Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

• CFOs’ Overconfidence in Cyber Security Can Cost Millions

Kroll announced its report entitled ‘Cyber Risk and CFOs: Over-Confidence is Costly’ which found chief financial officers (CFOs) to be woefully in the dark regarding cyber security, despite confidence in their company’s ability to respond to an incident.

The report, conducted by StudioID of Industry Dive, exposed three key themes among the 180 senior finance executives surveyed worldwide:

1. Ignorance is bliss. Eighty-seven percent of CFOs are either very or extremely confident in their organisation’s cyber attack response. This is at odds with the level of visibility CFOs have into cyber risk issues, given only four out of 10 surveyed have regular briefings with their cyber teams.

2. Wide-ranging damages. 71% of the represented organisations suffered more than $5 million in financial losses stemming from cyber incidents in the previous 18 months, and 61% had suffered at least three significant cyber incidents in that time. Eighty-two percent of the executives in the survey said their companies suffered a loss of 5% or more in their valuations following their largest cyber security incident in the previous 18 months.

3. Increasing investment in cyber security. Forty-five percent of respondents plan to increase the percentage of their overall IT budget dedicated to information security by at least 10%.

According to Kroll: “We often see that CFOs are not aware enough of the financial risk presented by cyber threats until they face an incident. At that point, it’s clear that they need to be involved not only in the recovery, including permitting access to emergency funds and procuring third-party suppliers, but also in the strategy and investment around cyber both pre- and post-incident.”

“Ultimately, cyber attacks represent a financial risk to the business, and incidents can have a significant impact on value. It is, therefore, critical that this is included in wider business risk considerations. A CFO and CISO should work side-by-side, helping the business navigate the operational and financial risk of cyber.”

https://www.helpnetsecurity.com/2022/09/14/cfos-cybersecurity-confidence/

• Cyber Security Outflanks Inflation, Talent, Logistics in Business Worries

Nearly six in 10 IT leaders in a new study view cyber security as their top business concern, ranking it higher than inflation, retaining talent and supply chain/logistics management.

Less than half of respondents (43%) believe their critical data and assets are protected from cyber threats despite increased cyber security investments by their organisations, greater board visibility and increased collaboration between the security team and the C-suite, Rackspace said in its new survey of 1,420 IT professionals worldwide.

The multi-cloud technology services specialist said that a “large majority” of the survey respondents report being either unprepared or only “somewhat prepared” to respond to major threats, such as identifying and mitigating threats and areas of concern (62%), recovering from cyber attacks (61%) or preventing lapses and breaches (63%).

Cloud native security is where organisations are most likely to rely on an outside partner, such as a managed security service provider, for expertise.

Here are more of the survey’s findings:

• The top three cyber security challenges their organisation is facing: migrating and operating apps (45%); shortage of workers with cyber security skills (39%); lack of visibility of vulnerabilities across all infrastructure (38%).

• 70% of survey respondents report that their cyber security budgets have increased over the past three years.

• The leading recipients of new investment are cloud native security (59%); data security (50%), consultative security services (44%); and application security (41%).

• Investments align closely with the areas where organisations perceive their greatest concentration of threats, led by network security (58%), closely followed by web application attacks (53%) and cloud architecture attacks (50%).

• 70% of respondents said there has been an increase in board visibility for cyber security over the past five years, while 69% cite better collaboration between the security team and members of the C-suite.

• Only 13% of respondents said there were significant communications gaps between the security team and C-suite, while 69% of IT executives view their counterparts in the C-suite as advocates for their concerns.

The authors stated “We are seeing a major shift in how organisations are allocating resources to address cyber threats, even as budgets increase. The cloud brings with it a new array of security challenges that require new expertise, and often reliance on external partners who can help implement cloud native security tools, automate security, provide cloud native application protection, offer container security solutions and other capabilities”.

https://www.msspalert.com/cybersecurity-research/cybersecurity-outflanks-inflation-talent-logistics-in-business-worries-rackspace-research/

• Attackers Can Compromise Most Cloud Data in Just 3 Steps

An analysis of cloud services finds that known vulnerabilities typically open the door for attackers, while insecure cloud architectures allow them to gain access to the crown jewels.

Companies and their cloud providers often leave vulnerabilities open in their system and services, gifting attackers with an easy path to gain access to critical data.

According to an Orca Security analysis of data collected from major cloud services, attackers only need on average three steps to gain access to sensitive data, the so-called "crown jewels," starting most often — in 78% of cases — with the exploitation of a known vulnerability.

While much of the security discussion has focused on the misconfigurations of cloud resources by companies, cloud providers have often been slow to plug vulnerabilities.

The key is to fix the root causes, which is the initial vector, and to increase the number of steps that they attacker needs to take. Proper security controls can make sure that even if there is an initial attack vector, you are still not able to reach the crown jewels.

The report analysed data from Orca's security research team using data from a "billions of cloud assets on AWS, Azure, and Google Cloud," which the company's customers regularly scan. The data included cloud workload and configuration data, environment data, and information on assets collected in the first half of 2022.

https://www.darkreading.com/cloud/cyberattackers-compromise-most-cloud-data-3-steps

• Cyber Insurance Premiums Soar 80% As Claims Surge

Cyber insurance premiums have soared in the past year as claims surged in response to a rise in damaging attacks by hackers.

The cost of taking out cyber cover had doubled on average every year for the past three years, said global insurance broker Marsh. Honan Group, another broker, pointed to an 80 per cent rise in premiums in the past 12 months, following a 20 per cent increase in the cost of cover in each of the previous two years.

Brokers are calling cyber “the new D&O”, referring to sharp rises in directors and officers insurance premiums since 2018. Brokers were hopeful premiums would ease, but have warned insurers would continue to demand companies prove they had strong security systems and policies in place before agreeing to sell them insurance.

There’ll be a number of insurance companies that won’t even look at a business that doesn’t have a bunch of security measures in place. They’ll just turn around and say, ‘we’re not going to insure you’. The chief reason for the price rises is the increase in the number and size of claims relating to ransomware, where criminals use malicious software to block access to an organisation’s computer system until a sum of money is paid. In addition, some insurers left the market, while remaining players attempted to recoup the cost of under-priced contracts written in previous years.

The rise in the premiums is mainly due to ransomware and cyber attacks across the board have risen sharply over the past few years.

https://www.afr.com/work-and-careers/management/cyber-insurance-premiums-soar-80pc-as-claims-surge-20220908-p5bglo

• One In 10 Employees Leaks Sensitive Company Data Every 6 Months

Departing employees are most likely to leak sensitive information to competitors, criminals or the media in exchange for cash.

Insider threats are an ongoing menace that enterprise security teams need to handle. It's a global problem but especially acute in the US, with 47 million Americans quitting their jobs in 2021. The threat of ex-employees taking sensitive information to competitors, selling it to criminals in exchange for cash, and leaking files to media is making data exfiltration a growing concern. 

About 1.4 million people who handle sensitive information in their organisation globally were tracked over the period from January to June 30 this year by cyber security firm Cyberhaven to find out when, how and who is involved in data exfiltration.

On average, 2.5% of employees exfiltrate sensitive information in a month, but over a six-month period, nearly one in 10, or 9.4% of employees, do so, Cyberhaven noted in its report. Data exfiltration incidents occur when data is transferred outside the organisation in unapproved ways.

Among employees that exfiltrated data, the top 1% most prolific “super stealers” were responsible for 7.7% of incidents, and the top 10% were responsible for 34.9% of incidents.

North America accounted for the highest number of incidents at 44%, followed by the Asia Pacific region at 27%. Europe, the Middle East, and Africa accounted for 24% of incidents while 5% of incidents were recorded in South America.

https://www.csoonline.com/article/3673260/one-in-10-employees-leaks-sensitive-company-data-every-6-months-report.html#tk.rss_news

• Business Application Compromise and the Evolving Art of Social Engineering

Social engineering is hardly a new concept, even in the world of cyber security. Phishing scams alone have been around for nearly 30 years, with attackers consistently finding new ways to entice victims into clicking a link, downloading a file, or providing sensitive information.

Business email compromise (BEC) attacks iterated on this concept by having the attacker gain access to a legitimate email account and impersonate its owner. Attackers reason that victims won't question an email that comes from a trusted source — and all too often, they're right.

But email isn't the only effective means cyber criminals use to engage in social engineering attacks. Modern businesses rely on a range of digital applications, from cloud services and VPNs to communications tools and financial services. What's more, these applications are interconnected, so an attacker who can compromise one can compromise others, too. Organisations can't afford to focus exclusively on phishing and BEC attacks — not when business application compromise (BAC) is on the rise.

https://www.darkreading.com/vulnerabilities-threats/business-application-compromise-the-evolving-art-of-social-engineering

• SMBs Are Hardest-Hit By Ransomware

Coalition announced the mid-year update to its 2022 Cyber Claims Report detailing the evolution of cyber trends, revealing that small businesses have become bigger targets, overall incidents are down, and ransomware attacks are declining as demands go unpaid.

During the first half of 2022, the average cost of a claim for a small business owner increased to $139,000, which is 58% higher than levels during the first half of 2021.

“Across industries, we continue to see high-profile attacks targeting organisations with weak or exposed infrastructure — which has become exacerbated by today’s remote working culture and companies’ dependence on third-party vendors,” said Coalition’s Head of Claims.

“Small businesses are especially vulnerable because they often lack resources. For these businesses, avoiding downtime and disruption is essential, and they must understand that Active Insurance is accessible.”

The good news: both Coalition and the broader insurance industry observed a decrease in ransomware attack frequency and the amount of ransom demanded between the second half of 2021 and the first half of 2022. Ransomware demands decreased from $1.37M in H2 2021 to $896,000 in H1 2022.

“Organisations are increasingly aware of the threat ransomware poses. They have started to implement controls such as offline data backups that allow them to refuse to pay the ransom and restore operations through other means,” said Coalition’s Head of Incident Response. “As ransomware is on the decline, attackers are turning to reliable methods. Phishing, for example, has skyrocketed – and only continues to grow.”

https://www.helpnetsecurity.com/2022/09/15/small-businesses-ransomware-targets/

• 65% Say Legacy Backup Solutions Aren’t Up To Ransomware Challenges

HYCU researchers are reporting 65% of respondents lack full confidence in their legacy backup solutions (HYCU is a multi-cloud backup-as-a-service provider).

According to the report, 65% of surveyed enterprise organisations are increasing spending on detection, prevention and recovery, and respondents are beginning to understand that air-gapped or immutable backups are the only ways to ensure that the backups themselves don’t fall prey to encryption worms when ransomware hits.

Key findings include:

• 52% of ransomware victims suffered data loss

• 63% of victims suffered an operational disruption

• Just 41% air gap their backups

• Just 47% routinely test their backups

• Only 35% of respondents believe their current backup and recovery tools are sufficient.

https://informationsecuritybuzz.com/expert-comments/65-say-legacy-backup-solutions-arent-up-to-ransomware-challenges/

• Four-Fifths of Firms Hit by Critical Cloud Security Incident

Some 80% of organisations suffered a “severe” cloud security incident over the past year, while a quarter worry they’ve suffered a cloud data breach and aren’t aware of it, according to new research from Snyk.

The developer security specialist polled 400 cloud engineering and security practitioners from organisations of various sizes and sectors, to compile its State of Cloud Security Report.

Among the incidents flagged by respondents over the past 12 months were breaches, leaks, intrusions, crypto-mining, compliance violations, failed audits and system downtime in the cloud.

Startups (89%) and public sector organisations (88%) were the most likely to have suffered such an incident over the period.

The bad news is that 58% of respondents predict they will suffer another severe incident in the cloud over the coming year. Over three-quarters (77%) of those questioned cited poor training and collaboration as a major challenge in this regard.

“Many cloud security failures result from a lack of effective cross-team collaboration and team training. When different teams use different tools or policy frameworks, reconciling work across those teams and ensuring consistent enforcement can be challenging,” the report argued.

https://www.infosecurity-magazine.com/news/fourfifths-firms-critical-cloud/

• Homeworkers Putting Home and Business Cyber Safety at Risk

BlackBerry published a European research report exposing the cyber security risk created by cost-conscious homeworkers who prioritise security behind price, usability and ease of set up in their purchase of domestic smart devices.

32% of European home workers who own a smart device surveyed said security was a top three factor when choosing a smart device, compared to 50% who prioritised price. 28% of businesses aren’t putting adequate security provisions in place to extend cyber protection as far as homes. This heightens the risk of cyber attacks for businesses and their employees, as hybrid and home working become the norm.

The survey of 4,000 home workers in the UK, France, Germany, and the Netherlands revealed that 28% of people say that their employer has not done or communicated anything about protecting their home network or smart devices, or they don’t know if they are protected.

Furthermore, 75% of Europeans say their employers have taken no steps to secure the home internet connection or provide software protection for home devices. This failure to extend network security to home devices increases risk of the vulnerabilities created by hybrid and home working being successfully exploited. These are particularly sobering findings for small and mid-sized businesses who face upwards of eleven cyber attacks per device, per day, according to the research.

Through even the most innocent of devices, bad actors can access home networks with connections to company devices – or company data on consumer devices – and seize the opportunity to steal data and intellectual property worth millions. It’s likely businesses will bear the brunt of cyber attacks caused by unsecured home devices, with knock-on effects to employees themselves.

https://www.helpnetsecurity.com/2022/09/12/homeworkers-smart-devices-security/

• Uber Hacked, Internal Systems Breached and Vulnerability Reports Stolen

Uber suffered a cyber attack Thursday afternoon with an allegedly 18-year-old hacker downloading HackerOne vulnerability reports and sharing screenshots of the company's internal systems, email dashboard, and Slack server.

The screenshots shared by the hacker and seen by BleepingComputer show what appears to be full access to many critical Uber IT systems, including the company's security software and Windows domain.

Other systems accessed by the hacker include the company's Amazon Web Services console, VMware vSphere/ESXi virtual machines, and the Google Workspace admin dashboard for managing the Uber email accounts.

The threat actor also breached the Uber Slack server, which he used to post messages to employees stating that the company was hacked. However, screenshots from Uber's slack indicate that these announcements were first met with memes and jokes as employees had not realised an actual cyber attack was taking place.

Uber has since confirmed the attack, tweeting that they are in touch with law enforcement and will post additional information as it becomes available. "We are currently responding to a cyber security incident. We are in touch with law enforcement and will post additional updates here as they become available," tweeted the Uber Communications account.

The New York Times, which first reported on the breach, said they spoke to the threat actor, who said they breached Uber after performing a social engineering attack on an employee and stealing their password. The threat actor then gained access to the company's internal systems using the stolen credentials.

https://www.bleepingcomputer.com/news/security/uber-hacked-internal-systems-breached-and-vulnerability-reports-stolen/

• IHG Hack: 'Vindictive' Couple Deleted Hotel Chain Data for Fun

Hackers have told the BBC they carried out a destructive cyber-attack against Holiday Inn owner Intercontinental Hotels Group (IHG) "for fun".

Describing themselves as a couple from Vietnam, they say they first tried a ransomware attack, then deleted large amounts of data when they were foiled. They accessed the FTSE 100 firm's databases thanks to an easily found and weak password, Qwerty1234. An expert says the case highlights the vindictive side of criminal hackers.

UK-based IHG operates 6,000 hotels around the world, including the Holiday Inn, Crowne Plaza and Regent brands. On Monday last week, customers reported widespread problems with booking and check-in. For 24 hours IHG responded to complaints on social media by saying that the company was "undergoing system maintenance".

Then on the Tuesday afternoon it told investors that it had been hacked.

https://www.bbc.co.uk/news/technology-62937678

Threats

Ransomware and Extortion

• How prepared are organisations to tackle ransomware attacks? - Help Net Security

• Lorenz ransomware breaches corporate network via phone systems (bleepingcomputer.com)

• 3 Iranian nationals are accused of ransomware attacks on US victims (cnbc.com)

• Emotet botnet now pushes Quantum and BlackCat ransomware (bleepingcomputer.com)

• Cisco confirms Yanluowang ransomware leaked stolen company data (bleepingcomputer.com)

• DEV-0270 Hacker Group Uses Windows BitLocker Feature to Encrypt Systems (gbhackers.com)

• New York ambulance service discloses data breach after ransomware attack (bleepingcomputer.com)

• The ransomware problem won't get better until we change one thing | ZDNET

• Iranian Hackers Used Victims’ Printers to Issue Ransom Demands, DOJ Says (vice.com)

• Transparency, disclosure key to fighting ransomware (techtarget.com)

• Researchers Warn of 674% Surge in Deadbolt Ransomware - Infosecurity Magazine (infosecurity-magazine.com)

• Over Three-Quarters of Retailers Hit by Ransomware in 2021 - Infosecurity Magazine (infosecurity-magazine.com)

• Cisco Data Breach Attributed to Lapsus$ Ransomware Group (darkreading.com)

• Ransomware Group Leaks Files Stolen From Cisco | SecurityWeek.Com

• The LA School District Cyber Attack Keeps Unravelling – Expert Comments (informationsecuritybuzz.com)

Phishing & Email Based Attacks

• Revolut hit by ‘phishing’ cyber attack | Business | The Times

• Crooks are using lures related to Her Majesty Queen Elizabeth II in phishing attacks - Security Affairs

• Phishing page embeds keylogger to steal passwords as you type (bleepingcomputer.com)

• Hackers now use ‘sock puppets’ for more realistic phishing attacks (bleepingcomputer.com)

• Phishers take aim at Facebook page owners - Help Net Security

• New Spear Phish Methodology Relies on PuTTY SSH Client to Infect Systems - Infosecurity Magazine (infosecurity-magazine.com)

• Real Estate Phish Swallows 1,000s of Microsoft 365 Credentials (darkreading.com)

• Death of Queen Elizabeth II exploited to steal Microsoft credentials (bleepingcomputer.com)

• Potential phishing activity update - NCSC.GOV.UK

Other Social Engineering; Smishing, Vishing, etc

• Serious Breach at Uber Spotlights Hacker Social Deception | SecurityWeek.Com

Malware

• Hackers Are Using WeTransfer Links To Spread Malware (informationsecuritybuzz.com)

• New malware bundle self-spreads through YouTube gaming videos (bleepingcomputer.com)

• Linux variant of the SideWalk backdoor discovered - Help Net Security

• Malware on Pirated Content Sites a Major WFH Risk for Enterprises (darkreading.com)

• How to spot and avoid scams and malware in search results - The Washington Post

• Gay hookup site typosquatted to push dodgy Chrome extensions, scams (bleepingcomputer.com)

Mobile

• Google Patches Critical Vulnerabilities in Pixel Phones | SecurityWeek.Com

• Apple patches iPhone and macOS flaws under active attack • The Register

Internet of Things – IoT

• Securing your IoT devices against cyber attacks in 5 steps (bleepingcomputer.com)

• EU Wants to Toughen Cyber Security Rules for Smart Devices | SecurityWeek.Com

Data Breaches/Leaks

• Uber hacked, internal systems breached and vulnerability reports stolen (bleepingcomputer.com)

• LastPass says hackers had internal access for four days (bleepingcomputer.com)

• Hacker sells stolen Starbucks data of 219,000 Singapore customers (bleepingcomputer.com)

• U-Haul discloses data breach exposing customer driver licenses (bleepingcomputer.com)

• Hackers Compromise Employee Data at PVC-Maker Eurocell - Infosecurity Magazine (infosecurity-magazine.com)

Organised Crime & Criminal Actors

• Chinese-linked cyber crims nab $529 million from India • The Register

• Cyber Crime Forum Admins Steal from Site Users - Infosecurity Magazine (infosecurity-magazine.com)

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

• Police arrest man for laundering tens of millions in stolen crypto (bleepingcomputer.com)

• US regulators say multi-billion-dollar crypto lender Celsius was operating like a ponzi scheme | PC Gamer

• Hackers Targeting WebLogic Servers and Docker APIs for Mining Cryptocurrencies (thehackernews.com)

• Fake cryptocurrency giveaway sites have tripled this year (bleepingcomputer.com)

• Crypto Scams Skyrocket - IT Security Guru

• A Post-exploitation Look at Coinminers Abusing WebLogic Vulnerabilities (trendmicro.com)

• DOJ drops report on cryptocurrency crime efforts (techtarget.com)

• 76% Of Financial Institutions Plan On Using Crypto In The Next 3 Years (informationsecuritybuzz.com)

• How Can You Tell if a Cryptocurrency is Legitimate? Read Our Guide To Find Out - IT Security Guru

Insider Risk and Insider Threats

• 5 Ways to Mitigate Your New Insider Threats in the Great Resignation (thehackernews.com)

• Ex-Broadcom engineer asks for no prison in trade secret case • The Register

Fraud, Scams & Financial Crime

• Microsoft Edge’s News Feed ads abused for tech support scams (bleepingcomputer.com)

• Cops Raid Suspected Fraudster Penthouses - Infosecurity Magazine (infosecurity-magazine.com)

• How to spot and avoid scams and malware in search results - The Washington Post

• Tax fraud ring leader jailed for selling children’s stolen identities (bleepingcomputer.com)

AML/CFT/Sanctions

• Spanish police arrest ‘one of Europe’s biggest money launderers’ | Financial Times (ft.com)

Insurance

• Coalition Cyber Insurance - Small Businesses Prime Targets (informationsecuritybuzz.com)

Dark Web

• Documents For Sale on the Dark Web - IT Security Guru

Supply Chain and Third Parties

• Hackers breach software vendor for Magento supply-chain attacks (bleepingcomputer.com)

• WordPress sites backdoored after FishPig supply chain attack • The Register

Denial of Service DoS/DDoS

• DDoS Attacks on UK Firms Surge During Ukraine War - Infosecurity Magazine (infosecurity-magazine.com)

• Akamai stopped new record-breaking DDoS attack in Europe (bleepingcomputer.com)

Cloud/SaaS

• 5 ways to improve your cloud security posture (techtarget.com)

• Excess privilege in the cloud is a universal security problem, IBM says | CSO Online

• Organisations lack visibility into unauthorised public cloud data access - Help Net Security

• One-third of enterprises don’t encrypt sensitive data in the cloud | CSO Online

Attack Surface Management

• Cyber attack trends vs. growing IT complexity - Help Net Security

• Outdated infrastructure remains a problem against sophisticated cyber attacks - Help Net Security

Shadow IT

• Use shadow IT discovery to find unauthorized devices and apps (techtarget.com)

Encryption

• Keep Today's Encrypted Data From Becoming Tomorrow's Treasure (darkreading.com)

API

• Hackers Targeting WebLogic Servers and Docker APIs for Mining Cryptocurrencies (thehackernews.com)

• API security—and even visibility—isn’t getting handled by enterprises | CSO Online

• Bad bots are coming at APIs! How to beat the API bot attacks? - Help Net Security

Open Source

• When It Comes to Security, Don’t Overlook Your Linux Systems | SecurityWeek.Com

• 40% of pros scaled back back open source use over security • The Register

• You never walk alone: The SideWalk backdoor gets a Linux variant | WeLiveSecurity

Passwords, Credential Stuffing & Brute Force Attacks

• IHG Was Hacked Using Password “Qwerty1234” - LoyaltyLobby

Social Media

• Thwarting attackers in their favourite new playground: Social media - Help Net Security

• Twitter whistleblower tells Senate of ‘egregious’ security failings by company | Twitter | The Guardian

• Cyber attackers Abuse Facebook Ad Manager in Savvy Credential-Harvesting Campaign (darkreading.com)

Training, Education and Awareness

• Security Awareness Training Must Evolve to Align With Growing E-Commerce Security Threats (darkreading.com)

Parental Controls and Child Safety

• Cyber Crime Fears for Children as Cost-of-Living Bites - Infosecurity Magazine (infosecurity-magazine.com)

Regulations, Fines and Legislation

• 10 Steps to Successfully Navigate Cyber Security Compliance - MSSP Alert

Models, Frameworks and Standards

• Don’t Put Preparation on Pause: CMMC 2.0 is Coming Quicker Than You Think - MSSP Alert

Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine

• Montenegro Under Cyber Attack, Russia Blamed, All NATO States Would Be (informationsecuritybuzz.com)

• DDoS Attacks on UK Firms Surge During Ukraine War - Infosecurity Magazine (infosecurity-magazine.com)

• New Cyberespionage Group 'Worok' Targeting Entities in Asia | SecurityWeek.Com

• ShadowPad Threat Actors Return With Fresh Government Strikes, Updated Tools (darkreading.com)

Nation State Actors

Nation State Actors – Russia

• Montenegro Wrestles With Massive Cyber Attack, Russia Blamed | SecurityWeek.Com

• Russia’s cyber future connected at the waist to Soviet military industrial complex | CSO Online

Nation State Actors – North Korea

• North Korea-linked APT spreads tainted versions of PuTTY via WhatsApp - Security Affairs

Nation State Actors – Iran

• Iranian cyber spies use multi-persona impersonation in phishing threads | CSO Online

• Albania says Iranian hackers hit the country with another cyber attack - CyberScoop

• US, UK, Canada and Australia Link Iranian Government Agency to Ransomware Attacks | SecurityWeek.Com

• Iranian Hackers Target High-Value Targets in Nuclear Security and Genomic Research (thehackernews.com)

• Iranian Hackers Used Victims’ Printers to Issue Ransom Demands, DOJ Says (vice.com)

Vulnerability Management

• Backlogs larger than 100K+ vulnerabilities but too time-consuming to address - Help Net Security

Vulnerabilities

• Microsoft September 2022 Patch Tuesday fixes zero-day used in attacks, 63 flaws (bleepingcomputer.com)

• Adobe Patches 63 Security Flaws in Patch Tuesday Bundle | SecurityWeek.Com

• CISA orders agencies to patch vulnerability used in Stuxnet attacks (bleepingcomputer.com)

• Chrome 105 Update Patches High-Severity Vulnerabilities | SecurityWeek.Com

• Microsoft Teams stores auth tokens as cleartext in Windows, Linux, Macs (bleepingcomputer.com)

• Microsoft Quashes Actively Exploited Zero-Day, Wormable Critical Bugs (darkreading.com)

• Apple fixed the eighth actively exploited zero-day this year - Security Affairs

• Cisco Patches High-Severity Vulnerability in SD-WAN vManage | SecurityWeek.Com

• Over 280,000 WordPress Sites Attacked Using WPGateway Plugin Zero-Day Vulnerability (thehackernews.com)

• Over 280,000 WordPress sites may have been hijacked by zero-day hiding in popular plugin | TechRadar

• High-Severity Firmware Security Flaws Left Unpatched in HP Enterprise Devices (thehackernews.com)

• CISA added 2 more security flaws to its Known Exploited Vulnerabilities Catalog - Security Affairs

• ManageEngine Password Management Vulnerability and Patch: Details for MSPs, MSSPs - MSSP Alert

Reports Published in the Last Week

• Falcon OverWatch Threat Hunting Report 2022 | CrowdStrike

• Cyber Security: Benchmarking Security Gaps & Privileged Access (delinea.com)

Other News

• MSPs and cyber security: The time for turning a blind eye is over - Help Net Security

• Red Teaming to Reduce Cyber Risk (trendmicro.com)

• Organisations should fear misconfigurations more than vulnerabilities - Help Net Security

• Companies need data privacy plan before joining metaverse (techtarget.com)

• Lens reflections may betray your secrets in Zoom video calls • The Register

• US Government Wants Security Guarantees From Software Vendors | SecurityWeek.Com

• Serious Security: Browser-in-the-browser attacks – watch out for windows that aren’t! – Naked Security (sophos.com)

• The Cyber Security Head Game | Psychology Today South Africa

• Cyber Security Report: Average Data Breach in US Costs $9.4 Million - MSSP Alert

• 5 Best Practices for Building Your Data Loss Prevention Strategy (darkreading.com)

• Hands-on cyber attacks jump 50%, CrowdStrike reports | CSO Online

• Penetration Testing Report: Security Misconfiguration Is "Top Vulnerability" - MSSP Alert

• Twitter whistleblower: Lack of access, data controls invite exploitation | SC Media (scmagazine.com)

• Cost of Living Crisis Impact on Online Activity - IT Security Guru

• Attacker Apparently Didn't Have to Breach a Single System to Pwn Uber (darkreading.com)

• Zoom outage left users unable to sign in or join meetings (bleepingcomputer.com)

• Five ways your data may be at risk — and what to do about it (bleepingcomputer.com)

• Notepad++ Plugins Allow Attackers to Infiltrate Systems, Achieve Persistence - Infosecurity Magazine (infosecurity-magazine.com)

• Twitter's ex-security boss Zatko disses biz as dysfunctional • The Register

• Don't Let Your Home Wi-Fi Get Hacked. Here's What to Do - CNET

• How serious are organisations about their data sovereignty strategies? - Help Net Security

• Undermining Microsoft Teams Security By Mining Tokens (informationsecuritybuzz.com)

Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

·       Automotive

·       Construction

·       Critical National Infrastructure (CNI)

·       Defence & Space

·       Education & Academia

·       Energy & Utilities

·       Estate Agencies

·       Financial Services

·       FinTech

·       Food & Agriculture

·       Gaming & Gambling

·       Government & Public Sector (including Law Enforcement)

·       Health/Medical/Pharma

·       Hotels & Hospitality

·       Insurance

·       Legal

·       Manufacturing

·       Maritime

·       Oil, Gas & Mining

·       OT, ICS, IIoT, SCADA & Cyber-Physical Systems

·       Retail & eCommerce

·       Small and Medium Sized Businesses (SMBs)

·       Startups

·       Telecoms

·       Third Sector & Charities

·       Transport & Aviation

·       Web3

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

• 79% Of Companies Only Invest in Cyber Security After Hacking Incidents

The British cyber security company Tanium published a survey on investments in digital protection in UK companies with alarming results: 79% of them only approve investments in cyber security after suffering a data breach; 92% experienced a data attack or breach, of which 74% occurred in 2021. Leadership reticence is also high, with 63% of leaders convinced cyber security is only a concern after an attack.

The complexity of the situation has grown with the digital transformation of work. If it streamlines many processes, it can also open up serious security gaps. A sensitive point is the “home office”: companies need effective solutions to eliminate gaps that may appear between employees’ computers (often shared devices) and the company’s internal network.

Putting in solutions is just the beginning of a necessary strategy and investment effort in virtual protection. Complex scams based on phishing, reverse engineering, and backdoor-type malicious programs (“planted” discreetly on a device and sometimes inactive for months) often combine real-world and virtual-world fraud.

The escalation of corporate data hijacking appears in this scenario. The most notorious case at a global level of such an incident, with a million-dollar ransom demand, was launched in 2021 on Colonial Pipeline. This US company paid $40 million to regain control over strategic data after fuel supplies through its pipelines to several states were threatened for days.

https://informationsecuritybuzz.com/infosec-news/79-of-the-companies-only-invest-in-cybersecurity-after-hacking-incidents/

• Nearly Half of Breaches During First Half of 2022 Involved Stolen Credentials

According to a new report by Acronis, a Switzerland-based cyber security company, nearly half of breaches during the first six months of 2022 involved stolen credentials.

The goal of stealing credentials is to launch ransomware attacks. According to the report, these “continue to be the number one threat to large and medium-sized businesses, including government organisations.”

Attackers usually use phishing techniques to extract these credentials. In the first half of the year, over 600 malicious email campaigns made their way across the internet, of which 58% were phishing attempts and 28% featured malware.

Acronis also added that “as reliance on the cloud increases, attackers have homed in on different entryways to cloud-based networks.”

Additionally, cyber criminals now also target unpatched or software vulnerabilities to extract data, with a recent increase on Linux operating systems and managed service providers (MSPs) and their network of SMB customers.

The third vector spotted by Acronis was “non-traditional entry avenues” such as cryptocurrencies and decentralised finance (DeFi) systems.

https://www.itsecurityguru.org/2022/08/30/nearly-half-of-breaches-during-first-half-of-2022-involved-stolen-credentials/

• Outdated Infrastructure Not Up to Today’s Ransomware Challenges

A global research commissioned by Cohesity reveals that nearly half of respondents say their company depends on outdated, legacy backup and recovery infrastructure to manage and protect their data. In some cases, this technology is more than 20 years old and was designed long before today’s multicloud era and onslaught of sophisticated cyber attacks plaguing enterprises globally.

Challenges pertaining to outdated infrastructure could easily be compounded by the fact that many IT and security teams don’t seem to have a plan in place to mobilise if and when a cyber attack occurs. Nearly 60% of respondents expressed some level of concern that their IT and security teams would be able to mobilise efficiently to respond to the attack.

These are just some of the findings from an April 2022 survey, conducted by Censuswide, of more than 2,000 IT and SecOps professionals (split nearly 50/50 between the two groups) in the United States, the United Kingdom, Australia and New Zealand. All respondents play a role in the decision-making process for IT or security within their organisations.

IT and security teams should raise the alarm bell if their organisation continues to use antiquated technology to manage and secure their most critical digital asset – their data.

Cyber criminals are actively preying on this outdated infrastructure as they know it was not built for today’s dispersed, multicloud environments, nor was it built to help companies protect and rapidly recover from sophisticated cyber attacks.

https://www.helpnetsecurity.com/2022/08/30/outdated-infrastructure-manage-data/

• Ghost Data Increases Enterprise Business Risk

IT has to get its hands around cloud data sprawl. Another area of focus should be on ghost data, as it expands the organisation's cloud attack surface.

Cloud sprawl is a big issue for organisations, with business teams spinning up cloud systems and services on their own, often without IT oversight. That leads to cloud data sprawl as data is scattered across different environments. If IT doesn’t know about the cloud systems and services, then IT is also not managing the data being collected, processed, and stored there.

We all know about shadow IT, the systems and network devices in the organisation’s environment that IT is not managing. Similarly, shadow data refers to unmanaged data store copies and snapshots or log data that are not part of IT’s backup and recovery strategy. Researchers at Cyera estimate that 60% of the data security posture issues that are present in cloud accounts stem from unsecured sensitive data.

Then there is the problem of ghost data. When data gets deleted from cloud systems, it isn’t fully gone. Copies linger in backups or snapshots of data stores. Ghost data refers to those copies left behind after the original has been deleted, and Cyera’s recent analysis show that enterprises have quite a lot of it.

After scanning the three major cloud providers (Amazon Web Services, Azure, and Google Cloud), Cyera researchers found that over 30% of scanned customer cloud data stores are ghost data and more than 58% contain sensitive, or very sensitive, data. For example, researchers found unsecured database snapshots in non-production environments that contained sensitive customer data where the original database had been destroyed. Researchers also uncovered sensitive personal and authentication data in plain text where the production data and application were no longer in use.

Ghost data usually has no business value - the data was deleted for a reason - and having it around unnecessarily increases business risk. Attackers don’t care if they get their hands on the original sensitive information or the copy because to them, all data has value, regardless of the form it takes.

https://www.darkreading.com/edge-threat-monitor/ghost-data-increases-enterprise-business-risk

• Detected Cyber Threats Surge 52% in 1H 2022

A leading cyber security vendor blocked 63 billion threats in the first half of 2022 alone, over 50% more than the same period a year ago.

The findings come from the Trend Micro 2022 Midyear Cybersecurity Report and illustrate the scale of the challenge facing network defenders.

Trend Micro highlighted the persistent threat posed by ransomware-as-a-service (RaaS) groups as one that will continue to cause major challenges for organisations in the years to come.

It said detections of prolific groups such as LockBit and Conti increased by 500% year-on-year in 1H 2022. Such groups will continue to adapt their tactics, techniques and procedures (TTPs) in the race for profits.

The report warned of a surge in threats targeting Linux systems, for example. It said detections of attacks on Linux servers and embedded systems grew 75% year-on-year in the first half of 2022. Both SMBs and larger organisations are now a target, it claimed.

Many RaaS groups exploit vulnerabilities as a primary attack vector. Their job is getting easier as the number of published common vulnerabilities and exposures (CVEs) continues to grow strongly.

Trend Micro’s Zero Day Initiative published advisories on 944 vulnerabilities in the first half of 2021, a 23% year-on-year increase. The number of critical bug advisories it published soared by 400% over the same period.

https://www.infosecurity-magazine.com/news/detected-cyberthreats-surge-52-in/

• An Interview with Initial Access Broker Wazawaka: ‘There Is No Such Money Anywhere as There is in Ransomware’

Last April, a ransomware group threatened to expose police informants and other sensitive information if the Washington, D.C. Metropolitan Police Department did not pay a demand.

The brazen attack was the work of a gang known as Babuk, which in early 2021 gained a reputation for posting stolen databases on its website from victims that refused to pay a ransom. Just days after it tried to extort the Metropolitan Police Department, Babuk announced it was closing its ransomware affiliate program, and would focus on data theft and extortion instead.

Earlier this year, cyber security journalist Brian Krebs uncovered details about one man behind the operation named Mikhail Matveev, who was also connected to a number of other groups and identities, including the handle ‘Wazawaka.’ According to Krebs, Matveev had become more unhinged than usual, “publishing bizarre selfie videos” and creating a Twitter account to share exploit code.

Matveev talked to Recorded Future about his interaction with other hackers, details about ransomware attacks he’s been involved in, and how he settled on the name Babuk.

Click the link below for the full interview but the long and short is ransomware has created a criminal ecosystem the likes of which the world has never seen.

https://therecord.media/an-interview-with-initial-access-broker-wazawaka-there-is-no-such-money-anywhere-as-there-is-in-ransomware/

• Cyber Crime Underground More Dangerous Than Organisations Realise

Kela, a cyber threat intelligence specialist, found in a new study of some 400 security pros in the US that organisations are more at risk from the “cyber crime underground” than they realise.

The Israel-based company surveyed security team members responsible for gathering cyber crime threat intelligence daily to better understand if they’re proactively scanning the dark web and other cyber crime sources, what tools they’re using and the gaps they see in their cyber crime threat intelligence approach. Nearly 60% of the respondents do not believe their current cyber crime prevention is effective, the results showed.

Here are the study’s key findings:

• 69% are concerned about threats from the cyber crime underground.

• 54% wouldn’t be surprised to find their organisation’s data on the cyber crime underground.

• Only 38% believe that they’re very likely to detect it if it was released.

• 48% have no documented cyber crime threat intelligence policy in place.

• Only 41% believe their current security program is very effective.

• 49% are not satisfied with the visibility they have of the cyber crime underground.

• Of the 51% who were satisfied with their visibility into the cyber crime underground, 39% were still unable to prevent an attack.

• Additional training and proficiency in cyber crime intelligence investigations is the most needed capability.

https://www.msspalert.com/cybersecurity-research/cybercrime-underground-more-dangerous-than-organizations-realize-threat-intelligence-firm-warns/

• New Ransomware Group BianLian Activity Exploding

A new ransomware group operating under the name BianLian emerged in late 2021 and has become increasingly active since.

The threat actor already has twenty alleged victims across several industries (insurance, medicine, law and engineering), according to a research paper from US cyber security firm Redacted, published on September 1, 2022. The majority of the victim organisations have been based in Australia, North America and the UK.

The research team has given no attribution yet but believes the threat actor “represents a group of individuals who are very skilled in network penetration but are relatively new to the extortion/ransomware business.”

BianLian uses a custom toolkit, including homemade encryptors and encryption backdoors. Both, as well as the command-and-control (C&C) software the hackers use, are written in Go, an increasingly popular programming language among ransomware threat actors.

Troublingly, the Redacted team of researchers has found evidence that BianLian is likely now trying to up their game.

https://www.infosecurity-magazine.com/news/new-ransomware-group-bianlian/

• Can Your Passwords Withstand Threat Actors’ Dirty Tricks?

Password security hinges on the answer to that seemingly simple question. Unfortunately, you can’t know the answer until you’ve engaged a ruthless penetration tester to find out if your environment can stand up to the frighteningly good password cracking skills of today’s most nefarious hackers.

The whole purpose of hiring skilled penetration testers (“pentesters”) is to find out if your environment is truly impenetrable — and if it’s not, exactly how you should shore up your defences. Good pentesters and red teamers spend their time trying to simulate and emulate the real bad actors. After all, what’s the point of pressure-testing your IT infrastructure if you don’t use the same pressure that you’ll face in the real world?

You should “train like you fight.” Without sparring, how can you expect to jump into a boxing ring and go a few rounds with a skilled boxer? That’s the entire point of goal-based penetration testing and red/purple team engagements that simulate real-world threat actors.

Password cracking will continue to evolve – and so should your penetration testing tactics and plans. By the time you get to your fourth or fifth round with a quality pentesting consultancy, your risk mitigation will have dramatically improved — which means you’ll be able to move on to the next stage of security maturity.

https://www.helpnetsecurity.com/2022/08/30/stand-up-to-password-cracking/

• Ransomware Gangs’ Favourite Targets

Barracuda released its fourth-annual threat research report which looks at ransomware attack patterns that occurred between August 2021 and July 2022.

For the 106 highly publicised attacks our researchers analysed, the dominant targets are still five key industries: education (15%), municipalities (12%), healthcare (12%), infrastructure (8%), and financial (6%). The number of ransomware attacks increased year-over-year across each of these five industry verticals, and attacks against other industries more than doubled compared to last year’s report.

While attacks on municipalities increased only slightly, the analysis over the past 12 months showed that ransomware attacks on educational institutions more than doubled, and attacks on the healthcare and financial verticals tripled. Many choose not to disclose when they get hit.

This year, researchers dug in deeper on these highly publicised attacks to see which other industries are starting to be targeted. Service providers were hit the most, and ransomware attacks on automobile, hospitality, media, retail, software, and technology organisations all increased as well.

Most ransomware attacks don’t make headlines, though. Many victims choose not to disclose when they get hit, and the attacks are often sophisticated and extremely hard to handle for small businesses.

As ransomware and other cyber threats continue to evolve, the need for adequate security solutions has never been greater. Many cyber criminals target small businesses in an attempt to gain access to larger organisations. As a result, it is essential for security providers to create products that are easy to use and implement, regardless of a company’s size.

Additionally, sophisticated security technologies should be available as services, so that businesses of all sizes can protect themselves against these ever-changing threats. By making security solutions more accessible and user-friendly, the entire industry can help to better defend against ransomware and other cyber attacks.

https://www.helpnetsecurity.com/2022/08/31/ransomware-attack-patterns/

• Tentacles of ‘0ktapus’ Threat Group Victimise 130 Firms

Over 130 companies were tangled in sprawling phishing campaign that spoofed a multi-factor authentication system.

Targeted attacks on Twilio and Cloudflare employees are tied to a massive phishing campaign that resulted in 9,931 accounts at over 130 organisations being compromised. The campaigns are tied to focused abuse of identity and access management firm Okta, which gained the threat actors the 0ktapus moniker, by researchers.

The primary goal of the threat actors was to obtain Okta identity credentials and multi-factor authentication (MFA) codes from users of the targeted organisations. These users received text messages containing links to phishing sites that mimicked the Okta authentication page of their organisation.

114 US-based firms were impacted, with additional victims of sprinkled across 68 additional countries. The full scope of the attack is still unknown but the 0ktapus campaign has been incredibly effective, and the full scale of it may not be known for some time.

The 0ktapus attackers are believed to have begun their campaign by targeting telecommunications companies in hopes of winning access to potential targets’ phone numbers.

While unsure exactly how threat actors obtained a list of phone numbers used in MFA-related attacks, one theory researchers posit is that 0ktapus attackers began their campaign targeting telecommunications companies.

https://threatpost.com/0ktapus-victimize-130-firms/180487/

• Organisations Are Spending Billions on Malware Defence That’s Easy to Bypass

Last year, organisations spent $2 billion on products that provide Endpoint Detection and Response, a relatively new type of security protection for detecting and blocking malware targeting network-connected devices. EDRs, as they're commonly called, represent a newer approach to malware detection. Static analysis, one of two more traditional methods, searches for suspicious signs in the DNA of a file itself. Dynamic analysis, the other more established method, runs untrusted code inside a secured "sandbox" to analyse what it does to confirm it's safe before allowing it to have full system access.

EDRs—which are forecasted to generate revenue of $18 billion by 2031 and are sold by dozens of security companies—take an entirely different approach. Rather than analyse the structure or execution of the code ahead of time, EDRs monitor the code's behaviour as it runs inside a machine or network. In theory, it can shut down a ransomware attack in progress by detecting that a process executed on hundreds of machines in the past 15 minutes is encrypting files en masse. Unlike static and dynamic analyses, EDR is akin to a security guard that uses machine learning to keep tabs in real time on the activities inside a machine or network.

Despite the buzz surrounding EDRs, new research suggests that the protection they provide isn't all that hard for skilled malware developers to circumvent. In fact, the researchers behind the study estimate EDR evasion adds only one additional week of development time to the typical infection of a large organisational network. That's because two fairly basic bypass techniques, particularly when combined, appear to work on most EDRs available in the industry.

https://arstechnica.com/information-technology/2022/08/newfangled-edr-malware-detection-generates-billions-but-is-easy-to-bypass/

Threats

Ransomware

• Global Ransomware Damages to Exceed $30bn by 2023 - Infosecurity Magazine (infosecurity-magazine.com)

• Ransomware Research: 10 Key Findings, Five Ways to Defend Against Hijackers - MSSP Alert

• Cyber Attack: Spike in Ransomware Threat to More Than 1.2 Million Per Month Between January-June, Says Report | LatestLY

• LockBit ransomware gang gets aggressive with triple-extortion tactic (bleepingcomputer.com)

• New Golang-based 'Agenda Ransomware' Can Be Customized For Each Victim (thehackernews.com)

• Chile and Montenegro Floored by Ransomware - Infosecurity Magazine (infosecurity-magazine.com)

• Researchers Detail Emerging Cross-Platform BianLian Ransomware Attacks (thehackernews.com)

• Ragnar Locker Brags About TAP Air Portugal Breach (darkreading.com)

• Police ‘negotiating with hackers’ who hit Paris hospital computer system | World | The Times

• Advanced cyber-attack: NHS doctors' paperwork piles up - BBC News

• Another Ransomware For Linux Likely In Development - Security Affairs

• Montenegro hit by ransomware attack, hackers demand $10 million (bleepingcomputer.com)

• Should ransomware payments be banned? A few considerations - Help Net Security

• Researchers Spot Snowballing BianLian Ransomware Gang Activity (darkreading.com)

• Ragnar Locker continues trend of ransomware targeting energy sector | CSO Online

• BlackCat ransomware claims attack on Italian energy agency (bleepingcomputer.com)

• Italian Oil Major Becomes Victim Of Ransomware Attack | OilPrice.com

• Damart clothing store hit by Hive ransomware, $2 million demanded (bleepingcomputer.com)

• Baker & Taylor's Systems Remain Offline a Week After Ransomware Attack - Infosecurity Magazine (infosecurity-magazine.com)

• Gloucester Council planning site still disrupted from cyber attack - BBC News

BEC – Business Email Compromise

• How BEC attacks on human capital management systems are increasing - Help Net Security

Malware

• Malicious Cookie Stuffing Chrome Extensions with 1.4 Million Users | McAfee Blog

• A study on malicious plugins in WordPress Marketplaces - Security Affairs

• Prynt Stealer Contains a Backdoor to Steal Victims' Data Stolen by Other Cyber criminals (thehackernews.com)

• New Evidence Links Raspberry Robin Malware to Dridex and Russian Evil Corp Hackers (thehackernews.com)

• BumbleBee a New Modular Backdoor Evolved From BookWorm (trendmicro.com)

• Malicious Chrome Extensions Plague 1.4M Users (darkreading.com)

Mobile

• Mobile banking apps put 300,000 digital fingerprints at risk • The Register

• Researcher unveils smart lock hack for fingerprint theft (techtarget.com)

• Source Code of Over 1800 Android and iOS Apps Gives Access to AWS Credentials - Infosecurity Magazine (infosecurity-magazine.com)

Internet of Things – IoT

• Skyrocketing IoT Bug Disclosures Put Pressure on Security Teams (darkreading.com)

• Singapore clocks higher ransomware attacks, warns of IoT risks | ZDNET

• Standards Body Publishes Guidelines for IoT Security Testing - Infosecurity Magazine (infosecurity-magazine.com)

• ieGeek Vulnerabilities still prevalent in 2022 - Amazon Ft. IG20 (realinfosec.net)

Data Breaches/Leaks

• Evil Corp and Conti Linked to Cisco Data Breach, eSentire Suggests - Infosecurity Magazine (infosecurity-magazine.com)

• Okta Says Customer Data Compromised in Twilio Hack | SecurityWeek.Com

• Password Manager With 25 Million Users Confirms Breach, Expert Weighs In (informationsecuritybuzz.com)

• Neopets says hackers had access to its systems for 18 months (bleepingcomputer.com)

• Akasa Air Suffers Data Leak on First Day of Operation- IT Security Guru

• Samsung says hackers obtained some customer data in newly disclosed breach | Engadget

• Millions of student loan accounts exposed in data breach | TechRadar

• Russian streaming platform confirms data breach affecting 7.5M users (bleepingcomputer.com)

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

• FBI: Crooks stole $1b+ in cryptocurrency already this year • The Register

• Ukraine takes down cyber crime group hitting crypto fraud victims (bleepingcomputer.com)

• FBI: Crooks are using these DeFi flaws to steal your money | ZDNET

• Windows malware delays coinminer install by a month to evade detection (bleepingcomputer.com)

• Cryptominer Disguised as Google Translate Targeted 11 Countries - Infosecurity Magazine (infosecurity-magazine.com)

• Crypto-Crooks Spread Trojanized Google Translate App in Watering-Hole Attack (darkreading.com)

• Hackers Use ModernLoader to Infect Systems with Stealers and Cryptominers (thehackernews.com)

Insider Risk and Insider Threats

• West Yorkshire PC due in court over police computer searches - BBC News

Fraud, Scams & Financial Crime

• Big Banks vs. Big Tech: Who Is Liable For Online Fraud? (informationsecuritybuzz.com)

Insurance

• Cyber insurance has been around for 25 years. It’s still a bit of a mess. (slate.com)

• Who Pays for an Act of Cyber War? | WIRED

• Travelers, Policyholder Agree to Void Current Cyber Policy (insurancejournal.com)

• Cyber Frauds Skyrocket: Can Cyber Insurance Protect You in Real World? Experts Explain (news18.com)

• Google Cloud, Microsoft and AWS dive into cyber insurance - Protocol

• Cyber Insurance Price Hike Hits Local Governments Hard (insurancejournal.com)

• Insurers must rethink handling of cyber attacks on states | Financial Times (ft.com)

• Cyber insurance on rise as attacks surge | Mint (livemint.com)

Dark Web

• German man charged for trying to hire fake contract killer on darkweb | Euronews

• COVID-19 data put for sale on Dark Web - Security Affairs

• NATO Investigates Dark Web Leak of Data Stolen From Missile Vendor (darkreading.com)

Supply Chain and Third Parties

• PyPI Phishing Campaign | JuiceLedger Threat Actor Pivots From Fake Apps to Supply Chain Attacks - SentinelOne

Software Supply Chain

• NSA and CISA share tips to secure the software supply chain (bleepingcomputer.com)

Denial of Service DoS/DDoS

• DDoS activity launched by patriotic hacktivists is on the rise - Help Net Security

Cloud/SaaS

• 1 in 3 organisations don't know if their public cloud data was exfiltrated - Help Net Security

• Real-World Cloud Attacks: The True Tasks of Cloud Ransomware Mitigation (darkreading.com)

Encryption

• CISA: Prepare now for quantum computers, not when hackers use them (bleepingcomputer.com)

• Homomorphic encryption: a holy grail for privacy, explained (fastcompany.com)

API

• The 4 Most Common OWASP API Security - IT Security Guru

Open Source

• Linux devices 'increasingly' under attack from hackers, warn security researchers | ZDNET

Passwords, Credential Stuffing & Brute Force Attacks

• LastPass source code breach – do we still recommend password managers? – Naked Security (sophos.com)

Social Media

• Social media is ruining our lives and the public are finally waking up (telegraph.co.uk)

• LinkedIn New Hacking Scam (informationsecuritybuzz.com)

• Thousands lured with blue badges in Instagram phishing attack (bleepingcomputer.com)

Training, Education and Awareness

• (ISC)² Launches 'Certified in Cybersecurity' Entry-Level Certification to Address Global Workforce Gap (darkreading.com)

Privacy

• Trident Royal Navy staff reveal sensitive data on fitness app | News | The Times

• Cops wanted to keep mass surveillance app secret; privacy advocates refused | Ars Technica

• US telcos admit to storing, handing over location data • The Register

• Facebook moves to settle Cambridge Analytica lawsuit | TechCrunch

• Homomorphic encryption: a holy grail for privacy, explained (fastcompany.com)

• Nobody’s special to the WFH software spies | Comment | The Times

Travel

• Cyber Safety for Summer Vacation | SecurityWeek.Com

Parental Controls and Child Safety

• Scammers Targeting Thousands Of Children As Young As Six, Figures Show (informationsecuritybuzz.com)

• Over a Third of Parents Do Not Know What Online Accounts Their Children Use - IT Security Guru

Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine

• Why Russia's cyber war in Ukraine hasn't played out as predicted (newatlas.com)

• Ukraine's army of hackers failed to thwart Russia and quickly gave up | New Scientist

• Cyber criminals Apparently Involved in Russia-Linked Attack on Montenegro Government | SecurityWeek.Com

• Who Pays for an Act of Cyber War? | WIRED

• Moscow gridlock as hackers send dozens of taxis to Hotel Ukraine (telegraph.co.uk)

• Finland To Offer Businesses Cybersec Vouchers In Wake Of Nato-related (informationsecuritybuzz.com)

• China-linked APT40 used ScanBox Framework in a long-running espionage campaign - Security Affairs

• Montenegro says Russian cyber attacks threaten key state functions (bleepingcomputer.com)

• Google says it cut off Russian disinformation sites from its vast ad display network - CyberScoop

• Ex-spies banned from arms exports for UAE hack-for-hire work • The Register

Nation State Actors

Nation State Actors – Russia

• Third-party hacking groups lose interest in Russia-Ukraine conflict, study claims | SC Media (scmagazine.com)

• FBI deploys cyber team to Montenegro following massive cyber attack | The Hill

• New Evidence Links Raspberry Robin Malware to Dridex and Russian Evil Corp Hackers (thehackernews.com)

• Montenegro Sent Back to Analog by Unprecedented Cyber Attacks | Balkan Insight

Nation State Actors – China

• Chinese Hackers Target Energy Firms in South China Sea | SecurityWeek.Com

• China-linked APT40 targets wind turbines, Aust. government • The Register

Nation State Actors – Misc

• Insurers must rethink handling of cyber attacks on states | Financial Times (ft.com)

Vulnerabilities

• Apple Quietly Releases Another Patch for Zero-Day RCE Bug (darkreading.com)

• Google Chrome emergency update fixes new zero-day used in attacks (bleepingcomputer.com)

• URGENT! Apple slips out zero-day update for older iPhones and iPads – Naked Security (sophos.com)

• WordPress 6.0.2 Patches Vulnerability That Could Impact Millions of Legacy Sites | SecurityWeek.Com

• Critical hole in Atlassian Bitbucket needs patching now • The Register

Reports Published in the Last Week

• Tackling the Growing and Evolving Digital Attack Surface 2022 Midyear Cybersecurity Report (trendmicro.com)

Other News

• Former Cyber criminal: These Are the Biggest Threats on the Internet (businessinsider.com)

• Stuxnet explained: The first known cyber weapon | CSO Online

• Infra Used in Cisco Hack Also Targeted Workforce Management Solution (thehackernews.com)

• Flicking the kill switch: governments embrace internet shutdowns as a form of control | Internet | The Guardian

• Okta Impersonation Technique Could be Utilized by Attackers | SecurityWeek.Com

• Remote Work Cyber Security: 12 Risks and How to Prevent Them (techtarget.com)

• Does your cyber crime prevention program work? - Help Net Security

• Does Blockchain really offer Better Digital Security? - IT Security Guru

• IT and Employees Don’t Always See Eye to Eye on Cyber Security - IT Security Guru

• New Cyber Security Regulations Are Coming. Here’s How to Prepare. (hbr.org)

• 3 Cyber Security Trends for 2022 - IT Security Guru

• Cyber security budget breakdown and best practices (techtarget.com)

• How Just-in-Time privilege elevation prevents data breaches and lateral movement - Help Net Security

Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

·       Automotive

·       Construction

·       Critical National Infrastructure (CNI)

·       Defence & Space

·       Education & Academia

·       Energy & Utilities

·       Estate Agencies

·       Financial Services

·       FinTech

·       Food & Agriculture

·       Gaming & Gambling

·       Government & Public Sector (including Law Enforcement)

·       Health/Medical/Pharma

·       Hotels & Hospitality

·       Insurance

·       Legal

·       Manufacturing

·       Maritime

·       Oil, Gas & Mining

·       OT, ICS, IIoT, SCADA & Cyber-Physical Systems

·       Retail & eCommerce

·       Small and Medium Sized Businesses (SMBs)

·       Startups

·       Telecoms

·       Third Sector & Charities

·       Transport & Aviation

·       Web3

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

• Lloyd's to Exclude Certain Nation-State Attacks from Cyber Insurance Policies

Lloyd's of London insurance policies will stop covering losses from certain nation-state cyber attacks and those that happen during wars, beginning in seven months' time.

In a memo sent to the company's 76-plus insurance syndicates, underwriting director Tony Chaudhry said Lloyd's remains "strongly supportive" of cyber attack coverage. However, as these threats continue to grow, they may "expose the market to systemic risks that syndicates could struggle to manage," he added, noting that nation-state-sponsored attacks are particularly costly to cover.

Because of this, all standalone cyber attack policies must include "a suitable clause excluding liability for losses arising from any state-backed cyber attack," Chaudhry wrote. These changes will take effect beginning March 31, 2023 at the inception or renewal of each policy.

At a minimum (key word: minimum) these policies must exclude losses arising from a war, whether declared or not, if the policy doesn't already have a separate war exclusion. They must also at least exclude losses from nation-state cyber attacks that "significantly impair the ability of a state to function or that significantly impair the security capabilities of a state."

Policies must also "set out a robust basis" on which to attribute state-sponsored cyber attacks, according to Chaudhry – and therein lies the rub.

Attributing a cyber attack to a particular crime group or nation-state with 100 percent confidence "is absolutely hard," NSA director of cybersecurity Rob Joyce said at this year's RSA Conference.

Threat analysts typically attribute an attack to a nation-state from its level of sophistication, but as advanced persistent crime groups become more sophisticated – and have more resources at their disposal to buy zero-day exploits and employ specialists for each stage of an attack – differentiating between nation-states and cyber crime gangs becomes increasingly difficult, he explained.

There are times when nation-states will act like criminals, using their tools and infrastructure, and sometimes vice versa. The clear line of sophistication and stealth that many have used as a common sense delineation has blurred. Yet, If you are going to pay out money you are likely going to look for something that is more ironclad and likely related to forensic evidence.

https://www.theregister.com/2022/08/24/lloyds_cybersecurity_insurance/

• Cyber Security Top Risk for Enterprise C-Suite Leaders, PwC Study Says

Cyber security is now firmly on the agenda of the entire C-suite, consultancy PricewaterhouseCoopers (PwC) reports in a new survey of more than 700 business leaders across a variety of industries.

Of key enterprise issues, cyber security ranks at the top of business risks, with nearly 80% of the respondents considering it a moderate to serious risk. The warning isn’t confined to just chief information security officers, but ranges from chief executives to chief financial officers, chief operating officers, chief technology officers, chief marketing officers and includes corporate board members. Virtually all roles ranked cyber attacks high on their list of risks, PwC said.

Overall, 40% of business leaders ranked cyber security as the top serious risk facing their companies, and 38% ranked it a moderate risk.

Here are six steps businesses can take to address cyber security concerns:

1. View cyber security as a broad business concern and not just an IT issue.

2. Build cyber security and data privacy into agendas across the C-suite and board.

3. Increase investment to improve security.

4. Educate employees on effective cyber security practices.

5. For each new business initiative or transformation, make sure there’s a cyber plan in place.

6. Use data and intelligence to regularly measure cyber risks. Proactively look for blind spots in third-party relationships and supply chains.

https://www.msspalert.com/cybersecurity-research/cybersecurity-top-risk-for-enterprise-c-suite-leaders-pwc-study-says/

• Apathy Is Your Company's Biggest Cyber Security Vulnerability — Here's How to Combat It

Human error continues to be the leading cause of a cyber security breach. Nearly 60% of organisations experienced a data loss due to an employee's mistake on email in the last year, while one in four employees fell for a phishing attack.

Employee apathy, while it may not seem like a major cyber security issue, can leave an organisation vulnerable to both malicious attacks and accidental data loss. Equipping employees with the tools and knowledge they need to prevent these risks has never been more important to keep organisations safe.

A new report from Tessian sheds light on the full extent of employee apathy and its impact on cyber security posture. The report found that a significant number of employees aren't engaged in their organisation's cyber security efforts and don't understand the role they play. One in three employees say they don't understand the importance of cyber security at work. What's more, only 39% say they're very likely to report a cyber security incident. Why? A quarter of employees say they don't care enough about cyber security to mention it.

This is a serious problem. IT and security teams can't investigate or remediate a threat they don't know about.

Employees play an important role in flagging incidents or suspicious activity early on to prevent them from escalating to a costly breach. Building a strong cyber security culture can mitigate apathy by engaging employees as part of the solution and providing the tools and training they need to work productively and securely.

https://www.darkreading.com/attacks-breaches/apathy-is-your-company-s-biggest-cybersecurity-vulnerability-here-s-how-to-combat-it

• The World’s Largest Sovereign Wealth Fund Warns Cyber Security Is Top Concern, as Attacks on Banks and Financial Service Double

Cyber security has eclipsed tumultuous financial markets as the biggest concern for the world’s largest sovereign wealth fund, as it faces an average of three “serious” cyber attacks each day.

The number of significant hacking attempts against Norway’s $1.2tn oil fund, Norges Bank Investment Management, has doubled in the past two to three years.

The fund, which reported its biggest half-year dollar loss last week after inflation and recession fears shook markets, suffers about 100,000 cyber attacks a year, of which it classifies more than 1,000 as serious, according to its top executives.

“I’m worried about cyber more than I am about markets,” their CEO told the Financial Times. “We’re seeing many more attempts, more attacks [that are] increasingly sophisticated.”

The fund’s top executives are even concerned that concerted cyber attacks are becoming a systemic financial risk as markets become increasingly digitised.

Their deputy CEO pointed to the 2020 attack on SolarWinds, a software provider, by Russian state-backed hackers that allowed them to breach several US government agencies, including the Treasury and Pentagon, and a number of Fortune 500 companies including Microsoft, Intel and Deloitte.

“They estimate there were 1,000 Russians [involved] in that one attack, working in a co-ordinated fashion. I mean, Jesus, that’s our whole building on one attack, so you’re up against some formidable forces there,” he said.

Cyber attacks targeting the financial industry have risen sharply in recent months. Malware attacks globally rose 11 per cent in the first half of 2022, but they doubled at banks and financial institutions, according to cyber security specialist SonicWall. Ransomware attacks dropped 23 per cent worldwide, but increased 243 per cent against financial targets in the same period.

https://www.ft.com/content/1aa6f92a-078b-4e1a-81ca-65298b8310b2

Configuration Errors to Blame for 80% of Ransomware

The vast majority (80%) of ransomware attacks can be traced back to common configuration errors in software and devices, according to Microsoft.

The tech giant’s latest Cyber Signals report focuses on the ransomware as a service (RaaS) model, which it claims has democratised the ability to launch attacks to groups “without sophistication or advanced skills.” Some RaaS programs now have over 50 affiliate groups on their books.

For defenders, a key challenge is ensuring they don’t leave systems misconfigured, it added.

“Ransomware attacks involve decisions based on configurations of networks and differ for each victim even if the ransomware payload is the same,” the report argued. “Ransomware culminates an attack that can include data exfiltration and other impacts. Because of the interconnected nature of the cyber-criminal economy, seemingly unrelated intrusions can build upon each other.”

Although each attack is different, Microsoft pointed to missing or misconfigured security products and legacy configurations in enterprise apps as two key areas of risk exposure.

“Like smoke alarms, security products must be installed in the correct spaces and tested frequently. Verify that security tools are operating in their most secure configuration, and that no part of a network is unprotected,” it urged. “Consider deleting duplicative or unused apps to eliminate risky, unused services. Be mindful of where you permit remote helpdesk apps like TeamViewer. These are notoriously targeted by threat actors to gain express access to laptops.”

Although not named in the report, another system regularly misconfigured and hijacked by ransomware actors is the remote desktop protocol (RDP), which often is not protected by a strong password or two-factor authentication. It’s widely believed to be one of the top three vectors for attack.

The bad news for network defenders is they don’t have much time after initial compromise to contain an attack. Microsoft claimed the median time for an attacker to begin moving laterally inside the network after device compromise is one hour, 42 minutes. The median time for an attacker to access private data following a phishing email is one hour, 12 minutes, the firm added.

https://www.infosecurity-magazine.com/news/configuration-errors-blame-80/

• Ransomware Surges to 1.2 Million Attacks Per Month

Ransomware threat detections have risen to over one million per month this year, with a French hospital the latest to suffer a major outage.

The 1000-bed Center Hospitalier Sud Francilien (CHSF) near Paris revealed it was hit on Sunday morning, in an attack which has knocked out all the hospital's business software, storage systems including medical imaging, and patient admissions. This has led to all but the most urgent emergency patients being diverted to other facilities in the region.

France24 cited figures claiming cyber-attacks against French hospitals surged 70% year-on-year in 2021. "Each day we need to rewrite patients' medications, all the prescriptions, the discharge prescriptions," Valerie Caudwell, president of the medical commission at CHSF hospital, reportedly said. "For the nurses, instead of putting in all the patients' data on the computer, they now need to file it manually from scratch."

Reports suggest Lockbit 3.0 may be to blame for the $10m ransom demand, which the hospital is refusing to pay.

Barracuda Networks claimed in a new report out today that education, municipalities, healthcare, infrastructure and finance have remained the top five targets for ransomware over the past 12 months. However, while attacks on local government increased only slightly, those targeting educational institutions more than doubled, and attacks on the healthcare and financial verticals tripled. Overall, Barracuda claimed that ransomware detections between January and June of this year climbed to more than 1.2 million per month.

https://www.infosecurity-magazine.com/news/ransomware-surges-to-12-million/

• A Massive Hacking Campaign Stole 10,000 Login Credentials From 130 Different Organisations

A phishing campaign targeted Okta users at multiple companies, successfully swiping passwords from staffers and then using them to steal company secrets.

Researchers say that a mysterious “threat actor” (a fancy term for a hacker or hacker group) has managed to steal nearly 10,000 login credentials from the employees of 130 organisations, in the latest far-reaching supply chain attack on corporate America. Many of the victims are prominent software companies, including firms like Twilio, MailChimp, and Cloudflare, among many others.

The news comes from research conducted by cyber security firm Group-IB, which began looking into the hacking campaign after a client was phished and reached out for help. The research shows that the threat actor behind the campaign, which researchers have dubbed “0ktapus,” used basic tactics to target staff from droves of well-known companies. The hacker(s) would use stolen login information to gain access to corporate networks before going on to steal data and then break into another company’s network.

“This case is of interest because despite using low-skill methods it was able to compromise a large number of well-known organisations,” researchers wrote in their blog. “Furthermore, once the attackers compromised an organisation they were quickly able to pivot and launch subsequent supply chain attacks, indicating that the attack was planned carefully in advance.”

https://gizmodo.com/oktapus-okta-hack-twilio-10000-logins-130-companies-1849457420

• This Company Paid a Ransom Demand. Hackers Leaked Its Data Anyway

A victim of a ransomware attack paid to restore access to their network – but the cyber criminals didn't hold up their end of the deal.

The real-life incident, as detailed by cyber security researchers at Barracuda Networks, took place in August 2021, when hackers from BlackMatter ransomware group used a phishing email to compromise the account of a single victim at an undisclosed company.

From that initial entry point, the attackers were able to expand their access to the network by moving laterally around the infrastructure, ultimately leading to the point where they were able to install hacking tools and steal sensitive data. Stealing sensitive data has become a common part of ransomware attacks. Criminals leverage it as part of their extortion attempts, threatening to release it if a ransom isn't received. 

The attackers appear to have had access to the network for at least a few weeks, seemingly going undetected before systems were encrypted and a ransom was demanded, to be paid in Bitcoin.

Cyber security agencies warn that despite networks being encrypted, victims shouldn't pay ransom demands for a decryption key because this only shows hackers that such attacks are effective.

https://www.zdnet.com/article/this-company-paid-a-ransom-demand-hackers-leaked-its-data-anyway/

• Sophisticated BEC Scammers Bypass Microsoft 365 Multi-Factor Authentication

A Business Email Compromise (BEC) attack recently analysed by cloud incident response company Mitiga used an adversary-in-the-middle (AitM) phishing attack to bypass Microsoft Office 365 MFA and gain access to a business executive's account, and then managed to add a second authenticator device to the account for persistent access. According to the researchers, the campaign they analysed is widespread and targets large transactions of up to several million dollars each.

The attack started with a well-crafted phishing email masquerading as a notification from DocuSign, a widely used cloud-based electronic document signing service. The email was crafted to the targeted business executive, suggesting that attackers have done reconnaissance work. The link in the phishing email led to an attacker-controlled website which then redirects to a Microsoft 365 single sign-on login page.

This fake login page uses an AitM technique, where the attackers run a reverse proxy to authentication requests back and forth between the victim and the real Microsoft 365 website. The victim has the same experience as they would have on the real Microsoft login page, complete with the legitimate MFA request that they must complete using their authenticator app. Once the authentication process is completed successfully, the Microsoft service creates a session token which gets flagged in its systems that it fulfilled MFA. The difference is that since the attackers acted as a proxy, they now have this session token too and can use it to access the account.

This reverse proxy technique is not new and has been used to bypass MFA for several years. In fact, easy-to-use open-source attack frameworks have been created for this purpose.

https://www.csoonline.com/article/3670575/sophisticated-bec-scammers-bypass-microsoft-365-multi-factor-authentication.html

• 77% Of Security Leaders Fear We’re in Perpetual Cyber War from Now On

A survey of cyber security decision makers found 77 percent think the world is now in a perpetual state of cyber warfare.

In addition, 82 percent believe geopolitics and cyber security are "intrinsically linked," and two-thirds of polled organisations reported changing their security posture in response to the Russian invasion of Ukraine.

Of those asked, 64 percent believe they may have already been the target of a nation-state-directed cyber attack. Unfortunately, 63 percent of surveyed security leaders also believe that they'd never even know if a nation-state level actor pwned them.

The survey, organised by security shop Venafi, questioned 1,100 security leaders. They said the results show cyber warfare is here, and that it's completely different to many would have imagined. "Any business can be damaged by nation-states," they stated.

It's been common knowledge for some time that government-backed advanced persistent threat (APT) crews are being used to further online geopolitical goals. Unlike conventional warfare, everyone is a target and there's no military or government method for protecting everyone.

Nor is there going to be much financial redress available. Earlier this week Lloyd's of London announced it would no longer recompense policy holders for certain nation-state attacks.

https://www.theregister.com/2022/08/27/in-brief-security/

• Cyber Security Governance: A Path to Cyber Maturity

Organisations need cyber security governance programs that make every employee aware of the cyber security mitigation efforts required to reduce cyber-risks.

In an increasingly challenging threat landscape, many organisations struggle with developing and implementing effective cyber security governance. The "Managing Cybersecurity Risk: A Crisis of Confidence" infographic by the CMMI Institute and ISACA stated: "While enterprise leaders recognise that mature cyber security is essential to thriving in today's digital economy, they often lack the insights and data to have peace of mind that their organisations are efficiently and effectively managing cyber risk."

Indeed, damages from cyber crime are projected to cost the world $7 trillion in 2022, according to the "Boardroom Cybersecurity 2022 Report" from Cybersecurity Ventures. As a result, "board members and chief executives are more interested in cyber security now than ever before," the report stated, adding that the time is ripe for turning awareness into action.

How, then, can board leaders have confidence that their organisations are prepared against cyber attacks? The first order of business for most organisations is to enable a strong cyber security governance program.

Cyber security governance refers to the component of governance that addresses an organisation's dependence on cyber space in the presence of adversaries. The ISO/IEC 27001 standard defines cyber security governance as the following: “The system by which an organisation directs and controls security governance, specifies the accountability framework and provides oversight to ensure that risks are adequately mitigated, while management ensures that controls are implemented to mitigate risks”.

Traditionally, cyber security is viewed through the lens of a technical or operational issue to be handled in the technology space. Cyber security planning needs to fully transition from a back-office operational function to its own area aligned with law, privacy and enterprise risk. The CISO should have a seat at the table alongside the CIO, COO, CFO and CEO. This helps the C-suite understand cyber security as an enterprise-wide risk management issue, along with the legal implications of cyber-risks, and not solely a technology issue.

https://www.techtarget.com/searchsecurity/post/Cybersecurity-governance-A-path-to-cyber-maturity

• The Rise of Data Exfiltration and Why It Is a Greater Risk Than Ransomware

Ransomware is the de facto threat organisations have faced over the past few years. Threat actors were making easy money by exploiting the high valuation of cryptocurrencies and their victims' lack of adequate preparation.

Think about bad security policies, untested backups, patch management practices not up-to-par, and so forth. It resulted in easy growth for ransomware extortion, a crime that multiple threat actors around the world perpetrate.

Something's changed, though. Crypto valuations have dropped, reducing the monetary appeal of ransomware attacks due to organisations mounting better defence against ransomware.

Threat actors have been searching for another opportunity – and found one. It's called data exfiltration, or exfil, a type of espionage causing headaches at organisations worldwide.

Information exfiltration is rapidly becoming more prevalent. Earlier this year, incidents at Nvidia, Microsoft, and several other companies have highlighted how big of a problem it's become – and how, for some organisations, it may be a threat that's even bigger than ransomware.

Nvidia, for example, became entangled in a complex tit-for-tat exchange with hacker group Lapsus$. One of the biggest chipmakers in the world was faced with the public exposure of the source code for invaluable technology, as Lapsus$ leaked the source code for the company's Deep Learning Super Sampling (DLSS) research.

When it comes to exfil extortion, attackers do not enter with the primary aim of encrypting a system and causing disruption the way that a ransomware attacker does. Though, yes, attackers may still use encryption to cover their tracks.

Instead, attackers on an information exfiltration mission will move vast amounts of proprietary data to systems that they control. And here's the game: attackers will proceed to extort the victim, threatening to release that confidential information into the wild or to sell it to unscrupulous third parties.

https://thehackernews.com/2022/08/the-rise-of-data-exfiltration-and-why.html

Threats

Ransomware

• Ransomware Groups Can Adapt Malware Code to Different Operating Systems Simultaneously, Kaspersky Research Finds - MSSP Alert

• [Whoa] Ransomware Strains Almost Double in Six Months from 5,400 to 10,666 (knowbe4.com)

• Ransomware: Most attacks exploit these common cyber security mistakes - so fix them now, warns Microsoft | ZDNET

• Ransomware dominates the threat landscape - Help Net Security

• We need to think about ransomware differently - Help Net Security

• Disk wiping malware knows no borders - Help Net Security

• NATO investigates hacker sale of missile firm data - BBC News           

• Cyber attackers disrupt services at French hospital, demand $10 million ransom (france24.com)

• New 'Agenda' Ransomware Customized for Each Victim | SecurityWeek.Com

• LockBit gang hit by DDoS attack after Entrust leaks • The Register

• New ransomware HavanaCrypt poses as Google software update | CSO Online

• WannaCry explained: A perfect ransomware storm | CSO Online

• LockBit Ransomware Site Hit by DDoS Attack as Hackers Start Leaking Entrust Data | SecurityWeek.Com

• New Golang Ransomware Agenda Customizes Attacks (trendmicro.com)

• New 'BianLian' Ransomware Variant on the Rise (darkreading.com)

• New 'Donut Leaks' extortion gang linked to recent ransomware attacks (bleepingcomputer.com)

• Ransomware Attacks are on the Rise | Threatpost

• Quantum ransomware attack disrupts govt agency in Dominican Republic (bleepingcomputer.com)

• Car Dealership Hit by Major Ransomware Attack - Infosecurity Magazine

• Ransomware Gang Leaks Data Allegedly Stolen from Greek Gas Supplier | SecurityWeek.Com

• Major airline technology provider Accelya attacked by ransomware group - The Record by Recorded Future

• Businesses expect the government to increase its financial assistance for all ransomware incidents - Help Net Security

BEC – Business Email Compromise

• Before Portland lost $1.4 million in cyber breach, city treasurer raised red flag - OPB

Phishing & Email Based Attacks

• Phishing attacks abusing SaaS platforms see a massive 1,100% growth (bleepingcomputer.com)

• Researchers Warn of AiTM Attack Targeting Google G-Suite Enterprise Users (thehackernews.com)

• Unusual Microsoft 365 Phishing Campaign Spoofs eFax Via Compromised Dynamics Voice Account (darkreading.com)

• Hiding a phishing attack behind the AWS cloud • The Register

• 10 key facts about callback phishing attacks - CyberTalk 2022

Other Social Engineering; Smishing, Vishing, etc

• New social engineering tactics discovered in the wild - Help Net Security

Malware

• Threat actor abuses Genshin Impact Anti-Cheat driver to disable antivirus - Security Affairs

• Fake DDoS Protection Alerts Distribute Dangerous RAT (darkreading.com)

• Meet Borat RAT, a New Unique Triple Threat (thehackernews.com)

• Donot Team group updates its Windows malware framework - Security Affairs

• How 'Kimsuky' hackers ensure their malware only reach valid targets (bleepingcomputer.com)

• Grandoreiro banking malware targets Mexico and Spain - Security Affairs

• Fake Chrome extension 'Internet Download Manager' has 200,000 installs (bleepingcomputer.com)

• Threat actors are using the Tox P2P messenger as C2 server - Security Affairs

Mobile

• Google Play Store Serving Up Chameleon-like Apps (informationsecuritybuzz.com)

• We can make our phones harder to hack but complete security is a pipe dream | John Naughton | The Guardian

Internet of Things – IoT

• Cyber criminals Are Selling Access to Chinese Surveillance Cameras | Threatpost

• IoT Vulnerability Disclosures Up 57% in Six Months, Claroty Reveals - Infosecurity Magazine

• Thousands of Organisations Remain at Risk from Critical Zero-Click IP Camera Bug (darkreading.com)

Data Breaches/Leaks

• LastPass data breach: threat actors stole portion of source code - Security Affairs

• Plex discloses data breach and urges password reset - Security Affairs

• Why the Twilio Breach Cuts So Deep | WIRED

• Plex was compromised, exposing usernames, emails, and passwords - The Verge

• DoorDash discloses new data breach tied to Twilio hackers (bleepingcomputer.com)

• Data on California Prisons' Visitors, Staff, Inmates Exposed | SecurityWeek.Com

• Expert Commentary On The Plex Data Breach (informationsecuritybuzz.com)

• Textile Company Sferra Discloses Data Breach | SecurityWeek.Com

• Novant Health: Oops, we leaked 1.3m patients' info to Meta • The Register

Organised Crime & Criminal Actors

• RaaS Kits Are Hiding Who The Attackers Really Are – Expert Comments (informationsecuritybuzz.com)

• Researchers warn of darkverse emerging from the metaverse | CSO Online

 Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

• An anatomy of crypto-enabled cyber crime | Financial Times (ft.com)

• Cryptojackers Spread Across Computers Globally- IT Security Guru

• Hackers Are Breaking Into and Emptying Cash App Accounts (vice.com)

• Threat actors are stealing funds from General Bytes Bitcoin ATMSecurity Affairs

• How Economic Changes and Crypto's Rise Are Fuelling the use of "Cyber Mules" | SecurityWeek.Com

Fraud, Scams & Financial Crime

• Scammers Create “AI Hologram” of C-Suite Crypto Exec - Infosecurity Magazine

• Employee fraud: Beware of deepfake job applicants - Protocol

• A closer look at identity crimes committed against individuals - Help Net Security

• What type of fraud enables attackers to make a living? - Help Net Security

Insurance

• Lloyds Of London Ends Insurance Coverage For State Cyber Attacks, Expert (informationsecuritybuzz.com)

Software Supply Chain

• Why SBOMs alone aren’t enough for software supply chain security | CSO Online

Denial of Service DoS/DDoS

• DDoS attacks jump 203%, patriotic hacktivism surges - Help Net Security

• Threat Actor Deploys Raven Storm Tool to Perform DDoS Attacks - Infosecurity Magazine

• LockBit gang hit by DDoS attack after Entrust leaks • The Register

• Gambling sites are losing significant amounts of revenue due to raising DDoS attacks - Help Net Security

Cloud/SaaS

• Mitiga: Attackers evade Microsoft MFA to lurk inside M365 (techtarget.com)

• Phishing attacks abusing SaaS platforms see a massive 1,100% growth (bleepingcomputer.com)

• How complicated access management protocols have impacted cloud security - Help Net Security

Identity and Access Management

• IT leaders struggling to address identity sprawl - Help Net Security

• Identity Security Pain Points and What Can Be Done (darkreading.com)

• Thoma Bravo: Securing digital identities has become a major priority - Help Net Security

Encryption

• CISA: Action required now to prepare for quantum computing cyber threats | ZDNET

• Encrypted Traffic Analysis: Mitigating Against The Risk Of Encryption (informationsecuritybuzz.com)

• US Government: Stop Dickering and Prepare for Post-Quantum Encryption Now - CNET

API

• API security incidents occur at least once a month - Help Net Security

Passwords, Credential Stuffing & Brute Force Attacks

• Credential phishing attacks rise and represent a huge threat to businesses - Help Net Security

• Twilio hackers breached over 130 organisations during months-long hacking spree | TechCrunch

• FBI: Beware Residential IPs Hiding Credential Stuffing - Infosecurity Magazine

Social Media

• Experts Reaction to Poor Security At Twitter (informationsecuritybuzz.com)

Privacy

• Oracle sued over ‘worldwide surveillance machine’ by privacy rights activists | CSO Online

• Most top mobile carriers retain geolocation data for two years on average, FCC findings show - CyberScoop

Travel

• Hackers target hotel and travel companies with fake reservations (bleepingcomputer.com)

• Fake Reservation Links Prey on Weary Travelers | Threatpost

• British Airways passengers targeted in baggage scam using Twitter | The Independent

Models, Frameworks and Standards

• PCI DSS v4.0 is coming, here's how to prepare to comply (techtarget.com)

Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine

• Lloyd's of London Introduces New War Exclusion Insurance Clauses | SecurityWeek.Com

• The (Nation) State of Cyber: 64% of Businesses Suspect They've Been Targeted or Impacted by Nation-State Attacks (darkreading.com)

• EU Outlines Critical Cyber Response to Ukraine War - Infosecurity Magazine

• Unprecedented cyber attack hit State Infrastructure of Montenegro - Security Affairs

• Suspected Iranian Hackers Targeted Several Israeli Organisations for Espionage (thehackernews.com)

Nation State Actors

Nation State Actors – Russia

• Microsoft: Russian hackers gain powerful 'MagicWeb' authentication bypass | ZDNET

• Microsoft Attributes New Post-Compromise Capability to Nobelium - Infosecurity Magazine

Nation State Actors – Iran

• Google Uncovers Tool Used by Iranian Hackers to Steal Data from Email Accounts (thehackernews.com)

• Iranian Hackers Exploiting Unpatched Log4j 2 Bugs to Target Israeli Organisations (thehackernews.com)

Nation State Actors – Misc APT

• Donot Team group updates its Windows malware framework - Security Affairs

• Cyber crime Groups Increasingly Adopting Sliver Command-and-Control Framework (thehackernews.com)

Vulnerability Management

• Up to 35% more CVEs published so far this year compared to 2021 | CSO Online

• Why patching quality, vendor info on vulnerabilities are declining | CSO Online

• How fast is the financial industry fixing its software security flaws? - Help Net Security

• Highlighting What should be Patched First at the Endpoint (bleepingcomputer.com)

Vulnerabilities

• Cisco Patches High-Severity Vulnerabilities in Business Switches | SecurityWeek.Com

• CISA Warns of Active Exploitation of Palo Alto Networks' PAN-OS Vulnerability (thehackernews.com)

• Critical flaw impacts Atlassian Bitbucket Server and Data Center - Security Affairs

• VMware fixes privilege escalation vulnerabilities in VMware Tools - Infosecurity Magazine

• VMware LPE Bug Allows Cyber attackers to Feast on Virtual Machine Data (darkreading.com)

• Critical RCE bug in GitLab patched, update ASAP! (CVE-2022-2884) - Help Net Security

• Mac users urged to update Zoom, after security patch released for previously-flawed security patch (bitdefender.com)

• Zoom patches root exploit, patches patch due to root exploit • The Register

• US government really hopes you've patched your Zimbra server • The Register

• Apple security flaw ‘actively exploited’ by hackers to fully control devices | Apple | The Guardian

• Microsoft publicly discloses details on critical ChromeOS flaw - Security Affairs

• Mozilla Patches High-Severity Vulnerabilities in Firefox, Thunderbird | SecurityWeek.Com

• 'DirtyCred' Vulnerability Haunting Linux Kernel for 8 Years | SecurityWeek.Com

• Privilege Escalation Flaw Haunts VMware Tools | SecurityWeek.Com

Reports Published in the Last Week

• Cyber Signals: Defend against the new ransomware landscape - Microsoft

• Threat Spotlight: The untold stories of ransomware - Journey Notes (barracuda.com)

Other News

• How attackers use and abuse Microsoft MFA - Help Net Security

• There is an urgent need to reduce systemic cyber risks | Financial Times (ft.com)

• Critical infrastructure is under attack from hackers. Securing it needs to be a priority - before it's too late | ZDNET

• We Need to Talk About How Good A.I. Is Getting - The New York Times (nytimes.com)

• A lack of endpoint security strategy is leaving enterprises open to attack - Help Net Security

• NIST Weighs in on AI Risk (darkreading.com)

• Twitter whistleblower report holds security lessons (techtarget.com)

• Nearly 3 Years Later, SolarWinds CISO Shares 3 Lessons From the Infamous Attack (darkreading.com)

• Data governance: 5 tips for holistic data protection - Microsoft Security Blog

• US Government Spending Billions on Cyber security (thehackernews.com)

Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

·       Automotive

·       Construction

·       Critical National Infrastructure (CNI)

·       Defence & Space

·       Education & Academia

·       Energy & Utilities

·       Estate Agencies

·       Financial Services

·       FinTech

·       Food & Agriculture

·       Gaming & Gambling

·       Government & Public Sector (including Law Enforcement)

·       Health/Medical/Pharma

·       Hotels & Hospitality

·       Insurance

·       Legal

·       Manufacturing

·       Maritime

·       Oil, Gas & Mining

·       OT, ICS, IIoT, SCADA & Cyber-Physical Systems

·       Retail & eCommerce

·       Small and Medium Sized Businesses (SMBs)

·       Startups

·       Telecoms

·       Third Sector & Charities

·       Transport & Aviation

·       Web3

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.