Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

• Nearly Two-Thirds of Ransomware Victims Paid Ransoms Last Year, Finds "2022 Cyberthreat Defense Report"

CyberEdge Group, a leading research and marketing firm serving the cyber security industry’s top vendors, announced the launch of its ninth annual Cyberthreat Defense Report (CDR). The award-winning CDR is the standard for assessing organisations’ security posture, gauging perceptions of information technology (IT) security professionals, and ascertaining current and planned investments in IT security infrastructure – across all industries and geographic regions.

A record 71% of organisations were impacted by successful ransomware attacks last year, according to the 2022 CDR, up from 55% in 2017. Of those that were victimised, nearly two-thirds (63%) paid the requested ransom, up from 39% in 2017.

https://www.darkreading.com/attacks-breaches/nearly-two-thirds-of-ransomware-victims-paid-ransoms-last-year-finds-2022-cyberthreat-defense-report-

• New Android Banking Malware Remotely Takes Control of Your Device

A new Android banking malware named Octo has appeared in the wild, featuring remote access capabilities that allow malicious operators to perform on-device fraud.

Octo is an evolved Android malware based on ExoCompact, a malware variant based on the Exo trojan that quit the cyber crime space and had its source code leaked in 2018.

The new variant has been discovered by researchers at ThreatFabric, who observed several users looking to purchase it on darknet forums.

https://www.bleepingcomputer.com/news/security/new-android-banking-malware-remotely-takes-control-of-your-device/

• Network Intrusion Detections Skyrocketing

A WatchGuard report shows a record number of evasive network malware detections with advanced threats increasing by 33%, indicating a higher level of zero day threats than ever before.

Researchers detected malware threats in EMEA at a much higher rate than other regions of the world in Q4 2021, with malware detections per Firebox at 49%, compared to Americas at 23% and APAC at 29%. The trajectory of network intrusion detections also continued its upward climb with the largest total detections of any quarter in the last three years and a 39% increase quarter over quarter.

Researchers suggest that this may be due to the continued targeting of old vulnerabilities as well as the growth in organisations’ networks. As new devices come online and old vulnerabilities remain unpatched, network security is becoming more complex.

https://www.helpnetsecurity.com/2022/04/08/network-malware-detections/

• Organisations Underestimating the Seriousness of Insider Threats

Imperva releases data that shows organisations are failing to address the issue of insider threats during a time when the risk is at its greatest.

New research, conducted by Forrester, found that 59% of incidents in EMEA organisations that negatively impacted sensitive data in the last 12 months were caused by insider threats, and yet 59% do not prioritise insider threats the way they prioritise external threats. Despite the fact that insider events occur more often than external ones, they receive lower levels of investment.

This approach is at odds with today’s threat landscape where the risk of malicious insiders has never been higher. The rapid shift to remote working means many employees are now outside the typical security controls that organisations employ, making it harder to detect and prevent insider threats.

Further, the Great Resignation is creating an environment where there is a higher risk of employees stealing data. This data could be stolen intentionally by people looking to help themselves in future employment, because they are disgruntled and want revenge, or it could be taken unintentionally when a careless employee leaves the business with important information.

https://www.helpnetsecurity.com/2022/04/08/organizations-insider-threats-issue/

• Watch Out for Phishing Emails from Genuine Mailing Lists, Following Mailchimp Hack

A Mailchimp hack means that you’ll want to be even more vigilant than usual about phishing emails. Attackers have taken a clever approach to making their emails appear genuine …

When you subscribe to an email list, there’s a decent chance that the emails you received are actually sent by a company called Mailchimp, rather than directly by the company itself. Mailchimp offers companies a range of tools that make it easy to manage email databases, and send marketing emails and newsletters.

Hackers managed to gain access to more than 100 Mailchimp customer accounts, giving them the ability to send emails that would appear to have come from any one of those businesses.

Users will need to be more vigilant when receiving emails and avoid clicking on links in emails, even if they appear genuine.

https://9to5mac.com/2022/04/05/mailchimp-hack-phishing-alert/

• SpringShell Attacks Target About One in Six Vulnerable Orgs

Roughly one out of six organisations worldwide that are impacted by the Spring4Shell zero-day vulnerability have already been targeted by threat actors, according to statistics from one cyber security company.

The exploitation attempts took place in the first four days since the disclosure of the severe remote code execution (RCE) flaw, tracked as CVE-2022-22965, and the associated exploit code.

According to Check Point, who compiled the report based on their telemetry data, 37,000 Spring4Shell attacks were detected over the past weekend alone.

https://www.bleepingcomputer.com/news/security/springshell-attacks-target-about-one-in-six-vulnerable-orgs/

• New Threat Group Underscores Mounting Concerns Over Russian Cyber Threats

Crowdstrike says Ember Bear is likely responsible for the wiper attack against Ukrainian networks and that future Russian cyber attacks might target the West.

As fears mount over the prospects of a “cyberwar” initiated by the Russian government, the number of identified Russian threat actors also continues to climb. Last week CrowdStrike publicly revealed a Russia-nexus state-sponsored actor that it tracks as Ember Bear.

CrowdStrike says that Ember Bear (also known as UAC-0056, Lorec53, Lorec Bear, Bleeding Bear, Saint Bear) is likely an intelligence-gathering adversary group that has operated against government and military organisations in eastern Europe since early 2021. The group seems “motivated to weaponize the access and data obtained during their intrusions to support information operations (IO) aimed at creating public mistrust in targeted institutions and degrading government ability to counter Russian cyber operations,” according to CrowdStrike intelligence.

Despite its state-sponsored Russia nexus, Ember Bear differs from its better-known kin such as Fancy Bear or Voodoo Bear because CrowdStrike can’t tie it to a specific Russian organisation. Its target profile, assessed intent, and technical tactics, techniques, and procedures (TTPs) are consistent with other Russian GRU cyber operations.

https://www.csoonline.com/article/3655976/new-threat-group-underscores-mounting-concerns-over-russian-cyber-threats.html

• Consumer Fraud Tripled in The Last Two Years

Reported cases of consumer fraud more than tripled in the years 2020-2021 from prior years, finds a new report by Accenture, presenting a growing challenge for public safety agencies to find new strategies to counter the trend.

The report compiled data from eight developed nations (Australia, Canada, France, Germany, Italy, Singapore, the United Kingdom, and the United States) on consumer fraud, defined as any fraud directly targeting citizens and excluding fraud targeting government agencies and companies. Reports of such fraud increased at an estimated 6.8% rate annually during 2013-2019 and then increased to a 22.5% annual growth rate yearly during 2020-2021 in parallel with the large shift of workers and consumers to digital channels and greater use of technology during the pandemic.

https://www.helpnetsecurity.com/2022/04/08/consumer-fraud-tripled/

• Borat RAT: Multiple Threat of Ransomware, DDoS and Spyware

A new remote access trojan (RAT) dubbed "Borat" doesn't come with many laughs but offers bad actors a menu of cyberthreats to choose from.

RATs are typically used by cyber criminals to get full control of a victim's system, enabling them to access files and network resources and manipulate the mouse and keyboard. Borat does all this and also delivers features to enable hackers to run ransomware, distributed denial of service attacks (DDoS) and other online assaults and to install spyware, according to researchers at cyber security biz Cyble.

"The Borat RAT provides a dashboard to Threat Actors (TAs) to perform RAT activities and also has an option to compile the malware binary for performing DDoS and ransomware attacks on the victim's machine," the researchers wrote in a blog post, noting the malware is being made available for sale to hackers.

Borat – named after the character made famous by actor Sacha Baron Cohen in two comedy films – comes with the standard requisite of RAT features in a package that includes such functions as builder binary, server certificate and supporting modules.

https://www.theregister.com/2022/04/04/borat-rat-ransomware-ddos/

• Bank Had No Firewall License, Intrusion or Phishing Protection – Guess the Rest

An Indian bank that did not have a valid firewall license, had not employed phishing protection, lacked an intrusion detection system and eschewed use of any intrusion prevention system has, shockingly, been compromised by criminals who made off with millions of rupees.

The unfortunate institution is called the Andra Pradesh Mahesh Co-Operative Urban Bank. Its 45 branches and just under $400 million of deposits make it one of India's smaller banks.

It certainly thinks small about security – at least according to Hyderabad City Police, which last week detailed an attack on the Bank that started with over 200 phishing emails being sent across three days in November 2021. At least one of those mails succeeded in fooling staff, resulting in the installation of a Remote Access Trojan (RAT).

Another technology the bank had chosen not to adopt was virtual LANs, so once the RAT went to work the attackers gained entry to the Bank's systems and were able to roam widely – even in its core banking application

https://www.theregister.com/2022/04/05/mahesh_bank_no_firewall_attack/

• Global APT Groups Use Ukraine War for Phishing Lures

Security researchers have detected multiple APT campaigns leveraging Ukraine war-themed documents and news sources to lure victims into clicking on spear-phishing links.

Check Point Research said victim locations ranged from South America to the Middle East, with malware downloads designed to perform keylogging and screenshotting and execute commands.

The threat groups in question include El Machete, which is targeting the financial and government sectors in Nicaragua and Venezuela with malicious macro-laden Word documents containing articles on the war.

One of the docs was an article written by the Russian ambassador to Nicaragua titled: “Dark plans of the neo-Nazi regime in Ukraine.”

Another is Lyceum, an Iranian state-linked group targeting the energy sector with emails about war crimes in Ukraine that link to a malicious document hosted elsewhere. Its victims so far have been in Israel and Saudi Arabia, according to Check Point.

One email contained a link to an article from The Guardian hosted on the news-spot[.]live domain, alongside several malicious docs about the war.

https://www.infosecurity-magazine.com/news/global-apt-ukraine-war-phishing/

• Paying Ransom Doesn’t Guarantee Data Recovery

OwnBackup announced the findings of a global survey conducted by Enterprise Strategy Group (ESG) that reveals a staggering 79% of respondent organisations have been targeted by ransomware within the past 12 months. Of those organisations, nearly three quarters said the attack was successful, meaning that it disrupted business operations.

Other key findings

·       Of the respondents that said their organisation paid a cyber ransom to regain access to data, applications, and/or systems after an attack, only 14% were able to recover all of their data.

·       87% of respondents who made ransom payments said that they experienced additional extortion attempts beyond the initial ransomware demand.

·       31% of respondent organisations targeted by ransomware indicated that application user and permission misconfigurations were the initial point of compromise.

·       87% of respondents are very or somewhat concerned about their backups being infected by ransomware attacks.

https://www.helpnetsecurity.com/2022/04/07/organizations-targeted-by-ransomware/

Threats

Ransomware

• March Ransomware Attacks Strike Finance, Government Targets (techtarget.com)

• Why Paying The Ransom Isn’t The Answer For Ransomware Victims - Information Security Buzz

• Companies Are More Prepared to Pay Ransoms Than Ever Before (tripwire.com)

• Conti Ransomware Deployed in IcedID Banking Trojan Attack (techtarget.com)

• Researchers Connect BlackCat Ransomware with Past BlackMatter Malware Activity (thehackernews.com)

• Notorious Hacking Group FIN7 Adds Ransomware to Its Repertoire - CyberScoop

• BlackCat Purveyor Shows Ransomware Operators Have 9 Lives (darkreading.com)

• FIN7 Hackers Evolve Toolset, Work with Multiple Ransomware Gangs (bleepingcomputer.com)

• LockBit Ransomware Attack Costs CRM Services Provider Over $42 Million - MSSP Alert

• Snap-on Discloses Data Breach Claimed by Conti Ransomware Gang (bleepingcomputer.com)

Phishing & Email Based Attacks

• Phishing Hook: Are you on the line? Cyber Security Experts Explain How the Criminals Lure You In. (winknews.com)

Other Social Engineering

• Hackers Employ Voicemail Phishing Attacks On WhatsApp Users | TechRepublic

Malware

• Borat RAT Malware: A 'Unique' Triple Threat That Is Far from Funny | ZDNet

• Multiple Hacker Groups Capitalizing on Ukraine Conflict for Distributing Malware (thehackernews.com)

• Experts Shed Light on BlackGuard Infostealer Malware Sold on Russian Hacking Forums (thehackernews.com)

• Malicious Web Redirect Service Infects 16,500 Sites to Push Malware (bleepingcomputer.com)

• Researchers Uncover How Colibri Malware Stays Persistent on Hacked Systems (thehackernews.com)

Mobile

• 44 Vulnerabilities Patched in Android With April 2022 Security Updates | SecurityWeek.Com

• Fake Versions of Real Smartphone Apps Are Being Used To Spread Malware. Here's How to Stay Safe | ZDNet

• Samsung Security Flaw Left Phones Exposed for Years (androidpolice.com)

• Six 'Antivirus' Apps Were Caught Spreading Malware That Steals Banking Info — Here Are the Culprits | Laptop Mag

• SharkBot Android Malware Continues Popping Up on Google Play | SecurityWeek.Com

• Android Apps With 45 Million Installs Used Data Harvesting SDK (bleepingcomputer.com)

• New Android Spyware Uses Turla-Linked Infrastructure | SecurityWeek.Com

Organised Crime & Criminal Actors

• Cyber Criminals Taking Advantage of The Ukraine Crisis To Create Charity Donation Scams - Help Net Security

Cryptocurrency/Cryptomining/Cryptojacking

• Crypto 2022: Hackers Have Nabbed $1.22 Billion Already (yahoo.com)

• Malicious Crypto Miners Can Make A Profit In A Few Hours - Help Net Security

• Malicious Actors Targeting the Cloud For Cryptocurrency-Mining Activities - Help Net Security

• Cryptocurrency-Mining AWS Lambda-Specific Malware Spotted • The Register

• MailChimp Breached, Intruders Conducted Phishing Attacks Against Crypto Customers - Security Affairs

• Turkey Seeks 40,000-Year Sentences for Alleged Cryptocurrency Exit Scammers | ZDNet

Insider Risk and Insider Threats

• New Insider Threat: Bad Business Decisions That Put IP At Risk | CSO Online

Fraud, Scams & Financial Crime

• Traditional Identity Fraud Losses Soar, Totalling $52 Billion in 2021 - Help Net Security

• Online Fraud Up 233% - Infosecurity Magazine

• Internal Auditors Stepping Up to Become Strategic Advisors In The Fight Against Fraud - Help Net Security

• South African and US Officers Swoop on Fraud Gang - Infosecurity Magazine

Insurance

• 18% Of the Top 99 Insurance Carriers Have A High Susceptibility To Ransomware - Help Net Security

Supply Chain

• The Blurring Line, and Growing Risk, Between Physical and Digital Supply Chains (darkreading.com)

Cloud

• The Importance of Understanding Cloud Native Security Risks - Help Net Security

• 15 Cyber Security Measures for the Cloud Era - Security Affairs

Privacy

• How You’re Still Being Tracked on the Internet - The New York Times (nytimes.com)

• Using Google's Chrome Browser? This New Feature Will Help You Fix Your Security Settings | ZDNet

Passwords & Credential Stuffing

• Attack on Ukraine Telecoms Provider Caused by Compromised Employee Credentials - Infosecurity Magazine (infosecurity-magazine.com)

• FIN7 Hackers Leveraging Password Reuse and Software Supply Chain Attacks (thehackernews.com)

Travel

• Hotels In Hackers’ Sights as Technology Replaces Personal Touch | Financial Times (ft.com)

Spyware, Espionage & Cyber Warfare, including Russian Invasion of Ukraine

• Hackers Use Conti's Leaked Ransomware to Attack Russian Companies (bleepingcomputer.com)

• Hacking Group Claim It Has Leaked More Than 900,000 Emails from Russian State Media | The Independent

• What Is the Risk Of Retaliation For Taking A Corporate Stance on Russia? | CSO Online

• Anonymous and the IT ARMY of Ukraine Continue to Target Russian Entities - Security Affairs

Nation State Actors

Nation State Actors – Russia

• The Russian Cyber Attack Threat Might Force a New IT Stance | Computerworld

• FBI Operation Aims to Take Down Massive Russian GRU Botnet | TechCrunch

• Microsoft Sinkholes Russian Hacking Group's Domains Targeting Ukraine (darkreading.com)

• FBI Disrupts Russian Military Hackers, Preventing Botnet Amid Ukraine War | Fox News

• Russia (still) Trying To Weaponize Facebook Amid Ukraine War • The Register

Nation State Actors – China

• Symantec: Chinese APT Group Targeting Global MSPs | SecurityWeek.Com

• Chinese Hackers Are Using VLC Media Player to Launch Malware Attacks (androidpolice.com)

• Hacked: Inside the US-China Cyberwar | Cybersecurity | Al Jazeera

• China Uses AI Software to Improve Its Surveillance Capabilities | Reuters

Nation State Actors – Misc

• Israeli Officials Are Being Catfished by APT-C-23 Hackers | ZDNet

Vulnerabilities

• CISA Warns of Active Exploitation of Critical Spring4Shell Vulnerability (thehackernews.com)

• Palo Alto Networks firewalls, VPNs vulnerable to OpenSSL bug (bleepingcomputer.com)

• A Vulnerability in Zyxel Firewall Could Allow for Authentication Bypass (cisecurity.org)

• Citrix Releases Security Updates for Hypervisor | CISA

• Spring4Shell Patching Is Going Slow but Risk Not Comparable To Log4Shell | CSO Online

• VMware Releases Critical Patches for New Vulnerabilities Affecting Multiple Products (thehackernews.com)

• Apple Leaves Big Sur, Catalina Exposed to Critical Flaws: Intego | SecurityWeek.Com

• A Mirai-Based Botnet Is Exploiting the Spring4Shell Vulnerability - Security Affairs

• Steady Rise in Severe Web Vulnerabilities - Help Net Security

• ACF WordPress Plugin Vulnerability Affects Up To +2 Million Sites (searchenginejournal.com)

• Zero Days Are for Life, Not Just For Christmas. Here’s How to Deal With Them • The Register

Sector Specific

Financial Services Sector

• March Ransomware Attacks Strike Finance, Government Targets (techtarget.com)

FinTech

• Server-Side-Request-Forgery Enabled Administrative Account Takeover on FinTech Platform - IT Security Guru

Health/Medical/Pharma Sector

• 49% of Small Medical Practices Lack a Cyber Attack Response Plan - Help Net Security

Manufacturing

• A Cyber Attack Forced The Wind Turbine Manufacturer Nordex Group To Shut Down Some of IT Systems - Security Affairs

CNI, OT, ICS, IIoT and SCADA

• Europe Warned About Cyber Threat to Industrial Infrastructure | SecurityWeek.Com

• BlackCat Ransomware Targets Industrial Companies | SecurityWeek.Com

Energy & Utilities

• Spanish Energy Giant Hit by Data Breach - IT Security Guru

Reports Published in the Last Week

• Cyberthreat Defense Report 2021 - CyberEdge Group (cyber-edge.com)

Other News

• Okta CEO Says Lapsus$ Hack is 'Big Deal,' Aims to Restore Trust (yahoo.com)

• 86% of Developers Don't Prioritise Application Security - Help Net Security

• Digital Transformation Requires Security Intelligence - Help Net Security

• Government Officials: AI Threat Detection Still Needs Humans (techtarget.com)

• The Original APT: Advanced Persistent Teenagers – Krebs on Security

• Scan This: There's Danger in QR Codes (darkreading.com)

• How Many Steps Does It Take for Attackers To Compromise Critical Assets? - Help Net Security

• Cyber Talent Shortage Remains A Top Problem For Sec Pros – CEO Perspective - Information Security Buzz

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

Guernsey Cyber Security Warning for Islanders and Businesses

There has been a rise in cyber-attacks since the war in Ukraine began, according to the States of Guernsey and a cyber-security firm.

The States said: "We have seen a noticeable increase in the number of phishing emails since the war began."

The Channel Islands see more than 10 million cyber attacks every month, according to research by Guernsey firm Black Arrow Cyber Consulting.

It encouraged vigilance, as the islands are not immune to these attacks.

A States spokesman said: "The whole community needs to remain vigilant against such emails, which are designed to appear to be from reputable sources in order to dupe people into providing personal information or access to their device via the clicking of a link."

Bruce McDougall, from Black Arrow Cyber Consulting, said: "Criminals don't let a good opportunity go to waste. So they're conducting scams encouraging people to make false payments in the belief they're collecting for charities."

https://www.bbc.co.uk/news/world-europe-guernsey-60763398

CISOs Face 'Perfect Storm' Of Ransomware and State-Supported Cyber Crime

As some nations turn a blind eye, defence becomes life-or-death matter

With ransomware gangs raiding network after network, and nation states consciously turning a blind eye to it, today's chief information security officers are caught in a "perfect storm," says Cybereason CSO Sam Curry.

"There's this marriage right now of financially motivated cyber crime that can have a critical infrastructure and economic impact," Curry said during a CISO roundtable hosted by his endpoint security shop. "And there are some nation states that do what we call state-ignored sanctioning," he continued, using Russia-based REvil and Conti ransomware groups as examples of criminal operations that benefit from their home governments looking the other way. 

"You get the umbrella of sovereignty, and you get the free license to be a privateer in essence," Curry said. "It's not just an economic threat. It's not just a geopolitical threat. It's a perfect storm."

It's probably not a huge surprise to anyone that destructive cyber attacks keep CISOs awake at night. But as chief information security officers across industries — in addition to Curry, the four others on the roundtable spanned retail, biopharmaceuticals, electronics manufacturing, and a cruise line — have watched threats evolve and criminal gangs mature, it becomes a battle to see who can innovate faster; the attackers or the defenders.

https://www.theregister.com/2022/03/18/ciso_security_storm/

Four Key Risks Exacerbated by Russia’s Invasion of Ukraine

Russia’s invasion of Ukraine has altered the emerging risk landscape, and it requires enterprise risk management (ERM) leaders to reassess previously established organisational risk profiles in at least four key areas, according to Gartner.

“Russia’s invasion of Ukraine has increased the velocity of many risks we have tracked on a quarterly basis in our Emerging Risks survey,” said Matt Shinkman, VP with the Gartner Risk and Audit Practice.

“As ERM leaders reassess their organisational risk models, they must also ensure a high frequency of communication with the C-Suite as to the critical changes that require attention now.”

There are four major areas of risk that ERM leaders should continually monitor and examine their mitigation strategies as part of a broader aligned assurance approach as the war continues: Talent Risk, Cyber Security Risk, Financial Risk and Supply Chain Risk

https://www.helpnetsecurity.com/2022/03/17/erm-leaders-risk/

These Four Types of Ransomware Make Up Nearly Three-Quarters of Reported Incidents

Any ransomware is a cyber security issue, but some strains are having more of an impact than others.

Ransomware causes problems no matter what brand it is, but some forms are noticeably more prolific than others, with four strains of the malware accounting for a combined total of almost 70% of all attacks.

According to analysis by cyber security company Intel 471, the most prevalent ransomware threat towards the end of 2021 was LockBit 2.0, which accounted for 29.7% of all reported incidents. Recent victims of LockBit have included Accenture and the French Ministry of Justice. 

Almost one in five reported incidents involved Conti ransomware, famous for several incidents over the past year, including an attack against the Irish Healthcare Executive. The group recently had chat logs leaked, providing insights into how a ransomware gang works. PYSA and Hive account for one in 10 reported ransomware attacks each.

"The most prevalent ransomware strain in the fourth quarter of 2021 was LockBit 2.0, which was responsible for 29.7% of all reported incidents, followed by Conti at 19%, PYSA at 10.5% and Hive at 10.1%," said the researchers.

https://www.zdnet.com/article/these-four-types-of-ransomware-make-up-nearly-three-quarters-of-reported-incidents/

Critical Infrastructure Threat as Ransomware Groups Target 'Enemies of Russia'

The cyber crime underground has fractured into pro-Ukraine and pro-Russia camps, with the latter increasingly focused on critical national infrastructure (CNI) targets in the West, according to a new report from Accenture.

The consulting giant’s Accenture Cyber Threat Intelligence (ACTI) arm warned that the ideological schism could spell mounting risk for Western organisations as pro-Kremlin criminal groups adopt quasi-hacktivist tactics to choose their next victims.

Organisations in the government, media, finance, insurance, utilities and resources sectors should be braced for more attacks, said ACTI.

https://www.infosecurity-magazine.com/news/critical-infrastructure-threat/

Cyber Insurance War Exclusions Loom Amid Ukraine Crisis

An expanding threat landscape is testing the limits of cyber insurance coverage.

The industry experienced a rapid maturation over the past three years as enterprises required a broader umbrella of insurance coverage to combat increasing cyber risks. While demands and premiums continue to rise, one recent area of contention involves war and hostile acts, an exclusion that's becoming harder to categorize.

A judgment in December, coupled with the Russian invasion last month that posed potential cyber retaliations to Ukraine allies, highlighted shortcomings in insurance policies when it comes to cyber conflicts.

https://www.techtarget.com/searchsecurity/news/252514592/Cyber-insurance-war-exclusions-loom-amid-Ukraine-crisis

Zelenskyy Deepfake Crude, But Still Might Be a Harbinger of Dangers Ahead

Several deepfake video experts called a doctored video of Ukrainian President Volodymyr Zelenskyy that went viral this week before social media platforms removed it a poorly executed example of the form, but nonetheless damaging.

Elements of the Zelenskyy deepfake — which purported to show him calling for surrender — made it easy to debunk, they said. But that won’t always be the case.

https://www.cyberscoop.com/zelenskyy-deepfake-troubles-experts/

Cyber Crooks’ Political In-Fighting Threatens the West

They’re choosing sides in the Russia-Ukraine war, beckoning previously shunned ransomware groups and thereby reinvigorating those groups’ once-diminished power.

A rift has formed in the cyber crime underground: one that could strengthen, rather than cripple, the cyber-onslaught of ransomware.

According to a report, ever since the outbreak of war in Ukraine, “previously coexisting, financially motivated threat actors divided along ideological factions.”

“Pro-Ukrainian actors are refusing to sell, buy, or collaborate with Russian-aligned actors, and are increasingly attempting to target Russian entities in support of Ukraine,” wrote researchers from Accenture’s Cyber Threat Intelligence (ACTI). “However, pro-Russian actors are increasingly aligning with hacktivist-like activity targeting ‘enemies of Russia,’ especially Western entities due to their claims of Western warmongering.”

What might otherwise seem like a good thing – bad guys fighting bad guys – may in fact pose an increased threat to the West.

https://threatpost.com/cybercrooks-political-in-fighting-threatens-the-west/178899/

Cloud-Based Email Threats Surge 50% in 2021

There was a 50% year-on-year surge in cloud-based email threats in 2021, but a drop in ransomware and business email compromise (BEC) detections as attacks became more targeted, according to Trend Micro.

The security vendor’s 2021 roundup report, Navigating New Frontiers, was compiled from data collected by customer-installed products and cloud-based threat intelligence.

It revealed that Trend Micro blocked 25.7 million email threats targeting Google Workspace and Microsoft 365 users last year, versus 16.7 million in 2020.

The number of phishing attempts almost doubled during the period, as threat actors continued to target home workers. Of these, 38% were focused on stealing credentials, the report claimed.

https://www.infosecurity-magazine.com/news/cloudbased-email-threats-surge-2021/

Millions of New Mobile Malware Strains Blitzed Enterprise in 2021

Researchers uncovered more than two million new mobile malware samples in the wild last year, Zimperium said in a new report.

Those threats spanned some 10 million mobile devices in at least 214 countries, the Dallas, Texas-based solution provider said in its newly released 2022 Global Mobile Threat Report. Indeed, mobile malware proved in 2021 to be the most prevalent security threat to enterprises, encountered by nearly 25 percent mobile endpoints among Zimperium’s customers worldwide. The 2.3 million new mobile strains Zimperium’s researchers located amount to nearly 36,000 new strains of malware weekly and roughly 5,000 each day.

https://www.msspalert.com/cybersecurity-services-and-products/mobile/millions-of-new-mobile-malware-strains-blitzed-enterprises-in-2021/

UK Criminal Defence Lawyer Hadn't Patched When Ransomware Hit

Criminal defence law firm Tuckers Solicitors is facing a fine from the UK's data watchdog for failing to properly secure data that included information on case proceedings which was scooped up in a ransomware attack in 2020.

The London-based business was handed a £98,000 penalty notice by the Information Commissioner's Office under Article 83 of the EU's General Data Protection Regulation 2018.

The breach was first noted by Tuckers on August 23 2020 when part of its IT system became unavailable. On closer inspection, resident techies found a note from the attackers confirming they had compromised part of the infrastructure. The Microsoft Exchange server was out of action and two days' worth of emails were lost, as detailed by the company blog at the time.

https://www.theregister.com/2022/03/15/brit_solicitor_fined_for_failing/

Russian Ransomware Gang Retool Custom Hacking Tools of Other APT Groups

A Russian-speaking ransomware outfit likely targeted an unnamed entity in the gambling and gaming sector in Europe and Central America by repurposing custom tools developed by other APT groups like Iran's MuddyWater, new research has found.

The unusual attack chain involved the abuse of stolen credentials to gain unauthorized access to the victim network, ultimately leading to the deployment of Cobalt Strike payloads on compromised assets, said Felipe Duarte and Ido Naor, researchers at Israeli incident response firm Security Joes, in a report published last week.

Although the infection was contained at this stage, the researchers characterized the compromise as a case of a suspected ransomware attack.

The intrusion is said to have taken place in February 2022, with the attackers making use of post-exploitation tools such as ADFind, NetScan, SoftPerfect, and LaZagne. Also employed is an AccountRestore executable to brute-force administrator credentials and a forked version of a reverse tunneling tool called Ligolo.

https://thehackernews.com/2022/03/russian-ransomware-gang-retool-custom.html

The Massive Impact of Vulnerabilities in Critical Infrastructure

Recent cyber events have shown how extremely vulnerable critical infrastructure is. What are the biggest security concerns?

In any world conflict, one of the primary threats posed is cyber actors disabling or destroying the core infrastructure of the adversary. Based on the global reaction to the current world conflict, countries fear reprisals. The worry is that there will be collateral damage to the critical infrastructure of other countries not directly involved in the current conflict.

Today, services such as healthcare systems, power grids, transportation and other critical industries are increasingly integrating their operational technology with traditional IT systems in order to modernize their infrastructure, and this has opened up a new wave of cyber attacks. Though businesses are ramping up their security initiatives and investments to defend and protect, their efforts have largely been siloed, reactive, and lack business context. Lack of visibility of risk across the estate is a huge problem for this sector.

https://www.helpnetsecurity.com/2022/03/15/critical-infrastructure-security/

Threats

Ransomware

• Nearly 34 Ransomware Variants Observed in Hundreds of Cyber Attacks in Q4 2021 (thehackernews.com)

• Franchises, Partnerships Emerge in Ransomware-as-a-Service Operations | ZDNet

• Dozens of Ransomware Variants Used In 722 Attacks Over 3 Months (bleepingcomputer.com)

• Conti Leak: A Ransomware Gang's Chats Expose Its Crypto Plans | WIRED

• 6 Reasons Not to Pay Ransomware Attackers (darkreading.com)

• Google Blows Lid Off Conti, Diavol Ransomware Access-Broker Ops | Threatpost

• SEC Filings Show Hidden Ransomware Costs And Losses | CSO Online

• Exotic Lily Sells Ransomware Groups Access To Targets • The Register

• New "Initial Access Broker" Working with Conti gang - IT Security Guru

• Google Exposes Tactics Of A Conti Ransomware Access Broker (bleepingcomputer.com)

• Avoslocker Ransomware Gang Targets US Critical Infrastructure - Security Affairs

• How Prepared Are Organisations To Face A Ransomware Attack On Kubernetes? - Help Net Security

• Experts Find Some Affiliates of BlackMatter Now Spreading BlackCat Ransomware (thehackernews.com)

• The Lapsus$ Hacking Group Is Off to a Chaotic Start | WIRED

• Bridgestone Cyber Attack Timeline and Ransomware Recovery Details - MSSP Alert

• Automotive Giant Denso Confirms Hack, Pandora Ransomware Group Takes Credit | ZDNet

Phishing & Email

• Massive Phishing Campaign Uses 500+ Domains To Steal Credentials (bleepingcomputer.com)

• How CAPTCHA Puzzles Cloak Phishing Page URLs In Emails • The Register

• Microsoft the No. 1 Most-Spoofed Brand in Phishing Attacks (darkreading.com)

• 76,000 Scams Taken Down Through Email Reporting - IT Security Guru

• Phony Instagram ‘Support Staff’ Emails Hit Insurance Company | Threatpost

• NCSC Catches 10 Million Phishes (computerweekly.com)

• This Browser-In-The-Browser Attack Is Perfect For Phishing • The Register

Malware

• New "B1txor20" Linux Botnet Uses DNS Tunnel and Exploits Log4J Flaw (thehackernews.com)

• Attacker Uses Websites' Contact Forms To Spread BazarLoader Malware | TechRepublic

• Gh0stCringe RAT Targeting Database Servers in Recent Attacks | SecurityWeek.Com

• Cyclops Blink Malware Sets Up Shop in ASUS Routers • The Register

• DirtyMoe Botnet Gains New Exploits in Wormable Module to Spread Rapidly (thehackernews.com)

• Linux Botnet Exploits Log4j Flaw To Hijack Arm, x86 Systems • The Register

• New Threat: B1txor20, A Linux Backdoor Using DNS Tunnel (360.com)

• Russian Cyclops Blink Botnet Launches Assault Against Asus Routers | ZDNet

• Uncovering Trickbot’s Use of IoT Devices In Command-And-Control Infrastructure - Microsoft Security Blog

• TrickBot Malware Abusing MikroTik Routers as Proxies for Command-and-Control (thehackernews.com)

Mobile

• Mobile Threats Skyrocket (darkreading.com)

• 2021 Mobile Security: Android More Vulnerabilities, iOS More Zero-Days (bleepingcomputer.com)

• Mobile Devices See 466% Annual Increase in Zero-Day Attacks - Infosecurity Magazine (infosecurity-magazine.com)

• 'Escobar' Android malware steals your 2FA codes — and takes over your phone | Tom's Guide (tomsguide.com)

• Thousands of Secret Keys Found in Leaked Samsung Source Code | SecurityWeek.Com

• Scammers Have 2 Clever New Ways To Install Malicious Apps on iOS Devices | Ars Technica

• Threat Intel Report: Who Is Behind Staggering 190GB Samsung Galaxy Hack? (forbes.com)

• Android Trojan Persists On The Google Play Store Since January (bleepingcomputer.com)

• Mobile App Data Found Exposing API’s & Data In 1,000’s Of Cloud Databases - Information Security Buzz

IoT

• Smart Devices Spy On You – 2 Computer Scientists Explain How The Internet Of Things Can Violate Your Privacy (theconversation.com)

Organised Crime & Criminal Actors

• Who's Who In The Cyber Criminal Underground | CSO Online

• Financially Motivated Threat Actors Willing To Go After Russian Targets - Help Net Security

• A Third of Malicious Logins Originate in Nigeria - Infosecurity Magazine

• Phishers Exploit Ukraine Conflict To Solicit Crypto - IT Security Guru

Insider Risk and Insider Threats

• MITRE and Partners Build Insider Threat Knowledge Base | CSO Online

Fraud, Scams & Financial Crime

• UK Shoppers Face More Identity Checks When Buying Online | Consumer affairs | The Guardian

Supply Chain

• Container Vulnerability Opens Door For Supply Chain Attacks (techtarget.com)

DoS/DDoS

• Israeli Govt Sites Hit By Huge DDoS Attack • The Register

Cloud

• How Cloud Services Become Weapons In Russia-Ukraine Cyber Conflict | ZDNet

• The Next Big Cyber Security Threat Is Connected SaaS Platforms (thenextweb.com)

Privacy

• Smart Devices Are Spying on You Everywhere, And That's a Problem (sciencealert.com)

Passwords & Credential Stuffing

• NVIDIA Staff Shouldn’t Have Chosen Passwords Like These… • Graham Cluley

• Attackers Using Default Credentials To Target Businesses, Raspberry Pi And Linux Top Targets - Help Net Security

Regulations, Fines and Legislation

• CafePress Fined For Covering Up Customer Info Leak • The Register

• Meta Fined €17 Million by Irish Regulator for GDPR Violations | CSO Online

Spyware, Espionage & Cyber Warfare

• Would 'Cyber Geneva Conventions' Defuse Online Aggression? (darkreading.com)

Nation State Actors

Nation State Actors – Russia

• Conti Leaks Reveal the Ransomware Group’s Links to Russia | WIRED

• How The Cyber World Can Support Ukraine | World Economic Forum (weforum.org)

• Russia's Disinformation Uses Deepfake Video Of Zelenskyy Telling People To Lay Down Arms - Security Affairs

• FBI Warns of MFA Flaw Used By State Hackers For Lateral Movement (bleepingcomputer.com)

• Ukraine Secret Service Arrests Hacker Helping Russian Invaders (thehackernews.com)

• Open Source Maintainer Sabotages Code to Wipe Russian, Belarusian Computers (vice.com)

• German Government Advises Against Using Kaspersky Antivirus (bleepingcomputer.com)

• Russia Could Use Kaspersky Antivirus Software In Cyber Attacks In Europe, German Agency Warns | Euronews

• ‘It’s The Right Thing To Do’: The 300,000 Volunteer Hackers Coming Together To Fight Russia | Ukraine | The Guardian

• Ukraine's "IT Army" Hit With Info-Stealing Malware- IT Security Guru

• Viasat, Rosneft Hit By Cyber Attacks • The Register

• Mozilla Firefox Removes Russian Search Providers Over Misinformation Concerns (bleepingcomputer.com)

• Fake Antivirus Updates Used To Deploy Cobalt Strike in Ukraine (bleepingcomputer.com)

• Ukrainian Hacktivists Allegedly Dumps Kaspersky Product Source Code Online (Updated) - Lowyat.NET

• New CaddyWiper Data Wiping Malware Hits Ukrainian Networks (bleepingcomputer.com)

• Top Ukrainian Cyber Official Praises Volunteer Hacks On Russian Targets, Offers Updates - CyberScoop

• Anonymous Sent A Message To Russians: "Remove Putin" - Security Affairs

• Cyber Attacks Cripple Russian Websites After Ukraine Invasion (gizmodo.com)

• Russia Faces IT Crisis With Just Two Months Of Data Storage Left (bleepingcomputer.com)

• Russia Labels Meta 'Extremist Organisation, Bans Instagram • The Register

Nation State Actors – China

• China-Linked Threat Actors Are Targeting The Government Of Ukraine - Security Affairs

• China Claims It Captured NSA Spy Tool That Already Leaked • The Register

Nation State Actors – Iran

• Researchers Find New Evidence Linking Kwampirs Malware to Shamoon APT Hackers (thehackernews.com)

Vulnerabilities

• CISA Adds 15 Vulnerabilities To List Of Flaws Exploited In Attacks (bleepingcomputer.com)

• New Linux Bug in Netfilter Firewall Module Lets Attackers Gain Root Access (thehackernews.com)

• Apple Patch Day: Gaping Security Holes in iOS, macOS, iPadOS | SecurityWeek.Com

• OpenSSL Patches Denial-Of-Service Certificate Flaw • The Register

• OpenSSL Patches Infinite-Loop DoS Bug In Certificate Verification – Naked Security (sophos.com)

• Nasty Linux Netfilter Firewall Security Hole Found | ZDNet

• SolarWinds Warns Of Attacks Targeting Web Help Desk Instances (bleepingcomputer.com)

• High-Severity Vulnerabilities Patched in BIND Server | SecurityWeek.Com

• QNAP Warns Severe Linux Bug Affects Most Of Its NAS Devices (bleepingcomputer.com)

Sector Specific

Financial Services Sector

• Top Threats For The Financial Sector - Help Net Security

• Hackers Target Bank Networks with new Rootkit to Steal Money from ATM Machines (thehackernews.com)

• Banks on Alert For Russian Reprisal Cyber Attacks on Swift | Ars Technica

• Fraudsters Use Intelligent Bots To Attack Financial Institutions (scmagazine.com)

• 70% of Financial Service Providers Are Implementing API Security - Help Net Security

• Report: Payment Fraud Attacks Against Fintech Companies Soar By 70% In 2021 - Information Security Buzz

Health/Medical/Pharma Sector

• Healthcare Cyber Security Trends: Organisations Not Quite Ready To Deal With Threats - Help Net Security

• Hospitals Warned Of 'Phone Calls And Emails From Hackers' As Russia-Ukraine War Rages - Manchester Evening News

• Nearly 300k Heart Patients’ Data Exposed - Infosecurity Magazine

Transport and Aviation

• Aircraft Disrupted by Satellite Jamming Following Russian Invasion - Infosecurity Magazine

• EU & US Agencies Warn That Russia Could Attack Satellite Communications - Security Affairs

Reports Published in the Last Week

• 2022 Global Mobile Threat Report: Key Insights on the State of Mobile Security - Zimperium Mobile Security Blog

Other News

• Does the Free World Need a Global Cyber Alliance? | SecurityWeek.Com

• Why EDR Is Not Sufficient To Protect Your Organisation - Help Net Security

• Public and Private Sector Security: Better Protection by Collaboration | SecurityWeek.Com

• The Importance Of Building In Security During Software Development - Help Net Security

• How Fast Can Organisations Respond To A Cyber Security Crisis? - Help Net Security

• Researcher Uses 379-Year-Old Algorithm To Crack Crypto Keys Found In The Wild | Ars Technica

• How Pen Testing Gains Critical Security Buy-in and Defence Insight (darkreading.com)

• DarkHotel APT Targets Wynn, Macao Hotels to Rip Off Guest Data | Threatpost

• When IT Spending Plans Don't Reflect Security Priorities (darkreading.com)

• Half of People Accept All Cookies Despite The Security Risk | TechRadar

• Business Is At Last Collaborating On Cyber Security | Financial Times (ft.com)

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.