Threat Intelligence Blog
Contact us to discuss any insights from our Blog, and how we can support you in a tailored threat intelligence report.
Black Arrow Cyber Threat Briefing 02 July 2021
Black Arrow Cyber Threat Briefing 02 July 2021: Russian Hackers Target IT Supply Chain In Ransomware Attack Leading To Hundreds Of Firms Being Hit; 71% Of Orgs Experienced BEC Attacks Over The Past Year; Cyber Insurance Making Ransomware Crisis Worse; Breach Exposes 92% Of LinkedIn Users; Users Clueless About Cyber Security Risks; Paying Ransoms Make You A Bigger Target; Cyber Crime Never Sleeps; Classified MOD Docs Found At Bus Stop; Don’t Leave Your Cyber IR Plan To IT, It’s An Organisational Risk
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
Russian Hackers Target IT Supply Chain In Ransomware Attack Leading To Hundreds Of Firms Being Hit
Hackers began a ransomware attack on Friday, hitting at least 200 companies, according to cyber security researchers.
In what appears to be one of the largest supply chain attacks to date, hackers compromised Kaseya, an IT management software supplier, in order to spread ransomware to the managed service providers that use its technology, as well as to their clients in turn.
The attacks have been attributed t=to REvil, the notorious Russia-linked ransomware cartel that the FBI claimed was behind recent crippling attack on beef supplier JBS.
The attack is the latest example of hackers weaponising the IT supply chain in order to attack victims at scale, by breaching just one provider. Last year, it emerged that Russian state-backed hackers had hijacked the SolarWinds IT software group in order to penetrate the email networks of US federal agencies and corporations, for example.
Late on Friday, Kaseya urged those using the compromised “VSA server” tool, which provides remote monitoring and patching capabilities, to shut it down immediately.
https://www.ft.com/content/a8e7c9a2-5819-424f-b087-c6f2e8f0c7a1
71% Of Organisations Experienced BEC Attacks Over The Past Year
Business email compromise (BEC) attacks are one of the most financially damaging cyber crimes and have been on the rise over the past year. This is according to a new report which revealed that spoofed email accounts or websites accounted for the highest number of BEC attack as 71% of organisations acknowledged they had seen one over the past year. This is followed by spear phishing (69%) and malware (24%). Data from 270 IT and cyber security professionals were collected to identify the latest enterprise adoption trends, gaps and solution preferences related to phishing attacks.
https://www.helpnetsecurity.com/2021/06/25/bec-attacks-past-year/
Cyber Insurance Isn't Helping With Cyber Security, And It Might Be Making The Ransomware Crisis Worse, Say Researchers
Cyber insurance is designed to protect organisations against the fallout of cyber attacks, including covering the financial costs of dealing with incidents. However, some critics argue that insurance encourages ransomware victims to simply pay the ransom demand that will then be covered by the insurers, rather than have adequate security to deter hackers in the first place. Insurers argue that it's the customer that makes any decision to pay the ransom, not the insurer.
LinkedIn Breach Reportedly Exposes Data Of 92% Of Users, Including Inferred Salaries
A second massive LinkedIn breach reportedly exposes the data of 700M users, which is more than 92% of the total 756M users. The database is for sale on the dark web, with records including phone numbers, physical addresses, geolocation data, and inferred salaries. The hacker who obtained the data has posted a sample of 1M records, and checks confirm that the data is both genuine and up to date. No passwords are included, but as the site notes, this is still valuable data that can be used for identity theft and convincing-looking phishing attempts that can themselves be used to obtain login credentials for LinkedIn and other sites. https://9to5mac.com/2021/06/29/linkedin-breach/
Users Clueless About Cyber Security Risks
Organisations are facing yet another unprecedented threat to their cyber security now that employees are headed back into offices with their personal devices, lax security hygiene and no clue about some of the most catastrophic attacks in history, such as the Colonial Pipeline shutdown. A new survey shows the mountains of work ahead for security teams in not just locking down their organisations’ systems but also in keeping users from getting duped into handing over the keys to the kingdom. 2,000 end users were surveyed in the U.S. and found the dangers to critical infrastructure, utilities and food supplies are not sinking in with the public, despite the deluge of headlines.
https://threatpost.com/users-clueless-cybersecurity-risks-study/167404/
Ransomware: Paying Up Won't Stop You From Getting Hit Again, Says Cyber Security Chief
Ireland's Health Service Executive (HSE) has been praised for its response after falling victim to a major ransomware attack and for not giving into cyber criminals and paying a ransom. HSE was hit with Conti ransomware in May, significantly impacting frontline health services. The attackers initially demanded a ransom of $20 million in bitcoin for the decryption key to restore the network. While the gang eventually handed over a decryption key without receiving a ransom, they still published stolen patient data – a common technique by ransomware attackers, designed to pressure victims into paying.
Don’t Leave Your Cyber IR Plan To IT, It’s An Organisational Risk
Phishing attacks, insider threats, denial of service disruptions, malware and ransomware — cyber security incidents like these happen on a daily basis. For most of these incidents, the onsite IT team will remediate based on a pre-developed plan and process. And for many of these incidents, that’s a solid approach. But those incident response plans and strategies are IT oriented and geared toward short-term fixes and single incident responses. Meaning, if an incident accelerates beyond a handful of infected laptops or a compromised server and begins to affect operations of all or even part of the organisation, business itself can be disrupted — or even shut down entirely.
https://securityintelligence.com/posts/incident-response-vs-cyber-crisis-management-plan/
Cyber Crime Never Sleeps
When the Colonial Pipeline fell victim to a ransomware attack, people across the United States were shocked to find that a single episode of cyber crime could lead to widespread delays, gas shortages and soaring prices at the pump. But disruptive ransomware attacks like these are far from rare; in fact, they are becoming more and more frequent. Cyber crime is on the rise, and our cyber security infrastructure desperately needs to keep up. A quick look at the data from the last year confirms that cyber crime is a growing threat. Identity theft doubled in 2020 over 2019.
https://www.newsweek.com/cybercrime-never-sleeps-opinion-1603901
IT, Healthcare And Manufacturing Facing Most Phishing Attacks
Researchers examined more than 905 million emails for the H1 2021 Global Phish Cyber Attack Report, finding that the IT industry specifically saw 9,000 phishing emails in a one month span out of almost 400,000 total emails. Their healthcare industry customers saw more than 6,000 phishing emails in one month out of an average of over 450,000 emails and manufacturing saw a bit less than 6,000 phishing emails out of about 330,000 total emails. Researchers said these industries are ripe targets because of the massive amount of personal data they collect and because they are often stocked with outdated technology that can be easily attacked.
https://www.zdnet.com/article/it-healthcare-and-manufacturing-facing-most-phishing-attacks-report/
Classified Ministry Of Defence Documents Found At Bus Stop
Classified Ministry of Defence documents containing details about HMS Defender and the British military have been found at a bus stop in Kent. One set of documents discusses the likely Russian reaction to the ship's passage through Ukrainian waters off the Crimea coast on Wednesday. Another details plans for a possible UK military presence in Afghanistan after the US-led NATO operation there ends. The government said an investigation had been launched.
Cabinet Office Increases Cyber Security Training Budget By Almost 500%
The UK’s Cabinet Office increased its cyber security training budget to £274,142.85 in the fiscal year 2021 – a 483% increase from the £47,018 spent in the previous year. In its FOI response, the Cabinet Office detailed the cyber security courses attended by its staff, revealing that the number of booked courses grew from 35 in 2019-20 to 428 in the current fiscal year.
Threats
Ransomware
Increase In Ransomware Attacks ‘Absolutely Aligns’ With Rise Of Crypto, FireEye CEO Says
Ransomware Gangs Now Creating Websites To Recruit Affiliates
New Ransomware Highlights Widespread Adoption Of Golang Language By Cyber Attackers
This Major Ransomware Attack Was Foiled At The Last Minute. Here's How They Spotted It
Using VMs To Hide Ransomware Attacks Is Becoming More Popular
Phishing
Malware
Microsoft Admits To Signing Rootkit Malware In Supply-Chain Fiasco
The 'ChaChi' Trojan Is Helping A Ransomware Gang Target Schools
Mobile
IoT
Data Breaches
Organised Crime & Criminal Actors
Cryptocurrency/Cryptojacking
OT, ICS, IIoT and SCADA
Nation State Actors
Russian Hackers Had Months-Long Access To Denmark's Central Bank
Russian Hackers Are Trying To Brute-Force Hundreds Of Networks
US And UK Agencies Accuse Russia Of Political Cyber Campaign
Cloud
Privacy
Vulnerabilities
Microsoft Finds Netgear Router Bugs Enabling Corporate Breaches
Exploitable Critical RCE Vulnerability Allows Regular Users To Fully Compromise Active Directory
Critical VMware Carbon Black Bug Allows Authentication Bypass
My Book Live Users Wake Up To Wiped Devices, Active RCE Attacks
Flaws In FortiWeb WAF Expose Fortinet Devices To Remote Hack
Hackers Exploited 0-Day, Not 2018 Bug, To Mass-Wipe My Book Live Devices
A Second Exploit Has Emerged In The Sad WD My Book Live Data Deletion Saga
Microsoft Adds Second CVE For PrintNightmare Remote Code Execution
Zyxel Says A Threat Actor Is Targeting Its Enterprise Firewall And VPN Devices
Other News
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Cyber Weekly Flash Briefing 24 July 2020: Cyber crime up 23% Over Past Year, Nearly 50% of employees have made a serious security mistake at work, 99.9% of Hacked Microsoft Accounts Don’t Use 2FA
Cyber Weekly Flash Briefing 24 July 2020: Cyber crime up 23% Over Past Year, Nearly 50% of employees have made a serious security mistake at work, 99.9% of Hacked Microsoft Accounts Don’t Use 2FA
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Cybercrime Jumped 23% Over Past Year, Says ONS
Cybercrime offenses reported by individuals and businesses have risen 23% over the past year, according to the Office for National Statistics (ONS).
The UK government body explained that 26,215 incidents were referred to the National Fraud Intelligence Bureau (NFIB) by Action Fraud in the year ending March 2020.
The year-on-year increase was driven by a large uptick in the two highest-volume “computer misuse” types reported to Action Fraud. “Hacking – social media and email” saw a 55% increase from 12,894 offenses, and “computer viruses/malware” incidents soared by 61% to reach 6745 cases.
The double-digit increase in reported cybercrime came in spite of improvements to “internal case review processes” and an online reporting tool at Action Fraud in October 2018 which meant some offenses previously categorized as computer misuse are now being properly identified as fraud, ONS said.
Why this matters:
Any increase in reported cyber crime is significant, but such a large rise is even more alarming and demonstrates that firms and individuals need to make sure they are treating these threats seriously.
Read more here: https://www.infosecurity-magazine.com/news/cybercrime-jumped-23-over-past-year#disqus_thread
Nearly half of employees have made a serious security mistake at work
Distraction and burnout can lead to serious mistakes when working online
New research from an email security firm has revealed that almost half (43%) of employees in the US and UK have made mistakes at work that have resulted in cyber security repercussions for themselves or their company.
A survey of 2,000 professionals between the ages of 18 and 51 to find out more about why workers make mistakes and how they can be prevented before they end up turning into data breaches.
Of the employees surveyed, a quarter of them confessed to clicking on links in a phishing email at work. The research also found that employees between 31 and 40 years of age were four times more likely than employees over age 51 to click on a phishing email. At the same time, male employees were twice as likely to do so than their female coworkers.
Why does this matter:
Cyber and Information Security is fundamentally a human problem, not an IT problem, and all the IT controls in the world are worth very little if humans bypass them or fail to follow safe working practices. Ensure your users, at all levels, are aware of the role they play in securing your organisation and make sure they receive adequate and suitable training.
99.9 Percent of Hacked Microsoft Accounts Don’t Use 2FA
Two-factor authentication (2FA) is the single most effective method of preventing unauthorised access to an online account as number from Microsoft prove.
Microsoft tracks over 1 billion active accounts monthly, which is nearly 1/8 of the world’s population. These generate more than 30 billion monthly login events. Every login to a corporate O365 account can generate multiple login entries across multiple apps, as well as additional events for other apps that use O365 for single sign-on.
If that number sounds big, bear in mind that Microsoft stops 300 million fraudulent sign-in attempts every day. Again, that’s not per year or per month, but 300 million per day.
In January 2020, 480,000 Microsoft accounts—0.048 percent of all Microsoft accounts—were compromised by spraying attacks. This is when an attacker runs a common password (like “Spring2020!”) against lists of thousands of accounts, in the hopes that some of those will have used that common password.
Sprays are just one form of attack; hundreds and thousands more were caused by credential stuffing. To perpetuate these, the attacker buys usernames and passwords on the dark web and tries them on other systems.
Then, there’s phishing, which is when an attacker convinces you to log in to a fake website to get your password. These methods are how online accounts are typically “hacked,” in common parlance.
In all, over 1 million Microsoft accounts were breached in January. That’s just over 32,000 compromised accounts per day, which sounds bad until you remember the 300 million fraudulent login attempts stopped per day.
But the most important number of all is that 99.9 percent of all Microsoft account breaches would have been stopped if the accounts had two-factor authentication enabled.
Why this matters:
Two-factor authentication (2FA) is the single most effective method of preventing unauthorised access to online accounts, remediating (or preventing) approximately 95% of attacks. That this simple step, normally available free of charge from online account providers, is so effective means it should be implemented wherever and whenever possible.
Read more here: https://www.howtogeek.com/681419/watch-out-99.9-of-hacked-microsoft-accounts-dont-use-2fa/
Adobe issues emergency fixes for critical vulnerabilities in Photoshop, Bridge, Prelude
Adobe has released an out-of-band emergency security update for Photoshop, Prelude, and Bridge.
On Tuesday, a week after issuing the firm's standard monthly security update, Adobe published security advisories revealing a total of 13 vulnerabilities, 12 of which are deemed critical.
Five vulnerabilities have now been resolved in Photoshop CC 2019 -- versions 20.0.9 and earlier -- and Photoshop 2020 -- versions 21.2 and earlier -- on Windows machines.
All of these vulnerabilities are considered critical, as if exploited, can lead to arbitrary code execution.
Why does this matter:
Vulnerabilities in software are exploited by attackers, patching these vulnerabilities means the vulnerabilities cannot then be exploited. Updates should always be installed as soon as possible to prevent them from being used in attacks.
Read more: https://www.zdnet.com/article/adobe-issues-emergency-fixes-for-vulnerabilities-in-photoshop-prelude/
Blackbaud Hack: Universities lose data to ransomware attack
At least 10 universities in the UK, US and Canada have had data stolen about students and/or alumni after hackers attacked a cloud computing provider.
Human Rights Watch and the children's mental health charity, Young Minds, have also confirmed they were affected.
The hack targeted Blackbaud, one of the world's largest providers of education administration, fundraising, and financial management software.
The US-based company's systems were hacked in May and it has been criticised for not disclosing this externally until July and for having paid the hackers an undisclosed ransom.
In some cases, the data was limited to that of former students, who had been asked to financially support the establishments they had graduated from. But in others it extended to staff, existing students and other supporters.
The institutions the BBC has confirmed have been affected are:
· University of York
· Oxford Brookes University
· Loughborough University
· University of Leeds
· University of London
· University of Reading
· University College, Oxford
· Ambrose University in Alberta, Canada
· Human Rights Watch
· Young Minds
· Rhode Island School of Design in the US
· University of Exeter
In some cases, the stolen data included phone numbers, donation history and events attended. Credit card and other payment details do not appear to have been exposed.
Why does this matter:
Every entity, business, organisation and individual is at risk from ransomware, the bigger the organisation the more point of entries exist but this does not mean this is not a major threat to smaller businesses too. Nearly all these attacks stem from a user clicking on a link in a phishing email so make sure your staff are adept at spotting phishing emails.
Amazon Prime phishing scam returns - here's all you need to know
Shoppers warned of phone and email attacks against Amazon Prime users
Shoppers using Amazon Prime have been warned about a major phishing scam which appears to have resurfaced across the country
The scammers target victims via an automated telephone call claiming that they have opened an Amazon Prime account and that they should "press one" to cancel the transaction.
Doing so will connect the call to a fraudster posing as an Amazon customer service representative who then informs the recipient of the call that their subscription was purchased fraudulently due to a supposed "security flaw" on the targeted person's computer. The bogus Amazon representative then asks for remote access to the recipient's computer, supposedly to fix the security breach. Remote access gives control access allowing the scammers to steal personal information, including passwords and banking information.
There is also an email version of the same scam.
The email version of this scam sees the victim receiving a message stating they have started an Amazon Music subscription charged at £28.99 per month. The email then asks the recipient to click a link if they want to cancel the subscription and receive a refund - but the page they are taken to in order to input their card details and receive the refund will instead send their details to fraudsters.
Why does this matter:
Scammers only need a small number of people they target to fall for the scam for it to be profitable for them, so unfortunately these types of scams are not going to go away any time soon. Make sure you keep up to date with the latest and emerging scams and make sure relatives who might fall victim to these scams are also aware that these types of attacks are happening all the time so to exercise caution if they receive calls or emails of this nature.
Read more here: https://www.techradar.com/uk/news/amazon-prime-phishing-scam-returns-heres-all-you-need-to-know
Phishing attacks concealed in Google Cloud Services
Cyber criminals are increasingly concealing phishing efforts behind legitimate resources.
A lie is best concealed between two truths, an old saying goes, and it seems hackers are using this wisdom to better hide their phishing efforts.
Cyber security researchers are warning of a phishing campaign that utilises Google Cloud Services and offers legitimate PDF whitepapers to victims that give away their login credentials.
According to the researchers, it all starts with a PDF document uploaded to Google Drive, containing a link to a phishing page. The landing page requires the user to log in with their Office 365 or organisation email.
After the victim gives away their login credentials, they are redirected to a genuine PDF report published by a “renowned global consulting firm.”
Why does this matter:
Since the phishing page is hosted on Google Cloud Storage, the user might not become suspicious. Hackers are swarming around the cloud storage services that we rely on and trust, making it much tougher to identify actual phishing attacks. Traditional red flags of a phishing attack, such as look-alike domains or websites without certificates, won’t help us much as we enter a potential cyber pandemic. Users of Google Cloud Platform, even AWS and Azure users, should all beware of this fast-growing trend and learn how to protect themselves. It starts by thinking twice about the files you receive from senders.
Read more here: https://www.itproportal.com/news/phishing-attacks-concealed-in-google-cloud-services/
Analysts Detect New Banking Malware
A new strain of banking malware dubbed BlackRock has been detected by researchers
An investigation into its origins has revealed BlackRock to be derived from the Xerxes banking malware. Xerxes was in turn spawned out of the LokiBot Android banking Trojan, first detected around four years ago.
The source code of the Xerxes malware was made public by its author around May 2019, making it possible for any threat actor to get their hands on it. Despite the code's availability, researchers found that the only Android banking Trojan based on Xerxes' source code that is currently operating appears to be BlackRock.
Why this matters:
This malevolent malware steals credentials not only from banking apps but also from other apps designed to facilitate communication, shopping and business. In total, the researchers found 337 Android apps were impacted, including dating, social networking and cryptocurrency apps.
Read more here: https://www.infosecurity-magazine.com/news/analysts-detect-new-banking/#disqus_thread
Hackers wipe out more than 1,000 databases, leaving only the word 'meow'
Over 1000 unsecured databases have been permanently deleted, leaving only the word “meow” behind.
The attack saw a database that had details of the UFO VPN. UFO VPN, and other products from seemingly the same company, had recently been in the news for exposing user information.
Information exposed include unencrypted account passwords, location information, and IP addresses of user devices and VPN servers.
The VPN, and others like it, claimed that it was not logging user details. Reports alleged that this was not the case.
The attack seems to have come from a bot, according to Forbes, as the attack script overwrites database indexes with random numerical strings and the word ‘Meow’.
Why does this matter:
Unsecured databases are wide open to attackers and not only can the contents be read and information gleaned used in other attacks they can also, as was the case in this attack, be deleted, losing all data.
Is your smart home hosting malware attacks?
It’s not only computers that can be compromised by hackers, almost any electronic device can be compromised – including your smart home gadgets.
Researchers have discovered a new family of malware called Mozi that has been quickly spreading online since last year and appears to have been designed specifically to attack low-power smart devices. Once installed, the malware tries to make contact with other infected devices, adding itself to a botnet (a collection of other compromised devices).
Infected device continues to operate normally however the devices constantly ‘listening’ for instructions from the botnet. The botnet has been designed to launch Distributed Denial of Service attacks (DDoS) that can be used to attack and crash online services and websites. Once activated, your infected devices will be used by hackers to participate in large DDoS attacks.
Some variants can also steal data, or execute additional code, allowing hackers to gain control of your network.
As the malware evolves, the list of affected devices will undoubtedly grow.
Why does this matter:
Almost any electronic device can be compromised to serve malware, be co-opted into taking part in distributed denial of service attacks or otherwise be exploited or used as a point of entry into a network. As more and more of these devices appear in our homes and offices many people do not realise they are significantly increasing their potential attack surface.
Read more: https://www.pandasecurity.com/mediacenter/mobile-news/smart-home-hosting-malware/
Russian cyber attacks an 'urgent threat' to national security
Russia's cyber attack capabilities -- and its willingness to use them -- pose an "immediate and urgent threat" to the UK's national security, according to a report from a committee of MPs.
The long- delayed Russia report from the UK parliament's Intelligence and Security Committee (ISC) describes how it sees Russia's abilities to use malicious cyber activities to further its aims.
"Russia's cyber capability, when combined with its willingness to deploy it in a malicious capacity, is a matter of grave concern, and poses an immediate and urgent threat to our national security," the report said.
Why does this matter:
Given the immediate threat that Russia poses to UK national security, it is concerning that there is no clear coordination of the numerous organisations across the UK intelligence community working on this issue. The risks posed by Russia, and other nation states such as China, Iran and North Korea should not be understated or ignored.
Read more here: https://www.zdnet.com/article/russian-cyberattacks-an-urgent-threat-to-national-security/