Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

• Hackers Hit One Third of Organisations Worldwide Multiple Times

Hackers have stolen customer records multiple times from nearly a third of organisations worldwide in the past 12 months, security provider Trend Micro said in its newly released, twice-yearly Cyber Risk Index (CRI) report.

The report features interviews with some 4,100 organisations across North America, Europe, Latin/South America and Asia-Pacific. Respondents stressed that customer records are at increased risk as organisations struggle to profile and defend an expanding attack surface.

Overall, respondents rated the following as the top cyber threats in 1H 2022:

• Business Email Compromise (BEC)

• Clickjacking

• Fileless attacks

• Ransomware

• Login attacks (Credential Theft)

Here are some key findings from the study:

• The CRI calculates the gap between organisational preparedness and the likelihood of being attacked, with -10 representing the highest level of risk. The global CRI index moved from –0.04 in 2H 2021 to –0.15 in 1H 2022, indicating a surging level of risk over the past six months.

• This is a slight increase in risk from the second half of 2021, when it was -0.04. Organisations in North America and Asia-Pacific saw an increase in their cyber risk from that period while Europe and Latin/South America’s risk decreased in comparison.

• The number of global organisations experiencing a “successful” cyber-attack increased from 84% to 90% over the same period.

• The number now expected to be compromised over the coming year has also increased from 76% to 85%.

From the business perspective, the biggest concern is the misalignment between CISOs and business executives, Trend Micro said. The answers given by respondents to the question: “My organisation’s IT security objectives are aligned with business objectives,” only made a score of 4.79 out of 10.0

By addressing the shortage of cyber security professionals and improving security processes and technology, organisations will significantly reduce their vulnerability to attacks.

You can’t protect what you can’t see. But with hybrid working ushering in a new era of complex, distributed IT environments, many organisations are finding it difficult to eradicate growing security coverage and visibility gaps. To avoid the attack surface spiraling out of control, they need to combine asset discovery and monitoring with threat detection and response on a single platform.

https://www.msspalert.com/cybersecurity-research/hackers-hit-one-third-of-organizations-worldwide-multiple-times/

• Firms Spend $1,197 Per Employee Yearly to Address Cyber Attacks

Companies pay an average of $1,197 per employee yearly to address successful cyber incidents against email services, cloud collaboration apps or services and browsers.

Security researchers at Perception Point shared the findings with Infosecurity before publishing them in a new white paper this month.

According to the new data, the above figures exclude compliance fines, ransomware mitigation costs and losses from non-operational processes, all of which can cause further spending.

The survey, conducted in conjunction with Osterman Research in June, considers the responses of 250 security and IT decision-makers at various enterprises and reveals additional discoveries regarding today’s enterprise threat landscape.

These findings demonstrate the urgent need for organisations to find the most accurate and efficient cyber security solutions which provide the necessary protection with streamlined processes and managed services.

Among the findings is that malicious incidents against new cloud-based apps and services occur at 60% of the frequency with which they take place on email-based services.

Additionally, some attacks, like those involving malware installed on an endpoint, happen on cloud collaboration apps at a much higher rate (87%) when compared to email-based services.

The Perception Point report also shows that a successful email-based cyber incident takes security staff an average of 86 hours to address.

In light of these figures, the security company added that one security professional with no additional support can only handle 23 email incidents annually, representing a direct cost of $6452 per incident alone.

Conversely, incidents detected on cloud collaboration apps or services take, on average, 71 hours to resolve. In these cases, one professional can handle just 28 incidents yearly at an average cost of $5305 per incident.

https://www.infosecurity-magazine.com/news/firms-dollar1197-per-employee/

• 90% of Organisations have Microsoft 365 Security Gaps

A recently published study evaluated 1.6 million Microsoft 365 users across three continents, finding that 90% of organisations had gaps in essential security protections. Managing Microsoft 365 (M365) is complicated. How can IT teams avoid management headaches, stay 100% compliant, and truly take control of their M365 instance?

Research from the study reveals that many common security procedures are not being followed 100% of the time. This leaves gaping holes in most organisations’ security defences. While most companies have strong documented security policies, the research uncovered that most aren’t being implemented consistently due to difficulties in reporting and limited IT resources:

• 90% of companies had gaps across all four key areas studied – multi-factor authentication (MFA), email security, password policies, and failed logins

• 87% of companies have MFA disabled for some or all their admins (which are the most critical accounts to protect, due to their higher access levels)

• Only 17% of companies had strong password requirements that were being consistently followed.

Overall, nearly every organisation is leaving the door open for cyber security threats due to weak credentials, particularly for administrator accounts.

In addition to security challenges, the study identified key areas for improvement in managing Microsoft 365 licences as well, such as:

• The average company had 21.6% of their licenses unassigned or “sitting on the shelf.” Another 10.2% of licenses were inactive, for an average of 31.9% unused licenses.

• 17% of companies had over 10,000 licenses unassigned or inactive. These cases represent big opportunities to optimise licence spend with better tools.

Overall, the study reveals that reporting challenges make security and licence management incredibly difficult, leading to unnecessary risks and costs.

https://www.helpnetsecurity.com/2022/11/22/microsoft-365-security-protections/

• Luna Moth Phishing Extortion Campaign Targets Businesses in Multiple Sectors

A callback phishing extortion campaign by Luna Moth (aka Silent Ransom Group) has targeted businesses in multiple sectors, including legal and retail.

The findings come from Palo Alto Network’s security team Unit 42, which described the campaign in a new advisory.

“This campaign leverages extortion without encryption, has cost victims hundreds of thousands of dollars and is expanding in scope,” reads the technical write-up. At the same time, Unit 42 said that this type of social engineering attack leaves very few artifacts because it relies on legitimate technology tools to carry out attacks. In fact, callback phishing, also known as telephone-oriented attack delivery (TOAD), is a social engineering method that requires a threat actor to interact with the victim to accomplish their goals.

“This attack style is more resource intensive but less complex than script-based attacks, and it tends to have a much higher success rate,” reads the advisory. According to Unit 42, threat actors associated with the Conti group have extensively used this attack style in BazarCall campaigns. “Early iterations of this attack focused on tricking the victim into downloading the BazarLoader malware using documents with malicious macros,” explained the researchers.

As for the new campaign, which Sygnia security researchers first unveiled in July, it removes the malware portion of the attack. “In this campaign, attackers use legitimate and trusted systems management tools to interact directly with a victim’s computer to manually exfiltrate data [...] As these tools are not malicious, they’re not likely to be flagged by traditional antivirus products,” Unit 42 wrote.

The researchers also said that they expect callback phishing attacks to increase in popularity because of low per-target cost, low risk of detection and fast monetisation factors.

https://www.infosecurity-magazine.com/news/luna-moth-phishing-target-multiple/

• The Real Cost of Cyber Attacks: What Organisations Should Be Prepared For

With each passing year, hackers and cyber criminals of all kinds are becoming more sophisticated, malicious, and greedy conducting brazen and often destructive cyber-attacks that can severely disrupt a company’s business operations. And this is a big problem, because, first and foremost, customers rely on a company’s ability to deliver services or products in a timely manner. Cyber-attacks not only can affect customers’ data, but they can impact service delivery.

In one of the recent incidents, the UK’s discount retailer The Works has been forced to temporarily shut down some of its stores after a ransomware attack. While the tech team quickly shut down the company’s computers after being alerted to the security breach by the firewall system, the attack caused disruption to deliveries and store functionality including till operations.

A cyber security incident can greatly affect a business due to the consequences associated with cyber-attacks like potential lawsuits, hefty fines and damage payments, insurance rate hikes, criminal investigations and bad publicity. For example, shares of Okta, a major provider of authentication services, fell 9% after the company revealed it was a victim of a major supply chain incident via an attack on a third-party contractor’s laptop, which affected some of its customers.

Another glaring example is a 2021 cyber-attack launched by the Russian-speaking ransomware gang called DarkSide against the operator of one of the US’ largest fuel pipelines Colonial Pipeline, which crippled fuel delivery across the Southeastern United States impacting lives of millions due to supply shortages. Colonial paid the DarkSide hackers a $4.4 million ransom soon after the incident. The attackers also stole nearly 100GB of data from Colonial Pipeline and threatened to leak it if the ransom wasn’t paid. It’s also worth noting that the company is now facing a nearly $1 million penalty for failure “to plan and prepare for a manual restart and shutdown operation, which contributed to the national impacts after the cyber-attack.”

Data breaches and costs associated with them have been on the rise for the past few years, but, according to a 2021 report, the average cost per breach increased from $3.86 million in 2020 to $4.24 million in 2021. The report also identified four categories contributing most global data breach costs – Lost business cost (38%), Detection and escalation (29%), Post breach response (27%), and Notification (6%).

Ransomware attacks cost an average of $4.62 million (the cost of a ransom is not included), and destructive wiper-style attacks cost an average of $4.69 million, the report said.

For a business, a data breach is not just a loss of data, it can also have a long-lasting impact on operations and undermine customers’ trust in the company. In fact, a survey revealed that 87% of consumers are willing to take their business elsewhere if they don’t trust a company is handling their data responsibly. Therefore, the reputational damage might be detrimental to a business’ ability to attract new customers.

https://informationsecuritybuzz.com/the-real-cost-of-cyber-attacks-what-organizations-should-be-prepared-for-2/

• 34 Russian Cyber Crime Groups Stole Over 50 Million Passwords with Stealer Malware

As many as 34 Russian-speaking gangs, distributing information-stealing malware under the stealer-as-a-service model, stole no fewer than 50 million passwords in the first seven months of 2022.

"The underground market value of stolen logs and compromised card details is estimated around $5.8 million" Singapore-headquartered Group-IB said in a report shared with The Hacker News.

Aside from looting passwords, the stealers also harvested 2.11 billion cookie files, 113,204 crypto wallets, and 103,150 payment cards.

A majority of the victims were located in the US, followed by Brazil, India, Germany, Indonesia, the Philippines, France, Turkey, Vietnam, and Italy. In total, over 890,000 devices in 111 countries were infected during the time frame.

Group-IB said the members of several scam groups who are propagating the information stealers previously participated in the Classiscam operation. These groups, which are active on Telegram and have around 200 members on average, are hierarchical, consisting of administrators and workers (or traffers), the latter of whom are responsible for driving unsuspecting users to info-stealers like RedLine and Raccoon. This is achieved by setting up bait websites that impersonate well-known companies and luring victims into downloading malicious files. Links to such websites are, in turn, embedded into YouTube video reviews for popular games and lotteries on social media, or shared directly with non-fungible token (NFT) artists.

https://thehackernews.com/2022/11/34-russian-hacker-groups-stole-over-50.html

• “Password” Continues to Be the Most Common Password in 2022

You would think the time spent working from home in the last two years or so helped netizens across the planet figure out how to master the world of WWW in a more efficient manner.

But new research from NordPass shows that despite so many people relying on an Internet connection for their daily activities, few actually care about the security of their data when they go online.

As a result, “password” continues to be the number one password out there, with the aforementioned company claiming that this particular keyword was detected close to 5 million times in a 3TB database. It takes less than one second to crack this password, the company says.

“123456” is currently the second most-used password worldwide, followed by its longer sibling known as “123456789” because, you know, hackers don’t know how to count to 10.

“There’s more than one way to get swindled on Tinder: using “tinder” as your password is more risky than swiping right on a billionaire. In total, this password was used 36,384 times” NordPass says. “The glitziest film industry event of the year – the Oscars ceremony – inspired many to use not-so-glitzy passwords: the password “Oscars” was used 62,983 times.”

Of course, it’s no surprise that Internet users out there turn to movies to get inspiration for their passwords, so unfortunately, “batman” is currently one of the most used keywords supposed to secure Internet accounts.

“Films and shows like Batman, Euphoria, and Encanto were among the most popular releases in 2021/2022. All are also popular passwords: “batman” was used 2,562,776 times, “euphoria” 53,993, and “encanto” 10,808 times,” the company says.

The most common password in the United States is “guest,” while in the United Kingdom, quite a lot of people go for “liverpool” (despite hackers needing just 1 second to crack it).

https://news.softpedia.com/news/password-continues-to-be-the-most-common-password-in-2022-as-well-536503.shtml

• Lasts Year’s Massive Twitter Data Breach Was Far Worse Than Reported, Reveal Security Researchers

A massive Twitter data breach last year, exposing more than five million phone numbers and email addresses, was worse than initially reported. The same security vulnerability appears to have been exploited by multiple bad actors, and the hacked data has been offered for sale on the dark web by several sources.

It had previously been thought that only one hacker gained access to the data, and Twitter’s belated admission reinforced this impression. HackerOne first reported the vulnerability back in January, which allowed anyone to enter a phone number or email address, and then find the associated twitterID. This is an internal identifier used by Twitter, but can be readily converted to a Twitter handle. A bad actor would be able to put together a single database which combined Twitter handles, email addresses, and phone numbers.

At the time, Twitter admitted that the vulnerability had existed, and subsequently been patched, but said nothing about anyone exploiting it. Restore Privacy subsequently reported that a hacker had indeed used the vulnerability to obtain personal data from millions of accounts.

https://9to5mac.com/2022/11/25/massive-twitter-data-breach/

• European Parliament Declares Russia to be a State Sponsor of Terrorism – Then Gets Attacked

On Wednesday, the European Parliament adopted a resolution on the latest developments in Russia’s brutal war of aggression against Ukraine. MEPs highlight that the deliberate attacks and atrocities committed by Russian forces and their proxies against civilians in Ukraine, the destruction of civilian infrastructure and other serious violations of international and humanitarian law amount to acts of terror and constitute war crimes. In light of this, they recognise Russia as a state sponsor of terrorism and as a state that “uses means of terrorism”.

As the EU currently cannot officially designate states as sponsors of terrorism, the European Parliament calls on the EU and its member states to put in place the proper legal framework and consider adding Russia to such a list. This would trigger a number of significant restrictive measures against Moscow and have profound restrictive implications for EU relations with Russia.

In the meantime, MEPs call on the Council to include the Russian paramilitary organisation ‘the Wagner Group’, the 141st Special Motorized Regiment, also known as the “Kadyrovites”, and other Russian-funded armed groups, militias and proxies, on the EU’s terrorist list.

Almost immediately after the vote the European Parliament suffered a sustained denial of service attack that shut down email services and disrupted internet access for more than an hour. A pro-Russian group called KILLNET then claimed responsibility in a Telegram post.

https://www.europarl.europa.eu/news/en/press-room/20221118IPR55707/european-parliament-declares-russia-to-be-a-state-sponsor-of-terrorism

https://informationsecuritybuzz.com/comment-european-parliament-hit-by-cyberattack-after-vote-on-russia/

• The Changing Nature of Nation-State Cyber Warfare

Military conflict is ever shifting from beyond the battlefield and into cyber space. Ever more sophisticated and ruthless groups of nation-state actors and their proxies continue to target critical systems and infrastructure for political and ideological leverage. These criminals’ far-reaching objectives include intelligence gathering, financial gain, destabilising other nations, hindering communications, and the theft of intellectual property.

The risks to individuals and society are clear. Due to its importance to daily life and the economy, the UK’s critical national infrastructure (CNI) is a natural target for malicious nation-state cyber-attacks. We only need look at the Colonial Pipeline ransomware attack in the US – at the hands of the Russia-affiliated DarkSide group – to appreciate the potential for one criminal act to escalate and cause large-scale societal impact: panic and disruption. Even though the pipeline was shut down for less than a week, the havoc caused by suspending fuel supplies gave CNI operators everywhere a worrying taste of things to come.

Closer to home, the recent cyber attack on South Staffordshire Water highlights the need for all utilities providers to take proactive measures and precautions to better secure essential human sustenance supplies. With the risk of coordinated attacks by criminals backed by nation states rising, the potential for human casualties if attacks against CNI go unchecked is becoming starkly clear.

The Russia-Ukraine war has heightened awareness of the cyber threats posed by all nation-state adversaries. Unsurprisingly, challenges and conflicts in the physical world tend to bleed through into the cyber domain. And with relations between Western nations and Russia, China, Iran, and North Korea more fraught than ever, UK organisations can expect to see further increases in cyber threats at the hands of hostile nation-state actors.

https://informationsecuritybuzz.com/the-changing-nature-of-nation-state-cyber-warfare/

• Is Your Company Covered for a Cyber Security Attack? That’s the £2 Million Question

Cyber crime continues to be a persistent and pressing issue for all sized businesses, particularly smaller organisations. In fact, according to the National Cyber Security Alliance, nearly 60% of small businesses that experience a cyber attack shut their doors within six months.

Despite the continuing rise in risk, many small businesses remain vulnerable to cyber attacks due to a lack of resources and – surprisingly – a lack of knowledge of the existing threats. Moreover, companies are now being exposed to cyber risks even further as they struggle to get appropriate cyber insurance, which, if needed, can be devastating should bad actors circumvent your company’s defences.

Cyber insurance is a policy that helps an organisation pay for any financial losses incurred following a data breach or cyber attack. It also helps cover any costs related to the remediation process, such as paying for the investigation, crisis communication, legal services, and customer refunds.

With the constant – and ever-increasing – threat of potential cyber attacks and the need to protect their assets, many companies are applying for cyber insurance, which generally covers a variety of different types of cyber-attacks, including data breaches; business email compromises; cyber extortion demands; malware infections and ransomware.

But, despite the benefits of cyber insurance, it remains surprisingly undervalued. The UK government’s Cyber Security Breaches Survey 2022 found that only 43% of businesses have a cyber insurance policy in place.

Organisations must always seek cost-effective ways to address the cyber security risks they face – as no business is safe in the modern security landscape from a cyber threat. One of the most common ways to mitigate the risk of a cyber security incident is cyber insurance.  While all-sized businesses can benefit from having cyber insurance, small businesses frequently lack the knowledge and importance of securing it. This is usually because of the cost, the time involved in finding a provider, and a lack of understanding of the importance of a cyber insurance policy.

https://informationsecuritybuzz.com/is-your-company-covered-for-a-cybersecurity-attack-thats-the-2-million-question/

Threats

Ransomware and Extortion

• Yanluowang Ransomware's Russian Links Laid Bare - Infosecurity Magazine (infosecurity-magazine.com)

• Medibank hackers release 1,500 more patient records on dark web, including mental health data | Medibank | The Guardian

• Fake subscription invoices lead to corporate data theft and extortion - Help Net Security

• Ouch! Ransomware gang says it won’t attack AirAsia again due to the “chaotic organisation” and sloppy security of hacked airline’s network • Graham Cluley

• Ransomware gang targets Belgian municipality, hits police instead (bleepingcomputer.com)

• New ransomware encrypts files, then steals your Discord account (bleepingcomputer.com)

• Donut extortion group also targets victims with ransomware (bleepingcomputer.com)

• Daixin Ransomware Gang Steals 5 Million AirAsia Passengers' and Employees' Data (thehackernews.com)

• Ransomware attacks: Making cyber ransom payments unlawful would help boards (afr.com)

• An aggressive Black Basta Ransomware campaign targets US-based companies - Security Affairs

• Luna Moth ransomware group invests in call centres to target individual victims - SiliconANGLE

• New ransomware attacks in Ukraine linked to Russian Sandworm hackers (bleepingcomputer.com)

• Cybereason warns of fast-moving Black Basta campaign (techtarget.com)

• Spate Of Ransomware Targeting Healthcare Cost $92 Billion In Downtime Since 2018, Experts Weigh In - Information Security Buzz

• RansomExx Upgrades to Rust (securityintelligence.com)

• Enterprise healthcare providers warned of Lorenz ransomware threat | SC Media (scmagazine.com)

• Montreal-area city hit by ransomware: Report | IT World Canada News

Phishing & Email Based Attacks

• Google Blocks 231B Spam, Phishing Emails in Past 2 Weeks (darkreading.com)

• World Cup phishing emails spike in Middle Eastern countries • The Register

• Microsoft Email Security Bypasses Instagram Credential Phishing Attacks - IT Security Guru

• Researcher warns that Cisco Secure Email Gateways can easily be circumvented - Security Affairs

• SocGholish finds success through novel email techniques | SC Media (scmagazine.com)

BEC – Business Email Compromise

• Ten Charged in $11m Healthcare BEC Plots - Infosecurity Magazine (infosecurity-magazine.com)

Malware

• Cyber criminals are increasingly using info-stealing malware to target victims | CSO Online

• A security firm hacked malware operators, locking them out of their own C&C servers | TechSpot

• Emotet is back and delivers payloads like IcedID and Bumblebee - Security Affairs

• All You Need to Know About Emotet in 2022 (thehackernews.com)

• New attacks use Windows security bypass zero-day to drop malware (bleepingcomputer.com)

• Multi-Purpose Botnet and Infostealer 'Aurora' Rising to Fame | SecurityWeek.Com

• DUCKTAIL malware campaign targeting Facebook business and ads accounts is back | CSO Online

• Aurora infostealer malware increasingly adopted by cybergangs (bleepingcomputer.com)

• This new malware is able to bypass all of Microsoft's security warnings | TechRadar

• Backdoored Chrome extension installed by 200,000 Roblox players (bleepingcomputer.com)

Mobile

• 'Patch Lag' Leaves Millions of Android Devices Vulnerable (darkreading.com)

• Millions of Android Devices Still Don't Have Patches for Mali GPU Flaws (thehackernews.com)

• Your iPhone may be collecting more personal data than you think | Digital Trends

• This Android File Manager App Infected Thousands of Devices with SharkBot Malware (thehackernews.com)

• Bahamut cybermercenary group targets Android users with fake VPN apps | WeLiveSecurity

• WhatsApp data leak: 500 million user records for sale | Cybernews

Internet of Things – IoT

• Vulnerable SDK components lead to supply chain risks in IoT and OT environments - Microsoft Security Blog

Data Breaches/Leaks

• Data from 5.4M Twitter users obtained from multiple threat actors and combined with data from other breaches - Security Affairs

• WhatsApp data leak: 500 million user records for sale - Security Affairs

• California County Says Personal Information Compromised in Data Breach | SecurityWeek.Com

• Personal data of AirAsia Malaysia, Indonesia and Thailand passengers allegedly leaked due to ransomware - SoyaCincau

Organised Crime & Criminal Actors

• Russian cyber gangs stole over 50 million passwords this year (bleepingcomputer.com)

• How social media scammers buy time to steal your 2FA codes – Naked Security (sophos.com)

• DEV-0569 Group Switches Tactics, Abuses Google Ads to Deliver Payloads | Cyware Alerts - Hacker News

• Hackers are locking out Mars Stealer operators from their own servers | TechCrunch

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

• Bank Of England Says Crypto Needs Regulation Now - Information Security Buzz

• Two Estonians arrested for running $575M crypto Ponzi scheme (bleepingcomputer.com)

• Cyber crooks to ditch BTC as regulation and tracking improves: Kaspersky (cointelegraph.com)

• Google Chrome extension used to steal cryptocurrency, passwords (bleepingcomputer.com)

• Crypto exchanges’ bundling of services threatens stability, says Bank of England official | Financial Times (ft.com)

• Bahamas SEC Or Hacker? Stolen Funds From FTX Keep On Moving (bitcoinist.com)

Fraud, Scams & Financial Crime

• 'iSpoof' service dismantled, main operator and 145 users arrested (bleepingcomputer.com)

• Operation Elaborate - UK police text 70,000 suspected victims of iSpoof bank fraudsters | Tripwire

• UK Cops Lead Action Against Fraud Site that Made £100m - Infosecurity Magazine (infosecurity-magazine.com)

• DUCKTAIL malware campaign targeting Facebook business and ads accounts is back | CSO Online

• Beware - Black Friday online shopping scams are here now | TechRadar

• Online retailers should prepare for a holiday season spike in bot-operated attacks | CSO Online

• Pig butchering domains seized and slaughtered by the Feds • The Register

• Experts Warn Remote Workers of Black Friday Security Threats - Infosecurity Magazine (infosecurity-magazine.com)

Insurance

• What cyber insurance really covers - Help Net Security

Software Supply Chain

• CISA, NSA, ODNI Publish Software Supply Chain Guidelines For Customers - Infosecurity Magazine (infosecurity-magazine.com) 

Denial of Service DoS/DDoS

• Out of the blue: Surviving an 18-hour, 39M-request DDoS attack - Help Net Security

Cloud/SaaS

• The impact of inadequate SaaS management - Help Net Security

Hybrid/Remote Working

• How remote working impacts security incident reporting | CSO Online

Identity and Access Management

• Access Rights – Bridging the Gap Between Current and Desired States - Information Security Buzz

Encryption

• Mathematical theorem used to crack US government encryption algorithm (phys.org)

API

• 5 API Vulnerabilities That Get Exploited by Criminals - Security Affairs

• The API Timebomb - Information Security Buzz

• What are different types of APIs? - IT Security Guru

• Three security design principles for public REST APIs - Help Net Security

Passwords, Credential Stuffing & Brute Force Attacks

• Russian cyber gangs stole over 50 million passwords this year (bleepingcomputer.com)

• Guess the most common password. Hint: We just told you • The Register

• World Cup Players Among Most Breached Passwords - IT Security Guru

• Google Chrome extension used to steal cryptocurrency, passwords (bleepingcomputer.com)

• Microsoft Email Security Bypasses Instagram Credential Phishing Attacks - IT Security Guru

• Hackers steal $300,000 in DraftKings credential stuffing attack (bleepingcomputer.com)

Social Media

• Data from 5.4M Twitter users obtained from multiple threat actors and combined with data from other breaches - Security Affairs

• Ducktail hackers now use WhatsApp to phish for Facebook Ad accounts (bleepingcomputer.com)

• Cyber security Pros Put Mastodon Flaws Under the Microscope (darkreading.com)

• Musk to abused Twitter users: Your tormentors will return • The Register

• Facebook sued for collecting personal data to sell adverts | News | The Times

• DUCKTAIL malware campaign targeting Facebook business and ads accounts is back | CSO Online

• Meta Takes Down Fake Facebook and Instagram Accounts Linked to Pro-US Influence Operation (thehackernews.com)

• Microsoft Email Security Bypasses Instagram Credential Phishing Attacks - IT Security Guru

• Beyond Trump, Twitter welcomes back purveyors of far-right disinformation - CyberScoop

Cyber Bullying, Cyber Stalking and Sextortion

• Musk to abused Twitter users: Your tormentors will return • The Register

Regulations, Fines and Legislation

• Bank Of England Says Crypto Needs Regulation Now - Information Security Buzz

• UK’s Privacy Tsar Defends Controversial Enforcement Strategy - Infosecurity Magazine (infosecurity-magazine.com)

• How US cyber incident reporting law could finally fix the information sharing problem - CyberScoop

Law Enforcement Action and Take Downs

• UK Cops Lead Action Against Fraud Site that Made £100m - Infosecurity Magazine (infosecurity-magazine.com)

• Operation Elaborate - UK police text 70,000 suspected victims of iSpoof bank fraudsters | Tripwire

• Interpol Seized $130 Million from Cyber criminals in Global "HAECHI-III" Crackdown Operation (thehackernews.com)

• 'iSpoof' service dismantled, main operator and 145 users arrested (bleepingcomputer.com)

Privacy, Surveillance and Mass Monitoring

• iPhones are not as privacy-focused as Apple claims, researchers point out - India Today

• Thinking about taking your computer to the repair shop? Be very afraid | Ars Technica

Misinformation, Disinformation and Propaganda

• Beyond Trump, Twitter welcomes back purveyors of far-right disinformation - CyberScoop

• Meta Takes Down Fake Facebook and Instagram Accounts Linked to Pro-US Influence Operation (thehackernews.com)

Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine

• Ukraine shows how space is now central to warfare | Financial Times (ft.com)

• New ransomware attacks in Ukraine linked to Russian Sandworm hackers (bleepingcomputer.com)

• EU Parliament Putin things back together after cyber attack • The Register

• Opinion | Democracies flirting with spyware like Pegasus raises dangers - The Washington Post

• Scotland's broadband builder linked to Israeli spyware | HeraldScotland

• Bahamut Spyware Group Compromises Android Devices Via Fake VPN Apps - Infosecurity Magazine (infosecurity-magazine.com)

• Russia-based RansomBoggs Ransomware Targeted Several Ukrainian Organisations (thehackernews.com)

Nation State Actors

Nation State Actors – Russia

• Russian Tech Giant Wants Out of the Country As Ukraine War Rages on (insider.com)

• Yanluowang Ransomware's Russian Links Laid Bare - Infosecurity Magazine (infosecurity-magazine.com)

Nation State Actors – China

• US Bans Chinese Telecom Equipment and Surveillance Cameras Over National Security Risk (thehackernews.com)

• UK bans Chinese CCTV cameras on ‘sensitive’ government sites • The Register

Vulnerability Management

• EPSS explained: How does it compare to CVSS? | CSO Online

Vulnerabilities

• 73 Percent of Retail Applications Contain Security Flaws, but Only a Quarter Are Fixed (yahoo.com)

• ConnectWise Fixes XSS Vulnerability that Could Lead to Remote Code Execution - Infosecurity Magazine (infosecurity-magazine.com)

• Researcher warns that Cisco Secure Email Gateways can easily be circumvented - Security Affairs

• Vulnerability in AWS AppSync allowed unauthorized access to cloud resources | The Daily Swig (portswigger.net)

• AWS fixes 'confused deputy' vulnerability in AppSync • The Register

• How to hack an unpatched Exchange server with rogue PowerShell code – Naked Security (sophos.com)

• Google pushes emergency Chrome update to fix 8th zero-day in 2022 (bleepingcomputer.com)

• Upgrade to Apache Commons Text 1.10 to Avoid New Exploit (infoq.com)

• Security experts are laying Mastodon's flaws bare | TechRadar

• Devices from Dell, HP, and Lenovo used outdated OpenSSL versions - Security Affairs

• PoC Code Published for High-Severity macOS Sandbox Escape Vulnerability | SecurityWeek.Com

• 5 API Vulnerabilities That Get Exploited by Criminals - Security Affairs

• Vulnerable SDK components lead to supply chain risks in IoT and OT environments - Microsoft Security Blog

Tools and Controls

• Does Zero Trust mean Defence in Depth is dead? - Information Security Buzz

• Charting the Path to Zero Trust: Where to Begin (darkreading.com)

Reports Published in the Last Week

• Threat actors extend attack techniques to new enterprise apps and services - Help Net Security

Other News

• Know thy enemy: thinking like a hacker can boost cyber security strategy | CSO Online

• 'Quiet quitting' poses a cyber security risk that calls for a shift in workplace culture  | VentureBeat

• Nighthawk Likely to Become Hackers' New Post-Exploitation Tool After Cobalt Strike (thehackernews.com)

• Security Culture Matters when IT is Decentralized (trendmicro.com)

• Legacy IT system modernization largely driven by security concerns - Help Net Security

• Been Doing It The Same Way For Years? Think Again. (thehackernews.com)

• Here's how to make sure your incident response strategy is ready for holiday hackers - Help Net Security

• Docker Hub repositories hide over 1,650 malicious containers (bleepingcomputer.com)

• Hacked digital billboard in Brisbane displays pornography for several minutes | Queensland | The Guardian

• The Case For A Security Program - Information Security Buzz

• How Tech Companies Can Slow Down Spike in Breaches (darkreading.com)

• Inventor of the Web Sir Tim Berners-Lee wants to save your data from Big Tech with Web3.0 | Euronews

• Deloitte reveals 10 strategic cyber security predictions for 2023  | VentureBeat

• The Biden administration has racked up a host of cyber security accomplishments | CSO Online

• US Navy Forced to Pay Software Company for Licensing Breach (gizmodo.com)

Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

·       Automotive

·       Construction

·       Critical National Infrastructure (CNI)

·       Defence & Space

·       Education & Academia

·       Energy & Utilities

·       Estate Agencies

·       Financial Services

·       FinTech

·       Food & Agriculture

·       Gaming & Gambling

·       Government & Public Sector (including Law Enforcement)

·       Health/Medical/Pharma

·       Hotels & Hospitality

·       Insurance

·       Legal

·       Manufacturing

·       Maritime

·       Oil, Gas & Mining

·       OT, ICS, IIoT, SCADA & Cyber-Physical Systems

·       Retail & eCommerce

·       Small and Medium Sized Businesses (SMBs)

·       Startups

·       Telecoms

·       Third Sector & Charities

·       Transport & Aviation

·       Web3

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities and cyber related news from the last week.

Top Cyber Headlines of the Week

Five Emerging Cyber-Threats to Watch Out for in 2021

What was the driving force behind your company’s digital strategy in 2020? Was it your CEO? Probably not. Your CTO or CISO? Perhaps.

For most organisations, it was COVID-19. In 2019, one company after another said: “work-from-home isn’t an option for us” or “we aren’t interested in shifting operations to the cloud.”

Then everything changed. The pandemic drove a massive shift towards remote work. For many companies, this wasn’t even an option — it was a case of ‘do or die.’

By April 2020, almost half of the American workforce was working from home. As organisations and employees become more comfortable with this, we shouldn’t expect a full return to the traditional in-office model anytime soon, if ever. Work-from-anywhere is the new way of doing business, with employees accessing cloud services, collaborative tools and remote systems from home and public networks – and not always through the safety of a VPN.

https://www.infosecurity-magazine.com/blogs/five-cyber-threats-2021/

Guernsey law firm fined £10,000 for data security breach

Trinity Chambers LLP sent private details about an individual and their family via emails and post, the Data Protection Authority (ODPA) found.

It said a lack of security had given "unconnected" third parties access to the data.

The breach of data by Trinity was the result of "repeated human error", an investigation found.

https://www.bbc.co.uk/news/world-europe-guernsey-54854333

Every employee has a cyber security blind spot

80% of companies say that an increased cyber security risk caused by human factors has posed a challenge during the COVID-19 pandemic, particularly in times of heightened stress.

This is a new report that explores the role employees and their personality play in keeping organisations safe from cyber threats. Including that:

·         Cyber crime has increased by 63% since the COVID-19 lockdown was introduced

·         Human error has been the biggest cyber security challenge during the COVID-19 pandemic, according to CISOs

·         Just a quarter of businesses consider their remote working strategy effective

·         47% of people are concerned about their ability to manage stress during the coronavirus crisis

https://www.helpnetsecurity.com/2020/11/09/cybersecurity-blind-spot/

Zoom settles FTC charges for misleading users about security features

Video conferencing software maker Zoom has reached a deal today with the US Federal Trade Commission to settle accusations that its misled users about some of its security features.

During the height of the COVID-19 pandemic, Zoom had attracted users to its platform with misleading claims that its product supported "end-to-end, 256-bit encryption" and that its service would store recorded calls in an encrypted format.

However, in a complaint filed earlier this year, the investigators found that Zoom's claims were deceptive.

Despite claiming to support end-to-end encrypted (E2EE) calls, Zoom didn't support E2EE calls in the classic meaning of the word.

https://www.zdnet.com/article/zoom-settles-ftc-charges-for-misleading-users-about-security-features/

Threats

Ransomware

How Ryuk Ransomware operators made $34 million from one victim

One hacker group that is targeting high-revenue companies with Ryuk ransomware received $34 million from one victim in exchange for the decryption key that unlocked their computers.

The threat actor is highly proficient at moving laterally inside a compromised network and erasing as much of their tracks as possible before detonating Ryuk ransomware.

https://www.bleepingcomputer.com/news/security/how-ryuk-ransomware-operators-made-34-million-from-one-victim/

Ransomware hits e-commerce platform X-Cart

E-commerce software vendor X-Cart suffered a ransomware attack at the end of October that brought down customer stores hosted on the company's hosting platform.

The incident is believed to have taken place after attackers exploited a vulnerability in a third-party software to gain access to X-Cart's store hosting systems.

https://www.zdnet.com/article/ransomware-hits-e-commerce-platform-x-cart

Linux version of RansomEXX ransomware discovered

A Linux version of the RansomEXX ransomware, marking the first time a major Windows ransomware strain has been ported to Linux to aid in targeted intrusions.

RansomEXX is a relatively new ransomware strain that was first spotted earlier this year in June.

https://www.zdnet.com/article/linux-version-of-ransomexx-ransomware-discovered/

Laptop mega-manufacturer Compal hit by DoppelPaymer ransomware – same one that hit German hospital

Compal, the world’s second-largest white-label laptop manufacturer, has been hit by the file-scrambling DoppelPaymer ransomware gang – and the hackers want $17m in cryptocurrency before they'll hand over the decryption key.

The Taiwanese factory giant, which builds systems for Apple, Lenovo, Dell, and HP, finally admitted malware infected its computers and encrypted its documents after first insisting it had suffered no more than an IT "abnormality" and that its staff had beaten off a cyber-attack.

https://www.theregister.com/2020/11/09/compal_ransomware_report/

Capcom hit by ransomware attack, is reportedly being extorted for $11 million

Earlier this week it emerged that third-party giant Capcom's internal systems had been hacked, though the company claimed that no customer data was affected.

 It has now emerged that the publisher was targeted by the Ragnar Locker ransomware, software designed to exfiltrate information from internal networks before encrypting the lot: at which point the victim is locked-out, contacted, and extorted.

https://www.pcgamer.com/capcom-hit-by-ransomware-attack-is-reportedly-being-extorted-for-pound11-million/

Business Email Compromise (BEC)

Jersey business targeted in £130,000 invoice scam

A Jersey building company has been targeted by a sophisticated impersonation scam, which saw fraudsters intercept more than £130,000 in invoice payments.

The owners, who wish to remain anonymous, said they were "left reeling" after realising their email correspondence with a customer had been hacked, and payments diverted to a scam bank account.

After taking swift action, they were able to recover all their money, but they now want to make sure other islanders do not fall victim. They are encouraging businesses in particular to be "extra vigilant".

https://www.itv.com/news/channel/2020-11-13/jersey-business-targeted-in-130000-invoice-scam

Phishing

Smishing attack tells you “mobile payment problem” – don’t fall for it!

As we’ve warned before, phishing via SMS, or smishing for short, is still popular with cybercriminals.

Sure, old-fashioned text messages have fallen out of favour for personal communications, superseded round the world by instant messaging apps such as WhatsApp, WeChat, Instagram, Telegram and Signal.

But for brief, one-off business communications such as “Your home delivery will arrive at 11:30 today” or “Your one-time login code is 217828”, SMS is still a popular and useful messaging system.

That’s because pretty much every mobile phone in the world can receive text messages, regardless of its age, feature set or ability to access the internet.

Even if you’ve got no credit to send messages or make calls, no third-party apps installed, and no Wi-Fi connectivity, SMSes sent to you will still show up.

https://nakedsecurity.sophos.com/2020/11/10/smishing-attack-tells-you-mobile-payment-problem-dont-fall-for-it/

Malware

Play Store identified as main distribution vector for most Android malware

The official Google Play Store has been identified as the primary source of malware installs on Android devices in a recent academic study — considered the largest one of its kind carried out to date.

Using telemetry data, researchers analysed the origin of app installations on more than 12 million Android devices for a four-month period between June and September 2019.

In total, researchers looked at more than 34 million APK (Android application) installs for 7.9 million unique apps.

https://www.zdnet.com/article/play-store-identified-as-main-distribution-vector-for-most-android-malware/

This new malware wants to add your Linux servers and IoT devices to its botnet

A new form of malware is targeting Linux servers and Internet of Things (IoT) devices and adding them to a botnet in what appears to be the first stage of a hacking campaign targeting cloud-computing infrastructure – although the purpose of the attacks remains unclear.

The malicious worm has been dubbed Gitpaste-12, reflecting on how it uses GitHub and Pastebin for housing component code and has 12 different means of compromising Linux-based x86 servers, as well as Linux ARM- and MIPS-based IoT devices.

https://www.zdnet.com/article/this-new-malware-wants-to-add-your-linux-servers-and-iot-devices-to-its-botnet/

New 'Ghimob' malware can spy on 153 Android mobile applications

Security researchers have discovered a new Android banking trojan that can spy and steal data from 153 Android applications.

Named Ghimob, the trojan is believed to have been developed by the same group behind the Astaroth (Guildma) Windows malware, according to a report published.

Distribution was never carried out via the official Play Store.

Instead, the Ghimob group used emails or malicious sites to redirect users to websites promoting Android apps.

https://www.zdnet.com/article/new-ghimob-malware-can-spy-on-153-android-mobile-applications/

Microsoft Teams Users Under Attack in ‘Fake Updates’ Malware Campaign

Attackers are using ads for fake Microsoft Teams updates to deploy backdoors, which use Cobalt Strike to infect companies’ networks with malware.

 The campaign is targeting various types of companies, with recent targets in the K-12 education sector, where organisations are currently dependent on using apps like Teams for videoconferencing due to COVID-19 restrictions.

Cobalt Strike is a commodity attack-simulation tool that’s used by attackers to spread malware, particularly ransomware. Recently, threat actors were seen using Cobalt Strike in attacks exploiting Zerologon, a privilege-elevation flaw that allows attackers to access a domain controller and completely compromise all Active Directory identity services.

https://threatpost.com/microsoft-teams-fakeupdates-malware/161071/

DDoS

DDoS attacks are cheaper and easier to carry out than ever before

DDoS attacks are getting more complex and more sophisticated while also getting cheaper and easier to carry out as cyber criminals take advantage of the sheer number of insecure internet-connected devices.

Distributed Denial of Service attacks have been a problem for many years, with cyber attackers gaining control of armies of devices and directing their internet traffic at targets in order to take the victim offline.

The disruption causes problems for both businesses and individual users who are prevented from accessing digital services they require – and that's especially a problem as 2020's coronavirus pandemic has forced people to be more reliant on digital services than ever before.

https://www.zdnet.com/article/ddos-attacks-are-cheaper-and-easier-to-carry-out-than-ever-before/

IoT

IoT security is a mess. These guidelines could help fix that

The supply chain around the Internet of Things (IoT) has become the weak link in cyber security, potentially leaving organisations open to cyber attacks via vulnerabilities they're not aware of. But a newly released set of guidelines aims to ensure that security forms part of the entire lifespan of IoT product development.

The Guidelines for Securing the IoT – Secure Supply Chain for IoT report from the European Union Agency for Cybersecurity (ENISA) sets out recommendations throughout the entire IoT supply chain to help keep organisations protected from vulnerabilities that can arise when building connected things.

https://www.zdnet.com/article/iot-security-is-a-mess-these-guidelines-could-help-fix-that/

Vulnerabilities

Windows 10 update created a major password problem

A temporary fix for a frustrating Windows 10 bug that prevents software from storing account credentials, meaning the user must re-enter their username and password each time they log-in.

The flaw is also said to delete cookies held in web browsers, preventing websites from memorising credentials and serving bespoke content to the user.

First reported in April, the issue is present in specific builds of Windows 10 version 2004 and affects applications such as Outlook, Chrome, Edge, OneDrive and more.

https://www.techradar.com/news/windows-10-update-made-a-right-mess-of-this-basic-password-feature

Colossal Intel Update Anchored by Critical Privilege-Escalation Bugs

A massive Intel security update this month addresses flaws across a myriad of products – most notably, critical bugs that can be exploited by unauthenticated cyber criminals in order to gain escalated privileges.

These critical flaws exist in products related to Wireless Bluetooth – including various Intel Wi-Fi modules and wireless network adapters – as well as in its remote out-of-band management tool, Active Management Technology (AMT).

Overall, Intel released 40 security advisories on Tuesday, each addressing critical-, high- and medium-severity vulnerabilities across various products. That by far trumps October’s Intel security update, which resolved one high-severity flaw.

https://threatpost.com/intel-update-critical-privilege-escalation-bugs/161087/

Hackers are exploiting unpatched VoIP flaws to compromise business accounts

A hacking campaign has compromised VoIP (Voice over Internet Protocol) phone systems at over 1,000 companies around the world over the past year in a campaign designed to make profit from selling compromised accounts.

While the main purpose appears to be dialling premium rate numbers owned by attackers or selling phone numbers and call plans that others can use for free, access to VoIP systems could provide cyber criminals with the ability to conduct other attacks, including listening to private calls, cryptomining, or even using compromised systems as a steppingstone towards much more intrusive campaigns.

One hacking group has compromised the VoIP networks of almost 1,200 organisations in over 20 countries by exploiting the vulnerability, with over half the victims in the UK. Industries including government, military, insurance, finance and manufacturing are believed to have fallen victim to the campaign

https://www.zdnet.com/article/hackers-are-exploiting-unpatched-voip-flaws-to-compromise-business-accounts/

Google patches two more Chrome zero-days

Google has released today Chrome version 86.0.4240.198 to patch two zero-day vulnerabilities that were exploited in the wild.

These two bugs mark the fourth and fifth zero-days that Google has patched in Chrome over the past three weeks.

The difference this time is that while the first three zero-days were discovered internally by Google security researchers, these two new zero-days came to Google's attention after tips from anonymous sources.

https://www.zdnet.com/article/google-patches-two-more-chrome-zero-days/

Data Breaches

Ticketmaster fined £1.25m over payment data breach

Ticketmaster UK has been fined £1.25m for failing to keep its customers' personal data secure.

The fine was issued by the Information Commissioner's Office (ICO) following a cyber-attack on the Ticketmaster website in 2018.

The ICO said personal information and payment details had potentially been stolen from more than nine million customers in Europe.

https://www.bbc.co.uk/news/technology-54931873

Millions of Hotel Guests Worldwide Caught Up in Mass Data Leak

A cloud misconfiguration affecting users of a popular reservation platform threatens travellers with identity theft, scams, credit-card fraud and vacation-stealing.

A widely used hotel reservation platform has exposed 10 million files related to guests at various hotels around the world, thanks to a misconfigured Amazon Web Services S3 bucket. The records include sensitive data, including credit-card details.

Prestige Software’s “Cloud Hospitality” is used by hotels to integrate their reservation systems with online booking websites like Expedia and Booking.com.

https://threatpost.com/millions-hotel-guests-worldwide-data-leak/161044/

DWP exposed 6,000 people’s data online for two years

The Department for Work and Pensions (DWP) has removed the personal details of thousands of people after they were exposed online for two years.

The files, published in March and June 2018, listed routine payments to the outsourcing giant Capita and included the National Insurance (NI) numbers of approximately 6,000 people, according to the Mirror. These individuals were believed to be applying for the disability benefit, PIP. No other personal data was exposed in the incident.

https://www.itpro.co.uk/security/data-breaches/357724/dwp-data-breach-exposed-6000-ni-numbers

Data breach at Mashable leaks users’ personal information online

Technology and culture news website Mashable have announced that the personal data of users has been discovered in a leaked database posted on the internet.

In a statement issued this week, Mashable confirmed that a database containing information from readers who made use of the platform’s social media sign-in feature had been found online.

The media company said that “a hacker known for targeting websites and apps” was responsible for the breach. The suspect has not been named.

Leaked data is said to include the full names, locations, email addresses, genders, IP addresses, and links to social media profiles of users.

https://portswigger.net/daily-swig/data-breach-at-mashable-leaks-users-nbsp-personal-information-online

Other News

Try to avoid thinking of the internet as a flashy new battlefield, warns former NCSC chief

https://www.theregister.com/2020/11/11/ciaran_martin_speech_cyber_policy/

Microsoft says three APTs have targeted seven COVID-19 vaccine makers

https://www.zdnet.com/article/microsoft-says-three-apts-have-targeted-seven-covid-19-vaccine-makers/

New stealthy hacker-for-hire group mimics state-backed attackers

https://www.bleepingcomputer.com/news/security/new-stealthy-hacker-for-hire-group-mimics-state-backed-attackers/

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.