Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

• Businesses Found to Neglect Cyber Security Until it is Too Late

Businesses only take cyber security seriously after falling victim to an attack, according to a report published by the UK's Department for Culture, Media and Sport (DCMS) this week.

For the research, the UK government surveyed IT professionals and end users in 10 UK organisations of varying sizes that have experienced cyber security breaches in the past three years. This analysed their existing level of security prior to a breach, the business impacts of the attack and how cyber security arrangements changed in the wake of the incident.

Nearly all respondents said their organisation took cyber security much more seriously after experiencing a breach, including reviewing existing practices and significantly increased investment in technology solutions.

While there was a consensus among participants that there is a greater need for vigilance and investment in cyber security, there was significant variation between organisations’ practices in this area. Medium and large organisations tended to have formal plans in place and budget allocated for further cyber security investment, but smaller businesses mostly did not due to resource constraints.

https://www.infosecurity-magazine.com/news/cybersecurity-seriously-breach/

• Cyber Tops Staff Retention as Biggest Business Risk

Cyber security concerns represent the most serious risk facing organisations, beating inflation, talent acquisition/retention and rising production costs, according to a new PwC study.

The PwC Pulse: Managing business risks in 2022 report was compiled from interviews with 722 US C-suite executives.

Two-fifths (40%) ranked cyber-attacks as a serious risk, rising to 51% of board members. PwC said boardrooms may be getting more attuned to cyber risk after new SEC proposals were published in March that would require directors to oversee cyber security risk and be more transparent about their cyber expertise.

In fact, executives appear to be getting more proactive with cyber security on a number of fronts.

Some 84% said they are taking action or monitoring closely policy areas related to cyber security, privacy and data protection. A further 79% said they’re revising or enhancing their cyber risk management approaches, and half (49%) pointed to increased investments in cyber security and privacy.

By way of comparison, 53% said they’re increasing investment in digital transformation and 52% in IT.

Cyber security is a strategic business enabler – technology is the central nervous system of many companies – and confirming its data is secure and protected can be brand defining.

There’s now heightened attention from a wider range of business leaders and corporate directors as they recognise that cyber security and data privacy should be part of not only a risk management strategy, but also a broader corporate strategy. C-suite and boards are actively taking steps to better understand the global threat landscape, confirm a foundational cyber security program is in place, and manage these risks to create opportunities.

https://www.infosecurity-magazine.com/news/cyber-tops-staff-retention-biggest/

• Cyber Criminals Weaponising Ransomware Data for BEC Attacks

Cyber criminals and other threat actors are increasingly using data dumped from ransomware attacks in secondary business email compromise (BEC) attacks, according to new analysis by Accenture Cyber Threat Intelligence.

The ACTI team analysed data from the 20 most active ransomware leak sites, measured by number of featured victims, between July 2021 and July 2022. Of the 4,026 victims (corporate, non-governmental organisations, and governmental entities) uncovered on various ransomware groups’ dedicated leak sites, an estimated 91% incurred subsequent data disclosures, ACTI found.

Dedicated leak sites most commonly provide financial data, followed by employee and client personally identifiable information and communication documentation. The rise of double extortion attempts – where attack groups use ransomware to exfiltrate data and then publicise the data on dedicated leak sites – has made large amounts of sensitive corporate data available to any threat actor. The most valuable types of data most useful for conducting BEC attacks are financial, employee, and communication data, as well as operational documents. There is a significant overlap between the types of data most useful for conducting BEC attacks and the types of data most commonly posted on these ransomware leak sites, ACTI said.

The data is a “rich source for information for criminals who can easily weaponise it for secondary BEC attacks,” ACTI said. “The primary factor driving an increased threat of BEC and VEC attacks stemming from double-extortion leaks is the availability of [corporate and communication data].”

https://www.darkreading.com/edge-threat-monitor/cybercriminals-weaponizing-ransomware-data-for-bec-attacks

• Callback Phishing Attacks See Massive 625% Growth Since Q1 2021

Hackers are increasingly moving towards hybrid forms of phishing attacks that combine email and voice social engineering calls as a way to breach corporate networks for ransomware and data extortion attacks.

According to Agari's Q2 2022 cyber-intelligence report, phishing volumes have only increased by 6% compared to Q1 2022. However, the use of 'hybrid vishing' is seeing a massive 625% growth.

Vishing, "voice phishing," involves some form of a phone call to perform social engineering on the victim. Its hybrid form, called "callback phishing," also includes an email before the call, typically presenting the victim with a fake subscription/invoice notice.

The recipient is advised to call on the provided phone number to resolve any issues with the charge, but instead of a real customer support agent, the call is answered by phishing actors.

The scammers then offer to resolve the presented problem by tricking the victim into disclosing sensitive information or installing remote desktop tools on their system. The threat actors then connect to the victim's device remotely to install further backdoors or spread to other machines.

These callback phishing attacks were first introduced by the 'BazarCall/BazaCall' campaigns that appeared in March 2021 to gain initial access to corporate networks for ransomware attacks.

The attacks work so well that multiple ransomware and extortion gangs, such as Quantum, Zeon, and Silent Ransom Group, have adopted the same technique today to gain initial network access through an unsuspecting employee.

"Hybrid Vishing attacks reached a six-quarter high in Q2, increasing 625% from Q1 2021. This threat type also contributed to 24.6% of the overall share of Response-Based threats," details the Agari report.

"While this is the second quarter hybrid vishing attacks have declined in share due to the overall increase of response-based threats, vishing volume has steadily increased in count over the course of the year."

https://www.bleepingcomputer.com/news/security/callback-phishing-attacks-see-massive-625-percent-growth-since-q1-2021/

• Credential Phishing Attacks Skyrocketing, 265 Brands Impersonated in H1 2022

Abnormal Security released a report which explores the current email threat landscape and provides insight into the latest advanced email attack trends, including increases in business email compromise, the evolution of financial supply chain compromise, and the rise of brand impersonation in credential phishing attacks.

The research found a 48% increase in email attacks over the previous six months, and 68.5% of those attacks included a credential phishing link. In addition to posing as internal employees and executives, cyber criminals impersonated well-known brands in 15% of phishing emails, relying on the brands’ familiarity and reputation to convince employees to provide their login credentials. Most common among the 265 brands impersonated in these attacks were social networks and Microsoft products.

“The vast majority of cyber crime today is successful because it exploits the people behind the keyboard,” said Crane Hassold, director of threat intelligence at Abnormal Security.

“By compromising people rather than networks, it’s easier for attackers to circumvent conventional security measures. This is especially true with brand impersonation, where attackers use urgency and fear to encourage their targets to provide usernames and passwords.”

LinkedIn took the top spot for brand impersonation, but Outlook, OneDrive and Microsoft 365 appeared in 20% of all attacks. What makes these attacks particularly dangerous is that phishing emails are often the first step to compromising employee email accounts. Acquiring Microsoft credentials enables cyber criminals to access the full suite of connected products, allowing them to view sensitive data and use the account to send business email compromise attacks.

https://www.helpnetsecurity.com/2022/08/15/landscape-email-threat/

• Are Cloud Environments Secure Enough for Today’s Threats?

Cyber security is a major problem right now. Not only is it the highest priority of any given business to keep their own data and their customers’ and clients’ data secure, but changes in the workplace have had a knock-on effect on cyber security. The concept of working from home has forced businesses all around the world to address old and new cyber security threats. People taking their laptops, and therefore their data, home to public networks that can be hacked or leaving access details like passwords scribbled on notebooks has meant that access to a business and therefore their customers’ data is a lot more accessible.

The saving grace was said to be the cloud. Beyond retraining cyber security in staff workforces, the practical solution was to move data into the cloud. But we’re now a few years from the point when the cloud really gained popularity. Is it still the answer to all our cyber security problems? Is there a chance of risk to using the cloud?

Cloud data breaches do happen and misconfiguration is a leading cause of them, mainly due to businesses inadequate cyber security strategies. This is due to several factors, such as the fundamental nature of the cloud designed to be easy for anyone to access, and businesses unable to completely see or control the cloud’s infrastructure and therefore relying on the cyber security controls that are provided by the cloud service provider (or CSP).

Unauthorised access is also a risk. The internet, which is a readily available public resource to most of the world, makes it easy for hackers to access data if they have the credentials to get past the cyber security set up by the individual business. This is where the ugliness of internal cloud breaches happens. If security is not configured well or credentials like passwords and secret questions are compromised, an attacker can easily access the cloud.

However, it’s not only through an employee that hackers access credentials. Phishing is a very common means of gaining information that would allow access to a customer or business data.

Plus, the simple nature of sharing data can easily backfire on a company. A lot of data access is granted with a link to someone external, which can then be forwarded, either sold or stolen, to an attacker to access the cloud’s data.

https://www.itsecurityguru.org/2022/08/16/are-cloud-environments-secure-enough-for-todays-threats/

• Most Q2 Attacks Targeted Old Microsoft Vulnerabilities

Attacks targeting a remote code execution vulnerability in Microsoft's MSHTML browser engine — which was patched last September — soared during the second quarter of this year, according to a Kaspersky analysis.

Researchers from Kaspersky counted at least 4,886 attacks targeting the flaw (CVE-2021-40444) last quarter, an eightfold increase over the first quarter of 2022. The security vendor attributed the continued adversary interest in the vulnerability to the ease with which it can be exploited.

Kaspersky said it has observed threat actors exploiting the flaw in attacks on organisations across multiple sectors including the energy and industrial sectors, research and development, IT companies, and financial and medical technology firms. In many of these attacks, the adversaries have used social engineering tricks to try and get victims to open specially crafted Office documents that would then download and execute a malicious script. The flaw was under active attack at the time Microsoft first disclosed it in September 2021.

Attacks targeting a remote code execution vulnerability in Microsoft's MSHTML browser engine — which was patched last September — soared during the second quarter of this year, according to a Kaspersky analysis. Researchers from Kaspersky counted at least 4,886 attacks targeting the flaw last quarter, an eightfold increase over the first quarter of 2022. The security vendor attributed the continued adversary interest in the vulnerability to the ease with which it can be exploited. According to Kaspersky, exploits for Windows vulnerabilities accounted for 82% of all exploits across all platforms during the second quarter of 2022. While attacks on the MSHTML vulnerability increased the most dramatically, it was by no means the most exploited flaw, which was a remote code execution vulnerability in Microsoft Office that was disclosed and patched four years ago that was attacked some 345,827 times last quarter.

https://www.darkreading.com/attacks-breaches/most-attacks-in-q2-targeted-old-microsoft-vulnerabilities

• Cyber Resiliency Isn't Just About Technology, It's About People

Cyber attacks are on the rise — but if we're being honest, that statement has been true for quite a while, given the acceleration of cyber incidents over the past several years. Recent research indicates that organisations experienced 50% more attack attempts per week on corporate networks in 2021 than they did in 2020, and tactics such as phishing are becoming increasingly popular as attackers refine their tried-and-true methods to more successfully entice unsuspecting targets.

It's no surprise, then, that cyber resiliency has been a hot topic in the cyber security world. But although cyber resiliency refers broadly to the ability of an organisation to anticipate, withstand, and recover from cyber security incidents, many experts make the mistake of applying the term specifically to technology. And while it's true that detection and remediation tools, backup systems, and other resources play an important role in cyber resiliency, organisations that focus exclusively on technology risk are overlooking an equally important element: people.

People are often thought of as the weak link in cyber security. It's easy to understand why. People fall for phishing scams. They use weak passwords and procrastinate on installing security updates. They misconfigure hardware and software, leave cloud assets unsecured, and send confidential files to the wrong recipient. There's a reason so much cyber security technology is moving toward automation: removing people from the equation is seen as one of the most obvious ways to improve security. To many security experts, that's just common sense.

Except — is it, really? It's true that people make mistakes — it's called "human error" for a reason, after all — but many of those mistakes come when employees aren't put in a position to succeed. Phishing is a great example. Most people are familiar with the concept of phishing, but many may not be aware of the nefarious techniques that today's attackers deploy. If employees have not been properly trained, they may not be aware that attackers often impersonate real people within the organisation, or that the CEO asking them to buy gift cards "for a company happy hour" probably isn't legit. Organisations that want to build strong cyber-resiliency cannot pretend that people don't exist. Instead, they need to prioritise the resiliency of their people just as highly as the resiliency of their technology.

Training the organisation to recognise the signs of common attack tactics, practice better password and cyber hygiene, and report signs of suspicious activity can help ease the burden on IT and security personnel by providing them better information in a more timely manner. It also avoids some of the pitfalls that create a drain on their time and resources. By ensuring that people at every level of the business are more resilient, today's organisations will discover that their overall cyber-resiliency will improve significantly.

https://www.darkreading.com/vulnerabilities-threats/cyber-resiliency-isn-t-just-about-technology-it-s-about-people

• The “Cyber Insurance Gap” Is Threatening Most Companies

A new study by BlackBerry and Corvus Insurance confirms a “cyber insurance gap” is growing, with a majority of businesses either uninsured or under insured against a rising tide of ransomware attacks and other cyber threats.

• Only 19% of all businesses surveyed have ransomware coverage limits above the median ransomware demand amount ($600,000)

• Among SMBs with fewer than 1,500 employees, only 14% have a coverage limit in excess of $600,000

• 37% of respondents with cyber insurance do not have any coverage for ransomware payment demands

• 43% of those with a policy are not covered for auxiliary costs such as court fees or employee downtime

• 60% say they would reconsider entering into a partnership or agreement with another business or supplier if the organisation did not have comprehensive cyber insurance

• Endpoint detection and response (EDR) software is frequently a key component to obtaining a policy

• 34% of respondents have been previously denied cyber coverage by insurance providers due to not meeting EDR eligibility requirements

https://informationsecuritybuzz.com/expert-comments/the-cyber-insurance-gap-is-threatening-most-companies/

• Easing the Cyber-Skills Crisis with Staff Augmentation

Filling cyber security roles can be costly, slow, and chancy. More firms are working with third-party service providers to quickly procure needed expertise.

There are many possible solutions to the cyber security skills shortage, but most of them take time. Cyber security education, career development tracks, training programs, employer-sponsored academies, and internships are great ways to build a talent pipeline and develop skill sets to meet organisational needs in years to come.

But sometimes the need to fill a gap in capability is more immediate.

An organisation in the entertainment industry recently found itself in such a position. Its primary cyber security staff member quit suddenly without notice, taking along critical institutional knowledge and leaving various projects incomplete. With its key defender gone, the organisation's environment was left vulnerable. In a scarce talent market, the organisation faced a long hiring process to find a replacement — too long to leave its digital estate unattended. It needed expertise, and quickly.

According to a 2021 ESG report, 57% of organisations have been impacted by the global cyber security skills crisis. Seventy-six percent say it's difficult to recruit and hire security professionals. The biggest effects of this shortage are increasing workloads, positions open for weeks or months, and high cyber security staff burnout and attrition.

In this climate, more companies are turning to third parties for cyber security staff reinforcement. According to a NewtonX study, 56% of organisations are now subcontracting up to a quarter of their cyber security staff. Sixty-nine percent of companies rely on third-party expertise to assist in mitigating the risk of ransomware — up from 58% in 2017 — per a study by Ponemon and CBI, a Converge Company.

One way that companies gain this additional support is via third-party staff augmentation and consulting services. Cyber security staff augmentation, or strategic staffing, entails trained external consultants acting as an extension of an organisation's security team in a residency. Engagements can be anywhere from a few weeks to a few years, and roles can range from analysts and engineers to architects, compliance specialists, and virtual CISOs.

https://www.darkreading.com/operations/easing-the-cyber-skills-crisis-with-staff-augmentation

• Mailchimp Suffers Second Breach In 4 Months

Mailchimp suffered another data breach earlier this month, and this one cost it a client.

In a statement Friday, Mailchimp disclosed that a security incident involving phishing and social engineering tactics had targeted cryptocurrency and blockchain companies using the email marketing platform. It was the second Mailchimp breach to target cryptocurrency customers in a four-month span.

Though Mailchimp said it has suspended accounts where suspicious activity was detected while an investigation is ongoing, it did not reveal the source of the breach or scope of the attack.

More details were provided Sunday by one of the affected customers, DigitalOcean, which cut ties with Mailchimp on Aug. 9.

The cloud hosting provider observed suspicious activity beginning Aug. 8, when threat actors used its Mailchimp account for "a small number of attempted compromises" of DigitalOcean customer accounts -- specifically cryptocurrency platforms.

While it is not clear whether any DigitalOcean accounts were compromised, the company did confirm that some email addresses were exposed. More importantly, the statement attributed a potential source of the most recent Mailchimp breach.

https://www.techtarget.com/searchsecurity/news/252523911/Mailchimp-suffers-second-breach-in-4-months

• Firm Told It Can't Claim Full Cyber Crime Insurance After Social Engineering Attack

A Minnesota computer store suing its cyber insurance provider has had its case dismissed, with the courts saying it was a clear instance of social engineering, a crime for which the insurer was only liable to cover a fraction of total losses.

SJ Computers alleged in a November lawsuit that Travelers Casualty and Surety Co. owed it far more than paid on a claim for nearly $600,000 in losses due to a successful business email compromise (BEC) attack.

According to its website, SJ Computers is a Microsoft Authorised Refurbisher, reselling Dell, HP, Lenovo and Acer products, as well as providing tech services including software installs and upgrades.

Travelers, which filed a motion to dismiss, said SJ's policy clearly delineated between computer fraud and social engineering fraud. The motion was granted with prejudice last Friday.

In the dismissal order, the US District Court for Minnesota found that the two policy agreements are mutually exclusive, as well as finding SJ's claim fell squarely into its social engineering fraud agreement with Travelers, which has a cap of $100,000.

When SJ filed its claim with Travelers, the court noted, it did so only under the social engineering fraud agreement. After realising the policy limit on computer fraud was 10 times higher, "SJ Computers then made a series of arguments – ranging from creative to desperate – to try to persuade Travelers that its loss was not the result of social-engineering-fraud (as SJ Computers itself had initially said) but instead the result of computer fraud," the district judge wrote in the order.

https://www.theregister.com/2022/08/16/social_engineering_cyber_crime_insurance/

Threats

Ransomware

• Ransomware Group Threatens to Leak Data Stolen From Security Firm Entrust | SecurityWeek.Com

• Cisco Confirms Hack: Yanluowang Ransom Gang Claims 2.8GB Of Data (informationsecuritybuzz.com)

• Ransomware is still on the rise. Here's what you need to do to stay safe from hackers | ZDNET

• Russian Man Extradited to US for Laundering Ryuk Ransomware Money | SecurityWeek.Com

• ‘Coopetition’ a growing trend among ransomware gangs (computerweekly.com)

• Hackers Attack UK Water Supplier, Sends Ransom Demand to the Wrong Company (gizmodo.com)

• SOVA malware adds ransomware feature to encrypt Android devices (bleepingcomputer.com)

• BlackByte ransomware v2 is out with new extortion novelties - Security Affairs

• Ransomware is back, healthcare sector most targeted - Help Net Security

• Why Hackers Are Now Targeting Electric Car Charging Stations (nocamels.com)

• BlackByte Ransomware Gang Returns With Twitter Presence, Tiered Pricing (darkreading.com)

• Ski-Doo maker BRP resumes operations following cyber attack; shares fluctuate - MarketWatch

• Argentina's Judiciary of Córdoba hit by PLAY ransomware attack (bleepingcomputer.com)

BEC – Business Email Compromise

• Three Extradited from UK to US on $5m BEC Charges - Infosecurity Magazine

Phishing & Email Based Attacks

• Response-based attacks make up 41% of all email-based scams - Help Net Security

• PayPal Phishing Scam Uses Invoices Sent Via PayPal – Krebs on Security

• Microsoft admits it can't stop scammers fooling you with their latest tricks | ZDNET

Other Social Engineering; SMishing, Vishing, etc

• This is the lamest Microsoft Office security threat we've ever seen - but people will still fall for it | TechRadar

Malware

• Hackers Deploy Bumblebee Loader to Breach Target Networks - Infosecurity Magazine

• 'DarkTortilla' Malware Wraps in Sophistication for High-Volume RAT Infections (darkreading.com)

• Malicious browser extensions targeted almost 7 million people (bleepingcomputer.com)

• DoNot Team Hackers Updated its Malware Toolkit with Improved Capabilities (thehackernews.com)

• Whack-a-Mole: More Malicious PyPI Packages Spring Up Targeting Discord, Roblox (darkreading.com)

• This String of Emojis Is Actually Malware (vice.com)

Mobile

• SOVA Android malware now also encrypts victims' files - Security Affairs

• Malware devs already bypassed Android 13's new security feature (bleepingcomputer.com)

• Google releases Android 13 with improved privacy and security features - Help Net Security

• Android malware apps with 2 million installs found on Google Play (bleepingcomputer.com)

• Researchers Find 35 Adware Apps on Google Play - Infosecurity Magazine

• Nearly 1,900 Signal Messenger Accounts Potentially Compromised in Twilio Hack (thehackernews.com)

Internet of Things – IoT

• How attackers are exploiting corporate IoT - Help Net Security

• ‘Ask all the time: why do I need this?’ How to stop your vacuum from spying on you | Smart homes | The Guardian

• Amazon fixes Ring Android app flaw exposing camera recordings (bleepingcomputer.com)

Data Breaches/Leaks

• Digital Ocean dumps Mailchimp after security breach • The Register

Organised Crime & Criminal Actors

• How Do Hackers Steal Credit Card Information? | TechTarget

• IT security worker who hacked businesses caught out by neighbour's Wi-Fi - Manchester Evening News

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

• With Plunge in Value, Cryptocurrency Crimes Decline in 2022 (darkreading.com)

• Microsoft: Cryptojackers Continue to Evolve to Be Stealthier and Spread Faster - Infosecurity Magazine

• Hardware-based threat defence against increasingly complex cryptojackers - Microsoft Security Blog

Insider Risk and Insider Threats

• Ex-HP manager jailed for $5m company card shopping spree • The Register

• Microsoft Employees Exposed Own Company’s Internal Logins (vice.com)

Fraud, Scams & Financial Crime

• SEC claims $1.3m pump-and-dump scam used hacked accounts • The Register

AML/CFT/Sanctions

• Alleged Russian Money Launderer Extradited from the Netherlands to U.S. | OPA | Department of Justice

Insurance

• Organisations are losing cyber insurance as an important risk management tool - Help Net Security

• For cyber insurance, some technology leads to higher premiums (techtarget.com)

• New Study Reveals Serious Cyber-Insurance Shortfalls - Infosecurity Magazine

Supply Chain and Third Parties

• Expert On Report Showing 297% Increase in US Breaches Tied To Supply Chain (informationsecuritybuzz.com)

• Transitioning From VPNs to Zero-Trust Access Requires Shoring Up Third-Party Risk Management (darkreading.com)

• How a Third-Party SMS Service Was Used to Take Over Signal Accounts

Denial of Service DoS/DDoS

• Google blocked the largest Layer 7 DDoS reported to date - Security Affairs

Cloud/SaaS

• Organisations Struggle to Fend Off Cloud and Web Attacks - Infosecurity Magazine

• Incident response in the cloud can be simple if you are prepared - Help Net Security

Passwords, Credential Stuffing & Brute Force Attacks

• Credential Theft Is (Still) A Top Attack Method (thehackernews.com)

• FBI Warns of Proxies and Configurations Used in Credential Stuffing Attacks | SecurityWeek.Com

• Over 9,000 VNC servers exposed online without a password (bleepingcomputer.com)

Privacy

• Google fined $60 million over Android location data collection (bleepingcomputer.com)

• New Amazon Ring Vulnerability Could Have Exposed All Your Camera Recordings (thehackernews.com)

• ‘Ask all the time: why do I need this?’ How to stop your vacuum from spying on you | Smart homes | The Guardian

• Period and pregnancy tracking apps have bad privacy protections, report finds - The Verge

Regulations, Fines and Legislation

• Financial Services & Cyber Security Regulations: New York Making Changes? - MSSP Alert

Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine

• 5 Russia-Linked Groups Target Ukraine in Cyberwar (darkreading.com)

• Russia-linked Gamaredon APT continues to target Ukraine - Security Affairs

• Microsoft shuts down accounts linked to Russian spies • The Register

• State-Sponsored APTs Dangle Job Opps to Lure In Spy Victims (darkreading.com)

• Estonia Repels Biggest Cyber-Attack Since 2007 - Infosecurity Magazine

• Spyware Scandals Are Ripping Through Europe | WIRED

• US Cyber Command deploys defensive operators to Croatia to hunt for malicious cyber activity - Help Net Security

• NHS cyber attacks hit record levels in four in five trusts after Russian invasion (telegraph.co.uk)

• Spyware Hunters Are Expanding Their Tool Set | WIRED

Nation State Actors

Nation State Actors – Russia

• Microsoft disrupts Russian hackers' operation on NATO targets (bleepingcomputer.com)

• Russian APT29 hackers abuse Azure services to hack Microsoft 365 users (bleepingcomputer.com)

• Microsoft Disrupts Russian Group's Multiyear Cyber-Espionage Campaign (darkreading.com)

• Russian hackers target Ukraine with default Word template hijacker (bleepingcomputer.com)

• Estonia says it repelled major cyber attack after removing Soviet monuments | Reuters

Nation State Actors – China

• Western companies wake up to China risk | Financial Times (ft.com)

• China-backed APT41 Hackers Targeted 13 Organisations Worldwide Last Year (thehackernews.com)

• China-linked RedAlpha behind multi-year credential theft campaign - Security Affairs

• Chinese Cyberspy Group 'RedAlpha' Targeting Governments, Humanitarian Entities | SecurityWeek.Com

• China's APT41 Embraces Baffling Approach for Dropping Cobalt Strike Payload (darkreading.com)

• Chinese takeover of tech company blocked over security fears (telegraph.co.uk)

• 3 ways China's access to TikTok data is a security risk | CSO Online

• Montana flagged bugs in cow app exploited in alleged China hack | Business and Economy | Al Jazeera

• APT41 group: 4 malicious campaigns, 13 victims, new tools and techniques - Help Net Security

Nation State Actors – North Korea

• North Korean hackers use signed macOS malware to target IT job seekers (bleepingcomputer.com)

• Mac Attack: North Korea's Lazarus APT Targets Apple's M1 Chip (darkreading.com)

Vulnerability Management

• Zero Day Initiative seeing an increase in failed patches (techtarget.com)

• Vulnerability Broker Applies Pressure on Software Vendors Shipping Faulty, Incomplete Patches | SecurityWeek.Com

• Which Security Bugs Will Be Exploited? Researchers Create an ML Model to Find Out (darkreading.com)

Vulnerabilities

• CISA adds 7 vulnerabilities to list of bugs exploited by hackers (bleepingcomputer.com)

• Google patches yet another Chrome zero-day vulnerability (techtarget.com)

• Chrome browser gets 11 security fixes with 1 zero-day – update now! – Naked Security (sophos.com)

• Cisco fixes High-Severity bug in Secure Web Appliance - Security Affairs

• Exploit out for critical Realtek flaw affecting many networking devices (bleepingcomputer.com)

• Software Patches Flaw on macOS Could Let Hackers Bypass All Security Levels - Infosecurity Magazine (infosecurity-magazine.com)

• Safari 15.6.1 fixes a zero-day flaw actively exploited in the wild - Security Affairs

• Rapid7: Cisco ASA and ASDM flaws went unpatched for months (techtarget.com)

• Windows Vulnerability Could Crack DC Server Credentials Open (darkreading.com)

• ÆPIC and SQUIP Vulnerabilities Found in Intel and AMD Processors (thehackernews.com)

• PoC exploit code for the critical Realtek RCE flaw released online - Security Affairs

Other News

• Exploiting stolen session cookies to bypass multi-factor authentication (MFA) - Help Net Security

• The Future of Endpoint Management | SecurityWeek.Com

• Janet Jackson music video given CVE for crashing laptops • The Register

• More Evil Markets | How It's Never Been Easier To Buy Initial Access To Compromised Networks - SentinelOne

• How aware are organisations of the importance of endpoint management security? - Help Net Security

• The Future of Cyber Security is Prevention | SecurityWeek.Com

• Signal/Twilio Incident - How Secure Are SMS Verifications? Experts Weigh (informationsecuritybuzz.com)

• DigitalOcean Discloses Impact From Recent Mailchimp Cyber Attack | SecurityWeek.Com

Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

·       Automotive

·       Construction

·       Critical National Infrastructure (CNI)

·       Defence & Space

·       Education & Academia

·       Energy & Utilities

·       Estate Agencies

·       Financial Services

·       FinTech

·       Food & Agriculture

·       Gaming & Gambling

·       Government & Public Sector (including Law Enforcement)

·       Health/Medical/Pharma

·       Hotels & Hospitality

·       Insurance

·       Legal

·       Manufacturing

·       Maritime

·       Oil, Gas & Mining

·       OT, ICS, IIoT, SCADA & Cyber-Physical Systems

·       Retail & eCommerce

·       Small and Medium Sized Businesses (SMBs)

·       Startups

·       Telecoms

·       Third Sector & Charities

·       Transport & Aviation

·       Web3

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

• Average Cost of Data Breaches Hits Record High of $4.35 Million: IBM

The global average cost of data breaches reached an all-time high of $4.35 million in 2022 compared with $4.24 million in 2021, according to a new IBM Security report. About 60% of the breached organisations raised product and services prices due to the breaches.

The annual report, conducted by Ponemon Institute and analysed and sponsored by IBM Security, is based on the analysis of real-world data breaches experienced by 550 organisations globally between March 2021 and March 2022.

According to the report, about 83% of the organisations have experienced more than one breach in their lifetime, with nearly half of the costs reported to be incurred more than a year after the breach.

The report revealed that ransomware and destructive attacks represented 28% of breaches among the critical infrastructure organisations studied, indicating that threat actors are specifically targeting the sector to disrupt global supply chains. The critical infrastructure sector includes financial services, industrial, transportation, and healthcare companies.

https://www.csoonline.com/article/3668655/average-cost-of-data-breaches-hits-record-high-of-435-million-ibm.html#tk.rss_news

• Researchers Warns of Large-Scale Adversary-in-the-Middle (AiTM) Attacks Targeting Enterprise Users

A new, large-scale phishing campaign has been observed using adversary-in-the-middle (AitM) techniques to get around security protections and compromise enterprise email accounts.

It uses a technique capable of bypassing multi-factor authentication. The campaign is specifically designed to reach end users in enterprises that use Microsoft's email services.

Prominent targets include fintech, lending, insurance, energy, manufacturing, and federal credit union verticals located in the US, UK, New Zealand, and Australia.

This is not the first time such a phishing attack has come to light. Last month, Microsoft disclosed that over 10,000 organisations had been targeted since September 2021 by means of AitM techniques to breach accounts secured with multi-factor authentication (MFA).

The ongoing campaign, effective June 2022, commences with an invoice-themed email sent to targets containing an HTML attachment, which includes a phishing URL embedded within it.

https://thehackernews.com/2022/08/researchers-warns-of-large-scale-aitm.html

• UK NHS Suffers Outage After Cyber Attack on Managed Service Provider

The UK National Health Service (NHS) 111 emergency services were affected by a significant and ongoing outage triggered by a cyber attack that hit the systems of British managed service provider (MSP) Advanced.

Advanced's Adastra client patient management solution, which is used by 85% of NHS 111 services, was hit by a major outage together with several other services provided by the MSP, according to a status page.

"There was a major outage of a computer system that is used to refer patients from NHS 111 Wales to out-of-hours GP providers," the Welsh Ambulance Services said. "This system is used by Local Health Boards to coordinate these services for patients. The ongoing outage is significant and has been far-reaching, impacting each of the four nations in the UK."

The UK public was advised to access the NHS 111 emergency services using the online platform until the incident is resolved.

While no details were provided regarding the nature of the cyber attack, based on the wording, it is likely that this was a ransomware or data extortion attack.

https://www.bleepingcomputer.com/news/security/uk-nhs-suffers-outage-after-cyberattack-on-managed-service-provider/

• A Third of Organisations Experience a Ransomware Attack Once a Week

Ransomware attacks show no sign of slowing. According to new research published by Menlo Security, a third of organisations experience a ransomware attack at least once a week, with one in 10 experiencing them more than once a day.

The research, conducted among 500+ IT security decision makers at US and UK organisations with more than 1,000 employees, highlights the impact this is having on security professionals’ own wellbeing. When asked what keeps them awake at night, 41% of respondents say they worry about ransomware attacks evolving beyond their team’s knowledge and skillset, while 39% worry about them evolving beyond their company’s security capabilities.

Their biggest concern, however, is the risk of employees ignoring corporate security advice and clicking on links or attachments containing malware (46%). Respondents worry more about this than they do their own job security, with just a quarter (26%) of respondents worried about losing their job.

According to the report, around half of organisations (61% US and 44% UK) have been the victim of a successful ransomware attack in the last 18 months, with customers and prospects the most likely entry point for an attack.

Partners/suppliers and employees/contractors are also seen as serious security risks, although one in 10 admit they are unable to identify how the attacks got in. The top three ransomware attack vectors are email (54%), web browsers via a desktop or laptop (49%) and mobile devices (39%).

https://www.helpnetsecurity.com/2022/08/04/organizations-experience-ransomware-attack/

• Ransomware Products and Services Ads on Dark Web Show Clues to Danger

Why is ransomware’s destructive potential so daunting? Some clues are in the “for sale” ads. In an examination of some 35 million dark web URLs, a provider of machine identity management and a forensic specialist found some 475 web pages peddling sophisticated ransomware products and services with a number of high profile crews hawking ransomware-as-a-service.

The work is a joint effort between the Salt Lake City-based Venafi and Forensic Pathways, which took place between November 2021 and March 2022. Researchers used Forensic’s Dark Search Engine to carry out the investigation.

Here are some of the research findings:

• 87% of the ransomware found on the dark web has been delivered via malicious macros to infect targeted systems.

• 30 different “brands” of ransomware were identified within marketplace listings and forum discussions.

• Many strains of ransomware being sold — such as Babuk, GoldenEye, Darkside/BlackCat, Egregor, HiddenTear and WannaCry — have been successfully used in high-profile attacks.

• Ransomware strains used in high-profile attacks command a higher price for associated services. For example, the most expensive listing was $1,262 for a customised version of Darkside ransomware, which was used in the Colonial Pipeline ransomware attack.

• Source code listings for well-known ransomware generally command higher price points. For example, Babuk source code is listed for $950 and Paradise source code is selling for $593.

Ransomware Sold for as Little as $1: In addition to a variety of ransomware at various price points, a wide range of services and tools that help make it easier for attackers with minimal technical skills to launch ransomware attacks are for sale on the dark web, Venafi said. Services with the greatest number of listings include those offering source code, build services, custom development services and ransomware packages that include step-by-step tutorials.

https://www.msspalert.com/cybersecurity-breaches-and-attacks/ransomware/ransomware-products-services-ads-on-dark-web-show-clues-to-danger/

• Wolf In Sheep’s Clothing: How Malware Tricks Users and Antivirus

One of the primary methods used by malware distributors to infect devices is by deceiving people into downloading and running malicious files, and to achieve this deception, malware authors are using a variety of tricks.

Some of these tricks include masquerading malware executables as legitimate applications, signing them with valid certificates, or compromising trustworthy sites to use them as distribution points.

According to VirusTotal, a security platform for scanning uploaded files for malware, some of these tricks are happening on a much larger scale than initially thought.

The platform has compiled a report presenting stats from January 2021 until July 2022, based on the submission of two million files daily, illustrating trends in how malware is distributed.

• Abusing legitimate domains: Distributing malware through legitimate, popular, and high-ranking websites allows threat actors to evade IP-based blocklists, enjoy high availability, and provide a greater level of trust.

• Using stolen code-signing certificates: Signing malware samples with valid certificates stolen from companies is a reliable way to evade AV detection and security warnings on the host. Of all the malicious samples uploaded to VirusTotal between January 2021 and April 2022, over a million were signed, and 87% used a valid certificate.

• Disguised as popular software: Masquerading a malware executable as a legitimate, popular application has seen an upward trend in 2022. Victims download these files thinking they’re getting the applications they need, but upon running the installers, they infect their systems with malware. The most mimicked applications are Skype, Adobe Acrobat, VLC, and 7zip.

• Lacing legitimate installers - Finally, there’s the trick of hiding malware inside legitimate application installers and running the infection process in the background while the real apps execute in the foreground. Based on VirusTotal stats, this practice also appears to be on the rise this year, using Google Chrome, Malwarebytes, Windows Updates, Zoom, Brave, Firefox, ProtonVPN, and Telegram as lures.

https://www.bleepingcomputer.com/news/security/wolf-in-sheep-s-clothing-how-malware-tricks-users-and-antivirus/

• Microsoft Accounts Targeted with New MFA-Bypassing Phishing Kit

A new large-scale phishing campaign targeting credentials for Microsoft email services use a custom proxy-based phishing kit to bypass multi-factor authentication.

Researchers believe the campaign's goal is to breach corporate accounts to conduct BEC (business email compromise) attacks, diverting payments to bank accounts under their control using falsified documents.

The phishing campaign's targets include fin-tech, lending, accounting, insurance, and Federal Credit Union organisations in the US, UK, New Zealand, and Australia.

The campaign was discovered by Zscaler's ThreatLabz researchers, who report that the operation is still ongoing, and the phishing actors register new phishing domains almost daily.

Starting in June 2022, Zscaler's analysts noticed a spike in sophisticated phishing attempts against specific sectors and users of Microsoft email services.

Some of the newly registered domains used in the campaign are typo-squatted versions of legitimate domains.

Notably, many phishing emails originated from the accounts of executives working in these organisations, whom the threat actors most likely compromised earlier.

https://www.bleepingcomputer.com/news/security/microsoft-accounts-targeted-with-new-mfa-bypassing-phishing-kit/

• Cyber Attack Prevention Is Cost-Effective, So Why Aren’t Businesses Investing to Protect?

Cyber attacks like ransomware, BEC scams and data breaches are some of the key issues businesses are facing today, but despite the number of high-profile incidents, many boardrooms are reluctant to free up budget to invest in the cyber security measures necessary to avoid becoming the next victim.

In a Help Net Security interview, Former Pentagon Chief Strategy Officer Jonathan Reiber, VP Cyber security Strategy and Policy, AttackIQ, discusses how now, more than ever, companies need to protect themselves from cyber threat actors. He offers insight for CISOs, from talking to the Board to proper budget allocation.

https://www.helpnetsecurity.com/2022/08/01/cyberattack-prevention-investing/

• Securing Your Move to the Hybrid Cloud

The combination of private and public cloud infrastructure, which most organisations are already using, poses unique security challenges. There are many reasons why organisations adopt the public cloud, from enabling rapid growth without the burden of capacity planning to leveraging flexibility and agility in delivering customer-centric services. However, this use can leave companies open to threats.

Since regulatory requirements or other preferences dictate that certain applications remain on private (on-prem) infrastructure, many organisations choose to maintain a mix of private and public infrastructure. Additionally, organisations typically use multiple cloud providers simultaneously or preserve the option to move between providers. However, this hybrid approach presents unique and diverse security challenges. Different cloud providers and private cloud platforms may offer similar capabilities but different ways of implementing security controls, along with disparate management tools.

The question then becomes: How can an organisation maintain consistent governance, policy enforcement and controls across different clouds? And how can it ensure that it maintains its security posture when moving between them? Fortunately, there are steps professionals can take to ensure that applications are continuously secure, starting from the early stages of development and extending throughout the lifecycle.

https://threatpost.com/secure-move-cloud/180335/

• Lessons from the Russian Cyber Warfare Attacks

Cyber warfare tactics may not involve tanks and bombs, but they often go hand-in-hand with real combat.

The Russian invasion of Ukraine is a prime example. Before Russian troops crossed the border, Russian hackers had already taken down Ukrainian government websites. And after the conflict started, the hacktivist group Anonymous turned the tables by hacking Russian media to shut down propaganda about the war.

In these unprecedented times of targeted attacks against governments and financial institutions, every organisation should be on heightened alert about protecting their critical infrastructure and digital attack surface.

With the Russia-Ukraine conflict as a backdrop, two Trend Micro security experts recently discussed cyber warfare techniques and how they’re an important reminder for every business to proactively manage cyber risk.

https://www.trendmicro.com/en_us/ciso/22/h/russian-cyber-warfare-attacks.html

• Four Sneaky Attacker Evasion Techniques You Should Know About

Remember those portrayals of hackers in the 80s and 90s where you just knew when you got pwned? A blue screen of death, a scary message, a back-and-forth text exchange with a hacker—if you got pwned in a movie in the 80s and 90s, you knew it right off the bat.

What a shame that today’s hackers have learned to be quiet when infiltrating an environment. Sure, “loud” attacks like ransomware still exist, but threat actors have learned that if they keep themselves hidden, they can usually do far more damage. For hackers, a little stealth can go a long way. Some attack tactics are inherently quiet, making them arguably more dangerous as they can be harder to detect. Here are four of these attack tactics you should know about.

1. Trusted Application Abuse: Attackers know that many people have applications that they inherently trust, making those trusted applications the perfect launchpad for cyber attacks. Threat actors know that defenders and the tools they use are often on the hunt for new malware presenting itself in environments. What isn’t so easy to detect is when the malware masquerades under legitimate applications.

2. Trusted Infrastructure Abuse: Much like trusted application abuse, trusted infrastructure abuse is the act of using legitimate, publicly hosted services and toolsets (such as Dropbox or Google Drive) as part of the attack infrastructure. Threat actors know that people tend to trust Dropbox and Google Drive. As a result, this makes these tools a prime means for threat actors to carry out malicious activity. Threat actors often find trusted infrastructure abuse easy because these services aren’t usually blocked at an enterprise’s gateway. In turn, outbound communications can hide in plain sight.

3. Obfuscation: Although cyber security has more than its fair share of tedious acronyms, the good news is that many terms can be broken down by their generic dictionary definitions. According to dictionary.com, this is what obfuscate means: “To make something unclear, obscure or difficult to understand.” And that’s exactly what it means in cyber security: finding ways to conceal malicious behaviour. In turn, this makes it more difficult for analysts and the tools they use to flag suspicious or malicious activity.

4. Persistence: Imagine writing up documentation using your computer, something you may well do in your role. You’ve spent a ton of time doing the research required, finding the right sources and compiling all your information into a document. Now, imagine not hitting save on that document and losing it as soon as you reboot your computer. Sound like a nightmare—or perhaps a real anxiety-inducing experience you’ve been through before? Threat actors agree. And that’s why they establish persistence. They don’t want all of their hard work to get into your systems in the first place to be in vain just because you restart your computer. They establish persistence to make sure they can still hang around even after you reboot.

https://www.msspalert.com/cybersecurity-guests/four-sneaky-attacker-evasion-techniques-you-should-know-about/

• Zero-Day Defence: Tips for Defusing the Threat

Because they leave so little time to patch and defuse, zero-day threats require a proactive, multi-layered approach based on zero trust.

The recent Atlassian Confluence remote code execution bug is just the latest example of zero-day threats targeting critical vulnerabilities within major infrastructure providers. The specific threat, an Object-Graph Navigation Language (OGNL) injection, has been around for years but took on new significance given the scope of the Atlassian exploit. And OGNL attacks are on the rise.

Once bad actors find such a vulnerability, proof-of-concept exploits start knocking at the door, seeking unauthenticated access to create new admin accounts, execute remote commands, and take over servers. In the Atlassian case, Akamai's threat research team identified that the number of unique IP addresses attempting these exploits grew to more than 200 within just 24 hours.

Defending against these exploits becomes a race against time worthy of a 007 movie. The clock is ticking and you don't have much time to implement a patch and "defuse" the threat before it's too late. But first you need to know that an exploit is underway. That requires a proactive, multi-layered approach to online security based on zero trust.

What do these layers look like? There are a number of different practices that security teams — and their third-party Web application and infrastructure partners — should be aware of.

https://www.darkreading.com/attacks-breaches/zero-day-defense-tips-for-defusing-the-threat

Threats

Ransomware

• Reported ransomware attacks are just the tip of the iceberg. That's a problem for everyone | ZDNet

• Initial Access Brokers - Key to Rise In Ransomware Attacks (informationsecuritybuzz.com)

• Ransomware gangs are hitting roadblocks, but aren't stopping (yet) - Help Net Security

• SonicWall: Ransomware Global Cyber Attack Volume Shrinks, Still Exceeds Totals for 2017-2019 - MSSP Alert

• 87% of the ransomware found on the dark web has been delivered via malicious macros - Help Net Security

• LockBit Ransomware Abuses Windows Defender for Payload Loading | SecurityWeek.Com

• German Chambers of Industry and Commerce hit by 'massive' cyber attack (bleepingcomputer.com)

• Brand-New HavanaCrypt Ransomware Poses as Google Software Update App Uses Microsoft Hosting Service IP Address as C&C Server (trendmicro.com)

• Ransomware Task Force releases SMB blueprint for defence and mitigation (scmagazine.com)

• Prepare for ransomware before you're hit • The Register

• German semiconductor giant Semikron says hackers encrypted its network | TechCrunch

• Ransomware Hit on European Pipeline & Energy Supplier Encevo Linked to BlackCat (darkreading.com)

• Luxembourg Energy Company Hit by Ransomware | SecurityWeek.Com

• Spanish research agency still recovering after ransomware attack (bleepingcomputer.com)

Phishing & Email Based Attacks

• Countdown Clock Puts Pressure on Phishing Targets - Infosecurity Magazine

• The most impersonated brand in phishing attacks? Microsoft - Help Net Security

• Open Redirect Flaw Snags Amex, Snapchat User Data | Threatpost

• American Express, Snapchat Open-Redirect Vulnerabilities Exploited in Phishing Scheme (darkreading.com)

• A new malware threat is spying on users' Gmail inbox — do this before you're next | Laptop Mag

• Massive New Phishing Campaign Targets Microsoft Email Service Users (darkreading.com)

• North Korean Hackers Use Browser Extension to Spy on Gmail and AOL Accounts - Infosecurity Magazine

Other Social Engineering; SMishing, Vishing, etc

• US FCC warns of the rise of smishing attacks - Security Affairs

Malware

• VirusTotal Reveals Most Impersonated Software in Malware Attacks (thehackernews.com)

• Gootkit Loader Resurfaces with Updated Tactic to Compromise Targeted Computers (thehackernews.com)

• Woody RAT: A new feature-rich malware spotted in the wild | Malwarebytes Labs

• VirusTotal: Threat Actors Mimic Legitimate Apps, Use Stolen Certs to Spread Malware (darkreading.com)

• New IoT RapperBot Malware Targeting Linux Servers via SSH Brute-Forcing Attack (thehackernews.com)

• New Linux malware brute-forces SSH servers to breach networks (bleepingcomputer.com)

• Credential Stealer Malware Raccoon Updated to Obtain Passwords More Efficiently - Infosecurity Magazine

• Attackers cause Discord discord with malicious npm packages • The Register

• Gootkit AaaS malware is still active and uses updated tactics - Security Affairs

Mobile

• Facebook finds new Android malware used by APT hackers (bleepingcomputer.com)

• Google Patches Critical Android Bluetooth Flaw in August Security Bulletin - Infosecurity Magazine

• Banking trojan finds new routes to accounts by infiltrating Google Play Store (scmagazine.com)

Internet of Things – IoT

• A Digital Home Has Many Open Doors (darkreading.com)

• All the Data Amazon's Ring Cameras Collect About You | WIRED

Organised Crime & Criminal Actors

• Thousands of hackers flock to 'Dark Utilities' C2-as-a-Service (bleepingcomputer.com)

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

• Phishing campaign targets Coinbase wallet holders to steal cryptocurrency in real-time - Help Net Security

• Nearly $200 Million Stolen from Cryptocurrency Bridge Nomad | SecurityWeek.Com

• Crypto firm that promised security loses $200 million in 'frenzied free-for-all' hack | PC Gamer

• Nomad to crooks: Keep 10% as a bounty, return the rest • The Register

• Cyber attackers Drain Nearly $6M From Solana Crypto Wallets (darkreading.com)

• Man robbed of $800,000 in cryptocurrency sues Google • The Register

Insider Risk and Insider Threats

• T-Mobile Store Owner Made $25M Using Stolen Employee Credentials (darkreading.com)

Fraud, Scams & Financial Crime

• UK Branded Europe’s “Capital of Card Fraud” - Infosecurity Magazine

• Huge network of 11,000 fake investment sites targets Europe (bleepingcomputer.com)

• Online payment fraud losses accelerate at an alarming rate - Help Net Security

• COMMENT: 'Hi Mum, Hi Dad' Scams On The Rise - Britons Already (informationsecuritybuzz.com)

• Increase in Fake Tickets Being Sold by Cyber criminals on Social Media - IT Security Guru

AML/CFT/Sanctions

• Robinhood Crypto Penalized $30M for Violating NY Cybersecurity Regulations | SecurityWeek.Com

Dark Web

• A Ransomware Explosion Fosters Thriving Dark Web Ecosystem (darkreading.com)

• The popularity of Dark Utilities 'C2-as-a-Service' rapidly increases - Security Affairs

Software Supply Chain

• Now is the time to focus on software supply chain security improvements - Help Net Security

Cloud/SaaS

• Cyber attackers Increasingly Target Cloud IAM as a Weak Link (darkreading.com)

• What Worries Security Teams About the Cloud? (darkreading.com)

• Who Has Control: The SaaS App Admin Paradox (thehackernews.com)

• Enterprises face a multitude of barriers to securing diverse cloud environments - Help Net Security

Open Source

• New Linux malware brute-forces SSH servers to breach networks (bleepingcomputer.com)

Passwords, Credential Stuffing & Brute Force Attacks

• Hackers stole passwords for accessing 140,000 payment terminals | TechCrunch

• Credential Canaries Create Minefield for Attackers (darkreading.com)

• 5 reasons why businesses should never use consumer-grade password managers | TechRadar

Social Media

• Hackers Exploit Twitter Vulnerability to Exposes 5.4 Million Accounts (thehackernews.com)

• Parliament shuts down TikTok account over China data security concerns (telegraph.co.uk)

• Over 3,200 Apps Leak Twitter API Keys, Some Allowing Account Hijacks (informationsecuritybuzz.com)

• Increase in Fake Tickets Being Sold by Cyber criminals on Social Media - IT Security Guru

Privacy

• DuckDuckGo browser now blocks all Microsoft trackers, most of the time (bleepingcomputer.com)

Cyber Bullying and Cyber Stalking

• Australia charges dev of Imminent Monitor RAT used by domestic abusers (bleepingcomputer.com)

Regulations, Fines and Legislation

• Most companies are unprepared for CCPA and GDPR compliance - Help Net Security

• Data privacy: Collect what you need, protect what you collect | CSO Online

• India scraps data protection law, promises better successor • The Register

Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine

• Austrian Investigation Reveals Spyware Targeting Law Firms, Finance Institutions - Infosecurity Magazine

• Ukraine takes down 1,000,000 bots used for disinformation (bleepingcomputer.com)

• Nancy Pelosi ties Chinese cyber-attacks to Taiwan visit • The Register

• Spanish Research Center Suffers Cyber attack Linked to Russia | SecurityWeek.Com

• Russian organisations attacked with new Woody RAT malware (bleepingcomputer.com)

• Greek intelligence spied on journalist with a surveillance spyware - Security Affairs

• Rare Pegasus screenshots depict NSO Group's spyware capabilities | AppleInsider

Nation State Actors

Nation State Actors – Russia

• Double Whammy: Russian Hackers Launch Cyber Attacks On Lockheed Martin; Armed Forces Hack Into HIMARS -- Reports (eurasiantimes.com)

• Ukraine Shutters Major Russian Bot Farm - Infosecurity Magazine

Nation State Actors – China

• Chinese hackers use new Cobalt Strike-like attack framework (bleepingcomputer.com)

• Massive China-Linked Disinformation Campaign Taps PR Firm for Help (darkreading.com)

• Parliament shuts down TikTok account over China data security concerns (telegraph.co.uk)

• China, Huawei, and the eavesdropping threat | CSO Online

• Global network of fake news sites push Chinese propaganda, researchers find - CyberScoop

• Taiwanese military reports DDoS in wake of US Speaker visit • The Register

Nation State Actors – North Korea

• Cyber crime a Key Revenue Stream For North Korea's Weapons Program - Infosecurity Magazine (infosecurity-magazine.com)

• North Korean Hackers Use Browser Extension to Spy on Gmail and AOL Accounts - Infosecurity Magazine (infosecurity-magazine.com)

Nation State Actors – Iran

• Iranian Hackers Likely Behind Disruptive Cyber attacks Against Albanian Government (thehackernews.com)

• Disruptive Cyber attacks on NATO Member Albania Linked to Iran | SecurityWeek.Com

Nation State Actors – Misc APT

• Twitter breach exposes anonymous accounts to nation state hackers - CyberScoop

Vulnerabilities

• VMware urges admins to patch critical auth bypass bug immediately (bleepingcomputer.com)

• Critical RCE Bug in DrayTek Routers Opens SMBs to Zero-Click Attacks (darkreading.com)

• Cisco fixes critical remote code execution bug in VPN routers (bleepingcomputer.com)

• F5 Fixes 21 Vulnerabilities With Quarterly Security Patches | SecurityWeek.Com

• High-Severity Bug in Kaspersky VPN Client Opens Door to PC Takeover (darkreading.com)

• Hackers Exploit Atlassian Confluence Vulnerability to Deploy New 'Ljl' Backdoor - Infosecurity Magazine

• Slack Resets Passwords After a Bug Exposed Hashed Passwords for Some Users (thehackernews.com)

• VMware Releases Patches for Several New Flaws Affecting Multiple Products (thehackernews.com)

• Hackers are actively exploiting password-stealing flaw in Zimbra (bleepingcomputer.com)

• Google fixed Critical Remote Code Execution flaw in Android - Security Affairs

• CISA adds Zimbra bug to Known Exploited Vulnerabilities Catalogue - Security Affairs

• Warning! Critical flaws found in US Emergency Alert System • The Register

Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

·       Automotive

·       Construction

·       Critical National Infrastructure (CNI)

·       Defence & Space

·       Education & Academia

·       Energy & Utilities

·       Estate Agencies

·       Financial Services

·       FinTech

·       Food & Agriculture

·       Gaming & Gambling

·       Government & Public Sector (including Law Enforcement)

·       Health/Medical/Pharma

·       Hotels & Hospitality

·       Insurance

·       Legal

·       Manufacturing

·       Maritime

·       Oil, Gas & Mining

·       OT, ICS, IIoT, SCADA & Cyber-Physical Systems

·       Retail & eCommerce

·       Small and Medium Sized Businesses (SMBs)

·       Startups

·       Telecoms

·       Third Sector & Charities

·       Transport & Aviation

·       Web3

Other News

• APIs attacked in 94% of companies in past year - IT Security Guru

• Over 60% of Organisations Expose SSH to the Internet - Infosecurity Magazine

• How IT and security teams can work together to improve endpoint security - Microsoft Security Blog

• Burnout and attrition impact tech teams sustaining modern digital systems - Help Net Security

• Machine learning creates a new attack surface requiring specialized defences - Help Net Security

• Cyber security lessons learned from COVID-19 pandemic (techtarget.com)

• 10 enterprise database security best practices (techtarget.com)

• Resolving Availability vs. Security, a Constant Conflict in IT (thehackernews.com)

• Tips to prevent RDP and other remote attacks on Microsoft networks | CSO Online

• 5 ways to unite security and compliance | CSO Online

• The Myth of Protection Online — and What Comes Next (darkreading.com)

• The Importance of Data Security in the Enterprise (techtarget.com)

• Who Needs Macros? | Threat Actors Pivot to Abusing Explorer and Other LOLBins via Windows Shortcuts - SentinelOne

• How IT Teams Can Use 'Harm Reduction' for Better Cyber security Outcomes (darkreading.com)

• Businesses lack visibility into run-time threats against mobile apps and APIs - Help Net Security

• Browser synchronization abuse: Bookmarks as a covert data exfiltration channel - Help Net Security

• Threats emanating from digital ecosystems can be a blind spot for businesses - Help Net Security

• Busting the Myths of Hardware Based Security - Security Affairs

• New Traffic Light Protocol standard released after five years (bleepingcomputer.com)

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

• 10,000 Organisations Targeted by Phishing Attack That Bypasses Multi-Factor Authentication

Microsoft has shared details of a widespread phishing campaign that not only attempted to steal the passwords of targeted organisations, but was also capable of circumventing multi-factor authentication (MFA) defences.

The attackers used AiTM (Attacker-in-The-Middle) reverse-proxy sites to pose as Office 365 login pages which requested MFA codes, and then use them to log into the genuine site.

According to Microsoft’s detailed report on the campaign, once hackers had broken into email inboxes via the use of stolen passwords and session cookies, they would exploit their access to launch Business Email Compromise (BEC) attacks on other targets.

By creating rules on victims’ email accounts, the attackers are able to then ensure that they maintain access to incoming email even if a victim later changes their password.

The global pandemic, and the resulting increase in staff working from home, has helped fuel a rise in the adoption of multi-factor authentication.

Cyber criminals, however, haven’t thrown in the towel when faced with MFA-protected accounts. Accounts with MFA are certainly less trivial to break into than accounts which haven’t hardened their security, but that doesn’t mean that it’s impossible.

Reverse-proxy phishing kits like Modlishka, for instance, impersonate a login page, and ask unsuspecting users to enter their login credentials and MFA code. That collected data is then passed to the genuine website – granting the cyber criminal access to the site.

As more and more people recognise the benefits of MFA, we can expect a rise in the number of cyber criminals investing effort into bypassing MFA.

Microsoft’s advice is that organisations should complement MFA with additional technology and best practices.

https://www.tripwire.com/state-of-security/featured/10000-organisations-targeted-by-phishing-attack-that-bypasses-multi-factor-authentication/

• Businesses Are Adding More Endpoints, But Can’t Manage Them All

Most enterprises struggle to maintain visibility and control of their endpoint devices, leading to increased security breaches and impaired ability to ward off outside attacks, according to a survey conducted by Ponemon Institute.

Findings show that the average enterprise now manages approximately 135,000 endpoint devices. Despite $4,252,500 of annual budget spent on endpoint protection, an average of 48 percent of devices – or 64,800 per enterprise – are at risk because they are no longer detected by the organisation’s IT department or the endpoints’ operating systems have become outdated.

Additionally, 63 percent of respondents find that the lack of visibility into their endpoints is the most significant barrier to achieving a strong security posture.

IT organisations are facing unprecedented rates of distribution point sprawl, which has grown rapidly since the onset of the COVID-19 pandemic. 61 percent of respondents say distribution points have increased in the last two years, and the average endpoint has as many as 7 agents installed for remote management, further adding to management complexity.

https://www.helpnetsecurity.com/2022/07/14/businesses-are-adding-more-endpoints/

• Ransomware Activity Resurges in Q2

Ransomware activity rose by a fifth in the last quarter, according to a report from security firm Digital Shadows.

The company, which monitors almost 90 data leak sites on the dark web, observed ransomware groups name 705 victims in Q2 2022, representing a 21% increase over last quarter’s 582. This was a resurgence in activity following a 25.3% decline quarter-on-quarter during Q1.

The LockBit ransomware group overtook Conti in victim numbers as Conti ceased operations following the leak of internal chat logs. Conti had reached almost 900 victims during its operations, but LockBit is now closing in on 1,000 after a 13% growth in activity during the quarter.

LockBit also continued to innovate, releasing version 3 of its ransomware with new features, including support for payments using the Zcash cryptocurrency. It also launched a reward program for any information on high-value targets, along with a data leak site that allows anyone to purchase victim data.

At around 230, Lockbit’s quarterly victim numbers far exceeded any other group in Q2. It was accountable for almost a third of all postings to leak sites in Q2. Conti, which had limped along for several weeks after its own data leak, managed just over 50. In third place was Alphv, which grew 118% during the quarter. Basta came in fourth.

Some other smaller groups are also growing rapidly, according to the report. Vice Society, in fifth place this quarter, doubled its activity.

https://www.infosecurity-magazine.com/news/ransomware-activity-resurges-q2/

• One-Third of Users Without Security Awareness Training Click on Phishing URLs

Phishing attacks just won't die, and new data underscores their effectiveness among users who have not been provided security awareness training.

According to data pulled from security awareness training provider KnowBe4's clients, 32.4% of users will fall for a phish — clicking on a link or following a phony request — if those users have not had any official training. The disconnect is worse in some industry sectors, including consulting, energy and utilities, and healthcare and pharmaceuticals, where half of all untrained users fall for phishing attacks.

The data was pulled from 23.4 million simulated phishing tests conducted at more than 30,000 organisations, encompassing some 9.5 million users. According to KnowBe4, 90 days after monthly or more training, the number of phishing test fails dropped to around 17.6%, and to 5% after one year of regular awareness training.

https://www.darkreading.com/remote-workforce/one-third-of-users-click-on-phishing

• Ransomware Scourge Drives Price Hikes in Cyber Insurance

Cyber security insurance costs are rising, and insurers are likely to demand more direct access to organisational metrics and measures to make more accurate risk assessments.

The rising cost of ransomware attacks is helping push significant premium increases in cyber insurance policies in the UK and US, new data shows.

With the average payouts across the past two years averaging more than $3.5 million in the US, a growing number of cyber security insurers want direct access to customer security metrics and measures. This would help prove the status of security controls, according to a Panaseer report on the state of the cyber insurance industry.

However, insurance firms are struggling to accurately understand a customer's security posture, which is in turn affecting price increases.

Panaseer notes that 82% of insurers surveyed said they expect the rise in premiums to continue. The increasing cost of ransomware is putting premiums up, and the increase in the number of attacks, as well as the number of successful attacks, means insurance is getting harder to get and is getting more expensive.

Meanwhile, 87% of insurers surveyed say they want a more consistent approach to analysing cyber-risk. Fundamentally, insurers need better information in order to price the risk — questionnaires aren't going to cut it. Having real live data coming from a customer about their security posture is what's going to be required for them to accurately price risk, in the same way that telematics did for car insurance.

https://www.darkreading.com/attacks-breaches/ransomware-scourge-drives-price-hikes-in-cyber-insurance

• Conventional Cyber Security Approaches Are Falling Short

Traditional security approaches that rely on reactive, detect-and-respond measures and tedious manual processes can’t keep pace with the volume, variety, and velocity of current threats, according to Skybox Security. As a result, 27% of all executives and 40% of CSOs say their organisations are not well prepared for today’s rapidly shifting threat landscape.

On average, organisations experienced 15% more cyber security incidents in 2021 than in 2020. In addition, “material breaches”— defined as “those generating a large loss, compromising many records, or having a significant impact on business operations” — jumped 24.5%.

The top four causes of the most significant breaches reported by the affected organisations were:

• Human error

• Misconfigurations

• Poor maintenance/lack of cyber hygiene

• Unknown assets.

https://www.helpnetsecurity.com/2022/07/14/conventional-cybersecurity-approaches/

• Virtual CISOs Are the Best Defence Against Accelerating Cyber-Risks

The cyber security challenges that companies are facing today are vast, multidimensional, and rapidly changing. Exacerbating the issue is the relentless evolution of threat actors and their ability to outmanoeuvre security controls effortlessly.

As technology races forward, companies without a full-time CISO (Chief Information Security Officer) are struggling to keep pace. For many, finding, attracting, retaining, and affording the level of skills and experience needed is out of reach or simply unrealistic. Enter the virtual CISO (vCISO). These on-demand experts provide security insights to companies on an ongoing basis and help ensure that security teams have the resources they need to be successful.

Typically, an engagement with a vCISO is long lasting, but in a fractional delivery model. This is very different from a project-oriented approach that requires a massive investment and results in a stack of deliverables for the internal team to implement and maintain. A vCISO not only helps to form the approach, define the action plan, and set the road map but, importantly, stays engaged throughout the implementation and well into the ongoing management phases.

The best vCISO engagements are long-term contracts. Typically, there's an upfront effort where the vCISO is more engaged in the first few months to establish an understanding, develop a road map, and create a rhythm with the team. Then, their support drops into a regular pace which can range from two to three days per week or five to ten days per month.

https://www.darkreading.com/careers-and-people/virtual-cisos-are-the-best-defense-against-accelerating-cyber-risks

• Firms Not Planning for Supply Chain Threats

Enterprises are failing to plan properly for supply chain risks and cyber security threats from the wider digital ecosystem, a leading technology consultancy has warned.

According to Tata Consultancy Services (TCS), firms put the risks posed by ecosystem partners at the bottom of a list of 10 key threats. CISOs and chief risk officers believed that financial systems, customer databases and R&D were the systems most likely to be targeted. Supply chain and distribution was placed in ninth.

The report, based on a survey of larger firms with annual revenues of $1bn or more, found that only 16% of chief risk officers believed the digital ecosystem was a concern when it comes to cyber risks, and only 14% said those ecosystems were a priority for board level discussions.

The research also found that a small number of enterprises fail to focus on cyber risk, with one in six boards discussing it only “occasionally, as necessary or never.” TCS found, though, that organisations with above-average profit and revenue growth were more likely to put cyber security on the agenda at board meetings.

TCS also found that enterprises view the cloud as a more secure environment than conventional data centres and on-premises systems. Additionally, the research highlighted ongoing concerns about skills and the need to attract and retain talented security staff. Firms where senior leaders focus on cyber security are more likely to be able to close the skills gap, according to the study.

https://www.infosecurity-magazine.com/news/planning-supply-chain-threats/

• Data Breach Lawsuit: Will IT Service Provider Capgemini Owe Damages?

IT service provider and consulting firm Capgemini is facing a lawsuit related to a June 2020 data breach. The plaintiff — gaming company Razer — is seeking $7 million in damages. A trial in Singapore’s High Court regarding the dispute is underway, according to Vulcan Post.

Razer claims it has suffered approximately $6.85 million in profit losses from its online website due to the data breach. Razer is pursuing damages for an unquantified sum for profit losses from the rejection of its digital bank license application.

The Razer data breach occurred due to an issue with an IT system. It may have exposed the personal information of about 100,000 Razer customers.

The Razer data breach may have occurred due to a misconfigured Elasticsearch cluster. It also was exposed to the public and indexed by public search engines and took more than three weeks to fix.

Experts from Razer and Capgemini agreed that the data breach was caused by a security misconfiguration. However, Razer now claims that a Capgemini employee recommended the IT system that led to the breach and is therefore responsible for the incident.

https://www.msspalert.com/cybersecurity-breaches-and-attacks/data-breach-lawsuit-gaming-company-razer-sues-capgemini-for-7-million/

• Security Culture: Fear of Cyber Warfare Driving Initiatives

KnowBe4, the provider of security awareness training and simulated phishing platform, has conducted a survey during Infosecurity Europe, which evaluated the opinions of nearly 200 security professionals towards security culture, or more specifically: the ideas, customs and social behaviours of an organisation that influence their security practices.

The research found the threat of cyber warfare (30%) or experiencing a data breach or cyber attack (30%) were the two biggest reasons why security professionals wanted to improve security culture at their organisations. Given the current invasion of Ukraine by Russia and the resulting cyber security warnings announced by many of the world’s leading governments, improving current cyber security efforts has continued to be a top priority for many.

The study also revealed just over two thirds (67%) answered that a strong security culture would very likely reduce the risk of security incidents, with the majority (85%) directing their efforts into both improving security awareness training and communicating values expected from employees regarding security.

However, there are many obstacles when attempting to create a strong security culture, with the main issue being a lack of budget (26%) which was followed security professionals facing indifference from fellow employees (24%) and a lack of senior management support (16%).

Interestingly, just under three quarters (73%) admitted to putting an increased effort into measuring employees understanding of security – this still leaves a considerable gap of 27% that do not, something many security professionals will want to consider closing. Thankfully, 38% agree this aspect of security culture would be an area they want to improve in their organisation. When witnessing a colleague display poor security practises, 67% of UK security experts would prefer to tell the individual discreetly, while just under a third (31%) would send the member of staff training material to review. Only 18% would report the individual to the security team.

https://www.itsecurityguru.org/2022/07/11/security-culture-fear-of-cyber-warfare-driving-initiatives/

• Cryptocurrency 'Mixers' See Record Transactions from Sanctioned Actors

Use of so-called cryptocurrency “mixers,” which combine various types of assets to mask their origin, peaked at a 30-day average of nearly $52 million worth of digital currency in April, representing an unprecedented volume of funds moving through those services, researchers at cryptocurrency research firm Chainalysis found.

A near two-fold increase in funds sent from illicit addresses has accelerated the increase, indicating that the technology that can obfuscate the currency continues to be highly attractive to cyber criminals.

Cryptocurrency mixers work by taking an individual’s cryptocurrency and combining it with a larger pool before returning units equivalent to the original amount minus a service fee to the original account. As a result, it makes it harder for law enforcement and cryptocurrency analysts to trace the currency.

Mixers aren’t solely used by criminals, but they are extremely popular with them. 10% of all funds from illicit wallets are sent to mixers, while mixers received less than 0.5% of the share of other sources of funds tracked by the firm, including decentralised finance projects.

The bulk of illicit funds transferred to mixers came from sanctioned actors, primarily Russian dark net market Hydra and more recently the Lazarus Group, a group of North Korean state-backed hackers. International law enforcement took out Hydra, which had been responsible for 80% of dark web transactions involving cryptocurrency, in May. The US Treasury’s Office of Foreign Assets Control followed with sanctions on more than 100 of its cryptocurrency addresses.

The use of mixers by North Korea state-backed hackers, and a popular mixer they employed to launder funds, made up the rest of the transfers.

https://www.cyberscoop.com/cryptocurrency-mixers-see-record-transactions-from-sanctioned-actors/

• Online Payment Fraud Expected to Cost $343B Over Next 5 Years

Despite ratcheted-up efforts to prevent account takeover, fraudsters are cashing in on a range of online payment fraud schemes, which researchers predict will cost retail organisations more than $343 billion over the next five years.

Physical good purchases are loss leaders, making up 49% of online payment fraud, driven in large part by developing markets with little address verification, according to a new Juniper Research report.

Fundamentally, no two online transactions are the same, so the way transactions are secured cannot follow a one-size-fits-all solution. Payment fraud detection and prevention vendors must build a multitude of verification capabilities, and intelligently orchestrate different solutions depending on circumstances, in order to correctly protect both merchants and users.

https://www.darkreading.com/application-security/online-payment-fraud-expected-to-cost-343b-over-5-years

Threats

Ransomware

• Largest ransom pay-outs by cyber-insurers averaged £3.2 million in the past two years – Intelligent CISO

• Risk & Repeat: Ransomware in 2022 so far (techtarget.com)

• Paying ransomware crooks won’t reduce your legal risk, warns regulator – Naked Security (sophos.com)

• Ransomware Attacks Reign Supreme in 2022 - MSSP Alert

• BlackCat (aka ALPHV) ransomware is increasing stakes up to $2.5 million in demands - Help Net Security

• New Lilith ransomware emerges with extortion site, lists first victim (bleepingcomputer.com)

• Experts warn of the new 0mega ransomware operation - Security Affairs

• Organisations Warned of New Lilith, RedAlert, 0mega Ransomware | SecurityWeek.Com

• Microsoft links H0ly Gh0st ransomware operation to North Korean hackers (bleepingcomputer.com)

• Feds Issue Warning for North Korean-backed Ransomware Hijackers - MSSP Alert

• Ransomware gang now lets you search their stolen data (bleepingcomputer.com)

• Rise in ransomware drives IT leaders to implement data encryption - Help Net Security

• BlackCat Ransomware Group Deploys Brute Ratel Pen Testing Kit - Infosecurity Magazine (infosecurity-magazine.com)

• Bandai Namco confirms hack after ALPHV ransomware data leak threat (bleepingcomputer.com)

• 1.9m patients' medical data exposed in PFC ransomware attack • The Register

Phishing & Email Based Attacks

• Email scams are getting more personal – they even fool cyber security experts (theconversation.com)

• New Phishing Attacks Shame, Scare Victims into Surrendering Twitter, Discord Credentials (darkreading.com)

• Hackers impersonate cyber security firms in callback phishing attacks (bleepingcomputer.com)

• $8 million stolen in large-scale Uniswap airdrop phishing attack (bleepingcomputer.com)

• Almost a third of untrained users will click a phishing link - KnowBe4 research - IT Security Guru

• PayPal phishing kit added to hacked WordPress sites for full ID theft (bleepingcomputer.com)

Other Social Engineering

• Rise In Smishing Scams, Why And How To Protect? (informationsecuritybuzz.com)

• How Hackers Create Fake Personas for Social Engineering (darkreading.com)

• How attackers abuse Quickbooks to send phone scam emails - Help Net Security

Malware

• Criminals are now posing as security companies to trick you into installing malware | TechRadar

Mobile

• New Android malware on Google Play installed 3 million times (bleepingcomputer.com)

• The weaponizing of smartphone location data on the battlefield - Help Net Security

Internet of Things – IoT

• Honda Admits Hackers Could Unlock Car Doors, Start Engines | SecurityWeek.Com

• Watch This $80,000 Tesla Model Y Get Hacked With $20 Hardware - autoevolution

Data Breaches/Leaks

• Fewer Individuals Fall Victim to Data Breaches as Attackers Switch to Business in 2022 - Infosecurity Magazine (infosecurity-magazine.com)

Organised Crime & Criminal Actors

• A look inside Russian cyber crime syndicate TrickBot reveals an organised, potent adversary - CyberScoop

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

• Crypto Scams Soar Despite Crash (informationsecuritybuzz.com)

• Cryptocurrency flowing into “mixers” hits an all-time high. Wanna guess why? | Ars Technica

• Falling Cryptocurrency Market Stalling Cyber Crime Activity - Infosecurity Magazine (infosecurity-magazine.com)

• Hackers stole $620 million from Axie Infinity via fake job interviews (bleepingcomputer.com)

Insider Risk and Insider Threats

• Joshua Schulte Convicted of Leaking CIA 'Vault 7' to Wikileaks (gizmodo.com)

Fraud, Scams & Financial Crime

• New Phishing Kit Hijacks WordPress Sites for PayPal Scam (darkreading.com)

Insurance

• Cyber Insurers Looking for New Risk Assessment Models - Infosecurity Magazine (infosecurity-magazine.com)

• How War Impacts Cyber Insurance | Threatpost4

• The cyber insurance market has a critical infrastructure problem - CyberScoop

Supply Chain and Third Parties

• 3 Golden Rules of Modern Third-Party Risk Management (darkreading.com)

Denial of Service DoS/DDoS

• Mantis, the tiny shrimp that launched 3,000 DDoS attacks • The Register

Identity and Access Management

• Report: Financial Institutions Overly Complacent About Current Authentication Methods (darkreading.com)

• Access Permissions: Manual Reviews Less Effective than Automation, Netwrix Study Finds - MSSP Alert

Encryption

• What to do now about tomorrow’s code-cracking computers | The Economist

Social Media

• Facebook 2FA scammers return – this time in just 21 minutes – Naked Security (sophos.com)

• Disneyland Social Media Hacked - IT Security Guru

Training, Education and Awareness

• Accessible Cyber security Awareness Training Reduces Your Risk of Cyber Attack (darkreading.com)

Privacy

• New Cache Side Channel Attack Can De-Anonymize Targeted Online Users (thehackernews.com)

• Amazon handed Ring video to police without warrant, consent • The Register

• TikTok Chief Security Officer Steps Down Amid Concerns About Privacy (businessinsider.com)

Regulations, Fines and Legislation

• Proposed SEC Rules Require More Transparency About Cyber-Risk (darkreading.com)

Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine

• Ukraine's Cyber Agency Reports Q2 Cyber-Attack Surge - Infosecurity Magazine (infosecurity-magazine.com)

• Cyber espionage groups increasingly target journalists and media organisations | CSO Online

• Sandworm APT Trolls Researchers on Its Trail as It Targets Ukraine (darkreading.com)

• The Man at the Centre of the New Cyber World War - POLITICO

• How War Impacts Cyber Insurance | Threatpost

• Lithuanian Energy Firm Disrupted by DDOS Attack - Infosecurity Magazine (infosecurity-magazine.com)

• Security vendor splits to address Russia’s war in Ukraine • The Register

• Apple previews Lockdown Mode, a new extreme security feature | ZDNet

Nation State Actors

Nation State Actors – North Korea

• ‘Nobody is holding them back’ — North Korean cyber-attack threat rises (cointelegraph.com)

• North Korean threat actor targets small and midsize businesses with H0lyGh0st ransomware - Microsoft Security Blog

Nation State Actors – Misc APT

• APT groups target journalists and media organisations since 2021 - Security Affairs

Vulnerability Management

• Rethinking Vulnerability Management in a Heightened Threat Landscape | Threatpost

• Using shields up to secure credentials and mitigate vulnerabilities (scmagazine.com)

• The enemy of vulnerability management? Unrealistic expectations - Help Net Security

Vulnerabilities

• DHS warns: Expect Log4j risks for 'a decade or longer' • The Register

• Microsoft's Patch Tuesday fixes one bug under active exploit • The Register

• Multiple Vulnerabilities in Adobe Products Could Allow for Arbitrary Code Execution (cisecurity.org)

• CISA orders agencies to patch new Windows zero-day used in attacks (bleepingcomputer.com)

• Flaw in Netwrix Auditor application allows arbitrary code execution - Security Affairs

• Elastix VoIP systems hacked in massive campaign to install PHP web shells (bleepingcomputer.com)

• Hackers Targeting VoIP Servers by Exploiting Digium Phone Software (thehackernews.com)

• Microsoft Teams security vulnerability left users open to XSS via flawed stickers feature | The Daily Swig (portswigger.net)

• Anvil Mobile Hit By New Exploit - DNS Hijacking. (informationsecuritybuzz.com)

• Microsoft Issues Fixes for 84 Vulnerabilities: Here's What to Patch Now (darkreading.com)

• Patch these Juniper Networks bugs, CISA says • The Register

• Buggy WordPress plugin allows complete site takeover • The Register

• VMware patches vCenter Server flaw disclosed in November (bleepingcomputer.com)

• Vulnerabilities that could allow undetectable infections affect 70 Lenovo laptop models | Ars Technica

• AMD, Intel chips vulnerable to 'Retbleed' Spectre variant • The Register

• Microsoft fixes dozens of Azure Site Recovery privilege escalation bugs (bleepingcomputer.com)

• Microsoft releases PoC exploit for macOS sandbox escape vulnerability (bleepingcomputer.com)

• AWS squashes authentication bugs in Kubernetes service • The Register

• Lenovo fixes trio of UEFI vulnerabilities • The Register

Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in. 

• Automotive

• Construction

• Critical National Infrastructure (CNI)

• Defence & Space

• Education & Academia

• Energy & Utilities

• Estate Agencies

• Financial Services

• FinTech

• Food & Agriculture

• Gaming & Gambling

• Government & Public Sector (including Law Enforcement)

• Health/Medical/Pharma

• Hotels & Hospitality

• Insurance

• Legal

• Manufacturing

• Maritime

• Oil, Gas & Mining

• OT, ICS, IIoT, SCADA & Cyber-Physical Systems

• Retail & eCommerce

• Small and Medium Sized Businesses (SMBs)

• Startups

• Telecoms

• Third Sector & Charities

• Transport & Aviation

• Web3

Reports Published in the Last Week

State of Authentication in the Finance Industry 2022 | HYPR

Online Payment Fraud Market Report 2022-27: Size, Share, Trends (juniperresearch.com)

Other News

5 key considerations for your 2023 cyber security budget planning | CSO Online

What Are the Risks of Employees Going on a 'Hybrid Holiday'? (darkreading.com)

New ‘Luna Moth’ hackers breach orgs via fake subscription renewals (bleepingcomputer.com)

Experian accounts could still be at risk from hackers | TechRadar

Cyber security skills surpass cloud skills as this year's training priority, if professionals can find the time | ZDNet

Average American Accesses Suspicious Sites 6.5 Times a Day - Infosecurity Magazine (infosecurity-magazine.com)

Mergers and acquisitions are a strong zero-trust use case • The Register

Recruitment agency Morgan Hunt confirms 'cyber incident' • The Register

New Exploit Attacks UK Routers and Runs Up Mobile Data Bills - ISPreview UK

How Attackers Could Dupe Developers into Downloading Malicious Code From GitHub (darkreading.com)

CEO of Dozens of Companies Charged in Scheme to Traffic An Estimated $1bn in Fake Cisco Devices - Infosecurity Magazine (infosecurity-magazine.com)

Data breaches explained: Types, examples, and impact | CSO Online

President of European Central Bank Christine Lagarde targeted by hackers - Security Affairs

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

• Fifth of Businesses Say Cyber Attack Nearly Broke Them

A fifth of US and European businesses have warned that a serious cyber attack nearly rendered them insolvent, with most (87%) viewing compromise as a bigger threat than an economic downturn, according to Hiscox.

The insurer polled over 5000 businesses in the US, UK, Ireland, France, Spain, Germany, the Netherlands and Belgium to compile its annual Hiscox Cyber Readiness Report.

It revealed the potentially catastrophic financial damage that a serious cyber-attack can wreak. The number claiming to have nearly been brought down by a breach increased 24% compared to the previous year.

Nearly half (48%) of respondents said they suffered an attack over the past 12 months, a 12% increase from the previous report’s findings. Perhaps unsurprisingly, businesses in seven out of eight countries see cyber as their biggest threat.

Yet perception appears to vary greatly depending on whether an organisation has suffered a serious compromise or not. While over half (55%) of total respondents said they view cyber as a high-risk area, the figure among companies that have not yet suffered an attack is just 36%.

https://www.infosecurity-magazine.com/news/fifth-of-businesses-cyber-attack/

• Weak Security Controls and Practices Routinely Exploited for Initial Access

Cyber actors routinely exploit poor security configurations (either misconfigured or left unsecured), weak controls, and other poor cyber hygiene practices to gain initial access or as part of other tactics to compromise a victim’s system. A joint Cybersecurity Advisory by the cyber security authorities of the United States, Canada, New Zealand, the Netherlands, and the United Kingdom identifies commonly exploited controls and practices and includes best practices to mitigate the issues.

Malicious cyber actors often exploit the following common weak security controls, poor configurations, and poor security practices to employ the initial access techniques.

• Multifactor authentication (MFA) is not enforced

• Incorrectly applied privileges or permissions and errors within access control lists

• Software is not up to date

• Use of vendor-supplied default configurations or default login usernames and passwords

• Remote services, such as a virtual private network (VPN), lack sufficient controls to prevent unauthorised access

• Strong password policies are not implemented

• Cloud services are unprotected

• Open ports and misconfigured services are exposed to the internet

• Failure to detect or block phishing attempts

• Poor endpoint detection and response.

https://www.cisa.gov/uscert/ncas/alerts/aa22-137a

• How Do Ransomware Attacks Impact Victim Organisations’ Stock?

Ransomware has developed into an extremely lucrative business model with little risk involved for the threat actors. Couple this with the willingness of most victim organisations to pay the ransom demand under the assumption it will return business operations to normal - ultimately encouraging more attacks - and we have a big problem with no easy remedies.

Back in 2021, Cybereason published a report titled Ransomware Attacks and the True Cost to Business that revealed the various costs that organisations face after falling victim to a ransomware attack. Here are some of the most significant findings that stood out:

• Two-thirds of ransomware victims said that they endured a significant loss of revenue following the attack

• More than half (53%) of organisations suffered damage to their brand and reputation after a ransomware infection

• A third of those who fell to ransomware lost C-level talent in the attack’s aftermath

• Three in 10 organisations had no choice but to lay off employees due to the financial pressures resulting from a ransomware incident

• A quarter of ransomware victims said that they needed to suspend operations.

https://www.msspalert.com/cybersecurity-guests/how-do-ransomware-attacks-impact-victim-organizations-stock/

• Prioritise Patching Vulnerabilities Associated with Ransomware

In the last quarter, ransomware attacks have made mainstream headlines on a near-daily basis, with groups like Lapsus$ and Conti’s names splashed across the page. Major organisations like Okta, Globant and Kitchenware maker Meyer Corporation have all fallen victim, and they are very much not alone. The data indicates that increasing vulnerabilities, new advanced persistent threat (APT) groups and new ransomware families are contributing to ransomware’s continued prevalence and profitability.

The top stats include:

• 22 new vulnerabilities and nine new weaknesses have been associated with ransomware since January 2022; of the 22, a whopping 21 are considered of critical or high risk severity

• 19 (out of 22) of the newly-added vulnerabilities are associated with the Conti ransomware gang

• Three new APT groups (Exotic Lily, APT 35, DEV-0401) and four new ransomware families (AvosLocker, Karma, BlackCat, Night Sky) are deploying ransomware to attack their targets

• 141 of CISA’s Known Exploited Vulnerabilities (KEVs) are being used by ransomware operators – including 18 newly identified this quarter

• 11 vulnerabilities tied to ransomware remain undetected by popular scanners

• 624 unique vulnerabilities were found within the 846 healthcare products analysed.

https://www.helpnetsecurity.com/2022/05/19/increase-ransomware-vulnerabilities/

• Researchers Warn of Advanced Persistent Threats (APTs), Data Leaks as Serious Threats Against UK Financial Sector

Researchers say that geopolitical tension, ransomware, and cyber attacks using stolen credentials threaten the UK's financial sector.

KELA's security team published a report examining the cyber security issues and attacks that surfaced in 2021 and early 2022, specifically focused on the United Kingdom's banks and other financial services.

The UK was one of the first countries to stand with Ukraine after the invasion by Russia. This could make UK organisations a tempting target for threat actors siding with Russia - whether by state-sponsored advanced persistent threat (APT) groups or hacktivists. The National Cyber Security Centre (NCSC) previously warned businesses to shore up their cyber security following Russia's assault.

APTs are often responsible for attacking the financial sector: account credentials, card numbers, and the personally identifiable information (PII) of customers are useful not only in social engineering and identity theft but also to make fraudulent purchases or for card cloning.

APTs target organisations worldwide, and those located in the UK are no exception. Over the past few years, APTs, including the Chinese APT40 and APT31, have utilised vulnerabilities, including ProxyLogon, to compromise UK businesses.

"In general, APTs may target the financial sector to commit fraud, burglarise ATMs, execute transactions, and penetrate organisations' internal financial systems," KELA says. "Although specific threats to the UK financial sector have not been identified, there is no doubt that the UK has occasionally been a target of APT groups during 2021."

Exposed corporate information and leaked credentials are also of note. After browsing Dark Web forums, the researchers found that UK data is "in demand" by cyber criminals who are seeking PII, access credentials, and internal data.

https://www.zdnet.com/article/researchers-warn-of-apts-data-leaks-as-serious-threats-against-uk-financial-sector/

• Remote Work Hazards: Attackers Exploit Weak WiFi, Endpoints, and the Cloud

Infoblox unveils a global report examining the state of security concerns, costs, and remedies. As the pandemic and uneven shutdowns stretch into a third year, organisations are accelerating digital transformation projects to support remote work. Meanwhile, attackers have seized on vulnerabilities in these environments, creating more work and larger budgets for security teams.

1,100 respondents in IT and cyber security roles in 11 countries – United States, Mexico, Brazil, United Kingdom, Germany, France, the Netherlands, Spain, United Arab Emirates, Australia, and Singapore – participated in the survey.

The surge in remote work has changed the corporate landscape significantly – and permanently. 52% of respondents accelerated digital transformation projects, 42% increased customer portal support for remote engagement, 30% moved apps to third party cloud providers, and 26% shuttered physical offices for good. These changes led to the additions of VPNs and firewalls, a mix of corporate and employee owned devices as well as cloud and on-premises DDI servers to manage data traffic across the expanded network.

The hybrid workforce reality is causing greater concerns with data leakage, ransomware and attacks through remote access tools and cloud services. Respondents indicate concerns about their abilities to counter increasingly sophisticated cyber attacks with limited control over employees, work-from-home technologies, and vulnerable supply chain partners. The sophistication of state-sponsored malware also is a source of worry for many.

Organisations have good reason to worry: 53% of respondents experienced up to five security incidents that led to at least one breach.

https://www.helpnetsecurity.com/2022/05/17/state-of-security/

• Small Businesses Under Fire from Password Stealers

Password-stealing malware and other cyber attacks have increased significantly against small businesses over the past year, according to Kaspersky researchers.

An assessment released this week detailed the number of Trojan Password Stealing Ware (PSW) detections, internet attacks and attacks on Remote Desktop Protocol (RDP) between January and April 2022, compared with the same time frame from 2021. Kaspersky's research showed a jump in the detection of password stealers within small business environments, as well as increases in other types of cyber attacks.

According to Kaspersky, the biggest increase in threats against small businesses was password stealers, specifically Trojan PSWs. There were nearly 1 million more detected Trojan PSWs targeting small and medium-sized businesses in the first trimester of 2022 than the first of 2021, increasing from 3,029,903 to 4,003,323.

https://www.techtarget.com/searchsecurity/news/252518442/Small-businesses-under-fire-from-password-stealers

• Email Is the Riskiest Channel for Data Security

Research from Tessian and the Ponemon Institute reveals that nearly 60% of organisations experienced data loss or exfiltration caused by an employee mistake on email in the last 12 months.

Email was revealed as the riskiest channel for data loss in organisations, as stated by 65% of IT security practitioners. This was closely followed by cloud file-sharing services (62%) and instant messaging platforms (57%).

The research surveyed 614 IT security practitioners across the globe to also reveal that:

• Employee negligence, because of not following policies, is the leading cause of data loss incidents (40%)

• 27% of data loss incidents are caused by malicious insiders

• It takes up to three days for security and risk management teams to detect and remediate a data loss and exfiltration incident caused by a malicious insider on email

• 23% of organisations experience up to 30 security incidents involving employees’ use of email every month (for example, email was sent to an unintended recipient).

The most common types of confidential and sensitive information lost or intentionally stolen include: customer information (61%); intellectual property (56%); and consumer information (47%). User-created data (sensitive email content, text files, M&A documents), regulated data (credit card data, Social Security numbers, national ID numbers, employee data), and intellectual property were identified as the three types of data that are most difficult to protect from data loss.

The top two consequences for data loss incidents were revealed as non-compliance with data protection regulations (57%) and damage to an organisation’s reputation (52%). Furthermore, a previous study from Tessian found that 29% of businesses lost a client or customer because of an employee sending an email to the wrong person.

https://www.helpnetsecurity.com/2022/05/20/data-loss-email/

• Phishing Attacks for Initial Access Surged 54% in Q1

Threat actors doubled down on their use of phishing emails as an initial attack vector during the first quarter of 2022 — and in many cases then used that access to drop ransomware or to extort organisations in other ways.

Researchers from Kroll recently analysed data gathered from security incidents they responded to in the first three months of this year. The analysis showed a 54% increase in incidents of phishing for initial access compared with the same period last year.

For the first time since Microsoft disclosed the so-called ProxyLogon set of vulnerabilities in Exchange Server in the first quarter of 2021, incidents tied to email compromises surpassed those related to ransomware. Kroll described the sharp increase in phishing activity as likely the result of a surge in activity tied to Emotet and IceID malware — threat actors have been using both to drop other malware.

https://www.darkreading.com/risk/phishing-attacks-for-initial-access-surged-q1

• Fears Grow for Smaller Nations After Ransomware Attack on Costa Rica Escalates

Conti demanded $20M in ransom — and the overthrow of the government.

It’s been a rough start for the newly elected Costa Rica president Rodrigo Chaves, who less than a week into office declared his country “at war” with the Conti ransomware gang.

“We’re at war and this is not an exaggeration,” Chaves told local media. “The war is against an international terrorist group, which apparently has operatives in Costa Rica. There are very clear indications that people inside the country are collaborating with Conti.”

Conti’s assault on the Costa Rican government began in April. The country’s Finance Ministry was the first hit by the Russia-linked hacking group, and in a statement on May 16, Chaves said the number of institutions impacted had since grown to 27. This, he admitted, means civil servants wouldn’t be paid on time and will impact the country’s foreign trade.

In a message posted to its dark web leaks blog, Conti urged the citizens of Costa Rica to pressure their government to pay the ransom, which the group doubled from an initial $10 million to $20 million. In a separate statement, the group warned: “We are determined to overthrow the government by means of a cyber attack, we have already shown you all the strength and power.”

Conti is among the most prolific hacking groups. The FBI warned earlier this year that the gang was among “the three top variants” that targeted businesses in the United States, and it has been blamed for ransomware attacks targeting dozens of businesses, including Fat Face, Shutterfly and the Irish healthcare service.

But Conti has picked up its pace in recent months: In January and February it published 31 victims on its leaks blog. In March and April, it posted 133 victims.

https://techcrunch.com/2022/05/20/costa-rica-ransomware-attack/

Threats

Ransomware

• Ransomware Gangs Rely More on Weaponizing Vulnerabilities (bleepingcomputer.com)

• Ransomware Gang Extorted 725 BTC in One Attack, On-Chain Sleuths Find (coindesk.com)

• 5 Critical Questions to Test Your Ransomware Preparedness - Help Net Security

• “Alarming” Surge in Conti Group Activity This Year - Infosecurity Magazine

• Why AI-Powered Ransomware Cyber Attacks Could Be Coming Soon - Protocol

• Nikkei Says Customer Data Likely Impacted in Ransomware Attack | SecurityWeek.Com

• Wizard Spider Hackers Hire Cold Callers to Scare Ransomware Victims Into Paying Up | ZDNet

• Greenland Hit by Cyber Attack, Finds Its Health Service Crippled (bitdefender.com)

• Conti Ransomware Shuts Down Operation, Rebrands into Smaller Units (bleepingcomputer.com)

• No One Is Slowing Down BlackByte Ransomware Gang • The Register

• President Rodrigo Chaves says Costa Rica is at war with Conti hackers - BBC News

• Engineering Firm Parker Discloses Data Breach After Ransomware Attack (bleepingcomputer.com)

• US links Thanos and Jigsaw ransomware to 55-year-old doctor (bleepingcomputer.com)

• Russian Conti Ransomware Gang Threatens to Overthrow New Costa Rican Government (thehackernews.com)

Phishing & Email Based Attacks

• This Phishing Attack Delivers Three Forms of Malware. And They All Want to Steal Your Data | ZDNet

• HTML Attachments Remain Popular Among Phishing Actors In 2022 (bleepingcomputer.com)

• Chatbot Army Deployed in Latest DHL Shipping Phish (darkreading.com)

• Phishing Gang That Stole Over 400,000 Euros Busted in Spain (tripwire.com)

• Long Lost @ Symbol Gets New Life Obscuring Malicious URLs | Malwarebytes Labs

• Spanish Police Dismantle Phishing Gang That Emptied Bank Accounts (bleepingcomputer.com)

Malware

• Emotet is the Most Common Malware - Help Net Security

• Microsoft Identifies Botnet Variant Targeting Windows and Linux Systems - Infosecurity Magazine

• Activity of the Linux XorDdos bot increased by 254% over the last 6 monthsSecurity Affairs

• Fake Domains Offer Windows 11 Installers - But Deliver Malware Instead | ZDNet

• Bruised but Not Broken: The Resurgence of the Emotet Botnet Malware (trendmicro.com)

• Malicious PyPI Pymafka Package Opens Backdoors On Windows, Linux, and Macs (bleepingcomputer.com)

• April VMware Bugs Abused to Deliver Mirai Malware, Exploit Log4Shell | Threatpost

Mobile

• 6 Scary Tactics Used in Mobile App Attacks (darkreading.com)

• Researchers Find Potential Way to Run Malware on iPhone Even When it's OFF (thehackernews.com)

• Google TAG: Cytrox's Predator Spyware Used to Target Android Users | WIRED

IoT

• New Bluetooth Hack Could Let Attackers Remotely Unlock Smart Locks and Cars (thehackernews.com)

Data Breaches/Leaks

• Cornwall Council Data Breach - Information Security Buzz

• Pharmacy Giant Hit By Data Breach Affecting 3.6 Million Customers - Infosecurity Magazine

Organised Crime & Criminal Actors

• Ukrainian Hacker Jailed for 4-Years in U.S. for Selling Access to Hacked Servers (thehackernews.com)

• US Recovers a Record $15m from the 3ve Ad-Fraud Crew • The Register

Cryptocurrency/Cryptomining/Cryptojacking/NFTs

• How Cryptocurrencies Enable Attackers and Defenders (techtarget.com)

• Monero-Mining Sysrv Botnet Targets Windows, Linux Web Servers • The Register

• US Brings First-Of-Its-Kind Bitcoin Sanctions-Busting Case • The Register

• Fake Pixelmon NFT Site Infects You with Password-Stealing Malware (bleepingcomputer.com)

• Hackers Compromise a String of NFT Discord Channels (vice.com)

Fraud, Scams & Financial Crime

• Popularity Of Online Payment Goes Hand-In-Hand with Fraud - Help Net Security

Supply Chain and Third Parties

• MITRE Creates Framework for Supply Chain Security (darkreading.com)

• The Four Horsemen of Software Supply Chain Attacks - MSSP Alert

• Recovering From a Cyber Security Earthquake: The Lessons Organisations Must Learn - Help Net Security

Cloud/SaaS

• 7 Key Findings from the 2022 SaaS Security Survey Report (thehackernews.com)

• New Research Identifies Poor IAM Policies as The Greatest Cloud Vulnerability - CyberScoop

• Are You Investing in Securing Your Data in the Cloud? (thehackernews.com)

• 380K Kubernetes API Servers Exposed to Public Internet | Threatpost

Open Source

• The Industry Must Better Secure Open Source Code From Threat Actors (darkreading.com)

Privacy

• How To Ensure That the Smart Home Doesn’t Jeopardize Data Privacy? - Help Net Security

• Privacy. Ad Bidders Haven't Heard of It, Report Reveals • The Register

• Third-Party Web Trackers Log What You Type Before Submitting (bleepingcomputer.com)

Passwords & Credential Stuffing

• The Most Insecure and Easily Hackable Passwords - Help Net Security

• Half of IT Leaders Store Passwords in Shared Docs - Infosecurity Magazine

Cyber Bullying and Cyber Stalking

• UK Sextortion Cases Doubled in 2021 - Infosecurity Magazine

Regulations, Fines and Legislation

• Europe Moves Closer to Stricter Cyber Security Standards • The Register

• EU's NIS 2 Directive to Strengthen Cyber Security Requirements For Companies - Help Net Security

Spyware, Espionage & Cyber Warfare, including Russian Invasion of Ukraine

• Google TAG: Cytrox's Predator Spyware Used to Target Android Users | WIRED

• Britain can legally launch cyber attacks against hostile states, says Attorney General (telegraph.co.uk)

• How Mobile Networks Have Become a Front in the Battle for Ukraine (darkreading.com)

• China-linked Twisted Panda Caught Spying on Russian R&D Orgs • The Register

• Pro-Russian Hackers Spread Hoaxes to Divide Ukraine, Allies | SecurityWeek.Com

• A custom PowerShell RAT Targets Germany Using Crisis in Ukraine as Bait - Security Affairs

Nation State Actors

Nation State Actors – Russia

• Putin Promises to Bolster Russia's IT Security in Face of Cyber Attacks | Reuters

• Russian Hackers Declare War On 10 Countries After Failed Eurovision DDoS attack | IT PRO

• Pro-Russian Information Operations Escalate in Ukraine War (darkreading.com)

• Russian Undersea Cable Threat Shifts Tech Business to UK (telegraph.co.uk)

• Russians Allegedly Storm Ukrainian ISP, Blackmail It to Switch To Russian Networks - CyberScoop

• Russia-linked Sandworm Continues to Conduct Attacks Against Ukraine - Security Affairs

• Russian Cyber Attack on Eurovision Foiled By Italian Authorities (bitdefender.com)

• This Russian Botnet Does Far More Than DDoS Attacks - And on A Massive Scale | ZDNet

Nation State Actors – China

• Chinese ‘Space Pirates’ are Hacking Russian Aerospace Firms (bleepingcomputer.com)

Nation State Actors – North Korea

• FBI Warns of North Korean Spies Posing as Foreign IT Workers • The Register

Nation State Actors – Iran

• US Charges Venezuelan Doctor with Selling Ransomware Used By Iranian Group | Reuters

Vulnerability Management

• APTs Overwhelmingly Share Known Vulnerabilities Rather Than Attack O-Days | Threatpost

• How Micropatching Could Help Close the Security Update Gap (techtarget.com)

• Partial Patching Still Provides Strong Protection Against APTs (darkreading.com)

Vulnerabilities

• QNAP Urges Users to Update NAS Devices to Prevent Deadbolt Ransomware Attacks (thehackernews.com)

• Cisco Fixes an IOS XR Flaw Actively Exploited in The Wild - Security Affairs

• 2 Vulnerabilities With 9.8 Severity Ratings Are Under Exploit. A 3rd Looms | Ars Technica

• Microsoft Rushes a Fix After May Patch Tuesday Breaks Authentication (darkreading.com)

• Microsoft Fixes New PetitPotam Windows NTLM Relay Attack Vector (bleepingcomputer.com)

• Apple Patches Zero-Day Kernel Hole and Much More – Update Now! – Naked Security (sophos.com)

• Two Business-Grade Netgear VPN Routers Have Security Vulnerabilities That Can't Be Fixed - Help Net Security

• SharePoint RCE Bug Resurfaces Three Months After Being Patched by Microsoft | The Daily Swig (portswigger.net)

• High-Severity Bug Reported in Google's OAuth Client Library for Java (thehackernews.com)

• Over 20,000 Zyxel Firewalls Still Exposed to Critical Bug - Infosecurity Magazine

• Apple Fixes the Sixth Zero-Day Since The Beginning of 2022 - Security Affairs

• Apache Releases Security Advisory for Tomcat | CISA

• Mozilla Patches Wednesday’s Pwn2Own Double-Exploit… on Friday! – Naked Security (sophos.com)

• Critical Vulnerability in Premium WordPress Themes Allows for Site Takeover | Threatpost

• Critical Jupiter WordPress Plugin Flaws Let Hackers Take Over Sites (bleepingcomputer.com)

• Apple Finally Patches Exploited Vulnerabilities in macOS Big Sur, Catalina | SecurityWeek.Com

• NVIDIA Fixes Ten Vulnerabilities in Windows GPU Display Drivers (bleepingcomputer.com)

• Gmail-Linked Facebook Accounts Vulnerable to Attack Using A Chain Of Bugs—Now Fixed | Malwarebytes Labs

• New Brute Force Attacks Against SQL Servers Use PowerShell Wrapper | SecurityWeek.Com

Sector Specific

Retail/eCommerce

• How Crooks Backdoor Sites and Scrape Credit Card Info • The Register

• Digital Skimming is Now the Preserve of Non-Magecart Groups - Infosecurity Magazine

Energy & Utilities

• Water Companies Are Increasingly Uninsurable Due To Ransomware, Industry Execs Say - CyberScoop

• UK Announces Nuclear Cyber Security Strategy - IT Security Guru

Education and Academia

• Ransomware Attack Exposes Data of 500,000 Chicago Students (bleepingcomputer.com)

• Higher Education Institutions Being Targeted for Ransomware Attacks | TechRepublic

• “Incompetent” Council Leaks Details of Students With Special Educational Needs • Graham Cluley

• Researchers Find Backdoor in School Management Plugin for WordPress (thehackernews.com)

Reports Published in the Last Week

• Q2 2022 State of Fraud & Account Security Report - Arkose Labs

• 2022 SaaS Security Survey Report (adaptive-shield.com)

• 2021-2022 UK Financial Sector Dark Web Threat Landscape Report - Kela (ke-la.com)

Other News

• UK Government: Lack of Skills the Number One Issue in Cyber Security - Infosecurity Magazine

• Malicious Hackers Are Finding It Too Easy to Achieve Their Initial Access (tripwire.com)

• NIST’s Cyber Security Framework Has Become The Common Language For International Cyber Security (scmagazine.com)

• How Threat Actors Are a Click Away From Becoming Quasi-APTs (darkreading.com)

• Cyber Security: Global Food Supply Chain at Risk From Malicious Hackers - BBC News

• Cyber Security Agencies Reveal Top Initial Access Attack Vectors (bleepingcomputer.com)

• 50% of Orgs Rely on Email to Manage Security (darkreading.com)

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

• Why Ransomware Attacks Prefer Small Business Targets Rather Than Rich Enterprises

Enterprise businesses with 25,000 employees+ are less likely to get hit by a ransomware attack than smaller businesses — even though big companies typically can afford to pay higher ransoms, the 2022 CyberEdge Cyberthreat Defense Report concluded.

What explains hackers taking aim at small businesses more frequently than enterprise giants?  The answer: Damaging a critical infrastructure facility or similar disruptions are certain to catch the eye of federal law enforcement, or national governments — something that no hacker wants, CyberEdge said. Smaller to medium-sized firms, as it turns out, get hit more frequently by ransomware attacks, on average at roughly 70 percent, the report said.

Overall, some 71 percent of organisations have been bitten by ransomware in 2022, up a point and a half from last year and by 8.5 points in 2020. It’s companies of 10,000 to 24,999 employees that are the sweet spot for ransomware hackers, nearly 75 percent of which are victimised by cyber extortionists.

The extensive study, which surveyed 1,200 security decision makers and practitioners employed by companies of greater than 500 people in 17 countries across 19 industries, is geared to helping gauge their internal practices and investments against those of their counterparts in other parts of the world.

https://www.msspalert.com/cybersecurity-research/why-ransomware-attacks-prefer-small-business-targets-rather-than-rich-enterprises/

• Ransomware Plagues Finance Sector as Cyber Attacks Get More Complex

Cyber criminals have evolved from hacking wire transfers to targeting market data, as ransomware continues to hit financial firms, says a new VMware report. Here's what to do about it.

Ransomware plagues financial institutions as they face increasingly complex threats over previous years owing to the changing behaviour of cyber criminal cartels, according to VMware's latest Modern Bank Heists report.

This has happened as the cyber crime cartels have evolved beyond wire transfer frauds to target market strategies, take over brokerage accounts, and island-hop into banks, according to the report.

For the report, VMware surveyed 130 financial sector CISOs and security leaders from across different regions including North America, Europe, Asia Pacific, Central and South America, and Africa.

Report findings were consistent with observations by other security experts. "The Secret Service, in its investigative capacity to protect the nation's financial payment systems and financial infrastructure, has seen an evolution and increase in complex cyber-enabled fraud," says Jeremy Sheridan, former assistant director at the US Secret Service. "The persistent, inadequate security of systems connected to the internet provides opportunity and methodology."

https://www.csoonline.com/article/3657875/ransomware-plagues-finance-sector-as-cyberattacks-get-more-complex.html

• 76% of Organisations Worldwide Expect to Suffer a Cyber Attack This Year

Ransomware, phishing/social engineering, denial of service (DoS) attacks, and the business fallout of a data breach rank as the top concerns of global organisations, a new study shows.

The newly published Cyber Risk Index, a study by Trend Micro and the Ponemon Institute, shows that more than three-quarters of global organisations expect to suffer a cyber attack in the next 12 months — 25% of which say an attack is "very likely."

More than 80% of the 3,400 CISO and IT professionals and managers surveyed say their organisations were hit with one or more successful cyber attacks in the past 12 months, and 35% suffered seven or more attacks, according to the report, which covers the second half of 2021.

https://www.darkreading.com/attacks-breaches/76-of-organizations-worldwide-expect-to-suffer-a-cyberattack-this-year

• Most Email Security Approaches Fail to Block Common Threats

A full 89 percent of organisations experienced one or more successful email breaches during the previous 12 months, translating into big-time costs.

On overwhelming number of security teams believe their email security systems to be ineffective against the most serious inbound threats, including ransomware.

That’s according to a survey of business customers using Microsoft 365 for email commissioned by Cyren and conducted by Osterman Research, which examined concerns with phishing, business email compromise (BEC), and ransomware threats, attacks that became costly incidents, and preparedness to deal with attacks and incidents.

“Security team managers are most concerned that current email security solutions do not block serious inbound threats (particularly ransomware), which requires time for response and remediation by the security team before dangerous threats are triggered by users,” according to the report, released Wednesday.

Less than half of those surveyed said that their organisations can block delivery of email threats. And, correspondingly, less than half of organisations rank their currently deployed email security solutions as effective.

https://threatpost.com/email-security-fail-block-threats/179370/

• Financial Leaders Grappling with More Aggressive and Sophisticated Attack Methods

VMware released a report which takes the pulse of the financial industry’s top CISOs and security leaders on the changing behaviour of cyber criminal cartels and the defensive shift of the financial sector.

The report found that financial institutions are facing increased destructive attacks and falling victim to ransomware more than in years past, as sophisticated cyber crime cartels evolve beyond wire transfer fraud to now target market strategies, take over brokerage accounts and island hop into banks.

In the Modern Bank Heists report, 63% of financial institutions admitted experiencing an increase in destructive attacks, with cyber criminals leveraging this method as a means to burn evidence as part of a counter incident response.

Additionally, 74% experienced at least one ransomware attack over the past year, with 63% paying the ransom. When asked about the nation-state actors behind these attacks, the majority of financial instructions stated that Russia posed the greatest concern, as geopolitical tension continues to escalate in cyberspace.

https://www.helpnetsecurity.com/2022/04/21/cybercriminal-cartels-financial-sector/

• Hackers Sneak Malware into Resumes Sent to Corporate Hiring Managers

A new set of phishing attacks delivering the ‘more_eggs’ malware has been observed striking corporate hiring managers with bogus resumes as an infection vector, a year after potential candidates looking for work on LinkedIn were lured with weaponised job offers.

"This year the more_eggs operation has flipped the social engineering script, targeting hiring managers with fake resumes instead of targeting jobseekers with fake job offers," eSentire's research and reporting lead, Keegan Keplinger, said in a statement.

The Canadian cyber security company said it identified and disrupted four separate security incidents, three of which occurred at the end of March. Targeted entities include a US-based aerospace company, an accounting business located in the UK, a law firm, and a staffing agency, both based out of Canada.

The malware, suspected to be the handiwork of a threat actor called Golden Chickens (aka Venom Spider), is a stealthy, modular backdoor suite capable of stealing valuable information and conducting lateral movement across the compromised network.

"More_eggs achieves execution by passing malicious code to legitimate windows processes and letting those windows processes do the work for them," Keplinger said. The goal is to leverage the resumes as a decoy to launch the malware and sidestep detection.

https://thehackernews.com/2022/04/hackers-sneak-moreeggs-malware-into.html

• West Warns of Russian Cyber Attacks as Concerns Rise Over Putin’s Nuclear Rhetoric

Cyber crime groups have publicly pledged support for Russia, western officials worry about Putin’s reliance on nuclear threats and the battle for Mariupol in Ukraine grinds on.

The US and four of its closest allies have warned that “evolving intelligence” shows that Russia is contemplating cyber attacks on countries backing Ukraine, as the Kremlin’s frustration grows at its failure to make military gains.

Vladimir Putin used the launch on Wednesday of a powerful new Sarmat intercontinental ballistic missile (ICBM), capable of carrying ten or more warheads, to make nuclear threats against western countries.

The Sarmat has long been in development and test flights were initially due to start in 2017. The Pentagon confirmed that the US had been given notice of the test and was not alarmed. Western officials are more concerned by the increasing emphasis Moscow puts on its nuclear arsenal as its conventional forces have faltered in Ukraine.

The Ukrainian army continued to put up resistance in the besieged and devastated city of Mariupol, but Putin’s Chechen ally, Ramzan Kadyrov, predicted that the last stand of the port’s defenders at the Azovstal steel works would fall on Thursday.

The Kremlin has made repeated threats against the many countries that have been supplying Ukraine’s army with modern weapons, and members of the “Five Eyes” intelligence sharing network – the US, Britain, Canada, Australia and New Zealand – predicted Moscow could also work with cyber crime groups to launch attacks on governments, institutions and businesses.

https://www.theguardian.com/world/2022/apr/21/west-warns-of-russian-cyber-attacks-as-concerns-rise-over-putins-nuclear-rhetoric

• Criminals Adopting New Methods To Bypass Improved Defences, Says Zscaler

The number of phishing attacks worldwide jumped 29 percent last year as threat actors countered stronger enterprise defences with newer methods, according to researchers with Zscaler's ThreatLabz research team.

Cyber criminals have adapted to multi-factor authentication (MFA), employee security awareness training, and security controls by broadening who and where they will attack.

While the United States remained the country with the most phishing attempts, others are seeing faster growth in the number of incidents – exploiting new vectors like SMS and lowering the barrier of entry for launching attacks through pre-built tools made available on the market.

"Phishing attacks continue to remain one of the most prevalent attack vectors, often serving as a starting point for more advanced next stage attacks that may result in a large-scale breach," Deepen Desai, CISO and vice president of security research and operations at Zscaler, told The Register.

https://www.theregister.com/2022/04/20/phishing-attempts-on-rise-zscaler/

• Cyber Criminals Are ‘Drinking the Tears’ of Ukrainians

In biology, when an insect drinks the tears of a large creature, it is called lachryphagy. And in cyberspace, malicious actors are likewise “drinking tears” by exploiting humanitarian concerns about the war in Ukraine for profit. Different forms of deception include tricking people into donating to bogus charities, clicking on Ukraine-themed malicious links and attachments, and even impersonating officials to extort payment for rescuing loved ones.

It is an unfortunate reality that cyber opportunists are engaging in lachryphagy to exploit humanitarian concerns about the war for profit or data collection. To date, one of the largest cryptocurrency scams involving fraudulent Ukrainian relief payments totalled $50 million in March, the Wall Street Journal reports.

Immediately following Russia’s invasion of Ukraine, cybersecurity companies warned the public that criminals were preying on Ukrainian relief fundraising efforts with cryptocurrency scams. Bitdefender Labs reports that cyber criminals have impersonated Ukrainian government entities and charitable organisations such as UNICEF, and the Australian humanitarian agency, Act for Peace. “Some [scammers] are even pretending to be Wladimir Klitschko, whose brother Vitali is mayor of Ukraine’s capital, Kyiv,” according to the BBC.

https://thehill.com/opinion/cybersecurity/3273636-cyber-criminals-are-drinking-the-tears-of-ukrainians/?rl=1

• Hackers For Hire Attempt to Destroy Hedge Fund Manager's Reputation

Hackers bombarded a British hedge fund manager with 3,000 emails and fake news stories about his mortgage in an effort to destroy his reputation after being hired by a corporate rival.

Criminals even sought to gain personal information about Matthew Earl by pretending to be his sister in a three-year campaign when he raised concerns over the controversial German payments company Wirecard.

Mr Earl, a former City analyst who runs the hedge fund ShadowFall, said he was targeted by a group called Dark Basin.

This group has been linked to Aviram Azari, who this week pleaded guilty in New York to a conspiracy to target journalists and critics of Wirecard using phishing emails.

Mr Earl said the hacking attempts started in 2016 after ShadowFall, nicknamed the “dark destroyer” in the City, criticised the financial performance of Wirecard. The German company was later mired in a series of accounting scandals and went bust.

He said: “I was being sent very targeted emails, which were crafted with personal information about my interests, friends and family’s details. They were very specific.”

Mr Earl received news stories that appeared to be from media outlets such as Reuters and Bloomberg. Another email appeared to be sent by his sister, sharing family photographs, he added.

https://www.telegraph.co.uk/business/2022/04/21/reign-terror-hackers-hire-ramp-corporate-espionage/

• New Threat Groups and Malware Families Emerging

Mandiant announced the findings of an annual report that provides timely data and insights based on frontline investigations and remediations of high-impact cyber attacks worldwide. The 2022 report––which tracks investigation metrics between October 1, 2020 and December 31, 2021—reveals over 1,100 new threat groups and 733 new malware families.

The report also notes a realignment and retooling of China cyber espionage operations to align with the implementation of China’s 14th Five-Year Plan in 2021. The report warns that the national-level priorities included in the plan “signal an upcoming increase in China-nexus actors conducting intrusion attempts against intellectual property or other strategically important economic concerns, as well as defence industry products and other dual-use technologies over the next few years.”

https://www.helpnetsecurity.com/2022/04/22/adversaries-innovating-and-adapting/

Economic Warfare: Attacks on Critical Infrastructure Part of Geopolitical Conflict

We’ve known for years that since at least March of 2016, Russian government threat actors have been targeting multiple U.S. critical infrastructure sectors including the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors. The Department of Homeland Security (DHS), the Federal Bureau of Investigations (FBI), and other agencies have acknowledged this for quite some time in many of their technical alerts and statements.

In the intervening years, with the acceleration of digital transformation, cyber criminals and nation-state actors have increasingly set their sights on these sectors. The convergence of physical and digital assets brings competitive advantage but also inevitable risks. Attacks against hospitals, oil pipelines, food supply chains, and other critical infrastructure, have brought into sharp focus the vulnerability of cyber-physical systems (CPS) and the impact on lives and livelihoods when they are disrupted. Now, overwhelming signs indicate critical infrastructure companies are in the bullseye of geopolitical conflict.

https://www.securityweek.com/economic-warfare-attacks-critical-infrastructure-part-geopolitical-conflict

Threats

Ransomware

• How Ready Are Organisations to Manage and Recover From A Ransomware Attack? - Help Net Security

• FBI: BlackCat Ransomware Breached At Least 60 Entities Worldwide (bleepingcomputer.com)

• Ransomware: This Gang Is Getting a Lot Quicker at Encrypting Networks | ZDNet

• Hive Hackers Are Exploiting Microsoft Exchange Servers in Ransomware Spree | ZDNet

• REvil's TOR Sites Come Alive to Redirect To New Ransomware Operation (bleepingcomputer.com)

• PYSA Ransomware Attacks: Here's What MSSPs Need to Know - MSSP Alert

• An Investigation of the BlackCat Ransomware via Trend Micro Vision One

• REvil Resurrected? Ransomware Crew Appears to Be Back • The Register

• FBI Warning: Ransomware Gangs Are Going After This Lucrative but Unexpected Target | ZDNet

Phishing & Email Based Attacks

• LinkedIn Brand Takes Lead as Most Impersonated In Phishing Attacks (bleepingcomputer.com)

• FBI Warns of 'Reverse' Instant Payments Phishing Schemes | SecurityWeek.Com

• Spreading Malware Through Community Phishing - Help Net Security

Malware

• Windows Malware Can Steal Social Media Credentials and Banking Logins (komando.com)

• Emotet Botnet Switches to 64-bit Modules, Increases Activity (bleepingcomputer.com)

• New SolarMarker Malware Variant Using Updated Techniques to Stay Under the Radar (thehackernews.com)

• Emotet Reestablishes Itself at The Top Of The Malware World • The Register

Mobile

• Millions of Android Users at Risk Of Attack After Widespread Security Issue Uncovered | TechRadar

BYOD

• 60% of Companies using BYOD Face Serious Security Risks - Help Net Security

IoT

• How to Secure Smart Home (IOT) Devices | Reviews by Wirecutter (nytimes.com)

• New Stealthy BotenaGo Malware Variant Targets DVR Devices (bleepingcomputer.com)

Organised Crime & Criminal Actors

• Russian Hackers Are Seeking Alternative Money-Laundering Options (bleepingcomputer.com)

• How Russia Is Isolating Its Own Cyber Criminals (darkreading.com)

Cryptocurrency/Cryptomining/Cryptojacking

• Hackers Hammer SpringShell Vulnerability In Attempt To Install Cryptominers | Ars Technica

• Beanstalk DeFi Platform Loses $182 Million In Flash-Loan Attack (bleepingcomputer.com)

• Yet Another Phishing Attack? Terra Users Lose $4.3 Million, According To Security Firm (watcher.guru)

• Hackers Steal $655K After Picking MetaMask Seed from iCloud Backup (bleepingcomputer.com)

• LemonDuck Botnet Plunders Docker Cloud Instances in Cryptocurrency Crime Wave | ZDNet

Fraud, Scams & Financial Crime

• Security Lessons From a Payment Fraud Attack (darkreading.com)

• Scammers Snatch Up Expired Domains, Vexing Google | TechCrunch

Insurance

• Cyber Insurance and the Changing Global Risk Environment - Security Affairs

Dark Web

• Experts Spotted Industrial Spy, A New Stolen Data Marketplace - Security Affairs

Supply Chain and Third Parties

• Strength in Unity: Why It's Especially Important to Strengthen Your Supply Chain Now (darkreading.com)

• More Than Half of Initial Infections in Cyber Attacks Come Via Exploits, Supply Chain Compromises (darkreading.com)

Cloud

• IT Leaders Require Deeper Security Insights to Confidently Manage Multi-Cloud Workloads - Help Net Security

• Rethinking Cyber-Defence Strategies in the Public-Cloud Age | Threatpost

• Cyber Criminals Are Shifting Their Gaze To Kubernetes - Information Security Buzz

Passwords & Credential Stuffing

• What Is Peppering in Password Security and How Does It Work? (makeuseof.com)

Digital Transformation

• The Price of An Accelerated Digital Transformation - Help Net Security

Spyware, Espionage & Cyber Warfare, including Russian Invasion of Ukraine

• Moving Towards Defence in Depth Under The Grey Skies Of Conflict - Help Net Security

• Locked Shields ‘Live Fire’ Cyber Drills to be Held as War in Ukraine Continues - Bloomberg

• Russian-Linked Shuckworm Crew Ups Attacks on Ukraine • The Register

• Russian Gamaredon APT Continues to Target Ukraine - Security Affairs

• Phishing Attacks Using the Topic "Azovstal" Targets Entities in Ukraine - Security Affairs

• Hackers Claim to Target Russia with Cyber Attacks and Leaks - The New York Times (nytimes.com)

• The Anonymous Collective Hacked Other Russian Organisations - Security Affairs

• Spyware Was Used Against Catalan Targets and UK Prime Minister and Foreign Office | CSO Online

• Stalkerware Detection Trends: Monitor and Spyware Findings - MSSP Alert

• Catalan Chief Accuses Spain's Intelligence Agency of Hacking | SecurityWeek.Com

• Anomaly 6 Tracked NSA and CIA Spies as Product Demo: Report (gizmodo.com)

Nation State Actors

Nation State Actors – Russia

• Five Eyes Nations Warn of Russian Cyber Attacks Against Critical Infrastructure (thehackernews.com)

• NATO Locked Shields War Games Prep for Real Russian Cyber Attack (gizmodo.com)

• The Russian Cyber Threat Is Here to Stay and NATO Needs To Understand It | Fox News

• A Russian Cyber Attack Is Coming —Lawmakers and Citizens Must Prepare | The Hill

• US Officials Increase Warnings About Russian Cyber-Attacks - Infosecurity Magazine

• Work From Home Software 'At Risk of Russian Cyber Attacks' (telegraph.co.uk)

• US Officials Preparing for Potential Russian Cyber Attacks - CBS News

• After Foiled Sandworm Attack, US Critical Infrastructure Should Stand Guard | CSO Online

Nation State Actors – China

• Chinese Hackers Behind Most Zero-Day Exploits During 2021 (bleepingcomputer.com)

Nation State Actors – North Korea

• North Korea Funds Nuclear Program with Cyber Crime- IT Security Guru

• North Korea Aims 'TraderTraitor' Malware at Cryptocurrency Workers (cyberscoop.com)

• Blockchain Companies Warned of North Korean Hackers - IT Security Guru

Nation State Actors – Misc

• State Actors Drive Record Number of Zero-Day Exploits in 2021 - Infosecurity Magazine

Vulnerability Management

• Vulnerabilities That Kept Security Leaders Busy in Q1 2022 - Help Net Security

• How Fast Do Cyber Criminals Capitalize on New Security Weaknesses? - Help Net Security

• Zero-Day Exploit Use Exploded in 2021 (darkreading.com)

Vulnerabilities

• VMware, Chrome Flaws Added to Known Exploited Vulnerabilities Catalogue - Security Affairs

• Hackers Exploiting Recently Reported Windows Print Spooler Vulnerability in the Wild (thehackernews.com)

• Cisco Releases Security Patches for TelePresence, RoomOS and Umbrella VA (thehackernews.com)

• Time to get patching: Oracle's quarterly Critical Patch Update arrives with 520 fixes | ZDNet

• 7-Zip Zero-Day Vulnerability Grants Privilege Escalation | TechSpot

• When “Secure” Isn’t Secure at All: High‑Impact UEFI Vulnerabilities Discovered in Lenovo Consumer Laptops | WeLiveSecurity

• QNAP Warns of New Bugs in Its Network Attached Storage Devices – Naked Security (sophos.com)

• Cisco Umbrella Default SSH Key Allows Theft of Admin Credentials (bleepingcomputer.com)

• Researcher Releases PoC for Recent Java Cryptographic Vulnerability (thehackernews.com)

• Critical Cryptographic Java Security Blunder Patched – Update Now! – Naked Security (sophos.com)

• Atlassian Drops Patches for Critical Jira Authentication Bypass Vulnerability (thehackernews.com)

• Unpatched Bug in RainLoop Webmail Could Give Hackers Access to all Emails (thehackernews.com)

• Zero-Day Exploits Found And Disclosed Hit A Record High In 2021, Google Project Zero says - CyberScoop

Sector Specific

Financial Services Sector

• Modern Bank Heists 5.0: The Escalation from Dwell to Destruction (vmware.com)

• Two-Thirds of Global Banks Witness Surge in Destructive Attacks - Infosecurity Magazine

FinTech

• Ransomware in Fintech: Cyber Criminals Adopt New Means as Theft Gives Way To Sabotage - Help Net Security

Health/Medical/Pharma Sector

• The New Cyberthreat To Healthcare: Killware - Information Security Buzz

• Many Medical Device Makers Skimp on Security Practices (darkreading.com)

Transport and Aviation

• Cyber-Attackers Hit Sunwing Airlines - Infosecurity Magazine (infosecurity-magazine.com)

Reports Published in the Last Week

• Modern Bank Heist 5.0 (vmware.com)

• 3 Key Takeaways from the 2022 ConnectWise MSP Threat Report - MSSP Alert

• Discover The Anatomy of An External Cyber Attack Surface With New RiskIQ Report - Microsoft Security Blog

Other News

• Why Companies Should Make ERP Security a Top Priority (techtarget.com)

• The Evolving Role of The Lawyer in Cyber Security - Help Net Security

• Cyber Security Litigation Risks: 4 Top Concerns for CISOs | CSO Online

• Ponemon Research - Businesses to Invest $172b On Cyber Security In 2022 - Information Security Buzz

• T-Mobile Admits Lapsus$ Hackers Gained Access to its Internal Tools and Source Code (thehackernews.com)

• Funkypigeon.com Suspends Orders After 'Cyber Security Incident' | Business News | Sky News

• The SEC Is About To Force CISOs Into America’s Boardrooms (forbes.com)

• Data Breaches, Ransomware Attacks Leave Security Teams “Exhausted” - MSSP Alert

• When Attacks Surge, Turn to Data to Strengthen Detection and Response | SecurityWeek.Com

• What Can Someone Do with Your IP Address? (makeuseof.com)

• Attacker Accessed Dozens of Repositories After OAuth Token Theft - Information Security Buzz

• 7 Best Practices for Web3 Security Risk Mitigation (techtarget.com)

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.