Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

• Almost Half of Former Employees Say Their Passwords Still Work

An alarming number of organisations are not properly offboarding employees when they leave, especially in regard to passwords. In a new survey of 1,000 workers who had access to company passwords at their previous jobs, 47% admitted to using them after leaving the company.

According to the survey one in three respondents said they had been using the passwords for upwards of two years, which is a distressingly long time for organisations not to be aware of who is accessing those accounts and services.

When asked what they use the passwords for, 64% said to access their former email accounts and 44% to access company data. A concerning 10% of respondents said they were trying to disrupt company activities.

https://www.darkreading.com/edge-threat-monitor/almost-half-of-former-employees-say-their-passwords-still-work

• Efficient Risk Based Patch Management Means Eliminating Just 2% of Exposures Could Protect 90% of Critical Assets

A recent cyber security report analysed over 60 million security exposures, or weaknesses that could give an attacker access to systems. The report found that only 2% enabled attackers access to critical assets, while 75% of exposures along attack paths lead to “dead ends”. Further, the report shows that average organisations have 11,000 exploitable security exposures monthly, with techniques targeting credentials and permissions affecting 82% of organisations and exploits accounting for over 70% of all identified security exposures.

The report found that most security alerts were benign and did not lead to critical assets. By applying efficient risk based patch management and reducing unnecessary access to critical assets, organisations can mitigate a significant amount of risk. This isn’t a simple task however, for an organisation to be able to employ efficient risk based patch management it must have a sufficient level of cyber maturity and internal vulnerability scanning accompanied by a dynamic threat intelligence component.

https://www.infosecurity-magazine.com/news/eliminating-2-exposures-protect-90/

• Printers Pose Persistent Yet Overlooked Threat

A rash of printer-related vulnerabilities in 2023 have punctuated security expert warnings that printers continue to be a significant vulnerability within companies — especially as remote workers require printing resources or access to corporate printers. So far in 2023, Lexmark advised that a publicly available remote exploit had already targeted a code execution flaw in its printers, HP warned of a vulnerable firmware version on some of its enterprise printers, and Microsoft fixed three remote code execution vulnerabilities in its printer drivers.

Printers remain a likely soft spot in most companies’ attack surface area, particularly because they are not always part of a company’s asset management process and are often left out of security assessments and risk registers. Many organisations don’t know where their printers are, their security status, configuration, monitoring or logging activity. Research has shown that 67% of companies are worried about the risk home printers may pose and only 26% of information technology and cyber security professionals are confident in their organisation’s printing infrastructure security.

https://www.darkreading.com/vulnerabilities-threats/printers-pose-persistent-yet-overlooked-threat

• Employees Are as Likely as Cyber Criminals to Cause Cyber Incidents

Employees and cyber criminals cause similar numbers of data leakages. Kaspersky’s 2022 IT Security Economics survey found cyber-attacks caused 23% of data leakages, while employees caused a similar proportion, at 22%. The rise in employees causing leakages may be linked with more remote working since the pandemic, with new staff laptops, tablets, and virtual private networks (VPNs) featuring among the extra endpoints and systems needing security. Although innocent mistakes or ignoring cyber-security policy were behind most leakages, security managers reported 36% of employee-triggered leakages were deliberate acts of sabotage or espionage. The high number of cyber-incidents stemming from employee action shows all organisations need thorough cyber-security awareness training to teach all staff how to avoid common security mistakes.

https://www.independent.co.uk/news/business/business-reporter/employees-cyber-criminals-cyber-incidents-b2314225.html

• Over 90% of Organisations Find Threat Hunting a Challenge

Executing essential cyber security operations tasks during the threat hunting process is an increasingly challenging proposition to the vast majority of organisations, with 93% of those polled for a Sophos report saying they find basic security operations a chore.

In the report, “The state of cybersecurity 2023: The business impact of adversaries on defenders”, Sophos said these findings were likely the result of the ongoing cyber security skills shortage, which is creating a domino effect in security operations: a lack of skilled personnel makes investigating alerts take longer, which reduces the security team’s capacity and increases the organisation’s exposure to higher levels of risk.

Organisations that suffer the most are those with revenues of less than $10m (£8m), which are more likely to lack the necessary skillsets, followed by organisations with revenues of more than $5bn, where organisational and system complexity likely play a more prominent role.

https://www.computerweekly.com/news/365534612/Over-90-of-organisations-find-threat-hunting-a-challenge

• 75% of Organisations Have Suffered a Cyber Security Breach

Most organisations need stronger security controls to stop cyber security breaches and cyber attacks, according to “The Data Dilemma: Cloud Adoption and Risk Report” from security service edge (SSE) company Skyhigh Security. Key takeaways from the report include:

• 97% of organisations indicated they are experiencing private cloud problems.

• 75% have experienced a cyber security breach, threat and/or theft of data.

• 75% said shadow IT “impairs their ability to keep data secure.”

• 60% allow employees to download sensitive data to their personal devices.

• 52% noted their employees are using SaaS services that are commissioned by departments outside of IT and without direct involvement of their IT department.

• 37% said they do not trust the public cloud to secure their sensitive data.

https://www.msspalert.com/cybersecurity-research/skyhigh-security-report-75-of-organizations-have-suffered-a-cybersecurity-breach/

• Leak Shows Evolving Russian Cyber War Capabilities

The leak of thousands of pages of secret documentation related to the development of Moscow’s cyber and information operations capabilities paint a picture of a government obsessed with social control and committed to scaling their capacity for non-kinetic interference.

The leaked documents detail methods and training simulations intended to prepare an operator workforce for offensive operations against critical infrastructure targets. Tools revealed by these recent leaks suggest a desire and an ability to extensively map foreign vulnerabilities and make the job of Russia’s cyber conflict operators as accessible and scalable as possible.

This leak reinforces the significant concern regarding the threat posed by Russian cyber forces to firms across the globe.

https://www.csoonline.com/article/3692821/ntc-vulkan-leak-shows-evolving-russian-cyberwar-capabilities.html#tk.rss_news

• Outsourced Payroll and HR Services Firm Forced to Shut Down After Cyber Attack

Belgian headquartered HR and payroll giant SD Worx has suffered a cyber attack causing them to shut down all IT systems for their UK and Ireland services. While the login portals for other European countries are working correctly, the company's UK customer portal was not accessible. As a full-service human resources and payroll company, SD Worx manages a large amount of sensitive data for their client's employees.

According to the company's general conditions agreement, this data may include tax information, government ID numbers, addresses, full names, birth dates, phone numbers, bank account numbers, employee evaluations, and more.

https://www.bleepingcomputer.com/news/security/sd-worx-shuts-down-uk-payroll-hr-services-after-cyberattack/

• When a Cyber Criminal Steals Personal Data from Your Organisation What Do You Do and Who Do You Need to Inform?

If that happens it might be time for your management to clear their desks. The prospect of financial penalties and reputational damage is very real. You need to know your obligations — for instance, reporting the breach to applicable authorities and regulators within strict timeframes — understand the breach, and prioritise. Then you communicate and remedy. If you haven’t planned well, it’s going to be tough.

You need to understand the data breach. Who is affected — is it staff or customer data? What exactly have the cyber criminals accessed? Consider the type of information: salary details and passport copies, or customer payment information.

If personal data has been lost or compromised, you will likely have an obligation under data protection regulations to report the breach to your applicable data protection authority within 72 hours, and if you are a regulated business there will likely be similar requirements to report to your regulator within a similar timeframe. Knowing your obligations — ideally before any hack takes place — will guide how well you respond.

https://www.thetimes.co.uk/article/who-should-i-inform-after-a-data-hack-dcrzvgp2x

• Insider Threat and Ransomware: A Growing Issue

Ransomware is a growing epidemic. 2022 saw a slew of high-profile attacks leading to massive paydays for cyber criminals. Cyber criminals work just as hard to conceal their identities and location as they do to exploit weaknesses and capture valuable data to hold hostage. Organisations not only stand to lose money in this scenario, but the damage to their reputation and trustworthiness in the market can be challenging to recover from. Customers place high trust in the safety of their personal information, and it’s the company they hold accountable – not the thieves – if it slips into the wrong hands.

Even if you have good technical controls, the low-hanging fruit is capitalising on the human element and gaining entrance through a person within your organisation. Insider threats come in all shapes and sizes and roles, including employees, executives, former employees, board members, contractors, and service providers. Insider threats, by their very nature, pose a unique challenge for organisations.

https://informationsecuritybuzz.com/insider-threat-and-ransomware-a-growing-issue/

• How LockBit Changed Cyber Security Forever

LockBit are one of the most prolific ransomware gangs globally, accounting for almost half of ransomware attacks in 2022. They not only maintain a high profile, but they’ve also turned ransom monetisation upside down. Thanks to their innovative approach, the group has claimed 44% of total ransomware attacks launched in 2022. LockBit made history by launching the industry’s first bug bounty program initiated by a ransomware group. The operation invites security experts to uncover vulnerabilities and report them for rewards ranging from $1,000 to a staggering $1 million. This has since been expanded and now offers bounties for creative ways to enhance ransomware operations.

https://securityintelligence.com/articles/how-lockbit-changed-cybersecurity/

• Hybrid Work Environments Are Stressing CISOs

The impact of the hybrid workforce on security posture, as well as the risks introduced by this way of working, are posing concerns for CISOs and driving them to develop new strategies for hybrid work security, according to a new report.

Among the report’s most critical findings is the revelation that browsing-based threats ranked as CISOs’ number one concern, regardless of whether their organisation was operating primarily in an in-office, hybrid, or remote setting.

And as for the risks posed by hybrid and remote workers specifically, insecure browsing also topped the list of CISOs’ concerns.

https://www.helpnetsecurity.com/2023/04/12/hybrid-work-environments-stressing-cisos/

• Protect Your Data with a USB Condom

USB isn't just a charging protocol, it also allows data to flow back and forth, and while most of the time this data flow is safe, it is possible to create a malicious charging port that can do bad things, such as plant malware on your device or steal your data. Equally, an employee plugging their personal phone into a corporate USB port may present a danger to the corporate network through the phone. A USB condom is a small dongle that adds a layer of protection between your device and the charging point you're attaching it to by blocking the data being transferred through the port. If you must use a charger, cable, or charging port that isn't under your control, it makes sense to use a USB condom.

https://www.zdnet.com/article/protect-your-data-with-a-usb-condom/

• Strategising Cyber Security: Why a Risk-based Approach is Key

By 2027, cyber crime could cost the global economy nearly $24 trillion. Businesses often find themselves at the sharp end of this challenge, and, as such, cyber security is a critical aspect of the modern business landscape. Cyber threats are multiplying and pose serious financial, legal and reputational challenges to organisations.

Modern and effective cyber security management entails more than managing technology risk; it encompasses managing business risk. Organisations must recognise cyber security as a strategic imperative integrated into their overall risk management framework — and this starts at the board level.  In some cases, board members may find it beneficial to seek help in assessing appropriate levels of control.

https://www.weforum.org/agenda/2023/04/strategizing-cybersecurity-why-a-risk-based-approach-is-key/

Threats

Ransomware, Extortion and Destructive Attacks

• Microsoft Issues Patches for 97 Flaws, Including Active Ransomware Exploit (thehackernews.com)

• Microsoft patches vulnerability used in Nokoyawa ransomware attacks | CSO Online

• How LockBit Changed Cyber security Forever (securityintelligence.com)

• Iran-Based Hackers Caught Carrying Out Destructive Attacks Under Ransomware Guise (thehackernews.com)

• Insider Threat And Ransomware: A Growing Issue (informationsecuritybuzz.com)

• Rorschach ransomware deployed by misusing a security tool - Help Net Security

• Medusa ransomware claims attack on Open University of Cyprus (bleepingcomputer.com)

• Cyble — New Cylance Ransomware with Power-Packed CommandLine Options

• Taiwanese PC Company MSI Falls Victim to Ransomware Attack (thehackernews.com)

• KFC, Pizza Hut owner discloses data breach after ransomware attack (bleepingcomputer.com)

• 7 Things Your Ransomware Response Playbook Is Likely Missing (darkreading.com)

• Cyber crime group exploits Windows zero-day in ransomware attacks-Security Affairs

• Windows zero-day vulnerability exploited in ransomware attacks (bleepingcomputer.com)

• Ransomware gangs increasingly deploy zero-days to maximize attacks | CyberScoop

• Latitude Financial Refuses to Pay Ransom - Infosecurity Magazine (infosecurity-magazine.com)

• Superyacht-Maker Hit by Easter Ransomware Attack - Infosecurity Magazine (infosecurity-magazine.com)

Phishing & Email Based Attacks

• Microsoft: Phishing attack targets accountants as Tax Day approaches (bleepingcomputer.com)

• Researchers Uncover Thriving Phishing Kit Market on Telegram Channels (thehackernews.com)

• Phishing Campaign Targeting YouTube Content Creators, Malware Hitting Charging Stations - MSSP Alert

BEC – Business Email Compromise

• 'BEC 3.0' Is Here with Tax-Season QuickBooks Cyber attacks (darkreading.com)

Other Social Engineering; Smishing, Vishing, etc

• Simple psychology is the most dangerous form of cyber attack (thetimes.co.uk)

2FA/MFA

• Comparing enabled and enforced MFA in Microsoft 365 | TechTarget

• Rilide browser extension steals MFA codes - Help Net Security

Malware

• New Mirai Variant Employs Uncommon Tactics to Distribute Malware (darkreading.com)

• Typhon Reborn Stealer Malware Resurfaces with Advanced Evasion Techniques (thehackernews.com)

• BlackGuard Stealer Extends its Capabilities in New Variant - MSSP Alert

• Check Point Software Technologies: Qbot Top Malware in March 2023 - MSSP Alert

• Cryptocurrency Stealer Malware Distributed via 13 NuGet Packages (thehackernews.com)

• DEV-0196: QuaDream’s “KingsPawn” malware used to target civil society in Europe, North America, the Middle East, and Southeast Asia - Microsoft Security Blog

• Attackers Hide RedLine Stealer Behind ChatGPT, Google Bard Facebook Ads (darkreading.com)

• Microsoft shares guidance to detect BlackLotus UEFI bootkit attacks (bleepingcomputer.com)

• Researchers Uncover 7000 Malicious Open Source Packages - Infosecurity Magazine (infosecurity-magazine.com)

• Microsoft, Fortra Gains Legal Rights Against Cobalt Strike Abuse (informationsecuritybuzz.com)

• Emotet Climbs March 2023's Most Wanted Malware List With OneNote Campaign - Infosecurity Magazine (infosecurity-magazine.com)

• Legion Malware Marches onto Web Servers to Steal Credentials, Spam Mobile Users (darkreading.com)

• WhatsApp boosts defence against account takeover via malware (bleepingcomputer.com)

Mobile

• Protect your data with a USB condom | ZDNET

• FBI warns about dangers of public USB charging ports | Popular Science (popsci.com)

• Researchers Uncover Thriving Phishing Kit Market on Telegram Channels (thehackernews.com)

• Android phones vulnerable to remote hacking — update right now | Tom's Guide (tomsguide.com)

• Burglars tunnel through Apple Store’s neighbour, allegedly steal $500K in iPhones | Ars Technica

• 5G connections set to rise past 5.9 billion by 2027 - Help Net Security

• Cyber criminals To Add Android Malware On Google Play Up To $20,000 (informationsecuritybuzz.com)

• Cyber criminals Turn to Android Loaders on Dark Web to Evade Google Play Security (thehackernews.com)

• Israel-based Spyware Firm QuaDream Targets High-Risk iPhones with Zero-Click Exploit (thehackernews.com)

• WhatsApp boosts defence against account takeover via malware (bleepingcomputer.com)

Denial of Service/DoS/DDOS

• Hackers Flood NPM with Bogus Packages Causing a DoS Attack (thehackernews.com)

• DDoS attacks shifting to VPS infrastructure for increased power (bleepingcomputer.com)

• DDoS threat report for 2023 Q1 (cloudflare.com)

• DDoS alert traffic reaches record-breaking level of 436 petabits in one day - Help Net Security

• DDoS attacks rise as pro-Russia groups attack Finland, Israel (techrepublic.com)

Internet of Things – IoT

• Printers Pose Persistent Yet Overlooked Threat (darkreading.com)

• There’s a new form of keyless car theft that works in under 2 minutes | Ars Technica

• Special Report: Tesla workers shared sensitive images recorded by customer cars | Reuters

• Default static key in ThingsBoard IoT platform can give attackers admin access | CSO Online

• 5G connections set to rise past 5.9 billion by 2027 - Help Net Security

• New Ultrasonic Acoustic Attack Targeting Microphones and Voice Assistants Gives Remote Access to Most Smart Devices - The Debrief

• Zigbee PRO 2023 introduces new security mechanisms, feature enhancements - Help Net Security

• Critical Vulnerability in Hikvision Storage Solutions Exposes Video Security Data - SecurityWeek

Data Breaches/Leaks

• Samsung employees unwittingly leaked company secret data by using ChatGPT-Security Affairs

• Cloud accounting firm in a pickle after researchers find admin login data | TechRadar

• Service NSW breach exposes personal data affecting thousands of customers | 7NEWS

• Leaked n documents provide rare window into depth of US intelligence on allies and foes | CNN Politics

• Military Intel Leak Investigated By US Officials (informationsecuritybuzz.com)

• Hyundai data breach exposes owner details in France and Italy (bleepingcomputer.com)

• Over 20,000 Iowa Medicaid Members Affected By Data Breach - Infosecurity Magazine (infosecurity-magazine.com)

Organised Crime & Criminal Actors

• Criminal businesses adopt corporate behaviour as they grow - Help Net Security

• Seized Genesis malware market's infostealers infected 1.5 million computers | CSO Online

• Breached shutdown sparks migration to ARES data leak forums (bleepingcomputer.com)

• FBI: Crooks posing as PRC agents prey on Chinese in the US • The Register

• 5 Types of Cyber Crime Groups (trendmicro.com)

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

• Sentiment DeFi Hacker Makes Amends by Returning 90% of Funds (beincrypto.com)

• Cryptocurrency Stealer Malware Distributed via 13 NuGet Packages (thehackernews.com)

• EU-Funded Report Calls for Crypto ID Checks, Police Training to Combat Darknet Markets (coindesk.com)

Insider Risk and Insider Threats

• Employees are as likely as cyber-criminals to cause cyber-incidents | The Independent

• Cyber criminals use simple trick to obtain personal data - Help Net Security

• Nearly Half of Workers Pilfer Former Employers’ Passwords to Access Accounts, Study Says - MSSP Alert

• Insider Threat And Ransomware: A Growing Issue (informationsecuritybuzz.com)

• Building a human firewall to block cyber attacks | McKinsey

• How to Combat Insider Threats-Security Affairs

Fraud, Scams & Financial Crime

• FBI warns of companies exploiting sextortion victims for profit (bleepingcomputer.com)

• Cambodia deports 19 Japanese cyber crime scam suspects | News | Al Jazeera

• ‘Overemployed’ Hustlers Exploit ChatGPT To Take On Even More Full-Time Jobs (vice.com)

• When Banking Laws Don't Protect Consumers From Cybertheft (darkreading.com)

• AI clones child’s voice in fake kidnapping scam | The Independent

• Five arrested after 33,000 victims lose $98M to online investment fraud (bleepingcomputer.com)

• Stolen Card Numbers Plummet 94% Globally - Infosecurity Magazine (infosecurity-magazine.com)

Supply Chain and Third Parties

• 3CX confirms North Korean hackers behind supply chain attack (bleepingcomputer.com)

• Capita: IT outsourcer reels from being locked out of its own IT (thetimes.co.uk)

Cloud/SaaS

• Western Digital struggles to fix massive My Cloud outage, offers workaround (bleepingcomputer.com)

• Nation-state actors are taking advantage of weak passwords to go after cloud customers, Google says | CyberScoop

• Microsoft Azure Users Warned of Potential Shared Key Authorization Abuse - SecurityWeek

• How and Why to Put Multicloud to Work (darkreading.com)

• Iranian APT group launches destructive attacks in hybrid Azure AD environments | CSO Online

• Cloud accounting firm in a pickle after researchers find admin login data | TechRadar

• Securing the Chaos – Harnessing Dispersed Multi-Cloud, Hybrid Environments - SecurityWeek

Hybrid/Remote Working

• 4 ways to secure your remote work setup | ZDNET

• Hybrid work environments are stressing CISOs - Help Net Security

• ‘Overemployed’ Hustlers Exploit ChatGPT To Take On Even More Full-Time Jobs (vice.com)

Attack Surface Management

• How to Secure Web Applications in a Growing Digital Attack Surface (bleepingcomputer.com)

• The new weakest link in the cyber security chain - Help Net Security

Shadow IT

• How to use a CASB to manage shadow IT | TechTarget

Identity and Access Management

• Identity Management Day: 3 Things MSSPs Need to Know - MSSP Alert

• Centralized vs. decentralized identity management explained | TechTarget

• The Service Accounts Challenge: Can't See or Secure Them Until It's Too Late (thehackernews.com)

Encryption

• The UK government has sparked an encryption row over powers it might never use | Financial Times (ft.com)

• Why the US Needs Quantum-Safe Cryptography Deployed Now (darkreading.com)

API

• How to fix the top 5 API vulnerabilities | TechTarget

• Google launches dependency API and curated package repository with security metadata | CSO Online

• Why Shadow APIs are More Dangerous than You Think (thehackernews.com)

Open Source

• Researchers Uncover 7000 Malicious Open Source Packages - Infosecurity Magazine (infosecurity-magazine.com)

Passwords, Credential Stuffing & Brute Force Attacks

• Almost Half of Former Employees Say Their Passwords Still Work (darkreading.com)

• LastPass Breach Reveals Important Lessons (darkreading.com)

• Why it's time to move towards a passwordless future - Help Net Security

• AI can crack most password in less than a minute | TechRadar

• How an AI tool could crack your passwords in seconds | ZDNET

• Meet PassGAN, the supposedly “terrifying” AI password cracker that’s mostly hype | Ars Technica

Social Media

• Tech layoffs raise new alarms about how platforms protect users | CNN Business

Malvertising

• Attackers Hide RedLine Stealer Behind ChatGPT, Google Bard Facebook Ads (darkreading.com)

Training, Education and Awareness

• How to transform cyber security learning and make content more engaging - Help Net Security

Regulations, Fines and Legislation

• Lagging regulations frustrate protecting data from cyber attacks (themandarin.com.au)

• The UK government has sparked an encryption row over powers it might never use | Financial Times (ft.com)

• Battle could be brewing over new FCC data breach reporting rules | CSO Online

• When Banking Laws Don't Protect Consumers From Cyber Theft (darkreading.com)

Governance, Risk and Compliance

• Employees are as likely as cyber-criminals to cause cyber-incidents | The Independent

• Skyhigh Security Report: 75% of Organizations Have Suffered a Cyber security Breach - MSSP Alert

• Strategising cyber security: Why a risk-based approach is key | World Economic Forum (weforum.org)

• Who should I inform after a data hack? (thetimes.co.uk)

• Two-Fifths of IT Pros Told to Keep Breaches Quiet - Infosecurity Magazine (infosecurity-magazine.com)

• Outcome-based cyber security paves way for organizational goals - Help Net Security

• Why reporting an incident only makes the cyber security community stronger | CSO Online

• 6 common challenges facing cyber security teams and how to overcome them | TechCrunch

• Top 10 Cyber security Trends for 2023: From Zero Trust to Cyber Insurance (thehackernews.com)

• Most Security Exposures Do Not Put Organizations' Critical Assets At Risk, Study Shows - MSSP Alert

• Threat hunting programs can save organizations from costly security breaches - Help Net Security

• LastPass Breach Reveals Important Lessons (darkreading.com)

• Gartner: Human-Centric Design Is Top Cyber Security Trend for 2023 (darkreading.com)

Law Enforcement Action and Take Downs

• Seized Genesis malware market's infostealers infected 1.5 million computers | CSO Online

• Spanish cops arrest teenage 'Robin Hood hacker' • The Register

• Australia Is Scouring the Earth for Cyber criminals — the US Should Too (darkreading.com)

• Cambodia deports 19 Japanese cyber crime scam suspects | News | Al Jazeera

• Dutch Police mails RaidForums members to warn they’re being watched (bleepingcomputer.com)

• Five arrested after 33,000 victims lose $98M to online investment fraud (bleepingcomputer.com)

Privacy, Surveillance and Mass Monitoring

• Tesla Sued Over Workers' Alleged Access to Car Video Imagery - SecurityWeek

• Consumers take data control into their own hands amid rising privacy concerns - Help Net Security

Artificial Intelligence

• 5 ChatGPT security risks in the enterprise | TechTarget

• Samsung employees unwittingly leaked company secret data by using ChatGPT - Security Affairs

• Cyber crime: be careful what you tell your chatbot helper… | Chatbots | The Guardian

• US cyber chiefs warn of threats from China and AI • The Register

• When you're talking to a chatbot, who's listening? | CNN Business

• Bad Actors Will Use Large Language Models — but Defenders Can, Too (darkreading.com)

• Fight AI With AI (darkreading.com)

• American investors shouldn’t be ‘arming the enemy’ by helping China create its own version of OpenAI, warns top VC Keith Rabois (yahoo.com)

• GPT-4 tried to escape into the internet today and it ‘almost worked’ | by Cezary Gesikowski | Mar, 2023 | Bootcamp (uxdesign.cc)

• It sounds like science fiction but it’s not: AI can financially destroy your business | Gene Marks | The Guardian

• AI can crack most password in less than a minute | TechRadar

• ‘Overemployed’ Hustlers Exploit ChatGPT To Take On Even More Full-Time Jobs (vice.com)

• AI clones child’s voice in fake kidnapping scam | The Independent

• European privacy watchdog creates ChatGPT task force | Reuters

Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine

• Russian hackers linked to widespread attacks targeting NATO and EU (bleepingcomputer.com)

• NTC Vulkan leak shows evolving Russian cyberwar capabilities | CSO Online

• What we know about Russian hackers — and how to stop them — after a year of cyberwar in Ukraine | CyberScoop

• The Discord servers at the center of a massive US intelligence leak | CyberScoop

• Cisco trashed offices and destroyed spares as it quit Russia • The Register

• Another zero-click Apple spyware biz shows up in town again • The Register

• Ukrainian hackers spend $25,000 of pro-Russian blogger's money on sex toys (bitdefender.com)

• DDoS attacks rise as pro-Russia groups attack Finland, Israel (techrepublic.com)

• Russian Hacker Group Zarya Hit Canadian Pipeline—Leaked Docs (gizmodo.com)

• Experts warn of new spyware threat targeting journalists and political figures | Hacking | The Guardian

• Russia's Joker DPR Claims Access to Ukraine Troop Movement Data (darkreading.com)

• Spyware Offered to Cyber attackers via PyPI Python Repository (darkreading.com)

• Russian hackers ‘target security cameras inside Ukraine coffee shops’ | Ukraine | The Guardian

• Russian attacks on Ukrainian infrastructure cause internet outages, cutting off a valuable wartime tool | CyberScoop

• Israel-based Spyware Firm QuaDream Targets High-Risk iPhones with Zero-Click Exploit (thehackernews.com)

Nation State Actors

• Russia-linked APT29 is behind recent attacks targeting NATO and EU-Security Affairs

• North Korean Hackers Uncovered as Mastermind in 3CX Supply Chain Attack (thehackernews.com)

• Nation-state actors are taking advantage of weak passwords to go after cloud customers, Google says | CyberScoop

• Iran-Based Hackers Caught Carrying Out Destructive Attacks Under Ransomware Guise (thehackernews.com)

• US cyber chiefs warn of threats from China and AI • The Register

• Ukrainian hackers spend $25,000 of pro-Russian blogger's money on sex toys (bitdefender.com)

• American investors shouldn’t be ‘arming the enemy’ by helping China create its own version of OpenAI, warns top VC Keith Rabois (yahoo.com)

• Google is on a crusade against cyber security threats from North Korea | TechRadar

• Russian Hacker Group Zarya Hit Canadian Pipeline—Leaked Docs (gizmodo.com)

• Iranian APT group launches destructive attacks in hybrid Azure AD environments | CSO Online

• Leaked US. assessment includes warning about Russian hackers accessing sensitive infrastructure (nbcnews.com)

• FBI: Crooks posing as PRC agents prey on Chinese in the US • The Register

• Lazarus Group's DeathNote Campaign Reveals Shift in Targets - Infosecurity Magazine (infosecurity-magazine.com)

Vulnerability Management

• Eliminating 2% of Exposures Could Protect 90% of Critical Assets - Infosecurity Magazine (infosecurity-magazine.com)

• Most Security Exposures Do Not Put Organizations' Critical Assets At Risk, Study Shows - MSSP Alert

• Ransomware gangs increasingly deploy zero-days to maximize attacks | CyberScoop

• Google Launches New Cyber security Initiatives to Strengthen Vulnerability Management (thehackernews.com)

Vulnerabilities

• Microsoft Issues Patches for 97 Flaws, Including Active Ransomware Exploit (thehackernews.com)

• Windows admins warned to patch critical MSMQ QueueJumper bug (bleepingcomputer.com)

• Nokoyawa ransomware attacks with Windows zero-day | Securelist

• Thousands at risk from critical RCE bug in legacy MS service | Computer Weekly

• Apple issues emergency patches for spyware-style 0-day exploits – update now! – Naked Security (sophos.com)

• 1M+ WordPress Sites Hacked via Zero-Day Plug-in Bugs (darkreading.com)

• Sophos Patches Critical Code Execution Vulnerability in Web Security Appliance - SecurityWeek

• Cisco Patches Code and Command Execution Vulnerabilities in Several Products - SecurityWeek

• CISA orders agencies to patch Backup Exec bugs used by ransomware gang (bleepingcomputer.com)

• CISA Adds Two Known Exploited Vulnerabilities to Catalog | CISA

• Data-leak flaw in Qualcomm, HiSilicon-based Wi-Fi AP chips • The Register

• Twitter 'Shadow Ban' Bug Gets Official CVE (darkreading.com)

• Exploit available for critical bug in VM2 JavaScript sandbox library (bleepingcomputer.com)

• Microsoft finally gets around to fixing half-decade-old Firefox CPU bug | TechRadar

• SAP releases security updates for two critical-severity flaws (bleepingcomputer.com)

• Adobe Plugs Gaping Security Holes in Reader, Acrobat - SecurityWeek

• Limit Login Attempts Plugin Patches Severe Unauthenticated Stored XSS Vulnerability – WP Tavern

• Fortinet Patches Critical Vulnerability in Data Analytics Solution - SecurityWeek

• How Microsoft’s Shared Key authorization can be abused and how to fix it | CSO Online

• Microsoft shares fix for Outlook issue blocking access to emails (bleepingcomputer.com)

• Critical Vulnerability in Hikvision Storage Solutions Exposes Video Security Data - SecurityWeek

Tools and Controls

• Threat hunting programs can save organizations from costly security breaches - Help Net Security

• Stopping criminals from abusing security tools - Microsoft On the Issues

• Most Security Exposures Do Not Put Organizations' Critical Assets At Risk, Study Shows - MSSP Alert

• LastPass Breach Reveals Important Lessons (darkreading.com)

• The Pope's Security Gets a Boost With Vatican's MDM Move (darkreading.com)

• Bad Actors Will Use Large Language Models — but Defenders Can, Too (darkreading.com)

• Fight AI With AI (darkreading.com)

• Cyber crime: be careful what you tell your chatbot helper… | Chatbots | The Guardian

• Detailed Analysis Of The Best Password Managers In 2023 (informationsecuritybuzz.com)

• How CIEM Can Improve Identity, Permissions Management for Multicloud Deployments (darkreading.com)

• SD-WAN vs. VPN: How do they compare? | TechTarget

• Centralized vs. decentralized identity management explained | TechTarget

• The Service Accounts Challenge: Can't See or Secure Them Until It's Too Late (thehackernews.com)

• What is an Intrusion Prevention System (IPS)? (techtarget.com)

• Securing the Chaos – Harnessing Dispersed Multi-Cloud, Hybrid Environments - SecurityWeek

• How to Secure Web Applications in a Growing Digital Attack Surface (bleepingcomputer.com)

• 4 strategies to help reduce the risk of DNS tunnelling | CSO Online

Reports Published in the Last Week

• DDoS threat report for 2023 Q1 (cloudflare.com)

Other News

• MSI Confirms Cyber Attack, Issues Firmware Download Guidance - SecurityWeek

• Guidance for investigating attacks using CVE-2022-21894: The BlackLotus campaign - Microsoft Security Blog

• 1M+ WordPress Sites Hacked via Zero-Day Plug-in Bugs (darkreading.com)

• Western Digital restores service; attack details remain unclear | TechTarget

• 5 tips for tackling technical debt | CIO

• The Internet Reform Trilemma (darkreading.com)

• Rapid7 Has Good News for UK Security Posture - Infosecurity Magazine (infosecurity-magazine.com)

Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

·       Automotive

·       Construction

·       Critical National Infrastructure (CNI)

·       Defence & Space

·       Education & Academia

·       Energy & Utilities

·       Estate Agencies

·       Financial Services

·       FinTech

·       Food & Agriculture

·       Gaming & Gambling

·       Government & Public Sector (including Law Enforcement)

·       Health/Medical/Pharma

·       Hotels & Hospitality

·       Insurance

·       Legal

·       Manufacturing

·       Maritime

·       Oil, Gas & Mining

·       OT, ICS, IIoT, SCADA & Cyber-Physical Systems

·       Retail & eCommerce

·       Small and Medium Sized Businesses (SMBs)

·       Startups

·       Telecoms

·       Third Sector & Charities

·       Transport & Aviation

·       Web3

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

• Why It’s Mission-Critical That All-Sized Businesses Stay Cyber Secure

A study analysing millions of emails across thousands of companies found that on average, employees of small businesses with less than 100 employees experience 350% more social engineering attacks than employees of larger enterprises. 57% of these are phishing attacks – the most prevalent social engineering attack of 2021.

Add to the mix that the global average cost of a data breach for businesses has skyrocketed. According to IBM Security’s annual Cost of a Data Breach Report, the average global cost is now a phenomenal $4.35 million.

Generally, larger corporations tend to have bigger security budgets, making them less of a target than smaller businesses with lesser budgets, and as such, more attractive to cyber criminals. This means that for small and medium-sized enterprises (SMEs) – with fewer resources and money – protection from cyber-attacks is now a matter of survival.

Ease of attack is not the only reason why criminals attack SMEs either. SMEs are often an entry point to target bigger organisations within the same supply chain. These larger corporations can either be crucial partners, suppliers, or customers, making SMEs prime targets.

But with efficient cyber security measures, every business regardless of size can keep themselves and their network safe.

https://informationsecuritybuzz.com/articles/why-its-mission-critical-that-all-sized-businesses-stay-cyber-secure/

• Half of Firms Report Supply Chain Ransomware Compromise

Over half (52%) of global organisations know a partner that has been compromised by ransomware, yet few are doing anything to improve the security of their supply chain, according to Trend Micro.

The security vendor polled nearly 3,000 IT decision makers across 26 countries to produce its latest report, ‘Everything is connected: Uncovering the ransomware threat from global supply chains’.

It revealed that 90% of global IT leaders believe their partners and customers are making their own organisation a more attractive ransomware target.

That might be down in part to the fact that SMBs comprise a significant chunk of the supply chain for 52% of respondents. The security of SMBs is generally thought to be less effective than protection in larger, better resourced companies.

However, despite their concerns, less than half (47%) of respondents said they share knowledge about ransomware attacks with their suppliers, while a quarter (25%) claimed they don’t share potentially useful threat information with partners.

https://www.infosecurity-magazine.com/news/half-firms-supply-chain-ransomware/

• Vulnerability Exploits, Not Phishing, Are the Top Cyber Attack Vector for Initial Compromise

Breaches involving phishing and credential compromise have received a lot of attention in recent years because of how frequently threat actors have employed the tactics in executing both targeted and opportunistic attacks. But that doesn't mean that enterprise organisations can afford to lessen their focus on vulnerability patching one bit.

A report from Kaspersky this week identified more initial intrusions last year resulting from exploitation of vulnerabilities in Internet-facing applications than breaches involving malicious emails and compromised accounts combined. And data that the company has collected through the second quarter of 2022 suggests the same trend might be playing out this year as well.

Kaspersky's analysis of its 2021 incident-response data showed that breaches involving vulnerability exploits surged from 31.5% of all incidents in 2020 to 53.6% in 2021. Over the same period, attacks associated with the use of compromised accounts to gain initial access declined from 31.6% in 2020 to 17.9% last year. Initial intrusions resulting from phishing emails decreased from 23.7% to 14.3% during the same period.

https://www.darkreading.com/vulnerabilities-threats/vulnerability-exploits-phishing-top-attack-vector-initial-compromise

• Uber’s Ex-Security Chief Faces Landmark Trial Over Data Breach That Hit 57m Users

Uber’s former security officer, Joe Sullivan, is standing trial this week in what is believed to be the first case of an executive facing criminal charges in relation to a data breach.

The US district court in San Francisco will start hearing arguments on whether Sullivan, the former head of security at the ride-share giant, failed to properly disclose a 2016 data breach affecting 57 million Uber riders and drivers around the world.

At a time when reports of ransomware attacks have surged and cyber security insurance premiums have risen, the case could set an important precedent regarding the culpability of US security staffers and executives for the way the companies they work for handle cyber security incidents.

The breach first came to light in November 2017, when Uber’s chief executive, Dara Khosrowshahi, revealed that hackers had gained access to the driver’s licence numbers of 600,000 US Uber drivers as well as the names, email addresses and phone numbers of as many as 57 million Uber riders and drivers.

Public disclosures like Khosrowshahi’s are required by law in many US states, with most regulations mandating that the notification be made “in the most expedient time possible and without unreasonable delay”.

But Khosrowshahi’s announcement came with an admission: a whole year had passed since the information had been breached.

https://www.theguardian.com/technology/2022/sep/06/uber-joe-sullivan-trial-security-data-breach

• Over 10% of Enterprise IT Assets Found With Missing Endpoint Protection

More than 10% of enterprise IT assets are missing endpoint protection and roughly 5% are not covered by enterprise patch management solutions.

The figures come from new research by Sevco Security, which the company has compiled in the State of the Cybersecurity Attack Surface report.

"Attackers are very adept at exploiting enterprise vulnerabilities. Security and IT teams already have their hands full mitigating the vulnerabilities that they know about, and our data confirms that this is just the tip of the iceberg," Sevco told Infosecurity Magazine.

The document analyses data aggregated from visibility into more than 500,000 IT assets, and underlines existential and underreported cyber security issues in relation to securing enterprises’ assets.

“The uncertainty of enterprise inventory – the elements that make up an organisation’s cyber security attack surface – upends the foundation of every major security framework and presents a challenge to security teams: it’s impossible to protect what you can’t see,” they said.

For instance, the data found that roughly 3% of all IT assets are “stale” in endpoint protection, while 1% are stale from the perspective of patch management coverage.

https://www.infosecurity-magazine.com/news/enterprise-assets-miss-endpoint/

• Some Employees Aren't Just Leaving Companies — They're Defrauding Them

Since the Great Resignation in 2021, millions of employees have left their roles with current employers in search of better ones. According to Microsoft, 40% of employees reported they are considering leaving their current roles by the end of 2022. With many still working in remote or hybrid positions due to the pandemic, larger businesses have started implementing measures to gain a better understanding of employee morale and sentiment to prevent turnover.

While most employees leave companies on good terms, some may become extremely unhappy or disgruntled prior to their departure and are more likely to defraud the company either before leaving or on their way out the door. The unfortunate reality is that no business is immune to fraud, but luckily, there are several steps you can take to prevent it from happening.

According to the Cressey Fraud Triangle, fraudulent behaviour often occurs due to three contributing factors. These include pressure or motive to commit a fraud (usually a personal financial problem), perceived opportunity within the organisation to commit a fraud (poor oversight or internal controls), and rationalisation (the ability to justify the crime to make it seem acceptable).

Very often, a fraudster needs all three sides of the triangle to successfully commit a crime. Therefore, it is extremely important for organisations to do their best to create controls and understand the risk associated with each of these areas. For example, an employee may be disgruntled and also have personal financial issues. However, if internal controls are robust and the employee doesn't have access to financial instruments, valuable assets or software systems, their ability to defraud the company is extremely limited or will get identified immediately.

https://www.darkreading.com/vulnerabilities-threats/some-employees-aren-t-just-leaving-companies-they-re-defrauding-them

• Ransomware Gangs Switching to New Intermittent Encryption Tactic

A growing number of ransomware groups are adopting a new tactic that helps them encrypt their victims' systems faster while reducing the chances of being detected and stopped.

This tactic is called intermittent encryption, and it consists of encrypting only parts of the targeted files' content, which would still render the data unrecoverable without using a valid decryption key.

For example, by skipping every other 16 bytes of a file, the encryption process takes almost half of the time required for full encryption but still locks the contents for good.

Additionally, because the encryption is milder, automated detection tools that rely on detecting signs of trouble in the form of intense file IO operations are more likely to fail.

SentinelLabs has posted a report examining a trend started by LockFile in mid-2021 and now adopted by the likes of Black Basta, ALPHV (BlackCat), PLAY, Agenda, and Qyick.

These groups actively promote the presence of intermittent encryption features in their ransomware family to entice affiliates to join the RaaS operation.

"Notably, Qyick features intermittent encryption, which is what the cool kids are using as you read this. Combined with the fact that is written in Go, the speed is unmatched," describes a Qyick advertisement on hacking forums.

https://www.bleepingcomputer.com/news/security/ransomware-gangs-switching-to-new-intermittent-encryption-tactic/

• How Posting Personal and Business Photos Can Be a Security Risk

Image geotags, metadata, and location information can allow competitors, cyber criminals, and even nation-state threat actors to gain knowledge they can use against organisations.

Marketers in every industry enjoy evidencing their reach to their superiors and providing tangible examples of their width and breadth of influence via social networks, media, and other means of engagement. Photos of both customers and employees engaging at hosted social events, trade shows, conferences, and direct one-on-one encounters are often viewed as gold. Couple this with the individual employee’s or customer’s photos working their way onto social network platforms for others to see and admire, and the value of that gold increases, success being quantified by impressions, views and individual engagements.

The value of that gold doubles when not only does the company harvest data and call it a success, but their competitors also analyse such photos capturing a plethora of useful data points, including geotagged data, metadata of the photo, and identity of the individuals caught in the frame. They, too, call it a success. Yes, the digital engagement involving location data and or location hints within photos is a double-edged sword.

It isn’t just competitors who harvest the data. Criminal elements and nation-state intelligence and security elements do as well. Francis Bacon’s adage, “Knowledge itself is power,” applies. With location, time and place, and identity, competitors, criminals, and nation-states are given their initial tidbits of openly acquired information from which to begin to build their mosaic. 

https://www.csoonline.com/article/3672869/how-posting-personal-and-business-photos-can-be-a-security-risk.html#tk.rss_news

• Your Vendors Are Likely Your Biggest Cyber Security Risk

As speed of business increases, more and more organisations are looking to either buy companies or outsource more services to gain market advantage. With organisations expanding their vendor base, there is a critical need for holistic third-party risk management (TPRM) and comprehensive cyber security measures to assess how much risk vendors pose.

While organisations assess and manage risk on a multitude of layers, none present bigger threats to business resiliency than third-party risk and a lack of robust cyber security controls. Breaches and service interruptions tied to these risk areas have brought down critical systems of major organisations. In 2021, 53% of CISOs surveyed by Black Kite reported being hit by at least one ransomware attack.

It bears repeating: Cyber security and third-party risk are the two biggest problems facing your long-term viability. Businesses need to be able to tackle these risk vectors individually to gain a complete view of their risk profile. A cross-functional process is essential to managing the overlap between these risk areas to better protect your organisation and increase workflow efficiency.

Ensuring that the cyber security practices of your vendors align with your organisation’s standards is critical to safeguarding your systems and data. In fact, it is just as important as how stable the business is or how well it delivers products and services.

https://www.helpnetsecurity.com/2022/09/05/vendors-cybersecurity-risk/

• A Recent Chinese Hack Is a Wake-up Call for the Security of the World’s Software Supply Chain

It’s perhaps only a coincidence that there’s a famous Chinese saying ‘No one knows, not even the ghosts’ that neatly summarises a recent hack on MiMi, a Chinese messaging app. According to recent reports, a Chinese state-backed hacking group inserted malicious code into this messaging app, essentially pulling off the equivalent of the infamous SolarWinds hack. Users of MiMi were served a version of the app with malicious code added, thanks to attackers taking control of the servers that delivered the app. In short, this was a software supply chain attack in which the software delivery pipeline was compromised.

Observers could be forgiven for thinking that this is just another hack. Chinese hacking groups, and those of Western countries too, have developed a reputation over the past two decades for spying, surveillance, and sabotage. But this attack is different than typical hacking fare because the attackers rode in on the back of a trusted piece of software. This is a software supply chain attack, where the attackers tamper with either source code, the software build system, or the software publishing pipeline, all of which have become essential to the functioning of the world’s digital economy.

Software supply chain attacks have been rapidly growing in frequency. Twenty years ago, there might have been one or two a year. These days, depending on the methodology, there are either hundreds or thousands a year, and that’s only counting the reported attacks. And increasingly anybody who depends upon software (read: everybody) is or shortly will be a victim: the U.S. government, Microsoft, thousands of other companies and, apparently in this MiMi attack, individuals.

https://thediplomat.com/2022/09/a-recent-chinese-hack-is-a-wake-up-call-for-the-security-of-the-worlds-software-supply-chain/

• Massive Hotels Group IHG Struck by Cyber Attack Which Disrupts Booking Systems

InterContinental Hotels Group (IHG), which owns brands such as InterContinental, Crowne Plaza, Holiday Inn, and many others, has had its IT systems breached by malicious hackers.

In a filing with the London Stock Exchange, the multinational hospitality company reported that "parts of the company's technology systems have been subject to unauthorised activity."

As a result, the company said, "IHG's booking channels and other applications have been significantly disrupted since [Monday], and this is ongoing."

The first indication that the company was experiencing problems appeared early on Monday morning UK time, when anyone who tried to book a hotel room via the company's website or app, or access their IHG One Rewards account was greeted by a maintenance message.

Although it has made no declaration regarding the nature of the security breach, in its filing with the London Stock Exchange, IHG mentioned they were "working to fully restore all systems". This would fit into the scenario of IHG having hit been hit with ransomware, which may not only have encrypted data - locking the company out of its systems and demanding a ransom be paid - but could have also caused even more problems.

https://www.bitdefender.com/blog/hotforsecurity/massive-hotels-group-ihg-struck-by-cyberattack-which-disrupts-booking-systems/

• London's Biggest Bus Operator Hit by Cyber "Incident"

Travellers in London were braced for more delays last week after the city’s largest bus operator revealed it has been hit by a “cyber security incident,” according to reports.

Newcastle-based transportation group Go-Ahead shared a statement with the London Stock Exchange indicating “unauthorised activity” had been discovered on its network yesterday.

“Upon becoming aware of the incident, Go-Ahead immediately engaged external forensic specialists and has taken precautionary measures with its IT infrastructure whilst it continues to investigate the nature and extent of the incident and implement its incident response plans,” it stated. “Go-Ahead will continue to assess the potential impact of the incident but confirms that there is no impact on UK or International rail services which are operating normally.”

However, the same may not be true of its bus services. Sky News reported that bus and driver rosters may have been impacted by the attack, which could disrupt operations.

Go-Ahead operates multiple services in the South, South West, London, North West, East Anglia, East Yorkshire and its native North East. It is London’s largest bus company, operating over 2400 buses in the capital and employing more than 7000 staff.

https://www.infosecurity-magazine.com/news/londons-biggest-bus-operator-hit/

Threats

Ransomware and Extortion

• Ransomware remains the number one threat to businesses and government organisations - Help Net Security

• Interpol dismantles sextortion ring, warns of increased attacks (bleepingcomputer.com)

• Play Ransomware Attack Playbook Similar to that of Hive, Nokoyawa (trendmicro.com)

• Ransomware attacks on Linux to surge - Help Net Security

• LockBit gang leads the way for ransomware (techtarget.com)

• Some Members of Conti Group Targeting Ukraine in Financially Motivated Attacks (thehackernews.com)

• How to Improve Mean Time to Detect for Ransomware | SecurityWeek.Com

• Google: Former Conti ransomware members attacking Ukraine (techtarget.com)

• Hackers Are Using NASA Telescope Images To Push Ransomware (informationsecuritybuzz.com)

• Ransomware gang's Cobalt Strike servers DDoSed with anti-Russia messages (bleepingcomputer.com)

• Everything You Need To Know About BlackCat (AlphaV) (darkreading.com)

• Microsoft: Iranian hackers encrypt Windows systems using BitLocker (bleepingcomputer.com)

• Microsoft Warns of Ransomware Attacks by Iranian Phosphorus Hacker Group (thehackernews.com)

• Clarion Housing: Anger over landlord silence since cyber attack - BBC News

• New Ransomware Hits Windows, Linux Servers Of Chile Govt Agency (informationsecuritybuzz.com)

• QNAP warns new Deadbolt ransomware attacks exploiting 0day - Security Affairs

• Second largest U.S. school district LAUSD hit by ransomware (bleepingcomputer.com)

• Windows Defender identified Chromium, Electron apps as Hive Ransomware - Security Affairs

• BlackCat Ransomware Linked to Italy's Energy Services Firm Hack - Infosecurity Magazine (infosecurity-magazine.com)

Phishing & Email Based Attacks

• EvilProxy Commodifies Reverse-Proxy Tactic for Phishing, Bypassing 2FA (darkreading.com)

• Criminals harvest users' PI by impersonating popular brands - Help Net Security

• Lampion malware returns in phishing attacks abusing WeTransfer (bleepingcomputer.com)

• A new phishing scam targets American Express cardholders - Security Affairs

• EvilProxy phishing-as-a-service with MFA bypass emerged on the dark web - Help Net Security

• GIFShell attack creates reverse shell using Microsoft Teams GIFs (bleepingcomputer.com)

Other Social Engineering; Smishing, Vishing, etc

• Defeat social engineering attacks by growing your cyber resilience - Help Net Security

Malware

• Cyber criminals targeting Minecraft fans with malware • The Register

• Next-Gen Linux Malware Takes Over Devices With Unique Tool Set (darkreading.com)

• TeslaGun Primed to Blast a New Wave of Backdoor Cyber attacks (darkreading.com)

• New Linux malware evades detection using multi-stage deployment (bleepingcomputer.com)

• Bumblebee malware adds post-exploitation tool for stealthy infections (bleepingcomputer.com)

• Botnets in the Age of Remote Work (darkreading.com)

• North Korean Hackers Deploying New MagicRAT Malware in Targeted Campaigns (thehackernews.com)

Mobile

• In-app browser security risks, and what to do about them | CSO Online

• Fake Antivirus and Cleaner Apps Caught Installing SharkBot Android Banking Trojan (thehackernews.com)

• SharkBot Malware Resurfaces on Google Play to Steal Users' Credentials - Infosecurity Magazine (infosecurity-magazine.com)

Internet of Things – IoT

• New Stealthy Shikitega Malware Targeting Linux Systems and IoT Devices (thehackernews.com)

Data Breaches/Leaks

• NATO docs sold on darkweb after they were stolen from Portugal - Security Affairs

• Criminals claim they've stolen NATO missile plans • The Register

• TikTok denies data breach following leak of user data - Security Affairs

• IRS mistakenly published confidential info for roughly 120K taxpayers - Security Affairs

• Samsung US Says Customer Data Compromised in July Data Breach | SecurityWeek.Com

• Digital Identity Provider SDK Leaves Hundreds Of Thousands Of Biometric (informationsecuritybuzz.com)

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

• Scammers live-streamed on YouTube a fake Apple crypto event - Security Affairs

• FBI: Crooks are using these DeFi flaws to steal your money | ZDNET

• Feds freeze $30m in cryptocurrency stolen from Axie Infinity • The Register

• New Rules for Crypto Exchanges to Stop Sanctions Evaders - Infosecurity Magazine (infosecurity-magazine.com)

Fraud, Scams & Financial Crime

• 62% of consumers see fraud as an inevitable risk of online shopping - Help Net Security

• Islanders in Jersey lose nearly £400,000 to romance fraud | ITV News Channel

• The Advantages of Threat Intelligence for Combating Fraud | SecurityWeek.Com

AML/CFT/Sanctions

• UK forces crypto exchanges to report suspected sanction breaches | Cryptocurrencies | The Guardian

• US Treasury sanctioned Iran ’s Ministry of Intelligence over Albania cyber attack - Security Affairs

Insurance

• Lloyd’s of London defends cyber insurance exclusion for state-backed attacks | Financial Times (ft.com)

• Global Cyber security Insurance Market Size Expected to Top $32.6 Billion by 2028 - MSSP Alert

• With cyber insurance costs increasing, can smaller firms avoid getting priced out? - Help Net Security

Supply Chain and Third Parties

• Supply chain risk is a top security priority as confidence in partners wanes - Help Net Security

• KeyBank: Hackers of third-party provider stole customer data | The Seattle Times

• Government guide for supply chain security: The good, the bad and the ugly - Help Net Security

Software Supply Chain

• Report Highlights Prevalence of Software Supply Chain Risks (darkreading.com)

Denial of Service DoS/DDoS

• Ransomware gang's Cobalt Strike servers DDoSed with anti-Russia messages (bleepingcomputer.com)

Cloud/SaaS

• Defenders Be Prepared: Cyber attacks Surge Against Linux Amid Cloud Migration (darkreading.com)

• Hybrid Cloud Security Challenges & Solutions (trendmicro.com)

• 3 Critical Steps for Reducing Cloud Risk (darkreading.com)

Identity and Access Management

• There is no secure critical infrastructure without identity-based access - Help Net Security

Encryption

• A Pragmatic Response to the Quantum Threat (darkreading.com)

API

• 6 Top API Security Risks! Favoured Targets for Attackers If Left Unmanaged (thehackernews.com)

• API Security for the Modern Enterprise - IT Security Guru

Open Source

• New Linux malware combines unusual stealth with a full suite of capabilities | Ars Technica

Passwords, Credential Stuffing & Brute Force Attacks

• Are Default Passwords Hiding in Your Active Directory? Here's how to check (bleepingcomputer.com)

• 200,000 North Face accounts hacked in credential stuffing attack (bleepingcomputer.com)

Social Media

• TikTok denies security breach after hackers leak user data, source code (bleepingcomputer.com)

• Facebook Engineers Admit They Don’t Know What They Do With Your Data (vice.com)

• Meta axes Responsible Innovation team charged with addressing ethical problems with Facebook, Instagram, WhatsApp | Fortune

Privacy

• You should know that most websites share your in-site search queries with third parties - Help Net Security

• Meta Fined $400m in Ireland For Children's Privacy Breach - Infosecurity Magazine (infosecurity-magazine.com)

Parental Controls and Child Safety

• Google’s image-scanning illustrates how tech firms can penalise the innocent | John Naughton | The Guardian

Cyber Bullying and Cyber Stalking

• ‘I didn’t want it anywhere near me’: how the Apple AirTag became a gift to stalkers | Apple | The Guardian

Regulations, Fines and Legislation

• Tear up decades-old law to save Britain from hackers, say cyber experts (telegraph.co.uk)

• UK Privacy Regulator Fines Halfords for Spam Deluge - Infosecurity Magazine (infosecurity-magazine.com)

• Meta Fined $400m in Ireland For Children's Privacy Breach - Infosecurity Magazine (infosecurity-magazine.com)

Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine

• Google Details Recent Ukraine Cyber attacks | SecurityWeek.Com

• Ukraine dismantles more bot farms spreading Russian disinformation (bleepingcomputer.com)

• Ukraine is under attack by hacking tools repurposed from Conti cyber crime group | Ars Technica

• Sprawling, multi-year Iranian cyberespionage and surveillance group exposed in new report - CyberScoop

• Iranian APT42 Launched Over 30 Espionage Attacks Against Activists and Dissidents (thehackernews.com)

• Newly discovered cyber spy group targets Asia • The Register

• New Iranian hacking group APT42 deploys custom Android spyware (bleepingcomputer.com)

• Israeli Defence Minister's Cleaner Sentenced for Spying Attempt | SecurityWeek.Com

• An interview with Ukrainian hacker 'Herm1t' on countering pro-Kremlin attacks - The Record by Recorded Future

• Researchers Find New Android Spyware Campaign Targeting Uyghur Community (thehackernews.com)

• Anonymous hacked Yandex taxi causing a traffic jam in Moscow - Security Affairs

Nation State Actors

Nation State Actors – Russia

• Raspberry Robin Malware Connected to Russian Evil Corp Gang (darkreading.com)

Nation State Actors – China

• US bans ‘advanced tech’ firms from building facilities in China for a decade | Technology sector | The Guardian

Nation State Actors – North Korea

• North Korean Hackers Deploying New MagicRAT Malware in Targeted Campaigns (thehackernews.com)

• North Korea's Lazarus Targets Energy Firms With Three RATs | SecurityWeek.Com

Nation State Actors – Iran

• Microsoft: Iranian hackers encrypt Windows systems using BitLocker (bleepingcomputer.com)

• UK condemns Iran for reckless cyber attack against Albania - GOV.UK (www.gov.uk)

• US Treasury sanctioned Iran ’s Ministry of Intelligence over Albania cyber attack - Security Affairs

• NATO Condemns Alleged Iranian Cyber attack on Albania | SecurityWeek.Com

• New Iranian hacking group APT42 deploys custom Android spyware (bleepingcomputer.com)

• Microsoft investigates Iranian attacks against the Albanian government - Microsoft Security Blog

• Microsoft Warns of Ransomware Attacks by Iranian Phosphorus Hacker Group (thehackernews.com)

Nation State Actors – Misc

• Nation-state attacks are a growing threat to video conferencing - Help Net Security

• Use of machine identities is growing in state-sponsored cyber attacks - Help Net Security

Vulnerability Management

• High-profile vulnerabilities encourage organisations to improve security posture - Help Net Security

Vulnerabilities

• CISA adds 12 new flaws to Known Exploited Vulnerabilities Catalog - Security Affairs

• September 2022 Patch Tuesday forecast: No sign of cooling off - Help Net Security

• High-risk ConnectWise Automate vulnerability fixed, admins urged to patch ASAP - Help Net Security

• Hackers Exploit Zero-Day in WordPress BackupBuddy Plugin in ~5 Million Attempts (thehackernews.com)

• Cisco Releases Security Patches for New Vulnerabilities Impacting Multiple Products (thehackernews.com)

• Mirai Variant MooBot Botnet Exploiting D-Link Router Vulnerabilities (thehackernews.com)

• Cisco won’t fix authentication bypass zero-day in EoL routers (bleepingcomputer.com)

• Critical RCE Vulnerability Affects Zyxel NAS Devices — Firmware Patch Released (thehackernews.com)

• Chrome and Edge fix zero-day security hole – update now! – Naked Security (sophos.com)

• Google Patches Sixth Chrome Zero-Day of 2022 | SecurityWeek.Com

• QNAP patches zero-day used in new Deadbolt ransomware attacks (bleepingcomputer.com)

• HP fixes severe bug in pre-installed Support Assistant tool (bleepingcomputer.com)

Other News

• Top 5 Cyber crime Cases in 2022 (techgenix.com)

• The Heartbleed bug: How a flaw in OpenSSL caused a security crisis | CSO Online

• Cyber Security - the More Things Change, the More They Are The Same | SecurityWeek.Com

• CISOs say stress and burnout are their top personal risks (cnbc.com)

• How to deal with unprecedented levels of regulatory change - Help Net Security

Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

·       Automotive

·       Construction

·       Critical National Infrastructure (CNI)

·       Defence & Space

·       Education & Academia

·       Energy & Utilities

·       Estate Agencies

·       Financial Services

·       FinTech

·       Food & Agriculture

·       Gaming & Gambling

·       Government & Public Sector (including Law Enforcement)

·       Health/Medical/Pharma

·       Hotels & Hospitality

·       Insurance

·       Legal

·       Manufacturing

·       Maritime

·       Oil, Gas & Mining

·       OT, ICS, IIoT, SCADA & Cyber-Physical Systems

·       Retail & eCommerce

·       Small and Medium Sized Businesses (SMBs)

·       Startups

·       Telecoms

·       Third Sector & Charities

·       Transport & Aviation

·       Web3

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

• Businesses Urged Not to Give In To Ransomware Cyber Criminals As Authorities See Increase In Payouts

While there have been arguments made for criminalising the payment of ransoms, it poses a number of additional risks such as providing the criminals with an additional factor they could use to extort their victims.

Businesses are being urged not to pay cyber extortionists as authorities say they are seeing evidence of a rise in ransomware payments.

In a joint letter to the Law Society, the National Cyber Security Centre (NCSC) and the Information Commissioner's Office are warning solicitors who may have been advising their clients to pay.

It follows warnings earlier this year by cyber security experts from the UK, US, and Australia of a "growing wave of increasingly sophisticated ransomware attacks" which could have "devastating consequences".

The joint letter states that while ransomware payments are "not unusually unlawful" those who pay them "should be mindful of how relevant sanctions regimes (particularly those related to Russia)" when considering making the payment.

The US sanctioned in December 2019 any financial dealings with a Russian cyber crime group that was accused of working with Russian intelligence to steal classified government documents.

Despite the spillover from the Russian war in Ukraine - in one case knocking 5,800 wind turbines in Germany offline - the NCSC says it has not detected any increase in hostile activity targeting Britain during the conflict.

Businesses however had been warned that there is a heightened threat level when it comes to cyber attacks due to the conflict which is likely to be here "for the long-haul".

https://news.sky.com/story/businesses-urged-not-to-give-in-to-ransomware-cyber-criminals-as-authorities-see-increase-in-payouts-12648253

• People Are the Primary Attack Vector Around the World

With an unprecedented number of employees now working in hybrid or fully remote environments, compounded by an increase in cyber threats and a more overwhelmed, COVID-19 information fatigued workforce, there has never been a more critical time to effectively create and maintain a cyber secure workforce and an engaged security culture.

People have become the primary attack vector for cyber-attackers around the world. Humans, rather than technology, represent the greatest risk to organisations and the professionals who oversee security awareness programs are the key to effectively managing that risk.

Awareness programs enable security teams to effectively manage their human risk by changing how people think about cyber security and help them exhibit secure behaviours, from the Board of Directors on down.

Effective and mature security awareness programs not only change their workforce’s behaviour and culture but also measure and demonstrate their value to leadership via a metrics framework. Organisations can no longer justify an annual training to tick the compliance box, and it remains critical for organisations to dedicate enough personnel, resources, and tools to manage their human risk effectively.

https://www.helpnetsecurity.com/2022/07/05/people-primary-attack-vector/

• Early Detection Crucial in Stopping Business Email Compromise (BEC) Scams

Cofense Intelligence studied hundreds of business email compromise attacks and found that most scams attempt to establish trust with targeted employees over multiple emails.

Avoiding a costly social engineering attack often requires employees to spot suspicious emails before threat actors request sensitive information or access.

Cofense Intelligence published new research Thursday that showed most business email compromise (BEC) scams can be thwarted in their initial stages when the attackers are not asking for money or a transfer of funds. The cyber security vendor analysed hundreds of BEC emails sent to customers during March and April, and engaged with the threat actors in approximately half the cases.

The company found that only 36% of attackers looking to conduct fraud attacks opened with a cordial greeting and request for cash, gift cards or confidential payment information. Most BEC scams, Cofense found, attempt to slowly build up trust over the course of multiple email exchanges with the target and ingratiate them with common phrases like "sorry to bother you."

Once they realise they can get money out of you, they will do everything they can to drain you dry. For many of the scammers, this becomes a literal hustle, where they will quickly pivot to other cash-out methods. Just because something starts as a wire transfer doesn't mean they won't ask you to send cryptocurrency, gift cards, a cheque, or use your personal Venmo or PayPal to wire them money.

https://www.techtarget.com/searchsecurity/news/252522493/Early-detection-crucial-in-stopping-BEC-scams

• 54% of SMBs Do Not Implement Multi-Factor Authentication (MFA)

SMB owners across the globe are still relying only on usernames and passwords to secure critical employee, customer, and partner data, according to the Global Small Business Multi-Factor Authentication (MFA) Study released by the Cyber Readiness Institute (CRI).

Services that enforce MFA require users to present more than one piece of evidence whenever they log in to a business account (e.g., company email, payroll, human resources, etc.).

MFA has been in use for decades and is widely recommended by cyber security experts, yet 55% of SMBs surveyed are not “very aware” of MFA and its security benefits, and 54% do not use it for their business. Of the businesses that have not implemented MFA, 47% noted they either didn’t understand MFA or didn’t see its value. In addition, nearly 60% of small business and medium-sized owners have not discussed MFA with their employees.

Nearly all account compromise attacks can be stopped outright, just by using MFA. It’s a proven, effective way to thwart bad actors.

Of the companies that have implemented some form of MFA, many still seem to have done so haphazardly. Only 39% of those who offer MFA have a process for prioritising critical hardware, software, and data, with 49% merely “encouraging the use of MFA when it is available.”

https://www.helpnetsecurity.com/2022/07/08/smb-implement-mfa/

• New Cyber Threat Emerges from the Inside, Research Report Finds

In its 2022 Insider Risk Intelligence & Research Report, DTEX Systems, a workforce cyber intelligence and security company, identifies a new cyber threat: the “Super Malicious Insider.”

Just what is a Super Malicious Insider and where does it come from? Well, it comes from inside your own organisation or someone who recently worked for you — a threat actor who may be truly of your own making.

“It was the year (2021) we all came to realise the Work-from-Anywhere (WFA) movement was here to stay,” DTEX reports. “For security and risk professionals, this hastened the end of corporate perimeter-centric security, and a requirement to protect hundreds of thousands of ‘remote offices’ outside of traditional corporate controls. To make matters worse, a measurable increase in employee attrition toward the end of 2021 created the perfect storm for insider threats.”

So, if your organisation didn’t observe a proportional increase in attempted or actual data loss, then you were likely not looking, DTEX asserts.

Critically your insiders know your vulnerabilities and can exploit them, for example, when an employee quits to join a competitor, it is often tempting to take proprietary information with them. This can include customer lists, product plans, financial data and other intellectual property.

The Super Malicious Insider is better able to hide their activities, obfuscate data and exfiltrate sensitive information without detection. Importantly, in numerous insider incidents reviewed in 2021, the Super Malicious Insider had made significant efforts to appear normal by not straying outside of their day-to-day routine, DTEX reports.

Here are some key statistics from the report:

• Industrial espionage is at an all-time high. In 2021, 72% of respondents saw an increase in actionable insider threat incidents. IP or data theft led the list at 42% of incidents, followed by unauthorised or accidental disclosure (23%), sabotage (19%), fraud (%) and other (7%). In fact, 42% of all DTEX i3 investigations involved theft of IP or customer data.

• The technology industry (38%), followed by pharma/life sciences (21%), accounted for the most IP theft incidents. In addition, technology (33%) had the most super malicious incidents, followed by critical infrastructure (24%) and government (11%).

• Investigations that led to criminal prosecution occurred within someone’s home 75% of the time. More telling, 32% of malicious incident incidents included sophisticated insider techniques.

https://www.msspalert.com/cybersecurity-research/new-cyberthreat-emerges-from-the-inside-research-report-finds/

• Ransomware: Why It's Still A Big Threat, And Where The Gangs Are Going Next

Ransomware attacks are still lucrative for cyber criminals because victims pay ransoms - and the threat is still evolving.

Ransomware has been a cyber security issue for a long time, but last year it went mainstream. Security threats like malware, ransomware and hacking gangs are always evolving.

Major ransomware attacks like those on Colonial Pipeline, the Irish Healthcare Executive and many others demonstrated how significant the problem had become as cyber attacks disrupted people's lives.

What was once a small cyber-criminal industry based around encrypting files on personal computers and demanding a ransom of a few hundred dollars for a decryption key had evolved into a massive ecosystem designed around holding critical services and infrastructure to ransom - and making extortion demands of millions of dollars.

No wonder Lindy Cameron, head of the UK's National Cyber Security Centre (NCSC), has described ransomware as "the biggest global cyber threat".

Ransomware is continually evolving, with new variants appearing, new ransomware groups emerging, and new techniques and tactics designed to make the most money from attacks.

And as the recent Conti ransomware leaks showed, the most successful ransomware gangs are organised as if they were any other group of software developers.

They are really acting like a business. Aside from the fact they're not legitimately registered, they really are. They're functioning like a real business and sometimes the number of people within these organisations is bigger than some startups. They have shown a lot of resilience and a lot of agility in adapting to what's new.

https://www.zdnet.com/article/ransomware-why-its-still-a-big-threat-and-where-the-gangs-are-going-next/

• NCSC: Prepare for Protracted Period of Heightened Cyber Risk

The UK’s leading cyber security agency has urged organisations to follow best practices and take care of their infosecurity staff in order to weather an extended period of elevated cyber risk due to the ongoing war in Ukraine.

The National Cyber Security Centre (NCSC) guide, Maintaining A Sustainable Strengthened Cyber Security Posture, comes on the back of warnings that organisations must “prepare for the long haul” as the conflict enters its fifth month.

Alongside basic hygiene controls, the strengthening of cyber-resilience and revisiting of risk-based decisions made in the earlier acute phase of the war, organisations should pay special attention to their security staff, the NCSC said.

“Increased workloads for cyber security staff over an extended period can harm their wellbeing and lead to lower productivity, with a potential rise in unsafe behaviours or errors,” it said.

With this in mind, the guide highlighted several steps IT security managers should consider:

• Empower staff to make decisions in order to improve agility and free-up leaders to focus on medium-term priorities

• Spread workloads evenly across a wider pool of staff to reduce the risk of burnout and enable less experienced employees to benefit from development opportunities

• Provide opportunities for staff to recharge through more frequent breaks and time away from the office, as well as work on less pressured tasks

• Look after each other by watching for signs that colleagues are struggling and ensuring they always have the right resources to hand

• Engage the entire workforce with the right internal communications processes, and support so that all staff are able to identify and report suspicious behaviour

https://www.infosecurity-magazine.com/news/ncsc-prepare-cyber-risk/

• 69% Of Employees Need to Deal with More Security Measures In A Hybrid Work Environment

Security firm Ivanti worked with global digital transformation experts and surveyed 10,000 office workers, IT professionals, and the C-Suite to evaluate the level of prioritisation and adoption of digital employee experience in organisations and how it shapes the daily working experiences for employees. The report revealed that 49% of employees are frustrated by the tech and tools their organisation provides and 64% believe that the way they interact with technology directly impacts morale.

One of the biggest challenges facing IT leaders today is the need to enable a seamless end user experience while maintaining robust security. The challenge becomes more complex when there is pressure from the top to bypass security measures, with 49% of C-level executives reporting they have requested to bypass one or more security measures in the last year.

Maintaining a secure environment and focusing on the digital employee experience are two inseparable elements of any digital transformation. In the war for talent a key differentiator for organisations is providing an exceptional and secure digital experience. Ivanti, a cyber security software provider, says “We believe that organisations not prioritising how their employees experience technology is a contributing factor for the Great Resignation”.

https://www.helpnetsecurity.com/2022/07/04/security-measures-hybrid-work-environment/

• FBI and MI5 Leaders Give Unprecedented Joint Warning on Chinese Spying

The head of the FBI and the leader of Britain’s domestic intelligence agency have delivered an unprecedented joint address, raising fresh alarm about the Chinese government, warning business leaders that Beijing is determined to steal their technology for competitive gain.

In a speech at MI5’s London headquarters intended as a show of western solidarity, Christopher Wray, the FBI director, stood alongside the MI5 director general, Ken McCallum. Wray reaffirmed longstanding concerns about economic espionage and hacking operations by China, as well as the Chinese government’s efforts to stifle dissent abroad.

“We consistently see that it’s the Chinese government that poses the biggest long-term threat to our economic and national security, and by ‘our’, I mean both of our nations, along with our allies in Europe and elsewhere,” Wray said.

He told the audience the Chinese government was “set on stealing your technology, whatever it is that makes your industry tick, and using it to undercut your business and dominate your market”.

Ken McCallum said MI5 was running seven times as many investigations into China as it had been four years ago and planned to “grow as much again” to tackle the widespread attempts at inference which pervade “so many aspects of our national life”.

https://www.theguardian.com/world/2022/jul/06/fbi-mi5-china-spying-cyberattacks-business-economy

• As Cyber Criminals Recycle Ransomware, They're Getting Faster

Like history, ransomware repeats itself. Researchers recently encountered a new variant of a ransomware campaign and observed that it has been improving itself by reusing code from publicly available sources.

Nokoyawa is a new ransomware for Windows that first appeared at the beginning of this year. The first samples found by researchers were gathered in February 2022 and contain significant coding similarities with other older ransomware strains, some going back to 2019.

These new variants had been improving themselves by reusing code from publicly available sources. The April 2022 samples include three new features that increase the number of files that Nokoyawa can encrypt. These features already existed in recent ransomware families, and their addition just indicates that Nokoyawa developers are trying to match pace with other operators in terms of technological capability.

https://www.securityweek.com/cybercriminals-recycle-ransomware-theyre-getting-faster

• UK Military Investigates Hacks on Army Social Media Accounts

British military authorities are trying to find out who hacked the army’s social media accounts over the weekend, flooding them with cryptocurrency videos and posts related to collectible electronic art.

The investigation was launched after authorised content on the army’s YouTube account was replaced with a video feed promoting cryptocurrencies that included images of billionaire Elon Musk. The Army’s Twitter account retweeted a number of posts about non-fungible tokens, unique digital images that can be bought and sold but have no physical counterpart.

“Apologies for the temporary interruption to our feed,” the Army said in a tweet posted after the Twitter account was restored on Sunday. “We will conduct a full investigation and learn from this incident. Thanks for following us, and normal service will now resume.”

The Ministry of Defence said late Sunday that both breaches had been “resolved.”

While internet users were unable to access the Army’s YouTube site on Monday, a spokesperson said the site was down for standard maintenance. The Twitter feed was operating normally.

Although U.K. officials have previously raised concerns about state-sponsored Russian hacking, the military did not speculate on who was responsible for Sunday’s breaches.

“The Army takes information security extremely seriously, and until their investigation is complete it would be inappropriate to comment further,” the Ministry of Defence said.

https://www.securityweek.com/uk-military-investigates-hacks-army-social-media-accounts

Campaign Targeting SOHO Routers Highlights Risks to Remote Workers

A targeted attack campaign has been compromising small office/home office (SOHO) routers since late 2020, with the goal of hijacking network communications and infecting local computers with stealthy and sophisticated backdoors. Attacks against home routers are not new, but the implants used by attackers in this case were designed for local network reconnaissance and lateral movement instead of just abusing the router itself.

"The rapid shift to remote work in spring of 2020 presented a fresh opportunity for threat actors to subvert traditional defence-in-depth protections by targeting the weakest points of the new network perimeter - devices that are routinely purchased by consumers but rarely monitored or patched - small office/home office (SOHO) routers," researchers from Black Lotus Labs, the threat intelligence arm of telecommunications company Lumen Technologies said in a recent report.

https://www.csoonline.com/article/3665912/apt-campaign-targeting-soho-routers-highlights-risks-to-remote-workers.html#tk.rss_news

Threats

Ransomware

• Lawyers Urged to Stop Advising Clients to Pay Ransomware Demands - Infosecurity Magazine

• Ransomware in 2022: Evolving threats, slow progress (techtarget.com)

• AstraLocker ransomware closes doors to pursue cryptojacking • The Register

• Ransomware gangs are feeling the crypto winter's impact | TechSpot

• LockBit explained: How it has become the most popular ransomware | CSO Online

• Hive ransomware gang turns to Rust, more complex encryption • The Register

• New RedAlert Ransomware targets Windows, Linux VMware ESXi servers (bleepingcomputer.com)

• Ransomware, hacking groups move from Cobalt Strike to Brute Ratel (bleepingcomputer.com)

• North Korean ransomware dubbed Maui active since May 2021 • The Register

• Hive Ransomware Upgrades to Rust for More Sophisticated Encryption Method (thehackernews.com)

• Ransomware, hacking groups move from Cobalt Strike to Brute Ratel (bleepingcomputer.com)

• New 'HavanaCrypt' Ransomware Distributed as Fake Google Software Update | SecurityWeek.Com

• As New Clues Emerges, Experts Wonder: Is REvil Back? (thehackernews.com)

• Researchers Detail Techniques LockBit Ransomware Using to Infect its Targets (thehackernews.com)

• New 0mega ransomware targets businesses in double-extortion attacks (bleepingcomputer.com)

• Feds wave red flag over Maui ransomware | CSO Online

• Evolution of the LockBit Ransomware operation relies on new techniques - Security Affairs

• AstraLocker ransomware shuts down and releases decryptors (bleepingcomputer.com)

• QNAP warns of new Checkmate ransomware targeting NAS devices (bleepingcomputer.com)

• Quantum ransomware attack affects 657 healthcare orgs (bleepingcomputer.com)

• How Conti ransomware group crippled Costa Rica — then fell apart | Financial Times (ft.com)

• Researchers Detail Techniques LockBit Ransomware Using to Infect its Targets (thehackernews.com)

• EternalBlue 5 years after WannaCry and NotPetya - SANS Internet Storm Center

Phishing & Email Based Attacks

• Fake copyright complaints push IcedID malware using Yandex Forms (bleepingcomputer.com)

• Spear Phishing Fake Job Offer Likely Behind Axie Infinity's Lazarus $600m Hack - Infosecurity Magazine (infosecurity-magazine.com)

Malware

• Hackers Exploiting Follina Bug to Deploy Rozena Backdoor (thehackernews.com)

• Dangerous new malware dances past more than 50 antivirus services | TechRadar

• Raspberry Robin campaign leverages compromised QNAP devicesSecurity Affairs

• Malware knocks IT services vendor SHI offline • The Register

• Near-undetectable malware linked to Russia's Cozy Bear • The Register

• New stealthy OrBit malware steals data from Linux devices (bleepingcomputer.com)

• Hackers are using YouTube videos to trick people into installing malware | TechRadar

Mobile

• This WhatsApp scam promises big, but just sends you into a spiral | ZDNet

• Android malware subscribes you to premium services without you knowing - GSMArena.com news

• Free smartphone stalkerware detection tool gets dedicated hub (bleepingcomputer.com)

• Four more apps that infected thousands of Android devices with malware removed from Google Play store | ZDNet

• Apple Debuts Spyware Protection for State-Sponsored Cyber Attacks (darkreading.com)

Internet of Things – IoT

• Vulnerability allows hackers to unlock and start Honda cars remotely | TechSpot

Data Breaches/Leaks

• Marriott Data Breach Exposes PII, Credit Cards (darkreading.com)

• Aon Hack Exposed Sensitive Information of 146,000 Customers - Infosecurity Magazine

• Hackers Claim to Have Stolen Police Data in China’s Largest Cyber Security Breach - Bloomberg

• Human Error Blamed for Leak of 1 Billion Records of Chinese Citizens | Threatpost

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

• Ransomware gangs are feeling the crypto winter's impact | TechSpot

• AstraLocker ransomware closes doors to pursue cryptojacking • The Register

• Hackers are using YouTube videos to trick people into installing malware | TechRadar

• PennyWise crypto-stealing malware spreads through YouTube (cointelegraph.com)

• US urges Japan to step up pressure on crypto miners with links to Russia | Financial Times (ft.com)

• Large-scale cryptomining campaign is targeting the NPM repositorySecurity Affairs

• ECB to warn eurozone countries over crypto regulation | Financial Times (ft.com)

• Microsoft Issue Updated Warning Against Known Cloud Threat Actor Group - IT Security Guru

Insider Risk and Insider Threats

• Human Error Blamed for Leak of 1 Billion Records of Chinese Citizens | Threatpost

• HackerOne incident raises concerns for insider threats (techtarget.com)

Fraud, Scams & Financial Crime

• Ukrainian police takes down phishing gang behind payments scam | ZDNet

Supply Chain and Third Parties

• Applying Shift Left principles to third party risk management - Help Net Security

Software Supply Chain

• NPM supply-chain attack impacts hundreds of websites and apps (bleepingcomputer.com)

Cloud/SaaS

• Microsoft Issue Updated Warning Against Known Cloud Threat Actor Group - IT Security Guru

• Cloud Misconfig Exposes 3TB of Sensitive Airport Data in Amazon S3 Bucket: 'Lives at Stake' (darkreading.com)

• What Do All of Those Cloud Cyber Security Acronyms Mean? (darkreading.com)

Identity and Access Management

• 6 signs your IAM strategy is failing, and how to fix it | CSO Online

Asset Management

• How a cyber asset management strategy can help enterprises detect threats - Help Net Security

Encryption

• Encryption is high up on corporate priority lists - Help Net Security

• Quantum-resistant encryption recommended for standardization • The Register

• The threat of quantum computing to sensitive data - Help Net Security

• Inside NIST's 4 Crypto Algorithms for a Post-Quantum World (darkreading.com)

• End-to-end encryption’s central role in modern self-defence | Ars Technica

API

• Why your API gateway is not enough for API security? - Help Net Security

Open Source

• Researchers Warn of New OrBit Linux Malware That Hijacks Execution Flow (thehackernews.com)

Social Media

• British Army Cyber Attack Reminds Businesses That Social Media Accounts Are Prime Targets (informationsecuritybuzz.com)

• Limp Facebook Policies – Do They Ignore Suffering And Crime! (informationsecuritybuzz.com)

Digital Transformation

• Cyber security is driving digital transformation in alternative investment institutions - Help Net Security

Travel

• Marriott suffered a new data breach, attackers stole 20GB of data - Security Affairs

Cyber Bullying and Cyber Stalking

• Free smartphone stalkerware detection tool gets dedicated hub (bleepingcomputer.com)

Regulations, Fines and Legislation

• ICO Set to Scale Back Public Sector Fines - Infosecurity Magazine

• ECB to warn eurozone countries over crypto regulation | Financial Times (ft.com)

• Wegmans hit with $400,000 data-breach penalty (democratandchronicle.com)

Models, Frameworks and Standards

• PCI DSS 4.0 released, addresses emerging threats and technologies - Help Net Security

Law Enforcement Action and Take Downs

• Ukrainian police takes down phishing gang behind payments scam | ZDNet

Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine

• Apple's New "Lockdown Mode" Protects iPhone, iPad, and Mac Against Spyware (thehackernews.com)

• Pro-Kremlin hackers Killnet hit Latvia with biggest cyber attack in its history | World | The Times

• TrickBot Gang Shifted its Focus on "Systematically" Targeting Ukraine (thehackernews.com)

• UK to combat Russia’s ‘hostile online warfare’ by forcing internet firms to remove disinformation | TechCrunch

• NATO Announce Plans to Develop Cyber Rapid Response Capabilities - IT Security Guru

• FBI and MI5 bosses: China cheats and steals at massive scale • The Register

• Hackers linked to the Chinese government increasingly target Russia, analysis suggests - CyberScoop

• In Switch, Trickbot Group Now Attacking Ukrainian Targets (darkreading.com)

• Apple Debuts Spyware Protection for State-Sponsored Cyber Attacks (darkreading.com)

Nation State Actors

Nation State Actors – Russia

• Russian Info Ops Ramp Up Effort to Divide West on Ukraine - Infosecurity Magazine

• Near-undetectable malware linked to Russia's Cozy Bear • The Register

Nation State Actors – China

• US and UK intelligence chiefs call for vigilance on China’s industrial spies | Financial Times (ft.com)

• China Censors What Could Be Biggest Data Hack in History (gizmodo.com)

• Hackers linked to the Chinese government increasingly target Russia, analysis suggests - CyberScoop

• China’s Cabinet Stresses Cyber Security After Data Leak - Bloomberg

• Security warning after sale of stolen Chinese data - BBC News

• Five accused of trying to silence China critics in US • The Register

• 50 Chinese students leave UK in three years after spy chiefs’ warning | Espionage | The Guardian

• More UK calls for ban of CCTV makers Hikvision, Dahua • The Register

Nation State Actors – North Korea

• Russian information operations focus on dividing Western coalition supporting Ukraine - CyberScoop

• North Korean ransomware dubbed Maui active since May 2021 • The Register

• Feds wave red flag over Maui ransomware | CSO Online

• Spear Phishing Fake Job Offer Likely Behind Axie Infinity's Lazarus $600m Hack - Infosecurity Magazine (infosecurity-magazine.com)

Nation State Actors – Iran

• Hacktivists claiming attack on Iranian steel facilities dump tranche of 'top secret documents' - CyberScoop

• Latest Cyber Attack Against Iran Part of Ongoing Campaign | Threatpost

Vulnerability Management

• Google: Half of zero-day exploits linked to poor software fixes | ZDNet

• Why Browser Vulnerabilities Are a Serious Threat — and How to Minimize Your Risk (darkreading.com)

Vulnerabilities

• Cisco and Fortinet Release Security Patches for Multiple Products (thehackernews.com)

• Google Patches Actively Exploited Chrome Bug | Threatpost

• OpenSSL version 3.0.5 fixes a flaw that could potentially lead to RCE - Security Affairs

• Apache “Commons Configuration” patches Log4Shell-style bug – what you need to know – Naked Security (sophos.com)

• Cisco fixed a critical arbitrary File Overwrite flaw in Enterprise Communication solutions - Security Affairs

• Cisco Releases 10 Security Patches For Expressway Series and TelePresence VCS Products - Infosecurity Magazine

• Django fixes SQL Injection vulnerability in new releases (bleepingcomputer.com)

• Google fixes the fourth Chrome zero-day in 2022 - Security Affairs - Security Affairs

• Tens of Jenkins plugins are affected by zero-day vulnerabilities - Security Affairs

• OpenSSL fixes two “one-liner” crypto bugs – what you need to know – Naked Security (sophos.com)

• Fortinet addressed multiple vulnerabilities in several products - Security Affairs

• There’s a Nasty Security Hole in the Apache Webserver – The New Stack

Sector Specific

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

We currently provide tailored threat intelligence based on the following sectors, additional sectors by arrangement:

• Automotive

• Construction

• Critical National Infrastructure (CNI)

• Defence & Space

• Education & Academia

• Energy & Utilities

• Estate Agencies

• Financial Services

• FinTech

• Food & Agriculture

• Gaming & Gambling

• Government & Public Sector (including Law Enforcement)

• Health/Medical/Pharma

• Hotels & Hospitality

• Insurance

• Legal

• Manufacturing

• Maritime

• Oil, Gas & Mining

• OT, ICS, IIoT, SCADA & Cyber-Physical Systems

• Retail & eCommerce

• Small and Medium Sized Businesses (SMBs)

• Startups

• Telecoms

• Third Sector & Charities

• Transport & Aviation

• Web3

Other News

• These are the cyber security threats of tomorrow that you should be thinking about today | ZDNet

• Rising threats spark scramble for cyber workers | The Hill

• Why Browser Vulnerabilities Are a Serious Threat — and How to Minimize Your Risk (darkreading.com)

• Microsoft rolls back plan to block macros by default • Graham Cluley

• Attacker groups adopt new penetration testing tool Brute Ratel | CSO Online

• Security tester says he broke into datacenter via toilets • The Register

• SQL injection, XSS vulnerabilities continue to plague organisations | CSO Online

• Endless cyber-threat pressure could leave security staff burnt out. Here's what you need to change | ZDNet

• Top 7 types of data security technology (techtarget.com)

• Imagination is key to effective data loss prevention - Help Net Security

• The Age of Collaborative Security: What Tens of Thousands of Machines Witness (thehackernews.com)

• Maintaining a sustainable strengthened cyber security posture - NCSC.GOV.UK

• Hacking the Crypto-Monetized Web (trendmicro.com)

• Reflections Of A Former Hacker: How Leaders Can Protect Their Business From Cyber Threats (forbes.com)

• Zero Trust Bolsters Our National Defence Against Rising Cyber Threats (darkreading.com)

• Security advisory accidentally exposes vulnerable systems (bleepingcomputer.com)

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.