Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

• Ransomware Is the Biggest Global Cyber Threat. And The Attacks Are Still Evolving

Ransomware is the biggest cyber security threat facing the world today, with the potential to significantly affect whole societies and economies – and the attacks are unrelenting, the head of the National Cyber Security Centre (NCSC) has warned.

"Even with a war raging in Ukraine – the biggest global cyber threat we still face is ransomware. That tells you something of the scale of the problem. Ransomware attacks strike hard and fast. They are evolving rapidly, they are all-pervasive, they're increasingly offered by gangs as a service, lowering the bar for entry into cyber crime," said Lindy Cameron, CEO of the NCSC in a speech at Tel Aviv Cyber Week.

She added that the NCSC has dealt with "nationally significant incidents" along with hundreds of general cyber incidents that "affect the UK more widely every year".

While she didn't detail any specific instances of responding to ransomware incidents, Cameron warned that "these complex attacks have the potential to affect our societies and economies significantly", and implied that if it weren't for the work of NCSC incident responders, alongside their counterparts in the industry and international counterparts, the attacks could have had a major impact.

https://www.zdnet.com/article/ransomware-attacks-are-the-biggest-global-cyber-threat-and-still-evolving-warns-cybersecurity-chief/

• Study Reveals Traditional Data Security Tools Have a 60% Failure Rate Against Ransomware and Extortion

Titaniam, Inc., the data security platform, announced the ‘State of Data Exfiltration & Extortion Report.’ The survey revealed that while over 70% of organisations have an existing set of prevention, detection, and backup solutions, nearly 40% of organisations have been hit with ransomware attacks in the last year, and more than 70% have experienced one in the previous five years, proving existing solutions to be woefully inadequate in managing the risks and impacts from these attacks.

Data exfiltration during ransomware attacks is up 106% relative to where it was five years ago. We are seeing the emergence of a new trend where cyber criminals are no longer limiting themselves to just encrypting entire systems—they are making sure to steal data ahead of the encryption so that they can have additional leverage on the victim. The survey found that 65% of those who have experienced a ransomware attack have also experienced data theft or exfiltration due to the incident. Of those victims, 60% say the hackers used the data theft to extort them further, known as double extortion. Most of them, i.e., 59% of victims, paid the hackers, implying that they were not helped by their backup or data security tools to prevent this fate.

Data is being exposed for theft and extortion in other ways too. Nearly half (47%) uncovered publicly exposed data in their systems in the last 24 months. It was found that respondents have a mix of data security & protection (78%), prevention & detection (75%), and backup and recovery (73%) in their cyber security stacks. Still, exposure and extortion numbers imply a missing puzzle piece regarding attacks.

https://www.darkreading.com/attacks-breaches/study-reveals-traditional-data-security-tools-have-a-60-failure-rate-against-ransomware-and-extortion

• Patchable and Preventable Security Issues Lead Causes of Q1 Attacks

Attacks against companies spiked in Q1 2022 with patchable and preventable external vulnerabilities responsible for the bulk of attacks.

Eighty-two percent of attacks on organisations in Q1 2022 were caused by the external exposure of known vulnerabilities in the victim’s external-facing perimeter or attack surface. Those unpatched bugs overshadowed breach-related financial losses tied to human error, which accounted for 18 percent.

The numbers come from Tetra Defense and its quarterly report that sheds light on a notable uptick in cyber attacks against United States organisations between January and March 2022.

The report did not let employee security hygiene, or a lack thereof, off the hook. Tetra revealed that a lack of multi-factor authentication (MFA) mechanisms adopted by firms and compromised credentials are still major factors in attacks against organisations.

https://threatpost.com/lead-causes-of-q1-attacks/180096/

• Three in Four Vulnerability Management Programs Ineffective

How at risk are organisations to unsecured vulnerabilities in their networks? NopSec, a threat and exposure management provider, gives us the answers in a new study of some 430 cyber security professionals.

Are security teams finding successful approaches to their vulnerability management, or are “open doors around their attack surface” leaving them susceptible to disaster in their organisation? The answer, as it turns out, is that some organisations are better at detection, response and remediation of their vulnerabilities.

Perhaps more importantly, others are not as locked down as they believe, according to the report. Keeping track of known vulnerabilities and responding quickly is one thing, but locating flaws they did not previously know existed is quite another.

Seventy percent of respondent say their vulnerability management program (VMP) is only somewhat effective or worse, blind spots and shadow IT remain top challenges, and vulnerabilities take too long to patch.

https://www.msspalert.com/cybersecurity-research/three-in-four-vulnerability-management-programs-ineffective-study-finds/

• EMEA Continues to Be a Hotspot for Malware Threats

Ransomware detections in the first quarter of this year doubled the total volume reported for 2021, according to the latest quarterly Internet Security Report from the WatchGuard Threat Lab. Researchers also found that the Emotet botnet came back in a big way, the infamous Log4Shell vulnerability tripled its attack efforts and malicious cryptomining activity increased.

Although findings from the Threat Lab’s Q4 2021 report showed ransomware attacks trending down year over year, that all changed in Q1 2022 with a massive explosion in ransomware detections. While Q4 2021 saw the downfall of the infamous REvil cybergang, WatchGuard analysis suggests that this opened the door for the LAPSUS$ extortion group to emerge, which along with many new ransomware variants such as BlackCat – the first known ransomware written in the Rust programming language – could be contributing factors to an ever-increasing ransomware and cyber-extortion threat landscape.

The report also shows that EMEA continues to be a hotspot for malware threats. Overall regional detections of basic and evasive malware show WatchGuard Fireboxes in EMEA were hit harder than those in North, Central and South America (AMER) at 57% and 22%, respectively, followed by Asia-Pacific (APAC) at 21%.

https://www.helpnetsecurity.com/2022/06/30/emea-malware-threats/

• A New, Remarkably Sophisticated Malware Is Attacking Home and Small Office Routers

An unusually advanced hacking group has spent almost two years infecting a wide range of routers in North America and Europe with malware that takes full control of connected devices running Windows, macOS, and Linux, researchers reported on June 28.

So far, researchers from Lumen Technologies' Black Lotus Labs say they've identified at least 80 targets infected by the stealthy malware, including routers made by Cisco, Netgear, Asus, and DrayTek. Dubbed ZuoRAT, the remote access Trojan is part of a broader hacking campaign that has existed since at least the fourth quarter of 2020 and continues to operate.

The discovery of custom-built malware written for the MIPS architecture and compiled for small-office and home-office routers is significant, particularly given its range of capabilities. Its ability to enumerate all devices connected to an infected router and collect the DNS lookups and network traffic they send and receive, and remain undetected, is the hallmark of a highly sophisticated threat actor.

"While compromising small office/home office (SOHO) routers as a vector to gain access to an adjacent LAN is not a novel technique, it has seldom been reported," Black Lotus Labs researchers wrote. "Similarly, reports of person-in-the-middle style attacks, such as DNS and HTTP hijacking, are even rarer and a mark of a complex and targeted operation. The use of these two techniques congruently demonstrated a high level of sophistication by a threat actor, indicating that this campaign was possibly performed by a state-sponsored organisation."

The campaign comprises at least four pieces of malware, three of them written from scratch by the threat actor. The first piece is the MIPS-based ZuoRAT, which closely resembles the Mirai internet-of-things malware that achieved record-breaking distributed denial-of-service attacks that crippled some Internet services for days. ZuoRAT often gets installed by exploiting unpatched vulnerabilities in SOHO devices.

https://www.wired.com/story/zuorat-trojan-malware-hacking-routers/

• What Are Shadow IDs, and How Are They Crucial in 2022?

Just before last Christmas, in a first-of-a-kind case, JPMorgan was fined $200M for employees using non-sanctioned applications for communicating about financial strategy. No mention of insider trading, naked shorting, or any malevolence. Just employees circumventing regulation using, well, Shadow IT. Not because they tried to obfuscate or hide anything, simply because it was a convenient tool that they preferred over any other sanctioned products (which JPMorgan certainly has quite a few of.)

Visibility into unknown and unsanctioned applications has been required by regulators and also recommended by the Center for Internet Security community for a long time. Yet it seems that new and better approaches are still in demand. Gartner has identified External Attack Surface Management, Digital Supply Chain Risk, and Identity Threat Detection as the top three trends to focus on in 2022, all of which are closely intertwined with Shadow IT.

"Shadow IDs," or in other words, unmanaged employee identities and accounts in third-party services, are often created using a simple email-and-password-based registration. Cloud access security broker (CASB) and corporate single-sign-on (SSO) solutions are limited to a few sanctioned applications, and are not widely adopted on most websites and services either. This means, that a large part of an organisation's external surface - as well as its user identities - may be completely invisible.

https://thehackernews.com/2022/06/what-are-shadow-ids-and-how-are-they.html

• Zero-Days Aren't Going Away Anytime Soon, and What Leaders Need to Know

Few security exploits are the source of more sleepless nights for security professionals than zero-day attacks. Just recently, researchers discovered a new vulnerability enabling hackers to achieve remote code execution within Microsoft Office. Dubbing the evolving threat the Follina exploit, researchers say all versions of Office are at risk. And because the internal security teams have no time to prepare or patch their systems to defend against these software vulnerabilities, crafty threat actors can take advantage, taking their time after they've accessed an organisation's environment to observe and exfiltrate data while remaining completely unseen.

And though sophisticated threat actors and nations have exploited zero-days for nearly two decades, last year saw a historic rise in the number of vulnerabilities detected. Both Google and Mandiant tracked a record number of zero-days last year, with the caveat that more zero-days are being discovered because security companies are getting better at finding them — not necessarily because hackers are coming up with new vulnerabilities. Not all zero-days are created equal, though. Some require sophisticated and novel techniques, like the attack on SolarWinds, and others exploit simple vulnerabilities in commonly used programs like Windows. Thankfully, there's some basic cyber hygiene strategies that can keep your organisation sufficiently prepared to mitigate zero-day exploits.

https://www.darkreading.com/attacks-breaches/zero-days-aren-t-going-away-anytime-soon-and-what-leaders-need-to-know

• Half of 2022's Zero-Days Are Variants of Previous Vulnerabilities

Google Project Zero has observed a total of 18 exploited zero-day vulnerabilities in the first half of 2022, at least half of which exist because previous bugs were not properly addressed.

According to Google Project Zero researcher Maddie Stone, nine of the in-the-wild zero-days seen so far this year could have been prevented had organisations applied more comprehensive patching.

“On top of that, four of the 2022 zero-days are variants of 2021 in-the-wild zero-days. Just 12 months from the original in-the-wild zero-day being patched, attackers came back with a variant of the original bug,” Stone says.

The most recent of these issues is the Follina vulnerability in the Windows platform. Tracked as CVE-2022-30190, it is a variant of an MSHTML zero-day tracked as CVE-2021-40444.

CVE-2022-21882 is another Windows vulnerability that is a variant of an in-the-wild zero-day that was improperly resolved last year, namely CVE-2021-1732.

An iOS IOMobileFrameBuffer bug (CVE-2022-22587) and a type confusion flaw in Chrome’s V8 engine (CVE-2022-1096) are two other zero-days that are variants of exploited security flaws found last year – CVE-2021-30983 and CVE-2021-30551, respectively.

Other 2022 zero-days that are variants of improperly addressed security defects are CVE-2022-1364 (Chrome), CVE-2022-22620 (WebKit), CVE-2021-39793 (Google Pixel), CVE-2022-26134 (Atlassian Confluence), and CVE-2022-26925 (Windows flaw called PetitPotam).

https://www.securityweek.com/google-half-2022s-zero-days-are-variants-previous-vulnerabilities

• Human Error Remains the Top Security Issue

Human error remains the most effective vector for conducting network infiltrations and data breaches.

The SANS Institute security centre issued its annual security awareness report Wednesday, which was based on data from 1,000 infosec professionals and found that employees and their lack of security training remain common points of failure for data breaches and network attacks. The report also tracked the maturity level of respondents' security awareness programs and their effectiveness in reducing human risk.

"This year's report once again identifies what we have seen over the past three years: that the most mature security awareness programs are those that have the most people dedicated to managing and supporting it," the cyber security training and education organisation said.

"These larger teams are more effective at working with the security team to identify, track, and prioritise their top human risks, and at engaging, motivating, and training their workforce to manage those risks."

The SANS Institute study ranked maturity by five levels, from lowest to highest: nonexistent, compliance-focused, promoting awareness and behaviour change, long-term sustainment and culture change, and metrics framework. The report found that while approximately 400 respondents said their programs promote awareness and behaviour change - the highest such response for any maturity level - the number represented a 10% decrease from the previous year's report.

https://www.techtarget.com/searchsecurity/news/252522226/SANS-Institute-Human-error-remains-the-top-security-issue

• Carnival Cruises Torpedoed by US States, Agrees to Pay $6m After Wave of Cyber Attacks

Carnival Cruise Lines will cough up more than $6 million to end two separate lawsuits filed by 46 states in the US after sensitive, personal information on customers and employees was accessed in a string of cyber attacks.

A couple of years ago, as the coronavirus pandemic was taking hold, the Miami-based business revealed intruders had not only encrypted some of its data but also downloaded a collection of names and addresses; Social Security info, driver's license, and passport numbers; and health and payment information of thousands of people in almost every American state.

It all started to go wrong more than a year prior, as the cruise line became aware of suspicious activity in May 2019. This apparently wasn't disclosed until 10 months later, in March 2020.

Back in 2019, the security operations team spotted an internal email account sending spam to other addresses. It turned out miscreants had hijacked 124 employee Microsoft Office 365 email accounts, and were using them to send phishing emails to harvest more credentials. This, we're told, gave the intruders access to personal data on 180,000 Carnival employees and customers. It's likely the miscreants first broke in using phishing mails or brute-forcing passwords; either way, there was no multi-factor authentication.

Then in August 2020, the company said it was hit with the aforementioned ransomware, and copies of its files were siphoned. In January 2021, it was infected again with malware, and again sensitive information – specifically, customer passport numbers and dates of birth, and employee credit card numbers – were downloaded. And in March that year, a staffer's work email account was compromised again to send out a phishing email; more sensitive information was exposed.

https://www.theregister.com/2022/06/28/carnival-cybersecurity-fines/

• Uber Ex-Security Chief Accused of Hacking Coverup Must Face Fraud Charges, Judge Rules

A federal judge on Tuesday said a former Uber Technologies Inc. security chief must face wire fraud charges over his alleged role in trying to cover up a 2016 hacking that exposed personal information of 57 million passengers and drivers.

The US Department of Justice had in December added the three charges against Joseph Sullivan to an earlier indictment, saying he arranged to pay money to two hackers in exchange for their silence, while trying to conceal the hacking from passengers, drivers and the US Federal Trade Commission.

https://www.reuters.com/business/uber-ex-security-chief-accused-hacking-coverup-must-face-fraud-charges-judge-2022-06-28/

Threats

Ransomware

• Ransomware market evolution results in fewer variants, but rise in off-the-shelf cyber crime kits continues | The Daily Swig (portswigger.net)

• Record-Breaking Year for Ransomware Attacks, WatchGuard Research Predicts - MSSP Alert

• Cyber Security Experts Warn of Emerging Threat of "Black Basta" Ransomware (thehackernews.com)

• 5 years after NotPetya: Lessons learned | CSO Online

• AstraLocker 2.0 infects users directly from Word attachments (bleepingcomputer.com)

• Mitel VoIP Bug Exploited in Ransomware Attacks | Threatpost

• Black Basta Ransomware Gang Attacks 50 Companies, Cybereason Reports - MSSP Alert

• How Dangerous Is BlackBasta Ransomware? (informationsecuritybuzz.com)

• LockBit 3.0 Debuts With Ransomware Bug Bounty Program (darkreading.com)

• Black Basta Ransomware Operators Expand Their Attack Arsenal With QakBot Trojan and PrintNightmare Exploit (trendmicro.com)

• Son of Conti: Ransomware tries its hand at politics - The Record by Recorded Future

• Kaseya Ransomware - Cyber Leader’s Thoughts & Learnings One Year Later (informationsecuritybuzz.com)

• Are Protection Payments the Future of Ransomware? (tripwire.com)

• Conti vs. LockBit: A Comparative Analysis of Ransomware Groups (trendmicro.com)

• This new malware is at the heart of the ransomware ecosystem | ZDNet

• Macmillan Publishing shuts down systems after likely ransomware attack (bleepingcomputer.com)

• Walmart denies being hit by Yanluowang ransomware attack (bleepingcomputer.com)

• Fake copyright infringement emails install LockBit ransomware (bleepingcomputer.com)

• Cisco Talos techniques uncover ransomware sites on dark web (techtarget.com)

• RansomHouse gang claims to have some stolen AMD data • The Register

• 'Prolific' NetWalker extortionist pleads guilty • The Register

Phishing & Email Based Attacks

• Google Warns About Hacker-for-Hire Services Trying to Phish Users (pcmag.com)

• Clever phishing method bypasses MFA using Microsoft WebView2 apps (bleepingcomputer.com)

• Cyber Attacks via Unpatched Systems Cost Orgs More Than Phishing (darkreading.com)

• How phishing attacks are becoming more sophisticated - Help Net Security

• How Evilnum Cyber Attacks Target Microsoft Office Files - MSSP Alert

• New Matanbuchus Campaign drops Cobalt Strike beacons - Security Affairs

• Kaspersky Reveals Phishing Emails That Employees Find Most Confusing (darkreading.com)

• Ukraine arrests cyber crime gang operating over 400 phishing sites (bleepingcomputer.com)

Malware

• Microsoft finds Raspberry Robin worm in hundreds of Windows networks (bleepingcomputer.com)

• Microsoft Exchange servers worldwide backdoored with new malware (bleepingcomputer.com)

• Microsoft warning: This malware that targets Linux just got a big update | ZDNet

• ZuoRAT Hijacks SOHO Routers From Cisco, Netgear (darkreading.com)

• XFiles info-stealing malware adds support for Follina delivery (bleepingcomputer.com)

• Raccoon Stealer is back with a new version to steal your passwords (bleepingcomputer.com)

• Minors Use Discord Servers To Earn Extra Pocket Money Through Spreading Malware (informationsecuritybuzz.com)

• PyPi python packages caught sending stolen AWS keys to unsecured sites (bleepingcomputer.com)

Mobile

• Android Spyware 'Revive' Upgraded to Banking Trojan - Infosecurity Magazine

• Google warns Hermit spyware is infecting phones. What is it and how do you protect yourself from it? | Mashable

• Phone Hackers: 9 Ways To Tell If You Have Fallen Victim (informationsecuritybuzz.com)

• Apple revokes certificates for Hermit spyware app - 9to5Mac

• Google Warns of New Spyware Targeting iOS and Android Users - IT Security Guru

Internet of Things – IoT

• Swarm of malfunctioning driverless taxis brings traffic to a halt for hours (telegraph.co.uk)

Data Breaches/Leaks

• Millions of free VPN user records leaked | TechRadar

• Leaky Access Tokens Exposed Amazon Photos of Users | Threatpost

• California gun dashboards expose 10 years of personal data • The Register

Organised Crime & Criminal Actors

• The strange business of cyber crime | CSO Online

• Russia-China cyber criminal collaboration could “destabilize” international order | CSO Online

• Canadian admits to hacking spree with Russian cyber-gang - BBC News

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

• Pentagon finds concerning vulnerabilities on blockchain | TechRepublic

• Threat actors sell access to tens of vulnerable networks compromised by exploiting Atlassian 0daySecurity Affairs

• Hackers steal $100m from another breached crypto bridge | TechRadar

• Santander Warns of 87% Surge in UK Crypto Scams - Infosecurity Magazine

• Dozens of cryptography libraries vulnerable to private key theft | The Daily Swig (portswigger.net)

• Missing Cryptoqueen: FBI adds Ruja Ignatova to top ten most wanted - BBC News

• Singapore warns of ‘brutal, unrelentingly hard’ crypto regs • The Register

Insider Risk and Insider Threats

• Rogue HackerOne employee steals bug reports to sell on the side (bleepingcomputer.com)

• Japanese worker loses city's personal data in USB fail • The Register

• How you handle independent contractors may determine your insider threat risk | CSO Online

Fraud, Scams & Financial Crime

• Threat actors increasingly use third parties to run their scams - Help Net Security

• Santander Warns of 87% Surge in UK Crypto Scams - Infosecurity Magazine

• Evolving online habits have paved the way for fraud. What can we do about it? - Help Net Security

Insurance

• Cyber Insurance: The Good, the Bad, and the Ugly - IT Security Guru

Software Supply Chain

• It's a Race to Secure the Software Supply Chain — Have You Already Stumbled? (darkreading.com)

• Over a Decade in Software Security: What Have We learned? - IT Security Guru

Denial of Service DoS/DDoS

• Russian hacktivists take down Norway govt sites in DDoS attacks (bleepingcomputer.com)

Attack Surface Management

• Digital Shadows Weaken Your Attack Surface (securityintelligence.com)

Shadow IT

• Shadow IT Spurs 1 in 3 Cyber Attacks (darkreading.com)

• What is Shadow IT and why is it so risky? (thehackernews.com)

Open Source

• CISA Warns of Active Exploitation of 'PwnKit' Linux Vulnerability in the Wild (thehackernews.com)

Passwords, Credential Stuffing & Brute Force Attacks

• RansomHouse Hackers Claim to Breach AMD With Bad Passwords (gizmodo.com)

• Breaking Down the Zola Hack and Why Password Reuse is so Dangerous (bleepingcomputer.com)

• Raccoon Stealer is back with a new version to steal your passwords (bleepingcomputer.com)

Social Media

• Verified Twitter accounts hacked to send fake suspension notices (bleepingcomputer.com)

• Facebook Business Pages Targeted via Chatbot in Data-Harvesting Campaign (darkreading.com)

• New YTStealer malware steals accounts from YouTube Creators (bleepingcomputer.com)

• Facebook 2FA phish arrives just 28 minutes after scam domain created – Naked Security (sophos.com)

Training, Education and Awareness

• Time Constraints Hamper Security Awareness Programs (darkreading.com)

Privacy

• ‘Supercookies’ Have Privacy Experts Sounding the Alarm | WIRED

• UK should immediately ban use of live facial recognition, warns report | Financial Times (ft.com)

• Snoopers’ Charter Ruled Partially Unlawful - Infosecurity Magazine

• We must stop sleepwalking towards a surveillance state | Financial Times (ft.com)

Parental Controls and Child Safety

• How parents can talk about online safety and personal info protection with their kids - Help Net Security

Regulations, Fines and Legislation

• Manx government department fined over data breach - BBC News

• Clearview fine: The unacceptable face of modern surveillance - Help Net Security

• UK security services must seek approval to access telecoms data, judges rule | UK security and counter-terrorism | The Guardian

Law Enforcement Action and Take Downs

• Global Police Crack Down on Online Sexual Exploitation - Infosecurity Magazine

Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine

• Lethal drinking water, runs on banks and panic buying: What a real Undeclared War cyber attack could mean (inews.co.uk)

• Microsoft's Defending Ukraine report offers fresh details on digital conflict and disinformation | CSO Online

• Clear Rules Needed to Prevent Conflict and Struggle in Cyber Space, Says NCSC Chief - Infosecurity Magazine

• NATO to create cyber rapid response force, increase cyber defence aid to Ukraine - CyberScoop

• Could the Russian cyber attack on Lithuania draw a military response from NATO? | World News | Sky News

• Evilnum hackers return in new operation targeting migration orgs (bleepingcomputer.com)

• Commercial cyber products must be used responsibly, says NCSC CEO (computerweekly.com)

• G7 to tackle cyber threats and disinformation from Russia: communique | Reuters

• Google Warns of New Spyware Targeting iOS and Android Users - IT Security Guru

• Apple revokes certificates for Hermit spyware app - 9to5Mac

• China lured graduate jobseekers into digital espionage | Ars Technica

• FCC commissioner calls TikTok Chinese spyware and wants it pulled from mobile app stores (androidpolice.com)

• Google warns Hermit spyware is infecting phones. What is it and how do you protect yourself from it? | Mashable

Nation State Actors

Nation State Actors – Russia

• Ukraine targeted by almost 800 cyber attacks since the war started (bleepingcomputer.com)

• Russia-linked actors may be behind an explosion at a liquefied natural gas plant in Texas - Security Affairs

• Russian Hacker Group Says Cyber Attacks Continue On Lithuania (informationsecuritybuzz.com)

• Russian hacktivists take down Norway govt sites in DDoS attacks (bleepingcomputer.com)

• Russia's Killnet hacker group says it attacked Lithuania | Reuters

Nation State Actors – China

• Chinese Threat Actor Targets Rare Earth Mining Companies in North America, Australia | SecurityWeek.Com

• Chinese Hackers Target Building Management Systems | SecurityWeek.Com

• China lured graduate jobseekers into digital espionage | Ars Technica

Nation State Actors – North Korea

• Experts blame North Korea-linked Lazarus APT for Harmony hack - Security Affairs

Vulnerability Management

• 18 Zero-Days Exploited So Far in 2022 (darkreading.com)

• Why more zero-day vulnerabilities are being found in the wild | CSO Online

• Cyber Attacks via Unpatched Systems Cost Orgs More Than Phishing (darkreading.com)

• Solving the indirect vulnerability enigma - fixing indirect vulnerabilities without breaking your dependency tree (thehackernews.com)

• Microsoft's quiet mishandling of vulnerabilities is becoming a public mess - OnMSFT.com

Vulnerabilities

• MITRE shares this year's list of most dangerous software bugs (bleepingcomputer.com)

• Critical ManageEngine ADAudit Plus Vulnerability Allows Network Takeover, Mass Data Exfiltration (darkreading.com)

• How and why threat actors target Microsoft Active Directory | CSO Online

• Atlassian Confluence Exploits Peak at 100K Daily (darkreading.com)

• Patch Now: Linux Container-Escape Flaw in Azure Service Fabric (darkreading.com)

• Zoho ManageEngine ADAudit Plus bug gets public RCE exploit (bleepingcomputer.com)

• OpenSSL 3.0.5 awaits release to fix potential security flaw • The Register

• CISA: Adopt Modern Auth now for Exchange Online • The Register

• CISA Warns of Active Exploitation of 'PwnKit' Linux Vulnerability in the Wild (thehackernews.com)

• CISA orders agencies to patch Windows LSA bug exploited in the wild (bleepingcomputer.com)

• Mitel VoIP Bug Exploited in Ransomware Attacks | Threatpost

• Log4Shell Vulnerability in VMware Leads to Data Exfiltration and Ransomware (trendmicro.com)

• Jenkins discloses dozens of zero-day bugs in multiple plugins (bleepingcomputer.com)

• New UnRAR Vulnerability Could Let Attackers Hack Zimbra Webmail Servers (thehackernews.com)

Sector Specific

Critical National Infrastructure (CNI)

• Stress and Burnout Could Lead to Exodus of CNI Cyber Security Leaders - Infosecurity Magazine

Financial Services Sector

• Android Spyware 'Revive' Upgraded to Banking Trojan - Infosecurity Magazine

FinTech

• A Fintech Horror Story: How One Company Prioritizes Cyber Security (darkreading.com)

• Security and compliance concerns limit ‘open finance’ expansion, say executives (scmagazine.com)

Telecoms

• Why the next-gen telecom ecosystem needs better regulations (techtarget.com)

OT, ICS, IIoT, SCADA and Cyber-Physical Systems

• APT Hackers Targeting Industrial Control Systems with ShadowPad Backdoor (thehackernews.com)

• Cyber-Physical Security: Benchmarking to Advance Your Journey | SecurityWeek.Com

• Critical Security Flaws Identified in CODESYS ICS Automation Software (thehackernews.com)

• Microsoft Exchange bug abused to hack building automation systems (bleepingcomputer.com)

• 5 Cyber Security Tips for Smart Buildings - IT Security Guru

• Chinese Hackers Target Building Management Systems | SecurityWeek.Com

• OT security: Helping under-resourced critical infrastructure organisations - Help Net Security

Energy & Utilities

Oil, Gas and Mining

Chinese Threat Actor Targets Rare Earth Mining Companies in North America, Australia | SecurityWeek.Com

Food and Agriculture

• Wiltshire Farm Foods Cyberattack (informationsecuritybuzz.com)

Education and Academia

• Threat Actor Claims Responsibility For IBM and Stanford University Hack - Infosecurity Magazine (infosecurity-magazine.com)

Web3

• Securing the Metaverse and Web3 | SecurityWeek.Com

• Cyber security and the metaverse: Identifying the weak spots | VentureBeat

Reports Published in the Last Week

• State of Email Security | Mimecast

• Q1 2022 Incident Response Insights from Tetra Defense | Arctic Wolf

• State of Data Exfiltration and Extortion 2022 - Titaniam

• SANS 2022 Security Awareness Report: Human Risk Remains the Biggest Threat to Your Organisation’s Cyber Security | SANS Institute

• Defending Ukraine: Early Lessons from the Cyber War - Microsoft On the Issues

Other News

• Cyber Attacks Gain Steam in Early '22: Tetra Defense Report - MSSP Alert

• FBI warns crooks are using deepfake videos in job interviews • The Register

• Destructive firmware attacks pose a significant threat to businesses - Help Net Security

• 48% of security practitioners seeing 3x increase in alerts per day - Help Net Security

• Adversarial machine learning explained: How attackers disrupt AI and ML systems | CSO Online

• Companies are desperate for cyber security workers—more than 700K positions need to be filled | Fortune

• 82% Cyber Breaches In Verizon’s Report Preventable, Says MyCena (informationsecuritybuzz.com)

• SolarWinds hack explained: Everything you need to know (techtarget.com)

• Properly securing APIs is becoming increasingly urgent - Help Net Security

• 97% Of UK Business Leaders Expect Quantum Computing to Disrupt Their Sectors - Infosecurity Magazine

• LGBTQ+ folks warned of dating app extortion scams • The Register

• What is Zero Trust and why would you want it? • The Register

• Tencent admits to poisoned QR code attack on QQ accounts • The Register

• Exploring the insecurity of readily available Wi-Fi networks - Help Net Security

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

• Fifth of Businesses Say Cyber Attack Nearly Broke Them

A fifth of US and European businesses have warned that a serious cyber attack nearly rendered them insolvent, with most (87%) viewing compromise as a bigger threat than an economic downturn, according to Hiscox.

The insurer polled over 5000 businesses in the US, UK, Ireland, France, Spain, Germany, the Netherlands and Belgium to compile its annual Hiscox Cyber Readiness Report.

It revealed the potentially catastrophic financial damage that a serious cyber-attack can wreak. The number claiming to have nearly been brought down by a breach increased 24% compared to the previous year.

Nearly half (48%) of respondents said they suffered an attack over the past 12 months, a 12% increase from the previous report’s findings. Perhaps unsurprisingly, businesses in seven out of eight countries see cyber as their biggest threat.

Yet perception appears to vary greatly depending on whether an organisation has suffered a serious compromise or not. While over half (55%) of total respondents said they view cyber as a high-risk area, the figure among companies that have not yet suffered an attack is just 36%.

https://www.infosecurity-magazine.com/news/fifth-of-businesses-cyber-attack/

• Weak Security Controls and Practices Routinely Exploited for Initial Access

Cyber actors routinely exploit poor security configurations (either misconfigured or left unsecured), weak controls, and other poor cyber hygiene practices to gain initial access or as part of other tactics to compromise a victim’s system. A joint Cybersecurity Advisory by the cyber security authorities of the United States, Canada, New Zealand, the Netherlands, and the United Kingdom identifies commonly exploited controls and practices and includes best practices to mitigate the issues.

Malicious cyber actors often exploit the following common weak security controls, poor configurations, and poor security practices to employ the initial access techniques.

• Multifactor authentication (MFA) is not enforced

• Incorrectly applied privileges or permissions and errors within access control lists

• Software is not up to date

• Use of vendor-supplied default configurations or default login usernames and passwords

• Remote services, such as a virtual private network (VPN), lack sufficient controls to prevent unauthorised access

• Strong password policies are not implemented

• Cloud services are unprotected

• Open ports and misconfigured services are exposed to the internet

• Failure to detect or block phishing attempts

• Poor endpoint detection and response.

https://www.cisa.gov/uscert/ncas/alerts/aa22-137a

• How Do Ransomware Attacks Impact Victim Organisations’ Stock?

Ransomware has developed into an extremely lucrative business model with little risk involved for the threat actors. Couple this with the willingness of most victim organisations to pay the ransom demand under the assumption it will return business operations to normal - ultimately encouraging more attacks - and we have a big problem with no easy remedies.

Back in 2021, Cybereason published a report titled Ransomware Attacks and the True Cost to Business that revealed the various costs that organisations face after falling victim to a ransomware attack. Here are some of the most significant findings that stood out:

• Two-thirds of ransomware victims said that they endured a significant loss of revenue following the attack

• More than half (53%) of organisations suffered damage to their brand and reputation after a ransomware infection

• A third of those who fell to ransomware lost C-level talent in the attack’s aftermath

• Three in 10 organisations had no choice but to lay off employees due to the financial pressures resulting from a ransomware incident

• A quarter of ransomware victims said that they needed to suspend operations.

https://www.msspalert.com/cybersecurity-guests/how-do-ransomware-attacks-impact-victim-organizations-stock/

• Prioritise Patching Vulnerabilities Associated with Ransomware

In the last quarter, ransomware attacks have made mainstream headlines on a near-daily basis, with groups like Lapsus$ and Conti’s names splashed across the page. Major organisations like Okta, Globant and Kitchenware maker Meyer Corporation have all fallen victim, and they are very much not alone. The data indicates that increasing vulnerabilities, new advanced persistent threat (APT) groups and new ransomware families are contributing to ransomware’s continued prevalence and profitability.

The top stats include:

• 22 new vulnerabilities and nine new weaknesses have been associated with ransomware since January 2022; of the 22, a whopping 21 are considered of critical or high risk severity

• 19 (out of 22) of the newly-added vulnerabilities are associated with the Conti ransomware gang

• Three new APT groups (Exotic Lily, APT 35, DEV-0401) and four new ransomware families (AvosLocker, Karma, BlackCat, Night Sky) are deploying ransomware to attack their targets

• 141 of CISA’s Known Exploited Vulnerabilities (KEVs) are being used by ransomware operators – including 18 newly identified this quarter

• 11 vulnerabilities tied to ransomware remain undetected by popular scanners

• 624 unique vulnerabilities were found within the 846 healthcare products analysed.

https://www.helpnetsecurity.com/2022/05/19/increase-ransomware-vulnerabilities/

• Researchers Warn of Advanced Persistent Threats (APTs), Data Leaks as Serious Threats Against UK Financial Sector

Researchers say that geopolitical tension, ransomware, and cyber attacks using stolen credentials threaten the UK's financial sector.

KELA's security team published a report examining the cyber security issues and attacks that surfaced in 2021 and early 2022, specifically focused on the United Kingdom's banks and other financial services.

The UK was one of the first countries to stand with Ukraine after the invasion by Russia. This could make UK organisations a tempting target for threat actors siding with Russia - whether by state-sponsored advanced persistent threat (APT) groups or hacktivists. The National Cyber Security Centre (NCSC) previously warned businesses to shore up their cyber security following Russia's assault.

APTs are often responsible for attacking the financial sector: account credentials, card numbers, and the personally identifiable information (PII) of customers are useful not only in social engineering and identity theft but also to make fraudulent purchases or for card cloning.

APTs target organisations worldwide, and those located in the UK are no exception. Over the past few years, APTs, including the Chinese APT40 and APT31, have utilised vulnerabilities, including ProxyLogon, to compromise UK businesses.

"In general, APTs may target the financial sector to commit fraud, burglarise ATMs, execute transactions, and penetrate organisations' internal financial systems," KELA says. "Although specific threats to the UK financial sector have not been identified, there is no doubt that the UK has occasionally been a target of APT groups during 2021."

Exposed corporate information and leaked credentials are also of note. After browsing Dark Web forums, the researchers found that UK data is "in demand" by cyber criminals who are seeking PII, access credentials, and internal data.

https://www.zdnet.com/article/researchers-warn-of-apts-data-leaks-as-serious-threats-against-uk-financial-sector/

• Remote Work Hazards: Attackers Exploit Weak WiFi, Endpoints, and the Cloud

Infoblox unveils a global report examining the state of security concerns, costs, and remedies. As the pandemic and uneven shutdowns stretch into a third year, organisations are accelerating digital transformation projects to support remote work. Meanwhile, attackers have seized on vulnerabilities in these environments, creating more work and larger budgets for security teams.

1,100 respondents in IT and cyber security roles in 11 countries – United States, Mexico, Brazil, United Kingdom, Germany, France, the Netherlands, Spain, United Arab Emirates, Australia, and Singapore – participated in the survey.

The surge in remote work has changed the corporate landscape significantly – and permanently. 52% of respondents accelerated digital transformation projects, 42% increased customer portal support for remote engagement, 30% moved apps to third party cloud providers, and 26% shuttered physical offices for good. These changes led to the additions of VPNs and firewalls, a mix of corporate and employee owned devices as well as cloud and on-premises DDI servers to manage data traffic across the expanded network.

The hybrid workforce reality is causing greater concerns with data leakage, ransomware and attacks through remote access tools and cloud services. Respondents indicate concerns about their abilities to counter increasingly sophisticated cyber attacks with limited control over employees, work-from-home technologies, and vulnerable supply chain partners. The sophistication of state-sponsored malware also is a source of worry for many.

Organisations have good reason to worry: 53% of respondents experienced up to five security incidents that led to at least one breach.

https://www.helpnetsecurity.com/2022/05/17/state-of-security/

• Small Businesses Under Fire from Password Stealers

Password-stealing malware and other cyber attacks have increased significantly against small businesses over the past year, according to Kaspersky researchers.

An assessment released this week detailed the number of Trojan Password Stealing Ware (PSW) detections, internet attacks and attacks on Remote Desktop Protocol (RDP) between January and April 2022, compared with the same time frame from 2021. Kaspersky's research showed a jump in the detection of password stealers within small business environments, as well as increases in other types of cyber attacks.

According to Kaspersky, the biggest increase in threats against small businesses was password stealers, specifically Trojan PSWs. There were nearly 1 million more detected Trojan PSWs targeting small and medium-sized businesses in the first trimester of 2022 than the first of 2021, increasing from 3,029,903 to 4,003,323.

https://www.techtarget.com/searchsecurity/news/252518442/Small-businesses-under-fire-from-password-stealers

• Email Is the Riskiest Channel for Data Security

Research from Tessian and the Ponemon Institute reveals that nearly 60% of organisations experienced data loss or exfiltration caused by an employee mistake on email in the last 12 months.

Email was revealed as the riskiest channel for data loss in organisations, as stated by 65% of IT security practitioners. This was closely followed by cloud file-sharing services (62%) and instant messaging platforms (57%).

The research surveyed 614 IT security practitioners across the globe to also reveal that:

• Employee negligence, because of not following policies, is the leading cause of data loss incidents (40%)

• 27% of data loss incidents are caused by malicious insiders

• It takes up to three days for security and risk management teams to detect and remediate a data loss and exfiltration incident caused by a malicious insider on email

• 23% of organisations experience up to 30 security incidents involving employees’ use of email every month (for example, email was sent to an unintended recipient).

The most common types of confidential and sensitive information lost or intentionally stolen include: customer information (61%); intellectual property (56%); and consumer information (47%). User-created data (sensitive email content, text files, M&A documents), regulated data (credit card data, Social Security numbers, national ID numbers, employee data), and intellectual property were identified as the three types of data that are most difficult to protect from data loss.

The top two consequences for data loss incidents were revealed as non-compliance with data protection regulations (57%) and damage to an organisation’s reputation (52%). Furthermore, a previous study from Tessian found that 29% of businesses lost a client or customer because of an employee sending an email to the wrong person.

https://www.helpnetsecurity.com/2022/05/20/data-loss-email/

• Phishing Attacks for Initial Access Surged 54% in Q1

Threat actors doubled down on their use of phishing emails as an initial attack vector during the first quarter of 2022 — and in many cases then used that access to drop ransomware or to extort organisations in other ways.

Researchers from Kroll recently analysed data gathered from security incidents they responded to in the first three months of this year. The analysis showed a 54% increase in incidents of phishing for initial access compared with the same period last year.

For the first time since Microsoft disclosed the so-called ProxyLogon set of vulnerabilities in Exchange Server in the first quarter of 2021, incidents tied to email compromises surpassed those related to ransomware. Kroll described the sharp increase in phishing activity as likely the result of a surge in activity tied to Emotet and IceID malware — threat actors have been using both to drop other malware.

https://www.darkreading.com/risk/phishing-attacks-for-initial-access-surged-q1

• Fears Grow for Smaller Nations After Ransomware Attack on Costa Rica Escalates

Conti demanded $20M in ransom — and the overthrow of the government.

It’s been a rough start for the newly elected Costa Rica president Rodrigo Chaves, who less than a week into office declared his country “at war” with the Conti ransomware gang.

“We’re at war and this is not an exaggeration,” Chaves told local media. “The war is against an international terrorist group, which apparently has operatives in Costa Rica. There are very clear indications that people inside the country are collaborating with Conti.”

Conti’s assault on the Costa Rican government began in April. The country’s Finance Ministry was the first hit by the Russia-linked hacking group, and in a statement on May 16, Chaves said the number of institutions impacted had since grown to 27. This, he admitted, means civil servants wouldn’t be paid on time and will impact the country’s foreign trade.

In a message posted to its dark web leaks blog, Conti urged the citizens of Costa Rica to pressure their government to pay the ransom, which the group doubled from an initial $10 million to $20 million. In a separate statement, the group warned: “We are determined to overthrow the government by means of a cyber attack, we have already shown you all the strength and power.”

Conti is among the most prolific hacking groups. The FBI warned earlier this year that the gang was among “the three top variants” that targeted businesses in the United States, and it has been blamed for ransomware attacks targeting dozens of businesses, including Fat Face, Shutterfly and the Irish healthcare service.

But Conti has picked up its pace in recent months: In January and February it published 31 victims on its leaks blog. In March and April, it posted 133 victims.

https://techcrunch.com/2022/05/20/costa-rica-ransomware-attack/

Threats

Ransomware

• Ransomware Gangs Rely More on Weaponizing Vulnerabilities (bleepingcomputer.com)

• Ransomware Gang Extorted 725 BTC in One Attack, On-Chain Sleuths Find (coindesk.com)

• 5 Critical Questions to Test Your Ransomware Preparedness - Help Net Security

• “Alarming” Surge in Conti Group Activity This Year - Infosecurity Magazine

• Why AI-Powered Ransomware Cyber Attacks Could Be Coming Soon - Protocol

• Nikkei Says Customer Data Likely Impacted in Ransomware Attack | SecurityWeek.Com

• Wizard Spider Hackers Hire Cold Callers to Scare Ransomware Victims Into Paying Up | ZDNet

• Greenland Hit by Cyber Attack, Finds Its Health Service Crippled (bitdefender.com)

• Conti Ransomware Shuts Down Operation, Rebrands into Smaller Units (bleepingcomputer.com)

• No One Is Slowing Down BlackByte Ransomware Gang • The Register

• President Rodrigo Chaves says Costa Rica is at war with Conti hackers - BBC News

• Engineering Firm Parker Discloses Data Breach After Ransomware Attack (bleepingcomputer.com)

• US links Thanos and Jigsaw ransomware to 55-year-old doctor (bleepingcomputer.com)

• Russian Conti Ransomware Gang Threatens to Overthrow New Costa Rican Government (thehackernews.com)

Phishing & Email Based Attacks

• This Phishing Attack Delivers Three Forms of Malware. And They All Want to Steal Your Data | ZDNet

• HTML Attachments Remain Popular Among Phishing Actors In 2022 (bleepingcomputer.com)

• Chatbot Army Deployed in Latest DHL Shipping Phish (darkreading.com)

• Phishing Gang That Stole Over 400,000 Euros Busted in Spain (tripwire.com)

• Long Lost @ Symbol Gets New Life Obscuring Malicious URLs | Malwarebytes Labs

• Spanish Police Dismantle Phishing Gang That Emptied Bank Accounts (bleepingcomputer.com)

Malware

• Emotet is the Most Common Malware - Help Net Security

• Microsoft Identifies Botnet Variant Targeting Windows and Linux Systems - Infosecurity Magazine

• Activity of the Linux XorDdos bot increased by 254% over the last 6 monthsSecurity Affairs

• Fake Domains Offer Windows 11 Installers - But Deliver Malware Instead | ZDNet

• Bruised but Not Broken: The Resurgence of the Emotet Botnet Malware (trendmicro.com)

• Malicious PyPI Pymafka Package Opens Backdoors On Windows, Linux, and Macs (bleepingcomputer.com)

• April VMware Bugs Abused to Deliver Mirai Malware, Exploit Log4Shell | Threatpost

Mobile

• 6 Scary Tactics Used in Mobile App Attacks (darkreading.com)

• Researchers Find Potential Way to Run Malware on iPhone Even When it's OFF (thehackernews.com)

• Google TAG: Cytrox's Predator Spyware Used to Target Android Users | WIRED

IoT

• New Bluetooth Hack Could Let Attackers Remotely Unlock Smart Locks and Cars (thehackernews.com)

Data Breaches/Leaks

• Cornwall Council Data Breach - Information Security Buzz

• Pharmacy Giant Hit By Data Breach Affecting 3.6 Million Customers - Infosecurity Magazine

Organised Crime & Criminal Actors

• Ukrainian Hacker Jailed for 4-Years in U.S. for Selling Access to Hacked Servers (thehackernews.com)

• US Recovers a Record $15m from the 3ve Ad-Fraud Crew • The Register

Cryptocurrency/Cryptomining/Cryptojacking/NFTs

• How Cryptocurrencies Enable Attackers and Defenders (techtarget.com)

• Monero-Mining Sysrv Botnet Targets Windows, Linux Web Servers • The Register

• US Brings First-Of-Its-Kind Bitcoin Sanctions-Busting Case • The Register

• Fake Pixelmon NFT Site Infects You with Password-Stealing Malware (bleepingcomputer.com)

• Hackers Compromise a String of NFT Discord Channels (vice.com)

Fraud, Scams & Financial Crime

• Popularity Of Online Payment Goes Hand-In-Hand with Fraud - Help Net Security

Supply Chain and Third Parties

• MITRE Creates Framework for Supply Chain Security (darkreading.com)

• The Four Horsemen of Software Supply Chain Attacks - MSSP Alert

• Recovering From a Cyber Security Earthquake: The Lessons Organisations Must Learn - Help Net Security

Cloud/SaaS

• 7 Key Findings from the 2022 SaaS Security Survey Report (thehackernews.com)

• New Research Identifies Poor IAM Policies as The Greatest Cloud Vulnerability - CyberScoop

• Are You Investing in Securing Your Data in the Cloud? (thehackernews.com)

• 380K Kubernetes API Servers Exposed to Public Internet | Threatpost

Open Source

• The Industry Must Better Secure Open Source Code From Threat Actors (darkreading.com)

Privacy

• How To Ensure That the Smart Home Doesn’t Jeopardize Data Privacy? - Help Net Security

• Privacy. Ad Bidders Haven't Heard of It, Report Reveals • The Register

• Third-Party Web Trackers Log What You Type Before Submitting (bleepingcomputer.com)

Passwords & Credential Stuffing

• The Most Insecure and Easily Hackable Passwords - Help Net Security

• Half of IT Leaders Store Passwords in Shared Docs - Infosecurity Magazine

Cyber Bullying and Cyber Stalking

• UK Sextortion Cases Doubled in 2021 - Infosecurity Magazine

Regulations, Fines and Legislation

• Europe Moves Closer to Stricter Cyber Security Standards • The Register

• EU's NIS 2 Directive to Strengthen Cyber Security Requirements For Companies - Help Net Security

Spyware, Espionage & Cyber Warfare, including Russian Invasion of Ukraine

• Google TAG: Cytrox's Predator Spyware Used to Target Android Users | WIRED

• Britain can legally launch cyber attacks against hostile states, says Attorney General (telegraph.co.uk)

• How Mobile Networks Have Become a Front in the Battle for Ukraine (darkreading.com)

• China-linked Twisted Panda Caught Spying on Russian R&D Orgs • The Register

• Pro-Russian Hackers Spread Hoaxes to Divide Ukraine, Allies | SecurityWeek.Com

• A custom PowerShell RAT Targets Germany Using Crisis in Ukraine as Bait - Security Affairs

Nation State Actors

Nation State Actors – Russia

• Putin Promises to Bolster Russia's IT Security in Face of Cyber Attacks | Reuters

• Russian Hackers Declare War On 10 Countries After Failed Eurovision DDoS attack | IT PRO

• Pro-Russian Information Operations Escalate in Ukraine War (darkreading.com)

• Russian Undersea Cable Threat Shifts Tech Business to UK (telegraph.co.uk)

• Russians Allegedly Storm Ukrainian ISP, Blackmail It to Switch To Russian Networks - CyberScoop

• Russia-linked Sandworm Continues to Conduct Attacks Against Ukraine - Security Affairs

• Russian Cyber Attack on Eurovision Foiled By Italian Authorities (bitdefender.com)

• This Russian Botnet Does Far More Than DDoS Attacks - And on A Massive Scale | ZDNet

Nation State Actors – China

• Chinese ‘Space Pirates’ are Hacking Russian Aerospace Firms (bleepingcomputer.com)

Nation State Actors – North Korea

• FBI Warns of North Korean Spies Posing as Foreign IT Workers • The Register

Nation State Actors – Iran

• US Charges Venezuelan Doctor with Selling Ransomware Used By Iranian Group | Reuters

Vulnerability Management

• APTs Overwhelmingly Share Known Vulnerabilities Rather Than Attack O-Days | Threatpost

• How Micropatching Could Help Close the Security Update Gap (techtarget.com)

• Partial Patching Still Provides Strong Protection Against APTs (darkreading.com)

Vulnerabilities

• QNAP Urges Users to Update NAS Devices to Prevent Deadbolt Ransomware Attacks (thehackernews.com)

• Cisco Fixes an IOS XR Flaw Actively Exploited in The Wild - Security Affairs

• 2 Vulnerabilities With 9.8 Severity Ratings Are Under Exploit. A 3rd Looms | Ars Technica

• Microsoft Rushes a Fix After May Patch Tuesday Breaks Authentication (darkreading.com)

• Microsoft Fixes New PetitPotam Windows NTLM Relay Attack Vector (bleepingcomputer.com)

• Apple Patches Zero-Day Kernel Hole and Much More – Update Now! – Naked Security (sophos.com)

• Two Business-Grade Netgear VPN Routers Have Security Vulnerabilities That Can't Be Fixed - Help Net Security

• SharePoint RCE Bug Resurfaces Three Months After Being Patched by Microsoft | The Daily Swig (portswigger.net)

• High-Severity Bug Reported in Google's OAuth Client Library for Java (thehackernews.com)

• Over 20,000 Zyxel Firewalls Still Exposed to Critical Bug - Infosecurity Magazine

• Apple Fixes the Sixth Zero-Day Since The Beginning of 2022 - Security Affairs

• Apache Releases Security Advisory for Tomcat | CISA

• Mozilla Patches Wednesday’s Pwn2Own Double-Exploit… on Friday! – Naked Security (sophos.com)

• Critical Vulnerability in Premium WordPress Themes Allows for Site Takeover | Threatpost

• Critical Jupiter WordPress Plugin Flaws Let Hackers Take Over Sites (bleepingcomputer.com)

• Apple Finally Patches Exploited Vulnerabilities in macOS Big Sur, Catalina | SecurityWeek.Com

• NVIDIA Fixes Ten Vulnerabilities in Windows GPU Display Drivers (bleepingcomputer.com)

• Gmail-Linked Facebook Accounts Vulnerable to Attack Using A Chain Of Bugs—Now Fixed | Malwarebytes Labs

• New Brute Force Attacks Against SQL Servers Use PowerShell Wrapper | SecurityWeek.Com

Sector Specific

Retail/eCommerce

• How Crooks Backdoor Sites and Scrape Credit Card Info • The Register

• Digital Skimming is Now the Preserve of Non-Magecart Groups - Infosecurity Magazine

Energy & Utilities

• Water Companies Are Increasingly Uninsurable Due To Ransomware, Industry Execs Say - CyberScoop

• UK Announces Nuclear Cyber Security Strategy - IT Security Guru

Education and Academia

• Ransomware Attack Exposes Data of 500,000 Chicago Students (bleepingcomputer.com)

• Higher Education Institutions Being Targeted for Ransomware Attacks | TechRepublic

• “Incompetent” Council Leaks Details of Students With Special Educational Needs • Graham Cluley

• Researchers Find Backdoor in School Management Plugin for WordPress (thehackernews.com)

Reports Published in the Last Week

• Q2 2022 State of Fraud & Account Security Report - Arkose Labs

• 2022 SaaS Security Survey Report (adaptive-shield.com)

• 2021-2022 UK Financial Sector Dark Web Threat Landscape Report - Kela (ke-la.com)

Other News

• UK Government: Lack of Skills the Number One Issue in Cyber Security - Infosecurity Magazine

• Malicious Hackers Are Finding It Too Easy to Achieve Their Initial Access (tripwire.com)

• NIST’s Cyber Security Framework Has Become The Common Language For International Cyber Security (scmagazine.com)

• How Threat Actors Are a Click Away From Becoming Quasi-APTs (darkreading.com)

• Cyber Security: Global Food Supply Chain at Risk From Malicious Hackers - BBC News

• Cyber Security Agencies Reveal Top Initial Access Attack Vectors (bleepingcomputer.com)

• 50% of Orgs Rely on Email to Manage Security (darkreading.com)

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

Many Workers Ignore Security Risks To Maximize Productivity

A large proportion of employees often take shortcuts to optimize productivity at work, despite understanding the security risks, new data suggests. According to a survey which polled 8,000 workers worldwide, almost four in five (79%) have engaged in one or more “risky activity” in the past twelve months. In a third of cases (35%), this involved saving passwords to their browser. A similar percentage admitted to using a single password across multiple online accounts, while 23% connected personal devices to corporate networks.

https://www.itproportal.com/news/many-workers-ignore-security-risks-to-maximize-productivity/

Financial Services Accounting For Nearly 40% Of All Phishing URLs

A report was released for H1 2021, which revealed that there has been a major jump in phishing attacks since the start of the year with a 281 percent spike in May and another 284 percent increase in June, for a total of 4.2 billion phishing emails detected for June alone. For this 6-month window researchers identified Crédit Agricole as the most impersonated brand, with 17,555 unique phishing URLs, followed by Facebook, with 17,338, and Microsoft, with 12,777.

https://www.helpnetsecurity.com/2021/07/22/financial-services-phishing/

Half Of Organisations Are Ineffective At Countering Phishing And Ransomware Threats

Half of organisations are not effective at countering phishing and ransomware threats. The findings come from a study compiled from interviews with 130 cyber security professionals in mid-sized and large organisations. “Phishing and ransomware were already critical enterprise security risks even before the pandemic hit and, as this report shows, the advent of mass remote working has increased the pressure of these threats,”. “Organisations need multi-layered defences in place to mitigate these risks.”

https://www.helpnetsecurity.com/2021/07/19/countering-phishing-and-ransomware/

36% Of Organisations Suffered A Serious Cloud Security Data Leak Or A Breach In The Past Year

As cloud adoption accelerates and the scale of cloud environments grows, engineering and security teams say that risks—and the costs of addressing them—are increasing. The findings are part of the State of Cloud Security 2021 survey. The survey of 300 cloud pros (including cloud engineers; security engineers; DevOps; architects) found that 36% of organisations suffered a serious cloud security data leak or a breach in the past 12 months, and eight out of ten are worried that they’re vulnerable to a major data breach related to cloud misconfiguration. 64% say the problem will get worse or remain unchanged over the next year.

https://www.helpnetsecurity.com/2021/07/27/cloud-security-data-leak/

HP Finds 75% Of Threats Were Delivered By Email In First Six Months Of 2021

According to the latest HP Report, email is still the most popular way for malware and other threats to be delivered, with more than 75% of threats being sent through email messages.  The report -- covering the first half of 2021 -- is compiled based on customers who opt to share their threat alerts with the company. HP's researchers found that there has been a 65% rise in the use of hacking tools downloaded from underground forums and filesharing websites from H2 2020 to H1 2021. Some of the tools can solve CAPTCHA challenges using computer vision techniques.

https://www.zdnet.com/article/hp-finds-75-of-threats-were-delivered-by-email-in-first-six-months-of-2021/

Data Breach Costs Hit Record High Due To Pandemic

Data breaches have always proved costly for victimized organisations. But the coronavirus pandemic made a bad situation even worse. A report released Wednesday looks at how and why the average cost of dealing with a data breach has jumped to a new high. The average cost of a data breach among companies surveyed reached $4.24 million per incident, the highest in 17 years.

https://www.techrepublic.com/article/data-breach-costs-hit-record-high-due-to-pandemic/

Top 30 Critical Security Vulnerabilities Most Exploited By Hackers

Intelligence agencies in Australia, the U.K., and the U.S. issued a joint advisory on Wednesday detailing the most exploited vulnerabilities in 2020 and 2021, once again demonstrating how threat actors can swiftly weaponize publicly disclosed flaws to their advantage. The top 30 vulnerabilities span a wide range of software, including remote work, virtual private networks (VPNs), and cloud-based technologies, that cover a broad spectrum of products from Microsoft, VMware, Pulse Secure, Fortinet, Accellion, Citrix, F5 Big IP, Atlassian, and Drupal.

https://thehackernews.com/2021/07/top-30-critical-security.html

Average Time To Fix High Severity Vulnerabilities Grows From 197 Days To 246 Days In 6 Months: Report

A recent report has found that the remediation rate for severe vulnerabilities is on the decline, while the average time to fix is on the rise. The report, which is compiled monthly, covers window of exposure, vulnerability by class and time to fix. The latest report found that the window of exposure for applications has increased over the last six months while the top-5 vulnerability classes by prevalence remain constant, which the researchers behind the report said was a "systematic failure to address these well-known vulnerabilities." According to researchers, the time to fix vulnerabilities has dropped 3 days, from 205 days to 202 days. The average time to fix is 202 days, the report found, representing an increase from 197 days at the beginning of the year. The average time to fix for high vulnerabilities grew from 194 days at the beginning of the year to 246 days at the end of June.

https://www.zdnet.com/article/average-time-to-fix-high-vulnerabilities-grows-from-197-days-to-246-days-in-6-months-report/

Why Remote Working Leaves Us Vulnerable To Cyber Attacks

An industry survey found 56% of senior IT technicians believe their employees have picked up bad cyber security habits while working from home. For Example. A cyber-crime group known as REvil took meticulous care when picking the timing for its most recent attack - US Independence Day, 4 July. They knew many IT specialists and cyber-security experts would be on leave, enjoying a long weekend off work. Before long, more than 1,000 companies in the US, and at least 17 other countries, were under attack from hackers. Many firms were forced into a costly downtime period as a result. Among those targeted during the incident was a well-known software provider, Kaseya. REvil used Kaseya as a conduit to spread its ransomware - a malware that can scramble and steal an organisation's computer data - through other corporate and cloud-based networks that use the software.

https://www.bbc.co.uk/news/business-57847652

Stop Mitigating Cyber Security Threats And Start Preventing Them

The impacts of a successful cyber attack can be devastating. Through multiple forms of extortion, criminals can use stolen data and other business-critical assets, including sensitive financial and customer data to hold companies hostage with just one campaign. The average cost of a phishing attack last year was $832,500, with zero-day attacks costing around $1,238,000. Spending this amount of money to recover from a cyber attack could bring a company to its knees. Today’s cyber attacks present very real existential threats to businesses and C-level executives are beginning to fully realize the gravity of these threats. It is critical that organizations invest in solutions that are going to help stop these attackers before they enter their environments.

https://www.itproportal.com/features/stop-mitigating-cybersecurity-threats-and-start-preventing-them/

Threats

Ransomware

• Babuk Ransomware Decryptor Causes Encryption 'Beyond Repair'

• Ransomware Can Penetrate Quickly, Significantly Damaging An Organisation

• BlackMatter Ransomware Targets Companies With Revenue Of $100 Million And More

• LockBit Ransomware Now Encrypts Windows Domains Using Group Policies

• FBI Tracking More Than 100 Active Ransomware Groups

• The World's Top Ransomware Gangs Have created A cyber Crime "Cartel"

Social Engineering

• Average Organisation Targeted By Over 700 Social Engineering Attacks Each Year: Report

• These Hackers Built An Elaborate Online Profile To Fool Their Targets Into Downloading Malware

• FIN7’s Liquor Lure Compromises Law Firm With Backdoor

Malware

• Cisco Researchers Spotlight Solarmarker Malware

• Hackers Exploit Microsoft Browser Bug To Deploy VBA Malware On Targeted PCs

• Some Windows 11 Installers Infect Your PC With Malware

• Microsoft Warns Of LemonDuck Malware Targeting Windows and Linux Systems

• Discord CDN And API Abuses Drive Wave Of Malware Detections

• Japanese Computers Hit By A Wiper Malware Ahead Of 2021 Tokyo Olympics

Mobile

• New Android Malware Uses VNC To Spy And Steal Passwords From Victims

• UBEL Is The New Oscorp — Android Credential Stealing Malware Active In The Wild

Vulnerabilities

• Microsoft Warns Of Credential Stealing NTLM Relay Attacks Against Windows Domain Controllers

• VPN Servers Seized By Ukrainian Authorities Weren’t Encrypted

• Web Applications Have Become A Security Liability

• Hackers Have Found Yet Another Way To Attack Kubernetes Clusters

• Windows 10 Printer Problems Persist Following Latest Security Update

• Microsoft Rushes Fix For ‘PetitPotam’ Attack PoC

• Apple Releases Urgent 0-Day Bug Patch For Mac, iPhone And iPad Devices

• Researchers Warn Of Unpatched Kaseya Unitrends Backup Vulnerabilities

• New Linux Kernel Bug Lets You Get Root On Most Modern Distros

• Dozens Of Web Apps Vulnerable To DNS Cache Poisoning Via ‘Forgot Password’ Feature

• Nasty MacOS Malware XCSSET Now Targets Google Chrome, Telegram Software

Data Breaches

• Over 80 US Municipalities’ Sensitive Information, Including Resident’s Personal Data, Left Vulnerable In Massive Data Breach

• Gun Owners' Fears After Firearms Dealer Data Breach

Organised Crime & Criminal Actors

• Threat Actor Offers Clubhouse Secret Database Containing 3.8b Phone Numbers

• Number Of Hacking Tools Increasing As Cyber Criminals Become More Organised

Dark Web

• How The Dark Web Enables Access To Corporate Networks

Supply Chain

• Kaseya Denies Paying Ransom For Decryptor, Refuses Comment On NDA

DoS/DDoS

• DSoS Attacks Are Up, With Ever-Greater Network Impact

Nation State Actors

• Chinese Hackers Implant PlugX Variant On Compromised MS Exchange Servers

• APT Group Hits IIS Web Servers With Deserialization Flaws And Memory-Resident Malware

Privacy

• Behind The Mercenary Spyware Industry

Reports Published in the Last Week

• DDoS Attack Trends For 2021 Q2

• Spear Phishing: Top Threats And Trends Volume 6

Other News

• PunkSpider—The Search Engine For Web Exploits—Rises From the Dead

• Biden Warns A ‘Real Shooting War’ Could Come From Cyber Breach

• Hackers Turning To 'Exotic' Programming Languages For Malware Development

• Discord Is Now An Essential Tool For Hackers

• Research Roadblock? Security Pros Weigh In On China’s New Vulnerability Disclosure Law

• For Hackers, Space Is The Final Frontier

• A DNS Outage Just Took Down A Large Chunk Of The Internet

• Ireland Sees Biggest Rise In Cyber Security Attacks

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.