Threat Intelligence Blog

Contact us to discuss any insights from our Blog, and how we can support you in a tailored threat intelligence report.

Black Arrow Admin Black Arrow Admin

Black Arrow Cyber Threat Briefing 10 May 2024

Black Arrow Cyber Threat Intelligence Briefing 10 May 2024:

-China Suspected of Hacking MoD, Through Its Payroll Provider

-Security Tools Fail to Translate Risks for Executives

-Gang Accused of MGM Hack Shifts Attacks to Finance Sector

-Are SMEs Paving the Way for Cyber Attacks on Larger Companies?

-Misconfigurations Drive 80% of Security Exposure, Report Finds

-Only 45% of Organisations Employ MFA Protections

-You Cannot Protect What You Do Not Know You Have, as Criminals are Exploiting Vulnerabilities Faster Than Ever

-The Rise and Stealth of The Socially Engineered Insider

-Over 70% of Staff Use AI At Work, But Only 30% of European Organisations Provide AI Training

-Don't Be the Weakest Link – You and Your Team's Crucial Role in Cyber Security

-Ransomware Activity Thrives, Despite Law enforcement Efforts

-NATO Warns of Russian Hybrid Warfare

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

China Suspected of Hacking UK Ministry of Defence, Through Its Payroll Provider

UK Defence Secretary Grant Shapps has confirmed that over 270,000 personal details have been leaked after the MoD was hacked through its third-party payroll provider, SSCL. The affected systems have been pulled offline since the attack. SSCL’s website describes that it manages HR for the armed forces, the Metropolitan Police and other areas of British government. The commercial supply chain, and in particular HR and payroll providers, is increasing being used as the soft underbelly to attack larger and better protected organisations.

Sources: [LBC] [The Register] [Sky News]

Security Tools Fail to Translate Risks for Executives

Organisations are struggling with internal communication barriers, hindering their ability to address and mitigate cyber security threats, according to a report which found that seven out of 10 C-suite executives said their security teams talk in technical terms without providing business context. However, in contrast, 75% of CISO’s highlight the issue is rooted in security tools that cannot generate the insights C-level executives and boards can use to understand business implications. The role of a good CISO should be to take the output of these tools and turn that data into metrics the Boards can understand.

The issues highlight the necessity for organisations to have someone in their organisation, whether an employee or a third-party, who is able to ingest technical results and translate them into a style that the C-suite can understand for business risk management.

Source: [Help Net Security]

Gang Accused of MGM Hack Shifts Attacks to Finance Sector

The hacking group responsible for the infamous hack on MGM and Caesar’s Palace resorts is engaged in a new campaign targeting the financial sector. The group known as Scattered Spider has targeted 29 companies since 20 April this year, compromising at least 2 insurance companies so far. The research has stated that the attackers are purchasing lookalike domains that match the name of target companies, hosting fake log-in pages. Links to these are sent to employees, in an attempt to direct them there. The most recent attack took place just days ago, with more expected.

Sources: [Bloomberg Law] [Claims Journal]

Are SMEs Paving the Way for Cyber Attacks on Larger Companies?

A recent study highlights the escalating cyber threats facing businesses, particularly SMEs and supply chains. The study found that 32% of UK businesses, including 69% of large and 59% of mid-sized organisations, suffered a cyber attack last year. The situation is worse for SMEs, with weaker security systems and 77% lacking in-house cyber security. SMEs can become entry points for hackers targeting larger partners through interconnected supply chains. Meanwhile, Verizon’s latest data breaches report revealed a 68% increase in supply chain breaches, accounting for 15% of all breaches in 2023, up from 9% in 2022. These breaches are primarily driven by third-party software vulnerabilities exploited in ransomware and extortion attacks. Experts emphasise proactive cyber policies, vulnerability scans, and employee education for SMEs to bolster defences. They also urge organisations to consider third-party bugs as both vulnerability and vendor management problems, make better vendor choices, and use external signals like SEC disclosures in the United States to guide decisions. These measures can help prevent SMEs from becoming gateways for larger attacks and manage the rising threat of supply chain breaches.

Sources: [Insurance Times] [Dark Reading]

Misconfigurations Drive 80% of Security Exposure, Report Finds

A recent report has found that 80% of security exposures are caused by identity and credential misconfigurations, with a third of these putting critical assets at risk of a breach. According to the report, the majority of this is within an organisation’s network user management (Active Directory) and 56% of breaches that impact critical assets are within cloud platforms. There is often the misconception that cloud-based environments are secure by default, but misconfigurations can undo any security benefits and still leave you exposed. Just because someone else built and maintains your house, it is still your responsibility to lock the doors and windows.

Sources: [Security Magazine]

Only 45% of Organisations Employ MFA Protections

A recent report of IT decision-makers has found that 97% are facing challenges with identity verification and 52% are very concerned about credential compromise, followed by account takeover (50%). When it comes to reinforcing identity verification, only 45% used multi-factor authentication (MFA). By using MFA, organisations are forcing two identification verifications: simply knowing a username and password is not enough, especially given the speeds with which attackers can crack passwords, with average 8 character passwords able to be cracked in less than a minute. Whilst no control is 100% impenetrable, enabling MFA will aid in increasing your organisation's cyber resilience.

Source: [Help Net Security]

You Cannot Protect What You Do Not Know You Have, as Criminals are Exploiting Vulnerabilities Faster Than Ever

For many organisations, visibility of their information assets can be incredibly hard to obtain and maintain, with different tools, under-reporting and shadow IT contributing to the problem. Unfortunately, cyber criminals are getting faster at exploiting vulnerabilities, and if you do not know you have the vulnerability in your estate then you cannot patch against it. In their recent report, Fortinet found that attacks started on average 4.76 days after new exploits were publicly disclosed.

Interestingly though, while zero-day threats garner much attention (these are ‘new’ vulnerabilities that are being exploited by attackers but for which there are no security patches yet available), one third of all exploits are for older vulnerabilities. This highlights the need for a comprehensive and robust approach to network security and vulnerability management, beyond simply patching what Microsoft puts out once a month. To have effective patch management, organisations must know what they need to patch and therefore must have visibility of the corporate environment. A good starting block is the creation of a robust information asset register.

Sources: [Security Brief] [Help Net Security] [IT Security Guru]

The Rise and Stealth of The Socially Engineered Insider

Social engineering has become increasingly prevalent as the preferred tactic for foreign adversaries. Insiders are prime targets due to their privileged access to sensitive data. This is particularly affecting the technology, pharma, and critical infrastructure sectors. Advances in AI and social platforms have made it easier to exploit these vulnerabilities. These advances allow threat actors to tailor attacks with unprecedented speed and realism. Using methods like coercion or deception, these actors exploit employees to gain high-value data that can be weaponised. As a result, the threat landscape has become more complex, blurring the lines between internal and external risks. To bolster their defences, organisations are now investing in insider risk management and AI. They are also emphasising employee education and cross-sector collaboration.

Source: [Forbes]

Over 70% of Staff Use AI At Work, But Only 30% of European Organisations Provide AI Training

An ISACA study and the AI Security & Governance Report reveal a complex landscape of AI adoption and security. 73% of European organisations and 54% of global organisations use AI, with 79% increasing their AI budgets, however training and policy development lag behind. Only 30% offer limited training, 40% provide none, and a mere 17% have a comprehensive AI policy. Despite AI’s potential, 80% of data experts find it complicates security, with concerns high around generative AI exploitation (61% of respondents) and AI-powered attacks (over 50% of business leaders). Data poisoning and privacy issues persist, yet 85% of leaders express confidence in their data security strategies, with 83% revising privacy and governance guidelines. With 86% recognising a need for AI training within two years, the call for dynamic governance strategies and formal education is clear to manage evolving threats.

Sources: [Help Net Security] [IT Security Guru]

Don't Be the Weakest Link – You and Your Team's Crucial Role in Cyber Security

Cyber security success depends on more than just technology. Bad actors are always looking for the easiest entry point, meaning that employees’ everyday actions are crucial, when even one careless click or a weak password can be an open door for hackers. However, empowered with the right knowledge and tools, staff can become a robust defence. Nearly 80% of organisations have reported an increase in phishing attacks, but training programs like role-playing exercises and phishing simulations significantly reduce these risks. Effective cyber security also hinges on C-suite leaders promoting a security-first culture, ensuring all employees understand the risks and follow strict protocols like MFA and strong password policies. Consistent training and open communication are vital in fostering a resilient, security-aware workforce.

Source: [JDSupra]

Ransomware Activity Thrives, Despite Law enforcement Efforts

Despite the recent law enforcement takedowns on ransomware groups, ransomware remains rife. Whilst the takedown of a group can come as an initial relief in that the group has gone, it simply forces ransomware affiliates to diversify. This is reflected in ransomware continuing its growth in the first quarter of 2024, with 18 new leak sites, the largest number in a single quarter, emerging over this period. When comes to those at risk, both financial services and healthcare remain a prominent target.

Sources: [Help Net Security ] [Infosecurity Magazine] [Help Net Security]

NATO Warns of Russian Hybrid Warfare

NATO has issued a statement in which it describes it is “deeply concerned about Russia's hybrid actions and the threat that they constitute to NATO security”.  The actions are described to include sabotage, acts of violence, cyber and electronic interference, and disinformation campaigns. This comes as many countries including the UK and US are due to have elections this year.

Sources: [EU Reporter] [Financial Times]

Threats

Ransomware, Extortion and Destructive Attacks

Ransomware Victims

Phishing & Email Based Attacks

Other Social Engineering

Artificial Intelligence

2FA/MFA

Malware

Mobile

Denial of Service/DoS/DDOS

Data Breaches/Leaks

Organised Crime & Criminal Actors

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

Insider Risk and Insider Threats

Supply Chain and Third Parties

Cloud/SaaS

Encryption

Linux and Open Source

Passwords, Credential Stuffing & Brute Force Attacks

Social Media

Training, Education and Awareness

Regulations, Fines and Legislation

Models, Frameworks and Standards

Data Protection

Careers, Working in Cyber and Information Security

Law Enforcement Action and Take Downs

Nation State Actors, Advanced Persistent Threats (APTs), Cyber Warfare, Cyber Espionage and Geopolitical Threats/Activity

Cyber Warfare and Cyber Espionage

Nation State Actors

China

Russia

Iran

North Korea

Other Nation State Actors, Hacktivism, Extremism, Terrorism and Other Geopolitical Threat Intelligence

Tools and Controls

Reports Published in the Last Week

Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

·         Automotive

·         Construction

·         Critical National Infrastructure (CNI)

·         Defence & Space

·         Education & Academia

·         Energy & Utilities

·         Estate Agencies

·         Financial Services

·         FinTech

·         Food & Agriculture

·         Gaming & Gambling

·         Government & Public Sector (including Law Enforcement)

·         Health/Medical/Pharma

·         Hotels & Hospitality

·         Insurance

·         Legal

·         Manufacturing

·         Maritime

·         Oil, Gas & Mining

·         OT, ICS, IIoT, SCADA & Cyber-Physical Systems

·         Retail & eCommerce

·         Small and Medium Sized Businesses (SMBs)

·         Startups

·         Telecoms

·         Third Sector & Charities

·         Transport & Aviation

·         Web3

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Read More
Black Arrow Admin Black Arrow Admin

Black Arrow Cyber Threat Briefing 04 December 2020

Black Arrow Cyber Threat Briefing 4 December 2020: Covid vaccine supply chain targeted by hackers; Criminals Favour Ransomware and BEC; Bank Employee Sells Personal Data of 200,000 Clients; 2020 Pandemic changing short- and long-term approaches to risk; Cyber risks take the fun out of connected toys; Remote Workers Admit Lack of Security Training

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities and cyber related news from the last week.

Top Cyber Headlines of the Week

Covid vaccine supply chain targeted by hackers, say security experts

Cyber attackers have targeted the cold supply chain needed to deliver Covid-19 vaccines, according to a report detailing a sophisticated operation likely backed by a nation state. 

The hackers appeared to be trying to disrupt or steal information about the vital processes to keep vaccines cold as they travel from factories to hospitals and doctors’ offices.

https://www.ft.com/content/9c303207-8f4a-42b7-b0e4-cf421f036b2f

Criminals to Favour Ransomware and BEC Over Breaches in 2021

The era of the mega-breach may be coming to an end as cyber-criminals eschew consumers’ personal data and focus on phishing and ransomware.

Cyber-criminals are relying less on stolen personal information and more on “poor consumer behaviors” such as password reuse to monetize attacks.

https://www.infosecurity-magazine.com/news/criminals-favor-ransomware-bec/

Bank Employee Sells Personal Data of 200,000 Clients

South Africa–based financial services group Absa has stated that one of its employees sold the personal information of 200,000 clients to third parties.

The group confirmed on Wednesday that the illegal activity had occurred and that 2% of Absa's retail customer base had been impacted.

The employee allegedly responsible for it was a credit analyst who had access to the group's risk-modeling processes.

Data exposed as a result of the security incident included clients' ID numbers, addresses, contact details, and descriptions of vehicles that they had purchased on finance.

https://www.infosecurity-magazine.com/news/bank-employee-sells-personal-data/

LastPass review: Still the leading password manager, despite security history

"'Don't put all your eggs in one basket' is all wrong. I tell you 'put all your eggs in one basket, and then watch that basket,'" said industrialist Andrew Carnegie in 1885. When it comes to privacy tools, he's usually dead wrong. In the case of password managers, however, Carnegie is usually more dead than wrong. To wit, I have been using LastPass so long I don't know when I started using LastPass and, for now, I've got no reason to change that. 

https://www.cnet.com/news/lastpass-review-still-the-leading-password-manager-despite-security-history/

The most significant security innovations of 2020

Who gets access? That is the question that drives every security measure and innovation that’s landed on PopSci’s annual compendium since we launched the category in 2008. Every year, that question gets bigger and bigger. In 2020, the world quaked under a global pandemic that took 1.4 million lives, the US saw a rebirth in its civil rights movement, and a spate of record-breaking wildfires forced entire regions to evacuate. And those are just the new scares. A buildup of angst against ad trackers and app snooping led to major changes in hardware and software alike. It was a year full of lessons, nuances, and mini revolutions, and we strive to match that with our choices.

https://www.popsci.com/story/technology/most-important-security-innovations-2020/

2020 security priorities: Pandemic changing short- and long-term approaches to risk

Security planning and budgeting is always an adventure. You can assess current risk and project the most likely threats, but the only real constant in cybersecurity risk is its unpredictability. Layer a global pandemic on top of that and CISOs suddenly have the nearly impossible task of deciding where to request and allocate resources in 2021.

Show how the COVID pandemic has changed what security focuses on now and what will drive security priorities and spending in 2021. Based on a survey of 522 security professionals from the US, Asia/Pacific and Europe, the study reveals how the pandemic has changed the way organizations assess risk and respond to threats—permanently.

https://www.csoonline.com/article/3598393/new-study-shows-pandemic-changing-short-and-long-term-approaches-to-risk.html

Cyber risks take the fun out of connected toys

As Christmas approaches, internet-enabled smart toys are likely to feature heavily under festive trees. While some dolls of decades past were only capable of speaking pre-recorded phrases, modern equivalents boast speech recognition and can search for answers online in real time.

Other connected gadgets include drones or cars such as Nintendo’s Mario Kart Live Home Circuit, where players race each other in a virtual world modelled after their home surroundings.

But for all the fun that such items can bring, there is a risk — poorly-secured Internet of Things toys can be turned into convenient tools for hackers.

https://www.ft.com/content/c653e977-435f-4553-8401-9fa9b0faf632

Remote Workers Admit Lack of Security Training

A third of remote working employees have not received security training in the last six months.

400 remote workers in the UK across multiple industries, while 83% have had access to security best practice training and 88% are familiar with IT security policies, 32% have received no security training in the last six months.

Also, 50% spend two or more hours a week on IT issues, and 42% felt they had to go around the security policies of their organization to do their job.

https://www.infosecurity-magazine.com/news/remote-workers-training/ 

Threats

Ransomware

Delaware County Pays $500,000 Ransom After Outages

A US county is in the process of paying half-a-million dollars to ransomware extorters who locked its local government network, according to reports.

Pennsylvania’s Delaware County revealed the attack last week, claiming in a notice that it had disrupted “portions of its computer network.

“We commenced an immediate investigation that included taking certain systems offline and working with computer forensic specialists to determine the nature and scope of the event. We are working diligently to restore the functionality of our systems,” it said.

https://www.infosecurity-magazine.com/news/delaware-county-pays-500k-ransom/

MasterChef Producer Hit by Double Extortion Ransomware

A multibillion-dollar TV production company has become the latest big corporate name caught out by ransomware, it emerged late last week.

The firm owns over 120 production firms around the world, delivering TV shows ranging from MasterChef and Big Brother to Black Mirror and The Island with Bear Grylls.

In a short update last Thursday, it claimed to be managing a “cyber-incident” affecting the networks of Endemol Shine Group and Endemol Shine International, Dutch firms it acquired in a $2.2bn deal in July.

Although ransomware isn’t named in the notice, previous reports suggest the firm is being extorted.

https://www.infosecurity-magazine.com/news/masterchef-producer-double/

Sopra Steria to take multi-million euro hit on ransomware attack

The company revealed in October that it had been hit by hackers using a new version of Ryuk ransomware.

It now says that the fallout, with various systems out of action, is likely to have a gross negative impact on operating margin of between €40 million and €50 million.

The group's insurance coverage for cyber risks is EUR30 million, meaning that negative organic revenue growth for the year is now expected to be between 4.5% and five per cent (previously between two per cent and four per cent). Free cash flow is now expected to be between €50 million and €100 million (previously between €80 million and €120 million).

https://www.finextra.com/newsarticle/37020/sopra-steria-to-take-multi-million-euro-hit-on-ransomware-attack

BEC

FBI: BEC Scams Are Using Email Auto-Forwarding

The agency notes in an alert made public this week that since the COVID-19 pandemic began, leading to an increasingly remote workforce, BEC scammers have been taking advantage of the auto-forwarding feature within compromised email inboxes to trick employees to send them money under the guise of legitimate payments to third parties.

This tactic works because most organizations do not sync their web-based email client forwarding features with their desktop client counterparts. This limits the ability of system administrators to detect any suspicious activities and enables the fraudsters to send malicious emails from the compromised accounts without being detected, the alert, sent to organizations in November and made public this week, notes.

https://www.bankinfosecurity.com/fbi-bec-scams-are-using-email-auto-forwarding-a-15498

Phishing

Phishing lures employees with fake 'back to work' internal memos

Scammers are trying to steal email credentials from employees by impersonating their organization's human resources (HR) department in phishing emails camouflaged as internal 'back to work' company memos.

These phishing messages have managed to land in thousands of targeted individuals' mailboxes after bypassing G Suite email defences according to stats provided by researchers at email security company Abnormal Security who spotted this phishing campaign.

There is a high probability that some of the targets will fall for the scammers' tricks given that during this year's COVID-19 pandemic most companies have regularly emailed their employees with updates regarding remote working policy changes.

https://www.bleepingcomputer.com/news/security/phishing-lures-employees-with-fake-back-to-work-internal-memos/

Warning: Massive Zoom phishing targets Thanksgiving meetings

Everyone should be on the lookout for a massive ongoing phishing attack today, pretending to be an invite for a Zoom meeting. Hosted on numerous landing pages, BleepingComputer has learned that thousands of users' credentials have already been stolen by the attack.

With many in the USA hosting virtual Thanksgiving dinners and people in other countries conducting Zoom business meetings, as usual, today is a prime opportunity to perform a phishing attack using Zoom invite lures.

https://www.bleepingcomputer.com/news/security/warning-massive-zoom-phishing-targets-thanksgiving-meetings/

Malware

All-new Windows 10 malware is excellent at evading detection

Security researchers at Kaspersky have discovered a new malware strain developed by the hacker-for-hire group DeathStalker that has been designed to avoid detection on Windows PCs.

While the threat actor has been active since at least 2012, DeathStalker first drew Kaspersky's attention back in 2018 because of its distinctive attack characteristics which didn't resemble those employed by cybercriminals or state-sponsored hackers.

https://www.techradar.com/news/all-new-windows-10-malware-is-excellent-at-evading-detection

New TrickBot version can tamper with UEFI/BIOS firmware

The operators of the TrickBot malware botnet have added a new capability that can allow them to interact with an infected computer's BIOS or UEFI firmware.

The new capability was spotted inside part of a new TrickBot module, first seen in the wild at the end of October, security firms Advanced Intelligence and Eclypsium said in a joint report published today.

The new module has security researchers worried as its features would allow the TrickBot malware to establish more persistent footholds on infected systems, footholds that could allow the malware to survive OS reinstalls.

https://www.zdnet.com/article/new-trickbot-version-can-tamper-with-uefibios-firmware/

Russia-linked APT Turla used a new malware toolset named Crutch

Russian-linked APT group Turla has used a previously undocumented malware toolset, named Crutch, in cyberespionage campaigns aimed at high-profile targets, including the Ministry of Foreign Affairs of a European Union country.

The Turla APT group (aka Snake, Uroburos, Waterbug, Venomous Bear and KRYPTON) has been active since at least 2007 targeting diplomatic and government organizations and private businesses in the Middle East, Asia, Europe, North and South America, and former Soviet bloc nations.

https://securityaffairs.co/wordpress/111813/apt/turla-crutch-malware-platform.html

MacBooks under attack by dangerous malware: What to do

a recent spate of malware attacks targeting macOS of late that installs backdoors to steal sensitive personal information. The security firm discovered that a new malware variant is being used online and backed by a rogue nation-state hacking group known as OceanLotus, which also operates under the name AKTP2 and is based in Vietnam. 

The new malware was created by OceanLotus due to the “similarities in dynamic behavior and code” from previous malware connected to the Vietnamese-based hacking group. 

https://www.laptopmag.com/news/macbooks-under-attack-by-dangerous-malware-what-to-do

Hackers Using Monero Mining Malware as Decoy, Warns Microsoft

The company’s intelligence team said a group called BISMUTH hit government targets in France and Vietnam with relatively conspicuous monero mining trojans this summer. Mining the crypto generated side cash for the group, but it also distracted victims from BISMUTH’s true campaign: credential theft.

Crypto-jacking “allowed BISMUTH to hide its more nefarious activities behind threats that may be perceived to be less alarming because they’re ‘commodity’ malware,” Microsoft concluded. It said the conspicuousness of monero mining fits BISMUTH’s “hide in plain sight” MO.

Microsoft recommended organizations stay vigilant against crypto-jacking as a possible decoy tactic.

https://www.coindesk.com/hackers-using-monero-mining-malware-as-decoy-warns-microsoft

Vulnerabilities

Zerologon is now detected by Microsoft Defender for Identity

There has been a huge focus on the recently patched CVE-2020-1472 Netlogon Elevation of Privilege vulnerability, widely known as ZeroLogon. While Microsoft strongly recommends that you deploy the latest security updates to your servers and devices, we also want to provide you with the best detection coverage possible for your domain controllers. Microsoft Defender for Identity along with other Microsoft 365 Defender solutions detect adversaries as they try to exploit this vulnerability against your domain controllers.

https://www.microsoft.com/security/blog/2020/11/30/zerologon-is-now-detected-by-microsoft-defender-for-identity/

Privacy

'We've heard the feedback...' Microsoft 365 axes per-user productivity monitoring after privacy backlash

If you heard a strange noise coming from Redmond today, it was the sound of some rapid back-pedalling regarding the Productivity Score feature in its Microsoft 365 cloud platform.

Following outcry from subscribers and privacy campaigners, the Windows giant has now vowed to wind back the functionality so that it no longer produces scores for individual users, and instead just summarizes the output of a whole organization. It was feared the dashboard could have been used by bad bosses to measure the productivity of specific employees using daft metrics like the volume of emails or chat messages sent through Microsoft 365.

https://www.theregister.com/2020/12/01/productivity_score/

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Read More
Black Arrow Admin Black Arrow Admin

Black Arrow Cyber Threat Briefing 27 November 2020

Black Arrow Cyber Threat Briefing 27 November 2020: Hundreds of C-level executives’ credentials available for $100 to $1500; Bluetooth Attack Can Steal a Tesla Model X in Minutes; Three members of TMT cybercrime group arrested in Nigeria; Cyber criminals make £2.5m raid on law firms in lockdown; Hackers post athletes’ naked photos online

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities and cyber related news from the last week.

Top Cyber Headlines of the Week

Hundreds of C-level executives’ credentials available for $100 to $1500 per account

A credible threat actor is offering access to the email accounts of hundreds of C-level executives for $100 to $1500 per account.

The availability of access to the email accounts of C-level executives could allow threat actors to carry out multiple malicious activities, from cyber espionage to BEC scams.

The threat actor is selling login credentials for Office 365 and Microsoft accounts and the price depends on the size of the C-level executives’ companies and the internal role of the executive.

The threat actor claims its database includes login credentials of high-level executives such as:

CEO, CTO, COO, CFO, CMO. President, Vice President, Executive Assistant, Finance Manager, Accountant, Director, Finance Director, Financial Controller and Accounts Payables

https://securityaffairs.co/wordpress/111588/cyber-crime/executives-credentials-dark-web.html

This Bluetooth Attack Can Steal a Tesla Model X in Minutes

Tesla has always prided itself on its so-called over-the-air updates, pushing out new code automatically to fix bugs and add features. But one security researcher has shown how vulnerabilities in the Tesla Model X's keyless entry system allow a different sort of update:

A hacker could rewrite the firmware of a key fob via Bluetooth connection, lift an unlock code from the fob, and use it to steal a Model X in just a matter of minutes.

https://www.wired.com/story/tesla-model-x-hack-bluetooth/

Three members of TMT cybercrime group arrested in Nigeria

Three Nigerians suspected of being part of a cybercrime group that has made tens of thousands of victims around the world have been arrested today in Lagos, Nigeria, Interpol reported.

In a report disclosing its involvement in the investigation, security firm Group-IB said the three suspects are members of a cybercrime group they have been tracking since 2019 and which they have been tracking under the codename of TMT.

Group-IB said the group primarily operated by sending out mass email spam campaigns containing files laced with malware.

https://www.zdnet.com/article/three-members-of-tmt-cybercrime-group-arrested-in-nigeria/

Cyber criminals make £2.5m raid on law firms in lockdown

The large number of lawyers working from home has become a magnet for cyber criminals, the Solicitors Regulation Authority has said, revealing a 300% increase in phishing scams in the first two months of lockdown alone.

In the first half of 2020, firms reported that nearly £2.5m held by them had been stolen by cybercriminals, more than three times the amount reported in the same period in 2019.

Law firm staff working remotely on less secure devices than the office network and those without dedicated office space finding it hard to keep information confidential. Those using video meetings also need to make sure that unauthorised parties cannot overhear or see a confidential meeting.

https://www.lawgazette.co.uk/news/cyber-criminals-make-25m-raid-on-law-firms-in-lockdown/5106526.article

Hackers post athletes’ naked photos online

Four British athletes are among hundreds of female sports stars and celebrities whose intimate photographs and videos have been posted online in a targeted cyberattack.

The hack, which the athletes became aware of this week, has caused panic and one leading sports agency has advised its clients to take extra measures to protect their private data.

The athletes, who had photographs and videos stolen from their phones, were considering steps last night to have the material removed from the dark net.

https://www.thetimes.co.uk/article/hackers-post-athletes-naked-photos-online-86sq27hgl

Threats

Ransomware

Manchester United hackers 'demanding million-pound ransom'

Manchester United are still suffering the effects of a significant cyberattack that targeted the club earlier this week.

Following last weekend's 'sophisticated' attack, the club has revealed it is still suffering severe disruption to its internal systems, several of which had to be shut down following the incident.

Reports have also claimed that the hackers are demanding "millions of pounds" before they let the club regain full control.

https://www.techradar.com/sg/news/manchester-united-hackers-demanding-million-pound-ransom

Egregor Ransomware Attack Hijacks Printers to Spit Out Ransom Notes

The South American retail giant Cencosud was hit with ransomware last week? The retailer was infected by an Egregor ransomware attack which, in time honoured fashion, stole sensitive files that it found on the compromised network, and encrypted data on Cencosud’s drives to lock workers out of the company’s data.

A text file was left on infected Windows computers, telling the store that private data would be shared with the media if it was not prepared to begin negotiating with the hackers within three days.

That’s nothing unusual, but Egregor’s novel twist is that it can also tell businesses that their computer systems are well and truly breached by sending its ransom note to attached printers.

https://www.tripwire.com/state-of-security/featured/egregor-ransomware-attack-hijacks-printers-spit-out-ransom-notes/

Sopra Steria: Adding up outages and ransomware clean-up, Ryuk attack will cost us up to €50m

Sopra Steria has said a previously announced Ryuk ransomware infection will not only cost it "between €40m and €50m" but will also deepen expected financial losses by several percentage points.

The admission comes weeks after the French-headquartered IT outsourcing firm's Active Directory infrastructure was compromised by malicious people who deployed the Ryuk ransomware, using what the company called "a previously unknown strain."

https://www.theregister.com/2020/11/25/sopra_steria_ransomware_damage_50m_euros/

Phishing

GoDaddy scam shows how voice phishing can be more deceptive than email schemes

Companies can protect employees from phishing schemes through a combination of training, secure email gateways and filtering technologies. But what protects workers from phone-based voice phishing (vishing) scams, like the kind that recently targeted GoDaddy and a group of cryptocurrency platforms that use the Internet domain registrar service?

Experts indicate that there are few easy answers, but organizations intent on putting a stop to such activity may have to push for more secure forms of verification, escalation procedures for sensitive requests, and better security awareness of account support staffers and other lower-level employees.

https://www.scmagazine.com/home/security-news/phishing/godaddy-scam-shows-how-voice-phishing-can-be-more-deceptive-than-email-schemes/

Google Services Weaponized to Bypass Security in Phishing, BEC Campaigns

A spike in recent phishing and business email compromise (BEC) attacks can be traced back to criminals learning how to exploit Google Services, according to research from Armorblox.

Social distancing has driven entire businesses into the arms of the Google ecosystem looking for a reliable, simple way to digitize the traditional office. A report detailing how now-ubiquitous services like Google Forms, Google Docs and others are being used by malicious actors to give their spoofing attempts a false veneer of legitimacy, both to security filters and victims.

https://threatpost.com/google-services-weaponized-to-bypass-security-in-phishing-bec-campaigns/161467/

Malware

Malware creates scam online stores on top of hacked WordPress sites

A new cybercrime gang has been seen taking over vulnerable WordPress sites to install hidden e-commerce stores with the purpose of hijacking the original site's search engine ranking and reputation and promote online scams.

The attacks were discovered earlier this month targeting a WordPress honeypot which was set up and managed.

The attackers leveraged brute-force attacks to gain access to the site's admin account, after which they overwrote the WordPress site's main index file and appended malicious code.

https://www.zdnet.com/article/malware-creates-online-stores-on-top-of-hacked-wordpress-sites/

Enter WAPDropper – An Android Malware Subscribing Victims to Premium Services by Telecom Companies

WAPDropper, a new malware which downloads and executes an additional payload. In the current campaign, it drops a WAP premium dialler which subscribes its victims to premium services without their knowledge or consent.

The malware, which belongs to a newly discovered family, consists of two different modules: the dropper module, which is responsible for downloading the 2nd stage malware, and a premium dialler module that subscribes the victims to premium services offered by legitimate sources – In this campaign, telecommunication providers in Thailand and Malaysia.
https://research.checkpoint.com/2020/enter-wapdropper-subscribe-users-to-premium-services-by-telecom-companies/

LightBot: TrickBot’s new reconnaissance malware for high-value targets

The notorious TrickBot gang has released a new lightweight reconnaissance tool used to scope out an infected victim's network for high-value targets.

Over the past week, security researchers began to see a phishing campaign normally used to distribute TrickBot's BazarLoader malware switch to installing a new malicious PowerShell script.

https://www.bleepingcomputer.com/news/security/lightbot-trickbot-s-new-reconnaissance-malware-for-high-value-targets/

IoT

The smart video doorbells letting hackers into your home

Smart doorbells with cameras let you see who’s at the door without getting up off the sofa, but in-depth security testing has found some are leaving your home wide open to uninvited guests.

With internet-connected smart tech on the rise, smart doorbells are a common sight on UK streets. Popular models, such as Ring and Nest doorbells, are expensive, but scores of similar looking devices have popped up on Amazon, eBay and Wish at a fraction of the price.

https://www.which.co.uk/news/2020/11/the-smart-video-doorbells-letting-hackers-into-your-home/

Password Attacks

Up to 350,000 Spotify accounts hacked in credential stuffing attacks

An unsecured internet-facing database containing over 380 million individual records, including login credentials that were leveraged for breaking into 300,000 to 350,000 Spotify accounts. The exposed records included a variety of sensitive information such as people’s usernames and passwords, email addresses, and countries of residence.

The treasure trove of data was stored on an unsecured Elasticsearch server that was uncovered. Both the origin and owners of the database remain unknown. However, the researchers were able to validate the veracity of the data as Spotify confirmed that the information had been used to defraud both the company and its users.

https://www.welivesecurity.com/2020/11/24/350000-spotify-accounts-hacked-credential-stuffing-attacks/

Passwords exposed for almost 50,000 vulnerable Fortinet VPNs

A hacker has now leaked the credentials for almost 50,000 vulnerable Fortinet VPNs.

Over the weekend a hacker had posted a list of one-line exploits to steal VPN credentials from these devices.

Present on the list of vulnerable targets are IPs belonging to high street banks, telecoms, and government organizations from around the world.

https://www.bleepingcomputer.com/news/security/passwords-exposed-for-almost-50-000-vulnerable-fortinet-vpns/

Vulnerabilities

UK urges orgs to patch critical MobileIron RCE bug

The UK National Cyber Security Centre (NCSC) issued an alert yesterday, prompting all organizations to patch the critical CVE-2020-15505 remote code execution (RCE) vulnerability in MobileIron mobile device management (MDM) systems.

An MDM is a software platform that allows administrators to remotely manage mobile devices in their organization, including the pushing out of apps, updates, and the ability to change settings. This management is all done from a central location, such as an admin console running on the organization's server, making it a prime target for attackers.

https://www.bleepingcomputer.com/news/security/uk-urges-orgs-to-patch-critical-mobileiron-cve-2020-15505-rce-bug/

Critical Unpatched VMware Flaw Affects Multiple Corporates Products

VMware has released temporary workarounds to address a critical vulnerability in its products that could be exploited by an attacker to take control of an affected system.

"A malicious actor with network access to the administrative configurator on port 8443 and a valid password for the configurator admin account can execute commands with unrestricted privileges on the underlying operating system," the virtualization software and services firm noted in its advisory.

Tracked as CVE-2020-4006, the command injection vulnerability has a CVSS score of 9.1 out of 10 and impacts VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector.

https://thehackernews.com/2020/11/critical-unpatched-vmware-flaw-affects.html

GitHub fixes 'high severity' security flaw spotted by Google

GitHub has finally fixed a high severity security flaw reported to it by Google Project Zero more than three months ago.

The bug affected GitHub's Actions feature – a developer workflow automation tool was "highly vulnerable to injection attacks".

GitHub's Actions support a feature called workflow commands as a communication channel between the Action runner and the executed action.

https://www.zdnet.com/article/github-fixes-high-severity-security-flaw-spotted-by-google/

Google Chrome users still vulnerable to multiple zero-day attacks

As business users and consumers have moved most of their workloads to the cloud, more and more of their work is being done in web browsers such as Google Chrome as opposed to in applications installed locally on their systems.

This means that the web browser is now an essential yet vulnerable entry point that if compromised, could give cybercriminals access to a user's entire digital life including their email, online banking, social networks and more. However, despite this risk, users are failing to update to the latest version of Google Chrome.

https://www.techradar.com/news/google-chrome-users-still-vulnerable-to-multiple-zero-day-attacks

Microsoft releases patching guidance for Kerberos security bug

Released details on how to fully mitigate a security feature bypass vulnerability in Kerberos KDC (Key Distribution Centre) patched during this month's Patch Tuesday.

The remotely exploitable security bug tracked as CVE-2020-17049 exists in the way KDC decides if service tickets can be used for delegation via Kerberos Constrained Delegation (KCD).

Kerberos is the default authentication protocol for domain connected devices running Windows 2000 or later. Kerberos KDC is a feature that manages service tickets used for encrypting messages between network servers and clients.

https://www.bleepingcomputer.com/news/microsoft/microsoft-releases-patching-guidance-for-kerberos-security-bug/

Data Breaches

Sophos notifies customers of data exposure after database misconfiguration

UK-based cyber-security vendor Sophos is currently notifying customers via email about a security breach the company suffered earlier this week.

Exposed information included details such as customer first and last names, email addresses, and phone numbers (if provided).

https://www.zdnet.com/article/sophos-notifies-customers-of-data-exposure-after-database-misconfiguration/

Privacy

Microsoft productivity score feature criticised as workplace surveillance

Microsoft has been criticised for enabling “workplace surveillance” after privacy campaigners warned that the company’s “productivity score” feature allows managers to use Microsoft 365 to track their employees’ activity at an individual level.

The tools, first released in 2019, are designed to “provide you visibility into how your organisation works”, according to a Microsoft blogpost, and aggregate information about everything from email use to network connectivity into a headline percentage for office productivity.

https://www.theguardian.com/technology/2020/nov/26/microsoft-productivity-score-feature-criticised-workplace-surveillance

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

 

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Read More
Black Arrow Admin Black Arrow Admin

Cyber Briefing 23 October 2020: Ransomware Continues to Evolve; Infected IoT Up 100%; Brute Force Attacks Up with more Open RDP Ports; 40% Unsure on Mobile Phishing; Most Imitated Phishing Brands

Cyber Briefing 23 October 2020: Ransomware Variants Evolve as Crooks Chase Bigger Paydays; Infected IoT Surges 100% in a Year; Brute Force Attacks Up Due To More Open RDP Ports; 40% of Users Not Sure What Mobile Phishing Is; Microsoft Most Imitated Phishing Brand Q3 2020; DDoS Triples as Ransoms Re-Emerge; Exploited Chrome Bug Fixed; WordPress Forces Security Update; The Most Worrying Vulns Around Today

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities and cyber related news from the last week.

Threats

Ransomware

This week has been busy with ransomware related news, including new charges against Russian state-sponsored hackers and numerous attacks against well-known organisations.

In 2017, there was an attack utilizing the NotPetya ransomware to destroy data on systems worldwide. This week, the US govt indicted six Russian intelligence operatives [source], known to be part of the notorious 'Sandworm' group, for hacking operations, including NotPetya.

Ransomware variants continue to evolve as crooks chase bigger paydays

The number of ransomware attacks which threaten to leak stolen data if the victim doesn't pay a ransom to get their encrypted files and servers back is growing – and this is being reflected in the changing nature of the cyber criminal market.

Analysis by cyber security researchers found that over the last three months – between July and September - 80 percent of ransomware attacks combined with data dumps were associated with four families of ransomware – Maze, Sodinokibi, Conti and Netwalker.

The period from April to June saw just three ransomware families account for 80 percent of alerts – DoppelPaymer, Maze and Sodinokibi.

The way DoppelPayer has dropped off and how Conti and NetWalker have suddenly emerged some of the most prolific threats shows how the ransomware space continues to evolve, partly because of how successful it has already become for the crooks behind it. [source]

Why this matters:

Maze was the first major family of ransomware to add threats of data breaches to their ransom demands and other ransomware operators have taken note – and stolen the additional extortion tactic.

There is an inherent competitive nature that has befallen the ransomware landscape. The saturated ransomware market pushes ransomware developers to cut through the noise and gain the best ransomware title and this drives more affiliates to carry out their work and, thus, more successful attacks to reach their goal: to make as much money as possible.

DoppelPaymer's activity has dropped over the last few months – although it still remains active - enabling Conti and NetWalker to grab a larger slice of the pie.

Notable ransomware victims of the last week

French IT giant Sopra Steria hit by Ryuk ransomware

French IT services giant Sopra Steria suffered a cyber attack on October 20th, 2020, that reportedly encrypted portions of their network with the Ryuk ransomware.

Sopra Steria is a European information technology company with 46,000 employees in 25 countries worldwide. The company provides a wide range of IT services, including consulting, systems integration, and software development.

The firm has said that the attack has hit all geographies where they operate and have said it will take them several weeks to recover.

Numerous sources have confirmed that it was Ryuk ransomware threat actors who were behind the attack. This hacking group is known for its TrickBot and BazarLoader infections that allow threat actors to access a compromised network and deploy the Ryuk or Conti ransomware infections.

BazarLoader is increasingly being used in Ryuk attacks against high-value targets due to its stealthy nature and is less detected than TrickBot by security software.

When installed, BazarLoader will allow threat actors to remotely access the victim's computer and use it to compromise the rest of the network.

After gaining access to a Windows domain controller, the attackers then deploy the Ryuk ransomware on the network to encrypt all of its devices, as illustrated in the diagram above. [Source1] [source2]

The Nefilim ransomware operators have posted a long list of files that appear to belong to Italian eyewear and eyecare giant Luxottica.

Luxottica Group S.p.A. is an Italian eyewear conglomerate and the world’s largest company in the eyewear industry (which owns brands including LensCrafters, Sunglass Hut, Apex by Sunglass Hut, Pearle Vision, Target Optical, Eyemed vision care plan, and Glasses.com. Its best known brands are Ray-Ban, Persol, and Oakley) and employs over 80,000 people and generated 9.4 billion in revenue for 2019.

The company was hit by a cyber attack and some of the web sites operated by the company were not reachable, including Ray-Ban, Sunglass Hut, LensCrafters, EyeMed, and Pearle Vision.

Reports indicate that the firm was using a Citrix ADX controller device vulnerable to a critical vulnerability and it is believed that a threat actor or actors exploited the above flaw to infect the systems at the company with ransomware. This appears to have subsequently confirmed with Nefilim ransomware operators having posted a long list of files that appear to belong to Luxottica. [source]

Why this matters:

The analysis of the leaked files revealed that they contain confidential information regarding the recruitment process, professional resumes, and info about the internal structures of the Group’s human resource department. The ransomware operators also published a message which accuses Luxottica of having failed the properly manage the attack.

In the past months, the number of ransomware attacks surged, numerous ransomware gangs made the headlines targeting organisations worldwide and threatening victims with releasing the stolen data if the ransom was not paid.

Extortion is the new thing in cyber crime right now, more so than in the past. Companies cannot hide the cyber attack anymore. Now it’s more about how to manage the breach from the communication perspective. Defending companies from these types of attacks becomes even more strategic: data leak damages can generate tremendous amount of costs for companies worldwide.

Other notable ransomware victims this week include:

  • Barnes & Noble hit by Egregor ransomware, strange data leaked [source]

  • Montreal's STM public transport system hit by ransomware attack [source]

  • WastedLocker ransomware hits US-based ski and golf resort operator Boyne Resorts (WastedLocker was the same one used in the attack on Garmin in July) [source]

Other Threats

Infected IoT Device Numbers Surge 100% in a Year

The volume of infected Internet of Things (IoT) devices globally has soared by 100% over the past year, according to new data from Nokia.

It revealed that infected IoT devices now comprise nearly a third (32.7%) of the total number of devices, up from 16.2% in the 2019 report.

Nokia argued that infection rates for connected devices depend dramatically upon the visibility of the devices on the internet.

In networks where devices are routinely assigned public facing internet IP addresses there is a higher infection rate. In networks where carrier grade NAT is used, the infection rate is considerably reduced, because the vulnerable devices are not visible to network scanning.

With the introduction of 5G well underway, it is expected that not only the number of IoT devices will increase dramatically, but also the share of IoT devices accessible directly from the internet will increase as well, and rates of infection rising accordingly. [source]

Brute force attacks increase due to more open RDP ports

While leaving your back door open while you are working from home may be something you do without giving it a second thought, having unnecessary ports open on your computer or on your corporate network is a security risk that is sometimes underestimated. That’s because an open port can be subject to brute force attacks.

A brute force attack is where an attacker tries every way he can think of to get in. Including throwing the kitchen sink at it. In cases where the method they are trying is to get logged in to your system, they will try endless combinations of usernames and passwords until a combination works.

Brute force attacks are usually automated, so it doesn’t cost the attacker a lot of time or energy. Certainly not as much as individually trying to figure out how to access a remote system. Based on a port number or another system specific property, the attacker picks the target and the method and then sets his brute force application in motion. He can then move on to the next target and will get notified when one of the systems has swallowed the hook.

RDP attacks are one of the main entry points when it comes to targeted ransomware operations. To increase effectiveness, ransomware attacks are getting more targeted and one of the primary attack vectors is the Remote Desktop Protocol (RDP). Remote desktop is exactly what the name implies, an option to remotely control a computer system. It almost feels as if you were actually sitting behind that computer. Which is exactly what makes an attacker with RDP access so dangerous. [source]

Why this matters:

Because of the current pandemic, many people are working from home and may be doing so for a while to come. Working from home has the side effect of more RDP ports being opened. Not only to enable the workforce to access company resources from home, but also to enable IT staff to troubleshoot problems on the workers’ devices. A lot of enterprises rely on tech support teams using RDP to troubleshoot problems on employee’s systems.

But ransomware, although prevalent, is not the only reason for these types of attacks. Cyber criminals can also install keyloggers or other spyware on target systems to learn more about the organization they have breached. Other possible objectives might be data theft, espionage, or extortion.

Phishing

Two in five employees are not sure what a mobile phishing attack is

The COVID-19 pandemic has clearly changed the way people work and accelerated the already growing remote work trend. This has also created new security challenges for IT departments, as employees increasingly use their own personal devices to access corporate data and services.

These changes, where employees, IT infrastructures, and customers are everywhere – has led to employees not prioritising security in their new world of work, and the current distributed remote work environment has also triggered a new threat landscape, with malicious actors increasingly targeting mobile devices with phishing attacks.

A new study looking at the impact that lockdown has had on employees working habits polled 1,200 workers across the US, UK, France, Germany, Belgium, Netherlands, Australia, and New Zealand showed that many employees were unaware of how to identify and avoid a phishing attack, and over two in five (43%) of employees are not even sure what a phishing attack is. [source]

Microsoft is Most Imitated Brand for Phishing Attempts in Q3 2020

The latest Check Point ‘Q3 Brand Phishing Report’, highlighting the brands that hackers imitated the most to lure people into giving up personal data, reveals the brands which were most frequently imitated by criminals in their attempts to steal individuals’ personal information or payment credentials during July, August and September.

In Q3, Microsoft was the most frequently targeted brand by cyber criminals, soaring from fifth place (relating to 7% of all brand phishing attempted globally in Q2 of 2020) to the top of the ranking. 19% of all brand phishing attempts related to the technology giant, as threat actors sought to capitalise on large numbers of employees still working remotely during the Covid-19 pandemic. For the first time in 2020, DHL entered the top 10 rankings, taking the second spot with 9% of all phishing attempts related to the company. [source]

Top phishing brands in Q3 2020

  • Microsoft (19%)

  • DHL (9%)

  • Google (9%)

  • PayPal (6%)

  • Netflix (6%)

  • Facebook (5%)

  • Apple (5%)

  • Whatsapp (5%)

  • Amazon (4%)

  • Instagram (4%)

Phishing Lures Shifting from COVID-19 updates to Job Opportunities

Researchers are seeing a pivot in the spear-phishing and phishing lures used by cybercriminals, to entice potential job candidates as businesses start to open up following the pandemic.

Cyber criminals cashed in on the surge of COVID-19 earlier this year, with email lures purporting to be from healthcare professionals offering more information about the pandemic. However, as the year moves forward, bad actors are continuing to swap up their attacks and researchers are now seeing ongoing email based attacks that tap into new job opportunities as businesses start to open up. [source]

Denial of Service Attacks

DDoS (Distributed Denial of Service) Attacks Triple in Size as Ransom Demands Re-Emerge

The last quarter of 2020 has seen a wave of web application attacks which have used ransom letters to target businesses across a number of industries.

According to research from Akamai, the largest of these attacks sent over 200Gbps of traffic at their targets as part of a sustained campaign of higher Bits Per Second (BPS) and Packets Per Second (PPS) than similar attacks had displayed a few weeks prior.

Prior to August most of these attacks were targeting the gaming industry but since then these attacks abruptly swung to financial organisations, and later in the cycle, multiple other verticals.

Akamai explained that none of the vectors involved in these series of attacks were new, as most of the traffic was generated by reflectors and systems that were used to amplify traffic. However, multiple organisations began to receive targeted emails with threats of DDoS attacks, where this would be launched unless a ransom amount was paid. A small DDoS would be made against the company to show that the attackers were serious, and then there was a threat of a 1Tbps attack if payment was not made.

Many extortion DDoS campaigns start as a threat letter, and never progress beyond that point but this this campaign has seen frequent ‘sample’ attacks that prove to the target that criminals have the capability to make life difficult.

Many of the extortion emails ended up being caught by spam filters, and not all targets are willing to admit they’ve received an email from the attackers.

Why this matters:

This extortion DDoS campaign is not over and the criminals behind this campaign are changing and evolving their attacks in order to throw off defenders and the law enforcement agencies that are working to track them down.

Vulnerabilities

New Google Chrome version fixes actively exploited zero-day bug

Google released Chrome 86.0.4240.111 this week to address five security vulnerabilities, one of which is being actively exploited.

The announcement from Google stated they they were aware of reports that an exploit for CVE-2020-15999 exists in the wild.

This new version of Chrome started rolling out to the entire userbase. Users on Windows, Mac, and Linux desktop users can upgrade to Chrome 86 by going to Settings -> Help -> About Google Chrome.

The Google Chrome web browser will then automatically check for the new update and install it when available.

Adobe releases another out-of-band patch, squashing critical bugs across creative software

Adobe has released a second out-of-band security update to patch critical vulnerabilities across numerous software products.

The patch, released outside of the tech giant's typical monthly security cycle, impacts Adobe Illustrator, Dreamweaver, Marketo, Animate, After Effects, Photoshop, Premiere Pro, Media Encoder, InDesign, and the Creative Cloud desktop application on Windows and macOS machines.

The vulnerabilities across the different products variously could result in privilege escalation, cross-site scripting (XSS), which could be weaponised to deploy malicious JavaScript in a browser session, or otherwise could result in arbitrary code execution.

Last week, Adobe released a separate set of out-of-band security fixes impacting the Magento platform. On October 15, Adobe said the patch resolved nine vulnerabilities, eight of which are critical -- including a bug that could be abused to tamper with Magento customer lists. [source]

WordPress deploys forced security update for dangerous bug in popular plugin

The WordPress security team has taken a rare step last week and used a lesser-known internal capability to forcibly push a security update for a popular plugin called Loginizer, which provides security enhancements for the WordPress login page, but that was found to contain a dangerous SQL injection bug that could have allowed hackers to take over WordPress sites running older versions of the plugin. [source]

Why this matters:

Remote attackers to run code against the WordPress database — in what is referred to as an unauthenticated SQL injection attack.

These are the most worrying vulnerabilities around today

Failure to patch once again leaves organisations open to attacks

The US National Security Agency (NSA) has published a new cyber security advisory in which it details 25 of the most dangerous vulnerabilities actively being exploited in the wild by Chinese state-sponsored hackers and other cyber criminals.

Unlike zero-day vulnerabilities where hardware and software makers have yet to release a patch, all of the vulnerabilities in the NSA's advisory are well-known and patches have been made available to download from their vendors. However, the problem lies in the fact that organisations have yet to patch their systems, leaving them vulnerable to potential exploits and attacks.

The NSA provided further details on the nature of the vulnerabilities in its advisory while urging organisations to patch them immediately.

Most of the vulnerabilities listed below can be exploited to gain initial access to victim networks using products that are directly accessible from the Internet and act as gateways to internal networks. The majority of the products are either for remote access or for external web services and should be prioritised for immediate patching. The full list can be found here.

The first bug in the list, tracked as CVE-2019-11510, relates to Pulse Secure VPN servers and how an unauthenticated remote attacker can expose keys or passwords by sending a specially crafted URI to perform an arbitrary file reading vulnerability.

Another notable bug from the list, tracked as CVE-2020-5902, affects the Traffic Management User Interface (TMUI) of F5 BIG-IP proxies and load balancers and it is vulnerable to a Remote Code Execution (RCE) vulnerability that if exploited, could allow a remote attacker to take over an entire BIG-IP device.

The Citrix Application Delivery Controller (ADC) and Gateway systems are vulnerable to a directory traversal bug, tracked as CVE-2019-19781, that can lead to remote code execution where an attacker does not need to possess valid credentials for the device.

The advisory also mentions BlueKeep, SigRed, Netlogon, CurveBall and other more well-known vulnerabilities.

To avoid falling victim to any potential attacks exploiting these vulnerabilities, the NSA recommends that organisations keep their systems and products updated and patched as soon as possible after vendors release them. [source]

Miscellaneous Cyber News of the Weeks

Hackers Can Clone Millions of Toyota, Hyundai, and Kia Keys

Owners of cars with keyless start systems have learned to worry about so-called relay attacks, in which hackers exploit radio-enabled keys to steal vehicles without leaving a trace. Now it turns out that many millions of other cars that use chip-enabled mechanical keys are also vulnerable to high-tech theft. A few cryptographic flaws combined with a little old-fashioned hot-wiring—or even a well-placed screwdriver—lets hackers clone those keys and drive away in seconds.

Researchers this week revealed new vulnerabilities in the encryption systems used by immobilisers, the radio-enabled devices inside of cars that communicate at close range with a key fob to unlock the car's ignition and allow it to start. Specifically, they found problems in how Toyota, Hyundai, and Kia implement their encryption system. A hacker who swipes a relatively inexpensive RFID reader/transmitter device near the key fob of any affected car can gain enough information to derive its secret cryptographic value. That, in turn, would allow the attacker to spoof the device to impersonate the key inside the car, disabling the immobiliser and letting them start the engine.

The researchers say the affected car models include the Toyota Camry, Corolla, and RAV4; the Kia Optima, Soul, and Rio; and the Hyundai I10, I20, and I40, amongst others. [source]

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Read More