Threat Intelligence Blog
Contact us to discuss any insights from our Blog, and how we can support you in a tailored threat intelligence report.
Black Arrow Cyber Threat Briefing 10 May 2024
Black Arrow Cyber Threat Intelligence Briefing 10 May 2024:
-China Suspected of Hacking MoD, Through Its Payroll Provider
-Security Tools Fail to Translate Risks for Executives
-Gang Accused of MGM Hack Shifts Attacks to Finance Sector
-Are SMEs Paving the Way for Cyber Attacks on Larger Companies?
-Misconfigurations Drive 80% of Security Exposure, Report Finds
-Only 45% of Organisations Employ MFA Protections
-You Cannot Protect What You Do Not Know You Have, as Criminals are Exploiting Vulnerabilities Faster Than Ever
-The Rise and Stealth of The Socially Engineered Insider
-Over 70% of Staff Use AI At Work, But Only 30% of European Organisations Provide AI Training
-Don't Be the Weakest Link – You and Your Team's Crucial Role in Cyber Security
-Ransomware Activity Thrives, Despite Law enforcement Efforts
-NATO Warns of Russian Hybrid Warfare
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
China Suspected of Hacking UK Ministry of Defence, Through Its Payroll Provider
UK Defence Secretary Grant Shapps has confirmed that over 270,000 personal details have been leaked after the MoD was hacked through its third-party payroll provider, SSCL. The affected systems have been pulled offline since the attack. SSCL’s website describes that it manages HR for the armed forces, the Metropolitan Police and other areas of British government. The commercial supply chain, and in particular HR and payroll providers, is increasing being used as the soft underbelly to attack larger and better protected organisations.
Sources: [LBC] [The Register] [Sky News]
Security Tools Fail to Translate Risks for Executives
Organisations are struggling with internal communication barriers, hindering their ability to address and mitigate cyber security threats, according to a report which found that seven out of 10 C-suite executives said their security teams talk in technical terms without providing business context. However, in contrast, 75% of CISO’s highlight the issue is rooted in security tools that cannot generate the insights C-level executives and boards can use to understand business implications. The role of a good CISO should be to take the output of these tools and turn that data into metrics the Boards can understand.
The issues highlight the necessity for organisations to have someone in their organisation, whether an employee or a third-party, who is able to ingest technical results and translate them into a style that the C-suite can understand for business risk management.
Source: [Help Net Security]
Gang Accused of MGM Hack Shifts Attacks to Finance Sector
The hacking group responsible for the infamous hack on MGM and Caesar’s Palace resorts is engaged in a new campaign targeting the financial sector. The group known as Scattered Spider has targeted 29 companies since 20 April this year, compromising at least 2 insurance companies so far. The research has stated that the attackers are purchasing lookalike domains that match the name of target companies, hosting fake log-in pages. Links to these are sent to employees, in an attempt to direct them there. The most recent attack took place just days ago, with more expected.
Sources: [Bloomberg Law] [Claims Journal]
Are SMEs Paving the Way for Cyber Attacks on Larger Companies?
A recent study highlights the escalating cyber threats facing businesses, particularly SMEs and supply chains. The study found that 32% of UK businesses, including 69% of large and 59% of mid-sized organisations, suffered a cyber attack last year. The situation is worse for SMEs, with weaker security systems and 77% lacking in-house cyber security. SMEs can become entry points for hackers targeting larger partners through interconnected supply chains. Meanwhile, Verizon’s latest data breaches report revealed a 68% increase in supply chain breaches, accounting for 15% of all breaches in 2023, up from 9% in 2022. These breaches are primarily driven by third-party software vulnerabilities exploited in ransomware and extortion attacks. Experts emphasise proactive cyber policies, vulnerability scans, and employee education for SMEs to bolster defences. They also urge organisations to consider third-party bugs as both vulnerability and vendor management problems, make better vendor choices, and use external signals like SEC disclosures in the United States to guide decisions. These measures can help prevent SMEs from becoming gateways for larger attacks and manage the rising threat of supply chain breaches.
Sources: [Insurance Times] [Dark Reading]
Misconfigurations Drive 80% of Security Exposure, Report Finds
A recent report has found that 80% of security exposures are caused by identity and credential misconfigurations, with a third of these putting critical assets at risk of a breach. According to the report, the majority of this is within an organisation’s network user management (Active Directory) and 56% of breaches that impact critical assets are within cloud platforms. There is often the misconception that cloud-based environments are secure by default, but misconfigurations can undo any security benefits and still leave you exposed. Just because someone else built and maintains your house, it is still your responsibility to lock the doors and windows.
Sources: [Security Magazine]
Only 45% of Organisations Employ MFA Protections
A recent report of IT decision-makers has found that 97% are facing challenges with identity verification and 52% are very concerned about credential compromise, followed by account takeover (50%). When it comes to reinforcing identity verification, only 45% used multi-factor authentication (MFA). By using MFA, organisations are forcing two identification verifications: simply knowing a username and password is not enough, especially given the speeds with which attackers can crack passwords, with average 8 character passwords able to be cracked in less than a minute. Whilst no control is 100% impenetrable, enabling MFA will aid in increasing your organisation's cyber resilience.
Source: [Help Net Security]
You Cannot Protect What You Do Not Know You Have, as Criminals are Exploiting Vulnerabilities Faster Than Ever
For many organisations, visibility of their information assets can be incredibly hard to obtain and maintain, with different tools, under-reporting and shadow IT contributing to the problem. Unfortunately, cyber criminals are getting faster at exploiting vulnerabilities, and if you do not know you have the vulnerability in your estate then you cannot patch against it. In their recent report, Fortinet found that attacks started on average 4.76 days after new exploits were publicly disclosed.
Interestingly though, while zero-day threats garner much attention (these are ‘new’ vulnerabilities that are being exploited by attackers but for which there are no security patches yet available), one third of all exploits are for older vulnerabilities. This highlights the need for a comprehensive and robust approach to network security and vulnerability management, beyond simply patching what Microsoft puts out once a month. To have effective patch management, organisations must know what they need to patch and therefore must have visibility of the corporate environment. A good starting block is the creation of a robust information asset register.
Sources: [Security Brief] [Help Net Security] [IT Security Guru]
The Rise and Stealth of The Socially Engineered Insider
Social engineering has become increasingly prevalent as the preferred tactic for foreign adversaries. Insiders are prime targets due to their privileged access to sensitive data. This is particularly affecting the technology, pharma, and critical infrastructure sectors. Advances in AI and social platforms have made it easier to exploit these vulnerabilities. These advances allow threat actors to tailor attacks with unprecedented speed and realism. Using methods like coercion or deception, these actors exploit employees to gain high-value data that can be weaponised. As a result, the threat landscape has become more complex, blurring the lines between internal and external risks. To bolster their defences, organisations are now investing in insider risk management and AI. They are also emphasising employee education and cross-sector collaboration.
Source: [Forbes]
Over 70% of Staff Use AI At Work, But Only 30% of European Organisations Provide AI Training
An ISACA study and the AI Security & Governance Report reveal a complex landscape of AI adoption and security. 73% of European organisations and 54% of global organisations use AI, with 79% increasing their AI budgets, however training and policy development lag behind. Only 30% offer limited training, 40% provide none, and a mere 17% have a comprehensive AI policy. Despite AI’s potential, 80% of data experts find it complicates security, with concerns high around generative AI exploitation (61% of respondents) and AI-powered attacks (over 50% of business leaders). Data poisoning and privacy issues persist, yet 85% of leaders express confidence in their data security strategies, with 83% revising privacy and governance guidelines. With 86% recognising a need for AI training within two years, the call for dynamic governance strategies and formal education is clear to manage evolving threats.
Sources: [Help Net Security] [IT Security Guru]
Don't Be the Weakest Link – You and Your Team's Crucial Role in Cyber Security
Cyber security success depends on more than just technology. Bad actors are always looking for the easiest entry point, meaning that employees’ everyday actions are crucial, when even one careless click or a weak password can be an open door for hackers. However, empowered with the right knowledge and tools, staff can become a robust defence. Nearly 80% of organisations have reported an increase in phishing attacks, but training programs like role-playing exercises and phishing simulations significantly reduce these risks. Effective cyber security also hinges on C-suite leaders promoting a security-first culture, ensuring all employees understand the risks and follow strict protocols like MFA and strong password policies. Consistent training and open communication are vital in fostering a resilient, security-aware workforce.
Source: [JDSupra]
Ransomware Activity Thrives, Despite Law enforcement Efforts
Despite the recent law enforcement takedowns on ransomware groups, ransomware remains rife. Whilst the takedown of a group can come as an initial relief in that the group has gone, it simply forces ransomware affiliates to diversify. This is reflected in ransomware continuing its growth in the first quarter of 2024, with 18 new leak sites, the largest number in a single quarter, emerging over this period. When comes to those at risk, both financial services and healthcare remain a prominent target.
Sources: [Help Net Security ] [Infosecurity Magazine] [Help Net Security]
NATO Warns of Russian Hybrid Warfare
NATO has issued a statement in which it describes it is “deeply concerned about Russia's hybrid actions and the threat that they constitute to NATO security”. The actions are described to include sabotage, acts of violence, cyber and electronic interference, and disinformation campaigns. This comes as many countries including the UK and US are due to have elections this year.
Sources: [EU Reporter] [Financial Times]
Governance, Risk and Compliance
You cannot protect what you do not understand (securitybrief.co.nz)
Security tools fail to translate risks for executives - Help Net Security
It Costs How Much?!? The Financial Pitfalls of Cyber Attacks on SMBs (thehackernews.com)
Now More Than Ever, it's Crucial for Companies to Get Cyber Security Right (newsweek.com)
Why SMBs are facing significant security, business risks - Help Net Security
Are SMEs paving the way for cyber attacks on larger companies? | Insurance Times
Don't Be the Weakest Link – Your Team's Crucial Role in Cyber Security | NAVEX - JDSupra
The Art Of Cyber Security Governance: Safeguarding Beyond Code (forbes.com)
CISOs Are Worried About Their Jobs & Dissatisfied With Their Incomes (darkreading.com)
92% of CISOs Question the Future of Their Role Amidst Growing AI Pressures | Business Wire
Three strategies for winning the cyber security arms race | Fintech Nexus
Rethinking Cyber Security Investment Amid Rising Threats (govinfosecurity.com)
CIOs and CFOs, two parts of the same whole - IT Security Guru
Threats
Ransomware, Extortion and Destructive Attacks
Gang Accused of MGM Hack Turns Its Sights on Finance Sector (bloomberglaw.com)
Cybercrime Unicorns: What Everyone Needs to Know About Ransomware Gangs (pcmag.com)
Why Paying Should Be A Last Resort In Ransomware Attacks (forbes.com)
Ransomware activity is back on track despite law enforcement efforts - Help Net Security
Ransomware evolves from extortion to 'psychological attacks' • The Register
Russian Hacker Dmitry Khoroshev Unmasked as LockBit Ransomware Administrator (thehackernews.com)
Ransomware attacks impact 20% of sensitive data in healthcare orgs - Help Net Security
An overwhelming majority of organisations paid ransomware last year - eCampus News
The Growing Threat of Advanced Ransomware Attacks (inforisktoday.com)
Law enforcement seized Lockbit group's website again (securityaffairs.com)
Consultant charged with $1.5M extortion of IT giant • The Register
IT chiefs plan to spend and innovate their way out of ransomware swamp | TechRadar
Ransomware crooks SIM swap kids to pressure parents • The Register
Scattered Spider group a unique challenge for cyber cops, FBI leader says (therecord.media)
97% of Organisations Hit by Ransomware Worked with Law Enforcement (globenewswire.com)
CISA boss: Secure software needed to stop ransomware • The Register
Shields Up: How to Minimize Ransomware Exposure - Security Week
Ransomware Victims
UnitedHealth’s 'egregious negligence' led to that ransomware • The Register
Ascension healthcare takes systems offline after cyber attack (bleepingcomputer.com)
London Drugs president tight-lipped over recent cyber attack | CBC News
Boeing confirms attempted $200 million ransomware extortion attempt | CyberScoop
Cyber attack disrupts operations at major US health care network | CNN Business
City of Wichita Shuts Down Network Following Ransomware Attack - Security Week
Patient appointments imperilled by cyber attack on French radiologist (therecord.media)
Ransomware attack hits Brandywine Realty Trust | SC Media (scmagazine.com)
Phishing & Email Based Attacks
Other Social Engineering
The Rise And Stealth Of The Socially Engineered Insider (forbes.com)
Iranian hackers harvest credentials through advanced social engineering campaigns | CSO Online
What is social engineering penetration testing? | Definition from TechTarget
Artificial Intelligence
Organisations go ahead with AI despite security risks - Help Net Security
Innovation, Not Regulation, Will Protect Corporations From Deepfakes (darkreading.com)
Strategies for preventing AI misuse in cyber security - Help Net Security
AI is changing the game when it comes to cyber security | ITPro
Why the Cyber Security Industry Is Obsessed With AI Right Now - CNET
LLMs & Malicious Code Injections: 'We Have to Assume It's Coming' (darkreading.com)
Cyber Security, Deepfakes and the Human Risk of AI Fraud (govtech.com)
Criminal Use of AI Growing, But Lags Behind Defenders - Security Week
2FA/MFA
Only 45% of organisations use MFA to protect against fraud - Help Net Security
UnitedHealth Attack: Stolen Credentials, No MFA | MSSP Alert
Malware
ZLoader Malware adds Zeus's anti-analysis feature (securityaffairs.com)
Russia-linked APT28 and crooks are still using the Moobot botnet (securityaffairs.com)
Iranian hackers pose as journalists to push backdoor malware (bleepingcomputer.com)
New 'Cuckoo' Persistent macOS Spyware Targeting Intel and Arm Macs (thehackernews.com)
Hijack Loader Malware Employs Process Hollowing, UAC Bypass in Latest Version (thehackernews.com)
Mirai Botnet Exploits Ivanti Connect Secure Flaws for Malicious Payload Delivery (thehackernews.com)
Mobile
Mobile Banking Malware Surges 32% - Infosecurity Magazine (infosecurity-magazine.com)
Android bug can leak DNS traffic with VPN kill switch enabled (bleepingcomputer.com)
European Threat To End-To-End Encryption Would Invade Phones (forbes.com)
Ransomware crooks SIM swap kids to pressure parents • The Register
Denial of Service/DoS/DDOS
Data Breaches/Leaks
How does a data breach affect you and why should you care? | TechRadar
Dell customer order database stolen, for sale on dark web • The Register
The Breach of a Face Recognition Firm Reveals a Hidden Danger of Biometrics | WIRED
Cyber attack: Large volume of data stolen in attack on Scottish health board (scotsman.com)
Security breach affects 6,000 German military VC meetings (avinteractive.com)
Security company exposes 1.2M guard and suspect records • The Register
Children's mental health records published after cyber attack - BBC News
Georgia education agency's MOVEit data theft impacted 800K • The Register
Data Brokers: What They Are and How to Safeguard Your Privacy - IT Security Guru
Zscaler Investigates Hacking Claims After Data Offered for Sale - Security Week
UK government departments reveal rise in data breaches & lost devices (datacentrenews.uk)
'Sophisticated' cyber attacks involving British Colombia government networks found | CBC News
Over 380K more NYC students had info leaked, bringing total to over 1M (nypost.com)
Dating apps kiss'n'tell all sorts of sensitive user info • The Register
Organised Crime & Criminal Actors
Hackers of all kinds are attacking routers across the world | TechRadar
These Dangerous Scammers Don’t Even Bother to Hide Their Crimes | WIRED
Massive webshop fraud ring steals credit cards from 850,000 people (bleepingcomputer.com)
Scattered Spider group a unique challenge for cyber cops, FBI leader says (therecord.media)
Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain
Insider Risk and Insider Threats
The Rise And Stealth Of The Socially Engineered Insider (forbes.com)
Don't Be the Weakest Link – Your Team's Crucial Role in Cyber Security | NAVEX - JDSupra
Supply Chain and Third Parties
UK Military Data Breach a Reminder of Third-Party Risk (darkreading.com)
Details of UK military personnel exposed in huge payroll data breach | AP News
Firm at centre of MoD 'China' hack handles data for several Whitehall departments (inews.co.uk)
DBIR: Supply Chain Breaches Up 68% Year Over Year (darkreading.com)
The complexities of third-party risk management - Help Net Security
Cloud/SaaS
Encryption
Cop complaints won't stop E2EE, says encryption advocate • The Register
European Threat To End-To-End Encryption Would Invade Phones (forbes.com)
Linux and Open Source
Open-Source Cyber Security Is a Ticking Time Bomb (gizmodo.com)
Spies Among Us: Insider Threats in Open Source Environments (darkreading.com)
Passwords, Credential Stuffing & Brute Force Attacks
Iranian hackers harvest credentials through advanced social engineering campaigns | CSO Online
Microsoft introduces Passkeys support for consumer accounts - gHacks Tech News
Google Announces Passkeys Adopted by Over 400 Million Accounts (thehackernews.com)
UnitedHealth Attack: Stolen Credentials, No MFA | MSSP Alert
Hackers can crack average 8-character passwords in under a minute (newsbytesapp.com)
How secure is the “Password Protection” on your files and drives? - Help Net Security
Social Media
Training, Education and Awareness
Regulations, Fines and Legislation
The EU Cyber Diplomacy Toolbox: Shaping Global Cyber Security Standards | UpGuard
The NIS2 Compliance Deadline Is Nearing. Are You Prepared? - Security Boulevard
Innovation, Not Regulation, Will Protect Corporations From Deepfakes (darkreading.com)
Models, Frameworks and Standards
Data Protection
Careers, Working in Cyber and Information Security
How workforce reductions affect cyber security postures - Help Net Security
One in Four Tech CISOs Unhappy with Compensation - Security Boulevard
Law Enforcement Action and Take Downs
Ransomware activity is back on track despite law enforcement efforts - Help Net Security
LockBit's seized darknet site resurrected by police, teasing new revelations (therecord.media)
LockBit leader unmasked and sanctioned - National Crime Agency
Israeli private investigator wanted for hacking in US is arrested in London | The Independent
German police bust Europe's 'largest' scam call centre – DW – 05/02/2024
Consultant charged with $1.5M extortion of IT giant • The Register
97% of Organisations Hit by Ransomware Worked with Law Enforcement (globenewswire.com)
Nation State Actors, Advanced Persistent Threats (APTs), Cyber Warfare, Cyber Espionage and Geopolitical Threats/Activity
Cyber Warfare and Cyber Espionage
Israeli private investigator wanted for hacking in US is arrested in London | The Independent
Cyber Attacks on US Utilities: New Trends in Cyber Warfare - ClearanceJobs
'The Mask' Espionage Group Resurfaces After 10-Year Hiatus (darkreading.com)
Nation State Actors
China
Firm at centre of MoD 'China' hack handles data for several Whitehall departments (inews.co.uk)
Lessons from LOCKED SHIELDS 2024 cyber exercise | SC Media (scmagazine.com)
China-Linked Hackers Used ROOTROT Webshell in MITRE Network Intrusion (thehackernews.com)
Russia
Malice from Moscow: NATO warns of Russian hybrid warfare - EU Reporter
Russia plotting sabotage across Europe, intelligence agencies warn (ft.com)
How Nato could respond after wave of Russian spy arrests across Europe (inews.co.uk)
EU, NATO denounce Russia's cyber attacks on Germany, Czechia (kyivindependent.com)
Russia Cyber Attack Germany's Ruling Party, Defence | Silicon UK
Foreign Ministry: Czech institutions targeted by GRU cyber attacks | Radio Prague International
Russia-linked APT28 and crooks are still using the Moobot botnet (securityaffairs.com)
Ukraine records increase in financially motivated attacks by Russian hackers (therecord.media)
Cyber War? EU rages over alleged Russian cyber attack on German’s ruling SPD (brusselssignal.eu)
Lessons from LOCKED SHIELDS 2024 cyber exercise | SC Media (scmagazine.com)
A (Strange) Interview With the Russian-Military-Linked Hackers Targeting US Water Utilities | WIRED
Russia says Germany using baseless 'hacker myths' to destroy ties | Reuters
Poland says it too was targeted by Russian hackers – POLITICO
Kaspersky denies claims it helped Russia with drones • The Register
Iran
Iranian hackers pose as journalists to push backdoor malware (bleepingcomputer.com)
Iranian hackers harvest credentials through advanced social engineering campaigns | CSO Online
North Korea
Other Nation State Actors, Hacktivism, Extremism, Terrorism and Other Geopolitical Threat Intelligence
Vulnerability Management
Cyber criminals are getting faster at exploiting vulnerabilities - Help Net Security
Misconfigurations drive 80% of security exposures | Security Magazine
Patch management vs. vulnerability management: Key differences | TechTarget
What is Risk-Based Vulnerability Management (RBVM)? (techtarget.com)
CISA’s KEV list improving private and public-sector patching • The Register
CISA Announces CVE Enrichment Project 'Vulnrichment' - Security Week
Vulnerabilities
Citrix Addresses High-Severity NetScaler Servers Flaw (darkreading.com)
Over 50,000 Tinyproxy servers vulnerable to critical RCE flaw (bleepingcomputer.com)
Veeam fixes RCE flaw in backup management platform (CVE-2024-29212) - Help Net Security
LiteSpeed Cache WordPress plugin actively exploited in the wild (securityaffairs.com)
New BIG-IP Next Central Manager bugs allow device takeover (bleepingcomputer.com)
Microsoft: April Windows Server updates also cause crashes, reboots (bleepingcomputer.com)
Android bug can leak DNS traffic with VPN kill switch enabled (bleepingcomputer.com)
Mirai Botnet Exploits Ivanti Connect Secure Flaws for Malicious Payload Delivery (thehackernews.com)
Tools and Controls
Behind Closed Doors: The Rise of Hidden Malicious Remote Access (cybereason.com)
Security tools fail to translate risks for executives - Help Net Security
Misconfigurations drive 80% of security exposures | Security Magazine
NSA, FBI Alert on North Korean Hackers Spoofing Emails from Trusted Sources (thehackernews.com)
Microsoft plans to lock down Windows DNS like never before. Here’s how. | Ars Technica
Novel attack against virtually all VPN apps neuters their entire purpose | Ars Technica
Strategies for preventing AI misuse in cyber security - Help Net Security
Shadow APIs: An Overlooked Cyber Risk for Orgs (darkreading.com)
What is social engineering penetration testing? | Definition from TechTarget
How workforce reductions affect cyber security postures - Help Net Security
What is Risk-Based Vulnerability Management (RBVM)? (techtarget.com)
Top 10 physical security considerations for CISOs | CSO Online
IT chiefs plan to spend and innovate their way out of ransomware swamp | TechRadar
A SaaS Security Challenge: Getting Permissions All in One Place (thehackernews.com)
Tips for Controlling the Costs of Security Tools - The New Stack
Rethinking Cyber Security Investment Amid Rising Threats (govinfosecurity.com)
Microsoft confirms Windows 11 24H2 turns on Device Encryption by default (windowslatest.com)
Reports Published in the Last Week
Other News
Microsoft overhaul treats security as ‘top priority’ after a series of failures - The Verge
The EU Cyber Diplomacy Toolbox: Shaping Global Cyber Security Standards | UpGuard
Complexity leads to trade-off between risk and innovation (betanews.com)
When has the UK faced cyber attacks in the past? | The Independent
Man-in-the-middle attack: The new cyber security threat | YourStory
Paris 2024 gearing up to face unprecedented cyber security threat | Reuters
38% of riskiest cyber physical systems neglected, warns Claroty report (securitybrief.co.nz)
Why undersea cables need high-priority protection • The Register
GAO: NASA Faces 'Inconsistent' Cyber Security Across Spacecraft (darkreading.com)
Cyber security regulations: Are non-compliant cars more vulnerable? | Autocar
Fujitsu sets aside £200m as calls mount for Post Office scandal payout
FE News | Why the education sector needs to do the homework on cyber security as attacks soar
Sector Specific
Industry specific threat intelligence reports are available.
Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.
· Automotive
· Construction
· Critical National Infrastructure (CNI)
· Defence & Space
· Education & Academia
· Energy & Utilities
· Estate Agencies
· Financial Services
· FinTech
· Food & Agriculture
· Gaming & Gambling
· Government & Public Sector (including Law Enforcement)
· Health/Medical/Pharma
· Hotels & Hospitality
· Insurance
· Legal
· Manufacturing
· Maritime
· Oil, Gas & Mining
· OT, ICS, IIoT, SCADA & Cyber-Physical Systems
· Retail & eCommerce
· Small and Medium Sized Businesses (SMBs)
· Startups
· Telecoms
· Third Sector & Charities
· Transport & Aviation
· Web3
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Threat Briefing 26 April 2024
Black Arrow Cyber Threat Intelligence Briefing 26 April 2024:
-Coalition Finds More Than Half of Cyber Insurance Claims Originate in the Email Inbox
-Unmasking the True Cost of Cyber Attacks: Beyond Ransom and Recovery
-Why Cyber Security Should Be Driving Your Enterprise Risk Management Strategy
-Ransomware Double-Dip - Re-Victimisation in Cyber Extortion
-AI is a Major Threat and Many Financial Organisations Are Not Doing Enough to Fight the Threat
-6 out of 10 Businesses Struggle to Manage Cyber Risk
-'Junk Gun' Ransomware: New Low-Cost Cyber Threat Targets SMBs
-Penetration Testing Infrequency Leaves Security Gaps
-Bank Prohibited from Opening New Accounts After Regulators Lose Patience With Poor Cyber Security Governance
-The Psychological Impact of Phishing Attacks on Your Employees
-Where Hackers Find Your Weak Spots
-The Role of Threat Intelligence in Financial Data Protection
-Government Cannot Protect Business and Services from Cyber Attack, Decision Makers Say
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
Coalition Finds More Than Half of Cyber Insurance Claims Originate in the Email Inbox
The 2024 Cyber Claims Report by insurer Coalition reveals critical vulnerabilities and trends affecting cyber insurance policyholders. Notably, over half of the claims in 2023 stemmed from funds transfer fraud (FTF) and business email compromise (BEC), underlining the critical role of email security in cyber risk management. The report also indicated heightened risks associated with boundary devices like firewalls and VPNs, particularly if they are exposed online and have known vulnerabilities. Additionally, the overall claims frequency and severity rose by 13% and 10% respectively, pushing the average loss to $100,000. These insights emphasise the necessity of proactive cyber security measures and the valuable role of cyber insurance in mitigating financial losses from cyber incidents.
Sources: [IT Security Guru] [Emerging Risks]
Unmasking the True Cost of Cyber Attacks: Beyond Ransom and Recovery
The global cost of cyber crime is expected to soar to $10.5 trillion annually by 2025, a steep rise from $3 trillion in 2015, underscoring a significant improvement in the methods of cyber criminals, according to Cybersecurity Ventures. Beyond direct financial losses like ransomware payments, the hidden costs of cyber attacks for businesses include severe operational disruptions, lost revenue, damaged reputations, strained customer relationships, and regulatory fines. These incidents, further exacerbated by increased insurance premiums, collectively contribute to substantial long-term financial burdens. The report indicates that 88% of data breaches are attributable to human error, underscoring the importance of comprehensive employee training alongside technological defences. To combat these evolving cyber threats effectively, organisations must adopt a multi-pronged strategy that includes advanced security technologies, regular system updates, employee education, and comprehensive security audits.
According to another report from SiliconAngle, cyber insurance claims increased 13% year-over-year in 2023, with the 10% rise in overall claims severity attributed to mounting ransomware attack claims.
Sources: [The Hacker News] [Huntress] [SC Media]
Why Cyber Security Should Be Driving Your Enterprise Risk Management Strategy
Cyber security has transformed from a secondary concern into the cornerstone of corporate risk management. The historical view of cyber security as merely a component of broader risk strategies is outdated; it now demands a central role in safeguarding against operational, financial, and reputational threats. Many businesses, recognising the vital role of technology in all operations, have begun elevating the position of Chief Information Security Officer (CISO) to integrate cyber security into their overall enterprise risk frameworks. This shift not only enhances visibility and strategic alignment at the highest organisational levels but also fosters more robust defences against cyber threats. As such, adopting a cyber security-centric approach is crucial for compliance and long-term resilience in the face of growing digital threats.
Source: [Forbes]
Ransomware Double-Dip: Re-Victimisation in Cyber Extortion
A recent cyber security study reveals a troubling trend of re-victimisation among organisations hit by cyber extortion or ransomware attacks. Analysis of over 11,000 affected organisations shows recurring victimisation due to repeated attacks, data reuse among criminal affiliates, or cross-affiliate data sharing. Notably, cyber extortion incidents have surged by 51% year-on-year. Additionally, a separate study reports payments exceeding $1 billion and a 20% increase in ransomware attack victims since early 2023. These findings underscore the increasing sophistication and persistence of cyber criminals. Despite law enforcement efforts, adaptable cyber crime groups swiftly resume operations, complicating effective threat mitigation. Organisations must enhance their cyber security measures to avoid becoming repeated targets.
Sources: [Security Magazine] [The Hacker News] [SC Media]
AI is a Major Threat and Many Financial Organisations Are Not Doing Enough
Artificial intelligence (AI) is a major concern for organisations, especially for the financial services sector due to the information they hold. Recent reports have found that AI has driven phishing up by 60% and AI tools have been linked to data exposure in 1 in 5 UK organisations. But it is not just attackers utilising AI: a separate report found that 20% of employees have exposed data via AI.
Currently, many financial organisations are not doing enough to secure themselves to fight AI. In a recent survey, 69% of fraud-management decision makers, AML professionals, and risk and compliance leaders reported that criminals are more advanced at using AI for financial crime than firms are in defending against it.
Sources: [Verdict] [Beta News] [Infosecurity Magazine] [TechRadar] [Security Brief]
6 out of 10 Businesses Struggle to Manage Cyber Risk
A report has found that 6 in 10 businesses are struggling to manage their cyber risk and just 43% have confidence in their ability to address cyber risk. Further, 35% of total respondents worry that senior management does not see cyber attacks as a significant risk; the same percentage also reported a struggle in hiring skilled professionals. When it came to implementing their security policy, half of respondents found difficulty, and when it came to securing the supply chain, a third reported worries.
Given the inevitability of a cyber attack, organisations need to prepare themselves. Those that struggle to manage their cyber risk and/or hire skilled professions will benefit from outsourcing to skilled, reputable cyber security organisations who can guide them through the process.
Sources: [PR Newswire] [Beta News]
'Junk Gun' Ransomware: New Low-Cost Cyber Threat Targets SMBs
Sophos’ research reveals a concerning trend: ‘junk gun’ ransomware variants are now traded on the dark web. Rather than going the traditional route of selling or buying ransomware to or as an affiliate, attackers have now begun creating and selling unsophisticated ransomware variants for a one-time cost. Priced at a median of $375, they attract lower-skilled attackers, especially those targeting small and medium-sized businesses (SMBs). As major ransomware players fade, these variants pose significant threats, accounting for over 75% of cyber incidents affecting SMBs in 2023.
Source: [Security Brief] [Tripwire]
Penetration Testing Infrequency Leaves Security Gaps
Many organisations are struggling to maintain the balance between penetration testing and IT changes within the organisation, leaving security gaps according to a recent report. The report found that 73% of organisations reported changes to their IT environments at least quarterly, however only 40% performed penetration testing at the same frequency.
The issue arises where there is a significant duration during which changes have been implemented without undergoing assessment, leaving organisations open to risk for extended periods of time. Consider the situation in which an organisation moves their infrastructure from on-premise to the cloud: they now have a different IT environment, and with that, new risks.
Black Arrow always recommends that a robust penetration test should be conducted whenever changes to internet facing infrastructure have been made, and at least annually.
Source: [MSSP Alert]
Bank Prohibited from Opening New Accounts After Regulators Lose Patience with Poor Cyber Security Governance
A bank in India has been banned from signing up new customers, and instructed to focus on improving its cyber security after “serious deficiencies and non-compliances” were found within their IT environment. The compliances provided by the bank were described as “inadequate, incorrect or not sustained”. The bank is now subject to an external audit, which if passed, will consider the lifting of the restrictions placed upon them.
Source: [The Register]
The Psychological Impact of Phishing Attacks on Your Employees
Phishing remains one of the most prevalent attack vectors for bad actors, and its psychological impact on employees can be severe, with many employees facing a loss in confidence and job satisfaction as well as an increase in anxiety. In a study by Egress, it was found that 74% of employees were disciplined, dismissed or left voluntarily after suffering a phishing incident, which can cause hesitation when it comes to reporting phishing.
Phishing incidents and simulations where employees have clicked should be seen as an opportunity to learn, not to blame, and to understand why a phish was successful and what can be done in future to prevent it. Organisations should perform security education and awareness training to help employees lessen their chance of falling victim, as well as knowing the reporting procedures.
Source: [Beta News]
Where Hackers Find Your Weak Spots
A recent analysis highlights social engineering as a primary vector for cyber attacks, emphasising its reliance on meticulously gathered intelligence to exploit organisational vulnerabilities. Attackers leverage various intelligence sources; Open Source Intelligence (OSINT) for public data, Social Media Intelligence (SOCMINT) for social media insights, Advertising Intelligence (ADINT) from advertising data, Dark Web Intelligence (DARKINT) from the DarkWeb, and the emerging AI Intelligence (AI-INT) using artificial intelligence. These methods equip cyber criminals with detailed knowledge about potential victims, enabling targeted and effective attacks. The report underscores the critical importance of robust information management and employee training to mitigate such threats, specifically advocating for regular training, AI-use policies, and proactive intelligence gathering by organisations to protect against the substantial risks posed by social engineering.
Source: [Dark Reading]
The Role of Threat Intelligence in Financial Data Protection
The financial industry’s reliance on digital processes has made it vulnerable to cyber attacks. Criminals target sensitive customer data, leading to financial losses, regulatory fines, and reputational damage. To combat these threats such as phishing, malware, ransomware, and social engineering, financial institutions must prioritise robust cyber security measures. One effective approach is threat intelligence, which involves ingesting reliable threat data, customised to your sector and the technology you have in place, and dark web monitoring.
Source: [Security Boulevard]
Government Cannot Protect Business and Services from Cyber Attack, Decision Makers Say
According to a recent report, 66% of surveyed IT leaders expressed a lack of confidence in their government’s ability to defend people and enterprises from cyber attacks, especially those from nation state actors. This scepticism arises from the growing complexity of threats and the rapid evolution of cyber warfare. While governments play a critical role in national security, their agility in adapting to the ever-changing digital landscape leaves organisations finding themselves increasingly responsible for their own protection.
Source: [TechRadar] [Security Magazine]
Governance, Risk and Compliance
Ransomware triggers cyber insurance claims increase | SC Media (scmagazine.com)
Six out of 10 businesses struggle to manage cyber risk (betanews.com)
Email inbox cyber crime leaps as claims soar (emergingrisks.co.uk)
It Costs How Much?!? The Financial Pitfalls of Cyber Attacks on SMBs | Huntress
Why Cyber Security Should Be Driving Your Enterprise Risk Management Strategy (forbes.com)
Cyber attacks are on the rise, and that includes small businesses. Here's what to know | AP News
Cyber staff priority as threats continue – report (emergingrisks.co.uk)
UK government cannot protect businesses and services from cyber attacks, IT pros say | TechRadar
Why cyber attacks shouldn’t be viewed as isolated incidents - Raconteur
Bank banned from opening new accounts over IT risks • The Register
Battening down the hatches: Navigating third-party cyber threats | SC Media (scmagazine.com)
Cyber Attacks Keep Rising. Here's What Small Businesses Need to Know | Inc.com
73% of SME security pros missed or ignored critical alerts - Help Net Security
Unmasking the True Cost of Cyber Attacks: Beyond Ransom and Recovery (thehackernews.com)
4 steps CISOs can take to raise trust in their business | TechTarget
NCSC Says Newer Threats Need Network Defence Strategy | Trend Micro (US)
Uncertainty is the most common driver of noncompliance - Help Net Security
Threats
Ransomware, Extortion and Destructive Attacks
Ransomware triggers cyber insurance claims increase | SC Media (scmagazine.com)
Report finds a near 20% increase in ransomware victims year-over-year | Security Magazine
Ransomware Double-Dip: Re-Victimization in Cyber Extortion (thehackernews.com)
'Junk gun' ransomware: New low-cost cyber threat targets SMBs (securitybrief.co.nz)
Mandiant: Attacker dwell time down, ransomware up in 2023 | TechTarget
Behavioural patterns of ransomware groups are changing - Help Net Security
Record ransomware attacks in March 2024, report finds (securitybrief.co.nz)
Ransomware payments drop to record low of 28% in Q1 2024 (bleepingcomputer.com)
Hackers use developing countries as testing ground for new ransomware attacks (ft.com)
Ransomware Still On Rise Despite Better Defences, Firm Says - Law360
Hackers are using developing countries for ransomware practice | Ars Technica
Dark web inundated by cheap ransomware tools | SC Media (scmagazine.com)
Unmasking the True Cost of Cyber Attacks: Beyond Ransom and Recovery (thehackernews.com)
Action needed amid escalating ransomware attacks, record-high payments | SC Media (scmagazine.com)
HelloKitty ransomware rebrands, releases CD Projekt and Cisco data (bleepingcomputer.com)
Rising Ransomware Issue: English-Speaking Western Affiliates (govinfosecurity.com)
CL0P ransomware gang is on the rise | Hogan Lovells - JDSupra
Proportion paying ransoms declines in Q1 2024, even as takings break a new record (computing.co.uk)
Megazord Ransomware Attacking Healthcare & Govt Entities (cybersecuritynews.com)
CISA ransomware warning program set to fully launch by end of 2024 | CyberScoop
Cyber Hygiene Helps Organisations Mitigate Ransomware-Related Vulnerabilities | CISA
Ransomware attacks rise in global food & agriculture sector (securitybrief.co.nz)
Ransomware Victims
Hackers Were in Change Healthcare 9 Days Before Attack (pymnts.com)
UnitedHealth BlackCat Attack Cost is $872M in Q1 | MSSP Alert
UnitedHealth admits breach could affect large chunk of US • The Register
Back from the Brink: UnitedHealth Offers Sobering Post-Attack Update (darkreading.com)
UnitedHealth Paid Ransom to Protect Patient Data | MSSP Alert
UNDP, City of Copenhagen Targeted in Data-Extortion Cyber Attack (darkreading.com)
Cannes Hospital Cancels Medical Procedures Following Cyber Attack - Security Week
Small medical practices will close because of Change cyber attack, says AMA | Healthcare IT News
HelloKitty ransomware rebrands, releases CD Projekt and Cisco data (bleepingcomputer.com)
Sweden's liquor shelves to run empty this week due to ransomware attack (therecord.media)
Authentication failure blamed for Change Healthcare ransomware attack | CSO Online
Ransomware feared as Octapharma Plasma closes 150+ centers • The Register
Red Ransomware takes credit for Targus attack | SC Media (scmagazine.com)
Ransomware Gang Leaks Data Allegedly Stolen From Government Contractor - Security Week
Carpetright unable to trade after cyber attack - Retail Gazette
Street lights in Leicester City cannot be turned off due to a cyber attack (securityaffairs.com)
Phishing & Email Based Attacks
The psychological impact of phishing attacks on your employees (betanews.com)
Hackers Create Legit Phishing Links With Ghost GitHub, GitLab Comments (darkreading.com)
Authorities investigate LabHost users after phishing service shut down | SC Media (scmagazine.com)
LA County Health Services: Patients' data exposed in phishing attack (bleepingcomputer.com)
BEC
Other Social Engineering
LastPass Users Lose Master Passwords to Ultra-Convincing Scam (darkreading.com)
Open Source Groups Warn of Social Engineering Backdoors | MSSP Alert
Artificial Intelligence
AI is a major threat and financial organisations are not doing enough to fight it | Biometric Update
Fifth of CISOs Admit Staff Leaked Data Via GenAI - Infosecurity Magazine (infosecurity-magazine.com)
Five Eyes agencies publish report on AI security | Hogan Lovells - JDSupra
AI tools linked to data exposure in 1 in 5 UK organisations (securitybrief.co.nz)
CSOs say AI is 'biggest cyber threat' to organisations | TechRadar
Man arrested for 'framing colleague' with AI-generated voice • The Register
Microsoft Warns: North Korean Hackers Turn to AI-Fueled Cyber Espionage (thehackernews.com)
People doubt their own ability to spot AI-generated deepfakes - Help Net Security
A National Security Insider Does the Math on the Dangers of AI | WIRED
40% of organisations have AI policies for critical infrastructure | Security Magazine
GPT-4 can exploit real vulnerabilities by reading advisories • The Register
25 cyber security AI stats you should know - Help Net Security
Cyber Threats in the Age of AI: Protecting Your Digital DNA - Security Boulevard
6 security items that should be in every AI acceptable use policy | CSO Online
'Poisoned' data could wreck AIs in wartime, warns Army software acquisition chief - Breaking Defence
The use of AI in war games could change military strategy (theconversation.com)
2FA/MFA
Strengths & Weaknesses of MFA Methods Against Cyber Attacks | Duo Security
What is multi-factor authentication (MFA), and why is it important? - Help Net Security
Malware
ToddyCat APT Is Stealing Data on 'Industrial Scale' (darkreading.com)
Report says over 10 million devices were infected by data-stealing malware in 2023 - PhoneArena
New Brokewell malware takes over Android devices, steals data (bleepingcomputer.com)
GitLab affected by GitHub-style CDN flaw allowing malware hosting (bleepingcomputer.com)
Microsoft unmasks Russia-linked ‘GooseEgg’ malware (therecord.media)
Hackers hijack antivirus updates to drop GuptiMiner malware (bleepingcomputer.com)
eScan Antivirus Update Mechanism Exploited to Spread Backdoors and Miners (thehackernews.com)
Beware! Notorious Samurai Stealer Used in Targeted Attacks (cybersecuritynews.com)
Threat Actor Uses Multiple Infostealers in Global Campaign - Security Week
Seedworm Hackers Exploit RMM Tools to Deliver Malware (cybersecuritynews.com)
Antivirus updates hijacked to drop dangerous malware | TechRadar
Hackers infect users of antivirus service that delivered updates over HTTP | Ars Technica
Researchers sinkhole PlugX malware server with 2.5 million unique IPs (bleepingcomputer.com)
Millions of IPs remain infected by USB worm years after its creators left it for dead | Ars Technica
North Korea's Lazarus Group Deploys New Kaolin RAT via Fake Job Lures (thehackernews.com)
Mobile
Report says over 10 million devices were infected by data-stealing malware in 2023 - PhoneArena
Ukrainian soldiers’ apps increasingly targeted for spying, cyber agency warns (therecord.media)
iPhone password reset attacks are real – how to protect yourself | Mashable
New Brokewell malware takes over Android devices, steals data (bleepingcomputer.com)
Godfather Banking Trojan Spawns 1.2K Samples Across 57 Countries (darkreading.com)
Give Your iPhone a Security Boost With This iOS 17.4 Feature - CNET
Data Breaches/Leaks
5.3M World-Check records may be leaked; how to check your records | SC Media (scmagazine.com)
Hackers stole 7,000,000 people's DNA. But what can they do with it? | Tech News | Metro News
AT&T Offers All Customers Free Security Bundle After Data Breach (tech.co)
App bug exposes 1M neighbourhood watchers to data harvesters • The Register
Fifth of CISOs Admit Staff Leaked Data Via GenAI - Infosecurity Magazine (infosecurity-magazine.com)
Organised Crime & Criminal Actors
Rising Ransomware Issue: English-Speaking Western Affiliates (govinfosecurity.com)
Russian FSB Counterintelligence Chief Gets 9 Years in Cyber Crime Bribery Scheme – Krebs on Security
Authorities investigate LabHost users after phishing service shut down | SC Media (scmagazine.com)
To Catch a Cyber Criminal -- and the Fallout That Follows (informationweek.com)
Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain
eScan Antivirus Update Mechanism Exploited to Spread Backdoors and Miners (thehackernews.com)
Lazarus On the Hunt: How North Korean Hackers are Targeting Crypto via LinkedIn (bitcoinist.com)
Insider Risk and Insider Threats
Most people still rely on memory or pen and paper for password management - Help Net Security
CesiumAstro claims former exec spilled trade secrets to upstart competitor AnySignal | TechCrunch
Insurance
Ransomware triggers cyber insurance claims increase | SC Media (scmagazine.com)
Email inbox cyber crime leaps as claims soar (emergingrisks.co.uk)
Coalition: Insurance claims for Cisco ASA users spiked in 2023 | TechTarget
Supply Chain and Third Parties
Battening down the hatches: Navigating third-party cyber threats | SC Media (scmagazine.com)
Ransomware Gang Leaks Data Allegedly Stolen From Government Contractor - Security Week
Cloud/SaaS
How Attackers Can Own a Business Without Touching the Endpoint (thehackernews.com)
5 Hard Truths About the State of Cloud Security 2024 (darkreading.com)
Identity and Access Management
How Attackers Can Own a Business Without Touching the Endpoint (thehackernews.com)
Identity-based security threats are growing rapidly: report | CSO Online
Encryption
Europol asks tech firms, governments to get rid of E2EE • The Register
How tech firms are tackling the risks of quantum computing | World Economic Forum (weforum.org)
Australian authorities call for Big Tech help with decryption • The Register
Linux and Open Source
Passwords, Credential Stuffing & Brute Force Attacks
Most people still rely on memory or pen and paper for password management - Help Net Security
New Password Cracking Analysis Targets Bcrypt - Security Week
Brute Force Password Cracking Takes Longer - Don't Celebrate Yet (technewsworld.com)
Social Media
Dutch govt body: Don't use Facebook if unsure about privacy • The Register
North Korea's Lazarus Group Deploys New Kaolin RAT via Fake Job Lures (thehackernews.com)
Malvertising
Training, Education and Awareness
Regulations, Fines and Legislation
Preparing for NIS2: A Compliance Guide For Covered Entities | UpGuard
NIS2: Preparing for EU’s New Cyber Security Rules | Wilson Sonsini Goodrich & Rosati – JDSupra
Compliance in 2024: Cutting through the noise (federalnewsnetwork.com)
Google Postpones Third-Party Cookie Deprecation Amid UK Regulatory Scrutiny (thehackernews.com)
A view from Brussels: To be sovereign, or not to be (iapp.org)
Cyber Security | UK Regulatory Outlook April 2024 - Lexology
Net neutrality has been restored in the US - Help Net Security
Models, Frameworks and Standards
Fortifying your business with ISO 27001 - DCD (datacenterdynamics.com)
Preparing for NIS2: A Compliance Guide For Covered Entities | UpGuard
Taking Time to Understand NIS2 Reporting Requirements - Security Boulevard
Data Protection
Boost your data protection with insights from Dell's report - SiliconANGLE
A view from Brussels: To be sovereign, or not to be (iapp.org)
Careers, Working in Cyber and Information Security
Cyber staff priority as threats continue – report (emergingrisks.co.uk)
Three Ways Organisations Can Overcome the Cyber Security Skills Gap - Security Boulevard
Addressing the cyber skills shortage: 5 key steps to take | CSO Online
Five Essential Steps To Land Your First Cyber Security Job (forbes.com)
Expert Insight: Outdated Recruitment Methods Are Impeding The Global Cyber Army - IT Security Guru
Law Enforcement Action and Take Downs
Authorities investigate LabHost users after phishing service shut down | SC Media (scmagazine.com)
To Catch a Cyber Criminal -- and the Fallout That Follows (informationweek.com)
Man arrested for 'framing colleague' with AI-generated voice • The Register
Misinformation, Disinformation and Propaganda
Nation State Actors, Advanced Persistent Threats (APTs), Cyber Warfare, Cyber Espionage and Geopolitical Threats/Activity
Cyber Warfare and Cyber Espionage
State-Sponsored Hackers Exploit Two Cisco Zero-Day Vulnerabilities for Espionage (thehackernews.com)
China
ToddyCat APT Is Stealing Data on 'Industrial Scale' (darkreading.com)
Chinese, Russian espionage campaigns increasingly targeting edge devices (therecord.media)
UK mulls fresh controls on 'sensitive tech' after China cyber claim (thenextweb.com)
FBI Director Wray Issues Dire Warning on China's Cyber Security Threat (darkreading.com)
Head of Belgian Foreign Affairs Committee says she was hacked by China | Reuters
New tool used in China-linked attacks against Asia-Pacific | SC Media (scmagazine.com)
Dutch intelligence warns of stronger threats from China, jihadists and extremists | NL Times
MITRE breached by nation-state threat actor via Ivanti zero-days - Help Net Security
Ads on .gov.uk websites raise eyebrows over privacy • The Register
Russia
Microsoft: APT28 hackers exploit Windows flaw reported by NSA (bleepingcomputer.com)
Microsoft issues warning over ‘GooseEgg’ tool used in Russian hacking campaigns | ITPro
Chinese, Russian espionage campaigns increasingly targeting edge devices (therecord.media)
Russia's Fancy Bear Pummels Windows Print Spooler Bug (darkreading.com)
Overflowing Water Tank Linked to Russian Cyber Attack (govtech.com)
Russia accused of jamming GPS signal on flights from UK causing route chaos (inews.co.uk)
Russian Sandworm hackers targeted 20 critical orgs in Ukraine (bleepingcomputer.com)
Russian FSB Counterintelligence Chief Gets 9 Years in Cyber Crime Bribery Scheme – Krebs on Security
Campaigns and political parties are in the crosshairs of election meddlers | CyberScoop
Mandiant: Russia, Iran pose biggest threat to 2024 elections • The Register
Ukrainian soldiers’ apps increasingly targeted for spying, cyber agency warns (therecord.media)
MITRE breached by nation-state threat actor via Ivanti zero-days - Help Net Security
Ukraine participates in NATO cyber security exercise in Estonia / The New Voice of Ukraine (nv.ua)
Cyber attacks on Poland surged after election of pro-Ukraine regime (thenextweb.com)
Iran
Campaigns and political parties are in the crosshairs of election meddlers | CyberScoop
Mandiant: Russia, Iran pose biggest threat to 2024 elections • The Register
Iranian nationals charged with hacking US companies, Treasury and State departments | CyberScoop
The Biggest 2024 Elections Threat: Kitchen-Sink Attack Chains (darkreading.com)
North Korea
Hackers hijack antivirus updates to drop GuptiMiner malware (bleepingcomputer.com)
Microsoft Warns: North Korean Hackers Turn to AI-Fuelled Cyber Espionage (thehackernews.com)
North Korea's Lazarus Group Deploys New Kaolin RAT via Fake Job Lures (thehackernews.com)
Other Nation State Actors, Hacktivism, Extremism, Terrorism and Other Geopolitical Threat Intelligence
Vulnerability Management
Third-Party Software Patching: Your Cyber Armor in 2024 | MSSP Alert
Automated patch management: 9 best practices for success | TechTarget
Vulnerabilities Versus Intentionally Malicious Software Components - The New Stack
GPT-4 can exploit real vulnerabilities by reading advisories • The Register
CISA ransomware warning program set to fully launch by end of 2024 | CyberScoop
Vulnerabilities
22,500 Palo Alto firewalls "possibly vulnerable" to ongoing attacks (bleepingcomputer.com)
Palo Alto Networks Discloses More Details on Critical PAN-OS Flaw Under Attack (thehackernews.com)
Russia's Fancy Bear Pummels Windows Print Spooler Bug (darkreading.com)
'MagicDot' Windows Weakness Allows Unprivileged Rootkit Activity (darkreading.com)
Microsoft: APT28 hackers exploit Windows flaw reported by NSA (bleepingcomputer.com)
MITRE says state hackers breached its network via Ivanti zero-days (bleepingcomputer.com)
GitLab affected by GitHub-style CDN flaw allowing malware hosting (bleepingcomputer.com)
Google Patches Critical Chrome Vulnerability - Security Week
Microsoft releases Exchange hotfixes for security update issues (bleepingcomputer.com)
PoC Exploit Released For Critical Oracle VirtualBox Vulnerability (gbhackers.com)
Critical Forminator plugin flaw impacts over 300k WordPress sites (bleepingcomputer.com)
Major Security Flaw in Popular Keyboard Apps Puts Millions at Risk (cybersecuritynews.com)
Patch Now: CrushFTP Zero-Day Cloud Exploit Targets US Orgs (darkreading.com)
GitHub vulnerability leaks sensitive security reports | TechTarget
New Password Cracking Analysis Targets Bcrypt - Security Week
Maximum severity Flowmon bug has a public exploit, patch now (bleepingcomputer.com)
Tools and Controls
Seedworm Hackers Exploit RMM Tools to Deliver Malware (cybersecuritynews.com)
Third-Party Software Patching: Your Cyber Armour in 2024 | MSSP Alert
The Role of Threat Intelligence in Financial Data Protection - Security Boulevard
Automated patch management: 9 best practices for success | TechTarget
Rethinking How You Work with Detection and Response Metrics (darkreading.com)
Choosing SOC Tools? Read This First [2024 Guide] - Security Boulevard
Research Shows How Attackers Can Abuse EDR Security Products - SecurityWeek
What is multi-factor authentication (MFA), and why is it important? - Help Net Security
Strengths & Weaknesses of MFA Methods Against Cyber Attacks | Duo Security
Zero Trust Takes Over: 63% of Orgs Implementing Globally (darkreading.com)
5 Hard Truths About the State of Cloud Security 2024 (darkreading.com)
Explore CASB use cases before you decide to buy | TechTarget
SD-WAN: Don't Build a Dead End, Prepare for Future-Proof Secure Networking - SecurityWeek
Identity-based security threats are growing rapidly: report | CSO Online
Microsoft criticized for charging for security add-ons • The Register
5 insights from new Microsoft CNAPP guide | Microsoft Security Blog
The Peril of Badly Secured Network Edge Devices (inforisktoday.com)
VPNs, Firewalls' Nonexistent Telemetry Lures APTs (darkreading.com)
The first steps of establishing your cloud security strategy - Help Net Security
40% of organizations have AI policies for critical infrastructure | Security Magazine
Understand the Benefits and Limitations of Automated Tools in Penetration Testing (prweb.com)
World´s most advanced cyber defence exercise kicks off in Tallinn
CISA ransomware warning program set to fully launch by end of 2024 | CyberScoop
Reports Published in the Last Week
Mandiant's M-Trends Report Reveals New Insights from Frontline Cyber Investigations (prnewswire.com)
Boost your data protection with insights from Dell's report - SiliconANGLE
Rising Cyber Threats Pose Serious Concerns for Financial Stability (imf.org)
Cyber Security in the UK - House of Commons Library (parliament.uk)
Other News
Why Educating HR Professionals on Cyber Risk Is Crucial (thehrdirector.com)
Network Threats: A Step-by-Step Attack Demonstration (thehackernews.com)
UK cyber agency NCSC announces Richard Horne as its next chief executive (therecord.media)
Internet cable at Cali airport cut in apparent sabotage • The Register
EU Statement – UN General Assembly 1st Committee: Cyber Security | EEAS (europa.eu)
Why Tourists Are Particularly Vulnerable To Cyber Attacks (maltatoday.com.mt)
AI Is Going Well For Microsoft, But Cyber Security Is Not - Microsoft (NASDAQ:MSFT) - Benzinga
Questions for IT and cyber leaders from the CSRB Microsoft report | Computer Weekly
World´s most advanced cyber defence exercise kicks off in Tallinn
Why Cyber Security Is Key To Solving Global Crises (forbes.com)
Colleges spending more than ever on cyber security efforts (insidehighered.com)
Foreign states targeting UK universities, MI5 warns - BBC News
Cyber resilience in the public sector: lessons for UK Councils (techinformed.com)
Digital Blitzkrieg: Unveiling Cyber Logistics Warfare (darkreading.com)
Sector Specific
Industry specific threat intelligence reports are available.
Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.
· Automotive
· Construction
· Critical National Infrastructure (CNI)
· Defence & Space
· Education & Academia
· Energy & Utilities
· Estate Agencies
· Financial Services
· FinTech
· Food & Agriculture
· Gaming & Gambling
· Government & Public Sector (including Law Enforcement)
· Health/Medical/Pharma
· Hotels & Hospitality
· Insurance
· Legal
· Manufacturing
· Maritime
· Oil, Gas & Mining
· OT, ICS, IIoT, SCADA & Cyber-Physical Systems
· Retail & eCommerce
· Small and Medium Sized Businesses (SMBs)
· Startups
· Telecoms
· Third Sector & Charities
· Transport & Aviation
· Web3
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Threat Briefing 12 April 2024
Black Arrow Cyber Threat Intelligence Briefing 12 April 2024:
-UK Cyber Breaches Survey Finds Business Falling Short on Cyber, as Half Suffer Breach and Many Fail to Report
-The Cyber Attack Stopped by a Microsoft Engineer Was Scarier Than We Realise
-UK Government Urged to Get on ‘Front Foot’ with Ransomware Instead of ‘Absorbing the Punches’
-74% of Employees Falling Victim to Phishing Attacks Hit with Disciplinary Actions; Egress Reveals
-Why Are Many Businesses Turning to Third-Party Security Partners?
-60% of SMBs and 74% of Businesses with up to 500 Employees are Concerned About Cyber Security as Attacks Rise
-Cyber Attacks Cost Financial Firms $12bn Says IMF
-LastPass: Hackers Targeted Employee in Failed Deepfake CEO Call
-Most Cyber Criminal Threats are Concentrated in Just a Few Countries
-Why Incident Response is the Best Cyber Security ROI
-Ransomware Attacks are the Canaries in the Cyber Coal Mine
-Cyber Security is Crucial, but What is Risk and How do You Assess it?
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
UK Cyber Breaches Survey Finds Business Falling Short on Cyber, as Half Suffer Breach and Many Fail to Report
Half of UK businesses experienced a cyber breach last year, according to a survey by the UK Government. The figure could be much higher however, as the survey found only 34% report breaches externally.
It is said that a cyber incident is a matter of when, not if. Nonetheless, 78% of organisations lack a dedicated response plan outlining actions to be taken in the event of a cyber incident and only 11% review their immediate suppliers for risks. To improve cyber resilience, there needs to be a paradigm shift.
Sources: [Computer Weekly] [Computing] [Infosecurity Magazine] [Info Risk Today]
Cyber Attacks Cost Financial Firms $12bn Says IMF
A recent International Monetary Fund (IMF) report has highlighted significant financial losses in the financial services sector, totalling $12 billion over the last two decades due to cyber attacks, with losses accelerating post-pandemic. The number of incidents and the scale of extreme losses have sharply increased, prompting the IMF to urge enhanced cross-border cooperation to uphold the stability of the global financial system.
The report underscores the critical threat that cyber attacks pose to financial stability, particularly for banks in advanced economies which are more exposed to such risks. With major institutions like JP Morgan facing up to 45 billion cyber threats daily, the IMF emphasises the need for international collaboration to effectively manage and mitigate these risks.
Source: [Finextra]
The Cyber Attack Stopped by a Microsoft Engineer Was Scarier Than We Realise
A critical security breach was narrowly avoided when a Microsoft developer detected suspicious activity in XZ Utils, an open-source library crucial to internet infrastructure. This discovery revealed that a new developer had implanted a sophisticated backdoor in the software, potentially giving unauthorised access to millions of servers worldwide. This incident has intensified scrutiny on the vulnerabilities of open-source software, which is largely maintained by unpaid or underfunded volunteers and serves as a backbone for the internet economy. The situation has prompted discussions among government officials and cyber security experts about enhancing the protection of open-source environments. This close call, described by some as a moment of "unreasonable luck," underscores the pressing need for sustainable support and rigorous security measures in the open-source community.
Source: [Inc.com]
UK Government Urged to Get on ‘Front Foot’ with Ransomware Instead of ‘Absorbing the Punches’
Amidst a rising tide of ransomware attacks affecting wide range of UK services, officials in Westminster are being pressured to enhance funding for operations aimed at disrupting ransomware gangs. The current strategy focuses on bolstering organisational cyber security and recovery preparedness, a stance under the second pillar of the UK's National Cyber Strategy known as resilience. However, this approach has not curbed the frequency of incidents, which have steadily increased over the past five years, impacting sectors including the NHS and local governments. In contrast to the proactive disruption efforts seen in the US, the UK has yet to allocate new funds for such measures, despite successful disruptions like the recent takedown of the LockBit gang by the US National Crime Agency, which underscored the potential benefits of increased resources for cyber crime disruption.
Source: [The Record Media]
74% of Employees Falling Victim to Phishing Attacks Hit with Disciplinary Actions
The Egress 'Email Threat Landscape 2024' report reveals a surge in phishing attacks, with 94% of companies falling victim to this type of crime in this past year alone, leading to increasingly complex cyber security challenges. According to the report, 96% of these companies suffered significant repercussions, including operational disruption and data breaches, with common attack vectors being malicious URLs, and malware or ransomware attachments.
The human cost is also notable, with 74 per cent of employees involved in attacks having faced disciplinary actions, dismissals, or voluntary departures, underscoring the severity of the issue and the heightened vigilance among companies in addressing the phishing threat. Financial losses primarily stem from customer churn, which accounts for nearly half of the total impact. Amidst rising attacks through compromised third-party accounts, Egress advocates for stronger monitoring and defence strategies to protect critical data and reduce organisational and individual hardships.
Source: [The Fintech Times]
Why Are Many Businesses Turning to Third-Party Security Partners?
In 2023, 71% of organisations reported being impacted by a cyber security skills shortage, leading many to scale back their cyber security initiatives amid escalating threats. To bridge the gap, businesses are increasingly turning to third-party security partnerships, reflecting a shift towards outsourcing crucial cyber security operations to handle complex challenges more efficiently. This approach is driven by the need to fill technical and resource gaps in the face of a severe workforce shortfall, with an estimated 600,000 unfilled security positions in the US alone. Moreover, these strategic partnerships allow organisations to leverage external expertise for scalable and effective security solutions, alleviating the burden of staying updated with the rapidly evolving threat landscape.
Source: [Help Net Security]
74% of Businesses with up to 500 Employees are Concerned About Cyber Security as Attacks Rise
According to a recent poll by the US Chamber of Commerce, 60% of small businesses expressed concerns about threats, with 58% concerned about a supply chain breakdown. The highest concern came from businesses with 20-500 employees (74%). Despite such concern, only 49% had trained staff on cyber security. When it came to the impact of a cyber event, 27% of respondents say they are one disaster or threat away from shutting down their business.
Sources: [Malwcv arebytes][Marketplace] [US Chamber]
LastPass: Hackers Targeted Employee in Failed Deepfake CEO Call
LastPass recently reported a thwarted voice phishing attack targeting one of its employees using deepfake audio technology to impersonate CEO Karim Toubba. The attack, conducted via WhatsApp, was identified by the employee as suspicious due to the unusual communication channel and clear signs of social engineering, such as forced urgency. Despite the failure of this particular attempt, LastPass has shared the incident publicly to highlight the growing use of AI-generated deepfakes in executive impersonation schemes. This incident underscores a broader trend, as indicated by alerts from both the US Department of Health and Human Services and the FBI, pointing to an increase in sophisticated cyber attacks employing deepfake technology for fraud, social engineering, and potential influence operations.
Source: [Bleepingcomputer]
Most Cyber Criminal Threats are Concentrated in Just a Few Countries
Oxford researchers have developed the world's first cyber crime index to identify global hotspots of cyber criminal activity, ranking countries based on the prevalence and sophistication of cyber threats. The index reveals that a significant portion of cyber threats is concentrated in a few countries, with Russia and Ukraine positioned at the top, with the USA and the UK also ranking prominently. The results indicate that countries like China, Russia, Ukraine, the US, Romania, and Nigeria are among the top hubs for activities ranging from technical services to money laundering. This tool aims to refine the focus for cyber crime research and prevention efforts, although the study acknowledges the need for a broader and more representative sample of expert opinions to enhance the accuracy and applicability of the findings. The index underscores that while cyber crime may appear globally fluid, it has pronounced local concentrations.
Sources: [ThisisOxfordshire] [Phys Org]
Why Incident Response is the Best Cyber Security ROI
The Microsoft Incident Response Reference Guide predicts that most organisations will encounter one or more major security incidents where attackers gain administrative control over crucial IT systems and data. While complete prevention of cyber attacks may not be feasible, prompt and effective incident response is essential to mitigate damage and protect reputations. However, many organisations may not be adequately budgeting for incident response, and the recent UK Government report found that 78% of organisations do not have formalised incident response plans, risking prolonged recovery and increased costs. Cyber crime damages hit $23b in 2023, but the true costs of incidents includes non-financial damage such as reputational harm. If a cyber incident is a matter of when, not if, then a prepared incident response plan is the best cyber security ROI.
Black Arrow works with organisations of all sizes and sectors to design and prepare for managing a cyber security incident; this can include an Incident Response Plan and an educational tabletop exercise for the leadership team that highlights the proportionate controls to help the organisation prevent and mitigate an incident.
Source: [CSO Online]
Ransomware Attacks are the Canaries in the Cyber Coal Mine
A recent report has found that ransomware attacks were up 110% compared to the prior month, stating that unreported attacks were up to 6 times higher. The report found that tactics are increasingly using data extortion, with 92% of attacks utilising this method.
Sources: [Silicon Republic] [The Hill]
Cyber Security is Crucial, but What is Risk and How do You Assess it?
Cyber security is an increasingly sophisticated game of cat and mouse, where the landscape is constantly shifting. Your cyber risk is the probability of negative impacts stemming from a cyber incident, but how do you assess risk?
One thing to understand is that there are a multitude of risks: risks from phishing, risks from insiders, risks from network attacks, risks of supply chain compromise, and of course, nation states. To understand risk, an organisation must first identify the information that it needs to protect, to avoid only learning of the information asset’s existence from a successful attacker. Once all assets are identified, then organisations should conduct risk assessments to identify threats and an evaluation the potential damage that can be done.
Sources: [Security Boulevard] [International Banker]
Governance, Risk and Compliance
Cyber attacks cost financial firms $12bn says IMF (finextra.com)
UK business falling short on cybersecurity warns government report (computing.co.uk)
60% of small businesses are concerned about cyber security threats | Malwarebytes
Cyber attacks on small businesses are on the rise - Marketplace
What is cyber security risk & how to assess - Security Boulevard
Cyber Security Regulations Aren’t Static—Your Practices Can’t Be Either (forbes.com)
Why Cyber Security Is More Crucial Today Than Ever Before (internationalbanker.com)
Why are many businesses turning to third-party security partners? - Help Net Security
CISO Perspectives on Complying with Cyber Security Regulations (thehackernews.com)
Why incident response is the best cyber security ROI | CSO Online
Privacy Versus Cyber – What is the Bigger Risk? | Jackson Lewis P.C. - JDSupra
Large businesses struggle to tackle cyber threats (betanews.com)
Resilience And Antifragility Are The Best Strategies For 2024 (forbes.com)
The state of secrets security: 7 action items for better managing risk - Security Boulevard
Former Uber CSO Joe Sullivan and lessons learned from the infamous 2016 Uber breach | CSO Online
Why cyberpsychology is such an important part of effective cyber security | CSO Online
Cyber Security in the Evolving Threat Landscape (securityaffairs.com)
How CISOs can make themselves ready to serve on the board | CSO Online
CISOs Need A Data-Driven Approach To Offensive Security (forbes.com)
Threats
Ransomware, Extortion and Destructive Attacks
Ransomware surged 110pc last month, report claims (siliconrepublic.com)
Ransomware attacks are the canaries in the cyber coal mine | The Hill
Ransomware gang’s new extortion trick? Calling the front desk | TechCrunch
Frameworks, Guidelines & Bounties Alone Won't Defeat Ransomware (darkreading.com)
Ransomware group maturity should influence ransom payment decision - Help Net Security
Proactive and Reactive Ransomware Protection Strategies - Security Boulevard
How can the energy sector bolster its resilience to ransomware attacks? - Help Net Security
CL0P's Ransomware Rampage - Security Measures for 2024 (thehackernews.com)
LockBit copycat DarkVault spurs rebranding rumour | SC Media (scmagazine.com)
Ransomware payouts hit all-time high, but that’s not the whole story (securityintelligence.com)
Ransomware Victims
Second ransomware gang says it’s extorting Change Healthcare • The Register
Targus says it is facing major cyber attack, global operations hit | TechRadar
Optics giant Hoya hit with $10 million ransomware demand (bleepingcomputer.com)
Panera Bread week-long IT outage caused by ransomware attack (bleepingcomputer.com)
Phishing & Email Based Attacks
Honeytrap sext scandal MP William Wragg will keep Tory whip (thetimes.co.uk)
How malicious email campaigns continue to slip through the cracks - Help Net Security
TA547 Phishing Attack Hits German Firms with Rhadamanthys Stealer (thehackernews.com)
Cyber Criminals Invade Inboxes: What Small Businesses Can Do (pymnts.com)
Phishing Detection and Response: What You Need to Know - Security Boulevard
Other Social Engineering
Cyber Criminals Target Victims Using Social Engineering Techniques (ic3.gov)
Honeytrap sext scandal MP William Wragg will keep Tory whip (thetimes.co.uk)
LastPass: Hackers targeted employee in failed deepfake CEO call (bleepingcomputer.com)
Artificial Intelligence
China is using generative AI to carry out influence operations (securityaffairs.com)
What Lies Ahead for Cyber Security in the Era of Generative AI? - IT Security Guru
AI risks under the auditor's lens more than ever - Help Net Security
Speed of AI development is outpacing risk assessment | Ars Technica
Malicious PowerShell script pushing malware looks AI-written (bleepingcomputer.com)
LastPass: Hackers targeted employee in failed deepfake CEO call (bleepingcomputer.com)
AI-as-a-Service Providers Vulnerable to PrivEsc and Cross-Tenant Attacks (thehackernews.com)
How Artificial Intelligence Is Fuelling Incel Communities (yahoo.com)
2FA/MFA
Malware
Urgent Security Alert! Hackers Hijacked Notepad++ Plugin (gbhackers.com)
Sophisticated Latrodectus Malware Linked to 2017 Strain (inforisktoday.com)
Critical Flaws Leave 92,000 D-Link NAS Devices Vulnerable to Malware Attacks (thehackernews.com)
Bing ad posing as NordVPN aims to spread SecTopRAT malware | SC Media (scmagazine.com)
ScrubCrypt used to drop VenomRAT along with many malicious plugins (securityaffairs.com)
Unit 42: Malware-initiated scanning attacks on the rise | TechTarget
RUBYCARP hackers linked to 10-year-old cryptomining botnet (bleepingcomputer.com)
Raspberry Robin Returns: New Malware Campaign Spreading Through WSF Files (thehackernews.com)
Malicious PowerShell script pushing malware looks AI-written (bleepingcomputer.com)
TA547 Phishing Attack Hits German Firms with Rhadamanthys Stealer (thehackernews.com)
Mobile
Denial of Service/DoS/DDOS
How Nation-State DDoS Attacks Impact Us All (darkreading.com)
DDoS Protection Needs Detective and Preventive Controls (darkreading.com)
French cities knocked offline by 'large-scale cyber attack' • The Register
Internet of Things – IoT
Amazon Removes a Feature From Fire TVs Over Security Concerns | Cord Cutters News
Over 90,000 LG Smart TVs may be exposed to remote attacks (bleepingcomputer.com)
EV Charging Stations Still Riddled With Cyber Security Vulnerabilities (darkreading.com)
UK town halls given green light to use Chinese CCTV — despite Westminster ban – POLITICO
Hotel check-in terminal leaks rafts of guests' room codes • The Register
Data Breaches/Leaks
Many of the world's biggest companies reported data breaches last year | TechRadar
US Data Breach Reports Surge 90% Annually in Q1 - Infosecurity Magazine (infosecurity-magazine.com)
37% of publicly shared files expose personal information - Help Net Security
Acuity confirms hackers stole non-sensitive govt data from GitHub repos (bleepingcomputer.com)
Home Depot confirms third-party data breach exposed employee info (bleepingcomputer.com)
AT&T now says data breach impacted 51 million customers (bleepingcomputer.com)
DOJ data on 340,000 individuals stolen in consulting firm hack | SC Media (scmagazine.com)
Taxi software vendor exposes personal details of nearly 300K • The Register
Employee credentials leaked in Microsoft security lapse (techmonitor.ai)
Organised Crime & Criminal Actors
Russia ranked biggest cyber crime threat to rest of the world | Tech News | Metro News
Oxford research uncovers world cyber crime hotspots | thisisoxfordshire
Cyber crooks poison GitHub search to fool developers | Computer Weekly
Zambia Busts 77 People in China-Backed Cyber Crime Op (darkreading.com)
Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain
Hackers deploy crypto drainers on thousands of WordPress sites (bleepingcomputer.com)
RUBYCARP hackers linked to 10-year-old cryptomining botnet (bleepingcomputer.com)
Insider Risk and Insider Threats
Microsoft employees exposed internal passwords in security lapse | TechCrunch
Insider Threats Surge Amid Growing Foreign Interference - Security Boulevard
Insurance
US insurers using drones to deny home insurance policies • The Register
Cyber Insurance: Sexy? No. Important? Critically yes. - Security Boulevard
Supply Chain and Third Parties
Why a near-miss cyber attack put US officials and the tech industry on edge - The Japan Times
DOJ data on 340,000 individuals stolen in consulting firm hack | SC Media (scmagazine.com)
Encryption
Linux and Open Source
The Cyber Attack Stopped by a Microsoft Engineer Was Scarier Than We Realize | Inc.com
Supply chain attack sends shockwaves through open-source community | CyberScoop
German state ditches Microsoft for Linux and LibreOffice | ZDNET
Open source foundations unite on common standards for EU’s Cyber Resilience Act | TechCrunch
Who’s the bigger cyber security risk – Microsoft or open source? (reason.com)
Passwords, Credential Stuffing & Brute Force Attacks
Reusing passwords: The hidden cost of convenience (bleepingcomputer.com)
Microsoft employees exposed internal passwords in security lapse | TechCrunch
CISA says Sisense hack impacts critical infrastructure orgs (bleepingcomputer.com)
Social Media
Regulations, Fines and Legislation
Cyber Security Regulations Aren’t Static—Your Practices Can’t Be Either (forbes.com)
Open source foundations unite on common standards for EU’s Cyber Resilience Act | TechCrunch
Spy Law Needs Fixing Now to Stop Overreach—Not a Backdoor Boost (bloomberglaw.com)
CISA: 300,000+ Small Entities Covered By Proposed Cyber Reporting Regs | MSSP Alert
CISO Perspectives on Complying with Cyber Security Regulations (thehackernews.com)
Models, Frameworks and Standards
HIPAA Fundamentals for Providers | Tucker Arensberg, P.C. - JDSupra
Process and Control Today | NIS2 – cyber security directive from the EU. Get ready! (pandct.com)
Backup and Recovery
Data Protection
Careers, Working in Cyber and Information Security
Law Enforcement Action and Take Downs
Misinformation, Disinformation and Propaganda
Nation State Actors, Advanced Persistent Threats (APTs), Cyber Warfare, Cyber Espionage and Geopolitical Threats/Activity
Nation State Actors
China
A TikTok Whistleblower Got DC’s Attention. Do His Claims Add Up? | WIRED
China is using generative AI to carry out influence operations (securityaffairs.com)
Zambia Busts 77 People in China-Backed Cyber Crime Op (darkreading.com)
Honeytrap sext scandal MP William Wragg will keep Tory whip (thetimes.co.uk)
UK town halls given green light to use Chinese CCTV — despite Westminster ban – POLITICO
China flooding Britain with fake stamps in act of 'economic warfare' (telegraph.co.uk)
Russia
Germany to launch cyber military branch to combat Russian threats (therecord.media)
US says Russian hackers stole federal government emails during Microsoft cyber attack | TechCrunch
Macron: Russia will target Paris Olympics (insidethegames.biz)
Cyber attack on TV channel BabyTV: Toddlers suddenly exposed to Russian propaganda | NL Times
Cyber security in 2023: Estonia's year of advanced threats (e-estonia.com)
Oxford research uncovers world cyber crime hotspots | thisisoxfordshire
Most cyber criminal threats are concentrated in just a few countries, new index shows (phys.org)
Extensive Russian criminal record leak conducted by hacktivist group | SC Media (scmagazine.com)
Other Nation State Actors, Hacktivism, Extremism, Terrorism and Other Geopolitical Threat Intelligence
Top Israeli spy chief exposes his true identity in online security lapse | Israel | The Guardian
Extensive Russian criminal record leak conducted by hacktivist group | SC Media (scmagazine.com)
Apple Updates Spyware Alert System to Warn Victims of Mercenary Attacks (thehackernews.com)
Apple Warns of iPhone "Mercenary Attack" Across 92 Countries (cnet.com)
Vulnerability Management
Zero-Day Attacks on the Rise: Google Reports 50% Increase in 2023 - Security Boulevard
How exposure management elevates cyber resilience - Help Net Security
Company Offering $30 Million for Android, iOS, Browser Zero-Day Exploits - Security Week
Unit 42: Malware-initiated scanning attacks on the rise | TechTarget
Vulnerabilities
Microsoft Fixes 149 Flaws in Huge April Patch Release, Zero-Days Included (thehackernews.com)
Patch Tuesday: Code Execution Flaws in Multiple Adobe Software Products - Security Week
SAP's April 2024 Updates Patch High-Severity Vulnerabilities - Security Week
Microsoft Plugs Gaping Hole in Azure Kubernetes Service Confidential Containers - Security Week
Two new bugs can bypass detection and steal SharePoint data | SC Media (scmagazine.com)
New SharePoint flaws help hackers evade detection when stealing files (bleepingcomputer.com)
Hackers Claiming of Working Windows 0-Day LPE Exploit (cybersecuritynews.com)
Microsoft fixes five security vulnerabilities in Edge 123 - Neowin
Cisco Warns of Vulnerability in Discontinued Small Business Routers - Security Week
Urgent Security Alert! Hackers Hijacked Notepad++ Plugin (gbhackers.com)
+16K Ivanti VPN gateways still vulnerable to RCE CVE-2024-21894 (securityaffairs.com)
Over 92,000 exposed D-Link NAS devices have a backdoor account (bleepingcomputer.com)
Company Offering $30 Million for Android, iOS, Browser Zero-Day Exploits - Security Week
Critical 'BatBadBut' Rust Vulnerability Exposes Windows Systems to Attacks (thehackernews.com)
Intel and Lenovo servers impacted by 6-year-old BMC flaw (bleepingcomputer.com)
Critical Flaws Leave 92,000 D-Link NAS Devices Vulnerable to Malware Attacks (thehackernews.com)
Fortinet Patches Critical RCE Vulnerability in FortiClientLinux - Security Week
Researchers Resurrect Spectre v2 Attack Against Intel CPUs - Security Week
AI-as-a-Service Providers Vulnerable to PrivEsc and Cross-Tenant Attacks (thehackernews.com)
Severe Vulnerabilities Discovered in Software to Protect Internet Routing (prleap.com)
Tools and Controls
Seven ways to be sure you can restore from backup | Computer Weekly
Why incident response is the best cyber security ROI | CSO Online
Improving Dark Web Investigations with Threat Intelligence | Recorded Future
What Lies Ahead for Cyber Security in the Era of Generative AI? - IT Security Guru
What is cyber security risk & how to assess - Security Boulevard
Your Guide to Threat Detection and Response - Security Boulevard
Report finds 90% of cyber attacks in 2023 exploited RDP (securitybrief.co.nz)
How exposure management elevates cyber resilience - Help Net Security
Phishing Detection and Response: What You Need to Know - Security Boulevard
The state of secrets security: 7 action items for better managing risk - Security Boulevard
How Red Team Exercises Increases Your Cyber Health | Trend Micro (US)
How Google’s 90-day TLS certificate validity proposal will affect enterprises - Help Net Security
Reports Published in the Last Week
Other News
Third of charities experienced a cyber breach last year, government reports (civilsociety.co.uk)
Hackers Exploit Magento Bug to Steal Payment Data from E-commerce Websites (thehackernews.com)
OODA Loop - The Water Sector Is Being Threatened. That Should Worry Everyone
France Bracing for Cyber Attacks During Summer Olympics - The New York Times (nytimes.com)
Risk & Repeat: Cyber Safety Review Board takes Microsoft to task | TechTarget
The Baltimore Bridge Collapse Is a Warning | Proceedings - April 2024 Vol. 150/4/1,454 (usni.org)
Report finds 90% of cyber attacks in 2023 exploited RDP (securitybrief.co.nz)
Financial sector cyber security at the helm of investor protection | Mint (livemint.com)
US Health Dept warns hospitals of hackers targeting IT help desks (bleepingcomputer.com)
Former Uber CSO Joe Sullivan and lessons learned from the infamous 2016 Uber breach | CSO Online
Software-Defined Vehicle Fleets Face a Twisty Road on Cyber Security (darkreading.com)
Independent Pharmacies Must Prioritize Cyber Security (drugtopics.com)
Devious 'man in the middle' hacks on the rise: How to stay safe | PCWorld
Top 10 Attacker Techniques: What do They Mean for MSSPs? | MSSP Alert
Sector Specific
Industry specific threat intelligence reports are available.
Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.
· Automotive
· Construction
· Critical National Infrastructure (CNI)
· Defence & Space
· Education & Academia
· Energy & Utilities
· Estate Agencies
· Financial Services
· FinTech
· Food & Agriculture
· Gaming & Gambling
· Government & Public Sector (including Law Enforcement)
· Health/Medical/Pharma
· Hotels & Hospitality
· Insurance
· Legal
· Manufacturing
· Maritime
· Oil, Gas & Mining
· OT, ICS, IIoT, SCADA & Cyber-Physical Systems
· Retail & eCommerce
· Small and Medium Sized Businesses (SMBs)
· Startups
· Telecoms
· Third Sector & Charities
· Transport & Aviation
· Web3
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Advisory 28 March 2023 – DEV-1101 Automated AiTM Phishing Campaigns Bypassing MFA
Black Arrow Cyber Advisory 28 March 2023 – DEV-1101 Automated AiTM Phishing Campaigns Bypassing MFA
Executive Summary
Microsoft Threat intelligence team has recently exposed the activities of a threat actor named DEV-1101. This threat actor advertises an open-source phishing kit that can be deployed to automate Adversary-in-the-middle (AiTM) campaigns. The phishing kit has the capability to circumvent multifactor authentication (MFA), evade detection through an antibot database, manage the phishing activity through telegram bots, and mimics services such as Microsoft Office or Outlook.
What’s the risk to me or my business?
If an AiTM phishing campaign is successful, the actor can set up a malicious site that will act as the intended valid website such as Microsoft Office or Microsoft Outlook. Here it can steal the credentials of the user and steal the authenticated session tokens of the MFA. In the most severe situations this can lead to a loss of confidentiality, integrity or availability of affected systems as the attacker has free access to perform any further criminal activity such as stealing, corrupting or and deleting data. Alongside the impact of the compromise, this can also lead to reputational damage and potentially financial penalties.
What can I do?
Black arrow recommends that you always deploy and maintain MFA where possible. While certain certain attacks may be able to circumvent MFA, it is important to remember that strong cyber security controls involve having layers of defences, in this case Conditional Access could be used to supplement the MFA control could reduce the risk of compromise. Organisations should also look to implement continuous monitoring for suspicious and anomalous activity to identify indicators of compromise. Other actions can be to ensure software and operating systems are up to date to avoid common vulnerabilities to be exploited. It is also vital that this is supplemented with end-user training including phishing simulations as this is the ingress point for this type of attack. Users should be encouraged to report any instances of interactions with emails that do not seem right.
Further information on the attack method can be found here:
Need help understanding your gaps, or just want some advice? Get in touch with us.
#threatadvisory #threatintelligence #cybersecurity
Black Arrow Cyber Threat Briefing 17 March 2023
Black Arrow Cyber Threat Briefing 17 March 2023:
-Almost Half of IT Leaders Consider Security as an Afterthought
-Over $10bn Lost To Online Frauds, with Pig Butchering and Investment Scams Accounting for $3B, Overtaking BEC – FBI Report Says
-Over 721 Million Passwords Were Leaked in 2022
-How Much of a Cyber Security Risk are Suppliers?
-90% of £5m+ Businesses Hit by Cyber Attacks
-Rushed Cloud Migrations Result in Escalating Technical Debt
-17 European Nations Targeted by Russia in 2023 as Espionage Ramping Up
-Microsoft Warns of Large-Scale Use of Phishing Kits
-BEC Volumes Double on Phishing Surge
-The Risk of Pasting Confidential Company Data in ChatGPT
-Ransomware Attacks have Entered a New Phase
-MI5 Launches New Agency to Tackle State-Backed Attacks
-Why Cyber Awareness Training is an Ongoing Process
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
Almost Half of IT Leaders Consider Security as an Afterthought
A recent industry report found that security is an afterthought for almost half of UK IT leaders, despite 92% of respondents agreeing that security risks had risen in the last five years. Additionally, 48% of respondents felt that the rapid development of new tools had caused challenges around security. The concept of security as an afterthought is worrying when considering that 39% of UK businesses identified a cyber attack within the past 12 months.
Over $10bn Lost to Online Frauds, with Pig Butchering and Investment Scams Accounting for $3B, Overtaking BEC – FBI Report Says
According to the latest FBI crime report pig butchering now accounts for $3 billion of the $10 billion total lost to online fraud. Pig butchering is a rising investment scam that uses the promise of romance and the lure of making easy cryptocurrency profit against its unsuspecting targets. The concept of pig butchering is to “fatten up” the victim, with small returns on cryptocurrency and personal interactions, often with an element of romance; eventually, the victim is lured into making a larger investment with the scammer. In addition to pig butchering, other investment scams are growing in provenance and are set to overtake Business Email Compromise (BEC) as a major earner for cyber criminals.
Over 721 Million Passwords were Leaked in 2022
A report published this week discovered 721.5 million exposed credentials online in 2022. Additionally, the report identified 72% of users reusing previously compromised passwords. The study also uncovered 8.6 billion personally identifiable information assets, including 67 million credit card numbers which were publicly available.
https://www.neowin.net/news/study-over-721-million-passwords-were-leaked-in-2022/
How Much of a Cyber Security Risk are Suppliers?
When your business is digitally connected to a service provider, you need to understand how a cyber security attack on their business can affect yours. You can have all the right measures in place to manage your own cyber risks, but this doesn’t matter if there are undiscovered vulnerabilities in your supply chain. Organisations need to audit the cyber security of suppliers at several stages of their relationship; you may benefit from specialist cyber security support if you can’t do this in-house. Ask hard questions and consider advising your suppliers that if their cyber security is not enough then you may take your business elsewhere. Many businesses now require suppliers to be certified to schemes such as ISO 27001; demonstrating your security posture to your customers is an important ticket to trade.
https://www.thetimes.co.uk/article/how-much-of-a-cybersecurity-risk-are-my-suppliers-mqbwcf7p2
90% of £5m+ Businesses Hit by Cyber Attacks
A study from Forbes found that 57% of small and medium-sized enterprises had suffered an online attack. Businesses with an annual turnover in excess of £5 million were even more likely to experience a cyber crime with the figure rising to nearly 90% of firms of this size suffering a cyber attack. To make matters worse, the study found that a significant proportion of British businesses are without any form of protection against online attacks.
https://www.itsecurityguru.org/2023/03/13/nine-in-10-5m-businesses-hit-by-cyber-attacks/
Rushed Cloud Migrations Result in Escalating Technical Debt
A cloud service provider found 83% of CIO’s are feeling pressured to stretch their budgets even further than before. 72% of CIOs admitted that they are behind in their digital transformation because of technical debt and 38% believed the accumulation of this debt is largely because of rushed cloud migrations. Respondents believed these rushed migrations caused for miscalculations in the cloud budget, which resulted in significant overspend.
https://www.helpnetsecurity.com/2023/03/16/managing-cloud-costs/
Microsoft: 17 European Nations Targeted by Russia in 2023 as Espionage Ramping Up
According to an intelligence report from Microsoft, Russia has been ramping up its cyber espionage operations and this now includes 17 European nations. Of all 74 countries targeted, the UK ranked third, after the US and Poland.
Microsoft Warns of Large-Scale Use of Phishing Kits
Microsoft have found that phishing kits are being purchased and used to perform millions of phishing emails every day. In their report, Microsoft found the availability of purchasing such phishing kits was part of the industrialisation of the cyber criminal economy and lowered the barrier of entry for cyber crime. Microsoft identified phishing kits which had the capability to bypass multi factor authentication selling for as little as $300. The emergence of AI is only going to compound this.
https://thehackernews.com/2023/03/microsoft-warns-of-large-scale-use-of.html
BEC Volumes Double on Phishing Surge
The number of Business Email Compromise (BEC) incidents doubled last year according to security provider Secureworks. In their report, they found that the main initial access vectors for BEC were phishing and systems with known vulnerabilities, with each accounting for a third of initial accesses.
https://www.infosecurity-magazine.com/news/bec-volumes-double-on-phishing/
The Risk of Pasting Confidential Company Data in ChatGPT
Researchers analysed the use of artificial intelligence tool ChatGPT and found that 4.9% of employees have provided company data to the tool; ChatGPT builds its knowledge on this and in turn, this knowledge is shared publicly. The risk is serious, with employees putting their organisation at risk of leaking sensitive and confidential information. The research found that 0.9% of employees are responsible for 80% of leaks caused by pasting company data into ChatGPT and this number is expected to rise.
https://securityaffairs.com/143394/security/company-data-chatgpt-risks.html
Ransomware Attacks have Entered a Heinous New Phase
With an increasing amount of victims refusing to pay, cyber criminal gangs are now resorting to new techniques; this includes the recent release of stolen naked photos of cancer patients and sensitive student records. Where encryption and a demand for payment were previously the de facto method for cyber criminals, this has now shifted to pure exfiltration. In a report, the FBI highlighted evolving and increasingly aggressive extortion behaviour, with actors increasingly threatening to release stolen data.
https://www.wired.com/story/ransomware-tactics-cancer-photos-student-records/
MI5 Launches New Agency to Tackle State-Backed Attacks
British intelligence agency MI5 have announced the creation of the National Protective Security Authority (NPSA), created as part of a major review of government defences. The NPSA is to operate out of MI5 and absorb and extend the responsibilities for the protection of national infrastructure. The NPSA will work with existing agencies such as the National Cyber Security Centre (NCSC) and the Counter Terrorism Security Office (CTSO) to provide defensive advice to UK organisations.
https://www.infosecurity-magazine.com/news/mi5-new-agency-tackle-statebacked/
Why Cyber Awareness Training is an Ongoing Process
A survey conducted by Hornetsecurity found that 80% of respondents believed remote working introduced extra cyber security risks and 75% were aware that personal devices are used to access sensitive data, fuelling the need for employees to be cyber aware. Where IT security training is only undertaken once, for example in block training, it is likely that participants will have forgotten a lot of the content after as little as a week; this means that for organisations to get the most out of training, they need to conduct frequent awareness training. By conducting frequent training there is more chance of trainees retaining the training content and allowing the organisation to shape a culture of cyber security.
Threats
Ransomware, Extortion and Destructive Attacks
BianLian Ransomware Pivots From Encryption to Pure Data-Theft Extortion (darkreading.com)
Rise of Ransomware Attacks Main Focus for SOCs, research finds - IT Security Guru
FBI: Ransomware hit 860 critical infrastructure orgs in 2022 (bleepingcomputer.com)
Microsoft fixes Windows zero-day exploited in ransomware attacks (bleepingcomputer.com)
Clop ransomware gang begins extorting GoAnywhere zero-day victims (bleepingcomputer.com)
Staples-owned Essendant facing multi-day "outage," orders frozen (bleepingcomputer.com)
CISA now warns critical infrastructure of ransomware-vulnerable devices (bleepingcomputer.com)
Dissecting the malicious arsenal of the Makop ransomware gang- - Security Affairs
Blackbaud agrees to pay $3m to settle SEC ransomware probe • The Register
Ransomware Gang Claims It Hacked Amazon's Ring (gizmodo.com)
5 Reasons MSSP Clients Need Strong AppSec Strategies to Thwart Ransomware - MSSP Alert
Dish customers kept in the dark as ransomware fallout continues | TechCrunch
Cancer patient sues hospital over stolen naked photos • The Register
ChipMixer platform seized for laundering ransomware payments, drug sales (bleepingcomputer.com)
Kaspersky Updates Decryption Tool for Conti Ransomware - MSSP Alert
Conti-based ransomware ‘MeowCorp’ gets free decryptor (bleepingcomputer.com)
Universities and colleges cope silently with ransomware attacks | CSO Online
Phishing & Email Based Attacks
Software for sale is fueling a torrent of phishing attacks that bypass MFA | Ars Technica
Cyber criminals Devising More Tactics For Phishing Attacks (informationsecuritybuzz.com)
6 reasons why your anti-phishing strategy isn’t working | CSO Online
Cyberthreat On New Email By Exotic Lily (informationsecuritybuzz.com)
Botnet that knows your name and quotes your email is back with new tricks | Ars Technica
Analysts Spot a Wave of SVB-Related Cyber Fraud Striking the Business Sector (darkreading.com)
How two-step phishing attacks evade detection and what you can do about it - Help Net Security
BEC – Business Email Compromise
Pig Butchering & Investment Scams: The $3B Cyber crime Threat Overtaking BEC (darkreading.com)
Organizations need to re-examine their approach to BEC protection - Help Net Security
BEC Volumes Double on Phishing Surge - Infosecurity Magazine (infosecurity-magazine.com)
2FA/MFA
Outlook app to get built-in Microsoft 365 MFA on Android, iOS (bleepingcomputer.com)
Software for sale is fuelling a torrent of phishing attacks that bypass MFA | Ars Technica
Malware
Microsoft OneNote to get enhanced security after recent malware abuse (bleepingcomputer.com)
New Version of Prometei Botnet Infects Over 10,000 Systems Worldwide (thehackernews.com)
Malware Targets People Looking to Pirate Oscar-Nominated Films (darkreading.com)
Law enforcement seized the website selling the NetWire RAT- - Security Affairs
BATLOADER Malware Uses Google Ads to Deliver Vidar Stealer and Ursnif Payloads (thehackernews.com)
Warning: AI-generated YouTube Video Tutorials Spreading Infostealer Malware (thehackernews.com)
Emotet attempts to sell access after infiltrating high-value networks | SC Media (scmagazine.com)
Emotet, QSnatch Malware Dominate Malicious DNS Traffic (darkreading.com)
Winter Vivern APT hackers use fake antivirus scans to install malware (bleepingcomputer.com)
Chinese and Russian Hackers Using SILKLOADER Malware to Evade Detection (thehackernews.com)
New malware sample of defunct TeamTNT threat group raises concerns | SC Media (scmagazine.com)
Adobe Acrobat Sign abused to push Redline info-stealing malware (bleepingcomputer.com)
Mobile
Xenomorph Android malware now steals data from 400 banks (bleepingcomputer.com)
GoatRAT Android Banking Trojan Targets Mobile Automated Payment System (darkreading.com)
WhatsApp Tells UK Government It’s Still Not Willing To Undermine Its Encryption | Techdirt
Convincing Twitter 'quote tweet' phone scam targets bank customers (bleepingcomputer.com)
Google Warns Samsung and Pixel Phone Owners About 18 Dire Exploits - CNET
FakeCalls Android malware returns with new ways to hide on phones (bleepingcomputer.com)
Botnets
New Version of Prometei Botnet Infects Over 10,000 Systems Worldwide (thehackernews.com)
Botnet that knows your name and quotes your email is back with new tricks | Ars Technica
Denial of Service/DoS/DDOS
Internet of Things – IoT
Researchers Uncover Over a Dozen Security Flaws in Akuvox E11 Smart Intercom (thehackernews.com)
Tesla App Lets Man Accidentally Steal Model 3 That Wasn't His (gizmodo.com)
Data Breaches/Leaks
Negative Impacts of Data Loss and How to Avoid Them - MSSP Alert
Mental health provider Cerebral alerts 3.1M people of data breach (bleepingcomputer.com)
BMW exposes data of clients in Italy, experts warn- - Security Affairs
Acronis states that only one customer's account was compromised- - Security Affairs
Security giant Rubrik says hackers used Fortra zero-day to steal internal data | TechCrunch
LA Housing Authority Suffers Year-Long Breach - Infosecurity Magazine (infosecurity-magazine.com)
Hacker selling data allegedly stolen in US Marshals Service hack (bleepingcomputer.com)
Organised Crime & Criminal Actors
Cyber crime Losses Exceeded $10 Billion in 2022: FBI - SecurityWeek
Nine In 10 £5m+ Businesses Hit By Cyber Attacks - IT Security Guru
CISA: Federal civilian agency hacked by nation-state and criminal hacking groups | CyberScoop
Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain
FBI Warns of Crypto-Stealing Play-to-Earn Games - Infosecurity Magazine (infosecurity-magazine.com)
Massive vulnerabilities revealed at Dogecoin, Litecoin, Zcash | Fortune Crypto
UK Crypto Firm Loses $200m in Cyber-Attack - Infosecurity Magazine (infosecurity-magazine.com)
One of the darkweb’s largest cryptocurrency laundromats washed out | Europol (europa.eu)
UK Bank Limits Crypto Payments to Smother Fraud - Infosecurity Magazine (infosecurity-magazine.com)
CrowdStrike discovered the first-ever Dero crypto mining campaign- - Security Affairs
Claim: FTX leaders helped themselves to $3.2B in cash • The Register
Feds charge exiled Chinese billionaire over crypto fraud • The Register
Insider Risk and Insider Threats
Fraud, Scams & Financial Crime
Cyber crime Losses Exceeded $10 Billion in 2022: FBI - SecurityWeek
Nine In 10 £5m+ Businesses Hit By Cyber Attacks - IT Security Guru
ChatGPT fraud is on the rise: Here's what to watch out for | ZDNET
Analysts Spot a Wave of SVB-Related Cyber Fraud Striking the Business Sector (darkreading.com)
The SVB demise is a fraudster's paradise, so take precautions - Help Net Security
Fighting financial fraud through fusion centers - Help Net Security
UK Crypto Firm Loses $200m in Cyber-Attack - Infosecurity Magazine (infosecurity-magazine.com)
UK Bank Limits Crypto Payments to Smother Fraud - Infosecurity Magazine (infosecurity-magazine.com)
Convincing Twitter 'quote tweet' phone scam targets bank customers (bleepingcomputer.com)
Claim: FTX leaders helped themselves to $3.2B in cash • The Register
Feds charge exiled Chinese billionaire over crypto fraud • The Register
Impersonation Attacks
Deepfakes
AML/CFT/Sanctions
One of the darkweb’s largest cryptocurrency laundromats washed out | Europol (europa.eu)
Russia’s Cyber security Companies Shrug Off Sanctions - CEPA
Dark Web
Supply Chain and Third Parties
Top 10 operational risks: focus on third-party risk - Risk.net
How much of a cyber security risk are my suppliers? (thetimes.co.uk)
Software Supply Chain
We can't wait for SBOMs to be demanded by regulation - Help Net Security
Best practices for securing the software application supply chain - Help Net Security
Cloud/SaaS
Rushed cloud migrations result in escalating technical debt - Help Net Security
CrowdStrike report shows identities under siege, cloud data theft up | VentureBeat
How to Apply NIST Principles to SaaS in 2023 (thehackernews.com)
Hybrid/Remote Working
Attack Surface Management
Identity and Access Management
Access Control Gap in Microsoft Active Directory Widens Enterprise Attack Surface (darkreading.com)
Navigating the future of digital identity - Help Net Security
Encryption
Google Proposes Reducing TLS Cert Life Span to 90 Days (darkreading.com)
WhatsApp Tells UK Government It’s Still Not Willing To Undermine Its Encryption | Techdirt
Passwords, Credential Stuffing & Brute Force Attacks
Poor Passwords Still Weakest Link Hackers Seek, Report Reveals - MSSP Alert
Study: Over 721 million passwords were leaked in 2022 - Neowin
Social Media
UK bans TikTok from government mobile phones | TikTok | The Guardian
Convincing Twitter 'quote tweet' phone scam targets bank customers (bleepingcomputer.com)
Malvertising
Training, Education and Awareness
Regulations, Fines and Legislation
WhatsApp Tells UK Government It’s Still Not Willing To Undermine Its Encryption | Techdirt
The US cyber security strategy won’t address today’s threats with regulation alone | CyberScoop
Governance, Risk and Compliance
Make Sure Your Cyber security Budget Stays Flexible (darkreading.com)
Getting cyber security right requires a change of mindset | The Strategist (aspistrategist.org.au)
6 principles for building engaged security governance | TechTarget
Models, Frameworks and Standards
How to Apply NIST Principles to SaaS in 2023 (thehackernews.com)
Meet Data Privacy Mandates With Cyber security Frameworks (darkreading.com)
Data Protection
Law Enforcement Action and Take Downs
International authorities bring NetWire's malware infrastructure to a standstill | TechSpot
One of the darkweb’s largest cryptocurrency laundromats washed out | Europol (europa.eu)
Privacy, Surveillance and Mass Monitoring
German states rethink reliance on Palantir technology | Financial Times (ft.com)
Consumers Believe Vendors Don't Adequately Protect Their Personal Data, Report Finds - MSSP Alert
Meet Data Privacy Mandates With Cyber security Frameworks (darkreading.com)
Artificial Intelligence
Warning: AI-generated YouTube Video Tutorials Spreading Infostealer Malware (thehackernews.com)
ChatGPT and the Growing Threat of Bring Your Own AI to the SOC - SecurityWeek
How Businesses Can Get Ready for AI-Powered Security Threats (darkreading.com)
UK spy agency warns of security threat from ChatGPT and rival chatbots | Metro News
Why red team exercises for AI should be on a CISO's radar | CSO Online
GPT-4 Can’t Stop Helping Hackers Make Cyber criminal Tools (forbes.com)
Misinformation, Disinformation and Propaganda
Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine
Microsoft: Russian hackers may be readying new wave of destructive attacks | CyberScoop
UK bans TikTok from government mobile phones | TikTok | The Guardian
Microsoft: 17 European Nations Targeted by Russia in 2023 as Espionage Ramping Up - SecurityWeek
Russians told to rush to nuclear bomb shelters after hackers take over state media (telegraph.co.uk)
Remcos Trojan Linked to Cyber Espionage Operations Against Ukrainian Government - MSSP Alert
YoroTrooper cyber spies target CIS energy orgs, EU embassies (bleepingcomputer.com)
China sought control of telecoms to spy on Micronesia • The Register
Russia disinformation looks to US far right to weaken Ukraine support | Russia | The Guardian
This Is the New Leader of Russia's Infamous Sandworm Hacking Unit | WIRED
Russia’s Cyber security Companies Shrug Off Sanctions - CEPA
Polish intelligence dismantled a network of Russian spies- Security Affairs
Microsoft sheds light on a year of Russian hybrid warfare in Ukraine- Security Affairs
Wave of Stealthy China Cyber attacks Hits US., Private Networks, Google Says - WSJ
Russian hackers plotting another cyber attack against Ukraine - Microsoft (ukrinform.net)
Here's how Chinese spies exploited a critical Fortinet bug • The Register
Nation State Actors
UK bans TikTok from government mobile phones | TikTok | The Guardian
North Korean hackers used polished LinkedIn profiles to target security researchers | CyberScoop
A new Chinese era: security and control | Financial Times (ft.com)
Russians told to rush to nuclear bomb shelters after hackers take over state media (telegraph.co.uk)
Attacks on SonicWall appliances linked to Chinese campaign: Mandiant | CSO Online
Remcos Trojan Linked to Cyber Espionage Operations Against Ukrainian Government - MSSP Alert
Microsoft fixes Outlook zero-day used by Russian hackers since April 2022 (bleepingcomputer.com)
China sought control of telecoms to spy on Micronesia • The Register
CISA: Federal civilian agency hacked by nation-state and criminal hacking groups | CyberScoop
APT29 abuses EU information exchange systems in recent attacks- Security Affairs
Chinese and Russian Hackers Using SILKLOADER Malware to Evade Detection (thehackernews.com)
Russia disinformation looks to US far right to weaken Ukraine support | Russia | The Guardian
This Is the New Leader of Russia's Infamous Sandworm Hacking Unit | WIRED
Russia’s Cyber security Companies Shrug Off Sanctions - CEPA
Microsoft sheds light on a year of Russian hybrid warfare in Ukraine- Security Affairs
Wave of Stealthy China Cyber attacks Hits US., Private Networks, Google Says - WSJ
Russian hackers plotting another cyber attack against Ukraine - Microsoft (ukrinform.net)
Here's how Chinese spies exploited a critical Fortinet bug • The Register
Vulnerabilities
Critical Microsoft Outlook/365 bug CVE-2023-23397 under attack (thestack.technology)
Critical Microsoft Outlook bug PoC shows how easy it is to exploit (bleepingcomputer.com)
Microsoft fixes Outlook zero-day used by Russian hackers since April 2022 (bleepingcomputer.com)
Microsoft and Fortinet fix bugs under active exploit • The Register
CISA warns of actively exploited Plex bug after LastPass breach (bleepingcomputer.com)
Cisco fixed CVE-2023-20049 DoS flaw affecting enterprise routers- Security Affairs
Massive vulnerabilities revealed at Dogecoin, Litecoin, Zcash | Fortune Crypto
SAP releases security updates fixing five critical vulnerabilities (bleepingcomputer.com)
Adobe Warns of ‘Very Limited Attacks’ Exploiting ColdFusion Zero-Day - SecurityWeek
Microsoft fixes Windows zero-day exploited in ransomware attacks (bleepingcomputer.com)
Microsoft March 2023 Patch Tuesday fixes 2 zero-days, 83 flaws (bleepingcomputer.com)
Firefox 111 patches 11 holes, but not 1 zero-day among them… – Naked Security (sophos.com)
Microsoft Pins Outlook Zero-Day Attacks on Russian Actor, Offers Detection Script - SecurityWeek
Cyber attackers Continue Assault Against Fortinet Devices (darkreading.com)
Security firm Rubrik is latest to be felled by GoAnywhere vulnerability | Ars Technica
Google Warns Samsung and Pixel Phone Owners About 18 Dire Exploits - CNET
Microsoft shares script to fix WinRE BitLocker bypass flaw (bleepingcomputer.com)
Here's how Chinese spies exploited a critical Fortinet bug • The Register
Tools and Controls
Make Sure Your Cyber security Budget Stays Flexible (darkreading.com)
What Is a Stateful Inspection Firewall? Ultimate Guide (enterprisestorageforum.com)
Set up PowerShell script block logging for added security | TechTarget
Brazil seizing Flipper Zero shipments to prevent use in crime (bleepingcomputer.com)
Outlook app to get built-in Microsoft 365 MFA on Android, iOS (bleepingcomputer.com)
5 Reasons MSSP Clients Need Strong AppSec Strategies to Thwart Ransomware - MSSP Alert
5 Steps to Effective Cloud Detection and Response - The New Stack
Virtual patching: Cut time to patch from 250 days to (helpnetsecurity.com)
ChatGPT may be a bigger cyber security risk than an actual benefit (bleepingcomputer.com)
Change Is Coming to the Network Detection and Response (NDR) Market (darkreading.com)
Rise of Ransomware Attacks Main Focus for SOCs, research finds - IT Security Guru
Sector Specific
Industry specific threat intelligence reports are available.
Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.
· Automotive
· Construction
· Critical National Infrastructure (CNI)
· Defence & Space
· Education & Academia
· Energy & Utilities
· Estate Agencies
· Financial Services
· FinTech
· Food & Agriculture
· Gaming & Gambling
· Government & Public Sector (including Law Enforcement)
· Health/Medical/Pharma
· Hotels & Hospitality
· Insurance
· Legal
· Manufacturing
· Maritime
· Oil, Gas & Mining
· OT, ICS, IIoT, SCADA & Cyber-Physical Systems
· Retail & eCommerce
· Small and Medium Sized Businesses (SMBs)
· Startups
· Telecoms
· Third Sector & Charities
· Transport & Aviation
· Web3
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Advisory 07/09/2022 – Phishing-as-a-Service Platform that bypasses MFA lets all hackers use advanced phishing tactics (Updated 25/11/2022)
Black Arrow Cyber Advisory 07/09/2022 – Phishing-as-a-Service Platform that bypasses MFA lets all hackers use advanced phishing tactics
Update: 25/11/2022: There has been a number of sources that have noted a steady increase in these attacks.
Executive Summary
EvilProxy, a Phishing-as-a-Service (PaaS) platform allows low-skill malicious actors to bypass Multi-Factor Authentication from multiple different service providers, using techniques similar to those outlined in the previous cyber advisory on 19/07/2022, where Microsoft detected a new phishing campaign that had the potential to bypass MFA if additional controls were not in place. Malicious actors can pay for the service via a subscription model that allows them to setup and manage phishing campaigns in a similar fashion to phishing simulation training.
What’s the risk to me or my business?
As advanced phishing techniques become available to low-skill threat actors, it is expected that there will be an increase in phishing campaigns going forward. These particular campaigns are more dangerous as they have the potential to bypass security controls such as Multi-Factor Authentication.
What can I do?
Continue to follow the advice issued with the previous threat alert: Black Arrow Cyber Advisory 19/07/2022 – Microsoft identifies Phishing campaign which can bypass MFA. As this platform can be used against different services including Apple and Google, it is important to have these controls in place across the business estate where possible.
A full breakdown of this particular phishing platform is available here: New EvilProxy service lets all hackers use advanced phishing tactics (bleepingcomputer.com)
Update: Microsoft Detection and Response Team (DART) has provided an updated blog post on how these attacks have increased and evolved over time, with the focus being on stealing cookies in comparison to stealing credentials. Recommended protections include management and oversight on end user devices to ensure that they are kept up to date with patches and anti-virus definitions, reducing the lifetime of authenticated sessions and the implementation of Conditional Access application control. Further information can be found here: Token tactics: How to prevent, detect, and respond to cloud token theft - Microsoft Security Blog
Need help understanding your gaps, or just want some advice? Get in touch with us.
Black Arrow Cyber Threat Briefing 19 August 2022
Black Arrow Cyber Threat Briefing 19 August 2022:
-Businesses Found to Neglect Cyber Security Until it is Too Late
-Cyber Tops Staff Retention as Biggest Business Risk
-Cyber Criminals Weaponising Ransomware Data for BEC Attacks
-Callback Phishing Attacks See Massive 625% Growth Since Q1 2021
-Credential Phishing Attacks Skyrocketing, 265 Brands Impersonated in H1 2022
-Are Cloud Environments Secure Enough for Today’s Threats?
-Most Q2 Attacks Targeted Old Microsoft Vulnerabilities
-Cyber Resiliency Isn't Just About Technology, It's About People
-The “Cyber Insurance Gap” Is Threatening Most Companies
-Easing the Cyber-Skills Crisis with Staff Augmentation
-Mailchimp Suffers Second Breach In 4 Months
-Firm Told It Can't Claim Full Cyber Crime Insurance After Social Engineering Attack
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
Businesses Found to Neglect Cyber Security Until it is Too Late
Businesses only take cyber security seriously after falling victim to an attack, according to a report published by the UK's Department for Culture, Media and Sport (DCMS) this week.
For the research, the UK government surveyed IT professionals and end users in 10 UK organisations of varying sizes that have experienced cyber security breaches in the past three years. This analysed their existing level of security prior to a breach, the business impacts of the attack and how cyber security arrangements changed in the wake of the incident.
Nearly all respondents said their organisation took cyber security much more seriously after experiencing a breach, including reviewing existing practices and significantly increased investment in technology solutions.
While there was a consensus among participants that there is a greater need for vigilance and investment in cyber security, there was significant variation between organisations’ practices in this area. Medium and large organisations tended to have formal plans in place and budget allocated for further cyber security investment, but smaller businesses mostly did not due to resource constraints.
https://www.infosecurity-magazine.com/news/cybersecurity-seriously-breach/
Cyber Tops Staff Retention as Biggest Business Risk
Cyber security concerns represent the most serious risk facing organisations, beating inflation, talent acquisition/retention and rising production costs, according to a new PwC study.
The PwC Pulse: Managing business risks in 2022 report was compiled from interviews with 722 US C-suite executives.
Two-fifths (40%) ranked cyber-attacks as a serious risk, rising to 51% of board members. PwC said boardrooms may be getting more attuned to cyber risk after new SEC proposals were published in March that would require directors to oversee cyber security risk and be more transparent about their cyber expertise.
In fact, executives appear to be getting more proactive with cyber security on a number of fronts.
Some 84% said they are taking action or monitoring closely policy areas related to cyber security, privacy and data protection. A further 79% said they’re revising or enhancing their cyber risk management approaches, and half (49%) pointed to increased investments in cyber security and privacy.
By way of comparison, 53% said they’re increasing investment in digital transformation and 52% in IT.
Cyber security is a strategic business enabler – technology is the central nervous system of many companies – and confirming its data is secure and protected can be brand defining.
There’s now heightened attention from a wider range of business leaders and corporate directors as they recognise that cyber security and data privacy should be part of not only a risk management strategy, but also a broader corporate strategy. C-suite and boards are actively taking steps to better understand the global threat landscape, confirm a foundational cyber security program is in place, and manage these risks to create opportunities.
https://www.infosecurity-magazine.com/news/cyber-tops-staff-retention-biggest/
Cyber Criminals Weaponising Ransomware Data for BEC Attacks
Cyber criminals and other threat actors are increasingly using data dumped from ransomware attacks in secondary business email compromise (BEC) attacks, according to new analysis by Accenture Cyber Threat Intelligence.
The ACTI team analysed data from the 20 most active ransomware leak sites, measured by number of featured victims, between July 2021 and July 2022. Of the 4,026 victims (corporate, non-governmental organisations, and governmental entities) uncovered on various ransomware groups’ dedicated leak sites, an estimated 91% incurred subsequent data disclosures, ACTI found.
Dedicated leak sites most commonly provide financial data, followed by employee and client personally identifiable information and communication documentation. The rise of double extortion attempts – where attack groups use ransomware to exfiltrate data and then publicise the data on dedicated leak sites – has made large amounts of sensitive corporate data available to any threat actor. The most valuable types of data most useful for conducting BEC attacks are financial, employee, and communication data, as well as operational documents. There is a significant overlap between the types of data most useful for conducting BEC attacks and the types of data most commonly posted on these ransomware leak sites, ACTI said.
The data is a “rich source for information for criminals who can easily weaponise it for secondary BEC attacks,” ACTI said. “The primary factor driving an increased threat of BEC and VEC attacks stemming from double-extortion leaks is the availability of [corporate and communication data].”
Callback Phishing Attacks See Massive 625% Growth Since Q1 2021
Hackers are increasingly moving towards hybrid forms of phishing attacks that combine email and voice social engineering calls as a way to breach corporate networks for ransomware and data extortion attacks.
According to Agari's Q2 2022 cyber-intelligence report, phishing volumes have only increased by 6% compared to Q1 2022. However, the use of 'hybrid vishing' is seeing a massive 625% growth.
Vishing, "voice phishing," involves some form of a phone call to perform social engineering on the victim. Its hybrid form, called "callback phishing," also includes an email before the call, typically presenting the victim with a fake subscription/invoice notice.
The recipient is advised to call on the provided phone number to resolve any issues with the charge, but instead of a real customer support agent, the call is answered by phishing actors.
The scammers then offer to resolve the presented problem by tricking the victim into disclosing sensitive information or installing remote desktop tools on their system. The threat actors then connect to the victim's device remotely to install further backdoors or spread to other machines.
These callback phishing attacks were first introduced by the 'BazarCall/BazaCall' campaigns that appeared in March 2021 to gain initial access to corporate networks for ransomware attacks.
The attacks work so well that multiple ransomware and extortion gangs, such as Quantum, Zeon, and Silent Ransom Group, have adopted the same technique today to gain initial network access through an unsuspecting employee.
"Hybrid Vishing attacks reached a six-quarter high in Q2, increasing 625% from Q1 2021. This threat type also contributed to 24.6% of the overall share of Response-Based threats," details the Agari report.
"While this is the second quarter hybrid vishing attacks have declined in share due to the overall increase of response-based threats, vishing volume has steadily increased in count over the course of the year."
Credential Phishing Attacks Skyrocketing, 265 Brands Impersonated in H1 2022
Abnormal Security released a report which explores the current email threat landscape and provides insight into the latest advanced email attack trends, including increases in business email compromise, the evolution of financial supply chain compromise, and the rise of brand impersonation in credential phishing attacks.
The research found a 48% increase in email attacks over the previous six months, and 68.5% of those attacks included a credential phishing link. In addition to posing as internal employees and executives, cyber criminals impersonated well-known brands in 15% of phishing emails, relying on the brands’ familiarity and reputation to convince employees to provide their login credentials. Most common among the 265 brands impersonated in these attacks were social networks and Microsoft products.
“The vast majority of cyber crime today is successful because it exploits the people behind the keyboard,” said Crane Hassold, director of threat intelligence at Abnormal Security.
“By compromising people rather than networks, it’s easier for attackers to circumvent conventional security measures. This is especially true with brand impersonation, where attackers use urgency and fear to encourage their targets to provide usernames and passwords.”
LinkedIn took the top spot for brand impersonation, but Outlook, OneDrive and Microsoft 365 appeared in 20% of all attacks. What makes these attacks particularly dangerous is that phishing emails are often the first step to compromising employee email accounts. Acquiring Microsoft credentials enables cyber criminals to access the full suite of connected products, allowing them to view sensitive data and use the account to send business email compromise attacks.
https://www.helpnetsecurity.com/2022/08/15/landscape-email-threat/
Are Cloud Environments Secure Enough for Today’s Threats?
Cyber security is a major problem right now. Not only is it the highest priority of any given business to keep their own data and their customers’ and clients’ data secure, but changes in the workplace have had a knock-on effect on cyber security. The concept of working from home has forced businesses all around the world to address old and new cyber security threats. People taking their laptops, and therefore their data, home to public networks that can be hacked or leaving access details like passwords scribbled on notebooks has meant that access to a business and therefore their customers’ data is a lot more accessible.
The saving grace was said to be the cloud. Beyond retraining cyber security in staff workforces, the practical solution was to move data into the cloud. But we’re now a few years from the point when the cloud really gained popularity. Is it still the answer to all our cyber security problems? Is there a chance of risk to using the cloud?
Cloud data breaches do happen and misconfiguration is a leading cause of them, mainly due to businesses inadequate cyber security strategies. This is due to several factors, such as the fundamental nature of the cloud designed to be easy for anyone to access, and businesses unable to completely see or control the cloud’s infrastructure and therefore relying on the cyber security controls that are provided by the cloud service provider (or CSP).
Unauthorised access is also a risk. The internet, which is a readily available public resource to most of the world, makes it easy for hackers to access data if they have the credentials to get past the cyber security set up by the individual business. This is where the ugliness of internal cloud breaches happens. If security is not configured well or credentials like passwords and secret questions are compromised, an attacker can easily access the cloud.
However, it’s not only through an employee that hackers access credentials. Phishing is a very common means of gaining information that would allow access to a customer or business data.
Plus, the simple nature of sharing data can easily backfire on a company. A lot of data access is granted with a link to someone external, which can then be forwarded, either sold or stolen, to an attacker to access the cloud’s data.
https://www.itsecurityguru.org/2022/08/16/are-cloud-environments-secure-enough-for-todays-threats/
Most Q2 Attacks Targeted Old Microsoft Vulnerabilities
Attacks targeting a remote code execution vulnerability in Microsoft's MSHTML browser engine — which was patched last September — soared during the second quarter of this year, according to a Kaspersky analysis.
Researchers from Kaspersky counted at least 4,886 attacks targeting the flaw (CVE-2021-40444) last quarter, an eightfold increase over the first quarter of 2022. The security vendor attributed the continued adversary interest in the vulnerability to the ease with which it can be exploited.
Kaspersky said it has observed threat actors exploiting the flaw in attacks on organisations across multiple sectors including the energy and industrial sectors, research and development, IT companies, and financial and medical technology firms. In many of these attacks, the adversaries have used social engineering tricks to try and get victims to open specially crafted Office documents that would then download and execute a malicious script. The flaw was under active attack at the time Microsoft first disclosed it in September 2021.
Attacks targeting a remote code execution vulnerability in Microsoft's MSHTML browser engine — which was patched last September — soared during the second quarter of this year, according to a Kaspersky analysis. Researchers from Kaspersky counted at least 4,886 attacks targeting the flaw last quarter, an eightfold increase over the first quarter of 2022. The security vendor attributed the continued adversary interest in the vulnerability to the ease with which it can be exploited. According to Kaspersky, exploits for Windows vulnerabilities accounted for 82% of all exploits across all platforms during the second quarter of 2022. While attacks on the MSHTML vulnerability increased the most dramatically, it was by no means the most exploited flaw, which was a remote code execution vulnerability in Microsoft Office that was disclosed and patched four years ago that was attacked some 345,827 times last quarter.
Cyber Resiliency Isn't Just About Technology, It's About People
Cyber attacks are on the rise — but if we're being honest, that statement has been true for quite a while, given the acceleration of cyber incidents over the past several years. Recent research indicates that organisations experienced 50% more attack attempts per week on corporate networks in 2021 than they did in 2020, and tactics such as phishing are becoming increasingly popular as attackers refine their tried-and-true methods to more successfully entice unsuspecting targets.
It's no surprise, then, that cyber resiliency has been a hot topic in the cyber security world. But although cyber resiliency refers broadly to the ability of an organisation to anticipate, withstand, and recover from cyber security incidents, many experts make the mistake of applying the term specifically to technology. And while it's true that detection and remediation tools, backup systems, and other resources play an important role in cyber resiliency, organisations that focus exclusively on technology risk are overlooking an equally important element: people.
People are often thought of as the weak link in cyber security. It's easy to understand why. People fall for phishing scams. They use weak passwords and procrastinate on installing security updates. They misconfigure hardware and software, leave cloud assets unsecured, and send confidential files to the wrong recipient. There's a reason so much cyber security technology is moving toward automation: removing people from the equation is seen as one of the most obvious ways to improve security. To many security experts, that's just common sense.
Except — is it, really? It's true that people make mistakes — it's called "human error" for a reason, after all — but many of those mistakes come when employees aren't put in a position to succeed. Phishing is a great example. Most people are familiar with the concept of phishing, but many may not be aware of the nefarious techniques that today's attackers deploy. If employees have not been properly trained, they may not be aware that attackers often impersonate real people within the organisation, or that the CEO asking them to buy gift cards "for a company happy hour" probably isn't legit. Organisations that want to build strong cyber-resiliency cannot pretend that people don't exist. Instead, they need to prioritise the resiliency of their people just as highly as the resiliency of their technology.
Training the organisation to recognise the signs of common attack tactics, practice better password and cyber hygiene, and report signs of suspicious activity can help ease the burden on IT and security personnel by providing them better information in a more timely manner. It also avoids some of the pitfalls that create a drain on their time and resources. By ensuring that people at every level of the business are more resilient, today's organisations will discover that their overall cyber-resiliency will improve significantly.
The “Cyber Insurance Gap” Is Threatening Most Companies
A new study by BlackBerry and Corvus Insurance confirms a “cyber insurance gap” is growing, with a majority of businesses either uninsured or under insured against a rising tide of ransomware attacks and other cyber threats.
Only 19% of all businesses surveyed have ransomware coverage limits above the median ransomware demand amount ($600,000)
Among SMBs with fewer than 1,500 employees, only 14% have a coverage limit in excess of $600,000
37% of respondents with cyber insurance do not have any coverage for ransomware payment demands
43% of those with a policy are not covered for auxiliary costs such as court fees or employee downtime
60% say they would reconsider entering into a partnership or agreement with another business or supplier if the organisation did not have comprehensive cyber insurance
Endpoint detection and response (EDR) software is frequently a key component to obtaining a policy
34% of respondents have been previously denied cyber coverage by insurance providers due to not meeting EDR eligibility requirements
Easing the Cyber-Skills Crisis with Staff Augmentation
Filling cyber security roles can be costly, slow, and chancy. More firms are working with third-party service providers to quickly procure needed expertise.
There are many possible solutions to the cyber security skills shortage, but most of them take time. Cyber security education, career development tracks, training programs, employer-sponsored academies, and internships are great ways to build a talent pipeline and develop skill sets to meet organisational needs in years to come.
But sometimes the need to fill a gap in capability is more immediate.
An organisation in the entertainment industry recently found itself in such a position. Its primary cyber security staff member quit suddenly without notice, taking along critical institutional knowledge and leaving various projects incomplete. With its key defender gone, the organisation's environment was left vulnerable. In a scarce talent market, the organisation faced a long hiring process to find a replacement — too long to leave its digital estate unattended. It needed expertise, and quickly.
According to a 2021 ESG report, 57% of organisations have been impacted by the global cyber security skills crisis. Seventy-six percent say it's difficult to recruit and hire security professionals. The biggest effects of this shortage are increasing workloads, positions open for weeks or months, and high cyber security staff burnout and attrition.
In this climate, more companies are turning to third parties for cyber security staff reinforcement. According to a NewtonX study, 56% of organisations are now subcontracting up to a quarter of their cyber security staff. Sixty-nine percent of companies rely on third-party expertise to assist in mitigating the risk of ransomware — up from 58% in 2017 — per a study by Ponemon and CBI, a Converge Company.
One way that companies gain this additional support is via third-party staff augmentation and consulting services. Cyber security staff augmentation, or strategic staffing, entails trained external consultants acting as an extension of an organisation's security team in a residency. Engagements can be anywhere from a few weeks to a few years, and roles can range from analysts and engineers to architects, compliance specialists, and virtual CISOs.
https://www.darkreading.com/operations/easing-the-cyber-skills-crisis-with-staff-augmentation
Mailchimp Suffers Second Breach In 4 Months
Mailchimp suffered another data breach earlier this month, and this one cost it a client.
In a statement Friday, Mailchimp disclosed that a security incident involving phishing and social engineering tactics had targeted cryptocurrency and blockchain companies using the email marketing platform. It was the second Mailchimp breach to target cryptocurrency customers in a four-month span.
Though Mailchimp said it has suspended accounts where suspicious activity was detected while an investigation is ongoing, it did not reveal the source of the breach or scope of the attack.
More details were provided Sunday by one of the affected customers, DigitalOcean, which cut ties with Mailchimp on Aug. 9.
The cloud hosting provider observed suspicious activity beginning Aug. 8, when threat actors used its Mailchimp account for "a small number of attempted compromises" of DigitalOcean customer accounts -- specifically cryptocurrency platforms.
While it is not clear whether any DigitalOcean accounts were compromised, the company did confirm that some email addresses were exposed. More importantly, the statement attributed a potential source of the most recent Mailchimp breach.
https://www.techtarget.com/searchsecurity/news/252523911/Mailchimp-suffers-second-breach-in-4-months
Firm Told It Can't Claim Full Cyber Crime Insurance After Social Engineering Attack
A Minnesota computer store suing its cyber insurance provider has had its case dismissed, with the courts saying it was a clear instance of social engineering, a crime for which the insurer was only liable to cover a fraction of total losses.
SJ Computers alleged in a November lawsuit that Travelers Casualty and Surety Co. owed it far more than paid on a claim for nearly $600,000 in losses due to a successful business email compromise (BEC) attack.
According to its website, SJ Computers is a Microsoft Authorised Refurbisher, reselling Dell, HP, Lenovo and Acer products, as well as providing tech services including software installs and upgrades.
Travelers, which filed a motion to dismiss, said SJ's policy clearly delineated between computer fraud and social engineering fraud. The motion was granted with prejudice last Friday.
In the dismissal order, the US District Court for Minnesota found that the two policy agreements are mutually exclusive, as well as finding SJ's claim fell squarely into its social engineering fraud agreement with Travelers, which has a cap of $100,000.
When SJ filed its claim with Travelers, the court noted, it did so only under the social engineering fraud agreement. After realising the policy limit on computer fraud was 10 times higher, "SJ Computers then made a series of arguments – ranging from creative to desperate – to try to persuade Travelers that its loss was not the result of social-engineering-fraud (as SJ Computers itself had initially said) but instead the result of computer fraud," the district judge wrote in the order.
https://www.theregister.com/2022/08/16/social_engineering_cyber_crime_insurance/
Threats
Ransomware
Ransomware Group Threatens to Leak Data Stolen From Security Firm Entrust | SecurityWeek.Com
Cisco Confirms Hack: Yanluowang Ransom Gang Claims 2.8GB Of Data (informationsecuritybuzz.com)
Ransomware is still on the rise. Here's what you need to do to stay safe from hackers | ZDNET
Russian Man Extradited to US for Laundering Ryuk Ransomware Money | SecurityWeek.Com
‘Coopetition’ a growing trend among ransomware gangs (computerweekly.com)
Hackers Attack UK Water Supplier, Sends Ransom Demand to the Wrong Company (gizmodo.com)
SOVA malware adds ransomware feature to encrypt Android devices (bleepingcomputer.com)
BlackByte ransomware v2 is out with new extortion novelties - Security Affairs
Ransomware is back, healthcare sector most targeted - Help Net Security
Why Hackers Are Now Targeting Electric Car Charging Stations (nocamels.com)
BlackByte Ransomware Gang Returns With Twitter Presence, Tiered Pricing (darkreading.com)
Ski-Doo maker BRP resumes operations following cyber attack; shares fluctuate - MarketWatch
Argentina's Judiciary of Córdoba hit by PLAY ransomware attack (bleepingcomputer.com)
BEC – Business Email Compromise
Phishing & Email Based Attacks
Response-based attacks make up 41% of all email-based scams - Help Net Security
PayPal Phishing Scam Uses Invoices Sent Via PayPal – Krebs on Security
Microsoft admits it can't stop scammers fooling you with their latest tricks | ZDNET
Other Social Engineering; SMishing, Vishing, etc
Malware
Hackers Deploy Bumblebee Loader to Breach Target Networks - Infosecurity Magazine
'DarkTortilla' Malware Wraps in Sophistication for High-Volume RAT Infections (darkreading.com)
Malicious browser extensions targeted almost 7 million people (bleepingcomputer.com)
DoNot Team Hackers Updated its Malware Toolkit with Improved Capabilities (thehackernews.com)
Whack-a-Mole: More Malicious PyPI Packages Spring Up Targeting Discord, Roblox (darkreading.com)
Mobile
SOVA Android malware now also encrypts victims' files - Security Affairs
Malware devs already bypassed Android 13's new security feature (bleepingcomputer.com)
Google releases Android 13 with improved privacy and security features - Help Net Security
Android malware apps with 2 million installs found on Google Play (bleepingcomputer.com)
Researchers Find 35 Adware Apps on Google Play - Infosecurity Magazine
Nearly 1,900 Signal Messenger Accounts Potentially Compromised in Twilio Hack (thehackernews.com)
Internet of Things – IoT
How attackers are exploiting corporate IoT - Help Net Security
Amazon fixes Ring Android app flaw exposing camera recordings (bleepingcomputer.com)
Data Breaches/Leaks
Organised Crime & Criminal Actors
Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain
With Plunge in Value, Cryptocurrency Crimes Decline in 2022 (darkreading.com)
Hardware-based threat defence against increasingly complex cryptojackers - Microsoft Security Blog
Insider Risk and Insider Threats
Ex-HP manager jailed for $5m company card shopping spree • The Register
Microsoft Employees Exposed Own Company’s Internal Logins (vice.com)
Fraud, Scams & Financial Crime
AML/CFT/Sanctions
Insurance
Organisations are losing cyber insurance as an important risk management tool - Help Net Security
For cyber insurance, some technology leads to higher premiums (techtarget.com)
New Study Reveals Serious Cyber-Insurance Shortfalls - Infosecurity Magazine
Supply Chain and Third Parties
Denial of Service DoS/DDoS
Cloud/SaaS
Organisations Struggle to Fend Off Cloud and Web Attacks - Infosecurity Magazine
Incident response in the cloud can be simple if you are prepared - Help Net Security
Passwords, Credential Stuffing & Brute Force Attacks
Credential Theft Is (Still) A Top Attack Method (thehackernews.com)
FBI Warns of Proxies and Configurations Used in Credential Stuffing Attacks | SecurityWeek.Com
Over 9,000 VNC servers exposed online without a password (bleepingcomputer.com)
Privacy
Google fined $60 million over Android location data collection (bleepingcomputer.com)
New Amazon Ring Vulnerability Could Have Exposed All Your Camera Recordings (thehackernews.com)
Period and pregnancy tracking apps have bad privacy protections, report finds - The Verge
Regulations, Fines and Legislation
Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine
5 Russia-Linked Groups Target Ukraine in Cyberwar (darkreading.com)
Russia-linked Gamaredon APT continues to target Ukraine - Security Affairs
Microsoft shuts down accounts linked to Russian spies • The Register
State-Sponsored APTs Dangle Job Opps to Lure In Spy Victims (darkreading.com)
Estonia Repels Biggest Cyber-Attack Since 2007 - Infosecurity Magazine
NHS cyber attacks hit record levels in four in five trusts after Russian invasion (telegraph.co.uk)
Nation State Actors
Nation State Actors – Russia
Microsoft disrupts Russian hackers' operation on NATO targets (bleepingcomputer.com)
Russian APT29 hackers abuse Azure services to hack Microsoft 365 users (bleepingcomputer.com)
Microsoft Disrupts Russian Group's Multiyear Cyber-Espionage Campaign (darkreading.com)
Russian hackers target Ukraine with default Word template hijacker (bleepingcomputer.com)
Estonia says it repelled major cyber attack after removing Soviet monuments | Reuters
Nation State Actors – China
Western companies wake up to China risk | Financial Times (ft.com)
China-backed APT41 Hackers Targeted 13 Organisations Worldwide Last Year (thehackernews.com)
China-linked RedAlpha behind multi-year credential theft campaign - Security Affairs
Chinese Cyberspy Group 'RedAlpha' Targeting Governments, Humanitarian Entities | SecurityWeek.Com
China's APT41 Embraces Baffling Approach for Dropping Cobalt Strike Payload (darkreading.com)
Chinese takeover of tech company blocked over security fears (telegraph.co.uk)
3 ways China's access to TikTok data is a security risk | CSO Online
Montana flagged bugs in cow app exploited in alleged China hack | Business and Economy | Al Jazeera
APT41 group: 4 malicious campaigns, 13 victims, new tools and techniques - Help Net Security
Nation State Actors – North Korea
Vulnerability Management
Vulnerabilities
CISA adds 7 vulnerabilities to list of bugs exploited by hackers (bleepingcomputer.com)
Google patches yet another Chrome zero-day vulnerability (techtarget.com)
Chrome browser gets 11 security fixes with 1 zero-day – update now! – Naked Security (sophos.com)
Cisco fixes High-Severity bug in Secure Web Appliance - Security Affairs
Exploit out for critical Realtek flaw affecting many networking devices (bleepingcomputer.com)
Safari 15.6.1 fixes a zero-day flaw actively exploited in the wild - Security Affairs
Rapid7: Cisco ASA and ASDM flaws went unpatched for months (techtarget.com)
Windows Vulnerability Could Crack DC Server Credentials Open (darkreading.com)
ÆPIC and SQUIP Vulnerabilities Found in Intel and AMD Processors (thehackernews.com)
PoC exploit code for the critical Realtek RCE flaw released online - Security Affairs
Other News
Exploiting stolen session cookies to bypass multi-factor authentication (MFA) - Help Net Security
Janet Jackson music video given CVE for crashing laptops • The Register
How aware are organisations of the importance of endpoint management security? - Help Net Security
The Future of Cyber Security is Prevention | SecurityWeek.Com
DigitalOcean Discloses Impact From Recent Mailchimp Cyber Attack | SecurityWeek.Com
Sector Specific
Industry specific threat intelligence reports are available.
Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.
· Automotive
· Construction
· Critical National Infrastructure (CNI)
· Defence & Space
· Education & Academia
· Energy & Utilities
· Estate Agencies
· Financial Services
· FinTech
· Food & Agriculture
· Gaming & Gambling
· Government & Public Sector (including Law Enforcement)
· Health/Medical/Pharma
· Hotels & Hospitality
· Insurance
· Legal
· Manufacturing
· Maritime
· Oil, Gas & Mining
· OT, ICS, IIoT, SCADA & Cyber-Physical Systems
· Retail & eCommerce
· Small and Medium Sized Businesses (SMBs)
· Startups
· Telecoms
· Third Sector & Charities
· Transport & Aviation
· Web3
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Threat Briefing 05 August 2022
Black Arrow Cyber Threat Briefing 05 August 2022
-Average Cost of Data Breaches Hits Record High of $4.35 Million: IBM
-Researchers Warns of Large-Scale Adversary-in-the-Middle (AiTM) Attacks Targeting Enterprise Users
-UK NHS Suffers Outage After Cyber Attack on Managed Service Provider
-A Third of Organisations Experience a Ransomware Attack Once a Week
-Ransomware Products, Services Ads on Dark Web Show Clues to Danger
-Wolf In Sheep’s Clothing, How Malware Tricks Users and Antivirus
-Microsoft Accounts Targeted with New MFA-Bypassing Phishing Kit
-Cyber Attack Prevention Is Cost-Effective, So Why Aren’t Businesses Investing to Protect?
-Securing Your Move to the Hybrid Cloud
-Lessons from the Russian Cyber Warfare Attacks
-Four Sneaky Attacker Evasion Techniques You Should Know About
-Zero-Day Defence: Tips for Defusing the Threat
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
Average Cost of Data Breaches Hits Record High of $4.35 Million: IBM
The global average cost of data breaches reached an all-time high of $4.35 million in 2022 compared with $4.24 million in 2021, according to a new IBM Security report. About 60% of the breached organisations raised product and services prices due to the breaches.
The annual report, conducted by Ponemon Institute and analysed and sponsored by IBM Security, is based on the analysis of real-world data breaches experienced by 550 organisations globally between March 2021 and March 2022.
According to the report, about 83% of the organisations have experienced more than one breach in their lifetime, with nearly half of the costs reported to be incurred more than a year after the breach.
The report revealed that ransomware and destructive attacks represented 28% of breaches among the critical infrastructure organisations studied, indicating that threat actors are specifically targeting the sector to disrupt global supply chains. The critical infrastructure sector includes financial services, industrial, transportation, and healthcare companies.
Researchers Warns of Large-Scale Adversary-in-the-Middle (AiTM) Attacks Targeting Enterprise Users
A new, large-scale phishing campaign has been observed using adversary-in-the-middle (AitM) techniques to get around security protections and compromise enterprise email accounts.
It uses a technique capable of bypassing multi-factor authentication. The campaign is specifically designed to reach end users in enterprises that use Microsoft's email services.
Prominent targets include fintech, lending, insurance, energy, manufacturing, and federal credit union verticals located in the US, UK, New Zealand, and Australia.
This is not the first time such a phishing attack has come to light. Last month, Microsoft disclosed that over 10,000 organisations had been targeted since September 2021 by means of AitM techniques to breach accounts secured with multi-factor authentication (MFA).
The ongoing campaign, effective June 2022, commences with an invoice-themed email sent to targets containing an HTML attachment, which includes a phishing URL embedded within it.
https://thehackernews.com/2022/08/researchers-warns-of-large-scale-aitm.html
UK NHS Suffers Outage After Cyber Attack on Managed Service Provider
The UK National Health Service (NHS) 111 emergency services were affected by a significant and ongoing outage triggered by a cyber attack that hit the systems of British managed service provider (MSP) Advanced.
Advanced's Adastra client patient management solution, which is used by 85% of NHS 111 services, was hit by a major outage together with several other services provided by the MSP, according to a status page.
"There was a major outage of a computer system that is used to refer patients from NHS 111 Wales to out-of-hours GP providers," the Welsh Ambulance Services said. "This system is used by Local Health Boards to coordinate these services for patients. The ongoing outage is significant and has been far-reaching, impacting each of the four nations in the UK."
The UK public was advised to access the NHS 111 emergency services using the online platform until the incident is resolved.
While no details were provided regarding the nature of the cyber attack, based on the wording, it is likely that this was a ransomware or data extortion attack.
A Third of Organisations Experience a Ransomware Attack Once a Week
Ransomware attacks show no sign of slowing. According to new research published by Menlo Security, a third of organisations experience a ransomware attack at least once a week, with one in 10 experiencing them more than once a day.
The research, conducted among 500+ IT security decision makers at US and UK organisations with more than 1,000 employees, highlights the impact this is having on security professionals’ own wellbeing. When asked what keeps them awake at night, 41% of respondents say they worry about ransomware attacks evolving beyond their team’s knowledge and skillset, while 39% worry about them evolving beyond their company’s security capabilities.
Their biggest concern, however, is the risk of employees ignoring corporate security advice and clicking on links or attachments containing malware (46%). Respondents worry more about this than they do their own job security, with just a quarter (26%) of respondents worried about losing their job.
According to the report, around half of organisations (61% US and 44% UK) have been the victim of a successful ransomware attack in the last 18 months, with customers and prospects the most likely entry point for an attack.
Partners/suppliers and employees/contractors are also seen as serious security risks, although one in 10 admit they are unable to identify how the attacks got in. The top three ransomware attack vectors are email (54%), web browsers via a desktop or laptop (49%) and mobile devices (39%).
https://www.helpnetsecurity.com/2022/08/04/organizations-experience-ransomware-attack/
Ransomware Products and Services Ads on Dark Web Show Clues to Danger
Why is ransomware’s destructive potential so daunting? Some clues are in the “for sale” ads. In an examination of some 35 million dark web URLs, a provider of machine identity management and a forensic specialist found some 475 web pages peddling sophisticated ransomware products and services with a number of high profile crews hawking ransomware-as-a-service.
The work is a joint effort between the Salt Lake City-based Venafi and Forensic Pathways, which took place between November 2021 and March 2022. Researchers used Forensic’s Dark Search Engine to carry out the investigation.
Here are some of the research findings:
87% of the ransomware found on the dark web has been delivered via malicious macros to infect targeted systems.
30 different “brands” of ransomware were identified within marketplace listings and forum discussions.
Many strains of ransomware being sold — such as Babuk, GoldenEye, Darkside/BlackCat, Egregor, HiddenTear and WannaCry — have been successfully used in high-profile attacks.
Ransomware strains used in high-profile attacks command a higher price for associated services. For example, the most expensive listing was $1,262 for a customised version of Darkside ransomware, which was used in the Colonial Pipeline ransomware attack.
Source code listings for well-known ransomware generally command higher price points. For example, Babuk source code is listed for $950 and Paradise source code is selling for $593.
Ransomware Sold for as Little as $1: In addition to a variety of ransomware at various price points, a wide range of services and tools that help make it easier for attackers with minimal technical skills to launch ransomware attacks are for sale on the dark web, Venafi said. Services with the greatest number of listings include those offering source code, build services, custom development services and ransomware packages that include step-by-step tutorials.
Wolf In Sheep’s Clothing: How Malware Tricks Users and Antivirus
One of the primary methods used by malware distributors to infect devices is by deceiving people into downloading and running malicious files, and to achieve this deception, malware authors are using a variety of tricks.
Some of these tricks include masquerading malware executables as legitimate applications, signing them with valid certificates, or compromising trustworthy sites to use them as distribution points.
According to VirusTotal, a security platform for scanning uploaded files for malware, some of these tricks are happening on a much larger scale than initially thought.
The platform has compiled a report presenting stats from January 2021 until July 2022, based on the submission of two million files daily, illustrating trends in how malware is distributed.
Abusing legitimate domains: Distributing malware through legitimate, popular, and high-ranking websites allows threat actors to evade IP-based blocklists, enjoy high availability, and provide a greater level of trust.
Using stolen code-signing certificates: Signing malware samples with valid certificates stolen from companies is a reliable way to evade AV detection and security warnings on the host. Of all the malicious samples uploaded to VirusTotal between January 2021 and April 2022, over a million were signed, and 87% used a valid certificate.
Disguised as popular software: Masquerading a malware executable as a legitimate, popular application has seen an upward trend in 2022. Victims download these files thinking they’re getting the applications they need, but upon running the installers, they infect their systems with malware. The most mimicked applications are Skype, Adobe Acrobat, VLC, and 7zip.
Lacing legitimate installers - Finally, there’s the trick of hiding malware inside legitimate application installers and running the infection process in the background while the real apps execute in the foreground. Based on VirusTotal stats, this practice also appears to be on the rise this year, using Google Chrome, Malwarebytes, Windows Updates, Zoom, Brave, Firefox, ProtonVPN, and Telegram as lures.
Microsoft Accounts Targeted with New MFA-Bypassing Phishing Kit
A new large-scale phishing campaign targeting credentials for Microsoft email services use a custom proxy-based phishing kit to bypass multi-factor authentication.
Researchers believe the campaign's goal is to breach corporate accounts to conduct BEC (business email compromise) attacks, diverting payments to bank accounts under their control using falsified documents.
The phishing campaign's targets include fin-tech, lending, accounting, insurance, and Federal Credit Union organisations in the US, UK, New Zealand, and Australia.
The campaign was discovered by Zscaler's ThreatLabz researchers, who report that the operation is still ongoing, and the phishing actors register new phishing domains almost daily.
Starting in June 2022, Zscaler's analysts noticed a spike in sophisticated phishing attempts against specific sectors and users of Microsoft email services.
Some of the newly registered domains used in the campaign are typo-squatted versions of legitimate domains.
Notably, many phishing emails originated from the accounts of executives working in these organisations, whom the threat actors most likely compromised earlier.
Cyber Attack Prevention Is Cost-Effective, So Why Aren’t Businesses Investing to Protect?
Cyber attacks like ransomware, BEC scams and data breaches are some of the key issues businesses are facing today, but despite the number of high-profile incidents, many boardrooms are reluctant to free up budget to invest in the cyber security measures necessary to avoid becoming the next victim.
In a Help Net Security interview, Former Pentagon Chief Strategy Officer Jonathan Reiber, VP Cyber security Strategy and Policy, AttackIQ, discusses how now, more than ever, companies need to protect themselves from cyber threat actors. He offers insight for CISOs, from talking to the Board to proper budget allocation.
https://www.helpnetsecurity.com/2022/08/01/cyberattack-prevention-investing/
Securing Your Move to the Hybrid Cloud
The combination of private and public cloud infrastructure, which most organisations are already using, poses unique security challenges. There are many reasons why organisations adopt the public cloud, from enabling rapid growth without the burden of capacity planning to leveraging flexibility and agility in delivering customer-centric services. However, this use can leave companies open to threats.
Since regulatory requirements or other preferences dictate that certain applications remain on private (on-prem) infrastructure, many organisations choose to maintain a mix of private and public infrastructure. Additionally, organisations typically use multiple cloud providers simultaneously or preserve the option to move between providers. However, this hybrid approach presents unique and diverse security challenges. Different cloud providers and private cloud platforms may offer similar capabilities but different ways of implementing security controls, along with disparate management tools.
The question then becomes: How can an organisation maintain consistent governance, policy enforcement and controls across different clouds? And how can it ensure that it maintains its security posture when moving between them? Fortunately, there are steps professionals can take to ensure that applications are continuously secure, starting from the early stages of development and extending throughout the lifecycle.
https://threatpost.com/secure-move-cloud/180335/
Lessons from the Russian Cyber Warfare Attacks
Cyber warfare tactics may not involve tanks and bombs, but they often go hand-in-hand with real combat.
The Russian invasion of Ukraine is a prime example. Before Russian troops crossed the border, Russian hackers had already taken down Ukrainian government websites. And after the conflict started, the hacktivist group Anonymous turned the tables by hacking Russian media to shut down propaganda about the war.
In these unprecedented times of targeted attacks against governments and financial institutions, every organisation should be on heightened alert about protecting their critical infrastructure and digital attack surface.
With the Russia-Ukraine conflict as a backdrop, two Trend Micro security experts recently discussed cyber warfare techniques and how they’re an important reminder for every business to proactively manage cyber risk.
https://www.trendmicro.com/en_us/ciso/22/h/russian-cyber-warfare-attacks.html
Four Sneaky Attacker Evasion Techniques You Should Know About
Remember those portrayals of hackers in the 80s and 90s where you just knew when you got pwned? A blue screen of death, a scary message, a back-and-forth text exchange with a hacker—if you got pwned in a movie in the 80s and 90s, you knew it right off the bat.
What a shame that today’s hackers have learned to be quiet when infiltrating an environment. Sure, “loud” attacks like ransomware still exist, but threat actors have learned that if they keep themselves hidden, they can usually do far more damage. For hackers, a little stealth can go a long way. Some attack tactics are inherently quiet, making them arguably more dangerous as they can be harder to detect. Here are four of these attack tactics you should know about.
Trusted Application Abuse: Attackers know that many people have applications that they inherently trust, making those trusted applications the perfect launchpad for cyber attacks. Threat actors know that defenders and the tools they use are often on the hunt for new malware presenting itself in environments. What isn’t so easy to detect is when the malware masquerades under legitimate applications.
Trusted Infrastructure Abuse: Much like trusted application abuse, trusted infrastructure abuse is the act of using legitimate, publicly hosted services and toolsets (such as Dropbox or Google Drive) as part of the attack infrastructure. Threat actors know that people tend to trust Dropbox and Google Drive. As a result, this makes these tools a prime means for threat actors to carry out malicious activity. Threat actors often find trusted infrastructure abuse easy because these services aren’t usually blocked at an enterprise’s gateway. In turn, outbound communications can hide in plain sight.
Obfuscation: Although cyber security has more than its fair share of tedious acronyms, the good news is that many terms can be broken down by their generic dictionary definitions. According to dictionary.com, this is what obfuscate means: “To make something unclear, obscure or difficult to understand.” And that’s exactly what it means in cyber security: finding ways to conceal malicious behaviour. In turn, this makes it more difficult for analysts and the tools they use to flag suspicious or malicious activity.
Persistence: Imagine writing up documentation using your computer, something you may well do in your role. You’ve spent a ton of time doing the research required, finding the right sources and compiling all your information into a document. Now, imagine not hitting save on that document and losing it as soon as you reboot your computer. Sound like a nightmare—or perhaps a real anxiety-inducing experience you’ve been through before? Threat actors agree. And that’s why they establish persistence. They don’t want all of their hard work to get into your systems in the first place to be in vain just because you restart your computer. They establish persistence to make sure they can still hang around even after you reboot.
Zero-Day Defence: Tips for Defusing the Threat
Because they leave so little time to patch and defuse, zero-day threats require a proactive, multi-layered approach based on zero trust.
The recent Atlassian Confluence remote code execution bug is just the latest example of zero-day threats targeting critical vulnerabilities within major infrastructure providers. The specific threat, an Object-Graph Navigation Language (OGNL) injection, has been around for years but took on new significance given the scope of the Atlassian exploit. And OGNL attacks are on the rise.
Once bad actors find such a vulnerability, proof-of-concept exploits start knocking at the door, seeking unauthenticated access to create new admin accounts, execute remote commands, and take over servers. In the Atlassian case, Akamai's threat research team identified that the number of unique IP addresses attempting these exploits grew to more than 200 within just 24 hours.
Defending against these exploits becomes a race against time worthy of a 007 movie. The clock is ticking and you don't have much time to implement a patch and "defuse" the threat before it's too late. But first you need to know that an exploit is underway. That requires a proactive, multi-layered approach to online security based on zero trust.
What do these layers look like? There are a number of different practices that security teams — and their third-party Web application and infrastructure partners — should be aware of.
https://www.darkreading.com/attacks-breaches/zero-day-defense-tips-for-defusing-the-threat
Threats
Ransomware
Reported ransomware attacks are just the tip of the iceberg. That's a problem for everyone | ZDNet
Initial Access Brokers - Key to Rise In Ransomware Attacks (informationsecuritybuzz.com)
Ransomware gangs are hitting roadblocks, but aren't stopping (yet) - Help Net Security
LockBit Ransomware Abuses Windows Defender for Payload Loading | SecurityWeek.Com
German Chambers of Industry and Commerce hit by 'massive' cyber attack (bleepingcomputer.com)
Ransomware Task Force releases SMB blueprint for defence and mitigation (scmagazine.com)
German semiconductor giant Semikron says hackers encrypted its network | TechCrunch
Ransomware Hit on European Pipeline & Energy Supplier Encevo Linked to BlackCat (darkreading.com)
Luxembourg Energy Company Hit by Ransomware | SecurityWeek.Com
Spanish research agency still recovering after ransomware attack (bleepingcomputer.com)
Phishing & Email Based Attacks
Countdown Clock Puts Pressure on Phishing Targets - Infosecurity Magazine
The most impersonated brand in phishing attacks? Microsoft - Help Net Security
Open Redirect Flaw Snags Amex, Snapchat User Data | Threatpost
A new malware threat is spying on users' Gmail inbox — do this before you're next | Laptop Mag
Massive New Phishing Campaign Targets Microsoft Email Service Users (darkreading.com)
North Korean Hackers Use Browser Extension to Spy on Gmail and AOL Accounts - Infosecurity Magazine
Other Social Engineering; SMishing, Vishing, etc
Malware
VirusTotal Reveals Most Impersonated Software in Malware Attacks (thehackernews.com)
Gootkit Loader Resurfaces with Updated Tactic to Compromise Targeted Computers (thehackernews.com)
Woody RAT: A new feature-rich malware spotted in the wild | Malwarebytes Labs
New IoT RapperBot Malware Targeting Linux Servers via SSH Brute-Forcing Attack (thehackernews.com)
New Linux malware brute-forces SSH servers to breach networks (bleepingcomputer.com)
Attackers cause Discord discord with malicious npm packages • The Register
Gootkit AaaS malware is still active and uses updated tactics - Security Affairs
Mobile
Facebook finds new Android malware used by APT hackers (bleepingcomputer.com)
Google Patches Critical Android Bluetooth Flaw in August Security Bulletin - Infosecurity Magazine
Banking trojan finds new routes to accounts by infiltrating Google Play Store (scmagazine.com)
Internet of Things – IoT
Organised Crime & Criminal Actors
Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain
Nearly $200 Million Stolen from Cryptocurrency Bridge Nomad | SecurityWeek.Com
Crypto firm that promised security loses $200 million in 'frenzied free-for-all' hack | PC Gamer
Nomad to crooks: Keep 10% as a bounty, return the rest • The Register
Cyber attackers Drain Nearly $6M From Solana Crypto Wallets (darkreading.com)
Man robbed of $800,000 in cryptocurrency sues Google • The Register
Insider Risk and Insider Threats
Fraud, Scams & Financial Crime
UK Branded Europe’s “Capital of Card Fraud” - Infosecurity Magazine
Huge network of 11,000 fake investment sites targets Europe (bleepingcomputer.com)
Online payment fraud losses accelerate at an alarming rate - Help Net Security
COMMENT: 'Hi Mum, Hi Dad' Scams On The Rise - Britons Already (informationsecuritybuzz.com)
Increase in Fake Tickets Being Sold by Cyber criminals on Social Media - IT Security Guru
AML/CFT/Sanctions
Dark Web
A Ransomware Explosion Fosters Thriving Dark Web Ecosystem (darkreading.com)
The popularity of Dark Utilities 'C2-as-a-Service' rapidly increases - Security Affairs
Software Supply Chain
Cloud/SaaS
Cyber attackers Increasingly Target Cloud IAM as a Weak Link (darkreading.com)
What Worries Security Teams About the Cloud? (darkreading.com)
Who Has Control: The SaaS App Admin Paradox (thehackernews.com)
Enterprises face a multitude of barriers to securing diverse cloud environments - Help Net Security
Open Source
Passwords, Credential Stuffing & Brute Force Attacks
Hackers stole passwords for accessing 140,000 payment terminals | TechCrunch
Credential Canaries Create Minefield for Attackers (darkreading.com)
5 reasons why businesses should never use consumer-grade password managers | TechRadar
Social Media
Hackers Exploit Twitter Vulnerability to Exposes 5.4 Million Accounts (thehackernews.com)
Parliament shuts down TikTok account over China data security concerns (telegraph.co.uk)
Over 3,200 Apps Leak Twitter API Keys, Some Allowing Account Hijacks (informationsecuritybuzz.com)
Increase in Fake Tickets Being Sold by Cyber criminals on Social Media - IT Security Guru
Privacy
Cyber Bullying and Cyber Stalking
Regulations, Fines and Legislation
Most companies are unprepared for CCPA and GDPR compliance - Help Net Security
Data privacy: Collect what you need, protect what you collect | CSO Online
India scraps data protection law, promises better successor • The Register
Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine
Ukraine takes down 1,000,000 bots used for disinformation (bleepingcomputer.com)
Nancy Pelosi ties Chinese cyber-attacks to Taiwan visit • The Register
Spanish Research Center Suffers Cyber attack Linked to Russia | SecurityWeek.Com
Russian organisations attacked with new Woody RAT malware (bleepingcomputer.com)
Greek intelligence spied on journalist with a surveillance spyware - Security Affairs
Rare Pegasus screenshots depict NSO Group's spyware capabilities | AppleInsider
Nation State Actors
Nation State Actors – Russia
Nation State Actors – China
Chinese hackers use new Cobalt Strike-like attack framework (bleepingcomputer.com)
Massive China-Linked Disinformation Campaign Taps PR Firm for Help (darkreading.com)
Parliament shuts down TikTok account over China data security concerns (telegraph.co.uk)
Global network of fake news sites push Chinese propaganda, researchers find - CyberScoop
Taiwanese military reports DDoS in wake of US Speaker visit • The Register
Nation State Actors – North Korea
Nation State Actors – Iran
Nation State Actors – Misc APT
Vulnerabilities
VMware urges admins to patch critical auth bypass bug immediately (bleepingcomputer.com)
Critical RCE Bug in DrayTek Routers Opens SMBs to Zero-Click Attacks (darkreading.com)
Cisco fixes critical remote code execution bug in VPN routers (bleepingcomputer.com)
F5 Fixes 21 Vulnerabilities With Quarterly Security Patches | SecurityWeek.Com
High-Severity Bug in Kaspersky VPN Client Opens Door to PC Takeover (darkreading.com)
Slack Resets Passwords After a Bug Exposed Hashed Passwords for Some Users (thehackernews.com)
VMware Releases Patches for Several New Flaws Affecting Multiple Products (thehackernews.com)
Hackers are actively exploiting password-stealing flaw in Zimbra (bleepingcomputer.com)
Google fixed Critical Remote Code Execution flaw in Android - Security Affairs
CISA adds Zimbra bug to Known Exploited Vulnerabilities Catalogue - Security Affairs
Warning! Critical flaws found in US Emergency Alert System • The Register
Sector Specific
Industry specific threat intelligence reports are available.
Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.
· Automotive
· Construction
· Critical National Infrastructure (CNI)
· Defence & Space
· Education & Academia
· Energy & Utilities
· Estate Agencies
· Financial Services
· FinTech
· Food & Agriculture
· Gaming & Gambling
· Government & Public Sector (including Law Enforcement)
· Health/Medical/Pharma
· Hotels & Hospitality
· Insurance
· Legal
· Manufacturing
· Maritime
· Oil, Gas & Mining
· OT, ICS, IIoT, SCADA & Cyber-Physical Systems
· Retail & eCommerce
· Small and Medium Sized Businesses (SMBs)
· Startups
· Telecoms
· Third Sector & Charities
· Transport & Aviation
· Web3
Other News
APIs attacked in 94% of companies in past year - IT Security Guru
Over 60% of Organisations Expose SSH to the Internet - Infosecurity Magazine
How IT and security teams can work together to improve endpoint security - Microsoft Security Blog
Burnout and attrition impact tech teams sustaining modern digital systems - Help Net Security
Machine learning creates a new attack surface requiring specialized defences - Help Net Security
Cyber security lessons learned from COVID-19 pandemic (techtarget.com)
10 enterprise database security best practices (techtarget.com)
Resolving Availability vs. Security, a Constant Conflict in IT (thehackernews.com)
Tips to prevent RDP and other remote attacks on Microsoft networks | CSO Online
The Myth of Protection Online — and What Comes Next (darkreading.com)
The Importance of Data Security in the Enterprise (techtarget.com)
How IT Teams Can Use 'Harm Reduction' for Better Cyber security Outcomes (darkreading.com)
Businesses lack visibility into run-time threats against mobile apps and APIs - Help Net Security
Browser synchronization abuse: Bookmarks as a covert data exfiltration channel - Help Net Security
Threats emanating from digital ecosystems can be a blind spot for businesses - Help Net Security
Busting the Myths of Hardware Based Security - Security Affairs
New Traffic Light Protocol standard released after five years (bleepingcomputer.com)
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Advisory 21/07/2022 – Cyber Insurance Policies: Misrepresentation and Ransomware pay-outs
Black Arrow Cyber Advisory 20/07/2022 – Cyber Insurance Policies: Misrepresentation and Ransomware pay-outs
Executive Summary
Ransomware attacks are becoming more prevalent and the costs for insurers are increasing. Traditionally, ransomware groups have encrypted an organisation’s data and demanded a ransom for the decryption key. However, in the last year, there has been a growing shift by the ransomware community towards exfiltration and then a threat to release the stolen data to extort money from their victims.. These factors have increased the financial pressure that cyber insurance companies are currently experiencing, which in turn has caused them to reconsider their obligations for settling claims. There are currently two significant court cases relating to ransomware insurance claims involving the Travelers insurance company.
The first case relates to Graff, a UK-based jeweller who paid a ransom of $7.5M to prevent the Russian-based ransomware gang Conti from releasing 69,000 confidential documents it had stolen. Graff published the following public statement regarding the dispute with their insurer: “We are extremely frustrated and disappointed by Travelers’ attempt to avoid settlement of this insured risk. They have left us with no option but to bring these recovery proceedings at the High Court.”
The second involves a filing with the US District court requesting a declaration that Travellers insurance contract with International Control Services (ICS) is invalid due to misrepresentation of Multi-Factor Authentication (MFA) controls on the company’s application for its cyber insurance policy. The application stated that MFA was used for administrative or privileged access. Subsequently, ICS were victim to a ransomware attack that resulted in a claim against their cyber insurance policy. As the insurer, Travelers conducted an investigation which revealed that ICS “only used MFA to protect its firewall, and did not use MFA to protect any other digital assets.”
What’s the risk to me or my business?
With the evolving threat of ransomware being ever prominent, it is critical that an organisation considers appropriate cyber controls across people, operations and technology to manage and effectively reduce its risk. Organisations often rely on cyber insurance to provide cover when these controls fail, however insurers are now demanding more evidence of robust cyber controls as they begin to better manage their own exposure to the increasing risks.
What can I do?
Ensure that leadership have an understanding of key cyber controls and what is covered within a cyber insurance policy. When considering ransomware payments, it should be clear what the policy will cover. Any declaration of cyber security controls should be informed by an appropriate cyber security expert with knowledge of what controls the organisation has in place, to ensure that the facts are correctly represented and are less likely to be used in a misrepresentation defence.
Further information on the above cases can be found here:
Need help understanding your gaps, or just want some advice? Get in touch with us.
Black Arrow Cyber Advisory 19/07/2022 – Microsoft identifies Phishing campaign which can bypass MFA if additional controls are not in place
Black Arrow Cyber Advisory 19/07/2022 – Microsoft identifies Phishing campaign which can bypass MFA if additional controls are not in place
Executive Summary
Microsoft has released information on a new phishing campaign involving “adversary-in-the-middle” AiTM techniques, which has affected more than 10,000 organisations since September 2021. What is unique about this particular attack method is that it has the potential to bypass Multi-Factor Authentication (MFA). It is important to note that this attack does not make use of a vulnerability within MFA, and that MFA is still a key control in preventing credential compromise.
What’s the risk to me or my business?
As more organisations implement security controls such as MFA, malicious actors will be looking into possibilities of targeting these controls. This particular attack technique involves a proxy server being deployed in between the recipient and a valid targeted website. In short, a targeted user would receive a phishing email, the link to the phishing email would resolve in a valid website, with the traffic being re-directed through the server of a malicious actor. This allows the malicious actor to steal “authenticated session cookies”, after the user has logged into the valid website. The malicious actor can then use the authenticated session cookies to access the valid website with the targeted users credentials, which can then lead to further attacks such as Business Email Compromise as shown in the diagram below.
Figure 1: Overview of AiTM phishing campaign and follow-on BEC (Microsoft 365 Defender Research Team, 2022)
What can I do?
Microsoft recommends implementing conditional access policies, which can limit user access in different scenarios, such as only allowing access to trusted locations, compliant devices or trusted IP addresses. This would prevent a stolen session cookie from granting access to an account outside of these conditions. Anti-Phishing solutions can also be used to block phishing emails from arriving in end-users inboxes, however it is worth noting that these solutions may not be able to block every threat. Where possible, security monitoring should be in place to detect suspicious sign-in attempts, and unusual mailbox activities including external forwarding, rule creation and access from untrusted IP addresses or devices.
It is also critically important that technical controls such as MFA are supplemented with end-user training, including Phishing simulations as it is the primary ingress point for this type of attack.
Technical Summary
Microsoft has published a full breakdown of sample attacks that they have monitored. So far they have followed the following process:
1. An attacker sends emails containing an HTML file attachment, stating that a voicemail has been received on their Microsoft account. This email follows the same template which is received when a user receives a voicemail via Microsoft Teams.
2. The user clicks on the HTML attachment, which takes them to a website displaying the mp3 file being downloaded. No actual download takes place, but a progress bar is updated.
3. The user is then re-directed to a gatekeeper, which confirms that the user has clicked on the html attachment.
4. The user arrives at a proxied version of the Microsoft Azure Active Directory login page. It is important to note that if an organisation has customised this landing page with their corporate logo then this will also be displayed, making the website seem even more legitimate.
5. The user enters their credentials which are then authenticated by Microsoft. If MFA is enabled, the user would be prompted for MFA at this stage.
6. The user is re-directed to the official Microsoft 365 website, while the authenticated session cookies are captured by the attacker, also allowing them into the official Microsoft 365 website.
7. Microsoft’s research has then shown that the stolen session is used for Business Email Compromise (BEC) attacks, targeting finance related emails within the targeted users inbox to request fraud payments. At this stage however a malicious attacker also has potential to access any 365 service which the targeted user has access to.
Appropriate conditional access controls could prevent an attacker at step 6 from using the stolen cookies to access the targeted users Microsoft 365 account.
A full breakdown of this particular phishing campaign is available here: From cookie theft to BEC: Attackers use AiTM phishing sites as entry point to further financial fraud - Microsoft Security Blog
Need help understanding your gaps, or just want some advice? Get in touch with us.
References
Microsoft 365 Defender Research Team. (2022, 07 19). From cookie theft to BEC: Attackers use AiTM phishing sites as entry point to further financial fraud. Retrieved from Microsoft 365 Defender Research Team Security Blog: https://www.microsoft.com/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further-financial-fraud/
Black Arrow Cyber Threat Briefing 18 February 2022
Black Arrow Cyber Threat Briefing 18 February 2022
-Small Businesses Facing Upwards of 11 Cyber Threats Per Day Per Device
-As Ukraine Tensions Rise, UK Organisations Should Protect Themselves From Cyber Threats
-Microsoft Teams Targeted With Takeover Trojans
-The European Central Bank is Warning Banks of Possible Russia-Linked Cyber Attack Amid the Rising Crisis With Ukraine
-Companies Face Soaring Prices For Cyber Insurance
-Even When Warned, Businesses Ignore Critical Vulnerabilities And Hope For The Best
-Ransomware-Related Data Leaks Nearly Doubled in 2021: Report
-Online Fraud Skyrocketing: Gaming, Streaming, Social Media, Travel and Ecommerce Hit the Most
-Poor Security Hygiene Organisations and Ransomware Attacks: Painful Math
-Security Teams Expect Attackers to Go After End Users First
-US Warns of Imminent Russian Invasion of Ukraine With Tanks, Jet Fighters, Cyber Attacks
-TrickBot Malware Targeted Customers of 60 High-Profile Companies Since 2020
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
As Ukraine Tensions Rise, UK Organisations Should Protect Themselves From Cyber Threats
In a world that is so dependent on digital assets, cyber resilience is more important than ever. At the National Cyber Security Centre – a part of GCHQ – the mission is to make the UK the safest place to live and work online, but they have said they cannot do it alone.
Now, at a time of heightened cyber threats, the NCSC is urging all organisations to follow their advice on the steps they should take to improve their resilience.
The UK is closer to the crisis in Ukraine than you might think. While 2,000-odd miles separate us physically from their borders with Russia, that distance is much shorter in cyber space – and attacks targeting Ukraine’s digital infrastructure could be felt here in Britain.
Cyber attacks do not respect geographic boundaries. On a daily basis, businesses in the UK are targeted by ransomware attacks from criminals overseas.
And as tensions have risen in Ukraine in recent weeks, authorities have already seen a number of cyber attacks occurring. On Friday evening, the UK government judged that the Russian Main Intelligence Directorate (GRU) was involved in last week’s distributed denial of service attacks against the financial sector in Ukraine.
If the situation continues to escalate, we could see cyber attacks that have international consequences, intentional or not. Rising tensions in the region, with the risk of overspill, are why the National Cyber Security Centre (NCSC) has said that the UK’s cyber risk has heightened in the last month, although there is no evidence of the UK being specifically targeted.
Small Businesses Facing Upwards of 11 Cyber Threats Per Day Per Device
BlackBerry's 2022 Threat Report highlights growing threats to SMBs, calls on government to make cyber security top priority
BlackBerry Limited has released the 2022 BlackBerry Annual Threat Report, highlighting a cybercriminal underground which it says has been optimised to better target local small businesses. Small businesses will continue to be an epicentre for cybercriminal focus as SMBs facing upward of 11 cyber threats per device per day, which only stands to accelerate as cybercriminals increasingly adopt collaborative mindsets.
The report also uncovered cyber breadcrumbs from some of last year’s most notorious ransomware attacks, suggesting some of the biggest culprits may have simply been outsourced labour. In multiple incidents BlackBerry identified threat actors leaving behind playbook text files containing IP addresses and more, suggesting the authors of this year’s sophisticated ransomware are not the ones carrying out attacks. This highlights the growing shared economy within the cyber underground.
Microsoft Teams Targeted With Takeover Trojans
Threat actors are targeting Microsoft Teams users by planting malicious documents in chat threads that execute Trojans that ultimately can take over end-user machines, researchers have found.
Researchers began tracking the campaign in January, which drops malicious executable files in Teams conversations that, when clicked on, eventually take over the user’s computer, according to a report published Thursday.
Using an executable file, or a file that contains instructions for the system to execute, hackers can install DLL files and allow the program to self-administer and take control over the computer. By attaching the file to a Teams attack, hackers have found a new way to easily target millions of users.
Cyber criminals long have targeted Microsoft’s ubiquitous document-creation and sharing suite – the legacy Office and its cloud-based version, Office 365 – with attacks against individual apps in the suite such as PowerPoint as well as business email compromise and other scams.
Now Microsoft Teams – a business communication and collaboration suite – is emerging as an increasingly popular attack surface for cybercriminals.
https://threatpost.com/microsoft-teams-targeted-takeover-trojans/178497/
The European Central Bank is Warning Banks of Possible Russia-Linked Cyber Attack Amid the Rising Crisis With Ukraine
The European Central Bank is warning banks of possible Russia-linked cyber attack amid the rising crisis with Ukraine and is inviting them to step up defences.
The news was reported by Reuters, citing two unnamed sources. The ECB pointed out that addressing cyber security is a top priority for the European agency.
“The European Central Bank is telling euro zone banks zone to step up their defences against cyber attacks, also in the context of geopolitical tensions such as the stand-off between Russia and Ukraine, the ECB’s top supervisor said on Thursday.” reported Reuters.
ECB warned that the rising risk from cyber attacks begun in 2020.
Companies Face Soaring Prices For Cyber Insurance
The cost of cyber insurance has risen steeply over the past year. According to Marsh, the price of cover in the US grew by 130 per cent in the fourth quarter of 2021 alone, while in the UK it grew by 92 per cent. That has increased pressure on companies who are facing cost inflation in other parts of their business.
The steep hikes in the cost of cyber insurance come against a backdrop of rising prices more broadly. According to Marsh, commercial insurance prices rose 13 per cent in the final quarter of 2021.
The hardening market from reduced capacity allied with increasing cyber fraud are potent forces. Pricing becomes more challenging, reinsurance appetite reduced whilst costs increasing and fraudsters have as much access to the latest technologies as do enterprises, the government sector and the insurance industry.
There may be limits to what insurers can cover. Speaking to the Financial Times last week the chief executive of Zurich said: “A connected economy offers lots of opportunities for cyber attacks.” A major cyber risk, he added, “is something only governments can manage”.
Companies will have to do more themselves to fight cyber fraud with technology partners. Meanwhile brokers and insurers must review underwriting data and practices and government raise effectiveness at prosecuting criminals.
https://www.ft.com/content/60ddc050-a846-461a-aa10-5aaabf6b35a5
Even When Warned, Businesses Ignore Critical Vulnerabilities And Hope For The Best
A Bulletproof research found the extent to which businesses are leaving themselves open to cyber attack. When tested, 28% of businesses had critical vulnerabilities – vulnerabilities that could be immediately exploited by cyber attacks.
A quarter of businesses neglected to fix those critical vulnerabilities, even though penetration testing had highlighted them to the business after a retest was completed.
The research analyzed data from over 3,800 days’ worth of penetration testing services. These tests are a means of identifying vulnerabilities within an organisation’s security systems by simulating how malicious actors would seek to exploit such shortcomings.
https://www.helpnetsecurity.com/2022/02/18/businesses-critical-vulnerabilities/
Ransomware-Related Data Leaks Nearly Doubled in 2021: Report
There was a significant increase in ransomware-related data leaks and interactive intrusions in 2021, according to the 2022 Global Threat Report released on Tuesday by endpoint security firm CrowdStrike.
The number of ransomware attacks that led to data leaks increased from 1,474 in 2020 to 2,686 in 2021, which represents an 82% increase. The sectors most impacted by data leaks in 2021 were industrial and engineering, manufacturing, and technology.
The growth and impact of big game hunting in 2021 was a palpable force felt across all sectors and in nearly every region of the world. Although some adversaries and ransomware ceased operations in 2021, the overall number of operating ransomware families increased,” CrowdStrike said in its report.
https://www.securityweek.com/ransomware-related-data-leaks-nearly-doubled-2021-report
Online Fraud Skyrocketing: Gaming, Streaming, Social Media, Travel and Ecommerce Hit the Most
An Arkose Labs report is warning UK commerce that it faces its most challenging year ever. Experts analyzed over 150 billion transaction requests across 254 countries and territories in 2021 over 12 months to discover that there has been an 85% increase in login attacks and fake consumer account creation at businesses.
Alongside this, it identified that one in four new online accounts created were fake. A further 21% of all traffic was confirmed as a fraudulent cyber attack.
From the earliest days of online information to the rapid evolution of today’s metaverses, the internet has come a long way. However, this latest data shows that it is more under attack than ever before.
Your digital identity is a currency for fraudsters and wherever there is online commerce, cyber criminals are quick to identify vulnerabilities.
https://www.helpnetsecurity.com/2022/02/14/fake-consumer-account/
Poor Security Hygiene Organisations and Ransomware Attacks: Painful Math
Poor cyber security hygiene is widely considered to be a major influencing factor for exposure to a ransomware attack. But is that an accurate assessment?
In a new study, RiskRecon, a security best practices specialist, investigated 600+ cyber hijacks to determine if companies victimized by a “detonation” had poor cyber security hygiene at the time and which factors, such as web encryption, application security and email security, are key gaps in coverage.
The answer: Cyber security hygiene does in fact play a large role in an organisation’s vulnerability to a ransomware attack. RiskRecon analyzed the cyber security hygiene on the day of ransomware incident for 622 organisations spanning 633 ransomware events occurring between 2017 and 2021. Based on a comparison population of cyber security ratings and assessments of some 100,000 entities, companies that have very poor cyber security hygiene in their internet-facing systems (a ‘D’ or ‘F’ RiskRecon rating) have about a 40 times higher rate of destructive ransomware events as compared to those with clean cyber security hygiene. Only .03 percent of ‘A-rated’ companies were victims of a destructive ransomware attack, compared with 1.08 percent of ‘D-rated’ and 0.91 percent of ‘F-rated’ companies.
The cyber security conditions underlying the RiskRecon rating reveal just how poor the cyber security hygiene is of companies, on average, that fall victim to a material system-encrypting ransomware attack. For example, ransomware victims have an average of 11 material software vulnerabilities in their internet-facing systems, in comparison with only one issue in the general population. Looking at network services that criminals commonly exploit, ransomware victims expose 3.3 times more unsafe network services to the internet than the general population.
Security Teams Expect Attackers to Go After End Users First
Phishing, malware, and ransomware have spurred organisations to increase their investments in endpoint security, according to Dark Reading’s Endpoint Security Survey.
The shift to a more distributed work environment and an increase in digital transformation initiatives have motivated organisations to bolster their endpoint security defences. However, end users continue to be a major source of worry for IT and security decision-makers, according to the latest Dark Reading survey.
Phishing, malware, and ransomware pose major threats to organisations, as do attacks involving credential theft. An overwhelming 93% of IT and security professionals in Dark Reading’s "2022 Endpoint Security Survey" cite the growing number of ransomware attacks as the reason behind increased investments in endpoint security. Similarly, 83% say the increase in attacks using end-user credentials spurred their endpoint investments.
End users pose one of the biggest threats to the organisation, as 87% expect that if attackers wanted to steal the organisation’s data, they would begin by targeting a single end user.
Concerns about the end user are not new. Verizon’s "2021 Data Breach Investigations Report" found that 85% of the breaches it investigated in 2020 involved end users in some way – such as stolen account credentials, incorrectly assigned privileges or elevated privileges, social engineering, and user error.
US Warns of Imminent Russian Invasion of Ukraine With Tanks, Jet Fighters, Cyber Attacks
President Biden said Friday he is convinced Russian President Vladimir Putin has decided to invade Ukraine and that he expects an attack in the coming days, with targets including the Ukrainian capital, Kyiv.
US officials said a Russian attack could involve a broad combination of jet fighters, tanks, ballistic missiles and cyberattacks, with the ultimate intention of rendering Ukraine’s leadership powerless.
The officials said Mr. Putin has laid the groundwork in recent days through a series of destabilizing activities and false-flag operations, long predicted by U.S. and allied officials and intended to make it look as if Ukraine has provoked Russia into a conflict, thus justifying the Russian invasion.
TrickBot Malware Targeted Customers of 60 High-Profile Companies Since 2020
The notorious TrickBot malware is targeting customers of 60 financial and technology companies, including cryptocurrency firms, primarily located in the U.S., even as its operators have updated the botnet with new anti-analysis features.
TrickBot is a sophisticated and versatile malware with more than 20 modules that can be downloaded and executed on demand.
In addition to being both prevalent and persistent, TrickBot has continually evolved its tactics to go past security and detection layers. To that end, the malware's "injectDll" web-injects module, which is responsible for stealing banking and credential data, leverages anti-deobfuscation techniques to crash the web page and thwart attempts to scrutinize the source code.
Also put in place are anti-analysis guardrails to prevent security researchers from sending automated requests to command-and-control (C2) servers to retrieve fresh web injects.
https://thehackernews.com/2022/02/trickbot-malware-targeted-customers-of.html
Threats
Ransomware
Ransomware’s Savage Reign Continues As Attacks Increase 105% - Help Net Security
SonicWall CEO on ransomware: Every good vendor was hit in past 2 years - The Register
Are You Prepared for 2022's More Destructive Ransomware? | SecurityWeek.Com
CISA Advisory Cautions MSPs: Beware More Ransomware Attacks - MSSP Alert
Conti Ransomware Gang Takes Over Trickbot Malware Operation (bleepingcomputer.com)
FBI Eyes Ransomware Profits With New Cryptocurrency Crimes Unit | TechCrunch
FBI Warns BlackByte Ransomware Is Targeting US Critical Infrastructure | TechCrunch
BEC – Business Email Compromise
Phishing & Email
Malware
Emotet Now Spreading Through Malicious Excel Files | Threatpost
PseudoManuscrypt Malware Spreading the Same Way as CryptBot Targets Koreans (thehackernews.com)
Baby Golang-Based Botnet Already Pulling in $3K/Month for Operators | Threatpost
25 Years On, Microsoft Makes Another Stab At Stopping Macro Malware • Graham Cluley
Three-Fifths of Cyber-Attacks in 2021 Were Malware-Free - Infosecurity Magazine
Data Breaches/Leaks
Organised Crime & Criminal Actors
74% of Ransomware Revenue Goes to Russia-Linked Hackers - BBC News
Interpol Must Change With Cyber Crime, Says Director • The Register
Attackers Hone Their Playbooks, Become More Agile (darkreading.com)
Cryptocurrency/Cryptomining/Cryptojacking
SIM-Swapping Attacks, Many Aimed at Crypto Accounts, Are on the Rise - WSJ
FBI Says Crypto Payments Are a 'Huge Challenge' Amid Rise in Ransomware Attacks - Decrypt
Insider Risk and Insider Threats
The Rise Of The Super Malicious Insider: Yes, We Need To Worry - Help Net Security
Finance Officer Jailed After Stealing £200,000 from Charity - Infosecurity Magazine
Ex IT Tech Jailed For Wiping School Network During Lockdown • The Register
Fraud, Scams & Financial Crime
Barclays: Scams Surged in Final Quarter of 2021 - Infosecurity Magazine
Fraud and Scam Activity Hits All-Time High - Help Net Security
Soaring Losses Accelerate Investments In Anti-Fraud Tech - Help Net Security
Threat Actors Still Love a Romance Scam - Infosecurity Magazine
Singapore Introduces Strong Measures To Stop Online Scams • The Register
7 Tips for How To Spot a Scammer and Protect Yourself | Well+Good
DoS/DDoS
Nation State Actors
Russia’s Offensive Cyber Actions Should Be A Cause For Concern For CISOs | CSO Online
Russia Stole US Defense Data From IT Systems, Says CISA • The Register
Researchers Link ShadowPad Malware Attacks to Chinese Ministry and PLA (thehackernews.com)
Chinese MI6 Informant Gave Information To MPs About Huawei Threat | Huawei | The Guardian
Red Cross Attributes Server Breach To Nation-State Actor - CyberScoop
Iranian Hackers Targeting VMware Horizon Log4j Flaws to Deploy Ransomware (thehackernews.com)
Cloud
Report: 63% of IT Pros Say Cyber Threats Are Top Obstacle To Cloud Adoption Strategy | VentureBeat
EU Watchdog To Probe Public Sector's Love Affair With Cloud • The Register
Privacy
Spyware, Espionage & Cyber Warfare
The Conflict In Ukraine Proves Cyber-Attacks Are Now Weapons Of War (thenextweb.com)
Cyber Warfare In Ukraine Poses A Threat To The Global System | Financial Times (ft.com)
EU Data Protection Watchdog Calls for Ban on Pegasus-like Commercial Spyware (thehackernews.com)
Using Mobile Networks For Cyber Attacks As Part Of A Warfare Strategy - Help Net Security
Moses Staff Hackers Targeting Israeli Organisations for Cyber Espionage (thehackernews.com)
Vulnerabilities
Squirrelwaffle, Microsoft Exchange Server Vulnerabilities Exploited For Financial Fraud | ZDNet
Attackers Can Crash Cisco Email Security Appliances by Sending Malicious Emails (thehackernews.com)
New Chrome 0-Day Bug Under Active Attack – Update Your Browser ASAP! (thehackernews.com)
Multiple Vulnerabilities Put 40 Million Ubuntu Users At Risk | TechRadar
Critical Flaw Uncovered in WordPress Backup Plugin Used by Over 3 Million Sites (thehackernews.com)
High-Severity Vulnerability Found in Apache Database System Used by Major Firms | SecurityWeek.Com
VMware Fixes Holes That Could Allow Virtual Machine Escapes – Naked Security (sophos.com)
Another Critical RCE Discovered in Adobe Commerce and Magento Platforms (thehackernews.com)
T2 Mac Security Vulnerability: Passwords Can Now Be Cracked - 9to5Mac
Sector Specific
Financial Services Sector
Open Banking Innovation: A Race Between Developers And Cyber Criminals - Help Net Security
Canada's Major Banks Go Offline In Mysterious Hours-Long Outage (bleepingcomputer.com)
Defence
Transport and Aviation
Energy & Utilities
Other News
Over 28,000 Vulnerabilities Disclosed in 2021: Report | SecurityWeek.Com
Web Application Firewalls (WAFs) Can't Give Organisations The Security They Need - Help Net Security
How Challenging Is Corporate Data Protection? - Help Net Security
Local Authority Sets Aside £380k for Cyber-Attack Recovery - Infosecurity Magazine
Traditional MFA Is Creating A False Sense Of Security - Help Net Security
Massive LinkedIn Phishing, Bot Attacks Feed on the Job-Hungry | Threatpost
Be Flexible About Where People Work — But Not on Data Privacy (darkreading.com)
Researchers Block “Largest Ever” Bot Attack - Infosecurity Magazine
BadUSB: The Cyber Threat That Gets You To Plug It In – CloudSavvy IT
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
LinkedIn breach reportedly exposes data of 92% of users, including inferred salaries
LinkedIn breach reportedly exposes data of 92% of users, including inferred salaries
A second massive LinkedIn breach reportedly exposes the data of 700M users, which is more than 92% of the total 756M users. The database is for sale on the dark web, with records including phone numbers, physical addresses, geolocation data, and inferred salaries.
A second massive LinkedIn breach reportedly exposes the data of 700M users, which is more than 92% of the total 756M users. The database is for sale on the dark web, with records including phone numbers, physical addresses, geolocation data, and inferred salaries.
The hacker who obtained the data has posted a sample of 1M records, and checks confirm that the data is both genuine and up-to-date.
Reports indicate that the hacker appears to have misused the official LinkedIn API to download the data, the same method used in a similar breach back in April.
On June 22nd, a user of a popular hacker advertised data from 700 Million LinkedIn users for sale. The user of the forum posted up a sample of the data that includes 1 million LinkedIn users. The sample was examined and found to contain the following information:
· Email Addresses
· Full names
· Phone numbers
· Physical addresses
· Geolocation records
· LinkedIn username and profile URL
· Personal and professional experience/background
· Genders
· Other social media accounts and usernames
Based on analysis by researchers and cross-checking data from the sample with other publicly available information, it appears all data is authentic and tied to real users. Additionally, the data does appear to be up to date, with samples from 2020 to 2021.
No passwords are included, but as the site notes, this is still valuable data that can be used for identity theft and convincing-looking phishing attempts that can themselves be used to obtain login credentials for LinkedIn and other sites.
Although passwords were not included we still recommend you change your LinkedIn password and enable MFA (we strongly recommend MFA on any and all accounts you access online). We also recommend vigilance against social engineering attempts using information gleaned from this breach.
Original post: LinkedIn breach reportedly exposes data of 92% of users
Black Arrow Cyber Threat Briefing 18 June 2021
Black Arrow Cyber Threat Briefing 18 June 2021: Ransomware Now Ranks As UK’s Top Cyber Security Danger; 54% of all employees reuse passwords across accounts; Most Firms Face Second Ransomware Attack After Paying Off First; Bad Cyber Security Behaviours Plaguing The Remote Workforce; VPN Attacks Up Nearly 2000% As Companies Embrace A Hybrid Workplace; Over 65,000 Ransomware Attacks Expected In 2021; Business Leaders Now Feel More Vulnerable To Cyber Attacks
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
Ransomware Now Ranks As UK’s Top Cyber Security Danger
Ransomware hackers are now the biggest cyber security threat in the UK for the majority of individuals and businesses in the region, Lindy Cameron, chief executive of the National Cyber Security Centre (NCSC), said in a speech. “For the vast majority of UK citizens and businesses, and indeed for the vast majority of critical national infrastructure providers and government service providers, the primary key threat is not state actors but cyber criminals,” Cameron said in the speech at the second annual cyber security meeting at the Royal United Services Institute (RUSI), the oldest independent defense and security think tank worldwide.
54% of all employees reuse passwords across multiple work accounts
Results of a study into current attitudes and adaptability to at-home corporate cyber security, employee training, and support in the current global hybrid working era revealed some interesting results. The report surveyed 3,006 employees, business owners, and C-suite executives at large organisations (250+ employees), who have worked from home and use work issued devices in the UK, France and Germany.
According to the findings 54% of all employees use the same passwords across multiple work accounts. 22% of respondents still keep track of passwords by writing them down, including 41% of business owners and 32% of C-level executives.
42% of respondents admit to using work-issued devices for personal reasons daily while working from home. Of these, 29% are using work devices for banking and shopping, and 7% admit to watching illegal streaming services. Senior workers are among the biggest offenders, as 44% of business owners and 39% of C-level executives admit to performing personal tasks on work-issued devices every day since working from home, with 23% of business owners and 15% of C-level respondents using them for illegal streaming/watching TV.
A year after the pandemic began and work-from-home policies were implemented, 37% of all employees across all sectors are yet to receive cyber security training to work from home, leaving businesses largely exposed to evolving risks. 43% of all employees suggest that cyber security isn’t the responsibility of the workforce, with 60% believing this should be handled by IT teams.
https://www.helpnetsecurity.com/2021/06/10/employees-reuse-passwords-across-multiple-work-accounts/
VPN Attacks Up Nearly 2000% As Companies Embrace A Hybrid Workplace
In Q1 2021, there was a 1,916% increase in attacks against Fortinet’s SSL-VPN and a 1,527% increase in Pulse Connect Secure VPN. These vulnerabilities allow a threat actor to gain access to a network. Once they are in, they can exfiltrate information and deploy ransomware. “2020 was the era of remote work and as the workforce adjusted, information technology professionals scrambled to support this level of remote activity by enabling a wide variety of remote connectivity methods,” said J.R. Cunningham, CSO at Nuspire. “This added multiple new attack vectors that enabled threat actors to prey on organisations, which is what we started to see in Q1 and are continuing to see today.”
https://www.helpnetsecurity.com/2021/06/15/vpn-attacks-up/
Most Firms Face Second Ransomware Attack After Paying Off First
Most businesses that choose to pay to regain access to their encrypted systems experience a subsequent ransomware attack. And almost half of those that pay up say some or all their data retrieved were corrupted. Some 80% of organisations that paid ransom demands experienced a second attack, of which 46% believed the subsequent ransomware to be caused by the same hackers. Amongst those that paid to regain access to their systems, 46% said at least some of their data was corrupted, according to a survey released Wednesday. The study polled 1,263 security professionals in seven markets worldwide, including 100 in Singapore, as well as respondents in Germany, France, the US, and UK.
https://www.zdnet.com/article/most-firms-face-second-ransomware-attack-after-paying-off-first/
Over 65,000 Ransomware Attacks Expected In 2021: Former Cisco CEO
U.S. companies are expected to endure over 65,000 ransomware attacks this year — and that's “a conservative number,” according to John Chambers, former CEO of Cisco Systems. With McDonald’s, JBS, and Colonial Pipeline Co. all recently coming under cyber attacks, Chambers does not foresee an end to the onslaught of cyber security threats anytime soon. He estimated that the number of ransomware attacks in 2021 could end up being as high as 100,000, with each one costing companies an average of $170,000. In the case of Colonial, just one password was needed for hackers to compromise the entire company’s IT infrastructure. This led to Colonial and JBS paying a combined $15 million in ransom against FBI advice.
Business Leaders Now Feel More Vulnerable To Cyber Attacks
Geographically speaking, 55% of US and 49% of UK respondents have experienced the most severe impact to their network security due to these attacks (suggesting that their businesses are more of a target than those in continental Europe) which, in turn, has resulted in a clear majority of respondents (60%) increasing their investment in this area. A sizeable 68% of leaders said their company has experienced a DDoS attack in the last 12 months with the UK (76%) and the US (73%) experiencing a significantly higher proportion compared to 59% of their German and 56% French counterparts. Additionally, over half of the leaders who participated in the survey confirmed that they specifically experienced a DDoS ransom or extortion attack in that time, with a large number of them (65%) targeted at UK companies, compared with the relatively low number in France (38%).
https://www.helpnetsecurity.com/2021/06/14/business-leaders-feel-vulnerable-cyber-attacks/
Ransomware Gang Turns To Revenge Porn
At least one ransomware gang has taken a rare and highly invasive step in order to convince its victims to pay: leaking nude images allegedly uncovered as part of their hack of a target company. The news presents an escalation in the world of ransomware and digital extortion, and comes as the U.S. government and other countries discuss new measures to curb the spike in ransomware incidents. Ransomware groups have recently targeted, and in some cases extracted payment from, the Colonial Pipeline Company, meat producer JBS, and the Irish healthcare system. Locking down computers with ransomware can already have a substantial impact on business operations; leaking information on top of that can present victims with another risk. But posting nude images publicly on the internet threatens to make extortion of organisations a much more personal matter.
https://www.vice.com/en/article/z3xzby/ransomware-gang-revenge-porn-leaks-nude-images
Bank Of America Spends Over $1 Billion Per Year On Cyber Security
Bank of America CEO Brian Moynihan said Monday that the company has ramped its cyber security spending to over $1 billion a year. “I became CEO 11 and a half years ago, and we probably spent three to $400 million [per year] and we’re up over a billion now,” Moynihan said on CNBC’s “Squawk Box.” “The institutions around us, other institutions and my peers, spend like amounts, and our contracting parties spend like amounts,” he added. “In other words, we cause spending in third parties that provide services to us to protect us in the same way. So there’s a lot of money being spend on this, and I think one of the things our industry has done a great job of is work together.”
https://www.cnbc.com/2021/06/14/bank-of-america-spends-over-1-billion-per-year-on-cybersecurity.html
Bad Cyber Security Behaviours Plaguing The Remote Workforce
According to the report, younger employees are most likely to admit they cut cyber security corners, with 51% of 16-24 year olds and 46% of 25-34 year olds reporting they’ve used security workarounds. In addition, 39% say the cyber security behaviours they practice while working from home differ from those practiced in the office, with half admitting it’s because they feel they were being watched by IT departments. IT leaders are optimistic about the return to office, with 70% believing staff will more likely follow company security policies around data protection and privacy. However, only 57% of employees think the same.
https://www.helpnetsecurity.com/2021/06/16/cybersecurity-behaviors/
Threats
Ransomware
Why Backups Are Not The Panacea For Recovery From A Ransomware Attack
Ryuk Ransomware Recovery Cost Us $8.1m And Counting, Says Baltimore School Authority
Experts Shed Light On Distinctive Tactics Used By Hades Ransomware
The latest Revil Ransomware Victim? Sol Oriens. Oh, A US Nuclear Weapons Contractor
BEC
Phishing
Malware
Vulnerabilities
Update Your Chrome Browser To Patch Yet Another 0-Day Exploited In-The-Wild
Vulnerability In Microsoft Teams Granted Attackers Access To Emails, Messages, And Personal Files
Critical Remote Code Execution Flaw In Thousands Of VMWare vCenter Servers Remains Unpatched
Data Breaches
UK Listed Law Firm Gateley Admits Client Data Lost Through Cyber Attack
Alibaba Suffers Billion-Item Data Leak Of Usernames And Mobile Numbers
Maritime Firm HMM Suffers Security Breach And Cyber Attack On Its Email Systems
Mensa Data Spillage Was Due to 'Unauthorised Internal Download'
Volkswagen, Audi Disclose Data Breach Impacting Over 3.3 Million Customers, Interested Buyers
Organised Crime & Criminal Actors
Cryptocurrency
Supply Chain
OT, ICS, IIoT and SCADA
Nation State Actors
Biden Says He Told Putin U.S. Will Hack Back Against Future Russian Cyber Attacks
Little-Noticed Cyber Spying Campaign Blamed On China Was Much Wider Than Thought
Denial of Service
Cloud
Privacy
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Threat Briefing 14 May 2021
Black Arrow Cyber Threat Briefing 14 May 2021: Two Thirds Of CISOs Expect Damaging Cyber Attack In Next 12 Months; Ransomware - Don't Pay, It Just Shows Cyber Criminals That Attacks Work; Most Significant Cyber Attacks 2006-2020; The Shape Of Fraud And Cyber Crime, 10 Things We Learned From 2020; US Pipeline Ransomware Serves As Warning To Persistent Corporate Inertia Over Security; Ransomware Attackers Now Using Triple Extortion Tactics; AXA Pledges To Stop Reimbursing French Ransomware Victims; Cyber Experts Warn Over Online Wine Scams
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
Two Thirds Of CISOs Across World Expect Damaging Cyber Attack In Next 12 Months
More than 1,000 CISOs around the world have expressed concerns about the security ramifications of the massive shift to remote work since the beginning of the pandemic. One hundred CISOs from the US, Canada, the UK, France, Germany, Italy, Spain, Sweden, the Netherlands, UAE, Saudi Arabia, Australia, Japan, and Singapore were interviewed for the report, with many highlighting significant problems in the current cyber security landscape.
Ransomware: Don't Pay Up, It Just Shows Cyber Criminals That Attacks Work, Warns Home Secretary
For victims of ransomware attacks, paying the ransom does not guarantee that their network will be restored – and handing money to criminals only encourages them to try their luck infecting more companies with the file-encrypting malware. The impact of ransomware attacks continues to rise as cyber criminals encrypt networks, while also blackmailing victims with the prospect of stolen data being published, to generate as much money as possible from extortion.
The Most Significant Cyber Attacks From 2006-2020, By Country
Committing a cyber crime can have serious consequences. In the US, a cyber criminal can receive up to 20 years in prison for hacking into a government institution if it compromises national security. Yet, despite the consequences, cyber criminals continue to wreak havoc across the globe. But some countries seem to be targeted more than others. Using data from SpecOps Software, this graphic looks at the countries that have experienced the most significant cyber attacks over the last two decades.
https://www.visualcapitalist.com/cyber-attacks-worldwide-2006-2020/
The Shape Of Fraud And Cyber Crime: 10 Things We Learned From 2020
While it remains true that the older you are, the greater the financial loss, why would fraudsters target the young, who are arguably less well off? The answer lies in volume. Criminals have been offsetting higher monetary gain for higher attack rates, capitalising on the fact that the young are perhaps both more liberal with personal information (and privacy in general) and, at the same time, heavy digital users (social media, surveys, games, and so on). In fact, it is scary to see how much value the humble email address can have for criminals. We often forget that once obtained, it can be used further down the line to commit more fraud.
Is Third-Party Software Leaving You Vulnerable To Cyber Attacks?
When companies buy digital products, they expect them to be secure. In most cases, they do not test for vulnerabilities down the digital supply chain — and do not even have adequate processes or tools to do so. Hackers have taken note, and incidents of supply chain cyber attacks, which exploit weaknesses within the digital supply chain to break into organisations’ internal networks, are on the rise. As a result, there have been many headline incidents that not only bring shame to the companies involved, but rachet up the visibility of these threats to top executives who want to know their offerings are secure.
https://hbr.org/2021/05/is-third-party-software-leaving-you-vulnerable-to-cyberattacks
US Pipeline Ransomware Attack Serves As Fair Warning To Persistent Corporate Inertia Over Security
Organisations that continue to disregard the need to ensure they have adopted basic cyber security hygiene practices should be taken to task. This will be critical, especially as cyber criminals turn their attention to sectors where cyber threats can result in real-world risks, as demonstrated in the US Colonial Pipeline attack. In many of my conversations with cyber security experts, there is a shared sense of frustration that businesses still are failing to get some of the most basic things right. Default passwords are left unchanged, frontline staff and employees are still falling for common scams and phishing attacks, and major businesses think nothing of using technology that are decades old.
Ransomware Attackers Are Now Using Triple Extortion Tactics
The number of organisations affected by ransomware so far this year has more than doubled, compared with the same period in 2020, according to the report. Since April, Check Point researchers have observed an average of 1,000 organisations impacted by ransomware every week. For all of 2020, ransomware cost businesses worldwide around $20 billion, more than 75% higher than the amount in 2019. The healthcare sector has been seeing the highest volume of ransomware with around 109 attacks per organization each week. Amid news of a ransomware attack against gas pipeline company Colonial Pipeline, the utilities sector has experienced 59 attacks per organization per week. Organisations in the insurance and legal sector have been affected by 34 such attacks each week.
https://www.techrepublic.com/article/ransomware-attackers-are-now-using-triple-extortion-tactics/
AXA Pledges To Stop Reimbursing Ransom Payments For French Ransomware Victims
Insurance company AXA has revealed that, at the request of French government officials, it will end cyber insurance policies in France that pay ransomware victims back for ransoms paid out to cyber criminals. While unconfirmed, the Associated Press reported that the move was an industry first. AXA is one of the five biggest insurers in Europe and made the decision as ransomware attacks become a daily occurrence for organisations across the world.
The Dystopic Future Of Cyber Security And The Importance Of Empowering CISOs
Over a decade ago, in 2007, the first iPhone was released and with it emerged an ecosystem of apps that continues to expand to this day. This was a watershed moment, not solely for the technology industry, but civilization. It was a catalyst for what was to come. Suddenly, every consumer could access the internet at a touch of a button, and the accumulation of their data by private companies began en masse. It was at this point that data was established as an increasingly valuable commodity, and in turn, became a heightened exploitation risk. It also instigated a wave of innovation that has yet to break and is only growing rapidly in pace. In this state, technology providers, users, and manufacturers get excited about new functionalities, new features, new developments, while little thought is given to the negative consequences that could arise as a result. Indeed, fear has no place in the state of innovation as it is this primal thinking that inhibits creativity.
https://www.infosecurity-magazine.com/blogs/the-dystopic-future-of/
Cyber Security Experts Warn Over Online Wine Scams
Online wine scams became a bigger threat as cyber criminals sought to take advantage of more people and businesses organising virtual drinks and ordering bottles on the internet in the wake of Covid-19 restrictions, suggests the report. So-called ‘phishing emails’ were a particular concern, according to findings published in April by US-based group Recorded Future in partnership with Area 1 Security. From January 2020 onwards, the authors found a significant rise in legitimate wine-themed web domain registrations using terms like Merlot, Pinot, Chardonnay or Vino.
https://www.decanter.com/wine-news/cyber-security-experts-warn-over-online-wine-scams-457647/
Threats
Ransomware
New Ransomware: CISA Warns Over Fivehands File-Encrypting Malware Variant
Energy Companies Are The Firms Most Likely To Pay Cyber Attack Ransoms
A Student Pirating Software Led To A Full-Blown Ryuk Ransomware Attack
BEC
Phishing
Other Social Engineering
Coronavirus-Related Cyber Crime Contributes To 15-Fold Surge In Scam Takedowns
She Responded To A Smishing Scam. Then The Spam Texts Got Worse.
Malware
Mobile
IOT
Vulnerabilities
Don’t Delay Installing Your Windows 10 May Patch Tuesday Update – It Fixes 3 Zero-Day Exploits
WiFi Vulnerability May Leave Millions Of Devices Open To 'Frag Attacks'
Remote Mouse Mobile App Contains Raft Of Zero-Day RCE Vulnerabilities
Lemon Duck Hacking Group Adopts Microsoft Exchange Server Vulnerabilities In New Attacks
Data Breaches
Organised Crime & Criminal Actors
Supply Chain
Nation State Actors
Russian Hackers Are Targeting These Vulnerabilities, So Patch Now
NCSC Warns British Start-Ups Of Threat From Chinese And Russian Hackers
Privacy
Reports Published in the Last Week
Other News
Your Old Mobile Phone Number Could Compromise Your Cyber Security
Biden Signs Executive Order Aiming To Prevent Future Cyber Security Disasters
Train Firm’s ‘Worker Bonus’ Email Is Actually Cyber Security Test
Half Of Government Security Incidents Caused By Missing Patches
90% Of Security Leaders View Bot Management As A Top Priority
'Everyone Had To Rethink Security': What Microsoft Learned In Last Year
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Threat Briefing 16 April 2021
Black Arrow Cyber Threat Briefing 16 April 2021: 61% Of Employees Fail Basic Cyber Security Quiz; More Than 1,900 Hacking Groups Active Today; Ransomware Crisis Worsens; Enterprise Security Attackers Are One Password Away From Your Worst Day; Microsoft’s April Update Patches 114 Bugs; Nation-State Attacks Targeting Businesses Rise; Criminals Installing Cryptojacking Malware On Unpatched Exchange Servers; Network Vulns Affect Over 100 Million Devices; Brits Still Confused By Multi-Factor Authentication
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
61 Percent Of Employees Fail Basic Cyber Security Quiz
Nearly 70% of employees polled in a new survey said they recently received cyber security training from their employers, yet 61% nevertheless failed when asked to take a basic quiz on the topic. This was one of the leading findings of a research study that sought to understand the cyber security habits of some 1,200 workers, as well as their knowledge of best practices and ability to recognize security threats.
https://www.scmagazine.com/home/security-news/61-percent-of-employees-fail-basic-cybersecurity-quiz/
More Than 1,900 Distinct Hacking Groups Are Active Today
There are currently more than 1,900 distinct hacking groups that are active today, a number that grew from 1,800 groups recorded at the end of 2019. In its yearly cyber crime report, the company said it discovered 650 new threat actors during 2020, but new evidence also allowed it to remove 500 groups from its threat actor tracker due to overlaps in activity and hacking infrastructure with previously known clusters.
https://therecord.media/fireeye-more-than-1900-distinct-hacking-groups-are-active-today/
Ransomware: The Internet's Biggest Security Crisis Is Getting Worse
Organisations continue to fall victim to ransomware, and yet progress on tackling these attacks, which now constitute one of the biggest security problems on the internet, remains slow. From small companies to councils, government agencies and big business, the number and range of organisations hit by ransomware is rising. One recent example; schools with 36,000 students have been hit, leaving pupils without access to email as attempts were made to get systems back online. That is at least four chains of schools attacked in the last month.
Enterprise Security Attackers Are One Password Away From Your Worst Day
If the definition of insanity is doing the same thing over and over and expecting a different outcome, then one might say the cyber security industry is insane.
Criminals continue to innovate with highly sophisticated attack methods, but many security organisations still use the same technological approaches they did 10 years ago. The world has changed, but cyber security hasn’t kept pace.
Distributed systems, with people and data everywhere, mean the perimeter has disappeared. And the hackers couldn’t be more excited. The same technology approaches, like correlation rules, manual processes and reviewing alerts in isolation, do little more than remedy symptoms while hardly addressing the underlying problem.
Credentials are supposed to be the front gates of the castle, but as the SOC is failing to change, it is failing to detect. The cyber security industry must rethink its strategy to analyse how credentials are used and stop breaches before they become bigger problems.
Microsoft’s April Update Patches 114 Bugs—Half Of Which Allow Remote Code Execution
The fourth Patch Tuesday of 2021 is another big one. Today, Microsoft revealed 114 vulnerabilities fixed in the monthly security, over half of which could potentially be exploited for remote code execution by attackers. Of the 55 remote execution bugs, over half were tied to Windows’ Remote Procedure Call (RPC) interface. Four more were Microsoft Exchange bugs (all urgent fixes) reported to Microsoft by the National Security Agency. In addition, six Chrome vulnerabilities that were previously addressed by Google are included in the roll-up.
Nation-State Cyber Attacks Targeting Businesses Are On The Rise
Businesses are increasingly coming under fire from nation state-backed hackers as governments around the world engage in attacks to steal secrets or lay the foundations for future attacks. Nation States, Cyberconflict and the Web of Profit, a study by cyber security researchers at HP and criminologists at the University of Surrey, warns that the number of key nation-state attacks has risen significantly over the past three years – and that enterprises and businesses are increasingly being targeted. An analysis of nation-state cyber attacks between 2017 and 2020 reveals that just over a third of organisations targeted were businesses: cyber defence, media, government, and critical infrastructure are all also common targets in these attacks, but enterprise has risen to the top of the list.
https://www.zdnet.com/article/nation-state-cyber-attacks-targeting-businesses-are-on-the-rise/
Cyber Criminals Are Installing Cryptojacking Malware On Unpatched Microsoft Exchange Servers
Cyber criminals are targeting vulnerable Microsoft Exchange servers with cryptocurrency mining malware in a campaign designed to secretly use the processing power of compromised systems to make money. Zero-day vulnerabilities in Microsoft Exchange Server were detailed last month when Microsoft released critical security updates to prevent the exploitation of vulnerable systems. Cyber attackers ranging from nation-state-linked hacking groups to ransomware gangs have rushed to take advantage of unpatched Exchange servers -- but they are not the only ones.
NAME:WRECK DNS Vulnerabilities Affect Over 100 Million Devices
Security researchers have disclosed nine vulnerabilities affecting network communication stacks running on at least 100 million devices. Collectively referred to as NAME: WRECK, the flaws could be leveraged to take offline affected devices or to gain control over them. The vulnerabilities were found in a wide range of products, from high-performance servers and networking equipment to operational technology (OT) systems that monitor and control industrial equipment. According to researchers threat actors could exploit NAME:WRECK vulnerabilities to deal significant damage to government or enterprise servers, healthcare facilities, retailers, or companies in the manufacturing business by stealing sensitive data, modifying or taking equipment offline for sabotage purposes.
Brits Still Confused By Multi-Factor Authentication
The British public are still woefully underinformed and unaware of the security benefits of multi-factor authentication (MFA). The industry association, founded in 2012 to promote authentication standards and reduce global reliance on passwords, recently polled over 4000 consumers in the UK, France, Germany, and the US. It revealed that half (49%) UK consumers have had their social media accounts compromised or know a friend or family member who has. However, despite a continued number of high-profile account takeovers, 43% said this does not make them enhance security on their accounts, even though they “feel like” they should. Part of the problem seems to be a general lack of understanding about the benefits of MFA in protecting account holders from phishing, as well as credential stuffing and other brute force attack types. Although such features are offered by all social media companies today, over a quarter (26%) of respondents said they were not using or didn’t know about them.
https://www.infosecurity-magazine.com/news/brits-still-confused-by/
623K Payment Cards Stolen From Cyber Crime Forum
The Swarmshop cyber underground “card shop” has been hit by hackers, who lifted the site’s database of stolen payment-card data and leaked it online. That is according to researchers, who said that the database was posted on a rival underground forum. Card shops, are online cyber criminal forums where stolen payment-card data is bought and sold. Researchers said the database in question contains 623,036 payment-card records from card-issuers in Brazil, Canada, China, France, Mexico, Saudi Arabia, Singapore, the U.K., and the U.S.
https://threatpost.com/623m-payment-cards-stolen-from-cybercrime-forum/165336/
Threats
Ransomware
Dutch Supermarkets Run Out Of Cheese After Ransomware Attack
This Nasty Ransomware Hacks Your VPN To Break Into Your Device
Phishing
Other Social Engineering
7 New Social Engineering Tactics Threat Actors Are Using Now
Cloud-Native Watering Hole Attack: Simple And Potentially Devastating
Malware
Mobile
Vulnerabilities
Adobe Patches Slew of Critical Security Bugs in Bridge, Photoshop
Microsoft Security Update Fixes Zero-Day Vulnerabilities In Windows And Other Software
Data Breaches
Organised Crime & Criminal Actors
Nation State Actors
Iran Vows Revenge For 'Israeli' Attack On Natanz Nuclear Site
NSA: Top 5 Vulnerabilities Actively Abused By Russian Govt Hackers
Privacy
Reports Published in the Last Week
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Cyber Weekly Flash Briefing 17 July 2020: Major US Twitter accounts hacked, Malware in Chinese Tax Software, NK steals $2bn through cyber heists, Counterfeit Cisco kit, Windows DNS vulns, Citrix vuln
Cyber Weekly Flash Briefing 17 July 2020: Major US Twitter accounts hacked, Malware in Chinese Tax Software, NK steals $2bn through cyber heists, Counterfeit Cisco kit, Windows DNS vulns, Citrix vulns, Iranian Spies Accidentally Leaked Videos of Themselves Hacking, Malicious Router Log-Ins Soar Tenfold in Botnet Battle
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Major US Twitter accounts hacked in Bitcoin scam
Billionaires Elon Musk, Jeff Bezos and Bill Gates are among many prominent US figures targeted by hackers on Twitter in an apparent Bitcoin scam.
The official accounts of Barack Obama, Joe Biden and Kanye West also requested donations in the cryptocurrency.
"Everyone is asking me to give back," a tweet from Mr Gates' account said. "You send $1,000, I send you back $2,000."
The US Senate Commerce committee has demanded Twitter brief it about the incident next week.
Twitter said it was a "co-ordinated" attack targeting its employees "with access to internal systems and tools".
"We know they [the hackers] used this access to take control of many highly-visible (including verified) accounts and Tweet on their behalf," the company said in a series of tweets.
It added that "significant steps" had been taken to limit access to such internal systems and tools while the company's investigation was ongoing.
The firm has also blocked users from being able to tweet Bitcoin wallet addresses for the time being.
Read more here: https://www.bbc.co.uk/news/technology-53425822
More Malware Found Hidden in Chinese Tax Software
A malware campaign hiding backdoors in mandatory Chinese corporate tax software is far more extensive than at first thought, according to researchers from Trustwave.
The vendor warned last month that it discovered several clients had unwittingly installed the GoldenSpy backdoor after agreeing to download the Intelligent Tax software product, produced by Aisino Corporation.
China’s banks require all companies to download software from either Aisino or Baiwang to comply with its Golden Tax VAT scheme, indicating that the malware campaign has either direct sponsorship from the government, or is happening with its blessing.
Soon after Trustwave reported on the powerful GoldenSpy backdoor, which it said could not be removed, an uninstaller appeared out of the blue which directly negates the threat.
Now the vendor has discovered a second piece of malware, dubbed GoldenHelper, which dates back to before GoldenSpy. It’s found in the Golden Tax Invoicing Software (Baiwang edition), which is digitally signed by a subsidiary of Aisino, Nou Nou Technologies.
The malware, while functionally different to GoldenSpy, has a similar delivery mechanism and it utilises three DLL files to: interface with the Golden Tax software; bypass Windows security and escalate privileges; and download and execute arbitrary code with system-level privileges.
It also uses multiple techniques to hide its presence and activity, including randomization of name whilst in transit and of file system location, timestomping, IP-based Domain Generation Algorithm (DGA), and UAC bypass and privilege escalation.
Read more here: https://www.infosecurity-magazine.com/news/more-malware-hidden/
How North Korea’s army of hackers stole $2bn through cyber bank heists
Towards the end of last year, a series of seemingly innocuous LinkedIn messages were sent to employees of aerospace and military companies in the UK, Europe and the Middle East. Curious engineers who replied to the job offers were sent further messages urging them to download files to find out more about the opportunities.
The file contained a list of available jobs and the salaries for each role. While recipients read through the list of highly paid positions, their computers were silently taken over by hackers who implanted software that allowed them to peer through all of their files and emails.
The lucrative jobs weren’t real, and neither were the recruiters. Instead the messages were sent by Lazarus, a notorious North Korean hacking group, which in 2014 had managed to break into the servers of Sony Pictures and in 2017 brought parts of the NHS to a standstill during the WannaCry ransomware attack.
Once the hackers had gained access to their target’s computer, the fake LinkedIn profiles vanished.
One hacker then used his access to a victim’s email account to find an outstanding invoice. He sent an email to another business demanding payment, but asked for the money to be sent to a new bank account controlled by the hacking group.
This cyber attack is a typical example of North Korea’s unique approach to hacking. As well as attacks to make political statements, the country uses its legions of hackers to generate billions of dollars for the regime through a series of audacious cyber bank heists.
A United Nations report published last year estimated that North Korean hackers have stolen more than $2bn (£1.5bn) and said the money was being funneled into the regime’s missile development programmes.
Cut off from almost all of the world’s financial systems, North Korea has for years relied on a series of illegal activities to bolster its income. As well as thriving drug trafficking and counterfeiting schemes, the regime has also funded hundreds of its own digital bank heists.
Read more here: https://www.telegraph.co.uk/technology/2020/07/12/north-koreas-army-hackers-stole-2bn-cyber-bank-heists/
UK ‘on alert for China cyber attack’ in retaliation for Hong Kong
The government must be alert to potential cyber attacks from countries such as China, ministers have said as tensions increase between London and Beijing.
Last month relations between the UK and China soured after Boris Johnson pledged to offer refuge to millions of Hong Kong citizens if the country implements its planned national security law. The government is also reported to have ‘changed its view’ on plans for Chinese tech company Huawei to play a role in developing the UK’s 5G network due to growing unease over security risks.
Now senior sources claim the worsening ties could see Britain be targeted by Chinese-backed hackers in a so-called ‘cyber 9/11’. This could damage computer networks, cause power and phone blackouts and bring hospitals, government and businesses to a standstill.
Britain’s National Cyber Security Centre says it is not ‘expecting’ a rise in attacks. However, one senior minister said the threat was ‘obviously part of conversations’, but added that ‘all risk must be looked at in the round’.
Read more: https://metro.co.uk/2020/07/12/ministers-fear-cyber-attack-uk-relations-worsen-china-12978970/
Ransomware warning: Now attacks are stealing data as well as encrypting it
There's now an increasing chance of getting your data stolen, in addition to your network being encrypted, when you are hit with a ransomware attack – which means falling victim to this kind of malware is now even more dangerous.
The prospect of being locked out of the network by cyber criminals is damaging enough, but by leaking stolen data, hackers are creating additional problems. Crooks use the stolen data as leverage, effectively trying to bully organisations who've become infected with ransomware into paying up – rather than trying to restore the network themselves – on the basis that if no ransom is paid, private information will be leaked.
Ransomware groups like those behind Maze and Sodinokibi have already shown they'll go ahead and publish private information if they're not paid and now the tactic is becoming increasingly common, with over one in ten attacks now coming with blackmail in addition to extortion.
Organisations in the legal, healthcare and financial sectors are among the most targeted by these campaigns, based on the assumption that they hold the most sensitive data.
Read more here: https://www.zdnet.com/article/ransomware-warning-now-attacks-are-stealing-data-as-well-as-encrypting-it/
Stop Ignoring Two-Factor Authentication Just Because You’re Lazy
A large number of people and businesses are missing out on a simple, effective online security solution by ignoring two-factor authentication (2FA), also called multi-factor authentication (MFA). The only requirement is to enter a code or press a button on a separate device from the one being used, yet for many, that effort seems too great. Laziness literally becomes the weakest point in their data protection systems.
If this sounds familiar, it’s time to change, as 2FA strengthens the security of all-important apps, including those where you share financial details such as banking and shopping apps – but to work, it has to be used.
Read more here: https://www.infosecurity-magazine.com/opinions/authentication-lazy/
Russian hackers ‘try to steal vaccine research’ in cyber attack on labs
Hackers linked to Russian intelligence agencies are targeting British scientists seeking to develop a coronavirus vaccine, spooks in the US, UK and Canada have warned.
In a joint statement Britain’s National Cyber Security Centre (NCSC), the US National Security Agency and the Canadian Communication Security Establishment, said that the APT29 hacking group, also known as the ‘Dukes’ or ‘Cozy Bear’ has been hitting medical organisations and universities with cyber attacks which they believe have had the Kremlin’s blessing.
These attacks are part of a global campaign to steal research secrets of research. While the institutions targeted have not been revealed, the UK is home to two of the world’s leading coronavirus vaccine development programmes based at Oxford University and Imperial College London.
Read more: https://metro.co.uk/2020/07/16/russian-hackers-launch-cyber-attack-uk-vaccine-researchers-12998769/
Counterfeit Cisco switches raise network security alarms
In a disconcerting event for IT security professionals, counterfeit versions of Cisco Catalyst 2960-X Series switches were discovered on an unnamed business network, and the fake gear was found to be designed to circumvent typical authentication procedures, according to a report.
researcher say their investigators found that while the counterfeit Cisco 2960-X units did not have any backdoor-like features, they did employ various measures to fool security controls. For example, one of the units exploited what F-Secure believes to be a previously undiscovered software vulnerability to undermine secure boot processes that provide protection against firmware tampering.
Vulnerability in Windows DNS servers
Microsoft has reported a critical vulnerability in Windows DNS server under CVE-2020-1350.
Bad news: The vulnerability scored 10 on the CVSS scale, which means it’s critical. Good news: Cyber criminals can exploit it only if the system is running in DNS server mode; in other words, the number of potentially vulnerable computers is relatively small. Moreover, the company has already released patches and a workaround.
The vulnerability lets a malefactor force DNS servers running Windows Server to execute malicious code remotely. In other words, the vulnerability belongs to the RCE class. To exploit CVE-2020-1350, one just has to send a specially generated request to the DNS server.
Installing the Microsoft patch modifies the method of handling requests by DNS servers. The patch is available for Windows Server 2008, Windows Server 2012, Windows Server 2016, Windows Server 2019, Windows Server version 1903, Windows Server version 1909, and Windows Server version 2004.
Read more here: https://www.kaspersky.com/blog/cve-2020-1350-dns-rce/36366/
Threat actors are scanning the Internet for Citrix systems affected by the recently disclosed vulnerabilities.
This week Citrix has addressed 11 vulnerabilities affecting the ADC, Gateway, and SD-WAN WANOP networking products. The vulnerabilities could be exploited by attackers for local privilege escalation, to trigger a DoS condition, to bypass authorization, to get code injection, and to launch XSS attacks.
Some of the addressed flaws could be exploited only if the attackers have access to the targeted system and request user interaction, or other conditions must be verified. For this reason, Citrix believes the flaws are less likely to be exploited.
Now, hackers are scanning the web for systems affected by the recently disclosed Citrix vulnerabilities.
Read more here: https://securityaffairs.co/wordpress/105776/hacking/vulnerable-citrix-systems-scan.html
Iranian Spies Accidentally Leaked Videos of Themselves Hacking
A security team obtained five hours of Iranian state actor group APT35 hacking operations, showing exactly how the group steals data from email accounts—and who it’s targeting.
Normally security researchers need to painstakingly piece together the blow-by-blow of a state-sponsored hacking operation, they're usually following a thin trail of malicious code samples, network logs, and connections to faraway servers. That detective work gets significantly easier when hackers record what they’re doing and upload the video to an unprotected server on the open internet. Which is precisely what a group of Iranian hackers may have unwittingly done.
Read more here: https://www.wired.com/story/iran-apt35-hacking-video/
Amazon-Themed Phishing Campaigns Swim Past Security Checks
A pair of recent campaigns aim to lift credentials and other personal information under the guise of Amazon package-delivery notices.
Amazon in the era of COVID-19 has become a staple of many people’s lives, as they order everything from sourdough starter to exercise equipment. Cybercrooks have latched onto the delivery behemoth as a lure for phishing emails, knowing that plenty of legitimate delivery messages are also making it into people’s inboxes and offering cover.
Researchers recently spotted a pair of savvy campaigns leveraging Amazon: A credential-phishing attempt using a purported Amazon delivery order failure notice; and a voice phishing (vishing) attempt also using Amazon delivery order. Both are examples of the ever-more sophisticated phishing efforts being developed by fraudsters that are aimed at gaming traditional email security efforts, researchers said.
Read more here: https://threatpost.com/amazon-phishing-campaigns-security-checks/157495/
Malicious Router Log-Ins Soar Tenfold in Botnet Battle
Home users are being urged to ensure their routers are adequately protected after experts revealed a tenfold spike in brute force log-in attempts.
According to the latest research from Trend Micro “Worm War: The Botnet Battle for IoT Territory”, describes a threat landscape in which rival cyber-criminals are competing against each other in a race to compromise as many devices as possible, to conscript into botnets.
The vendor claimed that automated log-in attempts against routers rose from 23 million in September to nearly 249 million attempts in December 2019. As recently as March this year, it detected almost 194 million brute force logins.
The report also revealed an uptick in routers attempting to open telnet sessions with other devices. As telnet is unencrypted it’s a favorite way for hackers or their botnets to sniff user credentials and therefore infect more routers or IoT devices.
Nearly 16,000 devices attempted to open telnet sessions with other IoT devices in a single week in mid-March, according to the data.
The report warned that these mass compromises could cause serious disruption for home networks at a time when many global users are being forced to work and study from home.
Read more here: https://www.infosecurity-magazine.com/news/malicious-router-logins-soar/
Week in review 06 October 2019: top 10 cyber myths, security breaches inevitable, employee negligence contribute to data breaches, UK local authorities hit with hundreds of cyberattacks every hour
Week in review 06 October 2019: top 10 cyber myths, security breaches inevitable, employee negligence contribute to data breaches, UK local authorities hit with hundreds of cyberattacks every hour
Round up of the most significant open source stories of the last week
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Top 10 Cyber Security Myths
SecurityBoulevard.com have a list of the top 10 cyber security myths that criminals love, including the Number 1 ‘This can’t happen to me’ and a few other prime examples that we do hear in conversation quite often.
Read the full list here: https://securityboulevard.com/2019/10/10-cybersecurity-myths-that-criminals-love/
A security breach is inevitable, IT leaders warned
No matter how much IT security tech and training is in place, sophisticated, targeted attacks are going to breach company defences, Carbon Black warns
A survey by security vendor Carbon Black, as part of their Global threat series study, reported that 84% of UK organisations participating in the study said they have suffered one or more breaches in the past 12 months due to external cyber attacks.
The survey reported that the average number of breaches in affected organisations was 2.89, a reduction from the 3.67 seen in the January 2019 report, with more than half (51.5%) of respondents saying they had been breached only once.
Carbon Black said the number of businesses identifying just a single breach has grown from the previous research, where only 15% had suffered only a single breach. This may indicate that businesses are responding more robustly to breach incidents to ensure that frequency is reduced.
At the other end of the scale, 5.5% of the businesses surveyed admitted they had been breached 10 or more times, and 3% said they didn’t know how many times they had been breached.
The study found that among the IT leaders who took part in the research, 84% reported an increase in cyber attacks in the past 12 months, with nine in 10 saying the attacks they face are becoming more sophisticated. This compares with 87% in the previous report and 82% in the summer of 2018.
https://www.computerweekly.com/news/252471594/A-security-breach-is-inevitable-IT-leaders-warned
Employee negligence can be a leading contributor to data breaches
Two thirds (68%) of businesses reported their organisation has experienced at least one data breach in the past 12 months, and nearly three in four (69%) of those data breaches involved the loss or theft of paper documents or electronic devices containing sensitive information, according to a report conducted by the Ponemon Institute.
https://www.helpnetsecurity.com/2019/10/01/workplace-data-breaches-risk/
UK local authorities hit with hundreds of cyberattacks every hour
Councils across the UK have suffered 263 million attacks in the first six months of the year - equivalent to 800 attacks an hour, or 13 attacks every minute. This is according to a new report by Gallagher, based on a Freedom of Information (FoI) request made towards the councils, with 203 of them answering, and another 204 councils who did not respond so the actual number of attacks could more than double the above, exceeding 500 million in the first half of the year. This gives an idea of the sheer scale and number of attacks going on all the time against all organisations.
https://www.itproportal.com/news/uk-local-authorities-hit-with-hundreds-of-cyberattacks-every-hour/
Microsoft: Any form of MFA takes users out of reach of most attacks
There have been several reports in the media regarding SIM hijacking attacks and the ease with which these types of attacks are being perpetrated, and these reports have raised some doubts or concerns about the security of multi-factor authentication.
This article does a good job of explaining how not all MFA solutions are created equally but the overarching message is that any MFA implementation, anything beyond just a username and password, significantly increases the amount of work for an attacker and as a result accounts with MFA represent less than 0.1% of all attacks.
FBI Stance on Whether Firms Should Pay Ransomware
The FBI in the US came out with hard hitting advice telling firms not to pay ransoms, but to inform the FBI in the event that a firm in the US did decide to pay a ransom.
They then softened their stance with an updated version of their guidance including a section discussing the option of paying the hackers to get data decrypted.
https://www.theregister.co.uk/2019/10/03/fbi_softens_stance_on_ransomware/
Best practice around ransomware is always to ensure you have sufficient backups, both online and offline, such that you can restore your data in the event you get hit with ransomware. Firms need to ensure they have tested recovering their data to make sure they could recover if they needed to. It is too late when trying to recover for real to discover the backup doesn’t work or the wrong directory was being backed up.
Do not rely on cloud storage as being sufficient backup as often any ransomware attack will synchronise with files stored in the cloud before the infection is detected.
More Attacks Seen Using ‘Island Hopping’ (using targets with less security to leverage attacks against targets with more security)
Recent attacks, especially recent attacks against the aerospace and defence industries, have seen an increase in ‘island hopping’, where a bigger group or better defended target is attacked indirectly, through its network of weaker, less defended partner companies. These attacks are carried out in a more ‘horizontal' way rather than the more traditional 'vertical' methods.
https://www.zdnet.com/article/this-new-hacking-group-is-using-island-hopping-to-target-victims/
In addition to the recent aerospace attacks island hopping is also becoming more frequently used to attack financial services.
https://www.itpro.co.uk/security/33946/50-of-cyber-attacks-now-use-island-hopping
Half a million British Airways customers have been given the go-ahead to sue the airline over its cybersecurity breach last summer
On Friday a High Court judge granted a group litigation order, paving the way for a mass legal action enabling some 500,000 people affected by a series of breaches between April and September last year.
Cybersecurity breaches to increase nearly 70% in next 5 years
New analysis from Juniper Research has found that the cost of data breaches will rise from $3 trillion each year to over $5 trillion in 2024, an average annual growth of 11%.
This will primarily be driven by increasing fines for data breaches as regulation tightens, as well as a greater proportion of business lost as enterprises become more dependent on the digital realm.
The new research in The Future of Cybercrime & Security: Threat Analysis, Impact Assessment & Mitigation Strategies 2019-2024 whitepaper noted that while the cost per breach will steadily rise in the future, the levels of data disclosed will make headlines but not impact breach costs directly, as most fines and lost business are not directly related to breach sizes.
Sophisticated tools provide false sense of cyber-security: Survey
Are you confident that your firm is cyber-threat-proof? A Forrester survey among over 250 senior security decision-makers in North America and Europe found that most of them are confident in their firms’ security measures. However, threats to cyber-security remain strong, said the research.
"The abundance of technology investments gives firms a false sense of confidence in their security posture. Their challenges reveal a different story," said the report.
Security executives currently employ a variety of tools and technologies to identify risks and test the effectiveness of their security controls. As a result, they are left with point-in-time assessments that require them to cobble together data from disparate systems to truly understand the organisation’s security posture. This approach is reactive, labour-intensive, and insufficient in scale, explained the report.
Fileless Malware on the Rise
According to reports analysing the state of the threat landscape, fileless malware incidents are up to some 265% in the first half of 2019 when compared to the same period in 2018. Fileless malware sometimes has been referred to as a zero-footprint attack or non-malware attack. However, fileless malware may be the best name for the attack method, as the attack is not dependent on end users downloading and running malware via compromised files. Rather, fileless malware executes malicious scripts by piggybacking on legitimate software packages. More often than not, the malware resides in the computer’s random access memory (RAM), not installed on the hard drive.
https://securityboulevard.com/2019/10/fileless-malware-on-the-rise/