Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

Double Extortion Ransomware Victims Soar 935%

Researchers have recorded a 935% year-on-year increase in double extortion attacks, with data from over 2300 companies posted onto ransomware extortion sites.

Group-IB’s Hi-Tech Crime Trends 2021/2022 report covers the period from the second half of 2020 to the first half of 2021.

During that time, an “unholy alliance” of initial access brokers and ransomware-as-a-service (RaaS) affiliate programs has led to a surge in breaches, it claimed.

In total, the number of breach victims on ransomware data leak sites surged from 229 in the previous reporting period to 2371, Group-IB noted. During the same period, the number of leak sites more than doubled to 28, and the number of RaaS affiliates increased 19%, with 21 new groups discovered.

Group-IB warned that, even if victim organisations pay the ransom, their data often end up on these sites.

https://www.infosecurity-magazine.com/news/double-extortion-ransomware-soar/

MI6 Boss: Digital Attack Surface Growing "Exponentially"

Head of the Secret Intelligence Service (SIS), Richard Moore, explained in a rare speech this week that, unlike the character Q from the James Bond films, even MI6 cannot source all of its tech capabilities in-house.

New partners and tech capabilities will help address MI6’s four key priorities: Russia, China, Iran and global terrorism. It’s a challenge made more acute as technology rapidly advances, he said.

“The ‘digital attack surface’ that criminals, terrorists and hostile states threats seek to exploit against us is growing exponentially. We may experience more technological progress in the next ten years than in the last century, with a disruptive impact equal to the industrial revolution,” Moore argued.

https://www.infosecurity-magazine.com/news/mi6-digital-attack-surface-growing/

How Phishing Kits Are Enabling A New Legion Of Pro Phishers

Some cybercriminals are motivated by political ideals, others by malice or mischief, but most are only interested in cold, hard cash. To ensure their criminal endeavours are profitable, they need to balance the potential payday against the time, resources and risk required.

It’s no wonder then that so many use phishing as their default attack method. Malicious emails can be used to reach many targets with relative ease, and criminals can purchase ready-made phishing kits that bundle together everything they need for a lucrative campaign.

https://www.helpnetsecurity.com/2021/12/02/phishing-kits-pro/

Crooks Are Selling Access To Hacked Networks. Ransomware Gangs Are Their Biggest Customers

Dark web forum posts offering compromised VPN, RDP credentials and other ways into networks have tripled in the last year.

There's been a surge in cyber criminals selling access to compromised corporate networks as hackers look to cash in on the demand for vulnerable networks from gangs looking to initiate ransomware attacks.

Researchers at cybersecurity company Group-IB analysed activity on underground forums and said there's been a sharp increase in the number of offers to sell access to compromised corporate networks, with the number of posts offering access tripling between 2020 and 2021

https://www.zdnet.com/article/theres-been-a-big-jump-in-crooks-selling-access-to-hacked-networks-ransomware-gangs-are-their-best-customers/

Omicron Phishing Scam Already Spotted in UK

The global pandemic has provided cover for all sorts of phishing scams over the past couple of years, and the rise in alarm over the spread of the latest COVID-19 variant, Omicron, is no exception.

As public health professionals across the globe grapple with what they fear could be an even more dangerous COVID-19 variant than Delta, threat actors have grabbed the opportunity to turn uncertainty into cash.

UK consumer watchdog “Which?” has raised the alarm that a new phishing scam, doctored up to look like official communications from the National Health Service (NHS), is targeting people with fraud offers for free PCR tests for the COVID-19 Omicron variant

https://threatpost.com/omicron-phishing-scam-uk/176771/

Phishing Remains the Most Common Cause of Data Breaches, Survey Says

Phishing, malware, and denial-of-service attacks remained the most common causes for data breaches in 2021. Data from Dark Reading’s latest Strategic Security Survey shows that more companies experienced a data breach over the past year due to phishing than any other cause. The percentage of organisations reporting a phishing-related breach is slightly higher in the 2021 survey (53%) than in the 2020 survey (51%). The survey found that malware was the second biggest cause of data breaches over the past year, as 41% of the respondents said they experienced a data breach where malware was the primary vector.

https://www.darkreading.com/edge-threat-monitor/phishing-remains-the-most-common-cause-of-data-breaches-survey-says

Ransomware Victims Increase Security Budgets Due To Surge In Attacks

As the end of 2021 approaches, there’s no doubt ransomware became a top cybersecurity concern across multiple industries.  Successful ransomware attacks like the Colonial Pipeline, which took down critical US infrastructure, and Kaseya, which hit over 1,500 companies in a single attack, became a popular topic in the news.

Research conducted by Cymulate, however, shows that despite the increase in the number of attacks this past year, overall victims suffered limited damage in both severity and duration. Potential victims have improved their level of preparedness, with 70% reporting an increase of awareness at the boardroom and business management level. The majority (55%) undertook proactive measures to prevent ransomware attacks before they could cause any significant damage, and many of those respondents (38%) prevented attacks even before they could cause any serious downtime. Only 14% of respondents that experienced an attack were down for a week or more.

https://venturebeat.com/2021/12/03/report-ransomware-victims-increase-security-budgets-due-to-surge-in-attacks/

Control Failures Are Behind A Growing Number Of Cyber Security Incidents

Data from a survey of 1,200 enterprise security leaders reveals that an increase in tools and manual reporting combined with control failures are contributing to the success of threats such as ransomware, which costs organisations an average of $1.85 million in recovery, according to Panaseer.

Currently, only 36% of security leaders feel very confident in their ability to prove controls were working as intended. This is despite 99% of respondents believing it’s valuable to know that all controls are fully deployed and operating within policy, and cybersecurity control failures are currently being listed as the top emerging risk in the latest Gartner Emerging Risks Monitor Report. Attacks only succeed when they hit systems that haven’t been patched or don’t have security controls monitoring them.

https://www.helpnetsecurity.com/2021/12/01/control-failures-cybersecurity/

MI6 Spy Chief Says China, Russia, Iran Top UK Threat List

China, Russia and Iran pose three of the biggest threats to the U.K. in a fast-changing, unstable world, the head of Britain’s foreign intelligence agency said Tuesday.

MI6 chief Richard Moore said the three countries and international terrorism make up the “big four” security issues confronting Britain’s spies.

In his first public speech since becoming head of the Secret Intelligence Service, also known as MI6, in October 2020, Moore said China is the intelligence agency’s “single greatest priority” as the country’s leadership increasingly backs “bold and decisive action” to further its interests.

Calling China “an authoritarian state with different values than ours,” he said Beijing conducts “large-scale espionage operations” against the U.K. and its allies, tries to ”distort public discourse and political decision-making” and exports technology that enables a “web of authoritarian control” around the world.

Moore said the U.K. also continues “to face an acute threat from Russia.” He said Moscow has sponsored killing attempts, such as the poisoning of former spy Sergei Skripal in England in 2018, mounts cyber attacks and attempts to interfere in other countries’ democratic processes.

https://www.securityweek.com/mi6-spy-chief-says-china-russia-iran-top-uk-threat-list

Threats

Ransomware

• Microsoft Exchange Servers Hacked To Deploy BlackByte Ransomware (Bleepingcomputer.Com)

• Ransomware Group Rebrands Multiple Times to Evade Detection - Infosecurity Magazine (infosecurity-magazine.com)

• New Ransomware Variant Could Become Next Big Threat (darkreading.com)

• FBI Says The Cuba Ransomware Gang Made $43.9 Million From Ransom Payments - The Record By Recorded Future

• Yanluowang Ransomware Tied to Thieflock Threat Actor | Threatpost

• Yanluowang Ransomware Operation Matures With Experienced Affiliates (Bleepingcomputer.Com)

• Ransomware Attack On Planned Parenthood Exposes 400,000 Patients' Personal Data - CNN

• Ransomware vs. Cities: A Cyber War (darkreading.com)

Phishing

• APT Groups Adopt New Phishing Method. Will Cybercriminals Follow? (darkreading.com)

• Hackers Increasingly Using RTF Template Injection Technique in Phishing Attacks (thehackernews.com)

• Phishing Kits' Favourite Brand? Amazon - Help Net Security

Malware

• Emotet Now Spreads Via Fake Adobe Windows App Installer Packages (Bleepingcomputer.Com)

• New Malvertising Campaigns Spreading Backdoors, Malicious Chrome Extensions (thehackernews.com)

• Password-Stealing And Keylogging Malware Is Being Spread Through Fake Downloads | ZDNet

• Malware Variants In 2021: Harder To Detect And Respond To - Help Net Security

Mobile

• More Than 300,000 Play Store Users Infected With Android Banking Trojans - The Record By Recorded Future

• Surge Of Info-Stealing Android Malware FluBot Detected Again • The Register

• Fake Support Agents Call Victims To Install Android Banking Malware (Bleepingcomputer.Com)

• Multi-Platform Spyware Tracks Users Across Windows And Android | Techradar

• BEWARE: More Google Play Store Apps are Found to Have Trojan Malware, Per a Kaspersky Malware Analyst | Tech Times

IOT

• HP Patches Wormable Bug Impacting More Than 150 Multi-Functional Printers - The Record By Recorded Future

• IOT Devices Must “Protect Consumers From Cyber Harm”, Says UK Government – Naked Security (Sophos.Com)

Vulnerabilities

• Pretty Much All Wi-Fi Routers Are Vulnerable To Attack, Study Finds | Techradar

• Warning: Yet Another Zoho ManageEngine Product Found Under Active Attacks (thehackernews.com)

• New Ubuntu Linux Kernel Security Patches Address 6 Vulnerabilities, Update Now - 9to5Linux

• Netgear Router Vulnerabilities Affecting SME Products Fixed • The Register

Data Breaches/Leaks

• UK Government Fined £500,000 For New Year Honours Data Breach - BBC News

• Panasonic Discloses Four-Months-Long Data Breach - The Record By Recorded Future

• Misconfigured Database Leaks Data On 300k E-Commerce Buyers - Infosecurity Magazine (Infosecurity-Magazine.Com)

Organised Crime & Criminal Actors

• Russian Bulletproof Hosting Kingpin Gets Five Years - Infosecurity Magazine (infosecurity-magazine.com)

• Europol Arrested 1800 Money Mules As Part Of Anti-Money-Laundering Operation - Security Affairs

Cryptocurrency/Cryptojacking

• Iranians Charged for Cryptojacking After U.S. Firm Gets $760,000 Cloud Bill | SecurityWeek.Com

• Threat Actors Stole $120 M In Crypto From BadgerDAO DeFi Platform - Security Affairs

• Vulnerabilities Exploited for Monero Mining Malware Delivered via GitHub, Netlify (trendmicro.com)

• How Do Criminals Exploit Cryptocurrencies? | Financial Times (ft.com)

Insider Threats

• Man Charged With Ubiquiti Data Breach And Extortion Was Employee Assigned To Investigate Hack (Bitdefender.Com)

Fraud & Financial Crime

• How Criminals Are Using Synthetic Identities for Fraud (darkreading.com)

Insurance

• Lloyd’s Carves Out Cyber-Insurance Exclusions for State-Sponsored Attacks | Threatpost

• Cyber War Victims Might Not Get Payouts – Insurer • The Register

OT, ICS, IIoT and SCADA

• USB Devices the Common Denominator in All Attacks on Air-Gapped Systems (darkreading.com)

Nation State Actors

• MI6 Spy Chief Says China, Russia, Iran Top UK Threat List | SecurityWeek.Com

• Lloyd’s Carves Out Cyber-Insurance Exclusions for State-Sponsored Attacks | Threatpost

• Jumping The Air Gap: 15 Years Of Nation‑State Effort | WeLiveSecurity

• Israel and Iran Broaden Cyberwar to Attack Civilian Targets - The New York Times (nytimes.com)

• APT groups from China, Russia, and India adopt novel attack technique - The Record by Recorded Future

• North Korea-Linked Zinc APT Posed As Samsung Recruiters To Target Security Firms - Security Affairs

Cloud

• These Researchers Wanted To Test Cloud Security. They Were Shocked By What They Found | ZDNet

Parental Controls

• Smartwatches For Children Are A Privacy And Security Nightmare (Bleepingcomputer.Com)

Sector Specific

Retail

• Holiday Season Fraud Fear Higher this Year - Infosecurity Magazine (infosecurity-magazine.com)

• The Cyber Threats Facing Retailers This Holiday Shopping Season (darkreading.com)

Other News

• Hackers Are Guessing Your Credit Card Details - And There's Nothing You Can Do About It | Techradar

• UK Adults ‘Not Concerned’ Over Online Security, Poll Suggests | The Independent

• Nine WiFi Routers Used By Millions Were Vulnerable To 226 Flaws (Bleepingcomputer.Com)

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week 

Ransomware Attacks Soar 288% in First Half of 2021

The number of ransomware attacks surged by 288% between the first and second quarters of 2021 as double extortion attempts grew, according to the latest data.

Nearly a quarter (22%) of data leaks in the second quarter came from the Conti ransomware group, who typically gain initial network access to victim organisations via phishing emails.

It’s an unfortunate fact that no organisation in any sector is safe from ransomware today.

Targets range from IT companies and suppliers to financial institutions and critical national infrastructure providers, with ransomware-as-a-service increasingly being sold by ransomware gangs in a subscription model. https://www.infosecurity-magazine.com/news/ransomware-attacks-soar-half-2021/  

Ransomware Costs Expected To Reach $265 Billion By 2031

Think ransomware is expensive now? It’s not predicted to get any cheaper over the next decade. Ransoms could cost victims a collective total of $265 billion by 2031. The estimate is based on the prediction that the price tag will increase 30% every year over the next 10 years. https://securityintelligence.com/news/ransomware-costs-expected-265-billion-2031/ 

Brute Force Email Attacks and Account Takeover Attempts Rise 671%, Reaching Unprecedented Levels, Causing Financial And Reputational Damage

A new Email Threat Report for Q3 2021 examines the escalating adverse impact of socially-engineered and never-seen-before email attacks, and other advanced email threats—both financial and reputational—to organisations worldwide. The report surveyed advanced email attacks across eight major industry sectors, including retail and consumer goods, manufacturing, technology, energy and infrastructure services, medical, media and television, finance, and hospitality.

The report also finds 61% of organisations experienced a vendor email compromise/supply chain attack in Q2 2021.

Key report findings include:

• 32.5% of all companies were targeted by brute force attacks in early June 2021

• 137 account takeovers occurred per 100,000 mailboxes for members of the C-suite

• 61% of organisations experienced a vendor email compromise attack this quarter

• 22% more business email compromise attacks since Q4 2020

• 60% chance of a successful account takeover each week for organisations with 50,000+ employees

• 73% of all advanced threats were credential phishing attacks

• 80% probability of attack every week for retail and consumer goods, technology, and media and television companies

https://finance.yahoo.com/news/brute-force-email-attacks-account-120100299.html  

Investigation Into Hacked "Map" Of UK Gun Owners

Gun-selling site Guntrader announced a data breach affecting more than 100,000 customers in July. This week, reports emerged that an animal rights activist blog had published the information. The group had formatted the data so it could be easily imported into mapping software to show individual homes. The National Crime Agency, which has been investigating the data breach and its fallout, said it "is aware that information has been published online as a result of a recent data breach which impacted Guntrader". https://www.bbc.co.uk/news/technology-58413847 

Eight US Financial Services Firms Given Six-Figure Fines Over BEC Data Breaches

The US Securities and Exchange Commission (SEC) has sanctioned multiple financial services firms for cyber security failures that led to the compromise of corporate email accounts and the personal data of thousands of individuals. The case was brought after the unauthorised takeover of cloud-based email accounts at Seattle-based KMS Financial Services, and subsidiaries of California-headquartered Cetera Financial Group and Iowa-based Cambridge Investment Group. https://portswigger.net/daily-swig/eight-us-financial-services-firms-given-six-figure-fines-over-bec-data-breaches

Ransomware Has Been A ‘Game Changer’ For Cyber Insurance

Ransomware attacks accounted for nearly one quarter of all cyber incidents globally last year, according to a software company. The researchers “think of December 2019 as the tipping point for when we started to see ransomware take hold”. The U.S. was hit by a barrage of ransomware attacks in 2019 that impacted at least 966 government agencies, educational establishments, and healthcare providers at a potential cost in excess of $7.5 billion. All of this has a massive knock-on affect for the Insurance firms. https://www.insurancejournal.com/news/national/2021/08/30/628672.htm 

Getting Ahead Of A Major Blind Spot For CISOs: Third-Party Risk

For many CISOs and security leaders, it was not long ago that their remit focused on the networks and digital ecosystems for their organisation alone. In today’s digital world, those days are a thing of the past with a growing number of businesses relying on third-party vendors to scale, save time and outsource expertise to stay ahead. With this change, new security risks affiliated with third-party vendors are more prevalent than ever before. https://www.helpnetsecurity.com/2021/09/01/getting-ahead-of-a-major-blind-spot-for-cisos-third-party-risk/ 

WhatsApp Hit With $267 Million GDPR Fine For Bungling User Privacy Disclosure

Ireland’s Data Protection Commission fined Facebook-owned messenger WhatsApp for $225 million for failing to provide users enough information about the data it shared with other Facebook companies.

The fine is the largest penalty that the Irish regulator has waged since the European Union data protection law, the General Data Protection Regulation, or GDPR, went into effect in 2018. https://www.cyberscoop.com/whatsapp-hit-with-267-million-gdpr-fine-for-bungling-user-privacy-disclosure/  

Microsoft Warns About Open Redirect Phishing Campaign

Microsoft’s Security Intelligence team is warning over phishing campaigns using open redirector links, links crafted to subvert normal inspection efforts. Smart users know to hover over links to see where they're going to lead, but these links are prepared for that type of user and display a safe destination designed to lure targets into a false sense of security. Click the link and you'll be redirected to a domain that appears legit (such as a Microsoft 365 login page, for example) and sets the stage for you to voluntarily hand over credentials to bad actors without even realising it until it's too late. https://www.windowscentral.com/microsoft-warns-about-open-redirect-phishing-campaign

Previous Employees With Access To Corporate Data Remain A Threat To Businesses

Offboarding employees securely is a key problem for business leaders, with 40% concerned that employees who leave a company retain knowledge of passwords that grant access to corporate data. This is according to a report, which found few organisations are implementing access management solutions that work with all applications, meaning most lack the ability to revoke access to all corporate data as soon as an employee leaves. https://www.helpnetsecurity.com/2021/09/02/previous-employees-access-data/

BEC Scammers Seek Native English Speakers On Underground

Looking for work? Speak fluent English? Capable of convincingly portraying a professional – as in, somebody a highly ranked corporate leader would talk to? If you lack scruples and disregard those pesky things called “laws,” it could be your lucky day: Cyber Crooks are putting up help-wanted ads, looking for native English speakers to carry out the social-engineering elements of business email compromise (BEC) attacks. https://threatpost.com/bec-scammers-native-english-speakers/169092/

Half Of Businesses Can't Spot These Signs Of Insider Cyber Security Threats

Most businesses are struggling to identify and detect early indicators that could suggest an insider is plotting to steal data or carry out other cyber attacks. Research suggests that over half of companies find it impossible or very difficult to prevent insider attacks. These businesses are missing indicators that something might be wrong. Those include unusual amounts of files being opened, attempts to use USB devices, staff purposefully circumventing security controls, masking their online activities, or moving and saving files to unusual locations. All these and more might suggest that a user is planning malicious activity, including the theft of company data. https://www.zdnet.com/article/half-of-businesses-cant-spot-these-signs-of-insider-cybersecurity-threats/

Threats

Ransomware

• Conti Ransomware Now Hacking Exchange Servers With ProxyShell Exploits

• First Ransomware to Use Intermittent Encryption Revealed

• Ransomware: It's Only A Matter Of Time Before A Smart City Falls Victim, And We Need To Take Action Now

• LockFile Ransomware Bypasses Protection Using Intermittent File Encryption

• FBI, CISA: Ransomware Attack Risk Increases On Holidays, Weekends

• How Ransomware Runs The Underground Economy

• LockBit Jumps Its Own Countdown, Publishes Bangkok Air Files

Phishing

• This Phishing Attack Is Using A Sneaky Trick To Steal Your Passwords, Warns Microsoft

• Report Analysis On Phishing Campaign Utilizing Vzwpix

Malware

• Cyber Attackers Are Now Quietly Selling Off Their Victim's Internet Bandwidth

• Cyber Criminal Sells Tool To Hide Malware In AMD, NVIDIA GPUS

• Cyber Criminals Abusing Internet-Sharing Services To Monetise Malware Campaigns

Mobile

• Snowden Slams Apple CSAM: Warns iPad, iPhone, Mac Users Worldwide

• Kaspersky Lab Has Reported About Android Viruses Designed To Steal Money Automatically

• Dangerous Android Malware Is Spreading — Beware Of Text Message Scam

Vulnerabilities

• ProxyToken: Another Nail-Biter From Microsoft Exchange

• New BrakTooth Flaws Leave Millions Of Bluetooth-Enabled Devices Vulnerable

• Atlassian Confluence Flaw Under Active Attack

• Meltdown-Like Vulnerability Disclosed For AMD Zen+ And Zen 2 Processors

• NPM Package With 3 Million Weekly Downloads Had A Severe Vulnerability

• Cisco Patches Critical Authentication Bug With Public Exploit

• QNAP Working On Patches For OpenSSL Flaws Affecting Its NAS Devices

• This Top TP-Link Router Ships With Some Serious Security Flaws

Data Breaches/Leaks

Organised Crime & Criminal Actors

• The Consumerisation Of The Cyber Crime-As-A-Service Market

• Chinese Authorities Arrest Hackers Behind Mozi IOT Botnet Attacks

Dark Web

• Data From Fujitsu Is Being Sold On The Dark Web

DoS/DDoS

• Cloudflare Says It Stopped The Largest DDoS Attack Ever Reported

• UK VoIP Telco Receives 'Colossal Ransom Demand', Reveals REvil Cyber Crooks Suspected Of 'Organised' DDoS Attacks On UK VoIP Companies

OT, ICS, IIoT and SCADA

• Nine Cyber Attacks On UK's Transport Sector Missed By Mandatory Reporting Laws

Cloud

• “Worst Cloud Vulnerability You Can Imagine” Discovered In Microsoft Azure

Other News

• Why Zero-Trust Models Should Replace Legacy VPNs

• T-Mobile CEO Calls Latest Data Breach ‘Humbling,’ Claims It’s Committed To Security

• China Restricts Kids’ Online Gaming To Three Hours A Week

• Unpatched Exchange Servers An Overlooked Risk

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.