Threat Intelligence Blog
Contact us to discuss any insights from our Blog, and how we can support you in a tailored threat intelligence report.
Black Arrow Cyber Threat Briefing 22 July 2022
Black Arrow Cyber Threat Briefing 22 July 2022
-Insurer Refuses to Pay Out After Victim Misrepresented Their Cyber Controls
-5 Cyber Security Questions CFOs Should Ask CISOs
-The Biggest Cyber Attacks in 2022 So Far — and it’s Just the Tip of the Iceberg
-Malware-as-a-Service Creating New Cyber Crime Ecosystem
-The Rise and Continuing Popularity of LinkedIn-Themed Phishing
-Microsoft Teams Default Settings Leave Organisations Open to Cyber Attacks
-Top 10 Cyber Security Attacks of Last Decade Show What is to Come
-Software Supply Chain Concerns Reach C-Suite
-EU Warns of Russian Cyber Attack Spillover, Escalation Risks
-Critical Flaws in GPS Tracker Enable “Disastrous” and “Life-Threatening” Hacks
-Russian Hackers Behind Solarwinds Breach Continue to Scour US And European Organisations for Intel, Researchers Say
-The Next Big Security Threat Is Staring Us in The Face. Tackling It Is Going to Be Tough
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
Insurer Refuses to Pay Out After Victim Misrepresented Their Cyber Controls
In what may be one of the first court filings of its kind, insurer Travelers is asking a district court for a ruling to rescind a policy because the insured allegedly misrepresented its use of multifactor authentication (MFA) – a condition to get cyber coverage.
According to a July filing, Travelers said it would not have issued a cyber insurance policy in April to electronics manufacturing services company International Control Services (ICS) if the insurer knew the company was not using MFA as it said. Additionally, Travelers wants no part of any losses, costs, or claims from ICS – including from a May ransomware attack ICS suffered.
Travelers alleged ICS submitted a cyber policy application signed by its CEO and “a person responsible for the applicant’s network and information security” that the company used MFA for administrative or privileged access. However, following the May ransomware event, Travelers first learned during an investigation that the insured was not using the security control to protect its server and “only used MFA to protect its firewall, and did not use MFA to protect any other digital assets.”
Therefore, statements ICS made in the application were “misrepresentations, omissions, concealment of facts, and incorrect statements” – all of which “materially affected the acceptance of the risk and/or the hazard assumed by Travelers,” the insurer alleged in the filing.
ICS also was the victim of a ransomware attack in December 2020 when hackers gained access using the username and password of an ICS administrator, Travelers said. ICS told the insurer of the attack during the application process and said it improved the company’s cyber security.
Travelers said it wants the court to declare the insurance contract null and void, rescind the policy, and declare it has no duty to indemnify or defend ICS for any claim.
https://www.insurancejournal.com/news/national/2022/07/12/675516.htm#
5 Cyber Security Questions CFOs Should Ask CISOs
Armed with the answers, chief financial officers can play an essential role in reducing cyber risk.
Even in a shrinking economy, organisations are likely to maintain their level of cyber security spend. But that doesn’t mean in the current economic climate of burgeoning costs and a possible recession they won’t take a magnifying glass to how they are spending the money budgeted to defend systems and data. Indeed, at many companies, cyber security spending isn’t targeting the most significant dangers, according to experts — as evidenced by the large number of successful ransomware attacks and data breaches.
Without a comprehensive understanding of the security landscape and what the organisation needs to do to protect itself, how can CFOs make the right decisions when it comes to investments in cyber security technology and other resources? They can’t.
So, CFOs need to ensure they have a timely grasp of the security issues their organisation faces. That requires turning to the most knowledgeable people in the organisation: chief information security officers (CISOs) and other security leaders on the IT front lines.
Here are five questions CFOs should be asking their CISOs about the security of their companies.
How secure are we as an organisation?
What are the main security threats or risks in our industry?
How do we ensure that the cyber security team and the CISO are involved in business development?
What are the risks and potential costs of not implementing a cyber control?
Do employees understand information security and are they implementing security protocols successfully?
The Biggest Cyber Attacks in 2022 So Far — and it’s Just the Tip of the Iceberg
For those in the cyber resilience realm, it’s no surprise that there’s a continued uptick in cyber attacks. Hackers are hacking, thieves are thieving and ransomers are — you guessed it — ransoming. In other words, cyber crime is absolutely a growth industry.
As we cross into the second half of this year, let’s look at some of the most significant attacks so far:
Blockchain schmockchain. Cryptocurrency exchange Crypto.com’s two-factor-identification (2FA) system was compromised as thieves made off with approximately $30 million.
Still the one they run to. Microsoft’s ubiquity makes it a constant target. Earlier this year, the hacking collective Lapsus$ compromised Cortana and Bing, among other Microsoft products, posting source code online.
Not necessarily the news. News Corp. journalist emails and documents were accessed at properties including the Wall Street Journal, Dow Jones and the New York Post in a hack tied to China.
Uncharitable ways. The Red Cross was the target of an attack earlier this year, with more than half a million “highly vulnerable” records of Red Cross assistance recipients compromised.
Victim of success. North Korea’s Lazarus Group made off with $600 million in cryptocurrencies after blockchain gaming platform Ronin relaxed some of its security protocols so its servers could better handle its growing popularity.
We can hear you now. State-sponsored hackers in China have breached global telecom powerhouses worldwide this year, according to the U.S. Cybersecurity & Infrastructure Security Agency.
Politics, the art of the possible. Christian crowdfunding site GiveSendGo was breached twice this year as hacktivists exposed the records of donors to Canada’s Freedom Convoy.
Disgruntled revenge. Businesspeople everywhere were reminded of the risks associated with departing personnel when fintech powerhouse Block announced that a former employee accessed sensitive customer information, impacting eight million customers.
Unhealthy habits. Two million sensitive customer records were exposed when hackers breached Shields Health Care’s network.
They even stole the rewards points. General Motors revealed that hackers used a credentials stuffing attack to access personal information on an undisclosed number of car owners. They even stole gift-card-redeemable customer reward points.
For every breach or attack that generates headlines, millions of others that we never hear about put businesses at risk regularly. The Anti-Phishing Working Group just released data for the first quarter of this year, and the trend isn’t good. Recorded phishing attacks are at an all-time high (more than a million in just the first quarter) and were accelerating as the quarter closed, with March 2022 setting a new record for single-month attacks.
Malware-as-a-Service Creating New Cyber Crime Ecosystem
This week HP released their report The Evolution of Cybercrime: Why the Dark Web is Supercharging the Threat Landscape and How to Fight Back, exploring how cyber-criminals are increasingly operating in a quasi-professional manner, with malware and ransomware attacks being offered on a ‘software-as-a-service’ basis.
The report’s findings showed how cyber crime is being supercharged through “plug and play” malware kits that are easier than ever to launch attacks. Additionally, cyber syndicates are now collaborating with amateur attackers to target businesses, putting the online world and its users at risk.
The report’s methodology saw HP’s Wolf Security threat team work in tandem with dark-web investigation firm Forensic Pathways to scrape and analyse over 35 million cyber criminal marketplaces and forum posts between February and March 2022, with the investigation helping to gain a deeper understanding of how cyber criminals operate, gain trust, and build reputation. Its key findings include:
Malware is cheap and readily available: Over three-quarters (76%) of malware advertisements listed, and 91% of exploits (i.e. code that gives attackers control over systems by taking advantage of software bugs), retail for under $10.
Trust and reputation are ironically essential parts of cyber-criminal commerce: Over three-quarters (77%) of cyber criminal marketplaces analysed require a vendor bond – a license to sell – which can cost up to $3000. Of these, 92% have a third-party dispute resolution service.
Popular software is giving cyber criminals a foot in the door: Kits that exploit vulnerabilities in niche systems command the highest prices (typically ranging from $1,000-$4,000), while zero day vulnerabilities are retailing at 10s of thousands of pounds on dark web markets.
https://www.infosecurity-magazine.com/news/malware-service-cybercrime/
The Rise and Continuing Popularity of LinkedIn-Themed Phishing
Phishing emails impersonating LinkedIn continue to make the bulk of all brand phishing attempts. According to Check Point, 45% of all email phishing attempts in Q2 2022 imitated the style of communication of the professional social media platform, with the goal of directing targets to a spoofed LinkedIn login page and collecting their account credentials.
The phishers are generally trying to pique the targets’ interest with fake messages claiming that they “have appeared in X searches this week”, that a new message is waiting for them, or that another user would like to do business with them, and are obviously taking advantage of the fact that a record number of individuals are switching or are considering quitting their job and are looking for a new one.
To compare: In Q4 2021, LinkedIn-themed phishing attempts were just 8 percent of the total brand phishing attacks flagged by Check Point. Also, according to Vade Secure, in 2021 the number of LinkedIn-themed phishing pages linked from unique phishing emails was considerably lower than those impersonating other social networks (Facebook, WhatsApp).
Other brands that phishers loved to impersonate during Q2 2022 are (unsurprisingly) Microsoft (13%), DHL (12%) and Amazon (9%).
https://www.helpnetsecurity.com/2022/07/21/linkedin-phishing/
Microsoft Teams Default Settings Leave Organisations Open to Cyber Attacks
Relying on default settings on Microsoft Teams leaves organisations and users open to threats from external domains, and misconfigurations can prove perilous to high-value targets.
Microsoft Teams has over 270 million active monthly users, with government institutions using the software in the US, UK, Netherlands, Germany, Lithuania, and other countries at varying levels.
Cyber security researchers have discovered that relying on default MS Teams settings can leave firms and high-value users vulnerable to social engineering attacks. Attackers could create group chats, masquerade as seniors within the target organisation and observe whether users are online.
Attackers could, rather convincingly, impersonate high-ranking officials and possibly strike up conversations, fooling victims into believing they’re discussing sensitive topics with a superior. Skilled attackers could do a lot of harm with this capability.
https://cybernews.com/security/microsoft-teams-settings-leave-govt-officials-open-to-cyberattacks/
Top 10 Cyber Security Attacks of Last Decade Show What is to Come
Past is prologue, wrote William Shakespeare in his play “The Tempest,” meaning that the present can often be determined by what has come before. So it is with cyber security, serving as the basis of which is Trustwave’s “Decade Retrospective: The State of Vulnerabilities” over the last 10 years.
Threat actors frequently revisit well-known and previously patched vulnerabilities to take advantage of continuing poor cyber security hygiene. “If one does not know what has recently taken place it leaves you vulnerable to another attack,” Trustwave said in its report that identifies and examines the “watershed moments” that shaped cyber security between 2011 and 2021.
With a backdrop of the number of security incidents and vulnerabilities increasing in volume and sophistication, here are Trustwave’s top 10 network vulnerabilities in no particular order that defined the decade and “won’t be forgotten.”
SolarWinds hack and FireEye breach, Detected: December 8, 2020 (FireEye)
EternalBlue Exploit, Detected: April 14, 2017
Heartbleed, Detected: March 21, 2014
Shellshock, Remote Code Execution in BASH, Detected: September 12, 2014
Apache Struts Remote Command Injection & Equifax Breach, Detected: March 6, 2017
Chipocalypse, Speculative Execution Vulnerabilities Meltdown & Spectre
BlueKeep, Remote Desktop as an Access Vector, Detected: January, 2018
Drupalgeddon Series, CMS Vulnerabilities, Detected: January, 2018
Microsoft Windows OLE Vulnerability, Sandworm Exploit, Detected: September 3, 2014
Ripple20 Vulnerabilities, Growing IoT landscape, Detected: June 16, 2020
Software Supply Chain Concerns Reach C-Suite
Major supply chain attacks have had a significant impact on software security awareness and decision-making, with more investment planned for monitoring attack surfaces.
Organisations are waking up to the need to establish better software supply chain risk management policies and are taking action to address the escalating threats and vulnerabilities targeting this expanding attack surface.
These were among the findings of a CyberRisk Alliance-conducted survey of 300 respondents from both software-buying and software-producing companies.
Most survey respondents (52%) said they are "very" or "extremely" concerned about software supply chain risks, and 84% of respondents said their organisation is likely to allocate at least 5% of their AppSec budgets to manage software supply chain risk.
Software buyers are planning to invest in procurement program metrics and reporting, application pen-testing, and software build of materials (SBOM) design and implementation, according to the findings.
Meanwhile, software developers said they plan to invest in secure code review as well as SBOM design and implementation.
https://www.darkreading.com/application-security/software-supply-chain-concerns-reach-c-suite
EU Warns of Russian Cyber Attack Spillover, Escalation Risks
The Council of the European Union (EU) said that Russian hackers and hacker groups increasingly attacking "essential" organisations worldwide could lead to spillover risks and potential escalation.
"This increase in malicious cyber activities, in the context of the war against Ukraine, creates unacceptable risks of spillover effects, misinterpretation and possible escalation," the High Representative on behalf of the EU said.
"The latest distributed denial-of-service (DDoS) attacks against several EU Member States and partners claimed by pro-Russian hacker groups are yet another example of the heightened and tense cyber threat landscape that EU and its Member States have observed."
In this context, the EU reminded Russia that all United Nations member states must adhere to the UN's Framework of responsible state behaviour in cyberspace to ensure international security and peace.
The EU urged all states to take any actions required to stop malicious cyber activities conducted from their territory.
The EU's statement follows a February joint warning from CISA and the FBI that wiper malware attacks targeting Ukraine could spill over to targets from other countries.
Google's Threat Analysis Group (TAG) said in late March that it observed phishing attacks orchestrated by the Russian COLDRIVER hacking group against NATO and European military entities.
In May, the US, UK, and EU accused Russia of coordinating a massive cyber attack that hit the KA-SAT consumer-oriented satellite broadband service in Ukraine on February 24 with AcidRain data destroying malware, approximately one hour before Russia invaded Ukraine.
A Microsoft report from June also confirms the EU's observation of an increase in Russian malicious cyber activities. The company's president said that threat groups linked to Russian intelligence agencies (including the GRU, SVR, and FSB) stepped up cyber attacks against government entities in countries allied with Ukraine after Russia's invasion.
In related news, in July 2021, President Joe Biden warned that cyber attacks leading to severe security breaches could lead to a "real shooting war," a statement issued a month after NATO said that cyber attacks could be compared to "armed attacks" in some circumstances.
Critical Flaws in GPS Tracker Enable “Disastrous” and “Life-Threatening” Hacks
A security firm and the US government are advising the public to immediately stop using a popular GPS tracking device or to at least minimise exposure to it, citing a host of vulnerabilities that make it possible for hackers to remotely disable cars while they’re moving, track location histories, disarm alarms, and cut off fuel.
An assessment from security firm BitSight found six vulnerabilities in the Micodus MV720, a GPS tracker that sells for about $20 and is widely available. The researchers who performed the assessment believe the same critical vulnerabilities are present in other Micodus tracker models. The China-based manufacturer says 1.5 million of its tracking devices are deployed across 420,000 customers. BitSight found the device in use in 169 countries, with customers including governments, militaries, law enforcement agencies, and aerospace, shipping, and manufacturing companies.
BitSight discovered what it said were six “severe” vulnerabilities in the device that allow for a host of possible attacks. One flaw is the use of unencrypted HTTP communications that makes it possible for remote hackers to conduct adversary-in-the-middle attacks that intercept or change requests sent between the mobile application and supporting servers. Other vulnerabilities include a flawed authentication mechanism in the mobile app that can allow attackers to access the hardcoded key for locking down the trackers and the ability to use a custom IP address that makes it possible for hackers to monitor and control all communications to and from the device.
Russian Hackers Behind Solarwinds Breach Continue to Scour US And European Organisations for Intel, Researchers Say
The Russian hackers behind a sweeping 2020 breach of US government networks have in recent months continued to hack US organisations to collect intelligence while also targeting an unnamed European government that is a NATO member.
The new findings show how relentless the hacking group — which US officials have linked with Russia's foreign intelligence service — is in its pursuit of intelligence held by the US and its allies, and how adept the hackers are at targeting widely used cloud-computing technologies.
The hacking efforts come as Russia's invasion of Ukraine continues to fray US-Russia relations and drive intelligence collection efforts from both governments.
In recent months, the hacking group has compromised the networks of US-based organisations that have data of interest to the Russian government.
In separate activity revealed Tuesday, US cyber security firm Palo Alto Networks said that the Russian hacking group had been using popular services like Dropbox and Google Drive to try to deliver malicious software to the embassies of an unnamed European government in Portugal and Brazil in May and June.
https://edition.cnn.com/2022/07/19/politics/russia-solarwinds-hackers/index.html
The Next Big Security Threat Is Staring Us in The Face. Tackling It Is Going to Be Tough
If the ongoing fight against ransomware wasn't keeping security teams busy, along with the challenges of securing the ever-expanding galaxy of Internet of Things devices, or cloud computing, then there's a new challenge on the horizon – protecting against the coming wave of digital imposters or deepfakes.
A deepfake video uses artificial intelligence and deep-learning techniques to produce fake images of people or events.
One recent example is when the mayor of Berlin thought he was having an online meeting with former boxing champion and current mayor of Kyiv, Vitali Klitschko. But the mayor of Berlin grew suspicious when 'Klitschko' started saying some very out of character things relating to the invasion of Ukraine, and when the call was interrupted the mayor's office contacted the Ukrainian ambassador to Berlin – to discover that, whoever they were talking to, it wasn't the real Klitschko.
It's a sign that deepfakes are getting more advanced and quickly. Previous instances of deepfake videos that have gone viral often have tell-tale signs that something isn't real, such as unconvincing edits or odd movements, but the developments in deepfake technology mean it isn't difficult to imagine it being exploited by cyber criminals, particularly when it comes to stealing money.
While ransomware might generate more headlines, business email compromise (BEC) is the costliest form of cyber crime today. The FBI estimates that it costs businesses billions of dollars every year. The most common form of BEC attack involves cyber criminals exploiting emails, hacking into accounts belonging to bosses – or cleverly spoofing their email accounts – and asking staff to authorise large financial transactions, which can often amount to hundreds of thousands of dollars.
The emails claim that the money needs to be sent urgently, maybe as part of a secret business deal that can't be disclosed to anyone. It's a classic social-engineering trick designed to force the victim into transferring money quickly and without asking for confirmation from anyone else who could reveal it's a fake request. By the time anyone might be suspicious, the cyber criminals have taken the money, likely closed the bank account they used for the transfer – and run.
BEC attacks are successful, but many people might remain suspicious of an email from their boss that comes out the blue and they could avoid falling victim by speaking to someone to confirm that it's not real. But if cyber criminals could use a deepfake to make the request, it could be much more difficult for victims to deny the request, because they believe they're actually speaking to their boss on camera.
Many companies publicly list their board of directors and senior management on their website. Often, these high-level business executives will have spoken at events or in the media, so it's possible to find footage of them speaking. By using AI-powered deep-learning techniques, cyber criminals could exploit this public information to create a deepfake of a senior-level executive, exploit email vulnerabilities to request a video call with an employee, and then ask them to make the transaction. If the victim believes they're speaking to their CEO or boss, they're unlikely to deny the request.
Threats
Ransomware
Post-Breakup, Conti Ransomware Members Remain Dangerous (darkreading.com)
The Kronos Ransomware Attack: What You Need to Know So Your Business Isn't Next (darkreading.com)
New Luna ransomware encrypts Windows, Linux, and ESXi systems (bleepingcomputer.com)
Digital security giant Entrust breached by ransomware gang (bleepingcomputer.com)
Protecting Against Kubernetes-Borne Ransomware (darkreading.com)
Knauf cyber attack: Black Basta ransomware gang claims responsibility (techmonitor.ai)
New Redeemer ransomware version promoted on hacker forums (bleepingcomputer.com)
Kaspersky report on Luna and Black Basta ransomware | Securelist
New Cross-Platform 'Luna' Ransomware Only Offered to Russian Affiliates | SecurityWeek.Com
Conti’s Reign of Chaos: Costa Rica in the Crosshairs | Threatpost
Researchers uncover potential ransomware network with U.S. connections - CyberScoop
How Conti ransomware hacked and encrypted the Costa Rican government (bleepingcomputer.com)
A small Canadian town is being extorted by a global ransomware gang - The Verge
BEC – Business Email Compromise
Phishing & Email Based Attacks
Phishing Bonanza: Social-Engineering Savvy Skyrockets as Malicious Actors Cash In (darkreading.com)
Outlook users report suspicious activity from Microsoft IPs • The Register
PayPal Used to Send Malicious “Double Spear” Invoices - Infosecurity Magazine
LinkedIn remains the most impersonated brand in phishing attacks (bleepingcomputer.com)
Google Calendar provides new way to block invitation phishing (bleepingcomputer.com)
Other Social Engineering
Malware
Hacking group '8220' grows cloud botnet to more than 30,000 hosts (bleepingcomputer.com)
Buy ‘plug-n-play’ malware for the price of a pint of beer (computerweekly.com)
New ‘Lightning Framework’ Linux malware installs rootkits, backdoors (bleepingcomputer.com)
Mobile
Google pulls malware-infected apps, 3 million users at risk • The Register
Roaming Mantis hits Android and iOS users in malware, phishing attacks (bleepingcomputer.com)
BYOD
Data Breaches/Leaks
Neopets data breach exposes personal data of 69 million members (bleepingcomputer.com)
Verified Twitter Vulnerability Exposes Data from 5.4 Million Accounts | RestorePrivacy
Mixed Messages as Neopets Scrambles to Respond to Mega Breach - Infosecurity Magazine
Organised Crime & Criminal Actors
Cyber crime escalates as barriers to entry crumble | CSO Online
Understanding the Evolution of Cyber Crime to Predict its Future | SecurityWeek.Com
The growth in targeted, sophisticated cyber attacks troubles top FBI cyber official - CyberScoop
'AIG' Threat Group Launches with Unique Business Model (darkreading.com)
US DOJ report warns of escalating cyber crime, 'blended' threats (techtarget.com)
Chaotic LAPSUS$ Group Goes Quiet, but Threat Likely Persists (darkreading.com)
Last member of Gozi malware troika arrives in US for criminal trial – Naked Security (sophos.com)
Romanian hacker faces US trial over virus-for-hire service - The Verge
Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain
This Cloud Botnet Has Hijacked 30,000 Systems to Mine Cryptocurrencies (thehackernews.com)
Hackers Use Evilnum Malware to Target Cryptocurrency and Commodities Platforms (thehackernews.com)
Singapore distances itself from local crypto companies • The Register
FBI Warns Fake Crypto Apps are Bilking Investors of Millions | Threatpost
Ex-Coinbase manager charged in crypto insider trading case • The Register
FBI Warns of Fake Cryptocurrency Apps Stealing Millions from Investors (thehackernews.com)
My Big Coin founder guilty of $6m crypto-fraud • The Register
Insider Risk and Insider Threats
Fraud, Scams & Financial Crime
AML/CFT/Sanctions
UK Regulator Issues Record Fines as Financial Crime Surges - Infosecurity Magazine
Broker Fined £2m for Financial Crime Control Failings - Infosecurity Magazine
Insurance
82% of global insurers expect the rise in cyber insurance premiums to continue - Help Net Security
Will Your Cyber Insurance Premiums Protect You in Times of War? (darkreading.com)
Dark Web
Supply Chain and Third Parties
Software Supply Chain
Improving Software Supply Chain Cyber Security (trendmicro.com)
Why SBOMs aren't the silver bullet they're portrayed as - Help Net Security
Breaking down CIS's new software supply chain security guidance | CSO Online
Cloud/SaaS
60% of IT leaders are not confident about their secure cloud access - Help Net Security
Public Cloud Customers Admit Security Challenges - Infosecurity Magazine
The New Weak Link in SaaS Security: Devices (thehackernews.com)
Identity and Access Management
Encryption
Open Source
Open source security needs automation as usage climbs amongst organisations | ZDNet
New ‘Lightning Framework’ Linux malware installs rootkits, backdoors (bleepingcomputer.com)
The US military wants to understand the most important software on earth | MIT Technology Review
Passwords, Credential Stuffing & Brute Force Attacks
The importance of secure passwords can't be emphasized enough - Help Net Security
3rd Party Services Are Falling Short on Password Security (bleepingcomputer.com)
Okta Exposes Passwords in Clear Text for Possible Theft (darkreading.com)
Enforcing Password History in Your Windows AD to Curb Password Reuse (bleepingcomputer.com)
Social Media
LinkedIn remains the most impersonated brand in phishing attacks (bleepingcomputer.com)
Hacker selling Twitter account data of 5.4 million users for $30k (bleepingcomputer.com)
TikTok Engaging in Excessive Data Collection - Infosecurity Magazine
Privacy
Parental Controls and Child Safety
Regulations, Fines and Legislation
UK Regulator Issues Record Fines as Financial Crime Surges - Infosecurity Magazine
Legal Experts Concerned Over New UK Digital Reform Bill - Infosecurity Magazine
Understanding Proposed SEC Rules Through an ESG Lens (darkreading.com)
Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine
EU warns of risks of spillover effects associated with ongoing war - Security Affairs
US Cyber Command IDs new malware strains targeting Ukraine • The Register
Russian hackers use fake DDoS app to infect pro-Ukrainian activists (bleepingcomputer.com)
Experts Uncover New CloudMensis Spyware Targeting Apple macOS Users (thehackernews.com)
Hackers attempt to infiltrate Ukrainian tech company with backdoor malware, Talos says - CyberScoop
Will Your Cyber-Insurance Premiums Protect You in Times of War? (darkreading.com)
Hackers Target Ukrainian Software Company Using GoMet Backdoor (thehackernews.com)
Copycat DoS App Created by Russian Hackers to Target Ukraine - IT Security Guru
Albanian government websites go dark after cyber attack • The Register
Mysterious, Cloud-Enabled macOS Spyware Blows Onto the Scene (darkreading.com)
Belgium claims China-linked APT groups hit its ministries - Security Affairs
Nation State Actors
Nation State Actors – Russia
Google, EU Warn of Malicious Russian Cyber Activity | SecurityWeek.Com
Google warns Kremlin-backed goons pose as pro-Ukraine app • The Register
Russia Released a Ukrainian App for Hacking Russia That Was Actually Malware (vice.com)
Cloaked Ursa (APT29) Hackers Use Trusted Online Storage Services (paloaltonetworks.com)
Russian SVR hackers use Google Drive, Dropbox to evade detection (bleepingcomputer.com)
Russia, Iran discuss broad tech collaboration • The Register
Half of Russian spies in Europe expelled since Ukraine invasion, says MI6 chief | MI6 | The Guardian
Nation State Actors – China
Belgium says Chinese APT gangs attacked its government • The Register
Government blocks Chinese tech deal on national security grounds | Business News | Sky News
Nation State Actors – North Korea
Nation State Actors – Iran
Nation State Actors – Misc APT
Vulnerability Management
Vulnerabilities
Chrome 103 Update Patches High-Severity Vulnerabilities | SecurityWeek.Com
Critical Bugs Threaten to Crack Atlassian Confluence Workspaces Wide Open (darkreading.com)
WordPress Page Builder Plug-in Under Attack, Can't Be Patched (darkreading.com)
SonicWall: Patch critical SQL injection bug immediately (bleepingcomputer.com)
Cisco fixes bug that lets attackers execute commands as root (bleepingcomputer.com)
Atlassian reveals critical flaws across its product line • The Register
Netwrix Auditor Vulnerability Can Facilitate Attacks on Enterprises | SecurityWeek.Com
Azure's Security Vulnerabilities Are Out of Control - Last Week in AWS Blog
Oracle Releases 349 New Security Patches With July 2022 CPU | SecurityWeek.Com
0-day used to infect Chrome users could pose threat to Edge and Safari users, too | Ars Technica
Juniper Networks Patches Over 200 Third-Party Component Vulnerabilities | SecurityWeek.Com
Google Chrome Zero-Day Weaponized to Spy on Journalists (darkreading.com)
Apple Ships Urgent Security Patches for macOS, iOS | SecurityWeek.Com
Juniper Releases Patches for Critical Flaws in Junos OS and Contrail Networking (thehackernews.com)
Code Execution and Other Vulnerabilities Patched in Drupal | SecurityWeek.Com
Atlassian Rolls Out Security Patch for Critical Confluence Vulnerability (thehackernews.com)
Sector Specific
Industry specific threat intelligence reports are available.
Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.
· Automotive
· Construction
· Critical National Infrastructure (CNI)
· Defence & Space
· Education & Academia
· Energy & Utilities
· Estate Agencies
· Financial Services
· FinTech
· Food & Agriculture
· Gaming & Gambling
· Government & Public Sector (including Law Enforcement)
· Health/Medical/Pharma
· Hotels & Hospitality
· Insurance
· Legal
· Manufacturing
· Maritime
· Oil, Gas & Mining
· OT, ICS, IIoT, SCADA & Cyber-Physical Systems
· Retail & eCommerce
· Small and Medium Sized Businesses (SMBs)
· Startups
· Telecoms
· Third Sector & Charities
· Transport & Aviation
· Web3
Other News
Hackers for Hire: Adversaries Employ 'Cyber Mercenaries' | Threatpost
Companies around the globe still not implementing MFA - Help Net Security
Global Firms Fear the Worst Over Risk Management Failures - Infosecurity Magazine
Humans are becoming the primary security risk for organisations around the world - Help Net Security
What threats and challenges are CISOs and CROs most focused on? - Help Net Security
What InfoSec Pros Can Teach the Organisation About ESG (darkreading.com)
SATAn Turns Hard Drive Cable Into Antenna To Defeat Air-Gapped Security | Hackaday
Lack of staff and resources drives smaller teams to outsource security - Help Net Security
Office macro security: on-again-off-again feature now BACK ON AGAIN! – Naked Security (sophos.com)
Removing the blind spots that allow lateral movement - Help Net Security
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Threat Briefing 03 June 2022
Black Arrow Cyber Threat Briefing 03 June 2022
-Turbulent Cyber Insurance Market Sees Rising Prices and Sinking Coverage
-Ransomware Attacks Still The #1 Threat to Businesses and Organisations
-Third of UK Firms Have Experienced a Security Breach Since 2020
-There Is No Good Digital Transformation Without Cyber Security
-Ransomware Gang Now Hacks Corporate Websites to Show Ransom Notes
-Attackers Are Leveraging Follina, a Critical Microsoft Windows Vulnerability Affecting Nearly All Versions of Windows and Windows Server. What Can You Do?
-Ransomware Attacks Need Less Than Four Days to Encrypt Systems
-57% Of All Digital Crimes In 2021 Were Scams
-Intelligence Is Key to Strategic Business Decisions
-How Cyber Criminals Are Targeting Executives at Home and Their Families
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
Turbulent Cyber Insurance Market Sees Rising Prices And Sinking Coverage
As insurers and brokers reckon with unexpected losses, they're charging more for policies and setting higher requirements.
Chaos reigns in the cyber insurance market. Brokers and cyber insurance carriers — the companies that actually offer the policies — are tightening requirements on what applicants need to do to obtain policies due to losses the insurers have suffered from ransomware coverage. During the past year, premiums grew 18% in the first quarter of 2021 and were up 34% in the fourth quarter of 2021, according to Jess Burn, senior analyst at Forrester.
Organisations often find they cannot obtain cyber insurance, are not being renewed for coverage they already have, or are faced with soaring prices and shrinking coverage. Despite the value many organisations put on cyber insurance — in some cases, they're required to carry it to comply with regulations — obtaining such policies is getting more difficult.
While raising premiums, some insurers are reducing coverage. If an organisation bought $10 million worth of coverage for a given price in 2021, for example, renewing that policy in 2022 might see the coverage amount fall to $3 million and the premiums for that lower coverage rise. This phenomenon is due, in part, to insurers trying to strike the right balance of customers' risk profile versus their risk-mitigation efforts.
Ransomware Attacks Still The #1 Threat To Businesses And Organisations
In 2021, ransomware attacks continued to be one of the most prominent threats targeting businesses and organisations worldwide.
High-profile attacks disrupted operations of companies in various sectors.
For example, the Colonial Pipeline attack interrupted critical infrastructure, the JBS Foods attack influenced food processing, and the CNA breach disrupted the insurance industry.
Following the attacks, pressure of law enforcement on ransomware gangs intensified, though simultaneously these threat actors continued to evolve.
They are not only becoming more technologically sophisticated but are also extensively leveraging the growing cyber crime ecosystem looking to find new partners, services and tools for their operations.
https://www.helpnetsecurity.com/2022/05/30/ransomware-trends-video/
Third Of UK Firms Have Experienced A Security Breach Since 2020
Cyber threats are behind soaring fraud and economic crime in the UK, where rates are now second only globally to South Africa, according to PwC.
The consulting giant’s latest Global Economic Crime Survey revealed that nearly two-thirds (64%) of UK businesses experienced fraud, corruption or other economic/financial crime during the past 24 months, a significant increase on the 56% recorded in 2020, and 50% in 2018.
It’s also much higher than the 2022 global average of 46%, PwC said.
Cyber crime was the most commonly reported fraud type, although figures here dropped from 42% in 2020 to 32% in 2022. Included for the first time in the report, supply chain incidents accounted for 19%.
Most (51%) reported fraud cases in the UK were traced back to external parties, versus just 43% globally. The top three culprits were cited as customers, hackers and vendors/suppliers.
https://www.infosecurity-magazine.com/news/third-uk-security-breach-2020/
There Is No Good Digital Transformation Without Cyber Security
Network engineers and CIOs agree that cyber security issues represent the biggest risk for organisations that fail to put networks at the heart of digital transformation plans. According to research commissioned by Opengear, 53% of network engineers and 52% of CIOs polled in the US, UK, France, Germany, and Australia rank cyber security among the list of their biggest risks.
The concerns are fuelled by an escalating number of cyber attacks. In fact, 61% of CIOs report an increase in cyber security attacks/breaches from 2020-21 compared to the preceding two years. For digital transformation of networking, 70% of network engineers say security is the most important focus area, and 31% say network security is their biggest networking priority.
Digital transformation is a priority, but cyber security risk remains. CIOs also understand the importance of the issues. 51% of network engineers say their CIOs have consulted them on investments to deliver digital transformation plans, the highest priority in the survey.
What’s more, 41% of CIOs rank cyber security among their organisation’s most important investment priorities over the next year, with 35% stating it is among the biggest over the next five years. In both cases, cyber security ranks higher than any other factor.
https://www.helpnetsecurity.com/2022/05/31/digital-transformation-cybersecurity-risk/
Ransomware Gang Now Hacks Corporate Websites To Show Ransom Notes
A ransomware gang is taking extortion to a new level by publicly hacking corporate websites to publicly display ransom notes.
This new extortion strategy is being conducted by Industrial Spy, a data extortion gang that recently began using ransomware. As part of their attacks, Industrial Spy will breach networks, steal data, and deploy ransomware on devices. The threat actors then threaten to sell the stolen data on their Tor marketplace if a ransom is not paid.
When ransomware gangs extort a victim, they typically give them a short window, usually a few weeks, to negotiate and pay a ransom before they start leaking data.
During this negotiation process, the threat actors promise to keep the attack secret, provide a decryption key, and delete all data if a ransom is paid.
After this period, the threat actors will use various methods to increase pressure, including DDoS attacks on corporate websites, emailing customers and business partners, and calling executives with threats.
These tactics are all done privately or with minimal exposure on their data leak sites, which are usually only visited by cyber security researchers and the media.
However, this is the first time we have seen a ransomware gang defacing a website to very publicly display a ransom note.
Attackers Are Leveraging Follina, A Critical Microsoft Windows Vulnerability Affecting Nearly All Versions of Windows and Windows Server. What Can You Do?
As the world is waiting for Microsoft to push out a patch for CVE-2022-30190, aka “Follina”, attackers around the world are exploiting the vulnerability in a variety of campaigns.
Microsoft has described CVE-2022-30190 as a Microsoft Windows Support Diagnostic Tool (MSDT) remote code execution vulnerability, confirmed it affects an overwhelming majority of Windows and Windows Server versions, and advised on a workaround to be implemented until a patch is ready.
https://www.helpnetsecurity.com/2022/06/03/patch-cve-2022-30190/
Ransomware Attacks Need Less Than Four Days To Encrypt Systems
The duration of ransomware attacks in 2021 averaged 92.5 hours, measured from initial network access to payload deployment. In 2020, ransomware actors spent an average of 230 hours to complete their attacks and 1637.6 hours in 2019.
This change reflects a more streamlined approach that developed gradually over the years to make large-scale operations more profitable.
At the same time, improvements in incident response and threat detection have forced threat actors to move quicker, to leave defenders with a smaller reaction margin.
The data was collected by researchers at IBM's X-Force team from incidents analysed in 2021. They also noticed a closer collaboration between initial access brokers and ransomware operators.
Previously, network access brokers might wait for multiple days or even weeks before they found a buyer for their network access.
In addition, some ransomware gangs now have direct control over the initial infection vector, an example being Conti taking over the TrickBot malware operation.
Malware that breaches corporate networks is quickly leveraged to enable post-exploitation stages of the attack, sometimes completing its objectives in mere minutes.
57% Of All Digital Crimes In 2021Were Scams
Group-IB shares its analysis of the landscape of the most widespread cyber threat in the world: scams. Accounting for 57% of all financially motivated cyber crime, the scam industry is becoming more structured and involves more and more parties divided into hierarchical groups.
The number of such groups jumped to a record high of 390, which is 3.5 times more than last year, when the maximum number of active groups was close to 110. Due to SaaS (Scam-as-a-Service), in 2021 the number of cyber criminals in one scam gang increased 10 times compared to 2020 and now reaches 100.
Traffic has become the circulatory system of scam projects: researchers emphasise that the number of websites used for purchasing and providing “grey” and illegal traffic and that lure victims into fraudulent schemes has increased by 1.5 times. Scammers are going into 2022 on a new level of scam attack automation: no more non-targeted users. Scammers are now attracting specific groups of victims to increase conversion rates. Social media are more often becoming the first point of contact between scammers and their potential victims.
https://www.helpnetsecurity.com/2022/05/31/scams-widespread-cyber-threat/
Intelligence Is Key To Strategic Business Decisions
Businesses have a growing need for greater relevance in the intelligence they use to inform critical decision-making. Currently just 18% of professionals responsible for security, risk, or compliance in their organisation feel that the intelligence they receive is “very specific and focused on their business”, a S-RM research reveals.
6 in 10 respondents also say the intelligence they receive takes too much time to analyse, meaning it does not always result in better informed decision making. This was the top reason behind dissatisfaction with external intelligence, identified by over 200 professionals working at companies with revenues of over $250 million.
The second most likely reason was that information was not tailored to business needs (47%), followed by too much information (35%).
Growing demand for the use of strategic intelligence has been prompted by increasing cyber (51%) and regulatory concerns (50%). And while these two factors have been climbing the boardroom agenda for years, geopolitical uncertainty has made the need to respond to these developments more acute. In particular, the Russia-Ukraine conflict has created a complex sanctions regime for businesses to operate.
Additionally, navigating the complexities of the COVID-19 pandemic has been a key challenge for businesses in the past three years, with 40% citing this as a catalyst in driving a growing need for strategic intelligence.
https://www.helpnetsecurity.com/2022/06/03/intelligence-decision-making/
How Cyber Criminals Are Targeting Executives At Home And Their Families
Top executives and their families are increasingly being targeted on their personal devices and home networks, as sophisticated threat actors look for new ways to bypass corporate security and get direct access to highly sensitive data.
https://www.helpnetsecurity.com/2022/06/01/cybercriminals-targeting-executives-video/
Threats
Ransomware
Cyber criminals Expand Attack Radius and Ransomware Pain Points | Threatpost
FBI, CISA warn: Don't get caught in Karakurt's web • The Register
Conti ransomware targeted Intel firmware for stealthy attacks (bleepingcomputer.com)
YourCyanide Ransomware Propagates With PasteBin, Discord, Microsoft Links (darkreading.com)
Conti Leaks Reveal Ransomware Gang's Interest in Firmware-based Attacks (thehackernews.com)
Evil Corp switches to LockBit ransomware to evade sanctions (bleepingcomputer.com)
Ransomware attack sends New Jersey county back to 1977 • The Register
Ransomware roundup: System-locking malware dominates headlines | CSO Online
What if ransomware evolved to hit IoT in the enterprise? • The Register
How Costa Rica found itself at war over ransomware | CSO Online
Experts warn of ransomware attacks on government orgs of small states - Security Affairs
Foxconn confirms ransomware attack disrupted production in Mexico (bleepingcomputer.com)
Why Ransomware Timeline Shrinks By 94%? – Information Security Buzz
Hundreds of Elasticsearch databases targeted in ransom attacks (bleepingcomputer.com)
BEC – Business Email Compromise
Phishing & Email Based Attacks
Watch out for phishing emails that inject spyware trio • The Register
Telegram’s blogging platform abused in phishing attacks (bleepingcomputer.com)
Other Social Engineering
Vishing attacks: What they are and how organisations can protect themselves - Help Net Security
Beware the Smish! Home delivery scams with a professional feel… – Naked Security (sophos.com)
Malware
New XLoader Botnet Version Using Probability Theory to Hide its C&C Servers (thehackernews.com)
LuoYu APT delivers WinDealer malware via man-on-the-side attacks - Security Affairs
EnemyBot malware adds enterprise flaws to exploit arsenal • The Register
Researchers Uncover Malware Controlling Thousands of Sites in Parrot TDS Network (thehackernews.com)
Logic bombs explained: Definition, examples, and prevention | CSO Online
Mobile
Top 10 Android banking trojans target apps with 1 billion downloads (bleepingcomputer.com)
WhatsApp accounts hijacked by call forwarding | Malwarebytes Labs
SideWinder Hackers Use Fake Android VPN Apps to Target Pakistani Entities (thehackernews.com)
SMSFactory Android malware sneakily subscribes to premium services (bleepingcomputer.com)
Phishers Having a Field Day on WhatsApp, Telegraph (darkreading.com)
Apple blocked 1.6 millions apps from defrauding users in 2021 (bleepingcomputer.com)
Organised Crime & Criminal Actors
FBI warns of Ukrainian charities impersonated to steal donations (bleepingcomputer.com)
Euro Cops Bust $47m Money Laundering Operation - Infosecurity Magazine (infosecurity-magazine.com)
Three Nigerian Users of Agent Tesla RAT Arrested | SecurityWeek.Com
Cryptocurrency/Cryptomining/Cryptojacking/NFTs
Americans report losing over $1 billion to cryptocurrency scams (bleepingcomputer.com)
Clipminer malware gang stole $1.7M by hijacking crypto payments (bleepingcomputer.com)
Bored Ape Yacht Club, Otherside NFTs stolen in Discord server hack (bleepingcomputer.com)
WatchDog hacking group launches new Docker cryptojacking campaign (bleepingcomputer.com)
Fraud, Scams & Financial Crime
$39.5 billion lost to phone scams in last year - Help Net Security
Britain's biggest bank issues 'urgent warning' over new scam (telegraph.co.uk)
Scams account for most of all financially motivated cyber crime - Help Net Security
AML/CFT/Sanctions
Supply Chain and Third Parties
Denial of Service DoS/DDoS
Open Source
Linux malware is on the rise—6 types of attacks to look for | CSO Online
The Open Source Software Security Mobilization Plan: Takeaways for security leaders | CSO Online
Privacy
Vodafone plans carrier-level user tracking for targeted ads (bleepingcomputer.com)
Europe's hope to scan devices for unlawful files criticized • The Register
Passwords & Credential Stuffing
Regulations, Fines and Legislation
Spyware, Espionage & Cyber Warfare, including Russian Invasion of Ukraine
NSA general confirms US offensive cyber ops in Ukraine war • The Register
Deadly Secret: Electronic Warfare Shapes Russia-Ukraine War | SecurityWeek.Com
Anonymous: Operation Russia after 100 days of war - Security Affairs
Chinese LuoYu hackers deploy cyber-espionage malware via app updates (bleepingcomputer.com)
Nation State Actors
Nation State Actors – Russia
Nation State Actors – China
China-linked TA413 group actively exploits Microsoft Follina Zero-Day flawSecurity Affairs
Chinese state media propaganda found in 88% of Google, Bing news searches - CyberScoop
Chinese LuoYu Hackers Using Man-on-the-Side Attacks to Deploy WinDealer Backdoor (thehackernews.com)
How Beijing’s surveillance cameras crept into Britain’s corridors of power (telegraph.co.uk)
Nation State Actors – North Korea
Nation State Actors – Iran
Nation State Actors – Misc APT
Vulnerability Management
Vulnerabilities
CISA adds 75 vulnerabilities to catalogue in 3 days- IT Security Guru
Fighting Follina: Application Vulnerabilities and Detection Possibilities (darkreading.com)
Yet another zero-day (sort of) in Windows “search URL” handling – Naked Security (sophos.com)
Actively Exploited Atlassian Zero-Day Bug Allows Full System Takeover (darkreading.com)
Microsoft Azure vulnerabilities pose new cloud security risk - Protocol
GitLab Issues Security Patch for Critical Account Takeover Vulnerability (thehackernews.com)
New Unpatched Horde Webmail Bug Lets Hackers Take Over Server by Sending Email (thehackernews.com)
Sector Specific
Financial Services Sector
Government
Health/Medical/Pharma Sector
Twice as Many Healthcare Organisations Now Pay Ransom - Infosecurity Magazine
Novartis says no sensitive data was compromised in cyber attack (bleepingcomputer.com)
Costa Rica’s public health agency hit by Hive ransomware (bleepingcomputer.com)
Transport and Aviation
CNI, OT, ICS, IIoT and SCADA
Food and Agriculture
Web3
Other News
How Failing to Prioritize Cyber Security can Hurt Your Company (analyticsinsight.net)
Bad news: The cyber security skills crisis is about to get even worse | ZDNet
Nearly Three-Quarters of Firms Suffer Downtime from DNS Attacks - Infosecurity Magazine
CIOs and network engineers rank cyber security among the biggest risks - Help Net Security
How USB Drives Can Be a Danger to Your Computer (howtogeek.com)
Australian digital driver's licenses hackable in minutes • The Register
Over 3.6 million MySQL servers found exposed on the Internet (bleepingcomputer.com)
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Threat Briefing 13 May 2022
Black Arrow Cyber Threat Briefing 13 May 2022
-UK, US Intelligence Agencies Warn Managed Service Providers, including External IT Providers, Are Now Prime Targets for Cyber Attacks
-Wannacry – 5 Years On, 68% Of Enterprises Are Still At Risk
-You Can’t Eliminate Cyber Attacks, So Focus on Reducing the Blast Radius
-Just In Time? Bosses Are Finally Waking Up to The Cyber Security Threat
-Most Organisations Hit by Ransomware Would Pay Up If Hit Again
-31,000 FTSE 100 Logins Found on Dark Web
-Ransomware: How Executives Should Prepare Given the Current Threat Landscape
-What Your Cyber Insurance Application Form Can Tell You About Ransomware Readiness
-NCSC Shut Down 2.7 Million Scams in 2021
-Top 6 Security Threats Targeting Remote Workers
-Password Reuse Is Rampant Among Employees in All Sectors
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
UK, US Intelligence Agencies Warn Managed Service Providers, including External IT Providers, Are Now Prime Targets for Cyber Attacks
The Five Eyes coalition of international cyber security authorities, this week issued an advisory to warn managed service providers (MSPs), including external IT providers, of an escalating threat of attack from both everyday cyber criminals and state-sponsored threat actors.
MSPs provide or operate information and communications technology services.
With input from cyber security leaders from Australia, Canada, New Zealand, the UK and the US, the NSA provided recommendations to help bolster their cyber defences, including:
Finding and disabling dormant accounts.
Implementing and enforcing multifactor authentication on accounts.
Ensuring contracts clearly map out who owns and is responsible for securing data.
Malicious actors are targeting MSPs to break into their customers' networks and deploy ransomware, steal data, and spy on them, the Five Eyes authorities have formally warned in a joint security alert.
"The UK, Australian, Canadian, New Zealand, and US cyber security authorities expect malicious cyber actors — including state-sponsored advanced persistent threat (APT) groups — to step up their targeting of MSPs in their efforts to exploit provider-customer network trust relationships," the alert warned.
These types of supply-chain or "island-hopping" attacks can prove very lucrative for cyber criminals because once they break into an MSP, they gain access to all of the customers' networks and data being managed, and in turn commit computer crimes and fraud against those customers' customers.
Wannacry – 5 Years On, 68% Of Enterprises Are Still at Risk
5 years on from one of the world’s most damaging ransomware attacks, research from network detection and response leader ExtraHop has found that 68% of enterprises are still running insecure protocol that were exploited by the North Korean ransomware.
The events of 12 May 2017 live on in cyber security lore. WannaCry revealed just how extensive the damage caused by ransomware can be if deployed in large scale – from downtime to ransom paid to reputational damage. Yet despite the danger, huge numbers of organisations are still running SMBv1, the protocol exploited in the WannaCry attacks that has been publicly deprecated since 2014.
You Can’t Eliminate Cyber Attacks, So Focus on Reducing the Blast Radius
Given it is impossible to prevent all cyber attacks, many organisations should look to reduce the size of the company’s attack surface and the limit the “blast radius” of a potential attack.
There is a danger that the biggest risk concerning cyber attacks is that we’re becoming desensitised to them. After all, businesses experience a ransomware attack every 11 seconds—the majority of which the public never hears about. Faced with this reality, it may seem like efforts to safeguard the enterprise are futile. But that’s all the more reason to strengthen your resolve—and switch up your cyber defence strategy.
The core of this strategy should be the concept of “reducing the blast radius” of an attack, and since you can’t completely eliminate cyber attacks, you need to take steps to contain the impact.
This strategy should contain basic blocking and also consider things such as Zero Trust for remote access, traffic inspection, software-based micro-segmentation and other practical measures to reduce your attack surface.
https://threatpost.com/cyberattacks-blast-radius/179612/
Just In Time? Bosses Are Finally Waking Up to The Cyber Security Threat
Boardrooms have a reputation for not paying much attention to cyber security, but it could be that executives are finally keen to take more interest in securing the systems and networks their businesses rely on.
Senior figures from American, British and Australian cyber security agencies have said that business execs are now more aware of cyber threats and are actively engaging with their chief information security officer (CISO) and information security teams.
Chief execs are starting to ask their CISOs the right questions, rather than leaving them to it because they don't have to understand complex technology. It does feel like a much more engaging strategic conversation, but there can still be a disconnect between knowing what needs to happen, then actually budgeting for and implementing a cyber security strategy.
https://www.zdnet.com/article/just-in-time-bosses-are-finally-waking-up-to-the-cybersecurity-threat/
Most Organisations Hit by Ransomware Would Pay Up If Hit Again
Almost nine in 10 organisations that have suffered a ransomware attack would choose to pay the ransom if hit again, according to a new report, compared with two-thirds of those that have not experienced an attack.
The findings come from a report titled "How business executives perceive ransomware threat" by security company Kaspersky, which states that ransomware has become an ever-present threat, with 64 percent of companies surveyed already having suffered an attack, but more worryingly, that executives seem to believe that paying the ransom is a reliable way of addressing the issue.
The report is based on research involving 900 respondents across North America, South America, Africa, Russia, Europe, and Asia-Pacific. The respondents were in senior non-IT management roles at companies between 50 and 1,000 employees.
Kaspersky claims that in 88 percent of organisations that have had to deal with a ransomware incident, business leaders said they would choose to pay the money if faced with another attack. In contrast, among those that have not so far suffered a ransomware attack, only 67 percent would be willing to pay, and they would be less inclined to do so immediately.
https://www.theregister.com/2022/05/13/organizations_pay_ransomware/
31,000 FTSE 100 Logins Found on Dark Web
Researchers with Outpost24 are reporting over 31,000 corporate credentials for many of the UK’s leading FTSE 100 firms on the dark web. These are the 100 biggest companies listed on the London Stock Exchange by market capitalisation. The researchers used their threat monitoring and auditing tool Blueliv to search dark web sites for the breached credentials.
Key findings from stolen and leaked credentials study:
The majority (81%) of the companies within the FTSE 100 had at least one credential compromised and exposed on the dark web
31,135 total stolen and leaked credentials detected for FTSE 100 companies, with 38% disclosed on the underground in the past 12 months
Nearly half (42%) of FTSE 100 companies have more than 500 compromised credentials exposed on the dark web
Up to 20% of credentials are stolen via malware infection and stealers
11% disclosed in the last 3 months (21% in the last 6 months and over 68% have been exposed for over 12 months)
Over 60% of stolen credentials came from 3 industries – IT/Telecom (23%), Energy and Utility (22%) and Finance (21%)
IT/Telecoms industry is the most at risk with the highest total amount (7,303) and average stolen credentials per company (730), they are most affected by malware infection and have the most amount of stolen credentials disclosed in the last 3 months
On average, healthcare has the highest number of stolen credentials per company (485) from data breach as they found themselves increasingly in the cyber criminals’ crosshairs since the pandemic.
https://informationsecuritybuzz.com/expert-comments/31000-ftse-100-logins-found-on-dark-web/
Ransomware: How Executives Should Prepare Given the Current Threat Landscape
As the number of ransomware attacks continue to increase, the response at C-level must be swift and decisive.
Top executives are increasingly dreading the phone call from their fellow employee notifying them that their company has been hit by a cyber attack. Nearly every week in 2021 and early 2022, a prominent organisation has been in the media spotlight as their public relations team struggles to explain how they were attacked and how they can regain consumer confidence. A recent survey showed that 37 percent of organisations surveyed had been affected by ransomware attacks in the last year.
Worse, the days when executive leadership teams could fully delegate responsibility to a CISO are over. Regardless of reality, surveys have shown that about 40 percent of the public perception of fault for a ransomware attack lands squarely on the CEO’s shoulders, and that 36 percent of attacks result in the loss of C-level talent. While executive involvement in the security program does not guarantee a successful defence, it does give the executive leadership team (ELT) a degree of ownership of the final product, as well as the ability to speak confidently and knowledgeably to the public.
What Your Cyber Insurance Application Form Can Tell You About Ransomware Readiness
The annual cyber insurance application form shows what the carriers think you should be doing to best prevent and recover from ransomware attacks. Pay attention.
If it’s the time of year for you to fill out the annual cyber insurance policy application, you will see how the focus for insurance firms is changing. Each year you can get an insight into what insurance vendors are using to rate the risks and threats to your business and what they are stressing firms should have in place as best practice or what they are expecting you should have in place as a baseline set of controls. Not having them in place could affect insurance rates, whether you are able to get cyber coverage at all, or crucially whether they would pay out in the event of you having to make a claim.
This year you might find more questions specifically around ransomware prevention techniques and protections, from Multi Factor Authentication (MFA) to Endpoint Detection and Response (EDR), and email filtering protections to the robustness of your backups.
Make sure to review your cyber insurance policy and its related questionnaire. And ask whether you are doing everything you can to protect your firm and tailoring your actions to align with what your insurance provider has deemed as a best practice.
NCSC Shut Down 2.7 Million Scams in 2021
The UK National Cyber Security Centre (NCSC) removed 2.7 million online scams last year, it was revealed this week, four times as many scams compared to 2020.
The announcement comes as the security agency shared the most recent data from its Active Cyber Defence initiative at the CYBERUK summit earlier in the week.
According to the NCSC, neutralised scams included fake celebrity endorsements and spoof extortion emails.
It has also been revealed that fraud campaigns used common themes, with NHS vaccines and vaccine passports being particularly popular.
Some cyber criminals even posed as NCSC CEO Lindy Cameron – victims received an email claiming the NCSC had prevented £5m of their money from being stolen, and were urged to supply personal information to retrieve the funds.
https://www.itsecurityguru.org/2022/05/10/ncsc-shut-down-2-7-million-scams-in-2021/
Security Threats Targeting Remote Workers
Remote work offers great benefits, like reduced commute time, increased freedom, and more time to spend with loved ones. But there can be security downsides if sufficient controls are not in place to protect remote workers against the digital threats that come with working via unsecured connections.
Being on a home network lacks the layered network security of the company environment. Remote work itself is not new, but the dramatic shift to working from home over the past two years means there are more security-naive people who are not in the office.
Not all security threats are the fault of technology. Much of it also comes from human error.
Remote work greatly exacerbates human-activated risk, and people are working in more distracting environments where they may have to answer the door for deliveries or might multitask with household chores. That means mistakes are more likely to happen, like sending an email to the wrong recipient or falling for a malicious email attack.
Recent research by Egress found that 77% of IT leaders said they have seen an increase in security compromises since going remote two years ago.
https://www.darkreading.com/endpoint/top-6-security-threats-targeting-remote-workers
Password Reuse Is Rampant Among Employees in All Sectors
SpyCloud published an annual analysis of identity exposure among employees of Fortune 1000 companies in key sectors such as technology, finance, retail and telecommunications.
Drawing on a database of over 200 billion recaptured assets, researchers identified over 687 million exposed credentials and PII tied to Fortune 1000 employees, a 26% increase from last year’s analysis.
Analysis of this data showed a 64% password reuse rate, widespread use of easy-to-guess passwords, and a spike in malware-infected devices –– all sources of cyber risk for both employers and consumers who rely on businesses to safeguard their personal data. With remote work blurring the lines between work and personal device use, a larger attack surface compounds the risk of cyber attacks proliferating beyond compromised employee and consumer identities to penetrate corporate networks.
https://www.helpnetsecurity.com/2022/05/11/fortune-1000-identity-exposure/
Threats
Ransomware
Costa Rica Shows the Damage Ransomware Can Do to a Country - The Washington Post
Ransomware Works Fast, You Need to Be Faster To Counter It - Help Net Security
A Closer Look At Today’s Ransomware Attack Landscape - MSSP Alert
Ransomware Is a National Security Threat, So Please Tell Us About Attacks, Says Government | ZDNet
5 Years That Altered the Ransomware Landscape (darkreading.com)
Colonial Pipeline Faces Nearly $1m Fine After Ransomware • The Register
These Ransomware Attackers Sent Their Ransom Note to The Victim's Printer | ZDNet
New Malware Samples Indicate Return of REvil Ransomware | SecurityWeek.Com
How to Avoid Falling Victim to PayOrGrief's Next Rebrand (darkreading.com)
Examining the Black Basta Ransomware’s Infection Routine (trendmicro.com)
Phishing & Email Based Attacks
Novel Phishing Trick Uses Weird Links to Bypass Spam Filters | Threatpost
New Email Security Tool Launched to Help Organisations Check Their Defences - NCSC.GOV.UK
Malware
Novel ‘Nerbian’ Trojan Uses Advanced Anti-Detection Tricks | Threatpost
Low-rent Remote Access Trojan (RAT) Worries Researchers | Threatpost
Eternity Malware Kit Offers Stealer, Miner, Worm, Ransomware Tools (bleepingcomputer.com)
It costs $7 to Rent DCRat Malware to Backdoor Your Network • The Register
Shopping For Malware: $260 Gets You a Password Stealer... • The Register
Microsoft: Sysrv Botnet Targets Windows, Linux Servers with New Exploits (bleepingcomputer.com)
Google Drive Emerges as Top App For Malware Downloads - Help Net Security
Stealthy Linux Implant BPFdoor Compromised Organizations Globally For Years | CSO Online
Malware Attacks Getting More Regional, Claims Netskope • The Register
5-Buck DCRat Malware Foretells a Worrying Cyber Future (darkreading.com)
Threat Actors Use Telegram to Spread ‘Eternity’ Malware-as-a-Service | Threatpost
German Automakers Targeted in Year-Long Malware Campaign (bleepingcomputer.com)
Data Breaches/Leaks
PII Of 21M SuperVPN, GeckoVPN Users Leaked On Telegram - Information Security Buzz
Victims of Horizon Actuarial Data Breach Exceed 1M (techtarget.com)
Organised Crime & Criminal Actors
Crypto Robber Who Lured Victims Via Snapchat and Stole £34,000 Jailed (bleepingcomputer.com)
Crook Jailed for Selling Stolen Credentials On Dark Web • The Register
US Agrees to International Electronic Cyber Crime Evidence Swap (darkreading.com)
Cryptocurrency/Cryptomining/Cryptojacking/NFTs
NFTs Emerge as the Next Enterprise Attack Vector (darkreading.com)
Fake Binance NFT Mystery Box Bots Steal Victim's Crypto Wallets (bleepingcomputer.com)
Possible $1 Billion Crypto Ponzi Scheme Probed by Tax Investigators - Bloomberg
Insider Risk and Insider Threats
Fraud, Scams & Financial Crime
How Can Your Business Defend Itself Against Fraud-as-a-Service? (darkreading.com)
Scammers Impersonate Britain’s Top Cyber Crime Chief in Fake £5m Heist (telegraph.co.uk)
Caramel Credit Card Stealing Service Is Growing in Popularity (bleepingcomputer.com)
Hackers Are Exploiting WordPress Themes, Plugins to Hawk Scams (gizmodo.com)
Thousands of WordPress Sites Hacked to Redirect Visitors to Scam Sites (thehackernews.com)
Insurance
Multi-Factor Authentication: A Key to Cyber Risk Insurance Coverage (tripwire.com)
How Cyber Liability Insurance Can Help Protect Your Business Reputation - MSSP Alert
Supply Chain and Third Parties
Denial of Service DoS/DDoS
Cloud
Open Source
Travel
Parental Controls and Child Safety
Cyber Bullying and Cyber Stalking
Regulations, Fines and Legislation
Spyware, Espionage & Cyber Warfare, including Russian Invasion of Ukraine
Wars Start in Cyberspace Well Before Shots Are Fired • The Register
#CYBERUK22: Cyber Trends from the Russia-Ukraine War - Infosecurity Magazine
US Pledges to Help Ukraine Keep the Internet and Lights On (darkreading.com)
Spain’s Spy Chief Sacked Over Pegasus Scandal - Infosecurity Magazine
OpRussia Update: Anonymous Breached Other Organizations - Security Affairs
Pro-Russian Hacktivists Target Italy Government Websites - Security Affairs
Nation State Actors
Nation State Actors – Russia
Russian Hackers Targeting Opponents Of Ukraine Invasion, Warns GCHQ Chief | Hacking | The Guardian
Western Intelligence Blames Russia for Europe-Wide Cyber Attack - Infosecurity Magazine
State Department Says Russian Cyber War Against Ukraine Began in January | The Independent
Ukraine War: Don’t Underestimate Russia Cyber-Threat, Warns US - BBC News
Nation State Actors – China
Experts Uncovered a New Wave Of Attacks Conducted By Mustang Panda - Security Affairs
China-Backed Winnti Hackers Attacked Manufacturers Globally, Cybereason Alleges - MSSP Alert
Nation State Actors – Iran
Vulnerability Management
Vulnerabilities
Critical F5 BIG-IP Vulnerability Exploited to Wipe Devices (bleepingcomputer.com)
Adobe Warns of 'Critical' Security Flaws in Enterprise Products | SecurityWeek.Com
Log4Shell Exploit Threatens Enterprise Data Lakes, AI Poisoning (darkreading.com)
Intel Emits Raft of Firmware Patches For Security Flaws • The Register
Actively Exploited Zero-Day Bug Patched by Microsoft | Threatpost
HP Fixes Bug Letting Attackers Overwrite Firmware in Over 200 Models (bleepingcomputer.com)
Zyxel Fixes Firewall Flaws That Could Lead to Hacked Networks (bleepingcomputer.com)
Microsoft Releases Fixes for Azure Flaw Allowing RCE Attacks (bleepingcomputer.com)
Researchers Find Flaws in Word, PDF Script Handling • The Register
SonicWall Releases Patches for New Flaws Affecting SSLVPN SMA1000 Devices (thehackernews.com)
Microsoft: May Windows Updates Cause AD Authentication Failures (bleepingcomputer.com)
Sector Specific
Health/Medical/Pharma Sector
Ransomware Group Strikes Second US Health Care System in The Last Two Months - CyberScoop
Is That Health App Safe to Use? A New Framework Aims To Provide An Answer - Help Net Security
Manufacturing
German Automakers Targeted in Year-Long Malware Campaign (bleepingcomputer.com)
China-Backed Winnti Hackers Attacked Manufacturers Globally, Cybereason Alleges - MSSP Alert
Education and Academia
Reports Published in the Last Week
Other News
An Offensive Mindset Is Crucial for Effective Cyber Defence - Help Net Security
Zero-Click Attacks Explained, And Why They Are So Dangerous | CSO Online
Britain Must Upgrade Cyber Defences ‘Or Be Hit By 9/11-Style Attack’ (telegraph.co.uk)
Everything We Learned From the LAPSUS$ Attacks (thehackernews.com)
Threat Actors Are Stealing Data Now to Decrypt When Quantum Computing Comes (darkreading.com)
Prepare for What You Wish For: More CISOs on Boards | SecurityWeek.Com
Ready, IAM, Fire: How Weak Identity and Access Management (IAM) Makes You a Target (darkreading.com)
How Privileged Access Management (PAM) Must Evolve - MSSP Alert
Secure Your CMS-Based Websites Against Pervasive Attacks - Help Net Security
Threats To Hardware Security Are Growing - Help Net Security
Government’s “Whole of Society” Cyber Strategy Takes Shape - Infosecurity Magazine
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.