Threat Intelligence Blog
Contact us to discuss any insights from our Blog, and how we can support you in a tailored threat intelligence report.
Black Arrow Cyber Threat Briefing 12 February 2021
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities and cyber related news from the last week.
Top Cyber Stories of the Last Week
2020 Sees Ransomware Increase By Over 400 Percent
A new study from Cyber Security company, finds that last year malware increased by 358 percent overall and ransomware increased by 435 percent as compared with 2019. The report which analyzes millions of attacks taking place across the year finds distribution of the Emotet malware skyrocketed by 4,000 percent, while malware threats attacking Android phones increased by 263 percent. July saw the largest increase in malicious activity, up by 653 percent compared with the previous year. Microsoft Office documents are the most manipulated document attack vector and these attacks were up by 112 percent.
https://betanews.com/2021/02/10/ransomware-increase-400-percent/
Remote Desktop Protocol Attacks Surge By 768%
Remote desktop protocol (RDP) attacks increase by 768% between Q1 and Q4 last year, fuelled by the shift to remote working. However, a slower rate of growth was observed in the final quarter of the year, indicating that organizations have enhanced their security for remote users.
https://www.infosecurity-magazine.com/news/remote-desktop-protocol-attacks/
Even Minor Phishing Operations Can Distribute Millions Of Malicious Emails Per Week
Even small-scale phishing campaigns are capable of distributing millions and millions of malicious emails to victims around the world, according to a new report. Describing the most popular styles of phishing attack, criminal today rely on fast-churning campaigns. They create a single phishing email template (usually in English) and send it out to anywhere between 100 and 1,000 targets.
With One Update, This Malicious Android App Hijacked Millions Of Devices
With a single update, a popular barcode scanner app on Google Play transformed into malware and was able to hijack up to 10 million devices. Lavabird Ltd.'s Barcode Scanner was an Android app that had been available on Google's official app repository for years. The app, accounting for over 10 million installs, offered a QR code reader and a barcode generator -- a useful utility for mobile devices.
Cd Projekt Hit By Ransomware Attack, Refused To Pay Ransom, Data Reportedly Sold Off By Hackers
Polish video game maker CD Projekt, which makes Cyberpunk 2077 and The Witcher, has confirmed it was hit by a ransomware attack. In a statement posted to its Twitter account, the company said it will “not give in nor negotiate” with the hackers, saying it has backups in place. “We have already secured our IT infrastructure and begun restoring data,” the company said.
https://techcrunch.com/2021/02/09/cd-projekt-red-hit-by-ransomware-attack-refuses-to-pay-ransom/
Hacked Florida Water Plant Used Shared Passwords And Windows 7 PCs
The Oldsmar, Florida water plant hacked earlier this week used outdated Windows 7 PCs and shared passwords, the Associated Press has reported. A government advisory also revealed that the relatively unsophisticated attack used the remote-access program TeamViewer. However, officials also said that the hacker’s attempt to boost chemicals to dangerous levels was stopped almost immediately after it started.
Top Web Hosting Provider Shuts Down Following Cyber Attack
Cybercriminals often attack websites in order to extort a ransom from their victims but a recent cyberattack against the web hosting company No Support Linux Hosting took quite a different turn. After a hacker managed to breach the company's internal systems and compromise its entire operation, No Support Linux Hosting has announced that it is shutting down. The company alerted its customers to the situation before shutting down its website in a message.
https://www.techradar.com/news/top-web-hosting-provider-shuts-down-following-cyberattack
High Demand For Hacker Services On Dark Web Forums
Nine in 10 (90%) users of dark web forums are searching for a hacker who can provide them with a particular resource or who can download a user database. This is according to new research by Positive Technologies, which analyzed activity on the 10 most prominent forums on the dark web, which offer services such as website hacking and the buying/selling of databases. The study highlights the growing demand for hackers’ services and stolen data, exacerbated by the increased internet usage by both organizations and individuals since the start of COVID-19.
https://www.infosecurity-magazine.com/news/demand-hacker-services-dark-web/
Facebook Phishing Campaign Tricked Nearly 500,000 Users In Two Weeks
A recent investigation uncovered a large scale phishing operation on Facebook. The Facebook phishing campaign is dangerous and targets user personal information. The phishing scam “Is that you” currently on Facebook has been around in multiple forms for years. The whole trouble starts with a “friend” sending you a message claiming to have found a video or image with you in it. The message is usually a video and after clicking, it takes you through a series of websites. These websites have malicious scripts that get your location, device type, and operating system.
Hackers Are Tweaking Their Approach To Phishing Attacks In 2021
Cyber criminals are a creative bunch, constantly coming up with new ways to avoid detection and advance their sinister goals. A new report from cyber security experts at BitDam describes a few fresh techniques used in the wild so far in 2021. According to the report, email protection solutions tend to trust newly created email domains that are yet to be flagged as dangerous. Criminals are now increasingly exploiting this fact to increase the chances that phishing, and malware emails make it into victims' inboxes.
https://www.itproportal.com/news/hackers-are-tweaking-their-approach-to-phishing-attacks-in-2021/
Threats
Ransomware
Researchers identify 223 vulnerabilities used in recent ransomware attacks (Potential headline)
This old form of ransomware has returned with new tricks and new targets
Phishing
Malware
Mobile
IOT
Vulnerabilities
Attackers Exploit Critical Adobe Flaw to Target Windows Users
Microsoft issues emergency fix for Wi-Fi foul-up delivered hot and fresh on Patch Tuesday
Data Breaches
Organised Crime
Supply Chain
Nation-State Actors
Android spyware strains linked to state-sponsored Confucius threat group
'BendyBear' APT malware linked to Chinese government hackers
Microsoft to alert Office 365 users of nation-state hacking activity
Privacy
Reports Published in the Last Week
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Cyber Weekly Flash Brief 08 May 2020: Predatory Cyber Criminals & Hostile States Target Uk, Ransomware Payments Up, New Phishing Attack, Remote Accounts Attacked, Legal Docs Exposed, Samsung Vulns
Cyber Weekly Flash Briefing 08 May 2020: Predatory cyber criminals & hostile states target UK, ransomware payments up, new phishing attack, remote accounts attacked, legal docs exposed, Samsung vulns
If you’re pressed for time watch the 60 second quick fire summary of the top cyber and infosec stories from the last week:
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Coronavirus: ‘Predatory’ cyber criminals and hostile states targeting UK citizens and institutions, Dominic Raab warns UK
Dominic Raab has warned that “predatory” cyber criminals and hostile states are seeking to exploit the coronavirus pandemic, saying that UK citizens, businesses and institutions will be targeted for weeks and months ahead.
His remarks follow a joint warning from cyber security agencies in Britain and the US, urging healthcare and medical research staff to improve their password security to prevent criminals exploiting the crisis further.
Speaking at No 10 earlier in the week, Mr Raab said that while the vast majority of people and countries had rallied together, “there will always be some who seek to exploit a crisis for their own criminal and hostile ends”.
The foreign secretary said he was aware that cyber criminals and “other malicious groups” are targeting individuals and organisations in the UK by deploying Covid-19 related scams and phishing emails.
“That includes groups that in the cyber security world are known as advanced persistent threat (APT) groups – sophisticated groups of hackers who try to breach computer systems,” he said.
“We have clear evidence now that these criminal gangs are actively targeting national and international organisations which are responding to the Covid-19 pandemic, which I have to say makes them particular dangers and venal at this time.”
Read the full article here: https://www.independent.co.uk/news/uk/politics/coronavirus-cyber-crime-hack-business-dominic-raab-a9500316.html
New phishing attack targeting Microsoft Teams users aims to steal Office 365 credentials
Microsoft Teams has seen a surge in usage owing to the increased need for collaboration services as more and more employees are working from home in the wake of the COVID-19 Coronavirus pandemic. With the increased adoption, the tool has also been receiving multiple improvements to help enhance functionality. While the communication of new features is a given, a new phishing attack that mimics notifications from the Redmond giant is being targeted at Teams users.
The specifics of the attack suggests that the goal is to steal users’ Teams/Office 365 credentials by serving messages that redirect to phishing websites. The report states that the email notifications impersonate automated notification emails from Teams that are convincing enough owing to the content and design. The sender email comes from the “sharepointonline-irs.com” domain, something that is misleading and one that is not owned by Microsoft.
Read more here: https://www.neowin.net/news/new-phishing-attack-targeting-microsoft-teams-users-aims-to-steal-office-365-credentials
Ransomware Payments Surge 33% as Attacks Target Remote Access
The average sum paid by enterprises to ransomware attackers surged by 33% quarter-on-quarter in the first three months of the year, as victim organisations struggled to mitigate remote working threats.
A security vendor analysed ransomware cases handled by its own incident response team during the period to compile its latest findings.
It revealed the average enterprise ransomware payment rose to over $111,000 in the quarter, although the median remained at around $44,000, reflecting the fact that most demands from online attackers are more modest.
Sodinokibi (27%), Ryuk (20%) and Phobos (8%) remained the top three most common variants in Q1 2020, although prevalence of Mamba ransomware, which features a boot-locker program and full disk encryption via commercial software, increased significantly.
Poorly secured RDP endpoints continued to be the number one vector for attacks, more popular than phishing emails or exploitation of software vulnerabilities.
Read the full article here: https://www.infosecurity-magazine.com/news/ransomware-payments-surge-33/
Millions of remote desktop accounts attacked every week
Since the start of the outbreak, we've seen cyber criminals target Zoom and spread coronavirus-related phishing campaigns, in a bid to take advantage of the increase in remote working.
Now, new research suggests criminals are also targeting employees reliant on Microsoft's proprietary Remote Desktop Protocol (RDP) with far greater regularity.
According to this new report, hundreds of thousands of employees use RDP as a way to remotely connect to their office computer with the same privileges they would have on site.
However, RDP is also an enticing target for criminals, who are reportedly bombarding the service with brute-force attacks in a bid to gain entry.
Prior to the coronavirus pandemic, researchers typically recorded around 100,000–150,000 attacks of this kind per day, but that number has shot up to almost a million.
Read more: https://www.itproportal.com/news/millions-of-remote-desktop-accounts-are-being-attacked-ever-week/
This phishing campaign targets executives with fake emails from their phone provider
A new spear-phishing campaign has targeted executives and others in attempt to steal login credentials and bank account details by posing as their smartphone provider.
Uncovered by researchers, the attacks come in the form of emails claiming to be from their mobile phone provider, and refer to a problem with their bill.
The security company said the spoof mail had been sent to "a few executives, including one at a leading financial firm".
The messages come with the vague subject 'View Bill – Error – Message' and are designed with branding that looks like they could come from EE. The message tells the victim that the company is working on fixing an unspecified problem and that the user should login to their account to update their details.
Users should be cautious about unexpected messages like this – especially, if like this one, they urge some sort of immediate action – but there's also some elements of the phishing email that should act as a warning that all is not right.
Read more here: https://www.zdnet.com/article/this-phishing-campaign-targets-executives-with-fake-emails-from-their-phone-provider/
This ransomware spreads across hundreds of devices in no time at all
The LockBit ransomware contains a feature that allows attackers to encrypt hundreds of devices in just a few hours once they've breached a corporate network.
LockBit is a fairly new Ransomware-as-a-Service (RaaS) that was launched in September of last year. The developers of the ransomware are in charge of maintaining its payment site and updates while affiliates sign up to distribute the malware. LockBit's developers then earn around 25-40 percent of the ransom payments received while the affiliates earn a slightly larger share at 60-75 percent.
Researchers have published a report revealing how a LockBit ransomware affiliate hacked into a corporate network and encrypted 25 servers and 255 workstations in just three hours.
The hackers began their attack by brute-forcing an administrator account through an outdated VPN service. This gave them the administrative credentials they needed in order to deploy the LockBit ransomware on the network.
Read more: https://www.techradar.com/news/this-ransomware-spreads-across-hundreds-of-devices-in-no-time-at-all
Data security flaw exposes details of thousands of legal documents
A data security flaw has left more than 10,000 legal documents containing sensitive details of commercial property owners unsecured for years in an online database, potentially affecting the clients of about 190 law firms.
The cache of documents, which included Companies House property transaction forms containing authentication details such as email addresses and passwords, had been scanned and uploaded by legal firms — including three of the “magic circle” — using a product from Advanced Computer Software, Britain’s third-largest software company.
Advanced, said in a statement: “We discovered some exposed data on one of our historic software platforms and took immediate steps to address the issue, secure the data and make contact with the small number of affected customers.”
Leaving a security hole open for an extended period of time exposing authentication and other details was serious.
Though the exposure of legal documents is of a different scale to recent incidents — including at Virgin Media and British Airways — involving much larger customer databases, the inclusion of authentication information raised concerns about the potential impact if the exposed data fell into the wrong hands.
Read more here: https://www.ft.com/content/e0d6b6b7-825f-4102-b78f-204e1be205b6
Vulnerabilities in two VPNs opened door to fake, malicious updates
Hackers can exploit critical vulnerabilities in PrivateVPN and Betternet – since fixed – to push out fake updates and plant malicious programs or steal data.
Attackers can intercept VPN communications and force the apps to download fake updates according to the researchers who discovered the flaws.
The researchers stated they were very surprised because these are VPNs – important cybersecurity tools that are meant to keep users safe – have a lot of users trusting these tools to provide them with more security and privacy, not less.
Read more here: https://www.scmagazine.com/home/security-news/vulnerabilities-in-two-vpns-opened-door-to-fake-malicious-updates/
Samsung Confirms Critical Security Issue For Millions: Every Galaxy After 2014 Affected
The monthly security updates from Samsung have started rolling out. If you own a Samsung smartphone that was sold from late 2014 onward, you'd better hope that update hits your device soon. Why so? Only the small matter of a "perfect 10" critical security vulnerability that can enable arbitrary remote code execution (RCE) if exploited. Oh yes, and that arbitrary RCE can happen without any user interaction needed, as this is a "zero-click" vulnerability. And if you think that sounds pretty serious, and it is, there's more to come: the vulnerability affects every Galaxy smartphone that Samsung has made from late 2014 onward.
A hacker group tried to hijack 900,000 WordPress sites over the last week
A hacker group has attempted to hijack nearly one million WordPress sites in the last seven days, according to a security alert issued this week.
Since April 28, this particular hacker group has engaged in a hacking campaign of massive proportions that caused a 30x uptick in the volume of attack traffic being tracked.
The group launched attacks from across more than 24,000 distinct IP addresses and attempted to break into more than 900,000 WordPress sites.
The attacks peaked on Sunday, May 3, when the group launched more than 20 million exploitation attempts against half a million domains.
Read the full article here: https://www.zdnet.com/article/a-hacker-group-tried-to-hijack-900000-wordpress-sites-over-the-last-week/
Popular adult streaming site just accidentally outed millions of users
Adult live streaming platform CAM4 has suffered a massive data breach, exposing the identity of millions of its users.
Discovered by security researchers, the breach was caused by a server configuration error that made 7TB of user data (comprising 10.88 billion records in total) easily discoverable online.
While the misconfigured ElasticSearch database did not betray users’ specific sexual preferences, it did include personally identifiable information including names, email addresses, payment details, chat logs and sexual orientation.
The popular adult platform is used primarily by amateur webcam models to stream explicit content to live audiences. To gain access to premium content or tip performers, users must first register with the site - parting ways with both personal and financial data.
Read more here: https://www.techradar.com/news/this-popular-adult-streaming-site-accidentally-outed-millions-of-users
Hacker Group Selling Databases With Millions Of User Credentials Busted In Poland And Switzerland
Polish and Swiss law enforcement authorities, supported by Europol and Eurojust, dismantled InfinityBlack, a hacking group involved in distributing stolen user credentials, creating and distributing malware and hacking tools, and fraud.
On 29 April 2020, the Polish National Police (Policja) searched six locations in five Polish regions and arrested five individuals believed to be members of the hacking group InfinityBlack. Police seized electronic equipment, external hard drives and hardware cryptocurrency wallets, all worth around €100 000. Two platforms with databases containing over 170 million entries were closed down by the police.
The hacking group created online platforms to sell user login credentials known as ‘combos’. The group was efficiently organised into three defined teams. Developers created tools to test the quality of the stolen databases, while testers analysed the suitability of authorisation data. Project managers then distributed subscriptions against cryptocurrency payments.
The hacking group’s main source of revenue came from stealing loyalty scheme login credentials and selling them on to other, less technical criminal gangs. These gangs would then exchange the loyalty points for expensive electronic devices.
Read more here: https://www.europol.europa.eu/newsroom/news/hacker-group-selling-databases-millions-of-user-credentials-busted-in-poland-and-switzerland