Threat Intelligence Blog
Contact us to discuss any insights from our Blog, and how we can support you in a tailored threat intelligence report.
Black Arrow Cyber Threat Briefing 10 May 2024
Black Arrow Cyber Threat Intelligence Briefing 10 May 2024:
-China Suspected of Hacking MoD, Through Its Payroll Provider
-Security Tools Fail to Translate Risks for Executives
-Gang Accused of MGM Hack Shifts Attacks to Finance Sector
-Are SMEs Paving the Way for Cyber Attacks on Larger Companies?
-Misconfigurations Drive 80% of Security Exposure, Report Finds
-Only 45% of Organisations Employ MFA Protections
-You Cannot Protect What You Do Not Know You Have, as Criminals are Exploiting Vulnerabilities Faster Than Ever
-The Rise and Stealth of The Socially Engineered Insider
-Over 70% of Staff Use AI At Work, But Only 30% of European Organisations Provide AI Training
-Don't Be the Weakest Link – You and Your Team's Crucial Role in Cyber Security
-Ransomware Activity Thrives, Despite Law enforcement Efforts
-NATO Warns of Russian Hybrid Warfare
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
China Suspected of Hacking UK Ministry of Defence, Through Its Payroll Provider
UK Defence Secretary Grant Shapps has confirmed that over 270,000 personal details have been leaked after the MoD was hacked through its third-party payroll provider, SSCL. The affected systems have been pulled offline since the attack. SSCL’s website describes that it manages HR for the armed forces, the Metropolitan Police and other areas of British government. The commercial supply chain, and in particular HR and payroll providers, is increasing being used as the soft underbelly to attack larger and better protected organisations.
Sources: [LBC] [The Register] [Sky News]
Security Tools Fail to Translate Risks for Executives
Organisations are struggling with internal communication barriers, hindering their ability to address and mitigate cyber security threats, according to a report which found that seven out of 10 C-suite executives said their security teams talk in technical terms without providing business context. However, in contrast, 75% of CISO’s highlight the issue is rooted in security tools that cannot generate the insights C-level executives and boards can use to understand business implications. The role of a good CISO should be to take the output of these tools and turn that data into metrics the Boards can understand.
The issues highlight the necessity for organisations to have someone in their organisation, whether an employee or a third-party, who is able to ingest technical results and translate them into a style that the C-suite can understand for business risk management.
Source: [Help Net Security]
Gang Accused of MGM Hack Shifts Attacks to Finance Sector
The hacking group responsible for the infamous hack on MGM and Caesar’s Palace resorts is engaged in a new campaign targeting the financial sector. The group known as Scattered Spider has targeted 29 companies since 20 April this year, compromising at least 2 insurance companies so far. The research has stated that the attackers are purchasing lookalike domains that match the name of target companies, hosting fake log-in pages. Links to these are sent to employees, in an attempt to direct them there. The most recent attack took place just days ago, with more expected.
Sources: [Bloomberg Law] [Claims Journal]
Are SMEs Paving the Way for Cyber Attacks on Larger Companies?
A recent study highlights the escalating cyber threats facing businesses, particularly SMEs and supply chains. The study found that 32% of UK businesses, including 69% of large and 59% of mid-sized organisations, suffered a cyber attack last year. The situation is worse for SMEs, with weaker security systems and 77% lacking in-house cyber security. SMEs can become entry points for hackers targeting larger partners through interconnected supply chains. Meanwhile, Verizon’s latest data breaches report revealed a 68% increase in supply chain breaches, accounting for 15% of all breaches in 2023, up from 9% in 2022. These breaches are primarily driven by third-party software vulnerabilities exploited in ransomware and extortion attacks. Experts emphasise proactive cyber policies, vulnerability scans, and employee education for SMEs to bolster defences. They also urge organisations to consider third-party bugs as both vulnerability and vendor management problems, make better vendor choices, and use external signals like SEC disclosures in the United States to guide decisions. These measures can help prevent SMEs from becoming gateways for larger attacks and manage the rising threat of supply chain breaches.
Sources: [Insurance Times] [Dark Reading]
Misconfigurations Drive 80% of Security Exposure, Report Finds
A recent report has found that 80% of security exposures are caused by identity and credential misconfigurations, with a third of these putting critical assets at risk of a breach. According to the report, the majority of this is within an organisation’s network user management (Active Directory) and 56% of breaches that impact critical assets are within cloud platforms. There is often the misconception that cloud-based environments are secure by default, but misconfigurations can undo any security benefits and still leave you exposed. Just because someone else built and maintains your house, it is still your responsibility to lock the doors and windows.
Sources: [Security Magazine]
Only 45% of Organisations Employ MFA Protections
A recent report of IT decision-makers has found that 97% are facing challenges with identity verification and 52% are very concerned about credential compromise, followed by account takeover (50%). When it comes to reinforcing identity verification, only 45% used multi-factor authentication (MFA). By using MFA, organisations are forcing two identification verifications: simply knowing a username and password is not enough, especially given the speeds with which attackers can crack passwords, with average 8 character passwords able to be cracked in less than a minute. Whilst no control is 100% impenetrable, enabling MFA will aid in increasing your organisation's cyber resilience.
Source: [Help Net Security]
You Cannot Protect What You Do Not Know You Have, as Criminals are Exploiting Vulnerabilities Faster Than Ever
For many organisations, visibility of their information assets can be incredibly hard to obtain and maintain, with different tools, under-reporting and shadow IT contributing to the problem. Unfortunately, cyber criminals are getting faster at exploiting vulnerabilities, and if you do not know you have the vulnerability in your estate then you cannot patch against it. In their recent report, Fortinet found that attacks started on average 4.76 days after new exploits were publicly disclosed.
Interestingly though, while zero-day threats garner much attention (these are ‘new’ vulnerabilities that are being exploited by attackers but for which there are no security patches yet available), one third of all exploits are for older vulnerabilities. This highlights the need for a comprehensive and robust approach to network security and vulnerability management, beyond simply patching what Microsoft puts out once a month. To have effective patch management, organisations must know what they need to patch and therefore must have visibility of the corporate environment. A good starting block is the creation of a robust information asset register.
Sources: [Security Brief] [Help Net Security] [IT Security Guru]
The Rise and Stealth of The Socially Engineered Insider
Social engineering has become increasingly prevalent as the preferred tactic for foreign adversaries. Insiders are prime targets due to their privileged access to sensitive data. This is particularly affecting the technology, pharma, and critical infrastructure sectors. Advances in AI and social platforms have made it easier to exploit these vulnerabilities. These advances allow threat actors to tailor attacks with unprecedented speed and realism. Using methods like coercion or deception, these actors exploit employees to gain high-value data that can be weaponised. As a result, the threat landscape has become more complex, blurring the lines between internal and external risks. To bolster their defences, organisations are now investing in insider risk management and AI. They are also emphasising employee education and cross-sector collaboration.
Source: [Forbes]
Over 70% of Staff Use AI At Work, But Only 30% of European Organisations Provide AI Training
An ISACA study and the AI Security & Governance Report reveal a complex landscape of AI adoption and security. 73% of European organisations and 54% of global organisations use AI, with 79% increasing their AI budgets, however training and policy development lag behind. Only 30% offer limited training, 40% provide none, and a mere 17% have a comprehensive AI policy. Despite AI’s potential, 80% of data experts find it complicates security, with concerns high around generative AI exploitation (61% of respondents) and AI-powered attacks (over 50% of business leaders). Data poisoning and privacy issues persist, yet 85% of leaders express confidence in their data security strategies, with 83% revising privacy and governance guidelines. With 86% recognising a need for AI training within two years, the call for dynamic governance strategies and formal education is clear to manage evolving threats.
Sources: [Help Net Security] [IT Security Guru]
Don't Be the Weakest Link – You and Your Team's Crucial Role in Cyber Security
Cyber security success depends on more than just technology. Bad actors are always looking for the easiest entry point, meaning that employees’ everyday actions are crucial, when even one careless click or a weak password can be an open door for hackers. However, empowered with the right knowledge and tools, staff can become a robust defence. Nearly 80% of organisations have reported an increase in phishing attacks, but training programs like role-playing exercises and phishing simulations significantly reduce these risks. Effective cyber security also hinges on C-suite leaders promoting a security-first culture, ensuring all employees understand the risks and follow strict protocols like MFA and strong password policies. Consistent training and open communication are vital in fostering a resilient, security-aware workforce.
Source: [JDSupra]
Ransomware Activity Thrives, Despite Law enforcement Efforts
Despite the recent law enforcement takedowns on ransomware groups, ransomware remains rife. Whilst the takedown of a group can come as an initial relief in that the group has gone, it simply forces ransomware affiliates to diversify. This is reflected in ransomware continuing its growth in the first quarter of 2024, with 18 new leak sites, the largest number in a single quarter, emerging over this period. When comes to those at risk, both financial services and healthcare remain a prominent target.
Sources: [Help Net Security ] [Infosecurity Magazine] [Help Net Security]
NATO Warns of Russian Hybrid Warfare
NATO has issued a statement in which it describes it is “deeply concerned about Russia's hybrid actions and the threat that they constitute to NATO security”. The actions are described to include sabotage, acts of violence, cyber and electronic interference, and disinformation campaigns. This comes as many countries including the UK and US are due to have elections this year.
Sources: [EU Reporter] [Financial Times]
Governance, Risk and Compliance
You cannot protect what you do not understand (securitybrief.co.nz)
Security tools fail to translate risks for executives - Help Net Security
It Costs How Much?!? The Financial Pitfalls of Cyber Attacks on SMBs (thehackernews.com)
Now More Than Ever, it's Crucial for Companies to Get Cyber Security Right (newsweek.com)
Why SMBs are facing significant security, business risks - Help Net Security
Are SMEs paving the way for cyber attacks on larger companies? | Insurance Times
Don't Be the Weakest Link – Your Team's Crucial Role in Cyber Security | NAVEX - JDSupra
The Art Of Cyber Security Governance: Safeguarding Beyond Code (forbes.com)
CISOs Are Worried About Their Jobs & Dissatisfied With Their Incomes (darkreading.com)
92% of CISOs Question the Future of Their Role Amidst Growing AI Pressures | Business Wire
Three strategies for winning the cyber security arms race | Fintech Nexus
Rethinking Cyber Security Investment Amid Rising Threats (govinfosecurity.com)
CIOs and CFOs, two parts of the same whole - IT Security Guru
Threats
Ransomware, Extortion and Destructive Attacks
Gang Accused of MGM Hack Turns Its Sights on Finance Sector (bloomberglaw.com)
Cybercrime Unicorns: What Everyone Needs to Know About Ransomware Gangs (pcmag.com)
Why Paying Should Be A Last Resort In Ransomware Attacks (forbes.com)
Ransomware activity is back on track despite law enforcement efforts - Help Net Security
Ransomware evolves from extortion to 'psychological attacks' • The Register
Russian Hacker Dmitry Khoroshev Unmasked as LockBit Ransomware Administrator (thehackernews.com)
Ransomware attacks impact 20% of sensitive data in healthcare orgs - Help Net Security
An overwhelming majority of organisations paid ransomware last year - eCampus News
The Growing Threat of Advanced Ransomware Attacks (inforisktoday.com)
Law enforcement seized Lockbit group's website again (securityaffairs.com)
Consultant charged with $1.5M extortion of IT giant • The Register
IT chiefs plan to spend and innovate their way out of ransomware swamp | TechRadar
Ransomware crooks SIM swap kids to pressure parents • The Register
Scattered Spider group a unique challenge for cyber cops, FBI leader says (therecord.media)
97% of Organisations Hit by Ransomware Worked with Law Enforcement (globenewswire.com)
CISA boss: Secure software needed to stop ransomware • The Register
Shields Up: How to Minimize Ransomware Exposure - Security Week
Ransomware Victims
UnitedHealth’s 'egregious negligence' led to that ransomware • The Register
Ascension healthcare takes systems offline after cyber attack (bleepingcomputer.com)
London Drugs president tight-lipped over recent cyber attack | CBC News
Boeing confirms attempted $200 million ransomware extortion attempt | CyberScoop
Cyber attack disrupts operations at major US health care network | CNN Business
City of Wichita Shuts Down Network Following Ransomware Attack - Security Week
Patient appointments imperilled by cyber attack on French radiologist (therecord.media)
Ransomware attack hits Brandywine Realty Trust | SC Media (scmagazine.com)
Phishing & Email Based Attacks
Other Social Engineering
The Rise And Stealth Of The Socially Engineered Insider (forbes.com)
Iranian hackers harvest credentials through advanced social engineering campaigns | CSO Online
What is social engineering penetration testing? | Definition from TechTarget
Artificial Intelligence
Organisations go ahead with AI despite security risks - Help Net Security
Innovation, Not Regulation, Will Protect Corporations From Deepfakes (darkreading.com)
Strategies for preventing AI misuse in cyber security - Help Net Security
AI is changing the game when it comes to cyber security | ITPro
Why the Cyber Security Industry Is Obsessed With AI Right Now - CNET
LLMs & Malicious Code Injections: 'We Have to Assume It's Coming' (darkreading.com)
Cyber Security, Deepfakes and the Human Risk of AI Fraud (govtech.com)
Criminal Use of AI Growing, But Lags Behind Defenders - Security Week
2FA/MFA
Only 45% of organisations use MFA to protect against fraud - Help Net Security
UnitedHealth Attack: Stolen Credentials, No MFA | MSSP Alert
Malware
ZLoader Malware adds Zeus's anti-analysis feature (securityaffairs.com)
Russia-linked APT28 and crooks are still using the Moobot botnet (securityaffairs.com)
Iranian hackers pose as journalists to push backdoor malware (bleepingcomputer.com)
New 'Cuckoo' Persistent macOS Spyware Targeting Intel and Arm Macs (thehackernews.com)
Hijack Loader Malware Employs Process Hollowing, UAC Bypass in Latest Version (thehackernews.com)
Mirai Botnet Exploits Ivanti Connect Secure Flaws for Malicious Payload Delivery (thehackernews.com)
Mobile
Mobile Banking Malware Surges 32% - Infosecurity Magazine (infosecurity-magazine.com)
Android bug can leak DNS traffic with VPN kill switch enabled (bleepingcomputer.com)
European Threat To End-To-End Encryption Would Invade Phones (forbes.com)
Ransomware crooks SIM swap kids to pressure parents • The Register
Denial of Service/DoS/DDOS
Data Breaches/Leaks
How does a data breach affect you and why should you care? | TechRadar
Dell customer order database stolen, for sale on dark web • The Register
The Breach of a Face Recognition Firm Reveals a Hidden Danger of Biometrics | WIRED
Cyber attack: Large volume of data stolen in attack on Scottish health board (scotsman.com)
Security breach affects 6,000 German military VC meetings (avinteractive.com)
Security company exposes 1.2M guard and suspect records • The Register
Children's mental health records published after cyber attack - BBC News
Georgia education agency's MOVEit data theft impacted 800K • The Register
Data Brokers: What They Are and How to Safeguard Your Privacy - IT Security Guru
Zscaler Investigates Hacking Claims After Data Offered for Sale - Security Week
UK government departments reveal rise in data breaches & lost devices (datacentrenews.uk)
'Sophisticated' cyber attacks involving British Colombia government networks found | CBC News
Over 380K more NYC students had info leaked, bringing total to over 1M (nypost.com)
Dating apps kiss'n'tell all sorts of sensitive user info • The Register
Organised Crime & Criminal Actors
Hackers of all kinds are attacking routers across the world | TechRadar
These Dangerous Scammers Don’t Even Bother to Hide Their Crimes | WIRED
Massive webshop fraud ring steals credit cards from 850,000 people (bleepingcomputer.com)
Scattered Spider group a unique challenge for cyber cops, FBI leader says (therecord.media)
Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain
Insider Risk and Insider Threats
The Rise And Stealth Of The Socially Engineered Insider (forbes.com)
Don't Be the Weakest Link – Your Team's Crucial Role in Cyber Security | NAVEX - JDSupra
Supply Chain and Third Parties
UK Military Data Breach a Reminder of Third-Party Risk (darkreading.com)
Details of UK military personnel exposed in huge payroll data breach | AP News
Firm at centre of MoD 'China' hack handles data for several Whitehall departments (inews.co.uk)
DBIR: Supply Chain Breaches Up 68% Year Over Year (darkreading.com)
The complexities of third-party risk management - Help Net Security
Cloud/SaaS
Encryption
Cop complaints won't stop E2EE, says encryption advocate • The Register
European Threat To End-To-End Encryption Would Invade Phones (forbes.com)
Linux and Open Source
Open-Source Cyber Security Is a Ticking Time Bomb (gizmodo.com)
Spies Among Us: Insider Threats in Open Source Environments (darkreading.com)
Passwords, Credential Stuffing & Brute Force Attacks
Iranian hackers harvest credentials through advanced social engineering campaigns | CSO Online
Microsoft introduces Passkeys support for consumer accounts - gHacks Tech News
Google Announces Passkeys Adopted by Over 400 Million Accounts (thehackernews.com)
UnitedHealth Attack: Stolen Credentials, No MFA | MSSP Alert
Hackers can crack average 8-character passwords in under a minute (newsbytesapp.com)
How secure is the “Password Protection” on your files and drives? - Help Net Security
Social Media
Training, Education and Awareness
Regulations, Fines and Legislation
The EU Cyber Diplomacy Toolbox: Shaping Global Cyber Security Standards | UpGuard
The NIS2 Compliance Deadline Is Nearing. Are You Prepared? - Security Boulevard
Innovation, Not Regulation, Will Protect Corporations From Deepfakes (darkreading.com)
Models, Frameworks and Standards
Data Protection
Careers, Working in Cyber and Information Security
How workforce reductions affect cyber security postures - Help Net Security
One in Four Tech CISOs Unhappy with Compensation - Security Boulevard
Law Enforcement Action and Take Downs
Ransomware activity is back on track despite law enforcement efforts - Help Net Security
LockBit's seized darknet site resurrected by police, teasing new revelations (therecord.media)
LockBit leader unmasked and sanctioned - National Crime Agency
Israeli private investigator wanted for hacking in US is arrested in London | The Independent
German police bust Europe's 'largest' scam call centre – DW – 05/02/2024
Consultant charged with $1.5M extortion of IT giant • The Register
97% of Organisations Hit by Ransomware Worked with Law Enforcement (globenewswire.com)
Nation State Actors, Advanced Persistent Threats (APTs), Cyber Warfare, Cyber Espionage and Geopolitical Threats/Activity
Cyber Warfare and Cyber Espionage
Israeli private investigator wanted for hacking in US is arrested in London | The Independent
Cyber Attacks on US Utilities: New Trends in Cyber Warfare - ClearanceJobs
'The Mask' Espionage Group Resurfaces After 10-Year Hiatus (darkreading.com)
Nation State Actors
China
Firm at centre of MoD 'China' hack handles data for several Whitehall departments (inews.co.uk)
Lessons from LOCKED SHIELDS 2024 cyber exercise | SC Media (scmagazine.com)
China-Linked Hackers Used ROOTROT Webshell in MITRE Network Intrusion (thehackernews.com)
Russia
Malice from Moscow: NATO warns of Russian hybrid warfare - EU Reporter
Russia plotting sabotage across Europe, intelligence agencies warn (ft.com)
How Nato could respond after wave of Russian spy arrests across Europe (inews.co.uk)
EU, NATO denounce Russia's cyber attacks on Germany, Czechia (kyivindependent.com)
Russia Cyber Attack Germany's Ruling Party, Defence | Silicon UK
Foreign Ministry: Czech institutions targeted by GRU cyber attacks | Radio Prague International
Russia-linked APT28 and crooks are still using the Moobot botnet (securityaffairs.com)
Ukraine records increase in financially motivated attacks by Russian hackers (therecord.media)
Cyber War? EU rages over alleged Russian cyber attack on German’s ruling SPD (brusselssignal.eu)
Lessons from LOCKED SHIELDS 2024 cyber exercise | SC Media (scmagazine.com)
A (Strange) Interview With the Russian-Military-Linked Hackers Targeting US Water Utilities | WIRED
Russia says Germany using baseless 'hacker myths' to destroy ties | Reuters
Poland says it too was targeted by Russian hackers – POLITICO
Kaspersky denies claims it helped Russia with drones • The Register
Iran
Iranian hackers pose as journalists to push backdoor malware (bleepingcomputer.com)
Iranian hackers harvest credentials through advanced social engineering campaigns | CSO Online
North Korea
Other Nation State Actors, Hacktivism, Extremism, Terrorism and Other Geopolitical Threat Intelligence
Vulnerability Management
Cyber criminals are getting faster at exploiting vulnerabilities - Help Net Security
Misconfigurations drive 80% of security exposures | Security Magazine
Patch management vs. vulnerability management: Key differences | TechTarget
What is Risk-Based Vulnerability Management (RBVM)? (techtarget.com)
CISA’s KEV list improving private and public-sector patching • The Register
CISA Announces CVE Enrichment Project 'Vulnrichment' - Security Week
Vulnerabilities
Citrix Addresses High-Severity NetScaler Servers Flaw (darkreading.com)
Over 50,000 Tinyproxy servers vulnerable to critical RCE flaw (bleepingcomputer.com)
Veeam fixes RCE flaw in backup management platform (CVE-2024-29212) - Help Net Security
LiteSpeed Cache WordPress plugin actively exploited in the wild (securityaffairs.com)
New BIG-IP Next Central Manager bugs allow device takeover (bleepingcomputer.com)
Microsoft: April Windows Server updates also cause crashes, reboots (bleepingcomputer.com)
Android bug can leak DNS traffic with VPN kill switch enabled (bleepingcomputer.com)
Mirai Botnet Exploits Ivanti Connect Secure Flaws for Malicious Payload Delivery (thehackernews.com)
Tools and Controls
Behind Closed Doors: The Rise of Hidden Malicious Remote Access (cybereason.com)
Security tools fail to translate risks for executives - Help Net Security
Misconfigurations drive 80% of security exposures | Security Magazine
NSA, FBI Alert on North Korean Hackers Spoofing Emails from Trusted Sources (thehackernews.com)
Microsoft plans to lock down Windows DNS like never before. Here’s how. | Ars Technica
Novel attack against virtually all VPN apps neuters their entire purpose | Ars Technica
Strategies for preventing AI misuse in cyber security - Help Net Security
Shadow APIs: An Overlooked Cyber Risk for Orgs (darkreading.com)
What is social engineering penetration testing? | Definition from TechTarget
How workforce reductions affect cyber security postures - Help Net Security
What is Risk-Based Vulnerability Management (RBVM)? (techtarget.com)
Top 10 physical security considerations for CISOs | CSO Online
IT chiefs plan to spend and innovate their way out of ransomware swamp | TechRadar
A SaaS Security Challenge: Getting Permissions All in One Place (thehackernews.com)
Tips for Controlling the Costs of Security Tools - The New Stack
Rethinking Cyber Security Investment Amid Rising Threats (govinfosecurity.com)
Microsoft confirms Windows 11 24H2 turns on Device Encryption by default (windowslatest.com)
Reports Published in the Last Week
Other News
Microsoft overhaul treats security as ‘top priority’ after a series of failures - The Verge
The EU Cyber Diplomacy Toolbox: Shaping Global Cyber Security Standards | UpGuard
Complexity leads to trade-off between risk and innovation (betanews.com)
When has the UK faced cyber attacks in the past? | The Independent
Man-in-the-middle attack: The new cyber security threat | YourStory
Paris 2024 gearing up to face unprecedented cyber security threat | Reuters
38% of riskiest cyber physical systems neglected, warns Claroty report (securitybrief.co.nz)
Why undersea cables need high-priority protection • The Register
GAO: NASA Faces 'Inconsistent' Cyber Security Across Spacecraft (darkreading.com)
Cyber security regulations: Are non-compliant cars more vulnerable? | Autocar
Fujitsu sets aside £200m as calls mount for Post Office scandal payout
FE News | Why the education sector needs to do the homework on cyber security as attacks soar
Sector Specific
Industry specific threat intelligence reports are available.
Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.
· Automotive
· Construction
· Critical National Infrastructure (CNI)
· Defence & Space
· Education & Academia
· Energy & Utilities
· Estate Agencies
· Financial Services
· FinTech
· Food & Agriculture
· Gaming & Gambling
· Government & Public Sector (including Law Enforcement)
· Health/Medical/Pharma
· Hotels & Hospitality
· Insurance
· Legal
· Manufacturing
· Maritime
· Oil, Gas & Mining
· OT, ICS, IIoT, SCADA & Cyber-Physical Systems
· Retail & eCommerce
· Small and Medium Sized Businesses (SMBs)
· Startups
· Telecoms
· Third Sector & Charities
· Transport & Aviation
· Web3
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Threat Briefing 04 December 2020
Black Arrow Cyber Threat Briefing 4 December 2020: Covid vaccine supply chain targeted by hackers; Criminals Favour Ransomware and BEC; Bank Employee Sells Personal Data of 200,000 Clients; 2020 Pandemic changing short- and long-term approaches to risk; Cyber risks take the fun out of connected toys; Remote Workers Admit Lack of Security Training
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities and cyber related news from the last week.
Top Cyber Headlines of the Week
Covid vaccine supply chain targeted by hackers, say security experts
Cyber attackers have targeted the cold supply chain needed to deliver Covid-19 vaccines, according to a report detailing a sophisticated operation likely backed by a nation state.
The hackers appeared to be trying to disrupt or steal information about the vital processes to keep vaccines cold as they travel from factories to hospitals and doctors’ offices.
https://www.ft.com/content/9c303207-8f4a-42b7-b0e4-cf421f036b2f
Criminals to Favour Ransomware and BEC Over Breaches in 2021
The era of the mega-breach may be coming to an end as cyber-criminals eschew consumers’ personal data and focus on phishing and ransomware.
Cyber-criminals are relying less on stolen personal information and more on “poor consumer behaviors” such as password reuse to monetize attacks.
https://www.infosecurity-magazine.com/news/criminals-favor-ransomware-bec/
Bank Employee Sells Personal Data of 200,000 Clients
South Africa–based financial services group Absa has stated that one of its employees sold the personal information of 200,000 clients to third parties.
The group confirmed on Wednesday that the illegal activity had occurred and that 2% of Absa's retail customer base had been impacted.
The employee allegedly responsible for it was a credit analyst who had access to the group's risk-modeling processes.
Data exposed as a result of the security incident included clients' ID numbers, addresses, contact details, and descriptions of vehicles that they had purchased on finance.
https://www.infosecurity-magazine.com/news/bank-employee-sells-personal-data/
LastPass review: Still the leading password manager, despite security history
"'Don't put all your eggs in one basket' is all wrong. I tell you 'put all your eggs in one basket, and then watch that basket,'" said industrialist Andrew Carnegie in 1885. When it comes to privacy tools, he's usually dead wrong. In the case of password managers, however, Carnegie is usually more dead than wrong. To wit, I have been using LastPass so long I don't know when I started using LastPass and, for now, I've got no reason to change that.
The most significant security innovations of 2020
Who gets access? That is the question that drives every security measure and innovation that’s landed on PopSci’s annual compendium since we launched the category in 2008. Every year, that question gets bigger and bigger. In 2020, the world quaked under a global pandemic that took 1.4 million lives, the US saw a rebirth in its civil rights movement, and a spate of record-breaking wildfires forced entire regions to evacuate. And those are just the new scares. A buildup of angst against ad trackers and app snooping led to major changes in hardware and software alike. It was a year full of lessons, nuances, and mini revolutions, and we strive to match that with our choices.
https://www.popsci.com/story/technology/most-important-security-innovations-2020/
2020 security priorities: Pandemic changing short- and long-term approaches to risk
Security planning and budgeting is always an adventure. You can assess current risk and project the most likely threats, but the only real constant in cybersecurity risk is its unpredictability. Layer a global pandemic on top of that and CISOs suddenly have the nearly impossible task of deciding where to request and allocate resources in 2021.
Show how the COVID pandemic has changed what security focuses on now and what will drive security priorities and spending in 2021. Based on a survey of 522 security professionals from the US, Asia/Pacific and Europe, the study reveals how the pandemic has changed the way organizations assess risk and respond to threats—permanently.
Cyber risks take the fun out of connected toys
As Christmas approaches, internet-enabled smart toys are likely to feature heavily under festive trees. While some dolls of decades past were only capable of speaking pre-recorded phrases, modern equivalents boast speech recognition and can search for answers online in real time.
Other connected gadgets include drones or cars such as Nintendo’s Mario Kart Live Home Circuit, where players race each other in a virtual world modelled after their home surroundings.
But for all the fun that such items can bring, there is a risk — poorly-secured Internet of Things toys can be turned into convenient tools for hackers.
https://www.ft.com/content/c653e977-435f-4553-8401-9fa9b0faf632
Remote Workers Admit Lack of Security Training
A third of remote working employees have not received security training in the last six months.
400 remote workers in the UK across multiple industries, while 83% have had access to security best practice training and 88% are familiar with IT security policies, 32% have received no security training in the last six months.
Also, 50% spend two or more hours a week on IT issues, and 42% felt they had to go around the security policies of their organization to do their job.
https://www.infosecurity-magazine.com/news/remote-workers-training/
Threats
Ransomware
Delaware County Pays $500,000 Ransom After Outages
A US county is in the process of paying half-a-million dollars to ransomware extorters who locked its local government network, according to reports.
Pennsylvania’s Delaware County revealed the attack last week, claiming in a notice that it had disrupted “portions of its computer network.
“We commenced an immediate investigation that included taking certain systems offline and working with computer forensic specialists to determine the nature and scope of the event. We are working diligently to restore the functionality of our systems,” it said.
https://www.infosecurity-magazine.com/news/delaware-county-pays-500k-ransom/
MasterChef Producer Hit by Double Extortion Ransomware
A multibillion-dollar TV production company has become the latest big corporate name caught out by ransomware, it emerged late last week.
The firm owns over 120 production firms around the world, delivering TV shows ranging from MasterChef and Big Brother to Black Mirror and The Island with Bear Grylls.
In a short update last Thursday, it claimed to be managing a “cyber-incident” affecting the networks of Endemol Shine Group and Endemol Shine International, Dutch firms it acquired in a $2.2bn deal in July.
Although ransomware isn’t named in the notice, previous reports suggest the firm is being extorted.
https://www.infosecurity-magazine.com/news/masterchef-producer-double/
Sopra Steria to take multi-million euro hit on ransomware attack
The company revealed in October that it had been hit by hackers using a new version of Ryuk ransomware.
It now says that the fallout, with various systems out of action, is likely to have a gross negative impact on operating margin of between €40 million and €50 million.
The group's insurance coverage for cyber risks is EUR30 million, meaning that negative organic revenue growth for the year is now expected to be between 4.5% and five per cent (previously between two per cent and four per cent). Free cash flow is now expected to be between €50 million and €100 million (previously between €80 million and €120 million).
BEC
FBI: BEC Scams Are Using Email Auto-Forwarding
The agency notes in an alert made public this week that since the COVID-19 pandemic began, leading to an increasingly remote workforce, BEC scammers have been taking advantage of the auto-forwarding feature within compromised email inboxes to trick employees to send them money under the guise of legitimate payments to third parties.
This tactic works because most organizations do not sync their web-based email client forwarding features with their desktop client counterparts. This limits the ability of system administrators to detect any suspicious activities and enables the fraudsters to send malicious emails from the compromised accounts without being detected, the alert, sent to organizations in November and made public this week, notes.
https://www.bankinfosecurity.com/fbi-bec-scams-are-using-email-auto-forwarding-a-15498
Phishing
Phishing lures employees with fake 'back to work' internal memos
Scammers are trying to steal email credentials from employees by impersonating their organization's human resources (HR) department in phishing emails camouflaged as internal 'back to work' company memos.
These phishing messages have managed to land in thousands of targeted individuals' mailboxes after bypassing G Suite email defences according to stats provided by researchers at email security company Abnormal Security who spotted this phishing campaign.
There is a high probability that some of the targets will fall for the scammers' tricks given that during this year's COVID-19 pandemic most companies have regularly emailed their employees with updates regarding remote working policy changes.
Warning: Massive Zoom phishing targets Thanksgiving meetings
Everyone should be on the lookout for a massive ongoing phishing attack today, pretending to be an invite for a Zoom meeting. Hosted on numerous landing pages, BleepingComputer has learned that thousands of users' credentials have already been stolen by the attack.
With many in the USA hosting virtual Thanksgiving dinners and people in other countries conducting Zoom business meetings, as usual, today is a prime opportunity to perform a phishing attack using Zoom invite lures.
Malware
All-new Windows 10 malware is excellent at evading detection
Security researchers at Kaspersky have discovered a new malware strain developed by the hacker-for-hire group DeathStalker that has been designed to avoid detection on Windows PCs.
While the threat actor has been active since at least 2012, DeathStalker first drew Kaspersky's attention back in 2018 because of its distinctive attack characteristics which didn't resemble those employed by cybercriminals or state-sponsored hackers.
https://www.techradar.com/news/all-new-windows-10-malware-is-excellent-at-evading-detection
New TrickBot version can tamper with UEFI/BIOS firmware
The operators of the TrickBot malware botnet have added a new capability that can allow them to interact with an infected computer's BIOS or UEFI firmware.
The new capability was spotted inside part of a new TrickBot module, first seen in the wild at the end of October, security firms Advanced Intelligence and Eclypsium said in a joint report published today.
The new module has security researchers worried as its features would allow the TrickBot malware to establish more persistent footholds on infected systems, footholds that could allow the malware to survive OS reinstalls.
https://www.zdnet.com/article/new-trickbot-version-can-tamper-with-uefibios-firmware/
Russia-linked APT Turla used a new malware toolset named Crutch
Russian-linked APT group Turla has used a previously undocumented malware toolset, named Crutch, in cyberespionage campaigns aimed at high-profile targets, including the Ministry of Foreign Affairs of a European Union country.
The Turla APT group (aka Snake, Uroburos, Waterbug, Venomous Bear and KRYPTON) has been active since at least 2007 targeting diplomatic and government organizations and private businesses in the Middle East, Asia, Europe, North and South America, and former Soviet bloc nations.
https://securityaffairs.co/wordpress/111813/apt/turla-crutch-malware-platform.html
MacBooks under attack by dangerous malware: What to do
a recent spate of malware attacks targeting macOS of late that installs backdoors to steal sensitive personal information. The security firm discovered that a new malware variant is being used online and backed by a rogue nation-state hacking group known as OceanLotus, which also operates under the name AKTP2 and is based in Vietnam.
The new malware was created by OceanLotus due to the “similarities in dynamic behavior and code” from previous malware connected to the Vietnamese-based hacking group.
https://www.laptopmag.com/news/macbooks-under-attack-by-dangerous-malware-what-to-do
Hackers Using Monero Mining Malware as Decoy, Warns Microsoft
The company’s intelligence team said a group called BISMUTH hit government targets in France and Vietnam with relatively conspicuous monero mining trojans this summer. Mining the crypto generated side cash for the group, but it also distracted victims from BISMUTH’s true campaign: credential theft.
Crypto-jacking “allowed BISMUTH to hide its more nefarious activities behind threats that may be perceived to be less alarming because they’re ‘commodity’ malware,” Microsoft concluded. It said the conspicuousness of monero mining fits BISMUTH’s “hide in plain sight” MO.
Microsoft recommended organizations stay vigilant against crypto-jacking as a possible decoy tactic.
https://www.coindesk.com/hackers-using-monero-mining-malware-as-decoy-warns-microsoft
Vulnerabilities
Zerologon is now detected by Microsoft Defender for Identity
There has been a huge focus on the recently patched CVE-2020-1472 Netlogon Elevation of Privilege vulnerability, widely known as ZeroLogon. While Microsoft strongly recommends that you deploy the latest security updates to your servers and devices, we also want to provide you with the best detection coverage possible for your domain controllers. Microsoft Defender for Identity along with other Microsoft 365 Defender solutions detect adversaries as they try to exploit this vulnerability against your domain controllers.
Privacy
'We've heard the feedback...' Microsoft 365 axes per-user productivity monitoring after privacy backlash
If you heard a strange noise coming from Redmond today, it was the sound of some rapid back-pedalling regarding the Productivity Score feature in its Microsoft 365 cloud platform.
Following outcry from subscribers and privacy campaigners, the Windows giant has now vowed to wind back the functionality so that it no longer produces scores for individual users, and instead just summarizes the output of a whole organization. It was feared the dashboard could have been used by bad bosses to measure the productivity of specific employees using daft metrics like the volume of emails or chat messages sent through Microsoft 365.
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Threat Briefing 27 November 2020
Black Arrow Cyber Threat Briefing 27 November 2020: Hundreds of C-level executives’ credentials available for $100 to $1500; Bluetooth Attack Can Steal a Tesla Model X in Minutes; Three members of TMT cybercrime group arrested in Nigeria; Cyber criminals make £2.5m raid on law firms in lockdown; Hackers post athletes’ naked photos online
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities and cyber related news from the last week.
Top Cyber Headlines of the Week
Hundreds of C-level executives’ credentials available for $100 to $1500 per account
A credible threat actor is offering access to the email accounts of hundreds of C-level executives for $100 to $1500 per account.
The availability of access to the email accounts of C-level executives could allow threat actors to carry out multiple malicious activities, from cyber espionage to BEC scams.
The threat actor is selling login credentials for Office 365 and Microsoft accounts and the price depends on the size of the C-level executives’ companies and the internal role of the executive.
The threat actor claims its database includes login credentials of high-level executives such as:
CEO, CTO, COO, CFO, CMO. President, Vice President, Executive Assistant, Finance Manager, Accountant, Director, Finance Director, Financial Controller and Accounts Payables
https://securityaffairs.co/wordpress/111588/cyber-crime/executives-credentials-dark-web.html
This Bluetooth Attack Can Steal a Tesla Model X in Minutes
Tesla has always prided itself on its so-called over-the-air updates, pushing out new code automatically to fix bugs and add features. But one security researcher has shown how vulnerabilities in the Tesla Model X's keyless entry system allow a different sort of update:
A hacker could rewrite the firmware of a key fob via Bluetooth connection, lift an unlock code from the fob, and use it to steal a Model X in just a matter of minutes.
https://www.wired.com/story/tesla-model-x-hack-bluetooth/
Three members of TMT cybercrime group arrested in Nigeria
Three Nigerians suspected of being part of a cybercrime group that has made tens of thousands of victims around the world have been arrested today in Lagos, Nigeria, Interpol reported.
In a report disclosing its involvement in the investigation, security firm Group-IB said the three suspects are members of a cybercrime group they have been tracking since 2019 and which they have been tracking under the codename of TMT.
Group-IB said the group primarily operated by sending out mass email spam campaigns containing files laced with malware.
https://www.zdnet.com/article/three-members-of-tmt-cybercrime-group-arrested-in-nigeria/
Cyber criminals make £2.5m raid on law firms in lockdown
The large number of lawyers working from home has become a magnet for cyber criminals, the Solicitors Regulation Authority has said, revealing a 300% increase in phishing scams in the first two months of lockdown alone.
In the first half of 2020, firms reported that nearly £2.5m held by them had been stolen by cybercriminals, more than three times the amount reported in the same period in 2019.
Law firm staff working remotely on less secure devices than the office network and those without dedicated office space finding it hard to keep information confidential. Those using video meetings also need to make sure that unauthorised parties cannot overhear or see a confidential meeting.
Hackers post athletes’ naked photos online
Four British athletes are among hundreds of female sports stars and celebrities whose intimate photographs and videos have been posted online in a targeted cyberattack.
The hack, which the athletes became aware of this week, has caused panic and one leading sports agency has advised its clients to take extra measures to protect their private data.
The athletes, who had photographs and videos stolen from their phones, were considering steps last night to have the material removed from the dark net.
https://www.thetimes.co.uk/article/hackers-post-athletes-naked-photos-online-86sq27hgl
Threats
Ransomware
Manchester United hackers 'demanding million-pound ransom'
Manchester United are still suffering the effects of a significant cyberattack that targeted the club earlier this week.
Following last weekend's 'sophisticated' attack, the club has revealed it is still suffering severe disruption to its internal systems, several of which had to be shut down following the incident.
Reports have also claimed that the hackers are demanding "millions of pounds" before they let the club regain full control.
https://www.techradar.com/sg/news/manchester-united-hackers-demanding-million-pound-ransom
Egregor Ransomware Attack Hijacks Printers to Spit Out Ransom Notes
The South American retail giant Cencosud was hit with ransomware last week? The retailer was infected by an Egregor ransomware attack which, in time honoured fashion, stole sensitive files that it found on the compromised network, and encrypted data on Cencosud’s drives to lock workers out of the company’s data.
A text file was left on infected Windows computers, telling the store that private data would be shared with the media if it was not prepared to begin negotiating with the hackers within three days.
That’s nothing unusual, but Egregor’s novel twist is that it can also tell businesses that their computer systems are well and truly breached by sending its ransom note to attached printers.
Sopra Steria: Adding up outages and ransomware clean-up, Ryuk attack will cost us up to €50m
Sopra Steria has said a previously announced Ryuk ransomware infection will not only cost it "between €40m and €50m" but will also deepen expected financial losses by several percentage points.
The admission comes weeks after the French-headquartered IT outsourcing firm's Active Directory infrastructure was compromised by malicious people who deployed the Ryuk ransomware, using what the company called "a previously unknown strain."
https://www.theregister.com/2020/11/25/sopra_steria_ransomware_damage_50m_euros/
Phishing
GoDaddy scam shows how voice phishing can be more deceptive than email schemes
Companies can protect employees from phishing schemes through a combination of training, secure email gateways and filtering technologies. But what protects workers from phone-based voice phishing (vishing) scams, like the kind that recently targeted GoDaddy and a group of cryptocurrency platforms that use the Internet domain registrar service?
Experts indicate that there are few easy answers, but organizations intent on putting a stop to such activity may have to push for more secure forms of verification, escalation procedures for sensitive requests, and better security awareness of account support staffers and other lower-level employees.
Google Services Weaponized to Bypass Security in Phishing, BEC Campaigns
A spike in recent phishing and business email compromise (BEC) attacks can be traced back to criminals learning how to exploit Google Services, according to research from Armorblox.
Social distancing has driven entire businesses into the arms of the Google ecosystem looking for a reliable, simple way to digitize the traditional office. A report detailing how now-ubiquitous services like Google Forms, Google Docs and others are being used by malicious actors to give their spoofing attempts a false veneer of legitimacy, both to security filters and victims.
Malware
Malware creates scam online stores on top of hacked WordPress sites
A new cybercrime gang has been seen taking over vulnerable WordPress sites to install hidden e-commerce stores with the purpose of hijacking the original site's search engine ranking and reputation and promote online scams.
The attacks were discovered earlier this month targeting a WordPress honeypot which was set up and managed.
The attackers leveraged brute-force attacks to gain access to the site's admin account, after which they overwrote the WordPress site's main index file and appended malicious code.
https://www.zdnet.com/article/malware-creates-online-stores-on-top-of-hacked-wordpress-sites/
Enter WAPDropper – An Android Malware Subscribing Victims to Premium Services by Telecom Companies
WAPDropper, a new malware which downloads and executes an additional payload. In the current campaign, it drops a WAP premium dialler which subscribes its victims to premium services without their knowledge or consent.
The malware, which belongs to a newly discovered family, consists of two different modules: the dropper module, which is responsible for downloading the 2nd stage malware, and a premium dialler module that subscribes the victims to premium services offered by legitimate sources – In this campaign, telecommunication providers in Thailand and Malaysia.
https://research.checkpoint.com/2020/enter-wapdropper-subscribe-users-to-premium-services-by-telecom-companies/
LightBot: TrickBot’s new reconnaissance malware for high-value targets
The notorious TrickBot gang has released a new lightweight reconnaissance tool used to scope out an infected victim's network for high-value targets.
Over the past week, security researchers began to see a phishing campaign normally used to distribute TrickBot's BazarLoader malware switch to installing a new malicious PowerShell script.
IoT
The smart video doorbells letting hackers into your home
Smart doorbells with cameras let you see who’s at the door without getting up off the sofa, but in-depth security testing has found some are leaving your home wide open to uninvited guests.
With internet-connected smart tech on the rise, smart doorbells are a common sight on UK streets. Popular models, such as Ring and Nest doorbells, are expensive, but scores of similar looking devices have popped up on Amazon, eBay and Wish at a fraction of the price.
https://www.which.co.uk/news/2020/11/the-smart-video-doorbells-letting-hackers-into-your-home/
Password Attacks
Up to 350,000 Spotify accounts hacked in credential stuffing attacks
An unsecured internet-facing database containing over 380 million individual records, including login credentials that were leveraged for breaking into 300,000 to 350,000 Spotify accounts. The exposed records included a variety of sensitive information such as people’s usernames and passwords, email addresses, and countries of residence.
The treasure trove of data was stored on an unsecured Elasticsearch server that was uncovered. Both the origin and owners of the database remain unknown. However, the researchers were able to validate the veracity of the data as Spotify confirmed that the information had been used to defraud both the company and its users.
Passwords exposed for almost 50,000 vulnerable Fortinet VPNs
A hacker has now leaked the credentials for almost 50,000 vulnerable Fortinet VPNs.
Over the weekend a hacker had posted a list of one-line exploits to steal VPN credentials from these devices.
Present on the list of vulnerable targets are IPs belonging to high street banks, telecoms, and government organizations from around the world.
Vulnerabilities
UK urges orgs to patch critical MobileIron RCE bug
The UK National Cyber Security Centre (NCSC) issued an alert yesterday, prompting all organizations to patch the critical CVE-2020-15505 remote code execution (RCE) vulnerability in MobileIron mobile device management (MDM) systems.
An MDM is a software platform that allows administrators to remotely manage mobile devices in their organization, including the pushing out of apps, updates, and the ability to change settings. This management is all done from a central location, such as an admin console running on the organization's server, making it a prime target for attackers.
Critical Unpatched VMware Flaw Affects Multiple Corporates Products
VMware has released temporary workarounds to address a critical vulnerability in its products that could be exploited by an attacker to take control of an affected system.
"A malicious actor with network access to the administrative configurator on port 8443 and a valid password for the configurator admin account can execute commands with unrestricted privileges on the underlying operating system," the virtualization software and services firm noted in its advisory.
Tracked as CVE-2020-4006, the command injection vulnerability has a CVSS score of 9.1 out of 10 and impacts VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector.
https://thehackernews.com/2020/11/critical-unpatched-vmware-flaw-affects.html
GitHub fixes 'high severity' security flaw spotted by Google
GitHub has finally fixed a high severity security flaw reported to it by Google Project Zero more than three months ago.
The bug affected GitHub's Actions feature – a developer workflow automation tool was "highly vulnerable to injection attacks".
GitHub's Actions support a feature called workflow commands as a communication channel between the Action runner and the executed action.
https://www.zdnet.com/article/github-fixes-high-severity-security-flaw-spotted-by-google/
Google Chrome users still vulnerable to multiple zero-day attacks
As business users and consumers have moved most of their workloads to the cloud, more and more of their work is being done in web browsers such as Google Chrome as opposed to in applications installed locally on their systems.
This means that the web browser is now an essential yet vulnerable entry point that if compromised, could give cybercriminals access to a user's entire digital life including their email, online banking, social networks and more. However, despite this risk, users are failing to update to the latest version of Google Chrome.
https://www.techradar.com/news/google-chrome-users-still-vulnerable-to-multiple-zero-day-attacks
Microsoft releases patching guidance for Kerberos security bug
Released details on how to fully mitigate a security feature bypass vulnerability in Kerberos KDC (Key Distribution Centre) patched during this month's Patch Tuesday.
The remotely exploitable security bug tracked as CVE-2020-17049 exists in the way KDC decides if service tickets can be used for delegation via Kerberos Constrained Delegation (KCD).
Kerberos is the default authentication protocol for domain connected devices running Windows 2000 or later. Kerberos KDC is a feature that manages service tickets used for encrypting messages between network servers and clients.
Data Breaches
Sophos notifies customers of data exposure after database misconfiguration
UK-based cyber-security vendor Sophos is currently notifying customers via email about a security breach the company suffered earlier this week.
Exposed information included details such as customer first and last names, email addresses, and phone numbers (if provided).
Privacy
Microsoft productivity score feature criticised as workplace surveillance
Microsoft has been criticised for enabling “workplace surveillance” after privacy campaigners warned that the company’s “productivity score” feature allows managers to use Microsoft 365 to track their employees’ activity at an individual level.
The tools, first released in 2019, are designed to “provide you visibility into how your organisation works”, according to a Microsoft blogpost, and aggregate information about everything from email use to network connectivity into a headline percentage for office productivity.
Other News
Robot vacuum cleaners can eavesdrop on your conversations, researchers reveal - Bitdefender
You can protect the company from hackers, but can you protect the company from the CEO?
Botnets have been silently mass-scanning the internet for unsecured ENV files | ZDNet
Windows 10 KB4586819 update fixes gaming and USB 3.0 issues (bleepingcomputer.com)
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Cyber Briefing 23 October 2020: Ransomware Continues to Evolve; Infected IoT Up 100%; Brute Force Attacks Up with more Open RDP Ports; 40% Unsure on Mobile Phishing; Most Imitated Phishing Brands
Cyber Briefing 23 October 2020: Ransomware Variants Evolve as Crooks Chase Bigger Paydays; Infected IoT Surges 100% in a Year; Brute Force Attacks Up Due To More Open RDP Ports; 40% of Users Not Sure What Mobile Phishing Is; Microsoft Most Imitated Phishing Brand Q3 2020; DDoS Triples as Ransoms Re-Emerge; Exploited Chrome Bug Fixed; WordPress Forces Security Update; The Most Worrying Vulns Around Today
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities and cyber related news from the last week.
Threats
Ransomware
This week has been busy with ransomware related news, including new charges against Russian state-sponsored hackers and numerous attacks against well-known organisations.
In 2017, there was an attack utilizing the NotPetya ransomware to destroy data on systems worldwide. This week, the US govt indicted six Russian intelligence operatives [source], known to be part of the notorious 'Sandworm' group, for hacking operations, including NotPetya.
Ransomware variants continue to evolve as crooks chase bigger paydays
The number of ransomware attacks which threaten to leak stolen data if the victim doesn't pay a ransom to get their encrypted files and servers back is growing – and this is being reflected in the changing nature of the cyber criminal market.
Analysis by cyber security researchers found that over the last three months – between July and September - 80 percent of ransomware attacks combined with data dumps were associated with four families of ransomware – Maze, Sodinokibi, Conti and Netwalker.
The period from April to June saw just three ransomware families account for 80 percent of alerts – DoppelPaymer, Maze and Sodinokibi.
The way DoppelPayer has dropped off and how Conti and NetWalker have suddenly emerged some of the most prolific threats shows how the ransomware space continues to evolve, partly because of how successful it has already become for the crooks behind it. [source]
Why this matters:
Maze was the first major family of ransomware to add threats of data breaches to their ransom demands and other ransomware operators have taken note – and stolen the additional extortion tactic.
There is an inherent competitive nature that has befallen the ransomware landscape. The saturated ransomware market pushes ransomware developers to cut through the noise and gain the best ransomware title and this drives more affiliates to carry out their work and, thus, more successful attacks to reach their goal: to make as much money as possible.
DoppelPaymer's activity has dropped over the last few months – although it still remains active - enabling Conti and NetWalker to grab a larger slice of the pie.
Notable ransomware victims of the last week
French IT giant Sopra Steria hit by Ryuk ransomware
French IT services giant Sopra Steria suffered a cyber attack on October 20th, 2020, that reportedly encrypted portions of their network with the Ryuk ransomware.
Sopra Steria is a European information technology company with 46,000 employees in 25 countries worldwide. The company provides a wide range of IT services, including consulting, systems integration, and software development.
The firm has said that the attack has hit all geographies where they operate and have said it will take them several weeks to recover.
Numerous sources have confirmed that it was Ryuk ransomware threat actors who were behind the attack. This hacking group is known for its TrickBot and BazarLoader infections that allow threat actors to access a compromised network and deploy the Ryuk or Conti ransomware infections.
BazarLoader is increasingly being used in Ryuk attacks against high-value targets due to its stealthy nature and is less detected than TrickBot by security software.
When installed, BazarLoader will allow threat actors to remotely access the victim's computer and use it to compromise the rest of the network.
After gaining access to a Windows domain controller, the attackers then deploy the Ryuk ransomware on the network to encrypt all of its devices, as illustrated in the diagram above. [Source1] [source2]
The Nefilim ransomware operators have posted a long list of files that appear to belong to Italian eyewear and eyecare giant Luxottica.
Luxottica Group S.p.A. is an Italian eyewear conglomerate and the world’s largest company in the eyewear industry (which owns brands including LensCrafters, Sunglass Hut, Apex by Sunglass Hut, Pearle Vision, Target Optical, Eyemed vision care plan, and Glasses.com. Its best known brands are Ray-Ban, Persol, and Oakley) and employs over 80,000 people and generated 9.4 billion in revenue for 2019.
The company was hit by a cyber attack and some of the web sites operated by the company were not reachable, including Ray-Ban, Sunglass Hut, LensCrafters, EyeMed, and Pearle Vision.
Reports indicate that the firm was using a Citrix ADX controller device vulnerable to a critical vulnerability and it is believed that a threat actor or actors exploited the above flaw to infect the systems at the company with ransomware. This appears to have subsequently confirmed with Nefilim ransomware operators having posted a long list of files that appear to belong to Luxottica. [source]
Why this matters:
The analysis of the leaked files revealed that they contain confidential information regarding the recruitment process, professional resumes, and info about the internal structures of the Group’s human resource department. The ransomware operators also published a message which accuses Luxottica of having failed the properly manage the attack.
In the past months, the number of ransomware attacks surged, numerous ransomware gangs made the headlines targeting organisations worldwide and threatening victims with releasing the stolen data if the ransom was not paid.
Extortion is the new thing in cyber crime right now, more so than in the past. Companies cannot hide the cyber attack anymore. Now it’s more about how to manage the breach from the communication perspective. Defending companies from these types of attacks becomes even more strategic: data leak damages can generate tremendous amount of costs for companies worldwide.
Other notable ransomware victims this week include:
Barnes & Noble hit by Egregor ransomware, strange data leaked [source]
Montreal's STM public transport system hit by ransomware attack [source]
WastedLocker ransomware hits US-based ski and golf resort operator Boyne Resorts (WastedLocker was the same one used in the attack on Garmin in July) [source]
Other Threats
Infected IoT Device Numbers Surge 100% in a Year
The volume of infected Internet of Things (IoT) devices globally has soared by 100% over the past year, according to new data from Nokia.
It revealed that infected IoT devices now comprise nearly a third (32.7%) of the total number of devices, up from 16.2% in the 2019 report.
Nokia argued that infection rates for connected devices depend dramatically upon the visibility of the devices on the internet.
In networks where devices are routinely assigned public facing internet IP addresses there is a higher infection rate. In networks where carrier grade NAT is used, the infection rate is considerably reduced, because the vulnerable devices are not visible to network scanning.
With the introduction of 5G well underway, it is expected that not only the number of IoT devices will increase dramatically, but also the share of IoT devices accessible directly from the internet will increase as well, and rates of infection rising accordingly. [source]
Brute force attacks increase due to more open RDP ports
While leaving your back door open while you are working from home may be something you do without giving it a second thought, having unnecessary ports open on your computer or on your corporate network is a security risk that is sometimes underestimated. That’s because an open port can be subject to brute force attacks.
A brute force attack is where an attacker tries every way he can think of to get in. Including throwing the kitchen sink at it. In cases where the method they are trying is to get logged in to your system, they will try endless combinations of usernames and passwords until a combination works.
Brute force attacks are usually automated, so it doesn’t cost the attacker a lot of time or energy. Certainly not as much as individually trying to figure out how to access a remote system. Based on a port number or another system specific property, the attacker picks the target and the method and then sets his brute force application in motion. He can then move on to the next target and will get notified when one of the systems has swallowed the hook.
RDP attacks are one of the main entry points when it comes to targeted ransomware operations. To increase effectiveness, ransomware attacks are getting more targeted and one of the primary attack vectors is the Remote Desktop Protocol (RDP). Remote desktop is exactly what the name implies, an option to remotely control a computer system. It almost feels as if you were actually sitting behind that computer. Which is exactly what makes an attacker with RDP access so dangerous. [source]
Why this matters:
Because of the current pandemic, many people are working from home and may be doing so for a while to come. Working from home has the side effect of more RDP ports being opened. Not only to enable the workforce to access company resources from home, but also to enable IT staff to troubleshoot problems on the workers’ devices. A lot of enterprises rely on tech support teams using RDP to troubleshoot problems on employee’s systems.
But ransomware, although prevalent, is not the only reason for these types of attacks. Cyber criminals can also install keyloggers or other spyware on target systems to learn more about the organization they have breached. Other possible objectives might be data theft, espionage, or extortion.
Phishing
Two in five employees are not sure what a mobile phishing attack is
The COVID-19 pandemic has clearly changed the way people work and accelerated the already growing remote work trend. This has also created new security challenges for IT departments, as employees increasingly use their own personal devices to access corporate data and services.
These changes, where employees, IT infrastructures, and customers are everywhere – has led to employees not prioritising security in their new world of work, and the current distributed remote work environment has also triggered a new threat landscape, with malicious actors increasingly targeting mobile devices with phishing attacks.
A new study looking at the impact that lockdown has had on employees working habits polled 1,200 workers across the US, UK, France, Germany, Belgium, Netherlands, Australia, and New Zealand showed that many employees were unaware of how to identify and avoid a phishing attack, and over two in five (43%) of employees are not even sure what a phishing attack is. [source]
Microsoft is Most Imitated Brand for Phishing Attempts in Q3 2020
The latest Check Point ‘Q3 Brand Phishing Report’, highlighting the brands that hackers imitated the most to lure people into giving up personal data, reveals the brands which were most frequently imitated by criminals in their attempts to steal individuals’ personal information or payment credentials during July, August and September.
In Q3, Microsoft was the most frequently targeted brand by cyber criminals, soaring from fifth place (relating to 7% of all brand phishing attempted globally in Q2 of 2020) to the top of the ranking. 19% of all brand phishing attempts related to the technology giant, as threat actors sought to capitalise on large numbers of employees still working remotely during the Covid-19 pandemic. For the first time in 2020, DHL entered the top 10 rankings, taking the second spot with 9% of all phishing attempts related to the company. [source]
Top phishing brands in Q3 2020
Microsoft (19%)
DHL (9%)
Google (9%)
PayPal (6%)
Netflix (6%)
Facebook (5%)
Apple (5%)
Whatsapp (5%)
Amazon (4%)
Instagram (4%)
Phishing Lures Shifting from COVID-19 updates to Job Opportunities
Researchers are seeing a pivot in the spear-phishing and phishing lures used by cybercriminals, to entice potential job candidates as businesses start to open up following the pandemic.
Cyber criminals cashed in on the surge of COVID-19 earlier this year, with email lures purporting to be from healthcare professionals offering more information about the pandemic. However, as the year moves forward, bad actors are continuing to swap up their attacks and researchers are now seeing ongoing email based attacks that tap into new job opportunities as businesses start to open up. [source]
Denial of Service Attacks
DDoS (Distributed Denial of Service) Attacks Triple in Size as Ransom Demands Re-Emerge
The last quarter of 2020 has seen a wave of web application attacks which have used ransom letters to target businesses across a number of industries.
According to research from Akamai, the largest of these attacks sent over 200Gbps of traffic at their targets as part of a sustained campaign of higher Bits Per Second (BPS) and Packets Per Second (PPS) than similar attacks had displayed a few weeks prior.
Prior to August most of these attacks were targeting the gaming industry but since then these attacks abruptly swung to financial organisations, and later in the cycle, multiple other verticals.
Akamai explained that none of the vectors involved in these series of attacks were new, as most of the traffic was generated by reflectors and systems that were used to amplify traffic. However, multiple organisations began to receive targeted emails with threats of DDoS attacks, where this would be launched unless a ransom amount was paid. A small DDoS would be made against the company to show that the attackers were serious, and then there was a threat of a 1Tbps attack if payment was not made.
Many extortion DDoS campaigns start as a threat letter, and never progress beyond that point but this this campaign has seen frequent ‘sample’ attacks that prove to the target that criminals have the capability to make life difficult.
Many of the extortion emails ended up being caught by spam filters, and not all targets are willing to admit they’ve received an email from the attackers.
Why this matters:
This extortion DDoS campaign is not over and the criminals behind this campaign are changing and evolving their attacks in order to throw off defenders and the law enforcement agencies that are working to track them down.
Vulnerabilities
New Google Chrome version fixes actively exploited zero-day bug
Google released Chrome 86.0.4240.111 this week to address five security vulnerabilities, one of which is being actively exploited.
The announcement from Google stated they they were aware of reports that an exploit for CVE-2020-15999 exists in the wild.
This new version of Chrome started rolling out to the entire userbase. Users on Windows, Mac, and Linux desktop users can upgrade to Chrome 86 by going to Settings -> Help -> About Google Chrome.
The Google Chrome web browser will then automatically check for the new update and install it when available.
Adobe releases another out-of-band patch, squashing critical bugs across creative software
Adobe has released a second out-of-band security update to patch critical vulnerabilities across numerous software products.
The patch, released outside of the tech giant's typical monthly security cycle, impacts Adobe Illustrator, Dreamweaver, Marketo, Animate, After Effects, Photoshop, Premiere Pro, Media Encoder, InDesign, and the Creative Cloud desktop application on Windows and macOS machines.
The vulnerabilities across the different products variously could result in privilege escalation, cross-site scripting (XSS), which could be weaponised to deploy malicious JavaScript in a browser session, or otherwise could result in arbitrary code execution.
Last week, Adobe released a separate set of out-of-band security fixes impacting the Magento platform. On October 15, Adobe said the patch resolved nine vulnerabilities, eight of which are critical -- including a bug that could be abused to tamper with Magento customer lists. [source]
WordPress deploys forced security update for dangerous bug in popular plugin
The WordPress security team has taken a rare step last week and used a lesser-known internal capability to forcibly push a security update for a popular plugin called Loginizer, which provides security enhancements for the WordPress login page, but that was found to contain a dangerous SQL injection bug that could have allowed hackers to take over WordPress sites running older versions of the plugin. [source]
Why this matters:
Remote attackers to run code against the WordPress database — in what is referred to as an unauthenticated SQL injection attack.
These are the most worrying vulnerabilities around today
Failure to patch once again leaves organisations open to attacks
The US National Security Agency (NSA) has published a new cyber security advisory in which it details 25 of the most dangerous vulnerabilities actively being exploited in the wild by Chinese state-sponsored hackers and other cyber criminals.
Unlike zero-day vulnerabilities where hardware and software makers have yet to release a patch, all of the vulnerabilities in the NSA's advisory are well-known and patches have been made available to download from their vendors. However, the problem lies in the fact that organisations have yet to patch their systems, leaving them vulnerable to potential exploits and attacks.
The NSA provided further details on the nature of the vulnerabilities in its advisory while urging organisations to patch them immediately.
Most of the vulnerabilities listed below can be exploited to gain initial access to victim networks using products that are directly accessible from the Internet and act as gateways to internal networks. The majority of the products are either for remote access or for external web services and should be prioritised for immediate patching. The full list can be found here.
The first bug in the list, tracked as CVE-2019-11510, relates to Pulse Secure VPN servers and how an unauthenticated remote attacker can expose keys or passwords by sending a specially crafted URI to perform an arbitrary file reading vulnerability.
Another notable bug from the list, tracked as CVE-2020-5902, affects the Traffic Management User Interface (TMUI) of F5 BIG-IP proxies and load balancers and it is vulnerable to a Remote Code Execution (RCE) vulnerability that if exploited, could allow a remote attacker to take over an entire BIG-IP device.
The Citrix Application Delivery Controller (ADC) and Gateway systems are vulnerable to a directory traversal bug, tracked as CVE-2019-19781, that can lead to remote code execution where an attacker does not need to possess valid credentials for the device.
The advisory also mentions BlueKeep, SigRed, Netlogon, CurveBall and other more well-known vulnerabilities.
To avoid falling victim to any potential attacks exploiting these vulnerabilities, the NSA recommends that organisations keep their systems and products updated and patched as soon as possible after vendors release them. [source]
Miscellaneous Cyber News of the Weeks
Hackers Can Clone Millions of Toyota, Hyundai, and Kia Keys
Owners of cars with keyless start systems have learned to worry about so-called relay attacks, in which hackers exploit radio-enabled keys to steal vehicles without leaving a trace. Now it turns out that many millions of other cars that use chip-enabled mechanical keys are also vulnerable to high-tech theft. A few cryptographic flaws combined with a little old-fashioned hot-wiring—or even a well-placed screwdriver—lets hackers clone those keys and drive away in seconds.
Researchers this week revealed new vulnerabilities in the encryption systems used by immobilisers, the radio-enabled devices inside of cars that communicate at close range with a key fob to unlock the car's ignition and allow it to start. Specifically, they found problems in how Toyota, Hyundai, and Kia implement their encryption system. A hacker who swipes a relatively inexpensive RFID reader/transmitter device near the key fob of any affected car can gain enough information to derive its secret cryptographic value. That, in turn, would allow the attacker to spoof the device to impersonate the key inside the car, disabling the immobiliser and letting them start the engine.
The researchers say the affected car models include the Toyota Camry, Corolla, and RAV4; the Kia Optima, Soul, and Rio; and the Hyundai I10, I20, and I40, amongst others. [source]
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.