Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

• Cyber War in Ukraine, Ransomware Fears Drive 2022 Surge in Demand for Threat Intelligence Tools

Amid the heightened fear of ransomware in 2022, threat intelligence emerged as a core requirement of doing business in a world gone mad.

A sizable amount of interest in the historically tech-centric discipline was fuelled in part by fear of cyber attacks tied to the war between Russia and Ukraine. In one example, the Ukrainian government warned the world that the Russian military was planning for multi-pronged attacks targeting the energy sector. Other nation-state cyber attack operations also contributed to the demand, including one June 2022 incident were Iran’s Cobalt Mirage exploited PowerShell vulnerabilities to launch ransomware attacks.

And of course, headlines of data breaches tied to vulnerabilities that organisations did not even know existed within their networks caught the attention not just of security teams, but the C-Suite and corporate board. A misconfigured Microsoft server, for example, wound up exposing years of sensitive data for tens of thousands of its customers, including personally identifiable information, user data, product and project details and intellectual property.

Indeed, according to 183 security pros surveyed by CyberRisk Alliance Business Intelligence in June 2022, threat intelligence has become critical in arming their security operations centres (SOCs) and incident response teams with operational data to help them make timely, informed decisions to prevent system downtime, thwart the theft of confidential data, and protect intellectual property.

Threat intelligence has emerged as a useful tool for educating executives. Many also credited threat intelligence for helping them protect their company and customer data — and potentially saving their organisation's reputation.

https://www.scmagazine.com/resource/threat-intelligence/2022-year-in-review-threat-intelligence-tools

• Cyber Premiums Holding Firms to Ransom

Soaring premiums for cyber security insurance are leaving businesses struggling to pay other bills, a key industry player has warned.

Mactavish, which buys insurance policies on behalf of companies, said that more than half of big businesses that had bought cyber security insurance had been forced to make cuts elsewhere to pay for it.

In a survey of 200 companies with a turnover above £10 million, Mactavish found that businesses were reducing office costs and staff bonuses and were cutting other types of insurance to meet the higher payments.

Last month Marsh, an insurance broker, revealed that costs for cyber insurance had increased by an average of 66 per cent in the third quarter compared with last year.

Meanwhile, the risk to businesses from hackers continues to rise. A government report on digital threats, published this month, showed the proportion of businesses experiencing cyber security incidents at least monthly had increased from 53 per cent to 60 per cent in the past year. Uber, Cisco and InterContinental Hotels Group were among high-profile targets this year.

https://www.thetimes.co.uk/article/cyber-safety-premiums-hold-firms-to-ransom-tnrsz3vs2

• Ransomware Ecosystem Becoming More Diverse for 2023

The ransomware ecosystem has changed significantly in 2022, with attackers shifting from large groups that dominated the landscape toward smaller ransomware-as-a-service (RaaS) operations in search of more flexibility and drawing less attention from law enforcement. This democratisation of ransomware is bad news for organisations because it also brought in a diversification of tactics, techniques, and procedures (TTPs), more indicators of compromise (IOCs) to track, and potentially more hurdles to jump through when trying to negotiate or pay ransoms.

Since 2019 the ransomware landscape has been dominated by big and professionalised ransomware operations that constantly made the news headlines and even looked for media attention to gain legitimacy with potential victims. We've seen ransomware groups with spokespeople who offered interviews to journalists or issued "press releases" on Twitter and their data leak websites in response to big breaches.

The DarkSide attack against Colonial Pipeline that led to a major fuel supply disruption along the US East Coast in 2021 highlighted the risk that ransomware attacks can have against critical infrastructure and led to increased efforts to combat this threat at the highest levels of government. This heightened attention from law enforcement made the owners of underground cyber crime forums reconsider their relationship with ransomware groups, with some forums banning the advertising of such threats. DarkSide ceased operations soon thereafter and was followed later in the year by REvil, also known as Sodinokibi, whose creators were indicted and one was even arrested. REvil was one of the most successful ransomware groups since 2019.

Russia's invasion of Ukraine in February 2022 quickly put a strain on the relationship between many ransomware groups who had members and affiliates in both Russia and Ukraine, or other former USSR countries. Some groups, such as Conti, rushed to take sides in the war, threatening to attack Western infrastructure in support of Russia. This was a departure from the usual business-like apolitical approach in which ransomware gangs had run their operations and drew criticism from other competing groups.

This was also followed by a leak of internal communications that exposed many of Conti's operational secrets and caused uneasiness with its affiliates. Following a major attack against the Costa Rican government the US State Department put up a reward of $10 million for information related to the identity or location of Conti's leaders, which likely contributed to the group's decision to shut down operations in May.

Conti's disappearance led to a drop in ransomware activity for a couple of months, but it didn't last long as the void was quickly filled by other groups, some of them newly set up and suspected to be the creation of former members of Conti, REvil and other groups that ceased operations over the past two years.

https://www.csoonline.com/article/3684248/ransomware-ecosystem-becoming-more-diverse-for-2023.html#tk.rss_news

• Attackers Evolve Strategies to Outmanoeuvre Security Teams

Attackers are expected to broaden their targeting strategy beyond regulated verticals such as financial services and healthcare. Large corporations (41%) will be the top targeted sector for cyber attacks in 2023, favoured over financial institutions (36%), government (14%), healthcare (9%), and education (8%), according to cyber security solution provider Titaniam.

The fast pace of change has introduced new vulnerabilities into corporate networks, making them an increasingly attractive target for cyber attackers. To compete in the digital marketplace, large companies are adopting more cloud services, aggregating data, pushing code into production faster, and connecting applications and systems via APIs.

As a result, misconfigured services, unprotected databases, little-tested applications, and unknown and unsecured APIs abound, all of which can be exploited by attackers.

The top four threats in 2022 were malware (30%), ransomware and extortion (27%), insider threats (26%), and phishing (17%).

The study found that enterprises expected malware (40%) to be their biggest challenge in 2023, followed by insider threats (26%), ransomware and related extortion (21%), and phishing (16%).

Malware, however, has more enterprises worried for 2023 than it did for 2022. It is important to note that these threats can overlap, where insiders can have a hand in ransomware attacks, phishing can be a source of malware, etc.

Attackers are evolving their strategies to surprise and outmanoeuvre security teams, which have hardened ransomware defences and improved phishing detection. They’re using new malware, such as loaders, infostealers, and wipers to accelerate attacks, steal sensitive data and create mayhem.

They’re also buying and stealing employee credentials to walk in through the front door of corporate networks.

https://www.helpnetsecurity.com/2023/01/04/attackers-evolve-strategies-outmaneuver-security-teams/

• Building a Security-First Culture: The Key to Cyber Success

Everyone has heard a car alarm go off in the middle of the night, but how often does that notification actually lead to action? Most people will hear the alarm, glance in its direction and then hope the owner will quickly remedy the situation.

Cars alarms often fail because they go off too often, leading to apathy and annoyance instead of being a cause for emergency. For many, cyber security has also become this way. While we see an increase in the noise surrounding the need for organisations to improve the security skillset and knowledge base of employees, there continues to be little proactive action on this front. Most organisations only provide employees with elementary-grade security training, often during their initial onboarding process or as part of a standard training requirement.

At the same time, many organisations also make the grave mistake of leaving all of their security responsibilities and obligations in the hands of IT and security teams. Time and time again, this approach has proven to be highly ineffective, especially as cyber criminals refine their social engineering tactics and target user accounts to execute their attacks.

Alarmingly, recent research found that 30% of employees do not think that they play a role in maintaining their company’s cyber security posture. The same report also revealed that only 39% of employees say they are likely to report a security incident.

As traditional boundaries of access disintegrate and more employees obtain permissions to sensitive company data and systems to carry out their tasks, business leaders must change the mindset of their employees when it comes to the role they play in keeping the organisation safe from cyber crime. The key is developing an integrated cyber security strategy that incorporates all aspects—including all stakeholders—of the organisation. This should be a strategy that breaks down departmental barriers and creates a culture of security responsibility where every team member plays a part.

https://www.forbes.com/sites/forbestechcouncil/2023/01/03/building-a-security-first-culture-the-key-to-cyber-success/

• Adobe, Apple, Cisco, Microsoft Flaws Make Up Half of Known Exploited Vulnerabilities Catalogue

Back in November 2021, the US Cybersecurity and Infrastructure Security Agency (CISA) published the Known Exploited Vulnerabilities (KEV) Catalogue to help federal agencies and critical infrastructure organisations identify and remediate vulnerabilities that are actively being exploited. CISA added 548 new vulnerabilities to the catalogue across 58 updates from January to end of November 2022, according to cyber security solution provider Grey Noise in its first-ever "GreyNoise Mass Exploits Report."

Including the approximately 300 vulnerabilities added in November and December 2021, CISA listed approximately 850 vulnerabilities in the first year of the catalogue's existence.

Actively exploited vulnerabilities in Microsoft, Adobe, Cisco, and Apple products accounted for over half of the updates to the KEV catalogue in 2022, Grey Noise found. Seventy-seven percent of the updates to the KEV catalogue were older vulnerabilities dating back to before 2022. Many of these vulnerabilities have been around for two decades.

Several of the vulnerabilities in the KEV catalogue are from products that have already entered end-of-life (EOL) and end-of-service-life (EOSL), according to an analysis by a team from cyber security solution provider Cyber Security Works. Even though Windows Server 2008 and Windows 7 are EOSL products, the KEV catalogue lists 127 Server 2008 vulnerabilities and 117 Windows 7 vulnerabilities.

Even though the catalogue was originally intended for critical infrastructure and public-sector organisations, it has become the authoritative source on which vulnerabilities are – or have been – exploited by attackers. This is key because the National Vulnerability Database (NVD) assigned Common Vulnerabilities and Exposures (CVE) identifiers for over 12,000 vulnerabilities in 2022, and it would be unwieldy for enterprise defenders to assess every single one to identify the ones relevant to their environments. Enterprise teams can use the catalogue's curated list of CVEs under active attack to create their priority lists.

https://www.darkreading.com/edge-threat-monitor/adobe-apple-cisco-microsoft-flaws-make-up-half-of-kev-catalog

• First LastPass, Now Slack and CircleCI. The Hacks Go On (and will likely worsen)

In the past week, the world has learned of serious breaches hitting chat service Slack and software testing and delivery company CircleCI, though giving the companies' opaque wording—“security issue” and “security incident,” respectively—you'd be forgiven for thinking these events were minor.

The compromises—in Slack’s case, the theft of employee token credentials and for CircleCI, the possible exposure of all customer secrets it stores—come two weeks after password manager LastPass disclosed its own security failure: the theft of customers’ password vaults containing sensitive data in both encrypted and clear text form. It’s not clear if all three breaches are related, but that’s certainly a possibility.

The most concerning of the two new breaches is the one hitting CircleCI. The company reported a “security incident” that prompted it to advise customers to rotate “all secrets” they store on the service. The alert also informed customers that it had invalidated their Project API tokens, an event requiring them to go through the hassle of replacing them.

CircleCI says it’s used by more than 1 million developers in support of 30,000 organisations and runs nearly 1 million daily jobs. The potential exposure of all those secrets—which could be login credentials, access tokens, and who knows what else—could prove disastrous for the security of the entire Internet.

It’s possible that some or all of these breaches are related. The Internet relies on a massive ecosystem of content delivery networks, authentication services, software development tool makers, and other companies. Threat actors frequently hack one company and use the data or access they obtain to breach that company's customers or partners. That was the case with the August breach of security provider Twilio. The same threat actor targeted 136 other companies. Something similar played out in the last days of 2020 when hackers compromised Solar Winds, gained control of its software build system, and used it to infect roughly 40 Solar Winds customers.

For now, people should brace themselves for additional disclosures from companies they rely on. Checking internal system logs for suspicious entries, turning on multifactor authentication, and patching network systems are always good ideas, but given the current events, those precautions should be expedited. It’s also worth checking logs for any contact with the IP address 54.145.167.181, which one security practitioner said was connected to the CircleCI breach.

https://arstechnica.com/information-technology/2023/01/first-lastpass-now-slack-and-circleci-the-hacks-go-on-and-will-likely-worsen/

• Data of 235 Million Twitter Users Leaked Online

A data leak containing email addresses for 235 million Twitter users has been published on a popular hacker forum. Many experts have immediately analysed it and confirmed the authenticity of many of the entries in the huge leaked archive.

In January 2022, a report claimed the discovery of a vulnerability that can be exploited by an attacker to find a Twitter account by the associated phone number/email, even if the user has opted to prevent this in the privacy options. The vulnerability was exploited by multiple threat actors to scrape Twitter user profiles containing both private (phone numbers and email addresses) and public data, and was present within the social media platforms application programming interface (API) from June 2021 until January 2022.

At the end of July 2022, a threat actor leaked data of 5.4 million Twitter accounts that were obtained by exploiting the forementioned, now-fixed vulnerability in the popular social media platform. The scraped data was then put up for sale on various online cyber crime marketplaces. In August, Twitter confirmed that the data breach was caused by a now-patched zero-day flaw.

In December another Twitter data leak made the headlines, a threat actor obtained data of 400,000,000 Twitter users and attempted to sell it. The seller claimed the database is private, and he provided a sample of 1,000 accounts as proof of claims which included the private information of prominent users such as Donald Trump JR, Brian Krebs, and many more. The seller, who is a member of a popular data breach forum, claimed the data was scraped via a vulnerability. The database includes emails and phone numbers of celebrities, politicians, companies, normal users, and a lot of special usernames.

https://securityaffairs.com/140352/data-breach/twitter-data-leak-235m-users.html

• 16 Car Makers, including BMW, Ferrari, Ford, Honda, Kia, Land Rover, Mercedes and Toyota, and Their Vehicles Hacked via Telematics, APIs, and Infrastructure

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car functions and start or stop the engine.

Multiple other security defects, the researchers say, allowed them to access a car maker’s internal applications and systems, leading to the exposure of personally identifiable information (PII) belonging to customers and employees, and account takeover, among others. The hacks targeted telematic systems, automotive APIs, and infrastructure.

Impacted car models include Acura, BMW, Ferrari, Ford, Genesis, Honda, Hyundai, Infiniti, Jaguar, Kia, Land Rover, Mercedes-Benz, Nissan, Porsche, Rolls Royce, and Toyota. The vulnerabilities were identified over the course of 2022. Car manufacturers were informed about the security holes and they released patches.

According to the researchers, they were able to send commands to Acura, Genesis, Honda, Hyundai, Kia, Infiniti, Nissan, and Porsche vehicles.

Using only the VIN (vehicle identification number), which is typically visible on the windshield, the researchers were able to start/stop the engine, remotely lock/unlock the vehicle, flash headlights, honk vehicles, and retrieve the precise location of Acura, Honda, Kia, Infiniti, and Nissan cars.

They could also lock users out of remote vehicle management and could change car ownership.

https://www.securityweek.com/16-car-makers-and-their-vehicles-hacked-telematics-apis-infrastructure

• Ransomware Gang Apologises, and Gives SickKids Hospital Free Decrypter

The LockBit ransomware gang has released a free decrypter for the Hospital for Sick Children (SickKids), saying one of its members violated rules by attacking the healthcare organisation. SickKids is a teaching and research hospital in Toronto that focuses on providing healthcare to sick children.

On December 18th, the hospital suffered a ransomware attack that impacted internal and corporate systems, hospital phone lines, and the website. While the attack only encrypted a few systems, SickKids stated that the incident caused delays in receiving lab and imaging results and resulted in longer patient wait times.

On December 29th, SickKids announced that it had restored 50% of its priority systems, including those causing diagnostic or treatment delays. Two days after SickKids' latest announcement, the LockBit ransomware gang apologised for the attack on the hospital and released a decrypter for free.

“We formally apologise for the attack on sikkids.ca and give back the decrypter for free, the partner who attacked this hospital violated our rules, is blocked and is no longer in our affiliate programme," stated the ransomware gang.

https://www.bleepingcomputer.com/news/security/ransomware-gang-apologizes-gives-sickkids-hospital-free-decryptor/

Threats

Ransomware, Extortion and Destructive Attacks

• Rackspace: Ransomware Attack Bypassed ProxyNotShell Mitigations (darkreading.com)

• Hackers Leverage Compromised Fortinet Devices to Distribute Ransomware - Infosecurity Magazine (infosecurity-magazine.com)

• Rackspace: Customer email data accessed in ransomware attack (bleepingcomputer.com)

• Ransomware gang cloned victim’s website to leak stolen data (bleepingcomputer.com)

• Rackspace identifies hacking group responsible for early December ransomware attack | TPR

• Ransomware ecosystem becoming more diverse for 2023 | CSO Online

• Lockbit apologized for the attack on SickKids pediatric hospital and releases a free decryptor - Security Affairs

• The FBI's Perspective on Ransomware (thehackernews.com)

• Rackspace Sunsets Email Service Downed in Ransomware Attack (darkreading.com)

• Ransomware: The security debt collector - Help Net Security

• December ransomware disclosures reveal high-profile victims | TechTarget

• The Guardian ransomware attack hits week two as staff WFH • The Register

• Unraveling the techniques of Mac ransomware - Microsoft Security Blog

• Bitdefender releases free MegaCortex ransomware decryptor (bleepingcomputer.com)

• Ransomware Research: More than 200 US Infrastructure Organisations Attacked in 2022 - MSSP Alert

• Ransomware impacts over 200 govt, edu, healthcare orgs in 2022 (bleepingcomputer.com)

• Guardian ransomware attack: Staff told work from home to 23 Jan (pressgazette.co.uk)

• Rail giant Wabtec discloses data breach after Lockbit ransomware attack (bleepingcomputer.com)

• Hackers target Arnold Clark in Christmas Eve cyber attack as bosses insist customer information is safe – Car Dealer Magazine

• Christmas Eve 'cyber attack' forced Arnold Clark's network down | STV News

• Royal ransomware claims attack on Queensland University of Technology (bleepingcomputer.com)

• LockBit: Sorry for SickKids, but not housing authority • The Register

• New Survey: 1 In 4 Schools Were Victims Of Cyber Attacks In the Last Year; Administrators To Increase Spending On Privacy and Security (darkreading.com)

• Canadian mining firm shuts down mill after ransomware attack (bleepingcomputer.com)

Phishing & Email Based Attacks

• Data of 235 million Twitter users leaked online - Security Affairs

• Is NHS The Most Impersonated UK Government "Brand"? (informationsecuritybuzz.com)

• The Evolving Tactics of Vidar Stealer: From Phishing Emails to Social Media (thehackernews.com)

• New Phishing Campaign Targets Cyber security Professionals Using Hacking Tool Flipper Zero - Infosecurity Magazine (infosecurity-magazine.com)

• Ongoing Flipper Zero phishing attacks target infosec community (bleepingcomputer.com)

Other Social Engineering; Smishing, Vishing, etc

• Ukrainian Cops Bust Prolific Fraud Call Centre - Infosecurity Magazine (infosecurity-magazine.com)

• Inside a scammers’ lair: Ukraine busts 40 in fake bank call-centre raid – Naked Security (sophos.com)

Malware

• Raspberry Robin Worm Evolves to Attack Financial and Insurance Sectors in Europe (thehackernews.com)

• Hackers abuse Windows error reporting tool to deploy malware (bleepingcomputer.com)

• New SHC-compiled Linux malware installs cryptominers, DDoS bots (bleepingcomputer.com)

• Bluebottle hackers used signed Windows driver in attacks on banks (bleepingcomputer.com)

• Dridex Returns, Targets MacOS Using New Entry Method (trendmicro.com)

• New Linux malware uses 30 plugin exploits to backdoor WordPress sites (bleepingcomputer.com)

• PyTorch discloses malicious dependency chain compromise over holidays (bleepingcomputer.com)

• Hackers Using Stolen Bank Information to Trick Victims into Downloading BitRAT Malware (thehackernews.com)

• WordPress Sites Under Attack from Newly Found Linux Trojan (darkreading.com)

• Blind Eagle Hackers Return with Refined Tools and Sophisticated Infection Chain (thehackernews.com)

• Raspberry Robin Worm Hatches a Highly Complex Upgrade (darkreading.com)

• The Evolving Tactics of Vidar Stealer: From Phishing Emails to Social Media (thehackernews.com)

Denial of Service/DoS/DDOS

• War and Geopolitical Conflict: The New Battleground for DDoS Attacks (darkreading.com)

Internet of Things – IoT

• Ongoing Flipper Zero phishing attacks target infosec community (bleepingcomputer.com)

Data Breaches/Leaks

• Data of over 200 million Deezer users stolen, leaks on hacking forum • Graham Cluley

• Five Guys Data Breach Puts HR Data Under a Heat Lamp (darkreading.com)

• Analysis Of Top 10 Countries Mostly Targeted By Data Breaches (informationsecuritybuzz.com)

• Twitter said to have suffered data breach as hackers expose 235 million users' information (thenationalnews.com)

• I bought a $15 router at Goodwill — and found a millionaire's dirty secrets (nypost.com)

• Critical flaws found in Ferrari, BMW, Porsche, and other carmakers - Security Affairs

• Toyota, Mercedes, BMW API flaws exposed owners’ personal info (bleepingcomputer.com)

• Threat actors stole Slack private source code repositories - Security Affairs

• Data of over 200 million Deezer users stolen, leaks on hacking forum • Graham Cluley

Organised Crime & Criminal Actors

• Threat Actors Evade Detection Through Geofencing & Fingerprinting (darkreading.com)

• A sneak peek into the dark web dealings | Nation

• Attackers create 130K fake accounts to abuse limited-time cloud computing resources | CSO Online

• Cyber criminals we lost to law in 2022

• Inside a scammers’ lair: Ukraine busts 40 in fake bank call-centre raid – Naked Security (sophos.com)

• Ukrainian Cops Bust Prolific Fraud Call Centre - Infosecurity Magazine (infosecurity-magazine.com)

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

• New SHC-compiled Linux malware installs cryptominers, DDoS bots (bleepingcomputer.com)

Insider Risk and Insider Threats

• Software engineer busted after being inspired by Office Space scam | PC Gamer

• Are Meta and Twitter Ushering in a New Age of Insider Threats? (darkreading.com)

• Ex-GE engineer sentenced for stealing turbine tech for China • The Register

Fraud, Scams & Financial Crime

• Avast: Expect Cyber crime "Scamdemic" to Continue in 2023 - MSSP Alert

• Software engineer busted after being inspired by Office Space scam | PC Gamer

• US regulators warn banks over cryptocurrency risks - BBC News

• What Is a Pig Butchering Scam? | WIRED

• RedZei Chinese Scammers Targeting Chinese Students in the UK (thehackernews.com)

• Inside a scammers’ lair: Ukraine busts 40 in fake bank call-centre raid – Naked Security (sophos.com)

• Ukrainian Cops Bust Prolific Fraud Call Centre - Infosecurity Magazine (infosecurity-magazine.com)

Impersonation Attacks

• Is NHS The Most Impersonated UK Government "Brand"? (informationsecuritybuzz.com)

AML/CFT/Sanctions

• Iran's Revolutionary Guards set to be labelled as terrorist group by UK - BBC News

Insurance

• Cyber safety premiums holding firms to ransom | Business | The Times

• How can businesses decrease cyber insurance premiums while maintaining coverage? - Help Net Security

Dark Web

• A sneak peek into the dark web dealings | Nation

Supply Chain and Third Parties

• First LastPass, now Slack and CircleCI. The hacks go on (and will likely worsen) | Ars Technica

Software Supply Chain

• There is no secure software supply-chain. - by John McBride (substack.com)

Cloud/SaaS

• Attackers create 130K fake accounts to abuse limited-time cloud computing resources | CSO Online

Encryption

• Encryption Faces an Existential Threat in Europe | WIRED

• 2023 Will See Renewed Focus on Quantum Computing (darkreading.com)

• Chinese researchers claim to find way to break encryption using quantum computers | Financial Times (ft.com)

API

• API Security Is the New Black (darkreading.com)

• Car companies massively exposed to web vulnerabilities | The Daily Swig (portswigger.net)

• 16 Car Makers and Their Vehicles Hacked via Telematics, APIs, Infrastructure | SecurityWeek.Com

• What Are Some Ways to Make APIs More Secure? (darkreading.com)

• Critical flaws found in Ferrari, BMW, Porsche, and other carmakers - Security Affairs

Open Source

• New SHC-compiled Linux malware installs cryptominers, DDoS bots (bleepingcomputer.com)

• New Linux malware uses 30 plugin exploits to backdoor WordPress sites (bleepingcomputer.com)

Social Media

• Data of 235 million Twitter users leaked online - Security Affairs

• Twitter said to have suffered data breach as hackers expose 235 million users' information (thenationalnews.com)

• The Evolving Tactics of Vidar Stealer: From Phishing Emails to Social Media (thehackernews.com)

• Are Meta and Twitter Ushering in a New Age of Insider Threats? (darkreading.com)

• Meta fined €390m over use of data for targeted ads - BBC News

• More Political Storms for TikTok After US Government Ban | SecurityWeek.Com

Parental Controls and Child Safety

• Cops Catch Serial Child Abuser After Tech Breakthrough - Infosecurity Magazine (infosecurity-magazine.com)

Regulations, Fines and Legislation

• Meta fined €390m over use of data for targeted ads - BBC News

• Google will pay $29.5M to settle two lawsuits over its location tracking practices - Security Affairs

Governance, Risk and Compliance

• Cyber safety premiums holding firms to ransom | Business | The Times

• Cyber war in Ukraine, ransomware fears drive 2022 surge in demand for threat intelligence tools | SC Media (scmagazine.com)

• Attackers never let a critical vulnerability go to waste - Help Net Security

• Attackers evolve strategies to outmanoeuvre security teams - Help Net Security

• How to start planning for disaster recovery - Help Net Security

• Building A Security-First Culture: The Key To Cyber Success (forbes.com)

• Data backup is no longer just about operational fallback - Help Net Security

• Threat Actors Evade Detection Through Geofencing & Fingerprinting (darkreading.com)

• How can businesses decrease cyber insurance premiums while maintaining coverage? - Help Net Security

Secure Disposal

• I bought a $15 router at Goodwill — and found a millionaire's dirty secrets (nypost.com)

Backup and Recovery

• Data backup is no longer just about operational fallback - Help Net Security

Data Protection

• Getting data loss prevention right - Help Net Security

Law Enforcement Action and Take Downs

• Cyber criminals we lost to law in 2022

• Cops Catch Serial Child Abuser After Tech Breakthrough - Infosecurity Magazine (infosecurity-magazine.com)

• Inside a scammers’ lair: Ukraine busts 40 in fake bank call-centre raid – Naked Security (sophos.com)

• Ukrainian Cops Bust Prolific Fraud Call centre - Infosecurity Magazine (infosecurity-magazine.com)

Privacy, Surveillance and Mass Monitoring

• National security fears over police using Chinese tech | News | The Times

• Meta fined €390m over use of data for targeted ads - BBC News

• Google will pay $29.5M to settle two lawsuits over its location tracking practices - Security Affairs

Artificial Intelligence

• ChatGPT: An Easy Cyber crime Target For Cyber attacks (informationsecuritybuzz.com)

• OpenAI's ChatGPT previews how AI can help hackers breach more networks (axios.com)

• How hackers might be exploiting ChatGPT - Security Affairs

• NATO tests AI’s ability to protect critical infrastructure against cyber attacks | CSO Online

Misinformation, Disinformation and Propaganda

• It's time to focus on information warfare's hard questions (cyberscoop.com)

Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine

• War and Geopolitical Conflict: The New Battleground for DDoS Attacks (darkreading.com)

• Cyber attacks against governments jumped 95% in last half of 2022, CloudSek says | CSO Online

• It's time to focus on information warfare's hard questions (cyberscoop.com)

• National security fears over police using Chinese tech | News | The Times

• Ex-GE engineer sentenced for stealing turbine tech for China • The Register

• Pro-Russia cyber attacks aim at destabilizing Poland - Security Affairs

• Poland warns of attacks by Russia-linked Ghostwriter hacking group (bleepingcomputer.com)

Nation State Actors

Nation State Actors – Russia

• Russia Cyber attacks, China Covid Are Overlooked 2023 Threats - Bloomberg

Nation State Actors – China

• National security fears over police using Chinese tech | News | The Times

• Ex-GE engineer sentenced for stealing turbine tech for China • The Register

Nation State Actors – Iran

• Iran's Revolutionary Guards set to be labelled as terrorist group by UK - BBC News

Nation State Actors – Misc

• Blind Eagle Hackers Return with Refined Tools and Sophisticated Infection Chain (thehackernews.com)

Vulnerability Management

• Adobe, Apple, Cisco, Microsoft Flaws Make Up Half of KEV Catalog (darkreading.com)

• Attackers never let a critical vulnerability go to waste - Help Net Security

Vulnerabilities

• Over 60,000 Exchange servers vulnerable to ProxyNotShell attacks (bleepingcomputer.com)

• Adobe, Apple, Cisco, Microsoft Flaws Make Up Half of KEV Catalog (darkreading.com)

• Rackspace: Ransomware Attack Bypassed ProxyNotShell Mitigations (darkreading.com)

• Zoho urges admins to patch severe ManageEngine bug immediately (bleepingcomputer.com)

• Android's First Security Updates for 2023 Patch 60 Vulnerabilities | SecurityWeek.Com

• Fortinet and Zoho Urge Customers to Patch Enterprise Software Vulnerabilities (thehackernews.com)

• Qualcomm, Lenovo flag multiple high impact firmware vulnerabilities | SC Media (scmagazine.com)

• Netgear Wi-Fi routers need to be patched immediately | TechRadar

• Synology Releases Patch for Critical RCE Vulnerability Affecting VPN Plus Servers (thehackernews.com)

• Fortinet Releases Security Updates for FortiADC | CISA

Tools and Controls

• How Confidential Computing Can Change Cyber security (darkreading.com)

• Data backup is no longer just about operational fallback - Help Net Security

• Getting data loss prevention right - Help Net Security

• Things to know and do before you switch from VPN to ZTNA - Help Net Security

Other News

• The cyber security industry will undergo significant changes in 2023 - Help Net Security

• SecurityAffairs Top 10 cybersecurity posts of 2022 - Security Affairs

• BleepingComputer's most popular cybersecurity stories of 2022

• WordPress Security: 22 Ways To Protect Your Website (informationsecuritybuzz.com)

• Cyber attacks against governments jumped 95% in last half of 2022, CloudSek says | CSO Online

Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

·       Automotive

·       Construction

·       Critical National Infrastructure (CNI)

·       Defence & Space

·       Education & Academia

·       Energy & Utilities

·       Estate Agencies

·       Financial Services

·       FinTech

·       Food & Agriculture

·       Gaming & Gambling

·       Government & Public Sector (including Law Enforcement)

·       Health/Medical/Pharma

·       Hotels & Hospitality

·       Insurance

·       Legal

·       Manufacturing

·       Maritime

·       Oil, Gas & Mining

·       OT, ICS, IIoT, SCADA & Cyber-Physical Systems

·       Retail & eCommerce

·       Small and Medium Sized Businesses (SMBs)

·       Startups

·       Telecoms

·       Third Sector & Charities

·       Transport & Aviation

·       Web3

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

• Ransomware Attacks Surged to New Highs in 2021

Ransomware attacks are getting more frequent, more successful and more expensive.

Sixty-six percent of the organisations surveyed by Sophos for its annual State of Ransomware report admitted that they were hit with a ransomware attack last year, up from 37% in 2020. And 65 percent of those attacks were successful in encrypting their victims' data, up from 54 percent the year before.

On top of that, the average ransom paid by organisations for their most significant ransomware attack grew by nearly five times, to just over $800,000, while the number of organisations that paid ransoms of $1 million or more tripled to 11%, the UK-based cybersecurity company said. For its annual report, Sophos surveyed 5,600 organisations from 31 countries. A total of 965 of those polled shared details of their ransomware attacks.

The numbers aren't a huge surprise after a year of epic ransomware attacks that shut down everything from a major oil pipeline to one of the largest meat processors in the US. While both Colonial Pipeline and JBS US Holdings paid millions in ransom, the attacks paused their operations long enough to spark panic buying and drive prices up for consumers.

https://www.cnet.com/tech/services-and-software/ransomware-attacks-surged-to-new-highs-in-2021/#ftag=CAD-09-10aai5b

• NCSC and Allies Publish Advisory on The Most Commonly Exploited Vulnerabilities In 2021

The UK and international partners have published an advisory for public and private sector organisations on the 15 most commonly exploited vulnerabilities in 2021.

The National Cyber Security Centre (NCSC), a part of GCHQ, has jointly published an advisory with agencies in the US, Australia, Canada and New Zealand, showing that malicious cyber actors aggressively targeted newly disclosed critical software vulnerabilities across the public and private sectors worldwide.

Threat actors often geared their efforts towards targeting internet-facing systems, such as email and virtual private network (VPN) servers.

It also indicates that, to a lesser extent, actors continue to exploit publicly known – and often dated – vulnerabilities, some of which were routinely exploited in 2020 or earlier.

The advisory directs organisations to follow specific mitigation advice to protect against exploitation, which includes applying timely patches, using a centralised patch management system and replacing any software no longer supported by the vendor.

https://www.ncsc.gov.uk/news/ncsc-and-allies-publish-advisory-on-the-most-commonly-exploited-vulnerabilities-in-2021

•  Network Attacks Increased to a 3-Year High

WatchGuard Technologies’ Internet Security Report for Q4 2021 revealed all threats were up, whether they’re network attacks or malware.

When the pandemic started, their research team saw a big drop in malware being detected by network security devices. In this period, tech based jobs moved to remote work, which meant a lot of users were no longer browsing the internet and encountering bad things through the network security control at the office. That’s probably why network detection for malware dropped quite a bit at the beginning of the pandemic.

Meanwhile, network attacks continued to rise even through the pandemic, since the servers still lived at the offices and the cloud, and network security still protected those.

The big takeaway in Q4 2021 is that malware rose significantly, returning to normal levels. The reason might be the holiday season, but it’s most probably the fact that, at the end of last year, a lot of tech-based offices started reopening and offering employees to come back in, and thus there’s a bigger chance for network security controls to catch malware.

https://www.helpnetsecurity.com/2022/04/25/network-attacks-q4-2021-video/

• World War Three Is Far More Likely Than Anyone Is Prepared to Admit

A Telegraph article looks at the Russia-Ukraine conflict and considers risks posed by new weapons and how the West’s failure to understand our enemies are raising the chances of a horrific conflict.

The fact is the world is becoming more, rather than less, dangerous: there are plenty of other wannabe Putins, and they are better equipped to sow death and destruction. Not only traditional and nuclear threats but bioterrorism is a growing worry and a major cyber attack or assault on transatlantic cables could be so devastating to an internet-based economy as to be seen as a declaration of war.

https://www.telegraph.co.uk/news/2022/04/27/world-war-three-far-likely-anyone-prepared-admit/

• The Ransomware Crisis Deepens, While Data Recovery Stalls

Higher probabilities of attack, soaring ransoms, and less chance of getting data back — the ransomware plague gets worse, and cyber insurance fails to be a panacea.

When it comes to ransomware, more companies are seeing attacks and have had data encrypted, according to research out this week. And even though more companies are backing up or paying ransom demands, less data was recovered in 2021 compared with the previous year.

For instance, in its "State of Ransomware 2022" report, cybersecurity firm Sophos found that 66% of surveyed companies had encountered ransomware in 2021, with two-thirds of those firms — or 43% overall — suffering from an actual attack that encrypted data. In its previous report covering 2020, the frequency of successful attacks was much smaller, with about 20% overall resulting in encryption.

The deteriorating cyberthreat landscape is largely due to the evolution of ransomware groups and their techniques, says Sean Gallagher, senior threat researcher with Sophos.

"Over the past couple of years, there has been a massive transition from ransomware to ransomware-as-a-service," he says. "There are very well-established [groups] that are doing these attacks, and as a result, the number of attacks companies are seeing has gone up."

Ransomware continues to plague companies with business-disrupting attacks and defy efforts by cybersecurity experts to rein in the operators behind the criminals’ campaigns. Not only did the portion of companies affected by ransomware more than double last year, but the mean ransomware payment more than quadrupled to $812,000, according to the Sophos report.

https://www.darkreading.com/attacks-breaches/ransomware-crisis-deepens-data-recovery-stalls

• Ransoms Only Make Up 15% of Ransomware Costs

New research suggests that paying ransoms is only the tip of the cost iceberg when it comes to ransomware attacks.

Researchers at Check Point have revealed that the collateral damage of ransomware attacks make up costs roughly seven times higher than the ransom demanded by threat actors.

The costs include financial implications caused by incident response efforts, system restoration, legal fees, monitoring costs and the overall impact of business disruption.

Ransomware attacks are an increasingly popular attack method, typically involving stealing data from the victim, encrypting data and forcing them to pay for decryption and avoiding a data leak.

Check Point said in the report:

“Most other losses, including response and restoration costs, legal fees, monitoring costs, etc., are applied whether the extortion demand was paid or not. The year 2020 showed that the average total cost of a ransomware attack was more than seven times higher than the average ransom paid.”

https://www.itsecurityguru.org/2022/04/28/ransoms-only-make-up-15-of-ransomware-costs/

• Defending Your Business Against Russian Cyber Warfare

We are likely to see Russian state sponsored attacks escalate as the West continues to increase sanctions and support Ukraine.

The eyes of the world are focused on the war in Ukraine. As expected, Russia has targeted Ukraine with cyber attacks first, and much of the West is wondering when Russia will also retaliate against countries supporting Ukraine. Most agree that some attacks are already in progress, and the attacks against western entities are sure to escalate as the war continues and more sanctions are put in place. 

The first wave of companies targeted by the Russian state, and threat actors it supports, will be those that suspend Russian operations or take direct action to support Ukraine. Information operations and subversion against these companies will likely ensue. In the event of Russian cyberwarfare, reviewing the industries, styles, and objectives of their attacks can help organisations to prepare and implement more robust defences. These defences include actions both inside and outside an enterprise's perimeter.

https://www.securityweek.com/defending-your-business-against-russian-cyberwarfare

• 5-Year Vulnerability Trends Are Both Surprising and Sadly Predictable

What 5,800+ pentests show us: Companies have been struggling with the same known and preventable security bugs year over year. Bandwidth stands at the heart of the problem.

Cyber crime can cause major disruption when it comes to the sustainability and long-term success of companies. Teams want to have robust security but often struggle to meet that objective. It's crucial for security professionals to leverage insights into emerging trends in cybersecurity to pinpoint which vulnerabilities put organisations at the greatest risk, and Cobalt's "State of Pentesting" reports explore how to achieve efficiency to strengthen security.

The "State of Pentesting 2022" surveyed 602 cybersecurity and software development professionals and analysed data from 2,380 pentests conducted over the course of 2021 to pull key insights that are relevant to security and development teams when it comes to fixing vulnerabilities.

As a result of the data collected, the top five most common vulnerability categories outlined in this year's "State of Pentesting" report include:

·       Server Security Misconfigurations

·       Cross-Site Scripting (XSS)

·       Broken Access Control

·       Sensitive Data Exposure

·       Authentication and Sessions

Surprisingly — yet predictably — these vulnerability categories have stayed at the top of the list for at least the last five years in a row. They're also recognisable to those who are familiar with OWASP Top 10 list for Web Application Security Risks.

The majority of these findings are connected to missing configurations, outdated software, and a lack of access management controls — all common and easily preventable security flaws. So, what's holding companies back from preventing well-known security flaws? Why does this come as a surprise?

https://www.darkreading.com/vulnerabilities-threats/5-year-vulnerability-trends-are-both-surprising-and-sadly-predictable

• Cisco Talos Observes 'Novel Increase' in APT Activity in Q1

Advanced persistent threat actors have been busy over the past few months, according to Cisco Talos.

The security vendor released its Quarterly Trends report, which examined incident response trends from engagements in the first quarter of 2022. While ransomware remained the top threat, as it has for the past two years now, Cisco observed a new trend of increased APT activity. The Cisco Talos Incident Response (CTIR) team attributed some of the increase to groups like Iranian state-sponsored Muddywater and China-based Mustang Panda.

One suspected Chinese APT, dubbed "Deep Panda," was connected to exploitation of the Log4j flaw that was discovered last year in the widely used Java logging tool. Log4j exploitation was the second most common threat for Q1 behind ransomware, indicating the bug is a growing threat despite a patch being available.

https://www.techtarget.com/searchsecurity/news/252516380/Cisco-Talos-observes-novel-increase-in-APT-activity-in-Q1

• Deepfakes Set to Be Used in Organised Crime

New research from Europol suggests that deepfakes will be used extensively in organised crime operations.

Europol has warned of a projected rise in the use of deepfake technology by organised crime organisations.

Deepfakes involve the use of artificial intelligence to create realistic audio and audio-visual content “that convincingly shows people saying or doing things they never did, or create personas that never existed in the first place.”

Law enforcement and the challenge of deepfakes is the first published analysis of the Europol Innovation Lab’s Observatory function, warning that law enforcement agencies must rapidly improve skills and technologies utilised by officers in order to keep up with criminal deepfake use.

The analysis report highlighted how deepfakes are used primarily in disinformation, non-consensual pornography and document fraud campaigns, which will grow more realistic in years to come.

https://www.itsecurityguru.org/2022/04/29/deepfakes-set-to-be-used-in-organised-crime/

• Smart Contract Developers Not Really Focused on Security. Who Knew?

"Smart contracts," which consist of self-executing code on a blockchain, are not nearly as smart as the label suggests.

They are at least as error-prone as any other software, where historically the error rate has been about one bug per hundred lines of code.

And they may be shoddier still due to disinterest in security among smart contract developers, and perhaps inadequate technical resources.

Multi-million dollar losses attributed to smart contract bugs – around $31m stolen from MonoX via smart contract exploit and ~$34m locked into a contract forever due to bad increment math, to name a few – illustrate the consequences.

https://www.theregister.com/2022/04/26/smart_contract_losses/

• Tractor-Trailer Brake Controllers Vulnerable to Remote Hacker Attacks

We’ve been predicting this for a while now and the move to more and more connected systems, autonomous and semi-autonomous vehicles, how long until someone is subject to threats to disconnect a vehicle’s brakes as they are driving along a motorway? Who wouldn’t pay the ransom demand in that scenario?

A report this week is related to articulated lorries but this is something that will be affecting all vehicles unless safeguards are put in place.

Researchers have analysed the cyber security of heavy vehicles and discovered that the brake controllers found on many tractor-trailers in North America are susceptible to remote hacker attacks.

The research was conducted by the US National Motor Freight Traffic Association (NMFTA), which is a non-profit organisation that represents roughly 500 motor freight carriers, in collaboration with Assured Information Security, Inc.

NMFTA has been analysing the cyber security of heavy vehicles since 2015 and it has periodically disclosed its findings. The latest report from the organisation came in early March, when the US Cybersecurity and Infrastructure Security Agency (CISA) also issued an advisory to describe two vulnerabilities affecting trailer brake controllers.

The flaws described in the CISA advisory are related to the power line communications (PLC) between tractors and trailers, specifically the PLC4TRUCKS technology, which uses a standard named J2497 for bidirectional communications between the tractor and trailer without adding new wires.

https://www.securityweek.com/tractor-trailer-brake-controllers-vulnerable-remote-hacker-attacks

Threats

Ransomware

• Prevent HEAT Attacks to Foil Ransomware Incidents - Help Net Security

• 4-Hour Time-to-Ransom Seen in Quantum Attack as Accelerated Ransomware Increasingly Common | SecurityWeek.Com

• Conti Ransomware Operations Surge Despite Recent Leak - Security Affairs

• Beware: Onyx Ransomware Destroys Files Instead of Encrypting Them (bleepingcomputer.com)

• FBI says BlackCat Rust-Based Ransomware Scratched 60+ Orgs • The Register

• REvil Ransomware Attacks Resume, But Operators Are Unknown (techtarget.com)

• Fake Windows 10 Updates Infect You with Magniber Ransomware (bleepingcomputer.com)

• New Black Basta Ransomware Springs into Action with A Dozen Breaches (bleepingcomputer.com)

• Companies Can't Get Enough of Good Ol' Tape Storage For Ransomware Resistance | PC Gamer

Phishing & Email Based Attacks

• Phishing Goes KISS: Don’t Let Plain and Simple Messages Catch You Out! – Naked Security (sophos.com)

• Phishing Attacks Benefiting from Shady SEO Practices (techtarget.com)

• Cyber Criminals Deliver IRS Tax Scams and Phishing Campaigns by Mimicking Government Vendors - Help Net Security

Malware

• Emotet Malware Now Installs Via Powershell in Windows Shortcut Files (bleepingcomputer.com)

• It’s Called BadUSB for a Reason - Security Affairs

• New RIG Exploit Kit Campaign Infecting Victims' PCs with RedLine Stealer (thehackernews.com)

• Emotet Tests New Attack Techniques: Sign of Things to Come? | CSO Online

• Cyber Criminals Using New Malware Loader 'Bumblebee' in the Wild (thehackernews.com)

• New Powerful Prynt Stealer Malware Sells for Just $100 Per Month (bleepingcomputer.com)

Mobile

• These Are Signs That Your Phone Could Be Infected with Malware - PhoneArena

Organised Crime & Criminal Actors

• Interpol: We Can't Arrest Our Way Out of Cyber Crime • The Register

Cryptocurrency/Cryptomining/Cryptojacking/NFTs

• Scammers Are Copying News Sites To Push Elon Musk-themed Crypto Scams - Information Security Buzz

• Why Did Hackers Target DeFi L1, L2 Solutions for a $1.2 Billion Theft in 2022? (watcher.guru)

• Intuit Sued Over Phishing Attack Targeting Trezor Crypto Wallet Users - Decrypt

• Crypto Trading Fund Partners Accused of Fraud - Infosecurity Magazine

• LemonDuck Botnet Evades Detection in Cryptomining Attacks (techtarget.com)

• Bored Ape Yacht Club Instagram Hacked, NFTs Worth Millions Stolen (vice.com)

Insider Risk and Insider Threats

• Don't Ignore Risks Lurking Within Your Own Network - Help Net Security

AML/CFT

• Two More Indicted Over North Korean Sanctions Evasion Plot - Infosecurity Magazine

• FCA: Challenger Banks Failing to Spot Money Launderers - Infosecurity Magazine

Denial of Service DoS/DDoS

• Cloudflare Stomps On 15.3 Million Requests Per Second DDoS • The Register

• How a New Generation of IoT Botnets Is Amplifying DDoS Attacks | CSO Online

• Attackers Remain Persistent and Indiscriminate As Multi-Vector DDoS Attacks Continue To Rise - Help Net Security

• DDoS Attacks Target Healthcare, Education Markets, Research Finds - MSSP Alert

Cloud

• Is Cloud Critical Infrastructure? Prep Now for Provider Outages (techtarget.com)

• Shadow IT Is A Top Concern Related To SaaS Adoption - Help Net Security

• Security Turbulence in the Cloud: Survey Says… | Threatpost

Travel

• Finnish Hotels' Data Compromised - Infosecurity Magazine

Parental Controls and Child Safety

• Hackers Sexually Extort Kids with Stolen Data: Report (gizmodo.com)

Spyware, Espionage & Cyber Warfare, including Russian Invasion of Ukraine

• The Hybrid War in Ukraine - Microsoft On the Issues

• Data-Wiper Malware Strains Surge Amid Ukraine Invasion • The Register

• Russia Is Being Hacked at an Unprecedented Scale | WIRED

• Chinese Hackers Targeting Russian Military Personnel with Updated PlugX Malware (thehackernews.com)

• Cyber Attacks Rage in Ukraine, Support Military Operations | Threatpost

• Ongoing DDoS Attacks from Compromised Sites Hit Ukraine - Security Affairs

• Anonymous Hacked Russian PSCB Commercial Bank and Energy Firms - Security Affairs

• Russia-Linked Threat Actors Launched Hundreds of Cyber Attacks on Ukraine - Security Affairs

• Russian Hacktivists Launch DDoS Attacks on Romanian Govt Sites (bleepingcomputer.com)

• Cyber Espionage APT Now Identified as Three Separate Actors | Threatpost

Nation State Actors

Nation State Actors – Russia

• Microsoft Documents Over 200 Cyber Attacks by Russia Against Ukraine (thehackernews.com)

• Russian Govt Impersonators Target Telcos in Phishing Attacks (bleepingcomputer.com)

• The Subject of Trusting ‘Russian’ Applications - Information Security Buzz

Nation State Actors – North Korea

• Nation-state Hackers Target Journalists with Goldbackdoor Malware | Threatpost

Nation State Actors – Iran

• Iran's Rocket Kitten Likely Behind VMware Exploitation • The Register

Nation State Actors – Misc

• Case Study: Why It's Difficult To Attribute Nation-State Attacks (techtarget.com)

• Experts Detail 3 Hacking Teams Working Under the Umbrella of TA410 Group (thehackernews.com)

Vulnerability Management

• Five Eyes Nations Reveal 2021's Fifteen Most-Exploited Flaws • The Register

• Experts Warn of A Surge In Zero-Day Flaws Observed And Exploited in 2021 - Security Affairs

• Cyber Criminals are Feasting Over 'Zero-day Hacks' While the World Watches (analyticsinsight.net)

Vulnerabilities

• CISA Adds 7 Vulnerabilities to List Of Bugs Exploited In Attacks (bleepingcomputer.com)

• Cisco Patches 11 High-Severity Vulnerabilities in Security Products | SecurityWeek.Com

• Update Now! Critical Patches for Chrome and Edge | Malwarebytes Labs

• Microsoft Patches Pair of Dangerous Vulnerabilities in Azure PostgreSQL (darkreading.com)

• Log4j Attack Surface Remains Massive (darkreading.com)

• Microsoft Discovers New Privilege Escalation Flaws in Linux Operating System (thehackernews.com)

• Millions of Java Apps Remain Vulnerable to Log4Shell | Threatpost

• Organisations Warned of Attacks Exploiting WSO2 Vulnerability | SecurityWeek.Com

• Critical Vulnerabilities Leave Some Network-Attached Storage Devices Open to Attack (darkreading.com)

• Vulnerability Found in WordPress Anti-Malware Firewall (searchenginejournal.com)

Sector Specific

Financial Services Sector

• Private Investigator Admits Role in Hedge Fund Hack - Infosecurity Magazine

Government

• Governments Under Attack Must Think Defensively - Help Net Security

• Data Breach Disrupts UK Army Recruitment - Infosecurity Magazine

Health/Medical/Pharma Sector

• French Hospital Group Disconnects Internet After Hackers Steal Data (bleepingcomputer.com)

• Medical Software Firm Fined €1.5M for Leaking Data of 490k Patients (bleepingcomputer.com)

• Data breach at US healthcare provider ARcare impacts 345,000 individuals | The Daily Swig (portswigger.net)

• DDoS Attacks Target Healthcare, Education Markets, Research Finds - MSSP Alert

• Smile Brands Breach Impacts 2.5 Million Individuals - Infosecurity Magazine

CNI, OT, ICS, IIoT and SCADA

• Why Is It So Easy To Break Into The Systems That Run The World’s Most Critical, Expert Weighs In - Information Security Buzz

• Chickens Baked Alive Due to Computer Glitch - Infosecurity Magazine

Education and Academia

• Universities Lose Over £2m to Ransomware - IT Security Guru

• DDoS Attacks Target Healthcare, Education Markets, Research Finds - MSSP Alert

Gaming/Gambling

• New APT Group Earth Berberoka Targets Gambling Websites With Old and New Malware (trendmicro.com)

Reports Published in the Last Week

• Cisco Talos Intelligence Group - Comprehensive Threat Intelligence: Quarterly Report: Incident Response trends in Q1 2022

• Internet Security Report - Q4 2021 | WatchGuard Technologies

• State of Pentesting Report 2022 | Cobalt

Other News

• SolarWinds Breach Lawsuits: 6 Takeaways for CISOs | CSO Online

• 41% Of Businesses Had an API Security Incident Last Year - Help Net Security

• Security Leaders Relying More Heavily on MSPs Amid Talent Crunch - Help Net Security

• 2022 Security Priorities: Staffing and Remote Work (darkreading.com)

• GitHub: How Stolen OAuth Tokens Helped Breach Dozens of Orgs (bleepingcomputer.com)

• Why Companies Should Focus on Preventing Privilege Escalation (techtarget.com)

• German Wind Turbine Firm Hit by 'Targeted, Professional Cyber Attack' | SecurityWeek.Com

• 308,000 Exposed Databases Discovered, Proper Management Is Key - Help Net Security

• Lapsus$ targeting SharePoint, VPNs and virtual machines (techtarget.com)

• Indian Govt Orders Organisations to Report Security Breaches Within 6 Hours to CERT-In (thehackernews.com)

• Top Five Post-Pandemic Priorities for Cyber Security Leaders - Help Net Security

• Security Spending Set to Hit $198bn by 2025 - Infosecurity Magazine

• Companies Poorly Prepared to Meet CCPA, CPRA and GDPR Compliance Requirements - Help Net Security

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

SMBs Increasingly Vulnerable To Ransomware, Despite The Perception They Are Too Small To Target

A new report this week warns that small and medium-sized businesses (SMBs) are at particular risk based on the attack trends seen during the first six months of the year. The report revealed that during the first half of 2021, 4 out of 5 organisations experienced a cyber security breach originating from a vulnerability in their third-party vendor ecosystem. That’s at a time when the average cost of a data breach rose to around $3.56 million, with the average ransomware payment jumping 33% to more than $100,000.

https://www.helpnetsecurity.com/2021/08/10/smbs-ransomware/

May 2021 Saw A 440% Increase In Phishing, The Single Largest Phishing Spike On Record

In May 2021, a report revealed a 440% increase in phishing, holding the record for the single largest phishing spike in a single month. It also showed that industries such as oil, gas and mining saw a 47% increase in the same six-month period, with manufacturing and wholesale traders seeing a 32% increase. The report extends its yearly threat intelligence report, with updated metrics between January 1 and June 30 2021. It also investigates the latest trends in malware, phishing and crypto exchanges.

https://www.infosecurity-magazine.com/news/may-phishing-increase-webroot/

Users Can Be Just As Dangerous As Hackers

Most organisations should be at least as worried about user management as they are about Bond villain-type hackers launching compromises from abroad. Most organisations have deployed single sign-on and modern identity-management solutions. These generally allow easy on-boarding, user management, and off-boarding. However, on mobile devices, these solutions have been less effective. Examples include mobile applications such as WhatsApp, Signal, Telegram, or even SMS-which are common in the workforce. All these tools allow for low-friction, agile communication in an increasingly mobile business environment. Today, many of these tools offer end-to-end encryption (e2ee), which is a boon when viewed through the lens of protecting against outside attackers. However, e2ee also resists internal governance and compliance programs.

https://thehackernews.com/2021/08/users-can-be-just-as-dangerous-as.html?m=1

With Crime-As-A-Service, Anyone Can Be An Attacker

Crime-as-a-Service (CaaS) is the practice of experienced cybercriminals selling access to the tools and knowledge needed to execute cyber crime – in particular, it’s often used to create phishing attacks. For hackers, phishing is one of the easiest ways to steal your organisation’s data. Traditionally, executing a successful phishing campaign required a seasoned cyber criminal with technical expertise and knowledge of social engineering. However, with the emergence of CaaS, just about anyone can become a master of phishing for a small fee.

https://www.helpnetsecurity.com/2021/08/03/crime-as-a-service/

The Rise Of Cloud Is Creating Security Blindspots

Businesses are growing increasingly reliant on cloud services, but with all the good, businesses must also face the bad, according to a new report which says that the rise of cloud means greater complexity and more security blind spots.

Increased expansion into the cloud has led to new risks. All of the respondents in the report had suffered at least one incident in their public cloud environment in the last year, with 30 percent saying they had no formal sign-off before pushing to production.

https://www.itproportal.com/news/the-rise-of-cloud-is-creating-security-blindspots/

Connected Devices Increasingly At Risk As New Ransomware Attacks Are Reported Almost Daily

A report has been released on the state of connected devices. The 2021 study addresses pandemic-related cyber security challenges, including the growth of connected devices and related increase of security risks from these devices as threat actors took advantage of chaos to launch attacks. The study incorporates security risk and trend analysis of anonymized data for the past 12 months (June 2020 through June 2021) across the company’s 500+ deployments in healthcare, life sciences, retail, and manufacturing verticals. The number of agentless and un-agentable devices increased to 42% in this year’s report (compared to 32% of agentless or un-agentable devices in 2020).

https://www.helpnetsecurity.com/2021/08/12/connected-devices-risks/

The Value Of PII And How It Still Fuels Malign Activities In The Digital Ecosystem

The COVID-19 pandemic engendered new vulnerabilities in the digital ecosystem for threat actors to exploit, resulting in items like vaccines, fraudulent vaccine certificates, and other COVID-19 related items being sold in dark marketplaces and underground forums, an Intelligence report reveals. The research analysed the value of personally identifiable information (PII), drawing links between the breach economy, PII, and a range of emerging digital threats to executives and brands.

https://www.helpnetsecurity.com/2021/08/10/pii-value-digital-ecosystem/

Ransomware Payments Explode Amid ‘Quadruple Extortion’

Two reports slap hard figures on what’s already crystal clear: Ransomware attacks have skyrocketed, and ransomware payments are the comet trails that have followed them skyward. The average ransomware payment spiked 82 percent year over year: It’s now over half a million dollars, according to the first-half 2021 update report. As far as the sheer multitude of attacks goes, researchers on Thursday reported that they’ve identified and analysed 121 ransomware incidents so far in 2021, a 64 percent increase in attacks, year-over-year.

https://threatpost.com/ransomware-payments-quadruple-extortion/168622/

Hackers Netting Average Of Nearly $10,000 For Stolen Network Access

A new report from a cyber security company has spotlighted the thriving market on the dark web for network access that nets cyber criminals thousands of dollars. Researchers have examined network access sales on underground Russian and English-language forums before compiling a study on why criminals sell their network access and how criminals transfer their network access to buyers. More than 37% of all victims in a sample of the data were based in North America while there was an average price of $9,640 and a median price of $3,000.

https://www.zdnet.com/article/hackers-netting-average-of-nearly-10000-for-stolen-network-access/

1M Stolen Credit Cards Hit Dark Web For Free

Threat actors have leaked 1 million stolen credit cards for free online as a way to promote a fairly new and increasingly popular cyber criminal site dedicated to…selling payment-card credentials. Researchers noticed the leak of the payment-card data during a “routine monitoring of cyber crime and Dark Web marketplaces,” researchers said in a post published over the weekend. The cards were published on an underground card-selling market, AllWorld.Cards, and stolen between 2018 and 2019, according to info posted on the forum.

https://threatpost.com/1m-stolen-credit-cards-dark-web/168514/

Ransomware Group Demanding $50M In Accenture Security Breach

The hacker group behind a ransomware attack on global solution provider giant Accenture has made a ransom demand for $50 million, according to a cyber security firm that reports seeing the demand. The threat actor is demanding the $50 million in exchange for more than 6 TB of data, according to a tweet.

https://www.crn.com/news/security/ransomware-group-demanding-50m-in-accenture-security-breach-cyber-firm

Threats

Ransomware

• Top 5 Ransomware Operators By Income

• Ransomware Gangs Exploiting Windows Print Spooler Vulnerabilities

• Hackers Reportedly Threaten To Leak Data From Gigabyte Ransomware Attack

• Bitcoin Ransomware Hackers Hit Accenture

• Why Ransomware Is Such A Threat To Critical Infrastructure

• Ransomware Demands And Payments Hit New Records

• Synology Warns Of Malware Infecting NAS Devices With Ransomware

Phishing

• AI Wrote Better Phishing Emails Than Humans In A Recent Test

Other Social Engineering

• Cyber Fraud Shifts To Gaming, Travel And Leisure, Report Finds

Malware

• Discord Malware Is A Persistent And Growing Threat Warns Sophos

• Microsoft Warning: This Unusual Malware Attack Has Just Added Some New Tricks

• Experts Shed Light On New Russian Malware-As-A-Service Written In Rust

• IISpy: A Complex Server‑Side Backdoor With Anti‑Forensic Features

• Anatomy Of Native IIS Malware

Mobile

• A 5G Shortcut Leaves Phones Exposed to Stingray Surveillance

• Beware! New Android Malware Hacks Thousands of Facebook Accounts

IOT

• A Critical Random Number Generator Flaw Affects Billions Of IoT Devices

Vulnerabilities

• Microsoft's August 2021 Patch Tuesday: 44 Flaws Fixed, Seven Critical Including Print Spooler Vulnerability

• Microsoft Confirms There's Yet Another New Windows Print Spooler Security Bug

• Microsoft Exchange Server: Threat Actors Actively Scanning For Proxyshell Vulnerability, Researchers Warn

• Magento Update Released To Fix Critical Flaws Affecting E-Commerce Sites

• Vulnerability Found In Kindle E-Reader

• Got A Cheap Cisco Router In Your Home Office? If It's One Of These, There's An Exposed RCE Hole You Need To Plug

Organised Crime & Criminal Actors

• Attackers Started Exploiting a Router Vulnerability Just 2 Days After Its Disclosure

• Hackers Steal $600 Million In Crypto From DeFi Site Poly Network

Dark Web

• 1M Stolen Credit Cards Hit Dark Web For Free

Supply Chain

• MSSPs Particularly Vulnerable To Cisco FDM Flaw

DoS/DDoS

• Attackers Increasingly Turning to DDoS As A Ransom Vector

Nation State Actors

• Briton Suspected Of Spying For Russia Arrested In Germany

• Putin Is Crushing Biden’s Room To Negotiate On Ransomware

Cloud

• Data Of Three Million Elderly Citizens Exposed In Cloud Security Oversight

• AWS S3 Can Be A Security Risk For Your Business

Privacy

• UN Human Rights Experts Call For Spyware Crackdown

• Apple Says ‘Screeching Minority” Who Object Against Their Photos Being Scanned For The Police ‘Have Misunderstanding’

• Is Your Router Giving Away Your Location?

Other News

• The Challenges Healthcare CISOs Face In An Evolving Threat Landscape

• Hacker Shares The Scariest Things He's Seen On The Dark Web

• Researchers Develop RISC-V Chip for Quantum-Resistant Encryption

• Quantum Computers Could Threaten Blockchain Security. These New Defenses Might Be The Answer

• Saving Money By Holding Onto Old Tech Is Costing Us All Billions

• Unwanted Bot Traffic Costs Businesses $250 Million A Year

• Attacks Against Industrial Networks Will Become A Bigger Problem. We Need To Fix Security Now

• Kaseya's Universal Revil Decryption Key Leaked On A Hacking Forum

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.