Threat Intelligence Blog

Contact us to discuss any insights from our Blog, and how we can support you in a tailored threat intelligence report.

Black Arrow Admin Black Arrow Admin

Black Arrow Cyber Threat Briefing 07 October 2022

Black Arrow Cyber Threat Briefing 07 October 2022:

-Russian Sanctions Instigator Lloyd's Possibly Hit by Cyber Attack

-Former Uber Security Chief Convicted of Covering Up Data Breach

-First 72 Hours of Incident Response Critical to Taming Cyber Attack Chaos

-Email Defences Under Siege: Phishing Attacks Dramatically Improve

-Remote Services Are Becoming an Attractive Target for Ransomware

-Growing Reliance on Cloud Brings New Security Challenges

-Many IT Pros Don’t Think a Ransomware Attack Can Impact Microsoft 365 Data

-Ransomware Group Bypasses "Enormous" Range of EDR Tools

-MS Exchange Zero-Days: The Calm Before the Storm?

-Average Company with Data in the Cloud Faces $28 Million in Data-Breach Risk

-Secureworks Finds Network Intruders See Little Resistance

-Regulations, Laws and Accountability are Changing the Cyber Security Landscape

-This Year’s Biggest Cyber Threats

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

  • Russian Sanctions Instigator Lloyd's Possibly Hit by Cyber Attack

Lloyd’s of London, the London-based insurance market heavily involved in implementing sanctions against Russia, may have been hit by a cyber-attack. On Wednesday, October 5, 2022, the British insurance market revealed it had detected “unusual activity” on its systems and has turned off all external connectivity “as a precautionary measure.”

“We have informed market participants and relevant parties, and we will provide more information once our investigations have concluded,” said a Lloyd’s spokesperson.

The company did not comment on whether or not it has been contacted by hackers, if a ransom demand has been issued, or on the possible source of the attack.

However, the insurance market has been closely involved with the design and implementation of sanctions imposed on Russia in response to its invasion of Ukraine – a potential motive for the attack. Lloyd’s itself has confirmed it was working closely with British and international governments to implement such sanctions.

Around 100 insurance syndicates operate at Lloyd's.

Earlier in 2022, Lloyd’s instructed its 76 insurance syndicates to remove “nation-state-backed cyber attacks” from insurance policies by March 2023, as well as losses “arising from a war.”

https://www.infosecurity-magazine.com/news/lloyds-possibly-hit-by-cyberattack/

  • Former Uber Security Chief Convicted of Covering Up Data Breach

Uber’s former head of security has been convicted of covering up a 2016 data breach at the rideshare giant, hiding details from US regulators and paying off a pair of hackers in return for their discretion.

The trial, closely watched in cyber security circles, is believed to be the first criminal prosecution of a company executive over the handling of a data breach.

Joe Sullivan, who was fired in 2017 over the incident, was found guilty by a San Francisco jury of obstructing an investigation by the Federal Trade Commission. At the time of the 2016 breach, the regulator had been investigating the car-booking service over a different cyber security lapse that had occurred two years earlier.

Jurors also convicted Sullivan of a second count related to having knowledge of but failing to report the 2016 breach to the appropriate government authorities. The incident eventually became public in 2017 when Dara Khosrowshahi, who had just taken over as chief executive, disclosed details of the attack.

Prosecutors said Sullivan had taken steps to make sure data compromised in the attack would not be revealed. According to court documents, two hackers approached Sullivan’s team to notify Uber of a security flaw that exposed the personal information of almost 60mn drivers and riders on the platform.

https://www.ft.com/content/051af6a1-41d1-4a6c-9e5a-d23d46b2a9c9

  • First 72 Hours of Incident Response Critical to Taming Cyber Attack Chaos

Cyber security professionals tasked with responding to attacks experience stress, burnout, and mental health issues that are exacerbated by a lack of breach preparedness and sufficient incident response practice in their organisations.

A new IBM Security-sponsored survey published this week found that two-thirds (67%) of incident responders suffer stress and anxiety during at least some of their engagements, while 44% have sacrificed the well-being of their relationships, and 42% have suffered burnout, according to the survey conducted by Morning Consult. In addition, 68% of incidents responders often have to work on two or more incidents at the same time, increasing their stress, according to the survey's results.

Companies that plan and practice responding to a variety of incidents can lower the stress levels of their incident responders, employees, and executives, says John Dwyer, head of research for IBM Security's X-Force response team.

"Organisations are not effectively establishing their response strategies with the responders in mind — it does not need to be as stressful as it is," he says. "There is a lot of time when the responders are managing organisations during an incident, because those organisations were not prepared for the crisis that occurs. These attacks happen every day."

The IBM Security-funded study underscores why the cyber security community has focused increasingly on the mental health of its members. About half (51%) of cyber security defenders have suffered burnout or extreme stress in the past year, according to a VMware survey released in August 2021. Cyber security executives have also spotlighted the issue as one that affects the community and companies' ability to retain skilled workers.

https://www.darkreading.com/attacks-breaches/incident-response-s-first-72-hours-critical-to-taming-chaos

  • Email Defences Under Siege: Phishing Attacks Dramatically Improve

This week's report that cyber attackers are laser-focused on crafting attacks specialised to bypass Microsoft's default security showcases an alarming evolution in phishing tactics, security experts said this week.

Threat actors are getting better at slipping phishing attacks through the weak spots in platform email defences, using a variety of techniques, such as zero-point font obfuscation, hiding behind cloud-messaging services, and delaying payload activation, for instance. They're also doing more targeting and research on victims.

As a result, nearly 1 in 5 phishing emails (18.8%) bypassed Microsoft's platform defences and landed in workers' inboxes in 2022, a rate that increased 74% compared to 2020, according to research published by cyber security firm Check Point Software. Attackers increasingly used techniques to pass security checks, such as Sender Policy Framework (SPF), and obfuscate functional components of an e-mail, such as using zero-size fonts or hiding malicious URLs from analysis.

The increasing capabilities of attackers is due to the better understanding of current defences, says Avanan, an email security firm acquired by Check Point in August 2021.

"It is a family of 10 to 20 techniques, but they all lead to the objective of deceiving a company's security layers," he says. "The end result is always an email that looks genuine to the recipient but looks different to the algorithm that analyses the content."

Microsoft declined to comment on the research. However, the company has warned of advanced techniques, such as adversary-in-the-middle phishing (AiTM), which uses a custom URL to place a proxy server between a victim and their desired site, allowing the attacker to capture sensitive data, such as usernames and passwords. In July, the company warned that more than 10,000 organisations had been targeted during one AiTM campaign.

https://www.darkreading.com/remote-workforce/email-defenses-under-siege-phishing-attacks-dramatically-improve

  • Remote Services Are Becoming an Attractive Target for Ransomware

Stolen credentials are no longer the number one initial access vector for ransomware operators looking to infect a target network and its endpoints - instead, they’ve become more interested in exploiting vulnerabilities found in internet-facing systems.

A report from Secureworks claims ransomware-as-a-service developers are quick to add newly discovered vulnerabilities into their arsenals, allowing even less competent hackers to exploit them swiftly, and with relative ease.

In fact, the company's annual State of the Threat Report reveals that flaw exploitation in remote services accounted for 52% of all ransomware incidents the company analysed over the last 12 months.

Besides remote services, Secureworks also spotted a 150% increase in the use of infostealers, which became a “key precursor” to ransomware. Both these factors, the report stresses, kept ransomware as the number one threat for businesses of all sizes, “who must fight to stay abreast of the demands of new vulnerability prioritisation and patching”.

All things considered, ransomware is still the biggest threat for businesses. It takes up almost a quarter of all attacks that were reported in the last 12 months, Secureworks says, and despite law enforcement being actively involved, operators remained highly active.

https://www.techradar.com/news/remote-services-are-becoming-an-attractive-target-for-ransomware

  • Growing Reliance on Cloud Brings New Security Challenges

There was a time when cloud was just a small subset of IT infrastructure, and cloud security referred to a very specific set of tasks. The current reality is very different, organisations are heavily dependent on cloud technologies and cloud security has become a much more complex endeavour.

Organisations increasingly rely on the cloud to deliver new applications, reduce costs, and support business operations. One in every four organisations already have majority workloads in the cloud, and 44% of workloads currently run in some form of public cloud, says Omdia, a research and advisory group.

Practically every midsize and large organisation now operates in some kind of a hybrid cloud environment, with a mix of cloud and on-premises systems. For most organisations, software-as-a-service constitute the bulk (80%) of their cloud environments, followed by infrastructure-as-a-service and platform-as-a-service deployments.

In the past, cloud security conversations tended to focus on making sure cloud environments are being configured properly, but cloud security nowadays goes far beyond just configuration management. The sprawling cloud environment means security management has to be centralised, Omdia said. Security functions also need to be integrated into existing application deployment workflows.

On top of all of this, multicloud is becoming more common among organisations as they shift their workloads to avoid being dependent on a single platform. The three major cloud providers – Amazon Web Services, Microsoft Azure, and Google Cloud Platform – account for 65% of the cloud market.

https://www.darkreading.com/dr-tech/growing-reliance-on-cloud-brings-new-security-challenges

  • Many IT Pros Don’t Think a Ransomware Attack Can Impact Microsoft 365 Data

The 2022 Ransomware Report, which surveyed over 2,000 IT leaders, revealed that 24% have been victims of a ransomware attack, with 20% of attacks happening in the last year.

Cyber attacks are happening more frequently. Last year’s ransomware survey revealed that 21% of companies experienced an attack. This year it rose by three percent to 24%.

“Attacks on businesses are increasing, and there is a shocking lack of awareness and preparation by IT pros. Our survey shows that many in the IT community have a false sense of security. As bad actors develop new techniques, companies like ours have to do what it takes to come out ahead and protect businesses around the world,” said Hornetsecurity.

The report highlighted a lack of knowledge on the security available to businesses. 25% of IT professionals either don’t know or don’t think that Microsoft 365 data can be impacted by a ransomware attack.

Just as worryingly, 40% of IT professionals that use Microsoft 365 in their organisation admitted they do not have a recovery plan in case their Microsoft 365 data was compromised by a ransomware attack.

“Microsoft 365 is vulnerable to phishing attacks and ransomware attacks, but with the help of third-party tools, IT admins can backup their Microsoft 365 data securely and protect themselves from such attacks,” said Hofmann.

https://www.helpnetsecurity.com/2022/10/03/ransomware-attack-impact-microsoft-365-data/

  • Ransomware Group Bypasses "Enormous" Range of EDR Tools

A notorious ransomware group has been spotted leveraging sophisticated techniques to bypass endpoint detection and response (EDR) tools.

BlackByte, which the US government has said poses a serious threat to critical infrastructure, used a “Bring Your Own Driver” technique to circumvent over 1000 drivers used by commercially available EDR products, according to Sophos. The UK cyber security vendor explained in a new report that the group had exploited a known vulnerability, CVE-2019-16098, in Windows graphics utility driver RTCorec6.sys. This enabled it to communicate directly with a victim system’s kernel and issue commands to disable callback routines used by EDR tools.

The group also used EDR bypass techniques borrowed from open source tool EDRSandblast to deactivate the Microsoft-Windows-Threat-Intelligence ETW (Event Tracing for Windows) provider. This is a Windows feature “that provides logs about the use of commonly maliciously abused API calls such as NtReadVirtualMemory to inject into another process’s memory,” explained Sophos. Neutralising it in this way renders any security tool relying on the feature also useless, the firm argued.

“If you think of computers as a fortress, for many EDR providers, ETW is the guard at the front gate,” said Sophos. “If the guard goes down, then that leaves the rest of the system extremely vulnerable. And, because ETW is used by so many different providers, BlackByte’s pool of potential targets for deploying this EDR bypass is enormous.”

BlackByte is not the only ransomware group using these advanced techniques to get around existing detection tools, illustrating the continued arms race between attackers and defenders. AvosLocker used a similar method in May, Sophos said. “Anecdotally, from what we’re seeing in the field, it does appear that EDR bypass is becoming a more popular technique for ransomware threat groups,” the firm confirmed. “This is not surprising. Threat actors often leverage tools and techniques developed by the ‘offensive security’ industry to launch attacks faster and with minimal effort.”

https://www.infosecurity-magazine.com/news/ransomware-bypasses-enormous-range/

  • MS Exchange Zero-Days: The Calm Before the Storm?

Two exploited MS Exchange zero-days that still have no official fix, have been added to CISA’s Known Exploited Vulnerabilities (KEV) Catalog.

But mitigating the risk of exploitation until patches are ready will require patience and doggedness, as Microsoft is still revising its advice to admins and network defenders, and still working on the patches.

The two vulnerabilities were publicly documented last Wednesday, by researchers with Vietnamese company GTSC, and Microsoft soon after sprung into (discernible) action by offering customer guidance, followed by an analysis of the attacks exploiting the two vulnerabilities. Several changes have been made to the documents since then, after the company found and other researchers pointed out several shortcomings.

Microsoft says its threat analysts observed “activity related to a single activity group in August 2022 that achieved initial access and compromised Exchange servers by chaining CVE-2022-41040 and CVE-2022-41082 in a small number of targeted attacks,” and that the attackers breached fewer than 10 organisations globally. “MSTIC assesses with medium confidence that the single activity group is likely to be a state-sponsored organisation,” they added.

The other good news is there are still no public exploits for the two vulnerabilities. But, Microsoft says, “Prior Exchange vulnerabilities that require authentication have been adopted into the toolkits of attackers who deploy ransomware, and these vulnerabilities are likely to be included in similar attacks due to the highly privileged access Exchange systems confer onto an attacker.”

Enterprise defenders should expect trouble via this attack path in the near future, it seems, so keeping abreast of the changing situation and springing into action as quickly as possible once the patches are made available is advised. Scammers have since started impersonating security researchers and offering non-existing PoC exploits for CVE-2022-41082 for sale via GitHub

https://www.helpnetsecurity.com/2022/10/03/ms-exchange-cve-2022-41040-cve-2022-41082/

  • Average Company with Data in the Cloud Faces $28 Million in Data-Breach Risk

Hard-to-control collaboration, complex SaaS permissions, and risky misconfigurations — such as admin accounts without multi-factor authentication (MFA) — have left a dangerous amount of cloud data exposed to insider threats and cyber attacks, according to Varonis.

For the report, researchers analysed nearly 10 billion cloud objects (more than 15 petabytes of data) across a random sample of data risk assessments performed at more than 700 companies worldwide. In the average company, 157,000 sensitive records are exposed to everyone on the internet by SaaS sharing features, representing $28 million in data-breach risk, Varonis researchers have found.

One out of every 10 records in the cloud is exposed to all employees — creating an impossibly large internal blast radius, which maximises damage during a ransomware attack. The average company has 4,468 user accounts without MFA enabled, making it easier for attackers to compromise internally exposed data.

Out of 33 super admin accounts in the average organisation, more than half did not have MFA enabled. This makes it easier for attackers to compromise these powerful accounts, steal more data, and create backdoors. Companies have more than 40 million unique permissions across SaaS applications, creating a nightmare for IT and security teams responsible for managing and reducing cloud data risk.

“Cloud security shouldn’t be taken for granted. When security teams lack critical visibility to manage and protect SaaS and IaaS apps and services, it’s nearly impossible to ensure your data isn’t walking out the door,” said Varonis. “This report is a true-to-life picture of over 700 real-world risk assessments of production SaaS environments. The results underscore the urgent need for CISOs to uncover and remediate their cloud risk as quickly as possible.”

https://www.helpnetsecurity.com/2022/10/05/company-data-breach-risk/

  • Secureworks Finds Network Intruders See Little Resistance

Attackers who break into networks only need to take a few basic measures in order to avoid detection.

Security vendor Secureworks said in its annual State of the Threat report that it observed several data breaches between June 2021 and June 2022 and found that, by and large, once network intruders gained a foothold on the targets' environment, they had to do relatively little to stay concealed.

"One thing that is notable about them is that none of these techniques are particularly sophisticated," the vendor said. "That is because threat actors do not need them to be; the adversary will only innovate enough to achieve their objectives. So there is a direct relationship between the maturity of the controls in a target environment and the techniques they employ to bypass those controls."

Among the more basic measures taken by the attackers was coding their tools in newer languages such as Go or Rust. This tweak created enough of a difference in the software to evade signature-checking tools, according to Secureworks' report. In other cases, the network intruders hid their activity by packing their malware within a trusted Windows installer or by sneaking it into the Authenticode signature of a trusted DLL. In another case, a malware infection was seen moving data out of the victim's network via TOR nodes. While effective, Secureworks said the techniques are hardly innovative. Rather, they indicate that threat actors find themselves only needing to do the bare minimum to conceal themselves from detection.

https://www.techtarget.com/searchsecurity/news/252525696/Secureworks-finds-network-intruders-see-little-resistance

  • Regulations, Laws and Accountability are Changing the Cyber Security Landscape

As cyber criminals continue to develop new ways to wreak havoc, regulators have been working to catch up. They aim to protect data and consumers while avoiding nation-state attacks that are a risk to national and economic security. But some of these regulations may provide an opportunity for MSSPs.

Some of these regulations are a response to what’s generally been a hands-off approach to telling organisations what to do. Unfortunately, cyber security isn’t always prioritised when budgets and resources are allocated. The result is a steadily rising tide of breaches and exploits that have held organisations hostage and made private information available on the dark web.

The new regulations are coming from all directions: at the state and federal levels in the US and around the world. While many of these regulations aren’t yet final, there’s no reason not to start aligning with where trends will ease the impact of changing rules. At the same time, many organisations want to hold the government responsible for some kinds of attacks. It will be interesting to see how regulating works, as most politicians and bureaucrats aren’t known for their technological savvy.

In the US, for example, new regulations are in development in the Federal Trade Commission, Food and Drug Administration, Department of Homeland Security, Department of Transportation, Department of Energy, and the Cybersecurity and Infrastructure Security Agency. Thirty-six states have enacted cyber security legislation, and the count increases as other countries join.

One of the motivating factors for all these new regulations is that most cyber attacks aren’t reported. Lawmakers realise cyber security threats continue to be one of the top national security and economic risks. In the last year and a half (2020-2022), there have been attacks on America’s gas supply, meat supply, and various other companies, courts, and government agencies. One FBI cyber security official estimated the government only learns about 20% to 25% of intrusions at US business and academic institutions.

In March, Congress passed legislation requiring critical infrastructure operators to report significant cyber attacks to CISA within 72 hours of learning about the attack. It also required them to report a ransomware payment within 24 hours. These regulations will also consider reporting “near misses” so that this data can also be studied and tracked. The problem is, how does one define a “near miss”?

https://www.msspalert.com/cybersecurity-guests/regulations-laws-and-accountability-are-changing-the-cybersecurity-landscape/

  • This Year’s Biggest Cyber Threats

OpenText announced the Nastiest Malware of 2022, a ranking of the year’s biggest cyber threats. For the fifth year running, experts combed through the data, analysed different behaviours, and determined which malicious payloads are the nastiest.

Emotet regained its place at the top, reminding the world that while affiliates may be taken down, the masterminds are resilient. LockBit evolved its tactics into something never seen before: triple extortion. Analysis also revealed an almost 1100% increase in phishing during the first four months of 2022 compared to the same period in 2021, indicating a possible end to the “hacker holiday,” a hacker rest period following the busy holiday season.

“The key takeaway from this year’s findings is that malware remains centre stage in the threats posed towards individuals, businesses, and governments,” said OpenText.

“Cyber criminals continue to evolve their tactics, leaving the infosec community in a constant state of catch-up. With the mainstream adoption of ransomware payloads and cryptocurrency facilitating payments, the battle will continue. No person, no business—regardless of size—is immune to these threats.”

While this year’s list may designate payloads into different categories of malware, it’s important to note many of these bad actor groups contract work from others. This allows each group to specialise in their respective payload and perfect it.

https://www.helpnetsecurity.com/2022/10/06/2022-nastiest-malware/


Threats

Ransomware and Extortion

BEC – Business Email Compromise

Phishing & Email Based Attacks

Other Social Engineering; Smishing, Vishing, etc

Malware

Mobile

Internet of Things – IoT

Data Breaches/Leaks

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

Insider Risk and Insider Threats

Fraud, Scams & Financial Crime

Deepfakes

Supply Chain and Third Parties

Denial of Service DoS/DDoS

Cloud/SaaS

Encryption

API

Open Source

Passwords, Credential Stuffing & Brute Force Attacks

Privacy, Surveillance and Mass Monitoring

Regulations, Fines and Legislation

Models, Frameworks and Standards

Secure Disposal

Backup and Recovery

Law Enforcement Action and Take Downs

Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine







Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

·       Automotive

·       Construction

·       Critical National Infrastructure (CNI)

·       Defence & Space

·       Education & Academia

·       Energy & Utilities

·       Estate Agencies

·       Financial Services

·       FinTech

·       Food & Agriculture

·       Gaming & Gambling

·       Government & Public Sector (including Law Enforcement)

·       Health/Medical/Pharma

·       Hotels & Hospitality

·       Insurance

·       Legal

·       Manufacturing

·       Maritime

·       Oil, Gas & Mining

·       OT, ICS, IIoT, SCADA & Cyber-Physical Systems

·       Retail & eCommerce

·       Small and Medium Sized Businesses (SMBs)

·       Startups

·       Telecoms

·       Third Sector & Charities

·       Transport & Aviation

·       Web3


As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Read More
Black Arrow Admin Black Arrow Admin

Black Arrow Cyber Threat Briefing 01 July 2022

Black Arrow Cyber Threat Briefing 01 July 2022:

-Ransomware Is the Biggest Global Cyber Threat. And The Attacks Are Still Evolving

-Study Reveals Traditional Data Security Tools Have a 60% Failure Rate Against Ransomware and Extortion

-Patchable and Preventable Security Issues Lead Causes of Q1 Attacks

-Three in Four Vulnerability Management Programs Ineffective, NopSec Research Finds

-EMEA Continues to Be a Hotspot for Malware Threats

-A New, Remarkably Sophisticated Malware Is Attacking Home and Small Office Routers

-What Are Shadow IDs, and How Are They Crucial in 2022?

-Zero-Days Aren't Going Away Anytime Soon & What Leaders Need to Know

-Half of 2022's Zero-Days Are Variants of Previous Vulnerabilities

-Human Error Remains the Top Security Issue

-Carnival Cruises Torpedoed by US States, Agrees to Pay $6m After Wave of Cyber Attacks

-Uber Ex-Security Chief Accused of Hacking Coverup Must Face Fraud Charges, Judge Rules

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

  • Ransomware Is the Biggest Global Cyber Threat. And The Attacks Are Still Evolving

Ransomware is the biggest cyber security threat facing the world today, with the potential to significantly affect whole societies and economies – and the attacks are unrelenting, the head of the National Cyber Security Centre (NCSC) has warned.

"Even with a war raging in Ukraine – the biggest global cyber threat we still face is ransomware. That tells you something of the scale of the problem. Ransomware attacks strike hard and fast. They are evolving rapidly, they are all-pervasive, they're increasingly offered by gangs as a service, lowering the bar for entry into cyber crime," said Lindy Cameron, CEO of the NCSC in a speech at Tel Aviv Cyber Week.

She added that the NCSC has dealt with "nationally significant incidents" along with hundreds of general cyber incidents that "affect the UK more widely every year".

While she didn't detail any specific instances of responding to ransomware incidents, Cameron warned that "these complex attacks have the potential to affect our societies and economies significantly", and implied that if it weren't for the work of NCSC incident responders, alongside their counterparts in the industry and international counterparts, the attacks could have had a major impact.

https://www.zdnet.com/article/ransomware-attacks-are-the-biggest-global-cyber-threat-and-still-evolving-warns-cybersecurity-chief/

  • Study Reveals Traditional Data Security Tools Have a 60% Failure Rate Against Ransomware and Extortion

Titaniam, Inc., the data security platform, announced the ‘State of Data Exfiltration & Extortion Report.’ The survey revealed that while over 70% of organisations have an existing set of prevention, detection, and backup solutions, nearly 40% of organisations have been hit with ransomware attacks in the last year, and more than 70% have experienced one in the previous five years, proving existing solutions to be woefully inadequate in managing the risks and impacts from these attacks.

Data exfiltration during ransomware attacks is up 106% relative to where it was five years ago. We are seeing the emergence of a new trend where cyber criminals are no longer limiting themselves to just encrypting entire systems—they are making sure to steal data ahead of the encryption so that they can have additional leverage on the victim. The survey found that 65% of those who have experienced a ransomware attack have also experienced data theft or exfiltration due to the incident. Of those victims, 60% say the hackers used the data theft to extort them further, known as double extortion. Most of them, i.e., 59% of victims, paid the hackers, implying that they were not helped by their backup or data security tools to prevent this fate.

Data is being exposed for theft and extortion in other ways too. Nearly half (47%) uncovered publicly exposed data in their systems in the last 24 months. It was found that respondents have a mix of data security & protection (78%), prevention & detection (75%), and backup and recovery (73%) in their cyber security stacks. Still, exposure and extortion numbers imply a missing puzzle piece regarding attacks.

https://www.darkreading.com/attacks-breaches/study-reveals-traditional-data-security-tools-have-a-60-failure-rate-against-ransomware-and-extortion

  • Patchable and Preventable Security Issues Lead Causes of Q1 Attacks

Attacks against companies spiked in Q1 2022 with patchable and preventable external vulnerabilities responsible for the bulk of attacks.

Eighty-two percent of attacks on organisations in Q1 2022 were caused by the external exposure of known vulnerabilities in the victim’s external-facing perimeter or attack surface. Those unpatched bugs overshadowed breach-related financial losses tied to human error, which accounted for 18 percent.

The numbers come from Tetra Defense and its quarterly report that sheds light on a notable uptick in cyber attacks against United States organisations between January and March 2022.

The report did not let employee security hygiene, or a lack thereof, off the hook. Tetra revealed that a lack of multi-factor authentication (MFA) mechanisms adopted by firms and compromised credentials are still major factors in attacks against organisations.

https://threatpost.com/lead-causes-of-q1-attacks/180096/

  • Three in Four Vulnerability Management Programs Ineffective

How at risk are organisations to unsecured vulnerabilities in their networks? NopSec, a threat and exposure management provider, gives us the answers in a new study of some 430 cyber security professionals.

Are security teams finding successful approaches to their vulnerability management, or are “open doors around their attack surface” leaving them susceptible to disaster in their organisation? The answer, as it turns out, is that some organisations are better at detection, response and remediation of their vulnerabilities.

Perhaps more importantly, others are not as locked down as they believe, according to the report. Keeping track of known vulnerabilities and responding quickly is one thing, but locating flaws they did not previously know existed is quite another.

Seventy percent of respondent say their vulnerability management program (VMP) is only somewhat effective or worse, blind spots and shadow IT remain top challenges, and vulnerabilities take too long to patch.

https://www.msspalert.com/cybersecurity-research/three-in-four-vulnerability-management-programs-ineffective-study-finds/

  • EMEA Continues to Be a Hotspot for Malware Threats

Ransomware detections in the first quarter of this year doubled the total volume reported for 2021, according to the latest quarterly Internet Security Report from the WatchGuard Threat Lab. Researchers also found that the Emotet botnet came back in a big way, the infamous Log4Shell vulnerability tripled its attack efforts and malicious cryptomining activity increased.

Although findings from the Threat Lab’s Q4 2021 report showed ransomware attacks trending down year over year, that all changed in Q1 2022 with a massive explosion in ransomware detections. While Q4 2021 saw the downfall of the infamous REvil cybergang, WatchGuard analysis suggests that this opened the door for the LAPSUS$ extortion group to emerge, which along with many new ransomware variants such as BlackCat – the first known ransomware written in the Rust programming language – could be contributing factors to an ever-increasing ransomware and cyber-extortion threat landscape.

The report also shows that EMEA continues to be a hotspot for malware threats. Overall regional detections of basic and evasive malware show WatchGuard Fireboxes in EMEA were hit harder than those in North, Central and South America (AMER) at 57% and 22%, respectively, followed by Asia-Pacific (APAC) at 21%.

https://www.helpnetsecurity.com/2022/06/30/emea-malware-threats/

  • A New, Remarkably Sophisticated Malware Is Attacking Home and Small Office Routers

An unusually advanced hacking group has spent almost two years infecting a wide range of routers in North America and Europe with malware that takes full control of connected devices running Windows, macOS, and Linux, researchers reported on June 28.

So far, researchers from Lumen Technologies' Black Lotus Labs say they've identified at least 80 targets infected by the stealthy malware, including routers made by Cisco, Netgear, Asus, and DrayTek. Dubbed ZuoRAT, the remote access Trojan is part of a broader hacking campaign that has existed since at least the fourth quarter of 2020 and continues to operate.

The discovery of custom-built malware written for the MIPS architecture and compiled for small-office and home-office routers is significant, particularly given its range of capabilities. Its ability to enumerate all devices connected to an infected router and collect the DNS lookups and network traffic they send and receive, and remain undetected, is the hallmark of a highly sophisticated threat actor.

"While compromising small office/home office (SOHO) routers as a vector to gain access to an adjacent LAN is not a novel technique, it has seldom been reported," Black Lotus Labs researchers wrote. "Similarly, reports of person-in-the-middle style attacks, such as DNS and HTTP hijacking, are even rarer and a mark of a complex and targeted operation. The use of these two techniques congruently demonstrated a high level of sophistication by a threat actor, indicating that this campaign was possibly performed by a state-sponsored organisation."

The campaign comprises at least four pieces of malware, three of them written from scratch by the threat actor. The first piece is the MIPS-based ZuoRAT, which closely resembles the Mirai internet-of-things malware that achieved record-breaking distributed denial-of-service attacks that crippled some Internet services for days. ZuoRAT often gets installed by exploiting unpatched vulnerabilities in SOHO devices.

https://www.wired.com/story/zuorat-trojan-malware-hacking-routers/

  • What Are Shadow IDs, and How Are They Crucial in 2022?

Just before last Christmas, in a first-of-a-kind case, JPMorgan was fined $200M for employees using non-sanctioned applications for communicating about financial strategy. No mention of insider trading, naked shorting, or any malevolence. Just employees circumventing regulation using, well, Shadow IT. Not because they tried to obfuscate or hide anything, simply because it was a convenient tool that they preferred over any other sanctioned products (which JPMorgan certainly has quite a few of.)

Visibility into unknown and unsanctioned applications has been required by regulators and also recommended by the Center for Internet Security community for a long time. Yet it seems that new and better approaches are still in demand. Gartner has identified External Attack Surface Management, Digital Supply Chain Risk, and Identity Threat Detection as the top three trends to focus on in 2022, all of which are closely intertwined with Shadow IT.

"Shadow IDs," or in other words, unmanaged employee identities and accounts in third-party services, are often created using a simple email-and-password-based registration. Cloud access security broker (CASB) and corporate single-sign-on (SSO) solutions are limited to a few sanctioned applications, and are not widely adopted on most websites and services either. This means, that a large part of an organisation's external surface - as well as its user identities - may be completely invisible.

https://thehackernews.com/2022/06/what-are-shadow-ids-and-how-are-they.html

  • Zero-Days Aren't Going Away Anytime Soon, and What Leaders Need to Know

Few security exploits are the source of more sleepless nights for security professionals than zero-day attacks. Just recently, researchers discovered a new vulnerability enabling hackers to achieve remote code execution within Microsoft Office. Dubbing the evolving threat the Follina exploit, researchers say all versions of Office are at risk. And because the internal security teams have no time to prepare or patch their systems to defend against these software vulnerabilities, crafty threat actors can take advantage, taking their time after they've accessed an organisation's environment to observe and exfiltrate data while remaining completely unseen.

And though sophisticated threat actors and nations have exploited zero-days for nearly two decades, last year saw a historic rise in the number of vulnerabilities detected. Both Google and Mandiant tracked a record number of zero-days last year, with the caveat that more zero-days are being discovered because security companies are getting better at finding them — not necessarily because hackers are coming up with new vulnerabilities. Not all zero-days are created equal, though. Some require sophisticated and novel techniques, like the attack on SolarWinds, and others exploit simple vulnerabilities in commonly used programs like Windows. Thankfully, there's some basic cyber hygiene strategies that can keep your organisation sufficiently prepared to mitigate zero-day exploits.

https://www.darkreading.com/attacks-breaches/zero-days-aren-t-going-away-anytime-soon-and-what-leaders-need-to-know

  • Half of 2022's Zero-Days Are Variants of Previous Vulnerabilities

Google Project Zero has observed a total of 18 exploited zero-day vulnerabilities in the first half of 2022, at least half of which exist because previous bugs were not properly addressed.

According to Google Project Zero researcher Maddie Stone, nine of the in-the-wild zero-days seen so far this year could have been prevented had organisations applied more comprehensive patching.

“On top of that, four of the 2022 zero-days are variants of 2021 in-the-wild zero-days. Just 12 months from the original in-the-wild zero-day being patched, attackers came back with a variant of the original bug,” Stone says.

The most recent of these issues is the Follina vulnerability in the Windows platform. Tracked as CVE-2022-30190, it is a variant of an MSHTML zero-day tracked as CVE-2021-40444.

CVE-2022-21882 is another Windows vulnerability that is a variant of an in-the-wild zero-day that was improperly resolved last year, namely CVE-2021-1732.

An iOS IOMobileFrameBuffer bug (CVE-2022-22587) and a type confusion flaw in Chrome’s V8 engine (CVE-2022-1096) are two other zero-days that are variants of exploited security flaws found last year – CVE-2021-30983 and CVE-2021-30551, respectively.

Other 2022 zero-days that are variants of improperly addressed security defects are CVE-2022-1364 (Chrome), CVE-2022-22620 (WebKit), CVE-2021-39793 (Google Pixel), CVE-2022-26134 (Atlassian Confluence), and CVE-2022-26925 (Windows flaw called PetitPotam).

https://www.securityweek.com/google-half-2022s-zero-days-are-variants-previous-vulnerabilities

  • Human Error Remains the Top Security Issue

Human error remains the most effective vector for conducting network infiltrations and data breaches.

The SANS Institute security centre issued its annual security awareness report Wednesday, which was based on data from 1,000 infosec professionals and found that employees and their lack of security training remain common points of failure for data breaches and network attacks. The report also tracked the maturity level of respondents' security awareness programs and their effectiveness in reducing human risk.

"This year's report once again identifies what we have seen over the past three years: that the most mature security awareness programs are those that have the most people dedicated to managing and supporting it," the cyber security training and education organisation said.

"These larger teams are more effective at working with the security team to identify, track, and prioritise their top human risks, and at engaging, motivating, and training their workforce to manage those risks."

The SANS Institute study ranked maturity by five levels, from lowest to highest: nonexistent, compliance-focused, promoting awareness and behaviour change, long-term sustainment and culture change, and metrics framework. The report found that while approximately 400 respondents said their programs promote awareness and behaviour change - the highest such response for any maturity level - the number represented a 10% decrease from the previous year's report.

https://www.techtarget.com/searchsecurity/news/252522226/SANS-Institute-Human-error-remains-the-top-security-issue

  • Carnival Cruises Torpedoed by US States, Agrees to Pay $6m After Wave of Cyber Attacks

Carnival Cruise Lines will cough up more than $6 million to end two separate lawsuits filed by 46 states in the US after sensitive, personal information on customers and employees was accessed in a string of cyber attacks.

A couple of years ago, as the coronavirus pandemic was taking hold, the Miami-based business revealed intruders had not only encrypted some of its data but also downloaded a collection of names and addresses; Social Security info, driver's license, and passport numbers; and health and payment information of thousands of people in almost every American state.

It all started to go wrong more than a year prior, as the cruise line became aware of suspicious activity in May 2019. This apparently wasn't disclosed until 10 months later, in March 2020.

Back in 2019, the security operations team spotted an internal email account sending spam to other addresses. It turned out miscreants had hijacked 124 employee Microsoft Office 365 email accounts, and were using them to send phishing emails to harvest more credentials. This, we're told, gave the intruders access to personal data on 180,000 Carnival employees and customers. It's likely the miscreants first broke in using phishing mails or brute-forcing passwords; either way, there was no multi-factor authentication.

Then in August 2020, the company said it was hit with the aforementioned ransomware, and copies of its files were siphoned. In January 2021, it was infected again with malware, and again sensitive information – specifically, customer passport numbers and dates of birth, and employee credit card numbers – were downloaded. And in March that year, a staffer's work email account was compromised again to send out a phishing email; more sensitive information was exposed.

https://www.theregister.com/2022/06/28/carnival-cybersecurity-fines/

  • Uber Ex-Security Chief Accused of Hacking Coverup Must Face Fraud Charges, Judge Rules

A federal judge on Tuesday said a former Uber Technologies Inc. security chief must face wire fraud charges over his alleged role in trying to cover up a 2016 hacking that exposed personal information of 57 million passengers and drivers.

The US Department of Justice had in December added the three charges against Joseph Sullivan to an earlier indictment, saying he arranged to pay money to two hackers in exchange for their silence, while trying to conceal the hacking from passengers, drivers and the US Federal Trade Commission.

https://www.reuters.com/business/uber-ex-security-chief-accused-hacking-coverup-must-face-fraud-charges-judge-2022-06-28/

Threats

Ransomware

Phishing & Email Based Attacks

Malware

Mobile

Internet of Things – IoT

Data Breaches/Leaks

Organised Crime & Criminal Actors

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

Insider Risk and Insider Threats

Fraud, Scams & Financial Crime

Insurance

Software Supply Chain

Denial of Service DoS/DDoS

Attack Surface Management

Shadow IT

Open Source

Passwords, Credential Stuffing & Brute Force Attacks

Social Media

Training, Education and Awareness

Privacy

Parental Controls and Child Safety

Regulations, Fines and Legislation

Law Enforcement Action and Take Downs

Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine

Nation State Actors

Nation State Actors – Russia

Nation State Actors – China

Nation State Actors – North Korea

Vulnerability Management

Vulnerabilities

Sector Specific

Critical National Infrastructure (CNI)

Financial Services Sector

FinTech

Telecoms

OT, ICS, IIoT, SCADA and Cyber-Physical Systems

Energy & Utilities

Oil, Gas and Mining

Chinese Threat Actor Targets Rare Earth Mining Companies in North America, Australia | SecurityWeek.Com

Food and Agriculture

Education and Academia

Web3

Reports Published in the Last Week

Other News

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Read More