Threat Intelligence Blog

Contact us to discuss any insights from our Blog, and how we can support you in a tailored threat intelligence report.

Black Arrow Admin Black Arrow Admin

Black Arrow Cyber Threat Briefing 19 April 2024

Black Arrow Cyber Threat Intelligence Briefing 19 April 2024:

-94% of Ransomware Victims Have Their Backups Targeted by Attackers

-Sharing IT Providers Is a Risk for Financial Services, Says IMF, as Rising Cyber Threats Pose Serious Concerns for Financial Stability

-Hackers are Threatening to Publish a Huge Stolen Sanctions and Financial Crimes Watchlist

-Your Annual Cyber Security Is Not Working, but There is a Solution

-73% of Security Professionals Say They’ve Missed, Ignored or Failed to Act on a High Priority Security Alert

-Russia and Ukraine Top Inaugural World Cyber Crime Index

-Police Takedown Major Cyber Fraud Superstore: Will the Cyber Crime Industry Become More Fragmented?

-Small Businesses See Stable Business Climate; Cite Cyber Security as Top Threat

-The Threat from Inside: 14% Surge in Insider Threats Compared to Previous Year

-Dark Web Sales Driving Major Rise in Credential Attacks as Attackers Pummel Networks with Millions of Login Attempts

-Large Enterprises Experience Breaches, Despite Large Security Stacks - Report Finds 93% of Breaches Lead to Downtime and Data Loss

-Charities Doing Worse than Private Sector in Staving off Cyber Attacks

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

94% of Ransomware Victims Have Their Backups Targeted by Attackers

Organisations that have backed up sensitive data may believe they are safe from the effects of ransomware attacks; however a new study by Sophos reported that cyber criminals attempted to compromise the backups of 94% of companies hit by ransomware in the past year. The research found that criminals can demand a higher ransom when they compromise an organisation’s backup data, and those victims are twice as likely to pay. The median ransom demand is $2.3 million when backups are compromised, compared to $1 million otherwise.

Additionally, sectors like state and local governments, along with media and entertainment, are particularly vulnerable with nearly all affected organisations experiencing backup compromises.

Source: [Tech Republic]

Sharing IT Providers Is a Risk for Financial Services, Says IMF, as Rising Cyber Threats Pose Serious Concerns for Financial Stability

The International Monetary Fund has found that with greater digitalisation and heightened geopolitical tensions comes a greater risk of cyber attack with systemic consequences. The IMF noted that losses more than quadrupled since 2017 to $2.5 billion.

The push for technology has led to a number of financial services institutions relying on third-party IT firms, increasing their susceptibility to cyber disruption on a wider scale and a potential ripple effect were a third party to be hit. Whilst such third parties can increase the cyber resilience of a financial services institution, they also expose the industry to systemwide shocks, the IMF reports.

The IMF recommend institutions should identify potential systematic risks in their third-party IT firms. If the organisation is unable to perform such risk assessments, they should seek the expert support of an independent cyber security specialist.

Sources: [The Banker] [IMF]

Hackers are Threatening to Publish a Huge Stolen Sanctions and Financial Crimes Watchlist

A cyber crime group named GhostR has claimed responsibility for stealing 5.3 million records from the World-Check database, which companies use for "know your customer" (KYC) checks to screen potential clients for financial crime risks. The data theft occurred in March and originated from a Singapore-based firm with access to World-Check. The London Stock Exchange Group (LSEG), which owns World-Check, confirmed that the breach involved a third-party's dataset and not their systems directly. The stolen data includes sensitive information on individuals identified as high-risk, such as government-sanctioned figures and those linked to organised crime. LSEG is coordinating with the affected third party and authorities to protect the compromised data and prevent its dissemination.

Source: [TechCrunch]

Your Annual Cyber Security Is Not Working, But There is a Solution

Most organisations utilise annual security training in an attempt to ensure every department develops their cyber awareness skills and is able to spot and report a threat. However, this training is often out of date. Additionally, often training has limited interactivity, failing to capture and maintain employees’ attention and retention. On top of this, many training courses fail to connect employees to real-world scenarios that could occur in their specific job.

To get the most return on investment, organisations need to have more regular education, with the aim of long-term behavioural shifts in the work place, nudging employees towards greater cyber hygiene.

Source: [TechRadar]

73% of Security Professionals Say They’ve Missed, Ignored or Failed to Act on a High Priority Security Alert

A new survey from Coro, targeting small medium enterprises (SME) cyber security professionals, reveals that 73% have missed or ignored high priority security alerts due to overwhelming workloads and managing multiple security tools. The 2024 SME Security Workload Impact Report highlights that SMEs are inundated with alerts and responsibilities, which dilute their focus from critical security threats. On average, these professionals manage over 11 security tools and spend nearly five hours daily on tasks like monitoring and patching vulnerabilities. Respondents handle an average of over 2,000 endpoint security agents across 656 devices, more than half dealing with frequent vendor updates.

Source: [Business Wire]

Russia and Ukraine Top Inaugural World Cyber Crime Index

The inaugural World Cybercrime Index (WCI) identifies Russia, Ukraine, and China as the top sources of global cyber crime. This index, the first of its kind, was developed over four years by an international team from the University of Oxford and the University of New South Wales, with input from 92 cyber crime experts. These experts ranked countries based on the impact, professionalism, and technical skills of their cyber criminals across five cyber crime categories, including data theft, scams, and money laundering. Russia topped the list, followed by Ukraine and China, highlighting their significant roles in high-tech cyber criminal activities. The index, expected to be updated regularly, aims to provide a clearer understanding of cyber crime's global geography and its correlation with national characteristics like internet penetration and GDP. Of note the UK and US also made the top ten list, so it is not just other countries we need to worry about.

Top ten Countries in full:

1.       Russia

2.       Ukraine

3.       China

4.       United States

5.       Nigeria

6.       Romania

7.       North Korea

8.       United Kingdom

9.       Brazil

10.   India

Source: [Infosecurity Magazine]

Police Takedown Major Cyber Fraud Superstore: Will the Cyber Crime Industry Become More Fragmented?

The London Metropolitan Police takedown of online fraud service LabHost serves as a reminder of the industrial scale on which cyber crimes are being performed, with the service amassing 480,000 debit or credit card numbers and 64,000 PINs: all for the subscription price of £300 a month. The site even included tutorial videos on how to commit crime and offered customer service.

Such takedowns can lead to fragmentation. The 2,000 individuals subscribed to LabHost may have lost access but where there is demand, supply will be found. The takedown of one service allows other, small services to fill the gap. As the saying goes ‘nature abhors a vacuum’ and it is especially true when it comes to cyber crime; there is too much business for empty spaces not to be filled.

Sources: [ITPro] [The Guardian]

Small Businesses See Stable Business Climate; Cite Cyber Security as Top Threat

Small businesses are experiencing a stable business climate, as reflected by the Small Business Index, indicating an increasing optimism about the economy. However, the recent surge in cyber attacks, including major assaults on UnitedHealth Group and MGM Resorts, has underscored the growing vulnerability of these businesses to cyber crime. Despite 80% of small to medium-sized enterprises feeling well-protected by their IT defences, a Devolutions survey reveals that 69% of them still fell victim to cyber attacks last year. This has led to cyber security being viewed as the greatest threat by 60% of small businesses, even surpassing concerns over supply chain disruptions and the potential for another pandemic.

The average cost of these attacks ranges from $120,000 to $1.24 million, leading to 60% of affected businesses closing within six months. This vulnerability is further compounded by a common underestimation of the ransomware threat. While 71% of businesses feel prepared for future threats, the depth of this preparedness varies, with only 23% feeling very prepared for cyber security challenges.

Sources: [Claims Journal] [Inc.com]

The Threat from Inside: Insider Threats Surge 14% Annually as Cost-of-Living Crisis Bites

Employee fraud grew significantly last year thanks to the opportunities afforded by remote working and the pressures of a cost-of-living crisis in the UK, according to Cifas, an anti-fraud non-profit. The number of individuals recorded in its cross-sector Insider Threat Database (ITD) increased 14% year-on-year (YoY) in 2023, with the most common reason being “dishonest action to obtain benefit by theft or deception” (49%).

Insider threats – both by accident or with malicious intent – by their own employees are overlooked, despite accounting for 58% of cybersecurity breaches in recent years. As a result, a large proportion of businesses may lack any strategy to address insider risks, leaving them vulnerable to financial, operational and reputational harm.

Source: [Infosecurity Magazine] [TechRadar]

Dark Web Sales Driving Major Rise in Credential Attacks as Attackers Pummel Networks with Millions of Login Attempts

Dark web sales are driving a major rise in credential attacks, with a surge in infostealer malware attacks over the last three years significantly heightening the cyber crime landscape. Kaspersky reports a sevenfold increase in data theft attacks, leading to the compromise of over 26 million devices since 2022. Cyber criminals stole roughly 400 million login credentials last year alone, often sold on dark web markets for as low as $10 per log file. These stolen credentials have become a lucrative commodity, fostering a complex economy of initial access brokers who facilitate broader corporate network infiltrations. The Asia-Pacific and Latin America regions have been particularly affected, with millions of credentials stolen annually.

Simultaneously, Cisco’s Talos team warns of a current credential compromise campaign targeting networks via mass login attempts to VPN, SSH, and web apps. Attackers use a mix of generic and specific usernames with nearly 100 passwords from about 4,000 IP addresses, likely routed through anonymising services (such as TOR). These attacks pose risks like unauthorised access, account lockouts, and potential denial-of-service. The attack volume has increased since 18 March this year mirroring a previous alert by Cisco about a similar campaign affecting VPNs. Despite method and infrastructure similarities, a direct link between these campaigns is yet to be confirmed.

Sources: [Ars Technica] [Data Breach Today]

Large Enterprises Experience Breaches, Despite Large Security Stacks; Report Finds 93% of Breaches Lead to Downtime and Data Loss

93% of enterprises admitting to having had a breach have suffered significant consequences, ranging from unplanned downtime to data exposure or financial loss, according to a recent report. 73% of organisations made changes to their IT environment at least quarterly, however only 40% tested their security at the same frequency. Unfortunately, this means that many organisations are facing a significant gap in which changes in the IT environment are untested, and therefore their risk unknown.

Security tools can aid this, however as the report finds, despite having a large number of security stacks, 51% still reported a breach in the past 24 months. Organisations must keep in mind that security extends beyond the technical realm, and it needs to include people and operations.

Sources: [Infosecurity Magazine] [Help Net Security]

Charities Doing Worse than Private Sector in Staving off Cyber Attacks

Recent UK Government data reveals a significant cyber security challenge for charities, with about a third experiencing breaches this past year, equating to nearly 924,000 cyber crimes. Notably, 83% of these incidents involved phishing, with other prevalent threats including fraud emails and malware. The data found that 63% of charities said cyber security was a high priority for senior management, however, charities lag behind the private sector in adopting security monitoring tools and conducting risk assessments.

Additionally, while half of the charities implement basic cyber hygiene defences like malware protection and password policies, only about 40% seek external cyber security guidance.

Source: [TFN]

Governance, Risk and Compliance

Threats

Ransomware, Extortion and Destructive Attacks

Ransomware Victims

Phishing & Email Based Attacks

Other Social Engineering

Artificial Intelligence

2FA/MFA

Malware

Mobile

Denial of Service/DoS/DDOS

Internet of Things – IoT

Data Breaches/Leaks

Organised Crime & Criminal Actors

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

Insider Risk and Insider Threats

Insurance

Cloud/SaaS

Identity and Access Management

Linux and Open Source

Passwords, Credential Stuffing & Brute Force Attacks

Social Media

Malvertising

Training, Education and Awareness

Regulations, Fines and Legislation

Models, Frameworks and Standards

Backup and Recovery

Data Protection

Careers, Working in Cyber and Information Security

Law Enforcement Action and Take Downs

Misinformation, Disinformation and Propaganda

Nation State Actors, Advanced Persistent Threats (APTs), Cyber Warfare, Cyber Espionage and Geopolitical Threats/Activity

Cyber Warfare and Cyber Espionage

China

Russia

Iran

North Korea

Other Nation State Actors, Hacktivism, Extremism, Terrorism and Other Geopolitical Threat Intelligence

Vulnerability Management

Vulnerabilities

Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

·         Automotive

·         Construction

·         Critical National Infrastructure (CNI)

·         Defence & Space

·         Education & Academia

·         Energy & Utilities

·         Estate Agencies

·         Financial Services

·         FinTech

·         Food & Agriculture

·         Gaming & Gambling

·         Government & Public Sector (including Law Enforcement)

·         Health/Medical/Pharma

·         Hotels & Hospitality

·         Insurance

·         Legal

·         Manufacturing

·         Maritime

·         Oil, Gas & Mining

·         OT, ICS, IIoT, SCADA & Cyber-Physical Systems

·         Retail & eCommerce

·         Small and Medium Sized Businesses (SMBs)

·         Startups

·         Telecoms

·         Third Sector & Charities

·         Transport & Aviation

·         Web3

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Read More
Black Arrow Admin Black Arrow Admin

Black Arrow Cyber Threat Briefing 17 December 2021

Black Arrow Cyber Threat Briefing 17 December 2021:

-Employees Think They’re Safe From Cyber Threats On Company Devices

-Internet Is Scrambling To Fix Log4shell, The Worst Hack In History

-Apache Log4j Flaw: A Fukushima Moment for the Cyber Security Industry

-60% of UK Workers Have Been Victim of a Cyber-Attack, Yet Awareness Remains Low

-Ransomware in 2022: We're All Screwed

-Attacks on UK Firms Increase Five-Fold During Pandemic

-The Log4J Software Flaw Is ‘Christmas Come Early’ for Cyber Criminals

-Why Cloud Storage Isn't Immune to Ransomware

-400 Banks’ Customers Targeted with Anubis Trojan

-Sites Hacked With Credit Card Stealers Undetected For Months

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

Employees Think They’re Safe From Cyber Threats On Company Devices

A research launched by Menlo Security reveals increased cyber security risks posed to employees and organisations during the 2021 holiday shopping season.

The research – which surveyed 2,000 employed people in the United States and the United Kingdom – found that while employees are concerned about threats and are taking some measures to mitigate them, they often have false confidence in their security posture.

There are now more threats to corporate devices and networks than ever as hybrid work models blur the boundaries between work and home. More than half of respondents (56% US; 53% UK) reported performing non-work-related tasks – such as online shopping – on company devices.

Furthermore, the survey found that 65% of people in the US (63% UK) are doing more online holiday shopping in 2021 compared to previous years, and nearly half of respondents (48% US; 45% UK), reported shopping for gifts this holiday season on a work-issued device such as a laptop or mobile phone.

Workers are also noticing a rise in cyber threats this holiday season, with 58% of respondents in the US (48% UK) observing an increase in scams and fraudulent messages, exemplifying that threats are rampant worldwide. This is worrying many people, as the vast majority of respondents (80% US & UK) report being somewhat to very concerned about their personal data being stolen while online shopping.

However, despite workers’ recognition and concern of cyber threats, 60% of people (65% UK) still believe they’re secure from cyberthreats if they’re using a company device.

https://www.helpnetsecurity.com/2021/12/14/employees-cybersecurity-risks/

Internet Is Scrambling To Fix Log4shell, The Worst Hack In History

Massive data breaches have become so common that we’ve gotten numb to reports detailing another hack or 0-day exploit. That doesn’t reduce the risk of such events happening, as the cat-and-mouse game between security experts and hackers continues. As some vulnerabilities get fixed, others pop up requiring attention from product and service providers. The newest one has a name that will not mean anything to most people. They call the hack Log4Shell in security briefings, which doesn’t sound very scary. But the new 0-day attack is so significant that some people see it as the worst internet hack in history.

Malicious individuals are already exploiting the Log4Shell attack, which allows them to get into computer systems and servers without a password. Security experts have seen Log4Shell in action in Minecraft, the popular game that Microsoft owns. A few lines of text passed around in a chat might be enough to penetrate the defences of a target computer. The same ease of access would allow hackers to go after any computer out there using the Log4J open-sourced java-based logging utility.

https://bgr.com/tech/internet-is-scrambling-to-fix-log4shell-the-worst-hack-in-history/

Apache Log4j Flaw: A Fukushima Moment for the Cyber Security Industry

Organisations around the world will be dealing with the long-tail consequences of this vulnerability, known as Log4Shell, for years to come.

The discovery of a critical flaw in the Apache Log4j software is nothing short of a Fukushima moment for the cybersecurity industry.

Ten years ago, an earthquake and subsequent tidal wave triggered the meltdown of the Fukushima nuclear power plant that continues to plague the region today. Similarly, the early exploitation of Log4j, during which attackers will go after the low-hanging fruit exposed by the vulnerability, will evolve over time to take the form of more complex attacks on more sensitive systems that have less exposure to the internet. And, just as Fukushima brought to light significant issues with longstanding processes in place at the plant, so too does the Log4j vulnerability, known as Log4Shell, highlight two crucial practices of concern:

·       How organisations capture and protect their massive troves of log data; and

·       The use of open-source code libraries as the building blocks for major enterprise applications.

The paradox of Log4j: the more you log, the worse it gets

We’re discovering new apps every minute which use Log4j in one way or another. It affects not only the code you build, but also the third-party systems you have in place. Everything from the new printer you’ve bought for the office to the ticketing system you’ve just deployed is potentially affected by this flaw. Some affected systems may be on premises, others may be hosted in the cloud but no matter where they are, the flaw is likely to have an impact.

https://www.theregister.com/2021/12/17/vmware_criticial_uem_flaw/

60% of UK Workers Have Been Victim of a Cyber-Attack, Yet Awareness Remains Low

There is a “dangerous” lack of awareness among UK workers towards cybersecurity, leaving businesses at risk of attacks, according to a new study by Armis. This is despite 60% of workers admitting they have fallen victim to a cyber-attack.

The nationwide survey of 2000 UK employees found that only around a quarter (27%) are aware of the associated cyber risks, while one in 10 (11%) don’t worry about them at all.

Even more worryingly, just one in five people said they paid for online security, putting businesses at high risk of attacks amid the shift to remote working during COVID-19.

The most prevalent types of attacks experienced by workers or their organisations were phishing (27%), data breaches (23%) and malware (20%).

The study also revealed growing concerns about the scale of the cyber-threats facing the UK. A large-scale cyber-attack was ranked as the fourth biggest future concern (21%) among the respondents, equal to the UK going to war. Two-fifths (40%) said they would like to see a minister for cyber security installed to ensure the issue is focused on more at a government level.

Russian-backed cyber-criminals were considered the biggest threat to the UK’s cybersecurity (20%) by the respondents, followed by financially motivated cyber-criminals (17%) and Chinese-backed cyber-criminals (16%).

https://www.infosecurity-magazine.com/news/uk-workers-victim-cyber-attack/

Ransomware in 2022: We're All Screwed

Ransomware is now a primary threat for businesses, and with the past year or so considered the "golden era" for operators, cybersecurity experts believe this criminal enterprise will reach new heights in the future.

Kronos. Colonial Pipeline. JBS. Kaseya. These are only a handful of 2021's high-profile victims of threat groups including DarkSide, REvil, and BlackMatter.

According to Kela's analysis of dark web forum activity, the "perfect" prospective ransomware victim in the US will have a minimum annual revenue of $100 million and preferred access purchases include domain admin rights, as well as entry into Remote Desktop Protocol (RDP) and Virtual Private Network (VPN) services.

Over the past few years, we've seen ransomware operators evolve from disorganised splinter groups and individuals to highly sophisticated operations, with separate teams collaborating to target everything from SMBs to software supply chains.

Ransomware infection is no longer an end goal of a cyberattack. Instead, malware families in this arena -- including WannaCry, NotPetya, Ryuk, Cerber, and Cryptolocker -- can be one component of attacks designed to elicit a blackmail payment from a victim organisation.

https://www.zdnet.com/article/ransomware-in-2022-were-all-screwed/

Attacks on UK Firms Increase Five-Fold During Pandemic

Attacks on UK firms surged five-fold during the pandemic and now cost way more than the global average, according to Accenture.

The global consultancy polled 500 UK executives to compile its State of Cybersecurity Resilience 2021 study.

It found that large organisations experienced 885 attempted cyber-attacks in 2020 – up from 156 the previous year and more than triple the global average of 270.

They’re also more expensive than elsewhere. Accenture calculated that incidents and breaches cost over £1.3m a year – £350,000 more than the global average.

Over 80% of respondents said the cost of staying ahead of cyber-criminals is unsustainable, a fifth more than the previous year, and a quarter said they’ve been forced to increase cybersecurity budgets by 10% or more.

Worryingly, supply chain attacks accounted for 64% of breaches in the UK last year, up by a quarter (26%) from the previous year.

https://www.infosecurity-magazine.com/news/attacks-on-uk-firms-increase/

The Log4J Software Flaw Is ‘Christmas Come Early’ for Cyber Criminals

Researchers have just identified a security flaw in a software program called Log4J, widely used by a host of private, commercial and government entities to record details ranging from usernames and passwords to credit card transactions. Since the glitch was found last weekend, the cybersecurity community has been scrambling to protect applications, services, infrastructure and even Internet of Things devices from criminals—who are already taking advantage of the vulnerability.

“For cybercriminals this is Christmas come early, because the sky’s the limit,” says Theresa Payton, a former White House chief information officer and the CEO of Fortalice Solutions, a cybersecurity consulting company. “They’re really only limited by their imagination, their technical know-how and their own ability to exploit this flaw.” Payton spoke with Scientific American about what Log4J does, how criminals can use its newly discovered weakness, and what it will take to repair the problem.

https://www.scientificamerican.com/article/the-log4j-software-flaw-is-christmas-come-early-for-cybercriminals/

Why Cloud Storage Isn't Immune to Ransomware

Ransomware is the flavour of the month for cybercriminals. The FBI reports that ransomware attacks rose 20% and losses almost tripled in 2020. And our increased use of the cloud may have played a part in that spike. A survey of CISOs conducted by IDC earlier this year found that 98% of their companies suffered at least one cloud data breach in the previous 18 months as opposed to 79% last year, and numbers got worse the more exposure they had to the cloud.

Organisations now use hundreds of cloud-based apps, which adds thousands of new identities logging in to their systems. This opens almost unlimited possibilities for hackers. Even if cloud vendors have their own identity and access management controls, vulnerabilities will emerge. In fact, recent research into cloud security found that over 70% of organisations had machines open to the public that were linked to identities whose permissions were vulnerable, under the right conditions, to being exploited to launch ransomware attacks.

A number of reasons could explain why security falls through the cracks of many cloud systems, and leaves them more vulnerable to ransomware attacks.

https://www.darkreading.com/attacks-breaches/why-cloud-storage-isn-t-immune-to-ransomware

400 Banks’ Customers Targeted with Anubis Trojan

Customers of Chase, Wells Fargo, Bank of America and Capital One, along with nearly 400 other financial institutions, are being targeted by a malicious app disguised to look like the official account management platform for French telecom company Orange S.A.

Researchers say this is just the beginning.

Once downloaded, the malware – a variant of banking trojan Anubis – steals the user’s personal data to rip them off, researchers at Lookout warned in a new report. And it’s not just customers of big banks at risk, the researchers added: Virtual payment platforms and crypto wallets are also being targeted.

“As a banking trojan malware, Anubis’ goal is to collect significant data about the victim from their mobile device for financial gain,” the Lookout report said. “This is done by intercepting SMSs, keylogging, file exfiltration, screen monitoring, GPS data collection and abuse of the device’s accessibility services.”

https://threatpost.com/400-banks-targeted-anubis-trojan/177038/

Sites Hacked With Credit Card Stealers Undetected For Months

Threat actors are gearing up for the holidays with credit card skimming attacks remaining undetected for months as payment information is stolen from customers.

Magecart skimming is an attack that involves the injection of malicious JavaScript code on a target website, which runs when the visitor is at the checkout page.

The code can steal payment details such as credit card number, holder name, addresses, and CVV, and send them to the actor.

Threat actors may then use this information for purchasing goods online or sold to other actors on underground forums and dark web marketplaces known as "carding" sites.

https://www.bleepingcomputer.com/news/security/sites-hacked-with-credit-card-stealers-undetected-for-months/

Threats

Ransomware

BEC – Business Email Compromise

Phishing

Other Social Engineering

Malware

Mobile

IoT

Data Breaches/Leaks

Organised Crime & Criminal Actors

Cryptocurrency/Cryptomining/Cryptojacking

Insider Risk and Insider Threats

Fraud & Financial Crime

Nation State Actors

Cloud

Privacy

Spyware and Espionage

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Read More
Black Arrow Admin Black Arrow Admin

Black Arrow Cyber Threat Briefing 13 August 2021

Black Arrow Cyber Threat Briefing 13 August 2021:

-SMBs Increasingly Vulnerable To Ransomware, Despite The Perception They Are Too Small To Target

-440% Increase In Phishing

-Users Can Be Just As Dangerous As Hackers

-With Crime-As-A-Service, Anyone Can Be An Attacker

-Move To Cloud Creating Security Blindspots

-Connected Devices Increasingly At Risk Of Ransomware Attacks

-Ransomware Payments Explode Amid ‘Quadruple Extortion’

-Accenture Hit With $50M Ransomware

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

SMBs Increasingly Vulnerable To Ransomware, Despite The Perception They Are Too Small To Target

A new report this week warns that small and medium-sized businesses (SMBs) are at particular risk based on the attack trends seen during the first six months of the year. The report revealed that during the first half of 2021, 4 out of 5 organisations experienced a cyber security breach originating from a vulnerability in their third-party vendor ecosystem. That’s at a time when the average cost of a data breach rose to around $3.56 million, with the average ransomware payment jumping 33% to more than $100,000.

https://www.helpnetsecurity.com/2021/08/10/smbs-ransomware/

May 2021 Saw A 440% Increase In Phishing, The Single Largest Phishing Spike On Record

In May 2021, a report revealed a 440% increase in phishing, holding the record for the single largest phishing spike in a single month. It also showed that industries such as oil, gas and mining saw a 47% increase in the same six-month period, with manufacturing and wholesale traders seeing a 32% increase. The report extends its yearly threat intelligence report, with updated metrics between January 1 and June 30 2021. It also investigates the latest trends in malware, phishing and crypto exchanges.

https://www.infosecurity-magazine.com/news/may-phishing-increase-webroot/

Users Can Be Just As Dangerous As Hackers

Most organisations should be at least as worried about user management as they are about Bond villain-type hackers launching compromises from abroad. Most organisations have deployed single sign-on and modern identity-management solutions. These generally allow easy on-boarding, user management, and off-boarding. However, on mobile devices, these solutions have been less effective. Examples include mobile applications such as WhatsApp, Signal, Telegram, or even SMS-which are common in the workforce. All these tools allow for low-friction, agile communication in an increasingly mobile business environment. Today, many of these tools offer end-to-end encryption (e2ee), which is a boon when viewed through the lens of protecting against outside attackers. However, e2ee also resists internal governance and compliance programs.

https://thehackernews.com/2021/08/users-can-be-just-as-dangerous-as.html?m=1

With Crime-As-A-Service, Anyone Can Be An Attacker

Crime-as-a-Service (CaaS) is the practice of experienced cybercriminals selling access to the tools and knowledge needed to execute cyber crime – in particular, it’s often used to create phishing attacks. For hackers, phishing is one of the easiest ways to steal your organisation’s data. Traditionally, executing a successful phishing campaign required a seasoned cyber criminal with technical expertise and knowledge of social engineering. However, with the emergence of CaaS, just about anyone can become a master of phishing for a small fee.

https://www.helpnetsecurity.com/2021/08/03/crime-as-a-service/

The Rise Of Cloud Is Creating Security Blindspots

Businesses are growing increasingly reliant on cloud services, but with all the good, businesses must also face the bad, according to a new report which says that the rise of cloud means greater complexity and more security blind spots.

Increased expansion into the cloud has led to new risks. All of the respondents in the report had suffered at least one incident in their public cloud environment in the last year, with 30 percent saying they had no formal sign-off before pushing to production.

https://www.itproportal.com/news/the-rise-of-cloud-is-creating-security-blindspots/

Connected Devices Increasingly At Risk As New Ransomware Attacks Are Reported Almost Daily

A report has been released on the state of connected devices. The 2021 study addresses pandemic-related cyber security challenges, including the growth of connected devices and related increase of security risks from these devices as threat actors took advantage of chaos to launch attacks. The study incorporates security risk and trend analysis of anonymized data for the past 12 months (June 2020 through June 2021) across the company’s 500+ deployments in healthcare, life sciences, retail, and manufacturing verticals. The number of agentless and un-agentable devices increased to 42% in this year’s report (compared to 32% of agentless or un-agentable devices in 2020).

https://www.helpnetsecurity.com/2021/08/12/connected-devices-risks/

The Value Of PII And How It Still Fuels Malign Activities In The Digital Ecosystem

The COVID-19 pandemic engendered new vulnerabilities in the digital ecosystem for threat actors to exploit, resulting in items like vaccines, fraudulent vaccine certificates, and other COVID-19 related items being sold in dark marketplaces and underground forums, an Intelligence report reveals. The research analysed the value of personally identifiable information (PII), drawing links between the breach economy, PII, and a range of emerging digital threats to executives and brands.

https://www.helpnetsecurity.com/2021/08/10/pii-value-digital-ecosystem/

Ransomware Payments Explode Amid ‘Quadruple Extortion’

Two reports slap hard figures on what’s already crystal clear: Ransomware attacks have skyrocketed, and ransomware payments are the comet trails that have followed them skyward. The average ransomware payment spiked 82 percent year over year: It’s now over half a million dollars, according to the first-half 2021 update report. As far as the sheer multitude of attacks goes, researchers on Thursday reported that they’ve identified and analysed 121 ransomware incidents so far in 2021, a 64 percent increase in attacks, year-over-year.

https://threatpost.com/ransomware-payments-quadruple-extortion/168622/

Hackers Netting Average Of Nearly $10,000 For Stolen Network Access

A new report from a cyber security company has spotlighted the thriving market on the dark web for network access that nets cyber criminals thousands of dollars. Researchers have examined network access sales on underground Russian and English-language forums before compiling a study on why criminals sell their network access and how criminals transfer their network access to buyers. More than 37% of all victims in a sample of the data were based in North America while there was an average price of $9,640 and a median price of $3,000.

https://www.zdnet.com/article/hackers-netting-average-of-nearly-10000-for-stolen-network-access/

1M Stolen Credit Cards Hit Dark Web For Free

Threat actors have leaked 1 million stolen credit cards for free online as a way to promote a fairly new and increasingly popular cyber criminal site dedicated to…selling payment-card credentials. Researchers noticed the leak of the payment-card data during a “routine monitoring of cyber crime and Dark Web marketplaces,” researchers said in a post published over the weekend. The cards were published on an underground card-selling market, AllWorld.Cards, and stolen between 2018 and 2019, according to info posted on the forum.

https://threatpost.com/1m-stolen-credit-cards-dark-web/168514/

Ransomware Group Demanding $50M In Accenture Security Breach

The hacker group behind a ransomware attack on global solution provider giant Accenture has made a ransom demand for $50 million, according to a cyber security firm that reports seeing the demand. The threat actor is demanding the $50 million in exchange for more than 6 TB of data, according to a tweet.

https://www.crn.com/news/security/ransomware-group-demanding-50m-in-accenture-security-breach-cyber-firm

Threats

Ransomware

Phishing

Other Social Engineering

Malware

Mobile

IOT

Vulnerabilities

Organised Crime & Criminal Actors

Dark Web

Supply Chain

DoS/DDoS

Nation State Actors

Cloud

Privacy

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Read More
Black Arrow Admin Black Arrow Admin

Black Arrow Cyber Threat Briefing 23 July 2021

Black Arrow Cyber Threat Briefing 23 July 2021: 40% Fell Victim To A Phishing Attack In The Past Month; Traditional Ransomware Defences Are Failing Businesses; The Number Of Employees Going Around IT Security May Surprise You; 740 Ransomware Victims Named On Data Leak Sites In Q2 2021; A More Dynamic Approach Is Needed To Tackle Today’s Evolving Cyber Security Threats; Law Firm For Ford, Boeing, Exxon, Marriott, Walgreens, And More Hacked In Ransomware Attack; UK And Allies Accuse China Of 'Reckless' Cyber Extortion And Microsoft Hack; Even after Emotet takedown, Office docs deliver 43% of all malware downloads now; Gun owners' fears after firearms dealer data breach

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

40% Fell Victim To A Phishing Attack In The Past Month

The global shift to remote work has exacerbated the onslaught, sophistication, and impact of phishing attacks, according to Ivanti. Nearly three-quarters (74%) of respondents said their organisations have fallen victim to a phishing attack in the last year, with 40% confirming they have experienced one in the last month.

Eighty percent of respondents said they have witnessed an increase in volume of phishing attempts and 85% said those attempts are getting more sophisticated. In fact, 73% of respondents said that their IT staff had been targeted by phishing attempts, and 47% of those attempts were successful.

Smishing and vishing scams are the latest variants to gain traction and target mobile users. According to recent research by Aberdeen, attackers have a higher success rate on mobile endpoints than on servers – a pattern that is trending dramatically worse. Meanwhile, the annualized risk of a data breach resulting from mobile phishing attacks has a median value of about $1.7M, and a long tail of value of about $90M.

https://www.helpnetsecurity.com/2021/07/23/risk-phishing-attacks/

Traditional Ransomware Defences Are Failing Businesses

Traditional cyber security strategies are failing to protect organisations from ransomware attacks, new research suggests. Based on a poll of 200 IT decision-makers whose businesses recently suffered ransomware attacks, 54 percent of all victims had their employees go through anti-phishing training. Furthermore, almost half (49 percent) had perimeter defences set up at the time of the attack. However, attack methods have grown too sophisticated for traditional security measures to keep up. Many attacks (24 percent) still start with a successful phishing attempt, while almost a third (31 percent) see attacker enter the network through public cloud.

https://www.itproportal.com/news/traditional-ransomware-defenses-are-failing-businesses/

Cyber Security Risk: The Number Of Employees Going Around IT Security May Surprise You

Last month, a report was published highlighting challenges associated with enabling IT freedoms while ensuring tight security procedures. The findings detail a complex balancing act between IT teams and network users. Calibrating this equilibrium is particularly challenging in the age of remote work as employees log on and virtually collaborate via a host of digital solutions. Overall, the survey found that virtually all employees (93%) "are working around IT restrictions," and a mere 7% said they were "satisfied with their corporate IT restrictions." Interestingly, this information about IT workarounds does not match security leaders' and IT expectations.

https://www.techrepublic.com/article/cybersecurity-risk-the-number-of-employees-going-around-it-security-may-surprise-you/

740 ransomware victims named on data leak sites in Q2 2021: report

More than 700 organizations were attacked with ransomware and had their data posted to data leak sites in Q2 of 2021, according to a new research report from cyber security firm Digital Shadows.

Out of the almost 2,600 victims listed on ransomware data leak sites, 740 of them were named in Q2 2021, representing a 47% increase compared to Q1.

https://www.zdnet.com/article/740-ransomware-victims-named-on-data-leak-sites-in-q2-2021-report/

A More Dynamic Approach Is Needed To Tackle Today’s Evolving Cyber Security Threats

For decades, the cyber security industry has followed a defense-in-depth strategy, which allowed organisations to designate the battlefield against bad actors at their edge firewall. Nowadays, cyber criminals have become as creative as ever. New cyber threats are emerging every day, and with the constantly increasing rate of Ransomware, Phishing, etc. We’re forced to take a more dynamic approach when tackling these cyber threats on a day to day basis. Recent statistics demonstrate the scale of the cyber security issues faced by companies. In 2020, malware attacks increased by 358% and ransomware increased by 435%, and the average cost of recovering from a ransomware attack has doubled in the last 12 months, reaching almost $2 million in 2021.

https://www.helpnetsecurity.com/2021/07/13/dynamic-approach-cybersecurity-threats/

Law Firm For Ford, Boeing, Exxon, Marriott, Walgreens, And More Hacked In Ransomware Attack

Campbell Conroy & O'Neil, P.C., a law firm handling hundreds of cases for the world's leading companies, has announced a large data breach that resulted from a ransomware attack in February.  In a statement, the law firm said it noticed unusual activity on its network on February 27. The firm later realized it was being hit with a ransomware attack and contacted the FBI as well as cyber security companies for help.

https://www.zdnet.com/article/law-firm-for-ford-boeing-exxon-marriott-walgreens-and-more-hacked-in-ransomware-attack/

UK And Allies Accuse China Of 'Reckless' Cyber Extortion And Microsoft Hack

The Government was hinting yet again at covertly using Britain’s own offensive cyber capabilities – hitting back at cyber attacks with cyber attacks of our own. This approach goes all the way back to 2013, when then defence secretary told the Conservative Party conference that the UK would “build a dedicated capability to counter-attack in cyber space and, if necessary, to strike in cyber space”.

https://www.telegraph.co.uk/world-news/2021/07/19/uk-allies-accuse-china-reckless-cyber-extortion-microsoft-hack/

Even after Emotet takedown, Office docs deliver 43% of all malware downloads now

Malware delivered over the cloud increased by 68% in Q2, according to data from cyber security firm Netskope.

The company released the fifth edition of its Cloud and Threat Report that covers the cloud data risks, threats and trends they see throughout the quarter.

The report noted that cloud storage apps account for more than 66% of cloud malware delivery.

"In Q2 2021, 43% of all malware downloads were malicious Office docs, compared to just 20% at the beginning of 2020. This increase comes even after the Emotet takedown, indicating that other groups observed the success of the Emotet crew and have adopted similar techniques," the report said.

https://www.zdnet.com/article/even-after-emotet-takedown-office-docs-deliver-43-of-all-malware-downloads-now/

Gun Owners' Fears After Firearms Dealer Data Breach

Thousands of names and addresses belonging to UK customers of a leading website for buying and selling shotguns and rifles have been published to the dark web following a "security breach".

Guntrader.uk told the BBC it learned of the breach on Monday and had notified the Information Commissioner's Office.

Police, including the National Crime Agency, are investigating.

One affected gun owner said he was afraid the breach could lead to his family being targeted by criminals.

Gun ownership is tightly controlled in the UK, making guns difficult to acquire, and potentially valuable on the black market.

The individual, who did not wish to be named, told the BBC the breach "seriously compromises my security arrangements for my firearms and puts me in a situation where me and my family could be targeted and in danger".

https://www.bbc.co.uk/news/technology-57932823  

Threats

Ransomware

BEC

Phishing

Malware

Mobile

Vulnerabilities

Data Breaches

Organised Crime & Criminal Actors

Supply Chain

DoS/DDoS

OT, ICS, IIoT and SCADA

Nation State Actors

Cloud

Privacy

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Read More
Black Arrow Admin Black Arrow Admin

Black Arrow Cyber Threat Briefing 01 April 2021

Black Arrow Cyber Threat Briefing 01 April 2021: Boards Still Aren't Taking Cyber Security Seriously, That Means Everyone Is At Risk; Nearly 40% Of New Ransomware Families Use Both Data Encryption And Data Theft In Attacks; Ransomware - Why We Are Now Facing A Perfect Storm; Nearly A Fifth Of Ransomware Victims Who Pay Off Extortionists Fail To Get Their Data Back; Shadow IT Is Your Organisation's Next Remote-Working Nightmare

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Image by Jo_Johnston from Pixabay

Top Cyber Stories of the Last Week

Boards Still Aren't Taking Cyber Security Seriously, That Means Everyone Is At Risk

Cyber security still is not taken as seriously as it should be by boardroom executives – and that's leaving organisations open to cyber attacks, data breaches and ransomware, the new boss of the National Cyber Security Centre (NCSC) has warned. In her first speech since taking the helm of the UK cyber security agency, CEO Lindy Cameron said cyber security should be viewed with the same importance to CEOs as finance, legal or any other vital day-to-day part of the enterprise.

https://www.zdnet.com/article/boardrooms-still-arent-taking-cybersecurity-seriously-and-thats-putting-everyone-at-risk-from-attacks-warns-new-ncsc-boss/

Nearly 40% Of New Ransomware Families Use Both Data Encryption And Data Theft In Attacks

2020 saw an explosion of ransomware that also steals data, giving the attackers more leverage over their victims. If organisations first refuse to pay a ransom to decrypt their data, attackers threaten to leak the stolen information, increasing pressure on victims to pay. This evolution, referred to as Ransomware 2.0 in the report, was a significant development in 2020. Only one ransomware group was observed using this type of extortion in 2019. By the end of 2020, 15 different ransomware families had adopted this approach. Furthermore, nearly 40% of ransomware families discovered in 2020, as well as several older families, were known to also steal data from victims by the end of last year.

https://www.helpnetsecurity.com/2021/03/31/ransomware-families-data-encryption/

Ransomware: Why We Are Now Facing A Perfect Storm

Ransomware is becoming more successful than ever before because of a combination of factors that allow cyber criminals to easily gain access to corporate networks – and they are finding success because a significant number of organisations that fall victim to attacks are willing to pay the ransom. A report warns that the 'perfect storm' of conditions have come together and allowed ransomware attacks to run rampant against organisations around the world.

https://www.zdnet.com/article/ransomware-why-were-now-facing-a-perfect-storm/

Ransomware: Nearly A Fifth Of Victims Who Pay Off Extortionists Fail To Get Their Data Back

The poll found that close to half (46%) of UK ransomware victims paid the ransom to restore access to their data last year, yet an unfortunate 11% of victims who shelled out did not have their stolen data returned. Whether they paid or not, only 18% of 1,006 UK victims surveyed were able to restore all their encrypted or blocked files following an attack. Internationally the picture is still worse with more than half (56%) paying off extortionists and nearly one in five of whom (17%) failing to get their data back even after paying out.

https://portswigger.net/daily-swig/ransomware-nearly-a-fifth-of-victims-who-pay-off-extortionists-fail-to-get-their-data-back

Billions Of Records Have Been Hacked Already. Make Cyber Security A Priority Or Risk Disaster

More data records have been compromised in 2020 alone than in the past 15 years combined, in what is described as a mounting "data breach crisis" in the latest study from analysis. Over the past 12 months, 31 billion data records have been compromised. This is up 171% from the previous year and constitutes well over half of the 55 billion data records that have been compromised in total since 2005.

https://www.zdnet.com/article/billions-of-records-have-been-hacked-already-make-cybersecurity-a-priority-of-risk-disaster-warns-analyst/

Ransomware Gang Urges Victims’ Customers To Demand A Ransom Payment

A ransomware operation known as 'Clop' is applying maximum pressure on victims by emailing their customers and asking them to demand a ransom payment to protect their privacy. A common tactic used by ransomware operations is to steal unencrypted data before encrypting a victim's network. This data is then used in a double-extortion tactic where they threaten to release the data if a ransom is not paid.

https://www.bleepingcomputer.com/news/security/ransomware-gang-urges-victims-customers-to-demand-a-ransom-payment/

Employee Lockdown Stress May Spark Cyber Security Risk

Stressed-out employees in a remote-working world could be a major contributor to poor cybersecurity postures for companies, according to a survey. Among other findings, the survey found that younger employees as well as people caring for children or other family members reported more stress in their lives, as well riskier IT behaviours when compared to other demographics. For instance, 67 percent of employees under 30 said they use shadow IT (unsanctioned apps, services, and equipment) to help them to perform certain tasks more easily, compared to 27 percent of older workers.

https://threatpost.com/employee-lockdown-stress-cybersecurity-risk/165050/

Shadow IT Is Your Organisation's Next Remote-Working Nightmare

Shadow IT refers to the use of devices, systems and software outside of those permitted by an organisational IT department. According to new research by software company Forcepoint, more than a third (37%) of UK employees are now relying on shadow IT at home, increasing companies' exposure to cyber security risks.

The use of personal devices appears to be one of the biggest culprits: 48% of respondents admitted to using their own devices to access work documents and corporate networks while working from home. Meanwhile, 34% of employees reported using private email or file-sharing cloud services for work purposes – again against the advice of employers.

https://www.techrepublic.com/article/shadow-it-is-your-organizations-next-remote-working-nightmare/

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Read More
Black Arrow Admin Black Arrow Admin

Cyber Threat Briefing 16 October 2020: ransomware tidal wave; notable ransomware victims from the last week; BEC Attacks: Nigeria no longer epicentre, losses top $26B; Trickbot back; MS fix 87 vulns

Cyber Threat Briefing 16 October 2020: ransomware tidal wave of attacks; Notable ransomware victims of the last week; BEC Attacks: Nigeria No Longer the Epicentre as Losses top $26B; Trickbot back after disruption attempts; Microsoft October 2020 Patch Tuesday fixes 87 vulnerabilities; Malware gangs love open source offensive hacking tools

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities and cyber related news from the last week.

Threats

Ransomware

Ransomware is growing and growing and getting worse all the time, with the G7 this week warning of ‘a tidal wave of ransomware attacks’ [source]. It is fast approaching becoming such a problem that it may soon reach epidemic status with few organisations left unaffected as firm after firm falls victim.

The ransomware gangs have turned crime into a multi-million pound business empire, it is estimated that $7.5 billion was extorted from victims last year in the United States alone [source], putting any legitimate industry or business sector to shame in term of meteoric growth. This is not small scale actors working out of their bedrooms, they have customer support centres and 24/7 helplines, they have plush offices and flash cars, paid for by the victims of their crimes, paid for by firms like yours paying ransoms.

And here's how attackers are getting in: in nearly half (47%) of ransomware cases gangs used the open remote desktop protocol, a tool that has been used by many companies to help staff work from home, but which can also give attackers a way in if it is not correctly secured.

More than a quarter (26%) of cases were traced back to a phishing email, and a smaller number used specific vulnerability exploits (17%), including Citrix NetScaler CVE-2019-19781 and Pulse VPN CVE-2019-11510. This was followed by account takeovers, at 10%. [source]

Criminal gangs have earned so much money and power they are now outsourcing much of the labour, allowing them to live of their spoils while their empires continue to grow, while they do next to nothing, with more and more joining their ranks [source]

As long as even a small number of victims pay the ransom this remains highly lucrative for attackers.

The ransom for Software AG is $23m, but they will demand much smaller sums from much smaller firms – so how are they doing this? Are larger firms being specifically targeted with tailored phishing campaigns, where they hope they will get lucky in getting an employee to fall for the bait, where lower value targets are being hit with machine/algorithmic generated phishing attacks, with lower levels of sophistication and more of a ‘spray and pray’ approach, hoping casting a wide enough net will still result in larger numbers of lower value victims.

We keep trying to warn firms how bad this is getting, and we don’t do this to drum up business, we do this because we are hugely concerned about the direction this is going and how damaging this can be for any firm.

Many firms are reluctant to take cyber security seriously, believing it won’t happen to them, but it is happening to firm after firm after firm who believed it wouldn’t happen to them. It’s too late to start thinking about what you should have done after you’ve become a victim, it’s far better, and far cheaper, to take steps to avoid being a victim in the first place than trying to recover or pay the ransom.

Of the increasing number of firms that do go hit, many don’t survive, and those that do often find things are never the same again, with impacts on confidence levels in your staff and in your IT and information security departments [source]

Ransomware is not only affecting desktops, laptops and servers, but also now increasingly Android and other mobile platforms [source]

Protecting against ransomware is not a luxury or something that can kicked down the road to look at another day, firms need to ensure they are protecting themselves against this threat now – before they become a victim.

Notable ransomware victims of the last week

There have been a number of high profile victims of ransomware in the last week, notably Software AG, a German conglomerate with operations in more than 70 countries, which was attacked by the Clop group who are threatening to dump stolen data if the $23 million ransom is not paid.

Carnival Cruises were hit with ransomware affecting data and personal information for guests, employees and crew for Carnival Cruises, Holland America and Seabourn as well as casino operations.

Early indications point to the disruption being experiences by Hackney Council with their systems stemming from a ransomware attack, although this has not been confirmed.

BEC

BEC Attacks: Nigeria No Longer the Epicentre as Losses top $26B

Business Email Compromise (BEC) Fraudsters now have bases of operation across at least 39 countries and are responsible for $26 billion in losses annually, and growing.

A study of more than 9,000 instances of BEC attacks all over the world shows that the number has skyrocketed over the past year, and that the social-engineering scam has expanded well beyond its historic roots in Nigeria.

Why this matters:

A recent report entitled The Global Reach of Business Email Compromise, found that these attacks cost businesses a staggering $26 billion every year. And that trend appears to be accelerating. In fact, researchers found BEC attacks currently make up a full 40 percent of cyber crime losses globally, impacting at least 177 countries.

For context, the Anti-Phishing Working Group recently find that the average wire transfer in a BEC scan is around $80,000.

In a BEC attack, a scammer impersonates a company executive or other trusted party and tries to trick an employee responsible for payments or other financial transactions into writing money to a bogus account. Attackers usually conduct a fair amount of recon work, studying executive styles and uncovering the organisations vendors, billing system practices and other information to help mount a convincing attack.

Read more: https://threatpost.com/bec-attacks-nigeria-losses-snowball/160118/

Trickbot back after disruption attempts

The Trickbot botnet looks to be working once again, despite separate efforts in the past few weeks aimed at disrupting its operation.

Earlier this month the Emotet spam botnet – which is often the precursor to TrickBot being loaded onto a system – began receiving spam templates intended for mass distribution. These spam templates contained Microsoft Word document attachments with malicious macros that fetch and load a copy of Emotet onto the victim machine. The Emotet bot reached out to its controllers and received commands to download and execute Trickbot on victim machines.

The Trickbot group tag that researchers identified is tied to a typical infection campaign that information security researchers have been observing for the past 6 months or more.

Additionally, Intel 471 researchers saw an update to the Trickbot plugin server configuration file. Fifteen server addresses were added, and two old servers were retained in the configuration, along with the server’s ‘.onion’ address. This was likely done as a fix that would help operators maintain that their infrastructure remains operational. [link]

Why this matters:

The fix is another round in the back-and-forth between Trickbot’s operators and the separate public and private sector parties that have attempted to disrupt the botnet’s actions. This includes actions by the US Cyber Command and Microsoft, who issued a public statement that it had taken legal action to “combat ransomware ahead of U.S. elections.” The legal action involved Microsoft attempting to disrupt a number of Trickbot command and control server IP addresses in the United States.

The fact that Trickbot has resumed normal operations despite the best efforts of the likes of the US Cyber Command and Microsoft shows how resilient of an operation Trickbot is, and how much more effort is needed to fully take the botnet offline for good. The botnet’s operators have all the IT support of legitimate enterprises – continuity planning, backups, automated deployment, and a dedicated workforce – that allow them to quickly react to disruptive measures.

Read more: https://public.intel471.com/blog/trickbot-online-emotet-microsoft-cyber-command-disruption-attempts/

Vulnerabilities

Microsoft October 2020 Patch Tuesday fixes 87 vulnerabilities

Microsoft this week released its monthly batch of security updates known as Patch Tuesday, and this month the OS maker has patched 87 vulnerabilities across a wide range Microsoft products.

By far, the most dangerous bug patched this month is CVE-2020-16898. Described as a remote code execution (RCE) vulnerability in the Windows TCP/IP stack, this bug can allow attackers to take over Windows systems by sending malicious ICMPv6 Router Advertisement packets to an unpatched computer via a network connection.

Another bug to keep an eye on is CVE-2020-16947, a remote code execution issue in Outlook. Microsoft says this bug can be exploited by tricking a user to open a specially crafted file with an affected version of Microsoft Outlook software. [source1] [source2]

Why this matters:

The bug was discovered internally by Microsoft engineers, and OS versions vulnerable to CVE-2020-16898 include Windows 10 and Windows Server 2019.

With a severity score of 9.8 out of a maximum 10, Microsoft considers the bug dangerous and likely to be weaponised, and rightfully so.

Patching the bug is recommended, but workarounds such as disabling ICMPv6 RDNSS support also exist, which would allow system administrators to deploy temporary mitigations until they quality-test this month’s security updates for any OS-crashing bugs.

Critical SonicWall VPN Portal Bug Allows DoS, Worming RCE

A critical security bug in the SonicWall VPN Portal can be used to crash the device and prevent users from connecting to corporate resources. It could also open the door to remote code execution (RCE), researchers said.

The flaw (CVE-2020-5135) is a stack-based buffer overflow in the SonicWall Network Security Applicance (NSA). According to researchers who discovered it, the flaw exists within HTTP/HTTPS service used for product management and SSL VPN remote access. [source]

Why this matters:

An unskilled attacker could trigger a persistent denial-of-service condition using an unauthenticated HTTP request involving a custom protocol handler.

Adding insult to injury, this particular flaw exists in a pre-authentication routine, and within a component (SSL VPN) which is typically exposed to the public internet.

 ‘More Than A Billion’ Phone Wide Open To ‘Backdoor’ Remote Code Execution in Adtech Company’s Code

Malicious code impacting more than a billion smartphone owners is currently in the wild and enabling remote code execution. [source]

Why this matters:

Remote code execution is a very serious security violation, and basically enables the owner of that code do almost anything they want on your phone.

Miscellaneous Cyber News of the Weeks

Malware gangs love open source offensive hacking tools

In the cyber security field, the term OST (Open Source Tools) refers to software apps, libraries, and exploits that possess offensive hacking capabilities and have been released as either free downloads or under an open source license.

OST projects are usually released to provide a proof-of-concept exploit for a new vulnerability, to demonstrate a new (or old) hacking technique, or as penetration testing utilities shared with the community.

These discussions have been taking place for more than a decade. However, they have always been based on personal experiences and convictions, and never on actual raw data.

That changed this week when a security researcher compiled data on 129 open source offensive hacking tools and searched through malware samples and cyber-security reports to discover how widespread was the adoption of OST projects among hacking groups — such as low-level malware gangs, elite financial crime groups, and even nation-state sponsored APTs. [source]

The results were compiled in an interactive map – available here

Why this matters:

Today, OST is one of the most (if not the most) controversial topics in the information security  community.

On one side, you have the people who are in favour of releasing such tools, arguing that they can help defenders learn and prepare systems and networks for future attacks.

On the opposing side, you have the ones who say that OST projects help attackers reduce the costs of developing their own tools and hiding activities into a cloud of tests and legitimate pen-tests.

Fitbit Spyware Steals Personal Data via Watch Face

A researcher has found they can take advantage of lax Fitbit privacy controls to build a malicious spyware watch face.

A wide-open app-building API (Application Programming Interface) could allow an attacker to build a malicious application that could access Fitbit user data, and send it to any server.

A proof-of-concept was created to do just that, after realizing that Fitbit devices are loaded with sensitive personal data. [source]

Why this matters:

Essentially, the API could send device type, location and user information including gender, age, height, heart rate and weight and it could also access calendar information. While this doesn’t include PII profile data, the calendar invites could expose additional information such as names and locations.

The researcher was able to make the app available through the Fitbit Gallery (where Fitbit showcases various third-party and in-house apps). Thus, the spyware appears legitimate, and increase the likelihood it would be downloaded.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Read More
Black Arrow Admin Black Arrow Admin

Cyber Weekly Flash Briefing 03 July 2020: Ransomware attacks increasing, Microsoft emergency updates, ransomware gang auction data, 'return to work' traps, new Windows botnet, Cisco SMB router flaws

Cyber Weekly Flash Briefing 03 July 2020: Ransomware attacks increasing, Microsoft emergency updates, ransomware gang auction data, 'return to work' traps, new Windows botnet, Cisco SMB router flaws

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Ransomware attacks are increasing, do you have an emergency plan in place?

Cyber attacks and data breaches can have serious implications for organisations in terms of downtime, financial damage and reputation of the business. Ransomware attacks that seek to encrypt a victim’s data and demand a fee to restore it continue to be prevalent. Unfortunately, the damage caused can be severe and widespread, yet 39% of organizations either have no ransomware emergency plan in place or are not aware if one exists. This is despite more ransomware attacks being recorded in the past 12 months than ever before.

The largest ransomware attack to date – WannaCry – was estimated to have affected more than 200,000 computers across 150 separate countries. Ransomware today is rife and has been exacerbated by the current work-from-home trend.

21% of respondents to a recent survey said they had experienced a ransomware attack, and of those, 26% admitted they couldn’t access any working backup after the attack. Even when organisations could access a working backup, 22% of them could either only restore a partial amount of data or none at all.

In most countries, employees have been working under a completely different set of parameters for a couple of months; ones where new security risks are high and where cybercriminals are finding new ways to exploit any weaknesses they can find.

Read more: https://www.helpnetsecurity.com/2020/07/01/ransomware-emergency-plan/

Further reading: The 11 Biggest Ransomware Attacks Of 2020 (So Far) https://www.crn.com/slide-shows/security/the-11-biggest-ransomware-attacks-of-2020-so-far-?itc=refresh

Microsoft releases emergency update to fix two serious Windows flaws

Microsoft on Tuesday released emergency security patches to plug a pair of serious vulnerabilities in its Windows Codecs library that impact several Windows 10 and Windows Server versions. Indexed as CVE-2020-1425 and CVE-2020-1457, the two remote-code execution (RCE) flaws are rated as ‘critical’ and ‘important’ in severity, respectively.

Both security loopholes have to do with how Microsoft Windows Codecs Library handles objects in memory. An attacker of the first flaw could obtain information to further compromise the user’s system, while successful exploitation of the second flaw could enable attackers to execute arbitrary code on the targeted machine.

Details are very sparse and there’s no word on specific attack vectors, but Microsoft said that exploitation of either vulnerability “requires that a program process a specially crafted image file”. This could, for example, involve luring the target into downloading and opening a malicious image file shared via email or a compromised website.

Read more: https://www.welivesecurity.com/2020/07/01/microsoft-releases-emergency-update-two-serious-windows-flaws/

Researchers Find New Calendar-Based Phishing Campaign

Researchers have once again spotted crooks using calendar invitations to mount phishing attacks using iCalendar. iCalendar is a media type that lets users store and exchange calendaring and scheduling information, including events and tasks.

Whilst this is evidence of a new campaign, this is not a new technique. A similar attack cropped up last June, when researchers found attackers using Google's auto-add feature. In that attack, smartphone users would see the invitation as a pop-up invitation, displaying a link to a phishing URL that asked for their credit card data and personal information.

Read more: https://www.infosecurity-magazine.com/news/calendar-phishing-campaign/

REvil Ransomware Gang Adds Auction Feature for Stolen Data

The REvil ransomware gang (also known as Sodinokibi) has added an auction feature to its underground website that allows anonymous bidding on information stolen in its targeted ransomware campaigns.

The auction capability appeared at the beginning of June and in announcing the feature, REvil included details on its first lot, the firm said, containing accounting information, files and databases stolen from a Canadian agricultural company.

A few days later on June 8, bidding went live, giving interested parties the choice to submit a bid (starting at $50,000) or buy the data outright, with a higher “blitz” price ($100,000).

Other victims whose data went up for sale in auction include a U.S. food distributor (accounts and documents with a starting price of $100,000 and a blitz price of double that); a U.S. law firm (50GB of data including confidential and personal information on clients, with a starting price of $30,000 and a blitz price of $50,000); and a U.S. intellectual property law firm (1.2TB of data including ‘all’ internal documentation, correspondence, patent agreements and client confidential information with a starting price of $1 million and a blitz price of $10 million).

As for why the latter’s data is so valuable, “data stolen from the intellectual property law firm reportedly includes information related to new technologies and unfiled patents that, given the high-profile client list, likely explains the high starting and blitz prices,” the firm noted in a report Monday, adding that the data would possibly be of interest to competitors or even a nation-state seeking to gain economic advantages.

Read more here: https://threatpost.com/revil-ransomware-gang-auction-stolen-data/157006/

Criminals set 'return to work' traps

Just because workers are returning to their offices, that doesn't mean criminals can't still abuse Covid-19 to spread malware and steal sensitive data.

According to a new report criminals are setting “return to work traps”, taking advantage of the training employees need to go through as they return to the office in its new form.

Many workers now need to go through various tutorials, webinars and training sessions, to ensure they are compliant with new workplace rules set up to prevent viral transmission. Sensing an opportunity, cybercriminals are disguising malware as webinar recordings and other educational material.

According to the report, these new practices are mostly reserved for businesses in North America and Europe, where lockdown measures are slowly being eased up and people are being allowed to return to work.

Read more here: https://www.itproportal.com/news/criminals-set-return-to-work-traps/

This new botnet has recruited an army of Windows devices

A new botnet is exploiting close to a dozen high and critical-severity vulnerabilities in Windows systems to turn them into cryptomining clients as well as to launch DDoS attacks.

The malware behind the botnet has been given the name Satan DDoS though security researchers have taken to referring to its as Lucifer in order to avoid confusion with the Satan ransomware.

A security firm began looking into the botnet after discovering it while following multiple incidents involving the exploitation of a critical vulnerability in a component of a web framework which can lead to remote code execution.

At first the Lucifer malware was believed to be used to mine the cryptocurrency Monero. However, it later become apparent that the malware also contains a DDoS component as well as a self-spreading mechanism that uses severe vulnerabilities and brute-forcing to its advantage.

Read more here: https://www.techradar.com/news/this-new-botnet-has-recruited-an-army-of-windows-devices

Cisco SMB routers hit with another major security flaw

Security researchers have discovered a significant cross-site scripting (XSS) vulnerability in the web admin interface of two small business routers from Cisco.

The XSS vulnerability exists in the company's RVO42 and RV042G routers and it provides attackers with an easy way to take control of the devices' web configuration utility.

This could allow an attacker to perform a number of admin actions from viewing and modifying sensitive information to taking control of the router or even having the ability to move laterally and gain access to other systems on the network.

Read more here: https://www.techradar.com/news/cisco-smb-routers-hit-with-another-major-security-flaw

Xerox apparently victim of Maze attack

It appears that Xerox is the latest victim of Maze ransomware attackers, if screenshots posted by the ransomware’s operators are legitimate.

The hackers claim to have obtained more than 100GB of information and are threatening to publish it, according to a reports.

Maze has hit a number of high-profile targets and in recent months has joined forces with other ransomware groups.

Read more: https://www.scmagazine.com/home/security-news/ransomware/xerox-apparent-victim-of-maze-attack/

FakeSpy Android Malware Spread Via ‘Postal-Service’ Apps

Android mobile device users are being targeted in a new SMS phishing campaign that’s spreading the FakeSpy infostealer. The malware, which is disguised as legitimate global postal-service apps, steals SMS messages, financial data and more from the victims’ devices.

The campaign was first discovered several weeks ago targeting South Korean and Japanese speakers, but it has now expanded that targeting to China, Taiwan, France, Switzerland, Germany, the United Kingdom and the United States. The attacker uses text messages as an initial infection vector, prompting the Android recipients to click on a malicious link, in a practice known as SMS phishing or “smishing.”

Read more here: https://threatpost.com/fakespy-android-malware-spread-via-postal-service-apps/157102/

New Mac Ransomware Is Even More Sinister Than It Appears

There haven't been too many strains tailored specifically to infect Apple's Mac computers since the first full-fledged Mac ransomware surfaced four years ago but new findings published this week have highlighted a new example of Mac ransomware called ThiefQuest.

In addition to ransomware, ThiefQuest has a whole other set of spyware capabilities that allow it to exfiltrate files from an infected computer, search the system for passwords and cryptocurrency wallet data, and run a robust keylogger to grab passwords, credit card numbers, or other financial information as a user types it in. The spyware component also lurks persistently as a backdoor on infected devices, meaning it sticks around even after a computer reboots, and could be used as a launchpad for additional, or "second stage," attacks. Given that ransomware is so rare on Macs to begin with, this one-two punch is especially noteworthy.

Read more here: https://www.wired.com/story/new-mac-ransomware-thiefquest-evilquest/

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Read More