Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

• Quarter of UK SMBs Hit by Ransomware in 2022

Over one in four (26%) British SMBs have been targeted by ransomware over the past year, with half (47%) of those compromised paying their extorters, according to new data from anti-virus provider Avast. The security vendor polled 1000 IT decision makers from UK SMBs back in October, to better understand the risk landscape over the previous 12 months.

More than two-thirds (68%) of respondents said they are more concerned about being attacked since the start of the war in Ukraine, fuelling concerns that have led to half (50%) investing in cyber-insurance. They’re wise to do so, considering that 41% of those hit by ransomware lost data, while 34% lost access to devices, according to Avast.

Given that SMBs comprise over 99% of private sector businesses in the country, it’s reassuring that cyber is now being viewed as a major business risk. Nearly half (48%) ranked it as one of the biggest threats they currently face, versus 66% who cited financial risk stemming from surging operational cost. More respondents cited cyber as a top threat than did physical security (35%) and supply chain disruption (33%).

Avast argued that SMBs are among the groups most vulnerable to cyber-threats as they often have very limited budget and resources, and many don’t have somebody on staff managing security holistically. As a result, not only are SMB’s lacking in their defence, but they’re also slower and less able to react to incidents.

https://www.infosecurity-magazine.com/news/quarter-of-uk-smbs-hit-ransomware/

• Global Cyber Attack Volume Surges 38% in 2022

The number of cyber attacks recorded last year was nearly two-fifths (38%) greater than the total volume observed in 2021, according to Check Point.

The security vendor claimed the increase was largely due to a surge in attacks on healthcare organisations, which saw the largest year-on-year (YoY) increase (74%), and the activities of smaller, more agile hacking groups.

Overall, attacks reached an all-time high in Q4 with an average of 1168 weekly attacks per organisation. The average weekly figures for the year were highest for education sector organisations (2314), government and military (1661) and healthcare (1463).

Threat actors appear to have capitalised on gaps in security created by the shift to remote working. The ransomware ecosystem is continuing to evolve and grow with smaller, more agile criminal groups that form to evade law enforcement. Hackers are also now increasingly widening their aim to target business collaboration tools such as Slack, Teams, OneDrive and Google Drive with phishing exploits. These make for a rich source of sensitive data given that most organisations’ employees continue to work remotely.

It is predicted that AI tools like ChatGPT would help to fuel a continued surge in attacks in 2023 by making it quicker and easier for bad actors to generate malicious code and emails.

Recorded cyber-attacks on US organisations grew 57% YoY in 2022, while the figure was even higher in the UK (77%). This chimes with data from UK ISP Beaming, which found that 2022 was the busiest year on record for attacks. It recorded 687,489 attempts to breach UK businesses in 2022 – the equivalent of one attack every 46 seconds.

https://www.infosecurity-magazine.com/news/global-cyberattack-volume-surges/

• 1 in 3 Organisations Do Not Provide Any Cyber Security Training to Remote Workers Despite the Majority of Employees Having Access to Critical Data

New research from cyber security provider Hornetsecurity has found that 33% of companies are not providing any cyber security awareness training to users who work remotely.

The study also revealed nearly three-quarters (74%) of remote staff have access to critical data, which is creating more risk for companies in the new hybrid working world.

Despite the current lack of training and employees feeling ill-equipped, almost half (44%) of respondents said their organisation plans to increase the percentage of employees that work remotely. The popularity of hybrid work, and the associated risks, means that companies must prioritise training and education to make remote working safe.

Traditional methods of controlling and securing company data aren't as effective when employees are working in remote locations and greater responsibility falls on the individual. Companies must acknowledge the unique risks associated with remote work and activate relevant security management systems, as well as empower employees to deal with a certain level of risk.

The independent survey, which quizzed 925 IT professionals from a range of business types and sizes globally, highlighted the security management challenges and employee cyber security risk when working remotely. The research revealed two core problems causing risk: employees having access to critical data, and not enough training being provided on how to manage cyber security or how to reduce the risk of a cyber-attack or breach.

https://www.darkreading.com/vulnerabilities-threats/1-in-3-organizations-do-not-provide-any-cybersecurity-training-to-remote-workers-despite-a-majority-of-employees-having-access-to-critical-data

• AI-Generated Phishing Attacks Are Becoming More Convincing

It's time for you and your colleagues to become more sceptical about what you read.

That's a takeaway from a series of experiments undertaken using GPT-3 AI text-generating interfaces to create malicious messages designed to spear-phish, scam, harass, and spread fake news.

Experts at WithSecure have described their investigations into just how easy it is to automate the creation of credible yet malicious content at incredible speed. Amongst the use cases explored by the research were the use of GPT-3 models to create:

• Phishing content – emails or messages designed to trick a user into opening a malicious attachment or visiting a malicious link

• Social opposition – social media messages designed to troll and harass individuals or to cause brand damage

• Social validation – social media messages designed to advertise or sell, or to legitimise a scam

• Fake news – research into how well GPT-3 can generate convincing fake news articles of events that weren’t part of its training set

All of these could, of course, be useful to cyber criminals hell-bent on scamming the unwary or spreading unrest.

https://www.tripwire.com/state-of-security/ai-generated-phishing-attacks-are-becoming-more-convincing

• Customer and Employee Data the Top Prize for Hackers

The theft of customer and employee data accounts for almost half (45%) of all stolen data between July 2021 and June 2022, according to a new report from cyber security solution provider Imperva.

The data is part of a 12-month analysis by Imperva Threat Research on the trends and threats related to data security in its report “More Lessons Learned from Analysing 100 Data Breaches”.

Their analysis found that theft of credit card information and password details dropped by 64% compared to 2021. The decline in stolen credit card and password data pointing to the uptake of basic security tactics like multi-factor authentication (MFA). However, in the long term, PII data is the most valuable data to cyber-criminals. With enough stolen PII, they can engage in full-on identity theft which is hugely profitable and very difficult to prevent. Credit cards and passwords can be changed the second there is a breach, but when PII is stolen, it can be years before it is weaponised by hackers.

The research also revealed the root causes of data breaches, with social engineering (17%) and unsecured databases (15%) two of the biggest culprits. Misconfigured applications were only responsible for 2% of data breaches, but Imperva said that businesses should expect this figure to rise in the near future, particularly with cloud-managed infrastructure where configuring for security requires significant expertise.

It’s really concerning that a third (32%) of data breaches are down to unsecured databases and social engineering attacks, since they’re both straightforward to mitigate. A publicly open database dramatically increases the risk of a breach and, all too often, they are left like this not out of a failure of security practices but rather the total absence of any security posture at all.

https://www.infosecurity-magazine.com/news/customer-employee-data-hackers/

• Royal Mail hit by Ransomware Attack, Causes ‘Severe Disruption’ to Services

Royal Mail experienced “severe service disruption” to its international export services following a ransomware attack, the company has announced. A statement said it was temporarily unable to despatch export items including letters and parcels to overseas destinations.

Royal Mail said: “We have asked customers temporarily to stop submitting any export items into the network while we work hard to resolve the issue” and advising that “Some customers may experience delay or disruption to items already shipped for export.”

The attack was later attributed to LockBit, a prolific ransomware gang with close ties to Russia. Both the NCSC and the NCA were involved in responding to the incident.

https://www.independent.co.uk/business/royal-mail-cyber-attack-exports-b2260308.html

• The Guardian Confirms Personal Information Compromised in Ransomware Attack

British news organisation The Guardian has confirmed that personal information was compromised in a ransomware attack in December 2022.

The company fell victim to the attack just days before Christmas, when it instructed staff to work from home, announcing network disruptions that mostly impacted the print newspaper.

Right from the start, the Guardian said it suspected ransomware to have been involved in the incident, and this week the company confirmed that this was indeed the case. In an email to staff on Wednesday, The Guardian Media Group’s chief executive and the Guardian’s editor-in-chief said that the sophisticated cyber attack was likely the result of phishing.

They also announced that the personal information of UK staff members was compromised in the attack, but said that reader data and the information of US and Australia staff was not impacted. “We have seen no evidence that any data has been exposed online thus far and we continue to monitor this very closely,” the Guardian representatives said. While the attack forced the Guardian staff to work from home, online publishing has been unaffected, and production of daily newspapers has continued as well.

“We believe this was a criminal ransomware attack, and not the specific targeting of the Guardian as a media organisation,” the Guardian said.

The company continues to work on recovery and estimates that critical systems would be restored in the next two weeks. Staff, however, will continue to work from home until at least early February. “These attacks have become more frequent and sophisticated in the past three years, against organisations of all sizes, and kinds, in all countries,” the Guardian said.

https://www.securityweek.com/guardian-confirms-personal-information-compromised-ransomware-attack

• Ransomware Gang Releases Info Stolen from 14 UK Schools, Including Passport Scans

Another month, another release of personal information stolen from a school system. This time, it's a group of 14 schools in the United Kingdom.

Once again, the perpetrator appears to be Vice Society, which is well known for targeting educational systems in the US. As the Cybersecurity and Infrastructure Security Agency (CISA) pointed out in a bulletin from Sept. 6, "K-12 institutions may be seen as particularly lucrative targets due to the amount of sensitive student data accessible through school systems or their managed service providers."

The UK hack may have turned up even more confidential information than the Los Angeles school system breach last year. As the BBC reported on Jan. 6, "One folder marked 'passports' contains passport scans for pupils and parents on school trips going back to 2011, whereas another marked 'contract' contains contractual offers made to staff alongside teaching documents on muscle contractions."

Some prominent school cyber attacks in the US include public school districts in Chicago, Baltimore, and Los Angeles. A new study from digital learning platform Clever claims that one in four schools experienced a cyber-incident over the past year, and according to a new report from security software vendor Emsisoft, at least 45 school districts and 44 higher learning institutions suffered ransomware attacks in 2022.

Schools are an attractive target as they are typically data-rich and resource-poor. Without proper resources in terms of dedicated staffing and the necessary tools and training to protect against cyber-attacks, schools can be a soft target. Many of the 14 schools hit by this latest leak are colleges and universities, but primary and secondary schools were also hit, according to the BBC's list.

https://www.darkreading.com/attacks-breaches/vice-society-releases-info-stolen-uk-schools-passport-scans

• The Dark Web’s Criminal Minds See Internet of Things as Next Big Hacking Prize

Cyber security experts say 2022 may have marked an inflection point due to the rapid proliferation of IoT (Internet of Things) devices.

Criminal groups buy and sell services, and one hot idea — a business model for a crime — can take off quickly when they realise that it works to do damage or to get people to pay. Attacks are evolving from those that shut down computers or stole data, to include those that could more directly wreak havoc on everyday life. IoT devices can be the entry points for attacks on parts of countries’ critical infrastructure, like electrical grids or pipelines, or they can be the specific targets of criminals, as in the case of cars or medical devices that contain software.

For the past decade, manufacturers, software companies and consumers have been rushing to the promise of Internet of Things devices. Now there are an estimated 17 billion in the world, from printers to garage door openers, each one packed with software (some of it open-source software) that can be easily hacked.

What many experts are anticipating is the day enterprising criminals or hackers affiliated with a nation-state figure out an easy-to-replicate scheme using IoT devices at scale. A group of criminals, perhaps connected to a foreign government, could figure out how to take control of many things at once – like cars, or medical devices. There have already been large-scale attacks using IoT, in the form of IoT botnets. In that case, actors leveraging unpatched vulnerabilities in IoT devices used control of those devices to carry out denial of service attacks against many targets. Those vulnerabilities are found regularly in ubiquitous products that are rarely updated.

In other words, the possibility already exists. It’s only a question of when a criminal or a nation decides to act in a way that targets the physical world at a large scale. There are a handful of companies, new regulatory approaches, a growing focus on cars as a particularly important area, and a new movement within the software engineering world to do a better job of incorporating cyber security from the beginning.

https://www.cnbc.com/2023/01/09/the-dark-webs-criminal-minds-see-iot-as-the-next-big-hacking-prize.html

• Corrupted File to Blame for Computer Glitch which Grounded Every US Flight

A corrupted file has been blamed for a glitch on the Federal Aviation Administration's computer system which saw every flight grounded across the US.

All outbound flights were grounded until around 9am Eastern Time (2pm GMT) on Wednesday as the FAA worked to restore its Notice to Air Missions (NOTAM) system, which alerts pilots of potential hazards along a flight route.

On Wednesday 4,948 flights within, into or out of the US had been delayed, according to flight tracker FlightAware.com, while 868 had been cancelled. Most delays were concentrated along the East Coast. Normal air traffic operations resumed gradually across the US following the outage to the NOTAM system that provides safety information to flight crews.

A corrupted file affected both the primary and the backup systems, a senior government official told NBC News on Wednesday night, adding that officials continue to investigate. Whilst Government officials said there was no evidence of a cyber attack, it shows the real world impacts that an outage or corrupted file can cause.

https://news.sky.com/story/all-flights-across-us-grounded-due-to-faa-computer-system-glitch-us-media-12784252

Threats

Ransomware, Extortion and Destructive Attacks

• Royal Mail unable to despatch items abroad after 'cyber incident' | UK News | Sky News

• Lorenz ransomware gang plants backdoors to use months later (bleepingcomputer.com)

• Quarter of UK SMBs Hit by Ransomware in 2022 - Infosecurity Magazine (infosecurity-magazine.com)

• Worldwide Ransomware Attacks Trend (informationsecuritybuzz.com)

• LastPass Faces Class-Action Lawsuit Over Password Vault Breach (pcmag.com)

• 10 of the biggest ransomware attacks of 2022 | TechTarget

• Rackspace: Ransomware actor accessed 27 customers' data | TechTarget

• Hackers demand £15 million ransom from Hull and Yorkshire schools after cyber attack - Hull Live (hulldailymail.co.uk)

• Rackspace Ransomware Incident Highlights Risks of Relying on Mitigation Alone (darkreading.com)

• Risk & Repeat: Analysing the Rackspace ransomware attack | TechTarget

• Guardian confirms it was hit by ransomware attack | The Guardian | The Guardian

• Post-ransomware attack, The Guardian warns staff their personal data was accessed • Graham Cluley

• The Guardian Confirms Personal Information Compromised in Ransomware Attack | SecurityWeek.Com

• Royal Mail cyber attack linked to LockBit ransomware operation (bleepingcomputer.com)

• The Guardian Confirms UK Members' Data Was Accessed in Ransomware Attack - Infosecurity Magazine (infosecurity-magazine.com)

• Hive Ransomware leaked 550 GB stolen from Consulate Health Care - Security Affairs

• Iowa’s largest school district cancels classes after cyber attack (bleepingcomputer.com)

• Hackers leak sensitive files after attack on San Francisco transit police (nbcnews.com)

• Vice Society ransomware claims attack on Australian firefighting service (bleepingcomputer.com)

• Ransomware attack at Hope Sentamu Learning Trust in York | York Press

Phishing & Email Based Attacks

• AI-generated phishing emails just got much more convincing • The Register

• Better Phishing, Easy Malicious Implants: How AI Could Change Cyber attacks (darkreading.com)

• AI-generated phishing attacks are becoming more convincing | Tripwire

• Twitter Data Leak: What the Exposure of 200 Million User Emails Means for You | WIRED

• New APT Dark Pink Hits Asia-Pacific, Europe With Spear Phishing Tactics - Infosecurity Magazine (infosecurity-magazine.com)

• Telegram Bot Abuse For Phishing Increased By 800% in 2022 - Infosecurity Magazine (infosecurity-magazine.com)

• Phishing campaign targets government institution in Moldova - Security Affairs

Malware

• Better Phishing, Easy Malicious Implants: How AI Could Change Cyber attacks (darkreading.com)

• Turla, a Russian Espionage Group, Piggybacked on Other Hackers' USB Infections | WIRED

• ChatGPT Used to Develop New Malicious Tools - Infosecurity Magazine (infosecurity-magazine.com)

• Russia’s Turla falls back on old malware C2 domains to avoid detection | Computer Weekly

• Many of 13 New Mac Malware Families Discovered in 2022 Linked to China | SecurityWeek.Com

• Dridex Malware Now Attacking macOS Systems with Novel Infection Method (thehackernews.com)

• New Spyware Variant with RAT Capabilities Targeting Financial Institutions, Social Media - MSSP Alert

• Over 1,300 fake AnyDesk sites push Vidar info-stealing malware (bleepingcomputer.com)

• Attackers abuse business-critical cloud apps to deliver malware - Help Net Security

• New Analysis Reveals Raspberry Robin Can be Repurposed by Other Threat Actors (thehackernews.com)

• 6 PyPI Packages Detour Firewall Using Cloudflare Tunnels (informationsecuritybuzz.com)

• Microsoft: Kubernetes clusters hacked in malware campaign via PostgreSQL (bleepingcomputer.com)

• Malicious PyPi packages create CloudFlare Tunnels to bypass firewalls (bleepingcomputer.com)

• Gootkit Loader Actively Targets Australian Healthcare Industry (trendmicro.com)

• Raspberry Robin's botnet second life - SEKOIA.IO Blog

• Telegram Bot Abuse For Phishing Increased By 800% in 2022 - Infosecurity Magazine (infosecurity-magazine.com)

• IcedID Malware Strikes Again: Active Directory Domain Compromised in Under 24 Hours (thehackernews.com)

• Android TV box on Amazon came pre-installed with malware (bleepingcomputer.com)

• VLC media player is being hiajcked to send out malware | TechRadar

• RAT malware campaign tries to evade detection using polyglot files (bleepingcomputer.com)

• Italian Users Warned of Malware Attack Targeting Sensitive Information (thehackernews.com)

• Hackers push fake Pokemon NFT game to take over Windows devices (bleepingcomputer.com)

• How to protect yourself from bot-driven account fraud - Help Net Security

Mobile

• Android spyware strikes again targeting financial institutions and your money | Fox News

• Messenger billed as better than Signal is riddled with vulnerabilities | Ars Technica

• StrongPity hackers target Android users via trojanized Telegram app (bleepingcomputer.com)

• Threema claims encryption flaws never had a real-world impact (bleepingcomputer.com)

• Latest Firmware Flaws in Qualcomm Snapdragon Need Attention (darkreading.com)

• Threat actors claim access to Telegram servers through insiders - Security Affairs

• $20K Buys Insider Access to Telegram Servers, Dark Web Ad Claims (darkreading.com)

Denial of Service/DoS/DDOS

• How to Defend Against any Type of DNS Attack | A10 Networks

• The most significant DDoS attacks in the past year - Help Net Security

• Multiple Danish Banks Disrupted By DDoS Cyber-Attack - Infosecurity Magazine (infosecurity-magazine.com)

• Big Prizes, Cash on Offer for Joining 'DDosia' Anti-Ukraine Cyber attack Project (darkreading.com)

• New Study Uncovers Text-to-SQL Model Vulnerabilities Allowing Data Theft and DoS Attacks (thehackernews.com)

• Serbia Slammed With DDoS Attacks (darkreading.com)

Internet of Things – IoT

• The dark web's criminal minds see IoT as the next big hacking prize (cnbc.com)

• Android TV box on Amazon came pre-installed with malware (bleepingcomputer.com)

• Hackers can trick Wi-Fi devices into draining their own batteries | New Scientist

Data Breaches/Leaks

• Twitter Data Leak: What the Exposure of 200 Million User Emails Means for You | WIRED

• 14 UK schools hit by cyber attack and documents leaked - BBC News

• Air France and KLM notify customers of account hacks (bleepingcomputer.com)

• Vice Society Releases Info Stolen From 14 UK Schools, Including Passport Scans (darkreading.com)

• Twitter's mushrooming data breach crisis could prove costly | CSO Online

• Twitter Denies Hacking Claims, Assures Leaked User Data Not from its System (thehackernews.com)

• 6 oversights that enable data breaches - Help Net Security

• CircleCI – code-building service suffers total credential compromise – Naked Security (sophos.com)

• Aflac's Japan says US partner leaked cancer customer info • The Register

• Data leak exposes information of 10,000 French social security beneficiaries | CSO Online

• Chick-fil-A investigates reports of hacked customer accounts (bleepingcomputer.com)

• Oxford University dating website for staff and students shut down after ‘huge data breach’ | News | The Times

• SolarWinds shareholders appeal Orion breach lawsuit to Delaware Supreme Court | SC Media (scmagazine.com)

Organised Crime & Criminal Actors

• JP Morgan must face suit over $272m cybertheft • The Register

• Cyber criminals are already using ChatGPT to own you | SC Media (scmagazine.com)

• Russian Cyber Crew Targets Ukraine Financial Sector Via Infected USB Drives - MSSP Alert

• 2022 Was the Biggest Year Yet for Crypto, if You're a Crook (gizmodo.com)

• Researchers Find 'Digital Crime Haven' While Investigating Magecart Activity (darkreading.com)

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

• 2022 Was the Biggest Year Yet for Crypto, if You're a Crook (gizmodo.com)

• European police takes down call centres behind cryptocurrency scams (bleepingcomputer.com)

• European cops shut down fake crypto call centres • The Register

• Kinsing Crypto Malware Hits Kubernetes Clusters via Misconfigured PostgreSQL (thehackernews.com)

Fraud, Scams & Financial Crime

• European police takes down call centres behind cryptocurrency scams (bleepingcomputer.com)

• Nationwide warns ‘checking is important’ as thousands targeted in online scam | Personal Finance |

• How to protect yourself from bot-driven account fraud - Help Net Security

Insurance

• Insurance Co. Beazley Launches $45M 'Cyber Catastrophe Bond' (gizmodo.com)

• Insurer Beazley launches first catastrophe bond for cyber threats | Financial Times (ft.com)

• 4 Cyber Insurance Requirement Predictions for 2023 (trendmicro.com)

Dark Web

• Threat actors claim access to Telegram servers through insiders - Security Affairs

• $20K Buys Insider Access to Telegram Servers, Dark Web Ad Claims (darkreading.com)

• Pakistan tells government agencies to avoid the dark web • The Register

Software Supply Chain

• Software Supply Chain Security Needs a Bigger Picture (darkreading.com)

Cloud/SaaS

• Attackers abuse business-critical cloud apps to deliver malware - Help Net Security

• Top SaaS Cyber security Threats in 2023: Are You Ready? (thehackernews.com)

• Why Do User Permissions Matter for SaaS Security? (thehackernews.com)

Attack Surface Management

• Why the atomized network is growing, and how to protect it - Help Net Security

• Web 3.0 Shifts Attack Surface and Highlights Need for Continuous Security (darkreading.com)

Identity and Access Management

• 4 identity security trends to watch in 2023 - Help Net Security

Encryption

• RSA crypto cracked? Or perhaps not! – Naked Security (sophos.com)

• What is Triple DES and why is it being disallowed? | TechTarget

Passwords, Credential Stuffing & Brute Force Attacks

• A fifth of passwords used by federal agency cracked in security audit | Ars Technica

• Why FIDO and passwordless authentication is the future - Help Net Security

• 'Copyright Infringement' Lure Used for Facebook Credential Harvesting (darkreading.com)

• Why it might be time to consider using FIDO-based authentication devices | CSO Online

Social Media

• Twitter Data Leak: What the Exposure of 200 Million User Emails Means for You | WIRED

• Twitter's mushrooming data breach crisis could prove costly | CSO Online

• New Spyware Variant with RAT Capabilities Targeting Financial Institutions, Social Media - MSSP Alert

• Twitter Denies Hacking Claims, Assures Leaked User Data Not from its System (thehackernews.com)

• If governments are banning TikTok, why is it still on your corporate devices? | CSO Online

• 'Copyright Infringement' Lure Used for Facebook Credential Harvesting (darkreading.com)

Training, Education and Awareness

• 1 in 3 Organisations Do Not Provide Any Cyber Security Training to Remote Workers Despite a Majority of Employees Having Access to Critical Data (darkreading.com)

Regulations, Fines and Legislation

• Technical And Legal Risks Of ChatGPT: How Prepared Are We With Laws On AI? (informationsecuritybuzz.com)

Governance, Risk and Compliance

• US cyber security director: The tech ecosystem has ‘become really unsafe’ (yahoo.com)

• Global Cyber-Attack Volume Surges 38% in 2022 - Infosecurity Magazine (infosecurity-magazine.com)

• Customer and Employee Data the Top Prize for Hackers – Imperva - Infosecurity Magazine (infosecurity-magazine.com)

• 1 in 3 Organisations Do Not Provide Any Cyber Security Training to Remote Workers Despite a Majority of Employees Having Access to Critical Data (darkreading.com)

• Global Risks Report: Understand the risk landscape in 2023 and beyond - Help Net Security

• 6 oversights that enable data breaches - Help Net Security

• Why Analysing Past Incidents Helps Teams More Than Usual Security Metrics (darkreading.com)

• Cyber security spending and economic headwinds in 2023 | CSO Online

• How to Ensure Cyber Security Investments Remain a Priority Across Your Organisation (darkreading.com)

• Practical Risk Management - Beyond Certification (informationsecuritybuzz.com)

• Vulnerable software, low incident reporting raises risks | TechTarget

• How Will a Recession Will Affect CISOs? | SecurityWeek.Com

Careers, Working in Cyber and Information Security

• Cyber security staff are struggling. Here's how to support them better | ZDNET

Law Enforcement Action and Take Downs

• European cops shut down fake crypto call centres • The Register

• European police takes down call centres behind cryptocurrency scams (bleepingcomputer.com)

Privacy, Surveillance and Mass Monitoring

• Hidden Chinese tracking device 'found in UK Government car' sparks national security fears (inews.co.uk)

Artificial Intelligence

• AI-generated phishing emails just got much more convincing • The Register

• ChatGPT: The infosec assistant that is jack of all trades, master of none - Help Net Security

• How hackers might be exploiting ChatGPT | Cybernews

• Better Phishing, Easy Malicious Implants: How AI Could Change Cyber attacks (darkreading.com)

• VALL-E AI can mimic a person’s voice from a 3-second snippet • The Register

• ChatGPT Artificial Intelligence: An Upcoming Cyber security Threat? (darkreading.com)

• Hackers Exploiting OpenAI’s ChatGPT to Deploy Malware (hackread.com)

• Cyber criminals are already using ChatGPT to own you | SC Media (scmagazine.com)

• Trojan Puzzle attack trains AI assistants into suggesting malicious code (bleepingcomputer.com)

• The ChatGPT bot is causing panic now – but it’ll soon be as mundane a tool as Excel | John Naughton | The Guardian

• How hackers might be exploiting ChatGPT | Cybernews

• ChatGPT Used to Develop New Malicious Tools - Infosecurity Magazine (infosecurity-magazine.com)

• Technical And Legal Risks Of ChatGPT: How Prepared Are We With Laws On AI? (informationsecuritybuzz.com)

• DHS, CISA plan AI-based cyber security analytics sandbox • The Register

Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine

• Turla, a Russian Espionage Group, Piggybacked on Other Hackers' USB Infections | WIRED

• Russia’s Turla falls back on old malware C2 domains to avoid detection | Computer Weekly

• Hidden Chinese tracking device 'found in UK Government car' sparks national security fears (inews.co.uk)

• Ukraine: Russian Cyber-Attacks Should Be Considered War Crimes - Infosecurity Magazine (infosecurity-magazine.com)

• New APT Dark Pink Hits Asia-Pacific, Europe With Spear Phishing Tactics - Infosecurity Magazine (infosecurity-magazine.com)

• Exclusive: Russian hackers targeted U.S. nuclear scientists | Reuters

• Russian cyber attacks on Ukraine halved with help from Amazon and Microsoft (telegraph.co.uk)

• Dark Pink, a newly discovered hacking campaign, threatens Southeast Asian military, government organisations (cyberscoop.com)

• New Dark Pink APT group targets govt and military with custom malware (bleepingcomputer.com)

• Big Prizes, Cash on Offer for Joining 'DDosia' Anti-Ukraine Cyber attack Project (darkreading.com)

• Phishing campaign targets government institution in Moldova - Security Affairs

• Serbia Slammed With DDoS Attacks (darkreading.com)

• Russian and Belarusian men charged with spying for Russian GRU - Security Affairs

Nation State Actors

Nation State Actors – Russia

• Turla, a Russian Espionage Group, Piggybacked on Other Hackers' USB Infections | WIRED

• Russia’s Turla falls back on old malware C2 domains to avoid detection | Computer Weekly

• Ukraine: Russian Cyber-Attacks Should Be Considered War Crimes - Infosecurity Magazine (infosecurity-magazine.com)

• Exclusive: Russian hackers targeted U.S. nuclear scientists | Reuters

• Russian cyber attacks on Ukraine halved with help from Amazon and Microsoft (telegraph.co.uk)

• How Elon Musk’s Starlink has changed warfare | The Economist

• Big Prizes, Cash on Offer for Joining 'DDosia' Anti-Ukraine Cyber attack Project (darkreading.com)

• Phishing campaign targets government institution in Moldova - Security Affairs

• Serbia Slammed With DDoS Attacks (darkreading.com)

• Russian and Belarusian men charged with spying for Russian GRU - Security Affairs

• Musk's Starlink Satellite's Role In Ukraine War Inspires Taiwan To Thwart Potential China Attack

Nation State Actors – China

• Hidden Chinese tracking device 'found in UK Government car' sparks national security fears (inews.co.uk)

• Many of 13 New Mac Malware Families Discovered in 2022 Linked to China | SecurityWeek.Com

• If governments are banning TikTok, why is it still on your corporate devices? | CSO Online

• Musk's Starlink Satellite's Role In Ukraine War Inspires Taiwan To Thwart Potential China Attack

Nation State Actors – Iran

• Iran says it foiled cyber attack on central bank | Reuters

Nation State Actors – Misc

• New APT Dark Pink Hits Asia-Pacific, Europe With Spear Phishing Tactics - Infosecurity Magazine (infosecurity-magazine.com)

• Dark Pink, a newly discovered hacking campaign, threatens Southeast Asian military, government organisations (cyberscoop.com)

• New Dark Pink APT group targets govt and military with custom malware (bleepingcomputer.com)

Vulnerability Management

Applications Five Years or Older Likely to have Security Flaws - Infosecurity Magazine (infosecurity-magazine.com)

Patch Where it Hurts: Effective Vulnerability Management in 2023 (thehackernews.com)

70% of apps contain at least one security flaw after 5 years in production - Help Net Security

Rackspace Ransomware Incident Highlights Risks of Relying on Mitigation Alone (darkreading.com)

Does a hybrid model for vulnerability management make sense? • Graham Cluley

Vulnerabilities

• Microsoft Patch Tuesday: 97 Windows Vulns, 1 Exploited Zero-Day | SecurityWeek.Com

• Microsoft plugs actively exploited zero-day hole (CVE-2023-21674) - Help Net Security

• The Roadmap to Secure Access Service Edge (SASE) - MSSP Alert

• Hundreds of SugarCRM servers infected with critical in-the-wild exploit | Ars Technica

• Chrome 109 Patches 17 Vulnerabilities | SecurityWeek.Com

• Cyber criminals bypass Windows security with driver-vulnerability exploit | CSO Online

• Google Chrome 'SymStealer' Vulnerability Could Affect 2.5 Billion Users - Infosecurity Magazine (infosecurity-magazine.com)

• Attackers target govt networks exploiting Fortinet SSL-VPN CVE-2022-42475 - Security Affairs

• Adobe Plugs Security Holes in Acrobat, Reader Software | SecurityWeek.Com

• Zoom Patches High Risk Flaws on Windows, MacOS Platforms | SecurityWeek.Com

• Cisco warns of auth bypass bug with public exploit in EoL routers (bleepingcomputer.com)

• Swiss Threema messaging app found to have vulnerabilities • The Register

• Alert: Hackers Actively Exploiting Critical "Control Web Panel" RCE Vulnerability (thehackernews.com)

• Fortinet says hackers exploited critical vulnerability to infect VPN customers | Ars Technica

• Critical bug in Cisco Small Business Routers will receive no patch - Security Affairs

• Severe Vulnerabilities Allow Hacking of Asus Gaming Router | SecurityWeek.Com

• JsonWebToken Security Bug Opens Servers to RCE (darkreading.com)

• Latest Firmware Flaws in Qualcomm Snapdragon Need Attention (darkreading.com)

Tools and Controls

• How to prevent and detect lateral movement attacks | TechTarget

• 65% of Organisations Plan to Adopt a Security Service Edge Platform in Next 2 Years: Axis Security (darkreading.com)

• How Will a Recession Will Affect CISOs? | SecurityWeek.Com

• What is Red Teaming & How it Benefits Orgs (trendmicro.com)

• Data Loss Prevention Capability Guide (informationsecuritybuzz.com)

• 4 key shifts in the breach and attack simulation (BAS) market - Help Net Security

• How to prioritize effectively with threat modeling • The Register

• XDR and the Age-old Problem of Alert Fatigue | SecurityWeek.Com

• 11 top XDR tools and how to evaluate them | CSO Online

• Why FIDO and passwordless authentication is the future - Help Net Security

• Why it might be time to consider using FIDO-based authentication devices | CSO Online

• How to Defend Against any Type of DNS Attack | A10 Networks

• DHS, CISA plan AI-based cyber security analytics sandbox • The Register

• ChatGPT: The infosec assistant that is jack of all trades, master of none - Help Net Security

Other News

• Better Include Physical Security With Cyber security | T&D World

• 6 oversights that enable data breaches - Help Net Security

• It’s official: Digital trust really matters to everyone online - Help Net Security

Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

·       Automotive

·       Construction

·       Critical National Infrastructure (CNI)

·       Defence & Space

·       Education & Academia

·       Energy & Utilities

·       Estate Agencies

·       Financial Services

·       FinTech

·       Food & Agriculture

·       Gaming & Gambling

·       Government & Public Sector (including Law Enforcement)

·       Health/Medical/Pharma

·       Hotels & Hospitality

·       Insurance

·       Legal

·       Manufacturing

·       Maritime

·       Oil, Gas & Mining

·       OT, ICS, IIoT, SCADA & Cyber-Physical Systems

·       Retail & eCommerce

·       Small and Medium Sized Businesses (SMBs)

·       Startups

·       Telecoms

·       Third Sector & Charities

·       Transport & Aviation

·       Web3

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

New Strain Of Ransomware Implements Self-Spreading Capabilities

French experts spotted a new Ryuk ransomware variant that implements self-spreading capabilities to infect other devices on victims’ local networks.

This new version has a new attribute that allows it to self replicate over the local network allowing the malware to propagate itself – machine to machine – within the Windows domain. Once launched, it will spread itself to every Windows machine it can reach.

https://securityaffairs.co/wordpress/115064/reports/ryuk-ransomware-self-spreading-capabilities.html

One In Four People Use Work Passwords For Consumer Websites

The report found that one in four consumers admit to using their work email or passwords to log in to consumer websites and applications such as food delivery apps, online shopping sites and even dating apps. The report found that consumers are neglecting to implement fundamental security safeguards across smart IoT devices at home, which could have serious security ramifications on both the individual and the enterprise amid increased and ongoing remote work spurred by the COVID-19 pandemic.

https://www.helpnetsecurity.com/2021/02/26/use-work-passwords-for-consumer-websites/

Massive Rise In Threats Across Expanding Attack Surfaces

New malware samples nearly doubled: New ransomware samples increased 106% year-over-year. Trojans increased 128%, with threat actors using trojans to exploit lower-severity vulnerabilities. Sophisticated, multi-staged attacks and malware-as-a-service have become the norm. Vulnerabilities hit a new high: 18,341 new vulnerabilities in 2020 have been reported. To stay ahead of attacks, security and risk leaders need sophisticated insights into which vulnerabilities are high-risk and remediation options for all assets, including non-patching options.

https://www.helpnetsecurity.com/2021/02/26/expanding-attack-surfaces/

Half of Organisations Concerned Remote Working Puts Them at Greater Risk of Cyber Attacks

Half of organizations are concerned that the shift to remote work is putting them a greater risk of Cyber Attacks, according to a new study with IDG. A survey of UK CIOs, CTOs and IT decision makers revealed that insecure practices are regularly taking place among remote workers, providing more opportunities for Cyber Criminals to strike.

https://www.infosecurity-magazine.com/news/half-orgs-remote-working-risk/

Microsoft Patches Four Zero-Day Exchange Server Bugs

Microsoft has been forced to release out-of-band patches to fix multiple zero-day vulnerabilities being exploited by Chinese state-backed threat actors. The unusual step was taken to protect customers running on-premises versions of Microsoft Exchange Server.

https://www.infosecurity-magazine.com/news/microsoft-patch-four-zeroday/

A Booming Trade In Bugs Is Undermining Cyber Security

If you discover that a favourite vending-machine dispenses free chocolate when its buttons are pressed just so, what should you do? The virtuous option is to tell the manufacturer, so it can fix it. The temptation is to gorge.

https://www.economist.com/books-and-arts/2021/03/06/a-booming-trade-in-bugs-is-undermining-cyber-security

Is Your Browser Extension A Botnet Backdoor?

A company that rents out access to more than 10 million Web browsers so that clients can hide their true Internet addresses has built its network by paying browser extension makers to quietly include its code in their creations. This story examines the lopsided economics of extension development, and why installing an extension can be such a risky proposition.

https://krebsonsecurity.com/2021/03/is-your-browser-extension-a-botnet-backdoor/

Cyber Attack Shuts Down Online Learning At 15 UK Schools

A threat actor was able to access the trust's central network infrastructure and while an investigation took place, all existing phone, email, and website communication had to be pulled. Students are still learning remotely in England. Schools are set to reopen on March 8, but in the meantime, only a small subset of children are attending school physically, such as the children of key workers.

https://www.zdnet.com/article/cyberattack-shuts-down-online-learning-at-15-uk-schools/

First Fully Weaponized Spectre Exploit Discovered Online

A fully weaponized exploit for the Spectre CPU vulnerability was uploaded on the malware-scanning website VirusTotal last month, marking the first time a working exploit capable of doing actual damage has entered the public domain. The exploit was discovered and targets Spectre, a major vulnerability that was disclosed in January 2018. According to its website, the Spectre bug is a hardware design flaw in the architectures of Intel, AMD, and ARM processors that allows code running inside bad apps to break the isolation between different applications at the CPU level and then steal sensitive data from other apps running on the same system.

https://therecord.media/first-fully-weaponized-spectre-exploit-discovered-online/

Solarwinds Security Fiasco May Have Started With Simple Password Blunders

We still do not know just how bad the SolarWinds security breach is. We do know over a hundred US government agencies and companies were cracked. "The largest and most sophisticated attack the world has ever seen," with more than a thousand hackers behind it. It may have all started when an intern first set an important password to "'solarwinds123." Then, adding insult to injury, the intern shared the password on GitHub.

https://www.zdnet.com/article/solarwinds-security-fiasco-may-have-started-with-simple-password-blunders/

Threats

Ransomware

• Data analytics agency Polecat held to ransom after server exposed 30TB of records

• Ransomware gang hacks Ecuador's largest private bank, Ministry of Finance

• Ransomware puzzle: These two pieces of malware look very different, but they evolved from the same root

• Search crimes – how the Gootkit gang poisons Google searches

• Qualys hit with ransomware: customer invoices leaked on extortionists' tor blog

Phishing

• COVID19 Vaccine Phishing Scams Surge 26% in Three Months

Malware

• Compromised Website Images Camouflage ObliqueRAT Malware

• Malicious NPM packages target Amazon, Slack with new dependency attacks

Mobile

• This new jailbreak threat could put nearly all iPhones at risk

Vulnerabilities

• These Microsoft Exchange Server zero-day flaws are being used by hackers, so update now

• High severity Linux network security holes found, fixed

• Working Windows and Linux Spectre exploits found on VirusTotal

• Google shares PoC exploit for critical Windows 10 Graphics RCE bug

• Another Chrome zero-day exploit – so get that update done!

• If you own a MacBook, download and install macOS Big Sur 11.2.2 ASAP

Data Breaches

• Data is the world’s most valuable (and vulnerable) resource

• Far-Right Platform Gab Has Been Hacked—Including Private Data

• Singapore Airlines frequent flyer members hit in third-party data security breach

Organised Crime

• Three Top Russian Cyber Crime Forums Hacked

• Hackers share methods to bypass 3D Secure for payment cards

• Cyber Crime 'Help Wanted': Job Hunting on the Dark Web

Dark Web

• The 20 Most Common Passwords Found On The Dark Web

Supply Chain

• Why supply chains are today's fastest growing cyber security threat

• Bombardier is latest victim of Accellion supply chain attack

Nation-State Actors

• Indian cyber espionage activity rising amid growing rivalry with China, Pakistan

• Microsoft accuses China over email cyber-attacks

• New nation-state cyber attacks

• Lazarus Targets Defense Companies with ThreatNeedle Malware

• Security News This Week: The SolarWinds Body Count Now Includes NASA and the FAA

Privacy

• How To Reclaim Your Privacy from Windows 10

• Home-security cameras have become a fruitful resource for law enforcement — and a fatal risk

Reports Published in the Last Week

• Report: Quality, not quantity, is the hallmark of the latest waves of phishing attacks

Other News

• Next Cyber War will hit regular People online

• Prime-factor mathematical foundations of RSA cryptography ‘broken’, claims cryptographer

• Criminals 'Posing As Cyber Security Experts' As Number Of Firms Rises

• NSA, Microsoft promote a Zero Trust approach to cyber security

• Inside the race to keep secrets safe from the quantum computing revolution

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.