputer.com)
Mobile
URL Rendering Trick Enabled WhatsApp, Signal, iMessage Phishing (bleepingcomputer.com)
Downloaders Currently the Most Prevalent Android Malware (darkreading.com)
Experts Uncover Campaign Stealing Cryptocurrency from Android and iPhone Users (thehackernews.com)
Android Password-Stealing Malware Infects 100,000 Google Play Users (bleepingcomputer.com)
IoT
Botnet of Thousands of MikroTik Routers Abused in Glupteba, TrickBot Campaigns (thehackernews.com)
Honda Civics Vulnerable To Remote Unlock, Start Hack • The Register
Data Breaches/Leaks
UK MoD's Capita-Run Recruitment Portal Support Offline • The Register
Background Check Company Sued Over Data Breach - Infosecurity Magazine (infosecurity-magazine.com)
Organised Crime & Criminal Actors
Who is LAPSUS$, the Gang Hacking Microsoft, Samsung, and Okta? (gizmodo.com)
Hackers Are Targeting European Refugee Charities -Ukrainian Official | Reuters
Hackers Steal From Hackers By Pushing Fake Malware On Forums (bleepingcomputer.com)
Cryptocurrency/Cryptomining/Cryptojacking
An Investigation of Cryptocurrency Scams and Schemes (trendmicro.com)
Global Regulators Monitor Crypto Use in Ukraine War | Reuters
Cryptocurrency Companies Impacted by HubSpot Breach (techtarget.com)
Insider Risk and Insider Threats
6 Types Of Insider Threats And How To Prevent Them (techtarget.com)
HP Staffer Blew $5m On Personal Expenses With Company Card • The Register
Fraud, Scams & Financial Crime
Internet Crime in 2021: Investment Fraud Losses Soar - Help Net Security
NFT Fraud in the UK Soars 400% in 2021 - Infosecurity Magazine (infosecurity-magazine.com)
DeFiance Capital Founder Loses $1.7M in NFTs To Phishing Scam - Decrypt
Insurance
Dark Web
Supply Chain
Cloud
Passwords & Credential Stuffing
Spyware, Espionage & Cyber Warfare
Nation State Actors
Nation State Actors – Russia
Internet Sanctions Against Russia Pose Risks, Challenges For Businesses | CSO Online
Is It Safe To Use Russian-Based Kaspersky Antivirus? No, And Here's Why (komando.com)
Anonymous Leaked 28gb of Data Stolen from The Central Bank of Russia - Security Affairs
President Biden Says Russia Exploring Revenge Cyber Attacks • The Register
Analysis: Putin's next escalation could be a direct cyberattack on the West - CNNPolitics
Russia-backed Hackers Bypassed MFA, Exploited Print Vulnerability - MSSP Alert
Hackers Around The World Deluge Russia's Internet With Simple, Effective Cyber Attacks (nbcnews.com)
Anonymous Targets Western Companies Still Active in Russia - Security Affairs
Ukrainian Enterprises Hit with the DoubleZero Wiper - Security Affairs
NATO, G-7 Leaders Promise Bulwark Against Retaliatory Russian Cyber Attacks (cyberscoop.com)
Russia Hacked Ukrainian Satellite Communications, Officials Believe - BBC News
Russia-linked InvisiMole APT Targets State Organizations Of Ukraine - Security Affairs
Corrupted Open-Source Software Enters the Russian Battlefield | ZDNet
Nestlé Says 'Anonymous' Data Leak Actually A Self-Own • The Register
Nation State Actors – China
Another Chinese Hacking Group Spotted Targeting Ukraine Amid Russia Invasion (thehackernews.com)
Chinese APT Combines Fresh Hodur RAT with Complex Anti-Detection | Threatpost
Mustang Panda Hacking Group Takes Advantage Of Ukraine Crisis In New Attacks | ZDNet
Nation State Actors – North Korea
Vulnerabilities
CISA Adds 66 Vulnerabilities To List Of Bugs Exploited In Attacks (bleepingcomputer.com)
Three Critical RCE Flaws Affect Hundreds of HP Printer Models - Security Affairs
Critical Sophos Firewall vulnerability allows remote code execution (bleepingcomputer.com)
VMware Fixes Carbon Black Command Injection, Upload Bugs • The Register
Western Digital Fixes Critical Bug Giving Root On My Cloud NAS Devices (bleepingcomputer.com)
Sector Specific
Health/Medical/Pharma Sector
Scottish Mental Health Charity SAMH Targeted In Cyber Attack - BBC News
Over 1 Million Impacted in Data Breach at Texas Dental Services Provider | SecurityWeek.Com
Retail/eCommerce
Transport and Aviation
Energy & Utilities
Education and Academia
Reports Published in the Last Week
Other News
A Better Grasp of Cyber Attack Tactics Can Stop Criminals Faster (bleepingcomputer.com)
The Chaos (and Cost) of the Lapsus$ Hacking Carnage | SecurityWeek.Com
Soldiers told to use Signal instead of WhatsApp for security | The Times
Cyber Security Compliance: Start With Proven Best Practices - Help Net Security
Only 27% of Orgs Have Advanced Threat Protection on Endpoints | VentureBeat
Okta Breach Leads To Questions On Disclosure, Reliance On Third-Party Vendors - CyberScoop
The Challenges Audit Leaders Need To Look Out For This Year - Help Net Security
South Korean DarkHotel Hackers Targeted Luxury Hotels in Macau (thehackernews.com)
ISACA: Two-Thirds of Cybersecurity Teams Are Understaffed - Infosecurity Magazine
Security Teams are Responsible for Over 165k Assets - Infosecurity Magazine
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.