Threat Intelligence Blog
Contact us to discuss any insights from our Blog, and how we can support you in a tailored threat intelligence report.
Black Arrow Cyber Threat Briefing 07 May 2021
Black Arrow Cyber Threat Briefing 07 May 2021: New Technology Has Enabled Cyber-Crime On An Industrial Scale; Cyber Security Control Failures Listed As Top Emerging Risk; Third Parties Caused Data Breaches At 51% Of Organisations; Apple Devices Under Attack, Update Now; Ransomware Reality Shock - 92% Who Pay Do Not Get Their Data Back; New Vulnerabilities Impact 60% Of Email Servers; Big Rise In Double Extortion Ransomware; Millions At Security Risk From Old Routers; 30% Of All Smartphones Vulnerable To New Bug
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
New Technology Has Enabled Cyber-Crime On An Industrial Scale
Nobody likes a call from the taxman. Donald Rumsfeld, who as America’s defence secretary oversaw a budget bigger than the economy of a typical country, nonetheless finds the rules so confusing that he writes to the Internal Revenue Service each year complaining that he has “no idea” whether he has filed his taxes correctly. So, it is hardly surprising that, when the phone rings and an official-sounding voice says you have underpaid your taxes and will be connected to an adviser to pay the balance, ordinary folk tremble.
Cyber Security Control Failures Listed As Top Emerging Risk
Despite a myriad of risks resulting from the pandemic, such as the new work environment and environmental, social and governance (ESG) concerns, cyber security risk was singled out with notable consistency across all geographic regions and most industries, cited by 67% of respondents. The next highest cited risk, “the new working model” was cited by 43% of respondents. “Many organisations were forced to implement quick fixes to serious operational gaps as a result of their initial pandemic responses.”
https://www.helpnetsecurity.com/2021/05/03/cybersecurity-control-failures/
Third Parties Caused Data Breaches At 51% Of Organisations
Remote access is becoming an organisation's weakest attack surface, according to new research published. The new report, titled “A Crisis in Third-party Remote Access Security,” reveals a disparity between an organisation's perceived third-party access security threat and the protective measures it puts in place. Researchers found that organisations are exposing their networks to non-compliance and security risks by not taking action to reduce third-party access risk.
https://www.infosecurity-magazine.com/news/third-parties-breaches-at-51-of/
Apple Devices Under Attack — Update Your Mac, iPhone, iPad And Apple Watch Now
Apple on Monday (May 3) pushed out emergency patches to macOS, iPadOS, watchOS and two different versions of iOS to fix four flaws in WebKit, the rendering engine that underlies the Safari web browser. Install these updates when you receive them, because for each flaw, the company states that "Apple is aware of a report that this issue may have been actively exploited." In each case, Apple says, "processing maliciously crafted web content may lead to arbitrary code execution." In plain English, that means web pages could be built to remotely hack your Mac, iPhone, iPad, or Apple Watch.
https://www.tomsguide.com/uk/news/apple-urgent-updates-2105
Enforcing KYC, AML Laws Is Key To Reducing Ransomware Attacks: Task Force
Better enforcement of crypto currency regulations can help address an increasing number of ransomware attacks; a public-private task force claimed Thursday. The Ransomware Task Force, led by the Institute for Security and Technology with support from Microsoft, McAfee and various government agencies, published a report proposing a host of government and company responses to the growing threat of ransomware attacks, including recommendations to disrupt payments to the developers who develop this form of malware. A ransomware attack is one where a malicious actor hijacks a computer or network, locking it until the victim pays a ransom, often in crypto currency (ransomware victims paid close to $350 million in crypto to attackers last year). Paying the ransom is not necessarily a guarantee the perpetrator will share a decryption tool to unlock the computer.
https://www.coindesk.com/enforcing-kyc-aml-laws-is-key-to-reducing-ransomware-attacks-report-says
Ransomware Reality Shock: 92% Who Pay Do Not Get Their Data Back
As Apple gets caught up in an apparent $50 million ransomware extortion attempt by a significant cyber criminal gang, new research reveals just how unlikely it is that organisations will get all their data back if they pay up. On April 23, I reported how the notorious cyber criminal gang behind the REvil ransomware operation had attempted to get Apple to pay the ransom for another business that it had targeted. That business, REvil said, was Apple original design manufacturer Quanta Computer and the gang said it had stolen the schematics for several new Apple products. Several blueprints were published to the REvil dark web site, including one that 9to5Mac determined was related to the 2021 MacBook Pro.
New Vulnerabilities Impact 60% Of The Internet’s Email Servers
The maintainers of the Exim email server software have released updates today to patch a collection of 21 vulnerabilities that can allow threat actors to take over servers using both local and remote attack vectors. Known as 21Nails, the vulnerabilities were discovered by the security firm Qualys. The bugs impact Exim, a type of email server known as a mail transfer agent (MTA) that helps email traffic travel across the internet and reach its intended destinations. While there are different MTA clients available, an April 2021 survey shows that Exim has a market share of nearly 60% among all MTA solutions, being widely adopted around the internet.
New vulnerabilities impact 60% of the internet’s email servers
Ransomware: There's Been A Big Rise In Double Extortion Attacks As Gangs Try Out New Tricks
There has been a big rise in the number of ransomware gangs that threaten to release information stolen from the victims if they themselves rather than the firm, do not pay the ransom for the decryption key required to restore their network. The idea behind these 'double extortion' ransomware attacks is that even if the victim organisation believes it can restore its network without giving into the ransom demands of cyber criminals – which regularly cost millions of dollars in Bitcoin – the threat of sensitive information about employees or customers being exposed could still push victims to giving into the blackmail and paying the ransom.
They Told Their Therapists Everything. Hackers Leaked It All
Finnish mental health Clinic Vastaamo suffers catastrophic data breach. A security flaw at the firm’s IT provider not only exposed full names, dates of birth, and social security numbers, but also the actual written notes their therapists had taken. It was the patients themselves, rather than the firm were then left facing a demand for ransom payment to prevent public disclosure of their data.
Millions At Security Risk From Old Routers
Millions of people could be using outdated routers that put them at risk of being hacked. The consumer watchdog examined 13 models provided to customers by internet-service companies such as EE, Sky and Virgin Media and found more than two-thirds had flaws. It estimated about six million people could have a device not updated since 2018 or earlier. So, in some cases, they would not have received crucial security updates.
https://www.bbc.co.uk/news/technology-56996717
An Estimated 30% Of All Smartphones Vulnerable To New Qualcomm Bug
Around a third of all smartphones in the world are believed to be affected by a new vulnerability in a Qualcomm modem component that can grant attackers access to the device’s call and SMS history and even audio conversations. First designed in the early 90s, the chip has been updated across the years to support 2G, 3G, 4G, and 5G cellular communications and has slowly become one of the world’s most ubiquitous technologies, especially with smartphone vendors. Devices that use Qualcomm MSM chips today include high-end smartphone models sold by Google, Samsung, LG, Xiaomi, and One Plus, just to name a few.
https://therecord.media/an-estimated-30-of-all-smartphones-vulnerable-to-new-qualcomm-bug/
Threats
Ransomware
Cloud Hosting Provider Swiss Cloud Suffered A Ransomware Attack
Babuk Quits Ransomware Encryption, Focuses On Data-Theft Extortion
Phishing
Malware
Mobile
Vulnerabilities
Security Researchers Found 21 Flaws In This Widely Used Email Server, So Update Immediately
Dell Is Issuing A Security Patch For Hundreds Of Computer Models Going Back To 2009
Pulse Secure fixes VPN zero-day used to hack high-value targets
Microsoft Warns Of Damaging Vulnerabilities In Dozens Of Iot Operating Systems
Python Also Impacted By Critical Ip Address Validation Vulnerability
Computer Scientists Discover New Vulnerability Affecting Computers Globally
Data Breaches
Data Leak Implicates Over 200,000 People In Amazon Fake Product Review Scam
Middle Market Companies Facing A Record Number Of Data Breaches
Nation State Actors
Denial of Service
Privacy
Other News
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Threat Briefing 23 April 2021
Black Arrow Cyber Threat Briefing 23 April 2021: Cyber Attacks Rise For Businesses, Pushing Many To The Brink; MI5 Warns Of Spies Using LinkedIn To Trick Staff; Sonicwall Warns Customers To Patch 3 Zero-Days Exploited In The Wild; FBI Removed Backdoors From Vulnerable Exchange Servers, Not Everyone Likes The Idea; Pulse Secure VPN Zero-Day Used To Hack Defense Firms & Govt Orgs; Solarwinds Hack Could Cost Insurance Firms $90M; Mount Locker Ransomware Aggressively Changes Up Tactics; QR Codes Offer Easy Cyber Attack Avenues as Usage Spikes
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
Cyber Attacks On The Rise For Businesses, Pushing Many To The Brink
The proportion of businesses targeted by cyber criminals in the past year increased from 38% to 43%, with over a quarter of those targeted (28%) experiencing five attacks or more. Those attacks are pushing many firms to the brink, with one in six businesses attacked (17%) saying the financial impact materially threatened the company’s future. On a more positive note, the report shows firms are responding to the cyber challenge: mean spending per business on cyber security has more than doubled in the last two years.
https://www.insurancejournal.com/news/international/2021/04/19/610514.htm
MI5 Warns Of Spies Using Linkedin To Trick Staff Into Spilling Secrets
At least 10,000 UK nationals have been approached by fake profiles linked to hostile states, on the professional social network LinkedIn, over the past five years, according to MI5. It warned users who had accepted such connection requests might have then been lured into sharing secrets. A campaign has been launched to educate government workers about the threat. The 10,000-plus figure includes staff in virtually every government departments as well as key industries, who might be offered speaking or business and travel opportunities that could lead to attempts to recruit them to provide confidential information.
https://www.bbc.co.uk/news/technology-56812746
SonicWall Warns Customers To Patch 3 Zero-Days Exploited In The Wild
Security hardware manufacturer SonicWall is urging customers to patch a set of three zero-day vulnerabilities affecting both its on-premises and hosted Email Security products. "In at least one known case, these vulnerabilities have been observed to be exploited 'in the wild,'" SonicWall said in a security advisory published earlier today. The company said it is "imperative" that organisations using its Email Security hardware appliances, virtual appliances, or software installations on Microsoft Windows Server machines immediately upgrade to a patched version.
The FBI Removed Hacker Backdoors From Vulnerable Microsoft Exchange Servers. Not Everyone Likes The Idea
The FBI had worked to remove malicious web shells from hundreds of computers in the United States that were running vulnerable versions of Microsoft Exchange Server. While the move will have helped keep many organisations secure, it has also raised questions about the direction of cyber security. Earlier this year, four zero-day vulnerabilities in Microsoft Exchange Server, which were being actively exploited by a nation-state-backed hacking operation, were uncovered. Microsoft released a critical security update to protect Exchange Server customers from cyber attacks exploiting the vulnerabilities in March, but a significant number of organisations have yet to apply the security patch.
Pulse Secure VPN Zero-Day Used To Hack Defense Firms, Govt Organisations
A zero-day authentication bypass vulnerability in the Pulse Connect Secure (PCS) SSL VPN appliance actively exploited in attacks against worldwide organisations and focused on US Defence Industrial base networks. As a workaround, the vulnerability can be mitigated on some gateways by disabling Windows File Share Browser and Pulse Secure Collaboration features using instructions available in the security advisory published earlier today.
SolarWinds Hack Could Cost Cyber Insurance Firms $90 Million
Cyber insurance vendors are expected to spend $90 million on incident response and forensic services for clients who were compromised by the SolarWinds hackers. “Although the SolarWinds attack is a cyber catastrophe from a national security perspective, insurers may have narrowly avoided a catastrophic financial incident to their businesses,” The Russian hackers behind the SolarWinds attack appear to have avoided large scale exploitation of victims, instead opting to maintain access and collect sensitive data. But if the SolarWinds hackers had been focused on interrupting business and destroying networks, the campaign could have been catastrophic for insurers.
https://www.crn.com/news/security/solarwinds-hack-could-cost-cyber-insurance-firms-90-million
Mount Locker Ransomware Aggressively Changes Up Tactics
The Mount Locker ransomware has shaken things up in recent campaigns with more sophisticated scripting and anti-prevention features, according to researchers. And, the change in tactics appears to coincide with a rebranding for the malware into “AstroLocker.” According to researchers, Mount Locker has been a swiftly moving threat. Having just hit the ransomware-as-a-service scene in the second half of 2020, the group released a major update in November that broadened its targeting capabilities (including searching for file extensions utilized by TurboTax tax-return software to encrypt). It also added improved detection evasion. Attacks have continued to escalate, and now, another major update signals “an aggressive shift in Mount Locker’s tactics,”.
https://threatpost.com/mount-locker-ransomware-changes-tactics/165559/
QR Codes Offer Easy Cyber Attack Avenues as Usage Spikes
The use of mobile quick-response (QR) codes in daily life, for both work and personal use, continues to rise – and yet, most people are not aware that these handy mobile shortcuts can open them up to savvy cyber attacks. A survey of 4,157 consumers across China, France, Germany, Japan, the U.K. and the U.S. It found that 57 percent of respondents have increased their QR code usage since mid-March 2020, mainly because of the need for touchless transactions in the wake of COVID-19. In all, three-quarters of respondents (77 percent) said they have scanned a QR code before, with 43 percent having scanned a QR code in the past week.
https://threatpost.com/qr-codes-cyberattack-usage-spikes/165526/
Google Alerts Continues To Be A Hotbed Of Scams And Malware
Google Alerts continues to be a hotbed of scams and malware that threat actors are increasingly abusing to promote malicious websites. While Google Alerts has been abused for a long time, a significant increase in activity over the past couple of weeks. People use Google Alerts to monitor for various terms related to cyber attacks, security incidents, malware, etc. In one Google Alert, almost every new article shared with people today by the service led to a scam or malicious website.
Threats
Ransomware
Campus Still Closed as Portsmouth University Reels from Suspected Ransomware
Ransomware Gang Tries To Extort Apple Hours Ahead Of Spring Loaded Event
Discord Nitro gift codes now demanded as ransomware payments
Phishing
Malware
IOT
Vulnerabilities
Google Issues Chrome Update Patching Seven Security Vulnerabilities
Zero-Day Vulnerabilities In Sonicwall Email Security Are Being Actively Exploited
Cisco Router Flaws Left Small Business Networks Open To Abuse
Firefox 88 Patches Bugs And Kills Off A Sneaky Javascript Tracking Trick
Data Breaches
Organised Crime & Criminal Actors
Cryptocurrency
Supply Chain
Nation State Actors
Denial of Service
Other News
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.