Threat Intelligence Blog
Contact us to discuss any insights from our Blog, and how we can support you in a tailored threat intelligence report.
Black Arrow Cyber Threat Briefing 05 August 2022
Black Arrow Cyber Threat Briefing 05 August 2022
-Average Cost of Data Breaches Hits Record High of $4.35 Million: IBM
-Researchers Warns of Large-Scale Adversary-in-the-Middle (AiTM) Attacks Targeting Enterprise Users
-UK NHS Suffers Outage After Cyber Attack on Managed Service Provider
-A Third of Organisations Experience a Ransomware Attack Once a Week
-Ransomware Products, Services Ads on Dark Web Show Clues to Danger
-Wolf In Sheep’s Clothing, How Malware Tricks Users and Antivirus
-Microsoft Accounts Targeted with New MFA-Bypassing Phishing Kit
-Cyber Attack Prevention Is Cost-Effective, So Why Aren’t Businesses Investing to Protect?
-Securing Your Move to the Hybrid Cloud
-Lessons from the Russian Cyber Warfare Attacks
-Four Sneaky Attacker Evasion Techniques You Should Know About
-Zero-Day Defence: Tips for Defusing the Threat
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
Average Cost of Data Breaches Hits Record High of $4.35 Million: IBM
The global average cost of data breaches reached an all-time high of $4.35 million in 2022 compared with $4.24 million in 2021, according to a new IBM Security report. About 60% of the breached organisations raised product and services prices due to the breaches.
The annual report, conducted by Ponemon Institute and analysed and sponsored by IBM Security, is based on the analysis of real-world data breaches experienced by 550 organisations globally between March 2021 and March 2022.
According to the report, about 83% of the organisations have experienced more than one breach in their lifetime, with nearly half of the costs reported to be incurred more than a year after the breach.
The report revealed that ransomware and destructive attacks represented 28% of breaches among the critical infrastructure organisations studied, indicating that threat actors are specifically targeting the sector to disrupt global supply chains. The critical infrastructure sector includes financial services, industrial, transportation, and healthcare companies.
Researchers Warns of Large-Scale Adversary-in-the-Middle (AiTM) Attacks Targeting Enterprise Users
A new, large-scale phishing campaign has been observed using adversary-in-the-middle (AitM) techniques to get around security protections and compromise enterprise email accounts.
It uses a technique capable of bypassing multi-factor authentication. The campaign is specifically designed to reach end users in enterprises that use Microsoft's email services.
Prominent targets include fintech, lending, insurance, energy, manufacturing, and federal credit union verticals located in the US, UK, New Zealand, and Australia.
This is not the first time such a phishing attack has come to light. Last month, Microsoft disclosed that over 10,000 organisations had been targeted since September 2021 by means of AitM techniques to breach accounts secured with multi-factor authentication (MFA).
The ongoing campaign, effective June 2022, commences with an invoice-themed email sent to targets containing an HTML attachment, which includes a phishing URL embedded within it.
https://thehackernews.com/2022/08/researchers-warns-of-large-scale-aitm.html
UK NHS Suffers Outage After Cyber Attack on Managed Service Provider
The UK National Health Service (NHS) 111 emergency services were affected by a significant and ongoing outage triggered by a cyber attack that hit the systems of British managed service provider (MSP) Advanced.
Advanced's Adastra client patient management solution, which is used by 85% of NHS 111 services, was hit by a major outage together with several other services provided by the MSP, according to a status page.
"There was a major outage of a computer system that is used to refer patients from NHS 111 Wales to out-of-hours GP providers," the Welsh Ambulance Services said. "This system is used by Local Health Boards to coordinate these services for patients. The ongoing outage is significant and has been far-reaching, impacting each of the four nations in the UK."
The UK public was advised to access the NHS 111 emergency services using the online platform until the incident is resolved.
While no details were provided regarding the nature of the cyber attack, based on the wording, it is likely that this was a ransomware or data extortion attack.
A Third of Organisations Experience a Ransomware Attack Once a Week
Ransomware attacks show no sign of slowing. According to new research published by Menlo Security, a third of organisations experience a ransomware attack at least once a week, with one in 10 experiencing them more than once a day.
The research, conducted among 500+ IT security decision makers at US and UK organisations with more than 1,000 employees, highlights the impact this is having on security professionals’ own wellbeing. When asked what keeps them awake at night, 41% of respondents say they worry about ransomware attacks evolving beyond their team’s knowledge and skillset, while 39% worry about them evolving beyond their company’s security capabilities.
Their biggest concern, however, is the risk of employees ignoring corporate security advice and clicking on links or attachments containing malware (46%). Respondents worry more about this than they do their own job security, with just a quarter (26%) of respondents worried about losing their job.
According to the report, around half of organisations (61% US and 44% UK) have been the victim of a successful ransomware attack in the last 18 months, with customers and prospects the most likely entry point for an attack.
Partners/suppliers and employees/contractors are also seen as serious security risks, although one in 10 admit they are unable to identify how the attacks got in. The top three ransomware attack vectors are email (54%), web browsers via a desktop or laptop (49%) and mobile devices (39%).
https://www.helpnetsecurity.com/2022/08/04/organizations-experience-ransomware-attack/
Ransomware Products and Services Ads on Dark Web Show Clues to Danger
Why is ransomware’s destructive potential so daunting? Some clues are in the “for sale” ads. In an examination of some 35 million dark web URLs, a provider of machine identity management and a forensic specialist found some 475 web pages peddling sophisticated ransomware products and services with a number of high profile crews hawking ransomware-as-a-service.
The work is a joint effort between the Salt Lake City-based Venafi and Forensic Pathways, which took place between November 2021 and March 2022. Researchers used Forensic’s Dark Search Engine to carry out the investigation.
Here are some of the research findings:
87% of the ransomware found on the dark web has been delivered via malicious macros to infect targeted systems.
30 different “brands” of ransomware were identified within marketplace listings and forum discussions.
Many strains of ransomware being sold — such as Babuk, GoldenEye, Darkside/BlackCat, Egregor, HiddenTear and WannaCry — have been successfully used in high-profile attacks.
Ransomware strains used in high-profile attacks command a higher price for associated services. For example, the most expensive listing was $1,262 for a customised version of Darkside ransomware, which was used in the Colonial Pipeline ransomware attack.
Source code listings for well-known ransomware generally command higher price points. For example, Babuk source code is listed for $950 and Paradise source code is selling for $593.
Ransomware Sold for as Little as $1: In addition to a variety of ransomware at various price points, a wide range of services and tools that help make it easier for attackers with minimal technical skills to launch ransomware attacks are for sale on the dark web, Venafi said. Services with the greatest number of listings include those offering source code, build services, custom development services and ransomware packages that include step-by-step tutorials.
Wolf In Sheep’s Clothing: How Malware Tricks Users and Antivirus
One of the primary methods used by malware distributors to infect devices is by deceiving people into downloading and running malicious files, and to achieve this deception, malware authors are using a variety of tricks.
Some of these tricks include masquerading malware executables as legitimate applications, signing them with valid certificates, or compromising trustworthy sites to use them as distribution points.
According to VirusTotal, a security platform for scanning uploaded files for malware, some of these tricks are happening on a much larger scale than initially thought.
The platform has compiled a report presenting stats from January 2021 until July 2022, based on the submission of two million files daily, illustrating trends in how malware is distributed.
Abusing legitimate domains: Distributing malware through legitimate, popular, and high-ranking websites allows threat actors to evade IP-based blocklists, enjoy high availability, and provide a greater level of trust.
Using stolen code-signing certificates: Signing malware samples with valid certificates stolen from companies is a reliable way to evade AV detection and security warnings on the host. Of all the malicious samples uploaded to VirusTotal between January 2021 and April 2022, over a million were signed, and 87% used a valid certificate.
Disguised as popular software: Masquerading a malware executable as a legitimate, popular application has seen an upward trend in 2022. Victims download these files thinking they’re getting the applications they need, but upon running the installers, they infect their systems with malware. The most mimicked applications are Skype, Adobe Acrobat, VLC, and 7zip.
Lacing legitimate installers - Finally, there’s the trick of hiding malware inside legitimate application installers and running the infection process in the background while the real apps execute in the foreground. Based on VirusTotal stats, this practice also appears to be on the rise this year, using Google Chrome, Malwarebytes, Windows Updates, Zoom, Brave, Firefox, ProtonVPN, and Telegram as lures.
Microsoft Accounts Targeted with New MFA-Bypassing Phishing Kit
A new large-scale phishing campaign targeting credentials for Microsoft email services use a custom proxy-based phishing kit to bypass multi-factor authentication.
Researchers believe the campaign's goal is to breach corporate accounts to conduct BEC (business email compromise) attacks, diverting payments to bank accounts under their control using falsified documents.
The phishing campaign's targets include fin-tech, lending, accounting, insurance, and Federal Credit Union organisations in the US, UK, New Zealand, and Australia.
The campaign was discovered by Zscaler's ThreatLabz researchers, who report that the operation is still ongoing, and the phishing actors register new phishing domains almost daily.
Starting in June 2022, Zscaler's analysts noticed a spike in sophisticated phishing attempts against specific sectors and users of Microsoft email services.
Some of the newly registered domains used in the campaign are typo-squatted versions of legitimate domains.
Notably, many phishing emails originated from the accounts of executives working in these organisations, whom the threat actors most likely compromised earlier.
Cyber Attack Prevention Is Cost-Effective, So Why Aren’t Businesses Investing to Protect?
Cyber attacks like ransomware, BEC scams and data breaches are some of the key issues businesses are facing today, but despite the number of high-profile incidents, many boardrooms are reluctant to free up budget to invest in the cyber security measures necessary to avoid becoming the next victim.
In a Help Net Security interview, Former Pentagon Chief Strategy Officer Jonathan Reiber, VP Cyber security Strategy and Policy, AttackIQ, discusses how now, more than ever, companies need to protect themselves from cyber threat actors. He offers insight for CISOs, from talking to the Board to proper budget allocation.
https://www.helpnetsecurity.com/2022/08/01/cyberattack-prevention-investing/
Securing Your Move to the Hybrid Cloud
The combination of private and public cloud infrastructure, which most organisations are already using, poses unique security challenges. There are many reasons why organisations adopt the public cloud, from enabling rapid growth without the burden of capacity planning to leveraging flexibility and agility in delivering customer-centric services. However, this use can leave companies open to threats.
Since regulatory requirements or other preferences dictate that certain applications remain on private (on-prem) infrastructure, many organisations choose to maintain a mix of private and public infrastructure. Additionally, organisations typically use multiple cloud providers simultaneously or preserve the option to move between providers. However, this hybrid approach presents unique and diverse security challenges. Different cloud providers and private cloud platforms may offer similar capabilities but different ways of implementing security controls, along with disparate management tools.
The question then becomes: How can an organisation maintain consistent governance, policy enforcement and controls across different clouds? And how can it ensure that it maintains its security posture when moving between them? Fortunately, there are steps professionals can take to ensure that applications are continuously secure, starting from the early stages of development and extending throughout the lifecycle.
https://threatpost.com/secure-move-cloud/180335/
Lessons from the Russian Cyber Warfare Attacks
Cyber warfare tactics may not involve tanks and bombs, but they often go hand-in-hand with real combat.
The Russian invasion of Ukraine is a prime example. Before Russian troops crossed the border, Russian hackers had already taken down Ukrainian government websites. And after the conflict started, the hacktivist group Anonymous turned the tables by hacking Russian media to shut down propaganda about the war.
In these unprecedented times of targeted attacks against governments and financial institutions, every organisation should be on heightened alert about protecting their critical infrastructure and digital attack surface.
With the Russia-Ukraine conflict as a backdrop, two Trend Micro security experts recently discussed cyber warfare techniques and how they’re an important reminder for every business to proactively manage cyber risk.
https://www.trendmicro.com/en_us/ciso/22/h/russian-cyber-warfare-attacks.html
Four Sneaky Attacker Evasion Techniques You Should Know About
Remember those portrayals of hackers in the 80s and 90s where you just knew when you got pwned? A blue screen of death, a scary message, a back-and-forth text exchange with a hacker—if you got pwned in a movie in the 80s and 90s, you knew it right off the bat.
What a shame that today’s hackers have learned to be quiet when infiltrating an environment. Sure, “loud” attacks like ransomware still exist, but threat actors have learned that if they keep themselves hidden, they can usually do far more damage. For hackers, a little stealth can go a long way. Some attack tactics are inherently quiet, making them arguably more dangerous as they can be harder to detect. Here are four of these attack tactics you should know about.
Trusted Application Abuse: Attackers know that many people have applications that they inherently trust, making those trusted applications the perfect launchpad for cyber attacks. Threat actors know that defenders and the tools they use are often on the hunt for new malware presenting itself in environments. What isn’t so easy to detect is when the malware masquerades under legitimate applications.
Trusted Infrastructure Abuse: Much like trusted application abuse, trusted infrastructure abuse is the act of using legitimate, publicly hosted services and toolsets (such as Dropbox or Google Drive) as part of the attack infrastructure. Threat actors know that people tend to trust Dropbox and Google Drive. As a result, this makes these tools a prime means for threat actors to carry out malicious activity. Threat actors often find trusted infrastructure abuse easy because these services aren’t usually blocked at an enterprise’s gateway. In turn, outbound communications can hide in plain sight.
Obfuscation: Although cyber security has more than its fair share of tedious acronyms, the good news is that many terms can be broken down by their generic dictionary definitions. According to dictionary.com, this is what obfuscate means: “To make something unclear, obscure or difficult to understand.” And that’s exactly what it means in cyber security: finding ways to conceal malicious behaviour. In turn, this makes it more difficult for analysts and the tools they use to flag suspicious or malicious activity.
Persistence: Imagine writing up documentation using your computer, something you may well do in your role. You’ve spent a ton of time doing the research required, finding the right sources and compiling all your information into a document. Now, imagine not hitting save on that document and losing it as soon as you reboot your computer. Sound like a nightmare—or perhaps a real anxiety-inducing experience you’ve been through before? Threat actors agree. And that’s why they establish persistence. They don’t want all of their hard work to get into your systems in the first place to be in vain just because you restart your computer. They establish persistence to make sure they can still hang around even after you reboot.
Zero-Day Defence: Tips for Defusing the Threat
Because they leave so little time to patch and defuse, zero-day threats require a proactive, multi-layered approach based on zero trust.
The recent Atlassian Confluence remote code execution bug is just the latest example of zero-day threats targeting critical vulnerabilities within major infrastructure providers. The specific threat, an Object-Graph Navigation Language (OGNL) injection, has been around for years but took on new significance given the scope of the Atlassian exploit. And OGNL attacks are on the rise.
Once bad actors find such a vulnerability, proof-of-concept exploits start knocking at the door, seeking unauthenticated access to create new admin accounts, execute remote commands, and take over servers. In the Atlassian case, Akamai's threat research team identified that the number of unique IP addresses attempting these exploits grew to more than 200 within just 24 hours.
Defending against these exploits becomes a race against time worthy of a 007 movie. The clock is ticking and you don't have much time to implement a patch and "defuse" the threat before it's too late. But first you need to know that an exploit is underway. That requires a proactive, multi-layered approach to online security based on zero trust.
What do these layers look like? There are a number of different practices that security teams — and their third-party Web application and infrastructure partners — should be aware of.
https://www.darkreading.com/attacks-breaches/zero-day-defense-tips-for-defusing-the-threat
Threats
Ransomware
Reported ransomware attacks are just the tip of the iceberg. That's a problem for everyone | ZDNet
Initial Access Brokers - Key to Rise In Ransomware Attacks (informationsecuritybuzz.com)
Ransomware gangs are hitting roadblocks, but aren't stopping (yet) - Help Net Security
LockBit Ransomware Abuses Windows Defender for Payload Loading | SecurityWeek.Com
German Chambers of Industry and Commerce hit by 'massive' cyber attack (bleepingcomputer.com)
Ransomware Task Force releases SMB blueprint for defence and mitigation (scmagazine.com)
German semiconductor giant Semikron says hackers encrypted its network | TechCrunch
Ransomware Hit on European Pipeline & Energy Supplier Encevo Linked to BlackCat (darkreading.com)
Luxembourg Energy Company Hit by Ransomware | SecurityWeek.Com
Spanish research agency still recovering after ransomware attack (bleepingcomputer.com)
Phishing & Email Based Attacks
Countdown Clock Puts Pressure on Phishing Targets - Infosecurity Magazine
The most impersonated brand in phishing attacks? Microsoft - Help Net Security
Open Redirect Flaw Snags Amex, Snapchat User Data | Threatpost
A new malware threat is spying on users' Gmail inbox — do this before you're next | Laptop Mag
Massive New Phishing Campaign Targets Microsoft Email Service Users (darkreading.com)
North Korean Hackers Use Browser Extension to Spy on Gmail and AOL Accounts - Infosecurity Magazine
Other Social Engineering; SMishing, Vishing, etc
Malware
VirusTotal Reveals Most Impersonated Software in Malware Attacks (thehackernews.com)
Gootkit Loader Resurfaces with Updated Tactic to Compromise Targeted Computers (thehackernews.com)
Woody RAT: A new feature-rich malware spotted in the wild | Malwarebytes Labs
New IoT RapperBot Malware Targeting Linux Servers via SSH Brute-Forcing Attack (thehackernews.com)
New Linux malware brute-forces SSH servers to breach networks (bleepingcomputer.com)
Attackers cause Discord discord with malicious npm packages • The Register
Gootkit AaaS malware is still active and uses updated tactics - Security Affairs
Mobile
Facebook finds new Android malware used by APT hackers (bleepingcomputer.com)
Google Patches Critical Android Bluetooth Flaw in August Security Bulletin - Infosecurity Magazine
Banking trojan finds new routes to accounts by infiltrating Google Play Store (scmagazine.com)
Internet of Things – IoT
Organised Crime & Criminal Actors
Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain
Nearly $200 Million Stolen from Cryptocurrency Bridge Nomad | SecurityWeek.Com
Crypto firm that promised security loses $200 million in 'frenzied free-for-all' hack | PC Gamer
Nomad to crooks: Keep 10% as a bounty, return the rest • The Register
Cyber attackers Drain Nearly $6M From Solana Crypto Wallets (darkreading.com)
Man robbed of $800,000 in cryptocurrency sues Google • The Register
Insider Risk and Insider Threats
Fraud, Scams & Financial Crime
UK Branded Europe’s “Capital of Card Fraud” - Infosecurity Magazine
Huge network of 11,000 fake investment sites targets Europe (bleepingcomputer.com)
Online payment fraud losses accelerate at an alarming rate - Help Net Security
COMMENT: 'Hi Mum, Hi Dad' Scams On The Rise - Britons Already (informationsecuritybuzz.com)
Increase in Fake Tickets Being Sold by Cyber criminals on Social Media - IT Security Guru
AML/CFT/Sanctions
Dark Web
A Ransomware Explosion Fosters Thriving Dark Web Ecosystem (darkreading.com)
The popularity of Dark Utilities 'C2-as-a-Service' rapidly increases - Security Affairs
Software Supply Chain
Cloud/SaaS
Cyber attackers Increasingly Target Cloud IAM as a Weak Link (darkreading.com)
What Worries Security Teams About the Cloud? (darkreading.com)
Who Has Control: The SaaS App Admin Paradox (thehackernews.com)
Enterprises face a multitude of barriers to securing diverse cloud environments - Help Net Security
Open Source
Passwords, Credential Stuffing & Brute Force Attacks
Hackers stole passwords for accessing 140,000 payment terminals | TechCrunch
Credential Canaries Create Minefield for Attackers (darkreading.com)
5 reasons why businesses should never use consumer-grade password managers | TechRadar
Social Media
Hackers Exploit Twitter Vulnerability to Exposes 5.4 Million Accounts (thehackernews.com)
Parliament shuts down TikTok account over China data security concerns (telegraph.co.uk)
Over 3,200 Apps Leak Twitter API Keys, Some Allowing Account Hijacks (informationsecuritybuzz.com)
Increase in Fake Tickets Being Sold by Cyber criminals on Social Media - IT Security Guru
Privacy
Cyber Bullying and Cyber Stalking
Regulations, Fines and Legislation
Most companies are unprepared for CCPA and GDPR compliance - Help Net Security
Data privacy: Collect what you need, protect what you collect | CSO Online
India scraps data protection law, promises better successor • The Register
Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine
Ukraine takes down 1,000,000 bots used for disinformation (bleepingcomputer.com)
Nancy Pelosi ties Chinese cyber-attacks to Taiwan visit • The Register
Spanish Research Center Suffers Cyber attack Linked to Russia | SecurityWeek.Com
Russian organisations attacked with new Woody RAT malware (bleepingcomputer.com)
Greek intelligence spied on journalist with a surveillance spyware - Security Affairs
Rare Pegasus screenshots depict NSO Group's spyware capabilities | AppleInsider
Nation State Actors
Nation State Actors – Russia
Nation State Actors – China
Chinese hackers use new Cobalt Strike-like attack framework (bleepingcomputer.com)
Massive China-Linked Disinformation Campaign Taps PR Firm for Help (darkreading.com)
Parliament shuts down TikTok account over China data security concerns (telegraph.co.uk)
Global network of fake news sites push Chinese propaganda, researchers find - CyberScoop
Taiwanese military reports DDoS in wake of US Speaker visit • The Register
Nation State Actors – North Korea
Nation State Actors – Iran
Nation State Actors – Misc APT
Vulnerabilities
VMware urges admins to patch critical auth bypass bug immediately (bleepingcomputer.com)
Critical RCE Bug in DrayTek Routers Opens SMBs to Zero-Click Attacks (darkreading.com)
Cisco fixes critical remote code execution bug in VPN routers (bleepingcomputer.com)
F5 Fixes 21 Vulnerabilities With Quarterly Security Patches | SecurityWeek.Com
High-Severity Bug in Kaspersky VPN Client Opens Door to PC Takeover (darkreading.com)
Slack Resets Passwords After a Bug Exposed Hashed Passwords for Some Users (thehackernews.com)
VMware Releases Patches for Several New Flaws Affecting Multiple Products (thehackernews.com)
Hackers are actively exploiting password-stealing flaw in Zimbra (bleepingcomputer.com)
Google fixed Critical Remote Code Execution flaw in Android - Security Affairs
CISA adds Zimbra bug to Known Exploited Vulnerabilities Catalogue - Security Affairs
Warning! Critical flaws found in US Emergency Alert System • The Register
Sector Specific
Industry specific threat intelligence reports are available.
Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.
· Automotive
· Construction
· Critical National Infrastructure (CNI)
· Defence & Space
· Education & Academia
· Energy & Utilities
· Estate Agencies
· Financial Services
· FinTech
· Food & Agriculture
· Gaming & Gambling
· Government & Public Sector (including Law Enforcement)
· Health/Medical/Pharma
· Hotels & Hospitality
· Insurance
· Legal
· Manufacturing
· Maritime
· Oil, Gas & Mining
· OT, ICS, IIoT, SCADA & Cyber-Physical Systems
· Retail & eCommerce
· Small and Medium Sized Businesses (SMBs)
· Startups
· Telecoms
· Third Sector & Charities
· Transport & Aviation
· Web3
Other News
APIs attacked in 94% of companies in past year - IT Security Guru
Over 60% of Organisations Expose SSH to the Internet - Infosecurity Magazine
How IT and security teams can work together to improve endpoint security - Microsoft Security Blog
Burnout and attrition impact tech teams sustaining modern digital systems - Help Net Security
Machine learning creates a new attack surface requiring specialized defences - Help Net Security
Cyber security lessons learned from COVID-19 pandemic (techtarget.com)
10 enterprise database security best practices (techtarget.com)
Resolving Availability vs. Security, a Constant Conflict in IT (thehackernews.com)
Tips to prevent RDP and other remote attacks on Microsoft networks | CSO Online
The Myth of Protection Online — and What Comes Next (darkreading.com)
The Importance of Data Security in the Enterprise (techtarget.com)
How IT Teams Can Use 'Harm Reduction' for Better Cyber security Outcomes (darkreading.com)
Businesses lack visibility into run-time threats against mobile apps and APIs - Help Net Security
Browser synchronization abuse: Bookmarks as a covert data exfiltration channel - Help Net Security
Threats emanating from digital ecosystems can be a blind spot for businesses - Help Net Security
Busting the Myths of Hardware Based Security - Security Affairs
New Traffic Light Protocol standard released after five years (bleepingcomputer.com)
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Threat Briefing 29 July 2022
Black Arrow Cyber Threat Briefing 29 July 2022
-1 in 3 Employees Don’t Understand Why Cyber Security Is Important
-As Companies Calculate Cyber Risk, The Right Data Makes a Big Difference
-Only 25% Of Organizations Consider Their Biggest Threat to Be from Inside the Business
-The Global Average Cost of a Data Breach Reaches an All-Time High of $4.35 Million
-Race Against Time: Hackers Start Hunting for Victims Just 15 Minutes After a Bug Is Disclosed
-Ransomware-as-a-Service Groups Forced to Change Tack as Payments Decline
-Phishers Targeted Financial Services Most During H1 2022
-HR Emails Dupe Employees the Most – KnowBe4 research reveals
-84% Of Organizations Experienced an Identity-Related Breach In The Past 18 Months
-Economic Downturn Raises Risk of Insiders Going Rogue
-5 Trends Making Cyber Security Threats Riskier and More Expensive
-Ransomware: Publicly Reported Incidents Are Only the Tip of the Iceberg
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
1 in 3 Employees Don’t Understand Why Cyber Security Is Important
According to a new Tessian report, 30% of employees do not think they personally play a role in maintaining their company’s cyber security posture.
What’s more, only 39% of employees say they’re very likely to report a security incident, making investigation and remediation even more challenging and time-consuming for security teams. When asked why, 42% of employees said they wouldn’t know if they had caused an incident in the first place, and 25% say they just don’t care enough about cyber security to mention it.
Virtually all IT and security leaders agreed that a strong security culture is important in maintaining a strong security posture. Yet, despite rating their organisation’s security 8 out 10, on average, three-quarters of organisations experienced a security incident in the last 12 months.
The report suggests this could stem from a reliance on traditional training programs: 48% of security leaders say training is one of the most important influences on building a positive security posture. But the reality is that employees aren’t engaged; just 28% of UK and US workers say security awareness training is engaging and only 36% say they’re paying full attention. Of those who are, only half say it’s helpful, while another 50% have had a negative experience with a phishing simulation. With recent headlines depicting how phishing simulations can go awry, negative experiences like these further alienate employees and decrease engagement.
https://www.helpnetsecurity.com/2022/07/28/employees-dont-understand-why-cybersecurity-is-important/
As Companies Calculate Cyber Risk, the Right Data Makes a Big Difference
The proposed US Securities and Exchange Commission’s stronger rules for reporting cyber attacks will have ramifications beyond increased disclosure of attacks to the public. By requiring not just quick reporting of incidents, but also disclosure of cyber policies and risk management, such regulation will ultimately bring more accountability for cyber security to the highest levels of corporate leadership. Other jurisdictions will very likely follow the US in requiring more stringent cyber controls and governance.
This means that boards and executives everywhere will need to increase their understanding of cyber security, not only from a tech point of view, but from a risk and business exposure point of view. The CFO, CMO and the rest of the C-suite and board will want and need to know what financial exposure the business faces from a data breach, and how likely it is that breaches will happen. This is the only way they will be able to develop cyber policies and plans and react properly to the proposed regulations.
Companies will therefore need to be able to calculate and put a dollar value on their exposure to cyber risk. This is the starting point for the ability to make cyber security decisions not in a vacuum, but as part of overall business decisions. To accurately quantify cyber security exposure, companies need to understand what the threats are and which data and business assets are at risk, and they then need to multiply the cost of a breach by the probability that such an event will take place in order to put a dollar figure on their exposure.
While there are many automated tools, including those that use artificial intelligence (AI), that can help with this, the key to doing this well is to make sure calculations are rooted in real and relevant data – which is different for each company or organisation.
Only 25% Of Organisations Consider Their Biggest Threat to Be from Inside the Business
A worrying 73.5% of organisations feel they have wasted the majority of their cyber security budget on failing to remediate threats, despite having an over-abundance of security tools at their disposal, according to Gurucul.
Only 25% of organisations consider their biggest threat to be from inside the business, despite insider threats increasing by 47% over the past two years. With only a quarter of businesses seeing their biggest threat emanating from inside their organisation, it seems over 70% saw the biggest cyber security challenges emanating from external threats such as ransomware. In fact, although external threats account for many security incidents, we must never forget to look beyond those external malicious and bad actors to insider threats to effectively secure corporate data and IP.
The survey also found 33% of respondents said they are able to detect threats within hours, while 27.07% even claimed they can detect threats in real-time. However, challenges persist with 33% of respondents stating that it still takes their organisation days and weeks to detect threats, with 6% not being able to detect them at all.
https://www.helpnetsecurity.com/2022/07/28/biggest-threat-inside-the-business/
The Global Average Cost of a Data Breach Reaches an All-Time High of $4.35 Million
IBM Security released the 2022 Cost of a Data Breach Report, revealing costlier and higher-impact data breaches than ever before, with the global average cost of a data breach reaching an all-time high of $4.35 million for studied organisations.
With breach costs increasing nearly 13% over the last two years of the report, the findings suggest these incidents may also be contributing to rising costs of goods and services. In fact, 60% of studied organisations raised their product or services prices due to the breach, when the cost of goods is already soaring worldwide amid inflation and supply chain issues.
The perpetuality of cyber attacks is also shedding light on the “haunting effect” data breaches are having on businesses, with the IBM report finding 83% of studied organisations have experienced more than one data breach in their lifetime. Another factor rising over time is the after-effects of breaches on these organisations, which linger long after they occur, as nearly 50% of breach costs are incurred more than a year after the breach.
The 2022 Cost of a Data Breach Report is based on in-depth analysis of real-world data breaches experienced by 550 organisations globally between March 2021 and March 2022. The research, which was sponsored and analysed by IBM Security, was conducted by the Ponemon Institute.
https://www.helpnetsecurity.com/2022/07/27/2022-cost-of-a-data-breach-report/
Race Against Time: Hackers Start Hunting for Victims Just 15 Minutes After a Bug Is Disclosed
Attackers are becoming faster at exploiting previously undisclosed zero-day flaws, according to Palo Alto Networks. This means that the amount of time that system admins have to patch systems before exploitation happens is shrinking fast..
The company warns in its 2022 report covering 600 incident response (IR) cases that attackers typically start scanning for vulnerabilities within 15 minutes of one being announced.
Among this group are 2021's most significant flaws, including the Exchange Server ProxyShell and ProxyLogon sets of flaws, the persistent Apache Log4j flaws aka Log4Shell, the SonicWall zero-day flaws, and Zoho ManageEngine ADSelfService Plus.
While phishing remains the biggest method for initial access, accounting for 37% of IR cases, software vulnerabilities accounted of 31%. Brute-force credential attacks (like password spraying) accounted for 9%, while smaller categories included previously compromised credentials (6%), insider threat (5%), social engineering (5%), and abuse of trusted relationships/tools (4%).
Over 87% of the flaws identified as the source of initial access fell into one of six vulnerability categories.
Ransomware-as-a-Service Groups Forced to Change Tack as Payments Decline
Ransomware-as-a-service (RaaS) operators are evolving their tactics yet again in response to more aggressive law enforcement efforts, in a move that is reducing their profits but also making affiliates harder to track, according to Coveware.
The security vendor’s Q2 2022 ransomware report revealed that concerted efforts to crack down on groups like Conti and DarkSide have forced threat actors to adapt yet again.
It identified three characteristics of RaaS operations that used to be beneficial, but are increasingly seen as a hinderance.
The first is RaaS branding, which has helped to cement the reputation of some groups and improve the chances of victims paying, according to Coveware. However, branding also makes attribution easier and can draw the unwanted attention of law enforcement, it said.
“RaaS groups are keeping a lower profile and vetting affiliates and their victims more thoroughly,” Coveware explained.
“More RaaS groups have formed, resulting in less concentration among the top few variants. Affiliates are frequently shifting between RaaS variants on different attacks, making attribution beyond the variant more challenging.”
In some cases, affiliates are also using “unbranded” malware to make attribution more difficult, it added.
The second evolution in RaaS involves back-end infrastructure, which used to enable scale and increase profitability. However, it also means a larger attack surface and a digital footprint that’s more expensive and challenging to maintain.
As a result, RaaS developers are being forced to invest more in obfuscation and redundancy, which is hitting profits and reducing the amount of resources available for expansion, Coveware claimed.
Finally, RaaS shared services used to help affiliates with initial access, stolen data storage, negotiation management and leak site support.
https://www.infosecurity-magazine.com/news/raas-groups-forced-change-payments/
Phishers Targeted Financial Services Most During H1 2022
Banks received the lion’s share of phishing attacks during the first half of 2022, according to figures published by cyber security company Vade.
The analysis also found that attackers were most likely to send their phishing emails on weekdays, with most arriving between Monday and Wednesday. Attacks tapered off towards the end of the week, Vade said.
While financial services scored highest on a per-sector basis, Microsoft was the most impersonated brand overall. The company’s Microsoft 365 cloud productivity services are a huge draw for cyber-criminals hoping to access accounts using phishing attacks.
Phishing attacks on Microsoft customers have become more creative, according to Vade, which identified several phone-based attacks. It highlighted a campaign impersonating Microsoft’s Defender anti-malware product, fraudulently warning that the company had debited a subscription fee. It encouraged victims to fix the problem by phone.
Facebook came a close second, followed by financial services company Crédit Agricole, WhatsApp and Orange.
https://www.infosecurity-magazine.com/news/phishers-financial-services-h1-2022/
HR Emails Dupe Employees the Most – KnowBe4 research reveals
In phishing tests conducted on business emails, more than half of the subject lines clicked imitated Human Resources communications.
New research has revealed the top email subjects clicked on in phishing tests were those related to or from Human Resources, according to the latest ‘most clicked phishing tests‘ conducted by KnowBe4. In fact, half of those that were clicked on had subject lines related to Human Resources, including vacation policy updates, dress code changes, and upcoming performance reviews. The second most clicked category were those send from IT, which include requests or actions of password verifications that were needed immediately.
KnowBe4’s CEO commented “More than 80% of company data breaches globally come from human error, so security awareness training for your staff is one of the least costly and most effective methods to thwart social engineering attacks. Training gives employees the ability to rapidly recognise a suspicious email, even if it appears to come from an internal source, causing them to pause before clicking. That moment where they stop and question the email is a critical and often overlooked element of security culture that could significantly reduce your risk surface.”
This research comes hot off the heels of the recent KnowBe4 industry benchmarking report which found one in three untrained employees will click on a phishing link. The worst performing industries were Energy & Utilities, Insurance and Consulting, with all labelled the most at risk for social engineering in the large enterprise category.
84% Of Organisations Experienced an Identity-Related Breach in the Past 18 Months
60% of IT security decision makers believe their overall security strategy does not keep pace with the threat landscape, and that they are either lagging behind (20%), treading water (13%), or merely running to keep up (27%), according to a survey by Sapio Research.
The report also highlights differences between the perceived and actual effectiveness of security strategies. While 40% of respondents believe they have the right strategy in place, 84% of organisations reported that they have experienced an identity-related breach or an attack using stolen credentials during the previous year and a half.
Promisingly, many organisations are hungry to make a change, particularly when it comes to protecting identities. In fact, 90% of respondents state that their organisations fully recognise the importance of identity security in enabling them to achieve their business goals, and 87% say that it is one of the most important security priorities for the next 12 months.
However, 75% of IT and security professionals also believe that they’ll fall short of protecting privileged identities because they won’t get the support they need. This is largely due to a lack of budget and executive alignment, with 63% of respondents saying that their company’s board still doesn’t fully understand identity security and the role it plays in enabling better business operations.
While the importance of identity security is acknowledged by business leaders, most security teams will not receive the backing and budget they need to put vital security controls and solutions in place to reduce major risks. This means that the majority of organisations will continue to fall short of protecting privileges, leaving them vulnerable to cyber criminals looking to discover privileged accounts and abuse them.
https://www.helpnetsecurity.com/2022/07/28/identity-related-breach/
Economic Downturn Raises Risk of Insiders Going Rogue
Declining economic conditions could make insiders more susceptible to recruitment offers from threat actors looking for allies to assist them in carrying out various attacks.
Enterprise security teams need to be aware of the heightened risk and strengthen measures for protecting against, detecting, and responding to insider threats, researchers from Palo Alto Network's Unit 42 threat intelligence team recommended in a report this week.
The security vendor's report highlighted several other important takeaways for security operations teams, including the fact that ransomware and business email compromise attacks continue to dominate incident response cases and vulnerability exploits — accounting for nearly one-third of all breaches.
Unit 42 researchers analysed data from a sampling of over 600 incident response engagements between April 2021 and May 2022 and determined that difficult economic times could lure more actors to cyber crime. This could include both people with technical skills looking to make a fast buck, as well as financially stressed insiders with legitimate access to valuable enterprise data and IT assets. The prevalence of remote and hybrid work models has created an environment where it's easier for workers to steal intellectual property or carry out other malicious activity, the researchers found.
https://www.darkreading.com/risk/economic-downturn-raises-the-risk-of-insiders-going-rogue
5 Trends Making Cyber Security Threats Riskier and More Expensive
Since the pandemic the cyber world has become a far riskier place. According to the Hiscox Cyber Readiness Report 2022, almost half (48%) of organisations across the US and Europe experienced a cyber attack in the past 12 months. Even more alarming is that these attacks are happening despite businesses doubling down on their cyber security spend.
Cyber security is at a critical inflection point where five megatrends are making the threat landscape riskier, more complicated, and costlier to manage than previously reported. To better understand the evolution of this threat landscape, let’s examine these trends in more detail.
Everything becomes digital
Organisations become ecosystems
Physical and digital worlds collide
New technologies bring new risks
Regulations become more complex
Organisations can follow these best practices to elevate cyber security performance:
Identify, prioritise, and implement controls around risks.
Adopt a framework such as ISO 27001 or NIST Cyber Security Framework.
Develop human-layered cyber security.
Fortify your supply chain.
Avoid using too many tools.
Prioritise protection of critical assets.
Automate where you can.
Monitor security metrics regularly to help business leaders get insight into security effectiveness, regulatory compliance, and levels of security awareness in the organisation.
Cyber security will always be a work in progress. The key to effective risk management is having proactive visibility and context across the entire attack surface. This helps to understand which vulnerabilities, if exploited, can cause the greatest harm to the business. Not all risks can be mitigated; some risks will have to be accepted and trade-offs will have to be negotiated.
Ransomware: Publicly Reported Incidents Are Only the Tip of the Iceberg
The threat landscape report on ransomware attacks published this week by the European Union Agency for Cybersecurity (ENISA) uncovers the shortcomings of the current reporting mechanisms across the EU.
As one of the most devastating types of cyber security attacks over the last decade, ransomware, has grown to impact organisations of all sizes across the globe.
This threat landscape report analysed a total of 623 ransomware incidents across the EU, the United Kingdom and the United States for a reporting period from May 2021 to June 2022. The data was gathered from governments' and security companies' reports, from the press, verified blogs and in some cases using related sources from the dark web.
Between May 2021 and June 2022 about 10 terabytes of data were stolen each month by ransomware threat actors. 58.2% of the data stolen included employees' personal data.
At least 47 unique ransomware threat actors were found.
For 94.2% of incidents, we do not know whether the company paid the ransom or not. However, when the negotiation fails, the attackers usually expose and make the data available on their webpages. This is what happens in general and is a reality for 37.88% of incidents.
We can therefore conclude that the remaining 62.12% of companies either came to an agreement with the attackers or found another solution.
The study also shows that companies of every size and from all sectors are affected.
The figures in the report can however only portray a part of the overall picture. In reality, the study reveals that the total number of ransomware attacks is much larger. At present this total is impossible to capture since too many organisations still do not make their incidents public or do not report on them to the relevant authorities.
Threats
Ransomware
LockBit 3.0: Significantly Improved Ransomware Helps the Gang Stay on Top (darkreading.com)
Ransomware looms large over the cyber insurance industry - Help Net Security
800,000 businesses fall victim to ransomware each year (komando.com)
Business services top target of ransomware attacks (securitybrief.co.nz)
How Crypto is Driving the Ransomware Epidemic | Cryptoland Roundtable - YouTube
On security researcher's newsletter, exposing cyber criminals behind ransomware - CyberScoop
LockBit ransomware abuses Windows Defender to load Cobalt Strike (bleepingcomputer.com)
Mailing List Provider WordFly Scrambling to Recover Following Ransomware Attack | SecurityWeek.Com
No More Ransom helps millions of ransomware victims in 6 years (bleepingcomputer.com)
Lockbit ransomware gang claims to have breached the Italian Revenue Agency - Security Affairs
Lockbit Ramps Up Attacks on Public Sector - Infosecurity Magazine (infosecurity-magazine.com)
A ‘Top Tier’ Hacking Gang Is Likely To Be Behind Entrust Ransomware (informationsecuritybuzz.com)
No More Ransom Helped More Than 1.5 Million People Decrypt Their Devices (darkreading.com)
Ransomware caused American Dental Association outage, led to stolen data (scmagazine.com)
The road to ransomware recovery starts before an attack • The Register
BEC – Business Email Compromise
Phishing & Email Based Attacks
Phishing Attacks Skyrocket with Microsoft and Facebook as Most Abused Brands | Threatpost
Phishing scam targeting Bank of America, Citi and Wells Fargo customers (komando.com)
APT-Like Phishing Threat Mirrors Landing Pages (darkreading.com)
New Callback Malware Campaign Impersonates Legitimate Cyber Security Providers - MSSP Alert
Phishing Attacks: Microsoft Leads Top 25 of Impersonated Brands - MSSP Alert
1,000s of Phishing Attacks Blast Off From InterPlanetary File System (darkreading.com)
New ‘Robin Banks’ phishing service targets BofA, Citi, and Wells Fargo (bleepingcomputer.com)
Other Social Engineering; SMishing, Vishing, etc
Malware
Cisco Incident Response Report: Commodity Malware Top Threat in Q2 - MSSP Alert
Discovery of new UEFI rootkit exposes an ugly truth: The attacks are invisible to us | Ars Technica
As Microsoft blocks Office macros, hackers find new attack vectors (bleepingcomputer.com)
Microsoft Links Raspberry Robin USB Worm to Russian Evil Corp Hackers (thehackernews.com)
Microsoft links Raspberry Robin malware to Evil Corp attacks (bleepingcomputer.com)
Malware-laced npm packages used to target Discord users - Security Affairs
CosmicStrand UEFI malware found in Gigabyte, ASUS motherboards (bleepingcomputer.com)
Sophisticated UEFI rootkit of Chinese origin shows up again in the wild after 3 years | CSO Online
Attackers are slowly abandoning malicious macros - Help Net Security
One of the most beloved Windows tools could actually be a huge security risk | TechRadar
QBot phishing uses Windows Calculator DLL hijacking to infect devices (bleepingcomputer.com)
Gootkit Loader’s Updated Tactics and Fileless Delivery of Cobalt Strike (trendmicro.com)
Microsoft: Austrian company DSIRF selling Subzero malware (techtarget.com)
Threat actors leverages DLL-SideLoading to spread Qakbot - Security Affairs
Rare 'CosmicStrand' UEFI Rootkit Swings into Cyber crime Orbit (darkreading.com)
Mobile
Here are the top phone security threats in 2022 and how to avoid them | ZDNet
New Android malware apps installed 10 million times from Google Play (bleepingcomputer.com)
Roaming Mantis Financial Hackers Targeting Android and iPhone Users in France (thehackernews.com)
Facebook ads push Android adware with 7 million installs on Google Play (bleepingcomputer.com)
Millions of Android devices infected with wallet-draining malware | TechRadar
Over a Dozen Android Apps on Google Play Store Caught Dropping Banking Malware (thehackernews.com)
Internet of Things – IoT
IoT Botnets Fuels DDoS Attacks – Are You Prepared? | Threatpost
Dahua IP Camera Vulnerability Could Let Attackers Take Full Control Over Devices (thehackernews.com)
Data Breaches/Leaks
US court system suffered ‘incredibly significant attack’ • The Register
Congress Warns of US Court Records System Breach - Infosecurity Magazine (infosecurity-magazine.com)
Uber admits covering up massive 2016 data breach in settlement with US prosecutors - The Verge
T-Mobile to pay $500M for one of the largest data breaches in US history [Updated] | Ars Technica
Data Stolen in Breach at Security Company Entrust | SecurityWeek.Com
Fallout from massive Shanghai Police data breach reverberates on dark web - CyberScoop
Big Questions Remain Around Massive Shanghai Police Data Breach (darkreading.com)
Organised Crime & Criminal Actors
Cyber-mercenaries represent shifting criminal business model • The Register
Messaging Apps Tapped as Platform for Cyber Criminal Activity | Threatpost
Teenager Jailed for Snapchat Blackmail Cyber Crimes- IT Security Guru
DUCKTAIL operation targets Facebook’s Business and Ad accounts - Security Affairs
Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain
Crypto fraud on the rise as consumers fall for fake celebrity endorsements | Cybernews
Hackers Increasingly Using WebAssembly Coded Cryptominers to Evade Detection (thehackernews.com)
NFT Hacking Group Attacks On The Rise, Report Finds- IT Security Guru
Hackers steal $6 million from blockchain music platform Audius (bleepingcomputer.com)
Fraud, Scams & Financial Crime
Major shifts and the growing risk of identity fraud - Help Net Security
JPMorgan, UBS accused of shoddy identity theft protection • The Register
Euro Police Bust €3m Internet Fraud Gang - Infosecurity Magazine (infosecurity-magazine.com)
Romance scammers jailed after tricking Irish OAP out of €250k (bitdefender.com)
What the Titanic Can Teach Us About Fraud? | SecurityWeek.Com
AML/CFT/Sanctions
Insurance
Dark Web
Cyber crime goods and services are cheap and plentiful - Help Net Security
Hackers Selling Malware on Dark Web Underground Market (cybersecuritynews.com)
Supply Chain and Third Parties
Software Supply Chain
Denial of Service DoS/DDoS
Akamai blocked the largest DDoS attack ever on its European customers - Security Affairs
DDoS Attack Trends in 2022: Ultrashort, Powerful, Multivector Attacks (bleepingcomputer.com)
Cloud/SaaS
Kansas MSP shuts down cloud services to fend off cyber attack (bleepingcomputer.com)
Organisations are struggling with SaaS security. Why? - Help Net Security
Attack Surface Management
Identity and Access Management
Encryption
Transport Layer Security (TLS): Issues & Protocol (trendmicro.com)
SSH2 vs. SSH1 and why SSH versions still matter (techtarget.com)
Passwords, Credential Stuffing & Brute Force Attacks
Using Account Lockout policies to block Windows Brute Force Attacks (bleepingcomputer.com)
Stop Putting Your Accounts At Risk, and Start Using a Password Manager (thehackernews.com)
Social Media
Facebook security cracked by Malware made in Vietnam • The Register
Cyber-Criminal Offers 5.4m Twitter Users’ Data - Infosecurity Magazine (infosecurity-magazine.com)
Training, Education and Awareness
Privacy
Law Enforcement Action and Take Downs
UK Seizes Nearly $27m in Crypto-Assets - Infosecurity Magazine (infosecurity-magazine.com)
European Cops Helped 1.5 Million People Decrypt Their Ransomwared Computers (vice.com)
Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine
Cyberspies use Google Chrome extension to steal emails undetected (bleepingcomputer.com)
Microsoft says it caught an Austrian spyware group using Windows 0-day exploits - The Verge
Pegasus spyware: Just 'tip of the iceberg' seen so far • The Register
Cyber attacks by Iran and Israel now target critical infrastructure. - The Washington Post
US and Ukraine Sign Agreement to Deepen Cyber security Operational Collaboration - MSSP Alert
CISA, Ukrainian cyber agency deepen partnership to combat Russian threat - CyberScoop
How is Anonymous attacking Russia? The top six ways ranked (cnbc.com)
European Lawmaker Targeted With Cytrox Predator Surveillance Spyware | SecurityWeek.Com
Nation State Actors
Nation State Actors – Russia
Russia is quietly ramping up its Internet censorship machine | Ars Technica
Apple network traffic takes mysterious detour through Russia • The Register
Nation State Actors – China
Chinese APTs: Interlinked networks and side hustles – Intrusion Truth (wordpress.com)
OneWeb sale risks giving China a stake in ‘Five Eyes’ spying tech (telegraph.co.uk)
Nation State Actors – North Korea
North Korean Hackers Using Malicious Browser Extension to Spy on Email Accounts (thehackernews.com)
North Korean hackers attack EU targets with Konni RAT malware (bleepingcomputer.com)
US puts $10 million bounty on North Korean threat groups • The Register
Is APT28 behind the STIFF#BIZON attacks attributed to North Korea-linked APT37? Security Affairs
Nation State Actors – Iran
Vulnerability Management
Hackers scan for vulnerabilities within 15 minutes of disclosure (bleepingcomputer.com)
Attackers Have 'Favourite' Vulnerabilities to Exploit (darkreading.com)
Taking the Risk-Based Approach to Vulnerability Patching (thehackernews.com)
Organisations struggle to manage devices and stay ahead of vulnerabilities - Help Net Security
2022 Unit 42 Incident Response Report: How Attackers Exploit Zero-Days (paloaltonetworks.com)
Security Teams Overwhelmed With Bugs, Bitten by Patch Prioritization (darkreading.com)
Time between vuln disclosures, exploits is getting smaller • The Register
Vulnerabilities
Critical Samba bug could let anyone become Domain Admin – patch now! – Naked Security (sophos.com)
Multiple Windows, Adobe Zero-Days Anchor Knotweed Commercial Spyware (darkreading.com)
How to Fix CVE-2022-30190 vulnerability using Microsoft Intune - CloudInfra
CISA releases IOCs for attacks exploiting Log4Shell in VMware Horizon and UAG | CSO Online
Critical FileWave MDM Flaws Open Organisation-Managed Devices to Remote Hackers (thehackernews.com)
Hackers are abusing IIS extensions to establish covert backdoors - Security Affairs
FileWave fixes bugs that left 1,000+ orgs open to ransomware • The Register
Google Chrome Zero-day Vulnerability Discovered By Avast (informationsecuritybuzz.com)
LibreOffice fixed 3 flaws, including a code execution issue - Security Affairs
Drupal developers fixed a code execution flaw in the popular CMS - Security Affairs
LibreOffice Releases Software Update to Patch 3 New Vulnerabilities (thehackernews.com)
Hackers Exploit PrestaShop Zero-Day to Steal Payment Data from Online Stores (thehackernews.com)
Sector Specific
Industry specific threat intelligence reports are available.
Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.
· Automotive
· Construction
· Critical National Infrastructure (CNI)
· Defence & Space
· Education & Academia
· Energy & Utilities
· Estate Agencies
· Financial Services
· FinTech
· Food & Agriculture
· Gaming & Gambling
· Government & Public Sector (including Law Enforcement)
· Health/Medical/Pharma
· Hotels & Hospitality
· Insurance
· Legal
· Manufacturing
· Maritime
· Oil, Gas & Mining
· OT, ICS, IIoT, SCADA & Cyber-Physical Systems
· Retail & eCommerce
· Small and Medium Sized Businesses (SMBs)
· Startups
· Telecoms
· Third Sector & Charities
· Transport & Aviation
· Web3
Reports Published in the Last Week
Other News
A Retrospective on the 2015 Ashley Madison Breach – Krebs on Security
The Great BizApp Hack: Cyber-Risks in Your Everyday Business Applications (darkreading.com)
Threat Actors Pivot Around Microsoft’s Macro-Blocking in Office | Threatpost
Microsoft again reverses course, will block macros by default (scmagazine.com)
Is Your Home or Small Business Built on Secure Foundations? Think Again… (darkreading.com)
Infosec pros want more industry cooperation and support for open standards - Help Net Security
We pass cyber attack costs onto customers, businesses admit • The Register
How to Combat the Biggest Security Risks Posed by Machine Identities (thehackernews.com)
Discord, Telegram Services Hijacked to Launch Array of Cyber Attacks (darkreading.com)
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Threat Briefing 15 July 2022
Black Arrow Cyber Threat Briefing 15 July 2022:
-10,000 Organisations Targeted by Phishing Attack That Bypasses Multi-Factor Authentication
-Businesses Are Adding More Endpoints, But Can’t Manage Them All
-Ransomware Activity Resurges in Q2
-North Korean Hackers Targeting Small and Midsize Businesses with H0lyGh0st Ransomware
-One-Third of Users Without Security Awareness Training Click on Phishing URLs
-Ransomware Scourge Drives Price Hikes in Cyber Insurance
-Conventional Cyber Security Approaches Are Falling Short
-Virtual CISOs Are the Best Defence Against Accelerating Cyber Risks
-Firms Not Planning for Supply Chain Threats
-Data Breach Lawsuit: Will IT Service Provider Capgemini Owe Damages?
-Security Culture: Fear of Cyber Warfare Driving Initiatives
-Cryptocurrency 'Mixers' See Record Transactions from Sanctioned Actors
-Online Payment Fraud Expected to Cost $343B Over Next 5 Years
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
10,000 Organisations Targeted by Phishing Attack That Bypasses Multi-Factor Authentication
Microsoft has shared details of a widespread phishing campaign that not only attempted to steal the passwords of targeted organisations, but was also capable of circumventing multi-factor authentication (MFA) defences.
The attackers used AiTM (Attacker-in-The-Middle) reverse-proxy sites to pose as Office 365 login pages which requested MFA codes, and then use them to log into the genuine site.
According to Microsoft’s detailed report on the campaign, once hackers had broken into email inboxes via the use of stolen passwords and session cookies, they would exploit their access to launch Business Email Compromise (BEC) attacks on other targets.
By creating rules on victims’ email accounts, the attackers are able to then ensure that they maintain access to incoming email even if a victim later changes their password.
The global pandemic, and the resulting increase in staff working from home, has helped fuel a rise in the adoption of multi-factor authentication.
Cyber criminals, however, haven’t thrown in the towel when faced with MFA-protected accounts. Accounts with MFA are certainly less trivial to break into than accounts which haven’t hardened their security, but that doesn’t mean that it’s impossible.
Reverse-proxy phishing kits like Modlishka, for instance, impersonate a login page, and ask unsuspecting users to enter their login credentials and MFA code. That collected data is then passed to the genuine website – granting the cyber criminal access to the site.
As more and more people recognise the benefits of MFA, we can expect a rise in the number of cyber criminals investing effort into bypassing MFA.
Microsoft’s advice is that organisations should complement MFA with additional technology and best practices.
Businesses Are Adding More Endpoints, But Can’t Manage Them All
Most enterprises struggle to maintain visibility and control of their endpoint devices, leading to increased security breaches and impaired ability to ward off outside attacks, according to a survey conducted by Ponemon Institute.
Findings show that the average enterprise now manages approximately 135,000 endpoint devices. Despite $4,252,500 of annual budget spent on endpoint protection, an average of 48 percent of devices – or 64,800 per enterprise – are at risk because they are no longer detected by the organisation’s IT department or the endpoints’ operating systems have become outdated.
Additionally, 63 percent of respondents find that the lack of visibility into their endpoints is the most significant barrier to achieving a strong security posture.
IT organisations are facing unprecedented rates of distribution point sprawl, which has grown rapidly since the onset of the COVID-19 pandemic. 61 percent of respondents say distribution points have increased in the last two years, and the average endpoint has as many as 7 agents installed for remote management, further adding to management complexity.
https://www.helpnetsecurity.com/2022/07/14/businesses-are-adding-more-endpoints/
Ransomware Activity Resurges in Q2
Ransomware activity rose by a fifth in the last quarter, according to a report from security firm Digital Shadows.
The company, which monitors almost 90 data leak sites on the dark web, observed ransomware groups name 705 victims in Q2 2022, representing a 21% increase over last quarter’s 582. This was a resurgence in activity following a 25.3% decline quarter-on-quarter during Q1.
The LockBit ransomware group overtook Conti in victim numbers as Conti ceased operations following the leak of internal chat logs. Conti had reached almost 900 victims during its operations, but LockBit is now closing in on 1,000 after a 13% growth in activity during the quarter.
LockBit also continued to innovate, releasing version 3 of its ransomware with new features, including support for payments using the Zcash cryptocurrency. It also launched a reward program for any information on high-value targets, along with a data leak site that allows anyone to purchase victim data.
At around 230, Lockbit’s quarterly victim numbers far exceeded any other group in Q2. It was accountable for almost a third of all postings to leak sites in Q2. Conti, which had limped along for several weeks after its own data leak, managed just over 50. In third place was Alphv, which grew 118% during the quarter. Basta came in fourth.
Some other smaller groups are also growing rapidly, according to the report. Vice Society, in fifth place this quarter, doubled its activity.
https://www.infosecurity-magazine.com/news/ransomware-activity-resurges-q2/
One-Third of Users Without Security Awareness Training Click on Phishing URLs
Phishing attacks just won't die, and new data underscores their effectiveness among users who have not been provided security awareness training.
According to data pulled from security awareness training provider KnowBe4's clients, 32.4% of users will fall for a phish — clicking on a link or following a phony request — if those users have not had any official training. The disconnect is worse in some industry sectors, including consulting, energy and utilities, and healthcare and pharmaceuticals, where half of all untrained users fall for phishing attacks.
The data was pulled from 23.4 million simulated phishing tests conducted at more than 30,000 organisations, encompassing some 9.5 million users. According to KnowBe4, 90 days after monthly or more training, the number of phishing test fails dropped to around 17.6%, and to 5% after one year of regular awareness training.
https://www.darkreading.com/remote-workforce/one-third-of-users-click-on-phishing
Ransomware Scourge Drives Price Hikes in Cyber Insurance
Cyber security insurance costs are rising, and insurers are likely to demand more direct access to organisational metrics and measures to make more accurate risk assessments.
The rising cost of ransomware attacks is helping push significant premium increases in cyber insurance policies in the UK and US, new data shows.
With the average payouts across the past two years averaging more than $3.5 million in the US, a growing number of cyber security insurers want direct access to customer security metrics and measures. This would help prove the status of security controls, according to a Panaseer report on the state of the cyber insurance industry.
However, insurance firms are struggling to accurately understand a customer's security posture, which is in turn affecting price increases.
Panaseer notes that 82% of insurers surveyed said they expect the rise in premiums to continue. The increasing cost of ransomware is putting premiums up, and the increase in the number of attacks, as well as the number of successful attacks, means insurance is getting harder to get and is getting more expensive.
Meanwhile, 87% of insurers surveyed say they want a more consistent approach to analysing cyber-risk. Fundamentally, insurers need better information in order to price the risk — questionnaires aren't going to cut it. Having real live data coming from a customer about their security posture is what's going to be required for them to accurately price risk, in the same way that telematics did for car insurance.
Conventional Cyber Security Approaches Are Falling Short
Traditional security approaches that rely on reactive, detect-and-respond measures and tedious manual processes can’t keep pace with the volume, variety, and velocity of current threats, according to Skybox Security. As a result, 27% of all executives and 40% of CSOs say their organisations are not well prepared for today’s rapidly shifting threat landscape.
On average, organisations experienced 15% more cyber security incidents in 2021 than in 2020. In addition, “material breaches”— defined as “those generating a large loss, compromising many records, or having a significant impact on business operations” — jumped 24.5%.
The top four causes of the most significant breaches reported by the affected organisations were:
Human error
Misconfigurations
Poor maintenance/lack of cyber hygiene
Unknown assets.
https://www.helpnetsecurity.com/2022/07/14/conventional-cybersecurity-approaches/
Virtual CISOs Are the Best Defence Against Accelerating Cyber-Risks
The cyber security challenges that companies are facing today are vast, multidimensional, and rapidly changing. Exacerbating the issue is the relentless evolution of threat actors and their ability to outmanoeuvre security controls effortlessly.
As technology races forward, companies without a full-time CISO (Chief Information Security Officer) are struggling to keep pace. For many, finding, attracting, retaining, and affording the level of skills and experience needed is out of reach or simply unrealistic. Enter the virtual CISO (vCISO). These on-demand experts provide security insights to companies on an ongoing basis and help ensure that security teams have the resources they need to be successful.
Typically, an engagement with a vCISO is long lasting, but in a fractional delivery model. This is very different from a project-oriented approach that requires a massive investment and results in a stack of deliverables for the internal team to implement and maintain. A vCISO not only helps to form the approach, define the action plan, and set the road map but, importantly, stays engaged throughout the implementation and well into the ongoing management phases.
The best vCISO engagements are long-term contracts. Typically, there's an upfront effort where the vCISO is more engaged in the first few months to establish an understanding, develop a road map, and create a rhythm with the team. Then, their support drops into a regular pace which can range from two to three days per week or five to ten days per month.
Firms Not Planning for Supply Chain Threats
Enterprises are failing to plan properly for supply chain risks and cyber security threats from the wider digital ecosystem, a leading technology consultancy has warned.
According to Tata Consultancy Services (TCS), firms put the risks posed by ecosystem partners at the bottom of a list of 10 key threats. CISOs and chief risk officers believed that financial systems, customer databases and R&D were the systems most likely to be targeted. Supply chain and distribution was placed in ninth.
The report, based on a survey of larger firms with annual revenues of $1bn or more, found that only 16% of chief risk officers believed the digital ecosystem was a concern when it comes to cyber risks, and only 14% said those ecosystems were a priority for board level discussions.
The research also found that a small number of enterprises fail to focus on cyber risk, with one in six boards discussing it only “occasionally, as necessary or never.” TCS found, though, that organisations with above-average profit and revenue growth were more likely to put cyber security on the agenda at board meetings.
TCS also found that enterprises view the cloud as a more secure environment than conventional data centres and on-premises systems. Additionally, the research highlighted ongoing concerns about skills and the need to attract and retain talented security staff. Firms where senior leaders focus on cyber security are more likely to be able to close the skills gap, according to the study.
https://www.infosecurity-magazine.com/news/planning-supply-chain-threats/
Data Breach Lawsuit: Will IT Service Provider Capgemini Owe Damages?
IT service provider and consulting firm Capgemini is facing a lawsuit related to a June 2020 data breach. The plaintiff — gaming company Razer — is seeking $7 million in damages. A trial in Singapore’s High Court regarding the dispute is underway, according to Vulcan Post.
Razer claims it has suffered approximately $6.85 million in profit losses from its online website due to the data breach. Razer is pursuing damages for an unquantified sum for profit losses from the rejection of its digital bank license application.
The Razer data breach occurred due to an issue with an IT system. It may have exposed the personal information of about 100,000 Razer customers.
The Razer data breach may have occurred due to a misconfigured Elasticsearch cluster. It also was exposed to the public and indexed by public search engines and took more than three weeks to fix.
Experts from Razer and Capgemini agreed that the data breach was caused by a security misconfiguration. However, Razer now claims that a Capgemini employee recommended the IT system that led to the breach and is therefore responsible for the incident.
Security Culture: Fear of Cyber Warfare Driving Initiatives
KnowBe4, the provider of security awareness training and simulated phishing platform, has conducted a survey during Infosecurity Europe, which evaluated the opinions of nearly 200 security professionals towards security culture, or more specifically: the ideas, customs and social behaviours of an organisation that influence their security practices.
The research found the threat of cyber warfare (30%) or experiencing a data breach or cyber attack (30%) were the two biggest reasons why security professionals wanted to improve security culture at their organisations. Given the current invasion of Ukraine by Russia and the resulting cyber security warnings announced by many of the world’s leading governments, improving current cyber security efforts has continued to be a top priority for many.
The study also revealed just over two thirds (67%) answered that a strong security culture would very likely reduce the risk of security incidents, with the majority (85%) directing their efforts into both improving security awareness training and communicating values expected from employees regarding security.
However, there are many obstacles when attempting to create a strong security culture, with the main issue being a lack of budget (26%) which was followed security professionals facing indifference from fellow employees (24%) and a lack of senior management support (16%).
Interestingly, just under three quarters (73%) admitted to putting an increased effort into measuring employees understanding of security – this still leaves a considerable gap of 27% that do not, something many security professionals will want to consider closing. Thankfully, 38% agree this aspect of security culture would be an area they want to improve in their organisation. When witnessing a colleague display poor security practises, 67% of UK security experts would prefer to tell the individual discreetly, while just under a third (31%) would send the member of staff training material to review. Only 18% would report the individual to the security team.
Cryptocurrency 'Mixers' See Record Transactions from Sanctioned Actors
Use of so-called cryptocurrency “mixers,” which combine various types of assets to mask their origin, peaked at a 30-day average of nearly $52 million worth of digital currency in April, representing an unprecedented volume of funds moving through those services, researchers at cryptocurrency research firm Chainalysis found.
A near two-fold increase in funds sent from illicit addresses has accelerated the increase, indicating that the technology that can obfuscate the currency continues to be highly attractive to cyber criminals.
Cryptocurrency mixers work by taking an individual’s cryptocurrency and combining it with a larger pool before returning units equivalent to the original amount minus a service fee to the original account. As a result, it makes it harder for law enforcement and cryptocurrency analysts to trace the currency.
Mixers aren’t solely used by criminals, but they are extremely popular with them. 10% of all funds from illicit wallets are sent to mixers, while mixers received less than 0.5% of the share of other sources of funds tracked by the firm, including decentralised finance projects.
The bulk of illicit funds transferred to mixers came from sanctioned actors, primarily Russian dark net market Hydra and more recently the Lazarus Group, a group of North Korean state-backed hackers. International law enforcement took out Hydra, which had been responsible for 80% of dark web transactions involving cryptocurrency, in May. The US Treasury’s Office of Foreign Assets Control followed with sanctions on more than 100 of its cryptocurrency addresses.
The use of mixers by North Korea state-backed hackers, and a popular mixer they employed to launder funds, made up the rest of the transfers.
https://www.cyberscoop.com/cryptocurrency-mixers-see-record-transactions-from-sanctioned-actors/
Online Payment Fraud Expected to Cost $343B Over Next 5 Years
Despite ratcheted-up efforts to prevent account takeover, fraudsters are cashing in on a range of online payment fraud schemes, which researchers predict will cost retail organisations more than $343 billion over the next five years.
Physical good purchases are loss leaders, making up 49% of online payment fraud, driven in large part by developing markets with little address verification, according to a new Juniper Research report.
Fundamentally, no two online transactions are the same, so the way transactions are secured cannot follow a one-size-fits-all solution. Payment fraud detection and prevention vendors must build a multitude of verification capabilities, and intelligently orchestrate different solutions depending on circumstances, in order to correctly protect both merchants and users.
Threats
Ransomware
Paying ransomware crooks won’t reduce your legal risk, warns regulator – Naked Security (sophos.com)
New Lilith ransomware emerges with extortion site, lists first victim (bleepingcomputer.com)
Experts warn of the new 0mega ransomware operation - Security Affairs
Organisations Warned of New Lilith, RedAlert, 0mega Ransomware | SecurityWeek.Com
Microsoft links H0ly Gh0st ransomware operation to North Korean hackers (bleepingcomputer.com)
Feds Issue Warning for North Korean-backed Ransomware Hijackers - MSSP Alert
Ransomware gang now lets you search their stolen data (bleepingcomputer.com)
Rise in ransomware drives IT leaders to implement data encryption - Help Net Security
Bandai Namco confirms hack after ALPHV ransomware data leak threat (bleepingcomputer.com)
1.9m patients' medical data exposed in PFC ransomware attack • The Register
Phishing & Email Based Attacks
Email scams are getting more personal – they even fool cyber security experts (theconversation.com)
Hackers impersonate cyber security firms in callback phishing attacks (bleepingcomputer.com)
$8 million stolen in large-scale Uniswap airdrop phishing attack (bleepingcomputer.com)
Almost a third of untrained users will click a phishing link - KnowBe4 research - IT Security Guru
PayPal phishing kit added to hacked WordPress sites for full ID theft (bleepingcomputer.com)
Other Social Engineering
Rise In Smishing Scams, Why And How To Protect? (informationsecuritybuzz.com)
How Hackers Create Fake Personas for Social Engineering (darkreading.com)
How attackers abuse Quickbooks to send phone scam emails - Help Net Security
Malware
Mobile
New Android malware on Google Play installed 3 million times (bleepingcomputer.com)
The weaponizing of smartphone location data on the battlefield - Help Net Security
Internet of Things – IoT
Honda Admits Hackers Could Unlock Car Doors, Start Engines | SecurityWeek.Com
Watch This $80,000 Tesla Model Y Get Hacked With $20 Hardware - autoevolution
Data Breaches/Leaks
Organised Crime & Criminal Actors
Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain
Crypto Scams Soar Despite Crash (informationsecuritybuzz.com)
Cryptocurrency flowing into “mixers” hits an all-time high. Wanna guess why? | Ars Technica
Hackers stole $620 million from Axie Infinity via fake job interviews (bleepingcomputer.com)
Insider Risk and Insider Threats
Fraud, Scams & Financial Crime
Insurance
Supply Chain and Third Parties
Denial of Service DoS/DDoS
Identity and Access Management
Encryption
Social Media
Training, Education and Awareness
Privacy
New Cache Side Channel Attack Can De-Anonymize Targeted Online Users (thehackernews.com)
Amazon handed Ring video to police without warrant, consent • The Register
TikTok Chief Security Officer Steps Down Amid Concerns About Privacy (businessinsider.com)
Regulations, Fines and Legislation
Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine
Cyber espionage groups increasingly target journalists and media organisations | CSO Online
Sandworm APT Trolls Researchers on Its Trail as It Targets Ukraine (darkreading.com)
Lithuanian Energy Firm Disrupted by DDOS Attack - Infosecurity Magazine (infosecurity-magazine.com)
Security vendor splits to address Russia’s war in Ukraine • The Register
Apple previews Lockdown Mode, a new extreme security feature | ZDNet
Nation State Actors
Nation State Actors – North Korea
Nation State Actors – Misc APT
Vulnerabilities
DHS warns: Expect Log4j risks for 'a decade or longer' • The Register
Microsoft's Patch Tuesday fixes one bug under active exploit • The Register
Multiple Vulnerabilities in Adobe Products Could Allow for Arbitrary Code Execution (cisecurity.org)
CISA orders agencies to patch new Windows zero-day used in attacks (bleepingcomputer.com)
Flaw in Netwrix Auditor application allows arbitrary code execution - Security Affairs
Elastix VoIP systems hacked in massive campaign to install PHP web shells (bleepingcomputer.com)
Hackers Targeting VoIP Servers by Exploiting Digium Phone Software (thehackernews.com)
Anvil Mobile Hit By New Exploit - DNS Hijacking. (informationsecuritybuzz.com)
Microsoft Issues Fixes for 84 Vulnerabilities: Here's What to Patch Now (darkreading.com)
Buggy WordPress plugin allows complete site takeover • The Register
VMware patches vCenter Server flaw disclosed in November (bleepingcomputer.com)
AMD, Intel chips vulnerable to 'Retbleed' Spectre variant • The Register
Microsoft fixes dozens of Azure Site Recovery privilege escalation bugs (bleepingcomputer.com)
Microsoft releases PoC exploit for macOS sandbox escape vulnerability (bleepingcomputer.com)
AWS squashes authentication bugs in Kubernetes service • The Register
Sector Specific
Industry specific threat intelligence reports are available.
Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.
Automotive
Construction
Critical National Infrastructure (CNI)
Defence & Space
Education & Academia
Energy & Utilities
Estate Agencies
Financial Services
FinTech
Food & Agriculture
Gaming & Gambling
Government & Public Sector (including Law Enforcement)
Health/Medical/Pharma
Hotels & Hospitality
Insurance
Legal
Manufacturing
Maritime
Oil, Gas & Mining
OT, ICS, IIoT, SCADA & Cyber-Physical Systems
Retail & eCommerce
Small and Medium Sized Businesses (SMBs)
Startups
Telecoms
Third Sector & Charities
Transport & Aviation
Web3
Other News
5 key considerations for your 2023 cyber security budget planning | CSO Online
What Are the Risks of Employees Going on a 'Hybrid Holiday'? (darkreading.com)
New ‘Luna Moth’ hackers breach orgs via fake subscription renewals (bleepingcomputer.com)
Experian accounts could still be at risk from hackers | TechRadar
Mergers and acquisitions are a strong zero-trust use case • The Register
Recruitment agency Morgan Hunt confirms 'cyber incident' • The Register
New Exploit Attacks UK Routers and Runs Up Mobile Data Bills - ISPreview UK
How Attackers Could Dupe Developers into Downloading Malicious Code From GitHub (darkreading.com)
Data breaches explained: Types, examples, and impact | CSO Online
President of European Central Bank Christine Lagarde targeted by hackers - Security Affairs
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Threat Briefing 20 May 2022
Black Arrow Cyber Threat Briefing 20 May 2022
-Fifth of Businesses Say Cyber Attack Nearly Broke Them
-Weak Security Controls and Practices Routinely Exploited for Initial Access
-How Do Ransomware Attacks Impact Victim Organisations’ Stock?
-Prioritise Patching Vulnerabilities Associated with Ransomware
-Researchers Warn of Advanced Persistent Threats/Nation State Actors (APTs), Data Leaks as Serious Threats Against UK Financial Sector
-Remote Work Hazards: Attackers Exploit Weak WiFi, Endpoints, and the Cloud
-Small Businesses Under Fire from Password Stealers
-Email Is the Riskiest Channel for Data Security
-Phishing Attacks for Initial Access Surged 54% in Q1
-State of Internet Crime in Q1 2022: Bot Traffic on The Rise, And More
-Fears Grow for Smaller Nations After Ransomware Attack on Costa Rica Escalates
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
Fifth of Businesses Say Cyber Attack Nearly Broke Them
A fifth of US and European businesses have warned that a serious cyber attack nearly rendered them insolvent, with most (87%) viewing compromise as a bigger threat than an economic downturn, according to Hiscox.
The insurer polled over 5000 businesses in the US, UK, Ireland, France, Spain, Germany, the Netherlands and Belgium to compile its annual Hiscox Cyber Readiness Report.
It revealed the potentially catastrophic financial damage that a serious cyber-attack can wreak. The number claiming to have nearly been brought down by a breach increased 24% compared to the previous year.
Nearly half (48%) of respondents said they suffered an attack over the past 12 months, a 12% increase from the previous report’s findings. Perhaps unsurprisingly, businesses in seven out of eight countries see cyber as their biggest threat.
Yet perception appears to vary greatly depending on whether an organisation has suffered a serious compromise or not. While over half (55%) of total respondents said they view cyber as a high-risk area, the figure among companies that have not yet suffered an attack is just 36%.
https://www.infosecurity-magazine.com/news/fifth-of-businesses-cyber-attack/
Weak Security Controls and Practices Routinely Exploited for Initial Access
Cyber actors routinely exploit poor security configurations (either misconfigured or left unsecured), weak controls, and other poor cyber hygiene practices to gain initial access or as part of other tactics to compromise a victim’s system. A joint Cybersecurity Advisory by the cyber security authorities of the United States, Canada, New Zealand, the Netherlands, and the United Kingdom identifies commonly exploited controls and practices and includes best practices to mitigate the issues.
Malicious cyber actors often exploit the following common weak security controls, poor configurations, and poor security practices to employ the initial access techniques.
Multifactor authentication (MFA) is not enforced
Incorrectly applied privileges or permissions and errors within access control lists
Software is not up to date
Use of vendor-supplied default configurations or default login usernames and passwords
Remote services, such as a virtual private network (VPN), lack sufficient controls to prevent unauthorised access
Strong password policies are not implemented
Cloud services are unprotected
Open ports and misconfigured services are exposed to the internet
Failure to detect or block phishing attempts
Poor endpoint detection and response.
https://www.cisa.gov/uscert/ncas/alerts/aa22-137a
How Do Ransomware Attacks Impact Victim Organisations’ Stock?
Ransomware has developed into an extremely lucrative business model with little risk involved for the threat actors. Couple this with the willingness of most victim organisations to pay the ransom demand under the assumption it will return business operations to normal - ultimately encouraging more attacks - and we have a big problem with no easy remedies.
Back in 2021, Cybereason published a report titled Ransomware Attacks and the True Cost to Business that revealed the various costs that organisations face after falling victim to a ransomware attack. Here are some of the most significant findings that stood out:
Two-thirds of ransomware victims said that they endured a significant loss of revenue following the attack
More than half (53%) of organisations suffered damage to their brand and reputation after a ransomware infection
A third of those who fell to ransomware lost C-level talent in the attack’s aftermath
Three in 10 organisations had no choice but to lay off employees due to the financial pressures resulting from a ransomware incident
A quarter of ransomware victims said that they needed to suspend operations.
Prioritise Patching Vulnerabilities Associated with Ransomware
In the last quarter, ransomware attacks have made mainstream headlines on a near-daily basis, with groups like Lapsus$ and Conti’s names splashed across the page. Major organisations like Okta, Globant and Kitchenware maker Meyer Corporation have all fallen victim, and they are very much not alone. The data indicates that increasing vulnerabilities, new advanced persistent threat (APT) groups and new ransomware families are contributing to ransomware’s continued prevalence and profitability.
The top stats include:
22 new vulnerabilities and nine new weaknesses have been associated with ransomware since January 2022; of the 22, a whopping 21 are considered of critical or high risk severity
19 (out of 22) of the newly-added vulnerabilities are associated with the Conti ransomware gang
Three new APT groups (Exotic Lily, APT 35, DEV-0401) and four new ransomware families (AvosLocker, Karma, BlackCat, Night Sky) are deploying ransomware to attack their targets
141 of CISA’s Known Exploited Vulnerabilities (KEVs) are being used by ransomware operators – including 18 newly identified this quarter
11 vulnerabilities tied to ransomware remain undetected by popular scanners
624 unique vulnerabilities were found within the 846 healthcare products analysed.
https://www.helpnetsecurity.com/2022/05/19/increase-ransomware-vulnerabilities/
Researchers Warn of Advanced Persistent Threats (APTs), Data Leaks as Serious Threats Against UK Financial Sector
Researchers say that geopolitical tension, ransomware, and cyber attacks using stolen credentials threaten the UK's financial sector.
KELA's security team published a report examining the cyber security issues and attacks that surfaced in 2021 and early 2022, specifically focused on the United Kingdom's banks and other financial services.
The UK was one of the first countries to stand with Ukraine after the invasion by Russia. This could make UK organisations a tempting target for threat actors siding with Russia - whether by state-sponsored advanced persistent threat (APT) groups or hacktivists. The National Cyber Security Centre (NCSC) previously warned businesses to shore up their cyber security following Russia's assault.
APTs are often responsible for attacking the financial sector: account credentials, card numbers, and the personally identifiable information (PII) of customers are useful not only in social engineering and identity theft but also to make fraudulent purchases or for card cloning.
APTs target organisations worldwide, and those located in the UK are no exception. Over the past few years, APTs, including the Chinese APT40 and APT31, have utilised vulnerabilities, including ProxyLogon, to compromise UK businesses.
"In general, APTs may target the financial sector to commit fraud, burglarise ATMs, execute transactions, and penetrate organisations' internal financial systems," KELA says. "Although specific threats to the UK financial sector have not been identified, there is no doubt that the UK has occasionally been a target of APT groups during 2021."
Exposed corporate information and leaked credentials are also of note. After browsing Dark Web forums, the researchers found that UK data is "in demand" by cyber criminals who are seeking PII, access credentials, and internal data.
Remote Work Hazards: Attackers Exploit Weak WiFi, Endpoints, and the Cloud
Infoblox unveils a global report examining the state of security concerns, costs, and remedies. As the pandemic and uneven shutdowns stretch into a third year, organisations are accelerating digital transformation projects to support remote work. Meanwhile, attackers have seized on vulnerabilities in these environments, creating more work and larger budgets for security teams.
1,100 respondents in IT and cyber security roles in 11 countries – United States, Mexico, Brazil, United Kingdom, Germany, France, the Netherlands, Spain, United Arab Emirates, Australia, and Singapore – participated in the survey.
The surge in remote work has changed the corporate landscape significantly – and permanently. 52% of respondents accelerated digital transformation projects, 42% increased customer portal support for remote engagement, 30% moved apps to third party cloud providers, and 26% shuttered physical offices for good. These changes led to the additions of VPNs and firewalls, a mix of corporate and employee owned devices as well as cloud and on-premises DDI servers to manage data traffic across the expanded network.
The hybrid workforce reality is causing greater concerns with data leakage, ransomware and attacks through remote access tools and cloud services. Respondents indicate concerns about their abilities to counter increasingly sophisticated cyber attacks with limited control over employees, work-from-home technologies, and vulnerable supply chain partners. The sophistication of state-sponsored malware also is a source of worry for many.
Organisations have good reason to worry: 53% of respondents experienced up to five security incidents that led to at least one breach.
https://www.helpnetsecurity.com/2022/05/17/state-of-security/
Small Businesses Under Fire from Password Stealers
Password-stealing malware and other cyber attacks have increased significantly against small businesses over the past year, according to Kaspersky researchers.
An assessment released this week detailed the number of Trojan Password Stealing Ware (PSW) detections, internet attacks and attacks on Remote Desktop Protocol (RDP) between January and April 2022, compared with the same time frame from 2021. Kaspersky's research showed a jump in the detection of password stealers within small business environments, as well as increases in other types of cyber attacks.
According to Kaspersky, the biggest increase in threats against small businesses was password stealers, specifically Trojan PSWs. There were nearly 1 million more detected Trojan PSWs targeting small and medium-sized businesses in the first trimester of 2022 than the first of 2021, increasing from 3,029,903 to 4,003,323.
Email Is the Riskiest Channel for Data Security
Research from Tessian and the Ponemon Institute reveals that nearly 60% of organisations experienced data loss or exfiltration caused by an employee mistake on email in the last 12 months.
Email was revealed as the riskiest channel for data loss in organisations, as stated by 65% of IT security practitioners. This was closely followed by cloud file-sharing services (62%) and instant messaging platforms (57%).
The research surveyed 614 IT security practitioners across the globe to also reveal that:
Employee negligence, because of not following policies, is the leading cause of data loss incidents (40%)
27% of data loss incidents are caused by malicious insiders
It takes up to three days for security and risk management teams to detect and remediate a data loss and exfiltration incident caused by a malicious insider on email
23% of organisations experience up to 30 security incidents involving employees’ use of email every month (for example, email was sent to an unintended recipient).
The most common types of confidential and sensitive information lost or intentionally stolen include: customer information (61%); intellectual property (56%); and consumer information (47%). User-created data (sensitive email content, text files, M&A documents), regulated data (credit card data, Social Security numbers, national ID numbers, employee data), and intellectual property were identified as the three types of data that are most difficult to protect from data loss.
The top two consequences for data loss incidents were revealed as non-compliance with data protection regulations (57%) and damage to an organisation’s reputation (52%). Furthermore, a previous study from Tessian found that 29% of businesses lost a client or customer because of an employee sending an email to the wrong person.
https://www.helpnetsecurity.com/2022/05/20/data-loss-email/
Phishing Attacks for Initial Access Surged 54% in Q1
Threat actors doubled down on their use of phishing emails as an initial attack vector during the first quarter of 2022 — and in many cases then used that access to drop ransomware or to extort organisations in other ways.
Researchers from Kroll recently analysed data gathered from security incidents they responded to in the first three months of this year. The analysis showed a 54% increase in incidents of phishing for initial access compared with the same period last year.
For the first time since Microsoft disclosed the so-called ProxyLogon set of vulnerabilities in Exchange Server in the first quarter of 2021, incidents tied to email compromises surpassed those related to ransomware. Kroll described the sharp increase in phishing activity as likely the result of a surge in activity tied to Emotet and IceID malware — threat actors have been using both to drop other malware.
https://www.darkreading.com/risk/phishing-attacks-for-initial-access-surged-q1
Fears Grow for Smaller Nations After Ransomware Attack on Costa Rica Escalates
Conti demanded $20M in ransom — and the overthrow of the government.
It’s been a rough start for the newly elected Costa Rica president Rodrigo Chaves, who less than a week into office declared his country “at war” with the Conti ransomware gang.
“We’re at war and this is not an exaggeration,” Chaves told local media. “The war is against an international terrorist group, which apparently has operatives in Costa Rica. There are very clear indications that people inside the country are collaborating with Conti.”
Conti’s assault on the Costa Rican government began in April. The country’s Finance Ministry was the first hit by the Russia-linked hacking group, and in a statement on May 16, Chaves said the number of institutions impacted had since grown to 27. This, he admitted, means civil servants wouldn’t be paid on time and will impact the country’s foreign trade.
In a message posted to its dark web leaks blog, Conti urged the citizens of Costa Rica to pressure their government to pay the ransom, which the group doubled from an initial $10 million to $20 million. In a separate statement, the group warned: “We are determined to overthrow the government by means of a cyber attack, we have already shown you all the strength and power.”
Conti is among the most prolific hacking groups. The FBI warned earlier this year that the gang was among “the three top variants” that targeted businesses in the United States, and it has been blamed for ransomware attacks targeting dozens of businesses, including Fat Face, Shutterfly and the Irish healthcare service.
But Conti has picked up its pace in recent months: In January and February it published 31 victims on its leaks blog. In March and April, it posted 133 victims.
https://techcrunch.com/2022/05/20/costa-rica-ransomware-attack/
Threats
Ransomware
Ransomware Gangs Rely More on Weaponizing Vulnerabilities (bleepingcomputer.com)
Ransomware Gang Extorted 725 BTC in One Attack, On-Chain Sleuths Find (coindesk.com)
5 Critical Questions to Test Your Ransomware Preparedness - Help Net Security
“Alarming” Surge in Conti Group Activity This Year - Infosecurity Magazine
Why AI-Powered Ransomware Cyber Attacks Could Be Coming Soon - Protocol
Nikkei Says Customer Data Likely Impacted in Ransomware Attack | SecurityWeek.Com
Wizard Spider Hackers Hire Cold Callers to Scare Ransomware Victims Into Paying Up | ZDNet
Greenland Hit by Cyber Attack, Finds Its Health Service Crippled (bitdefender.com)
Conti Ransomware Shuts Down Operation, Rebrands into Smaller Units (bleepingcomputer.com)
No One Is Slowing Down BlackByte Ransomware Gang • The Register
President Rodrigo Chaves says Costa Rica is at war with Conti hackers - BBC News
Engineering Firm Parker Discloses Data Breach After Ransomware Attack (bleepingcomputer.com)
US links Thanos and Jigsaw ransomware to 55-year-old doctor (bleepingcomputer.com)
Russian Conti Ransomware Gang Threatens to Overthrow New Costa Rican Government (thehackernews.com)
Phishing & Email Based Attacks
This Phishing Attack Delivers Three Forms of Malware. And They All Want to Steal Your Data | ZDNet
HTML Attachments Remain Popular Among Phishing Actors In 2022 (bleepingcomputer.com)
Chatbot Army Deployed in Latest DHL Shipping Phish (darkreading.com)
Phishing Gang That Stole Over 400,000 Euros Busted in Spain (tripwire.com)
Long Lost @ Symbol Gets New Life Obscuring Malicious URLs | Malwarebytes Labs
Spanish Police Dismantle Phishing Gang That Emptied Bank Accounts (bleepingcomputer.com)
Malware
Microsoft Identifies Botnet Variant Targeting Windows and Linux Systems - Infosecurity Magazine
Activity of the Linux XorDdos bot increased by 254% over the last 6 monthsSecurity Affairs
Fake Domains Offer Windows 11 Installers - But Deliver Malware Instead | ZDNet
Bruised but Not Broken: The Resurgence of the Emotet Botnet Malware (trendmicro.com)
Malicious PyPI Pymafka Package Opens Backdoors On Windows, Linux, and Macs (bleepingcomputer.com)
April VMware Bugs Abused to Deliver Mirai Malware, Exploit Log4Shell | Threatpost
Mobile
6 Scary Tactics Used in Mobile App Attacks (darkreading.com)
Researchers Find Potential Way to Run Malware on iPhone Even When it's OFF (thehackernews.com)
Google TAG: Cytrox's Predator Spyware Used to Target Android Users | WIRED
IoT
Data Breaches/Leaks
Organised Crime & Criminal Actors
Ukrainian Hacker Jailed for 4-Years in U.S. for Selling Access to Hacked Servers (thehackernews.com)
US Recovers a Record $15m from the 3ve Ad-Fraud Crew • The Register
Cryptocurrency/Cryptomining/Cryptojacking/NFTs
How Cryptocurrencies Enable Attackers and Defenders (techtarget.com)
Monero-Mining Sysrv Botnet Targets Windows, Linux Web Servers • The Register
US Brings First-Of-Its-Kind Bitcoin Sanctions-Busting Case • The Register
Fake Pixelmon NFT Site Infects You with Password-Stealing Malware (bleepingcomputer.com)
Hackers Compromise a String of NFT Discord Channels (vice.com)
Fraud, Scams & Financial Crime
Supply Chain and Third Parties
MITRE Creates Framework for Supply Chain Security (darkreading.com)
The Four Horsemen of Software Supply Chain Attacks - MSSP Alert
Cloud/SaaS
7 Key Findings from the 2022 SaaS Security Survey Report (thehackernews.com)
New Research Identifies Poor IAM Policies as The Greatest Cloud Vulnerability - CyberScoop
Are You Investing in Securing Your Data in the Cloud? (thehackernews.com)
380K Kubernetes API Servers Exposed to Public Internet | Threatpost
Open Source
Privacy
How To Ensure That the Smart Home Doesn’t Jeopardize Data Privacy? - Help Net Security
Privacy. Ad Bidders Haven't Heard of It, Report Reveals • The Register
Third-Party Web Trackers Log What You Type Before Submitting (bleepingcomputer.com)
Passwords & Credential Stuffing
The Most Insecure and Easily Hackable Passwords - Help Net Security
Half of IT Leaders Store Passwords in Shared Docs - Infosecurity Magazine
Cyber Bullying and Cyber Stalking
Regulations, Fines and Legislation
Europe Moves Closer to Stricter Cyber Security Standards • The Register
EU's NIS 2 Directive to Strengthen Cyber Security Requirements For Companies - Help Net Security
Spyware, Espionage & Cyber Warfare, including Russian Invasion of Ukraine
Google TAG: Cytrox's Predator Spyware Used to Target Android Users | WIRED
How Mobile Networks Have Become a Front in the Battle for Ukraine (darkreading.com)
China-linked Twisted Panda Caught Spying on Russian R&D Orgs • The Register
Pro-Russian Hackers Spread Hoaxes to Divide Ukraine, Allies | SecurityWeek.Com
A custom PowerShell RAT Targets Germany Using Crisis in Ukraine as Bait - Security Affairs
Nation State Actors
Nation State Actors – Russia
Putin Promises to Bolster Russia's IT Security in Face of Cyber Attacks | Reuters
Russian Hackers Declare War On 10 Countries After Failed Eurovision DDoS attack | IT PRO
Pro-Russian Information Operations Escalate in Ukraine War (darkreading.com)
Russian Undersea Cable Threat Shifts Tech Business to UK (telegraph.co.uk)
Russians Allegedly Storm Ukrainian ISP, Blackmail It to Switch To Russian Networks - CyberScoop
Russia-linked Sandworm Continues to Conduct Attacks Against Ukraine - Security Affairs
Russian Cyber Attack on Eurovision Foiled By Italian Authorities (bitdefender.com)
This Russian Botnet Does Far More Than DDoS Attacks - And on A Massive Scale | ZDNet
Nation State Actors – China
Nation State Actors – North Korea
Nation State Actors – Iran
Vulnerabilities
QNAP Urges Users to Update NAS Devices to Prevent Deadbolt Ransomware Attacks (thehackernews.com)
Cisco Fixes an IOS XR Flaw Actively Exploited in The Wild - Security Affairs
2 Vulnerabilities With 9.8 Severity Ratings Are Under Exploit. A 3rd Looms | Ars Technica
Microsoft Rushes a Fix After May Patch Tuesday Breaks Authentication (darkreading.com)
Microsoft Fixes New PetitPotam Windows NTLM Relay Attack Vector (bleepingcomputer.com)
Apple Patches Zero-Day Kernel Hole and Much More – Update Now! – Naked Security (sophos.com)
High-Severity Bug Reported in Google's OAuth Client Library for Java (thehackernews.com)
Over 20,000 Zyxel Firewalls Still Exposed to Critical Bug - Infosecurity Magazine
Apple Fixes the Sixth Zero-Day Since The Beginning of 2022 - Security Affairs
Mozilla Patches Wednesday’s Pwn2Own Double-Exploit… on Friday! – Naked Security (sophos.com)
Critical Vulnerability in Premium WordPress Themes Allows for Site Takeover | Threatpost
Critical Jupiter WordPress Plugin Flaws Let Hackers Take Over Sites (bleepingcomputer.com)
Apple Finally Patches Exploited Vulnerabilities in macOS Big Sur, Catalina | SecurityWeek.Com
NVIDIA Fixes Ten Vulnerabilities in Windows GPU Display Drivers (bleepingcomputer.com)
New Brute Force Attacks Against SQL Servers Use PowerShell Wrapper | SecurityWeek.Com
Sector Specific
Retail/eCommerce
How Crooks Backdoor Sites and Scrape Credit Card Info • The Register
Digital Skimming is Now the Preserve of Non-Magecart Groups - Infosecurity Magazine
Energy & Utilities
Water Companies Are Increasingly Uninsurable Due To Ransomware, Industry Execs Say - CyberScoop
UK Announces Nuclear Cyber Security Strategy - IT Security Guru
Education and Academia
Ransomware Attack Exposes Data of 500,000 Chicago Students (bleepingcomputer.com)
Higher Education Institutions Being Targeted for Ransomware Attacks | TechRepublic
“Incompetent” Council Leaks Details of Students With Special Educational Needs • Graham Cluley
Researchers Find Backdoor in School Management Plugin for WordPress (thehackernews.com)
Other News
UK Government: Lack of Skills the Number One Issue in Cyber Security - Infosecurity Magazine
Malicious Hackers Are Finding It Too Easy to Achieve Their Initial Access (tripwire.com)
How Threat Actors Are a Click Away From Becoming Quasi-APTs (darkreading.com)
Cyber Security: Global Food Supply Chain at Risk From Malicious Hackers - BBC News
Cyber Security Agencies Reveal Top Initial Access Attack Vectors (bleepingcomputer.com)
50% of Orgs Rely on Email to Manage Security (darkreading.com)