Threat Intelligence Blog
Contact us to discuss any insights from our Blog, and how we can support you in a tailored threat intelligence report.
Black Arrow Cyber Threat Briefing 03 February 2023
Black Arrow Cyber Threat Briefing 03 February 2023:
-Business Leaders Need a Hands-on Approach to Stop Cyber Crime, Says Spy Chief
-Rising ‘Firebrick Ostrich’ BEC Group Launches Industrial Scale Cyber Attacks
-The Corporate World is Losing its Grip on Cyber Risk
-Microsoft Reveals Over 100 Threat Actors are Deploying Ransomware in Attacks
-Greater Incident Complexity, a Shift in How Threat Actors Use Stolen Data Will Drive the Cyber Threat Landscape in 2023
-The Threat from Within: 71% of Business Leaders Surveyed Think Next Cyber Security Breach Will come from the Inside
-98% of Organisations Have a Supply Chain Relationship That Has Been Breached
-New Survey Reveals 40% of Companies Experienced a Data Leak in the Past Year
-Russian Hackers Launch Cyber Attack on Germany in Leopard Tank Retaliation
-Financial Services Targeted in 28% of UK Cyber Attacks Last Year
-Phishing Attacks are Getting Scarily Sophisticated. Here’s what to Watch Out For
-City of London on High Alert After Ransomware Attack
-Ransomware Conversations: Why the CFO is Pivotal to Discussing and Preparing for Risk
-JD Sports Warns of 10 Million Customers Put at Risk in Cyber Attack
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
Business Leaders Need a Hands-on Approach to Stop Cyber Crime, Says Spy Chief
Business leaders must not see cyber crime as “just a technical issue” that can be left up to IT departments, said Lindy Cameron, chief executive of the National Cyber Security Centre (NCSC). Ms Cameron later commented that “In the world of cyber security, the new year has brought with it some sadly familiar themes - a continuation of cyber incidents affecting organisations large and small as well as the British public”.
Along with this, came the urge for business leaders to step up their efforts in combating cyber crime by taking an active interest and educating themselves on the subject. When commenting upon board members’ level of understanding, Ms Cameron said “I’d also encourage board members to develop a basic understanding of cyber security, which can help when seeking assurances from IT teams about the resilience of an organisation - in a similar way that leaders have a certain level of understanding of finance to assess financial health”.
Rising ‘Firebrick Ostrich’ BEC Group Launches Industrial Scale Cyber Attacks
Business email compromise (BEC) has become one of the most popular methods of financially motivated hacking. And over the past year, one group in particular has demonstrated just how quick, easy, and lucrative it really is.
"Firebrick Ostrich" is a threat actor that's been performing BEC at a near-industrial scale. Since April 2021, the group has carried out more than 350 BEC campaigns, impersonating 151 organisations and utilising 212 malicious domains in the process. This volume of attacks is made possible by the group's wholesale gunslinging approach. Firebrick Ostrich doesn't discriminate much when it comes to targets, or gather exceptional intelligence in order to craft the perfect phishing bait. It throws darts at a wall because, evidently, when it comes to BEC at scale, that's enough.
BEC is attractive to bad actors due to the lower barriers to entry than malware, less risk, faster scaling opportunities, and way more profit potential to higher echelons than other methods of attack. These factors may explain why such attacks are absolutely the emerging trend, potentially even leaving even ransomware in the dust. There are literally hundreds, if not thousands, of these groups out there.
The Corporate World is Losing its Grip on Cyber Risk
Lloyd's of London’s insurance market prides itself on being able to put a price on anything, from Tina Turner’s legs or Bruce Springsteen’s vocal cords, to the risk that a bounty hunter might claim the reward from Cutty Sark Whisky in the 1970s for capturing the Loch Ness monster.
But from the end of March, there will be something it won’t price: systemic cyber risk, or the type of major, catastrophic disruption caused by state-backed cyber warfare. In one sense, this isn’t surprising. Insurance policies typically exclude acts of war. Russia’s NotPetya attack on Ukraine in 2017 showed how state-backed cyber assaults can surpass traditional definitions of armed conflict and overspill their sovereign target to hit global businesses. It caused an estimated $10bn in damages and years of wrangling between companies like pharma group Merck and snack maker Mondelez and their insurers.
But the move is prompting broader questions about the growing pains in this corner of the insurance world. “Cyber insurance isn’t working anywhere at the moment as a public good for society,” says Ciaran Martin, former head of the UK National Cyber Security Centre. “It has a huge role to play in improving defences in a market-based economy and it has been a huge disappointment in that sense so far.”
The Lloyd’s move is designed, say insurers, to clarify rather than restrict coverage. Whether it succeeds is another matter: this is a murky world, where cyber crime groups operate with impunity in certain jurisdictions.
https://www.ft.com/content/78bfdf29-1e20-4c12-a348-06e98d5ae906
Microsoft Reveals Over 100 Threat Actors are Deploying Ransomware in Attacks
Microsoft revealed this week that its security teams are tracking over 100 threat actors deploying ransomware during attacks. In all, the company says it monitors over 50 unique ransomware families, with some of the most prominent ransomware payloads in recent campaigns including Lockbit, BlackCat (aka ALPHV), Play, Vice Society, Black Basta, and Royal.
Microsoft said that defence strategies should focus less on payloads themselves but more on the chain of activities that lead to their deployment, since ransomware gangs are still targeting servers and devices not yet patched against common or recently addressed vulnerabilities.
Furthermore, while new ransomware families launch all the time, most threat actors utilise the same tactics when breaching and spreading through networks, making the effort of detecting such behaviour even more helpful in thwarting their attacks.
Attackers are increasingly relying on tactics beyond phishing to conduct their attacks, with threat actors for example capitalising on recently patched Exchange Server vulnerabilities to hack vulnerable servers and deploy Cuba and Play ransomware.
Ransomware Conversations: Why the CFO is Pivotal to Discussing and Preparing for Risk
With the amount of cyber attacks in all industries, organisations are beginning to grasp the significance of cyber risk and how it is integral to protecting and maintaining an efficient business. In fact, the first half of 2022 alone saw 236.1 million cases of ransomware.
Whilst the expectation for responsibility has typically fallen on Chief Information Security Officers (CISOs), Chief Financial Officers (CFOs) are just as vital in managing cyber risk, which is now inherently also business risk. The CFO plays an important part in determining whether cyber security incidents will become material and affect the business more seriously. Their insight is critical across many areas which include ransomware, cyber insurance, regulatory compliance and budget management.
Greater Incident Complexity, a Shift in How Threat Actors Use Stolen Data Will Drive the Cyber Threat Landscape in 2023
Insurance provider Beazley released their Cyber Services Snapshot Report which claims the cyber security landscape will be influenced by greater complexity and the way threat actors use stolen data. The report also found that as a category, fraudulent instruction experienced a growth as a cause of loss in 2022, up 13% year-over year.
In response to vulnerabilities such as fraudulent instructions, the report suggests organisations must get smarter about educating users to spot things such as spoofed emails or domain names. The report also cautions organisations to watch for social engineering, spear phishing, bypassing of multi-factor authentication (MFA), targeting of managed service providers (MSP) and the compromise of cloud environments as areas of vulnerability.
The Threat from Within: 71% of Business Leaders Surveyed Think Next Cyber Security Breach Will Come from the Inside
A survey conducted by IT provider EisnerAmper found that 71% of business executives worry about accidental internal staff error as one of the top threats facing their organisation and 23% of these worried about malicious intent by an employee. In comparison, 75% of business executives had concerns about external hackers. The survey also asked about current safety measures, with 51% responding that they were “somewhat prepared”. Despite this, only 50% of respondents reported conducting regular cyber security training.
98% of Organisations Have a Supply Chain Relationship That Has Been Breached
A report from SecurityScorecard found that 98% of organisations have a relationship with at least one third party that has experienced a breach in the last two years, while more than 50% have an indirect relationship with more than 200 fourth parties that have been breached. Of course, this is keeping in mind that not all organisations disclose or even know they have been breached.
New Survey Reveals 40% of Companies Experienced a Data Leak in the Past Year
Software provider SysKit has published a report on the effects of digital transformation on IT administrators and the current governance landscape. The report found that 40% of organisations experienced a data leak in the previous year. A data leak can have severe consequences on an organisation's efficiency and the impact can lead to large fines, downtime, and loss of business-critical certifications and customers.
In addition, the Survey found that the biggest challenge for IT administrators was a lack of understanding from superiors, huge workloads and misalignment of IT and business strategies.
Russian Hackers Launch Cyber Attack on Germany in Leopard Tank Retaliation
The websites of key German administrations, including companies and airports, have been targeted by cyber attacks, the German Federal Office for Information Security (BSI) stated.
The BSI commented they had been informed of DDoS (distributed denial of service) attacks “currently in progress against targets in Germany". This was followed by the statement that “Individual targets in the financial sector” and federal government sites were also attacked, with some websites becoming temporarily unavailable. It is believed that this is due to the approved deployment of Leopard 2 tanks to Ukraine, with Russian hacker site Killnet taking credit.
Financial Services Targeted in 28% of UK Cyber Attacks Last Year
Based on data from security provider Imperva, security researchers have identified that over a quarter (28%) of all cyber attacks in the UK hit the financial services and insurance (FSI) industry in the last 12 months. The data also found that Application Programme Interface (API) attacks, malicious automated software and distributed denial of service (DDoS) attacks were the most challenging for the industry. In addition, the data found that roughly 40% of all account takeover attempts were targeted at the FSI industry.
https://www.infosecurity-magazine.com/news/quarter-cyber-attacks-uk-financial/
Phishing Attacks are Getting Scarily Sophisticated. Here’s What to Watch Out For
Hackers are going to great lengths, including mimicking real people and creating and updating fake social media profiles, to trick victims into clicking phishing links and handing over usernames and passwords. The National Cyber Security Centre (NCSC) warns that these phishing attacks are targeting a range of sectors.
The NCSC has also released mitigation advice to help organisations and individuals protect themselves online. The mitigation advice included the use of strong passwords, separate to other accounts; enabling multi-factor authentication (MFA); and applying the latest security updates.
City of London on High Alert After Ransomware Attack
A suspected ransomware attack on a key supplier of trading software to the City of London this week appears to have disrupted activity in the derivatives market. The company impacted, Ion Cleared Derivatives, is investigating. It is reported that 42 clients were impacted by the attack.
https://www.infosecurity-magazine.com/news/city-of-london-high-alert/
JD Sports Warns of 10 Million Customers Put at Risk in Cyber Attack
Sportswear retailer JD Sports said it was the victim of a cyber attack that exposed the data of 10 million customers, in the latest spate of hacks on UK companies.
JD Sports explained that the attack involved unauthorised access to a system that contained “the name, billing address, delivery address, phone number, order details and the final four digits of payment cards”. The data related to customers’ orders made between November 2018 and October 2020, with outdoor gear companies Millets and Blacks also impacted. A full review with cyber security and external specialists is underway.
https://www.ft.com/content/afe00f2f-afcd-478f-9e4d-1cf9c943fa79
Threats
Ransomware, Extortion and Destructive Attacks
City Of London Traders Hit By Russia-Linked Cyber Attack (informationsecuritybuzz.com)
New Nevada Ransomware targets Windows and VMware ESXi systems (bleepingcomputer.com)
US puts a $10m bounty on Hive while Russia shuts down access • The Register
Copycat Criminals mimicking Lockbit gang in northern Europe security affairs
Most criminal cryptocurrency is funneled through just 5 exchanges | Ars Technica
Cyber Attack Hits Derivatives Unit of Trading Software Firm ION - Bloomberg
Regulators weigh in on ION attack as LockBit takes credit • The Register
New Mimic Ransomware Abuses Windows Search Engine (cyber securitynews.com)
Stratford University discloses ransomware attack — but which ransomware attack? (databreaches.net)
Schools don't pay, but ransomware attacks still increasing | TechTarget
Poser Hackers Impersonate LockBit in SMB Cyber attacks (darkreading.com)
Risk & Repeat: The FBI's Hive ransomware takedown | TechTarget
Nevada Ransomware Has Released Upgraded Locker security affairs
LockBit Green ransomware variant borrows code from Conti one security affairs
Arnold Clark customer data stolen in attack claimed by Play ransomware (bleepingcomputer.com)
Ransomware attacks on public sector persist in January | TechTarget
Ransomware attack on data firm ION could take days to fix -sources | Reuters
APT groups use ransomware TTPs as cover for intelligence gathering and sabotage | CSO Online
Phishing & Email Based Attacks
Phishing attacks are getting scarily sophisticated. Here's what to watch out for | ZDNET
Rising ‘Firebrick Ostrich’ BEC Group Launches Industrial-Scale Cyber attacks (darkreading.com)
Porsche halts NFT launch, phishing sites fill the void (bleepingcomputer.com)
Phishers Trick Microsoft Into Granting Them 'Verified' Cloud Partner Status (darkreading.com)
BEC – Business Email Compromise
Other Social Engineering; Smishing, Vishing, etc
2FA/MFA
Malware
How Can Disrupting DNS Communications Thwart a Malware Attack? (darkreading.com)
Hackers use new IceBreaker malware to breach gaming companies (bleepingcomputer.com)
New Threat: Stealthy HeadCrab Malware Compromised Over 1,200 Redis Servers (thehackernews.com)
PoS malware can block contactless payments to steal credit cards (bleepingcomputer.com)
HeadCrab malware targets Redis to mine cryptocurrency | TechTarget
Malvertising attacks are distributing .NET malware loaders • The Register
Hackers weaponize Microsoft Visual Studio add-ins to push malware (bleepingcomputer.com)
Mobile
Google Fi data breach let hackers carry out SIM swap attacks (bleepingcomputer.com)
Over 1,800 Android phishing forms for sale on cyber crime market (bleepingcomputer.com)
Mobile phone fraud: 'They stole £22,500 using my banking app' - BBC News
Botnets
Denial of Service/DoS/DDOS
Killnet Attackers DDoS US and Dutch Hospitals - Infosecurity Magazine (infosecurity-magazine.com)
New DDoS-as-a-Service platform used in recent attacks on hospitals (bleepingcomputer.com)
Internet of Things – IoT
IoT, connected devices biggest contributors to expanding application attack surface | CSO Online
European IoT Manufacturers Lag in Vulnerability Disclosure (databreachtoday.co.uk)
Anker finally comes clean about its Eufy security cameras - The Verge
Data Breaches/Leaks
JD Sports warns data of 10mn customers put at risk in cyber attack | Financial Times (ft.com)
New Survey Reveals 40% of Companies Experienced a Data Leak in the Past Year (darkreading.com)
Planet Ice hacked! 240,000 skating fans' details stolen (bitdefender.com)
Organised Crime & Criminal Actors
Cyber crime job ads on the dark web pay up to $20k per month (bleepingcomputer.com)
Most criminal cryptocurrency is funneled through just 5 exchanges | Ars Technica
Cyber crime Ecosystem Spawns Lucrative Underground Gig Economy (darkreading.com)
Cyber crime job ads on the dark web pay up to $20k per month (bleepingcomputer.com)
Developers, Attackers Top List of Most In Demand Dark Web Jobs, Kaspersky Reports - MSSP Alert
Report on hackers' salaries shows poor wages for developers • The Register
6 Examples of the Evolution of a Scam Site (darkreading.com)
Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain
Most criminal cryptocurrency is funneled through just 5 exchanges | Ars Technica
FBI: North Korea’s Lazarus Group behind $100m crypto attack • The Register
Oxford student jailed for £2m crypto theft after PhD blunder | News | The Times
Porsche halts NFT launch, phishing sites fill the void (bleepingcomputer.com)
Crypto theft: North Korea-linked hackers stole $1.7b in 2022 - BBC News
HeadCrab malware targets Redis to mine cryptocurrency | TechTarget
Insider Risk and Insider Threats
Insider attacks becoming more frequent, more difficult to detect - Help Net Security
Are Your Employees Thinking Critically About Their Online Behaviours? (darkreading.com)
The next cyber threat may come from within - Help Net Security
Insider threats: The cyber risks lurking in the dark (betanews.com)
Former Ubiquiti dev pleads guilty to data theft, extortion • The Register
Fraud, Scams & Financial Crime
FBI: North Korea’s Lazarus Group behind $100m crypto attack • The Register
Oxford student jailed for £2m crypto theft after PhD blunder | News | The Times
Porsche halts NFT launch, phishing sites fill the void (bleepingcomputer.com)
Russian Millionaire on Trial in Hack, Insider Trade Scheme - SecurityWeek
6 Examples of the Evolution of a Scam Site (darkreading.com)
Mobile phone fraud: 'They stole £22,500 using my banking app' - BBC News
Crypto theft: North Korea-linked hackers stole $1.7b in 2022 - BBC News
Romance fraud losses rose 91% during the pandemic, claims UK's TSB bank | Tripwire
Romance Fraudsters Have Stolen £65m From Brits Since 2020 (informationsecuritybuzz.com)
Impersonation Attacks
AML/CFT/Sanctions
Insurance
Dark Web
There’s a Wild Scramble for Control of the Dark Web Taking Place in Russia (vice.com)
Cyber crime job ads on the dark web pay up to $20k per month (bleepingcomputer.com)
Developers, Attackers Top List of Most In Demand Dark Web Jobs, Kaspersky Reports - MSSP Alert
Report on hackers' salaries shows poor wages for developers • The Register
Supply Chain and Third Parties
98% of Firms Have a Supply Chain Relationship That Has Been Breached: Analysis - SecurityWeek
Cyber attack Impact “Catastrophic” for Third Parties, New Study Finds MSSPs at Risk? - MSSP Alert
New “MITRE ATT&CK-like” framework outlines software supply chain attack TTPs | CSO Online
CISA to Open Supply Chain Risk Management Office (darkreading.com)
Cloud/SaaS
Misconfiguration and vulnerabilities biggest risks in cloud security: Report | CSO Online
Hybrid cloud storage security challenges - Help Net Security
Short-staffed SOCs struggle to gain visibility into cloud activities - Help Net Security
Containers
Encryption
Serious Security: The Samba logon bug caused by outdated crypto – Naked Security (sophos.com)
Encryption Explained: At Rest, In Transit & End-To-End Encryption | Splunk
Cyber Insights 2023 | Quantum Computing and the Coming Cryptopocalypse - SecurityWeek
API
The emergence of trinity attacks on APIs - Help Net Security
API management (APIM): What It Is and Where It’s Going security affairs
Open Source
Passwords, Credential Stuffing & Brute Force Attacks
Bitwarden Password Manager users are being targeted by phishing ads on Google- gHacks Tech News
KeePass disputes vulnerability allowing stealthy password theft (bleepingcomputer.com)
Social Media
Inside TikTok’s proposal to address US national security concerns | CyberScoop
Facebook Bug Allows 2FA Bypass Via Instagram (darkreading.com)
Malvertising
Training, Education and Awareness
Regulations, Fines and Legislation
Regulators weigh in on ION attack as LockBit takes credit • The Register
New UN cyber crime convention has a long way to go in a tight timeframe | CSO Online
Governance, Risk and Compliance
Business leaders need hands-on approach to stop cyber crime, says spy chief (telegraph.co.uk)
New Survey Reveals 40% of Companies Experienced a Data Leak in the Past Year (darkreading.com)
70% of CIOs anticipate their involvement in cyber security to increase - Help Net Security
Cyber security Budgets Are Going Up. So Why Aren't Breaches Going Down? (thehackernews.com)
The corporate world is losing its grip on cyber risk | Financial Times (ft.com)
Careers, Working in Cyber and Information Security
The Effect of Cyber security Layoffs on Cyber security Recruitment - SecurityWeek
Economic headwinds could deepen the cyber security skills shortage | CSO Online
Law Enforcement Action and Take Downs
7 Ways Hive Ransomware Gang Caused Chaos Before FBI Hacked It (gizmodo.com)
US puts a $10m bounty on Hive while Russia shuts down access • The Register
Hacker accused of having stolen personal data of all Austrians security affairs
Risk & Repeat: The FBI's Hive ransomware takedown | TechTarget
Privacy, Surveillance and Mass Monitoring
On Data Privacy Day, Organisations Fail Data Privacy Expectations (darkreading.com)
Hacker accused of having stolen personal data of all Austrians security affairs
Enterprises Need to Do More to Assure Consumers About Privacy (darkreading.com)
Artificial Intelligence
Foreign states already using ChatGPT maliciously, UK IT leaders believe | CSO Online
OpenAI releases tool to detect AI-written text (bleepingcomputer.com)
Reality check: Is ChatGPT really the next big cyber security threat? | CyberScoop
Misinformation, Disinformation and Propaganda
Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine
Iranian APT Leaks Data From Saudi Arabia Government Under New Persona - SecurityWeek
Ukraine Links Media Centre Attack to Russian Intelligence (govinfosecurity.com)
Russia-Linked APT29 Uses New Malware in Embassy Attacks - SecurityWeek
Russia's Sandworm APT Launches Swarm of Wiper Attacks in Ukraine (darkreading.com)
Russia-linked Hackers Launch DDoS Attacks on Germany and US. Hospitals, Threaten Canada - MSSP Alert
Latvia says Russian hackers tried to phish its Ministry of Defence (bitdefender.com)
Inside Killnet: Pro-Russia Hacktivist Group's Support and Influence Grows (darkreading.com)
Crypto theft: North Korea-linked hackers stole $1.7b in 2022 - BBC News
North Korean hackers stole research data in two-month-long breach (bleepingcomputer.com)
APT groups use ransomware TTPs as cover for intelligence gathering and sabotage | CSO Online
Nation State Actors
Nation State Actors – Russia
Russian Nuisance Hacking Group KillNet Targets Germany (govinfosecurity.com)
Russian hackers launch cyber attack on Germany in Leopard retaliation | Euronews
Ukraine Links Media Centre Attack to Russian Intelligence (govinfosecurity.com)
A Link to News Site Meduza Can (Technically) Land You in Russian Prison | WIRED
Russia-Linked APT29 Uses New Malware in Embassy Attacks - SecurityWeek
Russia's Sandworm APT Launches Swarm of Wiper Attacks in Ukraine (darkreading.com)
Russia-linked Hackers Launch DDoS Attacks on Germany and US. Hospitals, Threaten Canada - MSSP Alert
Latvia says Russian hackers tried to phish its Ministry of Defence (bitdefender.com)
Killnet Attackers DDoS US and Dutch Hospitals - Infosecurity Magazine (infosecurity-magazine.com)
IT Army of Ukraine gained access to 1.5GB archive from Gazprom security affairs
There’s a Wild Scramble for Control of the Dark Web Taking Place in Russia (vice.com)
Inside Killnet: Pro-Russia Hacktivist Group's Support and Influence Grows (darkreading.com)
Nation State Actors – China
Google deletes 50,000 pro-China fake-news vids and blogs • The Register
TikTok CEO to testify before US. Congress over security concerns | Reuters
Nation State Actors – North Korea
FBI: North Korea’s Lazarus Group behind $100m crypto attack • The Register
Crypto theft: North Korea-linked hackers stole $1.7b in 2022 - BBC News
North Korean hackers stole research data in two-month-long breach (bleepingcomputer.com)
Nation State Actors – Iran
Nation State Actors – Misc
Vulnerability Management
The future of vulnerability management and patch compliance - Help Net Security
What is the CVSS (Common Vulnerability Scoring System)? (techtarget.com)
Vulnerabilities
Researchers to release VMware vRealize Log RCE exploit, patch now (bleepingcomputer.com)
Patch management is crucial to protect Exchange servers, Microsoft warns security affairs
QNAP Fixes Critical Vulnerability in NAS Devices with Latest Security Updates (thehackernews.com)
Over 29,000 QNAP devices unpatched against new critical flaw (bleepingcomputer.com)
Firmware Flaws Could Spell 'Lights Out' for Servers (darkreading.com)
Why you might not be done with your January Microsoft security patches | CSO Online
HPE, NetApp warn of critical open-source bug | SC Media (scmagazine.com)
High-severity bug in F5 BIG-IP can lead to code execution and DoS security affairs
Cisco fixes bug allowing backdoor persistence between reboots (bleepingcomputer.com)
CISA Alert: Oracle E-Business Suite and SugarCRM Vulnerabilities Under Attack (thehackernews.com)
Threat activity increasing around Fortinet VPN vulnerability | TechTarget
Remote code execution exploit chain available for VMware vRealize Log Insight | CSO Online
Tools and Controls
Other News
We can't rely on goodwill to protect our critical infrastructure - Help Net Security
Playing Military Sim War Thunder May Get You Classed as a National Security Risk
Cyber attacks in space: How safe are our satellites? | Metro News
Massive Microsoft 365 outage caused by WAN router IP change (bleepingcomputer.com)
Sector Specific
Industry specific threat intelligence reports are available.
Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.
· Automotive
· Construction
· Critical National Infrastructure (CNI)
· Defence & Space
· Education & Academia
· Energy & Utilities
· Estate Agencies
· Financial Services
· FinTech
· Food & Agriculture
· Gaming & Gambling
· Government & Public Sector (including Law Enforcement)
· Health/Medical/Pharma
· Hotels & Hospitality
· Insurance
· Legal
· Manufacturing
· Maritime
· Oil, Gas & Mining
· OT, ICS, IIoT, SCADA & Cyber-Physical Systems
· Retail & eCommerce
· Small and Medium Sized Businesses (SMBs)
· Startups
· Telecoms
· Third Sector & Charities
· Transport & Aviation
· Web3
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Threat Briefing 10 June 2022
Black Arrow Cyber Threat Briefing 10 June 2022
-Business Email Compromise (BEC) Attacks Have Risen 53% Year-Over-Year
-Ransomware Attacks Setting New Records
-Hackers Are Now Hiding Inside Networks for Longer. That's Not a Good Sign
-Paying Ransomware Paints Bigger Bullseye on Target’s Back
-Organisations Fix Only 1 in 10 Vulnerabilities Monthly
-Cyber Attack Surface "Spiralling Out of Control"
-Phishing Hits All-Time High in Q1 2022
-Ransomware's ROI Retreat Will Drive More BEC Attacks
-The Real Cost of Cyber Attacks: What Organisations Should Be Prepared For
-Why Smishing and Vishing Attempts Surged In 2021?
-Know Your Enemy! Learn How Cyber Crime Adversaries Get In…
-Small Businesses Struggle with an Increase in Cyber Attacks
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
Business Email Compromise (BEC) Attacks Have Risen 53% Year-Over-Year
Armorblox released a report which highlights the use of language-based attacks that bypass existing email security controls. The report uncovers how the continued increase in remote working has made critical business workflows even more vulnerable to new forms of email-based attacks, often resulting in financial fraud or credential theft.
Language-based attacks have become the new normal for business email compromise (BEC) with 74% of these attacks using language as the main attack vector.
Security teams spend a massive amount of time configuring rules and exceptions in their email security solutions to block impersonation emails – both for executives and other employees. Despite all of that manual work and rule writing, 70% of impersonation emails evaded email security controls.
https://www.helpnetsecurity.com/2022/06/06/language-based-attacks-email-video/
Ransomware Attacks Setting New Records
Zscaler released the findings of its annual ThreatLabz Ransomware Report, which revealed an 80 percent increase in ransomware attacks year-over-year.
In 2022, the most prevalent ransomware trends include double-extortion, supply chain attacks, ransomware-as-a-service, ransomware rebranding, and geo-political incited ransomware attacks. The report details which industries are being targeted the most by cyber criminals, explains the damage caused by double-extortion and supply chain attacks, and catalogues the most active ransomware groups operating today.
Modern ransomware attacks require a single successful asset compromise to gain initial entry, move laterally, and breach the entire environment, making legacy VPN and flat networks extremely vulnerable. Attackers are finding success exploiting weaknesses across businesses’ supply chains as well as critical vulnerabilities like Log4Shell, PrintNightmare, and others. And with ransomware-as-a-service available on the darkweb, more and more criminals are turning to ransomware, realising that the odds of receiving a big payday are high.
The tactics and scope of ransomware attacks have been steadily evolving, but the end goal continues to be a disruption of the target organisation and theft of sensitive information for the purposes of ransom. The size of the ransom often depends on the number of systems infected and the value of the data stolen: the higher the stakes, the higher the payment. In 2019, many ransomware groups updated their tactics to include data exfiltration, commonly referred to as a ‘double extortion’ ransomware.
https://www.helpnetsecurity.com/2022/06/07/ransomware-attacks-increase/
Hackers Are Now Hiding Inside Networks for Longer. That's Not a Good Sign
Cyber criminals are spending more time inside networks before they're discovered, and that's allowing them to do more damage.
The amount of time cyber criminal intruders are spending inside victims' networks is increasing, providing them with the ability to carry out higher complexity campaigns and more damaging cyber attacks.
According to analysis by cyber security researchers at Sophos, who examined incidents targeting organisations around the world and across a wide range of industry sectors, the median dwell time that cyber criminals spend inside compromised networks is now 15 days, up from 11 days the previous year.
Dwell time is the amount of time hackers are inside the network before they're discovered or before they leave – and being able to spend an increased amount of time inside a compromised network undetected means they're able to more carefully conduct malicious activity, such as monitoring users, stealing data or laying the foundations for a malware or ransomware attack.
Paying Ransomware Paints Bigger Bullseye on Target’s Back
Ransomware attackers often strike targets twice, regardless of whether the ransom was paid.
Paying ransomware attackers doesn’t pay off and often paints a bigger target on a victim’s back. Eighty percent of ransomware victims that paid their attackers were hit a second time by the malware scourge.
New ransomware numbers come from a Cybereason’s April ransomware survey of 1,456 cyber security professionals. According to the gated report (registration required), victims that were successfully extorted were not only targeted a second time, but frequently data encrypted by criminals later became unusable during the decryption process because of corruption issues.
The fact that ransomware gangs strike so quickly a second and third time isn’t surprising, because they will try to profit in any possible way so why not hit the same company, demand a higher ransom, and get paid again?
https://threatpost.com/paying-ransomware-bullseye-back/179915/
Organisations Fix Only 1 in 10 Vulnerabilities Monthly
New research from SecurityScorecard features a couple of eye-popping “only” findings: Only 10 percent of vulnerabilities are remediated each month, and only 60 percent of companies have improved their security profile despite a 15-fold increase in the number of cyber incidents in the last three years.
That’s not good. The research, which sought to measure how long it took the 1.6 million organisations assessed to remediate vulnerabilities in the three-year period from 2019 to 2022, also found the following:
· 53% had at least one exposed vulnerability to the internet, while 22% of organisations amassed more than 1,000 vulnerabilities each, confirming more progress is required to protect organisations’ critical assets.
· The financial sector is among the slowest remediation rates (median to fix 50% = 426 days), while utilities ranked among the fastest (median = 270 days).
· Despite a 15-fold increase in exploitation activity for vulnerabilities with published exploit code, there was little evidence that organisations in the financial sector fixed exploited flaws faster.
· The IT sector (62.6%) and public sector (61.6%) had the highest prevalence of open vulnerabilities.
· The financial sector (48.6%) exhibited the lowest proportion of open vulnerabilities; however, there is less than a 10% difference between this and other sectors in terms of industries with the most open vulnerabilities.
· It typically takes organisations 12 months to remediate half of the vulnerabilities in their internet-facing infrastructure.
· When firms have fewer than 10 open vulnerabilities, it can take about a month to close just half of them, but when the list grows into the hundreds, it takes up to a year to reach the halfway point.
Cyber Attack Surface "Spiralling Out of Control"
Global organisations are still beset with cyber visibility and control challenges, with two-fifths (43%) admitting their digital attack surface is out of control as a result, according to new Trend Micro research.
The security vendor polled over 6200 IT and business decision-makers to compile its new study, ‘Mapping the digital attack surface: Why global organisations are struggling to manage cyber risk’.
It revealed that nearly three-quarters (73%) are concerned about the increasing size of their attack surface. Over a third (37%) said it is “constantly evolving and messy,” and just half (51%) thought they were able to fully define its extent.
These visibility challenges are greatest in cloud environments, although problems persist across the board. The report highlights complex supply chains, tool bloat and home working-driven shadow IT as additional contributory factors.
On average, respondents estimated having just 62% visibility of their attack surface.
https://www.infosecurity-magazine.com/news/cyberattack-surface-out-of-control/
Phishing Hits All-Time High in Q1 2022
The first quarter of 2022 saw phishing attacks hit a record high, topping one million for the first time, according to data from the Anti Phishing Working Group (APWG).
The industry, law enforcement and government coalition’s new Phishing Activity Trends Report also revealed that March was the worst month on record for phishing, with 384,291 attacks detected.
The financial sector was the worst hit, accounting for 24% of all detected attacks, although webmail and SaaS providers were also popular targets.
Attacks spoofing retailers dropped 17% from the previous quarter to 15% following the busy holiday shopping season, while those against social media services rose significantly, from nearly 9% percent of all attacks to 13% over the same period.
https://www.infosecurity-magazine.com/news/phishing-hits-all-time-high-q1/
Ransomware's ROI Retreat Will Drive More BEC Attacks
Law enforcement crackdowns, tighter cryptocurrency regulations, and ransomware-as-a-service (RaaS) operator shutdowns are driving down the return on investment for ransomware operations across the globe.
A presentation at the RSA Conference last week laid out analysis of the ransomware threat landscape, predicting that there will be a pivot from ransomware toward renewed interest in basic business email compromise (BEC) attacks in the next 6 to 12 months.
Ransomware attacks grab headlines and have been supercharged by a few prolific RaaS operators, but crackdowns on just one group can make an enormous dent.
Ransomware is a centralised ecosystem with small numbers of operators responsible for the majority of attacks.
The recent disappearance of Pysa, left just two groups, Conti and Lockbit, with more than 50% of the share of the total ransomware attacks in the first half of 2022. BEC groups, on the other hand, are diffuse and scattered, making them much harder to eradicate.
Although they're not as quick to make the headlines, BEC attacks have cost business more than $43 billion since 2016, according to the FBI, and make up $1 out of every $3 lost to cyber attacks, far outpacing ransomware losses.
Ransomware has had a moment over the past couple of years, in part because once threat actors were able to abandon arcane wire transfers to collect ransoms and rely on cryptocurrency, caps on transactions were lifted and it became simple to collect much larger amounts. But new crypto regulations are chilling the ability of these cyber criminals to rely on its infrastructure to do business, adding "friction" to the transactions.
BEC attacks, by comparison, rely on social engineering to corrupt a business's financial supply chain to get employees to willingly part with the cash, making them exponentially harder to track and stop.
The Real Cost of Cyber Attacks: What Organisations Should Be Prepared For
With each passing year, hackers and cyber criminals of all kinds are becoming more sophisticated, malicious, and greedy conducting brazen and often destructive cyber-attacks that can severely disrupt a company’s business operations. And this is a big problem, because, first and foremost, customers rely on a company’s ability to deliver services or products in a timely manner. Cyber attacks not only can affect customers’ data, but they can impact service delivery.
Data breaches and costs associated with them have been on the rise for the past few years, but, according to a 2021 report, the average cost per breach increased from $3.86 million in 2020 to $4.24 million in 2021. The report also identified four categories contributing most global data breach costs – Lost business cost (38%), Detection and escalation (29%), Post breach response (27%), and Notification (6%).
Ransomware attacks cost an average of $4.62 million (the cost of a ransom is not included), and destructive wiper-style attacks cost an average of $4.69 million, the report said.
For a business, a data breach is not just a loss of data, it can also have a long-lasting impact on operations and undermine customers’ trust in the company. In fact, a survey revealed that 87% of consumers are willing to take their business elsewhere if they don’t trust a company is handling their data responsibly. Therefore, the reputational damage might be detrimental to a business’ ability to attract new customers.
Why Smishing and Vishing Attempts Surged In 2021
In The Human Factor Report 2022, security vendor Proofpoint found that SMS phishing (smishing) attacks more than doubled year-on-year in 2021. The report is based on their analysis of over 2.6 billion email messages, 49 billion URLs, 1.9 billion attachments, 28 million cloud accounts and 1.7 billion mobile messages.
The study details the most common attack surfaces and methods including categories of risk, vulnerabilities, attacks, Russian Aligned APT’s, and Privilege as a vector.
Key Findings:
Managers and executives make up only 10% of users, but almost 50% of the most severe attack risk
Attackers attempt to initiate more than 100,000 telephone-oriented attacks every day.
Malicious URLS are 3-4x more common than malicious attachments.
Smishing attempts more than doubled in the US over the year, while in the UK over 50% of lures are themed around delivery notification.
More than 20 million messages attempted to deliver malware linked to eventual ransomware attack
Data loss prevention alerts have stabilised as businesses adopt permanent hybrid work models.
80% of businesses are attacked by a compromised supplier account in any given month.
35% of cloud tenants that received a suspicious login also saw suspicious post-access activity.
Know Your Enemy! Learn How Cyber Crime Adversaries Get In…
Cyber security vendor Sophos dug into the incident reports of 144 real-life cyber attacks investigated by its Rapid Response team during 2021.
What they found might not surprise you, but it’s vital information nevertheless, because it’s what really happened, not merely what might have.
Notably:
Unpatched vulnerabilities were the entry point for close to 50% of the attackers.
Attackers stuck around for more than a month on average when ransomware wasn’t their primary goal.
Attackers were known to have stolen data in about 40% of incidents. (Not all data thefts can be proved, of course, given that there isn’t a gaping hole where your copy of the data used to be, so the true number could be much higher.)
RDP was abused to circumnavigate the network by more than 80% of attackers once they’d broken in.
Intriguingly, if perhaps unsurprisingly, the smaller the organisation, the longer the crooks had generally been in the network before anyone noticed and decided it was time to kick them out.
In businesses with 250 staff and below, the crooks stuck around (in the jargon, this is known by the quaintly archaic automotive metaphor of dwell time) for more than seven weeks on average.
This compared with an average dwell time of just under three weeks for organisations with more than 3000 employees.
As you can imagine, however, ransomware criminals typically stayed hidden for much shorter periods (just under two weeks, instead of just over a month), not least because ransomware attacks are inherently self-limiting.
After all, once ransomware crooks have scrambled all your data, they’re out of hiding and straight into their in-your-face blackmail phase.
https://nakedsecurity.sophos.com/2022/06/07/know-your-enemy-learn-how-cybercrime-adversaries-get-in/
Small Businesses Struggle with an Increase in Cyber Attacks
Part of the problem: They don’t believe they are targets, so they don’t make security a priority. Cyber attacks are becoming more common for small businesses, and many aren’t prepared to deal with an attack.
As small businesses have accelerated their adoption of new technologies for remote work, communication, production and sales during the pandemic, their expanded computer networks have created new vulnerabilities to phishing and ransomware attacks. But many small businesses still don’t expect to be targeted by hackers, so preparing for a cyber attack is well down their list of priorities.
https://www.wsj.com/articles/small-business-cyberattacks-increase-11654540786
Threats
Ransomware
Ransomware attacks have increased by 80% year-over-year - Help Net Security
How the Russia-Ukraine war makes ransomware payments harder | CSO Online
How Poor Communication Opens the Door to Ransomware and Extortion (darkreading.com)
Cuba ransomware returns to extorting victims with updated encryptor (bleepingcomputer.com)
Vice Society gang adds the Italian City of Palermo to its data leak site - Security Affairs
Qbot - known channel for ransomware - delivered via phishing and Follina exploit - Help Net Security
Black Basta Ransomware Targets ESXi Servers in Active Campaign (darkreading.com)
Mandiant: Cyber extortion schemes increasing pressure to pay (techtarget.com)
Roblox Game Pass store used to sell ransomware decryptor (bleepingcomputer.com)
Costa Rican government held up by ransomware … again • The Register
BEEF ALERT: Ransomware Group Very Mad at Being Associated with Lavish Russian Hackers (vice.com)
Ransomware Pressure Forcing UK CISOs to Consider Quitting - Infosecurity Magazine
BEC – Business Email Compromise
Phishing & Email Based Attacks
Evasive phishing mixes reverse tunnels and URL shortening services (bleepingcomputer.com)
Proofpoint: We Block Up to Two Million Extortion Emails Daily - Infosecurity Magazine
Massive Facebook Messenger phishing operation generates millions (bleepingcomputer.com)
Facebook phishing campaign nets millions in IDs and cash • The Register
Other Social Engineering
Malware
Symantec sees more malware operators exploiting Follina • The Register
Potent Emotet Variant Spreads Via Stolen Email Credentials | Threatpost
Symbiote Malware Poses Stealthy, Linux-Based Threat to Financial Industry (darkreading.com)
This advanced new malware strain leaves you practically defenceless | TechRadar
MacOS malware attacks slipping through the cracks (techtarget.com)
11 infamous malware attacks: The first and the worst | CSO Online
9 types of computer virus and how they do their dirty work | CSO Online
Mobile
IoT
New Privacy Framework for IoT Devices Gives Users Control Over Data Sharing (thehackernews.com)
How to Compromise a Printer in Three Simple Steps | CrowdStrike
Data Breaches/Leaks
Organised Crime & Criminal Actors
Cryptocurrency/Cryptomining/Cryptojacking/NFTs
Researchers Detail How Cyber Criminals Targeting Cryptocurrency Users (thehackernews.com)
7 NFT Scams That Could Be Targeting Your Brand (darkreading.com)
Hackers stole +$250,000 in Ethereum from Bored Ape Yacht ClubSecurity Affairs
Fraud, Scams & Financial Crime
Pandemic-related identity fraud: How serious is it? - Help Net Security
Apple Release 2021 Fraud Prevention Analysis- IT Security Guru
AML/CFT/Sanctions
Insurance
Dark Web
Software Supply Chain
82% of CIOs believe their software supply chains are vulnerable - Help Net Security
Boards, CEOs demand software supply chain security improvements - Help Net Security
Denial of Service DoS/DDoS
Cloud/SaaS
Cloud Security Tops Ransomware As Primary RSA Conference Attendee Concern - MSSP Alert
Only 13.5% of IT pros have mastered security in the cloud native space - Help Net Security
OMIGOD: Cloud providers still using secret middleware • The Register
Attack Surface Management
Open Source
Privacy
Researchers Find Bluetooth Signals Can be Fingerprinted to Track Smartphones (thehackernews.com)
New Privacy Framework for IoT Devices Gives Users Control Over Data Sharing (thehackernews.com)
Parental Controls and Child Safety
Law Enforcement Action and Take Downs
Spyware, Espionage & Cyber Warfare, including Russian Invasion of Ukraine
“Cyber Spetsnaz” is Attacking Government Agencies - Security Affairs
Russian Ministry Website Reportedly Hacked- IT Security Guru
Ordinary Ukrainians wage war with digital tools and drones | Financial Times (ft.com)
Ukraine's secret cyber-defence: Excellent backups • The Register
Major DDoS attacks increasing after invasion of Ukraine (techtarget.com)
Nation State Actors
Nation State Actors – Russia
Russia escalates threats against West in response to cyber attacks - CyberScoop
Russia, China, oppose US cyber support of Ukraine • The Register
Nation State Actors – China
Russia, China, oppose US cyber support of Ukraine • The Register
Chinese hacking group Aoqin Dragon quietly spied orgs for a decade (bleepingcomputer.com)
People’s Republic of China State-Sponsored Cyber Actors Exploit Network Providers and Devices | CISA
US: Chinese govt hackers breached telcos to snoop on network traffic (bleepingcomputer.com)
Nation State Actors – Iran
Microsoft seized 41 domains used by Iran-linked Bohrium APT - Security Affairs
Iranian hackers target energy sector with new DNS backdoor (bleepingcomputer.com)
Nation State Actors – Misc APT
Vulnerability Management
Vulnerabilities
Windows zero-day exploited in US local govt phishing attacks (bleepingcomputer.com)
DogWalk zero-day Windows bug receives patch - but not from Microsoft (bitdefender.com)
Chrome 102 Update Patches High-Severity Vulnerabilities | SecurityWeek.Com
NSA, FBI warning: Hackers are using these flaws to target VPNs and network devices | ZDNet
Ubuntu Users Get a Massive Linux Kernel Update, 35 Security Vulnerabilities Patched - 9to5Linux
Critical U-Boot Vulnerability Allows Rooting of Embedded Systems | SecurityWeek.Com
Sector Specific
Financial Services Sector
Telecoms
US: Chinese govt hackers breached telcos to snoop on network traffic (bleepingcomputer.com)
People’s Republic of China State-Sponsored Cyber Actors Exploit Network Providers and Devices | CISA
Health/Medical/Pharma Sector
Healthcare-specific cyber security problems and how to address them - Help Net Security
Data for 2 million patients stolen in largest healthcare breach so far of 2022 (scmagazine.com)
Retail/eCommerce
Energy & Utilities
Iranian hackers target energy sector with new DNS backdoor (bleepingcomputer.com)
US Water Utilities Prime Cyber Attack Target, Experts | Threatpost
Education and Academia
Reports Published in the Last Week
Other News
This hacking group quietly spied on their targets for 10 years | ZDNet
Identity-based Attacks and Living-of-the-land Tactics Represent Top Threats - MSSP Alert
Over Half of CISOs Struggling for Board Investment - Infosecurity Magazine
Cisco EVP: Cyber security poverty line is human-rights issue • The Register
Top three most critical areas of web security - Help Net Security
How the Colonial Pipeline attack has changed cyber security | CSO Online
Five Eyes alliance’s top cop: tech is the future of Policing • The Register
An Emerging Threat: Attacking 5G Via Network Slices (darkreading.com)
How AI Is Useful — and Not Useful — for Cyber security (darkreading.com)
Only 43% of security pros can respond to critical alerts in less than an hour - Help Net Security
Now Is the Time to Plan for Post-Quantum Cryptography (darkreading.com)
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.