Threat Intelligence Blog
Contact us to discuss any insights from our Blog, and how we can support you in a tailored threat intelligence report.
Black Arrow Cyber Threat Briefing 22 September 2023
Black Arrow Cyber Threat Intelligence Briefing 22 September 2023:
-New Ransomware Victims Surge by 47% as Small Businesses Targeted
-MGM Resorts Lost Millions of Dollars a Day in What Should be a Wakeup Call for Corporate Boards
-SMEs Overestimate Their Cyber Security Preparedness
-China’s Hacking Power Bigger Than Rest of World Combined
-Cyber Insurance Claims for Ransomware Reach Record High
-Cyber Security Still Remains the Greatest Concern for Many C-Suite Executives
-Bad Torts: Law Firms Feel the Heat from Rising Cyber Threats
-Attacker Deepfakes IT Employees’ Voice in Phone Call to Breach Company
-Insider Risks are Getting Increasingly Costly as Organisations Fail to Proactively Address Them
-Half of Executives Expect Supply Chain Challenges
-How Social Engineering Takes Advantage of Your Kindness
-Employers Blame Employees as 54% of Firms Face Cyber Attacks Annually
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
New Ransomware Victims Surge by 47% as Small Businesses Targeted
Ransomware attackers are shifting away from “big game” targets and towards easier, less defended organisations, a new report from Trend Micro has found. The report observed a 47% increase in the number of new victims of this vector from the second half of 2022, many of which were small organisations with less mature cyber postures. In fact, 57% of victims of the infamous ransomware gang LockBit, were of organisations up to 200 employees.
Small businesses can be attractive targets; they don’t have the budget of a large organisation and therefore they are more likely to have gaps that can be exploited. To combat this, small businesses need to prioritise their security budgets effectively, to allow themselves the most protection that their budget allows.
Source [Infosecurity Magazine]
MGM Resorts Lost Millions of Dollars a Day in What Should be a Wakeup Call for Corporate Boards
The recent ransomware attack on MGM Resorts has resulted in the loss of millions of dollars daily, not accounting for ransomware fees and reputational damage. MGM Resorts are a client of Okta, who noted that Caesars entertainment and three (not named) other organisations have been hit. Although the other victims have not yet been named, it has been revealed that they are in the manufacturing, retail and technology sectors. As a result of the attacks, Beazley and AIG, who provide cyber insurance, are likely to face significant losses.
The attack should act as wakeup call for corporate boards, as it once again highlights how anyone can be a victim, and if the right controls are not in place, an attack won’t be stopped. Cyber incidents are a matter of when, not if, and boards need to ensure they are prepared, and prepared to handle the fallout when an attack happens.
Sources: [Proactive Investors] [Reuters] [Insurance Insider] [OODA Loop] [Claims Journal]
SMEs Overestimate Their Cyber Security Preparedness
According to a recent report, 57% of small and medium enterprises (SMEs) have experienced a cyber security breach, with 31% facing such an incident in the past year. Despite the increasing threat, 70% are confident in their defences, though 44% solely rely on their antivirus solutions, and a quarter don't regularly train employees on cyber security best practices or never have.
The report also found that many SMEs either underestimate the importance of robust security, believing they’re too small to be targeted, or put too much trust in their current defences. The increasing number of evolving cyber threats poses a significant risk to SMEs. Rising patterns show frequent and sophisticated attacks, highlighting the urgent need for effective security measures. Understandably, not all small business owners have the resources to obtain in-house cyber security experts. Black Arrow works with organisations of all sizes and sectors to design and prepare for managing a cyber security incident; this can include an Incident Response Plan and an educational tabletop exercise for the leadership team that highlights the proportionate controls to help the organisation prevent and mitigate an incident.
Sources: [Helpnet Security] [Security Magazine]
China’s Hacking Power Bigger Than Rest of World Combined
In a recent conference the director of the FBI highlighted the magnitude of China’s cyber power, most notably explaining that China has a bigger hacking program than the competition combined.
This comes as recent attacks have seen malicious USB drives used to spread malware and now, something we’ve not seen much before, financially motivated hacks by Chinese-speaking actors through a piece of malware known as “ValleyRAT”.
Sources: [Reuters] [Infosecurity Magazine] [WIRED] [Inforisk Today] [TechRadar]
Cyber Insurance Claims for Ransomware Reach Record High
A new report from cyber insurance provider Coalition shows a 12% increase in cyber claims over the first six months of this year, driven by the notable spikes in ransomware (19%), business email compromise (BEC) attacks (26%) and funds transfer fraud (FTF) (31%). The report found that claims severity also increased 61% from the previous six months and 117% over the last year. The average ransom demand was $1.62 million, a 47% increase over the previous six months and a 74% increase over the past year.
The report comes as the FBI and the US Cybersecurity and Infrastructure Security Agency (CISA) released a joint advisory warning that ransomware gangs are increasingly evolving their tactics while targeting critical infrastructure sectors, including Information Technology, and Food and Agriculture. The advisory strongly discourages organisations from paying ransoms and encourages victims to report ransomware incidents to a local agency’s reporting channel. Similar advisories were released earlier in the year warning of ransomware groups such as Cl0p who exploited the vulnerability in MOVEit earlier this year.
Sources: [NextGov] [BetanNews] [Security Magazine] [CSO Online]
Cyber Security Still Remains the Greatest Concern for Many C-Suite Executives
Almost three-quarters (73%) of nearly 700 board members surveyed in a new study, believe their organisations are at risk of cyber attack, including targeted attacks; a sizable increase from the 65% last year, according to a recently released Proofpoint report. Worryingly, with the high number believing they are at risk from an attack, 53% still believed they would be unprepared for such an attack. When it came to their main concerns, malware was the top concern (40%), followed by insider threat (36%) and cloud account compromise (36%).
C-suite concern has propelled budgets, with a third of businesses increasing cyber security spending by a significant margin. As IT has become less centralised with a move towards cloud-based systems, combined with a shortage of skilled cyber security workers, businesses are having to rely more heavily on third party security according to a recent report.
This investment, along with improved security communications to executives, should enhance IT upskilling and employee awareness of cyber security.
Sources: [MSSP Alert] [Tech Radar]
Bad Torts: Law Firms Feel the Heat from Rising Cyber Threats
Publicly available reports of ransomware attacks on law firms have accelerated this year, with massive amounts of sensitive client data now in the hands of threat actors, highlighting a growing trend of cyber incidents afflicting the legal business.
One of the reasons law firms are increasingly targeted is due to the amount of sensitive data that they hold. This data can be used for extortion, insider training and general ransom purposes. In addition, many law firms utilise third parties to handle their data, increasing their risk of becoming a victim through their supply chain.
Source: [Synack]
Attacker Deepfakes IT Employees’ Voice in Phone Call to Breach Company
A recent cyber attack used AI to deepfake an IT employee’s voice. The attack started off with a phishing mail, which the unsuspecting victim employee clicked. The attacker then hit a challenge: multi-factor authentication (MFA). That was until they decided to use artificial intelligence to clone the voice of an IT employee. The attacker, now speaking as if they were the IT employee, was then able to convince the victim employee to provide the needed MFA code. As a result, the attack was successful.
The attack highlights the increase in AI for attacks, whilst also demonstrating that cyber security is more than just technology: it is people and operations too. Think about voice cloning, how would your organisation prepare for this?
Sources [PC Mag]
Insider Risks are Getting Increasingly Costly as Organisations Fail to Proactively Address Them
With the cost of insider risk the highest it has ever been (£13.25m per incident), organisations need to effectively budget and find ways to proactively address insider risk. A report found that 55% of money spent on insider incident response went toward problems caused by negligence or mistakes, and 25% for those were caused by actively malicious insiders, with the remaining 20% being attacks that out-smarted employees.
The cost and damage is acknowledged by organisations, with a separate report finding 46% of organisations self-reported that they were actively planning to spend more on proactively addressing insider risk in 2024. Budgets are not infinite however, and organisations need to effectively allocate their spending to ensure they are getting the most protection for their spend.
Sources: [Computer Weekly] [CSO Online]
Half of Executives Expect Supply Chain Challenges
With the surge in the number of attacks taking place through the software supply chain, it is no wonder almost half of executives expect supply chain challenges in the year ahead according to a survey by Deloitte. When asked about their experience, 34% of respondents self-reported that their organisation has experienced one or more supply chain cyber security events during the past year.
One of the ways to improve organisations’ supply chain security is to conduct assessments on the third parties they use, yet 21% of respondents did not do this at all. Potentially, one of the reasons for this is not knowing the correct questions to ask. Black Arrow can support you through a structured approach to asking a suite of targeted questions to your third parties, and assessing the responses for indicators of risk to your business.
Sources [PRnewswire] [SiliconANGLE]
How Social Engineering Takes Advantage of Your Kindness
Last week, MGM Resorts disclosed a massive systems issue that reportedly rendered slot machines, room keys and other critical devices inoperable. What elaborate methods were required to crack a nearly $34 billion casino and hotel empire? According to the hackers themselves, all it took was a ten minute phone call, allowing them to gain access through a simple social engineering attack. Social engineering psychologically manipulates a target into doing what the attacker wants, or giving up information that they shouldn’t. The consequences range from taking down global corporations to devastating the personal finances of unfortunate individual victims.
Extroverted, agreeable, and open individuals are often cyber victims; fear is an attack vector and so is helpfulness. As comfort increases, so too does vulnerability to being hacked. Social engineering attacks target both corporations and individuals. A person’s positive traits can be weaknesses against such threats. Balancing kindness with scepticism is essential.
Source: [Engadget]
Employers Blame Employees as 54% of Firms Face Cyber Attacks Annually
A survey found that despite the percentage of companies that have encountered a cyber security incident in the last 12 months, a worrying 24% of employees have never had any cyber security training. The survey further found that alarmingly 42% of respondents used the same password for both home and work accounts, increasing the risk of exposing their organisational passwords. This risk was furthered by 40% of the total number of respondents keeping their password in an open file or physical notebook.
Organisations, including those already providing training, should look to ensure they implement training from experts that covers such areas; by effectively training employees, organisations will increase their cyber resilience and reduce their risk of suffering a cyber attack. Black Arrow supports organisations of all sizes in designing and delivering proportionate user education and awareness programmes, including in-person and online training as well as simulated phishing campaigns. Our programmes are secure employee engagement and build a cyber security culture to protect the organisation.
Source: [Information Security Buzz]
Governance, Risk and Compliance
Cyber security still remains the greatest concern for many executives | TechRadar
Cyber attacks are constant and test even the best | Newsroom
Companies Struggling With Cyber security: Big Players In Bad Situations (forbes.com)
SMEs overestimate their cyber security preparedness - Help Net Security
Almost Half of Executives Expect Supply Chain Security Challenges in Year Ahead (prnewswire.com)
Organisations failing to proactively address insider cyber risk | Computer Weekly
Expensive Investigations Drive Surging Data Breach Costs (bleepingcomputer.com)
Most Global Board Members Unprepared for “Targeted” Cyber attack, Report Finds | MSSP Alert
Changing Role of the CISO: A Holistic Approach Drives the Future (darkreading.com)
How to Get Your Board on Board With Cyber security (darkreading.com)
Regulatory activity forces compliance leaders to spend more on GRC tools - Help Net Security
Going Up! How to Handle Rising Cyber security Costs (securityintelligence.com)
Balancing budget and system security: Approaches to risk tolerance - Help Net Security
Is Director Liability For Cyber security Failure An Immediate Risk? (forbes.com)
83% of IT Security Professionals Say Burnout Causes Data Breaches (prnewswire.com)
Why Cyber security Compliance Standards Still Have A Long Way To Go (forbes.com)
Bot Attack Costs Double to $86m Annually - Infosecurity Magazine (infosecurity-magazine.com)
Adapting to new rule changes in cyber risk management: How the SEC changed the game - SiliconANGLE
Poor digital experience a blocker for cyber resilience | Computer Weekly
What is Governance, Risk and Compliance (GRC)? | TechTarget Definition
How to prevent and prepare for a cyber catastrophe (securityintelligence.com)
2023 Cyber Risk and Resiliency Report: How CIOs Are Dueling Disaster (informationweek.com)
Why more security doesn’t mean more effective compliance - Help Net Security
Threats
Ransomware, Extortion and Destructive Attacks
Digesting the Digits - 2023 ‘record year’ for ransomware attacks - PaymentExpert.com
Attacks on Casino Giants Heralds Resurgence in Ransomware Attacks (claimsjournal.com)
Beazley and AIG likely to face cyber attack losses on casinos (insuranceinsider.com)
LockBit Is Using RMMs to Spread Its Ransomware (darkreading.com)
‘Top’ ransomware gangs favour smaller businesses | Computer Weekly
US cyber insurance claims spike amid ransomware, funds transfer fraud, BEC attacks | CSO Online
Ransomware group's evolving tactics pose growing threat - Nextgov/FCW
Malware distributor Storm-0324 facilitates ransomware access | Microsoft Security Blog
Who is behind the latest wave of UK ransomware attacks? | Cyber crime | The Guardian
NCSC: Why Cyber Extortion Attacks No Longer Require Ransomware (darkreading.com)
Scattered Spider, Alphv, and the MGM hack, explained - The Hustle
Quadruple extortion ransomware maximising monetisation (securitybrief.co.nz)
What is Extortionware? How is it Different from Ransomware? (techtarget.com)
Ransomware cyber insurance claims rose by 27% | Security Magazine
Cyber insurance claims for ransomware reach record high (betanews.com)
Ransomware gang targeting defence firms, FBI warns - Defence One
Scattered Spider snares 100+ victims, moves into ransomware • The Register
BlackCat ransomware hits Azure Storage with Sphynx encryptor (bleepingcomputer.com)
FBI, CISA Issue Joint Warning on 'Snatch' Ransomware-as-a-Service (darkreading.com)
Critical Infrastructure Organisations Warned of Snatch Ransomware Attacks - Security Week
Healthcare's ransomware defences need more preventative action (securitybrief.co.nz)
Ransomware vs. resources: A higher education dilemma - eCampus News
Ransomware Victims
Hackers who breached casino giants MGM, Caesars also hit 3 other firms, Okta says | Reuters
Okta Agent Involved in MGM Resorts Breach, Attackers Claim (darkreading.com)
Hackers claim it only took a 10-minute phone call to shut down MGM Resorts (engadget.com)
MGM, Caesars Face Regulatory, Legal Maze After Cyber Incidents (darkreading.com)
Beazley and AIG likely to face cyber attack losses on casinos (insuranceinsider.com)
Greater Manchester Police Hack Follows Third-Party Supplier Fumble (darkreading.com)k
Clorox products in short supply after cyber attack disrupts operations | CNN Business
Psychiatric hospital near Jerusalem hit by suspected cyber attack | The Times of Israel
UMass Medical School Sued Over MOVEit File-Transfer Data Breach (bloomberglaw.com)
UK IT services provider Agilitas hit by Donut ransomware attack? (techmonitor.ai)
Cyber attack blamed for outages at hospitals in Illinois, Wisconsin (scrippsnews.com)
Major trucking software provider confirms ransomware incident (therecord.media)
Handbag maker Radley London hit by RansomHouse cyber attack? (techmonitor.ai)
Phishing & Email Based Attacks
HR phishing: self-evaluation questionnaire | Kaspersky official blog
Phishing victim sends eye-watering $4.5M in USDT to scammer (cointelegraph.com)
BEC – Business Email Compromise
Other Social Engineering; Smishing, Vishing, etc
Hackers claim it only took a 10-minute phone call to shut down MGM Resorts (engadget.com)
How social engineering takes advantage of your kindness (engadget.com)
Artificial Intelligence
Hacker Deepfakes Employee's Voice in Phone Call to Breach IT Company | PCMag
NSA Report: Deepfakes Threaten National Security | MSSP Alert
Microsoft AI Researchers Accidentally Expose 38 Terabytes of Confidential Data (thehackernews.com)
Artificial Intelligence Making Cyber Crime Harder to Fight (govtech.com)
Companies still don’t know how to handle generative AI risks - Help Net Security
85% of cyber leaders believe AI will outpace cyber defences (electronicspecifier.com)
McAfee CEO Greg Johnson on the Cyber security Threat From Generative AI (businessinsider.com)
Companies Rely on Multiple Methods to Secure Generative AI Tools (darkreading.com)
2FA/MFA
Malware
NodeStealer Malware Now Targets Facebook Business Accounts on Multiple Browsers (thehackernews.com)
Malware distributor Storm-0324 facilitates ransomware access | Microsoft Security Blog
macOS MetaStealer attacks take aim at business Mac users (appleinsider.com)
Earth Lusca Employs New Linux Backdoor, Uses Cobalt Strike for Lateral Movement (trendmicro.com)
A mysterious new Chinese malware strain is targeting large firms across the globe | TechRadar
New SprySOCKS Linux malware used in cyber espionage attacks (bleepingcomputer.com)
Bumblebee malware returns in new attacks abusing WebDAV folders (bleepingcomputer.com)
Fake WinRAR exploit PoC drops VenomRAT malware | SC Media (scmagazine.com)
P2PInfect botnet activity surges 600x with stealthier malware variants (bleepingcomputer.com)
Ukrainian Hacker Suspected to be Behind "Free Download Manager" Malware Attack (thehackernews.com)
‘Sandman’ hackers backdoor telcos with new LuaDream malware (bleepingcomputer.com)
Kaspersky uncovers 3-year old supply chain attack campaign (securitybrief.co.nz)
Mobile
Dangerous permissions detected in top Android health apps (securityaffairs.com)
Android security updates: Everything you need to know | Android Central
Hook: New Android Banking Trojan That Expands on ERMAC's Legacy (thehackernews.com)
APT36 state hackers infect Android devices using YouTube app clones (bleepingcomputer.com)
Botnets
Bot Attack Costs Double to $86m Annually - Infosecurity Magazine (infosecurity-magazine.com)
P2PInfect botnet activity surges 600x with stealthier malware variants (bleepingcomputer.com)
Vast majority of bot attacks emanate from China and Russia | SC Media (scmagazine.com)
Denial of Service/DoS/DDOS
Internet of Things – IoT
Hikvision Intercoms Allow Snooping on Neighbors (darkreading.com)
No dedicated hardware security for 66% IoT modules: IoT Analytics (securitybrief.co.nz)
Data Breaches/Leaks
Pirated Software Likely Cause of Airbus Breach - Infosecurity Magazine (infosecurity-magazine.com)
Microsoft AI Researchers Accidentally Expose 38 Terabytes of Confidential Data (thehackernews.com)
Police data breach: 20,000 data points 'at risk' (computing.co.uk)
CardX released a data leak notification impacting their customers in Thailand (securityaffairs.com)
Pizza Hut Australia hack: data breach exposes customer information and order details | Australia
Air Canada says unauthorized group breached employee data, hacked internal system (databreaches.net)
83% of IT Security Professionals Say Burnout Causes Data Breaches (prnewswire.com)
T-Mobile app glitch let users see other people's account info (bleepingcomputer.com)
T-Mobile Racks Up Third Consumer Data Exposure of 2023 (darkreading.com)Over a Third of UK
TransUnion says dump of customer data came from third party • The Register
US govt IT worker accused of leaking top secrets • The Register
Organised Crime & Criminal Actors
Europol lifts the lid on cyber crime tactics (malwarebytes.com)
One of the FBI’s most wanted hackers is trolling the US government | TechCrunch
India's biggest tech centres named as cyber crime hotspots • The Register
Scattered Spider snares 100+ victims, moves into ransomware • The Register
Financially Motivated Hacks by Chinese-Speaking Actors Surge (inforisktoday.com)
Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain
Multiple crypto raids net Lazarus Group $290M in 15 weeks | SC Media (scmagazine.com)
TikTok flooded by 'Elon Musk' cryptocurrency giveaway scams (bleepingcomputer.com)
Phishing victim sends eye-watering $4.5M in USDT to scammer (cointelegraph.com)
Mark Cuban loses $870k to a crypto scam: ‘They must have been watching’ – DL News
How Sam Bankman-Fried's parents enabled his criminal empire | Fortune Crypto
Insider Risk and Insider Threats
Organisations failing to proactively address insider cyber risk | Computer Weekly
HR’s role in cyber security and insider threat mitigation - Hindustan Times
Fraud, Scams & Financial Crime
Brits Lose $9.3bn to Scams in a Year - Infosecurity Magazine (infosecurity-magazine.com)
US cyber insurance claims spike amid ransomware, funds transfer fraud, BEC attacks | CSO Online
TikTok flooded by 'Elon Musk' cryptocurrency giveaway scams (bleepingcomputer.com)
Mark Cuban loses $870k to a crypto scam: ‘They must have been watching’ – DL News
How Sam Bankman-Fried's parents enabled his criminal empire | Fortune Crypto
Payment Card-Skimming Campaign Now Targeting Websites in North America (darkreading.com)
Court sentences pair for India-based robocall scam • The Register
Shift from UK Analogue to Digital Phone Lines Breeds New SCAMs - ISPreview UK
Singapore to detail fraud liability split for bank & victim • The Register
Deepfakes
Insurance
Cyber insurance claims for ransomware reach record high (betanews.com)
US cyber insurance claims spike amid ransomware, funds transfer fraud, BEC attacks | CSO Online
Beazley and AIG likely to face cyber attack losses on casinos (insuranceinsider.com)
Ransomware cyber insurance claims rose by 27% | Security Magazine
Dark Web
Supply Chain and Third Parties
Almost Half of Executives Expect Supply Chain Security Challenges in Year Ahead (prnewswire.com)
Okta Agent Involved in MGM Resorts Breach, Attackers Claim (darkreading.com)
Greater Manchester Police Hack Follows Third-Party Supplier Fumble (darkreading.com)
Kaspersky uncovers 3-year old supply chain attack campaign (securitybrief.co.nz)
Evaluating New Partners and Vendors from an Identity Security Perspective (darkreading.com)
How cyber attacks on Taiwan are hurting global business - Raconteur
Software Supply Chain
Cloud/SaaS
Why Shared Fate is a Better Way to Manage Cloud Risk (darkreading.com)
IBM X-Force: Use of compromised credentials darkens cloud security picture | Network World
Retool blames breach on Google Authenticator MFA cloud sync feature (bleepingcomputer.com)
Mastering Defence-In-Depth and Data Security in the Cloud Era (darkreading.com)
Understanding the Differences Between On-Premises and Cloud Cyber security (darkreading.com)
Hybrid/Remote Working
Shadow IT
Identity and Access Management
Encryption
EU's quest to fix the internet could become a privacy nightmare | TechRadar
UK Minister Warns Meta Over End-to-End Encryption - Security Week
Signal Messenger Introduces PQXDH Quantum-Resistant Encryption (thehackernews.com)
Open Source
Kaspersky uncovers 3-year old supply chain attack campaign (securitybrief.co.nz)
Chinese hackers have unleashed a never-before-seen Linux backdoor | Ars Technica
New SprySOCKS Linux malware used in cyber espionage attacks (bleepingcomputer.com)
Ukrainian Hacker Suspected to be Behind "Free Download Manager" Malware Attack (thehackernews.com)
Passwords, Credential Stuffing & Brute Force Attacks
Are your end-users' passwords compromised? Here's how to check. (bleepingcomputer.com)
Why employee login credentials are 'the weakest link in security' (siliconrepublic.com)
Social Media
TikTok fined 345m euro by watchdog over how it processed children’s data | The Independent
NodeStealer Malware Now Targets Facebook Business Accounts on Multiple Browsers (thehackernews.com)
APT36 state hackers infect Android devices using YouTube app clones (bleepingcomputer.com)
Donald Trump Jr.'s X Account Appears To Have Been Hacked (dailydot.com)
UK Minister Warns Meta Over End-to-End Encryption - Security Week
TikTok flooded by 'Elon Musk' cryptocurrency giveaway scams (bleepingcomputer.com)
Malvertising
Training, Education and Awareness
Parental Controls and Child Safety
Regulations, Fines and Legislation
UK Minister Warns Meta Over End-to-End Encryption - Security Week
EU's quest to fix the internet could become a privacy nightmare | TechRadar
TikTok Is Hit With $368 Million Fine Under Europe's Strict Data Privacy Rules - Security Week
MGM, Caesars Face Regulatory, Legal Maze After Cyber Incidents (darkreading.com)
California Settles With Google Over Location Privacy Practices for $93 Million - Security Week
Why Cyber security Compliance Standards Still Have A Long Way To Go (forbes.com)
Adapting to new rule changes in cyber risk management: How the SEC changed the game - SiliconANGLE
Models, Frameworks and Standards
How to Interpret the 2023 MITRE ATT&CK Evaluation Results (darkreading.com)
How NIST Cyber security Framework 2.0 Tackles Risk Management (securityintelligence.com)
Data Protection
Careers, Working in Cyber and Information Security
Expert: Three Skills Cyber security Professionals Should Have in 2024 (newswise.com)
83% of IT Security Professionals Say Burnout Causes Data Breaches (prnewswire.com)
IT pros told to accept burnout as normal part of their job - Help Net Security
Wanted: another 3mn cyber professionals | Financial Times (ft.com)
Law Enforcement Action and Take Downs
How the FBI Fights Back Against Worldwide Cyber attacks (securityintelligence.com)
Court sentences pair for India-based robocall scam • The Register
Finnish Authorities Dismantle Notorious PIILOPUOTI Dark Web Drug Marketplace (thehackernews.com)
Privacy, Surveillance and Mass Monitoring
California Settles With Google Over Location Privacy Practices for $93 Million - Security Week
TikTok fined 345m euro by watchdog over how it processed children’s data | The Independent
EU's quest to fix the internet could become a privacy nightmare | TechRadar
Misinformation, Disinformation and Propaganda
Nation State Actors, Advanced Persistent Threats (APTs), Cyber Warfare and Cyber Espionage
Russia
China, Russia ‘Prepared’ to Use Cyber If War Breaks Out, US Warns (thedefencepost.com)
International Criminal Court hacked amid Russia probe • The Register
Portuguese company detects 961 pro-Russian cyber attacks in Western Europe – EURACTIV.com
Vast majority of bot attacks emanate from China and Russia | SC Media (scmagazine.com)
One of the FBI’s most wanted hackers is trolling the US government | TechCrunch
Senators want clarity from Pentagon on Ukraine Starlink access fiasco | SC Media (scmagazine.com)
Russian allegedly smuggled US weapons electronics to Moscow • The Register
China
China, Russia ‘Prepared’ to Use Cyber If War Breaks Out, US Warns (thedefencepost.com)
FBI chief says China has bigger hacking program than the competition combined | Reuters
EU warns China on Ukraine disinformation and cyber attacks – POLITICO
Chinese Spies Infected Dozens of Networks With Thumb Drive Malware | WIRED
Chinese hackers have unleashed a never-before-seen Linux backdoor | Ars Technica
Trouble brews after embassy worker finds spy bug in China teapot (thetimes.co.uk)
Vast majority of bot attacks emanate from China and Russia | SC Media (scmagazine.com)
A mysterious new Chinese malware strain is targeting large firms across the globe | TechRadar
Financially Motivated Hacks by Chinese-Speaking Actors Surge (inforisktoday.com)
Growing Chinese Tech Influence in Africa Spurs 'Soft Power' Concerns (darkreading.com)
How cyber attacks on Taiwan are hurting global business - Raconteur
DoD: China's ICS Cyber Onslaught Aimed at Gaining Kinetic Warfare Advantage (darkreading.com)
Iran
Microsoft: 'Peach Sandstorm' Cyber attacks Target Defence, Pharmaceutical Orgs (darkreading.com)
Pro-Iranian Attackers Target Israeli Railroad Network (darkreading.com)
North Korea
Multiple crypto raids net Lazarus Group $290M in 15 weeks | SC Media (scmagazine.com)
How a North Korean cyber group impersonated a Washington D.C. analyst (cnbc.com)
Misc Nation State/Cyber Warfare
Vulnerability Management
KEV Catalog Reaches 1000, What Does That Mean and What Have We Learned | CISA
Vulnerability management, its impact and threat modeling methodologies (securityintelligence.com)
How SBOMs Help Uncover Vulnerabilities In Enterprise Applications (forbes.com)
Vulnerabilities
Fortinet Releases Security Updates for Multiple Products | CISA
Critical Trend Micro vulnerability exploited in the wild (CVE-2023-41179) - Help Net Security
iOS 17.0.1 re-patches 3 actively exploited security flaws - 9to5Mac
If you're still using WinRAR, watch out for this dangerous exploit - and please stop | TechRadar
GitLab Releases Urgent Security Patches for Critical Vulnerability (thehackernews.com)
Microsoft releases firmware update for all Surface devices | TechSpot
Tools and Controls
Expensive Investigations Drive Surging Data Breach Costs (bleepingcomputer.com)
Enterprise networks are evolving; your security architecture needs to evolve, too (betanews.com)
Think Your MFA and PAM Solutions Protect You? Think Again (thehackernews.com)
Do You Really Trust Your Web Application Supply Chain? (thehackernews.com)
Regulatory activity forces compliance leaders to spend more on GRC tools - Help Net Security
Going Up! How to Handle Rising Cyber security Costs (securityintelligence.com)
Shadow IT: Security policies may be a problem - Help Net Security
Balancing budget and system security: Approaches to risk tolerance - Help Net Security
How NIST Cyber security Framework 2.0 Tackles Risk Management (securityintelligence.com)
How Choosing Authentication Is a Business-Critical Decision (darkreading.com)
Understanding the Differences Between On-Premises and Cloud Cyber security (darkreading.com)
Adapting to new rule changes in cyber risk management: How the SEC changed the game - SiliconANGLE
Reports Published in the Last Week
Other News
Why automakers are worried your car is the next target for cyber attacks - CityAM
Consumers are being bombarded with billions of threats every year | TechRadar
Bad torts: Law firms feel the heat from rising cyber threats (synack.com)
SME Cyber Security – Time for a New Approach? - IT Security Guru
Time to Demand IT Security by Design and Default - Infosecurity Magazine (infosecurity-magazine.com)
Australia’s new cyber security strategy: Build “cyber shields” around the country | CSO Online
Home Office sets up cyber security for Emergency Services Network | UKAuthority
Cyber security Tops Business Risks Challenging European Auditors (bloomberglaw.com)
Energy Is the Most-Targeted Sector for Cyber attacks: Here’s What to Do (powermag.com)
Cyber on the battlefield is about more than IT - Nextgov/FCW
Every Network Is Now an OT Network. Can Your Security Keep Up? - Security Week
Pentagon's 2023 Cyber Strategy Focuses on Helping Allies - Security Week
Singapore's retail banks take steps to enhance cyber security (finextra.com)
Experts fret over fate of CISA cyber programs as shutdown clouds loom | SC Media (scmagazine.com)
Strong compliance management is crucial for fintech-bank partnerships - Help Net Security
Rail Travel Free in Estonia as Cyber Attack Disrupts Ticketing (eturbonews.com)
Dairy industry teams with cyber security group to beef up defences | Food Dive
Securing Eurovision’s online voting system against cyber attacks (computerweekly.com)
GCHQ chief takes job in private security company | The Independent
Sector Specific
Industry specific threat intelligence reports are available.
Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.
· Automotive
· Construction
· Critical National Infrastructure (CNI)
· Defence & Space
· Education & Academia
· Energy & Utilities
· Estate Agencies
· Financial Services
· FinTech
· Food & Agriculture
· Gaming & Gambling
· Government & Public Sector (including Law Enforcement)
· Health/Medical/Pharma
· Hotels & Hospitality
· Insurance
· Legal
· Manufacturing
· Maritime
· Oil, Gas & Mining
· OT, ICS, IIoT, SCADA & Cyber-Physical Systems
· Retail & eCommerce
· Small and Medium Sized Businesses (SMBs)
· Startups
· Telecoms
· Third Sector & Charities
· Transport & Aviation
· Web3
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Threat Briefing 01 September 2023
Black Arrow Cyber Threat Intelligence Briefing 01 September 2023:
-66 Percent of Businesses Don't Understand Their Cyber Risks
-Massive Supplier Cyber Breach Puts London’s Metropolitan Police on Red Alert After Officer and Staff Details Hacked
-Pay our Ransom Instead of a GDPR Fine, Cyber Crime Gang Tells Targets, as Attacks Against Small Businesses Ramp Up
-Survey Finds In-house Counsel Cyber Anxiety Skyrocketing
-58% of Malicious Emails Contained Spoofed Content
-Cyber Attacks Remain a Top Concern for Organisations Across All Industries
-BYOD Security Gap: Survey Finds 49% of European Firms Unprotected
-13% of Employees Admit to Falling for Phishing Attacks Working at Home, 9% Would Wait to Report After the Weekend
-Numbers Don't Lie: Exposing the Harsh Truths of Cyber Attacks in New Report
-Kroll’s Breach Highlights SIM-Swapping Risk
-Reducing The Risk of AI, What Can You Do?
-Debunking Popular Cyber Security Myths
-3 Malware Loaders Responsible for 80% of Intrusions
-MOVEit Hack Shows Attackers Still Use Old Tricks
-Barracuda Thought it Drove 0-day Hackers out of Customers’ Networks. It was Wrong
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
66 Percent of Businesses Don't Understand Their Cyber Risks
A survey has found that 67% of organisations have experienced a breach requiring attention within the last two years, despite having traditional security measures in place. Worryingly, 66% self-reported having limited visibility and insight into their cyber risk profiles.
83% of organisations agreed that a comprehensive cyber risk reduction strategy would yield a reduction in the likelihood of a significant cyber incident occurring, yet a number of organisations are finding it difficult to implement this and as a result are looking for outside assistance too. The report found that 93 percent of organisations plan to offload specific segments of cyber risk reduction workstreams or projects to security service providers within the next two years.
Source: [Beta News]
Massive Supplier Cyber Breach Puts London’s Metropolitan Police on Red Alert After Officer and Staff Details Hacked
All 47,000 personnel working for the Met Police were warned of the risk their photos, names and ranks having been stolen when cyber crooks penetrated the IT systems of a contractor printing warrant cards and staff passes. The supplier had access to names, ranks, photos, vetting levels and pay numbers of officers and staff, but did not hold information such as addresses, phone numbers or financial details.
The attack shows the importance of understanding the supply chain, and what access your supplier has access to. Without knowing who has your data, and what data, you will be left clueless if a breach on a supplier occurs.
Sources [Data Breaches] [UKAuthority]
Pay our Ransom Instead of a GDPR Fine, Cyber Crime Gang Tells Targets, as Attacks Against Small Businesses Ramp Up
Ransomware actors are always evolving their tactics, with gangs now telling victims if they don’t pay, then they will face fines under data protection laws. Additionally, small businesses are on the radar, partially due to them being easier targets for actors; some gangs have shifted from asking for millions from a large organisation, to requesting small ransoms from multiple small businesses.
As a result in both the number and sophistication of ransomware attacks, 80% of organisations expect their spending to increase. Not every organisation has an unlimited budget and so it is important that organisations are able to prioritise and allocate their budget effectively, to give them the most protection that their budget allows, especially small to medium-sized businesses.
Sources [Dark Reading] [The Record] [Security Magazine]
Survey Finds In-house Counsel Cyber Anxiety Skyrocketing
In a recent report, only 25% of legal professionals said they felt fully prepared to deal with a cyber attack, with 78% ranking the task of shielding their organisation from cyber attacks as the greatest regulatory concern over the next 12 months; previously, this figure was only 30% in 2021.
There has been a growing number of attacks, due to the sensitive data that is held and the number of attacks will continue to rise. With regulatory concerns adding to this, in-house counsel should be looking to have their concerns heard and drive the organisation to bolster their defences, and this may include outsourcing expert advice to make sure it is done correctly.
Source: [Law.com]
58% of Malicious Emails Contained Spoofed Content
According to a recent report, 58% of malicious emails contained spoof content and spam emails had increased by 30% from Q1 to Q2 2023. The report identified a surge in the number of uses of QR codes as a primary attack method, showing that attack methods are evolving, and in some cases, choosing not to use traditional methods.
The report reinforces the need for constant user education training, to reduce the risk of an employee falling for a phishing email. With this training, new evolving techniques such as that with QR codes, should also be addressed.
Source: [Security Magazine]
Cyber Attacks Remain a Top Concern for Organisations Across All Industries
Cyber attacks remain a top threat to organisations’ ability to do business across all industries. When asked in a recent report, 18% of respondents reported that cyber attacks threatened or disrupted their business.
With cyber attacks being a huge concern, many organisations have an incident response plan in place; yet despite this, nearly one quarter (23%) of companies surveyed have either never conducted tests or are unsure if their teams have tested. Cyber incidents are a matter of when, not if, and a strong incident response plan is always needed and can prevent a bad situation from being made worse by doing the wrong things in the immediate aftermath of an attack.
Source: [Business Wire]
BYOD Security Gap: Survey Finds 49% of European Firms Unprotected
A recent survey found that a concerning 49% of European businesses are operating without having a formal bring-your-own-device (BYOD) policy, highlighting a lack of visibility and control over such devices. The report found that organisations are concerned about compliance-based issues, with 43% noting increased worries.
The benefits of BYOD are clear, allowing organisations to save money and eliminate the need for multiple devices. But without a formal BYOD policy, organisations are risking having employees bring in devices that are effectively invisible to IT. This means that the vulnerabilities that come with it, and the risks it can bring, also go unnoticed. To mitigate the risk, a formalised BYOD policy is required.
Source: [Infosecurity Magazine]
13% of Employees Admit to Falling for Phishing Attacks Working at Home, 9% Would Wait to Report After the Weekend
In a recent report, it was found that 13% of employees admitted they had fallen for a phishing attack whilst working from home. Rather worryingly, 21% said they would continue working business as usual in the event of falling victim to a phishing attack whilst working remotely on a Friday, with 9% indicating they’d wait until after the weekend to report it, effectively, giving the attacker a 48 hour period in which they go unnoticed, if the employee even remembers to report it on the Monday.
It is important that users are educated, both on spotting phishing attacks and the reporting process, so that organisations can be best protected. By providing regular and effective user training, employees will be at less risk of falling victim to a phishing attack, even from home. Additionally, by understanding the reporting process and why there is a need to report as soon as possible, organisations will shorten their detection time.
Source: [Security Magazine]
Numbers Don't Lie: Exposing the Harsh Truths of Cyber Attacks in New Report
In their most recent quarterly report, BlackBerry focused on a 90-day window, identifying over 1.5 million malware-based attacks, over 200,000 unique attacks, 17,000 attacks per day and 12 per minute to name a few. The report found that financial institutions were amongst the most targeted.
Source: [The Hacker News]
Kroll’s Breach Highlights SIM-Swapping Risk
A recent supply chain breach at Kroll, the risk and financial advisory firm, affected downstream customers and exposed personal information on hundreds of claimants in bankruptcy proceedings. The breach occurred when a threat actor had transferred an employee’s phone number to a device in the attackers possession, which was then subsequently used to access sensitive information.
In this attack, the actor had convinced T-Mobile to port the employee’s number over, allowing the actor to access files containing bankruptcy details. A mitigation recommended for this is to ask your network provider if they offer port freeze or number lock, to protect it from unauthorised transfer.
Source [Dark Reading]
Reducing The Risk of AI, What Can You Do?
Threat actors' use of generative AI has fuelled a significant rise in attacks worldwide during the last 12 months according to a recent report. Yet despite this, AI is still seen as a positive thing for organisations, with the power of generative AI quickly realised.
Certainly, AI can be used in the organisation to increase efficiency and automate tasks, but it must be used with vigilance. Organisations implementing AI should have governance over the usage of AI to eliminate the chance of data leaking. This governance may include policies, procedures and approved AI software.
Sources: [CSO Online] [UKTech News]
Debunking Popular Cyber Security Myths
At a time when cyber security is a constant feature in the news and our daily lives, it is important to debunk a few myths surrounding it. One of the biggest, is the assumption that cyber defence is all about the technical controls; in fact, 89% of cyber attacks involved social engineering. The prevalence of social engineering further shows that strong passwords, firewalls and antivirus are not enough; what’s the use in having a password that takes years to crack if you hand it over to someone?
When we think cyber security, we often think of external threat actors, but insider risk is a real threat: whether by malicious actions, negligence or misunderstanding, those inside your organisation can be a real risk to your organisation.
So what’s the take home? Cyber is more than just technology, and it is not just an outside attacker. Organisations’ cyber efforts should focus on more than just the technical requirements; by having things such as user education training, organisations can mitigate their cyber risk.
Sources: [Forbes] [Trend Micro]
3 Malware Loaders Responsible for 80% of Intrusions
Three malware loaders, QBot, SocGholish, and Raspberry Robin, are responsible for 80 percent of observed attacks on computers and networks so far this year. The malware are all distributed differently; Qbot is typically deployed through a phishing email, SocGholish is downloaded without user interaction, and Raspberry Robin is through USB devices.
Sources: [The Register] [Infosecurity Magazine]
MOVEit Hack Shows Attackers Still Use Old Tricks
SQL injection has been around for a quarter of a century, yet it still features amongst the top 10 list of security vulnerabilities. In fact, SQL injection was the method of attack for the infamous MOVEit hacks, which has impacted over 700 organisations, with the number still growing.
The MOVEit attack highlights just how easily old, over-looked vulnerabilities can be used to target an organisation. Consider your organisation now: are there any legacy systems or software in place?
Source: [Dark Reading]
Barracuda Thought it Drove 0-day Hackers out of Customers’ Networks. It was Wrong.
In late May, security vendor Barracuda had released a patch for their email security gateway (ESG), which was being actively exploited. Having already accounted for this, the threat actors utilised a new attack, which meant infected devices would reinfect themselves, effectively negating Barracuda’s patch. Unfortunately, this meant that for a while, Barracuda thought it was in the clear, when it was still under attack.
Upon realising this, Barracuda’s security advisory changed from recommending a patch to requiring an immediate replacement of compromised ESG appliances, regardless of the patch level. This shows the need for organisations to keep up to date with the latest threat intelligence, as missing the second update could mean infected devices are still in the wild, with organisations under the false perception that they were safe.
Source: [Ars Technica]
Governance, Risk and Compliance
66 percent of businesses don't understand their cyber risks (betanews.com)
Survey of In-House Counsel Finds Cyber Anxiety Skyrocketing | Law.com
Numbers Don't Lie: Exposing the Harsh Truths of Cyber Attacks in New Report (thehackernews.com)
Cyber Security Enters Conversation About Executive Pay - WSJ
Cyber defence makes up majority of cyber security budgets | Security Magazine
How international cyber security frameworks can help CISOs | CSO Online
Balancing risk and compliance: implications of the SEC’s new cyber security regulations | CSO Online
SEC cyber attack regulations prompt 10 questions for CISOs | TechTarget
Should Senior IT Professionals Be Accountable for Professional Decisions? (darkreading.com)
Threats
Ransomware, Extortion and Destructive Attacks
80% of organisations expect ransomware spending to increase | Security Magazine
Akira Ransomware gang targets Cisco ASA without Multi-Factor Auth (securityaffairs.com)
Citrix NetScaler Alert: Ransomware Hackers Exploiting Critical Vulnerability (thehackernews.com)
MOVEit Was a SQL Injection Accident Waiting to Happen (darkreading.com)
Nearly 1,000 Organisations, 60 Million Individuals Impacted by MOVEit Hack - SecurityWeek
Ransomware With an Identity Crisis Targets Small Businesses, Individuals (darkreading.com)
Pay our ransom instead of a GDPR fine, cyber crime gang tells its targets (therecord.media)
Ransomware Attack Cleanup Costs: $11M So Far for Rackspace (govinfosecurity.com)
LogicMonitor customers who didn’t change default passwords were hit by hackers (databreaches.net)
LockBit 3.0 Ransomware Builder Leak Gives Rise to Hundreds of New Variants (thehackernews.com)
Deconstructing ransomware, cyber criminals and their modus operandi | TechRadar
Ransomware Evolution: Smaller Actors, Bigger Impact (govinfosecurity.com)
Ransomware hackers dwell time drops to 5 days, RDP still widely used (bleepingcomputer.com)
Financial Firms Breached in MOVEit Cyber Attacks Now Face Lawsuits (darkreading.com)
Should Companies Pay After Ransomware Attacks? Is It Illegal? (techtarget.com)
How Ransomware Groups Respond to External Pressure (inforisktoday.com)
Decoding the DNA of Ransomware Attacks: Unveiling the Anatomy Behind the Threat (trellix.com)
Rackspace Faces Massive Cleanup Costs After Ransomware Attack (darkreading.com)
8 Types of Ransomware: Examples of Past and Current Attacks (techtarget.com)
Black Basta Besting Your Network? (securityintelligence.com)
Ransomware Victims
Financial Firms Breached in MOVEit Cyber Attacks Now Face Lawsuits (darkreading.com)
Ransomware Attack Cleanup Costs: $11M So Far for Rackspace (govinfosecurity.com)
St Helens Council still dealing with suspected cyber-attack - BBC News
Rhysida claims ransomware attack on Prospect Medical, threatens to sell data (bleepingcomputer.com)
University of Michigan shuts down network after cyber attack (bleepingcomputer.com)
Social Security Numbers leaked in ransomware attack on Ohio History Connection (malwarebytes.com)
Phishing & Email Based Attacks
Phishing as a service continues to plague business users - SiliconANGLE
58% of malicious emails contained spoof content | Security Magazine
13% of employees admit to falling for phishing attacks working at home | Security Magazine
New phishing attacks target FTX users following Kroll data breach – Cryptopolitan
Phishing-as-a-Service Gets Smarter: Microsoft Sounds Alarm on AiTM Attacks (thehackernews.com)
Spain warns of LockBit Locker ransomware phishing attacks (bleepingcomputer.com)
US govt email servers hacked in Barracuda zero-day attacks (bleepingcomputer.com)
Rising Phishing Scams Impact Small Businesses Relying on Social Media (smallbiztrends.com)
Can You Spot Phishing Emails? Test Your Awareness With These Quizzes (makeuseof.com)
How to Spot Phishing Emails & Tips to Avoid Them | Proofpoint US
Other Social Engineering; Smishing, Vishing, etc
Kroll Suffers Data Breach: Employee Falls Victim to SIM Swapping Attack (thehackernews.com)
New phishing attacks target FTX users following Kroll data breach – Cryptopolitan
3 Cryptocurrency Firms Suffer Data Breach After Kroll SIM Swapping Attack - SecurityWeek
Artificial Intelligence
Cyber security agency gives AI chatbot warning (uktech.news)
Why generative AI is a double-edged sword for the cyber security sector | VentureBeat
IT leaders alarmed by generative AI's SaaS security implications - Help Net Security
Is Bias in AI Algorithms a Threat to Cloud Security? (darkreading.com)
Shifting Cyber Security: The Impact and Implications of LLMs (inforisktoday.com)
Vendors Training AI With Customer Data is an Enterprise Risk (darkreading.com)
Advanced Malware: Why AI Can't Help All Hackers (inforisktoday.com)
Hacking the future: Notes from DEF CON’s Generative Red Team Challenge | CSO Online
How to minimize data risk for generative AI and LLMs in the enterprise | VentureBeat
Google launches tool to identify AI-generated images - Help Net Security
2FA/MFA
AITM/MITM
Malware
These 3 loaders were behind 80% of intrusions this year • The Register
20+ Malware Statistics You Need to Know in 2023 (techreport.com)
'Whiffy Recon' Malware Transmits Device Location Every 60 Seconds (darkreading.com)
Top 3 Malware Threatening Businesses in Q2 2023 (cybersecuritynews.com)
Malware Unleashed: Public Sector Hit in Sudden Surge, Reveals New Research (darkreading.com)
Japan's JPCERT warns of new 'MalDoc in PDF' attack technique (securityaffairs.com)
Advanced Malware: Why AI Can't Help All Hackers (inforisktoday.com)
DarkGate Malware Activity Spikes as Developer Rents Out Malware to Affiliates (thehackernews.com)
DreamBus malware exploits RocketMQ flaw to infect servers (bleepingcomputer.com)
Microsoft is using malware-like pop-ups in Windows 11 to get people to ditch Google - The Verge
APT Attacks From 'Earth Estries' Hit Gov't, Tech With Custom Malware (darkreading.com)
SapphireStealer Malware: A Gateway to Espionage and Ransomware Operations (thehackernews.com)
Mobile
Kroll's Crypto Breach Highlights SIM-Swapping Risk (darkreading.com)
Is Mobile Hacking Still a Big Threat in 2023? (makeuseof.com)
New Android MMRat malware uses Protobuf protocol to steal your data (bleepingcomputer.com)
What Are Overlay Attacks? How Do You Protect Against Them? (makeuseof.com)
New Android Banking Trojan Targets Southeast Asia Region (inforisktoday.com)
China-Linked BadBazaar Android Spyware Targeting Signal and Telegram Users (thehackernews.com)
Five Eyes Report: New Russian Malware Targeting Ukrainian Military Android Devices - Security Week
Chinese APT Uses Fake Messenger Apps to Spy on Android Users (inforisktoday.com)
8 Ways To Boost Your Android Phone's Security (slashgear.com)
Botnets
Denial of Service/DoS/DDOS
BYOD
Internet of Things – IoT
Data Breaches/Leaks
Metropolitan Police reports supplier cyber breach | UKAuthority
Kroll Suffers Data Breach: Employee Falls Victim to SIM Swapping Attack (thehackernews.com)
American Express admits APAC employees' data leak, blames a third-party payroll service
Leaseweb is restoring ‘critical’ systems after security breach (bleepingcomputer.com)
French employment agency Pôle emploi data breach impacted 10M peopleSecurity Affairs
Mom’s Meals discloses data breach impacting 1.2 million people (bleepingcomputer.com)
3 Cryptocurrency Firms Suffer Data Breach After Kroll SIM Swapping Attack - Security Week
Paramount discloses data breach following security incident (bleepingcomputer.com)
Cost of a data breach 2023: Financial industry impacts (securityintelligence.com)
Organised Crime & Criminal Actors
Moscow helping cyber criminals operate with 'near impunity': report | The Province
Hacking gangs launch cyber crime syndicate the Five Families (techmonitor.ai)
Microsoft weighs in on Russian-led UN cyber crime treaty • The Register
‘Billion Dollar Heist’: The Wild Story That Should Have Us All Petrified (thedailybeast.com)
Microsoft: UN treaty creates 'ideal conditions' for cyber crime (telecomstechnews.com)
Cyber Criminals use research contests to create new attack methods - Help Net Security
Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain
Fraud, Scams & Financial Crime
Impersonation Attacks
Deepfakes
Insurance
Insurers End Tussle Over Ransomware Attack Coverage - Law360 UK
Delinea Research Reveals a Cyber Insurance Gap (darkreading.com)
Understand the fine print of your cyber insurance policies - Help Net Security
Supply Chain and Third Parties
American Express admits APAC employees' data leak, blames a third-party payroll service
Met should thoroughly investigate cyber security practices, say experts | Evening Standard
Cloud/SaaS
CrowdStrike CTO: 'Rookie mistakes' are hurting cloud security | TechTarget
Better SaaS Security Goes Beyond Procurement (darkreading.com)
Considerations for Reducing Risk When Migrating to the Cloud (darkreading.com)
Hybrid/Remote Working
Identity and Access Management
Encryption
Quantum threats loom in Gartner's 2023 Hype Cycle for data security | VentureBeat
How Quantum Computing Will Impact Cyber Security - Security Week
Passwords, Credential Stuffing & Brute Force Attacks
Four common password mistakes hackers love to exploit (bleepingcomputer.com)
Hackers Launch Brute-Force Attack Cisco ASA SSL VPNs (cybersecuritynews.com)
LogicMonitor customers who didn’t change default passwords were hit by hackers (databreaches.net)
Biometrics
Police Scotland digital strategy seeks real-time biometrics within 5 years | Biometric Update
Elon Musk's X to collect biometric data, work and school history - The Japan Times
Home Office and MoD seeking new facial-recognition tech | Computer Weekly
Social Media
ICO calls social media firms to protect people's data from scraping (bleepingcomputer.com)
EU safety laws start to bite for TikTok, Instagram and others - BBC News
Rising Phishing Scams Impact Small Businesses Relying on Social Media (smallbiztrends.com)
X Plans to Collect Biometric Data, Job and School History (1) (bloomberglaw.com)
Anonymous Sudan hacks X to put pressure on Elon Musk over Starlink - BBC News
Training, Education and Awareness
Can You Spot Phishing Emails? Test Your Awareness With These Quizzes (makeuseof.com)
Cyber awareness education is a change-management initiative | CSO Online
Cyber Bullying, Cyber Stalking and Sextortion
Regulations, Fines and Legislation
Pay our ransom instead of a GDPR fine, cyber crime gang tells its targets (therecord.media)
New law could turn UK into a hacker's playground | Computerworld
Changes to UK Surveillance Regime May Violate International Law (justsecurity.org)
EU safety laws start to bite for TikTok, Instagram and others - BBC News
Draft Cyber Security Audit and Risk Assessment Regulations Issued by CPPA | Mintz - JDSupra
Balancing risk and compliance: implications of the SEC’s new cyber security regulations | CSO Online
Legal Liability for Insecure Software Might Work, but It's Dangerous (darkreading.com)
Models, Frameworks and Standards
What are the Cyber Security Standards of Basel III? | UpGuard
Best practices for MITRE ATT&CK(R) mapping. (thecyberwire.com)
Is the new OWASP API Top 10 helpful to defenders? - Help Net Security
How international cyber security frameworks can help CISOs | CSO Online
Data Protection
ICO calls social media firms to protect people's data from scraping (bleepingcomputer.com)
Are you properly protecting your employees' personal information? | Burr & Forman - JDSupra
Data Protection: One of These Incidents Is Not Like the Other | Troutman Pepper - JDSupra
Draft Cyber Security Audit and Risk Assessment Regulations Issued by CPPA | Mintz - JDSupra
Careers, Working in Cyber and Information Security
Addressing Cyber Security's Talent Shortage & Its Impact on CISOs (darkreading.com)
Unfilled Cyber Security Positions Threaten the Future of Businesses Everywhere | Inc.com
How the Talent Shortage Impacts Cyber Security Leadership (securityintelligence.com)
Law Enforcement Action and Take Downs
Privacy, Surveillance and Mass Monitoring
Police Scotland digital strategy seeks real-time biometrics within 5 years | Biometric Update
Expert shares stark safety warning over Twitter updates | Tech News | Metro News
Misinformation, Disinformation and Propaganda
Nation State Actors, Advanced Persistent Threats (APTs), Cyber Warfare and Cyber Espionage
Russia
'Five Eyes' nations release technical details of Sandworm malware 'Infamous Chisel' | CyberScoop
New York Times Spoofed to Hide Russian Disinformation Campaign (darkreading.com)
NCSC, SBU reveal overt Russian cyber campaign as cyber war continues to evolve | ITPro
Russian 'hybrid' war threatens NATO's eastern flank, Poles warn - Washington Times
Microsoft weighs in on Russian-led UN cyber crime treaty • The Register
Five Eyes Report: New Russian Malware Targeting Ukrainian Military Android Devices - Security Week
Anonymous Sudan hacks X to put pressure on Elon Musk over Starlink - BBC News
China
Microsoft signing keys keep getting hijacked, to the delight of Chinese threat actors | Ars Technica
China-Based APT Flies Under Radar in Espionage Attacks | Decipher (duo.com)
China-Linked Flax Typhoon Cyber Espionage Targets Taiwan's Key Sectors (thehackernews.com)
Barracuda flaw: FBI warns customers over ineffective patch | ITPro
Almost a third of compromised Barracuda ESGs were govt owned • The Register
James Cleverly's China cyber security talks unlikely to spur change (techmonitor.ai)
Japan’s cyber security agency suffers months-long breach | Financial Times (ft.com)
China-Linked BadBazaar Android Spyware Targeting Signal and Telegram Users (thehackernews.com)
APT Attacks From 'Earth Estries' Hit Gov't, Tech With Custom Malware (darkreading.com)
Chinese APT Uses Fake Messenger Apps to Spy on Android Users (inforisktoday.com)
North Korea
North Korea’s Lazarus Group hits organisations with two new RATs | CSO Online
Lazarus Group Debuts Tiny Trojan for Espionage Attacks (databreachtoday.co.uk)
Cyber Scams Keep North Korean Missiles Flying – Analysis – Eurasia Review
North Korea’s Lazarus hackers behind recent crypto heists: FBI (therecord.media)
North Korean hackers behind malicious VMConnect PyPI campaign (bleepingcomputer.com)
Vulnerability Management
New law could turn UK into a hacker's playground | Computerworld
40% of Log4j Downloads Still Vulnerable (securityintelligence.com)
How did Clop get its hands on the MOVEit zero day? (therecord.media)
Vulnerabilities
Cisco fixes 3 high-severity DoS flaws in NX-OS and FXOS software (securityaffairs.com)
Citrix NetScaler Alert: Ransomware Hackers Exploiting Critical Vulnerability (thehackernews.com)
Microsoft Teams attack exposes collab platform security gaps | TechTarget
Barracuda flaw: FBI warns customers over ineffective patch | ITPro
Barracuda thought it drove 0-day hackers out of customers’ networks. It was wrong. | Ars Technica
CISA Adds Two Known Exploited Vulnerabilities to Catalog | CISA
Exploit released for Juniper firewall bugs allowing RCE attacks (bleepingcomputer.com)
Google Chrome 116's second point update addresses a security issue - gHacks Tech News
Forminator WordPress Plugin Vulnerability Affects Up To 400,000+ Websites (searchenginejournal.com)
Threat actors started exploiting Juniper flaws shortly after PoC release (securityaffairs.com)
Hackers Launch Brute-Force Attack Cisco ASA SSL VPNs (cybersecuritynews.com)
Splunk Patches High-Severity Flaws in Enterprise, IT Service Intelligence - Security Week
This WordPress plugin with 5 million users could have a serious security flaw | TechRadar
Cyber Attackers Swarm OpenFire Cloud Servers With Takeover Barrage (darkreading.com)
Tools and Controls
Why generative AI is a double-edged sword for the cyber security sector | VentureBeat
Cyber defence makes up majority of cyber security budgets | Security Magazine
Ransomware hackers dwell time drops to 5 days, RDP still widely used (bleepingcomputer.com)
Think twice before accepting notifications on Chrome: threats on the rise | Cybernews
Considerations for Reducing Risk When Migrating to the Cloud (darkreading.com)
Enterprise dark web monitoring: Why it's worth the investment | TechTarget
Phishing Simulations Boost Cyber Awareness and Defences | Mimecast
Is the new OWASP API Top 10 helpful to defenders? - Help Net Security
Here's What Your Breach Response Plan Might Be Missing (darkreading.com)
Why Traditional Firewalls Are Not Adequate for Your Network Security (makeuseof.com)
Combining EPP and EDR tools can boost your endpoint security (securityintelligence.com)
Automated Threat Hunting: AI Helps Spot Shady Network Activity (readwrite.com)
Detecting the Undetected: The Risk to Your Info (securityintelligence.com)
National Grid plots ‘honeypots’ to catch hackers as cyber attacks ramp up (telegraph.co.uk)
Other News
Cyber attacks reveal threat to democracy (ukdefencejournal.org.uk)
Hackers Use $30 Gear To Bring Poland's Railways To A Grinding Halt
When lives rely on equipment, cyber security is essential | Healthcare IT News
Think twice before accepting notifications on Chrome: threats on the rise | Cybernews
Rising cyber incidents challenge healthcare organisations - Help Net Security
Updated Best Practice Playbook for Healthcare Cyber Threats (inforisktoday.com)
Navigating Legacy Infrastructure: A CISO's Actionable Strategy for Success (thehackernews.com)
Legal Liability for Insecure Software Might Work, but It's Dangerous (darkreading.com)
69% of educational organisations suffered cyber attack in the past year - Netwrix survey
Out-Of-Office: How To Ensure Cyber Security During Vulnerable Periods (forbes.com)
Manufacturing firms hit by the worst encryption rate in three years (manufacturing-today.com)
Cyber Attacks Targeting E-commerce Applications (thehackernews.com)
Industrial networks need better security as attacks gain scale | ZDNET
National Grid plots ‘honeypots’ to catch hackers as cyber attacks ramp up (telegraph.co.uk)
Sector Specific
Industry specific threat intelligence reports are available.
Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.
· Automotive
· Construction
· Critical National Infrastructure (CNI)
· Defence & Space
· Education & Academia
· Energy & Utilities
· Estate Agencies
· Financial Services
· FinTech
· Food & Agriculture
· Gaming & Gambling
· Government & Public Sector (including Law Enforcement)
· Health/Medical/Pharma
· Hotels & Hospitality
· Insurance
· Legal
· Manufacturing
· Maritime
· Oil, Gas & Mining
· OT, ICS, IIoT, SCADA & Cyber-Physical Systems
· Retail & eCommerce
· Small and Medium Sized Businesses (SMBs)
· Startups
· Telecoms
· Third Sector & Charities
· Transport & Aviation
· Web3
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Threat Briefing 05 May 2023
Black Arrow Cyber Threat Briefing 05 May 2023:
- Boards Need Better Conversations About Cyber Security
- Uber’s Ex-Security Chief Sentenced for Security Breach
- Global Cyber Attacks Rise by 7% in Q1 2023
- Three-Quarters of Firms Predict Breach in Coming Year
- The Costly Threat That Many Businesses Fail to Address
- European Data at Risk with Tick-box GDPR Compliance and High Cyber Attack Volumes
- Understanding Cyber Threat Intelligence for Business Security
- Hackers Are Finding Ways to Evade Latest Cyber Security Tools
- Study Shows a 27% Spike in Publicly Known Ransomware Victims
- Data Loss Costs Are Going Up – and Not Just for Those Who Choose to Pay Thieves
- Give NotPetya-hit Merck that $1.4B, Appeals Court Tells Insurers
- 4 Ways Leaders Should Re-evaluate Their Cyber Security's Focus
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
Boards Need Better Conversations About Cyber Security
In a survey by Harvard Business Review, 65% of directors believed their organisations were at risk of a cyber attack within the next 12 months, and almost half believed they were unprepared to cope with such an attack. Boards that struggle with their role in providing oversight for cyber security create a security problem for their organisations. By not focusing on resilience, boards fail their companies and their stakeholders.
Regarding board interactions with CISOs, just 69% of responding board members see eye-to-eye with their chief information security officers (CISOs). Fewer than half (47%) of members serve on boards that interact with their CISOs regularly, and almost a third of them only see their CISOs at board presentations. This is worrying, as this leaves little time for leaders to have a meaningful dialogue about cyber security.
As a result, boards need to discuss their organisations’ cyber security-induced risks and evaluate plans to manage those risks frequently; the CISO should be involved in this. With the right conversations about keeping the organisation resilient, they can take the next step to provide adequate cyber security oversight. To bring more cyber security into the board room, board members may need to gain expertise, whether through frequent training or development programmes.
https://hbr.org/2023/05/boards-are-having-the-wrong-conversations-about-cybersecurity
Uber’s Ex-Security Chief Sentenced for Security Breach
Earlier this week, Uber’s former head of cyber security, Joseph Sullivan, faced several years of prison time for covering up a massive security breach at the ride-hailing company seven years ago. When it actually came to sentencing he managed to avoid jail but received three years of probation and 200 hours of community service, despite pleas from the prosecution to throw him in jail.
The case highlights the seriousness of covering up a security breach, as at one point the ex-security chief was looking at 24-30 months of jail time. With increasing regulations and focus on cyber security, it is unlikely that this is a one-off incident.
https://gizmodo.com/uber-security-joe-sullivan-sentenced-prison-data-breach-1850403347
Global Cyber Attacks Rise by 7% in Q1 2023
Weekly cyber attacks have increased worldwide by 7% in Q1 2023 compared to the same period last year, with each firm facing an average of 1,248 attacks per week according to Check Point’s latest research. The report highlights a number of sophisticated campaigns including using ChatGPT for code generation to help less-skilled threat actors effortlessly launch cyber attacks.
The Check Point report also shows that 1 in 31 organisations worldwide experienced a ransomware attack weekly over the first quarter of 2023. To defend against such threats, the security researchers recommended a series of cyber safety tips, such as keeping computers and servers up-to-date, conducting regular cyber awareness training and utilising better threat prevention tools, among others.
https://www.infosecurity-magazine.com/news/global-cyber-attacks-rise-7-q1-2023/
Three-Quarters of Firms Predict a Breach in the Coming Year
Most global organisations anticipate suffering a data breach or cyber attack in the next 12 months. Trend Micro’s six-monthly Cyber Risk Index (CRI) was compiled from interviews with 3,729 global organisations.
While results of the index score move in a positive direction showing organisations are taking steps to improve cyber preparedness, most responding organisations are pessimistic about the year ahead.
Respondents pointed to both negligent insiders and mobile users, and a lack of trained staff, as a key cause of concern going forward. Alongside cloud infrastructure and virtual computing environments, these comprised the top five infrastructure risks.
https://www.infosecurity-magazine.com/news/threequarters-firms-predict-breach/
The Costly Threat That Many Businesses Fail to Address
Insider attacks such as fraud, sabotage, and data theft plague 71% of businesses, according to a recent report. The report found companies that allow excessive data access are much more likely to suffer insider attacks. However, only 57% of companies limit data appropriately while 31% allow employees access to more data than necessary and 12% allow employees access to all company data.
Alarmingly, of the companies that have experienced insider attacks, one in three (34%) report that the attack involved an employee with privileged access. Data theft was the most common type of insider attack, reported by 38% of businesses.
Insider attacks can damage businesses’ reputations, finances, and competitiveness, and therefore companies should take a proactive approach in preventing these incidents.
https://www.helpnetsecurity.com/2023/05/02/insider-attacks-damage/
European Data at Risk with Tick-box GDPR Compliance and High Cyber Attack Volumes
Recent research revealed that European IT and security leaders may be dangerously over-confident in their ability to avoid cyber attacks and mitigate the risk of serious data compromise. The findings reveal that most organisations have suffered a serious cyber attack in the last two years, with over half of respondents saying their company suffered an attack 1 to 3 times in this time period. Worryingly, 20% of respondents claim to have been attacked 4 to 6 times. Only 18% managed to avoid an attack altogether.
Worryingly, three-quarters (76%) of those interviewed admit they’re taking a tick-box approach to GDPR compliance, which involves doing the bare minimum on data privacy and security. Although most (97%) have a contingency plan in place should they get breached, a quarter (26%) have not tested it.
Around two-thirds of respondents say their organisation considers customer (66%) and financial data (63%) to be “risky.” But the figure drops to 60% for employee data, and even further for intellectual property (45%) and health data (28%). Alarmingly, health-related data is classified as a special category data by GDPR, meaning it requires more protection.
Understanding Cyber Threat Intelligence for Business Security
Cyber threat intelligence is not a solution itself, but a crucial component of any mature security programme, enabling organisations to gain insights into the motives, targets and behaviours of threat actors. As such, it is crucial for businesses looking to protect themselves from the ever-evolving cyber threat landscape.
Some of the benefits of effective cyber threat intelligence to a business include early threat detection, improved response, regulation compliance, competitive advantage and cost savings. It is important to highlight that an organisation does not need to come up with their own cyber threat intelligence initiative, it can instead be purchased as a service.
Hackers Are Finding Ways to Evade Latest Cyber Security Tools
As hacking has gotten more destructive and pervasive, new defensive tools continue to be developed. One such tool is called endpoint detection and response (EDR) software, it’s designed to spot early signs of malicious activity on laptops, servers and other devices known as “endpoints” on a computer network — and block them before intruders can steal data or lock the machines.
Experts however, claim hackers have developed workarounds for some forms of the technology, allowing them to slip past products that have become the gold standard for protecting critical systems. Security software is not enough on its own, it is just one of the layers of defence that organisations should employ as part of their cyber resilience; there is no silver bullet.
https://finance.yahoo.com/news/hackers-finding-ways-evade-latest-131600565.html
Study Shows a 27% Spike in Publicly Known Ransomware Victims
A report released this week highlights a 27% increase in publicly known ransomware victims in the first quarter of the year. Some of the report’s key findings include the fact that manufacturing, technology, education, banking, finance, and healthcare organisations are the largest to be exposed to ransomware.
The report identified an increase in the use of “double extortion” as an attack model. This method is where ransomware groups not only encrypt files but also exfiltrate data. The top five most active ransomware threat actors are LockBit, Clop, AlphV, Royal and BianLian.
Data Loss Costs Are Going Up – and Not Just for Those Who Choose to Pay Thieves
A recent report found while the number of ransomware incidents that firms responded to dipped in early 2022, it came roaring back toward the end of the year and into early 2023. With this came higher ransom demands and, eventually, payments. The largest ransom demand last year was more than $90 million, with the largest payment exceeding $8 million. Both were larger than in 2021 (more than $60 million and $5.5 million respectively).
Ransomware groups are upping their attacks all the time and you don’t want to be an easy target.
https://www.theregister.com/2023/05/02/data_breach_costs_rise/
Give NotPetya-hit Merck that $1.4B, Appeals Court Tells Insurers
In a significant ruling this week a court in the US found that pharmaceutical company Merck's insurers can't use an "act of war" clause to deny the pharmaceutical giant an enormous payout to clean up its NotPetya infection from 2017. The ruling will also undoubtedly affect the language used in underwriting policies, especially when it comes to risks such as ransomware and cyber warfare.
https://www.theregister.com/2023/05/03/merck_14bn_insurance_payout_upheld/
4 Ways Leaders Should Re-evaluate Their Cyber Security's Focus
The technology industry has long been building walls around structured data and communications—with little consideration of how employees use that information. Outlined below are four 4 ways leaders can better protect raw data.
Recognise that priorities have evolved.
Understand that security burdens have changed.
Understand why, despite best efforts, criminals are still successful.
Evaluate the ways in which you are protecting your most vulnerable data.
Threats
Ransomware, Extortion and Destructive Attacks
Data loss costs go up, and not just from ransom shakedowns • The Register
To Fight Ransomware, Move Beyond Detection to Real-Time Response, Fortinet Study Says - MSSP Alert
Using Threat Intelligence to Get Smarter About Ransomware – Security Week
Merck's $1.4B NotPetya insurance payout upheld by court • The Register
GuidePoint Study Shows a 27% Spike in Public Ransomware Victims - MSSP Alert
Rapture, a Ransomware Family With Similarities to Paradise (trendmicro.com)
The Tragic Fallout From a School District’s Ransomware Breach | WIRED
Hackers leak images to taunt Western Digital's cyber attack response (bleepingcomputer.com)
‘Big game hunting’ hackers ALPHV claim major breach of law firm HWL Ebsworth (afr.com)
FBI Uncovers 9 Crypto Exchanges In Ransomware Laundering (informationsecuritybuzz.com)
Legitimate Software Abuse: A Disturbing Trend in Ransomware Attacks (darkreading.com)
US, Ukraine Shut Down Cryptocurrency Exchanges Used by Cyber criminals – Security Week
BlackCat group releases screenshots of stolen Western Digital data | CSO Online
Ransomware Attack Affects Dallas Police, Court Websites – Security Week
Studies show ransomware has already caused patient deaths | TechTarget
Cold storage giant Americold outage caused by network breach (bleepingcomputer.com)
Payment software giant AvidXchange suffers its second ransomware attack of 2023 | TechCrunch
City of Dallas hit by Royal ransomware attack impacting IT services (bleepingcomputer.com)
Ransomware gang hijacks university alert system to issue threats (bleepingcomputer.com)
Cyber attack cost conveyancing giant £7m - but the insurers paid up | News | Law Gazette
Teiss - News - Lockbit 3.0 targets Fullerton India, demands a £2.3 million ransom
Phishing & Email Based Attacks
Malicious HTML Attachment Volumes Surge - Infosecurity Magazine (infosecurity-magazine.com)
A Comprehensive Look At Email-Based Threats In 2023 (informationsecuritybuzz.com)
Other Social Engineering; Smishing, Vishing, etc
Malware
ViperSoftX info-stealing malware now targets password managers (bleepingcomputer.com)
Google Ads Abused to Lure Corporate Workers to LOBSHOT Backdoor (darkreading.com)
Security experts are using malware's own code to protect potential victims | TechSpot
New Decoy Dog Malware Toolkit Uncovered: Targeting Enterprise Networks (thehackernews.com)
How to Detect and Remove a Keylogger From Your Computer (howtogeek.com)
Hackers start using double DLL sideloading to evade detection (bleepingcomputer.com)
Mobile
Apple pushes first-ever 'rapid' patch, rapidly screws up • The Register
Google fought a mountain of malware in 2022 | Android Central
Google Bans Thousands of Play Store Developer Accounts to Block Malware (darkreading.com)
Digital Intruders – Top Ways Hackers Can Breach Your Smartphone’s Security (freecodecamp.org)
Smartphone owners warned about ‘shoulder-surfing’ thieves (thetimes.co.uk)
Botnets
Cyber criminals use proxies to legitimise fraudulent requests - Help Net Security
Bot Attacks Are Easy to Launch, Human Security Reports - MSSP Alert
Denial of Service/DoS/DDOS
Internet of Things – IoT
Hackers exploit 5-year-old unpatched flaw in TBK DVR devices (bleepingcomputer.com)
CISA warns of Mirai botnet exploiting TP-Link routers • The Register
Drone goggles maker claims firmware sabotaged to ‘brick’ devices (bleepingcomputer.com)
Data Breaches/Leaks
Kodi Forum Data Breach - Lessons Learned, Actions Taken | News | Kodi
T-Mobile suffered the second data breach in 2023 - Security Affairs
Sensitive data is being leaked from servers running Salesforce software | Ars Technica
ChatGPT Confirms Data Breach, Raising Security Concerns (securityintelligence.com)
Millions of patients’ data confirmed stolen after Fortra mass-hack | TechCrunch
TikTok security breach allowed attackers to leak personal information (ynetnews.com)
Organised Crime & Criminal Actors
Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain
Crooks broke into AT&T email accounts to empty their crypto wallets - Security Affairs
Level Finance crypto exchange hacked after two security audits (bleepingcomputer.com)
Hackers stole $93M from crypto projects in April (cryptoslate.com)
Insider Risk and Insider Threats
The costly threat that many businesses fail to address - Help Net Security
The hidden security risks in tech layoffs and how to mitigate them | CSO Online
Fraud, Scams & Financial Crime
Hackers swap stealth for realistic checkout forms to steal credit cards (bleepingcomputer.com)
Advanced Fee Fraud Surges by Over 600% - Infosecurity Magazine (infosecurity-magazine.com)
Cyber criminals use proxies to legitimize fraudulent requests - Help Net Security
UK to ban all cold calls selling financial products - BBC News
Smartphone owners warned about ‘shoulder-surfing’ thieves (thetimes.co.uk)
UK intelligence agencies to step up anti-fraud efforts | Financial Times (ft.com)
National Crime Agency urged to crush rogue US candy stores (thetimes.co.uk)
Clampdown on cold calls and mass texting technology announced in UK | Scams | The Guardian
AML/CFT/Sanctions
Dark Web
FBI Uncovers 9 Crypto Exchanges In Ransomware Laundering (informationsecuritybuzz.com)
US, Ukraine Shut Down Cryptocurrency Exchanges Used by Cyber criminals – Security Week
Supply Chain and Third Parties
How to keep calm and carry on in a supply chain attack • The Register
SolarWinds: The Untold Story of the Boldest Supply-Chain Hack | WIRED
DOJ Detected SolarWinds Breach Months Before Public Disclosure | WIRED
Aviva says it thinks customer data secure after Capita cyber attack (proactiveinvestors.co.uk)
Cloud/SaaS
Using just-in-time access to reduce cloud security risk - Help Net Security
Cloud security threats are growing faster than ever | TechRadar
Hybrid/Remote Working
Employees Using ‘Productivity Theater’ To Protect Against Surveillance, Study Finds (forbes.com)
White House seeks information on tools used for automated employee surveillance | Computerworld
Attack Surface Management
Encryption
API
Report shows 92% of orgs experienced an API security incident last year | VentureBeat
Researchers Discover 3 Vulnerabilities in Microsoft Azure API Management Service (thehackernews.com)
5 API security best practices you must implement - Help Net Security
Top API vulnerabilities organisations can't afford to ignore - Help Net Security
Open Source
Passwords, Credential Stuffing & Brute Force Attacks
ViperSoftX info-stealing malware now targets password managers (bleepingcomputer.com)
Your passwords could be cracked using thermal cameras powered by AI | TechRadar
Your Google Account is getting rid of its password (androidpolice.com)
PSA. Don’t share your password in your app’s release notes • Graham Cluley
Social Media
TikTok security breach allowed attackers to leak personal information (ynetnews.com)
Twitter outage logs you out and won’t let you back in (bleepingcomputer.com)
Meta kills over 1,000 ChatGPT-related malicious spoofs • The Register
Strike 3: FTC says Meta still failing to protect privacy • The Register
Malvertising
Regulations, Fines and Legislation
European Data at Risk With Tick-box GDPR Compliance and High Cyber attack Volumes- IT Security Guru
White House unveils AI rules to address safety and privacy | Computerworld
Governance, Risk and Compliance
Hackers Are Finding Ways to Evade Latest Cyber security Tools (yahoo.com)
Global Cyber Attacks Rise by 7% in Q1 2023 - Infosecurity Magazine (infosecurity-magazine.com)
European Data at Risk With Tick-box GDPR Compliance and High Cyber attack Volumes- IT Security Guru
Data loss costs go up, and not just from ransom shakedowns • The Register
Boards Are Having the Wrong Conversations About Cyber security (hbr.org)
Uber Ex-Security Chief Joe Sullivan to Be Sentenced for Breach (gizmodo.com)
Trends and Insights from the New Global Threat Intelligence Report - MSSP Alert
Why Your Detection-First Security Approach Isn't Working (thehackernews.com)
How Strategic Threat Intelligence Elevates a Cyber security Program (accelerationeconomy.com)
Benefits and Challenges of Data Analytics in Cyber security (analyticsinsight.net)
What the Cyber security Industry Can Learn From the SVB Crisis (darkreading.com)
4 Ways Leaders Should Reevaluate Their Cyber security's Focus (forbes.com)
Optimising Cyber Security Costs In A Recession (informationsecuritybuzz.com)
Malicious content lurks all over the web - Help Net Security
Microsoft Digital Defence Report: Key Cyber crime Trends (darkreading.com)
Closing up holes: Infoseccers on being less reactive • The Register
Organisations brace for cyber attacks despite improved preparedness - Help Net Security
Global Cyber Risk Lowers to Moderate Level in 2H' 2022 (trendmicro.com)
Japan’s ‘myth of security’ raises cyber attack risk | Financial Times (ft.com)
Secure Disposal
Careers, Working in Cyber and Information Security
UK Cyber Security Council launches certification mapping tool - Help Net Security
DHS’ cyber talent management system slowly gaining traction | Federal News Network
The warning signs for security analyst burnout and ways to prevent - Help Net Security
Google Launches Cyber security Career Certificate Program (darkreading.com)
Law Enforcement Action and Take Downs
FBI Uncovers 9 Crypto Exchanges In Ransomware Laundering (informationsecuritybuzz.com)
US, Ukraine Shut Down Cryptocurrency Exchanges Used by Cyber criminals - SecurityWeek
Privacy, Surveillance and Mass Monitoring
Open Banking: A Perfect Storm for Security and Privacy? - SecurityWeek
Employees Using ‘Productivity Theater’ To Protect Against Surveillance, Study Finds (forbes.com)
Apple and Google Team Up to Stop Unwanted Tracking by AirTags, Other Devices - CNET
White House seeks information on tools used for automated employee surveillance | Computerworld
Strike 3: FTC says Meta still failing to protect privacy • The Register
Artificial Intelligence
5 ways threat actors can use ChatGPT to enhance attacks | CSO Online
Workers are secretly using ChatGPT, AI, with big risks for companies (cnbc.com)
AI will do 'real damage', warns Microsoft chief (telegraph.co.uk)
Microsoft’s chief economist says A.I. can be dangerous | Fortune
It's time to harden AI and ML for cyber security | TechTarget
Stop using generative-AI tools, Samsung orders staff | Digital Trends
ChatGPT Confirms Data Breach, Raising Security Concerns (securityintelligence.com)
How To Secure Web Applications Against AI-assisted Cyber Attacks (bleepingcomputer.com)
PrivateGPT Tackles Sensitive Info in ChatGPT Prompts (darkreading.com)
Meta kills over 1,000 ChatGPT-related malicious spoofs • The Register
How AI is reshaping the cyber security landscape - Help Net Security
White House unveils AI rules to address safety and privacy | Computerworld
Misinformation, Disinformation and Propaganda
Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine
Hackers use fake ‘Windows Update’ guides to target Ukrainian govt (bleepingcomputer.com)
Russian APT Hacked Tajikistani Carrier to Spy on Government, Public Services - SecurityWeek
Russian APT Nomadic Octopus hacked Tajikistani carrier - Security Affairs
Russia’s APT28 targets Ukraine with bogus Windows updates • The Register
Russian spy network smuggles sensitive EU tech despite sanctions | Financial Times (ft.com)
Finnish newspaper hides Ukraine news reports for Russians in online game | Censorship | The Guardian
Meta Unravels Social Media Cyber Espionage Operations In South Asia (informationsecuritybuzz.com)
Nation State Actors
China’s Hackers Vastly Outnumber US. Cyber Agents by 50 to 1, FBI Director Testifies - MSSP Alert
Chinese APT Uses New 'Stack Rumbling' Technique to Disable Security Software - SecurityWeek
China 'Innovated' Its Cyber attack Tradecraft, Mandia Says (darkreading.com)
'BellaCiao' Showcases How Iran's Threat Groups Are Modernizing Their Malware (darkreading.com)
APT41 Subgroup Plows Through Asia-Pacific, Utilizing Layered Stealth Tactics (darkreading.com)
APT41’s PowerShell Backdoor Download Files From Windows (cyber securitynews.com)
US Chamber of Commerce warns of major increase in risks for businesses in China | CNN Business
China’s ‘men in black’ step up scrutiny of foreign corporate sleuths | Financial Times (ft.com)
Microsoft says Iranian hackers combine influence ops with hacking for maximum impact | CyberScoop
Attack on Security Titans: Earth Longzhi Returns With New Tricks (trendmicro.com)
North Korean APT Gets Around Macro-Blocking With LNK Switch-Up (darkreading.com)
Meta Unravels Social Media Cyber Espionage Operations In South Asia (informationsecuritybuzz.com)
China labels USA ‘Empire of hacking’ citing old WikiLeaks • The Register
Kimsuky hackers use new recon tool to find security gaps (bleepingcomputer.com)
Vulnerability Management
Vulnerabilities
WordPress Vulnerability Hits +1 Million Using Header & Footer Plugin (searchenginejournal.com)
Cisco discloses a bug in Prime Collaboration Deployment solution - Security Affairs
Cisco Warns of Critical Vulnerability in EoL Phone Adapters - SecurityWeek
Apple pushes first-ever 'rapid' patch, rapidly screws up • The Register
Zyxel Firewall Devices Vulnerable to Remote Code Execution Attacks — Patch Now (thehackernews.com)
Researchers Uncover New BGP Flaws in Popular Internet Routing Protocol Software (thehackernews.com)
AMD TPM Exploit: faulTPM Attack Defeats BitLocker and TPM-Based Security (Updated) (msn.com)
Netgear Vulnerabilities Lead to Credentials Leak, Privilege Escalation - SecurityWeek
Researchers Discover 3 Vulnerabilities in Microsoft Azure API Management Service (thehackernews.com)
Apple Releases First-Ever Security Updates for Beats, AirPods Headphones - SecurityWeek
Some of the top AMD chips are suffering a serious security flaw | TechRadar
Tools and Controls
How Strategic Threat Intelligence Elevates a Cyber security Program (accelerationeconomy.com)
86 percent of developers knowingly deploy vulnerable code (betanews.com)
The hidden security risks in tech layoffs and how to mitigate them | CSO Online
Benefits and Challenges of Data Analytics in Cyber security (analyticsinsight.net)
ViperSoftX info-stealing malware now targets password managers (bleepingcomputer.com)
It's time to harden AI and ML for cyber security | TechTarget
Using just-in-time access to reduce cloud security risk - Help Net Security
Using multiple solutions adds complexity to your zero trust strategy - Help Net Security
Your decommissioned routers could be a security disaster | Network World
Wanted Dead or Alive: Real-Time Protection Against Lateral Movement (thehackernews.com)
5 API security best practices you must implement - Help Net Security
3 questions CISOs expect you to answer during a security pitch | TechCrunch
Level Finance crypto exchange hacked after two security audits (bleepingcomputer.com)
4 Principles for Creating a New Blueprint for Secure Software Development (darkreading.com)
How To Secure Web Applications Against AI-assisted Cyber Attacks (bleepingcomputer.com)
AppSec Making Progress or Spinning Its Wheels? (darkreading.com)
Windows admins can now sign up for ‘known issue’ email alerts (bleepingcomputer.com)
Top API vulnerabilities organisations can't afford to ignore - Help Net Security
How AI is reshaping the cyber security landscape - Help Net Security
Getting cyber-resilience right in a zero-trust world starts at the endpoint | VentureBeat
Practical Protection: Limiting the Damage from Local Admin Accounts (practical365.com)
To Fight Cyber Extortion and Ransomware, Shift Left (trendmicro.com)
Using Threat Intelligence to Get Smarter About Ransomware – Security Week
New Generative AI Tools Aim to Improve Security (darkreading.com)
Other News
Firmware Looms as the Next Frontier for Cyber security (darkreading.com)
Open Banking: A Perfect Storm for Security and Privacy? – Security Week
Malicious content lurks all over the web - Help Net Security
How Public-Private Information Sharing Can Level the Cyber security Playing Field (darkreading.com)
Eric Idle tells RSAC to look in the bright side of life • The Register
Your decommissioned routers could be a security disaster | Network World
FBI Focuses on Cyber security With $90M Budget Request (darkreading.com)
Google will remove secure website indicators in Chrome 117 (bleepingcomputer.com)
Sector Specific
Industry specific threat intelligence reports are available.
Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.
· Automotive
· Construction
· Critical National Infrastructure (CNI)
· Defence & Space
· Education & Academia
· Energy & Utilities
· Estate Agencies
· Financial Services
· FinTech
· Food & Agriculture
· Gaming & Gambling
· Government & Public Sector (including Law Enforcement)
· Health/Medical/Pharma
· Hotels & Hospitality
· Insurance
· Legal
· Manufacturing
· Maritime
· Oil, Gas & Mining
· OT, ICS, IIoT, SCADA & Cyber-Physical Systems
· Retail & eCommerce
· Small and Medium Sized Businesses (SMBs)
· Startups
· Telecoms
· Third Sector & Charities
· Transport & Aviation
· Web3
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Threat Briefing 27 January 2023
Black Arrow Cyber Threat Briefing 27 January 2023:
-Supply Chain Attacks Caused More Data Compromises Than Malware
-What Makes Small and Medium-Sized Businesses Vulnerable to BEC Attacks
-Understanding Your Attack Surface Makes It Easier to Prioritise Technologies and Systems
-Cyber Security Pros Sound Alarm Over Insider Threats
-Ransomware Attack Hit KFC and Pizza Hut Stores in the UK
-Forthcoming SEC Rules Will Trigger ‘Tectonic Shift’ in How Corporate Boards Treat Cyber Security
-Why CISOs Make Great Board Members
-View From Davos: The Changing Economics of Cyber Crime
-Cloud Based Networks Under Increasing Attack, Report Finds
-GoTo Admits: Customer Cloud Backups Stolen Together with Decryption Key
-State-Linked Hackers in Russia and Iran are Targeting UK Groups, NCSC Warns
-3.7 Million Customers’ Data of Hilton Hotels Put Up For Sale
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
Supply Chain Attacks Caused More Data Compromises Than Malware
According to the Identity Theft Resource Center, data compromises steadily increased in the second half of 2022 and cyber attacks remained the primary source of data breaches.
The number of data breaches resulting from supply chain attacks exceeded malware related compromises in 2022 by 40%. According to the report, more than 10 million people were impacted by supply chain attacks targeting 1,743 entities. By comparison, 70 malware-based cyber attacks affected 4.3 million people.
https://www.helpnetsecurity.com/2023/01/26/data-compromises-2022/
What Makes Small and Medium-Sized Businesses Vulnerable to BEC Attacks
According to the United States’ FBI’s 2021 Internet Crime Report, business email compromise (BEC) accounted for almost a third of the country’s $6.9 billion in cyber losses that year – around $2.4 billion. In surprisingly sharp contrast, ransomware attacks accounted for only $50 million of those losses.
Small and medium-sized businesses (SMBs) are especially vulnerable to this form of attack and BEC’s contribution to annual cyber losses not only makes sense but is also likely underreported.
In stark contrast to highly disruptive ransomware attacks, BEC is subversive and is neither technically complicated nor expensive to deploy. In the case of large organisations, the financial fallout of BEC is almost negligible. That’s not the case for small and medium-sized businesses, which often lack the means to absorb similar financial losses.
BEC’s simplicity gives more credence for attackers to target smaller organisations, and because of that, it’s doubly essential for SMBs to be vigilant.
Understanding Your Attack Surface Makes It Easier to Prioritise Technologies and Systems
It has been observed that attackers will attempt to start exploiting vulnerabilities within the first fifteen minutes of their disclosure. As the time to patch gets shorter, organisations need to be more pragmatic when it comes to remediating vulnerabilities, particularly when it comes to prioritisation.
Attack surfaces constantly evolve and change as new applications are developed, old systems are decommissioned, and new assets are registered. Also, more and more organisations are moving towards cloud-hosted infrastructure, which changes the risk and responsibility for securing those assets. Therefore, it is essential to carry out continuous or regular assessments to understand what systems are at risk, instead of just taking a point-in-time snapshot of how the attack surface looks at that moment.
The first step would be to map “traditional” asset types – those easily associated with an organisation and easy to monitor, such as domains and IP addresses. Ownership of these assets can be easily identified through available information (e.g., WHOIS data). The less traditional asset types (such as GitHub repositories) aren’t directly owned by the organisation but can also provide high-value targets or information for attackers.
It’s also important to understand which technologies are in use to make sound judgements based on the vulnerabilities relevant to the organisation. For example, out of one hundred vulnerabilities released within one month only 20% might affect the organisation’s technologies.
Once organisations have a good understanding of which assets might be at risk, context and prioritisation can be applied to the vulnerabilities affecting those assets. Threat intelligence can be utilised to determine which vulnerabilities are already being exploited in the wild.
What is then the correct answer for this conundrum? The answer is that there is no answer! Instead, organisations should consider a mindset shift and look towards preventing issues whilst adopting a defence-in-depth approach; focus on minimising impact and risk by prioritising assets that matter the most and reducing time spent on addressing those that don’t. This can be achieved by understanding your organisation’s attack surface and prioritising issues based on context and relevance.
https://www.helpnetsecurity.com/2023/01/24/understanding-your-attack-surface/
Cyber Security Pros Sound Alarm Over Insider Threats
Gurucul, a security information and event management (SIEM) solution provider, and Cyber security Insiders, a 600,000-plus member online community for information security professionals, found in their annual 2023 Insider Threat Report that only 3% of respondents surveyed are not concerned with insider risk.
Among all potential insiders, cyber security professionals are most concerned about IT users and admins with far-reaching access privileges (60%). This is followed by third-party contractors (such as MSPs and MSSPs) and service providers (57%), regular employees (55%), and privileged business users (53%).
The research also found that more than half of organisations in the study had been victimised by an insider threat in the past year. According to the data, 75% of the respondents believe they are moderately to extremely vulnerable to insider threats, an 8% spike from last year. That coincided with a similar percentage who said attacks have become more frequent, with 60% experiencing at least one attack and 25% getting hit by more than six attacks.
Ransomware Attack Hit KFC and Pizza Hut Stores in the UK
Nearly 300 fast food restaurants, including branches of KFC and Pizza Hut, were forced to close following a ransomware attack against parent company Yum! Brands. In a statement dated 18 January 2023, Yum! confirmed that unnamed ransomware had impacted some of its IT infrastructure, and that data had been exfiltrated by hackers from its servers. However, although an investigation into the security breach continues, the company said that it had seen no evidence that customer details had been exposed.
What has not yet been made public, and may not even be known to those investigating the breach, is how long hackers might have had access to the company's IT infrastructure, and how they might have been able to gain access to what should have been a secure system. Yum! has also not shared whether it has received a ransom demand from its attackers, and if it did how much ransom was demanded, and whether it would be prepared to negotiate with its extortionists.
Forthcoming SEC Rules Will Trigger ‘Tectonic Shift’ in How Corporate Boards Treat Cyber Security
Under rules first proposed in 2022 but expected to be finalised as soon as April 2023, publicly traded companies in the US that determine a cyber incident has become “material”, meaning it could have a significant impact on the business, must disclose details to the SEC and investors within four business days. That requirement would also apply “when a series of previously undisclosed, individually immaterial cyber security incidents has become material in the aggregate.
The SEC’s rules will also require the boards of those companies to disclose significant information on their security governance, such as how and when it exercises oversight on cyber risks. That info includes identifying who on the board (or which subcommittee) is responsible for cyber security and their relevant expertise. Required disclosures will also include how often and by which processes board members are informed and discuss cyber risk. The former cyber adviser to the SEC commented that “The problem we have with the current cyber security ecosystem is that it’s very focused on technical mitigation measures and does not contemplate these business, operational, [or] financial factors.”
Whilst this only impacts US firms, we can expect other jurisdictions to follow suit.
Why CISOs Make Great Board Members
Cyber security-related risk is a top concern, so boards need to know they have the proper oversight in place. The past three years created a perfect storm situation with lasting consequences for how we think about cyber security, and as a result cyber security technologies and teams have shifted from being viewed as a cost centre to a business enabler.
Gartner predicts that by 2025, 40% of companies will have a dedicated cyber security committee. Who is better suited than a CISO to lead that conversation? Cyber security-related risk is a top concern, so boards need to know they have the proper oversight in place. CISOs can provide advice on moving forward with digital change initiatives and help companies prepare for the future. They can explain the organisation’s risk posture, including exposure related to geopolitical conflict as well as to new business initiatives and emerging threats, and what can be done to mitigate risk.
Lastly, the role of the CISO has evolved from being a risk metrics presenter to a translator of risk to the business. Therefore, the expertise CISOs have developed in recent years in how to explain risk to the board makes them valuable contributors to these conversations. They can elevate the discussion to ensure deep understanding of the trade-offs between growth and risk, enable more informed decision-making, and serve as guardrails for total business alignment.
https://www.securityweek.com/why-cisos-make-great-board-members/
View From Davos: The Changing Economics of Cyber Crime
Cyber crime is a risk created by humans, driven by the economic conditions of high profit and easy opportunity. Ransomware is the most recent monetisation of these motives and opportunities, and it has evolved from simple malware to advanced exploits and double or triple extortion models.
The motive for cyber crime is clear: to steal money, but the digital nature of cyber crime makes the opportunity uniquely attractive, due to the following:
· Cryptocurrency makes online extortion, trading illicit goods and services, and laundering fraudulent funds highly anonymous and usually beyond the reach of financial regulators or inspection
· There isn't enough fear of getting caught for cyber crime.
· With the explosion in spending on digital transformation, data is the new gold and it is incredibly easy to steal, due to lapses in basic hygiene like encrypting data-at-rest and in-transit or limiting access to only authorised users.
· Paying extortion through extensive cyber insurance policies only feeds the ransomware epidemic by incentivising further crime, as noted by the FBI.
Fighting cyber crime is a team sport, and to succeed, we must adopt this framework of cyber resilience that integrates the technical, policy, behavioural, and economic elements necessary to manage the reality of ever-growing cyber crime as a predictable and manageable cyber risk.
https://www.darkreading.com/edge-articles/view-from-davos-the-changing-economics-of-cybercrime
Cloud Based Networks Under Increasing Attack, Report Finds
As enterprises around the world continue to move to the cloud, cyber criminals are following right behind them. There was a 48 percent year-over-year jump in 2022 in cyber attacks on cloud-based networks, and it comes at a time when 98 percent of global organisations use cloud services, according to Check Point. The increases in cyber attacks were experienced in various regions, including Asia (with a 60 percent jump), Europe (50 percent), and North America (28 percent) according to a report by Checkpoint last week.
Check Point explained that "The rise in attacks on the cloud was driven both by an overall increase in cyber attacks globally (38 percent overall in 2022, compared to 48 percent in the cloud) and also by the fact that it holds much more data and incorporates infrastructure and services from large amounts of potential victims, so when exploited the attacks could have a larger impact,". Later, Checkpoint highlighted that human error is a significant factor in the vulnerability of cloud-based networks.
The report highlighted the need for defence capabilities in the cloud to improve. According to Check Point, this means adopting zero-trust cloud network security controls, incorporating security and compliance earlier in the development lifecycle, avoiding misconfigurations, and using tools such as an intrusion detection and prevention systems and next-generation web application firewalls. As commented by Check Point “it is still up to the network and security admins to make sure all their infrastructure is not vulnerable.
https://www.theregister.com/2023/01/20/cloud_networks_under_attack/
GoTo Admits: Customer Cloud Backups Stolen Together with Decryption Key
On 2022-11-30, GoTo informed customers that it had suffered “a security incident”, summarising the situation as follows:
“Based on the investigation to date, we have detected unusual activity within our development environment and third-party cloud storage service. The third-party cloud storage service is currently shared by both GoTo and its affiliate, LastPass.”
Two months later, GoTo has come back with an update, and the news isn’t great:
“[A] threat actor exfiltrated encrypted backups from a third-party cloud storage service related to the following products: Central, Pro, join.me, Hamachi, and RemotelyAnywhere. We also have evidence that a threat actor exfiltrated an encryption key for a portion of the encrypted backups. The affected information, which varies by product, may include account usernames, salted and hashed passwords, a portion of Multi-Factor Authentication (MFA) settings, as well as some product settings and licensing information.”
The company also noted that although MFA settings for some Rescue and GoToMyPC customers were stolen, their encrypted databases were not.
State-Linked Hackers in Russia and Iran are Targeting UK Groups, NCSC Warns
Russian and Iranian state-linked hackers are increasingly targeting British politicians, journalists and researchers with sophisticated campaigns aimed at gaining access to a person’s email, Britain’s online security agency warned on Thursday. The National Cyber Security Centre (NCSC) issued an alert about two groups from Russia and Iran, warning those in government, defence, thinktanks and the media against clicking on malicious links from people posing as conference hosts, journalists or even colleagues.
Both groups have been active for some years, but it is understood they have recently stepped up their activities in the UK as the war in Ukraine continues, as well as operating in the US and other NATO countries.
The hackers typically seek to gain confidence of a target by impersonating somebody likely to make contact with them, such as by falsely impersonating a journalist, and ultimately luring them to click on a malicious link, sometimes over the course of several emails and other online interactions.
NCSC encourages people to use strong email passwords. One technique is to use three random words, and not replicate it as a login credential on other websites. It recommends people use two-factor authentication, using a mobile phone as part of the log on process, ideally by using a special authenticator app.
The cyber agency also advises people exercise particular caution when receiving plausible sounding messages from strangers who rely on Gmail, Yahoo, Outlook or other webmail accounts, sometimes impersonating “known contacts” of the target culled from social media.
3.7 Million Customers’ Data of Hilton Hotels Put Up For Sale
A member of a hacker forum going by the name IntelBroker, has offered a database allegedly containing the personal information of 3.7 million people participating in the Hilton Hotels Honors program. According to the actor, the data in question includes personally identifying information such as name, address and Honors IDs. According to the Hilton Hotel, no guest login credentials, contacts, or financial information have been leaked.
https://informationsecuritybuzz.com/3-7-millions-customers-data-hilton-hotel-up-for-sale/
Threats
Ransomware, Extortion and Destructive Attacks
Rebranded Ransomware Crews Spike Number of Hijacking Incidents in Q4 2022 - MSSP Alert
The Unrelenting Menace of the LockBit Ransomware Gang | WIRED
Ransomware access brokers use Google ads to breach your network (bleepingcomputer.com)
FBI hacked into Hive ransomware gang, disrupted operations | TechTarget
Ransomware victims are refusing to pay, tanking attackers’ profits | Ars Technica
Vice Society Ransomware Group Targets Manufacturing Companies (trendmicro.com)
New Mimic ransomware abuses ‘Everything’ Windows search tool (bleepingcomputer.com)
Contractor error led to Baltimore schools ransomware attack | TechTarget
LAUSD says Vice Society ransomware gang stole contractors’ SSNs (bleepingcomputer.com)
Riot Games receives ransom demand from hackers, refuses to pay (bleepingcomputer.com)
Phishing & Email Based Attacks
State-linked hackers in Russia and Iran are targeting UK groups, NCSC warns | Hacking | The Guardian
ChatGPT is a bigger threat to cyber security than most realize - Help Net Security
Yahoo Most Faked Brand Name in Phishing Attempts by Threat Actors in Q4 2022 - MSSP Alert
SEABORGIUM and TA453 continue their respective... - NCSC.GOV.UK
Bitwarden password vaults targeted in Google ads phishing attack (bleepingcomputer.com)
New 'Blank Image' attack hides phishing scripts in SVG files (bleepingcomputer.com)
Hackers now use Microsoft OneNote attachments to spread malware (bleepingcomputer.com)
BEC – Business Email Compromise
Other Social Engineering; Smishing, Vishing, etc
Malware
BlackBerry: Threat Actors Launch A Unique Malware Sample Every Minute - MSSP Alert
Consumers Face Greater Risks from Malware but Many are Unprepared and Vulnerable - MSSP Alert
New 'Blank Image' attack hides phishing scripts in SVG files (bleepingcomputer.com)
ChatGPT Could Create Polymorphic Malware Wave, Researchers Warn (darkreading.com)
Hackers now use Microsoft OneNote attachments to spread malware (bleepingcomputer.com)
ChatGPT Can Write Polymorphic Malware to Infect Your Computer (gizmodo.com)
Microsoft plans to kill malware delivery via Excel XLL add-ins (bleepingcomputer.com)
Hackers use Golang source code interpreter to evade detection (bleepingcomputer.com)
Emotet Malware Makes a Comeback with New Evasion Techniques (thehackernews.com)
'DragonSpark' Malware: East Asian Cyber Attackers Create an OSS Frankenstein (darkreading.com)
Malware exploited critical Realtek SDK bug in millions of attacks (bleepingcomputer.com)
Mobile
Massive Ad Fraud Scheme Targeted Over 11 Million Devices with 1,700 Spoofed Apps (thehackernews.com)
New 'Hook' Android malware lets hackers remotely control your phone (bleepingcomputer.com)
Pair of Galaxy App Store Bugs Offer Cyber Attackers Mobile Device Access (darkreading.com)
Google to phase out legacy apps with Android 14 to improve security - GSMArena.com news
Botnets
Denial of Service/DoS/DDOS
Why a hybrid approach can help mitigate DDoS attacks | SC Media
Russia’s largest ISP says 2022 broke all DDoS attack records (bleepingcomputer.com)
Internet of Things – IoT
Nice smart device – how long does it get software updates? • The Register
Why British homes are at risk from ‘Trojan Horse’ smart devices (telegraph.co.uk)
Why most IoT cyber security strategies give zero hope for zero trust - Help Net Security
Data Breaches/Leaks
Companies impacted by Mailchimp breach warn their customers - Security Affairs
LastPass owner GoTo says hackers stole customers’ backups | TechCrunch
GoTo warns customers of crypto key and backup heist • The Register
3.7 Million Customers Data Of Hilton Hotels Put Up For Sale (informationsecuritybuzz.com)
QUT confirms personal data of thousands of staff compromised in cyber attack - ABC News
Riot Games hacked, now it faces problems to release content - Security Affairs
ICE releases asylum seekers after exposing their data • The Register
Hacker Gets Hands on No-Fly List of Alleged Terrorist Suspects (gizmodo.com)
Risk & Repeat: Breaking down the LastPass breach | TechTarget
T-Mobile Cyber Attack Spurs Law Firm Investigation - MSSP Alert
Risk & Repeat: Another T-Mobile data breach disclosed | TechTarget
Entire US "No Fly List" Exposed Online Via Unsecured Server (informationsecuritybuzz.com)
Near-Record Year for US Data Breaches in 2022 - Infosecurity Magazine (infosecurity-magazine.com)
Zacks data breach impacted hundreds of thousands of customers - Security Affairs
French rugby club Stade Français leaks source code - Security Affairs
Organised Crime & Criminal Actors
Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain
Inside the crypto ‘prisons’ scamming Britons out of their life savings (telegraph.co.uk)
Hackers Take Over Robinhood Twitter Account To Promote Scam - Decrypt
Insider Risk and Insider Threats
Fraud, Scams & Financial Crime
Inside the crypto ‘prisons’ scamming Britons out of their life savings (telegraph.co.uk)
P-to-P fraud most concerning cyber threat in 2023: CSI | CSO Online
Hackers Take Over Robinhood Twitter Account To Promote Scam - Decrypt
Insurance
4 tips to find cyber insurance coverage in 2023 | TechTarget
Insurers in talks on adding state-backed cyber to UK reinsurance scheme | Financial Times (ft.com)
Cyber Security Posture & Insurance Outlook with Advisen (trendmicro.com)
Dark Web
Software Supply Chain
Cloud/SaaS
Report: Cloud-based networks under growing attack • The Register
Chinese 8220 Gang Aims For Public Clouds And Vulnerable Apps (informationsecuritybuzz.com)
Microsoft Azure-Based Kerberos Attacks Crack Open Cloud Accounts (darkreading.com)
Attack Surface Management
Encryption
API
Passwords, Credential Stuffing & Brute Force Attacks
Bitwarden password vaults targeted in Google ads phishing attack (bleepingcomputer.com)
Bitwarden responds to encryption design flaw criticism | The Daily Swig (portswigger.net)
Social Media
Malvertising
Massive Ad Fraud Scheme Targeted Over 11 Million Devices with 1,700 Spoofed Apps (thehackernews.com)
Google Ads invites being abused to push spam, adult sites (bleepingcomputer.com)
Ransomware access brokers use Google ads to breach your network (bleepingcomputer.com)
Over 4,500 WordPress Sites Hacked to Redirect Visitors to Sketchy Ad Pages (thehackernews.com)
Training, Education and Awareness
Regulations, Fines and Legislation
Governance, Risk and Compliance
View from Davos: The Changing Economics of Cyber Crime (darkreading.com)
Awareness Training Must Change | CSA (cloudsecurityalliance.org)
Despite Slowing Economy, Demand for Cyber Security Workers Remains Strong (darkreading.com)
Organisations Must Brace for Privacy Impacts This Year (darkreading.com)
Data Protection
Ireland’s data protection watchdog fines WhatsApp €5.5m • The Register
ICO Offers Data Protection Advice to SMBs - Infosecurity Magazine (infosecurity-magazine.com)
Careers, Working in Cyber and Information Security
Despite Slowing Economy, Demand for Cyber Security Workers Remains Strong (darkreading.com)
Can't Fill Open Positions? Rewrite Your Minimum Requirements (darkreading.com)
Veterans bring high-value, real-life experience as potential cyber security employees | CSO Online
Dozens of Cyber Security Companies Announced Layoffs in Past Year - SecurityWeek
Law Enforcement Action and Take Downs
FBI hacked into Hive ransomware gang, disrupted operations | TechTarget
Dutchman Detained for Dealing Details of Tens of Millions of People (darkreading.com)
Dutch suspect locked up for alleged personal data megathefts – Naked Security (sophos.com)
Privacy, Surveillance and Mass Monitoring
Organisations Must Brace for Privacy Impacts This Year (darkreading.com)
Scientists use Wi-Fi routers to see humans through walls | ZDNET
Most consumers would share anonymised personal data to improve AI products - Help Net Security
Artificial Intelligence
ChatGPT is a bigger threat to cyber security than most realize - Help Net Security
Learning to Lie: AI Tools Adept at Creating Disinformation - SecurityWeek
FBI Chief Says He's 'Deeply concerned' by China's AI Program | SecurityWeek.Com
ChatGPT Can Write Polymorphic Malware to Infect Your Computer (gizmodo.com)
Chat Cyber Security: AI Promises a Lot, but Can It Deliver? (darkreading.com)
Misinformation, Disinformation and Propaganda
Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine
State-linked hackers in Russia and Iran are targeting UK groups, NCSC warns | Hacking | The Guardian
UK authorities warn of phishing from Iran, Russia • The Register
Armis State of Cyberwarfare and Trends Report - IT Security Guru
SEABORGIUM and TA453 continue their respective... - NCSC.GOV.UK
Gamaredon Group Launches Cyber Attacks Against Ukraine Using Telegram (thehackernews.com)
Chinese 8220 Gang Aims For Public Clouds And Vulnerable Apps (informationsecuritybuzz.com)
FBI Chief Says He's 'Deeply concerned' by China's AI Program | SecurityWeek.Com
“Pegasus” lifts the lid on a sophisticated piece of spyware | The Economist
North Korea-linked TA444 turns to credential harvesting activity - Security Affairs
Nation State Actors
Nation State Actors – Russia
State-linked hackers in Russia and Iran are targeting UK groups, NCSC warns | Hacking | The Guardian
UK authorities warn of phishing from Iran, Russia • The Register
SEABORGIUM and TA453 continue their respective... - NCSC.GOV.UK
Gamaredon Group Launches Cyber Attacks Against Ukraine Using Telegram (thehackernews.com)
Russia’s largest ISP says 2022 broke all DDoS attack records (bleepingcomputer.com)
Nation State Actors – China
Chinese 8220 Gang Aims For Public Clouds And Vulnerable Apps (informationsecuritybuzz.com)
FBI Chief Says He's 'Deeply concerned' by China's AI Program | SecurityWeek.Com
Nation State Actors – North Korea
Nation State Actors – Iran
Vulnerability Management
Extent of reported CVEs overwhelms critical infrastructure asset owners - Help Net Security
Log4j Vulnerabilities Are Here to Stay — Are You Prepared? (darkreading.com)
Trained developers get rid of more vulnerabilities than code scanning tools - Help Net Security
New Open Source OT Security Tool Helps Address Impact of Upcoming Microsoft Patch - SecurityWeek
Halo Security unveils KEV feature to improve attack surface visibility - Help Net Security
Vulnerabilities
Crims can still exploit this NSA-discovered Microsoft bug • The Register
75k WordPress sites impacted by critical online course plugin flaws (bleepingcomputer.com)
Log4j Vulnerabilities Are Here to Stay — Are You Prepared? (darkreading.com)
Chrome 109 update addresses six security vulnerabilities - Security Affairs
Microsoft urges admins to patch on-premises Exchange servers (bleepingcomputer.com)
Drupal Patches Vulnerabilities Leading to Information Disclosure | SecurityWeek.Com
Critical Vulnerabilities Patched in OpenText Enterprise Content Management System | SecurityWeek.Com
Around 19,500 end-of-life Cisco routers exposed to hack - Security Affairs
In-the-Wild Exploitation of Recent ManageEngine Vulnerability Commences | SecurityWeek.Com
Apple patches are out – old iPhones get an old zero-day fix at last! – Naked Security (sophos.com)
Apple Patches WebKit Code Execution in iPhones, MacBooks - SecurityWeek
Crooks are already exploiting this bug in old iPhones • The Register
Logfile nightmare deepens thanks to critical VMware flaws • The Register
Malware exploited critical Realtek SDK bug in millions of attacks (bleepingcomputer.com)
Realtek SDK flaw CVE-2021-35394 actively exploited in the wild- Security Affairs
Lexmark warns of RCE bug affecting 100 printer models, PoC released (bleepingcomputer.com)
Crims can still exploit this NSA-discovered Microsoft bug • The Register
Tools and Controls
Is Once-Yearly Pen Testing Enough for Your Organisation? (thehackernews.com)
LastPass owner GoTo says hackers stole customers’ backups | TechCrunch
Bitwarden password vaults targeted in Google ads phishing attack (bleepingcomputer.com)
Bitwarden responds to encryption design flaw criticism | The Daily Swig (portswigger.net)
Companies Struggle With Zero Trust as Attackers Adapt to Get Around It (darkreading.com)
Federal Agencies Infested by Cyber Attackers via Legit Remote Management Systems (darkreading.com)
Why a hybrid approach can help mitigate DDoS attacks | SC Media
Steps To Planning And Implementation Of Endpoint Protection (informationsecuritybuzz.com)
Other News
Hackers can make computers destroy their own chips with electricity | New Scientist
Scientists use Wi-Fi routers to see humans through walls | ZDNET
Microsoft 365 outage takes down Teams, Exchange Online, Outlook (bleepingcomputer.com)
Lessons Learned from the Windows Remote Desktop Honeypot Report (bleepingcomputer.com)
Sector Specific
Industry specific threat intelligence reports are available.
Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.
· Automotive
· Construction
· Critical National Infrastructure (CNI)
· Defence & Space
· Education & Academia
· Energy & Utilities
· Estate Agencies
· Financial Services
· FinTech
· Food & Agriculture
· Gaming & Gambling
· Government & Public Sector (including Law Enforcement)
· Health/Medical/Pharma
· Hotels & Hospitality
· Insurance
· Legal
· Manufacturing
· Maritime
· Oil, Gas & Mining
· OT, ICS, IIoT, SCADA & Cyber-Physical Systems
· Retail & eCommerce
· Small and Medium Sized Businesses (SMBs)
· Startups
· Telecoms
· Third Sector & Charities
· Transport & Aviation
· Web3
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Threat Briefing 20 January 2023
Black Arrow Cyber Threat Briefing 20 January 2023:
-Experts at Davos 2023 Call for a Global Response to the Gathering 'Cyber Storm'
-Cost of Data Breaches to Global Businesses at Five-Year High
-European Data Protection Authorities Issue Record €2.92 Billion In GDPR Fines, an Increase of 168%
-PayPal Accounts Breached in Large-Scale Credential Stuffing Attack
-Royal Mail Boss to Face MPs’ Questions Over Russian Ransomware Attack
-Third-Party Risk Management: Why 2023 Could be the Perfect Time to Overhaul your TPRM Program
-EU Cyber Resilience Regulation Could Translate into Millions in Fines
-Russian Hackers Try to Bypass ChatGPT's Restrictions for Malicious Purposes
-New Report Reveals CISOs Rising Influence
-ChatGPT and its Perilous Use as a "Force Multiplier" for Cyber Attacks
-Mailchimp Discloses a New Security Breach, the Second One in 6 Months
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
Experts at Davos 2023 Call for a Global Response to the Gathering 'Cyber Storm'
As economic and geopolitical instability spills into the new year, experts predict that 2023 will be a consequential year for cyber security. The developments, they say, will include an expanded threat landscape and increasingly sophisticated cyber attacks.
"There's a gathering cyber storm," Sadie Creese, a Professor of Cyber Security at the University of Oxford, said during an interview at the World Economic Forum’s Annual Meeting 2023 in Davos, Switzerland. "This storm is brewing, and it's really hard to anticipate just how bad that will be."
Already, cyber attacks such as phishing, ransomware and distributed denial-of-service (DDoS) attacks are on the rise. Cloudflare, a major US cyber security firm that provides protection services for over 30% of Fortune 500 companies, found that DDoS attacks—which entail overwhelming a server with a flood of traffic to disrupt a network or webpage—increased last year by 79% year-over-year.
"There's been an enormous amount of insecurity around the world," Matthew Prince, the CEO of Cloudflare, stated during the Annual Meeting. "I think 2023 is going to be a busy year in terms of cyber attacks."
https://www.weforum.org/agenda/2023/01/cybersecurity-storm-2023-experts-davos23/
Cost of Data Breaches to Global Businesses at Five-Year High
Research from business insurer Hiscox shows that the cost of dealing with cyber events for businesses has more than tripled since 2018. The study, which collated data from the organisation’s previous five annual Cyber Readiness reports, has revealed that:
Since 2018 the median IT budgets for cyber security more than tripled.
Between 2020 and 2022 cyber-attacks increased by over a quarter.
Businesses are increasing their cyber security budgets year-on-year.
In the Hiscox 2022 Cyber Readiness report, the financial toll of cyber incidents, including data breaches, was estimated to be $16,950 (£15,265) on average. As the cost of cyber crime grew, so did organisations’ cyber security budgets – average spending on cyber security tripled from 2018 to 2022, rocketing from $1,470,196 (£1,323,973) to $5,235,162 (£4,714,482).
Hiscox has also revealed that half of all companies surveyed suffered at least one cyber attack in 2022, up 11% from 2020. Financial Services, as well as Technology, Media and Telecom (TMT) sectors even reported a minimum of one attack for three consecutive years. Financial Services firms, however, seemed to be hit the hardest, with 66% reporting being impacted by cyber attacks in 2021-2022.
Cyber risk has risen to the same strategic level as traditional financial and operational risks, thanks to a growing realisation by businesses that the impact can be just as severe.
European Data Protection Authorities Issue Record €2.92 Billion in GDPR Fines, an Increase of 168%
European data regulators issued a record €2.92 billion in fines last year, a 168% increase from 2021. That’s according to the latest GDPR and Data Breach survey from international law firm DLA Piper, which covers all 27 Member States of the European Union, plus the UK, Norway, Iceland, and Liechtenstein. This year’s biggest fine of €405 million was imposed by the Irish Data Protection Commissioner (DPC) against Meta Platforms Ireland Limited relating to Instagram for alleged failures to protect children’s personal data. The Irish DPC also fined Meta €265 million for failing to comply with the GDPR obligation for Data Protection by Design and Default. Both fines are currently under appeal.
Despite the overall increase in fines since January 28, 2022, the fine of €746 million that Luxembourg authorities levied against Amazon last year remains the biggest to be issued by an EU-based data regulator to date (though the retail giant is still believed to be appealing).
The report also revealed a notable increase in focus by supervisory authorities on the use of artificial intelligence (AI), while the volume of data breaches reported to regulators decreased slightly against the previous year’s total.
PayPal Accounts Breached in Large-Scale Credential Stuffing Attack
PayPal is sending out data breach notifications to thousands of users who had their accounts accessed through credential stuffing attacks that exposed some personal data.
Credential stuffing are attacks where hackers attempt to access an account by trying out username and password pairs sourced from data leaks on various websites. This type of attack relies on an automated approach with bots running lists of credentials to "stuff" into login portals for various services. Credential stuffing targets users that employ the same password for multiple online accounts, which is known as "password recycling."
PayPal explains that the credential stuffing attack occurred between December 6 and December 8, 2022. The company detected and mitigated it at the time but also started an internal investigation to find out how the hackers obtained access to the accounts. By December 20, 2022, PayPal concluded its investigation, confirming that unauthorised third parties logged into the accounts with valid credentials. The electronic payments platform claims that this was not due to a breach on its systems and has no evidence that the user credentials were obtained directly from them.
According to the data breach reporting from PayPal, 34,942 of its users have been impacted by the incident. During the two days, hackers had access to account holders' full names, dates of birth, postal addresses, social security numbers, and individual tax identification numbers. Transaction histories, connected credit or debit card details, and PayPal invoicing data are also accessible on PayPal accounts.
Royal Mail Boss to Face MPs’ Questions Over Russian Ransomware Attack
Royal Mail’s chief executive faced questions from MPs last week over the Russia-linked ransomware attack that caused international deliveries to grind to a halt.
Simon Thompson, chief executive of Royal Mail, was asked about the recent cyber attack when he appeared before the Commons Business Select Committee to discuss Royal Mail’s response to the cyber attack at the evidence session on Tuesday Jan 17.
A Royal Mail spokesman said: “Royal Mail has been subject to a cyber incident that is affecting our international export service. We are focused on restoring this service as soon as we are able.”
Royal Mail was forced to suspend all outbound international post after machines used for printing customs dockets were disabled by the Russia-linked Lockbit cyber crime gang. Lockbit’s attackers used ransomware, malicious software that scrambles vital computer files before the gang demands payment to unlock them again. The software also took over printers at Royal Mail’s international sorting offices and caused ransom notes to “spout” from them, according to reports.
Cyber security industry sources cautioned that while Lockbit is known to be Russian in origin, it is not known whether a stolen copy of the gang’s signature ransomware had been deployed by rival hackers.
Third-Party Risk Management: Why 2023 Could be the Perfect Time to Overhaul your TPRM Program
Ensuring risk caused by third parties does not occur to your organisation is becoming increasingly difficult. Every business outsources some aspects of its operations, and ensuring these external entities are a strength and not a weakness isn’t always a straightforward process.
In the coming years we’ll see organisations dedicate more time and resources to developing detailed standards and assessments for potential third-party vendors. Not only will this help to mitigate risk within their supply chain network, it will also provide better security.
As demand for third-party risk management (TPRM) grows, there are key reasons why we believe 2023 could be pivotal for the future of your organisation’s TPRM program, cyber risk being principal amongst them.
Forrester predicted that 60% of security incidents in 2022 would stem from third parties. In 2021 there was a 300% increase in supply chain attacks, a trend that has continued to increase over the past 12 months also. For example, Japanese car manufacturer Toyota was forced to completely shut down its operations due to a security breach with a third-party plastics supplier.
It’s not only the frequency of third-party attacks that has increased, but also the methods that cyber criminals are using are becoming increasingly sophisticated. For example, the SolarWinds cyber breach in 2020 was so advanced that Microsoft estimated it took over a thousand engineers to stop the impact of the attack.
As the sophistication and frequency of supply chain attacks increases, the impact they have on businesses reputations and valuations is also becoming apparent. There is a need for organisations to conduct thorough due diligence of the third parties they choose to work with, otherwise the consequences could be disastrous.
Remember always that cyber security should be a non-negotiable feature of all business transactions.
EU Cyber Resilience Regulation Could Translate into Millions in Fines
The EU Commission’s Cyber Resilience Act (CRA) is intended to close the digital fragmentation problem surrounding devices and systems with network connections – from printers and routers to smart household appliances and industrial control systems. Industrial networks and critical infrastructures require special protection.
According to the European Union, there is currently a ransomware attack every eleven seconds. In the last few weeks alone, among others, a leading German children’s food manufacturer and a global Tier1 automotive supplier headquartered in Germany were hit, with the latter becoming the victim of a massive ransomware attack. Such an attack even led to insolvency at the German manufacturer Prophete in January 2023. To press manufacturers, distributors and importers into action, they face significant penalties if security vulnerabilities in devices are discovered and not properly reported and closed.
“The pressure on the industry – manufacturers, distributors and importers – is growing immensely. The EU will implement this regulation without compromise, even though there are still some work packages to be done, for example regarding local country authorities,” says Jan Wendenburg, CEO, ONEKEY.
The financial fines for affected manufacturers and distributors are therefore severe: up to 15 million euros or 2.5 percent of global annual revenues in the past fiscal year – the larger number counts. “This makes it absolutely clear: there will be substantial penalties on manufacturers if the requirements are not implemented,” Wendenburg continues.
Manufacturers, distributors and importers are required to notify ENISA – the European Union’s cyber security agency – within 24 hours if a security vulnerability in one of their products is exploited. Exceeding the notification deadlines is already subject to sanctions.
https://www.helpnetsecurity.com/2023/01/19/eu-cyber-resilience-regulation-fines/
Russian Hackers Try to Bypass ChatGPT's Restrictions for Malicious Purposes
Russian cyber-criminals have been observed on dark web forums trying to bypass OpenAI’s API restrictions to gain access to the ChatGPT chatbot for nefarious purposes.
Various individuals have been observed, for instance, discussing how to use stolen payment cards to pay for upgraded users on OpenAI (thus circumventing the limitations of free accounts). Others have created blog posts on how to bypass the geo controls of OpenAI, and others still have created tutorials explaining how to use semi-legal online SMS services to register to ChatGPT.
“Generally, there are a lot of tutorials in Russian semi-legal online SMS services on how to use it to register to ChatGPT, and we have examples that it is already being used,” wrote Check Point Research (CPR). “It is not extremely difficult to bypass OpenAI’s restricting measures for specific countries to access ChatGPT,” said Check Point. “Right now, we are seeing Russian hackers already discussing and checking how to get past the geofencing to use ChatGPT for their malicious purposes.”
They added that they believe these hackers are most likely trying to implement and test ChatGPT in their day-to-day criminal operations. “Cyber-criminals are growing more and more interested in ChatGPT because the AI technology behind it can make a hacker more cost-efficient,” they explained.
Case in point, just last week, Check Point Research published a separate advisory highlighting how threat actors had already created malicious tools using ChatGPT. These included infostealers, multi-layer encryption tools and dark web marketplace scripts.
More generally, the cyber security firm is not the only one believing ChatGPT could democratise cyber crime, with various experts warning that the AI bot could be used by potential cyber-criminals to teach them how to create attacks and even write ransomware.
https://www.infosecurity-magazine.com/news/russian-hackers-to-bypass-chatgpt/
New Report Reveals CISOs Rising Influence
Cyber security firm Coalfire this week unveiled its second annual State of CISO Influence report, which explores the expanding influence of Chief Information Security Officers (CISOs) and other security leaders.
The report revealed that the CISO role is maturing quickly, and the position is experiencing more equity in the boardroom. In the last year alone, there was a 10-point uptick in CISOs doing monthly reporting to the board. These positive outcomes likely stem from the increasingly metrics-driven reporting CISOs provide, where data is more effectively leveraged to connect security outcomes to business objectives.
An especially promising development in this year's report is how security teams are being looped into corporate projects. Of the security leaders surveyed, 78% say they are consulted early in project development when business objectives are first identified, and two-thirds are now making presentations to the highest levels of enterprise authority. 56% of CISOs present security metrics to their CEOs, up from 43% in 2021.
Cloud migration was universally identified as one of those top business objectives. The move to the cloud saddles CISOs with many challenges. The top priorities listed by CISOs include dealing with an expanding attack surface, staffing, and new compliance requirements — all within constrained budgets. In fact, 43% of security leaders said their budgets remained static or were reduced following business migration to the cloud.
Given these challenges, leading CISOs are transforming their approaches. To address multiple cloud compliance requirements, security leaders are focusing on the most onerous set of rules and creating separate environments for different requirements. Risk assessments were identified as the key tool used to secure funding for these and other cyber initiatives and to set top priorities.
"Costs and risks are up, while at the same time, cyber budgets are trending flat or down," said Colefire. "Cyber security has historically been lower in priority for organisations, but we are witnessing a big shift in enterprise cyber expectations. CISOs are rising to meet those expectations, speaking to the business, and as a result, solidifying their role in the C-suite."
https://www.darkreading.com/threat-intelligence/new-coalfire-report-reveals-cisos-rising-influence
ChatGPT and its Perilous Use as a "Force Multiplier" for Cyber Attacks
As a form of OpenAI technology, ChatGPT has the ability to mimic natural language and human interaction with remarkable efficiency. However, from a cyber security perspective, this also means it can be used in a variety of ways to lower the bar for threat actors.
One key method is the ability for ChatGPT to draft cunning phishing emails en masse. By feeding ChatGPT with minimal information, it can create content and entire emails that will lure unsuspecting victims to provide their passwords. With the right API setup, thousands of unique, tailored, and sophisticated phishing emails can be sent almost simultaneously.
Another interesting capability of ChatGPT is the ability to write malicious code. While OpenAI has put some controls in place to prevent ChatGPT from creating malware, it is possible to convince ChatGPT to create ransomware and other forms of malware as code that can be copied and pasted into an integrated development environment (IDE) and used to compile actual malware. ChatGPT can also be used to identify vulnerabilities in code segments and reverse engineer applications.
ChatGPT will expedite a trend that is already wreaking havoc across sectors – lowering the bar for less sophisticated threat actors, enabling them to conduct attacks while evading security controls and bypassing advanced detection mechanisms. And currently, there is not much that organisations can do about it. ChatGPT represents a technological marvel that will usher in a new era, not just for the cyber security space.
https://www.calcalistech.com/ctechnews/article/sj0lfp11oi
Mailchimp Discloses a New Security Breach, the Second One in 6 Months
The popular email marketing and newsletter platform Mailchimp was hacked twice in the past six months. The news of a new security breach was confirmed by the company; the incident exposed the data of 133 customers.
Threat actors targeted the company’s employees and contractors to gain access to an internal support and account admin tool.
“On January 11, the Mailchimp Security team identified an unauthorised actor accessing one of our tools used by Mailchimp customer-facing teams for customer support and account administration. The unauthorised actor conducted a social engineering attack on Mailchimp employees and contractors, and obtained access to select Mailchimp accounts using employee credentials compromised in that attack.” reads the notice published by the company. “Based on our investigation to date, this targeted incident has been limited to 133 Mailchimp accounts.”
The malicious activity was discovered on January 11, 2023; in response to the intrusion the company temporarily suspended access for impacted accounts. The company also notified the primary contacts for all affected accounts less than 24 hours after the initial discovery.
https://securityaffairs.com/140997/data-breach/mailchimp-security-breach.html
Threats
Ransomware, Extortion and Destructive Attacks
Yum Brands says nearly 300 restaurants in UK impacted due to cyber attack | Reuters
Royal Mail boss to face MPs’ questions over Russian ransomware attack (telegraph.co.uk)
What is LockBit ransomware and how does it operate? | Royal Mail | The Guardian
How cyber-attack on Royal Mail has left firms in limbo - BBC News
Royal Mail restarts limited overseas post after cyber-attack - BBC News
How Royal Mail’s hacker became the world’s most prolific ransomware group | Financial Times (ft.com)
Ransomware Trends In Q4 2022: Key Findings And Recommendations (informationsecuritybuzz.com)
Microsoft: Cuba ransomware hacking Exchange servers via OWASSRF flaw (bleepingcomputer.com)
Microsoft retracts its report on Mac ransomware (techrepublic.com)
Ransomware Dips During 2022: Are Cyber attacks Slowing or Just a Blip? - MSSP Alert
Up to 1,000 ships affected by DNV ransomware attack - Splash247
Avast releases free BianLian ransomware decryptor (bleepingcomputer.com)
Vice Society ransomware leaks University of Duisburg-Essen’s data (bleepingcomputer.com)
Ransomware attack cuts 1,000 ships off from on-shore servers • The Register
Royal Mail promises ‘workarounds’ to restore services after ransomware attack | Computer Weekly
Cyber-crime gangs' earnings slide as victims refuse to pay - BBC News
Ransomware gang steals data from KFC, Taco Bell, and Pizza Hut brand owner (bleepingcomputer.com)
Phishing & Email Based Attacks
How AI chatbot ChatGPT changes the phishing game | CSO Online
The big risk in the most-popular, and aging, big tech email programs (cnbc.com)
Why encrypting emails isn't as simple as it sounds - Help Net Security
Fake DHL emails allow hackers to breach Microsoft 365 accounts (msn.com)
Other Social Engineering; Smishing, Vishing, etc
Techniques that attackers use to trick victims into visiting malicious content - Help Net Security
As Social Engineering Tactics Change, So Must Your Security Training (darkreading.com)
2FA/MFA
CircleCI's hack caused by malware stealing engineer's 2FA-backed session (bleepingcomputer.com)
The Importance of Multi-Factor Authentication (MFA) - MSSP Alert
Malware
New Backdoor Created Using Leaked CIA's Hive Malware Discovered in the Wild (thehackernews.com)
Experts spotted a backdoor that borrows code from CIA's Hive malware - Security Affairs
ChatGPT Creates Polymorphic Malware - Infosecurity Magazine (infosecurity-magazine.com)
Attackers Crafted Custom Malware for Fortinet Zero-Day (darkreading.com)
New Chinese Malware Spotted Exploiting Recent Fortinet Firewall Vulnerability (thehackernews.com)
Malicious ‘Lolip0p’ PyPi packages install info-stealing malware (bleepingcomputer.com)
Hackers exploit Cacti critical bug to install malware, open reverse shells (bleepingcomputer.com)
Hackers can use GitHub Codespaces to host and deliver malware (bleepingcomputer.com)
Hackers turn to Google search ads to push info-stealing malware (bleepingcomputer.com)
How to spot a cyberbot – five tips to keep your device safe (theconversation.com)
Mobile
New 'Hook' Android malware lets hackers remotely control your phone (bleepingcomputer.com)
Roaming Mantis’ Android malware adds DNS changer to hack WiFi routers (bleepingcomputer.com)
Botnets
Denial of Service/DoS/DDOS
Internet of Things – IoT
Data Breaches/Leaks
6,000+ Customer Accounts Breached, NortonLifeLock Alert Users (informationsecuritybuzz.com)
1.7 TB of data from digital intelligence firm Cellebrite leaked online - Security Affairs
LastPass faces mounting criticism over recent breach | TechTarget
Mailchimp discloses a new incident, the second one in 6 months - Security Affairs
PayPal Breach Exposed PII of Nearly 35K Accounts (darkreading.com)
T-Mobile US says hacker accessed personal data of 37 million customers • TechCrunch
Twitter says leaked emails not hacked from its systems - BBC News
Hacked! My Twitter user data is out on the dark web -- now what? | ZDNET
Twitter sued over data leak that it denied was caused by a flaw | Business
Nissan North America data breach caused by vendor-exposed database (bleepingcomputer.com)
18k Nissan Customers Affected by Data Breach at Third-Party Software Developer | SecurityWeek.Com
Organised Crime & Criminal Actors
Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain
Crypto exchanges freeze accounts tied to North Korea • The Register
Europol arrested cryptocurrency scammers that stole millions from victims - Security Affairs
FTX Says $415 Million Of Its Crypto Assets Was Hacked (informationsecuritybuzz.com)
Google Ads-delivered malware drains NFT influencer’s entire crypto wallet (cointelegraph.com)
Bitcoin is a ‘hyped-up fraud’, says JP Morgan chief (telegraph.co.uk)
International Arrests Over 'Criminal' Crypto Exchange | SecurityWeek.Com
Fraud, Scams & Financial Crime
Hacker stole credit cards from Canada alcohol retailer LCBO - Security Affairs
Europol arrested cryptocurrency scammers that stole millions from victims - Security Affairs
New York man defrauded thousands using credit cards sold on dark web (bleepingcomputer.com)
FTX Says $415 Million Of Its Crypto Assets Was Hacked (informationsecuritybuzz.com)
The US Has a Massive Money Transfer Surveillance Apparatus (gizmodo.com)
The threat of location spoofing and fraud - Help Net Security
HUMAN Security Stops VASTFLUX Digital Ad Fraud Operation - MSSP Alert
International Arrests Over 'Criminal' Crypto Exchange | SecurityWeek.Com
Insurance
Dark Web
New York man defrauded thousands using credit cards sold on dark web (bleepingcomputer.com)
Illegal Solaris darknet market hijacked by competitor Kraken (bleepingcomputer.com)
Supply Chain and Third Parties
Cloud/SaaS
The Dangers of Default Cloud Configurations (darkreading.com)
Report: Cloud-based networks under growing attack • The Register
Data Security in Multicloud: Limit Access, Increase Visibility (darkreading.com)
Hybrid/Remote Working
Encryption
Vulnerabilities in cryptographic libraries found through modern fuzzing - Help Net Security
teiss - Cyber Threats - Managing the treat from quantum computers
Threats Of Quantum: The Solution Lies In Quantum Cryptography (informationsecuritybuzz.com)
Why encrypting emails isn't as simple as it sounds - Help Net Security
TLS Connection Cryptographic Protocol Vulnerabilities (trendmicro.com)
Passwords, Credential Stuffing & Brute Force Attacks
Compromise of employee device, credentials led to CircleCI breach | SC Media (scmagazine.com)
PayPal accounts breached in large-scale credential stuffing attack (bleepingcomputer.com)
NortonLifeLock: threat actors breached Norton Password Manager accounts - Security Affairs
Social Media
Twitter says leaked emails not hacked from its systems - BBC News
Hacked! My Twitter user data is out on the dark web -- now what? | ZDNET
French CNIL fined Tiktok $5.4 Million for violating cookie laws - Security Affairs
Malvertising
Hackers turn to Google search ads to push info-stealing malware (bleepingcomputer.com)
Google Ads-delivered malware drains NFT influencer’s entire crypto wallet (cointelegraph.com)
HUMAN Security Stops VASTFLUX Digital Ad Fraud Operation - MSSP Alert
Training, Education and Awareness
Training, endpoint management reduce remote working cyber security risks - Help Net Security
As Social Engineering Tactics Change, So Must Your Security Training (darkreading.com)
Regulations, Fines and Legislation
GDPR Fines Surge 168% in a Year - Infosecurity Magazine (infosecurity-magazine.com)
European data protection authorities issue record €2.92 billion in GDPR fines | CSO Online
How data protection is evolving in a digital world - Help Net Security
EU cyber resilience regulation could translate into millions in fines - Help Net Security
Online safety bill: Attempt to jail tech bosses ‘could backfire’ | News | The Times
Culture secretary examines plans to punish tech bosses over online harms | Financial Times (ft.com)
French CNIL fined Tiktok $5.4 Million for violating cookie laws - Security Affairs
State legislators aren't waiting for Congress to regulate children's online privacy - CyberScoop
How Would the FTC Rule on Noncompetes Affect Data Security? (darkreading.com)
The US Has a Massive Money Transfer Surveillance Apparatus (gizmodo.com)
Governance, Risk and Compliance
Technology is a fragile machine that seems to power everything | Android Central
Training, endpoint management reduce remote working cyber security risks - Help Net Security
New Coalfire Report Reveals CISOs Rising Influence (darkreading.com)
Cost of data breaches to global businesses at five-year high- IT Security Guru
Experts at Davos 2023 sound the alarm on cyber security | World Economic Forum (weforum.org)
Why Mean Time to Repair Is Not Always A Useful Security Metric (darkreading.com)
Why are there so many cyber attacks lately? An explainer on the rising trend | Globalnews.ca
How To Build A Network Of Security Champions In Your Organisation (forbes.com)
EU cyber resilience regulation could translate into millions in fines - Help Net Security
What is Business Attack Surface Management? (trendmicro.com)
How to build a cyber-resilience culture in the enterprise | TechTarget
Why Businesses Need to Think Like Hackers This Year (darkreading.com)
How to prioritize resilience in the face of cyber-attacks | World Economic Forum (weforum.org)
Cyber-attack contributes to major Harrogate district firm posting £4.1m loss - The Stray Ferret
Data Protection
GDPR Fines Surge 168% in a Year - Infosecurity Magazine (infosecurity-magazine.com)
European data protection authorities issue record €2.92 billion in GDPR fines | CSO Online
How data protection is evolving in a digital world - Help Net Security
State legislators aren't waiting for Congress to regulate children's online privacy - CyberScoop
Careers, Working in Cyber and Information Security
New Coalfire Report Reveals CISOs Rising Influence (darkreading.com)
IT Burnout may be Putting Your Organisation at Risk (bleepingcomputer.com)
Sophos Joins List of Cyber security Companies Cutting Staff | SecurityWeek.Com
Law Enforcement Action and Take Downs
Privacy, Surveillance and Mass Monitoring
UK supermarket uses facial recognition tech to track shoppers - Coda Story
State legislators aren't waiting for Congress to regulate children's online privacy - CyberScoop
Artificial Intelligence
How AI chatbot ChatGPT changes the phishing game | CSO Online
ChatGPT and its perilous use as a "Force Multiplier" for cyber attacks | Ctech (calcalistech.com)
Potential threats and sinister implications of ChatGPT - Help Net Security
Criminals seek OpenAI guardrail bypass, use ChatGPT for evil • The Register
ChatGPT Creates Polymorphic Malware - Infosecurity Magazine (infosecurity-magazine.com)
Misinformation, Disinformation and Propaganda
Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine
Putin’s Russian cyber attacks could target UK’s infrastructure | News | The Times
Industrial espionage: How China sneaks out America's technology secrets - BBC News
Ukraine blames Russia for most of over 2,000 cyber attacks in 2022 | Reuters
Beware: Tainted VPNs Being Used to Spread EyeSpy Surveillanceware (thehackernews.com)
Is Elon Musk’s Starlink winning the war for Ukraine? | World | The Sunday Times (thetimes.co.uk)
Pro-Russia Hacktivist Group NoName057(16) Strikes Again (informationsecuritybuzz.com)
Russian hacktivists NoName057 offer cash for DDoS attacks (techmonitor.ai)
Ukraine links data-wiping attack on news agency to Russian hackers (bleepingcomputer.com)
Russian hackers target Ukrainian press briefing about cyber attacks (axios.com)
Chinese hackers targeted Iranian government entities for months: Report | CSO Online
Nation State Actors
Nation State Actors – Russia
Putin’s Russian cyber attacks could target UK’s infrastructure | News | The Times
Ukraine blames Russia for most of over 2,000 cyber attacks in 2022 | Reuters
Is Elon Musk’s Starlink winning the war for Ukraine? | World | The Sunday Times (thetimes.co.uk)
Pro-Russia Hacktivist Group NoName057(16) Strikes Again (informationsecuritybuzz.com)
Russian hacktivists NoName057 offer cash for DDoS attacks (techmonitor.ai)
Ukraine links data-wiping attack on news agency to Russian hackers (bleepingcomputer.com)
Russian hackers target Ukrainian press briefing about cyber attacks (axios.com)
Russians say they can download software from Intel again • The Register
Nation State Actors – China
Industrial espionage: How China sneaks out America's technology secrets - BBC News
Attackers Crafted Custom Malware for Fortinet Zero-Day (darkreading.com)
New Chinese Malware Spotted Exploiting Recent Fortinet Firewall Vulnerability (thehackernews.com)
China wants 30 percent CAGR for its infosec industry • The Register
Chinese hackers targeted Iranian government entities for months: Report | CSO Online
Nation State Actors – North Korea
Nation State Actors – Iran
Nation State Actors – Misc
Vulnerability Management
The Top 10 Vulnerabilities of 2022: Mastering Vulnerability Management - Security Boulevard
3 Lessons Learned in Vulnerability Management (darkreading.com)
Vulnerabilities
Cisco won’t fix critical flaw in small business routers • The Register
Unpatched Zoho ManageEngine Products Under Active Cyber attack (darkreading.com)
Oracle's First Security Update for 2023 Includes 327 New Patches | SecurityWeek.Com
Why it's time to review your on-premises Microsoft Exchange patch status | CSO Online
Attackers Crafted Custom Malware for Fortinet Zero-Day (darkreading.com)
New Chinese Malware Spotted Exploiting Recent Fortinet Firewall Vulnerability (thehackernews.com)
Cacti Servers Under Attack as Majority Fail to Patch Critical Vulnerability (thehackernews.com)
PoC exploits released for critical bugs in popular WordPress plugins (bleepingcomputer.com)
Vulnerabilities in cryptographic libraries found through modern fuzzing - Help Net Security
Microsoft: Exchange Server 2013 reaches end of support in 90 days (bleepingcomputer.com)
Hackers are using this old trick to dodge security protections | ZDNET
Attackers deploy sophisticated Linux implant on Fortinet network security devices | CSO Online
Researchers to release PoC exploit for critical Zoho RCE bug, patch now (bleepingcomputer.com)
MSI accidentally breaks Secure Boot for hundreds of motherboards (bleepingcomputer.com)
Microsoft fixes SSRF vulnerabilities found in Azure services | TechTarget
Over 4,000 Sophos Firewall devices vulnerable to RCE attacks (bleepingcomputer.com)
Critical Security Vulnerabilities Discovered in Netcomm and TP-Link Routers (thehackernews.com)
Exploited Control Web Panel Flaw Added to CISA 'Must-Patch' List | SecurityWeek.Com
Two critical flaws discovered in Git system - Security Affairs
Vendors Actively Bypass Security Patch for Year-Old Magento Vulnerability | SecurityWeek.Com
Cisco Patches High-Severity SQL Injection Vulnerability in Unified CM | SecurityWeek.Com
CVE-2022-47966: Rapid7 Observed Exploitation of Critical ManageEngine Vulnerability | Rapid7 Blog
Critical Microsoft Azure RCE flaw impacted multiple services - Security Affairs
New Microsoft Azure Vulnerability Uncovered — EmojiDeploy for RCE Attacks (thehackernews.com)
Tools and Controls
Training, endpoint management reduce remote working cyber security risks - Help Net Security
Why encrypting emails isn't as simple as it sounds - Help Net Security
As Social Engineering Tactics Change, So Must Your Security Training (darkreading.com)
Zero trust network access for Desktop as a Service - Help Net Security
How to prioritize resilience in the face of cyber-attacks | World Economic Forum (weforum.org)
Sector Specific
Industry specific threat intelligence reports are available.
Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.
· Automotive
· Construction
· Critical National Infrastructure (CNI)
· Defence & Space
· Education & Academia
· Energy & Utilities
· Estate Agencies
· Financial Services
· FinTech
· Food & Agriculture
· Gaming & Gambling
· Government & Public Sector (including Law Enforcement)
· Health/Medical/Pharma
· Hotels & Hospitality
· Insurance
· Legal
· Manufacturing
· Maritime
· Oil, Gas & Mining
· OT, ICS, IIoT, SCADA & Cyber-Physical Systems
· Retail & eCommerce
· Small and Medium Sized Businesses (SMBs)
· Startups
· Telecoms
· Third Sector & Charities
· Transport & Aviation
· Web3
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Threat Briefing 23 December 2022
Black Arrow Cyber Threat Briefing 23 December 2022:
-LastPass Users: Your Info and Password Vault Data are Now in Hackers’ Hands
-Ransomware Attacks Increased 41% In November
-The Risk of Escalation from Cyber Attacks Has Never Been Greater
-FBI Recommends Ad Blockers as Cyber Criminals Impersonate Brands in Search Engine Ads
-North Korea-Linked Hackers Stole $626 Million in Virtual Assets in 2022
-UK Security Agency Wants Fresh Approach to Combat Phishing
-GodFather Android malware targets 400 banks, crypto exchanges
-Companies Overwhelmed by Available Tech Solutions
-Nine in 10 Third-party Contractors, Freelancers Use Personal, Unmanaged Devices Likely to be Infected
-UK Privacy Regulator Names and Shames Breached Firms
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
LastPass Admits Attackers have an Encrypted Copy of Customers’ Password Vaults
Password locker LastPass has warned customers that the August 2022 attack on its systems saw unknown parties copy encrypted files that contain the passwords to their accounts.
In a December 22nd update to its advice about the incident, LastPass brings customers up to date by explaining that in the August 2022 attack “some source code and technical information were stolen from our development environment and used to target another employee, obtaining credentials and keys which were used to access and decrypt some storage volumes within the cloud-based storage service.” Those creds allowed the attacker to copy information “that contained basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service.”
The update reveals that the attacker also copied “customer vault” data, the file LastPass uses to let customers record their passwords. That file “is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data.” The passwords are encrypted with “256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password”.
LastPass’ advice is that even though attackers have that file, customers who use its default settings have nothing to do as a result of this update as “it would take millions of years to guess your master password using generally-available password-cracking technology.” One of those default settings is not to re-use the master password that is required to log into LastPass. The outfit suggests you make it a complex credential and use that password for just one thing: accessing LastPass.
LastPass therefore offered the following advice to individual and business users: If your master password does not make use of the defaults above, then it would significantly reduce the number of attempts needed to guess it correctly. In this case, as an extra security measure, you should consider minimising risk by changing passwords of websites you have stored.
LastPass’s update concludes with news it decommissioned the systems breached in August 2022 and has built new infrastructure that adds extra protections.
https://www.theregister.com/2022/12/23/lastpass_attack_update/
Ransomware Attacks Increased 41% In November
Ransomware attacks rose 41% last month as groups shifted among the top spots and increasingly leveraged DDoS attacks, according to new research from NCC Group.
A common thread of NCC Group's November Threat Pulse was a "month full of surprises," particularly related to unexpected shifts in threat actor behaviour. The Cuba ransomware gang resurged with its highest number of attacks recorded by NCC Group. Royal replaced LockBit 3.0 as the most active strain, a first since September of last year.
These factors and more contributed to the significant jump in November attacks, which rose from 188 in October to 265.
"For 2022, this increase represents the most reported incidents in one month since that of April, when there were 289 incidents, and is also the largest month-on-month increase since June-July's marginally larger increase of 47%," NCC Group wrote in the report.
Operators behind Royal ransomware, a strain that emerged earlier this year that operates without affiliates and utilises intermittent encryption to evade detection, surpassed LockBit 3.0 for the number one spot, accounting for 16% of hack and leak incidents last month.
The Risk of Escalation from Cyber Attacks Has Never Been Greater
In 2022, an American dressed in his pyjamas took down North Korea’s Internet from his living room. Fortunately, there was no reprisal against the United States. But Kim Jong Un and his generals must have weighed retaliation and asked themselves whether the so-called independent hacker was a front for a planned and official American attack.
In 2023, the world might not get so lucky. There will almost certainly be a major cyber attack. It could shut down Taiwan’s airports and trains, paralyse British military computers, or swing a US election. This is terrifying, because each time this happens, there is a small risk that the aggrieved side will respond aggressively, maybe at the wrong party, and (worst of all) even if it carries the risk of nuclear escalation.
This is because cyber weapons are different from conventional ones. They are cheaper to design and wield. That means great powers, middle powers, and pariah states can all develop and use them.
More important, missiles come with a return address, but virtual attacks do not. Suppose in 2023, in the coldest weeks of winter, a virus shuts down American or European oil pipelines. It has all the markings of a Russian attack, but intelligence experts warn it could be a Chinese assault in disguise. Others see hints of the Iranian Revolutionary Guard. No one knows for sure. Presidents Biden and Macron have to decide whether to retaliate at all, and if so, against whom … Russia? China? Iran? It's a gamble, and they could get unlucky.
Neither country wants to start a conventional war with one another, let alone a nuclear one. Conflict is so ruinous that most enemies prefer to loathe one another in peace. During the Cold War, the prospect of mutual destruction was a huge deterrent to any great power war. There were almost no circumstances in which it made sense to initiate an attack. But cyber warfare changes that conventional strategic calculus. The attribution problem introduces an immense amount of uncertainty, complicating the decision our leaders have to make.
FBI Recommends Ad Blockers as Cyber Criminals Impersonate Brands in Search Engine Ads
The Federal Bureau of Investigation (FBI) this week raised the alarm on cyber criminals impersonating brands in advertisements that appear in search engine results. The agency has advised consumers to use ad blockers to protect themselves from such threats.
The attackers register domains similar to those of legitimate businesses or services, and use those domains to purchase ads from search engine advertisement services, the FBI says in an alert. These nefarious ads are displayed at the top of the web page when the user searches for that business or service, and the user might mistake them for an actual search result.
Links included in these ads take users to pages that are identical to the official web pages of the impersonated businesses, the FBI explains. If the user searches for an application, they are taken to a fake web page that uses the real name of the program the user searches for, and which contains a link to download software that is, in fact, malware.
“These advertisements have also been used to impersonate websites involved in finances, particularly cryptocurrency exchange platforms,” the FBI notes. Seemingly legitimate exchange platforms, the malicious sites prompt users to provide their login and financial information, which the cyber criminals then use to steal the victim’s funds.
“While search engine advertisements are not malicious in nature, it is important to practice caution when accessing a web page through an advertised link,” the FBI says.
Businesses are advised to use domain protection services to be notified of domain spoofing, and to educate users about spoofed websites and on how to find legitimate downloads for the company’s software.
Users are advised to check URLs to make sure they access authentic websites, to type a business’ URL into the browser instead of searching for that business, and to use ad blockers when performing internet searches. Ad blockers can have a negative impact on the revenues of online businesses and advertisers, but they can be good for online security, and even the NSA and CIA are reportedly using them.
North Korea-Linked Hackers Stole $626 Million in Virtual Assets in 2022
South Korea’s spy agency, the National Intelligence Service, estimated that North Korea-linked threat actors have stolen an estimated 1.5 trillion won ($1.2 billion) in cryptocurrency and other virtual assets in the past five years.
According to the spy agency, more than half the crypto assets (about 800 billion won ($626 million)) have been stolen this year alone, reported the Associated Press. The Government of Pyongyang focuses on crypto hacking to fund its military program following harsh UN sanctions.
“South Korea’s main spy agency, the National Intelligence Service, said North Korea’s capacity to steal digital assets is considered among the best in the world because of the country’s focus on cyber crimes since UN economic sanctions were toughened in 2017 in response to its nuclear and missile tests.” reported the AP agency. North Korea cannot export its products due to the UN sanctions imposed in 2016 and 1017, and the impact on its economy is dramatic.
The NIS added that more than 100 billion won ($78 million) of the total stolen funds came from South Korea. Cyber security and intelligence experts believe that attacks aimed at the cryptocurrency industry will continue to increase next year. National Intelligence Service experts believe that North Korea-linked APT groups will focus on the theft of South Korean technologies and confidential information on South Korean foreign policy and national security.
Data published by the National Intelligence Service agency confirms a report published by South Korean media outlet Chosun early this year that revealed North Korean threat actors have stolen around $1.7 billion (2 trillion won) worth of cryptocurrency from multiple exchanges during the past five years.
https://securityaffairs.co/wordpress/139909/intelligence/north-korea-cryptocurrency-theft.html
UK Security Agency Wants Fresh Approach to Combat Phishing
The UK National Cyber Security Centre (NCSC) has called for a defence-in-depth approach to help mitigate the impact of phishing, combining technical controls with a strong reporting culture.
Writing in the agency’s blog, technical director and principal architect, “Dave C,” argued that many of the well-established tenets of anti-phishing advice simply don’t work. For example, advising users not to click on links in unsolicited emails is not helpful when many need to do exactly that as part of their job.
This is often combined with a culture where users are afraid to report that they’ve accidentally clicked, which can delay incident response, he said. It’s not the user’s responsibility to spot a phish – rather, it’s their organisation’s responsibility to protect them from such threats, Dave C argued.
As such, they should build layered technical defences, consisting of email scanning and DMARC/SPF policies to prevent phishing emails from arriving into inboxes. Then, organisations should consider the following to prevent code from executing:
Allow-listing for executables
Registry settings changes to ensure dangerous scripting or file types are opened in Notepad and not executed
Disabling the mounting of .iso files on user endpoints
Making sure macro settings are locked down
Enabling attack surface reduction rules
Ensuring third-party software is up to date
Keeping up to date about current threats
Additionally, organisations should take steps such as DNS filtering to block suspicious connections and endpoint detection and response (EDR) to monitor for suspicious behaviour, the NCSC advised.
https://www.infosecurity-magazine.com/news/uk-security-agency-combat-phishing/
GodFather Android malware targets 400 banks, crypto exchanges
An Android banking malware named 'Godfather' has been targeting users in 16 countries, attempting to steal account credentials for over 400 online banking sites and cryptocurrency exchanges.
The malware generates login screens overlaid on top of the banking and crypto exchange apps' login forms when victims attempt to log into the site, tricking the user into entering their credentials on well-crafted HTML phishing pages.
The Godfather trojan was discovered by Group-IB analysts, who believe it is the successor of Anubis, a once widely-used banking trojan that gradually fell out of use due to its inability to bypass newer Android defences. ThreatFabric first discovered Godfather in March 2021, but it has undergone massive code upgrades and improvements since then.
Also, Cyble published a report yesterday highlighting a rise in the activity of Godfather, pushing an app that mimics a popular music tool in Turkey, downloaded 10 million times via Google Play. Group-IB has found a limited distribution of the malware in apps on the Google Play Store; however, the main distribution channels haven't been discovered, so the initial infection method is largely unknown.
Almost half of all apps targeted by Godfather, 215, are banking apps, and most of them are in the United States (49), Turkey (31), Spain (30), Canada (22), France (20), Germany (19), and the UK (17).
Apart from banking apps, Godfather targets 110 cryptocurrency exchange platforms and 94 cryptocurrency wallet apps.
Companies Overwhelmed by Available Tech Solutions
92% of executives reported challenges in acquiring new tech solutions, highlighting the complexities that go into the decision-making process, according to GlobalDots.
Moreover, some 34% of respondents said the overwhelming amount of options was a challenge when deciding on the right solutions, and 33% admitted the time needed to conduct research was another challenge in deciding.
Organisations of all varieties rely on technology more than ever before. The constant adoption of innovation is no longer a luxury but rather a necessity to stay on par in today’s fast-paced and competitive digital landscape. In this environment, IT and security leaders are coming under increased pressure to show ROIs from their investment in technology while balancing operational excellence with business innovation. Due to current market realities, IT teams are short-staffed and suffering from a lack of time and expertise, making navigating these challenges even more difficult.
The report investigated how organisations went about finding support for their purchasing decisions. Conferences, exhibitions, and online events served as companies’ top source of information for making purchasing decisions, at 52%. Third-party solutions, such as value-added resellers and consultancies, came in second place at 48%.
54% are already using third parties to purchase, implement, or support their solutions, highlighting the value that dedicated experts with in-depth knowledge of every solution across a wide range of IT fields provide.
We are living in an age of abundance when it comes to tech solutions for organisations, and this makes researching and purchasing the right solutions for your organisation extremely challenging.
https://www.helpnetsecurity.com/2022/12/20/tech-purchasing-decisions/
Nine in 10 Third-party Contractors, Freelancers Use Personal, Unmanaged Devices Likely to be Infected
Talon Cyber Security surveyed 258 third-party providers to better understand the state of third-party working conditions, including work models, types of devices and security technologies used, potentially risky actions taken, and how security and IT tools impact productivity.
Looking at recent high-profile breaches, third parties have consistently been at the epicenter, so they took a step back with their research to better understand the potential root causes. The findings paint a picture of a third-party work landscape where individuals are consistently working from personal, unmanaged devices, conducting risky activities, and having their productivity impacted by legacy security and IT solutions.
Here’s what Talon discovered:
Most third parties (89%) work from personal, unmanaged devices, where organisations lack visibility and cannot enforce the enterprise’s security posture on. Talon pointed to a Microsoft data point that estimated users are 71% more likely to be infected on an unmanaged device.
With third parties working from personal devices, they tend to carry out personal, potentially risky tasks. Respondents note that at least on occasion, they have used their devices to:
Browse the internet for personal needs (76%)
Indulge in online shopping (71%)
Check personal email (75%)
Save weak passwords in the web browser (61%)
Play games (53%)
Allow family members to browse (36%)
Share passwords with co-workers (24%)
Legacy apps such as Virtual Desktop Infrastructure (VDI) and Desktop-as-a-Service (DaaS) solutions are prominent, with 45% of respondents using such technologies while working for organisations.
UK Privacy Regulator Names and Shames Breached Firms
The UK Information Commissioner’s Office (ICO) has taken the unusual step of publishing details of personal data breaches, complaints and civil investigations on its website, according to legal experts.
The data, available from Q4 2021 onwards, includes the organisation’s name and sector, the relevant legislation and the type of issues involved, the date of completion and the outcome.
Given the significance of this development, it’s surprising that the ICO has (1) chosen to release it with limited fanfare, and (2) buried the data sets on its website. Indeed, it seems to have flown almost entirely under the radar.
Understanding whether their breach or complaint will be publicised by European regulators is one of – if not the – main concern that organisations have when working through an incident, and the answer has usually been no. That is particularly the understanding or assumption where the breach or complaint is closed without regulatory enforcement. Now, at least in the UK, the era of relative anonymity looks to be over.
Despite the lack of fanfare around the announcement, this naming and shaming approach could make the ICO one of the more aggressive privacy regulators in Europe. In the future, claimant firms in class action lawsuits may adopt “US-style practices” of scanning the ICO database to find evidence of repeat offending or possible new cases.
The news comes even as data reveals the value of ICO fines issued in the past year tripled from the previous 12 months. In the year ending October 31 2022, the regulator issued fines worth £15.2m, up from £4.8m the previous year. The sharp increase in the value of fines shows the ICO’s increasing willingness selectively to crack down on businesses – particularly those that the ICO perceives has not taken adequate measures to protect customer and employee data.
https://www.infosecurity-magazine.com/news/uk-privacy-regulator-names-and/
Threats
Ransomware, Extortion and Destructive Attacks
20 companies affected by major ransomware attacks in 2021 | TechTarget
NCC Group: Ransomware attacks increased 41% in November | TechTarget
Adversarial risk in the age of ransomware - Help Net Security
FIN7 hackers create auto-attack platform to breach Exchange servers (bleepingcomputer.com)
Ransomware Uses New Exploit to Bypass ProxyNotShell Mitigations | SecurityWeek.Com
British newspaper The Guardian says it’s been hit by ransomware | TechCrunch
Play ransomware actors bypass ProxyNotShell mitigations | TechTarget
FIN7 Cyber crime Syndicate Emerges as Major Player in Ransomware Landscape (thehackernews.com)
Vice Society ransomware gang is using a custom locker - Security Affairs
NIO suffers user data breach, hacker demands $2.25 million worth of bitcoin - CnEVPost
German industrial giant ThyssenKrupp targeted in a cyber attack - Security Affairs
Paying Ransom: Why Manufacturers Shell Out to Cyber criminals (darkreading.com)
France Seeks to Protect Hospitals After Series of Cyber attacks | SecurityWeek.Com
Fire and rescue service in Victoria, Australia, confirms cyber attack - Security Affairs
Play Ransomware Gang Lay Claims For Cyber Attack On H-Hotels (informationsecuritybuzz.com)
Evolving threats and broadening responses to Ransomware in the UAE - Security Boulevard
Phishing & Email Based Attacks
Five Best Practices for Consumers to Beat Phishing Campaigns This Holiday Season - CPO Magazine
Hackers continue to exploit hijacked MailChimp accounts in cyber crime campaigns (bitdefender.com)
Holiday Spam, Phishing Campaigns Challenge Retailers (darkreading.com)
Email hijackers scam food out of businesses, not just money • The Register
Telling users to ‘avoid clicking bad links’ still isn’t working - NCSC.GOV.UK
“Suspicious login” scammers up their game – take care at Christmas – Naked Security (sophos.com)
Simple Steps to Avoid Phishing Attacks During This Festive season | Tripwire
BEC – Business Email Compromise
Telling users to ‘avoid clicking bad links’ still isn’t working - NCSC.GOV.UK
What happens once scammers receive funds from their victims - Help Net Security
Other Social Engineering; Smishing, Vishing, etc
2FA/MFA
Why Security Teams Shouldn't Snooze on MFA Fatigue (darkreading.com)
Comcast Xfinity accounts hacked in widespread 2FA bypass attacks (bleepingcomputer.com)
Malware
Malicious ‘SentinelOne’ PyPI package steals data from developers (bleepingcomputer.com)
Glupteba Botnet Continues to Thrive Despite Google's Attempts to Disrupt It (thehackernews.com)
Ukraine's DELTA military system users targeted by info-stealing malware (bleepingcomputer.com)
Sophisticated DarkTortilla Malware Serves Imposter Cisco, Grammarly Pages (darkreading.com)
Trojanized Windows 10 installers compromised the Ukrainian government | SC Media (scmagazine.com)
Raspberry Robin Worm Targets Telcos & Governments (darkreading.com)
Raspberry Robin worm drops fake malware to confuse researchers (bleepingcomputer.com)
Number of command-and-control servers spiked in 2022: report - The Record by Recorded Future
Mobile
GodFather Android malware targets 400 banks, crypto exchanges (bleepingcomputer.com)
Godfather makes banking apps an offer they can’t refuse • The Register
T-Mobile hacker gets 10 years for $25 million phone unlock scheme (bleepingcomputer.com)
Botnets
Glupteba Botnet Continues to Thrive Despite Google's Attempts to Disrupt It (thehackernews.com)
Zerobot malware now spreads by exploiting Apache vulnerabilities (bleepingcomputer.com)
Flaws within IoT devices exploited by the Zerobot botnet (izoologic.com)
Zerobot Adds Brute Force, DDoS to Its IoT Attack Arsenal (darkreading.com)
Denial of Service/DoS/DDOS
DDoS Attacks are Slowly Growing in the Technology Era (analyticsinsight.net)
Zerobot Adds Brute Force, DDoS to Its IoT Attack Arsenal (darkreading.com)
BYOD
Internet of Things – IoT
Millions of IP cameras around the world are unprotected | TechRadar
Zerobot Adds Brute Force, DDoS to Its IoT Attack Arsenal (darkreading.com)
Throw away all your Eufy cameras right now | Android Central
Read what Anker’s customer support is telling worried Eufy camera owners - The Verge
Amazon Ring Cameras Used in Nationwide ‘Swatting’ Spree, US Says - Bloomberg
Connected homes are expanding, so is attack volume - Help Net Security
Security Risks, Serious Vulnerabilities Rampant Among XIoT Devices in the Workplace - CPO Magazine
Data Breaches/Leaks
LastPass users: Your info and password vault data are now in hackers’ hands | Ars Technica
Okta's source code stolen after GitHub repositories hacked (bleepingcomputer.com)
McGraw Hill's S3 buckets exposed 100,000 students' grades • The Register
NIO suffers user data breach, hacker demands $2.25 million worth of bitcoin - CnEVPost
Shoemaker Ecco leaks over 60GB of sensitive data for 500+ days - Security Affairs
Restaurant CRM platform ‘SevenRooms’ confirms breach after data for sale (bleepingcomputer.com)
Leading sports betting firm BetMGM discloses data breach (bleepingcomputer.com)
Organised Crime & Criminal Actors
'Russian hackers' help two New York men game JFK taxi system - CyberScoop
What happens once scammers receive funds from their victims - Help Net Security
[FIN7] Fin7 Unveiled: A deep dive into notorious cyber crime gang - PRODAFT
Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain
FTX's alleged run-of-the-mill frauds depended entirely on crypto (yahoo.com)
GodFather Android malware targets 400 banks, crypto exchanges (bleepingcomputer.com)
Two associates of Sam Bankman-Fried plead guilty to fraud charges in FTX fall | FTX | The Guardian
North Korea-linked hackers stole $626M in virtual assets in 2022 - Security Affairs
Insider Risk and Insider Threats
Fraud, Scams & Financial Crime
FTX's alleged run-of-the-mill frauds depended entirely on crypto (yahoo.com)
“Suspicious login” scammers up their game – take care at Christmas – Naked Security (sophos.com)
Fraudulent ‘popunder’ Google Ad campaign generated millions of dollars • The Register
Over 67,000 DraftKings Betting Accounts Hit by Hackers (gizmodo.com)
What happens once scammers receive funds from their victims - Help Net Security
T-Mobile hacker gets 10 years for $25 million phone unlock scheme (bleepingcomputer.com)
Google Ad fraud campaign used adult content to make millions (bleepingcomputer.com)
Two associates of Sam Bankman-Fried plead guilty to fraud charges in FTX fall | FTX | The Guardian
Inside The Next-Level Fraud Ring Scamming Billions Off Holiday Retailers (darkreading.com)
Supply Chain and Third Parties
Cloud/SaaS
McGraw Hill's S3 buckets exposed 100,000 students' grades • The Register
AWS simplifies Simple Storage Service to prevent data leaks • The Register
New Brand of Security Threats Surface in the Cloud (darkreading.com)
Google WordPress Plug-in Bug Allows AWS Metadata Theft (darkreading.com)
Security on a Shoestring? Cloud, Consolidation Best Bets for Businesses (darkreading.com)
Hybrid/Remote Working
Attack Surface Management
Encryption
API
Open Source
Passwords, Credential Stuffing & Brute Force Attacks
LastPass admits attackers copied password vaults • The Register
LastPass users: Your info and password vault data are now in hackers’ hands | Ars Technica
Social Media
Malvertising
Fraudulent ‘popunder’ Google Ad campaign generated millions of dollars • The Register
Don't click too quick! FBI warns of malicious search engine ads | Tripwire
Google Ad fraud campaign used adult content to make millions (bleepingcomputer.com)
Parental Controls and Child Safety
Buggy parental-control apps could allow device takeover • The Register
Children And The Dangers Of The Virtual World (informationsecuritybuzz.com)
Regulations, Fines and Legislation
TSB fined nearly $60m for platform migration disaster • The Register
FCC proposes record-breaking $300 million fine against robocaller (bleepingcomputer.com)
France Fines Microsoft 60 Million Euros Over Advertising Cookies | SecurityWeek.Com
The long, long reach of the UK’s national security laws | Financial Times
Governance, Risk and Compliance
Make sure your company is prepared for the holiday hacking season - Help Net Security
The benefit of adopting a hacker mindset for building security strategies - Help Net Security
Careers, Working in Cyber and Information Security
CISO roles continue to expand beyond technical expertise - Help Net Security
UK secret services wants ‘corkscrew thinkers’ for new cyber force | News | The Times
Law Enforcement Action and Take Downs
Privacy, Surveillance and Mass Monitoring
France Fines Microsoft 60 Million Euros Over Advertising Cookies | SecurityWeek.Com
What is surveillance capitalism? - Definition from WhatIs.com (techtarget.com)
Google Maps: Important reason you should blur your house on Street View (ladbible.com)
Blur Your House ASAP if It's on Google Maps. Here's Why - CNET
Artificial Intelligence
Threat Modeling in the Age of OpenAI's Chatbot (darkreading.com)
This is how OpenAI's ChatGPT can be used to launch cyber attacks (techmonitor.ai)
Misinformation, Disinformation and Propaganda
Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine
State level cyber attacks – Why and how (ukdefencejournal.org.uk)
The risk of escalation from cyber attacks has never been greater | Ars Technica
Ukraine's DELTA military system users targeted by info-stealing malware (bleepingcomputer.com)
Trojanized Windows 10 installers compromised the Ukrainian government | SC Media (scmagazine.com)
NATO-Member Oil Refinery Targeted in Russian APT Blitz Against Ukraine (darkreading.com)
Russian APT Gamaredon Changes Tactics in Attacks Targeting Ukraine | SecurityWeek.Com
Kremlin-linked hackers tried to spy on oil firm in NATO country, researchers say | CNN Politics
‘Our weapons are computers’: Ukrainian coders aim to gain battlefield edge | Ukraine | The Guardian
The long, long reach of the UK’s national security laws | Financial Times
UK secret services wants ‘corkscrew thinkers’ for new cyber force | News | The Times
Nation State Actors
Nation State Actors – Russia
Nation State Actors – China
Apple accused of censoring apps in Hong Kong and Russia • The Register
The long, long reach of the UK’s national security laws | Financial Times
Nation State Actors – North Korea
Vulnerability Management
Open source vulnerabilities add to security debt - Help Net Security
Top 5 Vulnerabilities Routinely Exploited by Threat Actors in 2022 (socradar.io)
Over 50 New CVE Numbering Authorities Announced in 2022 | SecurityWeek.Com
A Guide to Efficient Patch Management with Action1 (thehackernews.com)
Digging into the numbers one year after Log4Shell | SC Media (scmagazine.com)
Vulnerabilities
Critical Windows code-execution vulnerability went undetected until now | Ars Technica
FoxIt Patches Code Execution Flaws in PDF Tools | SecurityWeek.Com
Old vulnerabilities in Cisco products actively exploited in the wild - Security Affairs
OWASSRF: CrowdStrike Identifies New Method for Bypassing ProxyNotShell Mitigations
Microsoft reports macOS Gatekeeper has an 'Achilles' heel • The Register
Microsoft will turn off Exchange Online basic auth in January (bleepingcomputer.com)
Cisco’s Talos security bods predict new wave of Excel Hell • The Register
Microsoft pushes emergency fix for Windows Server Hyper-V VM issues (bleepingcomputer.com)
Ransomware Uses New Exploit to Bypass ProxyNotShell Mitigations | SecurityWeek.Com
Zerobot malware now spreads by exploiting Apache vulnerabilities (bleepingcomputer.com)
Two New Security Flaws Reported in Ghost CMS Blogging Software (thehackernews.com)
Critical Security Flaw Reported in Passwordstate Enterprise Password Manager (thehackernews.com)
This critical Windows security flaw could be as serious as WannaCry, experts claim | TechRadar
Google WordPress Plug-in Bug Allows AWS Metadata Theft (darkreading.com)
Microsoft Details Gatekeeper Bypass Vulnerability in Apple macOS Systems (thehackernews.com)
Tools and Controls
Companies overwhelmed by available tech solutions - Help Net Security
Is Enterprise VPN on Life Support or Ripe for Reinvention? | SecurityWeek.Com
Reports Published in the Last Week
Other News
The Growing Risk Of Malicious QR Codes (informationsecuritybuzz.com)
NASA infosec again falls short of required standard • The Register
US Joint Cyber Force Elevated to Newest Subordinate Unified Command - MSSP Alert
The Rise of the Rookie Hacker - A New Trend to Reckon With (thehackernews.com)
What enumeration attacks are and how to prevent them | TechTarget
US consumers seriously concerned over their personal data | CSO Online
The FBI is worried about wave of crime against small businesses (cnbc.com)
Sector Specific
Industry specific threat intelligence reports are available.
Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.
· Automotive
· Construction
· Critical National Infrastructure (CNI)
· Defence & Space
· Education & Academia
· Energy & Utilities
· Estate Agencies
· Financial Services
· FinTech
· Food & Agriculture
· Gaming & Gambling
· Government & Public Sector (including Law Enforcement)
· Health/Medical/Pharma
· Hotels & Hospitality
· Insurance
· Legal
· Manufacturing
· Maritime
· Oil, Gas & Mining
· OT, ICS, IIoT, SCADA & Cyber-Physical Systems
· Retail & eCommerce
· Small and Medium Sized Businesses (SMBs)
· Startups
· Telecoms
· Third Sector & Charities
· Transport & Aviation
· Web3
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Threat Briefing 11 November 2022
Black Arrow Cyber Threat Briefing 11 November 2022:
-Research Finds Organisations Lack Tools and Teams to Address Cyber Security Threats
-Some 98% of Global Firms Suffer Supply Chain Breach in 2021
-Only 30% of Cyber Insurance Holders Say Ransomware is Covered
-Companies Hit by Ransomware Often Targeted Again, Research Says
-Ransomware Remains Top Cyber Risk for Organisations Globally, Says Allianz
-How Geopolitical Turmoil Changed the Cyber Security Threat Landscape
-Swiss Re Wants Government Bail Out academias Cyber Crime Insurance Costs Spike
-Extortion Economics: Ransomware's New Business Model
-Confidence in Data Recovery Tools Low
-Russia’s Sway Over Criminal Ransomware Gangs Is Coming into Focus
-Insider Risk on the Rise: 12% of Employees Take IP When Leaving Jobs
-Why a Clear Cyber Policy is Critical for Companies
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
Research Finds Organisations Lack Tools and Teams to Address Cyber Security Threats
In research conducted in the summer of 2022 by BlackBerry, the findings describe the situation facing organisations regardless of size or vertical.
The survey of 405 senior IT, networking, and security decision-makers in the US, Canada, and the UK revealed 83% of organisations agreed building cyber security programs is expensive due to required tools, licenses, and personnel, and 80% agreed it’s challenging to fill specialised security roles. Most organisations (78%) have an incident management process, but about half (49%) agree they lack the teams and tools to be effective 24x7x365. Evolving security threats (53%) and the task of integrating new technology (53%) are cited as top challenges in maintaining security posture.
While it’s likely these findings surprise no one, they do reveal the challenges facing organisations who are caught between limited resources and increased risk. The urgency increases if we look at the critical infrastructure that keeps things running–like utilities, banks, transportation, key suppliers, industrial controls, and more.
Some 98% of Global Firms Suffer Supply Chain Breach in 2021
Just 2% of global organisations didn’t suffer a supply chain breach last year, with visibility into cyber risk getting harder as these ecosystems expand, according to BlueVoyant.
The security firm polled 2100 C-level execs with responsibility for supply chain and cyber risk management from companies with 1000+ employees to compile its study, The State of Supply Chain Defense: Annual Global Insights Report 2022.
It found the top challenges listed by respondents were:
Awareness internally that third-party suppliers are part of their cyber security posture
Meeting regulatory requirements and ensuring third-party cyber security compliance
Working with third-party suppliers to improve their posture.
Supply chains are growing: the number of firms with over 1000 suppliers increased from 38% in 2021’s report to 50%. Although 53% of organisations audited or reported on supplier security more than twice annually, 40% still rely on suppliers to ensure security levels are sufficient. That means they have no way of knowing if an issue arises with a supplier.
Worse, 42% admitted that if they do discover an issue in their supply chain and inform their supplier, they cannot verify that the issue was resolved. Just 3% monitor their supply chain daily, although the number of respondents using security ratings services to enhance visibility and reduce cyber risk increased from 36% last year to 39% in this year’s report.
With the escalating threat landscape and number of high-profile incidents being reported, firms should focus more strategically on addressing supply chain cyber security risk. In the current volatile economic climate, the last thing any business needs is any further disruption to their operations, any unexpected costs, or negative impact on their brand.
https://www.infosecurity-magazine.com/news/98-global-firms-supply-chain/
Only 30% of Cyber Insurance Holders Say Ransomware is Covered
Cyber insurance providers appear to be limiting policy coverage due to surging costs from claimants, according to a new study from Delinea.
The security vendor polled 300 US-based IT decision makers to compile its latest report, Cyber insurance: if you get it be ready to use it.
Although 93% were approved for specialised cyber insurance cover by their provider, just 30% said their policy covered “critical risks” including ransomware, ransom negotiations and payments. Around half (48%) said their policy covers data recovery, while just a third indicated it covers incident response, regulatory fines and third-party damages.
That may be because many organisations are regularly being breached and look to their providers for pay-outs, driving up costs for carriers. Some 80% of those surveyed said they’ve had to call on their insurance, and half of these have submitted claims multiple times, the study noted.
As a result, many insurers are demanding that prospective policyholders implement more comprehensive security controls before they’re allowed to sign up.
Half (51%) of respondents said that security awareness training was a requirement, while (47%) said the same about malware protection, AV software, multi-factor authentication (MFA) and data backups.
However, high-level checks may not be enough to protect insurers from surging losses, as they can’t guarantee customers are properly deploying security controls.
Cyber insurance providers need to start advancing beyond simple checklists for security controls. They must require their customers to validate that their security controls work as designed and expected. They need their customers to simulate their adversaries to ensure that when they are attacked, the attack will not result in a breach. In fact, we're already starting to see government regulations and guidance that includes adversary simulation as part of their proactive response to threats.
https://www.infosecurity-magazine.com/news/cyberinsurance-ransomware-cover/
Companies Hit by Ransomware Often Targeted Again, Research Says
It has been reported that more than a third of companies who paid a ransom to cyber criminals after being hit by a ransomware attack went on to be targeted for a second time, according to a new report.
The Hiscox Cyber Readiness Report found that 36% of companies that made the ransom payment were hit again, while 41% who paid failed to recover all of their data.
The head of the UK’s National Cyber Security Centre (NCSC), Lindy Cameron, said last year that ransomware attacks were the “most immediate danger” to the UK and urged companies to take more steps to protect themselves and their data.
The NCSC urges firms not to pay ransoms as it not only helps fund further crime but offers no guarantee that criminals will return the stolen or locked data. The Hiscox report appeared to back up the NCSC’s warnings, with 43% of the businesses who paid a ransom saying they still had to rebuild their systems while 29% said that despite making the payment their stolen data was still leaked. A further 26% said a ransomware attack had had a significant financial impact on their business.
Ransomware Remains Top Cyber Risk for Organisations Globally, Says Allianz
According to an Allianz Global Corporate & Specialty cyber report, ransomware remains a top cyber risk for organisations globally, while the threat of state-sponsored cyber attacks grows.
There were a record 623 million attacks in 2021, which was double that of 2020, says Allianz.
It also notes that despite the frequency reducing 23% globally during H1 of 2022, the year-to-date total still exceeds that of the full years of 2017, 2018 and 2019, while Europe saw attacks surge over this period. Allianz suggests that ransomware is forecast to cause $30bn in damages to organisations globally by 2023.
It adds that from an Allianz perspective, the value of ransomware claims the company was involved in together with other insurers, accounted for well over 50% of all cyber claims costs during 2020 and 2021.
The cyber risk landscape doesn’t allow for any resting on laurels. Ransomware and phishing scams are as active as ever and on top of that there is the prospect of a hybrid cyber war.
Most companies will not be able to evade a cyber threat. However, it is clear that organisations with good cyber maturity are better equipped to deal with incidents. Even when they are attacked, losses are typically less severe due to established identification and response mechanisms.
Many companies still need to strengthen their cyber controls, particularly around IT security trainings, better network segmentation for critical environments and cyber incident response plans and security governance.
Allianz observes that geopolitical tensions, such as the war in Ukraine, are a major factor reshaping the cyber threat landscape as the risks of espionage, sabotage, and destructive cyber-attacks against companies with ties to Russia and Ukraine increase, as well as allies and those in neighbouring countries.
How Geopolitical Turmoil Changed the Cyber Security Threat Landscape
ENISA, EU’s Agency for Cybersecurity, released its annual Threat Landscape report, covering the period from July 2021 up to July 2022.
With more than 10 terabytes of data stolen monthly, ransomware still fares as one of the prime threats in the new report with phishing now identified as the most common initial vector of such attacks. The other threats to rank highest along ransomware are attacks against availability also called Distributed Denial of Service (DDoS) attacks.
However, the geopolitical situations particularly the Russian invasion of Ukraine have acted as a game changer over the reporting period for the global cyber domain. While we still observe an increase of the number of threats, we also see a wider range of vectors emerge such as zero-day exploits and AI-enabled disinformation and deepfakes. As a result, more malicious and widespread attacks emerge having more damaging impact.
EU Agency for Cybersecurity Executive Director, Juhan Lepassaar stated that “Today’s global context is inevitably driving major changes in the cyber security threat landscape. The new paradigm is shaped by the growing range of threat actors. We enter a phase which will need appropriate mitigation strategies to protect all our critical sectors, our industry partners and therefore all EU citizens.”
State sponsored, cyber crime, hacker-for-hire actors and hacktivists remain the prominent threat actors during the reporting period of July 2021 to July 2022.
ENISA sorted threats into 8 groups. Frequency and impact determine how prominent all of these threats still are.
Ransomware: 60% of affected organisations may have paid ransom demands
Malware: 66 disclosures of zero-day vulnerabilities observed in 2021
Social engineering: Phishing remains a popular technique but we see new forms of phishing arising such as spear-phishing, whaling, smishing and vishing
Threats against data: Increasing in proportionally to the total of data produced
Disinformation – misinformation: Escalating AI-enabled disinformation, deepfakes and disinformation-as-a-service
Supply chain targeting: Third-party incidents account for 17% of the intrusions in 2021 compared to less than 1% in 2020
Threats against availability:
Largest denial of service (DDoS) attack ever was launched in Europe in July 2022
Internet: destruction of infrastructure, outages and rerouting of internet traffic.
https://www.helpnetsecurity.com/2022/11/08/cybersecurity-threat-landscape-2022/
Swiss Re Wants Government Bail Out as Cyber Crime Insurance Costs Spike
As insurance companies struggle to stay afloat amid rising cyber claims, Swiss Re has recommended a public-private partnership insurance scheme with one option being a government-backed fund to help fill the coverage gap.
Global cyber insurance premiums hit $10 billion in 2021, according to Swiss Re's estimates. In a study published this week, the insurance giant forecasted 20 percent annual growth to 2025, with premiums rising to $23 billion over the next few years.
Meanwhile, annual cyber attack-related losses total about $945 billion globally, and about 90% of that risk remains uninsured, according to insurance researchers at the Geneva Association.
While Forrester estimates a typical data breach costs an average $2.4 million for investigation and recovery, only 55 percent of companies currently have cyber insurance policies. Additionally, less than 20 percent have coverage limits in excess of $600,000, which the analyst firm cites as the median ransomware demand in 2021.
https://www.theregister.com/2022/11/08/government_cyber_insurance/
Extortion Economics: Ransomware's New Business Model
Ransomware-as-a-service lowers the barriers to entry, hides attackers’ identities, and creates multitier, specialised roles in service of ill-gotten gains.
Did you know that more than 80% of ransomware attacks can be traced to common configuration errors in software and devices? This ease of access is one of many reasons why cyber criminals have become emboldened by the underground ransomware economy.
And yet many threat actors work within a relatively small and interconnected ecosystem of players. This pool of cyber criminals has created specialised roles and consolidated the cyber crime economy, fuelling ransomware-as-a-service (RaaS) to become the dominant business model. In doing so, they've enabled a wider range of criminals to deploy ransomware regardless of their technical expertise and forced all of us to become cyber security defenders in the process.
Ransomware takes advantage of existing security compromises to gain access to internal networks. In the same way businesses hire gig workers to cut costs, cyber criminals have turned to renting or selling their ransomware tools for a portion of the profits rather than performing the attacks themselves.
This flourishing RaaS economy allows cyber criminals to purchase access to ransomware payloads and data leakage, as well as payment infrastructure. What we think of as ransomware gangs are actually RaaS programs like Conti or REvil, used by the many different actors who switch between RaaS programs and payloads.
RaaS lowers the barrier to entry and obfuscates the identity of the attackers behind the ransoming. Some programs can have 50 or more "affiliates," as they refer to their users, with varying tools, tradecraft, and objectives. Anyone with a laptop and credit card who is willing to search the Dark Web for penetration-testing tools or out-of-the-box malware can join this maximum efficiency economy.
https://www.darkreading.com/microsoft/extortion-economics-ransomware-s-new-business-model
Confidence in Data Recovery Tools Low
A recent IDC and Druva survey asked 505 respondents across 10 industries about their ransomware experiences and found that many organisations struggle to recover after an attack. In the survey, 85% of the respondents said their organisations had a ransomware recovery plan. The challenge seems to lie in effectively executing that plan.
"A majority of organisations suffered significant consequences from ransomware attacks including long recoveries and unrecoverable data despite paying a ransom," states the "You Think Ransomware Is Your Only Problem? Think Again" report.
Data resiliency is such an important element of cyber security that 96% of respondents considered it a top priority for their organisations, with a full 77% placing it in the top 3. What's striking about the survey results is that only 14% of respondents said they were "extremely confident" in their tools, even though 92% called their data resiliency tools "efficient" or "highly efficient."
When data is spread across hybrid, cloud, and edge environments, data resiliency becomes much more complicated. A plan might seem to cover everything, but then you realise that you lost your backup or can't find the latest restore point.
The ability to recover from an attack is vital, since the growth in ransomware makes it likely that your organisation will get hit. This is why agencies like NIST recommend preparing for when an attacker pierces your defences rather than trying to keep out every intruder. That mindset also shifts the priority to preparation and planning; you need to create a disaster recovery plan that includes policy on restore points and recovery tools — and you need to practice implementing that plan before disaster strikes.
The report lists three key performance indicators that reveal the success of an organisation's recovery from a cyber attack:
The ability to fully recover encrypted or deleted data without paying a ransom.
Zero data loss in the process of recovering the data.
Rapid recovery as defined by applicable service-level requirements.
When a recovery fails to meet these criteria, then the organisation may suffer financial loss, loss of reputation, permanently lost customers, and reduced employee productivity.
https://www.darkreading.com/tech-trends/confidence-in-data-recovery-tools-low
Russia’s Sway Over Criminal Ransomware Gangs Is Coming into Focus
Russia-based ransomware gangs are some of the most prolific and aggressive, in part thanks to an apparent safe harbour the Russian government extends to them. The Kremlin doesn't cooperate with international ransomware investigations and typically declines to prosecute cyber criminals operating in the country so long as they don't attack domestic targets. A long-standing question, though, is whether these financially motivated hackers ever receive directives from the Russian government and to what extent the gangs are connected to the Kremlin's offensive hacking. The answer is starting to become clearer.
New research presented at the Cyberwarcon security conference in Arlington, Virginia, this week looked at the frequency and targeting of ransomware attacks against organisations based in the United States, Canada, the United Kingdom, Germany, Italy, and France in the lead-up to these countries' national elections. The findings suggest a loose but visible alignment between Russian government priorities and activities and ransomware attacks leading up to elections in the six countries.
The project analysed a data set of over 4,000 ransomware attacks perpetrated against victims in 102 countries between May 2019 and May 2022. The analysis showed a statistically significant increase in ransomware attacks from Russia-based gangs against organisations in the six victim countries ahead of their national elections. These nations suffered the most total ransomware attacks per year in the data set, about three-quarters of all the attacks.
The data was used to compare the timing of attacks for groups believed to be based out of Russia and groups based everywhere else. They looked at the number of attacks on any given day, and what they found was an interesting relationship where for these Russia-based groups, there was an increase in the number of attacks starting four months before an election and moving three, two, one month in, up to the event.
The findings showed broadly that non-Russian ransomware gangs didn't have a statistically significant increase in attacks in the lead-up to elections. Whereas two months out from a national election, for example, the researchers found that organisations in the six top victim countries were at a 41 percent greater chance of having a ransomware attack from a Russia-based gang on a given day, compared to the baseline.
https://www.wired.com/story/russia-ransomware-gang-connections/
Insider Risk on the Rise: 12% of Employees Take IP When Leaving Jobs
Twelve percent of all employees take sensitive intellectual property (IP) with them when they leave an organisation.
The data comes from workforce cyber intelligence and security company Dtex, which published a report about top insider risk trends for 2022. “Customer data, employee data, health records, sales contacts, and the list goes on,” reads the document. “More and more applications are providing new features that make data exfiltration easier. For example, many now provide the ability to maintain clipboard history and sync across multiple devices.”
Case in point, the report also suggests a 55% increase in unsanctioned application usage, including those making data exfiltration easier by allowing users to maintain clipboard history and sync IP across multiple devices. “Bring Your Own Applications (BYOA) or Shadow IT can be a source of intelligence for business innovation,” Dtex wrote. “Still, they pose a major risk if the security team has not tested these tools thoroughly.”
Further, the new data highlight a 20% increase in resignation letter research and creation from employees taking advantage of the tight labour market to switch positions for higher wages.
“In most cases, an individual planning to leave the business is not pleased with the company’s product, co-workers, work environment, or compensation,” reads the report. “Disgruntled employees are usually jaded by a business that has not shown any steps to alleviate concerns, even after communication attempts.”
Finally, the Dtex report says the industry has witnessed a 200% increase in unsanctioned third-party work on corporate devices from a high prevalence of employees engaged in side gigs.
https://www.infosecurity-magazine.com/news/12-of-employees-take-ip-when/
Why a Clear Cyber Policy is Critical for Companies
In October, Joe Sullivan, Uber’s former head of security, was convicted of covering up a 2016 data breach at the ride hailing giant by hiding details from US regulators and then paying off the hackers.
It was a trial followed nervously by cyber security professionals around the world — coming eight years after an incident that had compromised the personal information of more than 57mn people.
“Any news about another company dealing with a data security incident can strike a bit of fear across industries,” notes Mary Pothos, chief privacy officer at digital travel company Booking.com. She adds that incidents like these cause “many companies to pause, rethink or revisit their internal processes to make sure that they are operating effectively”.
These incidents, and threats, are growing at lightning speed, too. War in Ukraine is now being played out as much in cyber space as on the battlefield. The Covid pandemic has forced businesses to rethink where their employees work, and handle or access data. At the same time, the sheer number of web-connected devices is multiplying.
“We need to be people who can predict what is coming along the line, predict the future, almost” said Victor Shadare, head of cyber security at media company Condé Nast, at a recent FT event on cyber security.
Palo Alto Networks, a specialist security company, found that cyber extortion grew rapidly in 2021. Some 35 new ransomware gangs emerged, the average ransom demand increasing 144 per cent that year to $2.2mn, and the average payment rose by 78 per cent to $541,010.
Meanwhile, cyber security personnel have found themselves hemmed in by increasingly onerous regulations. These include threats of legal action if the right people are not informed about breaches, or if products come to market that are not safe enough. On September 15, for example, the European Commission presented a proposal for a new Cyber Resilience Act to protect consumers from products with inadequate security features.
“New domains of security have sprung up over the past years, so it’s not just an information technology problem any more, it’s really a full company risk issue,” says Kevin Tierney, vice-president of global cyber security at automotive group General Motors. He warns that automated and connected vehicles have thrown up additional threats to be addressed.
“You have to start out with the right governance structure and the right policies and procedures — that’s step one of really getting the company to understand what it needs to do,” he says. These include clear rules on how to disable access to tech equipment, on data protection and storage, on transferring and disposing of data, on using corporate networks, and on reporting any data breaches.
Security experts also tend to agree that there need to be robust systems of governance and accountability, to prevent the sort of trouble that befell Sullivan at Uber. Perhaps most crucially, staff across the organisation, from C-suite to assistants, need to know how to spot and manage a threat.
https://www.ft.com/content/0bb6df09-7d77-4605-aac3-89443ed65a18
Threats
Ransomware and Extortion
Medibank: Hackers release abortion data after stealing Australian medical records - BBC News
Medical data hacked from 10m Australians begins to appear on dark web | World news | The Guardian
How ransomware gangs and malware campaigns are changing - Help Net Security
Thales confirms hackers have released its data on the dark web | Reuters
Most SMBs Fear Ransomware Attack Amid Heightened Geopolitical Tensions - MSSP Alert
Australia to consider banning paying of ransoms to cyber criminals | Reuters
LockBit gang claims to have stolen data from Kearney & Company - Security Affairs
Azov Ransomware is a wiper, destroying data 666 bytes at a time (bleepingcomputer.com)
Ransomware Gang Offers to Sell Files Stolen From Continental for $50 Million | SecurityWeek.Com
Canadian food retail giant Sobeys hit by Black Basta ransomware (bleepingcomputer.com)
LockBit affiliate uses Amadey Bot malware to deploy ransomware (bleepingcomputer.com)
Russia-linked IRIDIUM APT linked to Prestige ransomware attacks against Ukraine - Security Affairs
US Health Dept warns of Venus ransomware targeting healthcare orgs (bleepingcomputer.com)
Ransomware attacks on hospitals take toll on patients (nbcnews.com)
Hackers post Hereford schoolchildren's data records on dark web | Hereford Times
CISA and Spain Partnership to Develop Tool to Help Countries Combat Ransomware - MSSP Alert
Phishing & Email Based Attacks
Phishing threats are increasingly convincing and evasive - Help Net Security
Robin Banks phishing-as-a-service platform continues to evolve - Security Affairs
Phishing drops IceXLoader malware on thousands of home, corporate devices (bleepingcomputer.com)
Massive Phishing Campaigns Target India Banks’ Clients (trendmicro.com)
BEC – Business Email Compromise
Malware
Phishing drops IceXLoader malware on thousands of home, corporate devices (bleepingcomputer.com)
Cloud9 Malware Offers a Paradise of Cyber attack Methods (darkreading.com)
More malware is being hidden in PNG images, so watch out | TechRadar
Attackers Using IPFS for Distributed, Bulletproof Malware Hosting | SecurityWeek.Com
Malicious extension lets attackers control Google Chrome remotely (bleepingcomputer.com)
New hacking group uses custom 'Symatic' Cobalt Strike loaders (bleepingcomputer.com)
New StrelaStealer malware steals your Outlook, Thunderbird accounts (bleepingcomputer.com)
Mobile
5 Common Smartphone Security Myths, Debunked (makeuseof.com)
Oh, look: More malware in the Google Play store • The Register
Malicious app in the Play Store spotted distributing Xenomorph Banking Trojan - Security Affairs
Malicious droppers on Google Play deliver banking malware to victims - Help Net Security
Samsung phones are being targeted by some seriously shady zero-days | TechRadar
New BadBazaar Android malware linked to Chinese cyber spies (bleepingcomputer.com)
Worok hackers hide new malware in PNGs using steganography (bleepingcomputer.com)
Internet of Things – IoT
Organised Crime & Criminal Actors
An initial access broker claims to have hacked Deutsche Bank - Security Affairs
Cyber crime costs to hit $10.5tn by 2025 hears Saudi forum - Arabian Business
Cyber crime Group OPERA1ER Stole $11M From 16 African Businesses (darkreading.com)
Instagram star gets 11 years for $300m BEC conspiracy • The Register
Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain
FTX says it is probing ‘abnormal transactions’ after potential hack | Financial Times
Kraken's CSO Claims To Have Identified The $600 Million FTX Hacker (coingape.com)
Insider Risk and Insider Threats
Fraud, Scams & Financial Crime
Fifth Of 18 To 34-year-olds Have Fallen Victim To Financial Scams – Information Security Buzz
Ukrainian Cyber Cops Bust $200m Fraud Ring - Infosecurity Magazine (infosecurity-magazine.com)
Retail Sector Prepares for Annual Holiday Cyber crime Onslaught (darkreading.com)
US seized 18 web domains used for recruiting money mules (bleepingcomputer.com)
Insurance
Rising cost of cyber attacks sends insurance policy charges soaring | Financial Times (ft.com)
Just 25% of businesses are insured against cyber attacks. Here's why (theconversation.com)
Re-Focusing Cyber Insurance with Security Validation (thehackernews.com)
Swiss Re: Cyber-Insurance Industry Must Reform - Infosecurity Magazine (infosecurity-magazine.com)
Dark Web
DoJ seizes $3.36B Bitcoin from Silk Road hacker - Security Affairs
Silk Road drugs market hacker pleads guilty, faces 20 years inside – Naked Security (sophos.com)
Supply Chain and Third Parties
Hybrid Working
Attack Surface Management
Identity and Access Management
API
Passwords, Credential Stuffing & Brute Force Attacks
Microsoft Password Hacking Increase – Information Security Buzz
False sense of safety undermines good password hygiene - Help Net Security
Password-hacking attacks are on the rise. Here's how to stop your accounts from being stolen | ZDNET
Social Media
Twitter blue check unavailable after impostor accounts erupt on platform | Twitter | The Guardian
Twitter chief information security officer Lea Kissner departs | TechCrunch
Privacy, Surveillance and Mass Monitoring
World Cup apps pose a data security and privacy nightmare • The Register
Surveillance 'Existential' Danger of Tech: Signal Boss | SecurityWeek.Com
Regulations, Fines and Legislation
Careers, Working in Cyber and Information Security
Three million empty seats: What can we do about the cyber skills shortage? (computerweekly.com)
Cyber security, cloud and coding: Why these three skills will lead demand in 2023 | ZDNET
Cyber security leaders want to quit. Here's what is pushing them to leave | ZDNET
Law Enforcement Action and Take Downs
Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine
Red Cross seeks digital equivalent of its emblems • The Register
Russia’s New Cyberwarfare in Ukraine Is Fast, Dirty, and Relentless | WIRED
EU calls for joint cyber defence in response to Russia • The Register
Nation-State Hacker Attacks on Critical Infrastructure Soar: Microsoft | SecurityWeek.Com
What Ukraine’s cyber defence tactics can teach other nations | Financial Times (ft.com)
Russia-linked IRIDIUM APT linked to Prestige ransomware attacks against Ukraine - Security Affairs
APT29 abused Windows Credential Roaming in attacks - Security Affairs
Dutch MEP says illegal spyware ‘a grave threat to democracy’ | European Commission | The Guardian
Greece Is Banning Spyware After Predator Phone-Tapping Scandal (gizmodo.com)
British embassy security guard David Smith admits spying for Russia - BBC News
Nation State Actors
Nation State Actors – Russia
EU calls for joint cyber defence in response to Russia • The Register
Ukraine war: Russians kept in the dark by internet search - BBC News
Microsoft links Russia’s military to cyber attacks in Poland and Ukraine | Ars Technica
Putin ally Yevgeny Prigozhin admits interfering in US elections | Russia | The Guardian
Russia-linked IRIDIUM APT linked to Prestige ransomware attacks against Ukraine - Security Affairs
Nation State Actors – China
Nation State Actors – Misc
Vulnerability Management
Why CVE Management as a Primary Strategy Doesn't Work (darkreading.com)
Why it's time to review your Microsoft patch management options | CSO Online
Risk-Based Vulnerability Management: Understanding the RBVM Trend (darkreading.com)
How can CISOs catch up with the security demands of their ever-growing networks? - Help Net Security
Microsoft: Nation-state threats, zero-day attacks increasing (techtarget.com)
Types of vulnerability scanning and when to use each (techtarget.com)
Vulnerabilities
Microsoft November 2022 Patch Tuesday fixes 6 exploited zero-days, 68 flaws (bleepingcomputer.com)
VMware fixes three critical auth bypass bugs in remote access tool (bleepingcomputer.com)
Citrix ADC and Citrix Gateway are affected by a critical auth bypass - Security Affairs
Cisco Patches 33 Vulnerabilities in Enterprise Firewall Products | SecurityWeek.Com
Microsoft Patches MotW Zero-Day Exploited for Malware Delivery | SecurityWeek.Com
Apple out-of-band patches fix RCE bugs in iOS and macOS - Security Affairs
Microsoft fixes ProxyNotShell Exchange zero-days exploited in attacks (bleepingcomputer.com)
SAP Patches Critical Vulnerabilities in BusinessObjects, SAPUI5 | SecurityWeek.Com
Lenovo driver goof poses security risk for users of 25 notebook models | Ars Technica
Foxit Patches Several Code Execution Vulnerabilities in PDF Reader | SecurityWeek.Com
LiteSpeed Vulnerabilities Can Lead to Complete Web Server Takeover | SecurityWeek.Com
Reports Published in the Last Week
Other News
What Is Threat Hunting? A Definition for MSPs and Channel Partners - MSSP Alert
Cyber security: These are the new things to worry about in 2023 | ZDNET
What We Really Mean When We Talk About ‘Cyber security’ (darkreading.com)
Personal cyber security is now a company problem - Help Net Security
History of Computer Viruses & Malware | What Was Their Impact? (esecurityplanet.com)
5 Reasons to Consolidate Your Tech Stack (thehackernews.com)
Cookies for MFA Bypass Gain Traction Among Cyber attackers (darkreading.com)
Common lateral movement techniques and how to prevent them (techtarget.com)
Beyond the Pen Test: How to Protect Against Sophisticated Cyber criminals (darkreading.com)
5 ways to overcome multifactor authentication vulnerabilities (techtarget.com)
15,000 sites hacked for massive Google SEO poisoning campaign (bleepingcomputer.com)
Unencrypted Traffic Still Undermining Wi-Fi Security (darkreading.com)
Researchers Devise Wi-Peep Drone That Can 'See Through Walls' (gizmodo.com)
Sector Specific
Industry specific threat intelligence reports are available.
Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.
· Automotive
· Construction
· Critical National Infrastructure (CNI)
· Defence & Space
· Education & Academia
· Energy & Utilities
· Estate Agencies
· Financial Services
· FinTech
· Food & Agriculture
· Gaming & Gambling
· Government & Public Sector (including Law Enforcement)
· Health/Medical/Pharma
· Hotels & Hospitality
· Insurance
· Legal
· Manufacturing
· Maritime
· Oil, Gas & Mining
· OT, ICS, IIoT, SCADA & Cyber-Physical Systems
· Retail & eCommerce
· Small and Medium Sized Businesses (SMBs)
· Startups
· Telecoms
· Third Sector & Charities
· Transport & Aviation
· Web3
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Threat Briefing 05 August 2022
Black Arrow Cyber Threat Briefing 05 August 2022
-Average Cost of Data Breaches Hits Record High of $4.35 Million: IBM
-Researchers Warns of Large-Scale Adversary-in-the-Middle (AiTM) Attacks Targeting Enterprise Users
-UK NHS Suffers Outage After Cyber Attack on Managed Service Provider
-A Third of Organisations Experience a Ransomware Attack Once a Week
-Ransomware Products, Services Ads on Dark Web Show Clues to Danger
-Wolf In Sheep’s Clothing, How Malware Tricks Users and Antivirus
-Microsoft Accounts Targeted with New MFA-Bypassing Phishing Kit
-Cyber Attack Prevention Is Cost-Effective, So Why Aren’t Businesses Investing to Protect?
-Securing Your Move to the Hybrid Cloud
-Lessons from the Russian Cyber Warfare Attacks
-Four Sneaky Attacker Evasion Techniques You Should Know About
-Zero-Day Defence: Tips for Defusing the Threat
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
Average Cost of Data Breaches Hits Record High of $4.35 Million: IBM
The global average cost of data breaches reached an all-time high of $4.35 million in 2022 compared with $4.24 million in 2021, according to a new IBM Security report. About 60% of the breached organisations raised product and services prices due to the breaches.
The annual report, conducted by Ponemon Institute and analysed and sponsored by IBM Security, is based on the analysis of real-world data breaches experienced by 550 organisations globally between March 2021 and March 2022.
According to the report, about 83% of the organisations have experienced more than one breach in their lifetime, with nearly half of the costs reported to be incurred more than a year after the breach.
The report revealed that ransomware and destructive attacks represented 28% of breaches among the critical infrastructure organisations studied, indicating that threat actors are specifically targeting the sector to disrupt global supply chains. The critical infrastructure sector includes financial services, industrial, transportation, and healthcare companies.
Researchers Warns of Large-Scale Adversary-in-the-Middle (AiTM) Attacks Targeting Enterprise Users
A new, large-scale phishing campaign has been observed using adversary-in-the-middle (AitM) techniques to get around security protections and compromise enterprise email accounts.
It uses a technique capable of bypassing multi-factor authentication. The campaign is specifically designed to reach end users in enterprises that use Microsoft's email services.
Prominent targets include fintech, lending, insurance, energy, manufacturing, and federal credit union verticals located in the US, UK, New Zealand, and Australia.
This is not the first time such a phishing attack has come to light. Last month, Microsoft disclosed that over 10,000 organisations had been targeted since September 2021 by means of AitM techniques to breach accounts secured with multi-factor authentication (MFA).
The ongoing campaign, effective June 2022, commences with an invoice-themed email sent to targets containing an HTML attachment, which includes a phishing URL embedded within it.
https://thehackernews.com/2022/08/researchers-warns-of-large-scale-aitm.html
UK NHS Suffers Outage After Cyber Attack on Managed Service Provider
The UK National Health Service (NHS) 111 emergency services were affected by a significant and ongoing outage triggered by a cyber attack that hit the systems of British managed service provider (MSP) Advanced.
Advanced's Adastra client patient management solution, which is used by 85% of NHS 111 services, was hit by a major outage together with several other services provided by the MSP, according to a status page.
"There was a major outage of a computer system that is used to refer patients from NHS 111 Wales to out-of-hours GP providers," the Welsh Ambulance Services said. "This system is used by Local Health Boards to coordinate these services for patients. The ongoing outage is significant and has been far-reaching, impacting each of the four nations in the UK."
The UK public was advised to access the NHS 111 emergency services using the online platform until the incident is resolved.
While no details were provided regarding the nature of the cyber attack, based on the wording, it is likely that this was a ransomware or data extortion attack.
A Third of Organisations Experience a Ransomware Attack Once a Week
Ransomware attacks show no sign of slowing. According to new research published by Menlo Security, a third of organisations experience a ransomware attack at least once a week, with one in 10 experiencing them more than once a day.
The research, conducted among 500+ IT security decision makers at US and UK organisations with more than 1,000 employees, highlights the impact this is having on security professionals’ own wellbeing. When asked what keeps them awake at night, 41% of respondents say they worry about ransomware attacks evolving beyond their team’s knowledge and skillset, while 39% worry about them evolving beyond their company’s security capabilities.
Their biggest concern, however, is the risk of employees ignoring corporate security advice and clicking on links or attachments containing malware (46%). Respondents worry more about this than they do their own job security, with just a quarter (26%) of respondents worried about losing their job.
According to the report, around half of organisations (61% US and 44% UK) have been the victim of a successful ransomware attack in the last 18 months, with customers and prospects the most likely entry point for an attack.
Partners/suppliers and employees/contractors are also seen as serious security risks, although one in 10 admit they are unable to identify how the attacks got in. The top three ransomware attack vectors are email (54%), web browsers via a desktop or laptop (49%) and mobile devices (39%).
https://www.helpnetsecurity.com/2022/08/04/organizations-experience-ransomware-attack/
Ransomware Products and Services Ads on Dark Web Show Clues to Danger
Why is ransomware’s destructive potential so daunting? Some clues are in the “for sale” ads. In an examination of some 35 million dark web URLs, a provider of machine identity management and a forensic specialist found some 475 web pages peddling sophisticated ransomware products and services with a number of high profile crews hawking ransomware-as-a-service.
The work is a joint effort between the Salt Lake City-based Venafi and Forensic Pathways, which took place between November 2021 and March 2022. Researchers used Forensic’s Dark Search Engine to carry out the investigation.
Here are some of the research findings:
87% of the ransomware found on the dark web has been delivered via malicious macros to infect targeted systems.
30 different “brands” of ransomware were identified within marketplace listings and forum discussions.
Many strains of ransomware being sold — such as Babuk, GoldenEye, Darkside/BlackCat, Egregor, HiddenTear and WannaCry — have been successfully used in high-profile attacks.
Ransomware strains used in high-profile attacks command a higher price for associated services. For example, the most expensive listing was $1,262 for a customised version of Darkside ransomware, which was used in the Colonial Pipeline ransomware attack.
Source code listings for well-known ransomware generally command higher price points. For example, Babuk source code is listed for $950 and Paradise source code is selling for $593.
Ransomware Sold for as Little as $1: In addition to a variety of ransomware at various price points, a wide range of services and tools that help make it easier for attackers with minimal technical skills to launch ransomware attacks are for sale on the dark web, Venafi said. Services with the greatest number of listings include those offering source code, build services, custom development services and ransomware packages that include step-by-step tutorials.
Wolf In Sheep’s Clothing: How Malware Tricks Users and Antivirus
One of the primary methods used by malware distributors to infect devices is by deceiving people into downloading and running malicious files, and to achieve this deception, malware authors are using a variety of tricks.
Some of these tricks include masquerading malware executables as legitimate applications, signing them with valid certificates, or compromising trustworthy sites to use them as distribution points.
According to VirusTotal, a security platform for scanning uploaded files for malware, some of these tricks are happening on a much larger scale than initially thought.
The platform has compiled a report presenting stats from January 2021 until July 2022, based on the submission of two million files daily, illustrating trends in how malware is distributed.
Abusing legitimate domains: Distributing malware through legitimate, popular, and high-ranking websites allows threat actors to evade IP-based blocklists, enjoy high availability, and provide a greater level of trust.
Using stolen code-signing certificates: Signing malware samples with valid certificates stolen from companies is a reliable way to evade AV detection and security warnings on the host. Of all the malicious samples uploaded to VirusTotal between January 2021 and April 2022, over a million were signed, and 87% used a valid certificate.
Disguised as popular software: Masquerading a malware executable as a legitimate, popular application has seen an upward trend in 2022. Victims download these files thinking they’re getting the applications they need, but upon running the installers, they infect their systems with malware. The most mimicked applications are Skype, Adobe Acrobat, VLC, and 7zip.
Lacing legitimate installers - Finally, there’s the trick of hiding malware inside legitimate application installers and running the infection process in the background while the real apps execute in the foreground. Based on VirusTotal stats, this practice also appears to be on the rise this year, using Google Chrome, Malwarebytes, Windows Updates, Zoom, Brave, Firefox, ProtonVPN, and Telegram as lures.
Microsoft Accounts Targeted with New MFA-Bypassing Phishing Kit
A new large-scale phishing campaign targeting credentials for Microsoft email services use a custom proxy-based phishing kit to bypass multi-factor authentication.
Researchers believe the campaign's goal is to breach corporate accounts to conduct BEC (business email compromise) attacks, diverting payments to bank accounts under their control using falsified documents.
The phishing campaign's targets include fin-tech, lending, accounting, insurance, and Federal Credit Union organisations in the US, UK, New Zealand, and Australia.
The campaign was discovered by Zscaler's ThreatLabz researchers, who report that the operation is still ongoing, and the phishing actors register new phishing domains almost daily.
Starting in June 2022, Zscaler's analysts noticed a spike in sophisticated phishing attempts against specific sectors and users of Microsoft email services.
Some of the newly registered domains used in the campaign are typo-squatted versions of legitimate domains.
Notably, many phishing emails originated from the accounts of executives working in these organisations, whom the threat actors most likely compromised earlier.
Cyber Attack Prevention Is Cost-Effective, So Why Aren’t Businesses Investing to Protect?
Cyber attacks like ransomware, BEC scams and data breaches are some of the key issues businesses are facing today, but despite the number of high-profile incidents, many boardrooms are reluctant to free up budget to invest in the cyber security measures necessary to avoid becoming the next victim.
In a Help Net Security interview, Former Pentagon Chief Strategy Officer Jonathan Reiber, VP Cyber security Strategy and Policy, AttackIQ, discusses how now, more than ever, companies need to protect themselves from cyber threat actors. He offers insight for CISOs, from talking to the Board to proper budget allocation.
https://www.helpnetsecurity.com/2022/08/01/cyberattack-prevention-investing/
Securing Your Move to the Hybrid Cloud
The combination of private and public cloud infrastructure, which most organisations are already using, poses unique security challenges. There are many reasons why organisations adopt the public cloud, from enabling rapid growth without the burden of capacity planning to leveraging flexibility and agility in delivering customer-centric services. However, this use can leave companies open to threats.
Since regulatory requirements or other preferences dictate that certain applications remain on private (on-prem) infrastructure, many organisations choose to maintain a mix of private and public infrastructure. Additionally, organisations typically use multiple cloud providers simultaneously or preserve the option to move between providers. However, this hybrid approach presents unique and diverse security challenges. Different cloud providers and private cloud platforms may offer similar capabilities but different ways of implementing security controls, along with disparate management tools.
The question then becomes: How can an organisation maintain consistent governance, policy enforcement and controls across different clouds? And how can it ensure that it maintains its security posture when moving between them? Fortunately, there are steps professionals can take to ensure that applications are continuously secure, starting from the early stages of development and extending throughout the lifecycle.
https://threatpost.com/secure-move-cloud/180335/
Lessons from the Russian Cyber Warfare Attacks
Cyber warfare tactics may not involve tanks and bombs, but they often go hand-in-hand with real combat.
The Russian invasion of Ukraine is a prime example. Before Russian troops crossed the border, Russian hackers had already taken down Ukrainian government websites. And after the conflict started, the hacktivist group Anonymous turned the tables by hacking Russian media to shut down propaganda about the war.
In these unprecedented times of targeted attacks against governments and financial institutions, every organisation should be on heightened alert about protecting their critical infrastructure and digital attack surface.
With the Russia-Ukraine conflict as a backdrop, two Trend Micro security experts recently discussed cyber warfare techniques and how they’re an important reminder for every business to proactively manage cyber risk.
https://www.trendmicro.com/en_us/ciso/22/h/russian-cyber-warfare-attacks.html
Four Sneaky Attacker Evasion Techniques You Should Know About
Remember those portrayals of hackers in the 80s and 90s where you just knew when you got pwned? A blue screen of death, a scary message, a back-and-forth text exchange with a hacker—if you got pwned in a movie in the 80s and 90s, you knew it right off the bat.
What a shame that today’s hackers have learned to be quiet when infiltrating an environment. Sure, “loud” attacks like ransomware still exist, but threat actors have learned that if they keep themselves hidden, they can usually do far more damage. For hackers, a little stealth can go a long way. Some attack tactics are inherently quiet, making them arguably more dangerous as they can be harder to detect. Here are four of these attack tactics you should know about.
Trusted Application Abuse: Attackers know that many people have applications that they inherently trust, making those trusted applications the perfect launchpad for cyber attacks. Threat actors know that defenders and the tools they use are often on the hunt for new malware presenting itself in environments. What isn’t so easy to detect is when the malware masquerades under legitimate applications.
Trusted Infrastructure Abuse: Much like trusted application abuse, trusted infrastructure abuse is the act of using legitimate, publicly hosted services and toolsets (such as Dropbox or Google Drive) as part of the attack infrastructure. Threat actors know that people tend to trust Dropbox and Google Drive. As a result, this makes these tools a prime means for threat actors to carry out malicious activity. Threat actors often find trusted infrastructure abuse easy because these services aren’t usually blocked at an enterprise’s gateway. In turn, outbound communications can hide in plain sight.
Obfuscation: Although cyber security has more than its fair share of tedious acronyms, the good news is that many terms can be broken down by their generic dictionary definitions. According to dictionary.com, this is what obfuscate means: “To make something unclear, obscure or difficult to understand.” And that’s exactly what it means in cyber security: finding ways to conceal malicious behaviour. In turn, this makes it more difficult for analysts and the tools they use to flag suspicious or malicious activity.
Persistence: Imagine writing up documentation using your computer, something you may well do in your role. You’ve spent a ton of time doing the research required, finding the right sources and compiling all your information into a document. Now, imagine not hitting save on that document and losing it as soon as you reboot your computer. Sound like a nightmare—or perhaps a real anxiety-inducing experience you’ve been through before? Threat actors agree. And that’s why they establish persistence. They don’t want all of their hard work to get into your systems in the first place to be in vain just because you restart your computer. They establish persistence to make sure they can still hang around even after you reboot.
Zero-Day Defence: Tips for Defusing the Threat
Because they leave so little time to patch and defuse, zero-day threats require a proactive, multi-layered approach based on zero trust.
The recent Atlassian Confluence remote code execution bug is just the latest example of zero-day threats targeting critical vulnerabilities within major infrastructure providers. The specific threat, an Object-Graph Navigation Language (OGNL) injection, has been around for years but took on new significance given the scope of the Atlassian exploit. And OGNL attacks are on the rise.
Once bad actors find such a vulnerability, proof-of-concept exploits start knocking at the door, seeking unauthenticated access to create new admin accounts, execute remote commands, and take over servers. In the Atlassian case, Akamai's threat research team identified that the number of unique IP addresses attempting these exploits grew to more than 200 within just 24 hours.
Defending against these exploits becomes a race against time worthy of a 007 movie. The clock is ticking and you don't have much time to implement a patch and "defuse" the threat before it's too late. But first you need to know that an exploit is underway. That requires a proactive, multi-layered approach to online security based on zero trust.
What do these layers look like? There are a number of different practices that security teams — and their third-party Web application and infrastructure partners — should be aware of.
https://www.darkreading.com/attacks-breaches/zero-day-defense-tips-for-defusing-the-threat
Threats
Ransomware
Reported ransomware attacks are just the tip of the iceberg. That's a problem for everyone | ZDNet
Initial Access Brokers - Key to Rise In Ransomware Attacks (informationsecuritybuzz.com)
Ransomware gangs are hitting roadblocks, but aren't stopping (yet) - Help Net Security
LockBit Ransomware Abuses Windows Defender for Payload Loading | SecurityWeek.Com
German Chambers of Industry and Commerce hit by 'massive' cyber attack (bleepingcomputer.com)
Ransomware Task Force releases SMB blueprint for defence and mitigation (scmagazine.com)
German semiconductor giant Semikron says hackers encrypted its network | TechCrunch
Ransomware Hit on European Pipeline & Energy Supplier Encevo Linked to BlackCat (darkreading.com)
Luxembourg Energy Company Hit by Ransomware | SecurityWeek.Com
Spanish research agency still recovering after ransomware attack (bleepingcomputer.com)
Phishing & Email Based Attacks
Countdown Clock Puts Pressure on Phishing Targets - Infosecurity Magazine
The most impersonated brand in phishing attacks? Microsoft - Help Net Security
Open Redirect Flaw Snags Amex, Snapchat User Data | Threatpost
A new malware threat is spying on users' Gmail inbox — do this before you're next | Laptop Mag
Massive New Phishing Campaign Targets Microsoft Email Service Users (darkreading.com)
North Korean Hackers Use Browser Extension to Spy on Gmail and AOL Accounts - Infosecurity Magazine
Other Social Engineering; SMishing, Vishing, etc
Malware
VirusTotal Reveals Most Impersonated Software in Malware Attacks (thehackernews.com)
Gootkit Loader Resurfaces with Updated Tactic to Compromise Targeted Computers (thehackernews.com)
Woody RAT: A new feature-rich malware spotted in the wild | Malwarebytes Labs
New IoT RapperBot Malware Targeting Linux Servers via SSH Brute-Forcing Attack (thehackernews.com)
New Linux malware brute-forces SSH servers to breach networks (bleepingcomputer.com)
Attackers cause Discord discord with malicious npm packages • The Register
Gootkit AaaS malware is still active and uses updated tactics - Security Affairs
Mobile
Facebook finds new Android malware used by APT hackers (bleepingcomputer.com)
Google Patches Critical Android Bluetooth Flaw in August Security Bulletin - Infosecurity Magazine
Banking trojan finds new routes to accounts by infiltrating Google Play Store (scmagazine.com)
Internet of Things – IoT
Organised Crime & Criminal Actors
Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain
Nearly $200 Million Stolen from Cryptocurrency Bridge Nomad | SecurityWeek.Com
Crypto firm that promised security loses $200 million in 'frenzied free-for-all' hack | PC Gamer
Nomad to crooks: Keep 10% as a bounty, return the rest • The Register
Cyber attackers Drain Nearly $6M From Solana Crypto Wallets (darkreading.com)
Man robbed of $800,000 in cryptocurrency sues Google • The Register
Insider Risk and Insider Threats
Fraud, Scams & Financial Crime
UK Branded Europe’s “Capital of Card Fraud” - Infosecurity Magazine
Huge network of 11,000 fake investment sites targets Europe (bleepingcomputer.com)
Online payment fraud losses accelerate at an alarming rate - Help Net Security
COMMENT: 'Hi Mum, Hi Dad' Scams On The Rise - Britons Already (informationsecuritybuzz.com)
Increase in Fake Tickets Being Sold by Cyber criminals on Social Media - IT Security Guru
AML/CFT/Sanctions
Dark Web
A Ransomware Explosion Fosters Thriving Dark Web Ecosystem (darkreading.com)
The popularity of Dark Utilities 'C2-as-a-Service' rapidly increases - Security Affairs
Software Supply Chain
Cloud/SaaS
Cyber attackers Increasingly Target Cloud IAM as a Weak Link (darkreading.com)
What Worries Security Teams About the Cloud? (darkreading.com)
Who Has Control: The SaaS App Admin Paradox (thehackernews.com)
Enterprises face a multitude of barriers to securing diverse cloud environments - Help Net Security
Open Source
Passwords, Credential Stuffing & Brute Force Attacks
Hackers stole passwords for accessing 140,000 payment terminals | TechCrunch
Credential Canaries Create Minefield for Attackers (darkreading.com)
5 reasons why businesses should never use consumer-grade password managers | TechRadar
Social Media
Hackers Exploit Twitter Vulnerability to Exposes 5.4 Million Accounts (thehackernews.com)
Parliament shuts down TikTok account over China data security concerns (telegraph.co.uk)
Over 3,200 Apps Leak Twitter API Keys, Some Allowing Account Hijacks (informationsecuritybuzz.com)
Increase in Fake Tickets Being Sold by Cyber criminals on Social Media - IT Security Guru
Privacy
Cyber Bullying and Cyber Stalking
Regulations, Fines and Legislation
Most companies are unprepared for CCPA and GDPR compliance - Help Net Security
Data privacy: Collect what you need, protect what you collect | CSO Online
India scraps data protection law, promises better successor • The Register
Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine
Ukraine takes down 1,000,000 bots used for disinformation (bleepingcomputer.com)
Nancy Pelosi ties Chinese cyber-attacks to Taiwan visit • The Register
Spanish Research Center Suffers Cyber attack Linked to Russia | SecurityWeek.Com
Russian organisations attacked with new Woody RAT malware (bleepingcomputer.com)
Greek intelligence spied on journalist with a surveillance spyware - Security Affairs
Rare Pegasus screenshots depict NSO Group's spyware capabilities | AppleInsider
Nation State Actors
Nation State Actors – Russia
Nation State Actors – China
Chinese hackers use new Cobalt Strike-like attack framework (bleepingcomputer.com)
Massive China-Linked Disinformation Campaign Taps PR Firm for Help (darkreading.com)
Parliament shuts down TikTok account over China data security concerns (telegraph.co.uk)
Global network of fake news sites push Chinese propaganda, researchers find - CyberScoop
Taiwanese military reports DDoS in wake of US Speaker visit • The Register
Nation State Actors – North Korea
Nation State Actors – Iran
Nation State Actors – Misc APT
Vulnerabilities
VMware urges admins to patch critical auth bypass bug immediately (bleepingcomputer.com)
Critical RCE Bug in DrayTek Routers Opens SMBs to Zero-Click Attacks (darkreading.com)
Cisco fixes critical remote code execution bug in VPN routers (bleepingcomputer.com)
F5 Fixes 21 Vulnerabilities With Quarterly Security Patches | SecurityWeek.Com
High-Severity Bug in Kaspersky VPN Client Opens Door to PC Takeover (darkreading.com)
Slack Resets Passwords After a Bug Exposed Hashed Passwords for Some Users (thehackernews.com)
VMware Releases Patches for Several New Flaws Affecting Multiple Products (thehackernews.com)
Hackers are actively exploiting password-stealing flaw in Zimbra (bleepingcomputer.com)
Google fixed Critical Remote Code Execution flaw in Android - Security Affairs
CISA adds Zimbra bug to Known Exploited Vulnerabilities Catalogue - Security Affairs
Warning! Critical flaws found in US Emergency Alert System • The Register
Sector Specific
Industry specific threat intelligence reports are available.
Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.
· Automotive
· Construction
· Critical National Infrastructure (CNI)
· Defence & Space
· Education & Academia
· Energy & Utilities
· Estate Agencies
· Financial Services
· FinTech
· Food & Agriculture
· Gaming & Gambling
· Government & Public Sector (including Law Enforcement)
· Health/Medical/Pharma
· Hotels & Hospitality
· Insurance
· Legal
· Manufacturing
· Maritime
· Oil, Gas & Mining
· OT, ICS, IIoT, SCADA & Cyber-Physical Systems
· Retail & eCommerce
· Small and Medium Sized Businesses (SMBs)
· Startups
· Telecoms
· Third Sector & Charities
· Transport & Aviation
· Web3
Other News
APIs attacked in 94% of companies in past year - IT Security Guru
Over 60% of Organisations Expose SSH to the Internet - Infosecurity Magazine
How IT and security teams can work together to improve endpoint security - Microsoft Security Blog
Burnout and attrition impact tech teams sustaining modern digital systems - Help Net Security
Machine learning creates a new attack surface requiring specialized defences - Help Net Security
Cyber security lessons learned from COVID-19 pandemic (techtarget.com)
10 enterprise database security best practices (techtarget.com)
Resolving Availability vs. Security, a Constant Conflict in IT (thehackernews.com)
Tips to prevent RDP and other remote attacks on Microsoft networks | CSO Online
The Myth of Protection Online — and What Comes Next (darkreading.com)
The Importance of Data Security in the Enterprise (techtarget.com)
How IT Teams Can Use 'Harm Reduction' for Better Cyber security Outcomes (darkreading.com)
Businesses lack visibility into run-time threats against mobile apps and APIs - Help Net Security
Browser synchronization abuse: Bookmarks as a covert data exfiltration channel - Help Net Security
Threats emanating from digital ecosystems can be a blind spot for businesses - Help Net Security
Busting the Myths of Hardware Based Security - Security Affairs
New Traffic Light Protocol standard released after five years (bleepingcomputer.com)
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Threat Briefing 29 July 2022
Black Arrow Cyber Threat Briefing 29 July 2022
-1 in 3 Employees Don’t Understand Why Cyber Security Is Important
-As Companies Calculate Cyber Risk, The Right Data Makes a Big Difference
-Only 25% Of Organizations Consider Their Biggest Threat to Be from Inside the Business
-The Global Average Cost of a Data Breach Reaches an All-Time High of $4.35 Million
-Race Against Time: Hackers Start Hunting for Victims Just 15 Minutes After a Bug Is Disclosed
-Ransomware-as-a-Service Groups Forced to Change Tack as Payments Decline
-Phishers Targeted Financial Services Most During H1 2022
-HR Emails Dupe Employees the Most – KnowBe4 research reveals
-84% Of Organizations Experienced an Identity-Related Breach In The Past 18 Months
-Economic Downturn Raises Risk of Insiders Going Rogue
-5 Trends Making Cyber Security Threats Riskier and More Expensive
-Ransomware: Publicly Reported Incidents Are Only the Tip of the Iceberg
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
1 in 3 Employees Don’t Understand Why Cyber Security Is Important
According to a new Tessian report, 30% of employees do not think they personally play a role in maintaining their company’s cyber security posture.
What’s more, only 39% of employees say they’re very likely to report a security incident, making investigation and remediation even more challenging and time-consuming for security teams. When asked why, 42% of employees said they wouldn’t know if they had caused an incident in the first place, and 25% say they just don’t care enough about cyber security to mention it.
Virtually all IT and security leaders agreed that a strong security culture is important in maintaining a strong security posture. Yet, despite rating their organisation’s security 8 out 10, on average, three-quarters of organisations experienced a security incident in the last 12 months.
The report suggests this could stem from a reliance on traditional training programs: 48% of security leaders say training is one of the most important influences on building a positive security posture. But the reality is that employees aren’t engaged; just 28% of UK and US workers say security awareness training is engaging and only 36% say they’re paying full attention. Of those who are, only half say it’s helpful, while another 50% have had a negative experience with a phishing simulation. With recent headlines depicting how phishing simulations can go awry, negative experiences like these further alienate employees and decrease engagement.
https://www.helpnetsecurity.com/2022/07/28/employees-dont-understand-why-cybersecurity-is-important/
As Companies Calculate Cyber Risk, the Right Data Makes a Big Difference
The proposed US Securities and Exchange Commission’s stronger rules for reporting cyber attacks will have ramifications beyond increased disclosure of attacks to the public. By requiring not just quick reporting of incidents, but also disclosure of cyber policies and risk management, such regulation will ultimately bring more accountability for cyber security to the highest levels of corporate leadership. Other jurisdictions will very likely follow the US in requiring more stringent cyber controls and governance.
This means that boards and executives everywhere will need to increase their understanding of cyber security, not only from a tech point of view, but from a risk and business exposure point of view. The CFO, CMO and the rest of the C-suite and board will want and need to know what financial exposure the business faces from a data breach, and how likely it is that breaches will happen. This is the only way they will be able to develop cyber policies and plans and react properly to the proposed regulations.
Companies will therefore need to be able to calculate and put a dollar value on their exposure to cyber risk. This is the starting point for the ability to make cyber security decisions not in a vacuum, but as part of overall business decisions. To accurately quantify cyber security exposure, companies need to understand what the threats are and which data and business assets are at risk, and they then need to multiply the cost of a breach by the probability that such an event will take place in order to put a dollar figure on their exposure.
While there are many automated tools, including those that use artificial intelligence (AI), that can help with this, the key to doing this well is to make sure calculations are rooted in real and relevant data – which is different for each company or organisation.
Only 25% Of Organisations Consider Their Biggest Threat to Be from Inside the Business
A worrying 73.5% of organisations feel they have wasted the majority of their cyber security budget on failing to remediate threats, despite having an over-abundance of security tools at their disposal, according to Gurucul.
Only 25% of organisations consider their biggest threat to be from inside the business, despite insider threats increasing by 47% over the past two years. With only a quarter of businesses seeing their biggest threat emanating from inside their organisation, it seems over 70% saw the biggest cyber security challenges emanating from external threats such as ransomware. In fact, although external threats account for many security incidents, we must never forget to look beyond those external malicious and bad actors to insider threats to effectively secure corporate data and IP.
The survey also found 33% of respondents said they are able to detect threats within hours, while 27.07% even claimed they can detect threats in real-time. However, challenges persist with 33% of respondents stating that it still takes their organisation days and weeks to detect threats, with 6% not being able to detect them at all.
https://www.helpnetsecurity.com/2022/07/28/biggest-threat-inside-the-business/
The Global Average Cost of a Data Breach Reaches an All-Time High of $4.35 Million
IBM Security released the 2022 Cost of a Data Breach Report, revealing costlier and higher-impact data breaches than ever before, with the global average cost of a data breach reaching an all-time high of $4.35 million for studied organisations.
With breach costs increasing nearly 13% over the last two years of the report, the findings suggest these incidents may also be contributing to rising costs of goods and services. In fact, 60% of studied organisations raised their product or services prices due to the breach, when the cost of goods is already soaring worldwide amid inflation and supply chain issues.
The perpetuality of cyber attacks is also shedding light on the “haunting effect” data breaches are having on businesses, with the IBM report finding 83% of studied organisations have experienced more than one data breach in their lifetime. Another factor rising over time is the after-effects of breaches on these organisations, which linger long after they occur, as nearly 50% of breach costs are incurred more than a year after the breach.
The 2022 Cost of a Data Breach Report is based on in-depth analysis of real-world data breaches experienced by 550 organisations globally between March 2021 and March 2022. The research, which was sponsored and analysed by IBM Security, was conducted by the Ponemon Institute.
https://www.helpnetsecurity.com/2022/07/27/2022-cost-of-a-data-breach-report/
Race Against Time: Hackers Start Hunting for Victims Just 15 Minutes After a Bug Is Disclosed
Attackers are becoming faster at exploiting previously undisclosed zero-day flaws, according to Palo Alto Networks. This means that the amount of time that system admins have to patch systems before exploitation happens is shrinking fast..
The company warns in its 2022 report covering 600 incident response (IR) cases that attackers typically start scanning for vulnerabilities within 15 minutes of one being announced.
Among this group are 2021's most significant flaws, including the Exchange Server ProxyShell and ProxyLogon sets of flaws, the persistent Apache Log4j flaws aka Log4Shell, the SonicWall zero-day flaws, and Zoho ManageEngine ADSelfService Plus.
While phishing remains the biggest method for initial access, accounting for 37% of IR cases, software vulnerabilities accounted of 31%. Brute-force credential attacks (like password spraying) accounted for 9%, while smaller categories included previously compromised credentials (6%), insider threat (5%), social engineering (5%), and abuse of trusted relationships/tools (4%).
Over 87% of the flaws identified as the source of initial access fell into one of six vulnerability categories.
Ransomware-as-a-Service Groups Forced to Change Tack as Payments Decline
Ransomware-as-a-service (RaaS) operators are evolving their tactics yet again in response to more aggressive law enforcement efforts, in a move that is reducing their profits but also making affiliates harder to track, according to Coveware.
The security vendor’s Q2 2022 ransomware report revealed that concerted efforts to crack down on groups like Conti and DarkSide have forced threat actors to adapt yet again.
It identified three characteristics of RaaS operations that used to be beneficial, but are increasingly seen as a hinderance.
The first is RaaS branding, which has helped to cement the reputation of some groups and improve the chances of victims paying, according to Coveware. However, branding also makes attribution easier and can draw the unwanted attention of law enforcement, it said.
“RaaS groups are keeping a lower profile and vetting affiliates and their victims more thoroughly,” Coveware explained.
“More RaaS groups have formed, resulting in less concentration among the top few variants. Affiliates are frequently shifting between RaaS variants on different attacks, making attribution beyond the variant more challenging.”
In some cases, affiliates are also using “unbranded” malware to make attribution more difficult, it added.
The second evolution in RaaS involves back-end infrastructure, which used to enable scale and increase profitability. However, it also means a larger attack surface and a digital footprint that’s more expensive and challenging to maintain.
As a result, RaaS developers are being forced to invest more in obfuscation and redundancy, which is hitting profits and reducing the amount of resources available for expansion, Coveware claimed.
Finally, RaaS shared services used to help affiliates with initial access, stolen data storage, negotiation management and leak site support.
https://www.infosecurity-magazine.com/news/raas-groups-forced-change-payments/
Phishers Targeted Financial Services Most During H1 2022
Banks received the lion’s share of phishing attacks during the first half of 2022, according to figures published by cyber security company Vade.
The analysis also found that attackers were most likely to send their phishing emails on weekdays, with most arriving between Monday and Wednesday. Attacks tapered off towards the end of the week, Vade said.
While financial services scored highest on a per-sector basis, Microsoft was the most impersonated brand overall. The company’s Microsoft 365 cloud productivity services are a huge draw for cyber-criminals hoping to access accounts using phishing attacks.
Phishing attacks on Microsoft customers have become more creative, according to Vade, which identified several phone-based attacks. It highlighted a campaign impersonating Microsoft’s Defender anti-malware product, fraudulently warning that the company had debited a subscription fee. It encouraged victims to fix the problem by phone.
Facebook came a close second, followed by financial services company Crédit Agricole, WhatsApp and Orange.
https://www.infosecurity-magazine.com/news/phishers-financial-services-h1-2022/
HR Emails Dupe Employees the Most – KnowBe4 research reveals
In phishing tests conducted on business emails, more than half of the subject lines clicked imitated Human Resources communications.
New research has revealed the top email subjects clicked on in phishing tests were those related to or from Human Resources, according to the latest ‘most clicked phishing tests‘ conducted by KnowBe4. In fact, half of those that were clicked on had subject lines related to Human Resources, including vacation policy updates, dress code changes, and upcoming performance reviews. The second most clicked category were those send from IT, which include requests or actions of password verifications that were needed immediately.
KnowBe4’s CEO commented “More than 80% of company data breaches globally come from human error, so security awareness training for your staff is one of the least costly and most effective methods to thwart social engineering attacks. Training gives employees the ability to rapidly recognise a suspicious email, even if it appears to come from an internal source, causing them to pause before clicking. That moment where they stop and question the email is a critical and often overlooked element of security culture that could significantly reduce your risk surface.”
This research comes hot off the heels of the recent KnowBe4 industry benchmarking report which found one in three untrained employees will click on a phishing link. The worst performing industries were Energy & Utilities, Insurance and Consulting, with all labelled the most at risk for social engineering in the large enterprise category.
84% Of Organisations Experienced an Identity-Related Breach in the Past 18 Months
60% of IT security decision makers believe their overall security strategy does not keep pace with the threat landscape, and that they are either lagging behind (20%), treading water (13%), or merely running to keep up (27%), according to a survey by Sapio Research.
The report also highlights differences between the perceived and actual effectiveness of security strategies. While 40% of respondents believe they have the right strategy in place, 84% of organisations reported that they have experienced an identity-related breach or an attack using stolen credentials during the previous year and a half.
Promisingly, many organisations are hungry to make a change, particularly when it comes to protecting identities. In fact, 90% of respondents state that their organisations fully recognise the importance of identity security in enabling them to achieve their business goals, and 87% say that it is one of the most important security priorities for the next 12 months.
However, 75% of IT and security professionals also believe that they’ll fall short of protecting privileged identities because they won’t get the support they need. This is largely due to a lack of budget and executive alignment, with 63% of respondents saying that their company’s board still doesn’t fully understand identity security and the role it plays in enabling better business operations.
While the importance of identity security is acknowledged by business leaders, most security teams will not receive the backing and budget they need to put vital security controls and solutions in place to reduce major risks. This means that the majority of organisations will continue to fall short of protecting privileges, leaving them vulnerable to cyber criminals looking to discover privileged accounts and abuse them.
https://www.helpnetsecurity.com/2022/07/28/identity-related-breach/
Economic Downturn Raises Risk of Insiders Going Rogue
Declining economic conditions could make insiders more susceptible to recruitment offers from threat actors looking for allies to assist them in carrying out various attacks.
Enterprise security teams need to be aware of the heightened risk and strengthen measures for protecting against, detecting, and responding to insider threats, researchers from Palo Alto Network's Unit 42 threat intelligence team recommended in a report this week.
The security vendor's report highlighted several other important takeaways for security operations teams, including the fact that ransomware and business email compromise attacks continue to dominate incident response cases and vulnerability exploits — accounting for nearly one-third of all breaches.
Unit 42 researchers analysed data from a sampling of over 600 incident response engagements between April 2021 and May 2022 and determined that difficult economic times could lure more actors to cyber crime. This could include both people with technical skills looking to make a fast buck, as well as financially stressed insiders with legitimate access to valuable enterprise data and IT assets. The prevalence of remote and hybrid work models has created an environment where it's easier for workers to steal intellectual property or carry out other malicious activity, the researchers found.
https://www.darkreading.com/risk/economic-downturn-raises-the-risk-of-insiders-going-rogue
5 Trends Making Cyber Security Threats Riskier and More Expensive
Since the pandemic the cyber world has become a far riskier place. According to the Hiscox Cyber Readiness Report 2022, almost half (48%) of organisations across the US and Europe experienced a cyber attack in the past 12 months. Even more alarming is that these attacks are happening despite businesses doubling down on their cyber security spend.
Cyber security is at a critical inflection point where five megatrends are making the threat landscape riskier, more complicated, and costlier to manage than previously reported. To better understand the evolution of this threat landscape, let’s examine these trends in more detail.
Everything becomes digital
Organisations become ecosystems
Physical and digital worlds collide
New technologies bring new risks
Regulations become more complex
Organisations can follow these best practices to elevate cyber security performance:
Identify, prioritise, and implement controls around risks.
Adopt a framework such as ISO 27001 or NIST Cyber Security Framework.
Develop human-layered cyber security.
Fortify your supply chain.
Avoid using too many tools.
Prioritise protection of critical assets.
Automate where you can.
Monitor security metrics regularly to help business leaders get insight into security effectiveness, regulatory compliance, and levels of security awareness in the organisation.
Cyber security will always be a work in progress. The key to effective risk management is having proactive visibility and context across the entire attack surface. This helps to understand which vulnerabilities, if exploited, can cause the greatest harm to the business. Not all risks can be mitigated; some risks will have to be accepted and trade-offs will have to be negotiated.
Ransomware: Publicly Reported Incidents Are Only the Tip of the Iceberg
The threat landscape report on ransomware attacks published this week by the European Union Agency for Cybersecurity (ENISA) uncovers the shortcomings of the current reporting mechanisms across the EU.
As one of the most devastating types of cyber security attacks over the last decade, ransomware, has grown to impact organisations of all sizes across the globe.
This threat landscape report analysed a total of 623 ransomware incidents across the EU, the United Kingdom and the United States for a reporting period from May 2021 to June 2022. The data was gathered from governments' and security companies' reports, from the press, verified blogs and in some cases using related sources from the dark web.
Between May 2021 and June 2022 about 10 terabytes of data were stolen each month by ransomware threat actors. 58.2% of the data stolen included employees' personal data.
At least 47 unique ransomware threat actors were found.
For 94.2% of incidents, we do not know whether the company paid the ransom or not. However, when the negotiation fails, the attackers usually expose and make the data available on their webpages. This is what happens in general and is a reality for 37.88% of incidents.
We can therefore conclude that the remaining 62.12% of companies either came to an agreement with the attackers or found another solution.
The study also shows that companies of every size and from all sectors are affected.
The figures in the report can however only portray a part of the overall picture. In reality, the study reveals that the total number of ransomware attacks is much larger. At present this total is impossible to capture since too many organisations still do not make their incidents public or do not report on them to the relevant authorities.
Threats
Ransomware
LockBit 3.0: Significantly Improved Ransomware Helps the Gang Stay on Top (darkreading.com)
Ransomware looms large over the cyber insurance industry - Help Net Security
800,000 businesses fall victim to ransomware each year (komando.com)
Business services top target of ransomware attacks (securitybrief.co.nz)
How Crypto is Driving the Ransomware Epidemic | Cryptoland Roundtable - YouTube
On security researcher's newsletter, exposing cyber criminals behind ransomware - CyberScoop
LockBit ransomware abuses Windows Defender to load Cobalt Strike (bleepingcomputer.com)
Mailing List Provider WordFly Scrambling to Recover Following Ransomware Attack | SecurityWeek.Com
No More Ransom helps millions of ransomware victims in 6 years (bleepingcomputer.com)
Lockbit ransomware gang claims to have breached the Italian Revenue Agency - Security Affairs
Lockbit Ramps Up Attacks on Public Sector - Infosecurity Magazine (infosecurity-magazine.com)
A ‘Top Tier’ Hacking Gang Is Likely To Be Behind Entrust Ransomware (informationsecuritybuzz.com)
No More Ransom Helped More Than 1.5 Million People Decrypt Their Devices (darkreading.com)
Ransomware caused American Dental Association outage, led to stolen data (scmagazine.com)
The road to ransomware recovery starts before an attack • The Register
BEC – Business Email Compromise
Phishing & Email Based Attacks
Phishing Attacks Skyrocket with Microsoft and Facebook as Most Abused Brands | Threatpost
Phishing scam targeting Bank of America, Citi and Wells Fargo customers (komando.com)
APT-Like Phishing Threat Mirrors Landing Pages (darkreading.com)
New Callback Malware Campaign Impersonates Legitimate Cyber Security Providers - MSSP Alert
Phishing Attacks: Microsoft Leads Top 25 of Impersonated Brands - MSSP Alert
1,000s of Phishing Attacks Blast Off From InterPlanetary File System (darkreading.com)
New ‘Robin Banks’ phishing service targets BofA, Citi, and Wells Fargo (bleepingcomputer.com)
Other Social Engineering; SMishing, Vishing, etc
Malware
Cisco Incident Response Report: Commodity Malware Top Threat in Q2 - MSSP Alert
Discovery of new UEFI rootkit exposes an ugly truth: The attacks are invisible to us | Ars Technica
As Microsoft blocks Office macros, hackers find new attack vectors (bleepingcomputer.com)
Microsoft Links Raspberry Robin USB Worm to Russian Evil Corp Hackers (thehackernews.com)
Microsoft links Raspberry Robin malware to Evil Corp attacks (bleepingcomputer.com)
Malware-laced npm packages used to target Discord users - Security Affairs
CosmicStrand UEFI malware found in Gigabyte, ASUS motherboards (bleepingcomputer.com)
Sophisticated UEFI rootkit of Chinese origin shows up again in the wild after 3 years | CSO Online
Attackers are slowly abandoning malicious macros - Help Net Security
One of the most beloved Windows tools could actually be a huge security risk | TechRadar
QBot phishing uses Windows Calculator DLL hijacking to infect devices (bleepingcomputer.com)
Gootkit Loader’s Updated Tactics and Fileless Delivery of Cobalt Strike (trendmicro.com)
Microsoft: Austrian company DSIRF selling Subzero malware (techtarget.com)
Threat actors leverages DLL-SideLoading to spread Qakbot - Security Affairs
Rare 'CosmicStrand' UEFI Rootkit Swings into Cyber crime Orbit (darkreading.com)
Mobile
Here are the top phone security threats in 2022 and how to avoid them | ZDNet
New Android malware apps installed 10 million times from Google Play (bleepingcomputer.com)
Roaming Mantis Financial Hackers Targeting Android and iPhone Users in France (thehackernews.com)
Facebook ads push Android adware with 7 million installs on Google Play (bleepingcomputer.com)
Millions of Android devices infected with wallet-draining malware | TechRadar
Over a Dozen Android Apps on Google Play Store Caught Dropping Banking Malware (thehackernews.com)
Internet of Things – IoT
IoT Botnets Fuels DDoS Attacks – Are You Prepared? | Threatpost
Dahua IP Camera Vulnerability Could Let Attackers Take Full Control Over Devices (thehackernews.com)
Data Breaches/Leaks
US court system suffered ‘incredibly significant attack’ • The Register
Congress Warns of US Court Records System Breach - Infosecurity Magazine (infosecurity-magazine.com)
Uber admits covering up massive 2016 data breach in settlement with US prosecutors - The Verge
T-Mobile to pay $500M for one of the largest data breaches in US history [Updated] | Ars Technica
Data Stolen in Breach at Security Company Entrust | SecurityWeek.Com
Fallout from massive Shanghai Police data breach reverberates on dark web - CyberScoop
Big Questions Remain Around Massive Shanghai Police Data Breach (darkreading.com)
Organised Crime & Criminal Actors
Cyber-mercenaries represent shifting criminal business model • The Register
Messaging Apps Tapped as Platform for Cyber Criminal Activity | Threatpost
Teenager Jailed for Snapchat Blackmail Cyber Crimes- IT Security Guru
DUCKTAIL operation targets Facebook’s Business and Ad accounts - Security Affairs
Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain
Crypto fraud on the rise as consumers fall for fake celebrity endorsements | Cybernews
Hackers Increasingly Using WebAssembly Coded Cryptominers to Evade Detection (thehackernews.com)
NFT Hacking Group Attacks On The Rise, Report Finds- IT Security Guru
Hackers steal $6 million from blockchain music platform Audius (bleepingcomputer.com)
Fraud, Scams & Financial Crime
Major shifts and the growing risk of identity fraud - Help Net Security
JPMorgan, UBS accused of shoddy identity theft protection • The Register
Euro Police Bust €3m Internet Fraud Gang - Infosecurity Magazine (infosecurity-magazine.com)
Romance scammers jailed after tricking Irish OAP out of €250k (bitdefender.com)
What the Titanic Can Teach Us About Fraud? | SecurityWeek.Com
AML/CFT/Sanctions
Insurance
Dark Web
Cyber crime goods and services are cheap and plentiful - Help Net Security
Hackers Selling Malware on Dark Web Underground Market (cybersecuritynews.com)
Supply Chain and Third Parties
Software Supply Chain
Denial of Service DoS/DDoS
Akamai blocked the largest DDoS attack ever on its European customers - Security Affairs
DDoS Attack Trends in 2022: Ultrashort, Powerful, Multivector Attacks (bleepingcomputer.com)
Cloud/SaaS
Kansas MSP shuts down cloud services to fend off cyber attack (bleepingcomputer.com)
Organisations are struggling with SaaS security. Why? - Help Net Security
Attack Surface Management
Identity and Access Management
Encryption
Transport Layer Security (TLS): Issues & Protocol (trendmicro.com)
SSH2 vs. SSH1 and why SSH versions still matter (techtarget.com)
Passwords, Credential Stuffing & Brute Force Attacks
Using Account Lockout policies to block Windows Brute Force Attacks (bleepingcomputer.com)
Stop Putting Your Accounts At Risk, and Start Using a Password Manager (thehackernews.com)
Social Media
Facebook security cracked by Malware made in Vietnam • The Register
Cyber-Criminal Offers 5.4m Twitter Users’ Data - Infosecurity Magazine (infosecurity-magazine.com)
Training, Education and Awareness
Privacy
Law Enforcement Action and Take Downs
UK Seizes Nearly $27m in Crypto-Assets - Infosecurity Magazine (infosecurity-magazine.com)
European Cops Helped 1.5 Million People Decrypt Their Ransomwared Computers (vice.com)
Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine
Cyberspies use Google Chrome extension to steal emails undetected (bleepingcomputer.com)
Microsoft says it caught an Austrian spyware group using Windows 0-day exploits - The Verge
Pegasus spyware: Just 'tip of the iceberg' seen so far • The Register
Cyber attacks by Iran and Israel now target critical infrastructure. - The Washington Post
US and Ukraine Sign Agreement to Deepen Cyber security Operational Collaboration - MSSP Alert
CISA, Ukrainian cyber agency deepen partnership to combat Russian threat - CyberScoop
How is Anonymous attacking Russia? The top six ways ranked (cnbc.com)
European Lawmaker Targeted With Cytrox Predator Surveillance Spyware | SecurityWeek.Com
Nation State Actors
Nation State Actors – Russia
Russia is quietly ramping up its Internet censorship machine | Ars Technica
Apple network traffic takes mysterious detour through Russia • The Register
Nation State Actors – China
Chinese APTs: Interlinked networks and side hustles – Intrusion Truth (wordpress.com)
OneWeb sale risks giving China a stake in ‘Five Eyes’ spying tech (telegraph.co.uk)
Nation State Actors – North Korea
North Korean Hackers Using Malicious Browser Extension to Spy on Email Accounts (thehackernews.com)
North Korean hackers attack EU targets with Konni RAT malware (bleepingcomputer.com)
US puts $10 million bounty on North Korean threat groups • The Register
Is APT28 behind the STIFF#BIZON attacks attributed to North Korea-linked APT37? Security Affairs
Nation State Actors – Iran
Vulnerability Management
Hackers scan for vulnerabilities within 15 minutes of disclosure (bleepingcomputer.com)
Attackers Have 'Favourite' Vulnerabilities to Exploit (darkreading.com)
Taking the Risk-Based Approach to Vulnerability Patching (thehackernews.com)
Organisations struggle to manage devices and stay ahead of vulnerabilities - Help Net Security
2022 Unit 42 Incident Response Report: How Attackers Exploit Zero-Days (paloaltonetworks.com)
Security Teams Overwhelmed With Bugs, Bitten by Patch Prioritization (darkreading.com)
Time between vuln disclosures, exploits is getting smaller • The Register
Vulnerabilities
Critical Samba bug could let anyone become Domain Admin – patch now! – Naked Security (sophos.com)
Multiple Windows, Adobe Zero-Days Anchor Knotweed Commercial Spyware (darkreading.com)
How to Fix CVE-2022-30190 vulnerability using Microsoft Intune - CloudInfra
CISA releases IOCs for attacks exploiting Log4Shell in VMware Horizon and UAG | CSO Online
Critical FileWave MDM Flaws Open Organisation-Managed Devices to Remote Hackers (thehackernews.com)
Hackers are abusing IIS extensions to establish covert backdoors - Security Affairs
FileWave fixes bugs that left 1,000+ orgs open to ransomware • The Register
Google Chrome Zero-day Vulnerability Discovered By Avast (informationsecuritybuzz.com)
LibreOffice fixed 3 flaws, including a code execution issue - Security Affairs
Drupal developers fixed a code execution flaw in the popular CMS - Security Affairs
LibreOffice Releases Software Update to Patch 3 New Vulnerabilities (thehackernews.com)
Hackers Exploit PrestaShop Zero-Day to Steal Payment Data from Online Stores (thehackernews.com)
Sector Specific
Industry specific threat intelligence reports are available.
Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.
· Automotive
· Construction
· Critical National Infrastructure (CNI)
· Defence & Space
· Education & Academia
· Energy & Utilities
· Estate Agencies
· Financial Services
· FinTech
· Food & Agriculture
· Gaming & Gambling
· Government & Public Sector (including Law Enforcement)
· Health/Medical/Pharma
· Hotels & Hospitality
· Insurance
· Legal
· Manufacturing
· Maritime
· Oil, Gas & Mining
· OT, ICS, IIoT, SCADA & Cyber-Physical Systems
· Retail & eCommerce
· Small and Medium Sized Businesses (SMBs)
· Startups
· Telecoms
· Third Sector & Charities
· Transport & Aviation
· Web3
Reports Published in the Last Week
Other News
A Retrospective on the 2015 Ashley Madison Breach – Krebs on Security
The Great BizApp Hack: Cyber-Risks in Your Everyday Business Applications (darkreading.com)
Threat Actors Pivot Around Microsoft’s Macro-Blocking in Office | Threatpost
Microsoft again reverses course, will block macros by default (scmagazine.com)
Is Your Home or Small Business Built on Secure Foundations? Think Again… (darkreading.com)
Infosec pros want more industry cooperation and support for open standards - Help Net Security
We pass cyber attack costs onto customers, businesses admit • The Register
How to Combat the Biggest Security Risks Posed by Machine Identities (thehackernews.com)
Discord, Telegram Services Hijacked to Launch Array of Cyber Attacks (darkreading.com)
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Threat Briefing 31 December 2021
Black Arrow Cyber Threat Briefing 31 December 2021
-The Log4j Flaw Will Take Years to be Fully Addressed
-Copycat And Fad Hackers Will Be The Bane Of Supply Chain Security In 2022
-This Nightmare Incident Shows Why You Really Shouldn't Store Passwords In Your Browser
-Kaspersky Research: 47% of Incident Response Requests Linked to Ransomware
-Global Cyber Attacks from Nation-State Actors Posing Greater Threats
-Y2k22 Bug Is Causing Microsoft Exchange Server To Fail Worldwide: FIP-FS Scan Engine Failed To Load
-External Attackers Can Penetrate Most Local Company Networks
-The Have I Been Pwned Service Now Includes 441K Accounts Stolen By RedLine Malware
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
The Log4j Flaw Will Take Years to be Fully Addressed
More than 80% of Java packages affected by the vulnerability in the Apache Log4j library cannot be updated directly, and will require coordination between different project teams to address the flaw.
Shortly after the first vulnerability in the Apache Log4j library (CVE-2021-44228) was disclosed, Google's Open Source Insights Team surveyed all the Java packages in the Maven Central Repository "to determine the scope of the issue in the open source ecosystem of JVM based languages, and to track the ongoing efforts to mitigate the affected packages," say team members James Wetter and Nicky Ringland. The team estimates it could take years before the vulnerability is fully addressed within the Java ecosystem.
A significant part of the problem has to do with indirect dependencies. Direct dependencies, or the cases where package explicitly pulls log4j into the code, are relatively straightforward to fix, as the developer or project owner just has to update log4j to the latest version.
https://www.darkreading.com/tech-trends/the-log4j-flaw-will-take-years-to-be-fully-addressed
Copycat And Fad Hackers Will Be The Bane Of Supply Chain Security In 2022
Replicable attacks and a low barrier to entry will ensure the rate of supply chain attacks increases next year, cyber security researchers have warned.
The supply chain is a consistent attack vector for threat actors today. By compromising a centralized service, platform, or software, attackers can then either conduct widespread infiltration of the customers and clients of the original -- singular -- victim or may choose to cherry-pick from the most valuable potential targets.
This can save cyber criminals time and money, as one successful attack can open the door to potentially thousands of victims at once.
A ransomware attack levied against Kaseya in 2021 highlighted the disruption a supply chain-based attack can cause. Ransomware was deployed by exploiting a vulnerability in Kaseya's VSA software, leading to the compromise of multiple managed service providers (MSP) in Kaseya's customer base.
This Nightmare Incident Shows Why You Really Shouldn't Store Passwords In Your Browser
An infostealer is scooping up passwords stored in browsers, experts warn
An unnamed company was recently breached after an employee stored their corporate account password in their web browser, a new report suggests.
According to research from security company AhnLab, the employee was working from home on a device shared with other household members, which was already infected with Redline Stealer, an infostealing malware.
Although the computer was equipped with antivirus software, the malware was able to evade detection, before stealing the passwords stored in the victim's browser.
Kaspersky Research: 47% of Incident Response Requests Linked to Ransomware
This year — 2021 — marked a “new era of ransomware,” said Vladimir Kuskov, head of threat exploration at Russian cyber security company Kaspersky. This is reflected in security incident requests handled by Kaspersky’s Global Emergency Response Team (GERT) between January and November 2021.
Kaspersky reported 46.7 percent of the security incidents that GERT handled in the first 11 months of 2021 were related to ransomware. Comparatively, Kaspersky attributed ransomware to 37.9 percent of security incidents that GERT handled for all of 2020 and 34 percent for 2019.
In addition, the government and industrial sectors have been the most common targets for ransomware attacks in 2021 to date, Kaspersky indicated. These industries accounted for nearly 50 percent of ransomware-related incident response requests that GERT has handled.
Global Cyber Attacks from Nation-State Actors Posing Greater Threats
Casey Ellis, CTO at Bugcrowd, outlines how international relations have deteriorated into a new sort of Cold War, with espionage playing out in the cyber-domain.
The macro-trend I’m most alarmed by today is the fact that attackers don’t seem to care about getting caught anymore. We have seen an increase in temerity of attacks by nation-states, such as the Russian attack on SolarWinds, and seen their attack tactics shift from targeted, stealthy operations into opportunistic hacks for potential future uses, such as the attacks attributed to Hafnium.
Such a brazen approach hasn’t been a common tactic of nation-states in the past, but now seems to be the status quo. In part, this trend may also be due to a destabilization of the international relations climate stemming from COVID-19, as well as work-from-home forcing core business services out onto the internet to facilitate employee access.
Broadly speaking, we should see China as a rising cyber security threat on the international stage. That has been the case for some time in terms of their economic, defense and military posture, but 2021 has quite clearly demonstrated that the relationship has deteriorated into a sort of Cold War, with espionage playing out in the cyber-domain.
https://threatpost.com/global-cyberattacks-nation-state-threats/177253/
Y2k22 Bug Is Causing Microsoft Exchange Server To Fail Worldwide: FIP-FS Scan Engine Failed To Load
Company admins are having their New Year’s celebrations interrupted by reports that their Exchange Servers are failing with the error “FIP-FS Scan Engine failed to load – Can’t Convert “2201010001” to long (2022/01/01 00:00 UTC)“.
The issue appears to be due to Microsoft using the first two numbers of the update version to denote the year of the update, which caused the “long” version of the date to overflow.
At present, it seems the main workaround is to disable the anti-malware scanner on the Exchange Server by using Set-MalwareFilteringServer -BypassFiltering $True -identity <server name> and restarting the Microsoft Exchange Transport service.
It appears Microsoft has not acknowledged the issue yet, but if you are affected some peer support is available at Reddit here.
Update: Microsoft has now acknowledged the issue and is working on a fix
https://mspoweruser.com/y2k22-bug-is-causing-microsoft-exchange-server-to-fail-worldwide/
External Attackers Can Penetrate Most Local Company Networks
In 93% of cases, external attackers can breach the organisation’s network perimeter and gain access to local network resources, and it takes an average of two days to penetrate the company’s internal network. In 100% of companies analysed, an insider can gain full control over the infrastructure.
These are the results of a new research report by Positive Technologies, analyzing results of the company’s penetration testing projects carried out in the second half of 2020 and first half of 2021.
The study was conducted among financial organizations (29%), fuel and energy organizations (18%), government (16%), industrial (16%), IT companies (13%), and other sectors.
During the assessment of protection against external attacks, Positive Technologies experts managed to breach the network perimeter in 93% of cases. According to the company’s researchers, this figure has remained high for many years, confirming that criminals are able to breach almost any corporate infrastructure.
https://www.helpnetsecurity.com/2021/12/28/external-attackers-local-company-networks/
The Have I Been Pwned Service Now Includes 441K Accounts Stolen By RedLine Malware
The Have I Been Pwned data breach notification service now allows victims of the RedLine malware to check if their credentials have been stolen. The service now includes credentials for 441K accounts stolen by the popular info-stealer.
The RedLine malware allows operators to steal several information, including credentials, credit card data, cookies, autocomplete information stored in browsers, cryptocurrency wallets, credentials stored in VPN clients and FTP clients. The malicious code can also act as a first-stage malware.
Stolen data are stored in an archive (logs) before being uploaded to a server under the control of the attackers.
A few days ago the data breach hunter Bob Diachenko discovered an unsecured server exposing over 6 million RedLine logs containing data harvested between August and September 2021. The server is still accessible, but the researchers pointed out that threat actors abandoned it because the the number of logs is not increasing.
https://securityaffairs.co/wordpress/126186/malware/redline-malware-hibp.html
Threats
Ransomware
Organisations Targeted With Babuk-Based Rook Ransomware | SecurityWeek.Com
QNAP NAS Devices Hit With Surge Of Ransomware Attacks | TechRadar
Shutterfly Hit By A Conti Ransomware Attack - Security Affairs
Malware
Threat Actor Uses HP iLO Rootkit To Wipe Servers - The Record by Recorded Future
New Malware Uses SSD Over-Provisioning to Bypass Security Measures | Tom's Hardware
Threat Actors Are Abusing MSBuild To Implant Cobalt Strike Beacons - Security Affairs
Data Breaches/Leaks
LastPass Says No Passwords Were Compromised Following Breach Scare - The Verge
T-Mobile Welcomed Christmas With Its Second Data Breach In Less Than Six Months - Phonearena
Organised Crime & Criminal Actors
Cryptocurrency/Cryptomining/Cryptojacking
Insider Risk and Insider Threats
Scams, Fraud & Financial Crime
Nation State Actors
China-linked BlackTech APT Uses New Flagpro Malware In Recent Attacks - Security Affairs
APT ‘Aquatic Panda’ Targets Universities with Log4Shell Exploit Tools | Threatpost
Passwords
Other News
What the Rise in Cyber-Recon Means for Your Security Strategy | Threatpost
Most Companies Struggling To Achieve Observability Despite Investing In Tools - Help Net Security
A New Year Will Bring New Targets: What to Look for in 2022 | SecurityWeek.Com
University Loses 77TB Of Research Data Due To Backup Error (bleepingcomputer.com)
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Threat Briefing 17 September 2021
Black Arrow Cyber Threat Briefing 17 September 2021
-Ransomware Preparedness Is Low Despite Executives’ Concerns
-MSPs That Cannot Modernize Will Find Themselves And Their Clients Falling Behind
-Two-Thirds Of Cloud Attacks Could Be Stopped By Checking Configurations, Research Finds
-Open Source Software Cyber Attacks Increasing By 650%, Popular Projects More Vulnerable
-Third-Party Cloud Providers: Expanding The Attack Surface
-Ransomware Encrypts South Africa's Entire Dept Of Justice Network
-2021’s Most Dangerous Software Weaknesses
-46% Of All On-Prem Databases Are Vulnerable To Attack, Breaches Expected To Grow
-Most Fortune 500 Companies’ External IT Infrastructure Considered At Risk
-Thousands Of Internet-Connected Databases Contain High Or Critical Vulnerabilities
-Only 30% Of Enterprises Use Cloud Services With End to End Encryption For External File Sharing
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
Ransomware Preparedness Is Low Despite Executives’ Concerns
86.7% of C-suite and other executives say they expect the number of cyber attacks targeting their organisations to increase over the next 12 months, according to a recent poll conducted by researchers. While 64.8% of polled executives say that ransomware is a cyber threat posing major concern to their organisations over the next 12 months, only 33.3% say that their organisations have simulated ransomware attacks to prepare for such an incident. https://www.helpnetsecurity.com/2021/09/15/ransomware-preparedness/
MSPs That Cannot Modernize Will Find Themselves And Their Clients Falling Behind
Researchers sought feedback from IT professionals to explore the performance of modern (and not-so-modern) managed service providers (MSPs). The survey found that even satisfactory MSPs are falling short in certain key areas: cloud strategy, security, and IT spending. https://www.helpnetsecurity.com/2021/09/16/msps-falling-behind/
Two-Thirds Of Cloud Attacks Could Be Stopped By Checking Configurations, Research Finds
On Wednesday, researchers published its latest Cloud Security Threat Landscape report, spanning Q2 2020 through Q2 2021. According to the research, two out of three breached cloud environments observed by the tech giant "would likely have been prevented by more robust hardening of systems, such as properly implementing security policies and patching systems." https://www.zdnet.com/article/two-thirds-of-cloud-attacks-could-be-stopped-by-checking-configurations-research-finds/
Open Source Software Cyber Attacks Increasing By 650%, Popular Projects More Vulnerable
Researchers released a report that revealed continued strong growth in open source supply and demand dynamics. Further, with regard to open source security risks, the report reveals a 650% year over year increase in supply chain attacks aimed at upstream public repositories, and a fascinating dichotomy pertaining to the level of known vulnerabilities present in popular and non-popular project versions. https://www.helpnetsecurity.com/2021/09/17/open-source-cyberattacks/
Third-Party Cloud Providers: Expanding The Attack Surface
In the era of digital transformation, which is essentially an organisation’s way of stating they are increasing their reliance on cloud-based services—enterprises’, digital landscapes are more interconnected than ever before. This means that the company you buy a technology function from may have downstream third-party providers that enable plumbing, infrastructure and development technology that drive their business. With modern computing environments moving further away from the enterprise, the safety assumption paradigm is shifting. This has impacted the threat landscape because as organisations increase migration to the cloud (a third party), they must now consider that these newly onboarded third parties may have serious security issues that could present adversaries with opportunities to infiltrate your network. https://www.helpnetsecurity.com/2021/09/13/third-party-cloud-providers/
Ransomware Encrypts South Africa's Entire Dept Of Justice Network
The justice ministry of the South African government is working on restoring its operations after a recent ransomware attack encrypted all its systems, making all electronic services unavailable both internally and to the public. As a consequence of the attack, the Department of Justice and Constitutional Development said that child maintenance payments are now on hold until systems are back online. https://www.bleepingcomputer.com/news/security/ransomware-encrypts-south-africas-entire-dept-of-justice-network/
2021’s Most Dangerous Software Weaknesses
Researchers recently updated a list of the top 25 most dangerous software bugs, and it’s little surprise that a number of them have been on that list for years. The Common Weakness Enumeration (CWE) list represents vulnerabilities that have been widely known for years, yet are still being coded into software and being bypassed by testing. Both developers and testers presumably know better by now, but keep making the same mistakes in building applications. https://threatpost.com/2021-angerous-software-weaknesses/169458/
46% Of All On-Prem Databases Are Vulnerable To Attack, Breaches Expected To Grow
A five-year longitudinal study comprising nearly 27,000 scanned databases discovered that the average database contains 26 existing vulnerabilities. 56% of the Common Vulnerabilities and Exposures (CVEs) found were ranked as ‘High’ or ‘Critical’ severity, aligned with guidelines from the National Institute of Standards and Technology (NIST). This indicates that many organisations are not prioritizing the security of their data and neglecting routine patching exercises. Based on Imperva scans, some CVEs have gone unaddressed for three or more years. https://www.helpnetsecurity.com/2021/09/15/on-prem-databases-vulnerable/
Most Fortune 500 Companies’ External IT Infrastructure Considered At Risk
Nearly three quarters of Fortune 500 companies’ IT infrastructure exists outside their organisation, a quarter of which was found to have a known vulnerability that threat actors could infiltrate to access sensitive employee or customer data, as research reveal. https://www.helpnetsecurity.com/2021/09/15/external-it-infrastructure-risk/
Thousands Of Internet-Connected Databases Contain High Or Critical Vulnerabilities
After spending five years poring over port scan results, researchers reckon there's about 12,000 vulnerability-containing databases accessible through the internet. The study also found that of the 46 per cent of 27,000 databases scanned, just over half that number contained "high" or "critical" vulns as defined by their CVE score. https://www.theregister.com/2021/09/14/imperva_12k_database_vuln_report/
Only 30% Of Enterprises Use Cloud Services With End to End Encryption For External File Sharing
A recent study of enterprise IT security decision makers conducted by researchers shows that majority of enterprises use additional encryption methods to boost the security of cloud collaboration and file transfer, however, tools with built-in end-to-end encryption are still less frequent despite the growing popularity of this privacy and security enhancing technology. https://www.helpnetsecurity.com/2021/09/13/external-file-sharing/
Threats
Ransomware
The State Of Ransomware: National Emergencies And Million-Dollar Blackmail
Ransomware Attackers Targeted App Developers With Malicious Office Docs, Says Microsoft
Microsoft: Windows MSHTML Bug Now Exploited By Ransomware Gangs
Ransomware Gang Threatens To Wipe Decryption Key If Negotiator Hired
US General In Charge Of Cyber Security Pledges ‘Surge’ To Address Ransomware Attacks
REvil Ransomware Is Back In Full Attack Mode And Leaking Data
Ransomware-Hit Law Firm Secures High Court Judgment Against Unknown Criminals
Ransomware Encrypts South Africa's Entire Dept Of Justice Network
BEC
Phishing
Other Social Engineering
Brits Open Doors For Tech-Enabled Fraudsters Because They 'Don't Want To Seem Rude'
Scammers In Russia Offer Free Bitcoin On A Hacked Government Website
Malware
Mobile
Cyber Security Expert: Israeli Spyware Company NSO Group Poses ‘A Serious Threat To Phone Users’
After The T-Mobile Breach, Companies Are Preventing Customers From Securing Their Accounts
IOT
Vulnerabilities
Microsoft September 2021 Patch Tuesday Fixes 2 Zero-Days, 60 Flaws
Third Critical Bug Affects Netgear Smart Switches — Details And PoC Released
Patch Now! PrintNightmare Over, MSHTML Fixed, A New Horror Appears … OMIGOD
No Patch For High-Severity Bug In Legacy IBM System X Servers
Experts Warn About Vulnerabilities of U.S. GPS System To Cyber Terrorists
Data Breaches/Leaks
Organised Crime & Criminal Actors
Cryptocurrency/Cryptojacking
DoS/DDoS
Nation State Actors
Cloud
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Threat Briefing 03 September 2021
Black Arrow Cyber Threat Briefing 03 September 2021
-Ransomware Attacks Soar 288% in H1 2021
-Ransomware Costs Expected To Reach $265 Billion By 2031
-Brute Force Email Attacks and Account Takeover Attempts Rise 671%, Reaching Unprecedented Levels, Causing Financial And Reputational Damage
-Investigation Into Hacked "Map" Of UK Gun Owners
-Eight US Financial Services Firms Given Six-Figure Fines Over BEC Data Breaches
-Ransomware Has Been A ‘Game Changer’ For Cyber Insurance
-WhatsApp hit with $267 million GDPR fine for bungling user privacy disclosure
-Microsoft Warns About Open Redirect Phishing Campaign
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
Ransomware Attacks Soar 288% in First Half of 2021
The number of ransomware attacks surged by 288% between the first and second quarters of 2021 as double extortion attempts grew, according to the latest data.
Nearly a quarter (22%) of data leaks in the second quarter came from the Conti ransomware group, who typically gain initial network access to victim organisations via phishing emails.
It’s an unfortunate fact that no organisation in any sector is safe from ransomware today.
Targets range from IT companies and suppliers to financial institutions and critical national infrastructure providers, with ransomware-as-a-service increasingly being sold by ransomware gangs in a subscription model. https://www.infosecurity-magazine.com/news/ransomware-attacks-soar-half-2021/
Ransomware Costs Expected To Reach $265 Billion By 2031
Think ransomware is expensive now? It’s not predicted to get any cheaper over the next decade. Ransoms could cost victims a collective total of $265 billion by 2031. The estimate is based on the prediction that the price tag will increase 30% every year over the next 10 years. https://securityintelligence.com/news/ransomware-costs-expected-265-billion-2031/
Brute Force Email Attacks and Account Takeover Attempts Rise 671%, Reaching Unprecedented Levels, Causing Financial And Reputational Damage
A new Email Threat Report for Q3 2021 examines the escalating adverse impact of socially-engineered and never-seen-before email attacks, and other advanced email threats—both financial and reputational—to organisations worldwide. The report surveyed advanced email attacks across eight major industry sectors, including retail and consumer goods, manufacturing, technology, energy and infrastructure services, medical, media and television, finance, and hospitality.
The report also finds 61% of organisations experienced a vendor email compromise/supply chain attack in Q2 2021.
Key report findings include:
32.5% of all companies were targeted by brute force attacks in early June 2021
137 account takeovers occurred per 100,000 mailboxes for members of the C-suite
61% of organisations experienced a vendor email compromise attack this quarter
22% more business email compromise attacks since Q4 2020
60% chance of a successful account takeover each week for organisations with 50,000+ employees
73% of all advanced threats were credential phishing attacks
80% probability of attack every week for retail and consumer goods, technology, and media and television companies
https://finance.yahoo.com/news/brute-force-email-attacks-account-120100299.html
Investigation Into Hacked "Map" Of UK Gun Owners
Gun-selling site Guntrader announced a data breach affecting more than 100,000 customers in July. This week, reports emerged that an animal rights activist blog had published the information. The group had formatted the data so it could be easily imported into mapping software to show individual homes. The National Crime Agency, which has been investigating the data breach and its fallout, said it "is aware that information has been published online as a result of a recent data breach which impacted Guntrader". https://www.bbc.co.uk/news/technology-58413847
Eight US Financial Services Firms Given Six-Figure Fines Over BEC Data Breaches
The US Securities and Exchange Commission (SEC) has sanctioned multiple financial services firms for cyber security failures that led to the compromise of corporate email accounts and the personal data of thousands of individuals. The case was brought after the unauthorised takeover of cloud-based email accounts at Seattle-based KMS Financial Services, and subsidiaries of California-headquartered Cetera Financial Group and Iowa-based Cambridge Investment Group. https://portswigger.net/daily-swig/eight-us-financial-services-firms-given-six-figure-fines-over-bec-data-breaches
Ransomware Has Been A ‘Game Changer’ For Cyber Insurance
Ransomware attacks accounted for nearly one quarter of all cyber incidents globally last year, according to a software company. The researchers “think of December 2019 as the tipping point for when we started to see ransomware take hold”. The U.S. was hit by a barrage of ransomware attacks in 2019 that impacted at least 966 government agencies, educational establishments, and healthcare providers at a potential cost in excess of $7.5 billion. All of this has a massive knock-on affect for the Insurance firms. https://www.insurancejournal.com/news/national/2021/08/30/628672.htm
Getting Ahead Of A Major Blind Spot For CISOs: Third-Party Risk
For many CISOs and security leaders, it was not long ago that their remit focused on the networks and digital ecosystems for their organisation alone. In today’s digital world, those days are a thing of the past with a growing number of businesses relying on third-party vendors to scale, save time and outsource expertise to stay ahead. With this change, new security risks affiliated with third-party vendors are more prevalent than ever before. https://www.helpnetsecurity.com/2021/09/01/getting-ahead-of-a-major-blind-spot-for-cisos-third-party-risk/
WhatsApp Hit With $267 Million GDPR Fine For Bungling User Privacy Disclosure
Ireland’s Data Protection Commission fined Facebook-owned messenger WhatsApp for $225 million for failing to provide users enough information about the data it shared with other Facebook companies.
The fine is the largest penalty that the Irish regulator has waged since the European Union data protection law, the General Data Protection Regulation, or GDPR, went into effect in 2018. https://www.cyberscoop.com/whatsapp-hit-with-267-million-gdpr-fine-for-bungling-user-privacy-disclosure/
Microsoft Warns About Open Redirect Phishing Campaign
Microsoft’s Security Intelligence team is warning over phishing campaigns using open redirector links, links crafted to subvert normal inspection efforts. Smart users know to hover over links to see where they're going to lead, but these links are prepared for that type of user and display a safe destination designed to lure targets into a false sense of security. Click the link and you'll be redirected to a domain that appears legit (such as a Microsoft 365 login page, for example) and sets the stage for you to voluntarily hand over credentials to bad actors without even realising it until it's too late. https://www.windowscentral.com/microsoft-warns-about-open-redirect-phishing-campaign
Previous Employees With Access To Corporate Data Remain A Threat To Businesses
Offboarding employees securely is a key problem for business leaders, with 40% concerned that employees who leave a company retain knowledge of passwords that grant access to corporate data. This is according to a report, which found few organisations are implementing access management solutions that work with all applications, meaning most lack the ability to revoke access to all corporate data as soon as an employee leaves. https://www.helpnetsecurity.com/2021/09/02/previous-employees-access-data/
BEC Scammers Seek Native English Speakers On Underground
Looking for work? Speak fluent English? Capable of convincingly portraying a professional – as in, somebody a highly ranked corporate leader would talk to? If you lack scruples and disregard those pesky things called “laws,” it could be your lucky day: Cyber Crooks are putting up help-wanted ads, looking for native English speakers to carry out the social-engineering elements of business email compromise (BEC) attacks. https://threatpost.com/bec-scammers-native-english-speakers/169092/
Half Of Businesses Can't Spot These Signs Of Insider Cyber Security Threats
Most businesses are struggling to identify and detect early indicators that could suggest an insider is plotting to steal data or carry out other cyber attacks. Research suggests that over half of companies find it impossible or very difficult to prevent insider attacks. These businesses are missing indicators that something might be wrong. Those include unusual amounts of files being opened, attempts to use USB devices, staff purposefully circumventing security controls, masking their online activities, or moving and saving files to unusual locations. All these and more might suggest that a user is planning malicious activity, including the theft of company data. https://www.zdnet.com/article/half-of-businesses-cant-spot-these-signs-of-insider-cybersecurity-threats/
Threats
Ransomware
Conti Ransomware Now Hacking Exchange Servers With ProxyShell Exploits
LockFile Ransomware Bypasses Protection Using Intermittent File Encryption
FBI, CISA: Ransomware Attack Risk Increases On Holidays, Weekends
LockBit Jumps Its Own Countdown, Publishes Bangkok Air Files
Phishing
Malware
Cyber Attackers Are Now Quietly Selling Off Their Victim's Internet Bandwidth
Cyber Criminal Sells Tool To Hide Malware In AMD, NVIDIA GPUS
Cyber Criminals Abusing Internet-Sharing Services To Monetise Malware Campaigns
Mobile
Snowden Slams Apple CSAM: Warns iPad, iPhone, Mac Users Worldwide
Kaspersky Lab Has Reported About Android Viruses Designed To Steal Money Automatically
Dangerous Android Malware Is Spreading — Beware Of Text Message Scam
Vulnerabilities
New BrakTooth Flaws Leave Millions Of Bluetooth-Enabled Devices Vulnerable
Meltdown-Like Vulnerability Disclosed For AMD Zen+ And Zen 2 Processors
NPM Package With 3 Million Weekly Downloads Had A Severe Vulnerability
Cisco Patches Critical Authentication Bug With Public Exploit
QNAP Working On Patches For OpenSSL Flaws Affecting Its NAS Devices
This Top TP-Link Router Ships With Some Serious Security Flaws
Data Breaches/Leaks
Organised Crime & Criminal Actors
Dark Web
DoS/DDoS
OT, ICS, IIoT and SCADA
Cloud
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Threat Briefing 27 August 2021
Black Arrow Cyber Threat Briefing 27 August 2021
-Cyber Crime Losses Triple To £1.3bn In 1h 2021
-New Ransomware Wake-Up Call
-22% Of Cyber Security Incidents In H1 2021 Were Ransomware Attacks
-Key Email Threats And The High Cost Of Business Email Compromise
-Microsoft Warns Thousands Of Cloud Customers Of Exposed Databases
-58% Of IT Leaders Worried Their Business Could Become A Target Of Rising Nation State Attacks
-Cyber Insurance Market Encounters ‘Crisis Moment’ As Ransomware Costs Pile Up
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
Cyber Crime Losses Triple To £1.3bn In H1 2021
Individuals and organisations lost three times more money to cyber crime and fraud in the first half of the year compared to the same period in 2020, as incidents soared, according to new figures. The report revealed that between January 1 and July 31 2020, victims lost £414.7m to cyber crime and fraud. However, the figure surged to £1.3bn for the same period in 2021. This can be partly explained by the huge increase in cases from last year to this. In the first half of 2020, there were just 39,160 reported to Action Fraud, versus 289,437 in the first six months of 2021. https://www.infosecurity-magazine.com/news/cybercrime-losses-triple-to-13bn/
Ransomware On A Rampage; A New Wake-Up Call
The ransomware rampage is continuing at pace and continues to create significant cyber security challenges. The use of ransomware by hackers to leverage exploits and extract financial benefits is not new. Ransomware has been around for over 2 decades, (early use of basic ransomware malware was used in the late 1980s) but as of late, it has become a trending and more dangerous cybersecurity threat. The inter-connectivity of digital commerce and expanding attack surfaces have enhanced the utility of ransomware as cyber weapon of choice for bad actors. Like bank robbers, cyber criminals go where the money is accessible. And it is now easier for them to reap benefits from extortion. Hackers can now demand cryptocurrencies payments or pre-paid cards that can be anonymously transacted. Those means of digital payments are difficult to trace by law enforcement. https://www.forbes.com/sites/chuckbrooks/2021/08/21/ransomware-on-a-rampage-a-new-wake-up-call/?sh=64a622362e81
22% Of Cyber Security Incidents In H1 2021 Were Ransomware Attacks
A report uncovered the number and nature of UK cyber security breaches reported to the UK Information Commissioner’s Office (ICO) in 2020 and 2021. So far in 2021 phishing was to blame for most incidents, accounting for 40% of all cyber security cases reported to the ICO, slightly down from 44% the year before. However, ransomware is surging, up from 11% of all reported incidents in the first half of 2020 to 22% in 2021. https://www.helpnetsecurity.com/2021/08/25/cybersecurity-incidents-h1-2021/
Ransomware: These Four Rising Gangs Could Be Your Next Major Cyber Security Threat
In recent months some significant ransomware operators have seemingly disappeared. But that doesn't mean that ransomware is any less of a problem, quite the opposite – new groups are emerging to fill the gaps and are often worse than the gangs that went before them. Cyber security researchers have detailed four upcoming families of ransomware discovered during investigations – and under the right circumstances, any of them could become the next big ransomware threat. One of these is LockBit 2.0, a ransomware-as-a-service operation that has existed since September 2019 but has gained major traction over the course of this summer. Those behind it revamped their dark web operations in June – when they launched the 2.0 version of LockBit – and aggressive advertising has drawn attention from cyber criminals. https://www.zdnet.com/article/ransomware-these-four-rising-threats-could-be-the-next-major-cybersecurity-risk-facing-your-business/
Key Email Threats And The High Cost Of Business Email Compromise
Researchers published the results of a study analysing over 31 million threats across multiple organisations and industries, with new findings and warnings issued by technical experts that every organisation should be aware of. A key aspect to preventing attacks is having a deep understanding of cyber actor patterns and continuously monitoring and deconstructing campaigns to anticipate future ones. Phishing can be a profitable business model, and most breaches begin with a phishing email. What appears to be an innocent email from a trusted vendor or internal department can lead to firm-wide shutdowns, loss of crucial data, and millions in financial costs. As detailed in the report, threats ranging from ransomware, credential harvesters to difficult-to-discover but costly Business Email Compromise (BEC) targeted inboxes, could have resulted in over $354 million in direct losses had they been successful. https://www.helpnetsecurity.com/2021/08/23/key-email-threats/
Microsoft Warns Thousands Of Cloud Customers Of Exposed Databases
Microsoft on Thursday warned thousands of its cloud computing customers, including some of the world's largest companies, that intruders could have the ability to read, change or even delete their main databases, according to a copy of the email and a cyber security researcher. The vulnerability is in Microsoft Azure's flagship Cosmos DB database. A research team at security a company discovered it was able to access keys that control access to databases held by thousands of companies. https://www.reuters.com/technology/exclusive-microsoft-warns-thousands-cloud-customers-exposed-databases-emails-2021-08-26/
58% Of IT Leaders Worried Their Business Could Become A Target Of Rising Nation State Attacks
Researchers released the findings of a global survey of 1,100 IT decision makers (ITDMs), examining their concerns around rising nation state attacks. 72% of respondents said they worry that nation state tools, techniques, and procedures (TTPs) could filter through to the dark net and be used to attack their business. https://www.helpnetsecurity.com/2021/08/23/rising-nation-state-attacks/
Cyber Insurance Market Encounters ‘Crisis Moment’ As Ransomware Costs Pile Up
It’s a sure sign of trouble when leading insurance industry executives are worried about their own prices going up. Ransomware now accounts for 75% of all cyber insurance claims, up from 55% in 2016, according to the credit ratings agency. The percentage increase in claims is outpacing that of premiums, said a June report which concluded that “the prospects for the cyber insurance market are grim.” Fitch Ratings in April found that the ratio of losses to premiums earned was at 73% last year, jeopardizing the profitability of the industry. https://www.cyberscoop.com/cyber-insurance-ransomware-crisis/
Security Teams Report Rise In Cyber Risk
Do you feel like you are gaining in your ability to protect your data and your network? If you are like 80% of respondents to the a recent report, you expect to experience a data breach that compromises customer data in the next 12 months. The report surveyed more than 3,600 businesses of all sizes and industries across North America, Europe, Asia-Pacific, and Latin America for their thoughts on cyber risk. Despite an increased focus on security due to high-profile ransomware and other attacks in the past year, respondents reported a rise in risk due to inadequate security processes like backing up key assets. https://www.csoonline.com/article/3629477/security-teams-report-rise-in-cyber-risk.html
WARNING: Microsoft Exchange Under Attack With ProxyShell Flaws
The U.S. Cyber security and Infrastructure Security Agency is warning of active exploitation attempts that leverage the latest line of "ProxyShell" Microsoft Exchange vulnerabilities that were patched earlier this May, including deploying LockFile ransomware on compromised systems. The vulnerabilities enable adversaries to bypass ACL controls, elevate privileges on the Exchange PowerShell backend, effectively permitting the attacker to perform unauthenticated, remote code execution. While the former two were addressed by Microsoft on April 13, a patch for CVE-2021-31207 was shipped as part of the Windows maker's May Patch Tuesday updates. https://thehackernews.com/2021/08/microsoft-exchange-under-attack-with.html
Threats
Ransomware
70% of Cyber Pros Believe Cyber Insurance is Exacerbating Ransomware
Nigerian Threat Actors Solicit Employees To Deploy Ransomware for Cut Of Profits
New Ransomware Called LockFile Targets Microsoft Exchange Servers
Researchers Find New Evidence Linking Diavol Ransomware To TrickBot Gang
FBI Sends Its First-Ever Alert About A ‘Ransomware Affiliate’
Phishing
That Email Asking For Proof Of Vaccination Might Be A Phishing Scam
Phishing Could Have Cost Businesses $354m In Potential Direct Losses
Other Social Engineering
Scammers Impersonate Europol Chief In An Effort To Defraud Belgians
Man Admits Impersonating Apple Support Staff To Steal 620,000 Photos From iCloud Accounts
Malware
New SideWalk Backdoor Targets U.S.-Based Computer Retail Business
Mozi Botnet Gains The Ability To Tamper With Its Victims’ Traffic
Shadowpad Malware Is Becoming A Favourite Choice Of Chinese Espionage Groups
Mobile
IOT
Mirai-Style Iot Botnet Is Now Scanning For Router-Pwning Critical Vuln In Realtek Kit
IoT Market To Reach $1.5 Trillion By 2027, Security Top Priority
Hackers Could Increase Medication Doses Through Infusion Pump Flaws
Vulnerabilities
VMware Issues Patches To Fix New Flaws Affecting Multiple Products
Critical Flaw Discovered In Cisco APIC for Switches — Patch Released
CISA Warns Admins To Urgently Patch Exchange ProxyShell Bugs
Data Breaches/Leaks
Guernsey Data Authority Imposed Sanctions On 11 Firms For Breaches Last Year
Data Leak Exposed 38 Million Records, Including COVID-19 Vaccination Statuses
Nokia Subsidiary Discloses Data Breach After Conti Ransomware Attack
T-Mobile Breach Hits 53 Million Customers As Probe Finds Wider Impact
Organised Crime & Criminal Actors
Cryptocurrency/Cryptojacking
Insider Threats
DoS/DDoS
OT, ICS, IIoT and SCADA
Nation State Actors
Cloud
Privacy
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Threat Briefing 08 January 2021
Black Arrow Cyber Threat Briefing 08 January 2021: Ryuk gang estimated to have made more than $150 million from ransomware; China's hackers move to ransomware; Amid hardened security, attackers seek softer targets; Hackney Council files leaked online after cyber attack; PayPal users targeted in new SMS phishing campaign; the rise of cyber-mercenaries; Declutter Your Devices to Reduce Security Risks
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities and cyber related news from the last week.
Top Cyber Headlines of the Week
Ryuk gang estimated to have made more than $150 million from ransomware attacks
In a joint report published today, threat intel company Advanced Intelligence and cyber security firm HYAS said they tracked payments to 61 Bitcoin addresses previously attributed and linked to Ryuk ransomware attacks. "Ryuk receives a significant amount of their ransom payments from a well-known broker that makes payments on behalf of the ransomware victims," the two companies said. "These payments sometimes amount to millions of dollars and typically run in the hundreds of thousands range."
China's APT hackers move to ransomware attacks
Security researchers investigating a set of ransomware incidents at multiple companies discovered malware indicating that the attacks may be the work of a hacker group believed to operate on behalf of China. Although the attacks lack the sophistication normally seen with advanced threat actors, there is strong evidence linking them to APT27, a group normally involved in cyber espionage campaigns, also known as TG-3390, Emissary Panda, BRONZE UNION, Iron Tiger, and LuckyMouse.
https://www.bleepingcomputer.com/news/security/chinas-apt-hackers-move-to-ransomware-attacks/
SolarWinds hack: Amid hardened security, attackers seek softer targets
Reported theories by SolarWinds hack investigators that federal agencies and private companies were too busy focusing on election security to recognize vulnerabilities tied to the software supply chain are unfair and misleading. And yet, those same experts acknowledge that such accusations offer an important cyber security lesson for businesses: organizations must ensure that their entire attack surface receives attention.
Hackney Council files including alleged passport documents leaked online after cyber attack
The council in East London was hit by what it described as a "serious cyber attack" in October. It reported itself to the data watchdog due to the risk criminals accessed staff and residents' data. The council said it was working with the UK's National Cyber Security Centre (NCSC) and the Ministry of Housing to investigate and understand the impact of the incident.
PayPal users targeted in new SMS phishing campaign
Now, at first glance the message may not seem all that suspicious since PayPal may, in fact, impose limits on sending and withdrawing money. The payment provider usually does so when it suspects that an account has been accessed by a third party without authorization, when it has detected high-risk activities on an account, or when a user has violated its Acceptable Use Policy. However, in this case it really is a case of SMS-borne phishing, also known as Smishing. If you click on the link, you will be redirected to a login phishing page that will request your access credentials. Should you proceed to “log in”, your credentials will be sent to the scammers behind the ruse and the fraudulent webpage will attempt to gather further information, including the full name, date of birth address, and bank details.
https://www.welivesecurity.com/2021/01/04/paypal-users-targeted-new-sms-phishing-campaign/
SolarWinds, top executives hit with class action lawsuit over Orion software breach
SolarWinds and some of its top executives have been hit with a class action lawsuit by stockholders, who allege the company lied and materially misled them about security practices leading up to a massive breach of its Orion management software that has reverberated throughout the public and private sector.
The rise of cyber-mercenaries poses a growing threat for both governments and companies
These days, 21st century mercenaries are as likely to be seated behind a computer screen, wreaking havoc for their paymasters’ enemies as slugging it out on a real-world battlefield. But the rapid rise of cyber-mercenaries - or Private Sector Offensive Actors (PSOAs) - is vexing some of the biggest names in the global technology industry, and for good reason. Globally, the cyber security industry is already vast, raking in an estimated $156bn in revenues in 2019. It is set to nearly double in size by 2027.
Declutter Your Devices to Reduce Security Risks
Everyone should set aside time to review what they’ve installed on their various devices—typically apps, but that can also include games and addons. In fact, this should be an annual cleaning, at minimum.
You’re not just doing this because you want your device to look good. That’s one benefit you get from cleaning up your digital life, but it’s not the most important one. You’re also doing this to bolster your digital security. Yes, security.
https://lifehacker.com/declutter-your-devices-to-reduce-security-risks-1845991606
Threats
Ransomware
New Year, New Ransomware: Babuk Locker Targets Large Corporations
Phishing
This new phishing attack uses an odd lure to deliver Windows trojan malware
Facebook ads used to steal 615000+ credentials in a phishing campaign
Malware
North Korean hackers launch RokRat Trojan in campaigns against the South
Thousands infected by trojan that targets cryptocurrency users on Windows, Mac and Linux
A hacker’s predictions on enterprise malware risk
Vulnerabilities
Google Warns of Critical Android Remote Code Execution Bug
Hackers are actively exploiting this leading VPN, so patch now
Data Breaches
Hacker posts data of 10,000 American Express accounts for free
Vodafone's ho. Mobile admits data breach, 2.5m users impacted
T-Mobile data breach: ‘Malicious, unauthorized’ hack exposes customer call information
Exclusive Networks hit by cyberattack on New Year's Eve
Up to half a million victims of BA data breach could be eligible for compensation
Nation State Actors
Even Small Nations Have Jumped into the Cyber Espionage Game
Denial of Service
Ransom DDoS attacks target a Fortune Global 500 company
Privacy
Telegram feature exposes your precise address to hackers
Whatsapp Competitor Signal Stops Working Properly As Users Rush To Leave Over Privacy Update
Google Chrome browser privacy plan investigated in UK
Singapore police can access COVID-19 contact tracing data for criminal investigations
Other News
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Threat Briefing 31 December 2020
Black Arrow Cyber Threat Briefing 31 December 2020: SolarWinds hack may be much worse than originally feared; Threat actor selling 368.8 million records from 26 data breaches; The Worst Hacks of 2020; Nasty Strain of malware is back and hits 100K recipients per day; Ransomware in 2020: A Banner Year for Extortion; Russia’s global hacking efforts are going to unwind in 2021
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities and cyber related news from the last week.
Top Cyber Headlines of the Week
SolarWinds hack may be much worse than originally feared
The Russia-linked SolarWinds hack which targeted US government agencies and private corporations may be even worse than officials first realized, with some 250 federal agencies and business now believed affected.
Microsoft has said the hackers compromised SolarWinds’ Orion monitoring and management software, allowing them to “impersonate any of the organisation’s existing users and accounts, including highly privileged accounts.” The Times reports that Russia exploited layers of the supply chain to access the agencies’ systems.
https://www.theverge.com/2021/1/2/22210667/solarwinds-hack-worse-government-microsoft-cybersecurity
Threat actor is selling 368.8 million records from 26 data breaches
Security experts reported that a threat actor is selling user records allegedly stolen from twenty-six companies on a hacker forum.
The total volume of data available for sale is composed of 368.8 million stolen user records.
For some of these companies, the data breaches have not been previously disclosed, including Teespring.com, MyON.com, Chqbook.com, Anyvan.com, Eventials.com, Wahoofitness.com, Sitepoint.com, and ClickIndia.com.
https://securityaffairs.co/wordpress/112842/data-breach/data-breaches-records-sale.html
The Worst Hacks of 2020, a Surreal Pandemic Year
WHAT A WAY to kick off a new decade. 2020 showcased all of the digital risks and cybersecurity woes you've come to expect in the modern era, but this year was unique in the ways Covid-19 radically and tragically transformed life around the world. The pandemic also created unprecedented conditions in cyberspace, reshaping networks by pushing people to work from home en masse, creating a scramble to access vaccine research by any means, generating new fodder for criminals to launch extortion attempts and scams, and producing novel opportunities for nation-state espionage.
https://www.wired.com/story/worst-hacks-2020-surreal-pandemic-year/
A Nasty Strain of malware is back and hits 100K recipients per day
The Emotet banking trojan has been active at least since 2014, the botnet is operated by a threat actor tracked as TA542. In the middle-August, the malware was employed in fresh COVID19-themed spam campaign Recent spam campaigns used messages with malicious Word documents, or links to them, pretending to be an invoice, shipping information, COVID-19 information, resumes, financial documents, or scanned documents.
https://securityaffairs.co/wordpress/112650/malware/december-emotet-redacted.html
Ransomware in 2020: A Banner Year for Extortion
From attacks on the UVM Health Network that delayed chemotherapy appointments, to ones on public schools that delayed students going back to the classroom, ransomware gangs disrupted organizations to inordinate levels in 2020. Remote learning platforms shut down. Hospital chemotherapy appointments cancelled. Ransomware attacks in 2020 dominated as a top threat vector this past year. Couple that with the COVID-19 pandemic, putting strains on the healthcare sector, and we witnessed ransomware exact a particularly cruel human toll as well. Attacks had an impact on nearly all sectors of the global economy – costing business $20 billion collectively and creating major cybersecurity headaches for others.
https://threatpost.com/ransomware-2020-extortion/162319/
Ransomware Is Headed Down a Dire Path
AT THE END of September, an emergency room technician in the United States gave WIRED a real-time account of what it was like inside their hospital as a ransomware attack raged. With their digital systems locked down by hackers, health care workers were forced onto backup paper systems. They were already straining to manage patients during the pandemic; the last thing they needed was more chaos. "It is a life-or-death situation," the technician said at the time.
The same scenario was repeated around the country this year, as waves of ransomware attacks crashed down on hospitals and health care provider networks, peaking in September and October. School districts, meanwhile, were walloped by attacks that crippled their systems just as students were attempting to come back to class, either in person or remotely. Corporations and local and state governments faced similar attacks at equally alarming rates.
https://www.wired.com/story/ransomware-2020-headed-down-dire-path/
Russia’s global hacking efforts are going to unwind in 2021
Russia has become adept at using cyberattacks and digital-media manipulation to influence events in other countries. We know there was Russian digital interference in the 2016 US general election and the 2017 presidential election in France: both involved fake social-media accounts and “hack-and-leak” operations to steal emails. The UK government has not investigated whether, as must be probable, Russia had also been using its tools of covert subversion during the Scottish independence and Brexit referenda, but it has said that it is almost certain that Russian actors sought to interfere in the 2019 general election through the online dissemination of illicitly acquired government documents, thought to relate to US/UK trade negotiations.
Threats
IOT
FBI Warn Hackers are Using Hijacked Home Security Devices for ‘Swatting’
Malware
New Golang worm turns Windows and Linux servers into monero miners
Emotet malware hits Lithuania's National Public Health Centre
GitHub-hosted malware calculates Cobalt Strike payload from Imgur pic
Vulnerabilities
Cross-layer attacks: New hacking technique raises DNS cache poisoning, user tracking risk
Windows Zero-Day Still Circulating After Faulty Fix
Backdoor account discovered in more than 100,000 Zyxel firewalls, VPN gateways
Data Breaches
T-Mobile warns customers of second data breach in less than a year
Kawasaki discloses security breach, potential data leak
Finland says hackers accessed MPs' emails accounts
Organised Crime
21 arrests in nationwide cyber crackdown
Nation State Actors
India: A Growing Cyber Security Threat
Denial of Service
Citrix devices are being abused as DDoS attack vectors
Privacy
Mapped: The Top Surveillance Cities Worldwide
Cryptocurrency
Voyager cryptocurrency broker halted trading due to cyber attack
Other News
Brexit deal mentions Netscape browser and Mozilla Mail
6 Questions Attackers Ask Before Choosing an Asset to Exploit
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.