Threat Intelligence Blog
Contact us to discuss any insights from our Blog, and how we can support you in a tailored threat intelligence report.
Black Arrow Cyber Threat Briefing 10 June 2022
Black Arrow Cyber Threat Briefing 10 June 2022
-Business Email Compromise (BEC) Attacks Have Risen 53% Year-Over-Year
-Ransomware Attacks Setting New Records
-Hackers Are Now Hiding Inside Networks for Longer. That's Not a Good Sign
-Paying Ransomware Paints Bigger Bullseye on Target’s Back
-Organisations Fix Only 1 in 10 Vulnerabilities Monthly
-Cyber Attack Surface "Spiralling Out of Control"
-Phishing Hits All-Time High in Q1 2022
-Ransomware's ROI Retreat Will Drive More BEC Attacks
-The Real Cost of Cyber Attacks: What Organisations Should Be Prepared For
-Why Smishing and Vishing Attempts Surged In 2021?
-Know Your Enemy! Learn How Cyber Crime Adversaries Get In…
-Small Businesses Struggle with an Increase in Cyber Attacks
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
Business Email Compromise (BEC) Attacks Have Risen 53% Year-Over-Year
Armorblox released a report which highlights the use of language-based attacks that bypass existing email security controls. The report uncovers how the continued increase in remote working has made critical business workflows even more vulnerable to new forms of email-based attacks, often resulting in financial fraud or credential theft.
Language-based attacks have become the new normal for business email compromise (BEC) with 74% of these attacks using language as the main attack vector.
Security teams spend a massive amount of time configuring rules and exceptions in their email security solutions to block impersonation emails – both for executives and other employees. Despite all of that manual work and rule writing, 70% of impersonation emails evaded email security controls.
https://www.helpnetsecurity.com/2022/06/06/language-based-attacks-email-video/
Ransomware Attacks Setting New Records
Zscaler released the findings of its annual ThreatLabz Ransomware Report, which revealed an 80 percent increase in ransomware attacks year-over-year.
In 2022, the most prevalent ransomware trends include double-extortion, supply chain attacks, ransomware-as-a-service, ransomware rebranding, and geo-political incited ransomware attacks. The report details which industries are being targeted the most by cyber criminals, explains the damage caused by double-extortion and supply chain attacks, and catalogues the most active ransomware groups operating today.
Modern ransomware attacks require a single successful asset compromise to gain initial entry, move laterally, and breach the entire environment, making legacy VPN and flat networks extremely vulnerable. Attackers are finding success exploiting weaknesses across businesses’ supply chains as well as critical vulnerabilities like Log4Shell, PrintNightmare, and others. And with ransomware-as-a-service available on the darkweb, more and more criminals are turning to ransomware, realising that the odds of receiving a big payday are high.
The tactics and scope of ransomware attacks have been steadily evolving, but the end goal continues to be a disruption of the target organisation and theft of sensitive information for the purposes of ransom. The size of the ransom often depends on the number of systems infected and the value of the data stolen: the higher the stakes, the higher the payment. In 2019, many ransomware groups updated their tactics to include data exfiltration, commonly referred to as a ‘double extortion’ ransomware.
https://www.helpnetsecurity.com/2022/06/07/ransomware-attacks-increase/
Hackers Are Now Hiding Inside Networks for Longer. That's Not a Good Sign
Cyber criminals are spending more time inside networks before they're discovered, and that's allowing them to do more damage.
The amount of time cyber criminal intruders are spending inside victims' networks is increasing, providing them with the ability to carry out higher complexity campaigns and more damaging cyber attacks.
According to analysis by cyber security researchers at Sophos, who examined incidents targeting organisations around the world and across a wide range of industry sectors, the median dwell time that cyber criminals spend inside compromised networks is now 15 days, up from 11 days the previous year.
Dwell time is the amount of time hackers are inside the network before they're discovered or before they leave – and being able to spend an increased amount of time inside a compromised network undetected means they're able to more carefully conduct malicious activity, such as monitoring users, stealing data or laying the foundations for a malware or ransomware attack.
Paying Ransomware Paints Bigger Bullseye on Target’s Back
Ransomware attackers often strike targets twice, regardless of whether the ransom was paid.
Paying ransomware attackers doesn’t pay off and often paints a bigger target on a victim’s back. Eighty percent of ransomware victims that paid their attackers were hit a second time by the malware scourge.
New ransomware numbers come from a Cybereason’s April ransomware survey of 1,456 cyber security professionals. According to the gated report (registration required), victims that were successfully extorted were not only targeted a second time, but frequently data encrypted by criminals later became unusable during the decryption process because of corruption issues.
The fact that ransomware gangs strike so quickly a second and third time isn’t surprising, because they will try to profit in any possible way so why not hit the same company, demand a higher ransom, and get paid again?
https://threatpost.com/paying-ransomware-bullseye-back/179915/
Organisations Fix Only 1 in 10 Vulnerabilities Monthly
New research from SecurityScorecard features a couple of eye-popping “only” findings: Only 10 percent of vulnerabilities are remediated each month, and only 60 percent of companies have improved their security profile despite a 15-fold increase in the number of cyber incidents in the last three years.
That’s not good. The research, which sought to measure how long it took the 1.6 million organisations assessed to remediate vulnerabilities in the three-year period from 2019 to 2022, also found the following:
· 53% had at least one exposed vulnerability to the internet, while 22% of organisations amassed more than 1,000 vulnerabilities each, confirming more progress is required to protect organisations’ critical assets.
· The financial sector is among the slowest remediation rates (median to fix 50% = 426 days), while utilities ranked among the fastest (median = 270 days).
· Despite a 15-fold increase in exploitation activity for vulnerabilities with published exploit code, there was little evidence that organisations in the financial sector fixed exploited flaws faster.
· The IT sector (62.6%) and public sector (61.6%) had the highest prevalence of open vulnerabilities.
· The financial sector (48.6%) exhibited the lowest proportion of open vulnerabilities; however, there is less than a 10% difference between this and other sectors in terms of industries with the most open vulnerabilities.
· It typically takes organisations 12 months to remediate half of the vulnerabilities in their internet-facing infrastructure.
· When firms have fewer than 10 open vulnerabilities, it can take about a month to close just half of them, but when the list grows into the hundreds, it takes up to a year to reach the halfway point.
Cyber Attack Surface "Spiralling Out of Control"
Global organisations are still beset with cyber visibility and control challenges, with two-fifths (43%) admitting their digital attack surface is out of control as a result, according to new Trend Micro research.
The security vendor polled over 6200 IT and business decision-makers to compile its new study, ‘Mapping the digital attack surface: Why global organisations are struggling to manage cyber risk’.
It revealed that nearly three-quarters (73%) are concerned about the increasing size of their attack surface. Over a third (37%) said it is “constantly evolving and messy,” and just half (51%) thought they were able to fully define its extent.
These visibility challenges are greatest in cloud environments, although problems persist across the board. The report highlights complex supply chains, tool bloat and home working-driven shadow IT as additional contributory factors.
On average, respondents estimated having just 62% visibility of their attack surface.
https://www.infosecurity-magazine.com/news/cyberattack-surface-out-of-control/
Phishing Hits All-Time High in Q1 2022
The first quarter of 2022 saw phishing attacks hit a record high, topping one million for the first time, according to data from the Anti Phishing Working Group (APWG).
The industry, law enforcement and government coalition’s new Phishing Activity Trends Report also revealed that March was the worst month on record for phishing, with 384,291 attacks detected.
The financial sector was the worst hit, accounting for 24% of all detected attacks, although webmail and SaaS providers were also popular targets.
Attacks spoofing retailers dropped 17% from the previous quarter to 15% following the busy holiday shopping season, while those against social media services rose significantly, from nearly 9% percent of all attacks to 13% over the same period.
https://www.infosecurity-magazine.com/news/phishing-hits-all-time-high-q1/
Ransomware's ROI Retreat Will Drive More BEC Attacks
Law enforcement crackdowns, tighter cryptocurrency regulations, and ransomware-as-a-service (RaaS) operator shutdowns are driving down the return on investment for ransomware operations across the globe.
A presentation at the RSA Conference last week laid out analysis of the ransomware threat landscape, predicting that there will be a pivot from ransomware toward renewed interest in basic business email compromise (BEC) attacks in the next 6 to 12 months.
Ransomware attacks grab headlines and have been supercharged by a few prolific RaaS operators, but crackdowns on just one group can make an enormous dent.
Ransomware is a centralised ecosystem with small numbers of operators responsible for the majority of attacks.
The recent disappearance of Pysa, left just two groups, Conti and Lockbit, with more than 50% of the share of the total ransomware attacks in the first half of 2022. BEC groups, on the other hand, are diffuse and scattered, making them much harder to eradicate.
Although they're not as quick to make the headlines, BEC attacks have cost business more than $43 billion since 2016, according to the FBI, and make up $1 out of every $3 lost to cyber attacks, far outpacing ransomware losses.
Ransomware has had a moment over the past couple of years, in part because once threat actors were able to abandon arcane wire transfers to collect ransoms and rely on cryptocurrency, caps on transactions were lifted and it became simple to collect much larger amounts. But new crypto regulations are chilling the ability of these cyber criminals to rely on its infrastructure to do business, adding "friction" to the transactions.
BEC attacks, by comparison, rely on social engineering to corrupt a business's financial supply chain to get employees to willingly part with the cash, making them exponentially harder to track and stop.
The Real Cost of Cyber Attacks: What Organisations Should Be Prepared For
With each passing year, hackers and cyber criminals of all kinds are becoming more sophisticated, malicious, and greedy conducting brazen and often destructive cyber-attacks that can severely disrupt a company’s business operations. And this is a big problem, because, first and foremost, customers rely on a company’s ability to deliver services or products in a timely manner. Cyber attacks not only can affect customers’ data, but they can impact service delivery.
Data breaches and costs associated with them have been on the rise for the past few years, but, according to a 2021 report, the average cost per breach increased from $3.86 million in 2020 to $4.24 million in 2021. The report also identified four categories contributing most global data breach costs – Lost business cost (38%), Detection and escalation (29%), Post breach response (27%), and Notification (6%).
Ransomware attacks cost an average of $4.62 million (the cost of a ransom is not included), and destructive wiper-style attacks cost an average of $4.69 million, the report said.
For a business, a data breach is not just a loss of data, it can also have a long-lasting impact on operations and undermine customers’ trust in the company. In fact, a survey revealed that 87% of consumers are willing to take their business elsewhere if they don’t trust a company is handling their data responsibly. Therefore, the reputational damage might be detrimental to a business’ ability to attract new customers.
Why Smishing and Vishing Attempts Surged In 2021
In The Human Factor Report 2022, security vendor Proofpoint found that SMS phishing (smishing) attacks more than doubled year-on-year in 2021. The report is based on their analysis of over 2.6 billion email messages, 49 billion URLs, 1.9 billion attachments, 28 million cloud accounts and 1.7 billion mobile messages.
The study details the most common attack surfaces and methods including categories of risk, vulnerabilities, attacks, Russian Aligned APT’s, and Privilege as a vector.
Key Findings:
Managers and executives make up only 10% of users, but almost 50% of the most severe attack risk
Attackers attempt to initiate more than 100,000 telephone-oriented attacks every day.
Malicious URLS are 3-4x more common than malicious attachments.
Smishing attempts more than doubled in the US over the year, while in the UK over 50% of lures are themed around delivery notification.
More than 20 million messages attempted to deliver malware linked to eventual ransomware attack
Data loss prevention alerts have stabilised as businesses adopt permanent hybrid work models.
80% of businesses are attacked by a compromised supplier account in any given month.
35% of cloud tenants that received a suspicious login also saw suspicious post-access activity.
Know Your Enemy! Learn How Cyber Crime Adversaries Get In…
Cyber security vendor Sophos dug into the incident reports of 144 real-life cyber attacks investigated by its Rapid Response team during 2021.
What they found might not surprise you, but it’s vital information nevertheless, because it’s what really happened, not merely what might have.
Notably:
Unpatched vulnerabilities were the entry point for close to 50% of the attackers.
Attackers stuck around for more than a month on average when ransomware wasn’t their primary goal.
Attackers were known to have stolen data in about 40% of incidents. (Not all data thefts can be proved, of course, given that there isn’t a gaping hole where your copy of the data used to be, so the true number could be much higher.)
RDP was abused to circumnavigate the network by more than 80% of attackers once they’d broken in.
Intriguingly, if perhaps unsurprisingly, the smaller the organisation, the longer the crooks had generally been in the network before anyone noticed and decided it was time to kick them out.
In businesses with 250 staff and below, the crooks stuck around (in the jargon, this is known by the quaintly archaic automotive metaphor of dwell time) for more than seven weeks on average.
This compared with an average dwell time of just under three weeks for organisations with more than 3000 employees.
As you can imagine, however, ransomware criminals typically stayed hidden for much shorter periods (just under two weeks, instead of just over a month), not least because ransomware attacks are inherently self-limiting.
After all, once ransomware crooks have scrambled all your data, they’re out of hiding and straight into their in-your-face blackmail phase.
https://nakedsecurity.sophos.com/2022/06/07/know-your-enemy-learn-how-cybercrime-adversaries-get-in/
Small Businesses Struggle with an Increase in Cyber Attacks
Part of the problem: They don’t believe they are targets, so they don’t make security a priority. Cyber attacks are becoming more common for small businesses, and many aren’t prepared to deal with an attack.
As small businesses have accelerated their adoption of new technologies for remote work, communication, production and sales during the pandemic, their expanded computer networks have created new vulnerabilities to phishing and ransomware attacks. But many small businesses still don’t expect to be targeted by hackers, so preparing for a cyber attack is well down their list of priorities.
https://www.wsj.com/articles/small-business-cyberattacks-increase-11654540786
Threats
Ransomware
Ransomware attacks have increased by 80% year-over-year - Help Net Security
How the Russia-Ukraine war makes ransomware payments harder | CSO Online
How Poor Communication Opens the Door to Ransomware and Extortion (darkreading.com)
Cuba ransomware returns to extorting victims with updated encryptor (bleepingcomputer.com)
Vice Society gang adds the Italian City of Palermo to its data leak site - Security Affairs
Qbot - known channel for ransomware - delivered via phishing and Follina exploit - Help Net Security
Black Basta Ransomware Targets ESXi Servers in Active Campaign (darkreading.com)
Mandiant: Cyber extortion schemes increasing pressure to pay (techtarget.com)
Roblox Game Pass store used to sell ransomware decryptor (bleepingcomputer.com)
Costa Rican government held up by ransomware … again • The Register
BEEF ALERT: Ransomware Group Very Mad at Being Associated with Lavish Russian Hackers (vice.com)
Ransomware Pressure Forcing UK CISOs to Consider Quitting - Infosecurity Magazine
BEC – Business Email Compromise
Phishing & Email Based Attacks
Evasive phishing mixes reverse tunnels and URL shortening services (bleepingcomputer.com)
Proofpoint: We Block Up to Two Million Extortion Emails Daily - Infosecurity Magazine
Massive Facebook Messenger phishing operation generates millions (bleepingcomputer.com)
Facebook phishing campaign nets millions in IDs and cash • The Register
Other Social Engineering
Malware
Symantec sees more malware operators exploiting Follina • The Register
Potent Emotet Variant Spreads Via Stolen Email Credentials | Threatpost
Symbiote Malware Poses Stealthy, Linux-Based Threat to Financial Industry (darkreading.com)
This advanced new malware strain leaves you practically defenceless | TechRadar
MacOS malware attacks slipping through the cracks (techtarget.com)
11 infamous malware attacks: The first and the worst | CSO Online
9 types of computer virus and how they do their dirty work | CSO Online
Mobile
IoT
New Privacy Framework for IoT Devices Gives Users Control Over Data Sharing (thehackernews.com)
How to Compromise a Printer in Three Simple Steps | CrowdStrike
Data Breaches/Leaks
Organised Crime & Criminal Actors
Cryptocurrency/Cryptomining/Cryptojacking/NFTs
Researchers Detail How Cyber Criminals Targeting Cryptocurrency Users (thehackernews.com)
7 NFT Scams That Could Be Targeting Your Brand (darkreading.com)
Hackers stole +$250,000 in Ethereum from Bored Ape Yacht ClubSecurity Affairs
Fraud, Scams & Financial Crime
Pandemic-related identity fraud: How serious is it? - Help Net Security
Apple Release 2021 Fraud Prevention Analysis- IT Security Guru
AML/CFT/Sanctions
Insurance
Dark Web
Software Supply Chain
82% of CIOs believe their software supply chains are vulnerable - Help Net Security
Boards, CEOs demand software supply chain security improvements - Help Net Security
Denial of Service DoS/DDoS
Cloud/SaaS
Cloud Security Tops Ransomware As Primary RSA Conference Attendee Concern - MSSP Alert
Only 13.5% of IT pros have mastered security in the cloud native space - Help Net Security
OMIGOD: Cloud providers still using secret middleware • The Register
Attack Surface Management
Open Source
Privacy
Researchers Find Bluetooth Signals Can be Fingerprinted to Track Smartphones (thehackernews.com)
New Privacy Framework for IoT Devices Gives Users Control Over Data Sharing (thehackernews.com)
Parental Controls and Child Safety
Law Enforcement Action and Take Downs
Spyware, Espionage & Cyber Warfare, including Russian Invasion of Ukraine
“Cyber Spetsnaz” is Attacking Government Agencies - Security Affairs
Russian Ministry Website Reportedly Hacked- IT Security Guru
Ordinary Ukrainians wage war with digital tools and drones | Financial Times (ft.com)
Ukraine's secret cyber-defence: Excellent backups • The Register
Major DDoS attacks increasing after invasion of Ukraine (techtarget.com)
Nation State Actors
Nation State Actors – Russia
Russia escalates threats against West in response to cyber attacks - CyberScoop
Russia, China, oppose US cyber support of Ukraine • The Register
Nation State Actors – China
Russia, China, oppose US cyber support of Ukraine • The Register
Chinese hacking group Aoqin Dragon quietly spied orgs for a decade (bleepingcomputer.com)
People’s Republic of China State-Sponsored Cyber Actors Exploit Network Providers and Devices | CISA
US: Chinese govt hackers breached telcos to snoop on network traffic (bleepingcomputer.com)
Nation State Actors – Iran
Microsoft seized 41 domains used by Iran-linked Bohrium APT - Security Affairs
Iranian hackers target energy sector with new DNS backdoor (bleepingcomputer.com)
Nation State Actors – Misc APT
Vulnerability Management
Vulnerabilities
Windows zero-day exploited in US local govt phishing attacks (bleepingcomputer.com)
DogWalk zero-day Windows bug receives patch - but not from Microsoft (bitdefender.com)
Chrome 102 Update Patches High-Severity Vulnerabilities | SecurityWeek.Com
NSA, FBI warning: Hackers are using these flaws to target VPNs and network devices | ZDNet
Ubuntu Users Get a Massive Linux Kernel Update, 35 Security Vulnerabilities Patched - 9to5Linux
Critical U-Boot Vulnerability Allows Rooting of Embedded Systems | SecurityWeek.Com
Sector Specific
Financial Services Sector
Telecoms
US: Chinese govt hackers breached telcos to snoop on network traffic (bleepingcomputer.com)
People’s Republic of China State-Sponsored Cyber Actors Exploit Network Providers and Devices | CISA
Health/Medical/Pharma Sector
Healthcare-specific cyber security problems and how to address them - Help Net Security
Data for 2 million patients stolen in largest healthcare breach so far of 2022 (scmagazine.com)
Retail/eCommerce
Energy & Utilities
Iranian hackers target energy sector with new DNS backdoor (bleepingcomputer.com)
US Water Utilities Prime Cyber Attack Target, Experts | Threatpost
Education and Academia
Reports Published in the Last Week
Other News
This hacking group quietly spied on their targets for 10 years | ZDNet
Identity-based Attacks and Living-of-the-land Tactics Represent Top Threats - MSSP Alert
Over Half of CISOs Struggling for Board Investment - Infosecurity Magazine
Cisco EVP: Cyber security poverty line is human-rights issue • The Register
Top three most critical areas of web security - Help Net Security
How the Colonial Pipeline attack has changed cyber security | CSO Online
Five Eyes alliance’s top cop: tech is the future of Policing • The Register
An Emerging Threat: Attacking 5G Via Network Slices (darkreading.com)
How AI Is Useful — and Not Useful — for Cyber security (darkreading.com)
Only 43% of security pros can respond to critical alerts in less than an hour - Help Net Security
Now Is the Time to Plan for Post-Quantum Cryptography (darkreading.com)
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Threat Briefing 05 May 2022
Black Arrow Cyber Threat Briefing 05 May 2022
-Cyber Scams Cost Victims $6.9b-Plus Worldwide in 2021
-Bad Actors Are Maximizing Remote Everything
-New Hacker Group Pursuing Corporate Employees Focused on Mergers and Acquisitions
-FBI: Business Email Compromise: The $43 Billion Scam
-Disgruntled Employees Cashing in On Confidential Information Over Dark Web
-Google Sees More APTs Using Ukraine War-Related Themes
-Cryptocurrency Regulators Are Scrambling to Catch Up with Hackers Who Are Swiping Billions
-Tackling the Threats Posed by Shadow IT
-Hackers Used the Log4j Flaw to Gain Access Before Moving Across a Company's Network, Say Security Researchers
-This Sneaky Hacking Group Hid Inside Networks For 18 Months Without Being Detected
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
Cyber Scams Cost Victims $6.9b-Plus Worldwide in 2021
Cyber-scams cost victims around the globe at least $6.9 billion last year, according to the FBI's latest Internet Crime Report.
Since 2017, the bureau's Internet Crime Complaint Center (IC3) received an average of 552,000 complaints per year. This includes reports of extortion, identity theft, phishing, fraud, and a slew of other nefarious schemes that cost victims no less than $18.7 billion in losses over the five-year period.
Unsurprisingly, the volume of these crimes — and related costs — have grown every year; 2021 set records for the total number of complaints (847,376) as well as losses exceeding $6.9 billion, a jump from the $4.2 billion reported a year earlier.
As with earlier years, phishing attacks were by far the most commonly reported crimes, with 323,972 last year. A subset of this category, business email compromise (BEC), is proving very lucrative and cost victims almost $2.4 billion from 19,954 victims, according to the Feds.
BEC involves a cyber criminal compromising a legitimate email account, and then tricking a business or individual into transferring funds, sending employees' personal data, or unlocking cryptocurrency wallets. The fraudster then steals the cash, drains the crypto wallet and/or sells employees' identities and credentials on the dark web.
https://www.theregister.com/2022/05/05/fbi_cyber_scams/
Bad Actors Are Maximising Remote Everything
The rise of remote work and learning opened new opportunities for many people – as we’ve seen by the number of people who have moved to new places or adapted to “workcations.” Cyber criminals are taking advantage of the same opportunities – just in a different way. Evaluating the prevalence of malware variants by region reveals a sustained interest by cyber adversaries in maximising the remote work and learning attack vector.
As hybrid work and learning become embedded paradigms in our culture, there are fewer layers of protection between malware and would-be victims. And bad actors are gaining access to more tools to help them pull off their nefarious deeds – like exploit kits. At the same time, the attack surface has rapidly expanded and continues to do so.
That means enterprises must take a work-from-anywhere approach to their security. They need to deploy solutions capable of following, enabling and protecting users no matter where they are located. They need security on the endpoint (EDR) combined with zero trust network access (ZTNA) approaches.
https://threatpost.com/bad-actors-remote-everything/179458/
This Sneaky Hacking Group Hid Inside Networks For 18 Months Without Being Detected
A previously undisclosed cyber-espionage group is using clever techniques to breach corporate networks and steal information related to mergers, acquisitions and other large financial transactions – and they've been able to remain undetected by victims for periods of more than 18 months.
Detailed by cyber security researchers at Mandiant, who've named it UNC3524, the hacking operation has been active since at least December 2019 and uses a range of advanced methods to infiltrate and maintain persistence on compromised networks that set it apart from most other hacking groups. These methods include the ability to immediately re-infect environments after access is removed. It's currently unknown how initial access is achieved.
One of the reasons UNC3524 is so successful at maintaining persistence on networks for such a long time is because it installs backdoors on applications and services that don't support security tools, such as anti-virus or endpoint protection.
FBI: Business Email Compromise: The $43 Billion Scam
According to the FBI, business email compromise (BEC) and email account compromise (EAC) losses have surpassed $43 billion globally. BEC/EAC is a sophisticated scam that targets both businesses and individuals who perform legitimate transfer-of-funds requests.
The BEC/EAC scam continues to grow and evolve, targeting small local businesses to larger corporations, and personal transactions. Between July 2019 and December 2021, there was a 65% increase in identified global exposed losses, meaning the dollar loss that includes both actual and attempted loss in United States dollars.
The following information was derived from filings with financial institutions between June 2016 and December 2021:
Domestic and international incidents: 241,206
Domestic and international exposed dollar loss: $43,312,749,946
The following BEC/EAC statistics were reported in victim complaints to the IC3 between October 2013 and December 2021:
Total US victims: 116,401
Total US exposed dollar loss: $14,762,978,290
Total non-US victims: 5,260
Total non-US exposed dollar loss: $1,277,131,099
Disgruntled Employees Cashing in On Confidential Information Over Dark Web
Disgruntled employees are making hundreds of thousands of dollars by leaking confidential information over a new platform on the so-called dark web, cyber researchers have said.
Hidden in a part of the internet that is only accessible using special software, the Industrial Spy platform promises huge payouts to staff willing to hand over "dirty secrets" to competitors, according to experts at intelligence business Cyberint.
Industrial Spy currently has data on twelve companies from a range of industries available to people who sign up, Cyberint said.
The platform recently managed to sell two tranches of company data for $400,000 (£318,236) and $750,000 each.
An individual has advertised the platform to potential purchasers of the data on the dark web.
The post said: "With our information you could refuse partnership with an unscrupulous partner, reveal dirty secrets of your competitors and earn millions of dollars using insider information."
Cyber criminals have long approached employees individually and offered a bribe to release sensitive information such as internal data and passwords to access computer systems.
But this new platform allows employees to act on their own initiative to steal data and sell it online.
Google Sees More APTs Using Ukraine War-Related Themes
Researchers at Google's Threat Analysis Group (TAG) say the number of advanced threat actors using Ukraine war-related themes in cyber attacks went up in April with a surge in malware attacks targeting critical infrastructure.
According to Google, known state-backed APT groups from China, Iran, North Korea, and Russia, along with various unattributed groups have been using war-related themes in phishing and malware distribution campaigns.
Looking at the cyber attacks that target Eastern Europe, however, a new Google report notes there hasn't been a significant change from the normal levels of activity, despite the increased adoption of lures related to the Ukraine war.
https://www.securityweek.com/google-sees-more-apts-using-ukraine-war-related-themes
Cryptocurrency Regulators Are Scrambling to Catch Up with Hackers Who Are Swiping Billions
Just four months in, 2022 has been a banner year for hackers, and fraudsters targeting the industry have swindled more than $1 billion from cryptocurrency investors, according to separate estimates by cryptocurrency analysis firm Immunefi.
The rise in fraud has put US regulators on the offensive. The US Securities and Exchange Commission, which has positioned itself as the industry’s main regulator and enforcer, announced on Tuesday that it was going to double its staff working to resources to combat the rise in fraud.
“Crypto markets have exploded in recent years, with retail investors bearing the brunt of abuses in this space. Meanwhile, cyber-related threats continue to pose existential risks to our financial markets and participants,” Gurbir Grewal, director of the SEC’s Division of Enforcement said in a statement. “The bolstered Crypto Assets and Cyber Unit will be at the forefront of protecting investors and ensuring fair and orderly markets in the face of these critical challenges.”
https://www.cyberscoop.com/cryptocurrency-sec-cybersecurity-bitcoin-regulation-enforcement/
Tackling the Threats Posed by Shadow IT
While remote technologies have allowed businesses to shift their workforces online, this flexibility has created a swathe of challenges for IT teams who must provide a robust security framework for their organisation – encompassing all the personnel and devices within their remit. In addition to the ever-increasing number of personal devices, corporate devices and programs, more and more applications are moving to the cloud as workloads become increasingly distributed across public clouds and software-as-a-service (SaaS).
This means IT teams are even harder pressed to secure and manage the complex environments they operate in. The unsanctioned use of corporate IT systems, devices, and software – known as shadow IT – has increased significantly during the shift to remote work, and recent research found almost one in seven (68%) are concerned about information security because of employees following shadow IT practices.
Shadow IT can allow hackers to steal employee and customer identities, company intellectual property, and cause companies to fail compliance audits. It can also open the door to enterprises accidentally breaking laws and exposes organisations to data exfiltration, malware, and phishing.
https://www.helpnetsecurity.com/2022/05/05/shadow-it-risk/
Hackers Used the Log4j Flaw to Gain Access Before Moving Across a Company's Network, Say Security Researchers
State-backed hacking groups are some of the most advanced cyber attack operations in the world - but criminals don't need to rely on them if they can exploit unpatched cyber security flaws.
A North Korean hacking and cyber espionage operation breached the network of an engineering firm linked to military and energy organisations by exploiting a cyber security vulnerability in Log4j.
First detailed in December, the vulnerability (CVE-2021-44228) allows attackers to remotely execute code and gain access to systems that use Log4j, a widely used Java logging library.
The ubiquitous nature of Log4j meant cyber security agencies urged organisations globally to apply security updates as quickly as possible, but months on from disclosure, many are still vulnerable to the flaw.
According to cyber security researchers at Symantec, one of those companies that was still vulnerable was an undisclosed engineering firm that works in the energy and military sectors. That vulnerability resulted in the company being breached when attackers exploited the gap on a public-facing VMware View server in February this year. From there, attackers were able to move around the network and compromise at least 18 computers.
New Hacker Group Pursuing Corporate Employees Focused on Mergers and Acquisitions
[Explanatory note from Black Arrow: When a group of cyber attackers is identified by the cyber security community, it is given a code name usually composed of letters and digits. These groups are also sometimes referred to as APTs., or Advanced Persistent Threats, because the groups are highly skilled and are persistent in their attacks; they are often supported by their state government].
A newly discovered suspected espionage threat actor has been targeting employees focusing on mergers and acquisitions as well as large corporate transactions to facilitate bulk email collection from victim environments.
Mandiant is tracking the activity cluster under the uncategorised moniker UNC3524, citing a lack of evidence linking it to an existing group. However, some of the intrusions are said to mirror techniques used by different Russia-based hacking crews like APT28 and APT29.
"The high level of operational security, low malware footprint, adept evasive skills, and a large Internet of Things (IoT) device botnet set this group apart and emphasise the 'advanced' in Advanced Persistent Threat," the threat intelligence firm said in a report.
The initial access route is unknown but upon gaining a foothold, attack chains involving UNC3524 culminate in the deployment of a novel backdoor called QUIETEXIT for persistent remote access for as long as 18 months without getting detected in some cases.
https://thehackernews.com/2022/05/new-hacker-group-pursuing-corporate.html
Threats
Ransomware
US DoS Offers a Reward of Up To $15M For Info on Conti Ransomware Gang - Security Affairs
Trend Micro Discovers AvosLocker Can Disable Antivirus Software (techtarget.com)
Experts Analyse Conti and Hive Ransomware Gangs' Chats with Their Victims (thehackernews.com)
New Ransomware Strains Linked to North Korean Govt Hackers (bleepingcomputer.com)
REvil Revival: Are Ransomware Gangs Ever Really Gone? (darkreading.com)
What We've Learned in the 12 Months Since the Colonial Pipeline Attack (darkreading.com)
Phishing & Email Based Attacks
Google SMTP Relay Service Abused for Sending Phishing Emails (bleepingcomputer.com)
US DoD Scammed Out of $23M in Phishing Attack on Jet-Fuel Vendors (darkreading.com)
1000s of Phishing Emails Sent from NHS Inboxes - IT Security Guru
Malware
This New Fileless Malware Hides Shellcode in Windows Event Logs (thehackernews.com)
Raspberry Robin Spreads Via Removable USB Devices - Security Affairs
Hackers Using PrivateLoader PPI Service to Distribute New NetDooka Malware (thehackernews.com)
Mobile
IoT
Unpatched DNS Bug Affects Millions of Routers and IoT Devices (bleepingcomputer.com)
What Should I Know About Defending IoT Attack Surfaces? (darkreading.com)
Organised Crime & Criminal Actors
Cryptocurrency/Cryptomining/Cryptojacking/NFTs
Crypto Hackers Stole More Than $370 Million In April Alone (vice.com)
Ferrari Subdomain Hijacked to Push Fake Ferrari NFT Collection (bleepingcomputer.com)
Supply Chain
Open Source
Open-Source Security: It's Too Easy to Upload 'Devastating' Malicious Packages, Warns Google | ZDNet
How Linux Became the New Bullseye for Bad Guys | SecurityWeek.Com
Passwords & Credential Stuffing
Good End User Passwords Begin with A Well-Enforced Password Policy - Help Net Security
55% of People Rely on Their Memory To Manage Passwords - Help Net Security
A Third of Americans Use Easy-to-Guess Pet Passwords (darkreading.com)
Spyware, Espionage & Cyber Warfare, including Russian Invasion of Ukraine
Mandiant CEO: False-flag Ops a Red Line For Nation-States • The Register
Anonymous and Ukraine IT Army Continue to Target Russian Entities - Security Affairs
Pro-Ukraine Hackers Use Docker Images to DDoS Russian Sites (bleepingcomputer.com)
Russia Hammered by Pro-Ukrainian Hackers Following Invasion | Ars Technica
Nation State Actors
Nation State Actors – Russia
Russia-Linked APT29 Targets Diplomatic and Government Organisations - Security Affairs
Russian Ransomware Group Claims Attack on Bulgarian Refugee Agency - CyberScoop
Russia Cyber Attacks Raise Questions About Hacking Red Lines - Bloomberg
Putin Threatens Supply Chains with Counter-Sanction Order • The Register
Russian Hackers Targeting Diplomatic Entities in Europe, Americas, and Asia (thehackernews.com)
China-linked APT Curious Gorge Targeted Russian Govt Agencies - Security Affairs
Russia-Ukraine War Prompts Security Best Practices Refresher (techtarget.com)
Nation State Actors – China
China-Linked Winnti APT Group Silently Stole Trade Secrets for Years: Report | SecurityWeek.Com
State-Backed Chinese Hackers Target Russia - Infosecurity Magazine (infosecurity-magazine.com)
Chinese "Override Panda" Hackers Resurface With New Espionage Attacks (thehackernews.com)
Experts Uncover New Espionage Attacks by Chinese 'Mustang Panda' Hackers (thehackernews.com)
China Not Happy With South Korea Joining NATO Cyber Defense Center | SecurityWeek.Com
Nation State Actors – North Korea
Security Researchers: Here's How the Lazarus Hackers Start Their Attacks | ZDNet
VHD Ransomware Variant Linked to North Korean Cyber Army (darkreading.com)
Nation State Actors – Misc
Vulnerabilities
CISA Adds Five Known Exploited Vulnerabilities to Catalogue | CISA
Aruba and Avaya Network Switches Are Vulnerable to RCE Attacks (bleepingcomputer.com)
Cisco Issues Patches for 3 New Flaws Affecting Enterprise NFVIS Software (thehackernews.com)
F5 Warns of a New Critical BIG-IP Remote Code Execution Vulnerability (thehackernews.com)
May 2022 Patch Tuesday Forecast: Look Beyond Just Application and OS Updates - Help Net Security
Critical Cisco VM-Escape Bug Threatens Host Takeover (darkreading.com)
Researchers Disclose Years-Old Vulnerabilities in Avast and AVG Antivirus (thehackernews.com)
QNAP Releases Firmware Patches for 9 New Flaws Affecting NAS Devices (thehackernews.com)
Critical RCE Bug Reported in dotCMS Content Management Software (thehackernews.com)
Sector Specific
Financial Services Sector
Telecoms
Health/Medical/Pharma Sector
Education and Academia
Other News
Car Rental Company Sixt Hit by a Cyber Attack that Caused Disruptions - Security Affairs
White House Says To Prepare For Cryptography-Cracking Quantum Computers - Information Security Buzz
CMS-Based Sites Under Attack: The Latest Threats and Trends - Help Net Security
Mozilla Finds Mental Health Apps Fail 'Spectacularly' at User Security, Data Policies | ZDNet
UK to Place Security Requirements on App Developers and Store Operators - Infosecurity Magazine
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Threat Briefing 15 April 2022
Black Arrow Cyber Threat Briefing 15 April 2022:
-Cyber Security Is Getting Harder: More Threats, More Complexity, Fewer People
-Terrible Cloud Security Is Leaving the Door Open for Hackers. Here's What You're Doing Wrong
-More Organisations Are Paying the Ransom. Why?
-Cyber Attack Puts City Firms on High Alert To Bolster Defences
-More Than 60% of Organisations Suffered a Breach in the Past 12 Months
-Account Takeover Poised to Surpass Malware as The No. 1 Security Concern
-Security Research Reveals 42% Rise In New Ransomware Programs In 2021
-Fraudsters Stole £58m with Remote Access Trojans (RATs) in 2021
-As State-Backed Cyber Threats Grow, Here's How the World Is Reacting
-Q1 Reported Data Compromises Up 14% Over 2021
-Europol Announces Operation to Hit Russian Sanctions-Evaders
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
Cyber Security Is Getting Harder: More Threats, More Complexity, Fewer People
Splunk and Enterprise Strategy Group released a global research report that examines the security issues facing the modern enterprise. More than 1,200 security leaders participated in the survey, revealing they’ve seen an increase in cyber attacks while their teams are facing widening talent gaps.
According to the report, 65% of respondents say they have seen an increase in attempted cyber attacks. In addition, many have been directly impacted by data breaches and costly ransomware attacks, which have left security teams exhausted:
· 49% of organisations say they have suffered a data breach over the past two years, an increase from 39% a year earlier.
· 79% of respondents say they’ve encountered ransomware attacks, and 35% admit that one or more of those attacks led them to lose access to data and systems.
· 59% of security teams say they had to devote significant time and resources to remediation, an increase from 42% a year ago.
· 54% of respondents report that their business-critical applications have suffered from unplanned outages related to cyber security incidents on at least a monthly basis, with a median of 12 outages per year. The median time to recover from unplanned downtime tied to cyber security incidents is 14 hours. Respondents estimated the cost of this downtime averaged about $200,000 per hour.
· 64% of security professionals have stated that it’s challenging to keep up with new security requirements, up from 49% a year ago.
https://www.helpnetsecurity.com/2022/04/13/modern-enterprise-security-issues/
Terrible Cloud Security Is Leaving the Door Open for Hackers. Here's What You're Doing Wrong
A rise in hybrid work and a shift to cloud platforms has changed how businesses operate - but it's also leaving them vulnerable to cyber attacks.
Cloud applications and services are a prime target for hackers because poor cyber security management and misconfigured services are leaving them exposed to the internet and vulnerable to simple cyber attacks.
Analysis of identity and access management (IAM) polices taking into account hundreds of thousands of users in 18,000 cloud environments across 200 organisations by cyber security researchers at Palo Alto Networks found that cloud accounts and services are leaving open doors for cyber criminals to exploit – and putting businesses and users at risk.
The global pandemic pushed organisations and employees towards new ways of remote and hybrid working, with the aid of cloud services and applications. While beneficial to businesses and employees, it also created additional cyber security risks – and malicious hackers know this.
More Organisations Are Paying the Ransom. Why?
Most organisations (71%) have been hit by ransomware in 2021, and most of those (63%) opted for paying the requested ransom, the 2022 Cyberthreat Defense Report (CDR) by the CyberEdge Group has shown.
The research company says that possible explanations for the steady yearly rise of the percentage of organisations that decided to pay the ransom may include: the threat of exposing exfiltrated data, increased confidence for data recovery, and the fact that many organisations find that paying a ransom is significantly less costly than system downtime, customer disruption, and potential lawsuits.
“72% of ransom-paying victims recovered their data [in 2021], up from 49% in 2017. This increased confidence for successful data recovery is often factored into the ransom-paying decision,” the company noted.
Similarly, BakerHostatler’s 2022 Data Security Incident Response Report says that in ransomware incidents the US-based law firm was called in to manage in 2021, ransomware groups provided decryptors and stuck to their promise to not publish stolen data 97% of the time.
https://www.helpnetsecurity.com/2022/04/11/organizations-paying-ransom/
Cyber Attack Puts City Firms on High Alert to Bolster Defences
Experts warn a combination of 'ignorance and arrogance' makes City executives vulnerable to attacks.
City firms on high alert for cyber attacks were sent a clear warning recently, bolstering concerns of the potential for breaches from Russia.
Ince Group, the London-listed law firm, last month fell prey to hackers who infiltrated its computer systems and stole confidential data. The company's security systems detected the intrusion on March 13, prompting the IT team to shut down servers to try and prevent widespread damage.
But soon after, the hackers demanded a ransom for stolen data and threatened to publish it on the dark web if Ince Group, which has clients in the shipping, energy and healthcare sectors, didn't pay up.
The incident has intensified worries of possible breaches after warnings that City firms could be targeted by Russian hackers following Putin’s invasion of Ukraine.
Julia O'Toole, chief executive of MyCena Security Solutions, says executives should be "very concerned" about any news of a cyber attack at a rival company.
More Than 60% of Organisations Suffered a Breach in the Past 12 Months
Firms focus too narrowly on external attackers when it's insiders, third parties, and stolen assets that cause many breaches, new study shows.
The majority of companies — 63% — have suffered at least one breach in the past 12 months. The global average breach cost $2.4 million — a price tag that increases to $3.0 million for companies unprepared to respond to compromises.
The new data from Forrester Research, released on April 8 in a report titled "The 2021 State Of Enterprise Breaches," found that the number of breaches and the cost of breaches varied widely depending on the geographic location of the business and to what degree the organisation is prepared to respond to breaches. Companies in North America had the largest disparity between the haves and have-nots: While the average organisation required 38 days to find, eradicate, and recover from a breach, companies that failed to adequately prepare for security challenges took 62 days.
The difference in response resulted in a large difference in cost as well, with the average North American company paying $3.0 million to recover from a breach, a bill that rises to $4.0 million if the company suffered from a lack of incident-response preparation.
"The misalignment between the expectation and the reality of breaches has become very important," says Allie Mellen, an analyst with Forrester's Security and Risk group. "On a global scale, there is a big disparity of about $600,000 between those who are prepared to respond to a breach and those who are not."
Account Takeover Poised to Surpass Malware as The No. 1 Security Concern
As most researchers and financial executives can attest, virtually all types of fraud have dramatically risen over the past two years. However, attackers taking over legitimate financial accounts have become even more of a favourite with cyber criminals than most fraud schemes.
Many major recent research reports have pointed out that account takeover (ATO), a form of identity theft where bad actors access legitimate bank accounts, change the account information and passwords, and hijack a real customer’s account, has skyrocketed since last year. According to Javelin Research’s annual "Identity Fraud Study: The Virtual Battleground" report, account takeover increased by 90% to an estimated $11.4 billion in 2021 when compared with 2020 — representing roughly one-quarter of all identity fraud losses last year.
Like many types of financial fraud, cyber thieves are betting on the fact that if they attempt to seize a large number of legitimate accounts, eventually they will get a payoff.
Account takeovers are a numbers game, the more accounts that an organisation has, the bigger their risk that some of them will be compromised.
Account takeovers often piggyback off of previous attacks, making these crimes a way for hackers to make the most out of stolen information. Diskin pointed out that account takeovers most commonly happen when a password is “taken from another data leak and reused for different accounts. But there are a variety of risky scenarios that can lead to compromise.”
Security Research Reveals 42% Rise in New Ransomware Programs In 2021
Critical infrastructure in the crosshairs: operational technology vulnerabilities jump 88% .
Threat intelligence analysts at Skybox Research Lab uncovered a 42% increase in new ransomware programs targeting known vulnerabilities in 2021. The Silicon Valley cyber security company released its annual 2022 Vulnerability and Threat Trends Report, revealing how quickly cyber criminals capitalise on new security weaknesses – shrinking the window that organisations have to remediate vulnerabilities ahead of an attack.
With 20,175 new vulnerabilities published in 2021, Skybox Research Lab witnessed the most vulnerabilities ever reported in a single year. And these new vulnerabilities are just the tip of the iceberg. The total number of vulnerabilities published over the last 10 years reached 166,938 in 2021 — a three-fold increase over a decade. These cumulative vulnerabilities, piling up year after year, represent an enormous aggregate risk, and they’ve left organisations struggling with a mountain of cyber security debt. As the US Cybersecurity and Infrastructure Security Agency (CISA) highlights in its Top Routinely Exploited Vulnerabilities list, threat actors are routinely exploiting publicly disclosed vulnerabilities from years past.
The sheer volume of accumulated risks — hundreds of thousands or even millions of vulnerability instances within organisations — means they can’t possibly patch all of them. To prevent cyber security incidents, it is critical to prioritise exposed vulnerabilities that could cause the most significant disruption, then, apply appropriate remediation options including configuration changes or network segmentation to eliminate risk, even before patches are applied or in cases where patches aren’t available.
Fraudsters Stole £58m with Remote Access Trojans (RATs) in 2021
2021 saw victims of Remote Access Tool (RAT) scams lose £58m in 2021, official UK police figures show.
RAT scams involve scammers taking control of a victim’s device, typically in order to access bank accounts.
Some 20,144 victims fell for this type of scam in 2021, averaging around £2800 stolen per incident.
Typically, RAT attacks begin with a victim being inundated with pop-ups claiming there is a problem with the computer. Users are often then asked to call a “hotline” number, when a scammer will persuade them to download a RAT.
RAT scams are often compared to the classic “tech support” scams. Modern RAT scams are typically more devious, however, with scammers often cold-calling their victims pretending to work for their bank and claiming that they need computer access to investigate a fraudulent transaction.
https://www.itsecurityguru.org/2022/04/11/fraudsters-stole-58m-with-rats-in-2021/
As State-Backed Cyber Threats Grow, Here's How the World Is Reacting
With the ongoing conflict in Eurasia, cyber warfare is inevitably making its presence felt. The fight is not only being fought on the fields. There is also a big battle happening in cyberspace. Several cyber-attacks have been reported over the past months.
Notably, cyber attacks backed by state actors are becoming prominent. There have been reports of a rise of ransomware and other malware attacks such as Cyclops Blink, HermeticWiper, and BlackCat. These target businesses as well as government institutions and nonprofit organisations. There have been cases of several attempts to shut down online communications and IT infrastructure.
The ongoing list of significant cyber incidents curated by the Center for Strategic and International Studies (CSIS) shows that the number of major incidents in January 2022 is 100% higher compared to the same period in the previous year. With the recent activities in cyberspace impacted by the emergence of the geopolitical tumult in February, it is not going to be surprising to see an even more dramatic rise in the number of significant incidents.
https://thehackernews.com/2022/04/as-state-backed-cyber-threats-grow.html
Q1 Reported Data Compromises Up 14% Over 2021
The Identity Theft Resource Center published a First Quarter 2022 Data Breach Analysis which found that Q1 of 2022 began with the highest number of publicly reported data compromises in the past three years.
Publicly reported data compromises totalled 404 through March 31, 2022, a 14 percent increase compared to Q1 2021.
This is the third consecutive year when the number of total data compromises increased compared to Q1 of the previous year. It also represents the highest number of Q1 data compromises since 2020.
https://informationsecuritybuzz.com/expert-comments/q1-reported-data-compromises-up-14-over-2021/
Europol Announces Operation to Hit Russian Sanctions-Evaders
European police have announced a major new operation designed to crack down on Russian oligarchs and businesses looking to circumvent sanctions.
Operation Oscar will run for at least a year as an umbrella initiative that will feature many separate investigations, Europol explained.
The policing organisation’s European Financial and Economic Crime Centre will work to exchange information and intelligence with partners and provide operational support in financial crime investigations.
A key focus appears to be on illicit flows of money, which Russian individuals and entities will be trying to move around the region in order to bypass sanctions imposed since President Putin’s invasion of Ukraine.
“Europol will centralise and analyse all information contributed under this operation to identify international links, criminal groups and suspects, as well as new criminal trends and patterns,” Europol said.
“Europol will further provide tailor-made analytical support to investigations, as well as operational coordination, forensics and technical expertise, and financial support to the relevant national authorities.”
https://www.infosecurity-magazine.com/news/europol-hit-russian/
Threats
Ransomware
Ransomware: These Two Gangs Are Behind Half of All Attacks | ZDNet
Don't Let Ransomware Gangs Spend Months in Your Network • The Register
Karakurt Data Thieves Linked to Larger Conti Hacking Group | CSO Online
Conti Ransomware Gang Claims Responsibility for The Nordex Hack - Security Affairs
OldGremlin Ransomware Gang Targets Russia with New Malware (bleepingcomputer.com)
Conti Ransomware Offshoot Targets Russian Organisations | Malwarebytes Labs
Other Social Engineering
FBI: Payment App Users Targeted in Social Engineering Attacks (bleepingcomputer.com)
These Hackers Pretend to Poach, Recruit Rival Bank Staff In New Cyber Attacks | ZDNet
Malware
Microsoft Sounds The Alarm Over New Cunning Windows Malware | TechRadar
Spring4Shell Under Active Exploit by Mirai Botnet Herders • The Register
Haskers Gang Gives Away ZingoStealer Malware to Other Cyber Criminals for Free (thehackernews.com)
Hackers Hijack Adult Websites to Infect Victims With Malware | TechRadar
Qbot Malware Switches To New Windows Installer Infection Vector (bleepingcomputer.com)
Windows 11 tool to Add Google Play Secretly Installed Malware (bleepingcomputer.com)
Over 16,500 Sites Hacked to Distribute Malware via Web Redirect Service (thehackernews.com)
Enemybot: a New Mirai, Gafgyt Hybrid Botnet Joins The Scene | ZDNet
Mobile
Android Banking Malware Intercepts Calls to Customer Support (bleepingcomputer.com)
How to Stop Octo Malware From Remotely Accessing Your Android (lifehacker.com)
IoT
New EnemyBot DDoS Botnet Recruits Routers and IoTs Into Its Army (bleepingcomputer.com)
3 Reasons Connected Devices are More Vulnerable than Ever (bleepingcomputer.com)
Data Breaches/Leaks
Organised Crime & Criminal Actors
New Industrial Spy Stolen Data Market Promoted Through Cracks, Adware (bleepingcomputer.com)
Google Files Suit Against Cameroonian Cyber Criminal Who Used Puppies as Lures - CyberScoop
Cryptocurrency/Cryptomining/Cryptojacking
10 NFT and Cryptocurrency Security Risks That CISOs Must Navigate | CSO Online
A Practical Reason Why Crypto Might Not Work for Large-Scale Sanctions Evasion - CyberScoop
Insider Risk and Insider Threats
Fraud, Scams & Financial Crime
Denial of Service DoS/DDoS
New Fodcha DDoS Botnet Targets Over 100 Victims Every Day (bleepingcomputer.com)
New EnemyBot DDoS Botnet Borrows Exploit Code from Mirai and Gafgyt (thehackernews.com)
Cloud
99% Of Cloud Identities Are Overly Permissive, Opening Door to Attackers | CSO Online
Top Attack Techniques for Breaching Enterprise And Cloud Environments - Help Net Security
Finding Attack Paths in Cloud Environments (thehackernews.com)
The Two Words You Should Never Forget When You’re Securing a Cloud - Help Net Security
Privacy
Spyware, Espionage & Cyber Warfare, including Russian Invasion of Ukraine
Preparing for Armageddon: How Ukraine Battles Russian hackers | Ars Technica
Hackers Target Ukrainian Govt with IcedID Malware, Zimbra Exploits (bleepingcomputer.com)
Russia’s Sandworm Hackers Attempted a Third Blackout In Ukraine | Ars Technica
The Unceasing Action of Anonymous Against Russia - Security Affairs
European Officials Reportedly Targeted by NSO Spyware • The Register
Nation State Actors
Nation State Actors – Russia
Nation State Actors – China
Nation State Actors – North Korea
US Gov Believes Lazarus APT is Behind Ronin Validator Cyber Heist - Security Affairs
Feds Offer $5m Reward for Info on North Korean Cyber Crooks • The Register
FBI Links Largest Crypto Hack Ever to North Korean Hackers (bleepingcomputer.com)
Symantec: North Korea's Lazarus Targets Chemical Companies • The Register
Vulnerabilities
Microsoft Issues Patches for 2 Windows Zero-Days and 126 Other Vulnerabilities (thehackernews.com)
Google Issues Third Emergency Fix For Chrome This Year • The Register
Critical HP Teradici PCoIP Flaws Impact 15 Million Endpoints (bleepingcomputer.com)
Critical Windows RPC Vulnerability Raises Alarm (techtarget.com)
VMware Workspace One Flaw Actively Exploited in The Wild (techtarget.com)
Adobe Patches Gaping Security Holes in Acrobat, Reader, Photoshop | SecurityWeek.Com
Cisco Vulnerability Lets Hackers Craft Their Own Login Credentials (bleepingcomputer.com)
Several Vulnerabilities Allow Disabling of Palo Alto Networks Products | SecurityWeek.Com
Cisco Patches Critical Vulnerability in Wireless LAN Controller | SecurityWeek.Com
Critical Flaw in Elementor WordPress Plugin May Affect 500k Sites (bleepingcomputer.com)
Critical Apache Struts RCE Vulnerability Wasn't Fully Fixed, Patch Now (bleepingcomputer.com)
Attackers Are Exploiting VMware RCE to Deliver Malware (CVE-2022-22954) - Help Net Security
These D-Link Routers Are Vulnerable To Remote Hacks And Should Be Retired Immediately | HotHardware
Upgrades for Spring Framework Have Stalled (darkreading.com)
Sector Specific
CNI, OT, ICS, IIoT and SCADA
CISA Alert on ICS, SCADA Devices Highlights Growing Enterprise IoT Security Risks (darkreading.com)
Pipedream Malware: Feds Uncover 'Swiss Army Knife' for Industrial System Hacking | WIRED
New Malware Tools Pose 'Clear and Present Threat' to ICS Environments (darkreading.com)
US Warns of APT Hackers Targeting ICS/SCADA Systems with Specialized Malware (thehackernews.com)
Flaws in ABB Network Interface Modules Expose Industrial Systems to DoS Attacks | SecurityWeek.Com
Energy & Utilities
Reports Published in the Last Week
Other News
Singapore To License Infosec Service Providers • The Register
What Is the Cyber Kill Chain? A Model for Tracing Cyber Attacks | CSO Online
Cyber Defense: Prioritized By Real-World Threat Data - Help Net Security
The Cyber Criminal Isn’t Necessarily Who You Think… | Mind Matters
How Cryptocurrency Gave Birth to the Ransomware Epidemic (vice.com)
Dark Data Is a Pain Point For Many Security Leaders - Help Net Security
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Threat Briefing 08 April 2022
Black Arrow Cyber Threat Briefing 08 April 2022
-Nearly Two-Thirds of Ransomware Victims Paid Ransoms Last Year, Finds "2022 Cyberthreat Defense Report"
-New Android Banking Malware Remotely Takes Control of Your Device
-Network Intrusion Detections Skyrocketing
-Organisations Underestimating the Seriousness Of Insider Threats
-Watch Out For Phishing Emails From Genuine Mailing Lists, Following Mailchimp Hack
-SpringShell Attacks Target About One in Six Vulnerable Orgs
-New Threat Group Underscores Mounting Concerns Over Russian Cyber Threats
-Consumer Fraud Tripled in The Last Two Years
-Borat RAT: Multiple Threat of Ransomware, DDoS and Spyware
-Bank Had No Firewall License, Intrusion or Phishing Protection – Guess The Rest
-Global APT Groups Use Ukraine War for Phishing Lures
-Paying Ransom Doesn’t Guarantee Data Recovery
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
Nearly Two-Thirds of Ransomware Victims Paid Ransoms Last Year, Finds "2022 Cyberthreat Defense Report"
CyberEdge Group, a leading research and marketing firm serving the cyber security industry’s top vendors, announced the launch of its ninth annual Cyberthreat Defense Report (CDR). The award-winning CDR is the standard for assessing organisations’ security posture, gauging perceptions of information technology (IT) security professionals, and ascertaining current and planned investments in IT security infrastructure – across all industries and geographic regions.
A record 71% of organisations were impacted by successful ransomware attacks last year, according to the 2022 CDR, up from 55% in 2017. Of those that were victimised, nearly two-thirds (63%) paid the requested ransom, up from 39% in 2017.
New Android Banking Malware Remotely Takes Control of Your Device
A new Android banking malware named Octo has appeared in the wild, featuring remote access capabilities that allow malicious operators to perform on-device fraud.
Octo is an evolved Android malware based on ExoCompact, a malware variant based on the Exo trojan that quit the cyber crime space and had its source code leaked in 2018.
The new variant has been discovered by researchers at ThreatFabric, who observed several users looking to purchase it on darknet forums.
Network Intrusion Detections Skyrocketing
A WatchGuard report shows a record number of evasive network malware detections with advanced threats increasing by 33%, indicating a higher level of zero day threats than ever before.
Researchers detected malware threats in EMEA at a much higher rate than other regions of the world in Q4 2021, with malware detections per Firebox at 49%, compared to Americas at 23% and APAC at 29%. The trajectory of network intrusion detections also continued its upward climb with the largest total detections of any quarter in the last three years and a 39% increase quarter over quarter.
Researchers suggest that this may be due to the continued targeting of old vulnerabilities as well as the growth in organisations’ networks. As new devices come online and old vulnerabilities remain unpatched, network security is becoming more complex.
https://www.helpnetsecurity.com/2022/04/08/network-malware-detections/
Organisations Underestimating the Seriousness of Insider Threats
Imperva releases data that shows organisations are failing to address the issue of insider threats during a time when the risk is at its greatest.
New research, conducted by Forrester, found that 59% of incidents in EMEA organisations that negatively impacted sensitive data in the last 12 months were caused by insider threats, and yet 59% do not prioritise insider threats the way they prioritise external threats. Despite the fact that insider events occur more often than external ones, they receive lower levels of investment.
This approach is at odds with today’s threat landscape where the risk of malicious insiders has never been higher. The rapid shift to remote working means many employees are now outside the typical security controls that organisations employ, making it harder to detect and prevent insider threats.
Further, the Great Resignation is creating an environment where there is a higher risk of employees stealing data. This data could be stolen intentionally by people looking to help themselves in future employment, because they are disgruntled and want revenge, or it could be taken unintentionally when a careless employee leaves the business with important information.
https://www.helpnetsecurity.com/2022/04/08/organizations-insider-threats-issue/
Watch Out for Phishing Emails from Genuine Mailing Lists, Following Mailchimp Hack
A Mailchimp hack means that you’ll want to be even more vigilant than usual about phishing emails. Attackers have taken a clever approach to making their emails appear genuine …
When you subscribe to an email list, there’s a decent chance that the emails you received are actually sent by a company called Mailchimp, rather than directly by the company itself. Mailchimp offers companies a range of tools that make it easy to manage email databases, and send marketing emails and newsletters.
Hackers managed to gain access to more than 100 Mailchimp customer accounts, giving them the ability to send emails that would appear to have come from any one of those businesses.
Users will need to be more vigilant when receiving emails and avoid clicking on links in emails, even if they appear genuine.
https://9to5mac.com/2022/04/05/mailchimp-hack-phishing-alert/
SpringShell Attacks Target About One in Six Vulnerable Orgs
Roughly one out of six organisations worldwide that are impacted by the Spring4Shell zero-day vulnerability have already been targeted by threat actors, according to statistics from one cyber security company.
The exploitation attempts took place in the first four days since the disclosure of the severe remote code execution (RCE) flaw, tracked as CVE-2022-22965, and the associated exploit code.
According to Check Point, who compiled the report based on their telemetry data, 37,000 Spring4Shell attacks were detected over the past weekend alone.
New Threat Group Underscores Mounting Concerns Over Russian Cyber Threats
Crowdstrike says Ember Bear is likely responsible for the wiper attack against Ukrainian networks and that future Russian cyber attacks might target the West.
As fears mount over the prospects of a “cyberwar” initiated by the Russian government, the number of identified Russian threat actors also continues to climb. Last week CrowdStrike publicly revealed a Russia-nexus state-sponsored actor that it tracks as Ember Bear.
CrowdStrike says that Ember Bear (also known as UAC-0056, Lorec53, Lorec Bear, Bleeding Bear, Saint Bear) is likely an intelligence-gathering adversary group that has operated against government and military organisations in eastern Europe since early 2021. The group seems “motivated to weaponize the access and data obtained during their intrusions to support information operations (IO) aimed at creating public mistrust in targeted institutions and degrading government ability to counter Russian cyber operations,” according to CrowdStrike intelligence.
Despite its state-sponsored Russia nexus, Ember Bear differs from its better-known kin such as Fancy Bear or Voodoo Bear because CrowdStrike can’t tie it to a specific Russian organisation. Its target profile, assessed intent, and technical tactics, techniques, and procedures (TTPs) are consistent with other Russian GRU cyber operations.
Consumer Fraud Tripled in The Last Two Years
Reported cases of consumer fraud more than tripled in the years 2020-2021 from prior years, finds a new report by Accenture, presenting a growing challenge for public safety agencies to find new strategies to counter the trend.
The report compiled data from eight developed nations (Australia, Canada, France, Germany, Italy, Singapore, the United Kingdom, and the United States) on consumer fraud, defined as any fraud directly targeting citizens and excluding fraud targeting government agencies and companies. Reports of such fraud increased at an estimated 6.8% rate annually during 2013-2019 and then increased to a 22.5% annual growth rate yearly during 2020-2021 in parallel with the large shift of workers and consumers to digital channels and greater use of technology during the pandemic.
https://www.helpnetsecurity.com/2022/04/08/consumer-fraud-tripled/
Borat RAT: Multiple Threat of Ransomware, DDoS and Spyware
A new remote access trojan (RAT) dubbed "Borat" doesn't come with many laughs but offers bad actors a menu of cyberthreats to choose from.
RATs are typically used by cyber criminals to get full control of a victim's system, enabling them to access files and network resources and manipulate the mouse and keyboard. Borat does all this and also delivers features to enable hackers to run ransomware, distributed denial of service attacks (DDoS) and other online assaults and to install spyware, according to researchers at cyber security biz Cyble.
"The Borat RAT provides a dashboard to Threat Actors (TAs) to perform RAT activities and also has an option to compile the malware binary for performing DDoS and ransomware attacks on the victim's machine," the researchers wrote in a blog post, noting the malware is being made available for sale to hackers.
Borat – named after the character made famous by actor Sacha Baron Cohen in two comedy films – comes with the standard requisite of RAT features in a package that includes such functions as builder binary, server certificate and supporting modules.
https://www.theregister.com/2022/04/04/borat-rat-ransomware-ddos/
Bank Had No Firewall License, Intrusion or Phishing Protection – Guess the Rest
An Indian bank that did not have a valid firewall license, had not employed phishing protection, lacked an intrusion detection system and eschewed use of any intrusion prevention system has, shockingly, been compromised by criminals who made off with millions of rupees.
The unfortunate institution is called the Andra Pradesh Mahesh Co-Operative Urban Bank. Its 45 branches and just under $400 million of deposits make it one of India's smaller banks.
It certainly thinks small about security – at least according to Hyderabad City Police, which last week detailed an attack on the Bank that started with over 200 phishing emails being sent across three days in November 2021. At least one of those mails succeeded in fooling staff, resulting in the installation of a Remote Access Trojan (RAT).
Another technology the bank had chosen not to adopt was virtual LANs, so once the RAT went to work the attackers gained entry to the Bank's systems and were able to roam widely – even in its core banking application
https://www.theregister.com/2022/04/05/mahesh_bank_no_firewall_attack/
Global APT Groups Use Ukraine War for Phishing Lures
Security researchers have detected multiple APT campaigns leveraging Ukraine war-themed documents and news sources to lure victims into clicking on spear-phishing links.
Check Point Research said victim locations ranged from South America to the Middle East, with malware downloads designed to perform keylogging and screenshotting and execute commands.
The threat groups in question include El Machete, which is targeting the financial and government sectors in Nicaragua and Venezuela with malicious macro-laden Word documents containing articles on the war.
One of the docs was an article written by the Russian ambassador to Nicaragua titled: “Dark plans of the neo-Nazi regime in Ukraine.”
Another is Lyceum, an Iranian state-linked group targeting the energy sector with emails about war crimes in Ukraine that link to a malicious document hosted elsewhere. Its victims so far have been in Israel and Saudi Arabia, according to Check Point.
One email contained a link to an article from The Guardian hosted on the news-spot[.]live domain, alongside several malicious docs about the war.
https://www.infosecurity-magazine.com/news/global-apt-ukraine-war-phishing/
Paying Ransom Doesn’t Guarantee Data Recovery
OwnBackup announced the findings of a global survey conducted by Enterprise Strategy Group (ESG) that reveals a staggering 79% of respondent organisations have been targeted by ransomware within the past 12 months. Of those organisations, nearly three quarters said the attack was successful, meaning that it disrupted business operations.
Other key findings
· Of the respondents that said their organisation paid a cyber ransom to regain access to data, applications, and/or systems after an attack, only 14% were able to recover all of their data.
· 87% of respondents who made ransom payments said that they experienced additional extortion attempts beyond the initial ransomware demand.
· 31% of respondent organisations targeted by ransomware indicated that application user and permission misconfigurations were the initial point of compromise.
· 87% of respondents are very or somewhat concerned about their backups being infected by ransomware attacks.
https://www.helpnetsecurity.com/2022/04/07/organizations-targeted-by-ransomware/
Threats
Ransomware
March Ransomware Attacks Strike Finance, Government Targets (techtarget.com)
Why Paying The Ransom Isn’t The Answer For Ransomware Victims - Information Security Buzz
Companies Are More Prepared to Pay Ransoms Than Ever Before (tripwire.com)
Conti Ransomware Deployed in IcedID Banking Trojan Attack (techtarget.com)
Researchers Connect BlackCat Ransomware with Past BlackMatter Malware Activity (thehackernews.com)
Notorious Hacking Group FIN7 Adds Ransomware to Its Repertoire - CyberScoop
BlackCat Purveyor Shows Ransomware Operators Have 9 Lives (darkreading.com)
FIN7 Hackers Evolve Toolset, Work with Multiple Ransomware Gangs (bleepingcomputer.com)
LockBit Ransomware Attack Costs CRM Services Provider Over $42 Million - MSSP Alert
Snap-on Discloses Data Breach Claimed by Conti Ransomware Gang (bleepingcomputer.com)
Phishing & Email Based Attacks
Other Social Engineering
Malware
Borat RAT Malware: A 'Unique' Triple Threat That Is Far from Funny | ZDNet
Multiple Hacker Groups Capitalizing on Ukraine Conflict for Distributing Malware (thehackernews.com)
Malicious Web Redirect Service Infects 16,500 Sites to Push Malware (bleepingcomputer.com)
Researchers Uncover How Colibri Malware Stays Persistent on Hacked Systems (thehackernews.com)
Mobile
44 Vulnerabilities Patched in Android With April 2022 Security Updates | SecurityWeek.Com
Samsung Security Flaw Left Phones Exposed for Years (androidpolice.com)
SharkBot Android Malware Continues Popping Up on Google Play | SecurityWeek.Com
Android Apps With 45 Million Installs Used Data Harvesting SDK (bleepingcomputer.com)
New Android Spyware Uses Turla-Linked Infrastructure | SecurityWeek.Com
Organised Crime & Criminal Actors
Cryptocurrency/Cryptomining/Cryptojacking
Crypto 2022: Hackers Have Nabbed $1.22 Billion Already (yahoo.com)
Malicious Crypto Miners Can Make A Profit In A Few Hours - Help Net Security
Malicious Actors Targeting the Cloud For Cryptocurrency-Mining Activities - Help Net Security
Cryptocurrency-Mining AWS Lambda-Specific Malware Spotted • The Register
MailChimp Breached, Intruders Conducted Phishing Attacks Against Crypto Customers - Security Affairs
Turkey Seeks 40,000-Year Sentences for Alleged Cryptocurrency Exit Scammers | ZDNet
Insider Risk and Insider Threats
Fraud, Scams & Financial Crime
Traditional Identity Fraud Losses Soar, Totalling $52 Billion in 2021 - Help Net Security
South African and US Officers Swoop on Fraud Gang - Infosecurity Magazine
Insurance
Supply Chain
Cloud
The Importance of Understanding Cloud Native Security Risks - Help Net Security
15 Cyber Security Measures for the Cloud Era - Security Affairs
Privacy
How You’re Still Being Tracked on the Internet - The New York Times (nytimes.com)
Using Google's Chrome Browser? This New Feature Will Help You Fix Your Security Settings | ZDNet
Passwords & Credential Stuffing
Travel
Spyware, Espionage & Cyber Warfare, including Russian Invasion of Ukraine
Nation State Actors
Nation State Actors – Russia
The Russian Cyber Attack Threat Might Force a New IT Stance | Computerworld
FBI Operation Aims to Take Down Massive Russian GRU Botnet | TechCrunch
Microsoft Sinkholes Russian Hacking Group's Domains Targeting Ukraine (darkreading.com)
FBI Disrupts Russian Military Hackers, Preventing Botnet Amid Ukraine War | Fox News
Russia (still) Trying To Weaponize Facebook Amid Ukraine War • The Register
Nation State Actors – China
Symantec: Chinese APT Group Targeting Global MSPs | SecurityWeek.Com
Chinese Hackers Are Using VLC Media Player to Launch Malware Attacks (androidpolice.com)
Hacked: Inside the US-China Cyberwar | Cybersecurity | Al Jazeera
China Uses AI Software to Improve Its Surveillance Capabilities | Reuters
Nation State Actors – Misc
Vulnerabilities
CISA Warns of Active Exploitation of Critical Spring4Shell Vulnerability (thehackernews.com)
Palo Alto Networks firewalls, VPNs vulnerable to OpenSSL bug (bleepingcomputer.com)
A Vulnerability in Zyxel Firewall Could Allow for Authentication Bypass (cisecurity.org)
Spring4Shell Patching Is Going Slow but Risk Not Comparable To Log4Shell | CSO Online
Apple Leaves Big Sur, Catalina Exposed to Critical Flaws: Intego | SecurityWeek.Com
A Mirai-Based Botnet Is Exploiting the Spring4Shell Vulnerability - Security Affairs
Steady Rise in Severe Web Vulnerabilities - Help Net Security
ACF WordPress Plugin Vulnerability Affects Up To +2 Million Sites (searchenginejournal.com)
Zero Days Are for Life, Not Just For Christmas. Here’s How to Deal With Them • The Register
Sector Specific
Financial Services Sector
FinTech
Health/Medical/Pharma Sector
Manufacturing
CNI, OT, ICS, IIoT and SCADA
Europe Warned About Cyber Threat to Industrial Infrastructure | SecurityWeek.Com
BlackCat Ransomware Targets Industrial Companies | SecurityWeek.Com
Energy & Utilities
Reports Published in the Last Week
Other News
Okta CEO Says Lapsus$ Hack is 'Big Deal,' Aims to Restore Trust (yahoo.com)
86% of Developers Don't Prioritise Application Security - Help Net Security
Digital Transformation Requires Security Intelligence - Help Net Security
Government Officials: AI Threat Detection Still Needs Humans (techtarget.com)
The Original APT: Advanced Persistent Teenagers – Krebs on Security
How Many Steps Does It Take for Attackers To Compromise Critical Assets? - Help Net Security
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.