Threat Intelligence Blog
Contact us to discuss any insights from our Blog, and how we can support you in a tailored threat intelligence report.
The Most Effective Phishing Lures - which ones will you fall for...?! Cyber Tip Tuesday video 15 September 2020
Welcome to this week's Black Arrow Cyber Tip Tuesday, this week Tony is talking about the most effective phishing lures.
Which phishing emails subject lines or hooks are user most likely to fall for?
Phishing emails often have a sense of urgency attached to them to get users to react without taking time to think or assess whether the email is genuine, but there are also subject lines that are more likely to trick users.
Anything where the user things they may be about to lose something they have earned or are entitled to can be effective, so things like a change or reduction in pay or benefits, reduction in holidays or a loss of things like airmiles or hotel loyalty points can be effective.
Anything involving threats of criminal action, courts, or implying you will incur a cost or charge for not complying is also effective, especially when combined with the sense of urgency.
Make sure your users are aware of the most effective lures and are continually honing their ability to spot phishing emails with rolling testing.
Welcome to this week's Black Arrow Cyber Tip Tuesday, this week Tony is talking about the most effective phishing lures.
Which phishing emails subject lines or hooks are user most likely to fall for?
Phishing emails often have a sense of urgency attached to them to get users to react without taking time to think or assess whether the email is genuine, but there are also subject lines that are more likely to trick users.
Anything where the user things they may be about to lose something they have earned or are entitled to can be effective, so things like a change or reduction in pay or benefits, reduction in holidays or a loss of things like airmiles or hotel loyalty points can be effective.
Anything involving threats of criminal action, courts, or implying you will incur a cost or charge for not complying is also effective, especially when combined with the sense of urgency.
Make sure your users are aware of the most effective lures and are continually honing their ability to spot phishing emails with rolling testing.
Cyber Weekly Flash Briefing 22 May 2020: EasyJet say 9m customers hacked, firm phishes its own staff and 20% fail, 60% insider threats involve staff planning to leave, 1 in 10 WFH Brits breach GDPR
Cyber Weekly Flash Briefing 22 May 2020: EasyJet say 9m customers hacked, firm phishes its own staff and 20% fail, 60% insider threats involve staff planning to leave, 1 in 10 WFH Brits breach GDPR
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
If you’re pressed for time watch the 60 second quick fire video summary of the top cyber and infosec stories from the last week:
EasyJet admits data of nine million hacked
EasyJet has admitted that a "highly sophisticated cyber-attack" has affected approximately nine million customers.
It said email addresses and travel details had been stolen and that 2,208 customers had also had their credit and debit card details "accessed".
The firm has informed the UK's Information Commissioner's Office while it investigates the breach.
EasyJet first became aware of the attack in January.
It told the BBC that it was only able to notify customers whose credit card details were stolen in early April.
"This was a highly sophisticated attacker. It took time to understand the scope of the attack and to identify who had been impacted," the airline told the BBC.
Read more here: https://www.bbc.co.uk/news/technology-52722626
To test its security mid-pandemic, GitLab tried phishing its own work-from-home staff. 1 in 5 fell for it
Code hosting site GitLab recently concluded a security exercise to test the susceptibility of its all-remote workforce to phishing – and a fifth of the participants submitted their credentials to the fake login page.
The mock attack simulated a targeted phishing campaign designed to get GitLab employees to give up their credentials.
The GitLab security personnel playing the role of an attacker – obtained the domain name gitlab.company and set it up using the open source GoPhish framework and Google's GSuite to send phishing emails. The messages were designed to look like a laptop upgrade notification from GitLab's IT department.
Targets were asked to click on a link in order to accept their upgrade and this link was instead a fake GitLab.com login page hosted on the domain 'gitlab.company'.
Fifty emails went out and 17 (34 per cent) clicked on the link in the messages that led to the simulated phishing website. Of those, 10 (59 per cent of those who clicked through or 20 per cent of the total test group) went on to enter credentials. And just 6 of the 50 message recipients (12 per cent) reported the phishing attempt to GitLab security personnel.
According to Verizon's 2020 Data Breach Investigations Report, 22 per cent of data exposure incidents involved phishing or about 90 per cent of incidents involving social interaction.
Read the original article here: https://www.theregister.co.uk/2020/05/21/gitlab_phishing_pentest/
60% of Insider Threats Involve Employees Planning to Leave
More than 80% of employees planning to leave an organization bring its data with them. These "flight-risk" individuals were involved in roughly 60% of insider threats analysed in a new study.
Researchers analysed more than 300 confirmed incidents as part of the "2020 Securonix Insider Threat Report." They found most insider threats involve exfiltration of sensitive data (62%), though others include privilege misuse (19%), data aggregation (9.5%), and infrastructure sabotage (5.1%). Employees planning an exit start to show so-called flight-risk behaviour between two weeks and two months ahead of their last day, the researchers discovered.
Most people who exfiltrate sensitive information do so over email, a pattern detected in nearly 44% of cases. The next most-popular method is uploading the information to cloud storage websites (16%), a technique growing popular as more organizations rely on cloud collaboration software such as Box and Dropbox. Employees are also known to steal corporate information using data downloads (10.7%), unauthorized removable devices (8.9%), and data snooping through SharePoint (8%).
Today's insider threats look different from those a few years ago. Cloud tools have made it easier for employees to share files with non-business accounts, creating a challenge for security teams.
Read more here: https://www.darkreading.com/risk/60--of-insider-threats-involve-employees-planning-to-leave/d/d-id/1337876
One in ten home working Brits are not GDPR compliant
Remote working may have improved the work-life balance of many Brits, but it has also made organisations more likely to fall foul of GDPR.
This is according to a new report from IT support company ILUX, which found that a tenth of workers in the UK do not believe their remote working practices are compliant.
Based on a poll of 2,000 UK-based home workers, the report hints the problem could stem from the adoption of BYOD initiatives, explaining that personal technology for work could be the catalyst for respondents' concerns.
There is also the issue of support, with two thirds of respondents feeling they have lacked sufficient support from business owners during the pandemic. One tenth of the respondents considered their managers too busy or stressed to warrant approaching.
Asking employees to work from home and then not providing the right computer systems and security measures is a recipe for disaster.
The last thing any business needs at this time is to lose valuable data, leave themselves open to cyber attacks or phishing and leave themselves vulnerable to the unknown. It may only seem like a small number, but it’s best not to be in that ten percent.
Remote staff should be provided with company devices on which to work, protected with the latest security patches and cyber security solutions.
Read more here: https://www.itproportal.com/news/one-in-ten-home-working-brits-are-not-gdpr-compliant/
SMBs see cyberattacks that rhyme with large enterprises due to cloud shift
Small businesses are increasingly seeing the same cyberattacks and techniques as large enterprises in contrast with previous years, according to the 2020 Verizon Data Breach Investigations Report.
The last time Verizon researchers tracked small business attacks was in the 2013 DBIR. At that time, SMBs were hit with payment card cybercrime. Today, the attacks are aimed at web applications and errors due to configurations. Meanwhile, the external attackers are targeting SMBs just like large enterprises, according to Verizon.
Verizon found that small companies with less than 1,000 employees are seeing the same attacks as large enterprises. Why? SMBs have adjusted their business models to be more cloud based and rhyme more with large companies.
Read the full article: https://www.zdnet.com/article/smbs-see-cyberattacks-that-rhyme-with-large-enterprises-due-to-cloud-shift/
Microsoft warns of huge email phishing scam - here's how to stay protected
Microsoft has issued an alert to users concerning a new widespread Covid-19 themed phishing campaign.
The threat installs a remote administration tool to completely take over a user's system and even execute commands on it remotely.
The Microsoft Security Intelligence team provided further details on this ongoing campaign in a series of tweets in which it said that cybercriminals are using malicious Excel attachments to infect user's devices with a remote access trojan (RAT).
The attack begins with potential victims receiving an email that impersonates the John Hopkins Center. This email claims to provide victims with an update on the number of coronavirus-related deaths in the US. However, attached to the email is an Excel file that displays a chart showing the number of deaths in the US.
Read more here: https://www.techradar.com/uk/news/microsoft-warns-of-huge-phishing-attack-heres-how-to-stay-safe
Security threats associated with shadow IT
As cyber threats and remote working challenges linked to COVID-19 continue to rise, IT teams are increasingly pressured to keep organisations’ security posture intact. When it comes to remote working, one of the major issues facing enterprises is shadow IT.
End users eager to adopt the newest cloud applications to support their remote work are bypassing IT administrators and in doing so, unknowingly opening both themselves and their organization up to new threats.
You’ve probably heard the saying, “What you don’t know can’t hurt you.” In the case of shadow IT, it’s the exact opposite – what your organisation doesn’t know truly can and will hurt it.
Shadow IT might sound great at surface level if you think of it as tech-savvy employees and departments deploying collaborative cloud apps to increase productivity and meet business goals. However, there’s a lot more going on below the surface, including increased risk of data breaches, regulation violations and compliance issues, as well as the potential for missed financial goals due to unforeseen costs.
One solution to risks associated with shadow IT is to have workers only use cloud apps that have been vetted and approved by your IT department. However, that approach is oftentimes not possible when shadow apps are acquired by non-IT professionals who have little to no knowledge of software standardization. Additionally, when shadow SaaS apps are used by employees or departments the attack area is hugely increased because many are not secure or patched. If IT departments are unaware of an app’s existence, they can’t take measures to protect companies’ data or its users.
Another solution that organisations use is attempting to block access to cloud services that don’t meet security and compliance standards. Unfortunately, there is a vast discrepancy in the intended block rate and the actual block rate, called the “cloud enforcement gap” and represents shadow IT acquisition and usage.
Read more here: https://www.helpnetsecurity.com/2020/05/18/security-shadow-it/
Supercomputers hacked across Europe to mine cryptocurrency
Multiple supercomputers across Europe have been infected this week with cryptocurrency mining malware and have shut down to investigate the intrusions.
Security incidents have been reported in the UK, Germany, and Switzerland, while a similar intrusion is rumoured to have also happened at a high-performance computing centre located in Spain.
The first report of an attack came to light on Monday from the University of Edinburgh, which runs the ARCHER supercomputer. The organization reported "security exploitation on the ARCHER login nodes," shut down the ARCHER system to investigate, and reset SSH passwords to prevent further intrusions.
Read more here: https://www.zdnet.com/article/supercomputers-hacked-across-europe-to-mine-cryptocurrency/
Powerful Android malware stayed hidden for years, infecting tens of thousands of smartphones
A carefully managed hacking and espionage campaign is infecting smartphones with a potent form of Android malware, providing those behind it with total control of the device, while also remaining completely hidden from the user.
Mandrake spyware abuses legitimate Android functions to help gain access to everything on the compromised device in attacks that can gather almost any information about the user.
The attacker can browse and collect all data on the device, steal account credentials for accounts including banking applications. secretly take recordings of activity on the screen, track the GPS location of the user and more, all while continuously covering their tracks.
Read the original article here: https://www.zdnet.com/article/this-powerful-android-malware-stayed-hidden-years-infected-tens-of-thousands-of-smartphones/
Strain of ransomware goes fileless to make attacks untraceable
Malicious actors have been spotted using an especially sneaky fileless malware technique — reflective dynamic-link library (DLL) injection — to infect victims with Netwalker ransomware in hopes of making the attacks untraceable while frustrating security analysts.
Instead of compiling the malware and storing it into the disk, the adversaries are writing it in PowerShell and executing it directly into memory making this technique is stealthier than regular DLL injection because aside from not needing the actual DLL file on disk, it also does not need any windows loader for it to be injected. This eliminates the need for registering the DLL as a loaded module of a process, and allowing evasion from DLL load monitoring tools.
Read more here: https://www.scmagazine.com/home/security-news/ransomware/netwalker-ransomware-actors-go-fileless-to-make-attacks-untraceable/
Smartphones, laptops, IoT devices vulnerable to new Bluetooth attack
Academics have disclosed today a new vulnerability in the Bluetooth wireless protocol, broadly used to interconnect modern devices, such as smartphones, tablets, laptops, and smart IoT devices.
The vulnerability, codenamed BIAS (Bluetooth Impersonation AttackS), impacts the classic version of the Bluetooth protocol, also known as Basic Rate / Enhanced Data Rate, Bluetooth BR/EDR, or just Bluetooth Classic.
A bug in the bonding authentication process can allow an attacker to spoof the identity of a previously paired/bonded device and successfully authenticate and connect to another device without knowing the long-term pairing key that was previously established between the two.
Once a BIAS attack is successful, the attacker can then access or take control of another Bluetooth Classic device.
Read more here: https://www.zdnet.com/article/smartphones-laptops-iot-devices-vulnerable-to-new-bias-bluetooth-attack/