Executive Summary

Vulnerabilities in Apple, Atlassian, Ivanti and VMware are currently being actively exploited in the wild. All of the vendors have a security patch available to address the vulnerabilities and due to the active exploitation of the vulnerabilities, it is recommended to apply them immediately.

Apple

Following  a report that Chinese authorities revealed they have used previously known vulnerabilities in Apple's AirDrop functionality to help law enforcement, Apple have released a patch for an actively exploited critical Zero-day in iOS, iPadOS, macOS, tvOS and Safari web browser,. The zero-day vulnerability is a type confusion exploit that allows an attacker to perform arbitrary code execution.

Impacted Versions:

iOS 17.3 and iPadOS 17.3 - iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later

iOS 16.7.5 and iPadOS 16.7.5 - iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation, iPad Pro 9.7-inch, and iPad Pro 12.9-inch 1st generation

macOS Sonoma 14.3 - Macs running macOS Sonoma

macOS Ventura 13.6.4 - Macs running macOS Ventura

macOS Monterey 12.7.3 - Macs running macOS Monterey

Safari 17.3 - Macs running macOS Monterey and macOS Ventura

What can I do?

Updates to vulnerable devices should be applied immediately due to this vulnerability being under active exploitation.

Atlassian

Following the disclosure of the Atlassian Confluence vulnerability, it has become a target for active exploitation. Researchers have observed attackers attempting to exploit this vulnerability. At present, there are 11,000 Confluence instances exposed on the internet, and Shadowserver has recorded nearly 40,000 exploitation attempts. For further information on the vulnerability see our advisory posted linked below.

Ivanti

Following the public disclosure of two Ivanti vulnerabilities being actively exploited, a third vulnerability has now been added to the CISA’s Known Exploited Vulnerabilities (KEV) Catalog.

CVE-2023-35082 - This vulnerability enables a remote unauthorised attacker to access users’ personally identifiable information and make limited modifications to the server.

Impacted versions:

his vulnerability impacts all versions of Ivanti Endpoint Manager Mobile (EPMM) 11.10, 11.9, and 11.8. MobileIron Core 11.7 and earlier versions are also affected by this vulnerability.

What can I do?

Ivanti released a patch for this vulnerability in August 2023. It is recommended to update any impacted products to version 11.11.0.0 or later to safeguard them from this vulnerability.

VMware

A critical vulnerability in VMware vCenter Server Management has been exploited in the wild by a Chinese hacking group since 2021. The vulnerability (CVE-2023-34048) allows an attacker to write out of bounds potentially leading to remote code execution. VMware released a patch in October 2023 stating that it was not under active exploitation. VMware have recommend customers update to the latest version, which is 9.0U2.

Further Information

For further information on Ivanti and Atlassian see our previous advisory:

https://www.blackarrowcyber.com/blog/advisory-17-january-2024-citrix-ivanti-atlassian-oracle-sonicwall-vmware-security-updates

Apple

Further details on the Apple vulnerabilities can be found here:

https://support.apple.com/en-gb/HT201222

Ivanti

Further details on the Ivanti vulnerabilities can be found here:

https://forums.ivanti.com/s/article/KB-Remote-Unauthenticated-API-Access-Vulnerability-CVE-2023-35082?language=en_US

https://www.cisa.gov/news-events/alerts/2024/01/18/cisa-adds-one-known-exploited-vulnerability-catalog

VMware

Further details on the VMware  vCenter Server Management vulnerability can be found here:

https://www.vmware.com/security/advisories/VMSA-2023-0023.html

Need help understanding your gaps, or just want some advice? Get in touch with us.

#threatadvisory #threatintelligence #cybersecurity 

Executive Summary

Apple has recently released multiple patches, covering a number of vulnerabilities, including one actively exploited zero-day. The zero-day vulnerability has been found to affect devices running vulnerable versions of iOS, iPadOS, macOS, tvOS, watchOS and Safari. The actively exploited zero-day allows threat actors to obtain the highest privileges available (kernel privileges) on affected devices. Earlier this month, another actively exploited zero day, CVE-2023-37450, was addressed by Apple through a Rapid Security Response update.

What’s the risk to me or my business?

Exploitation of the vulnerability could allow an attacker unauthorised access to sensitive data, allowing them to manipulate or delete important information, or even take over the entire device, compromising the confidentiality, integrity, and availability of the data held by an exploited device. In some cases, threat actors are exploiting the vulnerability to install spyware on vulnerable devices.

What can I do?

Given the widespread use of Apple devices for both corporate and personal use, it is important to prioritise the application of the released patches to protect devices. Apple has also released patches addressing these vulnerabilities for products that are no longer supported. We recommend updating your devices promptly to these latest versions. Apple has acknowledged active exploitation of these vulnerabilities and as such recommends updating immediately. Organisations who do not use Apple devices, but have a bring your own device policy should consider whether this may include Apple devices.

Apple have addressed the zero-day in the following versions:

• macOS Ventura 13.5

• iOS 16.6

• iPadOS 16.6

• Safari 16.6

• tvOS 16.6

• watchOS 9.6

 Technical Summary

CVE-2023-38606 – Successful exploitation of this flaw could lead to a threat actor obtaining kernel privileges (the highest available). This allows the malicious actor to “modify sensitive kernel state”.

For information on all vulnerabilities addressed can be found in the following links below:

Further information on the iOS and iPadOS vulnerabilities can be found here:

https://support.apple.com/en-us/HT213841

Further information on the Mac vulnerabilities can be found here:

https://support.apple.com/en-us/HT213843

Further information on the Safari vulnerabilities can be found here:

https://support.apple.com/en-gb/HT213847

Further information on the tvOS vulnerabilities can be found here:

https://support.apple.com/en-gb/HT213846

Further information on the watchOS vulnerabilities can be found here:

https://support.apple.com/en-gb/HT213848

Need help understanding your gaps, or just want some advice? Get in touch with us.

#threatadvisory #threatintelligence #cybersecurity

Executive Summary

Open Sources Intelligence (OSINT) conducted by Black Arrow Cyber have identified a number of threats against the Apple ecosystem, with some threats reported to have nation state involvement. It is important to highlight that any internet-abled product can be a target for attackers, therefore appropriate protective controls should always be considered for all devices, especially those that are used to directly access sensitive information.

MacOS “Migraine” Vulnerability

Recently, Microsoft revealed a new macOS vulnerability dubbed “Migraine” (CVE-2023-3269) which impacts vulnerable apple devices which run macOS. The vulnerability allows an attacker with root access, which is the highest level of permissions to bypass the built in security protections, gaining remote code execution and the ability to create undeletable malware, tamper with the integrity of systems and expand the attack to the rest of the network. Apple has released a security patch which addresses this vulnerability, further details can be found at the bottom of this post.

iOS “Operation Triangulation”

Reports have identified a new mobile state-sponsored advanced persistent threat group that has been targeting iOS devices as part of an attack campaign labelled “Operation Triangulation”. the campaign is carried out using an invisible iMessage with a malicious attachment, which when executed on a device installs spyware. The deployment of the spyware is completely hidden and requires no action from the user. The spyware then quietly transmits private information to remote servers; this includes microphone recordings, photos from instant messengers, geolocation, and data about a number of other activities of the owner of the infected device. This trojan is targeting middle and upper management staff with the only workaround currently being a complete reset of the device.

Complex toolkit with files allowing backdoor capabilities targeting macOS

Bitdefender researchers have recently discovered a set of malicious files that are part of a sophisticated toolkit targeting Apple macOS systems. This malicious attack allows an attacker to gather system information, run commands, download and execute files on the victim’s machine, and to terminate the exploit script. The malicious files predominantly target macOS Monterey (version 12) and newer.

Growing Malware Threats to macOS

In addition to this, additional growing threats to macOS have been recorded in the wild. This includes:

- Threat actor groups Lazarus and BlueNoroff have been using malware dubbed “RustBucket” in financially motivated attacks to target users and steal victim’s data.  

- Reports identifying ransomware gangs, including the infamous Lockbit, developing encryption that targets macOs, specifically their M1 chips. There is no current working version of this malware.

- A rise in the use of XCSSET malware, which exploits multiple zero-days found in the Apple safari browser to download a developer version of the app on the target’s device giving it access to data from other apps such as Skype, Telegram, notes, and screen recorders.

-  An increase in the use of malware-as-a-service (MaaS), such as Atomic macOS Stealer which is capable of stealing passwords, credentials, cookies, browser data, auto-fills, and other important information and MacStealer, which extracts information from compromised systems.

- The well known 3CX attack in which the state-sponsored APT’s had altered the MacOS version of the 3CX desktop client to deliver further malware, and exfiltrate it.

Mac Vulnerabilities

Looking at the US Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalogue, there have been 36 actively recorded exploits relating to devices running macOS devices since 2021.  

What’s the risk to me or my business?

An organisation which excludes the security of any asset, relying on reputation or built-in protections alone, is leaving themselves open to potential compromise of the confidentiality, integrity and availability of the data which is held on the asset and is accessed through the asset, which includes Apple devices. Such assets include devices that are purchased by the organisation to be used as corporate devices and those that are personally owned by employees being used as part of Bring Your Own Device schemes.

What can I do?

Endpoint Protective Technologies and Security Hardening including anti-malware, Firewalls and detective solutions should be considered for all endpoints, including those that run Windows, macOS, Linux, Android and iOS.

Organisation should ensure that their asset registers are up to date and include all assets which hold or access organisational information. The better view an organisations has of its attack surface, the greater their cyber resilience will be. This should be supplemented with an effective threat intelligence programme, allowing organisations to keep up to date with emerging threats.

Further information can be found here:

macOs “Migraine” Vulnerability: https://www.microsoft.com/en-us/security/blog/2023/05/30/new-macos-vulnerability-migraine-could-bypass-system-integrity-protection/

Lockbit Encryptors found targeting macOS: https://www.bleepingcomputer.com/news/security/lockbit-ransomware-encryptors-found-targeting-mac-devices/

iOS Operation Triangulation: https://usa.kaspersky.com/blog/triangulation-attack-on-ios/28444/

6 Growing Malware Threats to macOS: https://www.darkreading.com/endpoint/top-macos-malware-threats-proliferate

Malicious Files with Backdoor targeting macOS attack: https://www.bitdefender.com/blog/labs/fragments-of-cross-platform-backdoor-hint-at-larger-mac-os-attack/

Need help understanding your gaps, or just want some advice? Get in touch with us.

#threatadvisory #threatintelligence #cybersecurity

Executive summary

Apple has recently released updates for iOS, iPadOS, macOS, watchOS and Safari browser. These updates address a set of flaws that were actively exploited in the wild with the most severe allowing an attacker to perform Arbitrary Code Execution.

What’s the risk to me or my business?

Depending on the privileges associated with the user, if the vulnerability is successfully exploited an attacker could install programs; view, change, or delete data; or create new accounts with full user rights. This can lead to compromise of the confidentiality, integrity, and availability of organisational information in that could be accessed from the affected asset.

Technical Summary

The two vulnerabilities below have been actively exploited in the mobile surveillance campaign called Operation Triangulation.

CVE-2023-32434 – This is an integer overflow vulnerability in the kernel that could be exploited by a malicious app to execute arbitrary code with kernel privileges.

CVE-2023-32435 – This is a memory corruption vulnerability in Webkit that could lead to arbitrary code execution when processing specially crafted web content.

The updates are available for the following platforms:

• iOS 16.5.1 and iPadOS 16.5.1 - iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

• iOS 15.7.7 and iPadOS 15.7.7 - iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)

• macOS Ventura 13.4.1, macOS Monterey 12.6.7, and macOS Big Sur 11.7.8

• watchOS 9.5.2 - Apple Watch Series 4 and later

• watchOS 8.8.1 - Apple Watch Series 3, Series 4, Series 5, Series 6, Series 7, and SE, and

• Safari 16.5.1 - Macs running macOS Monterey

What can I do?

It is recommended to apply the update provided by Apple to all vulnerable systems immediately as the flaws have been addressed in this patch.

Further details on the Apple security updates can be found here: https://support.apple.com/en-us/HT201222

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

• Businesses Found to Neglect Cyber Security Until it is Too Late

Businesses only take cyber security seriously after falling victim to an attack, according to a report published by the UK's Department for Culture, Media and Sport (DCMS) this week.

For the research, the UK government surveyed IT professionals and end users in 10 UK organisations of varying sizes that have experienced cyber security breaches in the past three years. This analysed their existing level of security prior to a breach, the business impacts of the attack and how cyber security arrangements changed in the wake of the incident.

Nearly all respondents said their organisation took cyber security much more seriously after experiencing a breach, including reviewing existing practices and significantly increased investment in technology solutions.

While there was a consensus among participants that there is a greater need for vigilance and investment in cyber security, there was significant variation between organisations’ practices in this area. Medium and large organisations tended to have formal plans in place and budget allocated for further cyber security investment, but smaller businesses mostly did not due to resource constraints.

https://www.infosecurity-magazine.com/news/cybersecurity-seriously-breach/

• Cyber Tops Staff Retention as Biggest Business Risk

Cyber security concerns represent the most serious risk facing organisations, beating inflation, talent acquisition/retention and rising production costs, according to a new PwC study.

The PwC Pulse: Managing business risks in 2022 report was compiled from interviews with 722 US C-suite executives.

Two-fifths (40%) ranked cyber-attacks as a serious risk, rising to 51% of board members. PwC said boardrooms may be getting more attuned to cyber risk after new SEC proposals were published in March that would require directors to oversee cyber security risk and be more transparent about their cyber expertise.

In fact, executives appear to be getting more proactive with cyber security on a number of fronts.

Some 84% said they are taking action or monitoring closely policy areas related to cyber security, privacy and data protection. A further 79% said they’re revising or enhancing their cyber risk management approaches, and half (49%) pointed to increased investments in cyber security and privacy.

By way of comparison, 53% said they’re increasing investment in digital transformation and 52% in IT.

Cyber security is a strategic business enabler – technology is the central nervous system of many companies – and confirming its data is secure and protected can be brand defining.

There’s now heightened attention from a wider range of business leaders and corporate directors as they recognise that cyber security and data privacy should be part of not only a risk management strategy, but also a broader corporate strategy. C-suite and boards are actively taking steps to better understand the global threat landscape, confirm a foundational cyber security program is in place, and manage these risks to create opportunities.

https://www.infosecurity-magazine.com/news/cyber-tops-staff-retention-biggest/

• Cyber Criminals Weaponising Ransomware Data for BEC Attacks

Cyber criminals and other threat actors are increasingly using data dumped from ransomware attacks in secondary business email compromise (BEC) attacks, according to new analysis by Accenture Cyber Threat Intelligence.

The ACTI team analysed data from the 20 most active ransomware leak sites, measured by number of featured victims, between July 2021 and July 2022. Of the 4,026 victims (corporate, non-governmental organisations, and governmental entities) uncovered on various ransomware groups’ dedicated leak sites, an estimated 91% incurred subsequent data disclosures, ACTI found.

Dedicated leak sites most commonly provide financial data, followed by employee and client personally identifiable information and communication documentation. The rise of double extortion attempts – where attack groups use ransomware to exfiltrate data and then publicise the data on dedicated leak sites – has made large amounts of sensitive corporate data available to any threat actor. The most valuable types of data most useful for conducting BEC attacks are financial, employee, and communication data, as well as operational documents. There is a significant overlap between the types of data most useful for conducting BEC attacks and the types of data most commonly posted on these ransomware leak sites, ACTI said.

The data is a “rich source for information for criminals who can easily weaponise it for secondary BEC attacks,” ACTI said. “The primary factor driving an increased threat of BEC and VEC attacks stemming from double-extortion leaks is the availability of [corporate and communication data].”

https://www.darkreading.com/edge-threat-monitor/cybercriminals-weaponizing-ransomware-data-for-bec-attacks

• Callback Phishing Attacks See Massive 625% Growth Since Q1 2021

Hackers are increasingly moving towards hybrid forms of phishing attacks that combine email and voice social engineering calls as a way to breach corporate networks for ransomware and data extortion attacks.

According to Agari's Q2 2022 cyber-intelligence report, phishing volumes have only increased by 6% compared to Q1 2022. However, the use of 'hybrid vishing' is seeing a massive 625% growth.

Vishing, "voice phishing," involves some form of a phone call to perform social engineering on the victim. Its hybrid form, called "callback phishing," also includes an email before the call, typically presenting the victim with a fake subscription/invoice notice.

The recipient is advised to call on the provided phone number to resolve any issues with the charge, but instead of a real customer support agent, the call is answered by phishing actors.

The scammers then offer to resolve the presented problem by tricking the victim into disclosing sensitive information or installing remote desktop tools on their system. The threat actors then connect to the victim's device remotely to install further backdoors or spread to other machines.

These callback phishing attacks were first introduced by the 'BazarCall/BazaCall' campaigns that appeared in March 2021 to gain initial access to corporate networks for ransomware attacks.

The attacks work so well that multiple ransomware and extortion gangs, such as Quantum, Zeon, and Silent Ransom Group, have adopted the same technique today to gain initial network access through an unsuspecting employee.

"Hybrid Vishing attacks reached a six-quarter high in Q2, increasing 625% from Q1 2021. This threat type also contributed to 24.6% of the overall share of Response-Based threats," details the Agari report.

"While this is the second quarter hybrid vishing attacks have declined in share due to the overall increase of response-based threats, vishing volume has steadily increased in count over the course of the year."

https://www.bleepingcomputer.com/news/security/callback-phishing-attacks-see-massive-625-percent-growth-since-q1-2021/

• Credential Phishing Attacks Skyrocketing, 265 Brands Impersonated in H1 2022

Abnormal Security released a report which explores the current email threat landscape and provides insight into the latest advanced email attack trends, including increases in business email compromise, the evolution of financial supply chain compromise, and the rise of brand impersonation in credential phishing attacks.

The research found a 48% increase in email attacks over the previous six months, and 68.5% of those attacks included a credential phishing link. In addition to posing as internal employees and executives, cyber criminals impersonated well-known brands in 15% of phishing emails, relying on the brands’ familiarity and reputation to convince employees to provide their login credentials. Most common among the 265 brands impersonated in these attacks were social networks and Microsoft products.

“The vast majority of cyber crime today is successful because it exploits the people behind the keyboard,” said Crane Hassold, director of threat intelligence at Abnormal Security.

“By compromising people rather than networks, it’s easier for attackers to circumvent conventional security measures. This is especially true with brand impersonation, where attackers use urgency and fear to encourage their targets to provide usernames and passwords.”

LinkedIn took the top spot for brand impersonation, but Outlook, OneDrive and Microsoft 365 appeared in 20% of all attacks. What makes these attacks particularly dangerous is that phishing emails are often the first step to compromising employee email accounts. Acquiring Microsoft credentials enables cyber criminals to access the full suite of connected products, allowing them to view sensitive data and use the account to send business email compromise attacks.

https://www.helpnetsecurity.com/2022/08/15/landscape-email-threat/

• Are Cloud Environments Secure Enough for Today’s Threats?

Cyber security is a major problem right now. Not only is it the highest priority of any given business to keep their own data and their customers’ and clients’ data secure, but changes in the workplace have had a knock-on effect on cyber security. The concept of working from home has forced businesses all around the world to address old and new cyber security threats. People taking their laptops, and therefore their data, home to public networks that can be hacked or leaving access details like passwords scribbled on notebooks has meant that access to a business and therefore their customers’ data is a lot more accessible.

The saving grace was said to be the cloud. Beyond retraining cyber security in staff workforces, the practical solution was to move data into the cloud. But we’re now a few years from the point when the cloud really gained popularity. Is it still the answer to all our cyber security problems? Is there a chance of risk to using the cloud?

Cloud data breaches do happen and misconfiguration is a leading cause of them, mainly due to businesses inadequate cyber security strategies. This is due to several factors, such as the fundamental nature of the cloud designed to be easy for anyone to access, and businesses unable to completely see or control the cloud’s infrastructure and therefore relying on the cyber security controls that are provided by the cloud service provider (or CSP).

Unauthorised access is also a risk. The internet, which is a readily available public resource to most of the world, makes it easy for hackers to access data if they have the credentials to get past the cyber security set up by the individual business. This is where the ugliness of internal cloud breaches happens. If security is not configured well or credentials like passwords and secret questions are compromised, an attacker can easily access the cloud.

However, it’s not only through an employee that hackers access credentials. Phishing is a very common means of gaining information that would allow access to a customer or business data.

Plus, the simple nature of sharing data can easily backfire on a company. A lot of data access is granted with a link to someone external, which can then be forwarded, either sold or stolen, to an attacker to access the cloud’s data.

https://www.itsecurityguru.org/2022/08/16/are-cloud-environments-secure-enough-for-todays-threats/

• Most Q2 Attacks Targeted Old Microsoft Vulnerabilities

Attacks targeting a remote code execution vulnerability in Microsoft's MSHTML browser engine — which was patched last September — soared during the second quarter of this year, according to a Kaspersky analysis.

Researchers from Kaspersky counted at least 4,886 attacks targeting the flaw (CVE-2021-40444) last quarter, an eightfold increase over the first quarter of 2022. The security vendor attributed the continued adversary interest in the vulnerability to the ease with which it can be exploited.

Kaspersky said it has observed threat actors exploiting the flaw in attacks on organisations across multiple sectors including the energy and industrial sectors, research and development, IT companies, and financial and medical technology firms. In many of these attacks, the adversaries have used social engineering tricks to try and get victims to open specially crafted Office documents that would then download and execute a malicious script. The flaw was under active attack at the time Microsoft first disclosed it in September 2021.

Attacks targeting a remote code execution vulnerability in Microsoft's MSHTML browser engine — which was patched last September — soared during the second quarter of this year, according to a Kaspersky analysis. Researchers from Kaspersky counted at least 4,886 attacks targeting the flaw last quarter, an eightfold increase over the first quarter of 2022. The security vendor attributed the continued adversary interest in the vulnerability to the ease with which it can be exploited. According to Kaspersky, exploits for Windows vulnerabilities accounted for 82% of all exploits across all platforms during the second quarter of 2022. While attacks on the MSHTML vulnerability increased the most dramatically, it was by no means the most exploited flaw, which was a remote code execution vulnerability in Microsoft Office that was disclosed and patched four years ago that was attacked some 345,827 times last quarter.

https://www.darkreading.com/attacks-breaches/most-attacks-in-q2-targeted-old-microsoft-vulnerabilities

• Cyber Resiliency Isn't Just About Technology, It's About People

Cyber attacks are on the rise — but if we're being honest, that statement has been true for quite a while, given the acceleration of cyber incidents over the past several years. Recent research indicates that organisations experienced 50% more attack attempts per week on corporate networks in 2021 than they did in 2020, and tactics such as phishing are becoming increasingly popular as attackers refine their tried-and-true methods to more successfully entice unsuspecting targets.

It's no surprise, then, that cyber resiliency has been a hot topic in the cyber security world. But although cyber resiliency refers broadly to the ability of an organisation to anticipate, withstand, and recover from cyber security incidents, many experts make the mistake of applying the term specifically to technology. And while it's true that detection and remediation tools, backup systems, and other resources play an important role in cyber resiliency, organisations that focus exclusively on technology risk are overlooking an equally important element: people.

People are often thought of as the weak link in cyber security. It's easy to understand why. People fall for phishing scams. They use weak passwords and procrastinate on installing security updates. They misconfigure hardware and software, leave cloud assets unsecured, and send confidential files to the wrong recipient. There's a reason so much cyber security technology is moving toward automation: removing people from the equation is seen as one of the most obvious ways to improve security. To many security experts, that's just common sense.

Except — is it, really? It's true that people make mistakes — it's called "human error" for a reason, after all — but many of those mistakes come when employees aren't put in a position to succeed. Phishing is a great example. Most people are familiar with the concept of phishing, but many may not be aware of the nefarious techniques that today's attackers deploy. If employees have not been properly trained, they may not be aware that attackers often impersonate real people within the organisation, or that the CEO asking them to buy gift cards "for a company happy hour" probably isn't legit. Organisations that want to build strong cyber-resiliency cannot pretend that people don't exist. Instead, they need to prioritise the resiliency of their people just as highly as the resiliency of their technology.

Training the organisation to recognise the signs of common attack tactics, practice better password and cyber hygiene, and report signs of suspicious activity can help ease the burden on IT and security personnel by providing them better information in a more timely manner. It also avoids some of the pitfalls that create a drain on their time and resources. By ensuring that people at every level of the business are more resilient, today's organisations will discover that their overall cyber-resiliency will improve significantly.

https://www.darkreading.com/vulnerabilities-threats/cyber-resiliency-isn-t-just-about-technology-it-s-about-people

• The “Cyber Insurance Gap” Is Threatening Most Companies

A new study by BlackBerry and Corvus Insurance confirms a “cyber insurance gap” is growing, with a majority of businesses either uninsured or under insured against a rising tide of ransomware attacks and other cyber threats.

• Only 19% of all businesses surveyed have ransomware coverage limits above the median ransomware demand amount ($600,000)

• Among SMBs with fewer than 1,500 employees, only 14% have a coverage limit in excess of $600,000

• 37% of respondents with cyber insurance do not have any coverage for ransomware payment demands

• 43% of those with a policy are not covered for auxiliary costs such as court fees or employee downtime

• 60% say they would reconsider entering into a partnership or agreement with another business or supplier if the organisation did not have comprehensive cyber insurance

• Endpoint detection and response (EDR) software is frequently a key component to obtaining a policy

• 34% of respondents have been previously denied cyber coverage by insurance providers due to not meeting EDR eligibility requirements

https://informationsecuritybuzz.com/expert-comments/the-cyber-insurance-gap-is-threatening-most-companies/

• Easing the Cyber-Skills Crisis with Staff Augmentation

Filling cyber security roles can be costly, slow, and chancy. More firms are working with third-party service providers to quickly procure needed expertise.

There are many possible solutions to the cyber security skills shortage, but most of them take time. Cyber security education, career development tracks, training programs, employer-sponsored academies, and internships are great ways to build a talent pipeline and develop skill sets to meet organisational needs in years to come.

But sometimes the need to fill a gap in capability is more immediate.

An organisation in the entertainment industry recently found itself in such a position. Its primary cyber security staff member quit suddenly without notice, taking along critical institutional knowledge and leaving various projects incomplete. With its key defender gone, the organisation's environment was left vulnerable. In a scarce talent market, the organisation faced a long hiring process to find a replacement — too long to leave its digital estate unattended. It needed expertise, and quickly.

According to a 2021 ESG report, 57% of organisations have been impacted by the global cyber security skills crisis. Seventy-six percent say it's difficult to recruit and hire security professionals. The biggest effects of this shortage are increasing workloads, positions open for weeks or months, and high cyber security staff burnout and attrition.

In this climate, more companies are turning to third parties for cyber security staff reinforcement. According to a NewtonX study, 56% of organisations are now subcontracting up to a quarter of their cyber security staff. Sixty-nine percent of companies rely on third-party expertise to assist in mitigating the risk of ransomware — up from 58% in 2017 — per a study by Ponemon and CBI, a Converge Company.

One way that companies gain this additional support is via third-party staff augmentation and consulting services. Cyber security staff augmentation, or strategic staffing, entails trained external consultants acting as an extension of an organisation's security team in a residency. Engagements can be anywhere from a few weeks to a few years, and roles can range from analysts and engineers to architects, compliance specialists, and virtual CISOs.

https://www.darkreading.com/operations/easing-the-cyber-skills-crisis-with-staff-augmentation

• Mailchimp Suffers Second Breach In 4 Months

Mailchimp suffered another data breach earlier this month, and this one cost it a client.

In a statement Friday, Mailchimp disclosed that a security incident involving phishing and social engineering tactics had targeted cryptocurrency and blockchain companies using the email marketing platform. It was the second Mailchimp breach to target cryptocurrency customers in a four-month span.

Though Mailchimp said it has suspended accounts where suspicious activity was detected while an investigation is ongoing, it did not reveal the source of the breach or scope of the attack.

More details were provided Sunday by one of the affected customers, DigitalOcean, which cut ties with Mailchimp on Aug. 9.

The cloud hosting provider observed suspicious activity beginning Aug. 8, when threat actors used its Mailchimp account for "a small number of attempted compromises" of DigitalOcean customer accounts -- specifically cryptocurrency platforms.

While it is not clear whether any DigitalOcean accounts were compromised, the company did confirm that some email addresses were exposed. More importantly, the statement attributed a potential source of the most recent Mailchimp breach.

https://www.techtarget.com/searchsecurity/news/252523911/Mailchimp-suffers-second-breach-in-4-months

• Firm Told It Can't Claim Full Cyber Crime Insurance After Social Engineering Attack

A Minnesota computer store suing its cyber insurance provider has had its case dismissed, with the courts saying it was a clear instance of social engineering, a crime for which the insurer was only liable to cover a fraction of total losses.

SJ Computers alleged in a November lawsuit that Travelers Casualty and Surety Co. owed it far more than paid on a claim for nearly $600,000 in losses due to a successful business email compromise (BEC) attack.

According to its website, SJ Computers is a Microsoft Authorised Refurbisher, reselling Dell, HP, Lenovo and Acer products, as well as providing tech services including software installs and upgrades.

Travelers, which filed a motion to dismiss, said SJ's policy clearly delineated between computer fraud and social engineering fraud. The motion was granted with prejudice last Friday.

In the dismissal order, the US District Court for Minnesota found that the two policy agreements are mutually exclusive, as well as finding SJ's claim fell squarely into its social engineering fraud agreement with Travelers, which has a cap of $100,000.

When SJ filed its claim with Travelers, the court noted, it did so only under the social engineering fraud agreement. After realising the policy limit on computer fraud was 10 times higher, "SJ Computers then made a series of arguments – ranging from creative to desperate – to try to persuade Travelers that its loss was not the result of social-engineering-fraud (as SJ Computers itself had initially said) but instead the result of computer fraud," the district judge wrote in the order.

https://www.theregister.com/2022/08/16/social_engineering_cyber_crime_insurance/

Threats

Ransomware

• Ransomware Group Threatens to Leak Data Stolen From Security Firm Entrust | SecurityWeek.Com

• Cisco Confirms Hack: Yanluowang Ransom Gang Claims 2.8GB Of Data (informationsecuritybuzz.com)

• Ransomware is still on the rise. Here's what you need to do to stay safe from hackers | ZDNET

• Russian Man Extradited to US for Laundering Ryuk Ransomware Money | SecurityWeek.Com

• ‘Coopetition’ a growing trend among ransomware gangs (computerweekly.com)

• Hackers Attack UK Water Supplier, Sends Ransom Demand to the Wrong Company (gizmodo.com)

• SOVA malware adds ransomware feature to encrypt Android devices (bleepingcomputer.com)

• BlackByte ransomware v2 is out with new extortion novelties - Security Affairs

• Ransomware is back, healthcare sector most targeted - Help Net Security

• Why Hackers Are Now Targeting Electric Car Charging Stations (nocamels.com)

• BlackByte Ransomware Gang Returns With Twitter Presence, Tiered Pricing (darkreading.com)

• Ski-Doo maker BRP resumes operations following cyber attack; shares fluctuate - MarketWatch

• Argentina's Judiciary of Córdoba hit by PLAY ransomware attack (bleepingcomputer.com)

BEC – Business Email Compromise

• Three Extradited from UK to US on $5m BEC Charges - Infosecurity Magazine

Phishing & Email Based Attacks

• Response-based attacks make up 41% of all email-based scams - Help Net Security

• PayPal Phishing Scam Uses Invoices Sent Via PayPal – Krebs on Security

• Microsoft admits it can't stop scammers fooling you with their latest tricks | ZDNET

Other Social Engineering; SMishing, Vishing, etc

• This is the lamest Microsoft Office security threat we've ever seen - but people will still fall for it | TechRadar

Malware

• Hackers Deploy Bumblebee Loader to Breach Target Networks - Infosecurity Magazine

• 'DarkTortilla' Malware Wraps in Sophistication for High-Volume RAT Infections (darkreading.com)

• Malicious browser extensions targeted almost 7 million people (bleepingcomputer.com)

• DoNot Team Hackers Updated its Malware Toolkit with Improved Capabilities (thehackernews.com)

• Whack-a-Mole: More Malicious PyPI Packages Spring Up Targeting Discord, Roblox (darkreading.com)

• This String of Emojis Is Actually Malware (vice.com)

Mobile

• SOVA Android malware now also encrypts victims' files - Security Affairs

• Malware devs already bypassed Android 13's new security feature (bleepingcomputer.com)

• Google releases Android 13 with improved privacy and security features - Help Net Security

• Android malware apps with 2 million installs found on Google Play (bleepingcomputer.com)

• Researchers Find 35 Adware Apps on Google Play - Infosecurity Magazine

• Nearly 1,900 Signal Messenger Accounts Potentially Compromised in Twilio Hack (thehackernews.com)

Internet of Things – IoT

• How attackers are exploiting corporate IoT - Help Net Security

• ‘Ask all the time: why do I need this?’ How to stop your vacuum from spying on you | Smart homes | The Guardian

• Amazon fixes Ring Android app flaw exposing camera recordings (bleepingcomputer.com)

Data Breaches/Leaks

• Digital Ocean dumps Mailchimp after security breach • The Register

Organised Crime & Criminal Actors

• How Do Hackers Steal Credit Card Information? | TechTarget

• IT security worker who hacked businesses caught out by neighbour's Wi-Fi - Manchester Evening News

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

• With Plunge in Value, Cryptocurrency Crimes Decline in 2022 (darkreading.com)

• Microsoft: Cryptojackers Continue to Evolve to Be Stealthier and Spread Faster - Infosecurity Magazine

• Hardware-based threat defence against increasingly complex cryptojackers - Microsoft Security Blog

Insider Risk and Insider Threats

• Ex-HP manager jailed for $5m company card shopping spree • The Register

• Microsoft Employees Exposed Own Company’s Internal Logins (vice.com)

Fraud, Scams & Financial Crime

• SEC claims $1.3m pump-and-dump scam used hacked accounts • The Register

AML/CFT/Sanctions

• Alleged Russian Money Launderer Extradited from the Netherlands to U.S. | OPA | Department of Justice

Insurance

• Organisations are losing cyber insurance as an important risk management tool - Help Net Security

• For cyber insurance, some technology leads to higher premiums (techtarget.com)

• New Study Reveals Serious Cyber-Insurance Shortfalls - Infosecurity Magazine

Supply Chain and Third Parties

• Expert On Report Showing 297% Increase in US Breaches Tied To Supply Chain (informationsecuritybuzz.com)

• Transitioning From VPNs to Zero-Trust Access Requires Shoring Up Third-Party Risk Management (darkreading.com)

• How a Third-Party SMS Service Was Used to Take Over Signal Accounts

Denial of Service DoS/DDoS

• Google blocked the largest Layer 7 DDoS reported to date - Security Affairs

Cloud/SaaS

• Organisations Struggle to Fend Off Cloud and Web Attacks - Infosecurity Magazine

• Incident response in the cloud can be simple if you are prepared - Help Net Security

Passwords, Credential Stuffing & Brute Force Attacks

• Credential Theft Is (Still) A Top Attack Method (thehackernews.com)

• FBI Warns of Proxies and Configurations Used in Credential Stuffing Attacks | SecurityWeek.Com

• Over 9,000 VNC servers exposed online without a password (bleepingcomputer.com)

Privacy

• Google fined $60 million over Android location data collection (bleepingcomputer.com)

• New Amazon Ring Vulnerability Could Have Exposed All Your Camera Recordings (thehackernews.com)

• ‘Ask all the time: why do I need this?’ How to stop your vacuum from spying on you | Smart homes | The Guardian

• Period and pregnancy tracking apps have bad privacy protections, report finds - The Verge

Regulations, Fines and Legislation

• Financial Services & Cyber Security Regulations: New York Making Changes? - MSSP Alert

Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine

• 5 Russia-Linked Groups Target Ukraine in Cyberwar (darkreading.com)

• Russia-linked Gamaredon APT continues to target Ukraine - Security Affairs

• Microsoft shuts down accounts linked to Russian spies • The Register

• State-Sponsored APTs Dangle Job Opps to Lure In Spy Victims (darkreading.com)

• Estonia Repels Biggest Cyber-Attack Since 2007 - Infosecurity Magazine

• Spyware Scandals Are Ripping Through Europe | WIRED

• US Cyber Command deploys defensive operators to Croatia to hunt for malicious cyber activity - Help Net Security

• NHS cyber attacks hit record levels in four in five trusts after Russian invasion (telegraph.co.uk)

• Spyware Hunters Are Expanding Their Tool Set | WIRED

Nation State Actors

Nation State Actors – Russia

• Microsoft disrupts Russian hackers' operation on NATO targets (bleepingcomputer.com)

• Russian APT29 hackers abuse Azure services to hack Microsoft 365 users (bleepingcomputer.com)

• Microsoft Disrupts Russian Group's Multiyear Cyber-Espionage Campaign (darkreading.com)

• Russian hackers target Ukraine with default Word template hijacker (bleepingcomputer.com)

• Estonia says it repelled major cyber attack after removing Soviet monuments | Reuters

Nation State Actors – China

• Western companies wake up to China risk | Financial Times (ft.com)

• China-backed APT41 Hackers Targeted 13 Organisations Worldwide Last Year (thehackernews.com)

• China-linked RedAlpha behind multi-year credential theft campaign - Security Affairs

• Chinese Cyberspy Group 'RedAlpha' Targeting Governments, Humanitarian Entities | SecurityWeek.Com

• China's APT41 Embraces Baffling Approach for Dropping Cobalt Strike Payload (darkreading.com)

• Chinese takeover of tech company blocked over security fears (telegraph.co.uk)

• 3 ways China's access to TikTok data is a security risk | CSO Online

• Montana flagged bugs in cow app exploited in alleged China hack | Business and Economy | Al Jazeera

• APT41 group: 4 malicious campaigns, 13 victims, new tools and techniques - Help Net Security

Nation State Actors – North Korea

• North Korean hackers use signed macOS malware to target IT job seekers (bleepingcomputer.com)

• Mac Attack: North Korea's Lazarus APT Targets Apple's M1 Chip (darkreading.com)

Vulnerability Management

• Zero Day Initiative seeing an increase in failed patches (techtarget.com)

• Vulnerability Broker Applies Pressure on Software Vendors Shipping Faulty, Incomplete Patches | SecurityWeek.Com

• Which Security Bugs Will Be Exploited? Researchers Create an ML Model to Find Out (darkreading.com)

Vulnerabilities

• CISA adds 7 vulnerabilities to list of bugs exploited by hackers (bleepingcomputer.com)

• Google patches yet another Chrome zero-day vulnerability (techtarget.com)

• Chrome browser gets 11 security fixes with 1 zero-day – update now! – Naked Security (sophos.com)

• Cisco fixes High-Severity bug in Secure Web Appliance - Security Affairs

• Exploit out for critical Realtek flaw affecting many networking devices (bleepingcomputer.com)

• Software Patches Flaw on macOS Could Let Hackers Bypass All Security Levels - Infosecurity Magazine (infosecurity-magazine.com)

• Safari 15.6.1 fixes a zero-day flaw actively exploited in the wild - Security Affairs

• Rapid7: Cisco ASA and ASDM flaws went unpatched for months (techtarget.com)

• Windows Vulnerability Could Crack DC Server Credentials Open (darkreading.com)

• ÆPIC and SQUIP Vulnerabilities Found in Intel and AMD Processors (thehackernews.com)

• PoC exploit code for the critical Realtek RCE flaw released online - Security Affairs

Other News

• Exploiting stolen session cookies to bypass multi-factor authentication (MFA) - Help Net Security

• The Future of Endpoint Management | SecurityWeek.Com

• Janet Jackson music video given CVE for crashing laptops • The Register

• More Evil Markets | How It's Never Been Easier To Buy Initial Access To Compromised Networks - SentinelOne

• How aware are organisations of the importance of endpoint management security? - Help Net Security

• The Future of Cyber Security is Prevention | SecurityWeek.Com

• Signal/Twilio Incident - How Secure Are SMS Verifications? Experts Weigh (informationsecuritybuzz.com)

• DigitalOcean Discloses Impact From Recent Mailchimp Cyber Attack | SecurityWeek.Com

Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

·       Automotive

·       Construction

·       Critical National Infrastructure (CNI)

·       Defence & Space

·       Education & Academia

·       Energy & Utilities

·       Estate Agencies

·       Financial Services

·       FinTech

·       Food & Agriculture

·       Gaming & Gambling

·       Government & Public Sector (including Law Enforcement)

·       Health/Medical/Pharma

·       Hotels & Hospitality

·       Insurance

·       Legal

·       Manufacturing

·       Maritime

·       Oil, Gas & Mining

·       OT, ICS, IIoT, SCADA & Cyber-Physical Systems

·       Retail & eCommerce

·       Small and Medium Sized Businesses (SMBs)

·       Startups

·       Telecoms

·       Third Sector & Charities

·       Transport & Aviation

·       Web3

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

Cyber Risks Top Worldwide Business Concerns In 2022

Cyber perils are the biggest concern for companies globally in 2022, according to the Allianz Risk Barometer. The threat of ransomware attacks, data breaches or major IT outages worries companies even more than business and supply chain disruption, natural disasters or the COVID-19 pandemic, all of which have heavily affected firms in the past year.

Cyber incidents tops the Allianz Risk Barometer for only the second time in the survey’s history (44% of responses), Business interruption drops to a close second (42%) and Natural catastrophes ranks third (25%), up from sixth in 2021. Climate change climbs to its highest-ever ranking of sixth (17%, up from ninth), while Pandemic outbreak drops to fourth (22%).

The annual survey incorporates the views of 2,650 experts in 89 countries and territories, including CEOs, risk managers, brokers and insurance experts. View the full global and country risk rankings.

https://www.helpnetsecurity.com/2022/01/20/cyber-concern-2022/

Bosses Think That Security Is Taken Care Of: CISOs Aren't So Sure

The World Economic Forum warns about a significant gap in understanding between C-suites and information security staff - but it's possible to close the gap.

Organisations could find themselves at risk from cyberattacks because of a significant gap between the views of their own security experts and the boardroom.

The World Economic Forum's new report, The Global Cyber Security Outlook 2022, warns there are big discrepancies between bosses and information security personnel when it comes to the state of cyber resilience within organisations.

According to the paper, 92% of business executives surveyed agree that cyber resilience is integrated into enterprise risk management strategies – or in other words, protecting the organisation against falling victim to a cyberattack, or mitigating the incident so it doesn't result in significant disruption.

However, only 55% of security-focused executives believe that cyber resilience is integrated into risk management strategies – indicating a significant divide in attitudes to cyber security.

This gap can leave organisations vulnerable to cyberattacks, because boardrooms believe enough has been done in order to mitigate threats, while in reality there could be unconsidered vulnerabilities or extra measures put in place.

https://www.zdnet.com/article/managers-think-their-systems-are-unbreakable-cybersecurity-teams-arent-so-sure/

Fraud Is On the Rise, and It's Going to Get Worse

The acceleration of the digital transformation resulted in a surge of online transactions, greater adoption of digital payments, and increased fraud.

As more daily activities — work, education, shopping, and entertainment — shift online, fraud is also on the rise. A trio of recent reports paint a bleak picture, highlighting concerns that companies are experiencing increasing losses from fraud and that the situation will get worse over the coming year.

In KPMG's survey of senior risk executives, 67% say their companies have experienced external fraud in the past 12 months, and 38% expect the risk of fraud committed by external perpetrators to somewhat increase in the next year. External fraud, which includes credit card fraud and identity theft, is specifically referring to incidents perpetuated by individuals outside the company. For most of these respondents, there was a financial impact: Forty-two percent say their organisations experienced 0.5% to 1% of loss as a result of fraud and cybercrime.

https://www.darkreading.com/edge-articles/fraud-is-on-the-rise-and-its-going-to-get-worse

Two-Fifths of Ransomware Victims Still Paying Up

Two-fifths (39%) of ransomware victims paid their extorters over the past three years, with the majority of these spending at least $100,000, according to new Anomali research.

The security vendor hired The Harris Poll to complete its Cyber Resiliency Survey – interviewing 800 security decision-makers in the US, Canada, the UK, Australia, Singapore, Hong Kong, India, New Zealand, the UAE, Mexico and Brazil.

Some 87% said their organisation had been the victim of a successful attack resulting in damage, disruption, or a breach since 2019. However, 83% said they’d experienced more attacks since the start of the pandemic.

Over half (52%) were ransomware victims, with 39% paying up. Of these, 58% gave their attackers between $100,000 and $1m, while 7% handed over more than $1m.

https://www.infosecurity-magazine.com/news/two-fifths-ransomware-victims/

Less Than a Fifth of Cyber Leaders Feel Confident Their Organisation is Cyber-Resilient

Less than one-fifth (17%) of cyber leaders feel confident that their organisations are cyber-resilient, according to the World Economic Forum (WEF)’s inaugural Global Cyber Security Outlook 2022 report.

The study, written in collaboration with Accenture, revealed there is a wide perception gap between business executives and security leaders on the issue of cyber security. For example, 92% of businesses believe cyber-resilience is integrated into their enterprise risk-management strategies, compared to just 55% of cyber leaders.

This difference in attitude appears to be having worrying consequences. The WEF said that many security leaders feel that they are not consulted in security decisions, and only 68% believe cyber-resilience forms a major part of their organisation’s overall corporate risk management.

In addition, over half (59%) of all cyber leaders admitted they would find it challenging to respond to a cyber security incident due to a shortage of skills within their team.

Supply chain security was another major concern among cyber leaders, with almost nine in 10 (88%) viewing SMEs as a key threat to supply chains.

Interestingly, 59% of cyber leaders said cyber-resilience and cyber security are synonymous, with the differences not well understood.

https://www.infosecurity-magazine.com/news/cyber-leaders-organisation/

Endpoint Malware And Ransomware Detections Hit All-Time High

Endpoint malware and ransomware detections surpassed the total volume seen in 2020 by the end of Q3 2021, according to researchers at the WatchGuard Threat Lab. In its latest report, WatchGuard also highlights that a significant percentage of malware continues to arrive over encrypted connections.

While zero-day malware increased by just 3% to 67.2% in Q3 2021, the percentage of malware that arrived via Transport Layer Security (TLS) jumped from 31.6% to 47%. Data shows that many organisations are not decrypting these connections and therefore have poor visibility into the amount of malware hitting their networks.

https://www.helpnetsecurity.com/2022/01/20/endpoint-malware-ransomware-detections-q3-2021/

End Users Remain Organisations' Biggest Security Risk

With the rapid adoption of hybrid working environments and increased attacks, IT and security professionals worry that future data breaches will most likely be the result of end users who are negligent of or break security policy, according to a recent Dark Reading survey. The percentage of respondents in Dark Reading's 2021 Strategic Security Survey who perceive users breaking policy as the biggest risk fell slightly, however, from 51% in 2020 to 48% in 2021. Other potential issues involving end users showed improvements as well, with social engineering falling in concern from 20% to 15% and remote work worries halving from 26% to 13%.

While this trend is positive, it's unclear where the increased confidence comes from, since more people now report ineffective end-user security awareness training (11%, to 2020's 7%).

Respondents shared their heightened concern about well-funded attacks. In 2021, 25% predicted an attack targeted at their organisations (a rise from 2020, when 20% said the same), and fear of a nation-state-sponsored action rose to 16% from 9% the year before. Yet only 16% reported sophisticated, automated malware as a top concern, a 10% drop from 2020, and fear of a gap between security and IT advances only merited 9%. A tiny 3% worried that their security tools wouldn't work well together, dropping from the previous year's 10%.

https://www.darkreading.com/edge-threat-monitor/despite-rise-of-third-party-concerns-end-users-still-the-biggest-security-risk

Supply Chain Disruptions Rose In 2021

56% of businesses experienced more supply chain disruptions in 2021 than 2020, a Hubs report reveals.

Last year was marked by a number of challenges, including computer chip shortages, port congestion, the ongoing impacts of COVID-19, logistics impediments, and energy crises, though with every hurdle faced, solutions are being sought. It is increasingly clear that while certain risks are hard to anticipate and difficult to plan for, it is possible to mitigate the effects of supply chain disruptions by establishing a robust and agile supply chain.

Over 98% of global companies are now planning to boost the resilience of their manufacturing supply chains, however, 37% have yet to implement any measures. As businesses develop long term strategies, over 57% of companies say diversification of their supply chains is the most effective way of building resilience. This report explores last year’s most disruptive events, how disruptions have changed over time, industry trends and strategies for strengthening manufacturing supply chains.

https://www.helpnetsecurity.com/2022/01/19/supply-chain-disruptions-2021/

Red Cross Begs Attackers Not to Leak Stolen Data for 515K People

A cyber attack forced the Red Cross to shut down IT systems running the Restoring Family Links system, which reunites families fractured by war, disaster or migration. UPDATE: The ICRC says it’s open to confidentially communicating with the attacker.

The Red Cross is imploring threat actors to show mercy by abstaining from leaking data belonging to 515,000+ “highly vulnerable” people. The data was stolen from a program used to reunite family members split apart by war, disaster or migration.

“While we don’t know who is responsible for this attack, or why they carried it out, we do have this appeal to make to them,” Robert Mardini, the director general of the International Committee for the Red Cross (ICRC), said in a release on Wednesday. “Your actions could potentially cause yet more harm and pain to those who have already endured untold suffering. The real people, the real families behind the information you now have are among the world’s least powerful. Please do the right thing. Do not share, sell, leak or otherwise use this data.”

https://threatpost.com/red-cross-begs-attackers-not-to-leak-515k-peoples-stolen-data/177799/

DHL Dethrones Microsoft As Most Imitated Brand In Phishing Attacks

DHL was the most imitated brand in phishing campaigns throughout Q4 2021, pushing Microsoft to second place, and Google to fourth.

This isn't surprising considering that the final quarter of every year includes the Black Friday, Cyber Monday, and Christmas shopping season, so phishing lures based on package deliveries naturally increase.

DHL is an international package delivery and express mail service, delivering over 1.6 billion parcels per year.

As such, phishing campaigns impersonating the brand have good chances of reaching people who are waiting for a DHL package to arrive during the holiday season.

The specific lures range from a package that is stuck at customs and requires action for clearance to supposed tracking numbers that hide inside document attachments or embedded links.

https://www.bleepingcomputer.com/news/security/dhl-dethrones-microsoft-as-most-imitated-brand-in-phishing-attacks/

Threats

Ransomware

• New White Rabbit Ransomware Linked To FIN8 Hacking Group (bleepingcomputer.com)

• Conti Ransomware Gang Started Leaking Files Stolen From Bank Indonesia - Security Affairs

• This New Ransomware Comes With A Small But Dangerous Payload | ZDNet

• FBI Warning: This New Ransomware Makes Demands Of Up To $500,000 | ZDNet

• Experts Warn Of Attacks Using A New Linux Variant Of SFile Ransomware - Security Affairs

• SEC Filing Reveals Fortune 500 Firm Targeted in Ransomware Attack | Threatpost

• FBI Warns Organisations of Diavol Ransomware Attacks | SecurityWeek.Com

• Marketing Giant RRD Confirms Data Theft In Conti Ransomware Attack (bleepingcomputer.com)

• After Ransomware Arrests, Some Dark Web Criminals Are Getting Worried | ZDNet

BEC – Business Email Compromise

• Nigerian Authorities Arrest 11 Members of Prolific BEC Fraud Group | SecurityWeek.Com

Phishing

• Phishing Impersonates Shipping Giant Maersk To Push STRRAT Malware (bleepingcomputer.com)

• #COVID19 Phishing Emails Surge 500% on Omicron Concerns - Infosecurity Magazine

• Financially Motivated Earth Lusca Threat Actors Targets Orgs Worldwide - Security Affairs

Malware

• Microsoft Details Recent Damaging Malware Attacks on Ukrainian Organisations (darkreading.com)

• Custom-Written Malware Discovered Across Windows, MacOS, And Linux Systems | TechSpot

• Backdoor RAT for Windows, macOS, and Linux went undetected until now | Ars Technica

• Ukraine: Wiper Malware Masquerading As Ransomware Hits Government Organisations - Help Net Security

• Russian Hackers Heavily Using Malicious Traffic Direction System to Distribute Malware (thehackernews.com)

• Linux Malware Is On The Rise. Here Are Three Top Threats Right Now | ZDNet

• Malware That Can Survive OS Reinstalls Strikes Again, Likely for Cyber Espionage | PCMag

• New MoonBounce UEFI Malware Used By Apt41 In Targeted Attacks (bleepingcomputer.com)

Data Breaches/Leaks

• Exposed Records Exceeded 40 Billion In 2021 - Help Net Security

• European Regulators Hand Out €1.1bn in GDPR Fines - Infosecurity Magazine

Organised Crime & Criminal Actors

• Financially Motivated Earth Lusca Threat Actors Targets Orgs Worldwide - Security Affairs

• A Hacker Is Negotiating With Victims on the Blockchain After $1.4M Heist (vice.com)

• FBI & European Police Take Down Computer Servers Used In Major Cyberattacks Worldwide - CNNPolitics

• Europol Shuts Down VPNLab, Cyber Criminals' Favourite VPN Service (thehackernews.com)

Cryptocurrency/Cryptomining/Cryptojacking

• 2FA Bypassed in $34.6M Crypto.com Heist | Threatpost

• Cyber Criminals Actively Target VMware vSphere with Cryptominers | Threatpost

• New BHUNT Password Stealer Malware Targeting Cryptocurrency Wallets (thehackernews.com)

• Cheap Malware Is Behind A Rise In Attacks On Cryptocurrency Wallets | ZDNet

Insider Risk and Insider Threats

• Research: Why Employees Violate Cyber Security Policies (hbr.org)

• What CISOs Can Learn About Insider Threats From Iran's Human Espionage Tactics | CSO Online

Fraud, Scams & Financial Crime

• How Buy Now, Pay Later Is Being Targeted By Fraudsters - Help Net Security

• Romance Scammer Who Targeted 670 Women Gets 28 Months In Jail – Naked Security (sophos.com)

Insurance

• Merck Awarded $1.4B Insurance Payout over NotPetya Attack | Threatpost

CNI, OT, ICS, IIoT and SCADA

• UK Mulls Making MSPs Subject To Mandatory Security Standards • The Register

• ‘Anomalous’ Spyware Stealing Credentials In Industrial Firms (bleepingcomputer.com)

• European Union Simulated A Cyber Attack On A Fictitious Finnish Power Company - Security Affairs

Nation State Actors

• Ukraine: Recent Cyber Attacks Part of Wider Plot to Sabotage Critical Infrastructure (thehackernews.com)

• Ukraine Cyber Attack Timeline: Microsoft, CISA, White House and Kyiv Statements - MSSP Alert

• Chinese Hackers Spotted Using New UEFI Firmware Implant in Targeted Attacks (thehackernews.com)

• Security Scanners Across Europe Tied To China Govt, Military | AP News

Cloud

• Attackers Use Public Cloud Providers To Spread RATs | CSO Online

Privacy

• UK.Gov's No Place To Hide campaign flops on launch • The Register

Passwords & Credential Stuffing

• Your Keyboard Walking Password Isn’t Complex Or Secure – Review Geek

• Box Flaw Allowed To Bypass MFA And Takeover Accounts - Security Affairs

Spyware, Espionage & Cyber Warfare

• Malware That Can Survive OS Reinstalls Strikes Again, Likely for Cyber Espionage | PCMag

Vulnerabilities

• CISA Adds 13 Exploited Vulnerabilities To List, 9 with Feb. 1 Remediation Date | ZDNet

• Microsoft RDP Vulnerability Makes It A Breeze For Attackers To Become Men-In-The-Middle - TechRepublic

• High-Severity Vulnerabilities Patched in McAfee Enterprise Product | SecurityWeek.Com

• Cisco Releases Patch for Critical Bug Affecting Unified CCMP and Unified CCDM (thehackernews.com)

• A bug in McAfee Agent allows to run code with SYSTEM privileges - Security Affairs

• Zoho Fixes A Critical Vulnerability (CVE-2021-44757) in Desktop Central - Security Affairs

• Ubuntu Patch For Heap Buffer Overflow Vulnerability • The Register

• Google Details Two Zero-Day Bugs Reported in Zoom Clients and MMR Servers (thehackernews.com)

• Hackers Attempt to Exploit New SolarWinds Serv-U Bug in Log4Shell Attacks (thehackernews.com)

• F5 Patches Two Dozen Vulnerabilities in BIG-IP | SecurityWeek.Com

• McAfee Bug Can Be Exploited to Gain Windows SYSTEM Privileges | Threatpost

• Oracle Critical Patch Update for January 2022 will fix 483 new flaws - Security Affairs

• 20K WordPress Sites Exposed by Insecure Plugin REST-API | Threatpost

• Nasty Linux Kernel Bug Found And Fixed | ZDNet

• Cisco Issues Patch for Critical RCE Vulnerability in RCM for StarOS Software (thehackernews.com)

• Critical Bugs in Control Web Panel Expose Linux Servers to RCE Attacks (thehackernews.com)

• Critical SAP Vulnerability Allows Supply Chain Attacks | SecurityWeek.Com

• Zoho Plugs Another Critical Security Hole In Desktop Central (bleepingcomputer.com)

• Safari Exploit Can Leak Browser Histories And Google Account Info | Engadget

Sector Specific

Financial Services Sector

• Singapore Pushed To Introduce Security Measures Amidst Online Banking Scams | ZDNet

Health/Medical/Pharma Sector

• More Than Half Of Medical Devices Found To Have Critical Vulnerabilities | ZDNet

• Additional Healthcare Firms Disclose Impact From Netgain Ransomware Attack | SecurityWeek.Com

Retail

• PCI SSC Updates Card Security Standards To Secure The Card Production Process - Help Net Security

Education and Academia

• Kids Won’t Stop Launching DDoS Attacks Against Their Schools | TechRadar

Other News

• Biggest MSP Takeaways From The Apache Log4j Vulnerability - MSSP Alert

• The Emotional Stages Of A Data Breach: How To Deal With Panic, Anger, And Guilt | CSO Online

• The Log4j Vulnerability Puts Pressure on the Security World | Threatpost

• Hackers Planted Secret Backdoor in Dozens of WordPress Plugins and Themes (thehackernews.com)

• BadUSB explained: How rogue USBs threaten your organisation | CSO Online

• Millions of UK Wi-Fi Routers Vulnerable To Security Threats - IT Security Guru

• NATO, Ukraine Sign Deal to 'Deepen' Cyber Cooperation | SecurityWeek.Com

• UK Umbrella Company Parasol Group Confirms Cyber Attack • The Register

• MPs Criticise Cyber Agency For Not Aiding China Rights Group After It Was Hacked | China | The Guardian

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

 84% Of Organisations Experienced Phishing Or Ransomware Attacks In The Last Year

A new report from Trend Micro has found that 84% of organisations have reported phishing or ransomware security incidents in the last 12 months.

The findings come from an Osterman Research study commissioned by Trend Micro that was compiled from interviews with cyber security professionals in midsize and large organisations nationwide. The research also found that half of organisations are not effective at countering phishing and ransomware threats.

https://www.itpro.co.uk/security/ransomware/360191/84-of-organizations-experienced-phishing-or-ransomware-attacks-in-last

Phishing continues to be one of the easiest paths for ransomware

Ransomware gangs are still using phishing as one of the main ways to attack an organisation, according to a new survey from Cloudian featuring the insights of 200 IT decision-makers who experienced a ransomware attack over the last two years.

More than half of all respondents have held anti-phishing training among employees, and 49% had perimeter defenses in place when they were attacked.

Nearly 25% of all survey respondents said their ransomware attacks started through phishing, and of those victims, 65% had conducted anti-phishing training sessions. For enterprises with fewer than 500 employees, 41% said their attacks started with phishing. About one-third of all victims said their public cloud was the entry point ransomware groups used to attack them.

https://www.zdnet.com/article/phishing-continues-to-be-one-of-the-easiest-paths-for-ransomware-report/

Ransomware: Only Half Of Organisations Can Effectively Defend Against Attacks, Warns Report

Around half of firms don't have the technology to prevent or detect ransomware attacks, according to research by cybersecurity company Trend Micro. It suggests that many organisations don't have the cybersecurity capabilities required to prevent ransomware attacks, such as the ability to detect phishing emails, remote desktop protocol (RDP) compromise or other common techniques deployed by cyber attackers during ransomware campaigns. 

For example, the report warns that many organisations struggle with detecting the suspicious activity associated with ransomware and attacks that could provide early evidence that cyber criminals have compromised the network. That includes failing to identify unusual lateral movement across corporate networks, or being able to spot unauthorised users gaining access to corporate data.

https://www.zdnet.com/article/ransomware-only-half-of-organisations-can-effectively-defend-against-attacks-warns-report/

MI5 Chief Warns Public Of Cyber-Threat From Hostile States Such As China & Russia

Head of Britain's MI5, Ken McCallum, is urging the public to be as vigilant about threats from "hostile states" as from terrorism.

These include disruptive cyber-attacks, misinformation, espionage and interference in politics - and are usually linked to Russia and China.

McCallum is warning that "less visible threats... have the potential to affect us all," affecting UK jobs and public services and could even lead to a loss of life.

The head of the Security Service wants to challenge the idea that activity by so-called "hostile states", usually taken to mean primarily Russia and China, only affects governments or certain institutions.

Instead, he is to argue in an annual threat update, that the British public are not immune to the "tentacles" of covert action by other states.

In the speech at MI5's Thames House headquarters, Mr McCallum will warn the "consequences range from frustration and inconvenience, through loss of livelihood, potentially up to loss of life".

https://eutoday.net/news/security-defence/2021/uk-mi5-chief-ken-mccallum-warns-public-of-cyber-threat-from-hostile-states-such-as-china-russia

Almost All Organisations Have Suffered Insider Data Breaches

Egress’ Insider Data Breach Survey 2021 claims that 94 percent of organisations have experienced insider data breaches in the last year. Human error was the top cause of serious incidents, according to 84 percent of IT leaders surveyed.

However, IT leaders are more concerned about malicious insiders, with 28 percent indicating that intentionally malicious behaviour is their biggest fear. Despite causing the most incidents, human error came bottom of the list, with just over one-fifth (21 percent) saying that it’s their biggest concern.

Additionally, almost three-quarters (74 percent) of organisations have been breached because of employees breaking security rules, and 73 percent have been the victim of phishing attacks.

The survey, independently conducted by Arlington Research on behalf of Egress, surveyed 500 IT leaders and 3,000 employees in the US and UK across vertical sectors including financial services, healthcare and legal.

https://workplaceinsight.net/almost-all-organisations-have-suffered-insider-data-breaches/

Cyber Crime Costs Organisations Nearly $1.79 Million Per Minute

Cybercrime costs organisations an incredible $1.79m every minute, according to RiskIQ’s 2021 Evil Internet Minute Report.

The study, which analysed the volume of malicious activity on the internet, laid bare the scale and damage of cyber-attacks in the past year, finding that 648 cyber-threats occurred every minute.

The researchers calculated that the average cost of a breach is $7.2 per minute, while the overall predicted cybersecurity spend is $280,060 every minute.

E-commerce has been heavily hit by online payment fraud in the past year, with cyber-criminals taking advantage of the shift to online shopping during the COVID-19 pandemic. While the e-commerce industry saw a record $861.1bn in sales, it lost $38,052 to online payment fraud every minute.

https://www.infosecurity-magazine.com/news/cybercrime-costs-orgs-per-minute/

Phishing, Ransomware Driving Wave of Data Breaches

Data compromises have increased every month this year except May.

If that trend continues, or even if there is only an average of 141 new compromises per month for the next six months, the total will still exceed the previous high of 1,632 breaches set in 2017.

These were among the findings of the nonprofit organization Identity Theft Resource Center’s (ITRC) latest data breach analysis report, which revealed publicly reported U.S. data breaches are up 38% in the second quarter of 2021, for a total of 491 compromises, compared to Q1.

https://securityboulevard.com/2021/07/phishing-ransomware-driving-wave-of-data-breaches/

Top CVEs Trending with Cybercriminals

An analysis of criminal forums reveal what publicly known vulnerabilities attackers are most interested in.

Criminal small talk in underground forums offer critical clues about which known Common Vulnerabilities and Exposures (CVEs) threat actors are most focused on. This, in turn, offers defenders clues on what to watch out for.

An analysis of such chatter, by Cognyte, examined 15 cybercrime forums between Jan. 2020 and March 2021. In its report, researchers highlight what CVEs are the most frequently mentioned and try to determine where attackers might strike next.

“Our findings revealed that there is no 100 percent correlation between the two parameters, since the top five CVEs that received the highest number of posts are not exactly the ones that were mentioned on the highest number of Dark Web forums examined,” the report said. “However, it is still enough to understand which CVEs were popular among threat actors on the Dark Web during the time examined.”

https://threatpost.com/top-cves-trending-with-cybercriminals/167889/

Sonicwall Releases Urgent Notice About 'Imminent' Ransomware Targeting Firmware

Networking device maker SonicWall sent out an urgent notice to its customers about "an imminent ransomware campaign using stolen credentials" that is targeting Secure Mobile Access (SMA) 100 series and Secure Remote Access (SRA) products running unpatched and end-of-life 8.x firmware.

In addition to the notice posted to its website, SonicWall sent an email to anyone using SMA and SRA devices, urging some to disconnect their devices immediately. They worked with Mandiant and other security companies on the issue, according to the release.

https://www.zdnet.com/article/sonicwall-releases-urgent-notice-about-imminent-ransomware-targeting-firmware/

Google Finds Zero-Day Security Flaws In All Your Favourite Browsers

Researchers at Google have shared insight into four zero-day security vulnerabilities in popular web browsers which were exploited in the wild earlier this year.

DIscovered by Google's Threat Analysis Group (TAG), the four vulnerabilities in Google Chrome, Internet Explorer, and WebKit, the browser engine used by Apple's Safari, were used as a part of three different campaigns.

https://www.techradar.com/news/google-finds-zero-day-security-flaws-in-all-your-favorite-browsers

Threats

Ransomware

• Ransomware attackers are growing bolder and using new extortion methods

• REvil ransomware gang's websites vanish soon after Kaseya fiasco, Uncle Sam threatens retaliation

• What it's really like to negotiate with ransomware attackers

• Holding The World To Ransom: Top 5 Online Gangs

• Ransomware demands are digital extortion: don’t pay

• Ransomware recovery: Plan for it now

• Ransomware shows the power and weakness of the web

• This ransomware gang hunts for evidence of crime to pressure victims into paying a ransom

• HelloKitty ransomware now targets VMware ESXi servers

BEC

• Business email compromise (BEC) attacks take phishing to the next level

Phishing

• Kaseya warns of phishing campaign pushing fake security updates

• Phishing, Ransomware Driving Wave of Data Breaches

Other Social Engineering

• Social Engineering Tactics Behind Ransomware

• Propaganda as a Social Engineering Tool

Malware

• Trickbot Malware Rebounds with Virtual-Desktop Espionage Module

• Hackers Spread BIOPASS Malware via Chinese Online Gambling Sites

Mobile

• iOS zero-day let SolarWinds hackers compromise fully updated iPhones

Vulnerabilities

• Microsoft July 2021 Patch Tuesday: 117 vulnerabilities, Pwn2Own Exchange Server bug fixed

• SonicWall vulnerability allows attackers to obtain full control of device and underlying OS

• Microsoft's Emergency Patch Fails to Fully Fix PrintNightmare RCE Vulnerability

• So nice of China to put all of its network zero-day vulns in one giant database no one will think to break into

• Serious Security Vulnerability Hits DrayTek’s UK Fibre Routers

• Kaseya issues patch for on-premise customers, SaaS rollout underway

Data Breaches

• Morgan Stanley suffered data breach of customers after supply chain hack

• Fashion retailer Guess discloses data breach after ransomware attack

• Insurance giant CNA reports data breach after ransomware attack

Organised Crime & Criminal Actors

• SolarWinds 0-day gave Chinese hackers privileged access to customer servers

• Magecart hackers hide stolen credit card data into images and bogus CSS files

Cryptocurrency/Cryptojacking

• Does cyber crime impact crypto currency prices? Researchers find out

Insider Threats

• New Code42 Study Reveals Significant Impact of Insider Risk

Dark Web

• Feds: Dark web operator sought to sell inside information

Supply Chain

• UK food supply chain vulnerable to cyber-attack, expert warns

OT, ICS, IIoT and SCADA

• Vulnerability in Schneider Electric PLCs allows for undetectable remote takeover

• Unpatched Critical RCE Bug Allows Industrial, Utility Takeovers

Nation State Actors

• Fake Zoom App Dropped by New APT ‘Luminous Moth’

• These Iranian hackers posed as academics in a bid to steal email passwords

Privacy

• Threat actors scrape 600 million LinkedIn profiles and are selling the data online – again

User Education, Awareness and Training

• Without training one in three users fall for phishing scams 

Other News

Kaseya's Staff Sounded the Alarm About Security Flaws for Years Before Ransomware Attack

Israeli Firm Helped Governments Target Journalists, Activists with 0-Days and Spyware

Endpoint Detection (alone) won’t protect your organisation from advanced hacking groups

Kaseya hack proves we need better cyber metrics

Instagram's Security Checkup will help users secure their accounts after a hack

79% of organisations identify threat modelling as a top priority in 2021

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.