Executive summary

PuTTY, popular with IT administrators as an open-source terminal emulator that supports SSH, telnet and other network file transfer protocols, is currently being exploited due to a weakness in how it generates cryptographic private keys. The exploitation of the flaw allows an attacker to gain access to the user’s private keys and achieve unauthorised access to SSH servers, with the potential for supply chain attacks if exploited. Cryptographic private keys are typically used and verified by a public key on a server, to ensure the users identity and communicate securely.

What’s the risk to me or my business?

Organisations using a vulnerable version of PuTTY or other software that utilises a vulnerable version are at risk of compromise and unauthorised access to their SSH servers, impacting the confidentiality, integrity and availability of the organisation.

It has been reported that to perform the exploit successfully and calculate a user’s private key, an attacker will need 58 signatures, which could be gained from different sources including signed Git commits or an attacker-owned SSH server which the victim logs in to.

The vulnerability impacts versions 068 to 0.80 of PuTTY, with a fix available in version 0.81.

In addition, the following third-party software has been confirmed as vulnerable, however more are likely to be identified as the full extent of the vulnerability becomes apparent:

FileZilla 3.24.1 – 3.66.5 (fixed in 3.67.0)

WinSCP 5.9.5 – 6.3.2 (fixed in 6.3.3)

TortoiseGit 2.4.0.2 – 2.15.0 (fixed in 2.15.0.1)

TortoiseSVN 1.10.0 – 1.14.6  (users are advised to configure TortoiseSVN to use Plink from the latest PuTTY 0.81 release until a patch becomes available)

What can I do?

Black Arrow recommends upgrading to PuTTY version 0.81, or later, immediately, where available. Organisations should also check if they are using any tools which implement a vulnerable version of PuTTY, this could be achieved with a network vulnerability scan across affected information assets. In addition to the above, organisations should assess if they have any signed Git commits, as these may be used by attackers to gain the signatures required to exploit the vulnerability.

If your organisation has identified the use of any NIST p521 keys generated by a vulnerable version of the tool, they should be replaced by new secure keys immediately, and again following identification and applying updates to affected vulnerable versions.

Technical Summary

CVE-2024-31497- A vulnerability in PuTTY that can allow attackers to recover private keys. The impacted key type is is 521-bit ECDSA, also known as NIST p521.

Need help understanding your gaps, or just want some advice? Get in touch with us.

#threatadvisory #threatintelligence #cybersecurity

Further information can be found here:

https://www.openwall.com/lists/oss-security/2024/04/15/6

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

• Cyber Security Industry Still Fighting to Recruit and Retain Talent

Cyber security teams are struggling to find the right talent, with the right skills, and to retain experienced employees. The situation is only likely to worsen, as inflation and a tight labour market push up wages. Universities produce graduates with a strong focus on technical knowledge, but not always the broader skills they need to operate in a business environment. This includes the lack of communications skills, understanding of how businesses operate and even emotional intelligence. One solution is to outsource to a corporate cyber security provider or outsource to infill shortages whilst trying to recruit permanent staff.

https://www.infosecurity-magazine.com/news/cybersecurity-industry-recruit/

• How the MOVEit Breach Shows Hackers' Interest in Corporate File Transfer Tools

The world of managed file transfer (MFT) software has become a lucrative target for ransom-seeking hackers, with significant breaches including those of Accellion Inc's File Transfer Appliance in 2021 and Fortra's GoAnywhere MFT earlier this year. These MFT programs, corporate versions of popular file sharing programs like Dropbox or WeTransfer, are highly desirable to hackers for the sensitive data they often transfer between organisations and partners. The recent mass compromise tied to Progress Software Corp's MOVEit transfer product has prompted governments and companies worldwide to scramble in response.

Hackers are shifting their tactics, with an increasing focus on MFT programs which typically face the open internet, making them more vulnerable to breaches. Once inside these file transfer points, hackers have direct access to a wealth of data. In addition, there's a noticeable shift from ransomware groups encrypting a company's network and demanding payment to unscramble it, to a simpler tactic of pure extortion by threatening to leak the data.

https://www.reuters.com/technology/how-moveit-breach-shows-hackers-interest-corporate-file-transfer-tools-2023-06-16/

• Attackers Discovering Exposed Cloud Assets within Minutes

The shift to cloud services, increased remote work, and reliance on third-parties has led to widespread use of Software-as-a-Service (SaaS) applications. This has also opened avenues for attackers to exploit weak security configurations and identities. Over the past year, attackers have intercepted authorisation tokens, bypassed multifactor authentication, and exploited misconfigured systems, targeting critical applications like GitHub, Microsoft 365, Google Workspace, Slack, and Okta. A study revealed alarmingly fast rates of breach discovery and compromise of exposed cloud assets, with assets being discovered within as little as two minutes for some and others within an hour.

https://www.techtarget.com/searchsecurity/news/366542352/Attackers-discovering-exposed-cloud-assets-within-minutes

https://www.darkreading.com/dr-tech/growing-saas-usage-means-larger-attack-surface

• Majority of Users Neglect Best Password Practices

The latest Password Management Report by Keeper Security has shed light on the concerning state of password security practices. The survey found that only 25% of respondents used solid and unique passwords. In comparison, 34% admitted to using repeat variations of passwords, and 30% still relied on simple and easily guessable passwords. The survey also found that 44% of individuals who claimed to have well-managed passwords still admitted to using repeated variations, while 20% acknowledged having had at least one password involved in a data breach or available on the dark web. The document also revealed that 35% of respondents feel overwhelmed when it comes to improving their cyber security. Furthermore, 10% admitted to neglecting password management altogether. More generally, Keeper Security said the survey’s findings highlight a significant gap between perception and reality regarding password security.

https://www.infosecurity-magazine.com/news/users-neglect-best-password/

• One in Three Workers Susceptible to Phishing

More than one in three workers in the UK and Ireland are susceptible to falling for phishing attacks, according to the new 2023 Phishing by Industry Benchmarking Report by KnowBe4. The study found that 35% of users who had received no security training were prone to clicking on suspicious links or engaging in fraudulent actions. Regular training and continual reinforcement can get this figure down but even with training very few organisations ever get click rates down to zero, and you only need one person to click to cause potentially devastating consequences.

Globally, ransomware was responsible for 24% of all data breaches in 2023, with human error accounting for 74% of these incidents. Phishing attacks can often lead to significant reputational damage, financial loss and disruption to business operations.

https://www.infosecurity-magazine.com/news/one-in-three-phishing/

• Ransomware Misconceptions Abound, to the Benefit of Attackers

There is a common ransomware misperception that there's no capability to fight this all too common hostage taking of business data. This is not true. Proactive organisations are increasingly making more strategic use of threat intelligence to prevent or disrupt attacks.

Ransomware has evolved into a massive, often state-sponsored, industry where operators buy, develop, and resell ransomware code, infiltrate networks, and collect ransoms. The perception that a speedy response is critical to prevent data encryption and loss is outdated; attackers now focus on data exfiltration, using ransomware as a distraction. They often target smaller organisations that are linked to larger ones through supply chains, using them as stepping stones. It is important to use in-depth defence measures, including email security to prevent phishing and efficient detection and response systems to identify and recover from changes.

https://www.darkreading.com/vulnerabilities-threats/ransomware-misconceptions-abound-to-the-benefit-of-attackers

• Threat Actors Scale and Commoditise Uncommon Tools and Techniques

Proofpoint’s 2023 Human Factor report highlights significant developments in the cyber attack landscape in 2022. Following two years of pandemic-induced disruption, cyber criminals returned to their usual operations, honing their social engineering skills and commoditising once sophisticated attack techniques. There was a noticeable increase in brute-force and targeted attacks on cloud tenants, conversational smishing attacks, and multifactor authentication (MFA) bypasses. Microsoft 365 formed a large part of organisations' attack surfaces and faced broad abuse, from Office macros to OneNote documents.

Despite some advances in security controls, threat actors continue to innovate and scale their bypasses. Techniques like MFA bypass and telephone-oriented attack delivery are now commonplace. Attackers consistently exploit people, who remain the most critical variable in the attack chain.

https://www.proofpoint.com/uk/newsroom/press-releases/proofpoints-2023-human-factor-report-threat-actors-scale-and-commoditise

• Goodbyes are Difficult, IT Offboarding Processes Make Them Harder

A recent survey found that 68% of organisations recognise the offboarding process as a major cyber security risk, but only 36% have adequate controls in place to secure data access when employees depart. The study revealed that 60% of organisations have discovered former employees still had access to corporate applications after leaving, and 52% have had security incidents linked to former employees. Interestingly, IT professionals are not always alerted when employees leave, leading to access not being revoked and IT assets being mishandled 34% of the time.

https://www.helpnetsecurity.com/2023/06/19/it-offboarding-processes/

• Security Budget Hikes are Missing the Mark, CISOs Say

Misguided expectations on security spend are causing problems for CISOs despite notable budget increases. A recent report found that while most CISOs are experiencing noteworthy increases in security funding, impractical expectations of budget holders are leading to significant amounts being spent on what’s hitting the headlines instead of strategic, business-centric investment in security defences. This lack of understanding shows that a lot of work needs to be done to ensure that information security receives the attention it deserves, especially in the boardroom.

The report found that just 9% of CISOs said information security is always in the top three priorities on the boardroom’s meeting agenda, and less than a quarter (22%) of CISOs are actively participating in business strategy and decision-making processes. Talking to the board about cyber security in a way that is productive can be a significant challenge for CISOs, and failing to do so effectively can result in confusion, disillusionment, and a lack of cohesion among directors, the security function, and the rest of the organisation.

https://www.csoonline.com/article/3700073/security-budget-hikes-are-missing-the-mark-cisos-say.html

https://www.helpnetsecurity.com/2023/06/22/average-cybersecurity-budget-increase/

• Understanding Cyber Resilience: Building a Holistic Approach to Cyber Security

In today’s interconnected world, the threat of cyber attacks is a constant concern for organisations of all sizes and across all industries. Cyber resilience entails not only making it difficult for attackers to infiltrate your systems but also ensuring that your organisation can bounce back quickly and continue operations successfully.

Cyber resilience offers a holistic approach to cyber security, emphasising the ability to withstand and recover from cyber attacks. By adopting the right mindset, leveraging advanced technology, addressing cyber hygiene, and measuring key metrics, organisations can enhance their cyber resilience. Additionally, collaboration within industries and proactive board engagement are crucial for effective risk management. As cyber threats continue to evolve, organisations must prioritise cyber resilience as an ongoing journey, continuously adapting and refining their strategies to stay ahead of malicious actors.

https://informationsecuritybuzz.com/understanding-cyber-resilience-building-a-holistic-approach-to-cybersecurity/

• Emerging Ransomware Group 8Base Releasing Confidential Data from SMBs Globally

A ransomware group that operated under the radar for over a year has come to light in recent weeks, thanks to a series of business data leaks on the Dark Web. Since at least April 2022, 8base has been conducting double-extortion attacks against small and midsized businesses (SMBs). It all came to a head in May, when the group dumped data belonging to 67 organisations on the cyber underground.

Not much is known yet about the group's tactics, techniques, and procedures (TTPs), likely due to the low profile of their victims. The victims span science and technology, manufacturing, retail, construction, healthcare, and more, with victims from as far afield as India, Peru, Madagascar and Brazil, amongst others.

https://www.darkreading.com/vulnerabilities-threats/emerging-ransomware-8base-doxxes-smbs-globally

• Financial Firms to Build Resilience in Face of Growing Cyber-Threats

Cyber resilience is now a key component of operational resilience for the UK’s financial markets, according to a Bank of England official. Cyber attacks have increased by 38% in 2022, and the range of firms and organisations being impacted seems to grow broader and broader.

Regulators want to see how financial firms will cope with an attack, and its impact on the wider financial services ecosystem. Similar work is being done at an international level by the G7, which has its own cyber expert group. In the UK, the main tools for improving resilience are threat intelligence sharing, better coordination between firms, regulators, the Bank and the Treasury, and penetration testing including CBEST. Financial services firms should have scenario specific playbooks, to set out how to contain intruders and stop them spreading to clients and counterparties. In the past, simulation exercises have been used to model terrorist incidents and pandemics and they are now being used to model cyber attacks.

https://www.infosecurity-magazine.com/news/financial-firms-to-build-resilience/

• Fulfilling Expected SEC Requirements for Cyber Security Expertise at Board Level

The US Securities and Exchange Commission (SEC) is expected to introduce a rule requiring demonstration of cyber security expertise at the board level for public companies. A recent study found that currently up to 90% of companies in the Russell 3000 lack even a single director with the necessary cyber expertise. The simplest and speediest solution would be to promote the existing CISO, provided they have the appropriate qualities and experience, to the board but that would require transplanting a focused operational executive into a strategic business advisory role. A credible alternative is to bring in a cyber focused Non-Executive Director with the appropriate skills and experience.

https://www.securityweek.com/fulfilling-expected-sec-requirements-for-cybersecurity-expertise-at-board-level/

Governance, Risk and Compliance

• Why assessing third parties for security risk is still an unsolved problem | CSO Online

• How DORA Will Force Financial Firms to Adopt Cyber Resilience - Infosecurity Magazine (infosecurity-magazine.com)

• Navigating the Complex World of Cyber security Compliance - MSSP Alert

• Security budget hikes are missing the mark, CISOs say | CSO Online

• Understanding Cyber Resilience: Building A Holistic Approach To Cyber security (informationsecuritybuzz.com)

• How to Weather the Coming Cyber security Storm - Infosecurity Magazine (infosecurity-magazine.com)

• Certifications are no guarantee of security - Infosecurity Magazine (infosecurity-magazine.com)

• Increased spending doesn't translate to improved cyber security posture - Help Net Security

• Placing People & Realism at the Center of Your Cyber security Strategy (darkreading.com)

• CISOs’ New Stressors Brought on by Digitalization: Report - SecurityWeek

• Fulfilling Expected SEC Requirements for Cyber security Expertise at Board Level - SecurityWeek

• Decrypting Cyber Risk Quantification (trendmicro.com)

• From details to big picture: how to improve security effectiveness | CIO

• IT Staff Increasingly Saddled with Data Protection Compliance (darkreading.com)

Threats

Ransomware, Extortion and Destructive Attacks

• Explainer: How MOVEit breach shows hackers' interest in corporate file transfer tools | Reuters

• Embattled consulting firm PwC swept up in global cyber breach of file service MOVEit by cyber crime group C10p (afr.com)

• Ransomware Misconceptions Abound, to the Benefit of Attackers (darkreading.com)

• US Offers $10m Reward For MOVEit Attackers - Infosecurity Magazine (infosecurity-magazine.com)

• Data leak at Australian law firm spooks government, business • The Register

• Moveit hack: attack on BBC and BA offers glimpse into the future of cyber crime (theconversation.com)

• Fresh Ransomware Gangs Emerge As Market Leaders Decline (darkreading.com)

• Emerging Ransomware Group 8Base Doxxes SMBs Globally (darkreading.com)

• A Russian national charged for committing LockBit Ransomware attacks - Security Affairs

• Rorschach Ransomware: What You Need to Know (darkreading.com)

• Ransomware is only getting faster: Six steps to a stronger defence (bleepingcomputer.com)

• Ransomware gang preys on cancer centers, triggers alert | SC Media (scmagazine.com)

• Ransomware attacks pose communications dilemmas for local governments | CSO Online

• LockBit Developing Ransomware for Apple M1 Chips, Embedded Systems (darkreading.com)

Ransomware Victims

• MOVEit victim list | KonBriefing.com

• PwC and EY impacted by MOVEit cyber attack (cshub.com)

• Australian Government Says Its Data Was Stolen in Law Firm Ransomware Attack - SecurityWeek

• Hackers threaten to release photos of Beverly Hills plastic surgery patients (bitdefender.com)

• Norton Parent Says Employee Data Stolen in MOVEit Ransomware Attack - SecurityWeek

• BlackCat gang threatens to leak plastic surgery photos • The Register

• Reddit confirms BlackCat ransomware gang stole its data • The Register

• Adur and Worthing Councils investigating after contractor data breach | The Argus

• Iowa’s largest school district confirms ransomware attack, data theft (bleepingcomputer.com)

• Hackers warn University of Manchester students’ of imminent data leak (bleepingcomputer.com)

• MOVEit cyber attack: US Energy Department gets two ransom notices as MOVEit hack claims more victims - The Economic Times (indiatimes.com)

• USDA is investigating a 'possible data breach' related to global Russian cyber criminal hack | CNN

• Avast, Norton Parent Latest Victim of MOVEit Ransomware Attacks (darkreading.com)

• MOVEit Vulnerability Breaches Targeted Fed Agencies (trendmicro.com)

Phishing & Email Based Attacks

• One in Three UK&I Workers Susceptible to Phishing - Infosecurity Magazine (infosecurity-magazine.com)

• Cyber crime: what does psychology have to do with phishing? – podcast | Science | The Guardian

• Hackers Will Be Quick to Bypass Gmail's Blue Check Verification System (darkreading.com)

• UPS discloses data breach after exposed customer info used in SMS phishing (bleepingcomputer.com)

• Insurance companies neglect basic email security - Help Net Security

Other Social Engineering; Smishing, Vishing, etc

• The Simplest Social Engineering Hack Of Them All | Hackaday

• Attackers Create Synthetic Security Researchers to Steal IP (darkreading.com)

Artificial Intelligence

• Civil servants told not to share state secrets with ChatGPT, leaked guidance reveals (telegraph.co.uk)

• How generative AI is creating new classes of security threats | VentureBeat

• Over 100,000 Stolen ChatGPT Account Credentials Sold on Dark Web Marketplaces (thehackernews.com)

• ‘With hackers adopting AI, it’s a cat-and-mouse game’ | Mint (livemint.com)

• ChatGPT and data protection laws: Compliance challenges for businesses - Help Net Security

• Biden Discusses Risks and Promises of Artificial Intelligence With Tech Leaders in San Francisco - SecurityWeek

• The next wave of cyber threats: Defending your company against cyber criminals empowered by generative AI | VentureBeat

• Google Tells Employees to Stay Away from Its Bard Chatbot (gizmodo.com)

Malware

• Experts Uncover Year-Long Cyber Attack on IT Firm Utilising Custom Malware RDStealer (thehackernews.com)

• Attacker seizes abandoned S3 bucket to launch malicious payloads | SC Media (scmagazine.com)

• Hackers use fake OnlyFans pics to drop info-stealing malware (bleepingcomputer.com)

• Researchers Discover New Sophisticated Toolkit Targeting Apple macOS Systems (thehackernews.com)

• Mysterious Mystic Stealer Spreads Like Wildfire in Mere Months (darkreading.com)

• Hackers infect Linux SSH servers with Tsunami botnet malware (bleepingcomputer.com)

• To kill BlackLotus malware, patching is a good start, but... • The Register

• Microsoft Teams bug allows malware delivery from external accounts (bleepingcomputer.com)

• APT37 hackers deploy new FadeStealer eavesdropping malware (bleepingcomputer.com)

• ScarCruft Hackers Exploit Ably Service for Stealthy Wiretapping Attacks (thehackernews.com)

• Chinese Hacker Group 'Flea' Targets American Ministries with Graphican Backdoor (thehackernews.com)

• USB Drives Spread Spyware as China's Mustang Panda APT Goes Global (darkreading.com)

• NSA shares tips on blocking BlackLotus UEFI malware attacks (bleepingcomputer.com)

• Chinese malware accidentally infects networked storage • The Register

• ChamelDoH: New Linux Backdoor Utilising DNS-over-HTTPS Tunneling for Covert CnC (thehackernews.com)

Mobile

• New Version of Android GravityRAT Spyware Targets WhatsApp Backups - Infosecurity Magazine (infosecurity-magazine.com)

• SMS delivery reports can be used to infer recipient's location (bleepingcomputer.com)

• Apple fixes zero-days used to deploy Triangulation spyware via iMessage (bleepingcomputer.com)

• This Android app with over 50,000 installs steals your files and microphone recordings — what to do | Tom's Guide (tomsguide.com)

• Android spyware camouflaged as VPN, chat apps on Google Play (bleepingcomputer.com)

Botnets

• Romanian cyber crime gang Diicot builds DDoS botnet with Mirai variant | CSO Online

• New Condi malware builds DDoS botnet out of TP-Link AX21 routers (bleepingcomputer.com)

• Hackers infect Linux SSH servers with Tsunami botnet malware (bleepingcomputer.com)

• Mirai botnet targets 22 flaws in D-Link, Zyxel, Netgear devices (bleepingcomputer.com)

Denial of Service/DoS/DDOS

• Police crack down on DDoS-for-hire service active since 2013 (bleepingcomputer.com)

• Hackers behind Microsoft outage most likely Russian-backed group aiming to ‘drive division’ in the west | Cyber crime | The Guardian

• European Investment Bank hit by cyber attack after Russian hackers vow to bring down financial system (telegraph.co.uk)

• New Condi malware builds DDoS botnet out of TP-Link AX21 routers (bleepingcomputer.com)

• Zeeland port website hit by DDOS attack, possibly by Russian hackers | NL Times

• From Cryptojacking to DDoS Attacks: Diicot Expands Tactics with Cayosin Botnet (thehackernews.com)

Internet of Things – IoT

• Thousands left vulnerable after severe weakness is discovered in home security system's mobile app | TechSpot

• Romanian cyber crime gang Diicot builds DDoS botnet with Mirai variant | CSO Online

• Smart Pet Feeders Expose Personal Data - Infosecurity Magazine (infosecurity-magazine.com)

• Security for embedded devices is ignored by too many companies, expert says | Fierce Electronics

• Our cities are becoming increasingly automated—and we’re not ready (fastcompany.com)

• US Military Personnel Receiving Unsolicited, Suspicious Smartwatches - SecurityWeek

• Mirai botnet targets 22 flaws in D-Link, Zyxel, Netgear devices (bleepingcomputer.com)

Data Breaches/Leaks

• Data leak at Australian law firm spooks government, business • The Register

• Australian Government Says Its Data Was Stolen in Law Firm Ransomware Attack - SecurityWeek

• 3CX data exposed, third-party to blame - Security Affairs

• Mondelez says crooks stole staff data in security breach • The Register

• UPS discloses data breach after exposed customer info used in SMS phishing (bleepingcomputer.com)

• Reddit hackers threaten to leak data stolen in February breach (bleepingcomputer.com)

• Australia Inc roiled by raft of cyber attacks since late 2022 - The Economic Times (indiatimes.com)

• SSD missing from SAP datacenter turns up on eBay • The Register

• Millions of UK University Credentials Found on Dark Web - Infosecurity Magazine (infosecurity-magazine.com)

• Smart Pet Feeders Expose Personal Data - Infosecurity Magazine (infosecurity-magazine.com)

• Hackers warn University of Manchester students’ of imminent data leak (bleepingcomputer.com)

Organised Crime & Criminal Actors

• Darknet Parliament is now a thing | Cybernews

• Crypto and Cyber Security: A Complex Relationship (analyticsinsight.net)

• Moveit hack: attack on BBC and BA offers glimpse into the future of cyber crime (theconversation.com)

• Cyber attackers Got More Creative Post-Pandemic, Proofpoint Study Finds - MSSP Alert

• The Great Exodus to Telegram: A Tour of the New Cyber crime Underground (bleepingcomputer.com)

• Cyber crime Doesn't Take a Vacation (darkreading.com)

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

• Crypto and Cyber Security: A Complex Relationship (analyticsinsight.net)

• Blockchain security: Everything you should know for safe use | TechTarget

• From Cryptojacking to DDoS Attacks: Diicot Expands Tactics with Cayosin Botnet (thehackernews.com)

Insider Risk and Insider Threats

• Cost-of-Living Crisis increasing chances of Insider threats - IT Security Guru

• Preventing breaches through cyber awareness: How every federal employee contributes to cyber security | Federal News Network

Fraud, Scams & Financial Crime

• Influencers in firing line as France tackles scams - BBC News

• Keep Job Scams From Hurting Your Organisation (darkreading.com)

• Job Seekers, Look Out for Job Scams (darkreading.com)

Impersonation Attacks

• Attackers Create Synthetic Security Researchers to Steal IP (darkreading.com)

AML/CFT/Sanctions

• EU agrees new sanctions against Russia, targeting Chinese companies suspected of circumvention | Euronews

Dark Web

• Darknet Parliament is now a thing | Cybernews

• Over 100,000 Stolen ChatGPT Account Credentials Sold on Dark Web Marketplaces (thehackernews.com)

• Millions of UK University Credentials Found on Dark Web - Infosecurity Magazine (infosecurity-magazine.com)

Supply Chain and Third Parties

• Capita faces first legal Letter of Claim over mega breach • The Register

• Why assessing third parties for security risk is still an unsolved problem | CSO Online

• 3CX data exposed, third-party to blame - Security Affairs

• Mondelez says crooks stole staff data in security breach • The Register

• Untangling the web of supply chain security with Tony Turner - Help Net Security

Software Supply Chain

• CISA SBOM standards efforts stymied by confusion, inertia | TechTarget

Cloud/SaaS

• Growing SaaS Usage Means Larger Attack Surface (darkreading.com)

• Explainer: How MOVEit breach shows hackers' interest in corporate file transfer tools | Reuters

• A new threat to financial stability lurks in the cloud | Financial Times (ft.com)

• Cloud CISO Perspectives: Early June 2023 | Google Cloud Blog

• Hackers behind Microsoft outage most likely Russian-backed group aiming to ‘drive division’ in the west | Cyber crime | The Guardian

• Western Digital Blocks Unpatched Devices From Cloud Services - SecurityWeek

• Attacker seizes abandoned S3 bucket to launch malicious payloads | SC Media (scmagazine.com)

• Attackers discovering exposed cloud assets within minutes | TechTarget

• Cloud-native security hinges on open source - Help Net Security

• Hybrid Microsoft network/cloud legacy settings may impact your future security posture | CSO Online

• US cyber ambassador says China can win on AI, cloud • The Register

Hybrid/Remote Working

• Home working puts confidential data at risk, GCHQ warns law firms (telegraph.co.uk)

Shadow IT

• Ending the ‘forever war’ against shadow IT | CIO

Identity and Access Management

• The future of passwords and authentication - Help Net Security

Encryption

• Intel to start shipping a quantum processor | Ars Technica

• Quantum hacking alert: Critical vulnerabilities found in quantum key distribution (techxplore.com)

• The US Navy, NATO, and NASA are using a shady Chinese company’s encryption chips | Ars Technica

• Physics - Long-Range Quantum Cryptography Gets Simpler (aps.org)

API

• Why API Security Could Be the Next Big Thing in Cyber - Infosecurity Magazine (infosecurity-magazine.com)

Open Source

• Hackers infect Linux SSH servers with Tsunami botnet malware (bleepingcomputer.com)

• Beware bad passwords as attackers co-opt Linux servers into cyber crime – Naked Security (sophos.com)

• Cloud-native security hinges on open source - Help Net Security

• ChamelDoH: New Linux Backdoor Utilising DNS-over-HTTPS Tunneling for Covert CnC (thehackernews.com)

Passwords, Credential Stuffing & Brute Force Attacks

• Majority of Users Neglect Best Password Practices: Keeper Security - Infosecurity Magazine (infosecurity-magazine.com)

• Forging a Path to Account Takeover: Copy Password Reset Link Vulnerability worth $$$$. | by Manav Bankatwala | Jun, 2023 | InfoSec Write-ups (infosecwriteups.com)

• The future of passwords and authentication - Help Net Security

• These are the most hacked passwords. Is yours on the list? | ZDNET

• Beware bad passwords as attackers co-opt Linux servers into cyber crime – Naked Security (sophos.com)

Social Media

• Influencers in firing line as France tackles scams - BBC News

• Reddit hackers threaten to leak data stolen in February breach (bleepingcomputer.com)

Training, Education and Awareness

• Preventing breaches through cyber awareness: How every federal employee contributes to cyber security | Federal News Network

• Security Training Fail Impacting Digital Transformation - Infosecurity Magazine (infosecurity-magazine.com)

• Security Training Needs to Nudge, Not Nag - Infosecurity Magazine (infosecurity-magazine.com)

Digital Transformation

• Security Training Fail Impacting Digital Transformation - Infosecurity Magazine (infosecurity-magazine.com)

Regulations, Fines and Legislation

• ChatGPT and data protection laws: Compliance challenges for businesses - Help Net Security

• Bill allowing CISA to assist foreign governments passes Senate committee | SC Media (scmagazine.com)

• Fulfilling Expected SEC Requirements for Cyber security Expertise at Board Level - SecurityWeek

Models, Frameworks and Standards

• The significance of CIS Control mapping in the 2023 Verizon DBIR - Help Net Security

• What is PCI Compliance? 12 Requirements and More Explained | Definition from TechTarget

Secure Disposal

• SSD missing from SAP datacenter turns up on eBay • The Register

Data Protection

• ChatGPT and data protection laws: Compliance challenges for businesses - Help Net Security

• Consumer Data: The Risk and Reward for Manufacturing Companies (darkreading.com)

• IT Staff Increasingly Saddled with Data Protection Compliance (darkreading.com)

Careers, Working in Cyber and Information Security

• 8 notable entry-level cyber security career and skills initiatives in 2023 | CSO Online

• UK military is struggling to recruit tech experts, says report | Financial Times (ft.com)

• Certifications are no guarantee of security - Infosecurity Magazine (infosecurity-magazine.com)

• The Quintessential Toolkit: Five Essential Skills For Advancing In The Cyber security Realm (informationsecuritybuzz.com)

• Cyber security Industry Still Fighting to Recruit and Retain Talent - Infosecurity Magazine (infosecurity-magazine.com)

• It’s Time to Think Creatively to Combat Skills Shortages - Infosecurity Magazine (infosecurity-magazine.com)

• Google announces $20 million investment for cyber clinics | CyberScoop

Law Enforcement Action and Take Downs

• Police crack down on DDoS-for-hire service active since 2013 (bleepingcomputer.com)

• Megaupload duo will go to prison at last, but Kim Dotcom fights on… – Naked Security (sophos.com)

• A Russian national charged for committing LockBit Ransomware attacks - Security Affairs

Privacy, Surveillance and Mass Monitoring

• SMS delivery reports can be used to infer recipient's location (bleepingcomputer.com)

• US Military Personnel Receiving Unsolicited, Suspicious Smartwatches - SecurityWeek

Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine

• Killnet Threatens Imminent SWIFT, World Banking Attacks (darkreading.com)

• A Newly Named Group of GRU Hackers is Wreaking Havoc in Ukraine | WIRED

• Hackers behind Microsoft outage most likely Russian-backed group aiming to ‘drive division’ in the west | Cyber crime | The Guardian

• UK Pledges Millions in Cyber-Defence Aid to Ukraine - Infosecurity Magazine (infosecurity-magazine.com)

• European Investment Bank hit by cyber attack after Russian hackers vow to bring down financial system (telegraph.co.uk)

• Russia sent its reserve team to wipe Ukrainian hard drives • The Register

• Russian APT Group Caught Hacking Roundcube Email Servers - SecurityWeek

• Hacktivist group Anonymous Sudan a ‘bear in wolf’s clothing’ | SC Media (scmagazine.com)

• Russian APT28 hackers breach Ukrainian govt email servers (bleepingcomputer.com)

• Strategies for staying ahead of modern cyber warfare - CyberTalk

• German intelligence services point to increased hybrid security threats – EURACTIV.com

Nation State Actors

• Microsoft Pins Early June DDoS Attacks on Russian-linked Cyber Crew - MSSP Alert

• US DOJ Launches Cyber Unit to Prosecute Nation-State Threat Actors - SecurityWeek

• Cooperation or Competition? China’s Security Industry Sees the US, Not AI, as the Bigger Threat - SecurityWeek

• US Military Personnel Receiving Unsolicited, Suspicious Smartwatches - SecurityWeek

• USB Drives Spread Spyware as China's Mustang Panda APT Goes Global (darkreading.com)

• CISA orders govt agencies to patch bugs exploited by Russian hackers (bleepingcomputer.com)

• US Cyber Ambassador says China can win on AI, cloud • The Register

• Cadet Blizzard emerges as a novel and distinct Russian threat actor | Microsoft Security Blog

• State-Backed Hackers Employ Advanced Methods to Target Middle Eastern and African Governments (thehackernews.com)

• The Israeli weapons and spyware falling into the hands of despots | Financial Times (ft.com)

• The US Navy, NATO, and NASA are using a shady Chinese company’s encryption chips | Ars Technica

• Zeeland port website hit by DDOS attack, possibly by Russian hackers | NL Times

• A Russian national charged for committing LockBit Ransomware attacks - Security Affairs

• Hacktivist group Anonymous Sudan a ‘bear in wolf’s clothing’ | SC Media (scmagazine.com)

• APT37 hackers deploy new FadeStealer eavesdropping malware (bleepingcomputer.com)

• ScarCruft Hackers Exploit Ably Service for Stealthy Wiretapping Attacks (thehackernews.com)

• 20-Year-Old Chinese APT15 Finds New Life in Foreign Ministry Attacks (darkreading.com)

• Chinese Hacker Group 'Flea' Targets American Ministries with Graphican Backdoor (thehackernews.com)

• North Korean APT targets defectors, activists with infostealer malware | SC Media (scmagazine.com)

• RedEyes Group Targets Individuals with Wiretapping Malware - Infosecurity Magazine (infosecurity-magazine.com)

• US Justice Department Launches New National Security Cyber Section - Infosecurity Magazine (infosecurity-magazine.com)

• China-sponsored APT group targets government ministries in the Americas | CSO Online

• Chinese malware accidentally infects networked storage • The Register

• Trellix Detects Leading Threat Actor Countries Behind Nation-State Activity - MSSP Alert

Vulnerability Management

• Guess what happened to this US agency that didn't patch? • The Register

• EU Council mulls pan-European platform to handle cyber vulnerabilities – EURACTIV.com

• The Benefits of Red Zone Threat Intelligence - SecurityWeek

Vulnerabilities

• VMware warns of critical vRealize flaw exploited in attacks (bleepingcomputer.com)

• Microsoft Teams Vulnerability: The GIFShell Attack (latesthackingnews.com)

• Zero-Day Alert: Apple Releases Patches for Actively Exploited Flaws in iOS, macOS, and Safari (thehackernews.com)

• Patch Now: Cisco AnyConnect Bug Exploit Released in the Wild (darkreading.com)

• Zyxel addressed critical flaw CVE-2023-27992 in NAS Devices - Security Affairs

• Microsoft Teams bug allows malware delivery from external accounts (bleepingcomputer.com)

• Chrome and Its Vulnerabilities - Is the Web Browser Safe to Use? - SecurityWeek

• Critical WordPress Plugin Vulnerabilities Impact Thousands of Sites - SecurityWeek

• SMB Edge Devices Walloped With Asus, Zyxel Patch Warnings (darkreading.com)

• VMware fixes vCenter Server bugs allowing code execution, auth bypass (bleepingcomputer.com)

• Azure AD 'Log in With Microsoft' Authentication Bypass Affects Thousands (darkreading.com)

• Western Digital Blocks Unpatched Devices From Cloud Services - SecurityWeek

• Risk & Repeat: Mandiant sheds light on Barracuda ESG attacks | TechTarget

• ASUS warns router customers: Patch now, or block all inbound requests – Naked Security (sophos.com)

• Firmware Backdoor Discovered in Gigabyte Motherboards, Hundreds of Models Affected - CPO Magazine

• Apple fixes zero-days used to deploy Triangulation spyware via iMessage (bleepingcomputer.com)

• A (cautionary) tale of two patched bugs, both under exploit • The Register

• Millions of GitHub repos likely vulnerable to RepoJacking, researchers say (bleepingcomputer.com)

• Windows 11 KB5027231 also breaks Chrome for Cisco, WatchGuard EDR users (bleepingcomputer.com)

• Gaps in Azure Service Fabric’s Security Call for User Vigilance (trendmicro.com)

Tools and Controls

• Getting Over the DNS Security Awareness Gap (darkreading.com)

• Zscaler CEO: Firewalls Are Going The Way Of The Mainframe | CRN

• The future of passwords and authentication - Help Net Security

• Understanding Cyber Resilience: Building A Holistic Approach To Cyber security (informationsecuritybuzz.com)

• Increased spending doesn't translate to improved cyber security posture - Help Net Security

• Placing People & Realism at the Center of Your Cyber security Strategy (darkreading.com)

• Security investments that help companies navigate the macroeconomic climate - Help Net Security

• The Benefits of Red Zone Threat Intelligence - SecurityWeek

Reports Published in the Last Week

• Proofpoint’s 2023 Human Factor Report: Threat Actors Scale and Commoditise Uncommon Tools and Techniques | Proofpoint UK

• Trellix Detects Leading Threat Actor Countries Behind Nation-State Activity - MSSP Alert

• The Threat Report: June 2023 | Trellix

• Navigating The Cyber Threat Landscape: Key Insights From Trellix ARC's Q1 2023 Report (informationsecuritybuzz.com)

Other News

• Boris Johnson’s notebooks cause national security alarm (thetimes.co.uk)

• ‘It could be taken down by an enthusiastic child’: Whitehall wide open to cyber attack, warn campaigners | Cyber crime | The Guardian

• Keep it, Tweak it, Trash it – What to do with Aging Tech in an Era of Consolidation - SecurityWeek

• Cyber attacks on OT, ICS Lay Groundwork for Kinetic Warfare (darkreading.com)

• Why CISOs should be concerned about space-based attacks | CSO Online

• Legal firms urged to strengthen cyber defences with latest... - NCSC.GOV.UK

• 6 Attack Surfaces You Must Protect (darkreading.com)

• GCHQ’s top hacker James Babbage quits to join NCA in blow to UK cyber force (telegraph.co.uk)

Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

·       Automotive

·       Construction

·       Critical National Infrastructure (CNI)

·       Defence & Space

·       Education & Academia

·       Energy & Utilities

·       Estate Agencies

·       Financial Services

·       FinTech

·       Food & Agriculture

·       Gaming & Gambling

·       Government & Public Sector (including Law Enforcement)

·       Health/Medical/Pharma

·       Hotels & Hospitality

·       Insurance

·       Legal

·       Manufacturing

·       Maritime

·       Oil, Gas & Mining

·       OT, ICS, IIoT, SCADA & Cyber-Physical Systems

·       Retail & eCommerce

·       Small and Medium Sized Businesses (SMBs)

·       Startups

·       Telecoms

·       Third Sector & Charities

·       Transport & Aviation

·       Web3

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

• Gen Z, Millennials Really Don’t Care About Workplace Cyber Security

When it comes to cyber security in the workplace, younger employees don’t really seem to care that much, which is putting their organisations in serious harm’s way, new research has claimed.

Surveying approximately 1,000 workers using devices issued by their employers, professional services firm EY found Gen Z enterprise employees were more apathetic about cyber security than their Boomer counterparts in adhering to their employer's safety policies.

This is despite the fact that four in five (83%) of all those surveyed claimed to understand their employer’s security protocol.

When it comes to implementing mandatory IT updates, for example, 58% of Gen Z’ers and 42% of millennials would disregard them for as long as possible. Less than a third (31%) of Gen X’ers, and just 15% of baby boomers said they do the same.

Apathy in the young extends to password reuse between private and business accounts. A third of Gen Z and millennial workers surveyed admitted to this, compared to less than a quarter of all Gen X’ers and baby boomers.

Some say the apathy of young people towards technology is down to their over-familiarity with technology, and never having been without it. Being too comfortable with tech undoubtedly makes an enterprise's younger employees a major target for cyber criminals looking to exploit any hole in security. 

If an organisation's cyber security practices aren't upheld strongly, threat actors can compromise huge networks with simple social engineering attacks.

https://www.techradar.com/news/younger-workers-dont-care-about-workplace-cybersecurity

• Supply Chain Attacks Increased Over 600% This Year and Companies Are Falling Behind

The number of documented supply chain attacks involving malicious third-party components has increased 633% over the past year, now sitting at over 88,000 known instances, according to a new report from software supply chain management company Sonatype. Meanwhile, instances of transitive vulnerabilities that software components inherit from their own dependencies have also reached unprecedented levels and plague two-thirds of open-source libraries.

“The networked nature of dependencies highlights the importance of having visibility and awareness about these complex supply chains” Sonatype said in its newly released State of the Software Supply Chain report. “These dependencies impact our software, so having an understanding of their origins is critical to vulnerability response. Many organisations did not have the needed visibility and continued their incident response procedures for Log4Shell well beyond the summer of 2022 as a result.”

Log4Shell is a critical vulnerability discovered in November 2021 in Log4j, a widely popular open-source Java library used for logging and bundled in millions of enterprise applications and software products, often as an indirect dependency. According to Sonatype’s monitoring, as of August 2022, the adoption rate for fixed versions of Log4j sits at around 65%. Moreover, this doesn’t even account for the fact that the Log4Shell vulnerability originated in a Java class called JndiManager that is part of Log4j-core, but which has also been borrowed by 783 other projects and is now found in over 19,000 software components.

Log4Shell served as a watershed moment, highlighting the inherent risks that exist in the open-source software ecosystem – which sits at the core of modern software development – and the need to manage them properly. It also led to several initiatives to secure the software supply chain by private organisations, software repository managers, the Linux Foundation, and government bodies. Yet, most organisations are far from where they need to be in terms of open-source supply chain management.

https://www.csoonline.com/article/3677228/supply-chain-attacks-increased-over-600-this-year-and-companies-are-falling-behind.html#tk.rss_news

• Cyber-Enabled Crimes Are Biggest Police Concerns

Cyber-related crimes such as money laundering, ransomware and phishing pose the biggest threat to society, according to the first ever Interpol Global Crime Trend report.

The inaugural study was compiled from data received from the policing organisation’s 195 member countries, as well as information and analysis from external sources.

Money laundering was ranked the number one threat, with 67% of respondents claiming it to be a “high” or “very high” risk. Ransomware came second (66%) but was the crime type that most (72%) expected to increase in the next 3–5 years.

Of the nine top crime trends identified in the report, six are directly cyber-enabled, including money laundering, ransomware, phishing, financial fraud, computer intrusion and child sexual exploitation.

Interpol warned that the pandemic had fomented new underground offerings like “financial crime-as-a-service,” including digital money laundering tools which help to lower the barrier to entry for criminal gangs. It also claimed that demand for online child sexual exploitation and abuse (OCSEA) content surged during the pandemic. Some 62% of respondents expect it to increase or significantly increase in the coming years.

The findings represent something of a turnaround from pre-pandemic times, when drug trafficking regularly topped the list of police concerns. Thanks to a surge in corporate digitalisation, home working and online shopping, there are now rich pickings to be had from targeting consumers and business users with cyber-scams and attacks, Interpol claimed.

https://www.infosecurity-magazine.com/news/cyberenabled-crimes-are-biggest/

• List of Common Passwords Accounts for Nearly All Cyber Attacks

Half of a million passwords from the RockYou2021 list account for 99.997% of all credential attacks against a variety of honeypots, suggesting attackers are just taking the easy road.

Tens of millions of credential-based attacks targeting two common types of servers boiled down to a small fraction of the passwords that formed a list of leaked credentials, known as the RockYou2021 list.

Vulnerability management firm Rapid7, via its network of honeypots, recorded every attempt to compromise those servers over a 12-month period, finding that the attempted credential attacks resulted in 512,000 permutations. Almost all of those passwords (99.997%) are included in a common password list — the RockYou2021 file, which has 8.4 billion entries — suggesting that attackers, or the subset of threat actors attacking Rapid7's honeypots, are sticking to a common playbook.

The overlap in all the attacks also suggest attackers are taking the easy road, said Rapid7. "We know now, in a provable and demonstrable way, that nobody — 0% of attackers — is trying to be creative when it comes to unfocused, untargeted attacks across the Internet," they said. "Therefore, it's very easy to avoid this kind of opportunistic attack, and it takes very little effort to take this threat off the table entirely, with modern password managers and configuration controls."

Every year, security firms present research suggesting users are continuing to pick bad passwords. In 2019, an evaluation of passwords leaked to the Internet found that the top password was "123456," followed by "123456789" and "qwerty," and unfortunately things have not got much better since then.

https://www.darkreading.com/endpoint/a-common-password-list-accounts-for-nearly-all-cyberattacks

• Shared Responsibility or Shared Fate? Decentralised IT Means We Are All Cyber Defenders

Does your organisation truly understand the shared responsibility model? Shared responsibility emerged from the early days of cloud computing as a way to delineate responsibilities between cloud providers and their customers, but often there's a gap between what shared responsibility means and how it is interpreted. With the decentralisation of IT, this gap is getting worse.

Applications, servers, and overall technology used to be under the purview and control of the IT department, yet with the shift to cloud, and specifically software-as-a-service (SaaS), this dynamic has changed. Whether it's the sales team bringing in a customer relationship management (CRM) system like Salesforce, or the HR department operating a human resources information system (HRIS) like Workday, there's a clear "expanding universe" of IT that no longer sits where it used to. Critical business workflows exist in separate business units far from IT and security and are managed as such. Our corporate IT footprints have become decentralised.

This is not some minor, temporary trend. With the ease and speed of adopting new SaaS applications and the desire to "lift and shift" code into cloud-based environments, this is the future. The future is decentralised.

The shift to business-owned and -operated applications puts security teams in a position where risk management is their responsibility; they are not even able to log into some of these critical systems. It's like asking your doctor to keep you healthy but not giving her access to your information or having regular check-ups. It doesn't work that way.

Beyond the challenging human skills gap, there's technical entropy and diversity everywhere, with different configuration settings, event logs, threat vectors, and data sensitivities. On the access side, there are different admins, users, integrations, and APIs. If you think managing security on Windows and Mac is a lot, try it across many huge applications.

With this reality, how can the security team be expected to combat a growing amount of decentralised business technology risk?

We must operate our technology with the understanding that shared responsibility is the vertical view between cloud provider and customer, but that enterprise-owned piece of shared responsibility is the burden of multiple teams horizontally across an organisation. Too often the mentality is us versus them, availability versus security, too busy to care about risk, too concerned with risk to understand "the business."

https://www.darkreading.com/vulnerabilities-threats/shared-responsibility-or-shared-fate-decentralized-it-means-we-are-all-cyber-defenders

• Ukraine War Cuts Ransomware as Kremlin Co-Opts Hackers

The Ukraine war has helped reduce global ransomware attacks by 10pc in the last few months, a British cyber security company has said.

Criminal hacking gangs, usually engaged in corporate ransomware activities, are increasingly being co-opted by the Russian military to launch cyber attacks on Ukraine, according to Digital Shadows. “The war is likely to continue to motivate ransomware actors to target government and critical infrastructure entities,” according to the firm. Such attacks partly contributed to a 10pc drop in the number of ransomware threats launched during the three months to September, said the London-based company.

The drop in ransomware may also partly be caused by tit-for-tat digital attacks between rival hacking gangs. Researchers said the Lockbit gang, who recently targeted LSE-listed car retailer Pendragon with a $60m (£53.85m) ransom demand, were the target of attacks from their underworld rivals. The group is increasingly inviting resentment from competing threat groups and possibly former members.

Some cyber criminals’ servers went offline in September after what appeared to be an attack from competitors. In the world of cyber criminality, it is not uncommon for tensions to flare among rival groups.

Officials from GCHQ’s National Cyber Security Centre have said ransomware is one of the biggest cyber threats facing the UK. Figures published by the Department for Digital, Culture, Media and Sport this year revealed the average costs to businesses caused by ransomware attacks is around £19,000 per incident.

US-based cyber security company Palo Alto Networks, however, warned that the average ransom payment it saw in the early part of this year was $925,000 (£829,000).

https://www.telegraph.co.uk/business/2022/10/23/ukraine-war-cuts-ransomware-kremlin-co-opts-hackers/

• 96% Of Companies Report Insufficient Security for Sensitive Cloud Data

The vast majority of organisations lack confidence in securing their data in cloud, while many companies acknowledge they lack sufficient security even for their most sensitive data, according to a new report by the Cloud Security Alliance (CSA).

The CSA report surveyed 1,663 IT and security professionals from organisations of various sizes and in various locations. "Only 4% report sufficient security for 100% of their data in the cloud. This means that 96% of organisations have insufficient security for at least some of their sensitive data," according to the report, which was sponsored by data intelligence firm BigID.

Apart from struggling with securing sensitive data, organisations are also having trouble tracking data in the cloud. Over a quarter of organisations polled aren’t tracking regulated data, nearly a third aren’t tracking confidential or internal data, and 45% aren’t tracking unclassified data, the report said.

“This suggests that organisations’ current methods of classifying data aren’t sufficient for their needs. However, if the tracking is this low, it could be a contributing factor to the issue of dark data. Organisations need to utilise data discovery and classification tools to properly understand the data they have and how to protect it,” the CSA study noted.

https://www.csoonline.com/article/3677491/96-of-companies-report-insufficient-security-for-sensitive-cloud-data.html#tk.rss_news

• Your Microsoft Exchange Server Is a Security Liability

With endless vulnerabilities, widespread hacking campaigns, slow and technically tough patching, it's time to say goodbye to on-premise Exchange.

Once, reasonable people who cared about security, privacy, and reliability ran their own email servers. Today, the vast majority host their personal email in the cloud, handing off that substantial burden to the capable security and engineering teams at companies like Google and Microsoft. Now, cyber security experts argue that a similar switch is due - or long overdue - for corporate and government networks. For enterprises that use on-premise Microsoft Exchange, still running their own email machine somewhere in a closet or data centre, the time has come to move to a cloud service, if only to avoid the years-long plague of bugs in Exchange servers that has made it nearly impossible to keep determined hackers out.

The latest reminder of that struggle arrived earlier this week, when Taiwanese security researcher Orange Tsai published a blog post laying out the details of a security vulnerability in Microsoft Exchange. Tsai warned Microsoft about this vulnerability as early as June of 2021, and while the company responded by releasing some partial fixes, it took Microsoft 14 months to fully resolve the underlying security problem. Tsai had earlier reported a related vulnerability in Exchange that was massively exploited by a group of Chinese state-sponsored hackers known as Hafnium, which last year penetrated more than 30,000 targets by some counts. Yet according to the timeline described in Tsai’s post this week, Microsoft repeatedly delayed fixing the newer variation of that same vulnerability, assuring Tsai no fewer than four times that it would patch the bug before pushing off a full patch for months longer. When Microsoft finally released a fix, Tsai wrote, it still required manual activation and lacked any documentation for four more months.

Meanwhile, another pair of actively exploited vulnerabilities in Exchange that were revealed last month still remain unpatched after researchers showed that Microsoft’s initial attempts to fix the flaws had failed. Those vulnerabilities were just the latest in a years-long pattern of security bugs in Exchange’s code. And even when Microsoft does release Exchange patches, they’re often not widely implemented, due to the time-consuming technical process of installing them.

The result of those compounding problems, for many who have watched the hacker-induced headaches of running an Exchange server pile up, is a clear message: An Exchange server is itself a security vulnerability, and the fix is to get rid of it.

“You need to move off of on-premise Exchange forever. That’s the bottom line,” says Dustin Childs, the head of threat awareness at security firm Trend Micro’s Zero Day Initiative (ZDI), which pays researchers for finding and reporting vulnerabilities in commonly used software and runs the Pwn2Own hacking competition. “You’re not getting the support, as far as security fixes, that you would expect from a really mission-critical component of your infrastructure.”

https://www.wired.com/story/microsoft-exchange-server-vulnerabilities/

• Are Cyber Security Vendors Pushing Snake Oil?

Survey: 96 percent of cyber security decision makers confused by vendor marketing.

The availability of new security products increases, the amount of budget spent on cyber security grows, and the number of security breaches seems to outpace both. This basic lack of correlation between increasing cyber security spend and any clear increase in cyber security effectiveness is the subject of a new analytical survey from Egress.

With 52 million data breaches in Q2 2022 alone (Statista), Egress questioned 800 cyber security and IT leaders on why vendor claims and reality aren’t aligned. The headline response in the survey is that 91% of decision makers have difficulty in selecting cyber security vendors due to unclear marketing about their specific offerings.

The financial investment cycle doesn’t help in this. For many investors, the strength of the management team is more important than the product. The argument is not whether this product is a cyber security silver bullet, but whether this management can take the company to a point where it can exit with serious profits.

If investment is achieved, much of it will go into marketing. That marketing must compete against existing, established vendors – so it tends to be louder, more aggressive, and replete with hyperbole. Marketing noise can lead to increased valuation, which can lead to a successful and profitable exit by the investors.

Of course, this is an oversimplification and doesn’t always happen. The point, however, is that it does happen and has no relevance to the real effectiveness of the product in question. Without any doubt, there are many products that have been over-hyped by marketing funds provided by profit-driven investors.

https://www.securityweek.com/are-cybersecurity-vendors-pushing-snake-oil

• Ransomware Preparedness: What Are You Doing Wrong?

Axio released its 2022 State of Ransomware Preparedness research report, revealing that although notable improvements have been made since Axio’s 2021 report, organisational ransomware preparedness continues to be insufficient to keep pace with new attack vectors.

The report reveals that the lack of fundamental cyber security practices and controls, including critical vulnerability patching and employee cyber security training, continues to undermine organisational attempts to improve ransomware defences.

“Ransomware continues to wreak havoc on global organisations, regardless of size or industry,” remarked the report’s co-author David White, President of Axio. “As the number of attacks will most likely continue on an exponential trajectory, it’s more important than ever for companies to re-evaluate their cyber security practices and make the needed improvements to help combat these attacks.”

The report identifies several emerging patterns that yield insights into why organisations are increasingly susceptible to ransomware attacks. In 2021, seven key areas where organisations were deficient in implementing and sustaining basic cyber security practices were identified, and these patterns dominated the 2022 study results as well:

• Managing privileged access

• Improving basic cyber hygiene

• Reducing exposure to supply chain and third-party risk

• Monitoring and defending networks

• Managing ransomware incidents

• Identifying and addressing vulnerabilities in a timely manner

• Improving cyber security training and awareness

Overall, most organisations surveyed are not adequately prepared to manage the risk associated with a ransomware attack. Key data findings include:

• The number of organisations with a functional privileged access management solution in place increased by 10% but remains low at 33% overall.

• Limitations on the use of service and local administrator accounts remain average overall, with nearly 50% of organisations reporting implementing these practices.

• Approximately 40% of organisations monitor third-party network access, evaluate third-party cyber security posture, and limit the use of third-party software.

• Less than 50% of respondents implement basic network segmentation and only 40% monitor for anomalous connections.

• Critical vulnerability patching within 24 hours was reported by only 24% of organisations.

• A ransomware-specific playbook for incident management is in place for only 30% of organisations.

• Active phishing training has improved but is still not practiced by 40% of organisations.

https://www.helpnetsecurity.com/2022/10/20/insufficient-ransomware-preparedness/

• NSA Cybersecurity Director's Six Takeaways from the War in Ukraine

From the warning banner ‘Be afraid and expect the worst’ that was shown on several Ukrainian government websites on January 13, 2022, after a cyber-attack took them down, the US National Security Agency’s (NSA) cybersecurity director, Rob Joyce, knew that something was going to be different, and very aggressive, between Ukraine and Russia, and that it would be happening in the cyber space as well.

Ten months on, he was invited to speak at one of Mandiant Worldwide Information Security Exchange's (mWISE) opening keynotes on October 18, 2022. Joyce shared six takeaways from the Russia-Ukraine cyber-conflict in terms of what we learned from it and its impact on how nations should protect their organisations.

1. Both espionage and destructive attacks will occur in conflict

2. The cyber security industry has unique insight into these conflicts

3. Sensitive intelligence can make a decisive difference

4. You can develop resiliency skills

5. Don’t try to go it alone

6. You have not planned enough yet for the contingencies

Toward the end of the keynote, Joyce suggested the audience simulate a scenario based on what happened in Ukraine with the China-Taiwan conflict escalating and see what they should put in place to better prepare for such an event.

https://www.infosecurity-magazine.com/news/nsa-6-takeaways-war-ukraine/

• Microsoft Confirms Server Misconfiguration Led to 65,000+ Companies' Data Leak

Microsoft this week confirmed that it inadvertently exposed information related to thousands of customers following a security lapse that left an endpoint publicly accessible over the internet sans any authentication.

"This misconfiguration resulted in the potential for unauthenticated access to some business transaction data corresponding to interactions between Microsoft and prospective customers, such as the planning or potential implementation and provisioning of Microsoft services," Microsoft said in an alert.

Microsoft also emphasised that the B2B leak was "caused by an unintentional misconfiguration on an endpoint that is not in use across the Microsoft ecosystem and was not the result of a security vulnerability."

The misconfiguration of the Azure Blob Storage was spotted on September 24, 2022, by cyber security company SOCRadar, which termed the leak BlueBleed. Microsoft said it's in the process of directly notifying impacted customers.

The Windows maker did not reveal the scale of the data leak, but according to SOCRadar, it affects more than 65,000 entities in 111 countries. The exposure amounts to 2.4 terabytes of data that consists of invoices, product orders, signed customer documents, partner ecosystem details, among others.

https://thehackernews.com/2022/10/microsoft-confirms-server.html

Threats

Ransomware and Extortion

• Сryptocurrency and Ransomware — The Ultimate Friendship (thehackernews.com)

• Venus Ransomware targets publicly exposed Remote Desktop services (bleepingcomputer.com)

• Pendragon being held to $60m ransom by dark web hackers – Car Dealer Magazine

• Magniber Ransomware Is Targeting Home PC (informationsecuritybuzz.com)

• Hackers exploit critical VMware flaw to drop ransomware, miners (bleepingcomputer.com)

• Ransomware Now Deployed as a Precursor to Physical War - MSSP Alert

• TommyLeaks and SchoolBoys: Two sides of the same ransomware gang (bleepingcomputer.com)

• With Conti gone, LockBit takes lead of the ransomware threat landscape | CSO Online

• Tactics Tie Ransom Cartel Group to Defunct REvil Ransomware (darkreading.com)

• Wholesale giant METRO hit by IT outage after cyber attack (bleepingcomputer.com)

• The link between Ransom Cartel and REvil ransomware gangs - Security Affairs

• Deadbolt Ransomware Targets NAS Devices - IT Security Guru

• Black Basta Ransomware Hackers Infiltrate Networks via Qakbot to Deploy Brute Ratel C4 (thehackernews.com)

• How Vice Society Got Away With a Global Ransomware Spree | WIRED

• Microsoft warns over unusual ransomware attacks | ZDNET

• Defenders beware: A case for post-ransomware investigations - Microsoft Security Blog

• Ransomware crews regrouping as LockBit rise continues (computerweekly.com)

• Singapore Creates Counter Ransomware Task Force to Tackle Threats - Infosecurity Magazine (infosecurity-magazine.com)

• Ransom Cartel linked to notorious REvil ransomware operation (bleepingcomputer.com)

• Hackney Council Ransomware Attack £12m+ Recovery - IT Security Guru

• Microsoft Warns of Novel Ransomware Attacking Ukraine, Poland - MSSP Alert

• Prestige ransomware hits victims of HermeticWiper • The Register

• New ransomware targets transportation sectors in Ukraine, Poland | SC Media (scmagazine.com)

• Japanese tech firm Oomiya hit by LockBit 3.0 - Security Affairs

• Ransomware attack halts circulation of some German newspapers (bleepingcomputer.com)

• Ransomware Insurance Security Requirement Strategies (trendmicro.com)

• Australian insurance firm Medibank confirms ransomware attack (bleepingcomputer.com)

• Ransomware attack impacted some CommonSpirit sites, but few details released | SC Media (scmagazine.com)

• BlackByte ransomware uses new data theft tool for double-extortion (bleepingcomputer.com)

Phishing & Email Based Attacks

• Phishing works so well crims won't use deepfakes: Sophos • The Register

• Phishing Mitigation Can Cost Businesses More Than $1M Annually (darkreading.com)

• Securing your organisation against phishing can cost up to $85 per email | CSO Online

• How phishing campaigns abuse Google Ad click tracking redirects - Help Net Security

• Attackers switch to self-extracting password-protected archives to distribute email malware | CSO Online

Other Social Engineering; Smishing, Vishing, etc

• Amazon customers warned about text message scam that is trying to steal personal details | The Northern Echo

Malware

• VMware bug with 9.8 severity rating exploited to install witch’s brew of malware | Ars Technica

• Microsoft’s out-of-date driver list left Windows PCs open to malware attacks for years - The Verge

• Ursnif malware switches from bank account theft to initial access (bleepingcomputer.com)

• Experts spotted a new undetectable PowerShell Backdoor - Security Affairs

• Emotet Botnet Distributing Self-Unlocking Password-Protected RAR Files to Drop Malware (thehackernews.com)

• Typosquat campaign mimics 27 brands to push Windows, Android malware (bleepingcomputer.com)

• Thousands of GitHub repositories deliver fake PoC exploits with malware (bleepingcomputer.com)

• Hackers use new stealthy PowerShell backdoor to target 60+ victims (bleepingcomputer.com)

• Hijacking of Popular Minecraft Launcher by Rogue Developer Raises Malware Fears - IGN

• URSNIF (aka Gozi) banking trojan morphs into backdoor • The Register

• What is a RAT (Remote Access Trojan)? | Definition from TechTarget

Mobile

• QR codes could unlock phone to hackers, security expert warns (nypost.com)

• These 16 Clicker Malware Infected Android Apps Were Downloaded Over 20 Million Times (thehackernews.com)

Internet of Things – IoT

• Riskiest IoT Devices - Cameras, VoIP And Video Conferencing (informationsecuritybuzz.com)

• NCSC CEO Calls for International Standards on IoT Security - Infosecurity Magazine (infosecurity-magazine.com)

• Securing IoT devices against attacks that target critical infrastructure - Microsoft Security Blog

• 74% say connected cars and EV chargers need cyber security ratings | Ars Technica

Data Breaches/Leaks

• The companies most likely to lose your data - Help Net Security

• Fines are not enough! Data breach victims want better security - Help Net Security

• Medibank hack turned into a data breach: The attackers are demanding money - Help Net Security

• Mormon Church Hit By Cyber attack, Personal Data Exposed (informationsecuritybuzz.com)

• Keystone Health Data Breach Impacts 235,000 Patients | SecurityWeek.Com

• Fashion brand SHEIN fined $1.9m for lying about data breach – Naked Security (sophos.com)

• Client Data Exfiltrated In Advanced NHS cyber Attack (informationsecuritybuzz.com)

• Optus tells customers affected by data breach they can no longer use passports as online ID | Optus | The Guardian

• Australian Wine Dealer Suffers Data Breach, 500,000 Customers May Be (informationsecuritybuzz.com)

• Advocate Aurora Health in potential 3 million patient leak • The Register

Organised Crime & Criminal Actors

• Cyber criminals jailed for cryptocurrency theft, death threats (bleepingcomputer.com)

• Israeli cyber intel firm shines bright light on new, shadowy cyber crime collective | The Times of Israel

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

• Why Crypto Winter is No Excuse to Let Your Cyber Defences Falter (thehackernews.com)

• North Korea’s Lazarus Group Attacks Japanese Crypto Firms - Decrypt

• Coinbase users scammed out of $21M in crypto sue company for negligence | Ars Technica

• SIM Swappers Sentenced to Prison for Hacking Accounts, Stealing Cryptocurrency | SecurityWeek.Com

Fraud, Scams & Financial Crime

• Financial losses to synthetic identity-based fraud to double by 2024 | CSO Online

• AI is Key to Tackling Money Mules and Disrupting Fraud: Industry Group | SecurityWeek.Com

• Cops Arrest Suspected Multimillion-Dollar Fraud Mastermind - Infosecurity Magazine (infosecurity-magazine.com)

Deepfakes

• Deepfakes: What they are and how to spot them - Help Net Security

• Phishing works so well crims won't use deepfakes: Sophos • The Register

Insurance

• Ransomware Insurance Security Requirement Strategies (trendmicro.com)

Supply Chain and Third Parties

• How supply chain threats will evolve in 2023 - Help Net Security

Software Supply Chain

• Software Supply Chain Attacks Soar 742% In Three Years (informationsecuritybuzz.com)

• SBOMs: An Overhyped Concept That Won't Secure Your Software Supply Chain (darkreading.com)

Denial of Service DoS/DDoS

• Pro-Russia Hackers DDoS Bulgarian Government - Infosecurity Magazine (infosecurity-magazine.com)

Cloud/SaaS

• Microsoft Data-Exposure Incident Highlights Risk of Cloud Storage Misconfiguration (darkreading.com)

• 3 cloud security posture questions CISOs should answer (techtarget.com)

• 10 Steps to Securing the Cloud - MSSP Alert

Attack Surface Management

• Attack Surface Management 2022 Midyear Review Part 1 (trendmicro.com)

Identity and Access Management

• What Is the Difference Between Identity Verification and Authentication? (darkreading.com)

Encryption

• The quantum computing threat is real. Now we need to act. - CyberScoop

API

• Thousands of Publicly Exposed API Tokens Could Threaten Software Integrity - Infosecurity Magazine (infosecurity-magazine.com)

• Open banking API security: Best practices to ensure a safe journey - Help Net Security

Open Source

• New security concerns for the open-source software supply chain - Help Net Security

• Python vulnerability highlights open source security woes (techtarget.com)

• Researchers find 633% increase in cyber-attacks aimed at open source repositories | The Daily Swig (portswigger.net)

• 3 Ways to Help Customers Defend Against Linux-Based Cyber attacks - MSSP Alert

• OldGremlin hackers use Linux ransomware to attack Russian orgs (bleepingcomputer.com)

Passwords, Credential Stuffing & Brute Force Attacks

• Most People Still Reuse Their Passwords Despite Years Of Hacking (informationsecuritybuzz.com)

• Password Report: Honeypot Data Shows Bot Attack Trends Against RDP, SSH | SecurityWeek.Com

• Eight RTX 4090s Can Break Passwords in Under an Hour | Tom's Hardware (tomshardware.com)

Training, Education and Awareness

• Security Awareness Urged to Grow Beyond Compliance (darkreading.com)

• Raising cyber security awareness is good for everyone - but it needs to be done better | ZDNET

• Millennials, Gen Z blamed for poor company security • The Register

Privacy, Surveillance and Mass Monitoring

• Amazon and the Rise of ‘Luxury Surveillance’ - The Atlantic

• Google sued over biometric data collection without consent (bleepingcomputer.com)

Regulations, Fines and Legislation

• Fines are not enough! Data breach victims want better security - Help Net Security

• Fashion brand SHEIN fined $1.9m for lying about data breach – Naked Security (sophos.com)

• New York fines EyeMed $4.5 million for 2020 email hack, data breach | SC Media (scmagazine.com)

• Health insurer pays out $4.5m over bungled data security • The Register

Law Enforcement Action and Take Downs

• INTERPOL-led Operation Takes Down 'Black Axe' Cyber Crime Organisation (thehackernews.com)

• Law enforcement arrested 31 suspects for stealing cars by hacking key fobs - Security Affairs

• Cops Arrest Suspected Multimillion-Dollar Fraud Mastermind - Infosecurity Magazine (infosecurity-magazine.com)

• Interpol is setting up its own metaverse to learn how to police the virtual world | Euronews

• Brazilian Police Nab Suspected Member of Lapsus$ Group (darkreading.com)

• Interpol Report: "Financial Crime-as-a-Service" an Emerging Threat - MSSP Alert

Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine

• Ransomware Now Deployed as a Precursor to Physical War - MSSP Alert

• US, China, Russia, more meet at Singapore infosec event • The Register

• NSA cyber chief says Ukraine war is compelling more intelligence sharing with industry - CyberScoop

• China-Linked Cyber-Espionage Team Homes In on Hong Kong Government Orgs (darkreading.com)

• Microsoft Warns of Novel Ransomware Attacking Ukraine, Poland - MSSP Alert

• Hackers target Asian casinos in lengthy cyber espionage campaign (bleepingcomputer.com)

• Prestige ransomware hits victims of HermeticWiper • The Register

• Pro-Russia Hackers DDoS Bulgarian Government - Infosecurity Magazine (infosecurity-magazine.com)

• OldGremlin Ransomware Targeted Over a Dozen Russian Entities in Multi-Million Scheme (thehackernews.com)

Nation State Actors

Nation State Actors – Russia

• Ukraine war: Life appears normal in Moscow... but a sinister undercurrent exists as Putin's conflict drags on | World News | Sky News

• Ukraine's cyber chief calls for global anti-fake news fight • The Register

• German Cyber security Boss Sacked Over Kremlin Connection (darkreading.com)

• Killing Starlink! Russian Media Says Over 4000 Missiles Required To Destroy Starlink Service; Experts Say 'Mission Impossible' (eurasiantimes.com)

• New ransomware targets transportation sectors in Ukraine, Poland | SC Media (scmagazine.com)

• Bulgaria hit by a cyber attack originating from Russia - Security Affairs

Nation State Actors – China

• As China-Taiwan tensions mount, how's your cyber defence? • The Register

• Chinese 'Spyder Loader' Malware Spotted Targeting Organisations in Hong Kong (thehackernews.com)

• Hackers compromised Hong Kong govt agency network for a year (bleepingcomputer.com)

• WIP19 Threat Group Cyber attacks Target IT Service Providers, Telcos - MSSP Alert

Nation State Actors – North Korea

• North Korea’s Lazarus Group Attacks Japanese Crypto Firms - Decrypt

Nation State Actors – Iran

• FBI Warns of Iranian Cyber Firm's Hack-and-Leak Operations | SecurityWeek.Com

• 'FurBall' Spyware Being Used Against Iranian Citizens (darkreading.com)

Vulnerability Management

• Compare vulnerability assessment vs. vulnerability management (techtarget.com)

Vulnerabilities

• 45,654 VMware ESXi servers reached End of Life on Oct. 15 - Security Affairs

• VMware bug with 9.8 severity rating exploited to install witch’s brew of malware | Ars Technica

• Hackers Started Exploiting Critical "Text4Shell" Apache Commons Text Vulnerability (thehackernews.com)

• Text message verification flaws in your Windows Active Directory (bleepingcomputer.com)

• Apache Commons Vulnerability: Patch but Don't Panic (darkreading.com)

• Zoom for Mac patches sneaky “spy-on-me” bug – update now! – Naked Security (sophos.com)

• ProxyLogon researcher details new Exchange Server flaws (techtarget.com)

• Over 17000 Fortinet devices exposed online are very likely vulnerable to CVE-2022-40684 - Security Affairs

• Exploited Windows zero-day lets JavaScript files bypass security warnings (bleepingcomputer.com)

• Dozen High-Severity Vulnerabilities Patched in F5 Products | SecurityWeek.Com

• Oracle Releases 370 New Security Patches With October 2022 CPU | SecurityWeek.Com

• Palo Alto Networks fixed a high-severity flaw in PAN-OS - Security Affairs

• Hackers exploit critical VMware flaw to drop ransomware, miners (bleepingcomputer.com)

• Zimbra Patches Under-Attack Code Execution Bug | SecurityWeek.Com

• WordPress Security Update 6.0.3 Patches 16 Vulnerabilities | SecurityWeek.Com

• Python vulnerability highlights open source security woes (techtarget.com)

• Critical Flaw Reported in Move Virtual Machine Powering the Aptos Blockchain Network (thehackernews.com)

• Analysis of a Remote Code Execution (RCE) Vulnerability in Cobalt Strike 4.7.1 (securityintelligence.com)

Reports Published in the Last Week

• Financial and cyber crimes top global police concerns, says new INTERPOL report

• Post-Quantum Cryptography: Anticipating Threats and Preparing the Future — ENISA (europa.eu)

• Attack Surface Management 2022 Midyear Review Part 1 (trendmicro.com)

Other News

• Zero trust is misused in security, say Cloudflare, Zscaler - Protocol

• How to manage and reduce secret sprawl (techtarget.com)

• Cyber professional shortfall hits 3.4 million (computerweekly.com)

• Infosec still (mostly) a boys club • The Register

• Cyber security Workforce Gap Grows by 26% in 2022 - Infosecurity Magazine (infosecurity-magazine.com)

• VPN use prevails despite interest in VPN alternatives (techtarget.com)

• JP Morgan Bans Staff From Working Remotely In Hotels and Coffee Shops-But Not Airbnbs | Inc.com

• Experts discovered millions of .git folders exposed to public - Security Affairs

• Microsoft Defender is lacking in offline detection capabilities, says AV-Comparatives | TechSpot

• Internet connectivity worldwide impacted by severed fiber cables in France (bleepingcomputer.com)

• UK's Remote Shetland Mysteriously Lose Phone, Internet After Cable Cut (businessinsider.com)

• CISOs, rejoice! Security spending is increasing - Help Net Security

• Equifax surveilled 1,000 remote workers, fired 24 found juggling two jobs | Ars Technica

• Do You Think Businesses Must Do More To Boost Cyber Defences, Says Nadhim (informationsecuritybuzz.com)

• NATO Just Deployed Its First Killer Ground Robot (futurism.com)

Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

·       Automotive

·       Construction

·       Critical National Infrastructure (CNI)

·       Defence & Space

·       Education & Academia

·       Energy & Utilities

·       Estate Agencies

·       Financial Services

·       FinTech

·       Food & Agriculture

·       Gaming & Gambling

·       Government & Public Sector (including Law Enforcement)

·       Health/Medical/Pharma

·       Hotels & Hospitality

·       Insurance

·       Legal

·       Manufacturing

·       Maritime

·       Oil, Gas & Mining

·       OT, ICS, IIoT, SCADA & Cyber-Physical Systems

·       Retail & eCommerce

·       Small and Medium Sized Businesses (SMBs)

·       Startups

·       Telecoms

·       Third Sector & Charities

·       Transport & Aviation

·       Web3

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

• CFOs’ Overconfidence in Cyber Security Can Cost Millions

Kroll announced its report entitled ‘Cyber Risk and CFOs: Over-Confidence is Costly’ which found chief financial officers (CFOs) to be woefully in the dark regarding cyber security, despite confidence in their company’s ability to respond to an incident.

The report, conducted by StudioID of Industry Dive, exposed three key themes among the 180 senior finance executives surveyed worldwide:

1. Ignorance is bliss. Eighty-seven percent of CFOs are either very or extremely confident in their organisation’s cyber attack response. This is at odds with the level of visibility CFOs have into cyber risk issues, given only four out of 10 surveyed have regular briefings with their cyber teams.

2. Wide-ranging damages. 71% of the represented organisations suffered more than $5 million in financial losses stemming from cyber incidents in the previous 18 months, and 61% had suffered at least three significant cyber incidents in that time. Eighty-two percent of the executives in the survey said their companies suffered a loss of 5% or more in their valuations following their largest cyber security incident in the previous 18 months.

3. Increasing investment in cyber security. Forty-five percent of respondents plan to increase the percentage of their overall IT budget dedicated to information security by at least 10%.

According to Kroll: “We often see that CFOs are not aware enough of the financial risk presented by cyber threats until they face an incident. At that point, it’s clear that they need to be involved not only in the recovery, including permitting access to emergency funds and procuring third-party suppliers, but also in the strategy and investment around cyber both pre- and post-incident.”

“Ultimately, cyber attacks represent a financial risk to the business, and incidents can have a significant impact on value. It is, therefore, critical that this is included in wider business risk considerations. A CFO and CISO should work side-by-side, helping the business navigate the operational and financial risk of cyber.”

https://www.helpnetsecurity.com/2022/09/14/cfos-cybersecurity-confidence/

• Cyber Security Outflanks Inflation, Talent, Logistics in Business Worries

Nearly six in 10 IT leaders in a new study view cyber security as their top business concern, ranking it higher than inflation, retaining talent and supply chain/logistics management.

Less than half of respondents (43%) believe their critical data and assets are protected from cyber threats despite increased cyber security investments by their organisations, greater board visibility and increased collaboration between the security team and the C-suite, Rackspace said in its new survey of 1,420 IT professionals worldwide.

The multi-cloud technology services specialist said that a “large majority” of the survey respondents report being either unprepared or only “somewhat prepared” to respond to major threats, such as identifying and mitigating threats and areas of concern (62%), recovering from cyber attacks (61%) or preventing lapses and breaches (63%).

Cloud native security is where organisations are most likely to rely on an outside partner, such as a managed security service provider, for expertise.

Here are more of the survey’s findings:

• The top three cyber security challenges their organisation is facing: migrating and operating apps (45%); shortage of workers with cyber security skills (39%); lack of visibility of vulnerabilities across all infrastructure (38%).

• 70% of survey respondents report that their cyber security budgets have increased over the past three years.

• The leading recipients of new investment are cloud native security (59%); data security (50%), consultative security services (44%); and application security (41%).

• Investments align closely with the areas where organisations perceive their greatest concentration of threats, led by network security (58%), closely followed by web application attacks (53%) and cloud architecture attacks (50%).

• 70% of respondents said there has been an increase in board visibility for cyber security over the past five years, while 69% cite better collaboration between the security team and members of the C-suite.

• Only 13% of respondents said there were significant communications gaps between the security team and C-suite, while 69% of IT executives view their counterparts in the C-suite as advocates for their concerns.

The authors stated “We are seeing a major shift in how organisations are allocating resources to address cyber threats, even as budgets increase. The cloud brings with it a new array of security challenges that require new expertise, and often reliance on external partners who can help implement cloud native security tools, automate security, provide cloud native application protection, offer container security solutions and other capabilities”.

https://www.msspalert.com/cybersecurity-research/cybersecurity-outflanks-inflation-talent-logistics-in-business-worries-rackspace-research/

• Attackers Can Compromise Most Cloud Data in Just 3 Steps

An analysis of cloud services finds that known vulnerabilities typically open the door for attackers, while insecure cloud architectures allow them to gain access to the crown jewels.

Companies and their cloud providers often leave vulnerabilities open in their system and services, gifting attackers with an easy path to gain access to critical data.

According to an Orca Security analysis of data collected from major cloud services, attackers only need on average three steps to gain access to sensitive data, the so-called "crown jewels," starting most often — in 78% of cases — with the exploitation of a known vulnerability.

While much of the security discussion has focused on the misconfigurations of cloud resources by companies, cloud providers have often been slow to plug vulnerabilities.

The key is to fix the root causes, which is the initial vector, and to increase the number of steps that they attacker needs to take. Proper security controls can make sure that even if there is an initial attack vector, you are still not able to reach the crown jewels.

The report analysed data from Orca's security research team using data from a "billions of cloud assets on AWS, Azure, and Google Cloud," which the company's customers regularly scan. The data included cloud workload and configuration data, environment data, and information on assets collected in the first half of 2022.

https://www.darkreading.com/cloud/cyberattackers-compromise-most-cloud-data-3-steps

• Cyber Insurance Premiums Soar 80% As Claims Surge

Cyber insurance premiums have soared in the past year as claims surged in response to a rise in damaging attacks by hackers.

The cost of taking out cyber cover had doubled on average every year for the past three years, said global insurance broker Marsh. Honan Group, another broker, pointed to an 80 per cent rise in premiums in the past 12 months, following a 20 per cent increase in the cost of cover in each of the previous two years.

Brokers are calling cyber “the new D&O”, referring to sharp rises in directors and officers insurance premiums since 2018. Brokers were hopeful premiums would ease, but have warned insurers would continue to demand companies prove they had strong security systems and policies in place before agreeing to sell them insurance.

There’ll be a number of insurance companies that won’t even look at a business that doesn’t have a bunch of security measures in place. They’ll just turn around and say, ‘we’re not going to insure you’. The chief reason for the price rises is the increase in the number and size of claims relating to ransomware, where criminals use malicious software to block access to an organisation’s computer system until a sum of money is paid. In addition, some insurers left the market, while remaining players attempted to recoup the cost of under-priced contracts written in previous years.

The rise in the premiums is mainly due to ransomware and cyber attacks across the board have risen sharply over the past few years.

https://www.afr.com/work-and-careers/management/cyber-insurance-premiums-soar-80pc-as-claims-surge-20220908-p5bglo

• One In 10 Employees Leaks Sensitive Company Data Every 6 Months

Departing employees are most likely to leak sensitive information to competitors, criminals or the media in exchange for cash.

Insider threats are an ongoing menace that enterprise security teams need to handle. It's a global problem but especially acute in the US, with 47 million Americans quitting their jobs in 2021. The threat of ex-employees taking sensitive information to competitors, selling it to criminals in exchange for cash, and leaking files to media is making data exfiltration a growing concern. 

About 1.4 million people who handle sensitive information in their organisation globally were tracked over the period from January to June 30 this year by cyber security firm Cyberhaven to find out when, how and who is involved in data exfiltration.

On average, 2.5% of employees exfiltrate sensitive information in a month, but over a six-month period, nearly one in 10, or 9.4% of employees, do so, Cyberhaven noted in its report. Data exfiltration incidents occur when data is transferred outside the organisation in unapproved ways.

Among employees that exfiltrated data, the top 1% most prolific “super stealers” were responsible for 7.7% of incidents, and the top 10% were responsible for 34.9% of incidents.

North America accounted for the highest number of incidents at 44%, followed by the Asia Pacific region at 27%. Europe, the Middle East, and Africa accounted for 24% of incidents while 5% of incidents were recorded in South America.

https://www.csoonline.com/article/3673260/one-in-10-employees-leaks-sensitive-company-data-every-6-months-report.html#tk.rss_news

• Business Application Compromise and the Evolving Art of Social Engineering

Social engineering is hardly a new concept, even in the world of cyber security. Phishing scams alone have been around for nearly 30 years, with attackers consistently finding new ways to entice victims into clicking a link, downloading a file, or providing sensitive information.

Business email compromise (BEC) attacks iterated on this concept by having the attacker gain access to a legitimate email account and impersonate its owner. Attackers reason that victims won't question an email that comes from a trusted source — and all too often, they're right.

But email isn't the only effective means cyber criminals use to engage in social engineering attacks. Modern businesses rely on a range of digital applications, from cloud services and VPNs to communications tools and financial services. What's more, these applications are interconnected, so an attacker who can compromise one can compromise others, too. Organisations can't afford to focus exclusively on phishing and BEC attacks — not when business application compromise (BAC) is on the rise.

https://www.darkreading.com/vulnerabilities-threats/business-application-compromise-the-evolving-art-of-social-engineering

• SMBs Are Hardest-Hit By Ransomware

Coalition announced the mid-year update to its 2022 Cyber Claims Report detailing the evolution of cyber trends, revealing that small businesses have become bigger targets, overall incidents are down, and ransomware attacks are declining as demands go unpaid.

During the first half of 2022, the average cost of a claim for a small business owner increased to $139,000, which is 58% higher than levels during the first half of 2021.

“Across industries, we continue to see high-profile attacks targeting organisations with weak or exposed infrastructure — which has become exacerbated by today’s remote working culture and companies’ dependence on third-party vendors,” said Coalition’s Head of Claims.

“Small businesses are especially vulnerable because they often lack resources. For these businesses, avoiding downtime and disruption is essential, and they must understand that Active Insurance is accessible.”

The good news: both Coalition and the broader insurance industry observed a decrease in ransomware attack frequency and the amount of ransom demanded between the second half of 2021 and the first half of 2022. Ransomware demands decreased from $1.37M in H2 2021 to $896,000 in H1 2022.

“Organisations are increasingly aware of the threat ransomware poses. They have started to implement controls such as offline data backups that allow them to refuse to pay the ransom and restore operations through other means,” said Coalition’s Head of Incident Response. “As ransomware is on the decline, attackers are turning to reliable methods. Phishing, for example, has skyrocketed – and only continues to grow.”

https://www.helpnetsecurity.com/2022/09/15/small-businesses-ransomware-targets/

• 65% Say Legacy Backup Solutions Aren’t Up To Ransomware Challenges

HYCU researchers are reporting 65% of respondents lack full confidence in their legacy backup solutions (HYCU is a multi-cloud backup-as-a-service provider).

According to the report, 65% of surveyed enterprise organisations are increasing spending on detection, prevention and recovery, and respondents are beginning to understand that air-gapped or immutable backups are the only ways to ensure that the backups themselves don’t fall prey to encryption worms when ransomware hits.

Key findings include:

• 52% of ransomware victims suffered data loss

• 63% of victims suffered an operational disruption

• Just 41% air gap their backups

• Just 47% routinely test their backups

• Only 35% of respondents believe their current backup and recovery tools are sufficient.

https://informationsecuritybuzz.com/expert-comments/65-say-legacy-backup-solutions-arent-up-to-ransomware-challenges/

• Four-Fifths of Firms Hit by Critical Cloud Security Incident

Some 80% of organisations suffered a “severe” cloud security incident over the past year, while a quarter worry they’ve suffered a cloud data breach and aren’t aware of it, according to new research from Snyk.

The developer security specialist polled 400 cloud engineering and security practitioners from organisations of various sizes and sectors, to compile its State of Cloud Security Report.

Among the incidents flagged by respondents over the past 12 months were breaches, leaks, intrusions, crypto-mining, compliance violations, failed audits and system downtime in the cloud.

Startups (89%) and public sector organisations (88%) were the most likely to have suffered such an incident over the period.

The bad news is that 58% of respondents predict they will suffer another severe incident in the cloud over the coming year. Over three-quarters (77%) of those questioned cited poor training and collaboration as a major challenge in this regard.

“Many cloud security failures result from a lack of effective cross-team collaboration and team training. When different teams use different tools or policy frameworks, reconciling work across those teams and ensuring consistent enforcement can be challenging,” the report argued.

https://www.infosecurity-magazine.com/news/fourfifths-firms-critical-cloud/

• Homeworkers Putting Home and Business Cyber Safety at Risk

BlackBerry published a European research report exposing the cyber security risk created by cost-conscious homeworkers who prioritise security behind price, usability and ease of set up in their purchase of domestic smart devices.

32% of European home workers who own a smart device surveyed said security was a top three factor when choosing a smart device, compared to 50% who prioritised price. 28% of businesses aren’t putting adequate security provisions in place to extend cyber protection as far as homes. This heightens the risk of cyber attacks for businesses and their employees, as hybrid and home working become the norm.

The survey of 4,000 home workers in the UK, France, Germany, and the Netherlands revealed that 28% of people say that their employer has not done or communicated anything about protecting their home network or smart devices, or they don’t know if they are protected.

Furthermore, 75% of Europeans say their employers have taken no steps to secure the home internet connection or provide software protection for home devices. This failure to extend network security to home devices increases risk of the vulnerabilities created by hybrid and home working being successfully exploited. These are particularly sobering findings for small and mid-sized businesses who face upwards of eleven cyber attacks per device, per day, according to the research.

Through even the most innocent of devices, bad actors can access home networks with connections to company devices – or company data on consumer devices – and seize the opportunity to steal data and intellectual property worth millions. It’s likely businesses will bear the brunt of cyber attacks caused by unsecured home devices, with knock-on effects to employees themselves.

https://www.helpnetsecurity.com/2022/09/12/homeworkers-smart-devices-security/

• Uber Hacked, Internal Systems Breached and Vulnerability Reports Stolen

Uber suffered a cyber attack Thursday afternoon with an allegedly 18-year-old hacker downloading HackerOne vulnerability reports and sharing screenshots of the company's internal systems, email dashboard, and Slack server.

The screenshots shared by the hacker and seen by BleepingComputer show what appears to be full access to many critical Uber IT systems, including the company's security software and Windows domain.

Other systems accessed by the hacker include the company's Amazon Web Services console, VMware vSphere/ESXi virtual machines, and the Google Workspace admin dashboard for managing the Uber email accounts.

The threat actor also breached the Uber Slack server, which he used to post messages to employees stating that the company was hacked. However, screenshots from Uber's slack indicate that these announcements were first met with memes and jokes as employees had not realised an actual cyber attack was taking place.

Uber has since confirmed the attack, tweeting that they are in touch with law enforcement and will post additional information as it becomes available. "We are currently responding to a cyber security incident. We are in touch with law enforcement and will post additional updates here as they become available," tweeted the Uber Communications account.

The New York Times, which first reported on the breach, said they spoke to the threat actor, who said they breached Uber after performing a social engineering attack on an employee and stealing their password. The threat actor then gained access to the company's internal systems using the stolen credentials.

https://www.bleepingcomputer.com/news/security/uber-hacked-internal-systems-breached-and-vulnerability-reports-stolen/

• IHG Hack: 'Vindictive' Couple Deleted Hotel Chain Data for Fun

Hackers have told the BBC they carried out a destructive cyber-attack against Holiday Inn owner Intercontinental Hotels Group (IHG) "for fun".

Describing themselves as a couple from Vietnam, they say they first tried a ransomware attack, then deleted large amounts of data when they were foiled. They accessed the FTSE 100 firm's databases thanks to an easily found and weak password, Qwerty1234. An expert says the case highlights the vindictive side of criminal hackers.

UK-based IHG operates 6,000 hotels around the world, including the Holiday Inn, Crowne Plaza and Regent brands. On Monday last week, customers reported widespread problems with booking and check-in. For 24 hours IHG responded to complaints on social media by saying that the company was "undergoing system maintenance".

Then on the Tuesday afternoon it told investors that it had been hacked.

https://www.bbc.co.uk/news/technology-62937678

Threats

Ransomware and Extortion

• How prepared are organisations to tackle ransomware attacks? - Help Net Security

• Lorenz ransomware breaches corporate network via phone systems (bleepingcomputer.com)

• 3 Iranian nationals are accused of ransomware attacks on US victims (cnbc.com)

• Emotet botnet now pushes Quantum and BlackCat ransomware (bleepingcomputer.com)

• Cisco confirms Yanluowang ransomware leaked stolen company data (bleepingcomputer.com)

• DEV-0270 Hacker Group Uses Windows BitLocker Feature to Encrypt Systems (gbhackers.com)

• New York ambulance service discloses data breach after ransomware attack (bleepingcomputer.com)

• The ransomware problem won't get better until we change one thing | ZDNET

• Iranian Hackers Used Victims’ Printers to Issue Ransom Demands, DOJ Says (vice.com)

• Transparency, disclosure key to fighting ransomware (techtarget.com)

• Researchers Warn of 674% Surge in Deadbolt Ransomware - Infosecurity Magazine (infosecurity-magazine.com)

• Over Three-Quarters of Retailers Hit by Ransomware in 2021 - Infosecurity Magazine (infosecurity-magazine.com)

• Cisco Data Breach Attributed to Lapsus$ Ransomware Group (darkreading.com)

• Ransomware Group Leaks Files Stolen From Cisco | SecurityWeek.Com

• The LA School District Cyber Attack Keeps Unravelling – Expert Comments (informationsecuritybuzz.com)

Phishing & Email Based Attacks

• Revolut hit by ‘phishing’ cyber attack | Business | The Times

• Crooks are using lures related to Her Majesty Queen Elizabeth II in phishing attacks - Security Affairs

• Phishing page embeds keylogger to steal passwords as you type (bleepingcomputer.com)

• Hackers now use ‘sock puppets’ for more realistic phishing attacks (bleepingcomputer.com)

• Phishers take aim at Facebook page owners - Help Net Security

• New Spear Phish Methodology Relies on PuTTY SSH Client to Infect Systems - Infosecurity Magazine (infosecurity-magazine.com)

• Real Estate Phish Swallows 1,000s of Microsoft 365 Credentials (darkreading.com)

• Death of Queen Elizabeth II exploited to steal Microsoft credentials (bleepingcomputer.com)

• Potential phishing activity update - NCSC.GOV.UK

Other Social Engineering; Smishing, Vishing, etc

• Serious Breach at Uber Spotlights Hacker Social Deception | SecurityWeek.Com

Malware

• Hackers Are Using WeTransfer Links To Spread Malware (informationsecuritybuzz.com)

• New malware bundle self-spreads through YouTube gaming videos (bleepingcomputer.com)

• Linux variant of the SideWalk backdoor discovered - Help Net Security

• Malware on Pirated Content Sites a Major WFH Risk for Enterprises (darkreading.com)

• How to spot and avoid scams and malware in search results - The Washington Post

• Gay hookup site typosquatted to push dodgy Chrome extensions, scams (bleepingcomputer.com)

Mobile

• Google Patches Critical Vulnerabilities in Pixel Phones | SecurityWeek.Com

• Apple patches iPhone and macOS flaws under active attack • The Register

Internet of Things – IoT

• Securing your IoT devices against cyber attacks in 5 steps (bleepingcomputer.com)

• EU Wants to Toughen Cyber Security Rules for Smart Devices | SecurityWeek.Com

Data Breaches/Leaks

• Uber hacked, internal systems breached and vulnerability reports stolen (bleepingcomputer.com)

• LastPass says hackers had internal access for four days (bleepingcomputer.com)

• Hacker sells stolen Starbucks data of 219,000 Singapore customers (bleepingcomputer.com)

• U-Haul discloses data breach exposing customer driver licenses (bleepingcomputer.com)

• Hackers Compromise Employee Data at PVC-Maker Eurocell - Infosecurity Magazine (infosecurity-magazine.com)

Organised Crime & Criminal Actors

• Chinese-linked cyber crims nab $529 million from India • The Register

• Cyber Crime Forum Admins Steal from Site Users - Infosecurity Magazine (infosecurity-magazine.com)

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

• Police arrest man for laundering tens of millions in stolen crypto (bleepingcomputer.com)

• US regulators say multi-billion-dollar crypto lender Celsius was operating like a ponzi scheme | PC Gamer

• Hackers Targeting WebLogic Servers and Docker APIs for Mining Cryptocurrencies (thehackernews.com)

• Fake cryptocurrency giveaway sites have tripled this year (bleepingcomputer.com)

• Crypto Scams Skyrocket - IT Security Guru

• A Post-exploitation Look at Coinminers Abusing WebLogic Vulnerabilities (trendmicro.com)

• DOJ drops report on cryptocurrency crime efforts (techtarget.com)

• 76% Of Financial Institutions Plan On Using Crypto In The Next 3 Years (informationsecuritybuzz.com)

• How Can You Tell if a Cryptocurrency is Legitimate? Read Our Guide To Find Out - IT Security Guru

Insider Risk and Insider Threats

• 5 Ways to Mitigate Your New Insider Threats in the Great Resignation (thehackernews.com)

• Ex-Broadcom engineer asks for no prison in trade secret case • The Register

Fraud, Scams & Financial Crime

• Microsoft Edge’s News Feed ads abused for tech support scams (bleepingcomputer.com)

• Cops Raid Suspected Fraudster Penthouses - Infosecurity Magazine (infosecurity-magazine.com)

• How to spot and avoid scams and malware in search results - The Washington Post

• Tax fraud ring leader jailed for selling children’s stolen identities (bleepingcomputer.com)

AML/CFT/Sanctions

• Spanish police arrest ‘one of Europe’s biggest money launderers’ | Financial Times (ft.com)

Insurance

• Coalition Cyber Insurance - Small Businesses Prime Targets (informationsecuritybuzz.com)

Dark Web

• Documents For Sale on the Dark Web - IT Security Guru

Supply Chain and Third Parties

• Hackers breach software vendor for Magento supply-chain attacks (bleepingcomputer.com)

• WordPress sites backdoored after FishPig supply chain attack • The Register

Denial of Service DoS/DDoS

• DDoS Attacks on UK Firms Surge During Ukraine War - Infosecurity Magazine (infosecurity-magazine.com)

• Akamai stopped new record-breaking DDoS attack in Europe (bleepingcomputer.com)

Cloud/SaaS

• 5 ways to improve your cloud security posture (techtarget.com)

• Excess privilege in the cloud is a universal security problem, IBM says | CSO Online

• Organisations lack visibility into unauthorised public cloud data access - Help Net Security

• One-third of enterprises don’t encrypt sensitive data in the cloud | CSO Online

Attack Surface Management

• Cyber attack trends vs. growing IT complexity - Help Net Security

• Outdated infrastructure remains a problem against sophisticated cyber attacks - Help Net Security

Shadow IT

• Use shadow IT discovery to find unauthorized devices and apps (techtarget.com)

Encryption

• Keep Today's Encrypted Data From Becoming Tomorrow's Treasure (darkreading.com)

API

• Hackers Targeting WebLogic Servers and Docker APIs for Mining Cryptocurrencies (thehackernews.com)

• API security—and even visibility—isn’t getting handled by enterprises | CSO Online

• Bad bots are coming at APIs! How to beat the API bot attacks? - Help Net Security

Open Source

• When It Comes to Security, Don’t Overlook Your Linux Systems | SecurityWeek.Com

• 40% of pros scaled back back open source use over security • The Register

• You never walk alone: The SideWalk backdoor gets a Linux variant | WeLiveSecurity

Passwords, Credential Stuffing & Brute Force Attacks

• IHG Was Hacked Using Password “Qwerty1234” - LoyaltyLobby

Social Media

• Thwarting attackers in their favourite new playground: Social media - Help Net Security

• Twitter whistleblower tells Senate of ‘egregious’ security failings by company | Twitter | The Guardian

• Cyber attackers Abuse Facebook Ad Manager in Savvy Credential-Harvesting Campaign (darkreading.com)

Training, Education and Awareness

• Security Awareness Training Must Evolve to Align With Growing E-Commerce Security Threats (darkreading.com)

Parental Controls and Child Safety

• Cyber Crime Fears for Children as Cost-of-Living Bites - Infosecurity Magazine (infosecurity-magazine.com)

Regulations, Fines and Legislation

• 10 Steps to Successfully Navigate Cyber Security Compliance - MSSP Alert

Models, Frameworks and Standards

• Don’t Put Preparation on Pause: CMMC 2.0 is Coming Quicker Than You Think - MSSP Alert

Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine

• Montenegro Under Cyber Attack, Russia Blamed, All NATO States Would Be (informationsecuritybuzz.com)

• DDoS Attacks on UK Firms Surge During Ukraine War - Infosecurity Magazine (infosecurity-magazine.com)

• New Cyberespionage Group 'Worok' Targeting Entities in Asia | SecurityWeek.Com

• ShadowPad Threat Actors Return With Fresh Government Strikes, Updated Tools (darkreading.com)

Nation State Actors

Nation State Actors – Russia

• Montenegro Wrestles With Massive Cyber Attack, Russia Blamed | SecurityWeek.Com

• Russia’s cyber future connected at the waist to Soviet military industrial complex | CSO Online

Nation State Actors – North Korea

• North Korea-linked APT spreads tainted versions of PuTTY via WhatsApp - Security Affairs

Nation State Actors – Iran

• Iranian cyber spies use multi-persona impersonation in phishing threads | CSO Online

• Albania says Iranian hackers hit the country with another cyber attack - CyberScoop

• US, UK, Canada and Australia Link Iranian Government Agency to Ransomware Attacks | SecurityWeek.Com

• Iranian Hackers Target High-Value Targets in Nuclear Security and Genomic Research (thehackernews.com)

• Iranian Hackers Used Victims’ Printers to Issue Ransom Demands, DOJ Says (vice.com)

Vulnerability Management

• Backlogs larger than 100K+ vulnerabilities but too time-consuming to address - Help Net Security

Vulnerabilities

• Microsoft September 2022 Patch Tuesday fixes zero-day used in attacks, 63 flaws (bleepingcomputer.com)

• Adobe Patches 63 Security Flaws in Patch Tuesday Bundle | SecurityWeek.Com

• CISA orders agencies to patch vulnerability used in Stuxnet attacks (bleepingcomputer.com)

• Chrome 105 Update Patches High-Severity Vulnerabilities | SecurityWeek.Com

• Microsoft Teams stores auth tokens as cleartext in Windows, Linux, Macs (bleepingcomputer.com)

• Microsoft Quashes Actively Exploited Zero-Day, Wormable Critical Bugs (darkreading.com)

• Apple fixed the eighth actively exploited zero-day this year - Security Affairs

• Cisco Patches High-Severity Vulnerability in SD-WAN vManage | SecurityWeek.Com

• Over 280,000 WordPress Sites Attacked Using WPGateway Plugin Zero-Day Vulnerability (thehackernews.com)

• Over 280,000 WordPress sites may have been hijacked by zero-day hiding in popular plugin | TechRadar

• High-Severity Firmware Security Flaws Left Unpatched in HP Enterprise Devices (thehackernews.com)

• CISA added 2 more security flaws to its Known Exploited Vulnerabilities Catalog - Security Affairs

• ManageEngine Password Management Vulnerability and Patch: Details for MSPs, MSSPs - MSSP Alert

Reports Published in the Last Week

• Falcon OverWatch Threat Hunting Report 2022 | CrowdStrike

• Cyber Security: Benchmarking Security Gaps & Privileged Access (delinea.com)

Other News

• MSPs and cyber security: The time for turning a blind eye is over - Help Net Security

• Red Teaming to Reduce Cyber Risk (trendmicro.com)

• Organisations should fear misconfigurations more than vulnerabilities - Help Net Security

• Companies need data privacy plan before joining metaverse (techtarget.com)

• Lens reflections may betray your secrets in Zoom video calls • The Register

• US Government Wants Security Guarantees From Software Vendors | SecurityWeek.Com

• Serious Security: Browser-in-the-browser attacks – watch out for windows that aren’t! – Naked Security (sophos.com)

• The Cyber Security Head Game | Psychology Today South Africa

• Cyber Security Report: Average Data Breach in US Costs $9.4 Million - MSSP Alert

• 5 Best Practices for Building Your Data Loss Prevention Strategy (darkreading.com)

• Hands-on cyber attacks jump 50%, CrowdStrike reports | CSO Online

• Penetration Testing Report: Security Misconfiguration Is "Top Vulnerability" - MSSP Alert

• Twitter whistleblower: Lack of access, data controls invite exploitation | SC Media (scmagazine.com)

• Cost of Living Crisis Impact on Online Activity - IT Security Guru

• Attacker Apparently Didn't Have to Breach a Single System to Pwn Uber (darkreading.com)

• Zoom outage left users unable to sign in or join meetings (bleepingcomputer.com)

• Five ways your data may be at risk — and what to do about it (bleepingcomputer.com)

• Notepad++ Plugins Allow Attackers to Infiltrate Systems, Achieve Persistence - Infosecurity Magazine (infosecurity-magazine.com)

• Twitter's ex-security boss Zatko disses biz as dysfunctional • The Register

• Don't Let Your Home Wi-Fi Get Hacked. Here's What to Do - CNET

• How serious are organisations about their data sovereignty strategies? - Help Net Security

• Undermining Microsoft Teams Security By Mining Tokens (informationsecuritybuzz.com)

Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

·       Automotive

·       Construction

·       Critical National Infrastructure (CNI)

·       Defence & Space

·       Education & Academia

·       Energy & Utilities

·       Estate Agencies

·       Financial Services

·       FinTech

·       Food & Agriculture

·       Gaming & Gambling

·       Government & Public Sector (including Law Enforcement)

·       Health/Medical/Pharma

·       Hotels & Hospitality

·       Insurance

·       Legal

·       Manufacturing

·       Maritime

·       Oil, Gas & Mining

·       OT, ICS, IIoT, SCADA & Cyber-Physical Systems

·       Retail & eCommerce

·       Small and Medium Sized Businesses (SMBs)

·       Startups

·       Telecoms

·       Third Sector & Charities

·       Transport & Aviation

·       Web3

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

• Average Cost of Data Breaches Hits Record High of $4.35 Million: IBM

The global average cost of data breaches reached an all-time high of $4.35 million in 2022 compared with $4.24 million in 2021, according to a new IBM Security report. About 60% of the breached organisations raised product and services prices due to the breaches.

The annual report, conducted by Ponemon Institute and analysed and sponsored by IBM Security, is based on the analysis of real-world data breaches experienced by 550 organisations globally between March 2021 and March 2022.

According to the report, about 83% of the organisations have experienced more than one breach in their lifetime, with nearly half of the costs reported to be incurred more than a year after the breach.

The report revealed that ransomware and destructive attacks represented 28% of breaches among the critical infrastructure organisations studied, indicating that threat actors are specifically targeting the sector to disrupt global supply chains. The critical infrastructure sector includes financial services, industrial, transportation, and healthcare companies.

https://www.csoonline.com/article/3668655/average-cost-of-data-breaches-hits-record-high-of-435-million-ibm.html#tk.rss_news

• Researchers Warns of Large-Scale Adversary-in-the-Middle (AiTM) Attacks Targeting Enterprise Users

A new, large-scale phishing campaign has been observed using adversary-in-the-middle (AitM) techniques to get around security protections and compromise enterprise email accounts.

It uses a technique capable of bypassing multi-factor authentication. The campaign is specifically designed to reach end users in enterprises that use Microsoft's email services.

Prominent targets include fintech, lending, insurance, energy, manufacturing, and federal credit union verticals located in the US, UK, New Zealand, and Australia.

This is not the first time such a phishing attack has come to light. Last month, Microsoft disclosed that over 10,000 organisations had been targeted since September 2021 by means of AitM techniques to breach accounts secured with multi-factor authentication (MFA).

The ongoing campaign, effective June 2022, commences with an invoice-themed email sent to targets containing an HTML attachment, which includes a phishing URL embedded within it.

https://thehackernews.com/2022/08/researchers-warns-of-large-scale-aitm.html

• UK NHS Suffers Outage After Cyber Attack on Managed Service Provider

The UK National Health Service (NHS) 111 emergency services were affected by a significant and ongoing outage triggered by a cyber attack that hit the systems of British managed service provider (MSP) Advanced.

Advanced's Adastra client patient management solution, which is used by 85% of NHS 111 services, was hit by a major outage together with several other services provided by the MSP, according to a status page.

"There was a major outage of a computer system that is used to refer patients from NHS 111 Wales to out-of-hours GP providers," the Welsh Ambulance Services said. "This system is used by Local Health Boards to coordinate these services for patients. The ongoing outage is significant and has been far-reaching, impacting each of the four nations in the UK."

The UK public was advised to access the NHS 111 emergency services using the online platform until the incident is resolved.

While no details were provided regarding the nature of the cyber attack, based on the wording, it is likely that this was a ransomware or data extortion attack.

https://www.bleepingcomputer.com/news/security/uk-nhs-suffers-outage-after-cyberattack-on-managed-service-provider/

• A Third of Organisations Experience a Ransomware Attack Once a Week

Ransomware attacks show no sign of slowing. According to new research published by Menlo Security, a third of organisations experience a ransomware attack at least once a week, with one in 10 experiencing them more than once a day.

The research, conducted among 500+ IT security decision makers at US and UK organisations with more than 1,000 employees, highlights the impact this is having on security professionals’ own wellbeing. When asked what keeps them awake at night, 41% of respondents say they worry about ransomware attacks evolving beyond their team’s knowledge and skillset, while 39% worry about them evolving beyond their company’s security capabilities.

Their biggest concern, however, is the risk of employees ignoring corporate security advice and clicking on links or attachments containing malware (46%). Respondents worry more about this than they do their own job security, with just a quarter (26%) of respondents worried about losing their job.

According to the report, around half of organisations (61% US and 44% UK) have been the victim of a successful ransomware attack in the last 18 months, with customers and prospects the most likely entry point for an attack.

Partners/suppliers and employees/contractors are also seen as serious security risks, although one in 10 admit they are unable to identify how the attacks got in. The top three ransomware attack vectors are email (54%), web browsers via a desktop or laptop (49%) and mobile devices (39%).

https://www.helpnetsecurity.com/2022/08/04/organizations-experience-ransomware-attack/

• Ransomware Products and Services Ads on Dark Web Show Clues to Danger

Why is ransomware’s destructive potential so daunting? Some clues are in the “for sale” ads. In an examination of some 35 million dark web URLs, a provider of machine identity management and a forensic specialist found some 475 web pages peddling sophisticated ransomware products and services with a number of high profile crews hawking ransomware-as-a-service.

The work is a joint effort between the Salt Lake City-based Venafi and Forensic Pathways, which took place between November 2021 and March 2022. Researchers used Forensic’s Dark Search Engine to carry out the investigation.

Here are some of the research findings:

• 87% of the ransomware found on the dark web has been delivered via malicious macros to infect targeted systems.

• 30 different “brands” of ransomware were identified within marketplace listings and forum discussions.

• Many strains of ransomware being sold — such as Babuk, GoldenEye, Darkside/BlackCat, Egregor, HiddenTear and WannaCry — have been successfully used in high-profile attacks.

• Ransomware strains used in high-profile attacks command a higher price for associated services. For example, the most expensive listing was $1,262 for a customised version of Darkside ransomware, which was used in the Colonial Pipeline ransomware attack.

• Source code listings for well-known ransomware generally command higher price points. For example, Babuk source code is listed for $950 and Paradise source code is selling for $593.

Ransomware Sold for as Little as $1: In addition to a variety of ransomware at various price points, a wide range of services and tools that help make it easier for attackers with minimal technical skills to launch ransomware attacks are for sale on the dark web, Venafi said. Services with the greatest number of listings include those offering source code, build services, custom development services and ransomware packages that include step-by-step tutorials.

https://www.msspalert.com/cybersecurity-breaches-and-attacks/ransomware/ransomware-products-services-ads-on-dark-web-show-clues-to-danger/

• Wolf In Sheep’s Clothing: How Malware Tricks Users and Antivirus

One of the primary methods used by malware distributors to infect devices is by deceiving people into downloading and running malicious files, and to achieve this deception, malware authors are using a variety of tricks.

Some of these tricks include masquerading malware executables as legitimate applications, signing them with valid certificates, or compromising trustworthy sites to use them as distribution points.

According to VirusTotal, a security platform for scanning uploaded files for malware, some of these tricks are happening on a much larger scale than initially thought.

The platform has compiled a report presenting stats from January 2021 until July 2022, based on the submission of two million files daily, illustrating trends in how malware is distributed.

• Abusing legitimate domains: Distributing malware through legitimate, popular, and high-ranking websites allows threat actors to evade IP-based blocklists, enjoy high availability, and provide a greater level of trust.

• Using stolen code-signing certificates: Signing malware samples with valid certificates stolen from companies is a reliable way to evade AV detection and security warnings on the host. Of all the malicious samples uploaded to VirusTotal between January 2021 and April 2022, over a million were signed, and 87% used a valid certificate.

• Disguised as popular software: Masquerading a malware executable as a legitimate, popular application has seen an upward trend in 2022. Victims download these files thinking they’re getting the applications they need, but upon running the installers, they infect their systems with malware. The most mimicked applications are Skype, Adobe Acrobat, VLC, and 7zip.

• Lacing legitimate installers - Finally, there’s the trick of hiding malware inside legitimate application installers and running the infection process in the background while the real apps execute in the foreground. Based on VirusTotal stats, this practice also appears to be on the rise this year, using Google Chrome, Malwarebytes, Windows Updates, Zoom, Brave, Firefox, ProtonVPN, and Telegram as lures.

https://www.bleepingcomputer.com/news/security/wolf-in-sheep-s-clothing-how-malware-tricks-users-and-antivirus/

• Microsoft Accounts Targeted with New MFA-Bypassing Phishing Kit

A new large-scale phishing campaign targeting credentials for Microsoft email services use a custom proxy-based phishing kit to bypass multi-factor authentication.

Researchers believe the campaign's goal is to breach corporate accounts to conduct BEC (business email compromise) attacks, diverting payments to bank accounts under their control using falsified documents.

The phishing campaign's targets include fin-tech, lending, accounting, insurance, and Federal Credit Union organisations in the US, UK, New Zealand, and Australia.

The campaign was discovered by Zscaler's ThreatLabz researchers, who report that the operation is still ongoing, and the phishing actors register new phishing domains almost daily.

Starting in June 2022, Zscaler's analysts noticed a spike in sophisticated phishing attempts against specific sectors and users of Microsoft email services.

Some of the newly registered domains used in the campaign are typo-squatted versions of legitimate domains.

Notably, many phishing emails originated from the accounts of executives working in these organisations, whom the threat actors most likely compromised earlier.

https://www.bleepingcomputer.com/news/security/microsoft-accounts-targeted-with-new-mfa-bypassing-phishing-kit/

• Cyber Attack Prevention Is Cost-Effective, So Why Aren’t Businesses Investing to Protect?

Cyber attacks like ransomware, BEC scams and data breaches are some of the key issues businesses are facing today, but despite the number of high-profile incidents, many boardrooms are reluctant to free up budget to invest in the cyber security measures necessary to avoid becoming the next victim.

In a Help Net Security interview, Former Pentagon Chief Strategy Officer Jonathan Reiber, VP Cyber security Strategy and Policy, AttackIQ, discusses how now, more than ever, companies need to protect themselves from cyber threat actors. He offers insight for CISOs, from talking to the Board to proper budget allocation.

https://www.helpnetsecurity.com/2022/08/01/cyberattack-prevention-investing/

• Securing Your Move to the Hybrid Cloud

The combination of private and public cloud infrastructure, which most organisations are already using, poses unique security challenges. There are many reasons why organisations adopt the public cloud, from enabling rapid growth without the burden of capacity planning to leveraging flexibility and agility in delivering customer-centric services. However, this use can leave companies open to threats.

Since regulatory requirements or other preferences dictate that certain applications remain on private (on-prem) infrastructure, many organisations choose to maintain a mix of private and public infrastructure. Additionally, organisations typically use multiple cloud providers simultaneously or preserve the option to move between providers. However, this hybrid approach presents unique and diverse security challenges. Different cloud providers and private cloud platforms may offer similar capabilities but different ways of implementing security controls, along with disparate management tools.

The question then becomes: How can an organisation maintain consistent governance, policy enforcement and controls across different clouds? And how can it ensure that it maintains its security posture when moving between them? Fortunately, there are steps professionals can take to ensure that applications are continuously secure, starting from the early stages of development and extending throughout the lifecycle.

https://threatpost.com/secure-move-cloud/180335/

• Lessons from the Russian Cyber Warfare Attacks

Cyber warfare tactics may not involve tanks and bombs, but they often go hand-in-hand with real combat.

The Russian invasion of Ukraine is a prime example. Before Russian troops crossed the border, Russian hackers had already taken down Ukrainian government websites. And after the conflict started, the hacktivist group Anonymous turned the tables by hacking Russian media to shut down propaganda about the war.

In these unprecedented times of targeted attacks against governments and financial institutions, every organisation should be on heightened alert about protecting their critical infrastructure and digital attack surface.

With the Russia-Ukraine conflict as a backdrop, two Trend Micro security experts recently discussed cyber warfare techniques and how they’re an important reminder for every business to proactively manage cyber risk.

https://www.trendmicro.com/en_us/ciso/22/h/russian-cyber-warfare-attacks.html

• Four Sneaky Attacker Evasion Techniques You Should Know About

Remember those portrayals of hackers in the 80s and 90s where you just knew when you got pwned? A blue screen of death, a scary message, a back-and-forth text exchange with a hacker—if you got pwned in a movie in the 80s and 90s, you knew it right off the bat.

What a shame that today’s hackers have learned to be quiet when infiltrating an environment. Sure, “loud” attacks like ransomware still exist, but threat actors have learned that if they keep themselves hidden, they can usually do far more damage. For hackers, a little stealth can go a long way. Some attack tactics are inherently quiet, making them arguably more dangerous as they can be harder to detect. Here are four of these attack tactics you should know about.

1. Trusted Application Abuse: Attackers know that many people have applications that they inherently trust, making those trusted applications the perfect launchpad for cyber attacks. Threat actors know that defenders and the tools they use are often on the hunt for new malware presenting itself in environments. What isn’t so easy to detect is when the malware masquerades under legitimate applications.

2. Trusted Infrastructure Abuse: Much like trusted application abuse, trusted infrastructure abuse is the act of using legitimate, publicly hosted services and toolsets (such as Dropbox or Google Drive) as part of the attack infrastructure. Threat actors know that people tend to trust Dropbox and Google Drive. As a result, this makes these tools a prime means for threat actors to carry out malicious activity. Threat actors often find trusted infrastructure abuse easy because these services aren’t usually blocked at an enterprise’s gateway. In turn, outbound communications can hide in plain sight.

3. Obfuscation: Although cyber security has more than its fair share of tedious acronyms, the good news is that many terms can be broken down by their generic dictionary definitions. According to dictionary.com, this is what obfuscate means: “To make something unclear, obscure or difficult to understand.” And that’s exactly what it means in cyber security: finding ways to conceal malicious behaviour. In turn, this makes it more difficult for analysts and the tools they use to flag suspicious or malicious activity.

4. Persistence: Imagine writing up documentation using your computer, something you may well do in your role. You’ve spent a ton of time doing the research required, finding the right sources and compiling all your information into a document. Now, imagine not hitting save on that document and losing it as soon as you reboot your computer. Sound like a nightmare—or perhaps a real anxiety-inducing experience you’ve been through before? Threat actors agree. And that’s why they establish persistence. They don’t want all of their hard work to get into your systems in the first place to be in vain just because you restart your computer. They establish persistence to make sure they can still hang around even after you reboot.

https://www.msspalert.com/cybersecurity-guests/four-sneaky-attacker-evasion-techniques-you-should-know-about/

• Zero-Day Defence: Tips for Defusing the Threat

Because they leave so little time to patch and defuse, zero-day threats require a proactive, multi-layered approach based on zero trust.

The recent Atlassian Confluence remote code execution bug is just the latest example of zero-day threats targeting critical vulnerabilities within major infrastructure providers. The specific threat, an Object-Graph Navigation Language (OGNL) injection, has been around for years but took on new significance given the scope of the Atlassian exploit. And OGNL attacks are on the rise.

Once bad actors find such a vulnerability, proof-of-concept exploits start knocking at the door, seeking unauthenticated access to create new admin accounts, execute remote commands, and take over servers. In the Atlassian case, Akamai's threat research team identified that the number of unique IP addresses attempting these exploits grew to more than 200 within just 24 hours.

Defending against these exploits becomes a race against time worthy of a 007 movie. The clock is ticking and you don't have much time to implement a patch and "defuse" the threat before it's too late. But first you need to know that an exploit is underway. That requires a proactive, multi-layered approach to online security based on zero trust.

What do these layers look like? There are a number of different practices that security teams — and their third-party Web application and infrastructure partners — should be aware of.

https://www.darkreading.com/attacks-breaches/zero-day-defense-tips-for-defusing-the-threat

Threats

Ransomware

• Reported ransomware attacks are just the tip of the iceberg. That's a problem for everyone | ZDNet

• Initial Access Brokers - Key to Rise In Ransomware Attacks (informationsecuritybuzz.com)

• Ransomware gangs are hitting roadblocks, but aren't stopping (yet) - Help Net Security

• SonicWall: Ransomware Global Cyber Attack Volume Shrinks, Still Exceeds Totals for 2017-2019 - MSSP Alert

• 87% of the ransomware found on the dark web has been delivered via malicious macros - Help Net Security

• LockBit Ransomware Abuses Windows Defender for Payload Loading | SecurityWeek.Com

• German Chambers of Industry and Commerce hit by 'massive' cyber attack (bleepingcomputer.com)

• Brand-New HavanaCrypt Ransomware Poses as Google Software Update App Uses Microsoft Hosting Service IP Address as C&C Server (trendmicro.com)

• Ransomware Task Force releases SMB blueprint for defence and mitigation (scmagazine.com)

• Prepare for ransomware before you're hit • The Register

• German semiconductor giant Semikron says hackers encrypted its network | TechCrunch

• Ransomware Hit on European Pipeline & Energy Supplier Encevo Linked to BlackCat (darkreading.com)

• Luxembourg Energy Company Hit by Ransomware | SecurityWeek.Com

• Spanish research agency still recovering after ransomware attack (bleepingcomputer.com)

Phishing & Email Based Attacks

• Countdown Clock Puts Pressure on Phishing Targets - Infosecurity Magazine

• The most impersonated brand in phishing attacks? Microsoft - Help Net Security

• Open Redirect Flaw Snags Amex, Snapchat User Data | Threatpost

• American Express, Snapchat Open-Redirect Vulnerabilities Exploited in Phishing Scheme (darkreading.com)

• A new malware threat is spying on users' Gmail inbox — do this before you're next | Laptop Mag

• Massive New Phishing Campaign Targets Microsoft Email Service Users (darkreading.com)

• North Korean Hackers Use Browser Extension to Spy on Gmail and AOL Accounts - Infosecurity Magazine

Other Social Engineering; SMishing, Vishing, etc

• US FCC warns of the rise of smishing attacks - Security Affairs

Malware

• VirusTotal Reveals Most Impersonated Software in Malware Attacks (thehackernews.com)

• Gootkit Loader Resurfaces with Updated Tactic to Compromise Targeted Computers (thehackernews.com)

• Woody RAT: A new feature-rich malware spotted in the wild | Malwarebytes Labs

• VirusTotal: Threat Actors Mimic Legitimate Apps, Use Stolen Certs to Spread Malware (darkreading.com)

• New IoT RapperBot Malware Targeting Linux Servers via SSH Brute-Forcing Attack (thehackernews.com)

• New Linux malware brute-forces SSH servers to breach networks (bleepingcomputer.com)

• Credential Stealer Malware Raccoon Updated to Obtain Passwords More Efficiently - Infosecurity Magazine

• Attackers cause Discord discord with malicious npm packages • The Register

• Gootkit AaaS malware is still active and uses updated tactics - Security Affairs

Mobile

• Facebook finds new Android malware used by APT hackers (bleepingcomputer.com)

• Google Patches Critical Android Bluetooth Flaw in August Security Bulletin - Infosecurity Magazine

• Banking trojan finds new routes to accounts by infiltrating Google Play Store (scmagazine.com)

Internet of Things – IoT

• A Digital Home Has Many Open Doors (darkreading.com)

• All the Data Amazon's Ring Cameras Collect About You | WIRED

Organised Crime & Criminal Actors

• Thousands of hackers flock to 'Dark Utilities' C2-as-a-Service (bleepingcomputer.com)

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

• Phishing campaign targets Coinbase wallet holders to steal cryptocurrency in real-time - Help Net Security

• Nearly $200 Million Stolen from Cryptocurrency Bridge Nomad | SecurityWeek.Com

• Crypto firm that promised security loses $200 million in 'frenzied free-for-all' hack | PC Gamer

• Nomad to crooks: Keep 10% as a bounty, return the rest • The Register

• Cyber attackers Drain Nearly $6M From Solana Crypto Wallets (darkreading.com)

• Man robbed of $800,000 in cryptocurrency sues Google • The Register

Insider Risk and Insider Threats

• T-Mobile Store Owner Made $25M Using Stolen Employee Credentials (darkreading.com)

Fraud, Scams & Financial Crime

• UK Branded Europe’s “Capital of Card Fraud” - Infosecurity Magazine

• Huge network of 11,000 fake investment sites targets Europe (bleepingcomputer.com)

• Online payment fraud losses accelerate at an alarming rate - Help Net Security

• COMMENT: 'Hi Mum, Hi Dad' Scams On The Rise - Britons Already (informationsecuritybuzz.com)

• Increase in Fake Tickets Being Sold by Cyber criminals on Social Media - IT Security Guru

AML/CFT/Sanctions

• Robinhood Crypto Penalized $30M for Violating NY Cybersecurity Regulations | SecurityWeek.Com

Dark Web

• A Ransomware Explosion Fosters Thriving Dark Web Ecosystem (darkreading.com)

• The popularity of Dark Utilities 'C2-as-a-Service' rapidly increases - Security Affairs

Software Supply Chain

• Now is the time to focus on software supply chain security improvements - Help Net Security

Cloud/SaaS

• Cyber attackers Increasingly Target Cloud IAM as a Weak Link (darkreading.com)

• What Worries Security Teams About the Cloud? (darkreading.com)

• Who Has Control: The SaaS App Admin Paradox (thehackernews.com)

• Enterprises face a multitude of barriers to securing diverse cloud environments - Help Net Security

Open Source

• New Linux malware brute-forces SSH servers to breach networks (bleepingcomputer.com)

Passwords, Credential Stuffing & Brute Force Attacks

• Hackers stole passwords for accessing 140,000 payment terminals | TechCrunch

• Credential Canaries Create Minefield for Attackers (darkreading.com)

• 5 reasons why businesses should never use consumer-grade password managers | TechRadar

Social Media

• Hackers Exploit Twitter Vulnerability to Exposes 5.4 Million Accounts (thehackernews.com)

• Parliament shuts down TikTok account over China data security concerns (telegraph.co.uk)

• Over 3,200 Apps Leak Twitter API Keys, Some Allowing Account Hijacks (informationsecuritybuzz.com)

• Increase in Fake Tickets Being Sold by Cyber criminals on Social Media - IT Security Guru

Privacy

• DuckDuckGo browser now blocks all Microsoft trackers, most of the time (bleepingcomputer.com)

Cyber Bullying and Cyber Stalking

• Australia charges dev of Imminent Monitor RAT used by domestic abusers (bleepingcomputer.com)

Regulations, Fines and Legislation

• Most companies are unprepared for CCPA and GDPR compliance - Help Net Security

• Data privacy: Collect what you need, protect what you collect | CSO Online

• India scraps data protection law, promises better successor • The Register

Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine

• Austrian Investigation Reveals Spyware Targeting Law Firms, Finance Institutions - Infosecurity Magazine

• Ukraine takes down 1,000,000 bots used for disinformation (bleepingcomputer.com)

• Nancy Pelosi ties Chinese cyber-attacks to Taiwan visit • The Register

• Spanish Research Center Suffers Cyber attack Linked to Russia | SecurityWeek.Com

• Russian organisations attacked with new Woody RAT malware (bleepingcomputer.com)

• Greek intelligence spied on journalist with a surveillance spyware - Security Affairs

• Rare Pegasus screenshots depict NSO Group's spyware capabilities | AppleInsider

Nation State Actors

Nation State Actors – Russia

• Double Whammy: Russian Hackers Launch Cyber Attacks On Lockheed Martin; Armed Forces Hack Into HIMARS -- Reports (eurasiantimes.com)

• Ukraine Shutters Major Russian Bot Farm - Infosecurity Magazine

Nation State Actors – China

• Chinese hackers use new Cobalt Strike-like attack framework (bleepingcomputer.com)

• Massive China-Linked Disinformation Campaign Taps PR Firm for Help (darkreading.com)

• Parliament shuts down TikTok account over China data security concerns (telegraph.co.uk)

• China, Huawei, and the eavesdropping threat | CSO Online

• Global network of fake news sites push Chinese propaganda, researchers find - CyberScoop

• Taiwanese military reports DDoS in wake of US Speaker visit • The Register

Nation State Actors – North Korea

• Cyber crime a Key Revenue Stream For North Korea's Weapons Program - Infosecurity Magazine (infosecurity-magazine.com)

• North Korean Hackers Use Browser Extension to Spy on Gmail and AOL Accounts - Infosecurity Magazine (infosecurity-magazine.com)

Nation State Actors – Iran

• Iranian Hackers Likely Behind Disruptive Cyber attacks Against Albanian Government (thehackernews.com)

• Disruptive Cyber attacks on NATO Member Albania Linked to Iran | SecurityWeek.Com

Nation State Actors – Misc APT

• Twitter breach exposes anonymous accounts to nation state hackers - CyberScoop

Vulnerabilities

• VMware urges admins to patch critical auth bypass bug immediately (bleepingcomputer.com)

• Critical RCE Bug in DrayTek Routers Opens SMBs to Zero-Click Attacks (darkreading.com)

• Cisco fixes critical remote code execution bug in VPN routers (bleepingcomputer.com)

• F5 Fixes 21 Vulnerabilities With Quarterly Security Patches | SecurityWeek.Com

• High-Severity Bug in Kaspersky VPN Client Opens Door to PC Takeover (darkreading.com)

• Hackers Exploit Atlassian Confluence Vulnerability to Deploy New 'Ljl' Backdoor - Infosecurity Magazine

• Slack Resets Passwords After a Bug Exposed Hashed Passwords for Some Users (thehackernews.com)

• VMware Releases Patches for Several New Flaws Affecting Multiple Products (thehackernews.com)

• Hackers are actively exploiting password-stealing flaw in Zimbra (bleepingcomputer.com)

• Google fixed Critical Remote Code Execution flaw in Android - Security Affairs

• CISA adds Zimbra bug to Known Exploited Vulnerabilities Catalogue - Security Affairs

• Warning! Critical flaws found in US Emergency Alert System • The Register

Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

·       Automotive

·       Construction

·       Critical National Infrastructure (CNI)

·       Defence & Space

·       Education & Academia

·       Energy & Utilities

·       Estate Agencies

·       Financial Services

·       FinTech

·       Food & Agriculture

·       Gaming & Gambling

·       Government & Public Sector (including Law Enforcement)

·       Health/Medical/Pharma

·       Hotels & Hospitality

·       Insurance

·       Legal

·       Manufacturing

·       Maritime

·       Oil, Gas & Mining

·       OT, ICS, IIoT, SCADA & Cyber-Physical Systems

·       Retail & eCommerce

·       Small and Medium Sized Businesses (SMBs)

·       Startups

·       Telecoms

·       Third Sector & Charities

·       Transport & Aviation

·       Web3

Other News

• APIs attacked in 94% of companies in past year - IT Security Guru

• Over 60% of Organisations Expose SSH to the Internet - Infosecurity Magazine

• How IT and security teams can work together to improve endpoint security - Microsoft Security Blog

• Burnout and attrition impact tech teams sustaining modern digital systems - Help Net Security

• Machine learning creates a new attack surface requiring specialized defences - Help Net Security

• Cyber security lessons learned from COVID-19 pandemic (techtarget.com)

• 10 enterprise database security best practices (techtarget.com)

• Resolving Availability vs. Security, a Constant Conflict in IT (thehackernews.com)

• Tips to prevent RDP and other remote attacks on Microsoft networks | CSO Online

• 5 ways to unite security and compliance | CSO Online

• The Myth of Protection Online — and What Comes Next (darkreading.com)

• The Importance of Data Security in the Enterprise (techtarget.com)

• Who Needs Macros? | Threat Actors Pivot to Abusing Explorer and Other LOLBins via Windows Shortcuts - SentinelOne

• How IT Teams Can Use 'Harm Reduction' for Better Cyber security Outcomes (darkreading.com)

• Businesses lack visibility into run-time threats against mobile apps and APIs - Help Net Security

• Browser synchronization abuse: Bookmarks as a covert data exfiltration channel - Help Net Security

• Threats emanating from digital ecosystems can be a blind spot for businesses - Help Net Security

• Busting the Myths of Hardware Based Security - Security Affairs

• New Traffic Light Protocol standard released after five years (bleepingcomputer.com)

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

• 1 in 3 Employees Don’t Understand Why Cyber Security Is Important

According to a new Tessian report, 30% of employees do not think they personally play a role in maintaining their company’s cyber security posture.

What’s more, only 39% of employees say they’re very likely to report a security incident, making investigation and remediation even more challenging and time-consuming for security teams. When asked why, 42% of employees said they wouldn’t know if they had caused an incident in the first place, and 25% say they just don’t care enough about cyber security to mention it.

Virtually all IT and security leaders agreed that a strong security culture is important in maintaining a strong security posture. Yet, despite rating their organisation’s security 8 out 10, on average, three-quarters of organisations experienced a security incident in the last 12 months.

The report suggests this could stem from a reliance on traditional training programs: 48% of security leaders say training is one of the most important influences on building a positive security posture. But the reality is that employees aren’t engaged; just 28% of UK and US workers say security awareness training is engaging and only 36% say they’re paying full attention. Of those who are, only half say it’s helpful, while another 50% have had a negative experience with a phishing simulation. With recent headlines depicting how phishing simulations can go awry, negative experiences like these further alienate employees and decrease engagement.

https://www.helpnetsecurity.com/2022/07/28/employees-dont-understand-why-cybersecurity-is-important/

• As Companies Calculate Cyber Risk, the Right Data Makes a Big Difference

The proposed US Securities and Exchange Commission’s stronger rules for reporting cyber attacks will have ramifications beyond increased disclosure of attacks to the public. By requiring not just quick reporting of incidents, but also disclosure of cyber policies and risk management, such regulation will ultimately bring more accountability for cyber security to the highest levels of corporate leadership. Other jurisdictions will very likely follow the US in requiring more stringent cyber controls and governance.

This means that boards and executives everywhere will need to increase their understanding of cyber security, not only from a tech point of view, but from a risk and business exposure point of view. The CFO, CMO and the rest of the C-suite and board will want and need to know what financial exposure the business faces from a data breach, and how likely it is that breaches will happen. This is the only way they will be able to develop cyber policies and plans and react properly to the proposed regulations.

Companies will therefore need to be able to calculate and put a dollar value on their exposure to cyber risk. This is the starting point for the ability to make cyber security decisions not in a vacuum, but as part of overall business decisions. To accurately quantify cyber security exposure, companies need to understand what the threats are and which data and business assets are at risk, and they then need to multiply the cost of a breach by the probability that such an event will take place in order to put a dollar figure on their exposure.

While there are many automated tools, including those that use artificial intelligence (AI), that can help with this, the key to doing this well is to make sure calculations are rooted in real and relevant data – which is different for each company or organisation.

https://venturebeat.com/2022/07/22/as-companies-calculate-cyber-risk-the-right-data-makes-a-big-difference/

• Only 25% Of Organisations Consider Their Biggest Threat to Be from Inside the Business

A worrying 73.5% of organisations feel they have wasted the majority of their cyber security budget on failing to remediate threats, despite having an over-abundance of security tools at their disposal, according to Gurucul.

Only 25% of organisations consider their biggest threat to be from inside the business, despite insider threats increasing by 47% over the past two years. With only a quarter of businesses seeing their biggest threat emanating from inside their organisation, it seems over 70% saw the biggest cyber security challenges emanating from external threats such as ransomware. In fact, although external threats account for many security incidents, we must never forget to look beyond those external malicious and bad actors to insider threats to effectively secure corporate data and IP.

The survey also found 33% of respondents said they are able to detect threats within hours, while 27.07% even claimed they can detect threats in real-time. However, challenges persist with 33% of respondents stating that it still takes their organisation days and weeks to detect threats, with 6% not being able to detect them at all.

https://www.helpnetsecurity.com/2022/07/28/biggest-threat-inside-the-business/

• The Global Average Cost of a Data Breach Reaches an All-Time High of $4.35 Million

IBM Security released the 2022 Cost of a Data Breach Report, revealing costlier and higher-impact data breaches than ever before, with the global average cost of a data breach reaching an all-time high of $4.35 million for studied organisations.

With breach costs increasing nearly 13% over the last two years of the report, the findings suggest these incidents may also be contributing to rising costs of goods and services. In fact, 60% of studied organisations raised their product or services prices due to the breach, when the cost of goods is already soaring worldwide amid inflation and supply chain issues.

The perpetuality of cyber attacks is also shedding light on the “haunting effect” data breaches are having on businesses, with the IBM report finding 83% of studied organisations have experienced more than one data breach in their lifetime. Another factor rising over time is the after-effects of breaches on these organisations, which linger long after they occur, as nearly 50% of breach costs are incurred more than a year after the breach.

The 2022 Cost of a Data Breach Report is based on in-depth analysis of real-world data breaches experienced by 550 organisations globally between March 2021 and March 2022. The research, which was sponsored and analysed by IBM Security, was conducted by the Ponemon Institute.

https://www.helpnetsecurity.com/2022/07/27/2022-cost-of-a-data-breach-report/

• Race Against Time: Hackers Start Hunting for Victims Just 15 Minutes After a Bug Is Disclosed

Attackers are becoming faster at exploiting previously undisclosed zero-day flaws, according to Palo Alto Networks.  This means that the amount of time that system admins have to patch systems before exploitation happens is shrinking fast..

The company warns in its 2022 report covering 600 incident response (IR) cases that attackers typically start scanning for vulnerabilities within 15 minutes of one being announced.

Among this group are 2021's most significant flaws, including the Exchange Server ProxyShell and ProxyLogon sets of flaws, the persistent Apache Log4j flaws aka Log4Shell, the SonicWall zero-day flaws, and Zoho ManageEngine ADSelfService Plus.

While phishing remains the biggest method for initial access, accounting for 37% of IR cases, software vulnerabilities accounted of 31%. Brute-force credential attacks (like password spraying) accounted for 9%, while smaller categories included previously compromised credentials (6%), insider threat (5%), social engineering (5%), and abuse of trusted relationships/tools (4%).    

Over 87% of the flaws identified as the source of initial access fell into one of six vulnerability categories.

https://www.zdnet.com/article/race-against-time-hackers-start-hunting-for-victims-just-15-minutes-after-a-bug-is-disclosed/

• Ransomware-as-a-Service Groups Forced to Change Tack as Payments Decline

Ransomware-as-a-service (RaaS) operators are evolving their tactics yet again in response to more aggressive law enforcement efforts, in a move that is reducing their profits but also making affiliates harder to track, according to Coveware.

The security vendor’s Q2 2022 ransomware report revealed that concerted efforts to crack down on groups like Conti and DarkSide have forced threat actors to adapt yet again.

It identified three characteristics of RaaS operations that used to be beneficial, but are increasingly seen as a hinderance.

The first is RaaS branding, which has helped to cement the reputation of some groups and improve the chances of victims paying, according to Coveware. However, branding also makes attribution easier and can draw the unwanted attention of law enforcement, it said.

“RaaS groups are keeping a lower profile and vetting affiliates and their victims more thoroughly,” Coveware explained.

“More RaaS groups have formed, resulting in less concentration among the top few variants. Affiliates are frequently shifting between RaaS variants on different attacks, making attribution beyond the variant more challenging.”

In some cases, affiliates are also using “unbranded” malware to make attribution more difficult, it added.

The second evolution in RaaS involves back-end infrastructure, which used to enable scale and increase profitability. However, it also means a larger attack surface and a digital footprint that’s more expensive and challenging to maintain.

As a result, RaaS developers are being forced to invest more in obfuscation and redundancy, which is hitting profits and reducing the amount of resources available for expansion, Coveware claimed.

Finally, RaaS shared services used to help affiliates with initial access, stolen data storage, negotiation management and leak site support.

https://www.infosecurity-magazine.com/news/raas-groups-forced-change-payments/

• Phishers Targeted Financial Services Most During H1 2022

Banks received the lion’s share of phishing attacks during the first half of 2022, according to figures published by cyber security company Vade.

The analysis also found that attackers were most likely to send their phishing emails on weekdays, with most arriving between Monday and Wednesday. Attacks tapered off towards the end of the week, Vade said.

While financial services scored highest on a per-sector basis, Microsoft was the most impersonated brand overall. The company’s Microsoft 365 cloud productivity services are a huge draw for cyber-criminals hoping to access accounts using phishing attacks.

Phishing attacks on Microsoft customers have become more creative, according to Vade, which identified several phone-based attacks. It highlighted a campaign impersonating Microsoft’s Defender anti-malware product, fraudulently warning that the company had debited a subscription fee. It encouraged victims to fix the problem by phone.

Facebook came a close second, followed by financial services company Crédit Agricole, WhatsApp and Orange.

https://www.infosecurity-magazine.com/news/phishers-financial-services-h1-2022/

• HR Emails Dupe Employees the Most – KnowBe4 research reveals

In phishing tests conducted on business emails, more than half of the subject lines clicked imitated Human Resources communications.

New research has revealed the top email subjects clicked on in phishing tests were those related to or from Human Resources, according to the latest ‘most clicked phishing tests‘ conducted by KnowBe4. In fact, half of those that were clicked on had subject lines related to Human Resources, including vacation policy updates, dress code changes, and upcoming performance reviews. The second most clicked category were those send from IT, which include requests or actions of password verifications that were needed immediately.

KnowBe4’s CEO commented “More than 80% of company data breaches globally come from human error, so security awareness training for your staff is one of the least costly and most effective methods to thwart social engineering attacks. Training gives employees the ability to rapidly recognise a suspicious email, even if it appears to come from an internal source, causing them to pause before clicking. That moment where they stop and question the email is a critical and often overlooked element of security culture that could significantly reduce your risk surface.”

This research comes hot off the heels of the recent KnowBe4 industry benchmarking report which found one in three untrained employees will click on a phishing link. The worst performing industries were Energy & Utilities, Insurance and Consulting, with all labelled the most at risk for social engineering in the large enterprise category.

https://www.itsecurityguru.org/2022/07/27/hr-emails-dupe-employees-the-most-knowbe4-research-reveals/

• 84% Of Organisations Experienced an Identity-Related Breach in the Past 18 Months

60% of IT security decision makers believe their overall security strategy does not keep pace with the threat landscape, and that they are either lagging behind (20%), treading water (13%), or merely running to keep up (27%), according to a survey by Sapio Research.

The report also highlights differences between the perceived and actual effectiveness of security strategies. While 40% of respondents believe they have the right strategy in place, 84% of organisations reported that they have experienced an identity-related breach or an attack using stolen credentials during the previous year and a half.

Promisingly, many organisations are hungry to make a change, particularly when it comes to protecting identities. In fact, 90% of respondents state that their organisations fully recognise the importance of identity security in enabling them to achieve their business goals, and 87% say that it is one of the most important security priorities for the next 12 months.

However, 75% of IT and security professionals also believe that they’ll fall short of protecting privileged identities because they won’t get the support they need. This is largely due to a lack of budget and executive alignment, with 63% of respondents saying that their company’s board still doesn’t fully understand identity security and the role it plays in enabling better business operations.

While the importance of identity security is acknowledged by business leaders, most security teams will not receive the backing and budget they need to put vital security controls and solutions in place to reduce major risks. This means that the majority of organisations will continue to fall short of protecting privileges, leaving them vulnerable to cyber criminals looking to discover privileged accounts and abuse them.

https://www.helpnetsecurity.com/2022/07/28/identity-related-breach/

• Economic Downturn Raises Risk of Insiders Going Rogue

Declining economic conditions could make insiders more susceptible to recruitment offers from threat actors looking for allies to assist them in carrying out various attacks.

Enterprise security teams need to be aware of the heightened risk and strengthen measures for protecting against, detecting, and responding to insider threats, researchers from Palo Alto Network's Unit 42 threat intelligence team recommended in a report this week.

The security vendor's report highlighted several other important takeaways for security operations teams, including the fact that ransomware and business email compromise attacks continue to dominate incident response cases and vulnerability exploits — accounting for nearly one-third of all breaches.

Unit 42 researchers analysed data from a sampling of over 600 incident response engagements between April 2021 and May 2022 and determined that difficult economic times could lure more actors to cyber crime. This could include both people with technical skills looking to make a fast buck, as well as financially stressed insiders with legitimate access to valuable enterprise data and IT assets. The prevalence of remote and hybrid work models has created an environment where it's easier for workers to steal intellectual property or carry out other malicious activity, the researchers found.

https://www.darkreading.com/risk/economic-downturn-raises-the-risk-of-insiders-going-rogue

• 5 Trends Making Cyber Security Threats Riskier and More Expensive

Since the pandemic the cyber world has become a far riskier place. According to the Hiscox Cyber Readiness Report 2022, almost half (48%) of organisations across the US and Europe experienced a cyber attack in the past 12 months. Even more alarming is that these attacks are happening despite businesses doubling down on their cyber security spend.

Cyber security is at a critical inflection point where five megatrends are making the threat landscape riskier, more complicated, and costlier to manage than previously reported. To better understand the evolution of this threat landscape, let’s examine these trends in more detail.

1. Everything becomes digital

2. Organisations become ecosystems

3. Physical and digital worlds collide

4. New technologies bring new risks

5. Regulations become more complex

Organisations can follow these best practices to elevate cyber security performance:

• Identify, prioritise, and implement controls around risks.

• Adopt a framework such as ISO 27001 or NIST Cyber Security Framework.

• Develop human-layered cyber security.

• Fortify your supply chain.

• Avoid using too many tools.

• Prioritise protection of critical assets.

• Automate where you can.

• Monitor security metrics regularly to help business leaders get insight into security effectiveness, regulatory compliance, and levels of security awareness in the organisation.

Cyber security will always be a work in progress. The key to effective risk management is having proactive visibility and context across the entire attack surface. This helps to understand which vulnerabilities, if exploited, can cause the greatest harm to the business. Not all risks can be mitigated; some risks will have to be accepted and trade-offs will have to be negotiated.

https://www.csoonline.com/article/3667442/5-trends-making-cybersecurity-threats-riskier-and-more-expensive.html#tk.rss_news

• Ransomware: Publicly Reported Incidents Are Only the Tip of the Iceberg

The threat landscape report on ransomware attacks published this week by the European Union Agency for Cybersecurity (ENISA) uncovers the shortcomings of the current reporting mechanisms across the EU.

As one of the most devastating types of cyber security attacks over the last decade, ransomware, has grown to impact organisations of all sizes across the globe.

This threat landscape report analysed a total of 623 ransomware incidents across the EU, the United Kingdom and the United States for a reporting period from May 2021 to June 2022. The data was gathered from governments' and security companies' reports, from the press, verified blogs and in some cases using related sources from the dark web.

Between May 2021 and June 2022 about 10 terabytes of data were stolen each month by ransomware threat actors. 58.2% of the data stolen included employees' personal data.

At least 47 unique ransomware threat actors were found.

For 94.2% of incidents, we do not know whether the company paid the ransom or not. However, when the negotiation fails, the attackers usually expose and make the data available on their webpages. This is what happens in general and is a reality for 37.88% of incidents.

We can therefore conclude that the remaining 62.12% of companies either came to an agreement with the attackers or found another solution.

The study also shows that companies of every size and from all sectors are affected.

The figures in the report can however only portray a part of the overall picture. In reality, the study reveals that the total number of ransomware attacks is much larger. At present this total is impossible to capture since too many organisations still do not make their incidents public or do not report on them to the relevant authorities.

https://www.enisa.europa.eu/news/ransomware-publicly-reported-incidents-are-only-the-tip-of-the-iceberg

Threats

Ransomware

• LockBit 3.0: Significantly Improved Ransomware Helps the Gang Stay on Top (darkreading.com)

• Ransomware looms large over the cyber insurance industry - Help Net Security

• 800,000 businesses fall victim to ransomware each year (komando.com)

• Business services top target of ransomware attacks (securitybrief.co.nz)

• How Crypto is Driving the Ransomware Epidemic | Cryptoland Roundtable - YouTube

• On security researcher's newsletter, exposing cyber criminals behind ransomware - CyberScoop

• LockBit ransomware abuses Windows Defender to load Cobalt Strike (bleepingcomputer.com)

• Mailing List Provider WordFly Scrambling to Recover Following Ransomware Attack | SecurityWeek.Com

• No More Ransom helps millions of ransomware victims in 6 years (bleepingcomputer.com)

• Lockbit ransomware gang claims to have breached the Italian Revenue Agency - Security Affairs

• Lockbit Ramps Up Attacks on Public Sector - Infosecurity Magazine (infosecurity-magazine.com)

• A ‘Top Tier’ Hacking Gang Is Likely To Be Behind Entrust Ransomware (informationsecuritybuzz.com)

• No More Ransom Helped More Than 1.5 Million People Decrypt Their Devices (darkreading.com)

• Ransomware caused American Dental Association outage, led to stolen data (scmagazine.com)

• The road to ransomware recovery starts before an attack • The Register

• LockBit Ransomware Group Augments Its Latest Variant, LockBit 3.0, With BlackMatter Capabilities (trendmicro.com)

BEC – Business Email Compromise

• Crackdown on BEC Schemes: 100 Arrested in Europe, Man Charged in US | SecurityWeek.Com

• European Police Arrest 100 Suspects in BEC Crackdown - Infosecurity Magazine (infosecurity-magazine.com)

Phishing & Email Based Attacks

• Phishing Attacks Skyrocket with Microsoft and Facebook as Most Abused Brands | Threatpost

• Three of the world's most expensive phishing attacks and how they could have been prevented (betanews.com)

• Threat Actors Respond To Microsoft Blocking Macros with New Email Tactics (informationsecuritybuzz.com)

• Phishing scam targeting Bank of America, Citi and Wells Fargo customers (komando.com)

• APT-Like Phishing Threat Mirrors Landing Pages (darkreading.com)

• New Callback Malware Campaign Impersonates Legitimate Cyber Security Providers - MSSP Alert

• Microsoft Tops Brands Phishers Prefer (darkreading.com)

• Phishing Attacks: Microsoft Leads Top 25 of Impersonated Brands - MSSP Alert

• Researchers Warns of Increase in Phishing Attacks Using Decentralized IPFS Network (thehackernews.com)

• 1,000s of Phishing Attacks Blast Off From InterPlanetary File System (darkreading.com)

• New ‘Robin Banks’ phishing service targets BofA, Citi, and Wells Fargo (bleepingcomputer.com)

Other Social Engineering; SMishing, Vishing, etc

• US govt warns Americans of escalating SMS phishing attacks (bleepingcomputer.com)

Malware

• Cisco Incident Response Report: Commodity Malware Top Threat in Q2 - MSSP Alert

• Discovery of new UEFI rootkit exposes an ugly truth: The attacks are invisible to us | Ars Technica

• As Microsoft blocks Office macros, hackers find new attack vectors (bleepingcomputer.com)

• Microsoft Links Raspberry Robin USB Worm to Russian Evil Corp Hackers (thehackernews.com)

• Microsoft links Raspberry Robin malware to Evil Corp attacks (bleepingcomputer.com)

• Malware-laced npm packages used to target Discord users - Security Affairs

• CosmicStrand UEFI malware found in Gigabyte, ASUS motherboards (bleepingcomputer.com)

• Sophisticated UEFI rootkit of Chinese origin shows up again in the wild after 3 years | CSO Online

• Attackers are slowly abandoning malicious macros - Help Net Security

• One of the most beloved Windows tools could actually be a huge security risk | TechRadar

• QBot phishing uses Windows Calculator DLL hijacking to infect devices (bleepingcomputer.com)

• Gootkit Loader’s Updated Tactics and Fileless Delivery of Cobalt Strike (trendmicro.com)

• Microsoft: Austrian company DSIRF selling Subzero malware (techtarget.com)

• Threat actors leverages DLL-SideLoading to spread Qakbot - Security Affairs

• Rare 'CosmicStrand' UEFI Rootkit Swings into Cyber crime Orbit (darkreading.com)

Mobile

• Here are the top phone security threats in 2022 and how to avoid them | ZDNet

• New Android malware apps installed 10 million times from Google Play (bleepingcomputer.com)

• Roaming Mantis Financial Hackers Targeting Android and iPhone Users in France (thehackernews.com)

• Facebook ads push Android adware with 7 million installs on Google Play (bleepingcomputer.com)

• Millions of Android devices infected with wallet-draining malware | TechRadar

• Over a Dozen Android Apps on Google Play Store Caught Dropping Banking Malware (thehackernews.com)

• These 28+ Android Apps with 10 Million Downloads from the Play Store Contain Malware (thehackernews.com)

Internet of Things – IoT

• IoT Botnets Fuels DDoS Attacks – Are You Prepared? | Threatpost

• Dahua IP Camera Vulnerability Could Let Attackers Take Full Control Over Devices (thehackernews.com)

Data Breaches/Leaks

• US court system suffered ‘incredibly significant attack’ • The Register

• Congress Warns of US Court Records System Breach - Infosecurity Magazine (infosecurity-magazine.com)

• Uber admits covering up massive 2016 data breach in settlement with US prosecutors - The Verge

• T-Mobile to pay $500M for one of the largest data breaches in US history [Updated] | Ars Technica

• Data Stolen in Breach at Security Company Entrust | SecurityWeek.Com

• Fallout from massive Shanghai Police data breach reverberates on dark web - CyberScoop

• Big Questions Remain Around Massive Shanghai Police Data Breach (darkreading.com)

Organised Crime & Criminal Actors

• Cyber-mercenaries represent shifting criminal business model • The Register

• Messaging Apps Tapped as Platform for Cyber Criminal Activity | Threatpost

• Teenager Jailed for Snapchat Blackmail Cyber Crimes- IT Security Guru

• DUCKTAIL operation targets Facebook’s Business and Ad accounts - Security Affairs

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

• Crypto fraud on the rise as consumers fall for fake celebrity endorsements | Cybernews

• Hackers Increasingly Using WebAssembly Coded Cryptominers to Evade Detection (thehackernews.com)

• NFT Hacking Group Attacks On The Rise, Report Finds- IT Security Guru

• Hackers steal $6 million from blockchain music platform Audius (bleepingcomputer.com)

 Fraud, Scams & Financial Crime

• Major shifts and the growing risk of identity fraud - Help Net Security

• Uber's former head of security faces fraud charges after allegedly covering up data breach (bitdefender.com)

• JPMorgan, UBS accused of shoddy identity theft protection • The Register

• Euro Police Bust €3m Internet Fraud Gang - Infosecurity Magazine (infosecurity-magazine.com)

• Romance scammers jailed after tricking Irish OAP out of €250k (bitdefender.com)

• Get a family safeword to make sure you don’t fall for the Mum and Dad scam | Money | The Sunday Times (thetimes.co.uk)

• What the Titanic Can Teach Us About Fraud? | SecurityWeek.Com

AML/CFT/Sanctions

• Russia declares Guernsey an 'unfriendly state' - BBC News

• Crypto exchange Kraken reportedly probed over Iran sanctions • The Register

Insurance

• Ransomware looms large over the cyber insurance industry - Help Net Security

Dark Web

• Cyber crime goods and services are cheap and plentiful - Help Net Security

• Hackers Selling Malware on Dark Web Underground Market (cybersecuritynews.com)

Supply Chain and Third Parties

• Experts warn of hacker claiming access to 50 US companies through breached MSP - The Record by Recorded Future

• Crook calls for help extorting service provider's clients • The Register

• Getting Ahead of Supply Chain Attacks (darkreading.com)

Software Supply Chain

• 8 top SBOM tools to consider | CSO Online

Denial of Service DoS/DDoS

• Akamai blocked the largest DDoS attack ever on its European customers - Security Affairs

• DDoS Attack Trends in 2022: Ultrashort, Powerful, Multivector Attacks (bleepingcomputer.com)

Cloud/SaaS

• Kansas MSP shuts down cloud services to fend off cyber attack (bleepingcomputer.com)

• Organisations are struggling with SaaS security. Why? - Help Net Security

Attack Surface Management

• 4 Steps the Financial Industry Can Take to Cope With Their Growing Attack Surface (thehackernews.com)

Identity and Access Management

• Why firms need to harness identity management before it spirals into an identity crisis - Help Net Security

• Benefits of modern PAM: Efficiency, security, compliance - Help Net Security

Encryption

• Transport Layer Security (TLS): Issues & Protocol (trendmicro.com)

• SSH2 vs. SSH1 and why SSH versions still matter (techtarget.com)

Passwords, Credential Stuffing & Brute Force Attacks

• Inadequate password and authentication requirements found in popular business web apps - Help Net Security

• Using Account Lockout policies to block Windows Brute Force Attacks (bleepingcomputer.com)

• Stop Putting Your Accounts At Risk, and Start Using a Password Manager (thehackernews.com)

Social Media

• Facebook security cracked by Malware made in Vietnam • The Register

• Cyber-Criminal Offers 5.4m Twitter Users’ Data - Infosecurity Magazine (infosecurity-magazine.com)

• Social Media Accounts Hijacked to Post Indecent Images - Infosecurity Magazine (infosecurity-magazine.com)

Training, Education and Awareness

• Poor Training and Communications Hindering Cyber security Efforts - Infosecurity Magazine (infosecurity-magazine.com)

Privacy

• US, UK law enforcement to implement data sharing law, troubling privacy advocates - CyberScoop

Law Enforcement Action and Take Downs

• UK Seizes Nearly $27m in Crypto-Assets - Infosecurity Magazine (infosecurity-magazine.com)

• European Cops Helped 1.5 Million People Decrypt Their Ransomwared Computers (vice.com)

Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine

• World entering 'dangerous new age' of threats, says UK's top national security adviser | World News | Sky News

• Cyberspies use Google Chrome extension to steal emails undetected (bleepingcomputer.com)

• Microsoft says it caught an Austrian spyware group using Windows 0-day exploits - The Verge

• Pegasus spyware: Just 'tip of the iceberg' seen so far • The Register

• Cyber attacks by Iran and Israel now target critical infrastructure. - The Washington Post

• Ukraine Cyber War Fall-out and Ransomware Trends Areas of Focus in New CyberCube Research | Business Wire

• US and Ukraine Sign Agreement to Deepen Cyber security Operational Collaboration - MSSP Alert

• CISA, Ukrainian cyber agency deepen partnership to combat Russian threat - CyberScoop

• How is Anonymous attacking Russia? The top six ways ranked (cnbc.com)

• European Lawmaker Targeted With Cytrox Predator Surveillance Spyware | SecurityWeek.Com

Nation State Actors

Nation State Actors – Russia

• Russia is quietly ramping up its Internet censorship machine | Ars Technica

• Apple network traffic takes mysterious detour through Russia • The Register

• 'Crippling' Western sanctions are hitting Russia much harder than Putin is letting on, say Yale economists (inews.co.uk)

Nation State Actors – China

• Chinese APTs: Interlinked networks and side hustles – Intrusion Truth (wordpress.com)

• OneWeb sale risks giving China a stake in ‘Five Eyes’ spying tech (telegraph.co.uk)

Nation State Actors – North Korea

• North Korean Hackers Using Malicious Browser Extension to Spy on Email Accounts (thehackernews.com)

• North Korean hackers attack EU targets with Konni RAT malware (bleepingcomputer.com)

• US puts $10 million bounty on North Korean threat groups • The Register

• Is APT28 behind the STIFF#BIZON attacks attributed to North Korea-linked APT37? Security Affairs

Nation State Actors – Iran

• Cyber attacks by Iran and Israel now target critical infrastructure. - The Washington Post

Vulnerability Management

• Hackers scan for vulnerabilities within 15 minutes of disclosure (bleepingcomputer.com)

• Attackers Have 'Favourite' Vulnerabilities to Exploit (darkreading.com)

• Taking the Risk-Based Approach to Vulnerability Patching (thehackernews.com)

• Organisations struggle to manage devices and stay ahead of vulnerabilities - Help Net Security

• 2022 Unit 42 Incident Response Report: How Attackers Exploit Zero-Days (paloaltonetworks.com)

• Security Teams Overwhelmed With Bugs, Bitten by Patch Prioritization (darkreading.com)

• Time between vuln disclosures, exploits is getting smaller • The Register

Vulnerabilities

• Critical Samba bug could let anyone become Domain Admin – patch now! – Naked Security (sophos.com)

• Multiple Windows, Adobe Zero-Days Anchor Knotweed Commercial Spyware (darkreading.com)

• How to Fix CVE-2022-30190 vulnerability using Microsoft Intune - CloudInfra

• CISA releases IOCs for attacks exploiting Log4Shell in VMware Horizon and UAG | CSO Online

• Critical FileWave MDM Flaws Open Organisation-Managed Devices to Remote Hackers (thehackernews.com)

• Hackers are abusing IIS extensions to establish covert backdoors - Security Affairs

• FileWave fixes bugs that left 1,000+ orgs open to ransomware • The Register

• Google Chrome Zero-day Vulnerability Discovered By Avast (informationsecuritybuzz.com)

• LibreOffice fixed 3 flaws, including a code execution issue - Security Affairs

• Critical security vulnerability in Grails could lead to remote code execution | The Daily Swig (portswigger.net)

• Drupal developers fixed a code execution flaw in the popular CMS - Security Affairs

• LibreOffice Releases Software Update to Patch 3 New Vulnerabilities (thehackernews.com)

• Hackers Exploit PrestaShop Zero-Day to Steal Payment Data from Online Stores (thehackernews.com)

Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

·       Automotive

·       Construction

·       Critical National Infrastructure (CNI)

·       Defence & Space

·       Education & Academia

·       Energy & Utilities

·       Estate Agencies

·       Financial Services

·       FinTech

·       Food & Agriculture

·       Gaming & Gambling

·       Government & Public Sector (including Law Enforcement)

·       Health/Medical/Pharma

·       Hotels & Hospitality

·       Insurance

·       Legal

·       Manufacturing

·       Maritime

·       Oil, Gas & Mining

·       OT, ICS, IIoT, SCADA & Cyber-Physical Systems

·       Retail & eCommerce

·       Small and Medium Sized Businesses (SMBs)

·       Startups

·       Telecoms

·       Third Sector & Charities

·       Transport & Aviation

·       Web3

Reports Published in the Last Week

• Hiscox Cyber Readiness Report 2022

• ENISA Threat Landscape for Ransomware Attacks — ENISA (europa.eu)

Other News

• A Retrospective on the 2015 Ashley Madison Breach – Krebs on Security

• The Great BizApp Hack: Cyber-Risks in Your Everyday Business Applications (darkreading.com)

• Threat Actors Pivot Around Microsoft’s Macro-Blocking in Office | Threatpost

• Strong Authentication - Robust Identity and Access Management Is a Strategic Choice - Security Affairs

• You Pay More When Companies Get Hacked | WIRED

• Microsoft again reverses course, will block macros by default (scmagazine.com)

• Is Your Home or Small Business Built on Secure Foundations? Think Again… (darkreading.com)

• Untangling KNOTWEED: European private-sector offensive actor using 0-day exploits - Microsoft Security Blog

• Infosec pros want more industry cooperation and support for open standards - Help Net Security

• We pass cyber attack costs onto customers, businesses admit • The Register

• How to Combat the Biggest Security Risks Posed by Machine Identities (thehackernews.com)

• Discord, Telegram Services Hijacked to Launch Array of Cyber Attacks (darkreading.com)

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Executive Summary

Ransomware specifically designed to target VMware systems has been found to be in use by malicious attackers. VMware systems have been a prime target for attackers, as many different services which organisations rely on run on these systems. By compromising these systems, all of the hosted services can also be impacted.

What’s the risk to me or my business?

This attack works by shutting down virtual machines running on a VMware system, and encrypting them before demanding a ransom. If the ransom is not paid within three days, then there is a further threat to release the data which the attacker has exfiltrated. This requires an attacker to be able to gain prior access to the system, and to enable ‘Shell’ access to run the malicious script.

What can I do?

Ensure that appropriate security measures are applied to these critical systems, to prevent an attacker from being able to access them. This includes up to date patching of the systems, and appropriate network segregation to prevent end user devices from being able to access the systems. Ensure that Shell access to the server is not left enabled.

The adoption of a security framework such as NIST CSF would greatly assist with applying appropriate controls to prevent this type of attack.

Technical Summary

Trend Micro has conducted the research into this specific strain of ransomware. This strain works by accessing VMware Servers using Secure Shell (SSH), and running a script which shuts down all active virtual machines in order to encrypt them, with the file extension ‘.cheers’. It is worth noting that the renaming of the files happens before the encryption starts, so it is possible that a file is renamed but is in fact not encrypted due to a permissions issue on the account logged in via SSH.

A full break down of the attack can be read here: New Linux-Based Ransomware Cheerscrypt Targets ESXi Devices (trendmicro.com)

Need help understanding your gaps, or just want some advice? Get in touch with us.

#threatadvisory #threatintelligence #cybersecurity