Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

New Technology Has Enabled Cyber-Crime On An Industrial Scale

Nobody likes a call from the taxman. Donald Rumsfeld, who as America’s defence secretary oversaw a budget bigger than the economy of a typical country, nonetheless finds the rules so confusing that he writes to the Internal Revenue Service each year complaining that he has “no idea” whether he has filed his taxes correctly. So, it is hardly surprising that, when the phone rings and an official-sounding voice says you have underpaid your taxes and will be connected to an adviser to pay the balance, ordinary folk tremble.

https://www.economist.com/international/2021/05/06/new-technology-has-enabled-cyber-crime-on-an-industrial-scale

Cyber Security Control Failures Listed As Top Emerging Risk

Despite a myriad of risks resulting from the pandemic, such as the new work environment and environmental, social and governance (ESG) concerns, cyber security risk was singled out with notable consistency across all geographic regions and most industries, cited by 67% of respondents. The next highest cited risk, “the new working model” was cited by 43% of respondents. “Many organisations were forced to implement quick fixes to serious operational gaps as a result of their initial pandemic responses.”

https://www.helpnetsecurity.com/2021/05/03/cybersecurity-control-failures/

Third Parties Caused Data Breaches At 51% Of Organisations

Remote access is becoming an organisation's weakest attack surface, according to new research published. The new report, titled “A Crisis in Third-party Remote Access Security,” reveals a disparity between an organisation's perceived third-party access security threat and the protective measures it puts in place. Researchers found that organisations are exposing their networks to non-compliance and security risks by not taking action to reduce third-party access risk.

https://www.infosecurity-magazine.com/news/third-parties-breaches-at-51-of/

Apple Devices Under Attack — Update Your Mac, iPhone, iPad And Apple Watch Now

Apple on Monday (May 3) pushed out emergency patches to macOS, iPadOS, watchOS and two different versions of iOS to fix four flaws in WebKit, the rendering engine that underlies the Safari web browser. Install these updates when you receive them, because for each flaw, the company states that "Apple is aware of a report that this issue may have been actively exploited." In each case, Apple says, "processing maliciously crafted web content may lead to arbitrary code execution." In plain English, that means web pages could be built to remotely hack your Mac, iPhone, iPad, or Apple Watch.

https://www.tomsguide.com/uk/news/apple-urgent-updates-2105

Enforcing KYC, AML Laws Is Key To Reducing Ransomware Attacks: Task Force

Better enforcement of crypto currency regulations can help address an increasing number of ransomware attacks; a public-private task force claimed Thursday. The Ransomware Task Force, led by the Institute for Security and Technology with support from Microsoft, McAfee and various government agencies, published a report proposing a host of government and company responses to the growing threat of ransomware attacks, including recommendations to disrupt payments to the developers who develop this form of malware. A ransomware attack is one where a malicious actor hijacks a computer or network, locking it until the victim pays a ransom, often in crypto currency (ransomware victims paid close to $350 million in crypto to attackers last year). Paying the ransom is not necessarily a guarantee the perpetrator will share a decryption tool to unlock the computer.

https://www.coindesk.com/enforcing-kyc-aml-laws-is-key-to-reducing-ransomware-attacks-report-says

Ransomware Reality Shock: 92% Who Pay Do Not Get Their Data Back

As Apple gets caught up in an apparent $50 million ransomware extortion attempt by a significant cyber criminal gang, new research reveals just how unlikely it is that organisations will get all their data back if they pay up. On April 23, I reported how the notorious cyber criminal gang behind the REvil ransomware operation had attempted to get Apple to pay the ransom for another business that it had targeted. That business, REvil said, was Apple original design manufacturer Quanta Computer and the gang said it had stolen the schematics for several new Apple products. Several blueprints were published to the REvil dark web site, including one that 9to5Mac determined was related to the 2021 MacBook Pro.

https://www.forbes.com/sites/daveywinder/2021/05/02/ransomware-reality-shock-92-who-pay-dont-get-their-data-back/?sh=4c38f3d5e0c7

New Vulnerabilities Impact 60% Of The Internet’s Email Servers

The maintainers of the Exim email server software have released updates today to patch a collection of 21 vulnerabilities that can allow threat actors to take over servers using both local and remote attack vectors. Known as 21Nails, the vulnerabilities were discovered by the security firm Qualys. The bugs impact Exim, a type of email server known as a mail transfer agent (MTA) that helps email traffic travel across the internet and reach its intended destinations. While there are different MTA clients available, an April 2021 survey shows that Exim has a market share of nearly 60% among all MTA solutions, being widely adopted around the internet.

New vulnerabilities impact 60% of the internet’s email servers

Ransomware: There's Been A Big Rise In Double Extortion Attacks As Gangs Try Out New Tricks

There has been a big rise in the number of ransomware gangs that threaten to release information stolen from the victims if they themselves rather than the firm, do not pay the ransom for the decryption key required to restore their network. The idea behind these 'double extortion' ransomware attacks is that even if the victim organisation believes it can restore its network without giving into the ransom demands of cyber criminals – which regularly cost millions of dollars in Bitcoin – the threat of sensitive information about employees or customers being exposed could still push victims to giving into the blackmail and paying the ransom.

https://www.zdnet.com/article/ransomware-theres-been-a-big-rise-in-double-extortion-attacks-as-gangs-try-out-new-tricks/

They Told Their Therapists Everything. Hackers Leaked It All

Finnish mental health Clinic Vastaamo suffers catastrophic data breach. A security flaw at the firm’s IT provider not only exposed full names, dates of birth, and social security numbers, but also the actual written notes their therapists had taken. It was the patients themselves, rather than the firm were then left facing a demand for ransom payment to prevent public disclosure of their data.

https://www.wired.com/story/vastaamo-psychotherapy-patients-hack-data-breach/?utm_source=twitter&utm_medium=social&utm_campaign=onsite-share&utm_brand=wired&utm_social-type=earned

Millions At Security Risk From Old Routers

Millions of people could be using outdated routers that put them at risk of being hacked. The consumer watchdog examined 13 models provided to customers by internet-service companies such as EE, Sky and Virgin Media and found more than two-thirds had flaws. It estimated about six million people could have a device not updated since 2018 or earlier. So, in some cases, they would not have received crucial security updates.

https://www.bbc.co.uk/news/technology-56996717

An Estimated 30% Of All Smartphones Vulnerable To New Qualcomm Bug

Around a third of all smartphones in the world are believed to be affected by a new vulnerability in a Qualcomm modem component that can grant attackers access to the device’s call and SMS history and even audio conversations. First designed in the early 90s, the chip has been updated across the years to support 2G, 3G, 4G, and 5G cellular communications and has slowly become one of the world’s most ubiquitous technologies, especially with smartphone vendors. Devices that use Qualcomm MSM chips today include high-end smartphone models sold by Google, Samsung, LG, Xiaomi, and One Plus, just to name a few.

https://therecord.media/an-estimated-30-of-all-smartphones-vulnerable-to-new-qualcomm-bug/

Threats

Ransomware

• Cloud Hosting Provider Swiss Cloud Suffered A Ransomware Attack

• Babuk Quits Ransomware Encryption, Focuses On Data-Theft Extortion

Phishing

• 'Phishing' Sites Buying Workplace Login Details Linked to Well-Funded Start-up

Malware

• Global Phishing Attacks Spawn Three New Malware Strains

• New Pingback Malware Using ICMP Tunnelling to Evade C&C Detection

• New Buer Malware Downloader Rewritten in E-Z Rust Language

Mobile

• Serious Android flaw threatens hundreds of millions of users

Vulnerabilities

• Security Researchers Found 21 Flaws In This Widely Used Email Server, So Update Immediately

• Dell Is Issuing A Security Patch For Hundreds Of Computer Models Going Back To 2009

• Pulse Secure fixes VPN zero-day used to hack high-value targets

• Microsoft Warns Of Damaging Vulnerabilities In Dozens Of Iot Operating Systems

• Python Also Impacted By Critical Ip Address Validation Vulnerability

• Computer Scientists Discover New Vulnerability Affecting Computers Globally

Data Breaches

• Data Leak Implicates Over 200,000 People In Amazon Fake Product Review Scam

• Middle Market Companies Facing A Record Number Of Data Breaches

Nation State Actors

• Researchers Uncover Iranian State-Sponsored Ransomware Operation

• Rare New Windows Rootkit Spotted In Chinese Apt Attacks

Denial of Service

• A Massive DDoS Knocked Offline Belgian Government Websites

Privacy

• Android Devices Are Leaking Contact Tracing Data All Over The Place

Other News

• Woman Loses Nearly £113k In Dating Site Romance Fraud

• Healthcare Organisations Implementing Zero Trust To Tackle Cyber Attacks

• Hackers Break Into Tesla Using a Drone Flying Over the Car

• Penetration Testing Leaving Organisations With Too Many Blind Spots

• Goodbye Again, Flash—Microsoft Makes Removal From Windows 10 Mandatory

• Data Leak Makes Peloton’s Horrible, No-Good, Really Bad Day Even Worse

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

If you’re pressed for time watch the 60 second quick fire video summary of the top cyber and infosec stories from the last week:

EasyJet admits data of nine million hacked

EasyJet has admitted that a "highly sophisticated cyber-attack" has affected approximately nine million customers.

It said email addresses and travel details had been stolen and that 2,208 customers had also had their credit and debit card details "accessed".

The firm has informed the UK's Information Commissioner's Office while it investigates the breach.

EasyJet first became aware of the attack in January.

It told the BBC that it was only able to notify customers whose credit card details were stolen in early April.

"This was a highly sophisticated attacker. It took time to understand the scope of the attack and to identify who had been impacted," the airline told the BBC.

Read more here: https://www.bbc.co.uk/news/technology-52722626

To test its security mid-pandemic, GitLab tried phishing its own work-from-home staff. 1 in 5 fell for it

Code hosting site GitLab recently concluded a security exercise to test the susceptibility of its all-remote workforce to phishing – and a fifth of the participants submitted their credentials to the fake login page.

The mock attack simulated a targeted phishing campaign designed to get GitLab employees to give up their credentials.

The GitLab security personnel playing the role of an attacker – obtained the domain name gitlab.company and set it up using the open source GoPhish framework and Google's GSuite to send phishing emails. The messages were designed to look like a laptop upgrade notification from GitLab's IT department.

Targets were asked to click on a link in order to accept their upgrade and this link was instead a fake GitLab.com login page hosted on the domain 'gitlab.company'.

Fifty emails went out and 17 (34 per cent) clicked on the link in the messages that led to the simulated phishing website. Of those, 10 (59 per cent of those who clicked through or 20 per cent of the total test group) went on to enter credentials. And just 6 of the 50 message recipients (12 per cent) reported the phishing attempt to GitLab security personnel.

According to Verizon's 2020 Data Breach Investigations Report, 22 per cent of data exposure incidents involved phishing or about 90 per cent of incidents involving social interaction.

Read the original article here: https://www.theregister.co.uk/2020/05/21/gitlab_phishing_pentest/

60% of Insider Threats Involve Employees Planning to Leave

More than 80% of employees planning to leave an organization bring its data with them. These "flight-risk" individuals were involved in roughly 60% of insider threats analysed in a new study.

Researchers analysed more than 300 confirmed incidents as part of the "2020 Securonix Insider Threat Report." They found most insider threats involve exfiltration of sensitive data (62%), though others include privilege misuse (19%), data aggregation (9.5%), and infrastructure sabotage (5.1%). Employees planning an exit start to show so-called flight-risk behaviour between two weeks and two months ahead of their last day, the researchers discovered.

Most people who exfiltrate sensitive information do so over email, a pattern detected in nearly 44% of cases. The next most-popular method is uploading the information to cloud storage websites (16%), a technique growing popular as more organizations rely on cloud collaboration software such as Box and Dropbox. Employees are also known to steal corporate information using data downloads (10.7%), unauthorized removable devices (8.9%), and data snooping through SharePoint (8%).

Today's insider threats look different from those a few years ago. Cloud tools have made it easier for employees to share files with non-business accounts, creating a challenge for security teams.

Read more here: https://www.darkreading.com/risk/60--of-insider-threats-involve-employees-planning-to-leave/d/d-id/1337876

One in ten home working Brits are not GDPR compliant

Remote working may have improved the work-life balance of many Brits, but it has also made organisations more likely to fall foul of GDPR.

This is according to a new report from IT support company ILUX, which found that a tenth of workers in the UK do not believe their remote working practices are compliant.

Based on a poll of 2,000 UK-based home workers, the report hints the problem could stem from the adoption of BYOD initiatives, explaining that personal technology for work could be the catalyst for respondents' concerns.

There is also the issue of support, with two thirds of respondents feeling they have lacked sufficient support from business owners during the pandemic. One tenth of the respondents considered their managers too busy or stressed to warrant approaching.

Asking employees to work from home and then not providing the right computer systems and security measures is a recipe for disaster.

The last thing any business needs at this time is to lose valuable data, leave themselves open to cyber attacks or phishing and leave themselves vulnerable to the unknown. It may only seem like a small number, but it’s best not to be in that ten percent.

Remote staff should be provided with company devices on which to work, protected with the latest security patches and cyber security solutions.

Read more here: https://www.itproportal.com/news/one-in-ten-home-working-brits-are-not-gdpr-compliant/

SMBs see cyberattacks that rhyme with large enterprises due to cloud shift

Small businesses are increasingly seeing the same cyberattacks and techniques as large enterprises in contrast with previous years, according to the 2020 Verizon Data Breach Investigations Report.

The last time Verizon researchers tracked small business attacks was in the 2013 DBIR. At that time, SMBs were hit with payment card cybercrime. Today, the attacks are aimed at web applications and errors due to configurations. Meanwhile, the external attackers are targeting SMBs just like large enterprises, according to Verizon.

Verizon found that small companies with less than 1,000 employees are seeing the same attacks as large enterprises. Why? SMBs have adjusted their business models to be more cloud based and rhyme more with large companies.

Read the full article: https://www.zdnet.com/article/smbs-see-cyberattacks-that-rhyme-with-large-enterprises-due-to-cloud-shift/

Microsoft warns of huge email phishing scam - here's how to stay protected

Microsoft has issued an alert to users concerning a new widespread Covid-19 themed phishing campaign.

The threat installs a remote administration tool to completely take over a user's system and even execute commands on it remotely.

The Microsoft Security Intelligence team provided further details on this ongoing campaign in a series of tweets in which it said that cybercriminals are using malicious Excel attachments to infect user's devices with a remote access trojan (RAT).

The attack begins with potential victims receiving an email that impersonates the John Hopkins Center. This email claims to provide victims with an update on the number of coronavirus-related deaths in the US. However, attached to the email is an Excel file that displays a chart showing the number of deaths in the US.

Read more here: https://www.techradar.com/uk/news/microsoft-warns-of-huge-phishing-attack-heres-how-to-stay-safe

Security threats associated with shadow IT

As cyber threats and remote working challenges linked to COVID-19 continue to rise, IT teams are increasingly pressured to keep organisations’ security posture intact. When it comes to remote working, one of the major issues facing enterprises is shadow IT.

End users eager to adopt the newest cloud applications to support their remote work are bypassing IT administrators and in doing so, unknowingly opening both themselves and their organization up to new threats.

You’ve probably heard the saying, “What you don’t know can’t hurt you.” In the case of shadow IT, it’s the exact opposite – what your organisation doesn’t know truly can and will hurt it.

Shadow IT might sound great at surface level if you think of it as tech-savvy employees and departments deploying collaborative cloud apps to increase productivity and meet business goals. However, there’s a lot more going on below the surface, including increased risk of data breaches, regulation violations and compliance issues, as well as the potential for missed financial goals due to unforeseen costs.

One solution to risks associated with shadow IT is to have workers only use cloud apps that have been vetted and approved by your IT department. However, that approach is oftentimes not possible when shadow apps are acquired by non-IT professionals who have little to no knowledge of software standardization. Additionally, when shadow SaaS apps are used by employees or departments the attack area is hugely increased because many are not secure or patched. If IT departments are unaware of an app’s existence, they can’t take measures to protect companies’ data or its users.

Another solution that organisations use is attempting to block access to cloud services that don’t meet security and compliance standards. Unfortunately, there is a vast discrepancy in the intended block rate and the actual block rate, called the “cloud enforcement gap” and represents shadow IT acquisition and usage.

Read more here: https://www.helpnetsecurity.com/2020/05/18/security-shadow-it/

Supercomputers hacked across Europe to mine cryptocurrency

Multiple supercomputers across Europe have been infected this week with cryptocurrency mining malware and have shut down to investigate the intrusions.

Security incidents have been reported in the UK, Germany, and Switzerland, while a similar intrusion is rumoured to have also happened at a high-performance computing centre located in Spain.

The first report of an attack came to light on Monday from the University of Edinburgh, which runs the ARCHER supercomputer. The organization reported "security exploitation on the ARCHER login nodes," shut down the ARCHER system to investigate, and reset SSH passwords to prevent further intrusions.

Read more here: https://www.zdnet.com/article/supercomputers-hacked-across-europe-to-mine-cryptocurrency/

Powerful Android malware stayed hidden for years, infecting tens of thousands of smartphones

A carefully managed hacking and espionage campaign is infecting smartphones with a potent form of Android malware, providing those behind it with total control of the device, while also remaining completely hidden from the user.

Mandrake spyware abuses legitimate Android functions to help gain access to everything on the compromised device in attacks that can gather almost any information about the user.

The attacker can browse and collect all data on the device, steal account credentials for accounts including banking applications. secretly take recordings of activity on the screen, track the GPS location of the user and more, all while continuously covering their tracks.

Read the original article here: https://www.zdnet.com/article/this-powerful-android-malware-stayed-hidden-years-infected-tens-of-thousands-of-smartphones/

Strain of ransomware goes fileless to make attacks untraceable

Malicious actors have been spotted using an especially sneaky fileless malware technique — reflective dynamic-link library (DLL) injection — to infect victims with Netwalker ransomware in hopes of making the attacks untraceable while frustrating security analysts.

Instead of compiling the malware and storing it into the disk, the adversaries are writing it in PowerShell and executing it directly into memory making this technique is stealthier than regular DLL injection because aside from not needing the actual DLL file on disk, it also does not need any windows loader for it to be injected. This eliminates the need for registering the DLL as a loaded module of a process, and allowing evasion from DLL load monitoring tools.

Read more here: https://www.scmagazine.com/home/security-news/ransomware/netwalker-ransomware-actors-go-fileless-to-make-attacks-untraceable/

Smartphones, laptops, IoT devices vulnerable to new Bluetooth attack

Academics have disclosed today a new vulnerability in the Bluetooth wireless protocol, broadly used to interconnect modern devices, such as smartphones, tablets, laptops, and smart IoT devices.

The vulnerability, codenamed BIAS (Bluetooth Impersonation AttackS), impacts the classic version of the Bluetooth protocol, also known as Basic Rate / Enhanced Data Rate, Bluetooth BR/EDR, or just Bluetooth Classic.

A bug in the bonding authentication process can allow an attacker to spoof the identity of a previously paired/bonded device and successfully authenticate and connect to another device without knowing the long-term pairing key that was previously established between the two.

Once a BIAS attack is successful, the attacker can then access or take control of another Bluetooth Classic device.

Read more here: https://www.zdnet.com/article/smartphones-laptops-iot-devices-vulnerable-to-new-bias-bluetooth-attack/

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.