Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

• Amid Legal Fallout, Cyber Insurers Redefine State-Sponsored Attacks as Act of War

As carriers rewrite their act-of-war exclusions following the NotPetya settlement between Mondelez and Zurich, organisations should read their cyber insurance policies carefully to see what is still covered.

The consequences from NotPetya, which the US government said was caused by a Russian cyber attack on Ukraine in 2017, continue to be felt as cyber insurers modify coverage exclusions, expanding the definition of an "act of war." Indeed, the 5-year-old cyber attack appears to be turning the cyber insurance market on its head.

Mondelez International, parent of such popular brands as Cadbury, Oreo, Ritz, and Triscuit, was hit hard by NotPetya, with factories and production disrupted. It took days for the company's staff to regain control of its computer systems. The company filed a claim with its property and casualty insurer, Zurich American, for $100 million in losses. After initially approving a fraction of the claim — $10 million — Zurich declined to pay, stating the attack was an act of war and thus excluded from the coverage. Mondelez filed a lawsuit.

Late last month Mondelez and Zurich American reportedly agreed to the original $100 million claim, but that wasn't until after Merck won its $1.4 billion lawsuit against Ace American Insurance Company in January 2022 for its NotPetya-related losses. Merck's claims also were against its property and casualty policy, not a cyber insurance policy.

Back in 2017, cyber insurance policies were still nascent, and so many large corporations filed claims for damages related to NotPetya — the scourge that caused an estimated $10 billion in damage worldwide — against corporate property and casualty policies.

What's Changed? The significance of these settlements illustrates an ongoing maturation of the cyber insurance market, says Forrester Research.

Until 2020 and the COVID-19 pandemic, cyber insurance policies were sold in a fashion akin to traditional home or auto policies, with little concern for a company's cyber security profile, the tools it had in place to defend its networks and data, or its general cyber hygiene.

Once a large number of ransomware attacks occurred that built off of the lax cyber security many organisations demonstrated, insurance carriers began tightening the requirements for obtaining such policies.

https://www.darkreading.com/edge-articles/amid-notpetya-fallout-cyber-insurers-define-state-sponsored-attacks-as-act-of-war

• Is Your Board Prepared For New Cyber Security Regulations?

Boards are now paying attention to the need to participate in cyber security oversight. Not only are the consequences sparking concern, but the new regulations are upping the ante and changing the game.

Boards have a particularly important role to ensure appropriate management of cyber risk as part of their fiduciary and oversight role. As cyber threats increase and companies worldwide bolster their cyber security budgets, the regulatory community, including the U.S. Securities and Exchange Commission (SEC), is advancing new requirements that companies will need to know about as they reinforce their cyber strategy.

Most organisations focus on cyber protection rather than cyber resilience, and that could be a mistake. Resiliency is more than just protection; it’s a plan for recovery and business continuation. Being resilient means that you’ve done as much as you can to protect and detect a cyber incident, and you have also done as much as you can to make sure you can continue to operate when an incident occurs. A company who invests only in protection is not managing the risk associated with getting up and running again in the event of a cyber incident.

Research indicates that most board members believe it is not a matter of if, but when, their company will experience a cyber event. The ultimate goal of a cyber-resilient organisation would be zero disruption from a cyber breach. That makes the focus on resilience more important.

In March 2022, the SEC issued a proposed rule titled Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure.  In it, the SEC describes its intention to require public companies to disclose whether their boards have members with cyber security expertise: “Cyber security is already among the top priorities of many boards of directors and cyber security incidents and other risks are considered one of the largest threats to companies. Accordingly, investors may find disclosure of whether any board members have cyber security expertise to be important as they consider their investment in the registrant as well as their votes on the election of directors of the registrant.”

The SEC will soon require companies to disclose their cyber security governance capabilities, including the board’s oversight of cyber risk, a description of management’s role in assessing and managing cyber risks, the relevant expertise of such management, and management’s role in implementing the registrant’s cyber security policies, procedures, and strategies. Specifically, where pertinent to board oversight, registrants will be required to disclose:

• whether the entire board, a specific board member, or a board committee is responsible for the oversight of cyber risks,

• the processes by which the board is informed about cyber risks, and the frequency of its discussions on this topic,

• whether and how the board or specified board committee considers cyber risks as part of its business strategy, risk management, and financial oversight.

https://hbr.org/2022/11/is-your-board-prepared-for-new-cybersecurity-regulations

• Unwanted Emails Steadily Creeping into Inboxes

A research from cloud security provider Hornetsecurity has revealed that 40.5% of work emails are unwanted. The Cyber Security Report 2023, which analysed more than 25 billion work emails, also reveals significant changes to the nature of cyber attacks in 2022 – indicating the constant, growing threats to email security, and need for caution in digital workplace communications.

Phishing remains the most common style of email attack, representing 39.6% of detected threats. Threat actors used the following file types sent via email to deliver payloads: Archive files (Zip, 7z, etc.) sent via email make up 28% of threats, down slightly from last year’s 33.6%, with HTML files increasing from 15.3% to 21%, and DOC(X) from 4.8% to 12.7%.

This year’s cyber security report shows the steady creep of threats into inboxes around the world. The rise in unwanted emails, now found to be nearly 41%, is putting email users and businesses at significant risk.

HornetSecurity’s analysis identified both the enduring risk and changing landscape of ransomware attacks – highlighting the need for businesses and their employees to be more vigilant than ever.

New cyber security trends and techniques for organisations to watch out for were also tracked. Since Microsoft disabled macros settings in Office 365, there has been a significant increase in HTML smuggling attacks using embedded LNK or ZIP files to deliver malware. Microsoft 365 makes it easy to share documents, and end users often overlook the ramifications of how files are shared, as well as the security implications. Hornetsecurity found 25% of respondents were either unsure or assumed that Microsoft 365 was immune to ransomware threats.

For these attackers, every industry is a target. Companies must therefore ensure comprehensive security awareness training while implementing next-generation preventative measures to ward off threats.

https://www.helpnetsecurity.com/2022/11/14/email-security-threats/

• People Are Still Using the Dumbest Passwords Available

If you were thinking that most people would have learned by now not to use “password” as the password for their sensitive systems, then you would be giving too much credit to the general scrolling public.

Cyber security researchers from Cybernews and password manager company NordPass both independently reported this week on data surrounding the most commonly-used passwords. Trying to discern the frequently used words, phrases, and numbers among the general public wouldn’t be simple if it weren’t for the troves of leaked passwords being sold on the dark web.

Cybernews said it based its data on a list of 56 million breached or leaked passwords in 2022 found via databases in darknet and clearnet hacker forums. Some of the most-used passwords were exactly what you expect, easy-to-remember junk passwords for company accounts, including “123456,” “root,” and “guest” all looking pretty in the top three.

NordPass, on the other hand, listed its top passwords by country and the supposed gender of the user. In their case, “password” sat in the number one spot for most-used password throughout the globe. Some countries had very specific passwords that were commonly used, such as “liverpool” being the number 4 most-used password in the UK despite it being 197 in the world. The number 2 most-used password for Brazil accounts is “Brasil” while in Germany, number 5 is “hallo.”

NordPass said the list of passwords was built by a team of independent researchers who compiled 3TB of data from listings on the dark web, including some data that was leaked in data breaches that occurred in 2022. The company noted that some data might be from late 2021, though the passwords were listed on the dark web in the new year.

https://gizmodo.com/passwords-hacker-best-passwords-cybersecurity-1849792818

• Zero-Trust Initiatives Stall, as Cyber Attack Costs Rocket to $1M per Incident

Researchers find current data protection strategies are failing to get the job done, and IT leaders are concerned, while a lack of qualified IT security talent hampers cyber-defence initiatives.

Organisations are struggling with mounting data losses, increased downtime, and rising recovery costs due to cyber attacks — to the tune of $1.06 million in costs per incident. Meanwhile, IT security teams are stalled on getting defences up to speed.

That's according to the 2022 Dell Global Data Protection Index (GDPI) survey of 1,000 IT decision-makers across 15 countries and 14 industries, which found that organisations that experienced disruption have also suffered an average of 2TB data loss and 19 hours of downtime.

Most respondents (67%) said they lack confidence that their existing data protection measures are sufficient to cope with malware and ransomware threats. A full 63% said they are not very confident that all business-critical data can be reliably recovered in the event of a destructive cyber attack.

Their fears seem founded: Nearly half of respondents (48%) experienced a cyber attack in the past 12 months that prevented access to their data (a 23% increase from 2021) — and that's a trend that will likely continue.

The growth and increased distribution of data across edge, core data centre and multiple public cloud environments are making it exceedingly difficult for IT admins to protect their data.

On the protection front, most organisations are falling behind; for instance, 91% are aware of or planning to deploy a zero-trust architecture, but only 12% are fully deployed.

And it's not just advanced defence that's lacking: Keegan points out that 69% of respondents stated they simply cannot meet their backup windows to be prepared for a ransomware attack.

https://www.darkreading.com/endpoint/zero-trust-initiatives-stall-cyberattack-costs-1m-per-incident

• 44% of Financial Institutions Believe Their Own IT Teams Are the Main Risk to Cloud Security

Netwrix, a cyber security vendor, today announced additional findings for the financial and banking sector from its global 2022 Cloud Security Report.

Compared to other industries surveyed, financial institutions are much more concerned about users who have legitimate access to their cloud infrastructure. Indeed, 44% of respondents in this sector say their own IT staff poses the biggest risk to data security in the cloud and 47% worry about contractors and partners, compared to 30% and 36% respectively in other verticals surveyed.

Financial organisations experience accidental data leakage more often than companies in other verticals: 32% of them reported this type of security incident within the last 12 months, compared to the average of 25%. This is a good reason for them to be concerned about users who might unintentionally expose sensitive information. To address this threat, organisations need to implement a zero-standing privilege approach in which elevated access rights are granted only when they are needed and only for as long as needed. Cloud misconfigurations are another common reason for accidental data leakage. Therefore, security teams must continually monitor the integrity of their cloud configurations, ideally with a dedicated solution that automates the process.

All sectors say phishing is the most common type of attack they experience. However, 91% of financial institutions say they can spot phishing within minutes or hours, compared to 82% of respondents in other verticals.

Even though mature financial organisations detect phishing quickly, it is still crucial for them to keep educating their personnel on this threat because attacks are becoming more sophisticated. To increase the likelihood of a user clicking a malicious link, attackers are crafting custom spear phishing messages that are directed at the person responsible for a certain task in the organisation and that appear to come from an authority figure. Regular staff training, along with continuous activity monitoring, will help reduce the risk of infiltration.

https://www.darkreading.com/cloud/44-of-financial-institutions-believe-their-own-it-teams-are-the-main-risk-to-cloud-security

• MFA Fatigue Attacks Are Putting Your Organisation at Risk

The rapid advancement of technology in all industries has led to the threat of ever-increasing cyber attacks that target businesses, governments, and individuals alike. A common threat targeting businesses is MFA Fatigue attacks—a technique where a cyber criminal attempts to gain access to a corporate network by bombarding a user with MFA prompts until they finally accept one.

MFA refers to multi-factor authentication, a layered end-user verification strategy to secure data and applications. For a user to log in, an MFA system needs them to submit various combinations of two or more credentials.

Using MFA Fatigue attacks, cyber criminals bombard their victims with repeated 2FA (two-factor authentication) push notifications to trick them into authenticating their login attempts, to increase their chances of gaining access to sensitive information. This attempt can be successful, especially when the target victim is distracted or overwhelmed by the notifications or misinterprets them as legitimate authentication requests.

One major MFA Fatigue attack, also known as MFA bombing, targeted the ride-sharing giant Uber in September 2022. Uber attributed the attack to Lapsus$, a hacking group that started by compromising an external contractor’s credentials.

Cyber criminals increasingly use social engineering attacks to access their targets’ sensitive credentials. Social engineering is a manipulative technique used by hackers to exploit human error to gain private information.

MFA Fatigue is a technique that has gained popularity among hackers in recent years as part of their social engineering attacks. This is a simple yet effective technique with destructive consequences as the hackers are banking on their targets’ lack of training and understanding of attack vectors. Since many MFA users are unfamiliar with this style of attack, they would not understand that they are approving a fraudulent notification.

https://www.bleepingcomputer.com/news/security/mfa-fatigue-attacks-are-putting-your-organization-at-risk/

• Cyber Security Training Boosts Risk Posture, Research Finds

Business executives worldwide see the economic advantages of continuing professional cyber security education and the steep downside from a workforce of under-trained individuals, Cybrary, a training platform provider, said in a new report.

The survey of 275 executives, directors and security professionals in North America and the UK who either procure or influence professional cyber security training, was conducted by consultancy Omdia. The results showed that the benefits of professional training boost an employee’s impact on the organisation, the overall risk posture of the organisation, and in the costs associated with finding and retaining highly skilled employees, the analyst said.

The study’s key findings include:

• 73% of respondents said their team’s cyber security performance was more efficient because of ongoing professional cyber security training.

• 62% of respondents said that training improved their organisation’s cyber security effectiveness (which encompasses decreases in the number of breach attempts and overall security events).

• 79% of respondents ranked professional cyber security training at the top or near the top of importance for the organisation’s ability to prevent and rapidly remediate breaches and ensuing consequences such as reputational damage.

• 70% of companies reported a relationship between an incident and training, and two-thirds of respondents reported increased investments in ongoing cyber security training after a security incident.

• Large enterprises are the least likely to delay upskilling until after an incident, indicating that companies with larger cyber security teams firmly understand the importance of ongoing professional training.

• 67% of surveyed SMBs invested in cyber security training after a security incident, which served as a call to action.

• 53% invested in professional cyber security training due to a cyber security insurance audit.

• 48% of organisations said that cyber security training drives retention and decreases the likelihood that a cyber security professional will leave the organisation that trains them.

• 41% said that ongoing cyber security training has no significant impact on if a cyber security professional leaves.

Cybrary said the research shows the rewards that organisations enjoy by investing in training and upskilling their security professionals. The data “codifies the fiscal and reputational paybacks in proactively improving cyber security defences versus responding to attacks. It also codifies an often-underrecognised benefit of cyber security upskilling: helping the organisation retain invaluable security talent despite market and organisational uncertainty”.

https://www.msspalert.com/cybersecurity-research/cybersecurity-training-boosts-risk-posture-research-finds/

• MI5 Chief: UK Will Have to Tackle Russian Aggression ‘for Years to Come’

Britain will have to tackle Russian aggression for years to come, said the MI5’s chief on Wednesday, adding that his agency had blocked more than 100 attempts by the Kremlin to insert suspected spies into the UK since the Salisbury poisonings.

Ken McCallum, giving an annual threat update, said state-based threats were increasing and said the UK also faced a heightened direct threat from Iran, which had threatened “to kidnap or even kill” 10 people based in Britain in the past year.

The spy chief said Russia had suffered a “strategic blow” after 400 spies were expelled from around Europe following the start of the war in Ukraine, but he said the Kremlin was actively trying to rebuild its espionage network.

Britain had expelled 23 Russian spies posing as diplomats after the poisoning of Sergei and Yulia Skripal in Salisbury in 2018, yet since then “over 100 Russian diplomatic visa applications” had been rejected on national security grounds.

McCallum accused Russia of making “silly claims” about British activities without evidence, such as that UK was involved in attacking the Nord Stream gas pipelines. But the head of MI5 said “the serious point” was that “the UK must be ready for Russian aggression for years to come”.

Iran’s “aggressive intelligence services” were actively targeting Britain and had made “at least 10” attempts to “kidnap or even kill” British or UK-based individuals since January as the regime felt greater pressure than ever before.

https://www.theguardian.com/uk-news/2022/nov/16/mi5-chief-uk-will-have-to-tackle-russian-aggression-for-years-to-come

• Offboarding Processes Pose Security Risks as Job Turnover Increases: Report

Research from YouGov finds that poor offboarding practices across industries including healthcare and tech are putting companies at risk, including for loss of end-user devices and unauthorised SaaS application use.

Organisations across multiple industries are struggling to mitigate potential risks, including loss of end-user and storage devices as well as unauthorised use of SaaS applications, during their offboarding process, according to new research conducted by YouGov in partnership with Enterprise Technology Management (ETM) firm Oomnitza.

Over the last 18 months, employee turnover has increased, with the US Department of Labor estimating that by the end of 2021, a total of 69 million people, more than 20% of Americans, had either lost or changed their job. Although these figures could initially be attributed to the so-called Great Resignation, this figure is likely to increase due to the numerous job cuts that are now being reported, including layoffs at major technology companies, as organisations look to reduce operational costs.

Although the circumstances of an employee’s departure can sometimes make the offboarding process more complex, ultimately offboarding should aim to prevent disruption and mitigate any potential risks.

However, in YouGov’s 2022 State of Corporate Offboarding Process Automation report, the research found that although implementing a secure offboarding processes is now seen as a business imperative for enterprises, 48% of the survey’s respondents expressed deficiencies in or lack of automated workflows across departments and IT tools to facilitate the secure offboarding of employees.

https://www.computerworld.com/article/3680368/offboarding-processes-pose-security-risks-as-job-turnover-increases-report.html#tk.rss_news

• Supply Chains Need Shoring Up Against Cyber Attacks, C-Suite Executives Say

Nearly every organisation (98%) in a new survey of some 2,100 C-suite executives has been hit by a supply chain cyber attack in the last year, security provider BlueVoyant said in a newly released study.

The study gleaned data from interviews with chief technology officers (CTOs), chief security officers (CSOs), chief operating officers (COOs), chief information officers (CIOs), chief information security officers (CISOs), and chief procurement officers (CPOs) responsible for supply chain and cyber risk management in organisations of more than 1,000 employees across business services, financial services, healthcare and pharmaceutical, manufacturing, utilities and energy, and defence industries.

While the number of companies experiencing digital supply chain attacks has stayed relatively static year-over-year, the attention paid by organisations to that attack vector has increased, BlueVoyant said. Still, the New York-based cyber defender said, there’s a lot of room for organisations to better monitor suppliers and “work with them to remediate issues to reduce their supply chain risks.”

Here are some macro highlights from the survey:

• 40% of respondents rely on the third-party vendor or supplier to ensure adequate security.

• In 2021, 53% of companies said they audited or reported on supplier security more than twice per year. That number has improved to 67% in 2022. These numbers include enterprises monitoring in real time.

• Budgets for supply chain defence are increasing, with 84% of respondents saying their budget has increased in the past 12 months.

• The top pain points reported are internal understanding across the enterprise that suppliers are part of their cyber security posture, meeting regulatory requirements, and working with suppliers to improve their security.

https://www.msspalert.com/cybersecurity-research/supply-chains-need-shoring-up-against-cyberattacks-c-suite-executives-say/

• Do Companies Need Cyber Insurance?

Companies are increasingly seeking to transfer risk with cyber insurance. This trend has been influenced by a greater severity in cyber attacks and the resulting skyrocketing costs of incident response, business disruption and recovery.

Companies struggle to afford the high prices of cyber insurance, however. One market index reported the price of cyber insurance increased 79% in the second quarter of 2022. Without it, however, companies risk shouldering the full cost of any resulting harm. Furthermore, insurance companies that lack traditional decades of actuarial data must consider whether to provide cyber insurance to clients unable or unwilling to show their cyber security maturity through independent risk analysis.

This combination of circumstances leaves businesses vulnerable, financially drained and facing potential reputational damage. But does it have to be this way? And is cyber insurance truly necessary? For the majority of organisations, the answer is that cyber insurance is a worthwhile investment as part of their overall risk treatment plans. There are a number of activities, however, that should be undertaken to optimise the benefits and reduce the costs of cyber-risk insurance.

A rise in high-profile attacks, in tandem with increased regulation and compliance surrounding cyber security and privacy, has shifted the conversation around digital safety. No longer is cyber security an optional aspect of the business model with a fixed, stagnant cost. Businesses today have become too digitally dependent to ignore cyber security, with classified, internal information stored online; communication largely conducted via email or another platform; and the workforce transitioned to hybrid and remote work environments. Effective cyber security and privacy, as well as mitigating financial and operational risks, can be strategic enablers to modern digital business.

Cyber insurance is not a solution -- it's a piece of the puzzle. Regardless of industry or company size, all businesses should conduct an independent cyber audit prior to committing to cyber insurance. In doing so, organisations can determine the need for cyber insurance and better understand their organisations' risk posture and weak points.

Even if insurance is needed, the audit further adds value as it lets insurance companies support the company specific to its digital landscape and help it become more digitally strong. Additionally, the existence of an independent audit and risk review may indeed enable the insurance company to offer higher levels of coverage without the need for excessive premiums.

https://www.techtarget.com/searchsecurity/post/Do-companies-need-cyber-insurance

Threats

Ransomware and Extortion

• Ransomware incidents now make up majority of British government’s crisis management COBRA meetings - The Record by Recorded Future

• Ransomware is a global problem that needs a global solution | TechCrunch

• FBI: Hive ransomware extorted $100M from over 1,300 victims (bleepingcomputer.com)

• The psychological fallout of a ransomware crisis - Help Net Security

• New extortion scam threatens to damage sites’ reputation, leak data (bleepingcomputer.com)

• Thales Denies Getting Hacked as Ransomware Gang Releases Gigabytes of Data | SecurityWeek.Com

• Microsoft Warns of Cyber crime Group Delivering Royal Ransomware, Other Malware | SecurityWeek.Com

• Hive Ransomware Has Made $100m to Date - Infosecurity Magazine (infosecurity-magazine.com)

• LockBit Remains Most Prolific Ransomware in Q3 - Infosecurity Magazine (infosecurity-magazine.com)

• DEV-0569 finds new ways to deliver Royal ransomware, various payloads - Microsoft Security Blog

• Transportation sector targeted by both ransomware and APTs - Help Net Security

• Ukraine says Russian hacktivists use new Somnia ransomware (bleepingcomputer.com)

• Ransomware on Healthcare Organisations cost Global Economy $92 bn - IT Security Guru

• Russian hacktivists hit Ukrainian orgs with ransomware - but no ransom demands - Help Net Security

• Australia to ‘stand up and punch back’ against cyber crims • The Register

• LockBit ransomware activity nose-dived in October (techtarget.com)

• Medibank data breach update: Details of almost 1000 employees also included in cyber attack (9news.com.au)

• How to deal with the trauma of the Medibank cyber breach | Andrea Szasz | The Guardian

• Australia is considering a ban on cyber ransom payments, but it could backfire. Here's another idea (theconversation.com)

• Researchers secretly helped decrypt Zeppelin ransomware for 2 years (bleepingcomputer.com)

• Vanuatu: Hackers strand Pacific island government for over a week - BBC News

• Cape Town scrambles after cyber attacks (iol.co.za)

• Canadian Supermarket Chain Sobeys Hit by Ransomware Attack | SecurityWeek.Com

• Two public schools in Michigan hit by a ransomware attack - Security Affairs

• Ukraine says Russian hacktivists use new Somnia ransomware (bleepingcomputer.com)

Phishing & Email Based Attacks

• Top enterprise email threats and how to counter them - Help Net Security

• China-Based Sophisticated Phishing Campaign Uses 42,000 Domains - Information Security Buzz

• Mass Email Extortion Campaign Claims Server Hack - Infosecurity Magazine (infosecurity-magazine.com)

• Netflix Phishing Emails Surge 78% - Infosecurity Magazine (infosecurity-magazine.com)

• Instagram Credential Phishing Attacks Bypass Microsoft Email Security, Target Thousands - Infosecurity Magazine (infosecurity-magazine.com)

• More Than Half of Black Friday Spam Emails Are Scams - Infosecurity Magazine (infosecurity-magazine.com)

• Earth Preta Spear-Phishing Governments Worldwide (trendmicro.com)

• Email Security Best Practices for Phishing Prevention (trendmicro.com)

Malware

• Wipermania: Malware Remains a Potent Threat, 10 Years Since 'Shamoon' (darkreading.com)

• QBot phishing abuses Windows Control Panel EXE to infect devices (bleepingcomputer.com)

• Researchers Sound Alarm on Dangerous BatLoader Malware Dropper (darkreading.com)

• Study: Almost 50% of macOS malware only comes from one app - Neowin

• Notorious Emotet botnet returns after a few months off • The Register

• Chinese hackers use Google Drive to drop malware on govt networks (bleepingcomputer.com)

• Microsoft Warns of Cyber crime Group Delivering Royal Ransomware, Other Malware | SecurityWeek.Com

• LodaRAT Malware Resurfaces with New Variants Employing Updated Functionalities (thehackernews.com)

• New attacks use Windows security bypass zero-day to drop malware (bleepingcomputer.com)

• Updated RapperBot malware targets game servers in DDoS attacks (bleepingcomputer.com)

• North Korean Hackers Targeting Europe and Latin America with Updated DTrack Backdoor (thehackernews.com)

• Google Wins Lawsuit Against Glupteba Botnet Operators | SecurityWeek.Com

Mobile

• Android malware: A million people downloaded these malicious apps before they were finally removed from Google Play | ZDNET

Internet of Things – IoT

• Shocker: EV charging infrastructure is seriously insecure • The Register

• Aiphone Intercom System Vulnerability Allows Hackers to Open Doors | SecurityWeek.Com

Data Breaches/Leaks

• Police published sexual assault victims' names and addresses on its website (bitdefender.com)

• Here’s How Bad a Twitter Mega-Breach Would Be | WIRED

• Whoosh confirms data breach after hackers sell 7.2M user records (bleepingcomputer.com)

Organised Crime & Criminal Actors

• Long-Standing Chinese Cyber crime Campaign Spoofs Over 400 Brands | SecurityWeek.Com

• Suspected Zeus cyber crime ring leader ‘Tank’ arrested by Swiss police (bleepingcomputer.com)

• Australia's Hack-Back Plan Against Cyber attackers Raises Familiar Concerns (darkreading.com)

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

• Banks ban crypto to fight fraudsters | Money | The Sunday Times (thetimes.co.uk)

• 'Three quarters' of retail Bitcoin investors are in the red • The Register

Insider Risk and Insider Threats

• Meta Reportedly Fires Dozens of Employees for Hijacking Users' Facebook and Instagram Accounts (thehackernews.com)

• Meta Employees Were Fired for Selling Account Info to Hackers (gizmodo.com)

Fraud, Scams & Financial Crime

• Massive adware campaign spoofs top brands to trick users | TechRadar

• More Than Half of Black Friday Spam Emails Are Scams - Infosecurity Magazine (infosecurity-magazine.com)

• Police Celebrate Arrest of 59 Suspected Scammers - Infosecurity Magazine (infosecurity-magazine.com)

• Cyber Monday Will Be the Most Fraudulent Day of the Season, Says SEON (darkreading.com)

• UK Shoppers Lost £15m+ to Scammers Last Winter - Infosecurity Magazine (infosecurity-magazine.com)

• How scammers are now exploiting cashless parking (telegraph.co.uk)

• Experts Advice On International Fraud Awareness Week - Information Security Buzz

• Theranos fraudster Elizabeth Holmes jailed for conning investors over multibillion-dollar blood-testing scam | US News | Sky News

• Banks ban crypto to fight fraudsters | Money | The Sunday Times (thetimes.co.uk)

Impersonation Attacks

• 42,000 sites used to trap users in brand impersonation scheme (bleepingcomputer.com)

• Instagram Impersonators Target Thousands, Slipping by Microsoft's Cyber security (darkreading.com)

Dark Web

• Andy Greenberg on how 'Tracers in the Dark' found the dark web's worst criminals - CyberScoop

Supply Chain and Third Parties

• Where Can Third-Party Governance and Risk Management Take Us? (darkreading.com)

Software Supply Chain

• The Next Generation of Supply Chain Attacks Is Here to Stay (darkreading.com)

Denial of Service DoS/DDoS

• 2022 holiday DDoS protection guide - Microsoft Security Blog

• Updated RapperBot malware targets game servers in DDoS attacks (bleepingcomputer.com)

Cloud/SaaS

• Cloud data protection trends you need to be aware of - Help Net Security

• Cyber security implications of using public cloud platforms - Help Net Security

• Evolving Security for Government Multiclouds (darkreading.com)

Encryption

• Why companies can no longer hide keys under the doormat - Help Net Security

• Quantum Cryptography Apocalypse: A Timeline and Action Plan (darkreading.com)

Open Source

• It's official - open source software has never been more important | TechRadar

Passwords, Credential Stuffing & Brute Force Attacks

• Top passwords used in RDP brute-force attacks - Help Net Security

Social Media

• Advertising giant warns clients to stay off Twitter (telegraph.co.uk)

• It’s time. Delete your Twitter DMs • Graham Cluley

• Stop using Twitter to log in to other websites | ZDNET

• Instagram Credential Phishing Attacks Bypass Microsoft Email Security, Target Thousands - Infosecurity Magazine (infosecurity-magazine.com)

• Meta keeps booting small-business owners for being hacked on Facebook | Ars Technica

• Guinness, Cadbury’s and Nissan told to avoid ‘toxic’ and ‘dangerous’ Twitter (telegraph.co.uk)

• Meta Reportedly Fires Dozens of Employees for Hijacking Users' Facebook and Instagram Accounts (thehackernews.com)

• FBI director says he's 'extremely concerned' about China's ability to weaponize TikTok - CyberScoop

• Here’s How Bad a Twitter Mega-Breach Would Be | WIRED

• Instagram Impersonators Target Thousands, Slipping by Microsoft's Cyber security (darkreading.com)

Privacy, Surveillance and Mass Monitoring

• Electronics repair technicians snoop on your data - Help Net Security

• Google to Pay $391 Million Privacy Fine for Secretly Tracking Users' Location (thehackernews.com)

• Security firms hijack New York trees to monitor workers • The Register

Governance, Risk and Compliance

• Have board directors any liability for a cyber attack against their company? - Security Affairs

• Data sovereignty and compliance need help • The Register

Careers, Working in Cyber and Information Security

• Cyber security jobs: Five ways to help you build your career | ZDNET

• The Future of Cyber security Recruiting: Lessons on What Employers Want and What Students Need (darkreading.com)

• Google cloud wants CISOs to do more about diversity • The Register

• Amazon poaches top National Cyber Security Centre exec Levy | Business News | Sky News

Law Enforcement Action and Take Downs

• Zeus Botnet Suspected Leader Arrested in Geneva - Infosecurity Magazine (infosecurity-magazine.com)

• Police Celebrate Arrest of 59 Suspected Scammers - Infosecurity Magazine (infosecurity-magazine.com)

• Suspected Zeus cyber crime ring leader ‘Tank’ arrested by Swiss police (bleepingcomputer.com)

• Police dismantle pirated TV streaming network with 500,000 users (bleepingcomputer.com)

Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine

• Chinese hackers target government agencies and defence orgs (bleepingcomputer.com)

• Chinese Spy Gets 20 Years for Aviation Espionage Plot - Infosecurity Magazine (infosecurity-magazine.com)

• Russian hacktivists hit Ukrainian orgs with ransomware - but no ransom demands - Help Net Security

• Botnets, Trojans, DDoS From Ukraine and Russia Have Increased Since Invasion - Infosecurity Magazine (infosecurity-magazine.com)

• COP27 Delegates Given Burner Phones To Combat Spying - Information Security Buzz

• Avast details Worok espionage group's compromise chain - Security Affairs

• New "Earth Longzhi" APT Targets Ukraine and Asian Countries with Custom Cobalt Strike Loaders (thehackernews.com)

• 'Even if we go into nuclear winter, I know I tried to help': A volunteer hacker on waging cyber war | Euronews

• Biden set to approve expansive authorities for Pentagon to carry out cyber operations - CyberScoop

• Ukraine says Russian hacktivists use new Somnia ransomware (bleepingcomputer.com)

• Europe’s spyware scandal is a global wakeup call. (slate.com)

• Internal Documents Show How Close the F.B.I. Came to Deploying Spyware - The New York Times (nytimes.com)

• Koch-funded group sues US state over mobile 'spyware' • The Register

Nation State Actors

Nation State Actors – Russia

• UK Banks Bolstering Defences As Russian Cyber Threat Rises - Information Security Buzz

• EXCLUSIVE Russian software disguised as American finds its way into U.S. Army, CDC apps | Reuters

• Pro-Russian hackers claim cyber attack on FBI website: Report | Fox News

• Ukraine says Russian hacktivists use new Somnia ransomware (bleepingcomputer.com)

Nation State Actors – China

• China playing ‘long game’ as it co-opts UK assets, warns MI5 chief | Financial Times (ft.com)

• FBI director says he's 'extremely concerned' about China's ability to weaponize TikTok - CyberScoop

• Chinese Cyber espionage Group 'Billbug' Targets Certificate Authority | SecurityWeek.Com

• Previously undetected Earth Longzhi APT is a subgroup of APT41 - Security Affairs

• Rishi Sunak to hold surprise meeting with Chinese president at G20 | Financial Times (ft.com)

• Chinese hackers use Google Drive to drop malware on govt networks (bleepingcomputer.com)

• State-sponsored hackers in China compromise certificate authority | Ars Technica

• Chinese 'Mustang Panda' Hackers Actively Targeting Governments Worldwide (thehackernews.com)

• Reports of Chinese police stations in US worry FBI - BBC News

Nation State Actors – North Korea

• North Korean hackers target European orgs with updated malware (bleepingcomputer.com)

• North Korean Hackers Targeting Europe and Latin America with Updated DTrack Backdoor (thehackernews.com)

Nation State Actors – Iran

• US govt: Iranian hackers breached federal agency using Log4Shell exploit (bleepingcomputer.com)

• CISA: Iranian APT actors compromised federal network (techtarget.com)

• US Gov Warning: Start Hunting for Iranian APTs That Exploited Log4j | SecurityWeek.Com

Nation State Actors – Misc

• State-Backed APT Group Activity Continuing Apace - Infosecurity Magazine (infosecurity-magazine.com)

• The challenges of tracking APT attacks - Help Net Security

Vulnerability Management

• Misconfigurations, Vulnerabilities Found in 95% of Applications (darkreading.com)

Vulnerabilities

• Microsoft Office lets hackers execute arbitrary code, update now | TechRadar

• Unpatched Zimbra Platforms Are Probably Compromised, CISA Says (darkreading.com)

• All Day DevOps: Third of Log4j downloads still pull vulnerable version despite threat of supply chain attacks | The Daily Swig (portswigger.net)

• Exploit released for actively abused ProxyNotShell Exchange bug (bleepingcomputer.com)

• F5 fixes two remote code execution flaws in BIG-IP, BIG-IQ (bleepingcomputer.com)

• Samba Patches Vulnerability That Can Lead to DoS, Remote Code Execution | SecurityWeek.Com

• Firefox 107 Patches High-Impact Vulnerabilities | SecurityWeek.Com

• Atlassian Releases Patches for Critical Flaws Affecting Crowd and Bitbucket Products (thehackernews.com)

• Windows Kerberos authentication breaks after November updates (bleepingcomputer.com)

• Nasty SQL Injection Bug in Zendesk Endangers Sensitive Customer Data (darkreading.com)

• Mastodon users vulnerable to password-stealing attacks | The Daily Swig (portswigger.net)

• High Severity Vulnerabilities Reported in F5 BIG-IP and BIG-IQ Devices (thehackernews.com)

Tools and Controls

• XDR: Still confusing after all these years | CSO Online

• What is an External Penetration Test? (thehackernews.com)

• MITRE Engenuity Launches Evaluations for Security Service Providers (darkreading.com)

• How Routine Pen Testing Can Reveal the Unseen Flaws in Your Cyber security Posture (darkreading.com)

• How Browser Innovations Are Taking On New Cyber Threats | WIRED UK

Reports Published in the Last Week

• 2022 Global Threat Report | Elastic

• Cyber Risk Index 1H'22 Snapshot (trendmicro.com)

Other News

• Cyber security Industry Must Maintain Public Faith in Technology, Says NCSC Founder - Infosecurity Magazine (infosecurity-magazine.com)

• Cyber Resilience: The New Strategy to Cope With Increased Threats | SecurityWeek.Com

• The 4 horsemen of the cyber security apocalypse | Security Magazine

• The Top Five Cyber security Trends of 2023: KnowBe4 Makes Its Predictions - MSSP Alert

• Build a mature approach for better cyber security vendor evaluation | CSO Online

• Almost half of customers have left a vendor due to poor digital trust: Report | CSO Online

• Global 2000 companies failing to adopt key domain security measures | CSO Online

• Research: Most North American SMBs Outsource Cyber security Management to Third Parties - MSSP Alert

• Majority of Companies Reduce Cyber security Staff Over Holidays - Infosecurity Magazine (infosecurity-magazine.com)

• Over 12,000 Cyber Incidents at US DoD Since 2015, But Incident Management Still Lacking | SecurityWeek.Com

• Repair technicians caught snooping on customer data • The Register

• Research: Most North American SMBs Outsource Cyber security Management to Third Parties - MSSP Alert

• 'No guns, no guards, no gates.' NSA opens up to outsiders in fight for cyber security (cyberscoop.com)

Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

·       Automotive

·       Construction

·       Critical National Infrastructure (CNI)

·       Defence & Space

·       Education & Academia

·       Energy & Utilities

·       Estate Agencies

·       Financial Services

·       FinTech

·       Food & Agriculture

·       Gaming & Gambling

·       Government & Public Sector (including Law Enforcement)

·       Health/Medical/Pharma

·       Hotels & Hospitality

·       Insurance

·       Legal

·       Manufacturing

·       Maritime

·       Oil, Gas & Mining

·       OT, ICS, IIoT, SCADA & Cyber-Physical Systems

·       Retail & eCommerce

·       Small and Medium Sized Businesses (SMBs)

·       Startups

·       Telecoms

·       Third Sector & Charities

·       Transport & Aviation

·       Web3

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

• Businesses Urged Not to Give In To Ransomware Cyber Criminals As Authorities See Increase In Payouts

While there have been arguments made for criminalising the payment of ransoms, it poses a number of additional risks such as providing the criminals with an additional factor they could use to extort their victims.

Businesses are being urged not to pay cyber extortionists as authorities say they are seeing evidence of a rise in ransomware payments.

In a joint letter to the Law Society, the National Cyber Security Centre (NCSC) and the Information Commissioner's Office are warning solicitors who may have been advising their clients to pay.

It follows warnings earlier this year by cyber security experts from the UK, US, and Australia of a "growing wave of increasingly sophisticated ransomware attacks" which could have "devastating consequences".

The joint letter states that while ransomware payments are "not unusually unlawful" those who pay them "should be mindful of how relevant sanctions regimes (particularly those related to Russia)" when considering making the payment.

The US sanctioned in December 2019 any financial dealings with a Russian cyber crime group that was accused of working with Russian intelligence to steal classified government documents.

Despite the spillover from the Russian war in Ukraine - in one case knocking 5,800 wind turbines in Germany offline - the NCSC says it has not detected any increase in hostile activity targeting Britain during the conflict.

Businesses however had been warned that there is a heightened threat level when it comes to cyber attacks due to the conflict which is likely to be here "for the long-haul".

https://news.sky.com/story/businesses-urged-not-to-give-in-to-ransomware-cyber-criminals-as-authorities-see-increase-in-payouts-12648253

• People Are the Primary Attack Vector Around the World

With an unprecedented number of employees now working in hybrid or fully remote environments, compounded by an increase in cyber threats and a more overwhelmed, COVID-19 information fatigued workforce, there has never been a more critical time to effectively create and maintain a cyber secure workforce and an engaged security culture.

People have become the primary attack vector for cyber-attackers around the world. Humans, rather than technology, represent the greatest risk to organisations and the professionals who oversee security awareness programs are the key to effectively managing that risk.

Awareness programs enable security teams to effectively manage their human risk by changing how people think about cyber security and help them exhibit secure behaviours, from the Board of Directors on down.

Effective and mature security awareness programs not only change their workforce’s behaviour and culture but also measure and demonstrate their value to leadership via a metrics framework. Organisations can no longer justify an annual training to tick the compliance box, and it remains critical for organisations to dedicate enough personnel, resources, and tools to manage their human risk effectively.

https://www.helpnetsecurity.com/2022/07/05/people-primary-attack-vector/

• Early Detection Crucial in Stopping Business Email Compromise (BEC) Scams

Cofense Intelligence studied hundreds of business email compromise attacks and found that most scams attempt to establish trust with targeted employees over multiple emails.

Avoiding a costly social engineering attack often requires employees to spot suspicious emails before threat actors request sensitive information or access.

Cofense Intelligence published new research Thursday that showed most business email compromise (BEC) scams can be thwarted in their initial stages when the attackers are not asking for money or a transfer of funds. The cyber security vendor analysed hundreds of BEC emails sent to customers during March and April, and engaged with the threat actors in approximately half the cases.

The company found that only 36% of attackers looking to conduct fraud attacks opened with a cordial greeting and request for cash, gift cards or confidential payment information. Most BEC scams, Cofense found, attempt to slowly build up trust over the course of multiple email exchanges with the target and ingratiate them with common phrases like "sorry to bother you."

Once they realise they can get money out of you, they will do everything they can to drain you dry. For many of the scammers, this becomes a literal hustle, where they will quickly pivot to other cash-out methods. Just because something starts as a wire transfer doesn't mean they won't ask you to send cryptocurrency, gift cards, a cheque, or use your personal Venmo or PayPal to wire them money.

https://www.techtarget.com/searchsecurity/news/252522493/Early-detection-crucial-in-stopping-BEC-scams

• 54% of SMBs Do Not Implement Multi-Factor Authentication (MFA)

SMB owners across the globe are still relying only on usernames and passwords to secure critical employee, customer, and partner data, according to the Global Small Business Multi-Factor Authentication (MFA) Study released by the Cyber Readiness Institute (CRI).

Services that enforce MFA require users to present more than one piece of evidence whenever they log in to a business account (e.g., company email, payroll, human resources, etc.).

MFA has been in use for decades and is widely recommended by cyber security experts, yet 55% of SMBs surveyed are not “very aware” of MFA and its security benefits, and 54% do not use it for their business. Of the businesses that have not implemented MFA, 47% noted they either didn’t understand MFA or didn’t see its value. In addition, nearly 60% of small business and medium-sized owners have not discussed MFA with their employees.

Nearly all account compromise attacks can be stopped outright, just by using MFA. It’s a proven, effective way to thwart bad actors.

Of the companies that have implemented some form of MFA, many still seem to have done so haphazardly. Only 39% of those who offer MFA have a process for prioritising critical hardware, software, and data, with 49% merely “encouraging the use of MFA when it is available.”

https://www.helpnetsecurity.com/2022/07/08/smb-implement-mfa/

• New Cyber Threat Emerges from the Inside, Research Report Finds

In its 2022 Insider Risk Intelligence & Research Report, DTEX Systems, a workforce cyber intelligence and security company, identifies a new cyber threat: the “Super Malicious Insider.”

Just what is a Super Malicious Insider and where does it come from? Well, it comes from inside your own organisation or someone who recently worked for you — a threat actor who may be truly of your own making.

“It was the year (2021) we all came to realise the Work-from-Anywhere (WFA) movement was here to stay,” DTEX reports. “For security and risk professionals, this hastened the end of corporate perimeter-centric security, and a requirement to protect hundreds of thousands of ‘remote offices’ outside of traditional corporate controls. To make matters worse, a measurable increase in employee attrition toward the end of 2021 created the perfect storm for insider threats.”

So, if your organisation didn’t observe a proportional increase in attempted or actual data loss, then you were likely not looking, DTEX asserts.

Critically your insiders know your vulnerabilities and can exploit them, for example, when an employee quits to join a competitor, it is often tempting to take proprietary information with them. This can include customer lists, product plans, financial data and other intellectual property.

The Super Malicious Insider is better able to hide their activities, obfuscate data and exfiltrate sensitive information without detection. Importantly, in numerous insider incidents reviewed in 2021, the Super Malicious Insider had made significant efforts to appear normal by not straying outside of their day-to-day routine, DTEX reports.

Here are some key statistics from the report:

• Industrial espionage is at an all-time high. In 2021, 72% of respondents saw an increase in actionable insider threat incidents. IP or data theft led the list at 42% of incidents, followed by unauthorised or accidental disclosure (23%), sabotage (19%), fraud (%) and other (7%). In fact, 42% of all DTEX i3 investigations involved theft of IP or customer data.

• The technology industry (38%), followed by pharma/life sciences (21%), accounted for the most IP theft incidents. In addition, technology (33%) had the most super malicious incidents, followed by critical infrastructure (24%) and government (11%).

• Investigations that led to criminal prosecution occurred within someone’s home 75% of the time. More telling, 32% of malicious incident incidents included sophisticated insider techniques.

https://www.msspalert.com/cybersecurity-research/new-cyberthreat-emerges-from-the-inside-research-report-finds/

• Ransomware: Why It's Still A Big Threat, And Where The Gangs Are Going Next

Ransomware attacks are still lucrative for cyber criminals because victims pay ransoms - and the threat is still evolving.

Ransomware has been a cyber security issue for a long time, but last year it went mainstream. Security threats like malware, ransomware and hacking gangs are always evolving.

Major ransomware attacks like those on Colonial Pipeline, the Irish Healthcare Executive and many others demonstrated how significant the problem had become as cyber attacks disrupted people's lives.

What was once a small cyber-criminal industry based around encrypting files on personal computers and demanding a ransom of a few hundred dollars for a decryption key had evolved into a massive ecosystem designed around holding critical services and infrastructure to ransom - and making extortion demands of millions of dollars.

No wonder Lindy Cameron, head of the UK's National Cyber Security Centre (NCSC), has described ransomware as "the biggest global cyber threat".

Ransomware is continually evolving, with new variants appearing, new ransomware groups emerging, and new techniques and tactics designed to make the most money from attacks.

And as the recent Conti ransomware leaks showed, the most successful ransomware gangs are organised as if they were any other group of software developers.

They are really acting like a business. Aside from the fact they're not legitimately registered, they really are. They're functioning like a real business and sometimes the number of people within these organisations is bigger than some startups. They have shown a lot of resilience and a lot of agility in adapting to what's new.

https://www.zdnet.com/article/ransomware-why-its-still-a-big-threat-and-where-the-gangs-are-going-next/

• NCSC: Prepare for Protracted Period of Heightened Cyber Risk

The UK’s leading cyber security agency has urged organisations to follow best practices and take care of their infosecurity staff in order to weather an extended period of elevated cyber risk due to the ongoing war in Ukraine.

The National Cyber Security Centre (NCSC) guide, Maintaining A Sustainable Strengthened Cyber Security Posture, comes on the back of warnings that organisations must “prepare for the long haul” as the conflict enters its fifth month.

Alongside basic hygiene controls, the strengthening of cyber-resilience and revisiting of risk-based decisions made in the earlier acute phase of the war, organisations should pay special attention to their security staff, the NCSC said.

“Increased workloads for cyber security staff over an extended period can harm their wellbeing and lead to lower productivity, with a potential rise in unsafe behaviours or errors,” it said.

With this in mind, the guide highlighted several steps IT security managers should consider:

• Empower staff to make decisions in order to improve agility and free-up leaders to focus on medium-term priorities

• Spread workloads evenly across a wider pool of staff to reduce the risk of burnout and enable less experienced employees to benefit from development opportunities

• Provide opportunities for staff to recharge through more frequent breaks and time away from the office, as well as work on less pressured tasks

• Look after each other by watching for signs that colleagues are struggling and ensuring they always have the right resources to hand

• Engage the entire workforce with the right internal communications processes, and support so that all staff are able to identify and report suspicious behaviour

https://www.infosecurity-magazine.com/news/ncsc-prepare-cyber-risk/

• 69% Of Employees Need to Deal with More Security Measures In A Hybrid Work Environment

Security firm Ivanti worked with global digital transformation experts and surveyed 10,000 office workers, IT professionals, and the C-Suite to evaluate the level of prioritisation and adoption of digital employee experience in organisations and how it shapes the daily working experiences for employees. The report revealed that 49% of employees are frustrated by the tech and tools their organisation provides and 64% believe that the way they interact with technology directly impacts morale.

One of the biggest challenges facing IT leaders today is the need to enable a seamless end user experience while maintaining robust security. The challenge becomes more complex when there is pressure from the top to bypass security measures, with 49% of C-level executives reporting they have requested to bypass one or more security measures in the last year.

Maintaining a secure environment and focusing on the digital employee experience are two inseparable elements of any digital transformation. In the war for talent a key differentiator for organisations is providing an exceptional and secure digital experience. Ivanti, a cyber security software provider, says “We believe that organisations not prioritising how their employees experience technology is a contributing factor for the Great Resignation”.

https://www.helpnetsecurity.com/2022/07/04/security-measures-hybrid-work-environment/

• FBI and MI5 Leaders Give Unprecedented Joint Warning on Chinese Spying

The head of the FBI and the leader of Britain’s domestic intelligence agency have delivered an unprecedented joint address, raising fresh alarm about the Chinese government, warning business leaders that Beijing is determined to steal their technology for competitive gain.

In a speech at MI5’s London headquarters intended as a show of western solidarity, Christopher Wray, the FBI director, stood alongside the MI5 director general, Ken McCallum. Wray reaffirmed longstanding concerns about economic espionage and hacking operations by China, as well as the Chinese government’s efforts to stifle dissent abroad.

“We consistently see that it’s the Chinese government that poses the biggest long-term threat to our economic and national security, and by ‘our’, I mean both of our nations, along with our allies in Europe and elsewhere,” Wray said.

He told the audience the Chinese government was “set on stealing your technology, whatever it is that makes your industry tick, and using it to undercut your business and dominate your market”.

Ken McCallum said MI5 was running seven times as many investigations into China as it had been four years ago and planned to “grow as much again” to tackle the widespread attempts at inference which pervade “so many aspects of our national life”.

https://www.theguardian.com/world/2022/jul/06/fbi-mi5-china-spying-cyberattacks-business-economy

• As Cyber Criminals Recycle Ransomware, They're Getting Faster

Like history, ransomware repeats itself. Researchers recently encountered a new variant of a ransomware campaign and observed that it has been improving itself by reusing code from publicly available sources.

Nokoyawa is a new ransomware for Windows that first appeared at the beginning of this year. The first samples found by researchers were gathered in February 2022 and contain significant coding similarities with other older ransomware strains, some going back to 2019.

These new variants had been improving themselves by reusing code from publicly available sources. The April 2022 samples include three new features that increase the number of files that Nokoyawa can encrypt. These features already existed in recent ransomware families, and their addition just indicates that Nokoyawa developers are trying to match pace with other operators in terms of technological capability.

https://www.securityweek.com/cybercriminals-recycle-ransomware-theyre-getting-faster

• UK Military Investigates Hacks on Army Social Media Accounts

British military authorities are trying to find out who hacked the army’s social media accounts over the weekend, flooding them with cryptocurrency videos and posts related to collectible electronic art.

The investigation was launched after authorised content on the army’s YouTube account was replaced with a video feed promoting cryptocurrencies that included images of billionaire Elon Musk. The Army’s Twitter account retweeted a number of posts about non-fungible tokens, unique digital images that can be bought and sold but have no physical counterpart.

“Apologies for the temporary interruption to our feed,” the Army said in a tweet posted after the Twitter account was restored on Sunday. “We will conduct a full investigation and learn from this incident. Thanks for following us, and normal service will now resume.”

The Ministry of Defence said late Sunday that both breaches had been “resolved.”

While internet users were unable to access the Army’s YouTube site on Monday, a spokesperson said the site was down for standard maintenance. The Twitter feed was operating normally.

Although U.K. officials have previously raised concerns about state-sponsored Russian hacking, the military did not speculate on who was responsible for Sunday’s breaches.

“The Army takes information security extremely seriously, and until their investigation is complete it would be inappropriate to comment further,” the Ministry of Defence said.

https://www.securityweek.com/uk-military-investigates-hacks-army-social-media-accounts

Campaign Targeting SOHO Routers Highlights Risks to Remote Workers

A targeted attack campaign has been compromising small office/home office (SOHO) routers since late 2020, with the goal of hijacking network communications and infecting local computers with stealthy and sophisticated backdoors. Attacks against home routers are not new, but the implants used by attackers in this case were designed for local network reconnaissance and lateral movement instead of just abusing the router itself.

"The rapid shift to remote work in spring of 2020 presented a fresh opportunity for threat actors to subvert traditional defence-in-depth protections by targeting the weakest points of the new network perimeter - devices that are routinely purchased by consumers but rarely monitored or patched - small office/home office (SOHO) routers," researchers from Black Lotus Labs, the threat intelligence arm of telecommunications company Lumen Technologies said in a recent report.

https://www.csoonline.com/article/3665912/apt-campaign-targeting-soho-routers-highlights-risks-to-remote-workers.html#tk.rss_news

Threats

Ransomware

• Lawyers Urged to Stop Advising Clients to Pay Ransomware Demands - Infosecurity Magazine

• Ransomware in 2022: Evolving threats, slow progress (techtarget.com)

• AstraLocker ransomware closes doors to pursue cryptojacking • The Register

• Ransomware gangs are feeling the crypto winter's impact | TechSpot

• LockBit explained: How it has become the most popular ransomware | CSO Online

• Hive ransomware gang turns to Rust, more complex encryption • The Register

• New RedAlert Ransomware targets Windows, Linux VMware ESXi servers (bleepingcomputer.com)

• Ransomware, hacking groups move from Cobalt Strike to Brute Ratel (bleepingcomputer.com)

• North Korean ransomware dubbed Maui active since May 2021 • The Register

• Hive Ransomware Upgrades to Rust for More Sophisticated Encryption Method (thehackernews.com)

• Ransomware, hacking groups move from Cobalt Strike to Brute Ratel (bleepingcomputer.com)

• New 'HavanaCrypt' Ransomware Distributed as Fake Google Software Update | SecurityWeek.Com

• As New Clues Emerges, Experts Wonder: Is REvil Back? (thehackernews.com)

• Researchers Detail Techniques LockBit Ransomware Using to Infect its Targets (thehackernews.com)

• New 0mega ransomware targets businesses in double-extortion attacks (bleepingcomputer.com)

• Feds wave red flag over Maui ransomware | CSO Online

• Evolution of the LockBit Ransomware operation relies on new techniques - Security Affairs

• AstraLocker ransomware shuts down and releases decryptors (bleepingcomputer.com)

• QNAP warns of new Checkmate ransomware targeting NAS devices (bleepingcomputer.com)

• Quantum ransomware attack affects 657 healthcare orgs (bleepingcomputer.com)

• How Conti ransomware group crippled Costa Rica — then fell apart | Financial Times (ft.com)

• Researchers Detail Techniques LockBit Ransomware Using to Infect its Targets (thehackernews.com)

• EternalBlue 5 years after WannaCry and NotPetya - SANS Internet Storm Center

Phishing & Email Based Attacks

• Fake copyright complaints push IcedID malware using Yandex Forms (bleepingcomputer.com)

• Spear Phishing Fake Job Offer Likely Behind Axie Infinity's Lazarus $600m Hack - Infosecurity Magazine (infosecurity-magazine.com)

Malware

• Hackers Exploiting Follina Bug to Deploy Rozena Backdoor (thehackernews.com)

• Dangerous new malware dances past more than 50 antivirus services | TechRadar

• Raspberry Robin campaign leverages compromised QNAP devicesSecurity Affairs

• Malware knocks IT services vendor SHI offline • The Register

• Near-undetectable malware linked to Russia's Cozy Bear • The Register

• New stealthy OrBit malware steals data from Linux devices (bleepingcomputer.com)

• Hackers are using YouTube videos to trick people into installing malware | TechRadar

Mobile

• This WhatsApp scam promises big, but just sends you into a spiral | ZDNet

• Android malware subscribes you to premium services without you knowing - GSMArena.com news

• Free smartphone stalkerware detection tool gets dedicated hub (bleepingcomputer.com)

• Four more apps that infected thousands of Android devices with malware removed from Google Play store | ZDNet

• Apple Debuts Spyware Protection for State-Sponsored Cyber Attacks (darkreading.com)

Internet of Things – IoT

• Vulnerability allows hackers to unlock and start Honda cars remotely | TechSpot

Data Breaches/Leaks

• Marriott Data Breach Exposes PII, Credit Cards (darkreading.com)

• Aon Hack Exposed Sensitive Information of 146,000 Customers - Infosecurity Magazine

• Hackers Claim to Have Stolen Police Data in China’s Largest Cyber Security Breach - Bloomberg

• Human Error Blamed for Leak of 1 Billion Records of Chinese Citizens | Threatpost

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

• Ransomware gangs are feeling the crypto winter's impact | TechSpot

• AstraLocker ransomware closes doors to pursue cryptojacking • The Register

• Hackers are using YouTube videos to trick people into installing malware | TechRadar

• PennyWise crypto-stealing malware spreads through YouTube (cointelegraph.com)

• US urges Japan to step up pressure on crypto miners with links to Russia | Financial Times (ft.com)

• Large-scale cryptomining campaign is targeting the NPM repositorySecurity Affairs

• ECB to warn eurozone countries over crypto regulation | Financial Times (ft.com)

• Microsoft Issue Updated Warning Against Known Cloud Threat Actor Group - IT Security Guru

Insider Risk and Insider Threats

• Human Error Blamed for Leak of 1 Billion Records of Chinese Citizens | Threatpost

• HackerOne incident raises concerns for insider threats (techtarget.com)

Fraud, Scams & Financial Crime

• Ukrainian police takes down phishing gang behind payments scam | ZDNet

Supply Chain and Third Parties

• Applying Shift Left principles to third party risk management - Help Net Security

Software Supply Chain

• NPM supply-chain attack impacts hundreds of websites and apps (bleepingcomputer.com)

Cloud/SaaS

• Microsoft Issue Updated Warning Against Known Cloud Threat Actor Group - IT Security Guru

• Cloud Misconfig Exposes 3TB of Sensitive Airport Data in Amazon S3 Bucket: 'Lives at Stake' (darkreading.com)

• What Do All of Those Cloud Cyber Security Acronyms Mean? (darkreading.com)

Identity and Access Management

• 6 signs your IAM strategy is failing, and how to fix it | CSO Online

Asset Management

• How a cyber asset management strategy can help enterprises detect threats - Help Net Security

Encryption

• Encryption is high up on corporate priority lists - Help Net Security

• Quantum-resistant encryption recommended for standardization • The Register

• The threat of quantum computing to sensitive data - Help Net Security

• Inside NIST's 4 Crypto Algorithms for a Post-Quantum World (darkreading.com)

• End-to-end encryption’s central role in modern self-defence | Ars Technica

API

• Why your API gateway is not enough for API security? - Help Net Security

Open Source

• Researchers Warn of New OrBit Linux Malware That Hijacks Execution Flow (thehackernews.com)

Social Media

• British Army Cyber Attack Reminds Businesses That Social Media Accounts Are Prime Targets (informationsecuritybuzz.com)

• Limp Facebook Policies – Do They Ignore Suffering And Crime! (informationsecuritybuzz.com)

Digital Transformation

• Cyber security is driving digital transformation in alternative investment institutions - Help Net Security

Travel

• Marriott suffered a new data breach, attackers stole 20GB of data - Security Affairs

Cyber Bullying and Cyber Stalking

• Free smartphone stalkerware detection tool gets dedicated hub (bleepingcomputer.com)

Regulations, Fines and Legislation

• ICO Set to Scale Back Public Sector Fines - Infosecurity Magazine

• ECB to warn eurozone countries over crypto regulation | Financial Times (ft.com)

• Wegmans hit with $400,000 data-breach penalty (democratandchronicle.com)

Models, Frameworks and Standards

• PCI DSS 4.0 released, addresses emerging threats and technologies - Help Net Security

Law Enforcement Action and Take Downs

• Ukrainian police takes down phishing gang behind payments scam | ZDNet

Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine

• Apple's New "Lockdown Mode" Protects iPhone, iPad, and Mac Against Spyware (thehackernews.com)

• Pro-Kremlin hackers Killnet hit Latvia with biggest cyber attack in its history | World | The Times

• TrickBot Gang Shifted its Focus on "Systematically" Targeting Ukraine (thehackernews.com)

• UK to combat Russia’s ‘hostile online warfare’ by forcing internet firms to remove disinformation | TechCrunch

• NATO Announce Plans to Develop Cyber Rapid Response Capabilities - IT Security Guru

• FBI and MI5 bosses: China cheats and steals at massive scale • The Register

• Hackers linked to the Chinese government increasingly target Russia, analysis suggests - CyberScoop

• In Switch, Trickbot Group Now Attacking Ukrainian Targets (darkreading.com)

• Apple Debuts Spyware Protection for State-Sponsored Cyber Attacks (darkreading.com)

Nation State Actors

Nation State Actors – Russia

• Russian Info Ops Ramp Up Effort to Divide West on Ukraine - Infosecurity Magazine

• Near-undetectable malware linked to Russia's Cozy Bear • The Register

Nation State Actors – China

• US and UK intelligence chiefs call for vigilance on China’s industrial spies | Financial Times (ft.com)

• China Censors What Could Be Biggest Data Hack in History (gizmodo.com)

• Hackers linked to the Chinese government increasingly target Russia, analysis suggests - CyberScoop

• China’s Cabinet Stresses Cyber Security After Data Leak - Bloomberg

• Security warning after sale of stolen Chinese data - BBC News

• Five accused of trying to silence China critics in US • The Register

• 50 Chinese students leave UK in three years after spy chiefs’ warning | Espionage | The Guardian

• More UK calls for ban of CCTV makers Hikvision, Dahua • The Register

Nation State Actors – North Korea

• Russian information operations focus on dividing Western coalition supporting Ukraine - CyberScoop

• North Korean ransomware dubbed Maui active since May 2021 • The Register

• Feds wave red flag over Maui ransomware | CSO Online

• Spear Phishing Fake Job Offer Likely Behind Axie Infinity's Lazarus $600m Hack - Infosecurity Magazine (infosecurity-magazine.com)

Nation State Actors – Iran

• Hacktivists claiming attack on Iranian steel facilities dump tranche of 'top secret documents' - CyberScoop

• Latest Cyber Attack Against Iran Part of Ongoing Campaign | Threatpost

Vulnerability Management

• Google: Half of zero-day exploits linked to poor software fixes | ZDNet

• Why Browser Vulnerabilities Are a Serious Threat — and How to Minimize Your Risk (darkreading.com)

Vulnerabilities

• Cisco and Fortinet Release Security Patches for Multiple Products (thehackernews.com)

• Google Patches Actively Exploited Chrome Bug | Threatpost

• OpenSSL version 3.0.5 fixes a flaw that could potentially lead to RCE - Security Affairs

• Apache “Commons Configuration” patches Log4Shell-style bug – what you need to know – Naked Security (sophos.com)

• Cisco fixed a critical arbitrary File Overwrite flaw in Enterprise Communication solutions - Security Affairs

• Cisco Releases 10 Security Patches For Expressway Series and TelePresence VCS Products - Infosecurity Magazine

• Django fixes SQL Injection vulnerability in new releases (bleepingcomputer.com)

• Google fixes the fourth Chrome zero-day in 2022 - Security Affairs - Security Affairs

• Tens of Jenkins plugins are affected by zero-day vulnerabilities - Security Affairs

• OpenSSL fixes two “one-liner” crypto bugs – what you need to know – Naked Security (sophos.com)

• Fortinet addressed multiple vulnerabilities in several products - Security Affairs

• There’s a Nasty Security Hole in the Apache Webserver – The New Stack

Sector Specific

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

We currently provide tailored threat intelligence based on the following sectors, additional sectors by arrangement:

• Automotive

• Construction

• Critical National Infrastructure (CNI)

• Defence & Space

• Education & Academia

• Energy & Utilities

• Estate Agencies

• Financial Services

• FinTech

• Food & Agriculture

• Gaming & Gambling

• Government & Public Sector (including Law Enforcement)

• Health/Medical/Pharma

• Hotels & Hospitality

• Insurance

• Legal

• Manufacturing

• Maritime

• Oil, Gas & Mining

• OT, ICS, IIoT, SCADA & Cyber-Physical Systems

• Retail & eCommerce

• Small and Medium Sized Businesses (SMBs)

• Startups

• Telecoms

• Third Sector & Charities

• Transport & Aviation

• Web3

Other News

• These are the cyber security threats of tomorrow that you should be thinking about today | ZDNet

• Rising threats spark scramble for cyber workers | The Hill

• Why Browser Vulnerabilities Are a Serious Threat — and How to Minimize Your Risk (darkreading.com)

• Microsoft rolls back plan to block macros by default • Graham Cluley

• Attacker groups adopt new penetration testing tool Brute Ratel | CSO Online

• Security tester says he broke into datacenter via toilets • The Register

• SQL injection, XSS vulnerabilities continue to plague organisations | CSO Online

• Endless cyber-threat pressure could leave security staff burnt out. Here's what you need to change | ZDNet

• Top 7 types of data security technology (techtarget.com)

• Imagination is key to effective data loss prevention - Help Net Security

• The Age of Collaborative Security: What Tens of Thousands of Machines Witness (thehackernews.com)

• Maintaining a sustainable strengthened cyber security posture - NCSC.GOV.UK

• Hacking the Crypto-Monetized Web (trendmicro.com)

• Reflections Of A Former Hacker: How Leaders Can Protect Their Business From Cyber Threats (forbes.com)

• Zero Trust Bolsters Our National Defence Against Rising Cyber Threats (darkreading.com)

• Security advisory accidentally exposes vulnerable systems (bleepingcomputer.com)

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

Microsoft Sees Rampant Log4j Exploit Attempts, Testing

Microsoft says it’s only going to get worse: It’s seen state-sponsored and cyber-criminal attackers probing systems for the Log4Shell flaw through the end of December.

No surprise here: The holidays bought no Log4Shell relief.

Threat actors vigorously launched exploit attempts and testing during the last weeks of December, Microsoft said on Monday, in the latest update to its landing page and guidance around the flaws in Apache’s Log4j logging library.

“We have observed many existing attackers adding exploits of these vulnerabilities in their existing malware kits and tactics, from coin miners to hands-on-keyboard attacks,” according to Microsoft.

https://threatpost.com/microsoft-rampant-log4j-exploits-testing/177358/

Warning: Log4j Still Lurks Where Dependency Analysis Can’t Find It

The best programming practice to include a third-party library in source code is to use the import command. It is the easiest way to do it, and it is also the way that most dependency analysis programs work to determine if a vulnerable library is in play. But any time code is included without calling it as an external package, traditional dependency analysis might not be enough to find it — including when Java coders use a common trick to resolve conflicting dependencies during the design process.

A new study by jFrog found that 400 packages on repository Maven Central used Log4j code without calling it as an external package. Around a third of that came from fat jars — jar files that include all external dependencies to make a more efficient product. The remainder came from directly inserting Log4j code into the source code, including shading, a work-around used when two or more dependencies call different versions of the same library in a way that might conflict.

While 400 may not seem like a lot for Maven Central, where Google found 17,000 packages implementing the vulnerable Log4j library, some of the 400 packages unearthed by JFrog are widely used.

https://www.scmagazine.com/analysis/devops/warning-log4j-still-lurks-where-dependency-analysis-cant-find-it

Hackers Sending Malware-Filled USB Sticks to Companies Disguised as Presents

The "malicious USB stick" trick is old but apparently it's still wildly popular with the crooks.

Word to the wise: If a stranger ever offers you a random USB stick as a gift, best not to take it.

On Thursday, the FBI warned that a hacker group has been using the US mail to send malware-laden USB drives to companies in the defence, transportation and insurance industries. The criminals’ hope is that employees will be gullible enough to stick them into their computers, thus creating the opportunity for ransomware attacks or the deployment of other malicious software, The Record reports.

The hacker group behind this bad behaviour—a group called FIN7—has gone to great lengths to make their parcels appear innocuous. In some cases, packages were dressed up as if they were sent by the US Department of Health and Human Services, with notes explaining that the drives contained important information about COVID-19 guidelines. In other cases, they were delivered as if they had been sent via Amazon, along with a “decorative gift box containing a fraudulent thank you letter, counterfeit gift card, and a USB,” according to the FBI warning.

https://gizmodo.com/hackers-have-been-sending-malware-filled-usb-sticks-to-1848323578

Patch Systems Vulnerable To Critical Log4j Flaws, UK And US Officials Warn

One of the highest-severity vulnerabilities in years, Log4Shell remains under attack.

Criminals are actively exploiting the high-severity Log4Shell vulnerability on servers running VMware Horizon in an attempt to install malware that allows them to gain full control of affected systems, the UK’s publicly funded healthcare system is warning.

CVE-2021-44228 is one of the most severe vulnerabilities to come to light in the past few years. It resides in Log4J, a system-logging code library used in thousands if not millions of third-party applications and websites. That means there is a huge base of vulnerable systems. Additionally, the vulnerability is extremely easy to exploit and allows attackers to install Web shells, which provide a command window for executing highly privileged commands on hacked servers.

The remote-code execution flaw in Log4J came to light in December after exploit code was released before a patch was available. Malicious hackers quickly began actively exploiting CVE-2021-44228 to compromise sensitive systems.

https://arstechnica.com/information-technology/2022/01/patch-systems-vulnerable-to-critical-log4j-flaws-uk-and-us-officials-warn/

‘Elephant Beetle’ Lurks For Months In Networks

The group blends into an environment before loading up trivial, thickly stacked, fraudulent financial transactions too tiny to be noticed but adding up to millions of dollars.

Researchers have identified a threat group that’s been quietly siphoning off millions of dollars from financial- and commerce-sector companies, spending months patiently studying their targets’ financial systems and slipping in fraudulent transactions amongst regular activity.

The Sygnia Incident Response team has been tracking the group, which it named Elephant Beetle, aka TG2003, for two years.

In a Wednesday report, the researchers called Elephant Beetle’s attack relentless, as the group has hidden “in plain sight” without the need to develop exploits.

https://threatpost.com/elephant-beetle-months-networks-financial/177393/

Sonicwall: Y2k22 Bug Hits Email Security, Firewall Products

SonicWall has confirmed today that some of its Email Security and firewall products have been hit by the Y2K22 bug, causing message log updates and junk box failures starting with January 1st, 2022.

The company says that email users and administrators will no longer be able to access the junk box or un-junk newly received emails on affected systems.

They will also no longer be able to trace incoming/outgoing emails using the message logs because they're no longer updated.

On January 2nd, SonicWall deployed updates to North American and European instances of Hosted Email Security, the company's cloud email security service.

It also released fixes for its on-premises Email Security Appliance (ES 10.0.15) and customers using firewalls with the Anti-Spam Junk Store functionality toggled on (Junk Store 7.6.9).

https://www.bleepingcomputer.com/news/security/sonicwall-y2k22-bug-hits-email-security-firewall-products/

Hackers Use Video Player To Steal Credit Cards From Over 100 Sites

Hackers used a cloud video hosting service to perform a supply chain attack on over one hundred real estate sites that injected malicious scripts to steal information inputted in website forms.

These scripts are known as skimmers or formjackers and are commonly injected into hacked websites to steal sensitive information entered into forms. Skimmers are commonly used on checkout pages for online stores to steal payment information.

In a new supply chain attack discovered by Palo Alto Networks Unit42, threat actors abused a cloud video hosting feature to inject skimmer code into a video player. When a website embeds that player, it embeds the malicious script, causing the site to become infected.

https://www.bleepingcomputer.com/news/security/hackers-use-video-player-to-steal-credit-cards-from-over-100-sites/

Cyber World Is Starting 2022 In Crisis Mode With The Log4j Bug

The cyber security world is starting off 2022 in crisis mode.

The newest culprit is the log4j software bug, which cyber security and Infrastructure Security Agency (CISA) Director Jen Easterly called “the most serious vulnerability I have seen in my decades-long career.” It forced many cyber security pros to work through the holidays to protect computer systems at Big Tech firms, large and small companies and government agencies.

But crises like log4j have become the norm rather than the exception during the past few years.

Last year kicked off with the SolarWinds hack — a Russian government operation that compromised reams of sensitive information from U.S. government agencies and corporations.

Digital threats of all sorts are growing far faster than the capability to defend against them. If past is prologue, 2022 is likely to be a year of big hacks, big threats and plenty more crises.

“We’re always in crisis is the long and short of it,” Jake Williams, a former National Security Agency (NSA) cyber operator and founder of the firm Rendition Infosec, told me. “Anyone looking for calm rather than the storm in cyber is in the wrong field.”

https://www.washingtonpost.com/politics/2022/01/03/cyber-world-is-starting-2022-crisis-mode-with-log4j-bug/

Everything You Need To Know About Ransomware Attacks and Gangs In 2022

Ransomware is a lucrative business for criminals. It is paying off, and it is working.

According to a recent Trend Micro report, a staggering 84% of US organisations experienced either a phishing or ransomware attack in the last year. The average ransomware payment was over $500,000.

Bad actors want to keep cashing in. So they’re going as far as creating ransomware kits as a service (Ransomware as a Service) to be sold on the dark web and even setting up fake companies to recruit potential employees.

Many ransomware gangs function like real companies — with marketing teams, websites, software development, user documentation, support forums and media relations.

If the “companies” run by ransomware gangs can operate with minimal expenses and mind-blowing revenues, what’s stopping them from growing in number and size?

https://securityintelligence.com/articles/ransomware-attacks-gangs-2022/

Why the Log4j Vulnerability Makes Endpoint Visibility and Zero Trust Security More Important Than Ever

The Apache Log4j vulnerability is one of the most serious vulnerabilities in recent years—putting millions of devices at risk.

IT organisations worldwide are still reeling from the discovery of a major security vulnerability in Apache Log4j, an open-source logging utility embedded in countless internal and commercial applications.

By submitting a carefully constructed variable string to log4j, attackers can take control of any application that includes log4j. Suddenly, cyber criminals around the world have a blueprint for launching attacks on everything from retail store kiosks to mission-critical applications in hospitals.

If security teams overlook even one instance of log4j in their software, they give attackers an opportunity to issue system commands at will. Attackers can use those commands to install ransomware, exfiltrate data, shut down operations — the list goes on.

How should enterprises respond to this pervasive threat?

https://www.cio.com/article/302868/why-the-log4j-vulnerability-makes-endpoint-visibility-and-zero-trust-security-more-important-than-ever.html

Threats

Ransomware

• Night Sky Is The Latest Ransomware Targeting Corporate Networks (bleepingcomputer.com)

• Counties In New Mexico, Arkansas Begin 2022 With Ransomware Attacks | ZDNet

• Ransomware Attack Affects The Websites Of 5,000 Schools - CNNPolitics

Phishing

• Google Docs Comments Weaponized in New Phishing Campaign (darkreading.com)

• US Arrests Suspect Who Stole Unpublished Books In Phishing Attacks (bleepingcomputer.com)

Malware

• FluBot Malware Now Targets Europe Posing As Flash Player App (bleepingcomputer.com)

• New Mac Malware Samples Underscore Growing Threat (darkreading.com)

• Purple Fox Rootkit Now Bundled With Telegram Installer | Malwarebytes Labs

• ‘Malsmoke’ Exploits Microsoft’s E-Signature Verification | Threatpost

Mobile

• Apple iPhone Malware Tactic Causes Fake Shutdowns to Enable Spying | Threatpost

IoT

• IoT's Importance is Growing Rapidly, But Its Security Is Still Weak | SecurityWeek.Com

Data Breaches/Leaks

• List Of Data Breaches And Cyber Attacks In December 2021 | 219M records (itgovernance.co.uk)

• Have I Been Pwned Warns Of DatPiff Data Breach Impacting Millions (bleepingcomputer.com)

• Morgan Stanley To Pay $60 Million To Resolve Data Security Lawsuit (Yahoo.Com)

Cryptocurrency/Cryptomining/Cryptojacking

• Report: $2.2 Billion In Cryptocurrency Stolen From DeFi Platforms In 2021 | ZDNet

• UK Police Seize £322m of Cryptocurrency in Past Five Years - Infosecurity Magazine

Fraud, Scams & Financial Crime

• Broker-Dealers Impersonators Stole $50 Million Using Spoofed Sites (bleepingcomputer.com)

• 'Sextortion' Leads To Financial Losses And Psychological Trauma. Here's What To Look Out For On Dating Apps (theconversation.com)

DoS/DDoS

• CDN Cache Poisoning Allows DoS Attacks Against Cloud Apps (darkreading.com)

OT, ICS, IIoT and SCADA

• Why The UK’s Energy Sector Is Fragile And Ripe To Cyber Attacks - Help Net Security

Nation State Actors

• Should Businesses Be Concerned About APT-Style Attacks? - Help Net Security

• MI6 Chief Thanks China For ‘Free Publicity’ After James Bond Spoof | China | The Guardian

• Log4j Vulnerabilities: New Patches And Nation-State Exploitation. (thecyberwire.com)

• North Korea-Linked Konni APT Targets Russian Diplomatic Bodies - Security Affairs

Privacy

• Swiss Army Bans All Chat Apps But Locally-Developed Threema (bleepingcomputer.com)

• France Fines Google, Facebook €210 Million Over Privacy Violating Tracking Cookies (thehackernews.com)

Passwords & Credential Stuffing

• 1.1M Compromised Accounts Found at 17 Major Companies | Threatpost

Spyware and Espionage

• US Counterintelligence Shares Tips To Block Spyware Attacks (bleepingcomputer.com)

Vulnerabilities

• Google Chrome Update Includes 37 Security Fixes | ZDNet

• Emergency Windows Server Update Fixes Remote Desktop Issues (bleepingcomputer.com)

• Microsoft Rolled Out Emergency Fix For Y2k22 Bug In Exchange Servers - Security Affairs

• VMware Fixed CVE-2021-22045 Heap-Overflow In Workstation, Fusion and ESXi - Security Affairs

• Latest WordPress Security Release Fixes XSS, SQL Injection Bugs | The Daily Swig (portswigger.net)

• Internet Bug Bounty: High Severity Vulnerability In Apache HTTP Server Could Lead To RCE | The Daily Swig (portswigger.net)

• QNAP: Get NAS Devices Off the Internet Now | Threatpost

• New Ubuntu Linux Kernel Security Updates Fix 9 Vulnerabilities, Patch Now - 9to5Linux

• JFrog Researchers Find JNDI Vulnerability In H2 Database Consoles Similar To Log4Shell | ZDNet

• Unpatched HomeKit Vulnerability Exposes iPhones, iPads to DoS Attacks | SecurityWeek.Com

Sector Specific

Defence

• FBI: Hackers Use BadUSB To Target Defence Firms With Ransomware (bleepingcomputer.com)

Health/Medical/Pharma Sector

• Are Medical Devices at Risk of Ransomware Attacks? (thehackernews.com)

Estate Agents

• Hackers Target Real Estate Websites with Skimmer in Latest Supply Chain Attack (thehackernews.com)

Other News

Log4j Flaw Attack Levels Remain High, Microsoft Warns | ZDNet

Cyber Attack Against UK Ministry of Defence Training Academy Revealed | ZDNet

API Security: Understanding The Next Top Attack Vector - Help Net Security

E-Waste Is a Cybersecurity Problem, Too - IEEE Spectrum

The Log4j Debacle Showed Again That Public Disclosure Of 0-Days Only Helps Attackers - Help Net Security

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.