The next open Cyber User Education and Awareness Training session with any availability left is on Wednesday 06 October 2021 from 10am-12pm.

We currently have 4 spaces remaining and the cost per delegate is £150.

Firms can send between 1-14 staff to these open training courses meaning less disruption to business operations and new starters, for example, don't need to wait until the next time the whole firm gets cyber training.

These open courses are run at least once per week so we can offer a lot of flexibility.

Remember only with Black Arrow do you get access to world-class cyber security experts from British Intelligence, Defence, Law Enforcement, Big-4 Advisory, FTSE100, Global Financial Services and the GFSC.

Call us on 711 988 or email training@blackarrowcyber.com to book places for your staff members.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

91% Of IT Teams Have Felt 'Forced' To Trade Security For Business Operations

A new survey suggests that most IT staff have felt pressured to ignore security concerns in favour of business operations. On Thursday, a new study report was released, which combines data from an online YouGov survey targeting office workers that adopted WFH and global research conducted with IT decision-makers. In total, 91% of those surveyed said that they have felt "pressured" to compromise security due to the need for business continuity during the COVID-19 pandemic. 76% of respondents said that security had taken a backseat, and furthermore, 83% believe that working from home has created a "ticking time bomb" for corporate security incidents. https://www.zdnet.com/article/91-of-it-teams-have-felt-forced-to-trade-security-for-business-operations/

Ransomware Attacks Increased Exponentially In 2021

The growing threat of ransomware has been highlighted by NCC Group's Research Intelligence and Fusion Team (RIFT) analysis. Between January-March 2021 and April-June 2021, the number of ransomware assaults studied by the team climbed by 288%, indicating that enterprises are still facing waves of digital extortion in the form of targeted ransomware. https://www.ehackingnews.com/2021/09/ransomware-attacks-increased.html

Phishing Attacks: One In Three Suspect Emails Reported By Employees Really Are Malicious

All the time spent ticking boxes in cyber security training sessions seems to be paying off after all: according to a new report, about a third of emails reported by employees really are malicious or highly suspect, demonstrating the effectiveness of the well-established maxim "Think before you click".  Researchers analysed over 200,000 emails that were flagged by employees from organisations across the globe in the first half of 2021 and found that 33% of the reports could be classified as phishing. https://www.zdnet.com/article/phishing-attacks-one-in-three-suspect-emails-reported-by-employees-really-are-malicious/

Hackers Shift From Malware To Credential Hijacking

Adversaries are relying less on malware to conduct attacks that are consequently more difficult to detect, according to an annual report conducted by researchers. “According to data from our customer base indexed by Threat Graph, 68% of detections from the last three months were not malware-based,” reads the report released Wednesday. “Attackers are increasingly attempting to accomplish their objectives without writing malware to the endpoint, using legitimate credentials and built-in tools (living off the land)—which are deliberate efforts to evade detection by traditional antivirus products.” https://www.nextgov.com/cybersecurity/2021/09/report-hackers-shift-malware-credential-hacking/185209/

Attacker Breakout Time Now Less Than 30 Minutes

The average time it takes threat actors to move from initial access to lateral movement has fallen by 67% over the past year, putting extra pressure on security operations (SecOps) teams, according to researchers. The findings come from researchers own investigations with customers across around 248,000 unique global endpoints. For incidents where this “breakout time” could be derived over the past year, it averaged just 1 hour 32 minutes. However, in over a third (36%) of intrusions, adversaries managed to move laterally to additional hosts in under 30 minutes. https://www.infosecurity-magazine.com/news/attacker-breakout-time-now-less/

Hackers Leak VPN Account Passwords From 87,000 Fortinet FortiGate Devices

Network security solutions provider Fortinet confirmed that a malicious actor had unauthorizedly disclosed VPN login names and passwords associated with 87,000 FortiGate SSL-VPN devices. "These credentials were obtained from systems that remained unpatched at the time of the actor's scan. While they may have since been patched, if the passwords were not reset, they remain vulnerable," the company said in a statement on Wednesday. https://thehackernews.com/2021/09/hackers-leak-vpn-account-passwords-from.html

53% Find It Difficult To Prevent An Insider Attack During Data Aggregation

Recent data from researchers found that 53% of companies find it impossible or very difficult to prevent an insider attack when data is being aggregated, a key indicator of intent of an attack. The vast majority of security threats follow a pattern or sequence of activity leading up to an attack, and insider threats are no exception. To fully understand any insider incident, visibility into the entire kill chain of an attack is imperative to preventing the exfiltration of critical data. https://venturebeat.com/2021/09/02/53-find-it-difficult-to-prevent-an-insider-attack-during-data-aggregation/

The Impact Of Ransomware On Cyber Insurance Driving The Need For Broader Cyber Security Knowledge

Not only have ransomware attacks spiked, the amount of ransom demanded has grown exponentially—to somewhere between $50 and $70 million dollars. Cyber Insurers can’t cover “whatever amount the hacker demands”—so major policies lost money. Insurers have responded by raising premiums, restricting coverage, or even getting out of the cyber-insurance game altogether in vulnerable markets. https://www.helpnetsecurity.com/2021/09/10/cyber-insurance-ransomware/

Hackers Exploit Camera Vulnerabilities To Spy On Parents

Various zero day vulnerabilities in home baby monitor could be compromised that lets threat actors hack into camera feed and put malicious codes like malware. The security issues were found in the IoT gadgets, made by China based developer Victure, that were found by researchers. In a security report, researchers revealed about the stack-based buffer flaw present in ONVIF server Victure PC420 component camera that allows hackers to plant remote codes on the victim device. When compromised, hacker can discover cameras (not owned by them) and command devices to broadcast camera feeds to third party and exploit the camera firmware. https://www.ehackingnews.com/2021/09/hackers-exploit-camera-vulnerabilities.html

39% Of All Internet Traffic Is From Bad Bots

Automated traffic takes up 64% of internet traffic – and whilst just 25% of automated traffic was made up by good bots, such as search engine crawlers and social network bots, 39% of all traffic was from bad bots, a Barracuda report reveals.

These bad bots include both basic web scrapers and attack scripts, as well as advanced persistent bots. These advanced bots try their best to evade standard defences and attempt to perform their malicious activities under the radar. The report revealed that the most common of these persistent bots were ones that went after e-commerce applications and login portals. https://www.helpnetsecurity.com/2021/09/07/bad-bots-internet-traffic/

Threats

Ransomware

• REvil Ransomware Group Returns Following Kaseya Attack

• Ragnar Locker Gang Warns Victims Not To Call The FBI

• This Is The Perfect Ransomware Victim, According To Cyber Criminals

• 5 Surefire Things That’ll Get You Targeted By Ransomware

• Hive Is Dangerous New Ransomware Threat, FBI Says

• Why Ransomware Hackers Love A Holiday Weekend

BEC

Phishing

• Microsoft Outlook Shows Real Person’s Contact Info For IDN Phishing Emails

Other Social Engineering

• 'Bitcoin Fraud Cost Me £500,000'

Malware

• Traffic Exchange Networks Distributing Malware Disguised As Cracked Software

• New Malware Uses Novel Fileless Technique To Evade Detection

Mobile

• Dangerous New Cable Can Hack iPhones From One Mile Away

• This Android Security Flaw Could Let Hackers Follow All Your Movements

IOT

• IoT Attacks Skyrocket, Doubling In 6 Months

Vulnerabilities

• Zoho ManageEngine Password Manager Zero-Day Gets A Fix, Amid Attacks

• New CPU Side-Channel Attack Takes Aim At Chrome’s Site Isolation Feature

• Microsoft, CISA Urge Mitigations For Zero-Day RCE Flaw In Windows

• Atlassian CISO Defends Company's Confluence Vulnerability Response, Urges Patching

• PoC Released For GhostScript Vulnerability That Exposed Airbnb, Dropbox

• Netgear Smart Switches Open To Complete Takeover

• New 0-Day Attack Targeting Windows Users With Microsoft Office Documents

• Cisco Patches Critical Authentication Bug With Public Exploit

Data Breaches/Leaks

• Guntrader Breach Perp: I Don't Think It's A Crime To Dump 111k People's Details Online In Google Earth Format

Organised Crime & Criminal Actors

• TrickBot Gang Developer Arrested At The Seoul International Airport

• The Secret Vulnerability Of Cyber Criminals: Burnout

Cryptocurrency/Cryptojacking

• Financial Cyber Crime: Why Crypto Currency Is The Perfect ‘Getaway Car’

Insider Threats

• Enterprises Are Missing The Warning Signs Of Insider Threats

DoS/DDoS

• Yandex Is Battling The largest DDoS In Russian Internet history

Nation State Actors

• Microsoft Says Chinese Hackers Were Behind SolarWinds Serv-U SSH 0-Day Attack

Cloud

• Organisations Struggling To Develop Cloud Applications That Meet Security Requirements

Privacy

• WhatsApp “End-To-End Encrypted” Messages Aren’t That Private After All

• ProtonMail Logs Activist's IP Address With Authorities After Swiss Court Order

Other News

• OWASP Shakes Up Web App Threat Categories With Release Of Draft Top 10

• SIEM Market Size To Reach $6436.2 Million By 2027

• A Zero-Trust Future: Why Cyber Security Should Be Prioritized For The Hybrid Working World

• Microsoft Has A $20 Billion Hacking Plan, But Cyber Security Has A Big Spending Problem

• Misbehaving Microsoft Teams Ad Brings Down The Entire Windows 11 Desktop

• This Seemingly Normal Lightning Cable Will Leak Everything You Type

• HSE Cyber Attack: Irish Health Service Still Recovering Months After Hack

• Brute-Force Attacks Target Inboxes For Gift Card Data

• Glasgow Firm Fined £150k After Half A Million Nuisance Calls, Spoofing Phone Number, Using False Trading Names

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Time’s up. Are you ready to evidence compliance with the new GFSC Cyber Rules now in effect?

Guernsey Regulated Financial Services Firms, the deadline for compliance with the GFSC Cyber Rules is today!

Will you be ready to explain your strategy and governance when the GFSC turn up for a regulatory visit?

The Cyber Rules compel Boards to take accountability for Cyber risks where previously it may have belonged to IT. Technology is only one piece of the puzzle, and often it is your people that present your weakest link.

We support our clients with an independent and proportionate gap analysis report that assesses risks and controls across people, operations and technology. This informs the strategy and governance that shows the GFSC what they want to see, reinforced by objective education and awareness for Boards and users.

We help our clients get the best performance from their IT Provider, to see and remediate the risks that cannot be revealed in a self-assessment either by the provider or the client.

Talk to the professionals today, with the experience and qualifications you can count on.

Contact us on contact@blackarrowcyber.com or call us on 711988

https://guernseypress.com/news/2021/02/19/the-new-gfsc-cyber-security-rules-what-the-gfsc-demands-of-you-and-why-you-cannot-simply-pass-it-to-it/

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

GFSC new Cyber Rules and Guidance out for consultation

The GFSC have put the Cyber Security Rules and Guidance Consultation Paper up on their website and consultation hub.

Why this matters:

The new rules and accompanying guidance came out of the 18 month thematic review which ended last year, which found that regulated financial service firms within the Bailiwick of Guernsey were not taking risks from cyber threats seriously enough and were lacking in appropriate protections and controls. These new rules seek to rectify this but many firms on the Island are going to have to do work to become compliant, especially around their ability to monitor for and detect unusual activity that could be indicative of a actual or attempted intrusion or breach.

The rules and guidance can be found here:

https://consultationhub.gfsc.gg/banking-and-insurance-supervision-and-policy/cyber-security-rules-and-guidance-consultation-pap/

Leaked FinCEN files expose poor data security

Leaked documents, dubbed the “FinCEN Files,” describe global money laundering of $2 trillion processed by many of the world’s biggest banks between 2000 and 2017. The reveal illuminates the struggle for the financial industry and government to provide ironclad data protection.

“This sensational and unprecedented leak clearly demonstrates a wide spectrum of data protection weaknesses in the governmental sector, affecting even the most developed Western countries,” Ilia Kolochenko, founder and CEO of  ImmuniWeb, said of the files.

“From a cybersecurity standpoint, we may expect a growing lack of trust to governmental agencies, which on one side have quasi-unlimited access to the most sensitive data of the largest organisations, while cannot duly safeguard this data on the other side,” he said.

The latest disclosure exposing apparently insufficient attempts by the public and private sectors to curb corruption came to light in a BuzzFeed News report which detailed more than 2,500 reported cases, including 2,100 Suspicious Activity Reports (SAR) filed by financial institutions with the U.S. Treasury Department’s Financial Crimes Enforcement Network (FinCEN).

JPMorgan Chase, Citigroup, Bank of America, Deutsche Bank, HSBC and Standard Chartered are among the financial institutions cited in the leaked files as processing dirty money around the world. The documents may have come from a whistleblower or insider at FinCEN. The International Consortium of Investigative Journalists (ICIJ), which represents 108 news organizations in 88 countries, is conducting a probe of the matter.

Why this matters:

Other similar investigative reports on similar wrongdoing focused single financial, tax or legal institutions, such as the 2017 Panama Papers emanating from clients of the law firm Mossack Fonseca. But the FinCEN docs reveal that a wide array of people from oligarchs and corrupt politicians to drug dealers and organised crime throughout the world know how to circumvent the system’s supposed checks and balances.

Read more: https://www.scmagazine.com/home/security-news/leaked-fincen-files-expose-poor-data-security/

Microsoft says it detected active attacks leveraging Zerologon vulnerability

Hackers are actively exploiting the Zerologon vulnerability in real-world attacks, Microsoft's security intelligence team said this week.

The attacks were expected to happen, according to security industry experts.

Multiple versions of weaponized proof-of-concept exploit code have been published online in freely downloadable form since details about the Zerologon vulnerability were revealed a week ago.

The first proof-of-concept exploit was published hours after the explanatory blog post, confirming initial analysis that the Zerologon bug is easy to exploit, even by low-skilled threat actors.

Why this matters:

Put simply the Zerologon bug is a vulnerability in Netlogon, the protocol used by Windows systems to authenticate against a Windows Server running as a domain controller. Exploiting the Zerologon bug can allow hackers to take over the domain controller, and inherently a company's internal network.

Zerologon was described by many as the most dangerous bug revealed this year. US federal agencies were given three days to patch domain controllers or disconnect them from federal networks.

As several security experts have recommended since Microsoft revealed the attacks, companies that have their domain controller exposed on the internet should take systems offline to patch them.

These internet-reachable servers are particularly vulnerable as attacks can be mounted directly, without the hacker first needing a foothold on internal systems.

Read more: https://www.zdnet.com/article/microsoft-says-it-detected-active-attacks-leveraging-zerologon-vulnerability/

Doppelpaymer ransomware crew fingered for attack on German hospital that caused death of a patient

The Doppelpaymer ransomware gang were behind the cyber-attack on a German hospital that led to one patient's death, according to local sources.

A German newspaper carried a report that Doppelpaymer's eponymous ransomware had been introduced to the University Hospital Düsseldorf's network through a vulnerable Citrix product.

That ransomware infection, activated last week, is said by local prosecutors to have led to the death of one patient who the hospital was unable to treat on arrival. She died in an ambulance while being transported to another medical facility with functioning systems.

Why this matters:

According to a report handed to the provincial government of North Rhine-Westphalia and seen by the German Press Association (DPA), the ransomware's loader had been lurking on the hospital's network since December 2019, the same month a patch was issued by Citrix for CVE-2019-19781 – the same vuln exploited to hit the hospital.

Whilst this is the first time a loss of life has been directly attributed to ransomware the threats are increasing all the time.

Vulnerabilities must be patched as soon as possible to stop known vulnerabilities from being used in attacks.

Read more: https://www.theregister.com/2020/09/23/doppelpaymer_german_hospital_ransomware/

“LokiBot,” the malware that steals your most sensitive data, is on the rise

Agencies in the US have reported seeing a big uptick in infections coming from LokiBot, an open source DIY malware package for Windows that’s openly sold or traded for free in underground forums. It steals passwords and cryptocurrency wallets, and it can also download and install new malware.

The increase was measured by an automated intrusion-detection system for collecting, correlating, analysing, and sharing computer security information.

US cyber agency CISA observed a notable increase in the use of LokiBot malware by malicious cyber actors since July 2020 according to an alert issued this week.

Why this matters:

While not quite as prevalent or noxious as the Emotet malware, LokiBot remains a serious and widespread menace. The infostealer spreads through a variety of methods, including malicious email attachments, exploitation of software vulnerabilities, and trojans sneaked into pirated or free apps. Its simple interface and reliable codebase make it attractive to a wide range of crooks, including those who are new to cybercrime and have few technical skills.

Read more: https://arstechnica.com/information-technology/2020/09/lokibot-the-malware-that-steals-your-most-sensitive-data-is-on-the-rise/

Ransomware is evolving, but the key to preventing attacks remains the same

Ransomware attacks are getting more aggressive according to a senior figure at Europe's law enforcement agency, but there are simple steps which organisations can follow to protect themselves – and their employees – from falling victim to attacks.

"Ransomware is one of the main threats," said the head of operations at Europol's European Cybercrime Centre (EC3). Europol supports the 27 EU member states in their fight against terrorism, cybercrime and other serious and organised forms of crime.

"Criminals behind ransomware attacks are adapting their attack vectors, they're more aggressive than in the past – they're not only encrypting the files, they're also exfiltrating data and making it available," he explained. "From a law enforcement perspective, we have been monitoring this evolution."

Why this matters:

This year has seen a rise in ransomware attacks where cyber criminals aren't just encrypting the networks of victims and demanding six-figure bitcoin payment to return the files, but they're also threatening to publish sensitive corporate information and other stolen data if the victim doesn't pay the ransom.

Read more: https://www.zdnet.com/article/ransomware-is-evolving-but-the-key-to-preventing-attacks-remains-the-same/

A look at the top threats inside malicious emails

Web-phishing targeting various online services almost doubled during the COVID-19 pandemic: it accounted for 46 percent of the total number of fake web pages, Group-IB reveals.

Ransomware, the headliner of the previous half-year, walked off stage: only 1 percent of emails analysed contained this kind of malware. Every third email, meanwhile, contained spyware, which is used by threat actors to steal payment data or other sensitive info to then put it on sale in the darknet or blackmail its owner.

Downloaders, intended for the installation of additional malware, and backdoors, granting cybercriminals remote access to victims’ computers, also made it to top-3. They are followed by banking Trojans, whose share in the total amount of malicious attachments showed growth for the first time in a while.

According to the data, in H1 2020 detected malicious emails were:

• 43 percent of the malicious mails had attachments with spyware or links leading to their downloading

• 17 percent contained downloaders

• 16 percent had backdoors

• 15 percent had banking trojans

• Ransomware, which in the second half of 2019 hid in every second malicious email, almost disappeared from the mailboxes in the first six months of this year with a share of less than 1 percent.

Why this matters:

These findings confirm adversaries’ growing interest in Big Game Hunting. Ransomware operators have switched from attacks en masse on individuals to corporate networks. Thus, when attacking large companies, instead of infecting the computer of a separate individual immediately after the compromise, attackers use the infected machine to move laterally in the network, escalate the privileges in the system and distribute ransomware on as many hosts as possible.

Read more: https://www.helpnetsecurity.com/2020/09/21/top-threats-inside-malicious-emails/

Credential Stuffing: the Culprit of Recent Attacks

A year ago, researchers found that 2.2 billion leaked records, known as Collection 1-5, were being passed around by hackers. This ‘mega leak’ included 1.2 billion unique email addresses and password combinations, 773 million unique email addresses and 21 million plaintext passwords. With this treasure trove, hackers can simply test email and password combinations on different sites, hoping that a user has reused one. This popular technique is known as credential stuffing and is the culprit of many recent data breaches.

There are only a few months left of 2020 but this year has seen its fair share of major data breaches including:

• Marriott International experienced another mega breach, when it was still recovering from the 2018 data breach that exposed approximately 339 million customer records

• Zoom became a new favourite for hackers due to the remote working mandated in many parts of the world - in early April  Zoom fell victim to a credential stuffing attack, which resulted in 500,000 of Zoom’s usernames and passwords being exposed on the Dark Web.

• GoDaddy, the world’s largest domain registrar confirmed in April that credentials of 28,000 of its customer web hosting accounts were compromised in a security incident back in October 2019.

• Nintendo - in March, users reported unauthorised logins to their accounts and charges for digital items without their permission. In June Nintendo advised that approximately 300,000 accounts were affected by the breach, resulting in the compromise of personal identifiable information such as email address, date of birth, country and gender.

Why this matters:

It has become evident that many of the recent data breaches were the result of credential stuffing attacks leveraging compromised passwords or passphrases. Credential stuffing attacks are automated hacks where stolen usernames and password combinations are thrown at the login process of various websites in an effort to break in. With billions of compromised credentials already circulating the Dark Web, credential stuffing attacks can be carried out with relative ease and with a 1-3% success rate.

When the account of an employee is compromised, hackers can gain access to sensitive data that organisation has collected, and sell it on the Dark Web. The stolen data, often including login credentials, can then be used to infiltrate other organisations’ systems which creates a never-ending cycle.

This is why the LinkedIn breach was blamed for several secondary compromises due to users recycling their exposed LinkedIn passwords on other sites.

Read more: https://www.infosecurity-magazine.com/blogs/credential-stuffing-recent-attacks/

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.