Threat Intelligence Blog
Contact us to discuss any insights from our Blog, and how we can support you in a tailored threat intelligence report.
Black Arrow Cyber Threat Briefing 23 December 2022
Black Arrow Cyber Threat Briefing 23 December 2022:
-LastPass Users: Your Info and Password Vault Data are Now in Hackers’ Hands
-Ransomware Attacks Increased 41% In November
-The Risk of Escalation from Cyber Attacks Has Never Been Greater
-FBI Recommends Ad Blockers as Cyber Criminals Impersonate Brands in Search Engine Ads
-North Korea-Linked Hackers Stole $626 Million in Virtual Assets in 2022
-UK Security Agency Wants Fresh Approach to Combat Phishing
-GodFather Android malware targets 400 banks, crypto exchanges
-Companies Overwhelmed by Available Tech Solutions
-Nine in 10 Third-party Contractors, Freelancers Use Personal, Unmanaged Devices Likely to be Infected
-UK Privacy Regulator Names and Shames Breached Firms
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
LastPass Admits Attackers have an Encrypted Copy of Customers’ Password Vaults
Password locker LastPass has warned customers that the August 2022 attack on its systems saw unknown parties copy encrypted files that contain the passwords to their accounts.
In a December 22nd update to its advice about the incident, LastPass brings customers up to date by explaining that in the August 2022 attack “some source code and technical information were stolen from our development environment and used to target another employee, obtaining credentials and keys which were used to access and decrypt some storage volumes within the cloud-based storage service.” Those creds allowed the attacker to copy information “that contained basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service.”
The update reveals that the attacker also copied “customer vault” data, the file LastPass uses to let customers record their passwords. That file “is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data.” The passwords are encrypted with “256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password”.
LastPass’ advice is that even though attackers have that file, customers who use its default settings have nothing to do as a result of this update as “it would take millions of years to guess your master password using generally-available password-cracking technology.” One of those default settings is not to re-use the master password that is required to log into LastPass. The outfit suggests you make it a complex credential and use that password for just one thing: accessing LastPass.
LastPass therefore offered the following advice to individual and business users: If your master password does not make use of the defaults above, then it would significantly reduce the number of attempts needed to guess it correctly. In this case, as an extra security measure, you should consider minimising risk by changing passwords of websites you have stored.
LastPass’s update concludes with news it decommissioned the systems breached in August 2022 and has built new infrastructure that adds extra protections.
https://www.theregister.com/2022/12/23/lastpass_attack_update/
Ransomware Attacks Increased 41% In November
Ransomware attacks rose 41% last month as groups shifted among the top spots and increasingly leveraged DDoS attacks, according to new research from NCC Group.
A common thread of NCC Group's November Threat Pulse was a "month full of surprises," particularly related to unexpected shifts in threat actor behaviour. The Cuba ransomware gang resurged with its highest number of attacks recorded by NCC Group. Royal replaced LockBit 3.0 as the most active strain, a first since September of last year.
These factors and more contributed to the significant jump in November attacks, which rose from 188 in October to 265.
"For 2022, this increase represents the most reported incidents in one month since that of April, when there were 289 incidents, and is also the largest month-on-month increase since June-July's marginally larger increase of 47%," NCC Group wrote in the report.
Operators behind Royal ransomware, a strain that emerged earlier this year that operates without affiliates and utilises intermittent encryption to evade detection, surpassed LockBit 3.0 for the number one spot, accounting for 16% of hack and leak incidents last month.
The Risk of Escalation from Cyber Attacks Has Never Been Greater
In 2022, an American dressed in his pyjamas took down North Korea’s Internet from his living room. Fortunately, there was no reprisal against the United States. But Kim Jong Un and his generals must have weighed retaliation and asked themselves whether the so-called independent hacker was a front for a planned and official American attack.
In 2023, the world might not get so lucky. There will almost certainly be a major cyber attack. It could shut down Taiwan’s airports and trains, paralyse British military computers, or swing a US election. This is terrifying, because each time this happens, there is a small risk that the aggrieved side will respond aggressively, maybe at the wrong party, and (worst of all) even if it carries the risk of nuclear escalation.
This is because cyber weapons are different from conventional ones. They are cheaper to design and wield. That means great powers, middle powers, and pariah states can all develop and use them.
More important, missiles come with a return address, but virtual attacks do not. Suppose in 2023, in the coldest weeks of winter, a virus shuts down American or European oil pipelines. It has all the markings of a Russian attack, but intelligence experts warn it could be a Chinese assault in disguise. Others see hints of the Iranian Revolutionary Guard. No one knows for sure. Presidents Biden and Macron have to decide whether to retaliate at all, and if so, against whom … Russia? China? Iran? It's a gamble, and they could get unlucky.
Neither country wants to start a conventional war with one another, let alone a nuclear one. Conflict is so ruinous that most enemies prefer to loathe one another in peace. During the Cold War, the prospect of mutual destruction was a huge deterrent to any great power war. There were almost no circumstances in which it made sense to initiate an attack. But cyber warfare changes that conventional strategic calculus. The attribution problem introduces an immense amount of uncertainty, complicating the decision our leaders have to make.
FBI Recommends Ad Blockers as Cyber Criminals Impersonate Brands in Search Engine Ads
The Federal Bureau of Investigation (FBI) this week raised the alarm on cyber criminals impersonating brands in advertisements that appear in search engine results. The agency has advised consumers to use ad blockers to protect themselves from such threats.
The attackers register domains similar to those of legitimate businesses or services, and use those domains to purchase ads from search engine advertisement services, the FBI says in an alert. These nefarious ads are displayed at the top of the web page when the user searches for that business or service, and the user might mistake them for an actual search result.
Links included in these ads take users to pages that are identical to the official web pages of the impersonated businesses, the FBI explains. If the user searches for an application, they are taken to a fake web page that uses the real name of the program the user searches for, and which contains a link to download software that is, in fact, malware.
“These advertisements have also been used to impersonate websites involved in finances, particularly cryptocurrency exchange platforms,” the FBI notes. Seemingly legitimate exchange platforms, the malicious sites prompt users to provide their login and financial information, which the cyber criminals then use to steal the victim’s funds.
“While search engine advertisements are not malicious in nature, it is important to practice caution when accessing a web page through an advertised link,” the FBI says.
Businesses are advised to use domain protection services to be notified of domain spoofing, and to educate users about spoofed websites and on how to find legitimate downloads for the company’s software.
Users are advised to check URLs to make sure they access authentic websites, to type a business’ URL into the browser instead of searching for that business, and to use ad blockers when performing internet searches. Ad blockers can have a negative impact on the revenues of online businesses and advertisers, but they can be good for online security, and even the NSA and CIA are reportedly using them.
North Korea-Linked Hackers Stole $626 Million in Virtual Assets in 2022
South Korea’s spy agency, the National Intelligence Service, estimated that North Korea-linked threat actors have stolen an estimated 1.5 trillion won ($1.2 billion) in cryptocurrency and other virtual assets in the past five years.
According to the spy agency, more than half the crypto assets (about 800 billion won ($626 million)) have been stolen this year alone, reported the Associated Press. The Government of Pyongyang focuses on crypto hacking to fund its military program following harsh UN sanctions.
“South Korea’s main spy agency, the National Intelligence Service, said North Korea’s capacity to steal digital assets is considered among the best in the world because of the country’s focus on cyber crimes since UN economic sanctions were toughened in 2017 in response to its nuclear and missile tests.” reported the AP agency. North Korea cannot export its products due to the UN sanctions imposed in 2016 and 1017, and the impact on its economy is dramatic.
The NIS added that more than 100 billion won ($78 million) of the total stolen funds came from South Korea. Cyber security and intelligence experts believe that attacks aimed at the cryptocurrency industry will continue to increase next year. National Intelligence Service experts believe that North Korea-linked APT groups will focus on the theft of South Korean technologies and confidential information on South Korean foreign policy and national security.
Data published by the National Intelligence Service agency confirms a report published by South Korean media outlet Chosun early this year that revealed North Korean threat actors have stolen around $1.7 billion (2 trillion won) worth of cryptocurrency from multiple exchanges during the past five years.
https://securityaffairs.co/wordpress/139909/intelligence/north-korea-cryptocurrency-theft.html
UK Security Agency Wants Fresh Approach to Combat Phishing
The UK National Cyber Security Centre (NCSC) has called for a defence-in-depth approach to help mitigate the impact of phishing, combining technical controls with a strong reporting culture.
Writing in the agency’s blog, technical director and principal architect, “Dave C,” argued that many of the well-established tenets of anti-phishing advice simply don’t work. For example, advising users not to click on links in unsolicited emails is not helpful when many need to do exactly that as part of their job.
This is often combined with a culture where users are afraid to report that they’ve accidentally clicked, which can delay incident response, he said. It’s not the user’s responsibility to spot a phish – rather, it’s their organisation’s responsibility to protect them from such threats, Dave C argued.
As such, they should build layered technical defences, consisting of email scanning and DMARC/SPF policies to prevent phishing emails from arriving into inboxes. Then, organisations should consider the following to prevent code from executing:
Allow-listing for executables
Registry settings changes to ensure dangerous scripting or file types are opened in Notepad and not executed
Disabling the mounting of .iso files on user endpoints
Making sure macro settings are locked down
Enabling attack surface reduction rules
Ensuring third-party software is up to date
Keeping up to date about current threats
Additionally, organisations should take steps such as DNS filtering to block suspicious connections and endpoint detection and response (EDR) to monitor for suspicious behaviour, the NCSC advised.
https://www.infosecurity-magazine.com/news/uk-security-agency-combat-phishing/
GodFather Android malware targets 400 banks, crypto exchanges
An Android banking malware named 'Godfather' has been targeting users in 16 countries, attempting to steal account credentials for over 400 online banking sites and cryptocurrency exchanges.
The malware generates login screens overlaid on top of the banking and crypto exchange apps' login forms when victims attempt to log into the site, tricking the user into entering their credentials on well-crafted HTML phishing pages.
The Godfather trojan was discovered by Group-IB analysts, who believe it is the successor of Anubis, a once widely-used banking trojan that gradually fell out of use due to its inability to bypass newer Android defences. ThreatFabric first discovered Godfather in March 2021, but it has undergone massive code upgrades and improvements since then.
Also, Cyble published a report yesterday highlighting a rise in the activity of Godfather, pushing an app that mimics a popular music tool in Turkey, downloaded 10 million times via Google Play. Group-IB has found a limited distribution of the malware in apps on the Google Play Store; however, the main distribution channels haven't been discovered, so the initial infection method is largely unknown.
Almost half of all apps targeted by Godfather, 215, are banking apps, and most of them are in the United States (49), Turkey (31), Spain (30), Canada (22), France (20), Germany (19), and the UK (17).
Apart from banking apps, Godfather targets 110 cryptocurrency exchange platforms and 94 cryptocurrency wallet apps.
Companies Overwhelmed by Available Tech Solutions
92% of executives reported challenges in acquiring new tech solutions, highlighting the complexities that go into the decision-making process, according to GlobalDots.
Moreover, some 34% of respondents said the overwhelming amount of options was a challenge when deciding on the right solutions, and 33% admitted the time needed to conduct research was another challenge in deciding.
Organisations of all varieties rely on technology more than ever before. The constant adoption of innovation is no longer a luxury but rather a necessity to stay on par in today’s fast-paced and competitive digital landscape. In this environment, IT and security leaders are coming under increased pressure to show ROIs from their investment in technology while balancing operational excellence with business innovation. Due to current market realities, IT teams are short-staffed and suffering from a lack of time and expertise, making navigating these challenges even more difficult.
The report investigated how organisations went about finding support for their purchasing decisions. Conferences, exhibitions, and online events served as companies’ top source of information for making purchasing decisions, at 52%. Third-party solutions, such as value-added resellers and consultancies, came in second place at 48%.
54% are already using third parties to purchase, implement, or support their solutions, highlighting the value that dedicated experts with in-depth knowledge of every solution across a wide range of IT fields provide.
We are living in an age of abundance when it comes to tech solutions for organisations, and this makes researching and purchasing the right solutions for your organisation extremely challenging.
https://www.helpnetsecurity.com/2022/12/20/tech-purchasing-decisions/
Nine in 10 Third-party Contractors, Freelancers Use Personal, Unmanaged Devices Likely to be Infected
Talon Cyber Security surveyed 258 third-party providers to better understand the state of third-party working conditions, including work models, types of devices and security technologies used, potentially risky actions taken, and how security and IT tools impact productivity.
Looking at recent high-profile breaches, third parties have consistently been at the epicenter, so they took a step back with their research to better understand the potential root causes. The findings paint a picture of a third-party work landscape where individuals are consistently working from personal, unmanaged devices, conducting risky activities, and having their productivity impacted by legacy security and IT solutions.
Here’s what Talon discovered:
Most third parties (89%) work from personal, unmanaged devices, where organisations lack visibility and cannot enforce the enterprise’s security posture on. Talon pointed to a Microsoft data point that estimated users are 71% more likely to be infected on an unmanaged device.
With third parties working from personal devices, they tend to carry out personal, potentially risky tasks. Respondents note that at least on occasion, they have used their devices to:
Browse the internet for personal needs (76%)
Indulge in online shopping (71%)
Check personal email (75%)
Save weak passwords in the web browser (61%)
Play games (53%)
Allow family members to browse (36%)
Share passwords with co-workers (24%)
Legacy apps such as Virtual Desktop Infrastructure (VDI) and Desktop-as-a-Service (DaaS) solutions are prominent, with 45% of respondents using such technologies while working for organisations.
UK Privacy Regulator Names and Shames Breached Firms
The UK Information Commissioner’s Office (ICO) has taken the unusual step of publishing details of personal data breaches, complaints and civil investigations on its website, according to legal experts.
The data, available from Q4 2021 onwards, includes the organisation’s name and sector, the relevant legislation and the type of issues involved, the date of completion and the outcome.
Given the significance of this development, it’s surprising that the ICO has (1) chosen to release it with limited fanfare, and (2) buried the data sets on its website. Indeed, it seems to have flown almost entirely under the radar.
Understanding whether their breach or complaint will be publicised by European regulators is one of – if not the – main concern that organisations have when working through an incident, and the answer has usually been no. That is particularly the understanding or assumption where the breach or complaint is closed without regulatory enforcement. Now, at least in the UK, the era of relative anonymity looks to be over.
Despite the lack of fanfare around the announcement, this naming and shaming approach could make the ICO one of the more aggressive privacy regulators in Europe. In the future, claimant firms in class action lawsuits may adopt “US-style practices” of scanning the ICO database to find evidence of repeat offending or possible new cases.
The news comes even as data reveals the value of ICO fines issued in the past year tripled from the previous 12 months. In the year ending October 31 2022, the regulator issued fines worth £15.2m, up from £4.8m the previous year. The sharp increase in the value of fines shows the ICO’s increasing willingness selectively to crack down on businesses – particularly those that the ICO perceives has not taken adequate measures to protect customer and employee data.
https://www.infosecurity-magazine.com/news/uk-privacy-regulator-names-and/
Threats
Ransomware, Extortion and Destructive Attacks
20 companies affected by major ransomware attacks in 2021 | TechTarget
NCC Group: Ransomware attacks increased 41% in November | TechTarget
Adversarial risk in the age of ransomware - Help Net Security
FIN7 hackers create auto-attack platform to breach Exchange servers (bleepingcomputer.com)
Ransomware Uses New Exploit to Bypass ProxyNotShell Mitigations | SecurityWeek.Com
British newspaper The Guardian says it’s been hit by ransomware | TechCrunch
Play ransomware actors bypass ProxyNotShell mitigations | TechTarget
FIN7 Cyber crime Syndicate Emerges as Major Player in Ransomware Landscape (thehackernews.com)
Vice Society ransomware gang is using a custom locker - Security Affairs
NIO suffers user data breach, hacker demands $2.25 million worth of bitcoin - CnEVPost
German industrial giant ThyssenKrupp targeted in a cyber attack - Security Affairs
Paying Ransom: Why Manufacturers Shell Out to Cyber criminals (darkreading.com)
France Seeks to Protect Hospitals After Series of Cyber attacks | SecurityWeek.Com
Fire and rescue service in Victoria, Australia, confirms cyber attack - Security Affairs
Play Ransomware Gang Lay Claims For Cyber Attack On H-Hotels (informationsecuritybuzz.com)
Evolving threats and broadening responses to Ransomware in the UAE - Security Boulevard
Phishing & Email Based Attacks
Five Best Practices for Consumers to Beat Phishing Campaigns This Holiday Season - CPO Magazine
Hackers continue to exploit hijacked MailChimp accounts in cyber crime campaigns (bitdefender.com)
Holiday Spam, Phishing Campaigns Challenge Retailers (darkreading.com)
Email hijackers scam food out of businesses, not just money • The Register
Telling users to ‘avoid clicking bad links’ still isn’t working - NCSC.GOV.UK
“Suspicious login” scammers up their game – take care at Christmas – Naked Security (sophos.com)
Simple Steps to Avoid Phishing Attacks During This Festive season | Tripwire
BEC – Business Email Compromise
Telling users to ‘avoid clicking bad links’ still isn’t working - NCSC.GOV.UK
What happens once scammers receive funds from their victims - Help Net Security
Other Social Engineering; Smishing, Vishing, etc
2FA/MFA
Why Security Teams Shouldn't Snooze on MFA Fatigue (darkreading.com)
Comcast Xfinity accounts hacked in widespread 2FA bypass attacks (bleepingcomputer.com)
Malware
Malicious ‘SentinelOne’ PyPI package steals data from developers (bleepingcomputer.com)
Glupteba Botnet Continues to Thrive Despite Google's Attempts to Disrupt It (thehackernews.com)
Ukraine's DELTA military system users targeted by info-stealing malware (bleepingcomputer.com)
Sophisticated DarkTortilla Malware Serves Imposter Cisco, Grammarly Pages (darkreading.com)
Trojanized Windows 10 installers compromised the Ukrainian government | SC Media (scmagazine.com)
Raspberry Robin Worm Targets Telcos & Governments (darkreading.com)
Raspberry Robin worm drops fake malware to confuse researchers (bleepingcomputer.com)
Number of command-and-control servers spiked in 2022: report - The Record by Recorded Future
Mobile
GodFather Android malware targets 400 banks, crypto exchanges (bleepingcomputer.com)
Godfather makes banking apps an offer they can’t refuse • The Register
T-Mobile hacker gets 10 years for $25 million phone unlock scheme (bleepingcomputer.com)
Botnets
Glupteba Botnet Continues to Thrive Despite Google's Attempts to Disrupt It (thehackernews.com)
Zerobot malware now spreads by exploiting Apache vulnerabilities (bleepingcomputer.com)
Flaws within IoT devices exploited by the Zerobot botnet (izoologic.com)
Zerobot Adds Brute Force, DDoS to Its IoT Attack Arsenal (darkreading.com)
Denial of Service/DoS/DDOS
DDoS Attacks are Slowly Growing in the Technology Era (analyticsinsight.net)
Zerobot Adds Brute Force, DDoS to Its IoT Attack Arsenal (darkreading.com)
BYOD
Internet of Things – IoT
Millions of IP cameras around the world are unprotected | TechRadar
Zerobot Adds Brute Force, DDoS to Its IoT Attack Arsenal (darkreading.com)
Throw away all your Eufy cameras right now | Android Central
Read what Anker’s customer support is telling worried Eufy camera owners - The Verge
Amazon Ring Cameras Used in Nationwide ‘Swatting’ Spree, US Says - Bloomberg
Connected homes are expanding, so is attack volume - Help Net Security
Security Risks, Serious Vulnerabilities Rampant Among XIoT Devices in the Workplace - CPO Magazine
Data Breaches/Leaks
LastPass users: Your info and password vault data are now in hackers’ hands | Ars Technica
Okta's source code stolen after GitHub repositories hacked (bleepingcomputer.com)
McGraw Hill's S3 buckets exposed 100,000 students' grades • The Register
NIO suffers user data breach, hacker demands $2.25 million worth of bitcoin - CnEVPost
Shoemaker Ecco leaks over 60GB of sensitive data for 500+ days - Security Affairs
Restaurant CRM platform ‘SevenRooms’ confirms breach after data for sale (bleepingcomputer.com)
Leading sports betting firm BetMGM discloses data breach (bleepingcomputer.com)
Organised Crime & Criminal Actors
'Russian hackers' help two New York men game JFK taxi system - CyberScoop
What happens once scammers receive funds from their victims - Help Net Security
[FIN7] Fin7 Unveiled: A deep dive into notorious cyber crime gang - PRODAFT
Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain
FTX's alleged run-of-the-mill frauds depended entirely on crypto (yahoo.com)
GodFather Android malware targets 400 banks, crypto exchanges (bleepingcomputer.com)
Two associates of Sam Bankman-Fried plead guilty to fraud charges in FTX fall | FTX | The Guardian
North Korea-linked hackers stole $626M in virtual assets in 2022 - Security Affairs
Insider Risk and Insider Threats
Fraud, Scams & Financial Crime
FTX's alleged run-of-the-mill frauds depended entirely on crypto (yahoo.com)
“Suspicious login” scammers up their game – take care at Christmas – Naked Security (sophos.com)
Fraudulent ‘popunder’ Google Ad campaign generated millions of dollars • The Register
Over 67,000 DraftKings Betting Accounts Hit by Hackers (gizmodo.com)
What happens once scammers receive funds from their victims - Help Net Security
T-Mobile hacker gets 10 years for $25 million phone unlock scheme (bleepingcomputer.com)
Google Ad fraud campaign used adult content to make millions (bleepingcomputer.com)
Two associates of Sam Bankman-Fried plead guilty to fraud charges in FTX fall | FTX | The Guardian
Inside The Next-Level Fraud Ring Scamming Billions Off Holiday Retailers (darkreading.com)
Supply Chain and Third Parties
Cloud/SaaS
McGraw Hill's S3 buckets exposed 100,000 students' grades • The Register
AWS simplifies Simple Storage Service to prevent data leaks • The Register
New Brand of Security Threats Surface in the Cloud (darkreading.com)
Google WordPress Plug-in Bug Allows AWS Metadata Theft (darkreading.com)
Security on a Shoestring? Cloud, Consolidation Best Bets for Businesses (darkreading.com)
Hybrid/Remote Working
Attack Surface Management
Encryption
API
Open Source
Passwords, Credential Stuffing & Brute Force Attacks
LastPass admits attackers copied password vaults • The Register
LastPass users: Your info and password vault data are now in hackers’ hands | Ars Technica
Social Media
Malvertising
Fraudulent ‘popunder’ Google Ad campaign generated millions of dollars • The Register
Don't click too quick! FBI warns of malicious search engine ads | Tripwire
Google Ad fraud campaign used adult content to make millions (bleepingcomputer.com)
Parental Controls and Child Safety
Buggy parental-control apps could allow device takeover • The Register
Children And The Dangers Of The Virtual World (informationsecuritybuzz.com)
Regulations, Fines and Legislation
TSB fined nearly $60m for platform migration disaster • The Register
FCC proposes record-breaking $300 million fine against robocaller (bleepingcomputer.com)
France Fines Microsoft 60 Million Euros Over Advertising Cookies | SecurityWeek.Com
The long, long reach of the UK’s national security laws | Financial Times
Governance, Risk and Compliance
Make sure your company is prepared for the holiday hacking season - Help Net Security
The benefit of adopting a hacker mindset for building security strategies - Help Net Security
Careers, Working in Cyber and Information Security
CISO roles continue to expand beyond technical expertise - Help Net Security
UK secret services wants ‘corkscrew thinkers’ for new cyber force | News | The Times
Law Enforcement Action and Take Downs
Privacy, Surveillance and Mass Monitoring
France Fines Microsoft 60 Million Euros Over Advertising Cookies | SecurityWeek.Com
What is surveillance capitalism? - Definition from WhatIs.com (techtarget.com)
Google Maps: Important reason you should blur your house on Street View (ladbible.com)
Blur Your House ASAP if It's on Google Maps. Here's Why - CNET
Artificial Intelligence
Threat Modeling in the Age of OpenAI's Chatbot (darkreading.com)
This is how OpenAI's ChatGPT can be used to launch cyber attacks (techmonitor.ai)
Misinformation, Disinformation and Propaganda
Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine
State level cyber attacks – Why and how (ukdefencejournal.org.uk)
The risk of escalation from cyber attacks has never been greater | Ars Technica
Ukraine's DELTA military system users targeted by info-stealing malware (bleepingcomputer.com)
Trojanized Windows 10 installers compromised the Ukrainian government | SC Media (scmagazine.com)
NATO-Member Oil Refinery Targeted in Russian APT Blitz Against Ukraine (darkreading.com)
Russian APT Gamaredon Changes Tactics in Attacks Targeting Ukraine | SecurityWeek.Com
Kremlin-linked hackers tried to spy on oil firm in NATO country, researchers say | CNN Politics
‘Our weapons are computers’: Ukrainian coders aim to gain battlefield edge | Ukraine | The Guardian
The long, long reach of the UK’s national security laws | Financial Times
UK secret services wants ‘corkscrew thinkers’ for new cyber force | News | The Times
Nation State Actors
Nation State Actors – Russia
Nation State Actors – China
Apple accused of censoring apps in Hong Kong and Russia • The Register
The long, long reach of the UK’s national security laws | Financial Times
Nation State Actors – North Korea
Vulnerability Management
Open source vulnerabilities add to security debt - Help Net Security
Top 5 Vulnerabilities Routinely Exploited by Threat Actors in 2022 (socradar.io)
Over 50 New CVE Numbering Authorities Announced in 2022 | SecurityWeek.Com
A Guide to Efficient Patch Management with Action1 (thehackernews.com)
Digging into the numbers one year after Log4Shell | SC Media (scmagazine.com)
Vulnerabilities
Critical Windows code-execution vulnerability went undetected until now | Ars Technica
FoxIt Patches Code Execution Flaws in PDF Tools | SecurityWeek.Com
Old vulnerabilities in Cisco products actively exploited in the wild - Security Affairs
OWASSRF: CrowdStrike Identifies New Method for Bypassing ProxyNotShell Mitigations
Microsoft reports macOS Gatekeeper has an 'Achilles' heel • The Register
Microsoft will turn off Exchange Online basic auth in January (bleepingcomputer.com)
Cisco’s Talos security bods predict new wave of Excel Hell • The Register
Microsoft pushes emergency fix for Windows Server Hyper-V VM issues (bleepingcomputer.com)
Ransomware Uses New Exploit to Bypass ProxyNotShell Mitigations | SecurityWeek.Com
Zerobot malware now spreads by exploiting Apache vulnerabilities (bleepingcomputer.com)
Two New Security Flaws Reported in Ghost CMS Blogging Software (thehackernews.com)
Critical Security Flaw Reported in Passwordstate Enterprise Password Manager (thehackernews.com)
This critical Windows security flaw could be as serious as WannaCry, experts claim | TechRadar
Google WordPress Plug-in Bug Allows AWS Metadata Theft (darkreading.com)
Microsoft Details Gatekeeper Bypass Vulnerability in Apple macOS Systems (thehackernews.com)
Tools and Controls
Companies overwhelmed by available tech solutions - Help Net Security
Is Enterprise VPN on Life Support or Ripe for Reinvention? | SecurityWeek.Com
Reports Published in the Last Week
Other News
The Growing Risk Of Malicious QR Codes (informationsecuritybuzz.com)
NASA infosec again falls short of required standard • The Register
US Joint Cyber Force Elevated to Newest Subordinate Unified Command - MSSP Alert
The Rise of the Rookie Hacker - A New Trend to Reckon With (thehackernews.com)
What enumeration attacks are and how to prevent them | TechTarget
US consumers seriously concerned over their personal data | CSO Online
The FBI is worried about wave of crime against small businesses (cnbc.com)
Sector Specific
Industry specific threat intelligence reports are available.
Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.
· Automotive
· Construction
· Critical National Infrastructure (CNI)
· Defence & Space
· Education & Academia
· Energy & Utilities
· Estate Agencies
· Financial Services
· FinTech
· Food & Agriculture
· Gaming & Gambling
· Government & Public Sector (including Law Enforcement)
· Health/Medical/Pharma
· Hotels & Hospitality
· Insurance
· Legal
· Manufacturing
· Maritime
· Oil, Gas & Mining
· OT, ICS, IIoT, SCADA & Cyber-Physical Systems
· Retail & eCommerce
· Small and Medium Sized Businesses (SMBs)
· Startups
· Telecoms
· Third Sector & Charities
· Transport & Aviation
· Web3
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Threat Briefing 09 September 2022
Black Arrow Cyber Threat Briefing 09 September 2022
-Why It’s Mission-critical That All-sized Businesses Stay Cyber Secure
-Half of Firms Report Supply Chain Ransomware Compromise
-Vulnerability Exploits, Not Phishing, Are the Top Cyber Attack Vector for Initial Compromise
-Uber’s Ex-Security Chief Faces Landmark Trial Over Data Breach That Hit 57m Users
-Over 10% of Enterprise IT Assets Found Missing Endpoint Protection
-Some Employees Aren't Just Leaving Companies — They're Defrauding Them
-Ransomware Gangs Switching to New Intermittent Encryption Tactic
-How Posting Personal and Business Photos Can Be a Security Risk
-Your Vendors Are Likely Your Biggest Cyber Security Risk
-A Recent Chinese Hack Is a Wake-up Call for the Security of the World’s Software Supply Chain
-Massive Hotels Group IHG Struck by Cyber Attack Which Disrupts Booking Systems
-London's Biggest Bus Operator Hit by Cyber "Incident"
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
Why It’s Mission-Critical That All-Sized Businesses Stay Cyber Secure
A study analysing millions of emails across thousands of companies found that on average, employees of small businesses with less than 100 employees experience 350% more social engineering attacks than employees of larger enterprises. 57% of these are phishing attacks – the most prevalent social engineering attack of 2021.
Add to the mix that the global average cost of a data breach for businesses has skyrocketed. According to IBM Security’s annual Cost of a Data Breach Report, the average global cost is now a phenomenal $4.35 million.
Generally, larger corporations tend to have bigger security budgets, making them less of a target than smaller businesses with lesser budgets, and as such, more attractive to cyber criminals. This means that for small and medium-sized enterprises (SMEs) – with fewer resources and money – protection from cyber-attacks is now a matter of survival.
Ease of attack is not the only reason why criminals attack SMEs either. SMEs are often an entry point to target bigger organisations within the same supply chain. These larger corporations can either be crucial partners, suppliers, or customers, making SMEs prime targets.
But with efficient cyber security measures, every business regardless of size can keep themselves and their network safe.
Half of Firms Report Supply Chain Ransomware Compromise
Over half (52%) of global organisations know a partner that has been compromised by ransomware, yet few are doing anything to improve the security of their supply chain, according to Trend Micro.
The security vendor polled nearly 3,000 IT decision makers across 26 countries to produce its latest report, ‘Everything is connected: Uncovering the ransomware threat from global supply chains’.
It revealed that 90% of global IT leaders believe their partners and customers are making their own organisation a more attractive ransomware target.
That might be down in part to the fact that SMBs comprise a significant chunk of the supply chain for 52% of respondents. The security of SMBs is generally thought to be less effective than protection in larger, better resourced companies.
However, despite their concerns, less than half (47%) of respondents said they share knowledge about ransomware attacks with their suppliers, while a quarter (25%) claimed they don’t share potentially useful threat information with partners.
https://www.infosecurity-magazine.com/news/half-firms-supply-chain-ransomware/
Vulnerability Exploits, Not Phishing, Are the Top Cyber Attack Vector for Initial Compromise
Breaches involving phishing and credential compromise have received a lot of attention in recent years because of how frequently threat actors have employed the tactics in executing both targeted and opportunistic attacks. But that doesn't mean that enterprise organisations can afford to lessen their focus on vulnerability patching one bit.
A report from Kaspersky this week identified more initial intrusions last year resulting from exploitation of vulnerabilities in Internet-facing applications than breaches involving malicious emails and compromised accounts combined. And data that the company has collected through the second quarter of 2022 suggests the same trend might be playing out this year as well.
Kaspersky's analysis of its 2021 incident-response data showed that breaches involving vulnerability exploits surged from 31.5% of all incidents in 2020 to 53.6% in 2021. Over the same period, attacks associated with the use of compromised accounts to gain initial access declined from 31.6% in 2020 to 17.9% last year. Initial intrusions resulting from phishing emails decreased from 23.7% to 14.3% during the same period.
Uber’s Ex-Security Chief Faces Landmark Trial Over Data Breach That Hit 57m Users
Uber’s former security officer, Joe Sullivan, is standing trial this week in what is believed to be the first case of an executive facing criminal charges in relation to a data breach.
The US district court in San Francisco will start hearing arguments on whether Sullivan, the former head of security at the ride-share giant, failed to properly disclose a 2016 data breach affecting 57 million Uber riders and drivers around the world.
At a time when reports of ransomware attacks have surged and cyber security insurance premiums have risen, the case could set an important precedent regarding the culpability of US security staffers and executives for the way the companies they work for handle cyber security incidents.
The breach first came to light in November 2017, when Uber’s chief executive, Dara Khosrowshahi, revealed that hackers had gained access to the driver’s licence numbers of 600,000 US Uber drivers as well as the names, email addresses and phone numbers of as many as 57 million Uber riders and drivers.
Public disclosures like Khosrowshahi’s are required by law in many US states, with most regulations mandating that the notification be made “in the most expedient time possible and without unreasonable delay”.
But Khosrowshahi’s announcement came with an admission: a whole year had passed since the information had been breached.
https://www.theguardian.com/technology/2022/sep/06/uber-joe-sullivan-trial-security-data-breach
Over 10% of Enterprise IT Assets Found With Missing Endpoint Protection
More than 10% of enterprise IT assets are missing endpoint protection and roughly 5% are not covered by enterprise patch management solutions.
The figures come from new research by Sevco Security, which the company has compiled in the State of the Cybersecurity Attack Surface report.
"Attackers are very adept at exploiting enterprise vulnerabilities. Security and IT teams already have their hands full mitigating the vulnerabilities that they know about, and our data confirms that this is just the tip of the iceberg," Sevco told Infosecurity Magazine.
The document analyses data aggregated from visibility into more than 500,000 IT assets, and underlines existential and underreported cyber security issues in relation to securing enterprises’ assets.
“The uncertainty of enterprise inventory – the elements that make up an organisation’s cyber security attack surface – upends the foundation of every major security framework and presents a challenge to security teams: it’s impossible to protect what you can’t see,” they said.
For instance, the data found that roughly 3% of all IT assets are “stale” in endpoint protection, while 1% are stale from the perspective of patch management coverage.
https://www.infosecurity-magazine.com/news/enterprise-assets-miss-endpoint/
Some Employees Aren't Just Leaving Companies — They're Defrauding Them
Since the Great Resignation in 2021, millions of employees have left their roles with current employers in search of better ones. According to Microsoft, 40% of employees reported they are considering leaving their current roles by the end of 2022. With many still working in remote or hybrid positions due to the pandemic, larger businesses have started implementing measures to gain a better understanding of employee morale and sentiment to prevent turnover.
While most employees leave companies on good terms, some may become extremely unhappy or disgruntled prior to their departure and are more likely to defraud the company either before leaving or on their way out the door. The unfortunate reality is that no business is immune to fraud, but luckily, there are several steps you can take to prevent it from happening.
According to the Cressey Fraud Triangle, fraudulent behaviour often occurs due to three contributing factors. These include pressure or motive to commit a fraud (usually a personal financial problem), perceived opportunity within the organisation to commit a fraud (poor oversight or internal controls), and rationalisation (the ability to justify the crime to make it seem acceptable).
Very often, a fraudster needs all three sides of the triangle to successfully commit a crime. Therefore, it is extremely important for organisations to do their best to create controls and understand the risk associated with each of these areas. For example, an employee may be disgruntled and also have personal financial issues. However, if internal controls are robust and the employee doesn't have access to financial instruments, valuable assets or software systems, their ability to defraud the company is extremely limited or will get identified immediately.
Ransomware Gangs Switching to New Intermittent Encryption Tactic
A growing number of ransomware groups are adopting a new tactic that helps them encrypt their victims' systems faster while reducing the chances of being detected and stopped.
This tactic is called intermittent encryption, and it consists of encrypting only parts of the targeted files' content, which would still render the data unrecoverable without using a valid decryption key.
For example, by skipping every other 16 bytes of a file, the encryption process takes almost half of the time required for full encryption but still locks the contents for good.
Additionally, because the encryption is milder, automated detection tools that rely on detecting signs of trouble in the form of intense file IO operations are more likely to fail.
SentinelLabs has posted a report examining a trend started by LockFile in mid-2021 and now adopted by the likes of Black Basta, ALPHV (BlackCat), PLAY, Agenda, and Qyick.
These groups actively promote the presence of intermittent encryption features in their ransomware family to entice affiliates to join the RaaS operation.
"Notably, Qyick features intermittent encryption, which is what the cool kids are using as you read this. Combined with the fact that is written in Go, the speed is unmatched," describes a Qyick advertisement on hacking forums.
How Posting Personal and Business Photos Can Be a Security Risk
Image geotags, metadata, and location information can allow competitors, cyber criminals, and even nation-state threat actors to gain knowledge they can use against organisations.
Marketers in every industry enjoy evidencing their reach to their superiors and providing tangible examples of their width and breadth of influence via social networks, media, and other means of engagement. Photos of both customers and employees engaging at hosted social events, trade shows, conferences, and direct one-on-one encounters are often viewed as gold. Couple this with the individual employee’s or customer’s photos working their way onto social network platforms for others to see and admire, and the value of that gold increases, success being quantified by impressions, views and individual engagements.
The value of that gold doubles when not only does the company harvest data and call it a success, but their competitors also analyse such photos capturing a plethora of useful data points, including geotagged data, metadata of the photo, and identity of the individuals caught in the frame. They, too, call it a success. Yes, the digital engagement involving location data and or location hints within photos is a double-edged sword.
It isn’t just competitors who harvest the data. Criminal elements and nation-state intelligence and security elements do as well. Francis Bacon’s adage, “Knowledge itself is power,” applies. With location, time and place, and identity, competitors, criminals, and nation-states are given their initial tidbits of openly acquired information from which to begin to build their mosaic.
Your Vendors Are Likely Your Biggest Cyber Security Risk
As speed of business increases, more and more organisations are looking to either buy companies or outsource more services to gain market advantage. With organisations expanding their vendor base, there is a critical need for holistic third-party risk management (TPRM) and comprehensive cyber security measures to assess how much risk vendors pose.
While organisations assess and manage risk on a multitude of layers, none present bigger threats to business resiliency than third-party risk and a lack of robust cyber security controls. Breaches and service interruptions tied to these risk areas have brought down critical systems of major organisations. In 2021, 53% of CISOs surveyed by Black Kite reported being hit by at least one ransomware attack.
It bears repeating: Cyber security and third-party risk are the two biggest problems facing your long-term viability. Businesses need to be able to tackle these risk vectors individually to gain a complete view of their risk profile. A cross-functional process is essential to managing the overlap between these risk areas to better protect your organisation and increase workflow efficiency.
Ensuring that the cyber security practices of your vendors align with your organisation’s standards is critical to safeguarding your systems and data. In fact, it is just as important as how stable the business is or how well it delivers products and services.
https://www.helpnetsecurity.com/2022/09/05/vendors-cybersecurity-risk/
A Recent Chinese Hack Is a Wake-up Call for the Security of the World’s Software Supply Chain
It’s perhaps only a coincidence that there’s a famous Chinese saying ‘No one knows, not even the ghosts’ that neatly summarises a recent hack on MiMi, a Chinese messaging app. According to recent reports, a Chinese state-backed hacking group inserted malicious code into this messaging app, essentially pulling off the equivalent of the infamous SolarWinds hack. Users of MiMi were served a version of the app with malicious code added, thanks to attackers taking control of the servers that delivered the app. In short, this was a software supply chain attack in which the software delivery pipeline was compromised.
Observers could be forgiven for thinking that this is just another hack. Chinese hacking groups, and those of Western countries too, have developed a reputation over the past two decades for spying, surveillance, and sabotage. But this attack is different than typical hacking fare because the attackers rode in on the back of a trusted piece of software. This is a software supply chain attack, where the attackers tamper with either source code, the software build system, or the software publishing pipeline, all of which have become essential to the functioning of the world’s digital economy.
Software supply chain attacks have been rapidly growing in frequency. Twenty years ago, there might have been one or two a year. These days, depending on the methodology, there are either hundreds or thousands a year, and that’s only counting the reported attacks. And increasingly anybody who depends upon software (read: everybody) is or shortly will be a victim: the U.S. government, Microsoft, thousands of other companies and, apparently in this MiMi attack, individuals.
Massive Hotels Group IHG Struck by Cyber Attack Which Disrupts Booking Systems
InterContinental Hotels Group (IHG), which owns brands such as InterContinental, Crowne Plaza, Holiday Inn, and many others, has had its IT systems breached by malicious hackers.
In a filing with the London Stock Exchange, the multinational hospitality company reported that "parts of the company's technology systems have been subject to unauthorised activity."
As a result, the company said, "IHG's booking channels and other applications have been significantly disrupted since [Monday], and this is ongoing."
The first indication that the company was experiencing problems appeared early on Monday morning UK time, when anyone who tried to book a hotel room via the company's website or app, or access their IHG One Rewards account was greeted by a maintenance message.
Although it has made no declaration regarding the nature of the security breach, in its filing with the London Stock Exchange, IHG mentioned they were "working to fully restore all systems". This would fit into the scenario of IHG having hit been hit with ransomware, which may not only have encrypted data - locking the company out of its systems and demanding a ransom be paid - but could have also caused even more problems.
London's Biggest Bus Operator Hit by Cyber "Incident"
Travellers in London were braced for more delays last week after the city’s largest bus operator revealed it has been hit by a “cyber security incident,” according to reports.
Newcastle-based transportation group Go-Ahead shared a statement with the London Stock Exchange indicating “unauthorised activity” had been discovered on its network yesterday.
“Upon becoming aware of the incident, Go-Ahead immediately engaged external forensic specialists and has taken precautionary measures with its IT infrastructure whilst it continues to investigate the nature and extent of the incident and implement its incident response plans,” it stated. “Go-Ahead will continue to assess the potential impact of the incident but confirms that there is no impact on UK or International rail services which are operating normally.”
However, the same may not be true of its bus services. Sky News reported that bus and driver rosters may have been impacted by the attack, which could disrupt operations.
Go-Ahead operates multiple services in the South, South West, London, North West, East Anglia, East Yorkshire and its native North East. It is London’s largest bus company, operating over 2400 buses in the capital and employing more than 7000 staff.
https://www.infosecurity-magazine.com/news/londons-biggest-bus-operator-hit/
Threats
Ransomware and Extortion
Interpol dismantles sextortion ring, warns of increased attacks (bleepingcomputer.com)
Play Ransomware Attack Playbook Similar to that of Hive, Nokoyawa (trendmicro.com)
Some Members of Conti Group Targeting Ukraine in Financially Motivated Attacks (thehackernews.com)
How to Improve Mean Time to Detect for Ransomware | SecurityWeek.Com
Google: Former Conti ransomware members attacking Ukraine (techtarget.com)
Hackers Are Using NASA Telescope Images To Push Ransomware (informationsecuritybuzz.com)
Ransomware gang's Cobalt Strike servers DDoSed with anti-Russia messages (bleepingcomputer.com)
Everything You Need To Know About BlackCat (AlphaV) (darkreading.com)
Microsoft: Iranian hackers encrypt Windows systems using BitLocker (bleepingcomputer.com)
Microsoft Warns of Ransomware Attacks by Iranian Phosphorus Hacker Group (thehackernews.com)
Clarion Housing: Anger over landlord silence since cyber attack - BBC News
New Ransomware Hits Windows, Linux Servers Of Chile Govt Agency (informationsecuritybuzz.com)
QNAP warns new Deadbolt ransomware attacks exploiting 0day - Security Affairs
Second largest U.S. school district LAUSD hit by ransomware (bleepingcomputer.com)
Windows Defender identified Chromium, Electron apps as Hive Ransomware - Security Affairs
Phishing & Email Based Attacks
EvilProxy Commodifies Reverse-Proxy Tactic for Phishing, Bypassing 2FA (darkreading.com)
Criminals harvest users' PI by impersonating popular brands - Help Net Security
Lampion malware returns in phishing attacks abusing WeTransfer (bleepingcomputer.com)
A new phishing scam targets American Express cardholders - Security Affairs
EvilProxy phishing-as-a-service with MFA bypass emerged on the dark web - Help Net Security
GIFShell attack creates reverse shell using Microsoft Teams GIFs (bleepingcomputer.com)
Other Social Engineering; Smishing, Vishing, etc
Malware
Cyber criminals targeting Minecraft fans with malware • The Register
Next-Gen Linux Malware Takes Over Devices With Unique Tool Set (darkreading.com)
TeslaGun Primed to Blast a New Wave of Backdoor Cyber attacks (darkreading.com)
New Linux malware evades detection using multi-stage deployment (bleepingcomputer.com)
Bumblebee malware adds post-exploitation tool for stealthy infections (bleepingcomputer.com)
North Korean Hackers Deploying New MagicRAT Malware in Targeted Campaigns (thehackernews.com)
Mobile
Internet of Things – IoT
Data Breaches/Leaks
NATO docs sold on darkweb after they were stolen from Portugal - Security Affairs
Criminals claim they've stolen NATO missile plans • The Register
TikTok denies data breach following leak of user data - Security Affairs
IRS mistakenly published confidential info for roughly 120K taxpayers - Security Affairs
Samsung US Says Customer Data Compromised in July Data Breach | SecurityWeek.Com
Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain
Scammers live-streamed on YouTube a fake Apple crypto event - Security Affairs
FBI: Crooks are using these DeFi flaws to steal your money | ZDNET
Feds freeze $30m in cryptocurrency stolen from Axie Infinity • The Register
Fraud, Scams & Financial Crime
62% of consumers see fraud as an inevitable risk of online shopping - Help Net Security
Islanders in Jersey lose nearly £400,000 to romance fraud | ITV News Channel
The Advantages of Threat Intelligence for Combating Fraud | SecurityWeek.Com
AML/CFT/Sanctions
UK forces crypto exchanges to report suspected sanction breaches | Cryptocurrencies | The Guardian
US Treasury sanctioned Iran ’s Ministry of Intelligence over Albania cyber attack - Security Affairs
Insurance
Supply Chain and Third Parties
Supply chain risk is a top security priority as confidence in partners wanes - Help Net Security
KeyBank: Hackers of third-party provider stole customer data | The Seattle Times
Government guide for supply chain security: The good, the bad and the ugly - Help Net Security
Software Supply Chain
Denial of Service DoS/DDoS
Cloud/SaaS
Defenders Be Prepared: Cyber attacks Surge Against Linux Amid Cloud Migration (darkreading.com)
Hybrid Cloud Security Challenges & Solutions (trendmicro.com)
Identity and Access Management
Encryption
API
Open Source
Passwords, Credential Stuffing & Brute Force Attacks
Are Default Passwords Hiding in Your Active Directory? Here's how to check (bleepingcomputer.com)
200,000 North Face accounts hacked in credential stuffing attack (bleepingcomputer.com)
Social Media
TikTok denies security breach after hackers leak user data, source code (bleepingcomputer.com)
Facebook Engineers Admit They Don’t Know What They Do With Your Data (vice.com)
Privacy
Parental Controls and Child Safety
Cyber Bullying and Cyber Stalking
Regulations, Fines and Legislation
Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine
Google Details Recent Ukraine Cyber attacks | SecurityWeek.Com
Ukraine dismantles more bot farms spreading Russian disinformation (bleepingcomputer.com)
Ukraine is under attack by hacking tools repurposed from Conti cyber crime group | Ars Technica
Newly discovered cyber spy group targets Asia • The Register
New Iranian hacking group APT42 deploys custom Android spyware (bleepingcomputer.com)
Israeli Defence Minister's Cleaner Sentenced for Spying Attempt | SecurityWeek.Com
Researchers Find New Android Spyware Campaign Targeting Uyghur Community (thehackernews.com)
Anonymous hacked Yandex taxi causing a traffic jam in Moscow - Security Affairs
Nation State Actors
Nation State Actors – Russia
Nation State Actors – China
Nation State Actors – North Korea
North Korean Hackers Deploying New MagicRAT Malware in Targeted Campaigns (thehackernews.com)
North Korea's Lazarus Targets Energy Firms With Three RATs | SecurityWeek.Com
Nation State Actors – Iran
Microsoft: Iranian hackers encrypt Windows systems using BitLocker (bleepingcomputer.com)
UK condemns Iran for reckless cyber attack against Albania - GOV.UK (www.gov.uk)
US Treasury sanctioned Iran ’s Ministry of Intelligence over Albania cyber attack - Security Affairs
NATO Condemns Alleged Iranian Cyber attack on Albania | SecurityWeek.Com
New Iranian hacking group APT42 deploys custom Android spyware (bleepingcomputer.com)
Microsoft investigates Iranian attacks against the Albanian government - Microsoft Security Blog
Microsoft Warns of Ransomware Attacks by Iranian Phosphorus Hacker Group (thehackernews.com)
Nation State Actors – Misc
Vulnerabilities
CISA adds 12 new flaws to Known Exploited Vulnerabilities Catalog - Security Affairs
September 2022 Patch Tuesday forecast: No sign of cooling off - Help Net Security
High-risk ConnectWise Automate vulnerability fixed, admins urged to patch ASAP - Help Net Security
Hackers Exploit Zero-Day in WordPress BackupBuddy Plugin in ~5 Million Attempts (thehackernews.com)
Mirai Variant MooBot Botnet Exploiting D-Link Router Vulnerabilities (thehackernews.com)
Cisco won’t fix authentication bypass zero-day in EoL routers (bleepingcomputer.com)
Critical RCE Vulnerability Affects Zyxel NAS Devices — Firmware Patch Released (thehackernews.com)
Chrome and Edge fix zero-day security hole – update now! – Naked Security (sophos.com)
Google Patches Sixth Chrome Zero-Day of 2022 | SecurityWeek.Com
QNAP patches zero-day used in new Deadbolt ransomware attacks (bleepingcomputer.com)
HP fixes severe bug in pre-installed Support Assistant tool (bleepingcomputer.com)
Other News
The Heartbleed bug: How a flaw in OpenSSL caused a security crisis | CSO Online
Cyber Security - the More Things Change, the More They Are The Same | SecurityWeek.Com
CISOs say stress and burnout are their top personal risks (cnbc.com)
How to deal with unprecedented levels of regulatory change - Help Net Security
Sector Specific
Industry specific threat intelligence reports are available.
Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.
· Automotive
· Construction
· Critical National Infrastructure (CNI)
· Defence & Space
· Education & Academia
· Energy & Utilities
· Estate Agencies
· Financial Services
· FinTech
· Food & Agriculture
· Gaming & Gambling
· Government & Public Sector (including Law Enforcement)
· Health/Medical/Pharma
· Hotels & Hospitality
· Insurance
· Legal
· Manufacturing
· Maritime
· Oil, Gas & Mining
· OT, ICS, IIoT, SCADA & Cyber-Physical Systems
· Retail & eCommerce
· Small and Medium Sized Businesses (SMBs)
· Startups
· Telecoms
· Third Sector & Charities
· Transport & Aviation
· Web3
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.