Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

• Phishing Emails Up a Whopping 569% in 2022

The volume of phishing emails sent in 2022 spiked by a jaw-dropping 569% according to a new report. Based on data from 35 million users, the report details the astronomical rise of email phishing as a tactic among threat actors in 2022. Key findings from the report include the number of credential phishing emails sent spiked by 478% and, for the eighth consecutive year, business email compromise (BEC) ranked as the top cyber crime.

https://www.darkreading.com/attacks-breaches/phishing-emails-up-whopping-569-percent-2022

• The End User Password Mistakes Putting Your Organisation at Risk

Businesses rely on their end users, but those same users often don't follow the best security practices. Without the right password security policies, a single end user password mistake can be a costly breach of your organisation's defences. End users want to do their work quickly and efficiently, but sharing, reusing and weak passwords can put your organisation at risk so having the right policies in place is essential for security.

https://www.bleepingcomputer.com/news/security/the-end-user-password-mistakes-putting-your-organization-at-risk/

• Millions of Penetration Tests Show Companies’ Security Postures are Getting Worse

The risk score for the average company worsened in the past year as companies fail to adapt to data exfiltration techniques and adequately protect web applications. Companies' effective data-exfiltration risk increased to 44 out of 100 (with 100 indicating the riskiest posture) in 2022, from an average score of 30 in the previous year, indicating that the overall risk of data being compromised has increased. That's according to rankings by Cymulate, who crunched data on 1.7 million hours of offensive cyber security testing. The research noted that while many companies are improving the adoption of strict network and group policies, attackers are adapting to sidestep such protections. They also found that four of the top-10 CVEs (known vulnerabilities) identified in customer environments were more than two years old.

https://www.darkreading.com/cloud/millions-pen-tests-companies-security-posture-getting-worse

• 71% of Employees Keep Work Passwords on Personal Devices

71% of employees store sensitive work passwords on their personal phones, and 66% use their personal texting apps for work, according to a new mobile bring your own device (BYOD) security report this week, with the report also suggesting 95% of security leaders are increasingly concerned about phishing attacks via private messaging apps. With the widespread use of personal mobile devices in the workplace, it is increasingly difficult for employers to ensure the security of sensitive information. The use of personal devices and personal apps was the direct cause of many high-profile corporate breaches and this is a trend that will surely continue, as employees often use corporate and personal devices for work, effectively doubling the attack surface for cyber criminals as threat actors know there are fewer security controls on personal mobile devices than on corporate ones.

https://www.infosecurity-magazine.com/news/70-employees-keep-work-passwords/

• Cyber Frontlines in Russia-Ukraine War Move to Eastern and Northern Europe

More than a year into the war in Ukraine, hackers have extended the cyber battleground to Eastern and Northern Europe with the number of incidents in those geographies spiking noticeably. A new report shows that cyber warfare inside the conflict has “clearly moved on” from the beginnings of the war. Over the last 12 months, the research reports that the majority of incidents only affecting Ukraine in the first quarter of 2022 (50.4%) sank to 28.6% in the third period. But European Union countries have seen a spike in incidents related to the war in the past six months from 9.8% to 46.5%. Indeed, the number of attacks on EU countries in the third quarter of 2022 totalled just slightly less than those in the Ukraine. And, in the first quarter of this year, more than 80% of incidents occurred inside the European Union. Cyber is now a crucial weapon in the arsenal of new instruments of war, alongside disinformation, manipulation of public opinion, economic warfare, sabotage and guerrilla tactics. With the lateralisation of the conflict from Ukraine to the rest of Europe, Western Europe should be wary of possible attacks on critical infrastructure in the short term if the conflict continues to accelerate.

https://www.msspalert.com/cybersecurity-research/cybercrime-front-lines-in-russia-ukraine-war-move-to-eastern-and-northern-europe/

• Security Flaws Cost Fifth of Executives New Business

Boards continue to under-appreciate the value of cyber security to the business, despite acknowledging its critical role in winning new business and talent, according to Trend Micro. The security giant polled 2,718 business decision makers globally to compile its Risky Rewards study and it found that half (51%) believe cyber security is a necessary cost but not a revenue contributor. 48% argue that its value is limited to threat prevention and two-fifths (38%) see security as a barrier rather than a business enabler. That’s despite a fifth (19%) acknowledging that poor security posture has already impacted their ability to win new business, and 57% thinking there is a strong connection between cyber and client acquisition.

 https://www.infosecurity-magazine.com/news/fifth-execs-security-flaws-cost/

• Companies Struggle to Build and Run Effective Programs to Protect Data from Insider Threats

Insider risk is emerging as one of the most challenging threats for organisations to detect, mitigate and manage, Code42 Software said in its annual Data Exposure Report for 2023. To compile data for the study they surveyed some 700 cyber security leaders, managers and practitioners and whilst more than 72% of companies indicated they have an insider risk management (IRM) program in place, the same companies experienced a year-over-year increase in data loss incidents of 32%. 71% of respondees expect data loss from insider events to increase in the next 12 months. Insider incidents are costing organisations $16 million per incident on average, and chief information security officers (CISOs) say that insider risks are the most challenging type of threat to detect. Data loss from insiders is not a new problem but it has become more complex with workforce turnover and cloud adoption.

https://www.msspalert.com/cybersecurity-research/companies-struggle-to-build-and-run-effective-programs-to-protect-data-from-insider-threats/

• Only 10% of Workers Remember All Their Cyber Security Training

New research has found that only 10% of workers remember all their cyber security training. Furthermore, only half of employees are undergoing regular training, and a quarter aren’t receiving any training at all. Organisations should look to carry out effective and regular training that is tailored to their employees to increase the chance of training content being retained, with a programme of ongoing continual reinforcement.

https://www.itsecurityguru.org/2023/03/30/only-10-of-workers-remember-all-their-cyber-security-training/

• Silence Gets You Nowhere in a Data Breach

In cyber security, the phrase “what they don’t know won’t hurt them” is not only wrong, it’s dangerous. Despite this, it’s a motto that remains in many organisations’ PR playbooks, as demonstrated by the recent LastPass and Fortra data breaches. Smaller companies, too, are employing a silent-treatment approach to data breaches, and cyber attacks are now a fact of doing business with almost half of US organisations having suffered a cyber attack in 2022. Attackers are increasingly targeting smaller businesses due to the fact they are seen as easier targets than large companies.

 https://techcrunch.com/2023/03/29/silence-gets-you-nowhere-in-a-data-breach/

• Just 1% of Cloud Permissions are Actively Used

According to Microsoft, a surge in workload identities, super admins and “over-permissioning” is driving the increase in cyber risk for organisations. Just 1% of users are using the permissions granted to them for day-to-day work. Worryingly, this leaves a significant number of unnecessary permissions which could be used by an attacker to elevate their privileges.

https://www.infosecurity-magazine.com/news/just-1-of-cloud-permissions-used/

• Dangerous Misconceptions About Emerging Cyber Threats

Organisations are leaving common attack paths exposed in their quest to combat emergent threats, according to a new report that delves into the efficacy of different security controls, the most concerning threats as tested by organisations worldwide, and top cyber security best practices for 2023. One of the key findings of the report is that many organisations are actively testing against threats seen in the news, likely from pressure to report on their exposure risk to emergent threats, and whilst this is good, it should not take away from assessing threats and exposures that are more likely actively targeting the business.

https://www.helpnetsecurity.com/2023/03/30/misconceptions-emerging-cyber-threats/  

• ‘Grim’ Criminal Abuse of ChatGPT is Coming, Europol Warns

Europol has warned that criminals are set to take advantage of artificial intelligence to commit fraud and other crimes. Europol highlighted that ChatGPT could be used to speed up criminal research, impersonate speech styles for phishing and write code. Furthermore, despite ChatGPT having safeguards, Europol note that these can be circumvented.

https://www.securityweek.com/grim-criminal-abuse-of-chatgpt-is-coming-europol-warns/

Threats

Ransomware, Extortion and Destructive Attacks

• Why CISOs Are Looking to Lateral Security to Mitigate Ransomware | CIO

• 2023 Ransomware Insights | Barracuda Networks

• Clop Keeps Racking Up Ransomware Victims With GoAnywhere Flaw (darkreading.com)

• New IcedID malware variants shift from banking trojans to ransomware | SC Media (scmagazine.com)

• Publicly disclosed US ransomware attacks in 2023 | TechTarget

• Virgin Group added to Cl0p gang’s victim leak site | Cybernews

• New York law firm coughs up $200k after hospital data stolen • The Register

• Telecom giant Lumen suffered a ransomware attack-Security Affairs

• Ransomware crooks are exploiting IBM file exchange bug with a 9.8 severity | Ars Technica

• DarkBit puts data from Israel’s Technion university on sale | CSO Online

• Crown Resorts investigating potential data breach after being contacted by hacking group - ABC News

• Children’s data feared stolen in Fortra ransomware attack | TechCrunch

• P&G confirms data breach - Global Cosmetics News

Phishing & Email Based Attacks

• Phishing Emails Up a Whopping 569% in 2022 (darkreading.com)

• Exchange Online will soon start blocking emails from old, vulnerable on-prem servers - Help Net Security

• Volume of HTTPS Phishing Sites Surges 56% Annually - Infosecurity Magazine (infosecurity-magazine.com)

• Identifying AI-Enabled Phishing (knowbe4.com)

• IRS Phishing Emails Used to Distribute Emotet - Infosecurity Magazine (infosecurity-magazine.com)

• These next-level phishing scams use PayPal or Google Docs to steal your data | TechRadar

• Winter Vivern hackers exploit Zimbra flaw to steal NATO emails (bleepingcomputer.com)

BEC – Business Email Compromise

• BEC scammers are after physical goods, the FBI warns - Help Net Security

• Australian police arrest four BEC actors who stole $1.7 million (bleepingcomputer.com)

• New BEC Tactics Enable Fake Asset Purchases - Infosecurity Magazine (infosecurity-magazine.com)

• FBI: Business email compromise tactics used to defraud US vendors (bleepingcomputer.com)

Other Social Engineering; Smishing, Vishing, etc

• What is vishing (voice or VoIP phishing)? – TechTarget Definition

2FA/MFA

• What is Three-Factor Authentication? | Definition from TechTarget

Malware

• New IcedID malware variants shift from banking trojans to ransomware | SC Media (scmagazine.com)

• MacStealer  macOS malware appears in cyber crime underground--Security Affairs

• Cyber Scammers Using Decentralized File Distribution System to Spread Malware - MSSP Alert

• Microsoft confirms Defender has gone rogue as it's flagging legit links as malware - Neowin

• North Korean malware-spreading, crypto-stealing gang named • The Register

• Malware disguised as Tor browser steals $400k in cryptocash • The Register

• NullMixer Polymorphic Malware Variant Infects 8K Targets in Just a Month (darkreading.com)

• Chinese Cyber spies Use 'Melofee' Linux Malware for Stealthy Attacks - SecurityWeek

• Chinese RedGolf Group Targeting Windows and Linux Systems with KEYPLUG Backdoor (thehackernews.com)

• Realtek and Cacti flaws now actively exploited by malware botnets (bleepingcomputer.com)

• AlienFox malware caught in the cloud hen house • The Register

• Microsoft OneNote will block 120 dangerous file extensions (bleepingcomputer.com)

• IRS Phishing Emails Used to Distribute Emotet - Infosecurity Magazine (infosecurity-magazine.com)

Mobile

• Android-based banking Trojan Nexus now available as malware-as-a-service | CSO Online

• Inaudible ultrasound attack can stealthily control your phone, smart speaker (bleepingcomputer.com)

• Russia’s Rostec allegedly can de-anonymize Telegram users (bleepingcomputer.com)

• Android app from China executed 0-day exploit on millions of devices | Ars Technica

• Google again accused of destroying evidence in Android case • The Register

• Google finds more Android, iOS zero-days used to install spyware (bleepingcomputer.com)

• Samsung keeps ignoring a huge security flaw in millions of Galaxy phones - SamMobile

• iOS Vs. Android – Which Is The More Secure Platform? (informationsecuritybuzz.com)

Botnets

• Realtek and Cacti flaws now actively exploited by malware botnets (bleepingcomputer.com)

Denial of Service/DoS/DDOS

• DDoS DNS attacks are old-school, unsophisticated, and back • The Register

Internet of Things – IoT

• Inaudible ultrasound attack can stealthily control your phone, smart speaker (bleepingcomputer.com)

• This devious cyber attack can target all your smart speakers without you realizing | TechRadar

• Gone in 120 seconds: Tesla Model 3 child's play for hackers • The Register

Data Breaches/Leaks

• Fortra told breached companies their data was safe | TechCrunch

• Procter & Gamble confirms data theft via GoAnywhere zero-day (bleepingcomputer.com)

• Latitude Financial cyber-attack worse than first thought with 14m customer records stolen | Business | The Guardian

• New York law firm coughs up $200k after hospital data stolen • The Register

• Toyota scrambles to patch customer data leak-Security Affairs

• ChatGPT Data Breach Confirmed as Security Firm Warns of Vulnerable Component Exploitation - SecurityWeek

• 500k Impacted by Data Breach at Debt Buyer NCB - SecurityWeek

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

• North Korean hackers turn to 'cloud mining' for crypto to avoid law enforcement scrutiny | CyberScoop

• European Parliament Passes Historic Anti-Money Laundering Rules for Crypto Industry – More Regulation Incoming? (cryptonews.com)

• Malware disguised as Tor browser steals $400k in cryptocash • The Register

• NullMixer Polymorphic Malware Variant Infects 8K Targets in Just a Month (darkreading.com)

Insider Risk and Insider Threats

• Companies Struggle to Build and Run Effective Programs to Protect Data From Insider Threats - MSSP Alert

• Over 70% of Employees Keep Work Passwords on Personal Devices - Infosecurity Magazine (infosecurity-magazine.com)

• Only 10% of workers remember all their cyber security training - IT Security Guru

• Data loss from insider events increase despite IRM programs, says study | CSO Online

• Stop Blaming the End User for Security Risk (darkreading.com)

Fraud, Scams & Financial Crime

• Visa fraud expert outlines the many faces of payment ecosystem fraud - Help Net Security

• SMS pumping attacks and how to mitigate them | TechTarget

• Cyber Scammers Using Decentralized File Distribution System to Spread Malware - MSSP Alert

• NCA Celebrates Multimillion-Pound Fraud Takedowns - Infosecurity Magazine (infosecurity-magazine.com)

• How I fell for an internet scam (thetimes.co.uk)

Deepfakes

• AI has figured out how to draw deepfake hands | The Independent

AML/CFT/Sanctions

• European Parliament Passes Historic Anti-Money Laundering Rules for Crypto Industry – More Regulation Incoming? (cryptonews.com)

Insurance

• Beazley working on standalone cyber war product in market first (insuranceinsider.com)

• Organisations Reassess Cyber Insurance as Self-Insurance Strategies Emerge (darkreading.com)

Supply Chain and Third Parties

• Hackers compromise 3CX desktop app in a supply chain attack (bleepingcomputer.com)

• Supply chain cyber attack with possible links to North Korea could have thousands of victims globally | CyberScoop

• Winter Vivern hackers exploit Zimbra flaw to steal NATO emails (bleepingcomputer.com)

• 'They outsmarted us.' 3CX CEO acknowledges mistakes handling potential supply chain cyberattack | CyberScoop

Cloud/SaaS

• Just 1% of Cloud Permissions Are Actively Used - Infosecurity Magazine (infosecurity-magazine.com)

• Where SSO Falls Short in Protecting SaaS (thehackernews.com)

• North Korean hackers turn to 'cloud mining' for crypto to avoid law enforcement scrutiny | CyberScoop

• CISA Releases Hunt Tool for Microsoft's Cloud Services (darkreading.com)

• Balancing security risks and innovation potential of shadow IT teams - Help Net Security

• Microsoft Cloud Vulnerability Led to Bing Search Hijacking, Exposure of Office 365 Data - SecurityWeek

• AlienFox malware caught in the cloud hen house • The Register

Hybrid/Remote Working

• Cyber security focus in second Digital Europe work programme – EURACTIV.com

• More companies are watching their remote workers WFH on camera | Fortune

Shadow IT

• Balancing security risks and innovation potential of shadow IT teams - Help Net Security

Identity and Access Management

• Legacy, password-based authentication systems are failing enterprise security, says study | CSO Online

Encryption

• OpenSSL 1.1.1 Nears End of Life: Security Updates Only Until September 2023 - SecurityWeek

API

• Attacks Targeting APIs Increased By 400% in Last Six Months - Infosecurity Magazine (infosecurity-magazine.com)

Passwords, Credential Stuffing & Brute Force Attacks

• The End-User Password Mistakes Putting Your Organisation at Risk (bleepingcomputer.com)

• New Research Examines Traffers and the Business of Stolen Credentials - IT Security Guru

• Over 70% of Employees Keep Work Passwords on Personal Devices - Infosecurity Magazine (infosecurity-magazine.com)

• Legacy, password-based authentication systems are failing enterprise security, says study | CSO Online

Social Media

• France bans TikTok, all social media apps from government devices | CSO Online

Training, Education and Awareness

• The era of passive cyber security awareness training is over - Help Net Security

• Only 10% of workers remember all their cyber security training - IT Security Guru

• Back and Bigger Than Ever! The Inside Man Season 5 Takes a Stab at Power Hungry Adversaries - IT Security Guru

Parental Controls and Child Safety

• Children’s data feared stolen in Fortra ransomware attack | TechCrunch

Regulations, Fines and Legislation

• UK Introduces Mass Surveillance With Online Safety Bill - SecurityWeek

• Call for Submissions to UK's New Computer Misuse Act - Infosecurity Magazine (infosecurity-magazine.com)

Governance, Risk and Compliance

• Beazley working on standalone cyber war product in market first (insuranceinsider.com)

• 3 Shifts in the Cyber Threat Landscape (trendmicro.com)

• Cyber security vs. Everyone: From Conflict to Collaboration (darkreading.com)

• Using Observability to Power a Smarter Cyber security Strategy (darkreading.com)

• It's Time to Rethink Security Culture, Match Confidence to Capabilities, Immersive Labs Reports - MSSP Alert

• How cyber security decision-makers perceive cyber resilience - Help Net Security

• NCSC issues revised security Board Toolkit for business leaders | Computer Weekly

• The CISO Mantra: Get Ready to Do More With Less (darkreading.com)

Models, Frameworks and Standards

• The best defence against cyber threats for lean security teams - Help Net Security

Backup and Recovery

• World Backup Day is here again – 5 tips to keep your precious data safe – Naked Security (sophos.com)

Law Enforcement Action and Take Downs

• FBI confirms access to Breached cyber crime forum database (bleepingcomputer.com)

• UK creates fake DDoS-for-hire sites to identify cyber criminals (bleepingcomputer.com)

• Australian police arrest four BEC actors who stole $1.7 million (bleepingcomputer.com)

• 20-Year-Old BreachForums Founder Faces Up to 5 Years in Prison (thehackernews.com)

• North Korean hackers turn to 'cloud mining' for crypto to avoid law enforcement scrutiny | Cyber scoop

• NCA Celebrates Multimillion-Pound Fraud Takedowns - Infosecurity Magazine (infosecurity-magazine.com)

Privacy, Surveillance and Mass Monitoring

• The Importance of Data Security and Privacy for Individuals and Businesses in the Digital Age - IT Security Guru

• UK Introduces Mass Surveillance With Online Safety Bill - SecurityWeek

• FBI Spent Tens of Thousands of Dollars on Bulk Data Collection (gizmodo.com)

• Clearview AI used nearly 1m times by US police, it tells the BBC - BBC News

• More companies are watching their remote workers WFH on camera | Fortune

Artificial Intelligence

• 'Grim' Criminal Abuse of ChatGPT is Coming, Europol Warns     - SecurityWeek

• Europol warns of criminal use of ChatGPT-Security Affairs

• In Sudden Alarm, Tech Doyens Call for a Pause on ChatGPT | WIRED

• Musk, Scientists Call for Halt to AI Race Sparked by ChatGPT - SecurityWeek

• AI-fuelled search gives more power to the bad guys | CSO Online

• Identifying AI-Enabled Phishing (knowbe4.com)

• Hacker demonstrates security flaws in GPT-4 just one day after launch | VentureBeat

• AI image of Pope Francis in a puffer jacket fooled the internet and experts fear there’s worse to come (inews.co.uk)

• Godfather of AI Says There's a Minor Risk It'll Eliminate Humanity (futurism.com)

• Clearview AI used nearly 1m times by US police, it tells the BBC - BBC News

• ChatGPT Data Breach Confirmed as Security Firm Warns of Vulnerable Component Exploitation - SecurityWeek

• AI has figured out how to draw deepfake hands | The Independent

Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine

• Putin and Xi’s plot to control the internet will leave the West in the dust (telegraph.co.uk)

• In A Surprise, China-Linked TikTok Grabs Power Norway Needs To Make Ammo (forbes.com)

• ‘Vulkan files’ leak reveals Putin’s global and domestic cyberwarfare tactics | Cyberwar | The Guardian

• Cyber crime Front Lines in Russia-Ukraine War Move to Eastern and Northern Europe - MSSP Alert

• Beazley working on standalone cyber war product in market first (insuranceinsider.com)

• 'Bitter' espionage hackers target Chinese nuclear energy orgs (bleepingcomputer.com)

• Earth Preta’s Cyber Espionage Campaign Hits Over 200 (trendmicro.com)

• China crisis is a TikToking time bomb • The Register

• Biden White House Issues Executive Order on Commercial Spyware (gizmodo.com)

• North Korean APT43 Group Uses Cybercrime to Fund Espionage Operations (thehackernews.com)

• Google finds more Android, iOS zero-days used to install spyware (bleepingcomputer.com)

• Over 200 Organisations Targeted in Chinese Cyber Espionage Campaign - SecurityWeek

• Chinese tech firms banned over spy fears granted access to UK officials at security conference (inews.co.uk)

• Google: Commercial Spyware Used by Governments Laden With Zero-Day Exploits (darkreading.com)

• Chinese Cyber spies Use 'Melofee' Linux Malware for Stealthy Attacks - SecurityWeek

• Chinese RedGolf Group Targeting Windows and Linux Systems with KEYPLUG Backdoor (thehackernews.com)

• Pro-Russian hackers target elected US officials supporting Ukraine | Ars Technica

• Russian spies more effective than army, say experts - BBC News

• Cyber warfare leaks show Russian army is adopting mindset of secret police | Cyberwar | The Guardian

Nation State Actors

• Uncle Sam sent cyber-soldiers to Albania to combat Iran • The Register

• Russia’s Rostec allegedly can de-anonymize Telegram users (bleepingcomputer.com)

• Android app from China executed 0-day exploit on millions of devices | Ars Technica

• North Korean hackers turn to 'cloud mining' for crypto to avoid law enforcement scrutiny | CyberScoop

• China urges Apple to improve security and privacy • The Register

• Supply chain cyber attack with possible links to North Korea could have thousands of victims globally | CyberScoop

• North Korean malware-spreading, crypto-stealing gang named • The Register

• Chinese tech firms banned over spy fears granted access to UK officials at security conference (inews.co.uk)

• Smugglers busted sneaking tech into China • The Register

• Chinese RedGolf Group Targeting Windows and Linux Systems with KEYPLUG Backdoor (thehackernews.com)

Vulnerability Management

• What you need before the next vulnerability hits - Help Net Security

• Vulnerability management vs. risk management, compared | TechTarget

• Most Weaponized Vulnerabilities of 2022 and 5 Key Risks: Report - SecurityWeek

• Microsoft shares tips on detecting Outlook zero-day exploitation (bleepingcomputer.com)

• Ignoring network automation is a ticking time bomb for security - Help Net Security

Vulnerabilities

• Microsoft: No-Interaction Outlook Zero Day Exploited Since Last April - SecurityWeek

• Microsoft shares tips on detecting Outlook zero-day exploitation (bleepingcomputer.com)

• Apple patches everything, including a zero-day fix for iOS 15 users – Naked Security (sophos.com)

• QNAP fixed Sudo privilege escalation bug in NAS devices-Security Affairs

• Patch Now: Cyber criminals Set Sights on Critical IBM File Transfer Bug (darkreading.com)

• ChatGPT Vulnerability May Have Exposed Users’ Payment Information - Infosecurity Magazine (infosecurity-magazine.com)

• Microsoft Cloud Vulnerability Led to Bing Search Hijacking, Exposure of Office 365 Data - SecurityWeek

• Super FabriXss flaw in Microsoft Azure SFX could lead to RCE-Security Affairs

• OpenAI quickly fixed account takeover bugs in ChatGPT-Security Affairs

Tools and Controls

• Even with defence tools, CISOs say cyber attacks are ‘inevitable’ (techrepublic.com)

• The era of passive cyber security awareness training is over - Help Net Security

• Silence gets you nowhere in a data breach | TechCrunch

• Only 10% of workers remember all their cyber security training - IT Security Guru

• Prioritizing data security amid workforce disruptions - Help Net Security

• Using Observability to Power a Smarter Cyber security Strategy (darkreading.com)

• For database security it's down to people, not tech fixes • The Register

• Known unknowns: Refining your approach to uncategorized web traffic - Help Net Security

• Understanding adversaries through dark web intelligence - Help Net Security

• Where SSO Falls Short in Protecting SaaS (thehackernews.com)

• How Does Data Literacy Enhance Data Security? (darkreading.com)

• CISA Releases Hunt Tool for Microsoft's Cloud Services (darkreading.com)

• With Security Copilot, Microsoft brings the power of AI to cyber defence - Stories

• Compare breach and attack simulation vs. penetration testing | TechTarget

• Ignoring network automation is a ticking time bomb for security - Help Net Security

• Microsoft's ‘Security Copilot’ Sics ChatGPT on Security Breaches | WIRED

• Breaking the Mold: Pen Testing Solutions That Challenge the Status Quo (thehackernews.com)

• Diagnose your SME’s Cyber security and Scan for Recommendations — ENISA (europa.eu)

• Protect your entire business with the right authentication method - Help Net Security

• What Makes an Effective Anti-Bot Solution? - SecurityWeek

• Microsoft Defender is flagging legit URLs as malicious • The Register

• Managing security in the cloud through Microsoft Intune | CSO Online

• Top 5 SD-WAN Challenges and How to Prepare for Them | TechTarget

• Why Endpoint Resilience Matters - SecurityWeek

• The rise of biometrics and decentralized identity is a game-changer for identity verification - Help Net Security

• Organisations Reassess Cyber Insurance as Self-Insurance Strategies Emerge (darkreading.com)

• The best defence against cyber threats for lean security teams - Help Net Security

• World Backup Day is here again – 5 tips to keep your precious data safe – Naked Security (sophos.com)

• Overcoming obstacles to introduce zero-trust security in established systems - Help Net Security

• The foundation of a holistic identity security strategy - Help Net Security

• The CISO Mantra: Get Ready to Do More With Less (darkreading.com)

Reports Published in the Last Week

• Cyber security focus in second Digital Europe work programme – EURACTIV.com

• 2023 Ransomware Insights | Barracuda Networks

• 2023 State of Cloud Permissions Risks report now published - Microsoft Community Hub

Other News

• GoAnywhere Zero-Day Attack Hits Major Orgs - SecurityWeek

• Hackers changed tactics, went cross-platform in 2022, says Trend Micro | CSO Online

• WiFi protocol flaw allows attackers to hijack network traffic (bleepingcomputer.com)

• Microsoft OneNote will block 120 dangerous file extensions (bleepingcomputer.com)

• How CISOs Can Reduce the Danger of Using Data Brokers (darkreading.com)

• Tech Industry Bids to Tackle Cyber-Mercenary Epidemic - Infosecurity Magazine (infosecurity-magazine.com)

• How Does Data Literacy Enhance Data Security? (darkreading.com)

• Microsoft uses carrot and stick with Exchange Online admins • The Register

Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

·       Automotive

·       Construction

·       Critical National Infrastructure (CNI)

·       Defence & Space

·       Education & Academia

·       Energy & Utilities

·       Estate Agencies

·       Financial Services

·       FinTech

·       Food & Agriculture

·       Gaming & Gambling

·       Government & Public Sector (including Law Enforcement)

·       Health/Medical/Pharma

·       Hotels & Hospitality

·       Insurance

·       Legal

·       Manufacturing

·       Maritime

·       Oil, Gas & Mining

·       OT, ICS, IIoT, SCADA & Cyber-Physical Systems

·       Retail & eCommerce

·       Small and Medium Sized Businesses (SMBs)

·       Startups

·       Telecoms

·       Third Sector & Charities

·       Transport & Aviation

·       Web3

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Executive Summary

Cisco has supplied patches which address two high severity vulnerabilities within the Cisco NX-OS software, which runs on their Nexus line of switches. One vulnerability could allow an unauthenticated attacker to remotely cause denial of service to the device. A second vulnerability which also affects the Cisco FXOS, could cause an unauthenticated attacker to laterally execute code on the device, or cause denial of service to the device. Cisco also released a patch for a third high severity vulnerability within the Multi-Site Orchestrator product which could allow a remote, authenticated attacker to escalate privileges to administrator levels on affected devices.

What’s the risk to me or my business?

The first high vulnerability relates to the OSPFv3 feature, which is a routing protocol used in IPv6. As affected devices may be situated on the network perimeter and can be executed remotely, a denial of service could lead to downtime affecting availability of key network infrastructure across an organisation. It should be noted that this feature is disabled by default. The second high vulnerability could allow an attacker who already has access to the organisations network, to further compromise critical network infrastructure, resulting in a potential loss of confidentiality, integrity, and availability.  The third high vulnerability relating to the Multi-Site Orchestrator, which is used to interconnect and manage multiple locations under a single network, could allow an attacker who already has access to a non-privileged account, to escalate their privileges on affected devices, resulting in a potential loss of confidentiality, integrity and availability within the network.

What can I do?

Cisco has released software updates to address the vulnerabilities, which are available for download from their website, and should be applied in line with the organisations vulnerability management process to limit availability impact to the business. Regarding the OSPFv3 vulnerability, if that feature is not in use as it is disabled by default, then this vulnerability cannot be exploited.

Technical Summary

The following is a breakdown of the vulnerabilities with the affected Cisco products.

CVE-2022-20823: A remote denial of service vulnerability relating to the OSPFv3 feature of NX-OS, with a CVSS 3.0 rating of 8.6, which allows a malicious attacker to exploit incomplete input validation by sending a malicious OSPFv3 link-state advertisement (LSA) to an affected device, causing it to crash and restart multiple times which would cause the device to reload, resulting in a DoS condition. Affected devices:

·         Nexus 3000 Series Switches

·         Nexus 5500 Platform Switches

·         Nexus 5600 Platform Switches

·         Nexus 6000 Series Switches

·         Nexus 7000 Series Switches

·         Nexus 9000 Series Fabric Switches in ACI mode

·         Nexus 9000 Series Switches in standalone NX-OS mode

Further information on this specific vulnerability can be found here: Cisco NX-OS Software OSPFv3 Denial of Service Vulnerability

CVE-2022-20824: A remote arbitrary code execution vulnerability with a CVSS 3.0 rating of 8.8, which allows a malicious attacker who is on the same Layer 2 broadcast domain as the affected device (Layer 2 adjacent) to exploit an input validation vulnerability by sending a malicious Cisco Discovery Protocol packet to an affected device, allowing them to execute arbitrary code as the root user, or reload the device resulting in a DoS Condition. Affected devices:

·         Firepower 4100 Series

·         Firepower 9300 Security Appliances

·         MDS 9000 Series Multilayer Switches

·         Nexus 1000 Virtual Edge for VMware vSphere

·         Nexus 1000V Switch for Microsoft Hyper-V

·         Nexus 1000V Switch for VMware vSphere

·         Nexus 3000 Series Switches

·         Nexus 5500 Platform Switches

·         Nexus 5600 Platform Switches

·         Nexus 6000 Series Switches

·         Nexus 7000 Series Switches

·         Nexus 9000 Series Fabric Switches in ACI mode

·         Nexus 9000 Series Switches in standalone NX-OS mode

·         UCS 6200 Series Fabric Interconnects

·         UCS 6300 Series Fabric Interconnects

·         UCS 6400 Series Fabric Interconnects

Further information on this specific vulnerability can be found here: Cisco FXOS and NX-OS Software Cisco Discovery Protocol Denial of Service and Arbitrary Code Execution Vulnerability

CVE-2022-20921: A privilege escalation vulnerability with a CVSS 3.0 rating of 8.8, which allows an authenticated malicious attacker to exploit a vulnerability within the API implementation of Cisco ACI Multi-Site Orchestrator via a crafted HTTP request to elevate to administrator privileges on the affected product. It should be noted that after release 3.4, Cisco ACI MSO was renamed Cisco Nexus Dashboard Orchestrator (NDO), and Cisco NDO is not affected by this vulnerability.

Further information on this specific vulnerability can be found here: Cisco ACI Multi-Site Orchestrator Privilege Escalation Vulnerability

Need help understanding your gaps, or just want some advice? Get in touch with us.