Threat Intelligence Blog
Contact us to discuss any insights from our Blog, and how we can support you in a tailored threat intelligence report.
Black Arrow Cyber Advisory 30/09/2022 – Microsoft SQL Servers Targeted by FARGO Ransomware
Black Arrow Cyber Advisory 30/09/2022 – Microsoft SQL Servers Targeted by FARGO Ransomware
Executive Summary
Unsecured Microsoft SQL servers have been identified as the target for FARGO Ransomware (aka Mallox, aka TargetCompany). This ransomware strain attempts to shut down various processes and services on affected machines before encrypting the data and supplying a ransom note, which contains a warning that data may be published on the public domain if payment is not received.
What’s the risk to me or my business?
At current the threat actors appear to be targeting vulnerable Microsoft SQL servers and gain initial access through either credential brute forcing or through known vulnerabilities that have not been patched. If the threat actor gains access to this server and successfully delivers the ransomware, then data could be encrypted and published on the public domain.
What can I do?
Ensure that leading practices are followed for securing Microsoft SQL servers, including both timely patching of security vulnerabilities when made available, and ensuring that server administrator accounts are protected with strong passwords and multi-factor authentication where available.
Technical Summary
The attack unfolds by first a threat actor having initial access to the MS-SQL process, allowing them to execute a .net file through either CMD or Powershell. This file downloads additional malware, which then generates a .BAT file that shuts down certain processes and services. The ransomware is then injected into AppLaunch.exe, which is a normal windows program. It attempts to delete a registry key, executes recovery deactivation and closes some additional processes including the MS-SQL server. This allows access to the database offline, which allows for the files to be encrypted with the .FARGO3 extension. A ransomware note named ‘RECOVERY FILES.TXT’ is then generated, detailing payment, with a warning that data will be published on the public domain if the payment is not received.
Further information on this ransomware strain is available here, including Indicators of Compromise: FARGO Ransomware (Mallox) Being Distributed to Unsecured MS-SQL Servers - ASEC BLOG (ahnlab.com)
Need help understanding your gaps, or just want some advice? Get in touch with us.
Black Arrow Cyber Threat Briefing 20 May 2022
Black Arrow Cyber Threat Briefing 20 May 2022
-Fifth of Businesses Say Cyber Attack Nearly Broke Them
-Weak Security Controls and Practices Routinely Exploited for Initial Access
-How Do Ransomware Attacks Impact Victim Organisations’ Stock?
-Prioritise Patching Vulnerabilities Associated with Ransomware
-Researchers Warn of Advanced Persistent Threats/Nation State Actors (APTs), Data Leaks as Serious Threats Against UK Financial Sector
-Remote Work Hazards: Attackers Exploit Weak WiFi, Endpoints, and the Cloud
-Small Businesses Under Fire from Password Stealers
-Email Is the Riskiest Channel for Data Security
-Phishing Attacks for Initial Access Surged 54% in Q1
-State of Internet Crime in Q1 2022: Bot Traffic on The Rise, And More
-Fears Grow for Smaller Nations After Ransomware Attack on Costa Rica Escalates
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
Fifth of Businesses Say Cyber Attack Nearly Broke Them
A fifth of US and European businesses have warned that a serious cyber attack nearly rendered them insolvent, with most (87%) viewing compromise as a bigger threat than an economic downturn, according to Hiscox.
The insurer polled over 5000 businesses in the US, UK, Ireland, France, Spain, Germany, the Netherlands and Belgium to compile its annual Hiscox Cyber Readiness Report.
It revealed the potentially catastrophic financial damage that a serious cyber-attack can wreak. The number claiming to have nearly been brought down by a breach increased 24% compared to the previous year.
Nearly half (48%) of respondents said they suffered an attack over the past 12 months, a 12% increase from the previous report’s findings. Perhaps unsurprisingly, businesses in seven out of eight countries see cyber as their biggest threat.
Yet perception appears to vary greatly depending on whether an organisation has suffered a serious compromise or not. While over half (55%) of total respondents said they view cyber as a high-risk area, the figure among companies that have not yet suffered an attack is just 36%.
https://www.infosecurity-magazine.com/news/fifth-of-businesses-cyber-attack/
Weak Security Controls and Practices Routinely Exploited for Initial Access
Cyber actors routinely exploit poor security configurations (either misconfigured or left unsecured), weak controls, and other poor cyber hygiene practices to gain initial access or as part of other tactics to compromise a victim’s system. A joint Cybersecurity Advisory by the cyber security authorities of the United States, Canada, New Zealand, the Netherlands, and the United Kingdom identifies commonly exploited controls and practices and includes best practices to mitigate the issues.
Malicious cyber actors often exploit the following common weak security controls, poor configurations, and poor security practices to employ the initial access techniques.
Multifactor authentication (MFA) is not enforced
Incorrectly applied privileges or permissions and errors within access control lists
Software is not up to date
Use of vendor-supplied default configurations or default login usernames and passwords
Remote services, such as a virtual private network (VPN), lack sufficient controls to prevent unauthorised access
Strong password policies are not implemented
Cloud services are unprotected
Open ports and misconfigured services are exposed to the internet
Failure to detect or block phishing attempts
Poor endpoint detection and response.
https://www.cisa.gov/uscert/ncas/alerts/aa22-137a
How Do Ransomware Attacks Impact Victim Organisations’ Stock?
Ransomware has developed into an extremely lucrative business model with little risk involved for the threat actors. Couple this with the willingness of most victim organisations to pay the ransom demand under the assumption it will return business operations to normal - ultimately encouraging more attacks - and we have a big problem with no easy remedies.
Back in 2021, Cybereason published a report titled Ransomware Attacks and the True Cost to Business that revealed the various costs that organisations face after falling victim to a ransomware attack. Here are some of the most significant findings that stood out:
Two-thirds of ransomware victims said that they endured a significant loss of revenue following the attack
More than half (53%) of organisations suffered damage to their brand and reputation after a ransomware infection
A third of those who fell to ransomware lost C-level talent in the attack’s aftermath
Three in 10 organisations had no choice but to lay off employees due to the financial pressures resulting from a ransomware incident
A quarter of ransomware victims said that they needed to suspend operations.
Prioritise Patching Vulnerabilities Associated with Ransomware
In the last quarter, ransomware attacks have made mainstream headlines on a near-daily basis, with groups like Lapsus$ and Conti’s names splashed across the page. Major organisations like Okta, Globant and Kitchenware maker Meyer Corporation have all fallen victim, and they are very much not alone. The data indicates that increasing vulnerabilities, new advanced persistent threat (APT) groups and new ransomware families are contributing to ransomware’s continued prevalence and profitability.
The top stats include:
22 new vulnerabilities and nine new weaknesses have been associated with ransomware since January 2022; of the 22, a whopping 21 are considered of critical or high risk severity
19 (out of 22) of the newly-added vulnerabilities are associated with the Conti ransomware gang
Three new APT groups (Exotic Lily, APT 35, DEV-0401) and four new ransomware families (AvosLocker, Karma, BlackCat, Night Sky) are deploying ransomware to attack their targets
141 of CISA’s Known Exploited Vulnerabilities (KEVs) are being used by ransomware operators – including 18 newly identified this quarter
11 vulnerabilities tied to ransomware remain undetected by popular scanners
624 unique vulnerabilities were found within the 846 healthcare products analysed.
https://www.helpnetsecurity.com/2022/05/19/increase-ransomware-vulnerabilities/
Researchers Warn of Advanced Persistent Threats (APTs), Data Leaks as Serious Threats Against UK Financial Sector
Researchers say that geopolitical tension, ransomware, and cyber attacks using stolen credentials threaten the UK's financial sector.
KELA's security team published a report examining the cyber security issues and attacks that surfaced in 2021 and early 2022, specifically focused on the United Kingdom's banks and other financial services.
The UK was one of the first countries to stand with Ukraine after the invasion by Russia. This could make UK organisations a tempting target for threat actors siding with Russia - whether by state-sponsored advanced persistent threat (APT) groups or hacktivists. The National Cyber Security Centre (NCSC) previously warned businesses to shore up their cyber security following Russia's assault.
APTs are often responsible for attacking the financial sector: account credentials, card numbers, and the personally identifiable information (PII) of customers are useful not only in social engineering and identity theft but also to make fraudulent purchases or for card cloning.
APTs target organisations worldwide, and those located in the UK are no exception. Over the past few years, APTs, including the Chinese APT40 and APT31, have utilised vulnerabilities, including ProxyLogon, to compromise UK businesses.
"In general, APTs may target the financial sector to commit fraud, burglarise ATMs, execute transactions, and penetrate organisations' internal financial systems," KELA says. "Although specific threats to the UK financial sector have not been identified, there is no doubt that the UK has occasionally been a target of APT groups during 2021."
Exposed corporate information and leaked credentials are also of note. After browsing Dark Web forums, the researchers found that UK data is "in demand" by cyber criminals who are seeking PII, access credentials, and internal data.
Remote Work Hazards: Attackers Exploit Weak WiFi, Endpoints, and the Cloud
Infoblox unveils a global report examining the state of security concerns, costs, and remedies. As the pandemic and uneven shutdowns stretch into a third year, organisations are accelerating digital transformation projects to support remote work. Meanwhile, attackers have seized on vulnerabilities in these environments, creating more work and larger budgets for security teams.
1,100 respondents in IT and cyber security roles in 11 countries – United States, Mexico, Brazil, United Kingdom, Germany, France, the Netherlands, Spain, United Arab Emirates, Australia, and Singapore – participated in the survey.
The surge in remote work has changed the corporate landscape significantly – and permanently. 52% of respondents accelerated digital transformation projects, 42% increased customer portal support for remote engagement, 30% moved apps to third party cloud providers, and 26% shuttered physical offices for good. These changes led to the additions of VPNs and firewalls, a mix of corporate and employee owned devices as well as cloud and on-premises DDI servers to manage data traffic across the expanded network.
The hybrid workforce reality is causing greater concerns with data leakage, ransomware and attacks through remote access tools and cloud services. Respondents indicate concerns about their abilities to counter increasingly sophisticated cyber attacks with limited control over employees, work-from-home technologies, and vulnerable supply chain partners. The sophistication of state-sponsored malware also is a source of worry for many.
Organisations have good reason to worry: 53% of respondents experienced up to five security incidents that led to at least one breach.
https://www.helpnetsecurity.com/2022/05/17/state-of-security/
Small Businesses Under Fire from Password Stealers
Password-stealing malware and other cyber attacks have increased significantly against small businesses over the past year, according to Kaspersky researchers.
An assessment released this week detailed the number of Trojan Password Stealing Ware (PSW) detections, internet attacks and attacks on Remote Desktop Protocol (RDP) between January and April 2022, compared with the same time frame from 2021. Kaspersky's research showed a jump in the detection of password stealers within small business environments, as well as increases in other types of cyber attacks.
According to Kaspersky, the biggest increase in threats against small businesses was password stealers, specifically Trojan PSWs. There were nearly 1 million more detected Trojan PSWs targeting small and medium-sized businesses in the first trimester of 2022 than the first of 2021, increasing from 3,029,903 to 4,003,323.
Email Is the Riskiest Channel for Data Security
Research from Tessian and the Ponemon Institute reveals that nearly 60% of organisations experienced data loss or exfiltration caused by an employee mistake on email in the last 12 months.
Email was revealed as the riskiest channel for data loss in organisations, as stated by 65% of IT security practitioners. This was closely followed by cloud file-sharing services (62%) and instant messaging platforms (57%).
The research surveyed 614 IT security practitioners across the globe to also reveal that:
Employee negligence, because of not following policies, is the leading cause of data loss incidents (40%)
27% of data loss incidents are caused by malicious insiders
It takes up to three days for security and risk management teams to detect and remediate a data loss and exfiltration incident caused by a malicious insider on email
23% of organisations experience up to 30 security incidents involving employees’ use of email every month (for example, email was sent to an unintended recipient).
The most common types of confidential and sensitive information lost or intentionally stolen include: customer information (61%); intellectual property (56%); and consumer information (47%). User-created data (sensitive email content, text files, M&A documents), regulated data (credit card data, Social Security numbers, national ID numbers, employee data), and intellectual property were identified as the three types of data that are most difficult to protect from data loss.
The top two consequences for data loss incidents were revealed as non-compliance with data protection regulations (57%) and damage to an organisation’s reputation (52%). Furthermore, a previous study from Tessian found that 29% of businesses lost a client or customer because of an employee sending an email to the wrong person.
https://www.helpnetsecurity.com/2022/05/20/data-loss-email/
Phishing Attacks for Initial Access Surged 54% in Q1
Threat actors doubled down on their use of phishing emails as an initial attack vector during the first quarter of 2022 — and in many cases then used that access to drop ransomware or to extort organisations in other ways.
Researchers from Kroll recently analysed data gathered from security incidents they responded to in the first three months of this year. The analysis showed a 54% increase in incidents of phishing for initial access compared with the same period last year.
For the first time since Microsoft disclosed the so-called ProxyLogon set of vulnerabilities in Exchange Server in the first quarter of 2021, incidents tied to email compromises surpassed those related to ransomware. Kroll described the sharp increase in phishing activity as likely the result of a surge in activity tied to Emotet and IceID malware — threat actors have been using both to drop other malware.
https://www.darkreading.com/risk/phishing-attacks-for-initial-access-surged-q1
Fears Grow for Smaller Nations After Ransomware Attack on Costa Rica Escalates
Conti demanded $20M in ransom — and the overthrow of the government.
It’s been a rough start for the newly elected Costa Rica president Rodrigo Chaves, who less than a week into office declared his country “at war” with the Conti ransomware gang.
“We’re at war and this is not an exaggeration,” Chaves told local media. “The war is against an international terrorist group, which apparently has operatives in Costa Rica. There are very clear indications that people inside the country are collaborating with Conti.”
Conti’s assault on the Costa Rican government began in April. The country’s Finance Ministry was the first hit by the Russia-linked hacking group, and in a statement on May 16, Chaves said the number of institutions impacted had since grown to 27. This, he admitted, means civil servants wouldn’t be paid on time and will impact the country’s foreign trade.
In a message posted to its dark web leaks blog, Conti urged the citizens of Costa Rica to pressure their government to pay the ransom, which the group doubled from an initial $10 million to $20 million. In a separate statement, the group warned: “We are determined to overthrow the government by means of a cyber attack, we have already shown you all the strength and power.”
Conti is among the most prolific hacking groups. The FBI warned earlier this year that the gang was among “the three top variants” that targeted businesses in the United States, and it has been blamed for ransomware attacks targeting dozens of businesses, including Fat Face, Shutterfly and the Irish healthcare service.
But Conti has picked up its pace in recent months: In January and February it published 31 victims on its leaks blog. In March and April, it posted 133 victims.
https://techcrunch.com/2022/05/20/costa-rica-ransomware-attack/
Threats
Ransomware
Ransomware Gangs Rely More on Weaponizing Vulnerabilities (bleepingcomputer.com)
Ransomware Gang Extorted 725 BTC in One Attack, On-Chain Sleuths Find (coindesk.com)
5 Critical Questions to Test Your Ransomware Preparedness - Help Net Security
“Alarming” Surge in Conti Group Activity This Year - Infosecurity Magazine
Why AI-Powered Ransomware Cyber Attacks Could Be Coming Soon - Protocol
Nikkei Says Customer Data Likely Impacted in Ransomware Attack | SecurityWeek.Com
Wizard Spider Hackers Hire Cold Callers to Scare Ransomware Victims Into Paying Up | ZDNet
Greenland Hit by Cyber Attack, Finds Its Health Service Crippled (bitdefender.com)
Conti Ransomware Shuts Down Operation, Rebrands into Smaller Units (bleepingcomputer.com)
No One Is Slowing Down BlackByte Ransomware Gang • The Register
President Rodrigo Chaves says Costa Rica is at war with Conti hackers - BBC News
Engineering Firm Parker Discloses Data Breach After Ransomware Attack (bleepingcomputer.com)
US links Thanos and Jigsaw ransomware to 55-year-old doctor (bleepingcomputer.com)
Russian Conti Ransomware Gang Threatens to Overthrow New Costa Rican Government (thehackernews.com)
Phishing & Email Based Attacks
This Phishing Attack Delivers Three Forms of Malware. And They All Want to Steal Your Data | ZDNet
HTML Attachments Remain Popular Among Phishing Actors In 2022 (bleepingcomputer.com)
Chatbot Army Deployed in Latest DHL Shipping Phish (darkreading.com)
Phishing Gang That Stole Over 400,000 Euros Busted in Spain (tripwire.com)
Long Lost @ Symbol Gets New Life Obscuring Malicious URLs | Malwarebytes Labs
Spanish Police Dismantle Phishing Gang That Emptied Bank Accounts (bleepingcomputer.com)
Malware
Microsoft Identifies Botnet Variant Targeting Windows and Linux Systems - Infosecurity Magazine
Activity of the Linux XorDdos bot increased by 254% over the last 6 monthsSecurity Affairs
Fake Domains Offer Windows 11 Installers - But Deliver Malware Instead | ZDNet
Bruised but Not Broken: The Resurgence of the Emotet Botnet Malware (trendmicro.com)
Malicious PyPI Pymafka Package Opens Backdoors On Windows, Linux, and Macs (bleepingcomputer.com)
April VMware Bugs Abused to Deliver Mirai Malware, Exploit Log4Shell | Threatpost
Mobile
6 Scary Tactics Used in Mobile App Attacks (darkreading.com)
Researchers Find Potential Way to Run Malware on iPhone Even When it's OFF (thehackernews.com)
Google TAG: Cytrox's Predator Spyware Used to Target Android Users | WIRED
IoT
Data Breaches/Leaks
Organised Crime & Criminal Actors
Ukrainian Hacker Jailed for 4-Years in U.S. for Selling Access to Hacked Servers (thehackernews.com)
US Recovers a Record $15m from the 3ve Ad-Fraud Crew • The Register
Cryptocurrency/Cryptomining/Cryptojacking/NFTs
How Cryptocurrencies Enable Attackers and Defenders (techtarget.com)
Monero-Mining Sysrv Botnet Targets Windows, Linux Web Servers • The Register
US Brings First-Of-Its-Kind Bitcoin Sanctions-Busting Case • The Register
Fake Pixelmon NFT Site Infects You with Password-Stealing Malware (bleepingcomputer.com)
Hackers Compromise a String of NFT Discord Channels (vice.com)
Fraud, Scams & Financial Crime
Supply Chain and Third Parties
MITRE Creates Framework for Supply Chain Security (darkreading.com)
The Four Horsemen of Software Supply Chain Attacks - MSSP Alert
Cloud/SaaS
7 Key Findings from the 2022 SaaS Security Survey Report (thehackernews.com)
New Research Identifies Poor IAM Policies as The Greatest Cloud Vulnerability - CyberScoop
Are You Investing in Securing Your Data in the Cloud? (thehackernews.com)
380K Kubernetes API Servers Exposed to Public Internet | Threatpost
Open Source
Privacy
How To Ensure That the Smart Home Doesn’t Jeopardize Data Privacy? - Help Net Security
Privacy. Ad Bidders Haven't Heard of It, Report Reveals • The Register
Third-Party Web Trackers Log What You Type Before Submitting (bleepingcomputer.com)
Passwords & Credential Stuffing
The Most Insecure and Easily Hackable Passwords - Help Net Security
Half of IT Leaders Store Passwords in Shared Docs - Infosecurity Magazine
Cyber Bullying and Cyber Stalking
Regulations, Fines and Legislation
Europe Moves Closer to Stricter Cyber Security Standards • The Register
EU's NIS 2 Directive to Strengthen Cyber Security Requirements For Companies - Help Net Security
Spyware, Espionage & Cyber Warfare, including Russian Invasion of Ukraine
Google TAG: Cytrox's Predator Spyware Used to Target Android Users | WIRED
How Mobile Networks Have Become a Front in the Battle for Ukraine (darkreading.com)
China-linked Twisted Panda Caught Spying on Russian R&D Orgs • The Register
Pro-Russian Hackers Spread Hoaxes to Divide Ukraine, Allies | SecurityWeek.Com
A custom PowerShell RAT Targets Germany Using Crisis in Ukraine as Bait - Security Affairs
Nation State Actors
Nation State Actors – Russia
Putin Promises to Bolster Russia's IT Security in Face of Cyber Attacks | Reuters
Russian Hackers Declare War On 10 Countries After Failed Eurovision DDoS attack | IT PRO
Pro-Russian Information Operations Escalate in Ukraine War (darkreading.com)
Russian Undersea Cable Threat Shifts Tech Business to UK (telegraph.co.uk)
Russians Allegedly Storm Ukrainian ISP, Blackmail It to Switch To Russian Networks - CyberScoop
Russia-linked Sandworm Continues to Conduct Attacks Against Ukraine - Security Affairs
Russian Cyber Attack on Eurovision Foiled By Italian Authorities (bitdefender.com)
This Russian Botnet Does Far More Than DDoS Attacks - And on A Massive Scale | ZDNet
Nation State Actors – China
Nation State Actors – North Korea
Nation State Actors – Iran
Vulnerabilities
QNAP Urges Users to Update NAS Devices to Prevent Deadbolt Ransomware Attacks (thehackernews.com)
Cisco Fixes an IOS XR Flaw Actively Exploited in The Wild - Security Affairs
2 Vulnerabilities With 9.8 Severity Ratings Are Under Exploit. A 3rd Looms | Ars Technica
Microsoft Rushes a Fix After May Patch Tuesday Breaks Authentication (darkreading.com)
Microsoft Fixes New PetitPotam Windows NTLM Relay Attack Vector (bleepingcomputer.com)
Apple Patches Zero-Day Kernel Hole and Much More – Update Now! – Naked Security (sophos.com)
High-Severity Bug Reported in Google's OAuth Client Library for Java (thehackernews.com)
Over 20,000 Zyxel Firewalls Still Exposed to Critical Bug - Infosecurity Magazine
Apple Fixes the Sixth Zero-Day Since The Beginning of 2022 - Security Affairs
Mozilla Patches Wednesday’s Pwn2Own Double-Exploit… on Friday! – Naked Security (sophos.com)
Critical Vulnerability in Premium WordPress Themes Allows for Site Takeover | Threatpost
Critical Jupiter WordPress Plugin Flaws Let Hackers Take Over Sites (bleepingcomputer.com)
Apple Finally Patches Exploited Vulnerabilities in macOS Big Sur, Catalina | SecurityWeek.Com
NVIDIA Fixes Ten Vulnerabilities in Windows GPU Display Drivers (bleepingcomputer.com)
New Brute Force Attacks Against SQL Servers Use PowerShell Wrapper | SecurityWeek.Com
Sector Specific
Retail/eCommerce
How Crooks Backdoor Sites and Scrape Credit Card Info • The Register
Digital Skimming is Now the Preserve of Non-Magecart Groups - Infosecurity Magazine
Energy & Utilities
Water Companies Are Increasingly Uninsurable Due To Ransomware, Industry Execs Say - CyberScoop
UK Announces Nuclear Cyber Security Strategy - IT Security Guru
Education and Academia
Ransomware Attack Exposes Data of 500,000 Chicago Students (bleepingcomputer.com)
Higher Education Institutions Being Targeted for Ransomware Attacks | TechRepublic
“Incompetent” Council Leaks Details of Students With Special Educational Needs • Graham Cluley
Researchers Find Backdoor in School Management Plugin for WordPress (thehackernews.com)
Other News
UK Government: Lack of Skills the Number One Issue in Cyber Security - Infosecurity Magazine
Malicious Hackers Are Finding It Too Easy to Achieve Their Initial Access (tripwire.com)
How Threat Actors Are a Click Away From Becoming Quasi-APTs (darkreading.com)
Cyber Security: Global Food Supply Chain at Risk From Malicious Hackers - BBC News
Cyber Security Agencies Reveal Top Initial Access Attack Vectors (bleepingcomputer.com)
50% of Orgs Rely on Email to Manage Security (darkreading.com)
Black Arrow Cyber Threat Briefing 22 October 2021
Black Arrow Cyber Threat Briefing 22 October 2021
-Many Organisations Lack Basic Cyber Hygiene Despite High Confidence In Their Cyber Defences
-83% Of Ransomware Victims Paid Ransom: Survey
-Report: Ransomware Affected 72% Of Organizations In Past Year
-Ransomware: Looking For Weaknesses In Your Own Network Is Key To Stopping Attacks
-A Hacker Warns: Give Up Trying To Keep Me Out — And Focus On Your Data
-Cyber Risk Trends Driving The Surge In Ransomware Incidents
-US Ransomware Victims Paid $600 Million to Hackers in 1H of 2021
-Hacking Group Created Fake Cyber Security Companies To Hire Experts And Involve Them In Ransomware Attacks Tricking Them Of Conducting A Pentest
-Nearly Three-Quarters of Organizations Victimized by DNS Attacks in Past 12 Months
-Cyber Crime Matures As Hackers Are Forced To Work Smarter
-Hackers Stealing Browser Cookies to Hijack High-Profile YouTube Accounts
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
Many Organisations Lack Basic Cyber Hygiene Despite High Confidence In Their Cyber Defences
A new report released this week analysed IT security leaders’ perceived threat of ransomware attacks and the maturity of their cyber security defences. The report found that while 81% of those surveyed consider their security to be above average or exceptional, many lack basic cyber hygiene – 41% lack a password complexity requirement, one of the cheapest, easiest forms of protection, and only 55.6% have implemented multi-factor authentication (MFA). https://www.helpnetsecurity.com/2021/10/21/organizations-cyber-hygiene/
83% Of Ransomware Victims Paid Ransom
A new survey of 300 US-based IT decision-makers found that 64% have been victims of a ransomware attack in the last 12 months, and 83% of those attack victims paid the ransom demand.
Cybersecurity company ThycoticCentrify released its "2021 State of Ransomware Survey & Report" on Tuesday, featuring the insights of IT leaders who have dealt with ransomware attacks over the last year. https://www.zdnet.com/article/83-of-ransomware-victims-paid-ransom-survey/
Ransomware Affected 72% Of Organisations In Past Year
72% of organisations were affected by ransomware at least once within the past twelve months, with 18% impacted more than six times in the past year. Organizations of all sizes were affected nearly to the same extent, with the exception of those with more than 25,000 employees. https://venturebeat.com/2021/10/20/report-ransomware-affected-72-of-organizations-in-past-year/
Ransomware: Looking For Weaknesses In Your Own Network Is Key To Stopping Attacks
Ransomware is a major cybersecurity threat to organisations around the world, but it's possible to reduce the impact of an attack if you have a thorough understanding of your own network and the correct protections are in place.
While the best form of defence is to stop ransomware infiltrating the network in the first place, thinking about how the network is put together can help slow down or stop the spread of an attack, even if the intruders have successfully breached the perimeter. https://www.zdnet.com/article/ransomware-looking-for-weaknesses-in-your-own-network-is-key-to-stopping-attacks/
A Hacker Warns: Give Up Trying To Keep Me Out — And Focus On Your Data
There is a misconceived notion that the security arena is a battlefield. It is not. It is a chess board and requires foresight and calculated pawn placement to protect the king — your data. If your main focus lies on keeping hackers out of your environment, then it’s already check mate. Your mission should be to buy time, slow hackers down and ultimately contain an attack.
Businesses must therefore make it as hard as possible for adversaries to exploit the relationships that allow them to move laterally through the corporate network. They can do this by distrusting anyone within their data’s environment and repeatedly corroborating that all users are who they say they are, and that they act like it too. That last part is crucial, because while identities are easy to compromise and imitate, behaviours are not. https://www.ft.com/content/93cec8b6-3fe9-4e9e-800a-62e13a0e2eac
Cyber Risk Trends Driving The Surge In Ransomware Incidents
During the COVID-19 crisis, another outbreak took place in the cyber space: a digital pandemic driven by ransomware. In a recent report, Allianz Global Corporate & Specialty (AGCS) analyzes the latest risk developments around ransomware and outlines how companies can strengthen their defenses with good cyber hygiene and IT security practices
The increasing frequency and severity of ransomware incidents is driven by several factors:
· Growing number of different attack patterns such as double and triple extortion campaigns
· Criminal business model around ‘ransomware as a service’ and cryptocurrencies
· Recent skyrocketing of ransom demands
· Rise of supply chain attacks.
Not all attacks are targeted. Criminals also adopt a scattergun approach to exploit those businesses that aren’t addressing or understanding the vulnerabilities they may have. Businesses must understand the need to strengthen their controls.
Cyber intrusion activity globally jumped 125% in the first half of 2021 compared to the previous year, according to Accenture, with ransomware and extortion operations one of the major contributors behind this increase. According to the FBI, there was a 62% increase in ransomware incidents in the US in the same period that followed an increase of 20% for the full year 2020. https://www.helpnetsecurity.com/2021/10/18/five-ransomware-trends/
US Ransomware Victims Paid $600 Million to Hackers in 1H of 2021
US Ransomware victims coughed up nearly $600 million to cyber hijackers in the first six months of 2021, further stamping cyber extortionists as an “increasing threat” to the U.S. financial, business and public sectors, a recent report released by the Treasury Department said.
Data gathered by the Financial Crimes Enforcement Network (FinCEN) derived from financial institutions’ Suspicious Activity Reports (SARs) revealed that the 635 reports filed for the first six months of this year is already 30 percent greater than the 487 filed for all of last year. Some 458 financial transitions have been reported as of June 30, 2021 with the total value of suspicious activity reported in ransomware-related SARs during the first six months of 2021 amounting to $590 million, or 42 percent more than the $416 million filed for all of 2020. https://www.msspalert.com/cybersecurity-research/victims-paid-600-millon-1h-2021/
Hacking Group Created Fake Cyber Security Companies To Hire Experts And Involve Them In Ransomware Attacks Tricking Them Of Conducting A Pentest
The FIN7 hacking group is attempting to enter in the ransomware business and is doing it with an interesting technique. The gang is creating fake cyber security companies that hire experts requesting them to carry out pen testing attacks under the guise of pentesting activities.
FIN7 is a Russian criminal group that has been active since mid-2015, it focuses on restaurants, gambling, and hospitality industries in the US to harvest financial information that was used in attacks or sold in cybercrime marketplaces.
One of the companies created by the cyber criminal organizations with this purpose is Combi Security, but researchers from Gemini Advisory discovered other similar organizations by analyzing the site of another fake cybersecurity company named Bastion Security. https://securityaffairs.co/wordpress/123673/cyber-crime/fin7-fake-cybersecurity-firm.html
Nearly Three-Quarters of Organisations Victimized by DNS Attacks in Past 12 Months
Domain name system (DNS) attacks are impacting organizations at worrisome rates. According to a new survey from the Neustar International Security Council (NISC) conducted in September 2021, 72% of study participants reported experiencing a DNS attack within the last 12 months. Among those targeted, 61% have seen multiple attacks and 11% said they have been victimized regularly. While one-third of respondents recovered within minutes, 58% saw their businesses disrupted for more than an hour, and 14% took several hours to recover. https://www.darkreading.com/attacks-breaches/nearly-three-quarters-of-organizations-victimized-by-dns-attacks-in-past-12-months
Cyber Crime Matures As Hackers Are Forced To Work Smarter
An analysis of 500 hacking incidents across a wide range of industries has revealed trends that characterize a maturity in the way hacking groups operate today.
Researchers at Kaspersky have focused on the Russian cybercrime underground, which is currently one of the most prolific ecosystems, but many elements in their findings are common denominators for all hackers groups worldwide.
One key finding of the study is that the level of security on office software, web services, email platforms, etc., is getting better, browser vulnerabilities have reduced in numbers, and websites are not as easy to compromise and use as infection vectors today.
This has resulted in making web infections too difficult to pursue for non-sophisticated threat groups.
The case is similar with vulnerabilities, which are fewer and more expensive to discover.
Instead, hacking groups are waiting for a PoC or patch to be released, and then use that information to create their own exploits. https://www.bleepingcomputer.com/news/security/cybercrime-matures-as-hackers-are-forced-to-work-smarter/
Hackers Stealing Browser Cookies to Hijack High-Profile YouTube Accounts
Since at least late 2019, a network of hackers-for-hire have been hijacking the channels of YouTube creators, luring them with bogus collaboration opportunities to broadcast cryptocurrency scams or sell the accounts to the highest bidder.
That's according to a new report published by Google's Threat Analysis Group (TAG), which said it disrupted financially motivated phishing campaigns targeting the video platform with cookie theft malware. The actors behind the infiltration have been attributed to a group of hackers recruited in a Russian-speaking forum. https://thehackernews.com/2021/10/hackers-stealing-browser-cookies-to.html
Threats
Ransomware
2021 Ransomware Transactions Already Exceed 2020 Numbers, Treasury Department Says - CyberScoop
DarkSide Ransomware Rushes To Cash Out $7 Million In Bitcoin (Bleepingcomputer.Com)
Gigabyte Allegedly Hit by AvosLocker Ransomware | Threatpost
Evil Corp Demands $40 Million In New Macaw Ransomware Attacks (Bleepingcomputer.com)
Olympus US Hack Tied To Sanctioned Russian Ransomware Group | Techcrunch
81% of UK Healthcare Organizations Hit by Ransomware in Last Year - Infosecurity Magazine
BEC
Phishing
Malware
Cyber Criminals Have Found A Way To Get Their Malware Certified By Microsoft | Techradar
Minecraft Declared The Most Malware-Infected Game (Hackread.Com)
Mobile
Vulnerabilities
Update Now! Chrome Fixes More Security Issues - Malwarebytes Labs
A Flaw In WinRAR Could Lead To Remote Code Execution - Security Affairs
SQL Is The Top Critical Risk In The Web Application Layer In Q3, 2021 - IT Security Guru
Data Breaches/Leaks
Organised Crime & Criminal Actors
Insider Threats
Dark Web
The Dark Web Has Become Darker And Busier, Cyber Crime Services Cost Less Than $500 | Techspot
Increased Activity Surrounding Stolen Data On The Dark Web - Help Net Security
The Truth About The Dark Web's Secret Red Rooms (grunge.com)
Supply Chain
OT, ICS, IIoT and SCADA
Nation State Actors
State-Backed Hackers Breach Telcos With Custom Malware (Bleepingcomputer.Com)
Suspected Chinese Hackers Behind Attacks On Ten Israeli Hospitals (Bleepingcomputer.Com)
Cloud
Privacy
Over 80% of Brits Deluged with Scam Calls and Texts - Infosecurity Magazine
How mobile devices can be tracked via Bluetooth analysis • The Register
Brave Ditches Google For Its Own Privacy-Centric Search Engine (Bleepingcomputer.Com)
A Massive ‘Stalkerware’ Leak Puts The Phone Data Of Thousands At Risk | Techcrunch
Reports Published in the Last Week
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Cyber Weekly Flash Briefing 29 May 2020: Criminals impersonate Google to target remote workers, ransomware up 950% in 2019, cloud collab tool use surges along with attacks, EasyJet £18 billion suit
Cyber Weekly Flash Briefing 29 May 2020: Criminals impersonate Google to target remote workers, ransomware up 950% in 2019, cloud collab tool use surges along with attacks, EasyJet £18 billion suit
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
60ish second video roundup
Cyber-Criminals Impersonating Google to Target Remote Workers
Remote workers have been targeted by up to 65,000 Google-branded cyber-attacks during the first four months of 2020, according to a new report. The study found that Google file sharing and storage websites were used in 65% of nearly 100,000 form-based attacks the security firm detected in this period.
According to the analysis, a number of Google-branded sites, such as storage.googleapis.com, docs.google.com, storage.cloud.google.com and drive.google.com, were used to try and trick victims into sharing login credentials. Google-branded attacks were far in excess of those impersonating Microsoft, with the sites onedrive.live.com, sway.office.com and forms.office.com making up 13% of attacks.
Other form-based sites used by attackers included sendgrid.net (10%), mailchimp.com (4%) and formcrafts.com (2%).
Read the full article here: https://www.infosecurity-magazine.com/news/cyber-criminals-impersonating/
Ransomware Demands Soared 950% in 2019
Ransomware operators had another standout year in 2019, with attacks and ransom demands soaring according to new data.
A new report claimed that, after a relatively quiet 2018, ransomware was back with a vengeance last year, as attack volumes climbed by 40%.
As large enterprises became an increasing focus for attacks, ransom demands also soared: from $8,000 in 2018 to $84,000 last year. That’s a 950% increase.
The “greediest ransomware families with highest pay-off” were apparently Ryuk, DoppelPaymer and REvil, the latter on occasion demanding $800,000.
Read more: https://www.infosecurity-magazine.com/news/ransomware-demands-soared-950-in/
Use of cloud collaboration tools surges and so do attacks
The COVID-19 pandemic has pushed companies to adapt to new government-mandated restrictions on workforce movement around the world. The immediate response has been rapid adoption and integration of cloud services, particularly cloud-based collaboration tools such Microsoft Office 365, Slack and videoconferencing platforms. A new report shows that hackers are responding to this with increased focus on abusing cloud account credentials.
Analysis of cloud usage data that was collected between January and April from over 30 million enterprise indicated a 50% growth in the adoption of cloud services across all industries. Some industries, however, saw a much bigger spike--for example manufacturing with 144% and education with 114%.
The use rate of certain collaboration and videoconferencing tools has been particularly high. Cisco Webex usage has increased by 600%, Zoom by 350%, Microsoft Teams by 300% and Slack by 200%. Again, manufacturing and education ranked at the top.
Huge rise in hacking attacks on home workers during lockdown
Hackers have launched a wave of cyber-attacks trying to exploit British people working from home, as the coronavirus lockdown forces people to use often unfamiliar computer systems.
The proportion of attacks targeting home workers increased from 12% of malicious email traffic before the UK’s lockdown began in March to more than 60% six weeks later, according to new data.
Attacks specifically aimed at exploiting the chaos wrought by Sars-CoV-2 have been evident since January, when the outbreak started to garner international news headlines.
The attacks have increased in sophistication, specifically targeting coronavirus-related anxieties rather than the more usual attempts at financial fraud or extortion.
In early May “a large malicious email campaign” was detected against UK businesses that told employees they could choose to be furloughed if they signed up to a specific website.
Read more here: https://www.theguardian.com/technology/2020/may/24/hacking-attacks-on-home-workers-see-huge-rise-during-lockdown?CMP=share_btn_tw
EasyJet faces £18 billion class-action lawsuit over data breach
UK budget airline easyJet is facing an £18 billion class-action lawsuit filed on behalf of customers impacted by a recently-disclosed data breach.
Made public on May 19, easyJet said that information belonging to nine million customers may have been exposed in a cyber attack, including over 2,200 credit card records.
The "highly sophisticated" attacker to blame for the security incident managed to access this financial information, as well as email addresses and travel details. EasyJet is still contacting impacted travelers.
The carrier did not explain how or exactly when the data breach took place, beyond that "unauthorized access" has been "closed off."
The National Cyber Security Centre (NCSC) and the UK's Information Commissioner's Office (ICO) have been notified, of which the latter has the power to impose heavy fines under GDPR if an investigation finds the carrier has been lax in data protection and security.
Last year, British Airways faced a "notice of intent" filed by the ICO to fine the airline £183.4 million for failing to protect the data of 500,000 customers in a data breach during 2018.
Read the full article here: https://www.zdnet.com/article/easyjet-faces-18-billion-class-action-lawsuit-over-data-breach/
Data Breach at Bank of America
Bank of America Corporation has disclosed a data breach affecting clients who have applied for the Paycheck Protection Program (PPP).
Client information was exposed on April 22 when the bank uploaded PPP applicants' details onto the US Small Business Administration's test platform. The platform was designed to give lenders the opportunity to test the PPP submissions before the second round of applications kicked off.
The breach was revealed in a filing made by Bank of America with the California Attorney General's Office. As a result of the incident, other SBA-authorized lenders and their vendors were able to view clients' information.
Data exposed in the breach consisted of details relating not only to individual businesses, but also to their owners. Compromised data may have included the business address and tax identification number along with the owner's name, address, Social Security number, phone number, email address, and citizenship status.
More Here: https://www.infosecurity-magazine.com/news/data-breach-at-bank-of-america/
Apple sends out 11 security alerts – get your fixes now!
Apple has just blasted out 11 email advisories detailing its most recent raft of security fixes.
There were 63 distinct CVE-tagged vulnerabilities in the 11 advisory emails.
11 of these vulnerabilities affected software right across Apple’s mobile, Mac and Windows products.
Read more: https://nakedsecurity.sophos.com/2020/05/27/apple-sends-out-11-security-alerts-get-your-fixes-now/
NSA warns of new Sandworm attacks on email servers
The US National Security Agency (NSA) has published a security alert warning of a new wave of cyber attacks against email servers conducted by one of Russia's most advanced cyber-espionage units.
The NSA says that members of Unit 74455 of the GRU Main Center for Special Technologies (GTsST), a division of the Russian military intelligence service, have been attacking email servers running the Exim mail transfer agent (MTA).
Also known as "Sandworm," this group has been hacking Exim servers since August 2019 by exploiting a critical vulnerability.
Read more: https://www.zdnet.com/article/nsa-warns-of-new-sandworm-attacks-on-email-servers/
DoubleGun Group Builds Massive Botnet Using Cloud Services
An operation from the China-based cybercrime gang known as DoubleGun Group has been disrupted, which had amassed hundreds of thousands of bots that were controlled via public cloud services, including Alibaba and Baidu Tieba.
Researchers in a recent post said that they noticed DNS activity in its telemetry that traced back to a suspicious domain controlling mass amounts of infected Windows devices. Analysis of the command-and-control (C2) infrastructure of the operation and the malware used to build the botnet showed that the effort could be attributed to a known threat group – DoubleGun, a.k.a. ShuangQiang.
Read more: https://threatpost.com/doublegun-massive-botnet-cloud-services/156075/
Malicious actor holds at least 31 stolen SQL databases for ransom
A malicious cyber actor or hacking collective has reportedly been sweeping the internet for online stores’ unsecured SQL databases, copying their contents, and threatening to publish the information if the rightful owners don’t pay up.
The perpetrator has stolen the copied versions of at least 31 SQL databases, which have been put up for sale on an unnamed website. These databases constitute roughly 1.620 million rows of information, including e-commerce customers’ names, usernames, email addresses, MD5-hashed passwords, birth dates, addresses, genders, account statuses, histories and more