Threat Intelligence Blog
Contact us to discuss any insights from our Blog, and how we can support you in a tailored threat intelligence report.
Black Arrow Cyber Threat Briefing 21 October 2022
Black Arrow Cyber Threat Briefing 21 October 2022:
-Gen Z, Millennials Really Doesn't Care About Workplace Cyber Security
-Supply Chain Attacks Increased Over 600% This Year and Companies Are Falling Behind
-Cyber-Enabled Crimes Are Biggest Police Concerns
-List of Common Passwords Accounts for Nearly All Cyber Attacks
-Shared Responsibility or Shared Fate? Decentralized IT Means We Are All Cyber Defenders
-Ukraine War Cuts Ransomware as Kremlin Co-Opts Hackers
-96% Of Companies Report Insufficient Security for Sensitive Cloud Data
-Your Microsoft Exchange Server Is a Security Liability
-Are Cyber Security Vendors Pushing Snake Oil?
-Ransomware Preparedness, What Are You Doing Wrong?
-NSA Cybersecurity Director's Six Takeaways from the War in Ukraine
-Microsoft Confirms Server Misconfiguration Led to 65,000+ Companies' Data Leak
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
Gen Z, Millennials Really Don’t Care About Workplace Cyber Security
When it comes to cyber security in the workplace, younger employees don’t really seem to care that much, which is putting their organisations in serious harm’s way, new research has claimed.
Surveying approximately 1,000 workers using devices issued by their employers, professional services firm EY found Gen Z enterprise employees were more apathetic about cyber security than their Boomer counterparts in adhering to their employer's safety policies.
This is despite the fact that four in five (83%) of all those surveyed claimed to understand their employer’s security protocol.
When it comes to implementing mandatory IT updates, for example, 58% of Gen Z’ers and 42% of millennials would disregard them for as long as possible. Less than a third (31%) of Gen X’ers, and just 15% of baby boomers said they do the same.
Apathy in the young extends to password reuse between private and business accounts. A third of Gen Z and millennial workers surveyed admitted to this, compared to less than a quarter of all Gen X’ers and baby boomers.
Some say the apathy of young people towards technology is down to their over-familiarity with technology, and never having been without it. Being too comfortable with tech undoubtedly makes an enterprise's younger employees a major target for cyber criminals looking to exploit any hole in security.
If an organisation's cyber security practices aren't upheld strongly, threat actors can compromise huge networks with simple social engineering attacks.
https://www.techradar.com/news/younger-workers-dont-care-about-workplace-cybersecurity
Supply Chain Attacks Increased Over 600% This Year and Companies Are Falling Behind
The number of documented supply chain attacks involving malicious third-party components has increased 633% over the past year, now sitting at over 88,000 known instances, according to a new report from software supply chain management company Sonatype. Meanwhile, instances of transitive vulnerabilities that software components inherit from their own dependencies have also reached unprecedented levels and plague two-thirds of open-source libraries.
“The networked nature of dependencies highlights the importance of having visibility and awareness about these complex supply chains” Sonatype said in its newly released State of the Software Supply Chain report. “These dependencies impact our software, so having an understanding of their origins is critical to vulnerability response. Many organisations did not have the needed visibility and continued their incident response procedures for Log4Shell well beyond the summer of 2022 as a result.”
Log4Shell is a critical vulnerability discovered in November 2021 in Log4j, a widely popular open-source Java library used for logging and bundled in millions of enterprise applications and software products, often as an indirect dependency. According to Sonatype’s monitoring, as of August 2022, the adoption rate for fixed versions of Log4j sits at around 65%. Moreover, this doesn’t even account for the fact that the Log4Shell vulnerability originated in a Java class called JndiManager that is part of Log4j-core, but which has also been borrowed by 783 other projects and is now found in over 19,000 software components.
Log4Shell served as a watershed moment, highlighting the inherent risks that exist in the open-source software ecosystem – which sits at the core of modern software development – and the need to manage them properly. It also led to several initiatives to secure the software supply chain by private organisations, software repository managers, the Linux Foundation, and government bodies. Yet, most organisations are far from where they need to be in terms of open-source supply chain management.
Cyber-Enabled Crimes Are Biggest Police Concerns
Cyber-related crimes such as money laundering, ransomware and phishing pose the biggest threat to society, according to the first ever Interpol Global Crime Trend report.
The inaugural study was compiled from data received from the policing organisation’s 195 member countries, as well as information and analysis from external sources.
Money laundering was ranked the number one threat, with 67% of respondents claiming it to be a “high” or “very high” risk. Ransomware came second (66%) but was the crime type that most (72%) expected to increase in the next 3–5 years.
Of the nine top crime trends identified in the report, six are directly cyber-enabled, including money laundering, ransomware, phishing, financial fraud, computer intrusion and child sexual exploitation.
Interpol warned that the pandemic had fomented new underground offerings like “financial crime-as-a-service,” including digital money laundering tools which help to lower the barrier to entry for criminal gangs. It also claimed that demand for online child sexual exploitation and abuse (OCSEA) content surged during the pandemic. Some 62% of respondents expect it to increase or significantly increase in the coming years.
The findings represent something of a turnaround from pre-pandemic times, when drug trafficking regularly topped the list of police concerns. Thanks to a surge in corporate digitalisation, home working and online shopping, there are now rich pickings to be had from targeting consumers and business users with cyber-scams and attacks, Interpol claimed.
https://www.infosecurity-magazine.com/news/cyberenabled-crimes-are-biggest/
List of Common Passwords Accounts for Nearly All Cyber Attacks
Half of a million passwords from the RockYou2021 list account for 99.997% of all credential attacks against a variety of honeypots, suggesting attackers are just taking the easy road.
Tens of millions of credential-based attacks targeting two common types of servers boiled down to a small fraction of the passwords that formed a list of leaked credentials, known as the RockYou2021 list.
Vulnerability management firm Rapid7, via its network of honeypots, recorded every attempt to compromise those servers over a 12-month period, finding that the attempted credential attacks resulted in 512,000 permutations. Almost all of those passwords (99.997%) are included in a common password list — the RockYou2021 file, which has 8.4 billion entries — suggesting that attackers, or the subset of threat actors attacking Rapid7's honeypots, are sticking to a common playbook.
The overlap in all the attacks also suggest attackers are taking the easy road, said Rapid7. "We know now, in a provable and demonstrable way, that nobody — 0% of attackers — is trying to be creative when it comes to unfocused, untargeted attacks across the Internet," they said. "Therefore, it's very easy to avoid this kind of opportunistic attack, and it takes very little effort to take this threat off the table entirely, with modern password managers and configuration controls."
Every year, security firms present research suggesting users are continuing to pick bad passwords. In 2019, an evaluation of passwords leaked to the Internet found that the top password was "123456," followed by "123456789" and "qwerty," and unfortunately things have not got much better since then.
https://www.darkreading.com/endpoint/a-common-password-list-accounts-for-nearly-all-cyberattacks
Shared Responsibility or Shared Fate? Decentralised IT Means We Are All Cyber Defenders
Does your organisation truly understand the shared responsibility model? Shared responsibility emerged from the early days of cloud computing as a way to delineate responsibilities between cloud providers and their customers, but often there's a gap between what shared responsibility means and how it is interpreted. With the decentralisation of IT, this gap is getting worse.
Applications, servers, and overall technology used to be under the purview and control of the IT department, yet with the shift to cloud, and specifically software-as-a-service (SaaS), this dynamic has changed. Whether it's the sales team bringing in a customer relationship management (CRM) system like Salesforce, or the HR department operating a human resources information system (HRIS) like Workday, there's a clear "expanding universe" of IT that no longer sits where it used to. Critical business workflows exist in separate business units far from IT and security and are managed as such. Our corporate IT footprints have become decentralised.
This is not some minor, temporary trend. With the ease and speed of adopting new SaaS applications and the desire to "lift and shift" code into cloud-based environments, this is the future. The future is decentralised.
The shift to business-owned and -operated applications puts security teams in a position where risk management is their responsibility; they are not even able to log into some of these critical systems. It's like asking your doctor to keep you healthy but not giving her access to your information or having regular check-ups. It doesn't work that way.
Beyond the challenging human skills gap, there's technical entropy and diversity everywhere, with different configuration settings, event logs, threat vectors, and data sensitivities. On the access side, there are different admins, users, integrations, and APIs. If you think managing security on Windows and Mac is a lot, try it across many huge applications.
With this reality, how can the security team be expected to combat a growing amount of decentralised business technology risk?
We must operate our technology with the understanding that shared responsibility is the vertical view between cloud provider and customer, but that enterprise-owned piece of shared responsibility is the burden of multiple teams horizontally across an organisation. Too often the mentality is us versus them, availability versus security, too busy to care about risk, too concerned with risk to understand "the business."
Ukraine War Cuts Ransomware as Kremlin Co-Opts Hackers
The Ukraine war has helped reduce global ransomware attacks by 10pc in the last few months, a British cyber security company has said.
Criminal hacking gangs, usually engaged in corporate ransomware activities, are increasingly being co-opted by the Russian military to launch cyber attacks on Ukraine, according to Digital Shadows. “The war is likely to continue to motivate ransomware actors to target government and critical infrastructure entities,” according to the firm. Such attacks partly contributed to a 10pc drop in the number of ransomware threats launched during the three months to September, said the London-based company.
The drop in ransomware may also partly be caused by tit-for-tat digital attacks between rival hacking gangs. Researchers said the Lockbit gang, who recently targeted LSE-listed car retailer Pendragon with a $60m (£53.85m) ransom demand, were the target of attacks from their underworld rivals. The group is increasingly inviting resentment from competing threat groups and possibly former members.
Some cyber criminals’ servers went offline in September after what appeared to be an attack from competitors. In the world of cyber criminality, it is not uncommon for tensions to flare among rival groups.
Officials from GCHQ’s National Cyber Security Centre have said ransomware is one of the biggest cyber threats facing the UK. Figures published by the Department for Digital, Culture, Media and Sport this year revealed the average costs to businesses caused by ransomware attacks is around £19,000 per incident.
US-based cyber security company Palo Alto Networks, however, warned that the average ransom payment it saw in the early part of this year was $925,000 (£829,000).
https://www.telegraph.co.uk/business/2022/10/23/ukraine-war-cuts-ransomware-kremlin-co-opts-hackers/
96% Of Companies Report Insufficient Security for Sensitive Cloud Data
The vast majority of organisations lack confidence in securing their data in cloud, while many companies acknowledge they lack sufficient security even for their most sensitive data, according to a new report by the Cloud Security Alliance (CSA).
The CSA report surveyed 1,663 IT and security professionals from organisations of various sizes and in various locations. "Only 4% report sufficient security for 100% of their data in the cloud. This means that 96% of organisations have insufficient security for at least some of their sensitive data," according to the report, which was sponsored by data intelligence firm BigID.
Apart from struggling with securing sensitive data, organisations are also having trouble tracking data in the cloud. Over a quarter of organisations polled aren’t tracking regulated data, nearly a third aren’t tracking confidential or internal data, and 45% aren’t tracking unclassified data, the report said.
“This suggests that organisations’ current methods of classifying data aren’t sufficient for their needs. However, if the tracking is this low, it could be a contributing factor to the issue of dark data. Organisations need to utilise data discovery and classification tools to properly understand the data they have and how to protect it,” the CSA study noted.
Your Microsoft Exchange Server Is a Security Liability
With endless vulnerabilities, widespread hacking campaigns, slow and technically tough patching, it's time to say goodbye to on-premise Exchange.
Once, reasonable people who cared about security, privacy, and reliability ran their own email servers. Today, the vast majority host their personal email in the cloud, handing off that substantial burden to the capable security and engineering teams at companies like Google and Microsoft. Now, cyber security experts argue that a similar switch is due - or long overdue - for corporate and government networks. For enterprises that use on-premise Microsoft Exchange, still running their own email machine somewhere in a closet or data centre, the time has come to move to a cloud service, if only to avoid the years-long plague of bugs in Exchange servers that has made it nearly impossible to keep determined hackers out.
The latest reminder of that struggle arrived earlier this week, when Taiwanese security researcher Orange Tsai published a blog post laying out the details of a security vulnerability in Microsoft Exchange. Tsai warned Microsoft about this vulnerability as early as June of 2021, and while the company responded by releasing some partial fixes, it took Microsoft 14 months to fully resolve the underlying security problem. Tsai had earlier reported a related vulnerability in Exchange that was massively exploited by a group of Chinese state-sponsored hackers known as Hafnium, which last year penetrated more than 30,000 targets by some counts. Yet according to the timeline described in Tsai’s post this week, Microsoft repeatedly delayed fixing the newer variation of that same vulnerability, assuring Tsai no fewer than four times that it would patch the bug before pushing off a full patch for months longer. When Microsoft finally released a fix, Tsai wrote, it still required manual activation and lacked any documentation for four more months.
Meanwhile, another pair of actively exploited vulnerabilities in Exchange that were revealed last month still remain unpatched after researchers showed that Microsoft’s initial attempts to fix the flaws had failed. Those vulnerabilities were just the latest in a years-long pattern of security bugs in Exchange’s code. And even when Microsoft does release Exchange patches, they’re often not widely implemented, due to the time-consuming technical process of installing them.
The result of those compounding problems, for many who have watched the hacker-induced headaches of running an Exchange server pile up, is a clear message: An Exchange server is itself a security vulnerability, and the fix is to get rid of it.
“You need to move off of on-premise Exchange forever. That’s the bottom line,” says Dustin Childs, the head of threat awareness at security firm Trend Micro’s Zero Day Initiative (ZDI), which pays researchers for finding and reporting vulnerabilities in commonly used software and runs the Pwn2Own hacking competition. “You’re not getting the support, as far as security fixes, that you would expect from a really mission-critical component of your infrastructure.”
https://www.wired.com/story/microsoft-exchange-server-vulnerabilities/
Are Cyber Security Vendors Pushing Snake Oil?
Survey: 96 percent of cyber security decision makers confused by vendor marketing.
The availability of new security products increases, the amount of budget spent on cyber security grows, and the number of security breaches seems to outpace both. This basic lack of correlation between increasing cyber security spend and any clear increase in cyber security effectiveness is the subject of a new analytical survey from Egress.
With 52 million data breaches in Q2 2022 alone (Statista), Egress questioned 800 cyber security and IT leaders on why vendor claims and reality aren’t aligned. The headline response in the survey is that 91% of decision makers have difficulty in selecting cyber security vendors due to unclear marketing about their specific offerings.
The financial investment cycle doesn’t help in this. For many investors, the strength of the management team is more important than the product. The argument is not whether this product is a cyber security silver bullet, but whether this management can take the company to a point where it can exit with serious profits.
If investment is achieved, much of it will go into marketing. That marketing must compete against existing, established vendors – so it tends to be louder, more aggressive, and replete with hyperbole. Marketing noise can lead to increased valuation, which can lead to a successful and profitable exit by the investors.
Of course, this is an oversimplification and doesn’t always happen. The point, however, is that it does happen and has no relevance to the real effectiveness of the product in question. Without any doubt, there are many products that have been over-hyped by marketing funds provided by profit-driven investors.
https://www.securityweek.com/are-cybersecurity-vendors-pushing-snake-oil
Ransomware Preparedness: What Are You Doing Wrong?
Axio released its 2022 State of Ransomware Preparedness research report, revealing that although notable improvements have been made since Axio’s 2021 report, organisational ransomware preparedness continues to be insufficient to keep pace with new attack vectors.
The report reveals that the lack of fundamental cyber security practices and controls, including critical vulnerability patching and employee cyber security training, continues to undermine organisational attempts to improve ransomware defences.
“Ransomware continues to wreak havoc on global organisations, regardless of size or industry,” remarked the report’s co-author David White, President of Axio. “As the number of attacks will most likely continue on an exponential trajectory, it’s more important than ever for companies to re-evaluate their cyber security practices and make the needed improvements to help combat these attacks.”
The report identifies several emerging patterns that yield insights into why organisations are increasingly susceptible to ransomware attacks. In 2021, seven key areas where organisations were deficient in implementing and sustaining basic cyber security practices were identified, and these patterns dominated the 2022 study results as well:
Managing privileged access
Improving basic cyber hygiene
Reducing exposure to supply chain and third-party risk
Monitoring and defending networks
Managing ransomware incidents
Identifying and addressing vulnerabilities in a timely manner
Improving cyber security training and awareness
Overall, most organisations surveyed are not adequately prepared to manage the risk associated with a ransomware attack. Key data findings include:
The number of organisations with a functional privileged access management solution in place increased by 10% but remains low at 33% overall.
Limitations on the use of service and local administrator accounts remain average overall, with nearly 50% of organisations reporting implementing these practices.
Approximately 40% of organisations monitor third-party network access, evaluate third-party cyber security posture, and limit the use of third-party software.
Less than 50% of respondents implement basic network segmentation and only 40% monitor for anomalous connections.
Critical vulnerability patching within 24 hours was reported by only 24% of organisations.
A ransomware-specific playbook for incident management is in place for only 30% of organisations.
Active phishing training has improved but is still not practiced by 40% of organisations.
https://www.helpnetsecurity.com/2022/10/20/insufficient-ransomware-preparedness/
NSA Cybersecurity Director's Six Takeaways from the War in Ukraine
From the warning banner ‘Be afraid and expect the worst’ that was shown on several Ukrainian government websites on January 13, 2022, after a cyber-attack took them down, the US National Security Agency’s (NSA) cybersecurity director, Rob Joyce, knew that something was going to be different, and very aggressive, between Ukraine and Russia, and that it would be happening in the cyber space as well.
Ten months on, he was invited to speak at one of Mandiant Worldwide Information Security Exchange's (mWISE) opening keynotes on October 18, 2022. Joyce shared six takeaways from the Russia-Ukraine cyber-conflict in terms of what we learned from it and its impact on how nations should protect their organisations.
Both espionage and destructive attacks will occur in conflict
The cyber security industry has unique insight into these conflicts
Sensitive intelligence can make a decisive difference
You can develop resiliency skills
Don’t try to go it alone
You have not planned enough yet for the contingencies
Toward the end of the keynote, Joyce suggested the audience simulate a scenario based on what happened in Ukraine with the China-Taiwan conflict escalating and see what they should put in place to better prepare for such an event.
https://www.infosecurity-magazine.com/news/nsa-6-takeaways-war-ukraine/
Microsoft Confirms Server Misconfiguration Led to 65,000+ Companies' Data Leak
Microsoft this week confirmed that it inadvertently exposed information related to thousands of customers following a security lapse that left an endpoint publicly accessible over the internet sans any authentication.
"This misconfiguration resulted in the potential for unauthenticated access to some business transaction data corresponding to interactions between Microsoft and prospective customers, such as the planning or potential implementation and provisioning of Microsoft services," Microsoft said in an alert.
Microsoft also emphasised that the B2B leak was "caused by an unintentional misconfiguration on an endpoint that is not in use across the Microsoft ecosystem and was not the result of a security vulnerability."
The misconfiguration of the Azure Blob Storage was spotted on September 24, 2022, by cyber security company SOCRadar, which termed the leak BlueBleed. Microsoft said it's in the process of directly notifying impacted customers.
The Windows maker did not reveal the scale of the data leak, but according to SOCRadar, it affects more than 65,000 entities in 111 countries. The exposure amounts to 2.4 terabytes of data that consists of invoices, product orders, signed customer documents, partner ecosystem details, among others.
https://thehackernews.com/2022/10/microsoft-confirms-server.html
Threats
Ransomware and Extortion
Сryptocurrency and Ransomware — The Ultimate Friendship (thehackernews.com)
Venus Ransomware targets publicly exposed Remote Desktop services (bleepingcomputer.com)
Pendragon being held to $60m ransom by dark web hackers – Car Dealer Magazine
Magniber Ransomware Is Targeting Home PC (informationsecuritybuzz.com)
Hackers exploit critical VMware flaw to drop ransomware, miners (bleepingcomputer.com)
Ransomware Now Deployed as a Precursor to Physical War - MSSP Alert
TommyLeaks and SchoolBoys: Two sides of the same ransomware gang (bleepingcomputer.com)
With Conti gone, LockBit takes lead of the ransomware threat landscape | CSO Online
Tactics Tie Ransom Cartel Group to Defunct REvil Ransomware (darkreading.com)
Wholesale giant METRO hit by IT outage after cyber attack (bleepingcomputer.com)
The link between Ransom Cartel and REvil ransomware gangs - Security Affairs
How Vice Society Got Away With a Global Ransomware Spree | WIRED
Defenders beware: A case for post-ransomware investigations - Microsoft Security Blog
Ransomware crews regrouping as LockBit rise continues (computerweekly.com)
Ransom Cartel linked to notorious REvil ransomware operation (bleepingcomputer.com)
Hackney Council Ransomware Attack £12m+ Recovery - IT Security Guru
Microsoft Warns of Novel Ransomware Attacking Ukraine, Poland - MSSP Alert
Prestige ransomware hits victims of HermeticWiper • The Register
New ransomware targets transportation sectors in Ukraine, Poland | SC Media (scmagazine.com)
Japanese tech firm Oomiya hit by LockBit 3.0 - Security Affairs
Ransomware attack halts circulation of some German newspapers (bleepingcomputer.com)
Ransomware Insurance Security Requirement Strategies (trendmicro.com)
Australian insurance firm Medibank confirms ransomware attack (bleepingcomputer.com)
BlackByte ransomware uses new data theft tool for double-extortion (bleepingcomputer.com)
Phishing & Email Based Attacks
Phishing works so well crims won't use deepfakes: Sophos • The Register
Phishing Mitigation Can Cost Businesses More Than $1M Annually (darkreading.com)
Securing your organisation against phishing can cost up to $85 per email | CSO Online
How phishing campaigns abuse Google Ad click tracking redirects - Help Net Security
Other Social Engineering; Smishing, Vishing, etc
Malware
VMware bug with 9.8 severity rating exploited to install witch’s brew of malware | Ars Technica
Microsoft’s out-of-date driver list left Windows PCs open to malware attacks for years - The Verge
Ursnif malware switches from bank account theft to initial access (bleepingcomputer.com)
Experts spotted a new undetectable PowerShell Backdoor - Security Affairs
Typosquat campaign mimics 27 brands to push Windows, Android malware (bleepingcomputer.com)
Thousands of GitHub repositories deliver fake PoC exploits with malware (bleepingcomputer.com)
Hackers use new stealthy PowerShell backdoor to target 60+ victims (bleepingcomputer.com)
Hijacking of Popular Minecraft Launcher by Rogue Developer Raises Malware Fears - IGN
URSNIF (aka Gozi) banking trojan morphs into backdoor • The Register
What is a RAT (Remote Access Trojan)? | Definition from TechTarget
Mobile
Internet of Things – IoT
Riskiest IoT Devices - Cameras, VoIP And Video Conferencing (informationsecuritybuzz.com)
Securing IoT devices against attacks that target critical infrastructure - Microsoft Security Blog
74% say connected cars and EV chargers need cyber security ratings | Ars Technica
Data Breaches/Leaks
The companies most likely to lose your data - Help Net Security
Fines are not enough! Data breach victims want better security - Help Net Security
Medibank hack turned into a data breach: The attackers are demanding money - Help Net Security
Mormon Church Hit By Cyber attack, Personal Data Exposed (informationsecuritybuzz.com)
Keystone Health Data Breach Impacts 235,000 Patients | SecurityWeek.Com
Fashion brand SHEIN fined $1.9m for lying about data breach – Naked Security (sophos.com)
Client Data Exfiltrated In Advanced NHS cyber Attack (informationsecuritybuzz.com)
Australian Wine Dealer Suffers Data Breach, 500,000 Customers May Be (informationsecuritybuzz.com)
Advocate Aurora Health in potential 3 million patient leak • The Register
Organised Crime & Criminal Actors
Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain
Why Crypto Winter is No Excuse to Let Your Cyber Defences Falter (thehackernews.com)
North Korea’s Lazarus Group Attacks Japanese Crypto Firms - Decrypt
Coinbase users scammed out of $21M in crypto sue company for negligence | Ars Technica
SIM Swappers Sentenced to Prison for Hacking Accounts, Stealing Cryptocurrency | SecurityWeek.Com
Fraud, Scams & Financial Crime
Financial losses to synthetic identity-based fraud to double by 2024 | CSO Online
AI is Key to Tackling Money Mules and Disrupting Fraud: Industry Group | SecurityWeek.Com
Deepfakes
Deepfakes: What they are and how to spot them - Help Net Security
Phishing works so well crims won't use deepfakes: Sophos • The Register
Insurance
Supply Chain and Third Parties
Software Supply Chain
Software Supply Chain Attacks Soar 742% In Three Years (informationsecuritybuzz.com)
SBOMs: An Overhyped Concept That Won't Secure Your Software Supply Chain (darkreading.com)
Denial of Service DoS/DDoS
Cloud/SaaS
Microsoft Data-Exposure Incident Highlights Risk of Cloud Storage Misconfiguration (darkreading.com)
3 cloud security posture questions CISOs should answer (techtarget.com)
Attack Surface Management
Identity and Access Management
Encryption
API
Open Source
New security concerns for the open-source software supply chain - Help Net Security
Python vulnerability highlights open source security woes (techtarget.com)
3 Ways to Help Customers Defend Against Linux-Based Cyber attacks - MSSP Alert
OldGremlin hackers use Linux ransomware to attack Russian orgs (bleepingcomputer.com)
Passwords, Credential Stuffing & Brute Force Attacks
Most People Still Reuse Their Passwords Despite Years Of Hacking (informationsecuritybuzz.com)
Password Report: Honeypot Data Shows Bot Attack Trends Against RDP, SSH | SecurityWeek.Com
Eight RTX 4090s Can Break Passwords in Under an Hour | Tom's Hardware (tomshardware.com)
Training, Education and Awareness
Security Awareness Urged to Grow Beyond Compliance (darkreading.com)
Raising cyber security awareness is good for everyone - but it needs to be done better | ZDNET
Millennials, Gen Z blamed for poor company security • The Register
Privacy, Surveillance and Mass Monitoring
Regulations, Fines and Legislation
Fines are not enough! Data breach victims want better security - Help Net Security
Fashion brand SHEIN fined $1.9m for lying about data breach – Naked Security (sophos.com)
New York fines EyeMed $4.5 million for 2020 email hack, data breach | SC Media (scmagazine.com)
Health insurer pays out $4.5m over bungled data security • The Register
Law Enforcement Action and Take Downs
INTERPOL-led Operation Takes Down 'Black Axe' Cyber Crime Organisation (thehackernews.com)
Law enforcement arrested 31 suspects for stealing cars by hacking key fobs - Security Affairs
Interpol is setting up its own metaverse to learn how to police the virtual world | Euronews
Brazilian Police Nab Suspected Member of Lapsus$ Group (darkreading.com)
Interpol Report: "Financial Crime-as-a-Service" an Emerging Threat - MSSP Alert
Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine
Ransomware Now Deployed as a Precursor to Physical War - MSSP Alert
US, China, Russia, more meet at Singapore infosec event • The Register
NSA cyber chief says Ukraine war is compelling more intelligence sharing with industry - CyberScoop
China-Linked Cyber-Espionage Team Homes In on Hong Kong Government Orgs (darkreading.com)
Microsoft Warns of Novel Ransomware Attacking Ukraine, Poland - MSSP Alert
Hackers target Asian casinos in lengthy cyber espionage campaign (bleepingcomputer.com)
Prestige ransomware hits victims of HermeticWiper • The Register
Pro-Russia Hackers DDoS Bulgarian Government - Infosecurity Magazine (infosecurity-magazine.com)
Nation State Actors
Nation State Actors – Russia
Ukraine's cyber chief calls for global anti-fake news fight • The Register
German Cyber security Boss Sacked Over Kremlin Connection (darkreading.com)
New ransomware targets transportation sectors in Ukraine, Poland | SC Media (scmagazine.com)
Bulgaria hit by a cyber attack originating from Russia - Security Affairs
Nation State Actors – China
As China-Taiwan tensions mount, how's your cyber defence? • The Register
Chinese 'Spyder Loader' Malware Spotted Targeting Organisations in Hong Kong (thehackernews.com)
Hackers compromised Hong Kong govt agency network for a year (bleepingcomputer.com)
WIP19 Threat Group Cyber attacks Target IT Service Providers, Telcos - MSSP Alert
Nation State Actors – North Korea
Nation State Actors – Iran
Vulnerability Management
Vulnerabilities
45,654 VMware ESXi servers reached End of Life on Oct. 15 - Security Affairs
VMware bug with 9.8 severity rating exploited to install witch’s brew of malware | Ars Technica
Text message verification flaws in your Windows Active Directory (bleepingcomputer.com)
Apache Commons Vulnerability: Patch but Don't Panic (darkreading.com)
Zoom for Mac patches sneaky “spy-on-me” bug – update now! – Naked Security (sophos.com)
ProxyLogon researcher details new Exchange Server flaws (techtarget.com)
Exploited Windows zero-day lets JavaScript files bypass security warnings (bleepingcomputer.com)
Dozen High-Severity Vulnerabilities Patched in F5 Products | SecurityWeek.Com
Oracle Releases 370 New Security Patches With October 2022 CPU | SecurityWeek.Com
Palo Alto Networks fixed a high-severity flaw in PAN-OS - Security Affairs
Hackers exploit critical VMware flaw to drop ransomware, miners (bleepingcomputer.com)
Zimbra Patches Under-Attack Code Execution Bug | SecurityWeek.Com
WordPress Security Update 6.0.3 Patches 16 Vulnerabilities | SecurityWeek.Com
Python vulnerability highlights open source security woes (techtarget.com)
Other News
Zero trust is misused in security, say Cloudflare, Zscaler - Protocol
Cyber professional shortfall hits 3.4 million (computerweekly.com)
VPN use prevails despite interest in VPN alternatives (techtarget.com)
JP Morgan Bans Staff From Working Remotely In Hotels and Coffee Shops-But Not Airbnbs | Inc.com
Experts discovered millions of .git folders exposed to public - Security Affairs
Microsoft Defender is lacking in offline detection capabilities, says AV-Comparatives | TechSpot
Internet connectivity worldwide impacted by severed fiber cables in France (bleepingcomputer.com)
UK's Remote Shetland Mysteriously Lose Phone, Internet After Cable Cut (businessinsider.com)
CISOs, rejoice! Security spending is increasing - Help Net Security
Equifax surveilled 1,000 remote workers, fired 24 found juggling two jobs | Ars Technica
NATO Just Deployed Its First Killer Ground Robot (futurism.com)
Sector Specific
Industry specific threat intelligence reports are available.
Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.
· Automotive
· Construction
· Critical National Infrastructure (CNI)
· Defence & Space
· Education & Academia
· Energy & Utilities
· Estate Agencies
· Financial Services
· FinTech
· Food & Agriculture
· Gaming & Gambling
· Government & Public Sector (including Law Enforcement)
· Health/Medical/Pharma
· Hotels & Hospitality
· Insurance
· Legal
· Manufacturing
· Maritime
· Oil, Gas & Mining
· OT, ICS, IIoT, SCADA & Cyber-Physical Systems
· Retail & eCommerce
· Small and Medium Sized Businesses (SMBs)
· Startups
· Telecoms
· Third Sector & Charities
· Transport & Aviation
· Web3
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Threat Briefing 29 July 2022
Black Arrow Cyber Threat Briefing 29 July 2022
-1 in 3 Employees Don’t Understand Why Cyber Security Is Important
-As Companies Calculate Cyber Risk, The Right Data Makes a Big Difference
-Only 25% Of Organizations Consider Their Biggest Threat to Be from Inside the Business
-The Global Average Cost of a Data Breach Reaches an All-Time High of $4.35 Million
-Race Against Time: Hackers Start Hunting for Victims Just 15 Minutes After a Bug Is Disclosed
-Ransomware-as-a-Service Groups Forced to Change Tack as Payments Decline
-Phishers Targeted Financial Services Most During H1 2022
-HR Emails Dupe Employees the Most – KnowBe4 research reveals
-84% Of Organizations Experienced an Identity-Related Breach In The Past 18 Months
-Economic Downturn Raises Risk of Insiders Going Rogue
-5 Trends Making Cyber Security Threats Riskier and More Expensive
-Ransomware: Publicly Reported Incidents Are Only the Tip of the Iceberg
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
1 in 3 Employees Don’t Understand Why Cyber Security Is Important
According to a new Tessian report, 30% of employees do not think they personally play a role in maintaining their company’s cyber security posture.
What’s more, only 39% of employees say they’re very likely to report a security incident, making investigation and remediation even more challenging and time-consuming for security teams. When asked why, 42% of employees said they wouldn’t know if they had caused an incident in the first place, and 25% say they just don’t care enough about cyber security to mention it.
Virtually all IT and security leaders agreed that a strong security culture is important in maintaining a strong security posture. Yet, despite rating their organisation’s security 8 out 10, on average, three-quarters of organisations experienced a security incident in the last 12 months.
The report suggests this could stem from a reliance on traditional training programs: 48% of security leaders say training is one of the most important influences on building a positive security posture. But the reality is that employees aren’t engaged; just 28% of UK and US workers say security awareness training is engaging and only 36% say they’re paying full attention. Of those who are, only half say it’s helpful, while another 50% have had a negative experience with a phishing simulation. With recent headlines depicting how phishing simulations can go awry, negative experiences like these further alienate employees and decrease engagement.
https://www.helpnetsecurity.com/2022/07/28/employees-dont-understand-why-cybersecurity-is-important/
As Companies Calculate Cyber Risk, the Right Data Makes a Big Difference
The proposed US Securities and Exchange Commission’s stronger rules for reporting cyber attacks will have ramifications beyond increased disclosure of attacks to the public. By requiring not just quick reporting of incidents, but also disclosure of cyber policies and risk management, such regulation will ultimately bring more accountability for cyber security to the highest levels of corporate leadership. Other jurisdictions will very likely follow the US in requiring more stringent cyber controls and governance.
This means that boards and executives everywhere will need to increase their understanding of cyber security, not only from a tech point of view, but from a risk and business exposure point of view. The CFO, CMO and the rest of the C-suite and board will want and need to know what financial exposure the business faces from a data breach, and how likely it is that breaches will happen. This is the only way they will be able to develop cyber policies and plans and react properly to the proposed regulations.
Companies will therefore need to be able to calculate and put a dollar value on their exposure to cyber risk. This is the starting point for the ability to make cyber security decisions not in a vacuum, but as part of overall business decisions. To accurately quantify cyber security exposure, companies need to understand what the threats are and which data and business assets are at risk, and they then need to multiply the cost of a breach by the probability that such an event will take place in order to put a dollar figure on their exposure.
While there are many automated tools, including those that use artificial intelligence (AI), that can help with this, the key to doing this well is to make sure calculations are rooted in real and relevant data – which is different for each company or organisation.
Only 25% Of Organisations Consider Their Biggest Threat to Be from Inside the Business
A worrying 73.5% of organisations feel they have wasted the majority of their cyber security budget on failing to remediate threats, despite having an over-abundance of security tools at their disposal, according to Gurucul.
Only 25% of organisations consider their biggest threat to be from inside the business, despite insider threats increasing by 47% over the past two years. With only a quarter of businesses seeing their biggest threat emanating from inside their organisation, it seems over 70% saw the biggest cyber security challenges emanating from external threats such as ransomware. In fact, although external threats account for many security incidents, we must never forget to look beyond those external malicious and bad actors to insider threats to effectively secure corporate data and IP.
The survey also found 33% of respondents said they are able to detect threats within hours, while 27.07% even claimed they can detect threats in real-time. However, challenges persist with 33% of respondents stating that it still takes their organisation days and weeks to detect threats, with 6% not being able to detect them at all.
https://www.helpnetsecurity.com/2022/07/28/biggest-threat-inside-the-business/
The Global Average Cost of a Data Breach Reaches an All-Time High of $4.35 Million
IBM Security released the 2022 Cost of a Data Breach Report, revealing costlier and higher-impact data breaches than ever before, with the global average cost of a data breach reaching an all-time high of $4.35 million for studied organisations.
With breach costs increasing nearly 13% over the last two years of the report, the findings suggest these incidents may also be contributing to rising costs of goods and services. In fact, 60% of studied organisations raised their product or services prices due to the breach, when the cost of goods is already soaring worldwide amid inflation and supply chain issues.
The perpetuality of cyber attacks is also shedding light on the “haunting effect” data breaches are having on businesses, with the IBM report finding 83% of studied organisations have experienced more than one data breach in their lifetime. Another factor rising over time is the after-effects of breaches on these organisations, which linger long after they occur, as nearly 50% of breach costs are incurred more than a year after the breach.
The 2022 Cost of a Data Breach Report is based on in-depth analysis of real-world data breaches experienced by 550 organisations globally between March 2021 and March 2022. The research, which was sponsored and analysed by IBM Security, was conducted by the Ponemon Institute.
https://www.helpnetsecurity.com/2022/07/27/2022-cost-of-a-data-breach-report/
Race Against Time: Hackers Start Hunting for Victims Just 15 Minutes After a Bug Is Disclosed
Attackers are becoming faster at exploiting previously undisclosed zero-day flaws, according to Palo Alto Networks. This means that the amount of time that system admins have to patch systems before exploitation happens is shrinking fast..
The company warns in its 2022 report covering 600 incident response (IR) cases that attackers typically start scanning for vulnerabilities within 15 minutes of one being announced.
Among this group are 2021's most significant flaws, including the Exchange Server ProxyShell and ProxyLogon sets of flaws, the persistent Apache Log4j flaws aka Log4Shell, the SonicWall zero-day flaws, and Zoho ManageEngine ADSelfService Plus.
While phishing remains the biggest method for initial access, accounting for 37% of IR cases, software vulnerabilities accounted of 31%. Brute-force credential attacks (like password spraying) accounted for 9%, while smaller categories included previously compromised credentials (6%), insider threat (5%), social engineering (5%), and abuse of trusted relationships/tools (4%).
Over 87% of the flaws identified as the source of initial access fell into one of six vulnerability categories.
Ransomware-as-a-Service Groups Forced to Change Tack as Payments Decline
Ransomware-as-a-service (RaaS) operators are evolving their tactics yet again in response to more aggressive law enforcement efforts, in a move that is reducing their profits but also making affiliates harder to track, according to Coveware.
The security vendor’s Q2 2022 ransomware report revealed that concerted efforts to crack down on groups like Conti and DarkSide have forced threat actors to adapt yet again.
It identified three characteristics of RaaS operations that used to be beneficial, but are increasingly seen as a hinderance.
The first is RaaS branding, which has helped to cement the reputation of some groups and improve the chances of victims paying, according to Coveware. However, branding also makes attribution easier and can draw the unwanted attention of law enforcement, it said.
“RaaS groups are keeping a lower profile and vetting affiliates and their victims more thoroughly,” Coveware explained.
“More RaaS groups have formed, resulting in less concentration among the top few variants. Affiliates are frequently shifting between RaaS variants on different attacks, making attribution beyond the variant more challenging.”
In some cases, affiliates are also using “unbranded” malware to make attribution more difficult, it added.
The second evolution in RaaS involves back-end infrastructure, which used to enable scale and increase profitability. However, it also means a larger attack surface and a digital footprint that’s more expensive and challenging to maintain.
As a result, RaaS developers are being forced to invest more in obfuscation and redundancy, which is hitting profits and reducing the amount of resources available for expansion, Coveware claimed.
Finally, RaaS shared services used to help affiliates with initial access, stolen data storage, negotiation management and leak site support.
https://www.infosecurity-magazine.com/news/raas-groups-forced-change-payments/
Phishers Targeted Financial Services Most During H1 2022
Banks received the lion’s share of phishing attacks during the first half of 2022, according to figures published by cyber security company Vade.
The analysis also found that attackers were most likely to send their phishing emails on weekdays, with most arriving between Monday and Wednesday. Attacks tapered off towards the end of the week, Vade said.
While financial services scored highest on a per-sector basis, Microsoft was the most impersonated brand overall. The company’s Microsoft 365 cloud productivity services are a huge draw for cyber-criminals hoping to access accounts using phishing attacks.
Phishing attacks on Microsoft customers have become more creative, according to Vade, which identified several phone-based attacks. It highlighted a campaign impersonating Microsoft’s Defender anti-malware product, fraudulently warning that the company had debited a subscription fee. It encouraged victims to fix the problem by phone.
Facebook came a close second, followed by financial services company Crédit Agricole, WhatsApp and Orange.
https://www.infosecurity-magazine.com/news/phishers-financial-services-h1-2022/
HR Emails Dupe Employees the Most – KnowBe4 research reveals
In phishing tests conducted on business emails, more than half of the subject lines clicked imitated Human Resources communications.
New research has revealed the top email subjects clicked on in phishing tests were those related to or from Human Resources, according to the latest ‘most clicked phishing tests‘ conducted by KnowBe4. In fact, half of those that were clicked on had subject lines related to Human Resources, including vacation policy updates, dress code changes, and upcoming performance reviews. The second most clicked category were those send from IT, which include requests or actions of password verifications that were needed immediately.
KnowBe4’s CEO commented “More than 80% of company data breaches globally come from human error, so security awareness training for your staff is one of the least costly and most effective methods to thwart social engineering attacks. Training gives employees the ability to rapidly recognise a suspicious email, even if it appears to come from an internal source, causing them to pause before clicking. That moment where they stop and question the email is a critical and often overlooked element of security culture that could significantly reduce your risk surface.”
This research comes hot off the heels of the recent KnowBe4 industry benchmarking report which found one in three untrained employees will click on a phishing link. The worst performing industries were Energy & Utilities, Insurance and Consulting, with all labelled the most at risk for social engineering in the large enterprise category.
84% Of Organisations Experienced an Identity-Related Breach in the Past 18 Months
60% of IT security decision makers believe their overall security strategy does not keep pace with the threat landscape, and that they are either lagging behind (20%), treading water (13%), or merely running to keep up (27%), according to a survey by Sapio Research.
The report also highlights differences between the perceived and actual effectiveness of security strategies. While 40% of respondents believe they have the right strategy in place, 84% of organisations reported that they have experienced an identity-related breach or an attack using stolen credentials during the previous year and a half.
Promisingly, many organisations are hungry to make a change, particularly when it comes to protecting identities. In fact, 90% of respondents state that their organisations fully recognise the importance of identity security in enabling them to achieve their business goals, and 87% say that it is one of the most important security priorities for the next 12 months.
However, 75% of IT and security professionals also believe that they’ll fall short of protecting privileged identities because they won’t get the support they need. This is largely due to a lack of budget and executive alignment, with 63% of respondents saying that their company’s board still doesn’t fully understand identity security and the role it plays in enabling better business operations.
While the importance of identity security is acknowledged by business leaders, most security teams will not receive the backing and budget they need to put vital security controls and solutions in place to reduce major risks. This means that the majority of organisations will continue to fall short of protecting privileges, leaving them vulnerable to cyber criminals looking to discover privileged accounts and abuse them.
https://www.helpnetsecurity.com/2022/07/28/identity-related-breach/
Economic Downturn Raises Risk of Insiders Going Rogue
Declining economic conditions could make insiders more susceptible to recruitment offers from threat actors looking for allies to assist them in carrying out various attacks.
Enterprise security teams need to be aware of the heightened risk and strengthen measures for protecting against, detecting, and responding to insider threats, researchers from Palo Alto Network's Unit 42 threat intelligence team recommended in a report this week.
The security vendor's report highlighted several other important takeaways for security operations teams, including the fact that ransomware and business email compromise attacks continue to dominate incident response cases and vulnerability exploits — accounting for nearly one-third of all breaches.
Unit 42 researchers analysed data from a sampling of over 600 incident response engagements between April 2021 and May 2022 and determined that difficult economic times could lure more actors to cyber crime. This could include both people with technical skills looking to make a fast buck, as well as financially stressed insiders with legitimate access to valuable enterprise data and IT assets. The prevalence of remote and hybrid work models has created an environment where it's easier for workers to steal intellectual property or carry out other malicious activity, the researchers found.
https://www.darkreading.com/risk/economic-downturn-raises-the-risk-of-insiders-going-rogue
5 Trends Making Cyber Security Threats Riskier and More Expensive
Since the pandemic the cyber world has become a far riskier place. According to the Hiscox Cyber Readiness Report 2022, almost half (48%) of organisations across the US and Europe experienced a cyber attack in the past 12 months. Even more alarming is that these attacks are happening despite businesses doubling down on their cyber security spend.
Cyber security is at a critical inflection point where five megatrends are making the threat landscape riskier, more complicated, and costlier to manage than previously reported. To better understand the evolution of this threat landscape, let’s examine these trends in more detail.
Everything becomes digital
Organisations become ecosystems
Physical and digital worlds collide
New technologies bring new risks
Regulations become more complex
Organisations can follow these best practices to elevate cyber security performance:
Identify, prioritise, and implement controls around risks.
Adopt a framework such as ISO 27001 or NIST Cyber Security Framework.
Develop human-layered cyber security.
Fortify your supply chain.
Avoid using too many tools.
Prioritise protection of critical assets.
Automate where you can.
Monitor security metrics regularly to help business leaders get insight into security effectiveness, regulatory compliance, and levels of security awareness in the organisation.
Cyber security will always be a work in progress. The key to effective risk management is having proactive visibility and context across the entire attack surface. This helps to understand which vulnerabilities, if exploited, can cause the greatest harm to the business. Not all risks can be mitigated; some risks will have to be accepted and trade-offs will have to be negotiated.
Ransomware: Publicly Reported Incidents Are Only the Tip of the Iceberg
The threat landscape report on ransomware attacks published this week by the European Union Agency for Cybersecurity (ENISA) uncovers the shortcomings of the current reporting mechanisms across the EU.
As one of the most devastating types of cyber security attacks over the last decade, ransomware, has grown to impact organisations of all sizes across the globe.
This threat landscape report analysed a total of 623 ransomware incidents across the EU, the United Kingdom and the United States for a reporting period from May 2021 to June 2022. The data was gathered from governments' and security companies' reports, from the press, verified blogs and in some cases using related sources from the dark web.
Between May 2021 and June 2022 about 10 terabytes of data were stolen each month by ransomware threat actors. 58.2% of the data stolen included employees' personal data.
At least 47 unique ransomware threat actors were found.
For 94.2% of incidents, we do not know whether the company paid the ransom or not. However, when the negotiation fails, the attackers usually expose and make the data available on their webpages. This is what happens in general and is a reality for 37.88% of incidents.
We can therefore conclude that the remaining 62.12% of companies either came to an agreement with the attackers or found another solution.
The study also shows that companies of every size and from all sectors are affected.
The figures in the report can however only portray a part of the overall picture. In reality, the study reveals that the total number of ransomware attacks is much larger. At present this total is impossible to capture since too many organisations still do not make their incidents public or do not report on them to the relevant authorities.
Threats
Ransomware
LockBit 3.0: Significantly Improved Ransomware Helps the Gang Stay on Top (darkreading.com)
Ransomware looms large over the cyber insurance industry - Help Net Security
800,000 businesses fall victim to ransomware each year (komando.com)
Business services top target of ransomware attacks (securitybrief.co.nz)
How Crypto is Driving the Ransomware Epidemic | Cryptoland Roundtable - YouTube
On security researcher's newsletter, exposing cyber criminals behind ransomware - CyberScoop
LockBit ransomware abuses Windows Defender to load Cobalt Strike (bleepingcomputer.com)
Mailing List Provider WordFly Scrambling to Recover Following Ransomware Attack | SecurityWeek.Com
No More Ransom helps millions of ransomware victims in 6 years (bleepingcomputer.com)
Lockbit ransomware gang claims to have breached the Italian Revenue Agency - Security Affairs
Lockbit Ramps Up Attacks on Public Sector - Infosecurity Magazine (infosecurity-magazine.com)
A ‘Top Tier’ Hacking Gang Is Likely To Be Behind Entrust Ransomware (informationsecuritybuzz.com)
No More Ransom Helped More Than 1.5 Million People Decrypt Their Devices (darkreading.com)
Ransomware caused American Dental Association outage, led to stolen data (scmagazine.com)
The road to ransomware recovery starts before an attack • The Register
BEC – Business Email Compromise
Phishing & Email Based Attacks
Phishing Attacks Skyrocket with Microsoft and Facebook as Most Abused Brands | Threatpost
Phishing scam targeting Bank of America, Citi and Wells Fargo customers (komando.com)
APT-Like Phishing Threat Mirrors Landing Pages (darkreading.com)
New Callback Malware Campaign Impersonates Legitimate Cyber Security Providers - MSSP Alert
Phishing Attacks: Microsoft Leads Top 25 of Impersonated Brands - MSSP Alert
1,000s of Phishing Attacks Blast Off From InterPlanetary File System (darkreading.com)
New ‘Robin Banks’ phishing service targets BofA, Citi, and Wells Fargo (bleepingcomputer.com)
Other Social Engineering; SMishing, Vishing, etc
Malware
Cisco Incident Response Report: Commodity Malware Top Threat in Q2 - MSSP Alert
Discovery of new UEFI rootkit exposes an ugly truth: The attacks are invisible to us | Ars Technica
As Microsoft blocks Office macros, hackers find new attack vectors (bleepingcomputer.com)
Microsoft Links Raspberry Robin USB Worm to Russian Evil Corp Hackers (thehackernews.com)
Microsoft links Raspberry Robin malware to Evil Corp attacks (bleepingcomputer.com)
Malware-laced npm packages used to target Discord users - Security Affairs
CosmicStrand UEFI malware found in Gigabyte, ASUS motherboards (bleepingcomputer.com)
Sophisticated UEFI rootkit of Chinese origin shows up again in the wild after 3 years | CSO Online
Attackers are slowly abandoning malicious macros - Help Net Security
One of the most beloved Windows tools could actually be a huge security risk | TechRadar
QBot phishing uses Windows Calculator DLL hijacking to infect devices (bleepingcomputer.com)
Gootkit Loader’s Updated Tactics and Fileless Delivery of Cobalt Strike (trendmicro.com)
Microsoft: Austrian company DSIRF selling Subzero malware (techtarget.com)
Threat actors leverages DLL-SideLoading to spread Qakbot - Security Affairs
Rare 'CosmicStrand' UEFI Rootkit Swings into Cyber crime Orbit (darkreading.com)
Mobile
Here are the top phone security threats in 2022 and how to avoid them | ZDNet
New Android malware apps installed 10 million times from Google Play (bleepingcomputer.com)
Roaming Mantis Financial Hackers Targeting Android and iPhone Users in France (thehackernews.com)
Facebook ads push Android adware with 7 million installs on Google Play (bleepingcomputer.com)
Millions of Android devices infected with wallet-draining malware | TechRadar
Over a Dozen Android Apps on Google Play Store Caught Dropping Banking Malware (thehackernews.com)
Internet of Things – IoT
IoT Botnets Fuels DDoS Attacks – Are You Prepared? | Threatpost
Dahua IP Camera Vulnerability Could Let Attackers Take Full Control Over Devices (thehackernews.com)
Data Breaches/Leaks
US court system suffered ‘incredibly significant attack’ • The Register
Congress Warns of US Court Records System Breach - Infosecurity Magazine (infosecurity-magazine.com)
Uber admits covering up massive 2016 data breach in settlement with US prosecutors - The Verge
T-Mobile to pay $500M for one of the largest data breaches in US history [Updated] | Ars Technica
Data Stolen in Breach at Security Company Entrust | SecurityWeek.Com
Fallout from massive Shanghai Police data breach reverberates on dark web - CyberScoop
Big Questions Remain Around Massive Shanghai Police Data Breach (darkreading.com)
Organised Crime & Criminal Actors
Cyber-mercenaries represent shifting criminal business model • The Register
Messaging Apps Tapped as Platform for Cyber Criminal Activity | Threatpost
Teenager Jailed for Snapchat Blackmail Cyber Crimes- IT Security Guru
DUCKTAIL operation targets Facebook’s Business and Ad accounts - Security Affairs
Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain
Crypto fraud on the rise as consumers fall for fake celebrity endorsements | Cybernews
Hackers Increasingly Using WebAssembly Coded Cryptominers to Evade Detection (thehackernews.com)
NFT Hacking Group Attacks On The Rise, Report Finds- IT Security Guru
Hackers steal $6 million from blockchain music platform Audius (bleepingcomputer.com)
Fraud, Scams & Financial Crime
Major shifts and the growing risk of identity fraud - Help Net Security
JPMorgan, UBS accused of shoddy identity theft protection • The Register
Euro Police Bust €3m Internet Fraud Gang - Infosecurity Magazine (infosecurity-magazine.com)
Romance scammers jailed after tricking Irish OAP out of €250k (bitdefender.com)
What the Titanic Can Teach Us About Fraud? | SecurityWeek.Com
AML/CFT/Sanctions
Insurance
Dark Web
Cyber crime goods and services are cheap and plentiful - Help Net Security
Hackers Selling Malware on Dark Web Underground Market (cybersecuritynews.com)
Supply Chain and Third Parties
Software Supply Chain
Denial of Service DoS/DDoS
Akamai blocked the largest DDoS attack ever on its European customers - Security Affairs
DDoS Attack Trends in 2022: Ultrashort, Powerful, Multivector Attacks (bleepingcomputer.com)
Cloud/SaaS
Kansas MSP shuts down cloud services to fend off cyber attack (bleepingcomputer.com)
Organisations are struggling with SaaS security. Why? - Help Net Security
Attack Surface Management
Identity and Access Management
Encryption
Transport Layer Security (TLS): Issues & Protocol (trendmicro.com)
SSH2 vs. SSH1 and why SSH versions still matter (techtarget.com)
Passwords, Credential Stuffing & Brute Force Attacks
Using Account Lockout policies to block Windows Brute Force Attacks (bleepingcomputer.com)
Stop Putting Your Accounts At Risk, and Start Using a Password Manager (thehackernews.com)
Social Media
Facebook security cracked by Malware made in Vietnam • The Register
Cyber-Criminal Offers 5.4m Twitter Users’ Data - Infosecurity Magazine (infosecurity-magazine.com)
Training, Education and Awareness
Privacy
Law Enforcement Action and Take Downs
UK Seizes Nearly $27m in Crypto-Assets - Infosecurity Magazine (infosecurity-magazine.com)
European Cops Helped 1.5 Million People Decrypt Their Ransomwared Computers (vice.com)
Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine
Cyberspies use Google Chrome extension to steal emails undetected (bleepingcomputer.com)
Microsoft says it caught an Austrian spyware group using Windows 0-day exploits - The Verge
Pegasus spyware: Just 'tip of the iceberg' seen so far • The Register
Cyber attacks by Iran and Israel now target critical infrastructure. - The Washington Post
US and Ukraine Sign Agreement to Deepen Cyber security Operational Collaboration - MSSP Alert
CISA, Ukrainian cyber agency deepen partnership to combat Russian threat - CyberScoop
How is Anonymous attacking Russia? The top six ways ranked (cnbc.com)
European Lawmaker Targeted With Cytrox Predator Surveillance Spyware | SecurityWeek.Com
Nation State Actors
Nation State Actors – Russia
Russia is quietly ramping up its Internet censorship machine | Ars Technica
Apple network traffic takes mysterious detour through Russia • The Register
Nation State Actors – China
Chinese APTs: Interlinked networks and side hustles – Intrusion Truth (wordpress.com)
OneWeb sale risks giving China a stake in ‘Five Eyes’ spying tech (telegraph.co.uk)
Nation State Actors – North Korea
North Korean Hackers Using Malicious Browser Extension to Spy on Email Accounts (thehackernews.com)
North Korean hackers attack EU targets with Konni RAT malware (bleepingcomputer.com)
US puts $10 million bounty on North Korean threat groups • The Register
Is APT28 behind the STIFF#BIZON attacks attributed to North Korea-linked APT37? Security Affairs
Nation State Actors – Iran
Vulnerability Management
Hackers scan for vulnerabilities within 15 minutes of disclosure (bleepingcomputer.com)
Attackers Have 'Favourite' Vulnerabilities to Exploit (darkreading.com)
Taking the Risk-Based Approach to Vulnerability Patching (thehackernews.com)
Organisations struggle to manage devices and stay ahead of vulnerabilities - Help Net Security
2022 Unit 42 Incident Response Report: How Attackers Exploit Zero-Days (paloaltonetworks.com)
Security Teams Overwhelmed With Bugs, Bitten by Patch Prioritization (darkreading.com)
Time between vuln disclosures, exploits is getting smaller • The Register
Vulnerabilities
Critical Samba bug could let anyone become Domain Admin – patch now! – Naked Security (sophos.com)
Multiple Windows, Adobe Zero-Days Anchor Knotweed Commercial Spyware (darkreading.com)
How to Fix CVE-2022-30190 vulnerability using Microsoft Intune - CloudInfra
CISA releases IOCs for attacks exploiting Log4Shell in VMware Horizon and UAG | CSO Online
Critical FileWave MDM Flaws Open Organisation-Managed Devices to Remote Hackers (thehackernews.com)
Hackers are abusing IIS extensions to establish covert backdoors - Security Affairs
FileWave fixes bugs that left 1,000+ orgs open to ransomware • The Register
Google Chrome Zero-day Vulnerability Discovered By Avast (informationsecuritybuzz.com)
LibreOffice fixed 3 flaws, including a code execution issue - Security Affairs
Drupal developers fixed a code execution flaw in the popular CMS - Security Affairs
LibreOffice Releases Software Update to Patch 3 New Vulnerabilities (thehackernews.com)
Hackers Exploit PrestaShop Zero-Day to Steal Payment Data from Online Stores (thehackernews.com)
Sector Specific
Industry specific threat intelligence reports are available.
Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.
· Automotive
· Construction
· Critical National Infrastructure (CNI)
· Defence & Space
· Education & Academia
· Energy & Utilities
· Estate Agencies
· Financial Services
· FinTech
· Food & Agriculture
· Gaming & Gambling
· Government & Public Sector (including Law Enforcement)
· Health/Medical/Pharma
· Hotels & Hospitality
· Insurance
· Legal
· Manufacturing
· Maritime
· Oil, Gas & Mining
· OT, ICS, IIoT, SCADA & Cyber-Physical Systems
· Retail & eCommerce
· Small and Medium Sized Businesses (SMBs)
· Startups
· Telecoms
· Third Sector & Charities
· Transport & Aviation
· Web3
Reports Published in the Last Week
Other News
A Retrospective on the 2015 Ashley Madison Breach – Krebs on Security
The Great BizApp Hack: Cyber-Risks in Your Everyday Business Applications (darkreading.com)
Threat Actors Pivot Around Microsoft’s Macro-Blocking in Office | Threatpost
Microsoft again reverses course, will block macros by default (scmagazine.com)
Is Your Home or Small Business Built on Secure Foundations? Think Again… (darkreading.com)
Infosec pros want more industry cooperation and support for open standards - Help Net Security
We pass cyber attack costs onto customers, businesses admit • The Register
How to Combat the Biggest Security Risks Posed by Machine Identities (thehackernews.com)
Discord, Telegram Services Hijacked to Launch Array of Cyber Attacks (darkreading.com)
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Threat Briefing 20 May 2022
Black Arrow Cyber Threat Briefing 20 May 2022
-Fifth of Businesses Say Cyber Attack Nearly Broke Them
-Weak Security Controls and Practices Routinely Exploited for Initial Access
-How Do Ransomware Attacks Impact Victim Organisations’ Stock?
-Prioritise Patching Vulnerabilities Associated with Ransomware
-Researchers Warn of Advanced Persistent Threats/Nation State Actors (APTs), Data Leaks as Serious Threats Against UK Financial Sector
-Remote Work Hazards: Attackers Exploit Weak WiFi, Endpoints, and the Cloud
-Small Businesses Under Fire from Password Stealers
-Email Is the Riskiest Channel for Data Security
-Phishing Attacks for Initial Access Surged 54% in Q1
-State of Internet Crime in Q1 2022: Bot Traffic on The Rise, And More
-Fears Grow for Smaller Nations After Ransomware Attack on Costa Rica Escalates
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
Fifth of Businesses Say Cyber Attack Nearly Broke Them
A fifth of US and European businesses have warned that a serious cyber attack nearly rendered them insolvent, with most (87%) viewing compromise as a bigger threat than an economic downturn, according to Hiscox.
The insurer polled over 5000 businesses in the US, UK, Ireland, France, Spain, Germany, the Netherlands and Belgium to compile its annual Hiscox Cyber Readiness Report.
It revealed the potentially catastrophic financial damage that a serious cyber-attack can wreak. The number claiming to have nearly been brought down by a breach increased 24% compared to the previous year.
Nearly half (48%) of respondents said they suffered an attack over the past 12 months, a 12% increase from the previous report’s findings. Perhaps unsurprisingly, businesses in seven out of eight countries see cyber as their biggest threat.
Yet perception appears to vary greatly depending on whether an organisation has suffered a serious compromise or not. While over half (55%) of total respondents said they view cyber as a high-risk area, the figure among companies that have not yet suffered an attack is just 36%.
https://www.infosecurity-magazine.com/news/fifth-of-businesses-cyber-attack/
Weak Security Controls and Practices Routinely Exploited for Initial Access
Cyber actors routinely exploit poor security configurations (either misconfigured or left unsecured), weak controls, and other poor cyber hygiene practices to gain initial access or as part of other tactics to compromise a victim’s system. A joint Cybersecurity Advisory by the cyber security authorities of the United States, Canada, New Zealand, the Netherlands, and the United Kingdom identifies commonly exploited controls and practices and includes best practices to mitigate the issues.
Malicious cyber actors often exploit the following common weak security controls, poor configurations, and poor security practices to employ the initial access techniques.
Multifactor authentication (MFA) is not enforced
Incorrectly applied privileges or permissions and errors within access control lists
Software is not up to date
Use of vendor-supplied default configurations or default login usernames and passwords
Remote services, such as a virtual private network (VPN), lack sufficient controls to prevent unauthorised access
Strong password policies are not implemented
Cloud services are unprotected
Open ports and misconfigured services are exposed to the internet
Failure to detect or block phishing attempts
Poor endpoint detection and response.
https://www.cisa.gov/uscert/ncas/alerts/aa22-137a
How Do Ransomware Attacks Impact Victim Organisations’ Stock?
Ransomware has developed into an extremely lucrative business model with little risk involved for the threat actors. Couple this with the willingness of most victim organisations to pay the ransom demand under the assumption it will return business operations to normal - ultimately encouraging more attacks - and we have a big problem with no easy remedies.
Back in 2021, Cybereason published a report titled Ransomware Attacks and the True Cost to Business that revealed the various costs that organisations face after falling victim to a ransomware attack. Here are some of the most significant findings that stood out:
Two-thirds of ransomware victims said that they endured a significant loss of revenue following the attack
More than half (53%) of organisations suffered damage to their brand and reputation after a ransomware infection
A third of those who fell to ransomware lost C-level talent in the attack’s aftermath
Three in 10 organisations had no choice but to lay off employees due to the financial pressures resulting from a ransomware incident
A quarter of ransomware victims said that they needed to suspend operations.
Prioritise Patching Vulnerabilities Associated with Ransomware
In the last quarter, ransomware attacks have made mainstream headlines on a near-daily basis, with groups like Lapsus$ and Conti’s names splashed across the page. Major organisations like Okta, Globant and Kitchenware maker Meyer Corporation have all fallen victim, and they are very much not alone. The data indicates that increasing vulnerabilities, new advanced persistent threat (APT) groups and new ransomware families are contributing to ransomware’s continued prevalence and profitability.
The top stats include:
22 new vulnerabilities and nine new weaknesses have been associated with ransomware since January 2022; of the 22, a whopping 21 are considered of critical or high risk severity
19 (out of 22) of the newly-added vulnerabilities are associated with the Conti ransomware gang
Three new APT groups (Exotic Lily, APT 35, DEV-0401) and four new ransomware families (AvosLocker, Karma, BlackCat, Night Sky) are deploying ransomware to attack their targets
141 of CISA’s Known Exploited Vulnerabilities (KEVs) are being used by ransomware operators – including 18 newly identified this quarter
11 vulnerabilities tied to ransomware remain undetected by popular scanners
624 unique vulnerabilities were found within the 846 healthcare products analysed.
https://www.helpnetsecurity.com/2022/05/19/increase-ransomware-vulnerabilities/
Researchers Warn of Advanced Persistent Threats (APTs), Data Leaks as Serious Threats Against UK Financial Sector
Researchers say that geopolitical tension, ransomware, and cyber attacks using stolen credentials threaten the UK's financial sector.
KELA's security team published a report examining the cyber security issues and attacks that surfaced in 2021 and early 2022, specifically focused on the United Kingdom's banks and other financial services.
The UK was one of the first countries to stand with Ukraine after the invasion by Russia. This could make UK organisations a tempting target for threat actors siding with Russia - whether by state-sponsored advanced persistent threat (APT) groups or hacktivists. The National Cyber Security Centre (NCSC) previously warned businesses to shore up their cyber security following Russia's assault.
APTs are often responsible for attacking the financial sector: account credentials, card numbers, and the personally identifiable information (PII) of customers are useful not only in social engineering and identity theft but also to make fraudulent purchases or for card cloning.
APTs target organisations worldwide, and those located in the UK are no exception. Over the past few years, APTs, including the Chinese APT40 and APT31, have utilised vulnerabilities, including ProxyLogon, to compromise UK businesses.
"In general, APTs may target the financial sector to commit fraud, burglarise ATMs, execute transactions, and penetrate organisations' internal financial systems," KELA says. "Although specific threats to the UK financial sector have not been identified, there is no doubt that the UK has occasionally been a target of APT groups during 2021."
Exposed corporate information and leaked credentials are also of note. After browsing Dark Web forums, the researchers found that UK data is "in demand" by cyber criminals who are seeking PII, access credentials, and internal data.
Remote Work Hazards: Attackers Exploit Weak WiFi, Endpoints, and the Cloud
Infoblox unveils a global report examining the state of security concerns, costs, and remedies. As the pandemic and uneven shutdowns stretch into a third year, organisations are accelerating digital transformation projects to support remote work. Meanwhile, attackers have seized on vulnerabilities in these environments, creating more work and larger budgets for security teams.
1,100 respondents in IT and cyber security roles in 11 countries – United States, Mexico, Brazil, United Kingdom, Germany, France, the Netherlands, Spain, United Arab Emirates, Australia, and Singapore – participated in the survey.
The surge in remote work has changed the corporate landscape significantly – and permanently. 52% of respondents accelerated digital transformation projects, 42% increased customer portal support for remote engagement, 30% moved apps to third party cloud providers, and 26% shuttered physical offices for good. These changes led to the additions of VPNs and firewalls, a mix of corporate and employee owned devices as well as cloud and on-premises DDI servers to manage data traffic across the expanded network.
The hybrid workforce reality is causing greater concerns with data leakage, ransomware and attacks through remote access tools and cloud services. Respondents indicate concerns about their abilities to counter increasingly sophisticated cyber attacks with limited control over employees, work-from-home technologies, and vulnerable supply chain partners. The sophistication of state-sponsored malware also is a source of worry for many.
Organisations have good reason to worry: 53% of respondents experienced up to five security incidents that led to at least one breach.
https://www.helpnetsecurity.com/2022/05/17/state-of-security/
Small Businesses Under Fire from Password Stealers
Password-stealing malware and other cyber attacks have increased significantly against small businesses over the past year, according to Kaspersky researchers.
An assessment released this week detailed the number of Trojan Password Stealing Ware (PSW) detections, internet attacks and attacks on Remote Desktop Protocol (RDP) between January and April 2022, compared with the same time frame from 2021. Kaspersky's research showed a jump in the detection of password stealers within small business environments, as well as increases in other types of cyber attacks.
According to Kaspersky, the biggest increase in threats against small businesses was password stealers, specifically Trojan PSWs. There were nearly 1 million more detected Trojan PSWs targeting small and medium-sized businesses in the first trimester of 2022 than the first of 2021, increasing from 3,029,903 to 4,003,323.
Email Is the Riskiest Channel for Data Security
Research from Tessian and the Ponemon Institute reveals that nearly 60% of organisations experienced data loss or exfiltration caused by an employee mistake on email in the last 12 months.
Email was revealed as the riskiest channel for data loss in organisations, as stated by 65% of IT security practitioners. This was closely followed by cloud file-sharing services (62%) and instant messaging platforms (57%).
The research surveyed 614 IT security practitioners across the globe to also reveal that:
Employee negligence, because of not following policies, is the leading cause of data loss incidents (40%)
27% of data loss incidents are caused by malicious insiders
It takes up to three days for security and risk management teams to detect and remediate a data loss and exfiltration incident caused by a malicious insider on email
23% of organisations experience up to 30 security incidents involving employees’ use of email every month (for example, email was sent to an unintended recipient).
The most common types of confidential and sensitive information lost or intentionally stolen include: customer information (61%); intellectual property (56%); and consumer information (47%). User-created data (sensitive email content, text files, M&A documents), regulated data (credit card data, Social Security numbers, national ID numbers, employee data), and intellectual property were identified as the three types of data that are most difficult to protect from data loss.
The top two consequences for data loss incidents were revealed as non-compliance with data protection regulations (57%) and damage to an organisation’s reputation (52%). Furthermore, a previous study from Tessian found that 29% of businesses lost a client or customer because of an employee sending an email to the wrong person.
https://www.helpnetsecurity.com/2022/05/20/data-loss-email/
Phishing Attacks for Initial Access Surged 54% in Q1
Threat actors doubled down on their use of phishing emails as an initial attack vector during the first quarter of 2022 — and in many cases then used that access to drop ransomware or to extort organisations in other ways.
Researchers from Kroll recently analysed data gathered from security incidents they responded to in the first three months of this year. The analysis showed a 54% increase in incidents of phishing for initial access compared with the same period last year.
For the first time since Microsoft disclosed the so-called ProxyLogon set of vulnerabilities in Exchange Server in the first quarter of 2021, incidents tied to email compromises surpassed those related to ransomware. Kroll described the sharp increase in phishing activity as likely the result of a surge in activity tied to Emotet and IceID malware — threat actors have been using both to drop other malware.
https://www.darkreading.com/risk/phishing-attacks-for-initial-access-surged-q1
Fears Grow for Smaller Nations After Ransomware Attack on Costa Rica Escalates
Conti demanded $20M in ransom — and the overthrow of the government.
It’s been a rough start for the newly elected Costa Rica president Rodrigo Chaves, who less than a week into office declared his country “at war” with the Conti ransomware gang.
“We’re at war and this is not an exaggeration,” Chaves told local media. “The war is against an international terrorist group, which apparently has operatives in Costa Rica. There are very clear indications that people inside the country are collaborating with Conti.”
Conti’s assault on the Costa Rican government began in April. The country’s Finance Ministry was the first hit by the Russia-linked hacking group, and in a statement on May 16, Chaves said the number of institutions impacted had since grown to 27. This, he admitted, means civil servants wouldn’t be paid on time and will impact the country’s foreign trade.
In a message posted to its dark web leaks blog, Conti urged the citizens of Costa Rica to pressure their government to pay the ransom, which the group doubled from an initial $10 million to $20 million. In a separate statement, the group warned: “We are determined to overthrow the government by means of a cyber attack, we have already shown you all the strength and power.”
Conti is among the most prolific hacking groups. The FBI warned earlier this year that the gang was among “the three top variants” that targeted businesses in the United States, and it has been blamed for ransomware attacks targeting dozens of businesses, including Fat Face, Shutterfly and the Irish healthcare service.
But Conti has picked up its pace in recent months: In January and February it published 31 victims on its leaks blog. In March and April, it posted 133 victims.
https://techcrunch.com/2022/05/20/costa-rica-ransomware-attack/
Threats
Ransomware
Ransomware Gangs Rely More on Weaponizing Vulnerabilities (bleepingcomputer.com)
Ransomware Gang Extorted 725 BTC in One Attack, On-Chain Sleuths Find (coindesk.com)
5 Critical Questions to Test Your Ransomware Preparedness - Help Net Security
“Alarming” Surge in Conti Group Activity This Year - Infosecurity Magazine
Why AI-Powered Ransomware Cyber Attacks Could Be Coming Soon - Protocol
Nikkei Says Customer Data Likely Impacted in Ransomware Attack | SecurityWeek.Com
Wizard Spider Hackers Hire Cold Callers to Scare Ransomware Victims Into Paying Up | ZDNet
Greenland Hit by Cyber Attack, Finds Its Health Service Crippled (bitdefender.com)
Conti Ransomware Shuts Down Operation, Rebrands into Smaller Units (bleepingcomputer.com)
No One Is Slowing Down BlackByte Ransomware Gang • The Register
President Rodrigo Chaves says Costa Rica is at war with Conti hackers - BBC News
Engineering Firm Parker Discloses Data Breach After Ransomware Attack (bleepingcomputer.com)
US links Thanos and Jigsaw ransomware to 55-year-old doctor (bleepingcomputer.com)
Russian Conti Ransomware Gang Threatens to Overthrow New Costa Rican Government (thehackernews.com)
Phishing & Email Based Attacks
This Phishing Attack Delivers Three Forms of Malware. And They All Want to Steal Your Data | ZDNet
HTML Attachments Remain Popular Among Phishing Actors In 2022 (bleepingcomputer.com)
Chatbot Army Deployed in Latest DHL Shipping Phish (darkreading.com)
Phishing Gang That Stole Over 400,000 Euros Busted in Spain (tripwire.com)
Long Lost @ Symbol Gets New Life Obscuring Malicious URLs | Malwarebytes Labs
Spanish Police Dismantle Phishing Gang That Emptied Bank Accounts (bleepingcomputer.com)
Malware
Microsoft Identifies Botnet Variant Targeting Windows and Linux Systems - Infosecurity Magazine
Activity of the Linux XorDdos bot increased by 254% over the last 6 monthsSecurity Affairs
Fake Domains Offer Windows 11 Installers - But Deliver Malware Instead | ZDNet
Bruised but Not Broken: The Resurgence of the Emotet Botnet Malware (trendmicro.com)
Malicious PyPI Pymafka Package Opens Backdoors On Windows, Linux, and Macs (bleepingcomputer.com)
April VMware Bugs Abused to Deliver Mirai Malware, Exploit Log4Shell | Threatpost
Mobile
6 Scary Tactics Used in Mobile App Attacks (darkreading.com)
Researchers Find Potential Way to Run Malware on iPhone Even When it's OFF (thehackernews.com)
Google TAG: Cytrox's Predator Spyware Used to Target Android Users | WIRED
IoT
Data Breaches/Leaks
Organised Crime & Criminal Actors
Ukrainian Hacker Jailed for 4-Years in U.S. for Selling Access to Hacked Servers (thehackernews.com)
US Recovers a Record $15m from the 3ve Ad-Fraud Crew • The Register
Cryptocurrency/Cryptomining/Cryptojacking/NFTs
How Cryptocurrencies Enable Attackers and Defenders (techtarget.com)
Monero-Mining Sysrv Botnet Targets Windows, Linux Web Servers • The Register
US Brings First-Of-Its-Kind Bitcoin Sanctions-Busting Case • The Register
Fake Pixelmon NFT Site Infects You with Password-Stealing Malware (bleepingcomputer.com)
Hackers Compromise a String of NFT Discord Channels (vice.com)
Fraud, Scams & Financial Crime
Supply Chain and Third Parties
MITRE Creates Framework for Supply Chain Security (darkreading.com)
The Four Horsemen of Software Supply Chain Attacks - MSSP Alert
Cloud/SaaS
7 Key Findings from the 2022 SaaS Security Survey Report (thehackernews.com)
New Research Identifies Poor IAM Policies as The Greatest Cloud Vulnerability - CyberScoop
Are You Investing in Securing Your Data in the Cloud? (thehackernews.com)
380K Kubernetes API Servers Exposed to Public Internet | Threatpost
Open Source
Privacy
How To Ensure That the Smart Home Doesn’t Jeopardize Data Privacy? - Help Net Security
Privacy. Ad Bidders Haven't Heard of It, Report Reveals • The Register
Third-Party Web Trackers Log What You Type Before Submitting (bleepingcomputer.com)
Passwords & Credential Stuffing
The Most Insecure and Easily Hackable Passwords - Help Net Security
Half of IT Leaders Store Passwords in Shared Docs - Infosecurity Magazine
Cyber Bullying and Cyber Stalking
Regulations, Fines and Legislation
Europe Moves Closer to Stricter Cyber Security Standards • The Register
EU's NIS 2 Directive to Strengthen Cyber Security Requirements For Companies - Help Net Security
Spyware, Espionage & Cyber Warfare, including Russian Invasion of Ukraine
Google TAG: Cytrox's Predator Spyware Used to Target Android Users | WIRED
How Mobile Networks Have Become a Front in the Battle for Ukraine (darkreading.com)
China-linked Twisted Panda Caught Spying on Russian R&D Orgs • The Register
Pro-Russian Hackers Spread Hoaxes to Divide Ukraine, Allies | SecurityWeek.Com
A custom PowerShell RAT Targets Germany Using Crisis in Ukraine as Bait - Security Affairs
Nation State Actors
Nation State Actors – Russia
Putin Promises to Bolster Russia's IT Security in Face of Cyber Attacks | Reuters
Russian Hackers Declare War On 10 Countries After Failed Eurovision DDoS attack | IT PRO
Pro-Russian Information Operations Escalate in Ukraine War (darkreading.com)
Russian Undersea Cable Threat Shifts Tech Business to UK (telegraph.co.uk)
Russians Allegedly Storm Ukrainian ISP, Blackmail It to Switch To Russian Networks - CyberScoop
Russia-linked Sandworm Continues to Conduct Attacks Against Ukraine - Security Affairs
Russian Cyber Attack on Eurovision Foiled By Italian Authorities (bitdefender.com)
This Russian Botnet Does Far More Than DDoS Attacks - And on A Massive Scale | ZDNet
Nation State Actors – China
Nation State Actors – North Korea
Nation State Actors – Iran
Vulnerabilities
QNAP Urges Users to Update NAS Devices to Prevent Deadbolt Ransomware Attacks (thehackernews.com)
Cisco Fixes an IOS XR Flaw Actively Exploited in The Wild - Security Affairs
2 Vulnerabilities With 9.8 Severity Ratings Are Under Exploit. A 3rd Looms | Ars Technica
Microsoft Rushes a Fix After May Patch Tuesday Breaks Authentication (darkreading.com)
Microsoft Fixes New PetitPotam Windows NTLM Relay Attack Vector (bleepingcomputer.com)
Apple Patches Zero-Day Kernel Hole and Much More – Update Now! – Naked Security (sophos.com)
High-Severity Bug Reported in Google's OAuth Client Library for Java (thehackernews.com)
Over 20,000 Zyxel Firewalls Still Exposed to Critical Bug - Infosecurity Magazine
Apple Fixes the Sixth Zero-Day Since The Beginning of 2022 - Security Affairs
Mozilla Patches Wednesday’s Pwn2Own Double-Exploit… on Friday! – Naked Security (sophos.com)
Critical Vulnerability in Premium WordPress Themes Allows for Site Takeover | Threatpost
Critical Jupiter WordPress Plugin Flaws Let Hackers Take Over Sites (bleepingcomputer.com)
Apple Finally Patches Exploited Vulnerabilities in macOS Big Sur, Catalina | SecurityWeek.Com
NVIDIA Fixes Ten Vulnerabilities in Windows GPU Display Drivers (bleepingcomputer.com)
New Brute Force Attacks Against SQL Servers Use PowerShell Wrapper | SecurityWeek.Com
Sector Specific
Retail/eCommerce
How Crooks Backdoor Sites and Scrape Credit Card Info • The Register
Digital Skimming is Now the Preserve of Non-Magecart Groups - Infosecurity Magazine
Energy & Utilities
Water Companies Are Increasingly Uninsurable Due To Ransomware, Industry Execs Say - CyberScoop
UK Announces Nuclear Cyber Security Strategy - IT Security Guru
Education and Academia
Ransomware Attack Exposes Data of 500,000 Chicago Students (bleepingcomputer.com)
Higher Education Institutions Being Targeted for Ransomware Attacks | TechRepublic
“Incompetent” Council Leaks Details of Students With Special Educational Needs • Graham Cluley
Researchers Find Backdoor in School Management Plugin for WordPress (thehackernews.com)
Other News
UK Government: Lack of Skills the Number One Issue in Cyber Security - Infosecurity Magazine
Malicious Hackers Are Finding It Too Easy to Achieve Their Initial Access (tripwire.com)
How Threat Actors Are a Click Away From Becoming Quasi-APTs (darkreading.com)
Cyber Security: Global Food Supply Chain at Risk From Malicious Hackers - BBC News
Cyber Security Agencies Reveal Top Initial Access Attack Vectors (bleepingcomputer.com)
50% of Orgs Rely on Email to Manage Security (darkreading.com)