Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

• 79% Of Companies Only Invest in Cyber Security After Hacking Incidents

The British cyber security company Tanium published a survey on investments in digital protection in UK companies with alarming results: 79% of them only approve investments in cyber security after suffering a data breach; 92% experienced a data attack or breach, of which 74% occurred in 2021. Leadership reticence is also high, with 63% of leaders convinced cyber security is only a concern after an attack.

The complexity of the situation has grown with the digital transformation of work. If it streamlines many processes, it can also open up serious security gaps. A sensitive point is the “home office”: companies need effective solutions to eliminate gaps that may appear between employees’ computers (often shared devices) and the company’s internal network.

Putting in solutions is just the beginning of a necessary strategy and investment effort in virtual protection. Complex scams based on phishing, reverse engineering, and backdoor-type malicious programs (“planted” discreetly on a device and sometimes inactive for months) often combine real-world and virtual-world fraud.

The escalation of corporate data hijacking appears in this scenario. The most notorious case at a global level of such an incident, with a million-dollar ransom demand, was launched in 2021 on Colonial Pipeline. This US company paid $40 million to regain control over strategic data after fuel supplies through its pipelines to several states were threatened for days.

https://informationsecuritybuzz.com/infosec-news/79-of-the-companies-only-invest-in-cybersecurity-after-hacking-incidents/

• Nearly Half of Breaches During First Half of 2022 Involved Stolen Credentials

According to a new report by Acronis, a Switzerland-based cyber security company, nearly half of breaches during the first six months of 2022 involved stolen credentials.

The goal of stealing credentials is to launch ransomware attacks. According to the report, these “continue to be the number one threat to large and medium-sized businesses, including government organisations.”

Attackers usually use phishing techniques to extract these credentials. In the first half of the year, over 600 malicious email campaigns made their way across the internet, of which 58% were phishing attempts and 28% featured malware.

Acronis also added that “as reliance on the cloud increases, attackers have homed in on different entryways to cloud-based networks.”

Additionally, cyber criminals now also target unpatched or software vulnerabilities to extract data, with a recent increase on Linux operating systems and managed service providers (MSPs) and their network of SMB customers.

The third vector spotted by Acronis was “non-traditional entry avenues” such as cryptocurrencies and decentralised finance (DeFi) systems.

https://www.itsecurityguru.org/2022/08/30/nearly-half-of-breaches-during-first-half-of-2022-involved-stolen-credentials/

• Outdated Infrastructure Not Up to Today’s Ransomware Challenges

A global research commissioned by Cohesity reveals that nearly half of respondents say their company depends on outdated, legacy backup and recovery infrastructure to manage and protect their data. In some cases, this technology is more than 20 years old and was designed long before today’s multicloud era and onslaught of sophisticated cyber attacks plaguing enterprises globally.

Challenges pertaining to outdated infrastructure could easily be compounded by the fact that many IT and security teams don’t seem to have a plan in place to mobilise if and when a cyber attack occurs. Nearly 60% of respondents expressed some level of concern that their IT and security teams would be able to mobilise efficiently to respond to the attack.

These are just some of the findings from an April 2022 survey, conducted by Censuswide, of more than 2,000 IT and SecOps professionals (split nearly 50/50 between the two groups) in the United States, the United Kingdom, Australia and New Zealand. All respondents play a role in the decision-making process for IT or security within their organisations.

IT and security teams should raise the alarm bell if their organisation continues to use antiquated technology to manage and secure their most critical digital asset – their data.

Cyber criminals are actively preying on this outdated infrastructure as they know it was not built for today’s dispersed, multicloud environments, nor was it built to help companies protect and rapidly recover from sophisticated cyber attacks.

https://www.helpnetsecurity.com/2022/08/30/outdated-infrastructure-manage-data/

• Ghost Data Increases Enterprise Business Risk

IT has to get its hands around cloud data sprawl. Another area of focus should be on ghost data, as it expands the organisation's cloud attack surface.

Cloud sprawl is a big issue for organisations, with business teams spinning up cloud systems and services on their own, often without IT oversight. That leads to cloud data sprawl as data is scattered across different environments. If IT doesn’t know about the cloud systems and services, then IT is also not managing the data being collected, processed, and stored there.

We all know about shadow IT, the systems and network devices in the organisation’s environment that IT is not managing. Similarly, shadow data refers to unmanaged data store copies and snapshots or log data that are not part of IT’s backup and recovery strategy. Researchers at Cyera estimate that 60% of the data security posture issues that are present in cloud accounts stem from unsecured sensitive data.

Then there is the problem of ghost data. When data gets deleted from cloud systems, it isn’t fully gone. Copies linger in backups or snapshots of data stores. Ghost data refers to those copies left behind after the original has been deleted, and Cyera’s recent analysis show that enterprises have quite a lot of it.

After scanning the three major cloud providers (Amazon Web Services, Azure, and Google Cloud), Cyera researchers found that over 30% of scanned customer cloud data stores are ghost data and more than 58% contain sensitive, or very sensitive, data. For example, researchers found unsecured database snapshots in non-production environments that contained sensitive customer data where the original database had been destroyed. Researchers also uncovered sensitive personal and authentication data in plain text where the production data and application were no longer in use.

Ghost data usually has no business value - the data was deleted for a reason - and having it around unnecessarily increases business risk. Attackers don’t care if they get their hands on the original sensitive information or the copy because to them, all data has value, regardless of the form it takes.

https://www.darkreading.com/edge-threat-monitor/ghost-data-increases-enterprise-business-risk

• Detected Cyber Threats Surge 52% in 1H 2022

A leading cyber security vendor blocked 63 billion threats in the first half of 2022 alone, over 50% more than the same period a year ago.

The findings come from the Trend Micro 2022 Midyear Cybersecurity Report and illustrate the scale of the challenge facing network defenders.

Trend Micro highlighted the persistent threat posed by ransomware-as-a-service (RaaS) groups as one that will continue to cause major challenges for organisations in the years to come.

It said detections of prolific groups such as LockBit and Conti increased by 500% year-on-year in 1H 2022. Such groups will continue to adapt their tactics, techniques and procedures (TTPs) in the race for profits.

The report warned of a surge in threats targeting Linux systems, for example. It said detections of attacks on Linux servers and embedded systems grew 75% year-on-year in the first half of 2022. Both SMBs and larger organisations are now a target, it claimed.

Many RaaS groups exploit vulnerabilities as a primary attack vector. Their job is getting easier as the number of published common vulnerabilities and exposures (CVEs) continues to grow strongly.

Trend Micro’s Zero Day Initiative published advisories on 944 vulnerabilities in the first half of 2021, a 23% year-on-year increase. The number of critical bug advisories it published soared by 400% over the same period.

https://www.infosecurity-magazine.com/news/detected-cyberthreats-surge-52-in/

• An Interview with Initial Access Broker Wazawaka: ‘There Is No Such Money Anywhere as There is in Ransomware’

Last April, a ransomware group threatened to expose police informants and other sensitive information if the Washington, D.C. Metropolitan Police Department did not pay a demand.

The brazen attack was the work of a gang known as Babuk, which in early 2021 gained a reputation for posting stolen databases on its website from victims that refused to pay a ransom. Just days after it tried to extort the Metropolitan Police Department, Babuk announced it was closing its ransomware affiliate program, and would focus on data theft and extortion instead.

Earlier this year, cyber security journalist Brian Krebs uncovered details about one man behind the operation named Mikhail Matveev, who was also connected to a number of other groups and identities, including the handle ‘Wazawaka.’ According to Krebs, Matveev had become more unhinged than usual, “publishing bizarre selfie videos” and creating a Twitter account to share exploit code.

Matveev talked to Recorded Future about his interaction with other hackers, details about ransomware attacks he’s been involved in, and how he settled on the name Babuk.

Click the link below for the full interview but the long and short is ransomware has created a criminal ecosystem the likes of which the world has never seen.

https://therecord.media/an-interview-with-initial-access-broker-wazawaka-there-is-no-such-money-anywhere-as-there-is-in-ransomware/

• Cyber Crime Underground More Dangerous Than Organisations Realise

Kela, a cyber threat intelligence specialist, found in a new study of some 400 security pros in the US that organisations are more at risk from the “cyber crime underground” than they realise.

The Israel-based company surveyed security team members responsible for gathering cyber crime threat intelligence daily to better understand if they’re proactively scanning the dark web and other cyber crime sources, what tools they’re using and the gaps they see in their cyber crime threat intelligence approach. Nearly 60% of the respondents do not believe their current cyber crime prevention is effective, the results showed.

Here are the study’s key findings:

• 69% are concerned about threats from the cyber crime underground.

• 54% wouldn’t be surprised to find their organisation’s data on the cyber crime underground.

• Only 38% believe that they’re very likely to detect it if it was released.

• 48% have no documented cyber crime threat intelligence policy in place.

• Only 41% believe their current security program is very effective.

• 49% are not satisfied with the visibility they have of the cyber crime underground.

• Of the 51% who were satisfied with their visibility into the cyber crime underground, 39% were still unable to prevent an attack.

• Additional training and proficiency in cyber crime intelligence investigations is the most needed capability.

https://www.msspalert.com/cybersecurity-research/cybercrime-underground-more-dangerous-than-organizations-realize-threat-intelligence-firm-warns/

• New Ransomware Group BianLian Activity Exploding

A new ransomware group operating under the name BianLian emerged in late 2021 and has become increasingly active since.

The threat actor already has twenty alleged victims across several industries (insurance, medicine, law and engineering), according to a research paper from US cyber security firm Redacted, published on September 1, 2022. The majority of the victim organisations have been based in Australia, North America and the UK.

The research team has given no attribution yet but believes the threat actor “represents a group of individuals who are very skilled in network penetration but are relatively new to the extortion/ransomware business.”

BianLian uses a custom toolkit, including homemade encryptors and encryption backdoors. Both, as well as the command-and-control (C&C) software the hackers use, are written in Go, an increasingly popular programming language among ransomware threat actors.

Troublingly, the Redacted team of researchers has found evidence that BianLian is likely now trying to up their game.

https://www.infosecurity-magazine.com/news/new-ransomware-group-bianlian/

• Can Your Passwords Withstand Threat Actors’ Dirty Tricks?

Password security hinges on the answer to that seemingly simple question. Unfortunately, you can’t know the answer until you’ve engaged a ruthless penetration tester to find out if your environment can stand up to the frighteningly good password cracking skills of today’s most nefarious hackers.

The whole purpose of hiring skilled penetration testers (“pentesters”) is to find out if your environment is truly impenetrable — and if it’s not, exactly how you should shore up your defences. Good pentesters and red teamers spend their time trying to simulate and emulate the real bad actors. After all, what’s the point of pressure-testing your IT infrastructure if you don’t use the same pressure that you’ll face in the real world?

You should “train like you fight.” Without sparring, how can you expect to jump into a boxing ring and go a few rounds with a skilled boxer? That’s the entire point of goal-based penetration testing and red/purple team engagements that simulate real-world threat actors.

Password cracking will continue to evolve – and so should your penetration testing tactics and plans. By the time you get to your fourth or fifth round with a quality pentesting consultancy, your risk mitigation will have dramatically improved — which means you’ll be able to move on to the next stage of security maturity.

https://www.helpnetsecurity.com/2022/08/30/stand-up-to-password-cracking/

• Ransomware Gangs’ Favourite Targets

Barracuda released its fourth-annual threat research report which looks at ransomware attack patterns that occurred between August 2021 and July 2022.

For the 106 highly publicised attacks our researchers analysed, the dominant targets are still five key industries: education (15%), municipalities (12%), healthcare (12%), infrastructure (8%), and financial (6%). The number of ransomware attacks increased year-over-year across each of these five industry verticals, and attacks against other industries more than doubled compared to last year’s report.

While attacks on municipalities increased only slightly, the analysis over the past 12 months showed that ransomware attacks on educational institutions more than doubled, and attacks on the healthcare and financial verticals tripled. Many choose not to disclose when they get hit.

This year, researchers dug in deeper on these highly publicised attacks to see which other industries are starting to be targeted. Service providers were hit the most, and ransomware attacks on automobile, hospitality, media, retail, software, and technology organisations all increased as well.

Most ransomware attacks don’t make headlines, though. Many victims choose not to disclose when they get hit, and the attacks are often sophisticated and extremely hard to handle for small businesses.

As ransomware and other cyber threats continue to evolve, the need for adequate security solutions has never been greater. Many cyber criminals target small businesses in an attempt to gain access to larger organisations. As a result, it is essential for security providers to create products that are easy to use and implement, regardless of a company’s size.

Additionally, sophisticated security technologies should be available as services, so that businesses of all sizes can protect themselves against these ever-changing threats. By making security solutions more accessible and user-friendly, the entire industry can help to better defend against ransomware and other cyber attacks.

https://www.helpnetsecurity.com/2022/08/31/ransomware-attack-patterns/

• Tentacles of ‘0ktapus’ Threat Group Victimise 130 Firms

Over 130 companies were tangled in sprawling phishing campaign that spoofed a multi-factor authentication system.

Targeted attacks on Twilio and Cloudflare employees are tied to a massive phishing campaign that resulted in 9,931 accounts at over 130 organisations being compromised. The campaigns are tied to focused abuse of identity and access management firm Okta, which gained the threat actors the 0ktapus moniker, by researchers.

The primary goal of the threat actors was to obtain Okta identity credentials and multi-factor authentication (MFA) codes from users of the targeted organisations. These users received text messages containing links to phishing sites that mimicked the Okta authentication page of their organisation.

114 US-based firms were impacted, with additional victims of sprinkled across 68 additional countries. The full scope of the attack is still unknown but the 0ktapus campaign has been incredibly effective, and the full scale of it may not be known for some time.

The 0ktapus attackers are believed to have begun their campaign by targeting telecommunications companies in hopes of winning access to potential targets’ phone numbers.

While unsure exactly how threat actors obtained a list of phone numbers used in MFA-related attacks, one theory researchers posit is that 0ktapus attackers began their campaign targeting telecommunications companies.

https://threatpost.com/0ktapus-victimize-130-firms/180487/

• Organisations Are Spending Billions on Malware Defence That’s Easy to Bypass

Last year, organisations spent $2 billion on products that provide Endpoint Detection and Response, a relatively new type of security protection for detecting and blocking malware targeting network-connected devices. EDRs, as they're commonly called, represent a newer approach to malware detection. Static analysis, one of two more traditional methods, searches for suspicious signs in the DNA of a file itself. Dynamic analysis, the other more established method, runs untrusted code inside a secured "sandbox" to analyse what it does to confirm it's safe before allowing it to have full system access.

EDRs—which are forecasted to generate revenue of $18 billion by 2031 and are sold by dozens of security companies—take an entirely different approach. Rather than analyse the structure or execution of the code ahead of time, EDRs monitor the code's behaviour as it runs inside a machine or network. In theory, it can shut down a ransomware attack in progress by detecting that a process executed on hundreds of machines in the past 15 minutes is encrypting files en masse. Unlike static and dynamic analyses, EDR is akin to a security guard that uses machine learning to keep tabs in real time on the activities inside a machine or network.

Despite the buzz surrounding EDRs, new research suggests that the protection they provide isn't all that hard for skilled malware developers to circumvent. In fact, the researchers behind the study estimate EDR evasion adds only one additional week of development time to the typical infection of a large organisational network. That's because two fairly basic bypass techniques, particularly when combined, appear to work on most EDRs available in the industry.

https://arstechnica.com/information-technology/2022/08/newfangled-edr-malware-detection-generates-billions-but-is-easy-to-bypass/

Threats

Ransomware

• Global Ransomware Damages to Exceed $30bn by 2023 - Infosecurity Magazine (infosecurity-magazine.com)

• Ransomware Research: 10 Key Findings, Five Ways to Defend Against Hijackers - MSSP Alert

• Cyber Attack: Spike in Ransomware Threat to More Than 1.2 Million Per Month Between January-June, Says Report | LatestLY

• LockBit ransomware gang gets aggressive with triple-extortion tactic (bleepingcomputer.com)

• New Golang-based 'Agenda Ransomware' Can Be Customized For Each Victim (thehackernews.com)

• Chile and Montenegro Floored by Ransomware - Infosecurity Magazine (infosecurity-magazine.com)

• Researchers Detail Emerging Cross-Platform BianLian Ransomware Attacks (thehackernews.com)

• Ragnar Locker Brags About TAP Air Portugal Breach (darkreading.com)

• Police ‘negotiating with hackers’ who hit Paris hospital computer system | World | The Times

• Advanced cyber-attack: NHS doctors' paperwork piles up - BBC News

• Another Ransomware For Linux Likely In Development - Security Affairs

• Montenegro hit by ransomware attack, hackers demand $10 million (bleepingcomputer.com)

• Should ransomware payments be banned? A few considerations - Help Net Security

• Researchers Spot Snowballing BianLian Ransomware Gang Activity (darkreading.com)

• Ragnar Locker continues trend of ransomware targeting energy sector | CSO Online

• BlackCat ransomware claims attack on Italian energy agency (bleepingcomputer.com)

• Italian Oil Major Becomes Victim Of Ransomware Attack | OilPrice.com

• Damart clothing store hit by Hive ransomware, $2 million demanded (bleepingcomputer.com)

• Baker & Taylor's Systems Remain Offline a Week After Ransomware Attack - Infosecurity Magazine (infosecurity-magazine.com)

• Gloucester Council planning site still disrupted from cyber attack - BBC News

BEC – Business Email Compromise

• How BEC attacks on human capital management systems are increasing - Help Net Security

Malware

• Malicious Cookie Stuffing Chrome Extensions with 1.4 Million Users | McAfee Blog

• A study on malicious plugins in WordPress Marketplaces - Security Affairs

• Prynt Stealer Contains a Backdoor to Steal Victims' Data Stolen by Other Cyber criminals (thehackernews.com)

• New Evidence Links Raspberry Robin Malware to Dridex and Russian Evil Corp Hackers (thehackernews.com)

• BumbleBee a New Modular Backdoor Evolved From BookWorm (trendmicro.com)

• Malicious Chrome Extensions Plague 1.4M Users (darkreading.com)

Mobile

• Mobile banking apps put 300,000 digital fingerprints at risk • The Register

• Researcher unveils smart lock hack for fingerprint theft (techtarget.com)

• Source Code of Over 1800 Android and iOS Apps Gives Access to AWS Credentials - Infosecurity Magazine (infosecurity-magazine.com)

Internet of Things – IoT

• Skyrocketing IoT Bug Disclosures Put Pressure on Security Teams (darkreading.com)

• Singapore clocks higher ransomware attacks, warns of IoT risks | ZDNET

• Standards Body Publishes Guidelines for IoT Security Testing - Infosecurity Magazine (infosecurity-magazine.com)

• ieGeek Vulnerabilities still prevalent in 2022 - Amazon Ft. IG20 (realinfosec.net)

Data Breaches/Leaks

• Evil Corp and Conti Linked to Cisco Data Breach, eSentire Suggests - Infosecurity Magazine (infosecurity-magazine.com)

• Okta Says Customer Data Compromised in Twilio Hack | SecurityWeek.Com

• Password Manager With 25 Million Users Confirms Breach, Expert Weighs In (informationsecuritybuzz.com)

• Neopets says hackers had access to its systems for 18 months (bleepingcomputer.com)

• Akasa Air Suffers Data Leak on First Day of Operation- IT Security Guru

• Samsung says hackers obtained some customer data in newly disclosed breach | Engadget

• Millions of student loan accounts exposed in data breach | TechRadar

• Russian streaming platform confirms data breach affecting 7.5M users (bleepingcomputer.com)

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

• FBI: Crooks stole $1b+ in cryptocurrency already this year • The Register

• Ukraine takes down cyber crime group hitting crypto fraud victims (bleepingcomputer.com)

• FBI: Crooks are using these DeFi flaws to steal your money | ZDNET

• Windows malware delays coinminer install by a month to evade detection (bleepingcomputer.com)

• Cryptominer Disguised as Google Translate Targeted 11 Countries - Infosecurity Magazine (infosecurity-magazine.com)

• Crypto-Crooks Spread Trojanized Google Translate App in Watering-Hole Attack (darkreading.com)

• Hackers Use ModernLoader to Infect Systems with Stealers and Cryptominers (thehackernews.com)

Insider Risk and Insider Threats

• West Yorkshire PC due in court over police computer searches - BBC News

Fraud, Scams & Financial Crime

• Big Banks vs. Big Tech: Who Is Liable For Online Fraud? (informationsecuritybuzz.com)

Insurance

• Cyber insurance has been around for 25 years. It’s still a bit of a mess. (slate.com)

• Who Pays for an Act of Cyber War? | WIRED

• Travelers, Policyholder Agree to Void Current Cyber Policy (insurancejournal.com)

• Cyber Frauds Skyrocket: Can Cyber Insurance Protect You in Real World? Experts Explain (news18.com)

• Google Cloud, Microsoft and AWS dive into cyber insurance - Protocol

• Cyber Insurance Price Hike Hits Local Governments Hard (insurancejournal.com)

• Insurers must rethink handling of cyber attacks on states | Financial Times (ft.com)

• Cyber insurance on rise as attacks surge | Mint (livemint.com)

Dark Web

• German man charged for trying to hire fake contract killer on darkweb | Euronews

• COVID-19 data put for sale on Dark Web - Security Affairs

• NATO Investigates Dark Web Leak of Data Stolen From Missile Vendor (darkreading.com)

Supply Chain and Third Parties

• PyPI Phishing Campaign | JuiceLedger Threat Actor Pivots From Fake Apps to Supply Chain Attacks - SentinelOne

Software Supply Chain

• NSA and CISA share tips to secure the software supply chain (bleepingcomputer.com)

Denial of Service DoS/DDoS

• DDoS activity launched by patriotic hacktivists is on the rise - Help Net Security

Cloud/SaaS

• 1 in 3 organisations don't know if their public cloud data was exfiltrated - Help Net Security

• Real-World Cloud Attacks: The True Tasks of Cloud Ransomware Mitigation (darkreading.com)

Encryption

• CISA: Prepare now for quantum computers, not when hackers use them (bleepingcomputer.com)

• Homomorphic encryption: a holy grail for privacy, explained (fastcompany.com)

API

• The 4 Most Common OWASP API Security - IT Security Guru

Open Source

• Linux devices 'increasingly' under attack from hackers, warn security researchers | ZDNET

Passwords, Credential Stuffing & Brute Force Attacks

• LastPass source code breach – do we still recommend password managers? – Naked Security (sophos.com)

Social Media

• Social media is ruining our lives and the public are finally waking up (telegraph.co.uk)

• LinkedIn New Hacking Scam (informationsecuritybuzz.com)

• Thousands lured with blue badges in Instagram phishing attack (bleepingcomputer.com)

Training, Education and Awareness

• (ISC)² Launches 'Certified in Cybersecurity' Entry-Level Certification to Address Global Workforce Gap (darkreading.com)

Privacy

• Trident Royal Navy staff reveal sensitive data on fitness app | News | The Times

• Cops wanted to keep mass surveillance app secret; privacy advocates refused | Ars Technica

• US telcos admit to storing, handing over location data • The Register

• Facebook moves to settle Cambridge Analytica lawsuit | TechCrunch

• Homomorphic encryption: a holy grail for privacy, explained (fastcompany.com)

• Nobody’s special to the WFH software spies | Comment | The Times

Travel

• Cyber Safety for Summer Vacation | SecurityWeek.Com

Parental Controls and Child Safety

• Scammers Targeting Thousands Of Children As Young As Six, Figures Show (informationsecuritybuzz.com)

• Over a Third of Parents Do Not Know What Online Accounts Their Children Use - IT Security Guru

Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine

• Why Russia's cyber war in Ukraine hasn't played out as predicted (newatlas.com)

• Ukraine's army of hackers failed to thwart Russia and quickly gave up | New Scientist

• Cyber criminals Apparently Involved in Russia-Linked Attack on Montenegro Government | SecurityWeek.Com

• Who Pays for an Act of Cyber War? | WIRED

• Moscow gridlock as hackers send dozens of taxis to Hotel Ukraine (telegraph.co.uk)

• Finland To Offer Businesses Cybersec Vouchers In Wake Of Nato-related (informationsecuritybuzz.com)

• China-linked APT40 used ScanBox Framework in a long-running espionage campaign - Security Affairs

• Montenegro says Russian cyber attacks threaten key state functions (bleepingcomputer.com)

• Google says it cut off Russian disinformation sites from its vast ad display network - CyberScoop

• Ex-spies banned from arms exports for UAE hack-for-hire work • The Register

Nation State Actors

Nation State Actors – Russia

• Third-party hacking groups lose interest in Russia-Ukraine conflict, study claims | SC Media (scmagazine.com)

• FBI deploys cyber team to Montenegro following massive cyber attack | The Hill

• New Evidence Links Raspberry Robin Malware to Dridex and Russian Evil Corp Hackers (thehackernews.com)

• Montenegro Sent Back to Analog by Unprecedented Cyber Attacks | Balkan Insight

Nation State Actors – China

• Chinese Hackers Target Energy Firms in South China Sea | SecurityWeek.Com

• China-linked APT40 targets wind turbines, Aust. government • The Register

Nation State Actors – Misc

• Insurers must rethink handling of cyber attacks on states | Financial Times (ft.com)

Vulnerabilities

• Apple Quietly Releases Another Patch for Zero-Day RCE Bug (darkreading.com)

• Google Chrome emergency update fixes new zero-day used in attacks (bleepingcomputer.com)

• URGENT! Apple slips out zero-day update for older iPhones and iPads – Naked Security (sophos.com)

• WordPress 6.0.2 Patches Vulnerability That Could Impact Millions of Legacy Sites | SecurityWeek.Com

• Critical hole in Atlassian Bitbucket needs patching now • The Register

Reports Published in the Last Week

• Tackling the Growing and Evolving Digital Attack Surface 2022 Midyear Cybersecurity Report (trendmicro.com)

Other News

• Former Cyber criminal: These Are the Biggest Threats on the Internet (businessinsider.com)

• Stuxnet explained: The first known cyber weapon | CSO Online

• Infra Used in Cisco Hack Also Targeted Workforce Management Solution (thehackernews.com)

• Flicking the kill switch: governments embrace internet shutdowns as a form of control | Internet | The Guardian

• Okta Impersonation Technique Could be Utilized by Attackers | SecurityWeek.Com

• Remote Work Cyber Security: 12 Risks and How to Prevent Them (techtarget.com)

• Does your cyber crime prevention program work? - Help Net Security

• Does Blockchain really offer Better Digital Security? - IT Security Guru

• IT and Employees Don’t Always See Eye to Eye on Cyber Security - IT Security Guru

• New Cyber Security Regulations Are Coming. Here’s How to Prepare. (hbr.org)

• 3 Cyber Security Trends for 2022 - IT Security Guru

• Cyber security budget breakdown and best practices (techtarget.com)

• How Just-in-Time privilege elevation prevents data breaches and lateral movement - Help Net Security

Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

·       Automotive

·       Construction

·       Critical National Infrastructure (CNI)

·       Defence & Space

·       Education & Academia

·       Energy & Utilities

·       Estate Agencies

·       Financial Services

·       FinTech

·       Food & Agriculture

·       Gaming & Gambling

·       Government & Public Sector (including Law Enforcement)

·       Health/Medical/Pharma

·       Hotels & Hospitality

·       Insurance

·       Legal

·       Manufacturing

·       Maritime

·       Oil, Gas & Mining

·       OT, ICS, IIoT, SCADA & Cyber-Physical Systems

·       Retail & eCommerce

·       Small and Medium Sized Businesses (SMBs)

·       Startups

·       Telecoms

·       Third Sector & Charities

·       Transport & Aviation

·       Web3

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

• Insurer Refuses to Pay Out After Victim Misrepresented Their Cyber Controls

In what may be one of the first court filings of its kind, insurer Travelers is asking a district court for a ruling to rescind a policy because the insured allegedly misrepresented its use of multifactor authentication (MFA) – a condition to get cyber coverage.

According to a July filing, Travelers said it would not have issued a cyber insurance policy in April to electronics manufacturing services company International Control Services (ICS) if the insurer knew the company was not using MFA as it said. Additionally, Travelers wants no part of any losses, costs, or claims from ICS – including from a May ransomware attack ICS suffered.

Travelers alleged ICS submitted a cyber policy application signed by its CEO and “a person responsible for the applicant’s network and information security” that the company used MFA for administrative or privileged access. However, following the May ransomware event, Travelers first learned during an investigation that the insured was not using the security control to protect its server and “only used MFA to protect its firewall, and did not use MFA to protect any other digital assets.”

Therefore, statements ICS made in the application were “misrepresentations, omissions, concealment of facts, and incorrect statements” – all of which “materially affected the acceptance of the risk and/or the hazard assumed by Travelers,” the insurer alleged in the filing.

ICS also was the victim of a ransomware attack in December 2020 when hackers gained access using the username and password of an ICS administrator, Travelers said. ICS told the insurer of the attack during the application process and said it improved the company’s cyber security.

Travelers said it wants the court to declare the insurance contract null and void, rescind the policy, and declare it has no duty to indemnify or defend ICS for any claim.

https://www.insurancejournal.com/news/national/2022/07/12/675516.htm#

• 5 Cyber Security Questions CFOs Should Ask CISOs

Armed with the answers, chief financial officers can play an essential role in reducing cyber risk.

Even in a shrinking economy, organisations are likely to maintain their level of cyber security spend. But that doesn’t mean in the current economic climate of burgeoning costs and a possible recession they won’t take a magnifying glass to how they are spending the money budgeted to defend systems and data. Indeed, at many companies, cyber security spending isn’t targeting the most significant dangers, according to experts — as evidenced by the large number of successful ransomware attacks and data breaches.

Without a comprehensive understanding of the security landscape and what the organisation needs to do to protect itself, how can CFOs make the right decisions when it comes to investments in cyber security technology and other resources? They can’t.

So, CFOs need to ensure they have a timely grasp of the security issues their organisation faces. That requires turning to the most knowledgeable people in the organisation: chief information security officers (CISOs) and other security leaders on the IT front lines.

Here are five questions CFOs should be asking their CISOs about the security of their companies.

1. How secure are we as an organisation?

2. What are the main security threats or risks in our industry?

3. How do we ensure that the cyber security team and the CISO are involved in business development?

4. What are the risks and potential costs of not implementing a cyber control?

5. Do employees understand information security and are they implementing security protocols successfully?

https://www.cfo.com/technology/cyber-security-technology/2022/07/cybersecurity-spending-protocols-ciso-security-threats-business-development-cyber-control/

• The Biggest Cyber Attacks in 2022 So Far — and it’s Just the Tip of the Iceberg

For those in the cyber resilience realm, it’s no surprise that there’s a continued uptick in cyber attacks. Hackers are hacking, thieves are thieving and ransomers are — you guessed it — ransoming. In other words, cyber crime is absolutely a growth industry.

As we cross into the second half of this year, let’s look at some of the most significant attacks so far:

• Blockchain schmockchain. Cryptocurrency exchange Crypto.com’s two-factor-identification (2FA) system was compromised as thieves made off with approximately $30 million.

• Still the one they run to. Microsoft’s ubiquity makes it a constant target. Earlier this year, the hacking collective Lapsus$ compromised Cortana and Bing, among other Microsoft products, posting source code online.

• Not necessarily the news. News Corp. journalist emails and documents were accessed at properties including the Wall Street Journal, Dow Jones and the New York Post in a hack tied to China.

• Uncharitable ways. The Red Cross was the target of an attack earlier this year, with more than half a million “highly vulnerable” records of Red Cross assistance recipients compromised.

• Victim of success. North Korea’s Lazarus Group made off with $600 million in cryptocurrencies after blockchain gaming platform Ronin relaxed some of its security protocols so its servers could better handle its growing popularity.

• We can hear you now. State-sponsored hackers in China have breached global telecom powerhouses worldwide this year, according to the U.S. Cybersecurity & Infrastructure Security Agency.

• Politics, the art of the possible. Christian crowdfunding site GiveSendGo was breached twice this year as hacktivists exposed the records of donors to Canada’s Freedom Convoy.

• Disgruntled revenge. Businesspeople everywhere were reminded of the risks associated with departing personnel when fintech powerhouse Block announced that a former employee accessed sensitive customer information, impacting eight million customers.

• Unhealthy habits. Two million sensitive customer records were exposed when hackers breached Shields Health Care’s network.

• They even stole the rewards points. General Motors revealed that hackers used a credentials stuffing attack to access personal information on an undisclosed number of car owners. They even stole gift-card-redeemable customer reward points.

For every breach or attack that generates headlines, millions of others that we never hear about put businesses at risk regularly. The Anti-Phishing Working Group just released data for the first quarter of this year, and the trend isn’t good. Recorded phishing attacks are at an all-time high (more than a million in just the first quarter) and were accelerating as the quarter closed, with March 2022 setting a new record for single-month attacks.

https://www.msspalert.com/cybersecurity-guests/the-biggest-cyberattacks-in-2022-so-far-and-its-just-the-tip-of-the-iceberg/

• Malware-as-a-Service Creating New Cyber Crime Ecosystem

This week HP released their report The Evolution of Cybercrime: Why the Dark Web is Supercharging the Threat Landscape and How to Fight Back, exploring how cyber-criminals are increasingly operating in a quasi-professional manner, with malware and ransomware attacks being offered on a ‘software-as-a-service’ basis.

The report’s findings showed how cyber crime is being supercharged through “plug and play” malware kits that are easier than ever to launch attacks. Additionally, cyber syndicates are now collaborating with amateur attackers to target businesses, putting the online world and its users at risk.

The report’s methodology saw HP’s Wolf Security threat team work in tandem with dark-web investigation firm Forensic Pathways to scrape and analyse over 35 million cyber criminal marketplaces and forum posts between February and March 2022, with the investigation helping to gain a deeper understanding of how cyber criminals operate, gain trust, and build reputation. Its key findings include:

Malware is cheap and readily available: Over three-quarters (76%) of malware advertisements listed, and 91% of exploits (i.e. code that gives attackers control over systems by taking advantage of software bugs), retail for under $10.

Trust and reputation are ironically essential parts of cyber-criminal commerce: Over three-quarters (77%) of cyber criminal marketplaces analysed require a vendor bond – a license to sell – which can cost up to $3000.  Of these, 92% have a third-party dispute resolution service.

Popular software is giving cyber criminals a foot in the door: Kits that exploit vulnerabilities in niche systems command the highest prices (typically ranging from $1,000-$4,000), while zero day vulnerabilities are retailing at 10s of thousands of pounds on dark web markets.

https://www.infosecurity-magazine.com/news/malware-service-cybercrime/

• The Rise and Continuing Popularity of LinkedIn-Themed Phishing

Phishing emails impersonating LinkedIn continue to make the bulk of all brand phishing attempts. According to Check Point, 45% of all email phishing attempts in Q2 2022 imitated the style of communication of the professional social media platform, with the goal of directing targets to a spoofed LinkedIn login page and collecting their account credentials.

The phishers are generally trying to pique the targets’ interest with fake messages claiming that they “have appeared in X searches this week”, that a new message is waiting for them, or that another user would like to do business with them, and are obviously taking advantage of the fact that a record number of individuals are switching or are considering quitting their job and are looking for a new one.

To compare: In Q4 2021, LinkedIn-themed phishing attempts were just 8 percent of the total brand phishing attacks flagged by Check Point. Also, according to Vade Secure, in 2021 the number of LinkedIn-themed phishing pages linked from unique phishing emails was considerably lower than those impersonating other social networks (Facebook, WhatsApp).

Other brands that phishers loved to impersonate during Q2 2022 are (unsurprisingly) Microsoft (13%), DHL (12%) and Amazon (9%).

https://www.helpnetsecurity.com/2022/07/21/linkedin-phishing/

• Microsoft Teams Default Settings Leave Organisations Open to Cyber Attacks

Relying on default settings on Microsoft Teams leaves organisations and users open to threats from external domains, and misconfigurations can prove perilous to high-value targets.

Microsoft Teams has over 270 million active monthly users, with government institutions using the software in the US, UK, Netherlands, Germany, Lithuania, and other countries at varying levels.

Cyber security researchers have discovered that relying on default MS Teams settings can leave firms and high-value users vulnerable to social engineering attacks. Attackers could create group chats, masquerade as seniors within the target organisation and observe whether users are online.

Attackers could, rather convincingly, impersonate high-ranking officials and possibly strike up conversations, fooling victims into believing they’re discussing sensitive topics with a superior. Skilled attackers could do a lot of harm with this capability.

https://cybernews.com/security/microsoft-teams-settings-leave-govt-officials-open-to-cyberattacks/

• Top 10 Cyber Security Attacks of Last Decade Show What is to Come

Past is prologue, wrote William Shakespeare in his play “The Tempest,” meaning that the present can often be determined by what has come before. So it is with cyber security, serving as the basis of which is Trustwave’s “Decade Retrospective: The State of Vulnerabilities” over the last 10 years.

Threat actors frequently revisit well-known and previously patched vulnerabilities to take advantage of continuing poor cyber security hygiene. “If one does not know what has recently taken place it leaves you vulnerable to another attack,” Trustwave said in its report that identifies and examines the “watershed moments” that shaped cyber security between 2011 and 2021.

With a backdrop of the number of security incidents and vulnerabilities increasing in volume and sophistication, here are Trustwave’s top 10 network vulnerabilities in no particular order that defined the decade and “won’t be forgotten.”

• SolarWinds hack and FireEye breach, Detected: December 8, 2020 (FireEye)

• EternalBlue Exploit, Detected: April 14, 2017

• Heartbleed, Detected: March 21, 2014

• Shellshock, Remote Code Execution in BASH, Detected: September 12, 2014

• Apache Struts Remote Command Injection & Equifax Breach, Detected: March 6, 2017

• Chipocalypse, Speculative Execution Vulnerabilities Meltdown & Spectre

• BlueKeep, Remote Desktop as an Access Vector, Detected: January, 2018

• Drupalgeddon Series, CMS Vulnerabilities, Detected: January, 2018

• Microsoft Windows OLE Vulnerability, Sandworm Exploit, Detected: September 3, 2014

• Ripple20 Vulnerabilities, Growing IoT landscape, Detected: June 16, 2020

https://www.msspalert.com/cybersecurity-news/top-10-cybersecurity-attacks-of-last-decade-show-what-is-to-come-report/

• Software Supply Chain Concerns Reach C-Suite

Major supply chain attacks have had a significant impact on software security awareness and decision-making, with more investment planned for monitoring attack surfaces.

Organisations are waking up to the need to establish better software supply chain risk management policies and are taking action to address the escalating threats and vulnerabilities targeting this expanding attack surface.

These were among the findings of a CyberRisk Alliance-conducted survey of 300 respondents from both software-buying and software-producing companies.

Most survey respondents (52%) said they are "very" or "extremely" concerned about software supply chain risks, and 84% of respondents said their organisation is likely to allocate at least 5% of their AppSec budgets to manage software supply chain risk.

Software buyers are planning to invest in procurement program metrics and reporting, application pen-testing, and software build of materials (SBOM) design and implementation, according to the findings.

Meanwhile, software developers said they plan to invest in secure code review as well as SBOM design and implementation.

https://www.darkreading.com/application-security/software-supply-chain-concerns-reach-c-suite

• EU Warns of Russian Cyber Attack Spillover, Escalation Risks

The Council of the European Union (EU) said that Russian hackers and hacker groups increasingly attacking "essential" organisations worldwide could lead to spillover risks and potential escalation.

"This increase in malicious cyber activities, in the context of the war against Ukraine, creates unacceptable risks of spillover effects, misinterpretation and possible escalation," the High Representative on behalf of the EU said.

"The latest distributed denial-of-service (DDoS) attacks against several EU Member States and partners claimed by pro-Russian hacker groups are yet another example of the heightened and tense cyber threat landscape that EU and its Member States have observed."

In this context, the EU reminded Russia that all United Nations member states must adhere to the UN's Framework of responsible state behaviour in cyberspace to ensure international security and peace.

The EU urged all states to take any actions required to stop malicious cyber activities conducted from their territory.

The EU's statement follows a February joint warning from CISA and the FBI that wiper malware attacks targeting Ukraine could spill over to targets from other countries.

Google's Threat Analysis Group (TAG) said in late March that it observed phishing attacks orchestrated by the Russian COLDRIVER hacking group against NATO and European military entities.

In May, the US, UK, and EU accused Russia of coordinating a massive cyber attack that hit the KA-SAT consumer-oriented satellite broadband service in Ukraine on February 24 with AcidRain data destroying malware, approximately one hour before Russia invaded Ukraine.

A Microsoft report from June also confirms the EU's observation of an increase in Russian malicious cyber activities. The company's president said that threat groups linked to Russian intelligence agencies (including the GRU, SVR, and FSB) stepped up cyber attacks against government entities in countries allied with Ukraine after Russia's invasion.

In related news, in July 2021, President Joe Biden warned that cyber attacks leading to severe security breaches could lead to a "real shooting war," a statement issued a month after NATO said that cyber attacks could be compared to "armed attacks" in some circumstances.

https://www.bleepingcomputer.com/news/security/eu-warns-of-russian-cyberattack-spillover-escalation-risks/

• Critical Flaws in GPS Tracker Enable “Disastrous” and “Life-Threatening” Hacks

A security firm and the US government are advising the public to immediately stop using a popular GPS tracking device or to at least minimise exposure to it, citing a host of vulnerabilities that make it possible for hackers to remotely disable cars while they’re moving, track location histories, disarm alarms, and cut off fuel.

An assessment from security firm BitSight found six vulnerabilities in the Micodus MV720, a GPS tracker that sells for about $20 and is widely available. The researchers who performed the assessment believe the same critical vulnerabilities are present in other Micodus tracker models. The China-based manufacturer says 1.5 million of its tracking devices are deployed across 420,000 customers. BitSight found the device in use in 169 countries, with customers including governments, militaries, law enforcement agencies, and aerospace, shipping, and manufacturing companies.

BitSight discovered what it said were six “severe” vulnerabilities in the device that allow for a host of possible attacks. One flaw is the use of unencrypted HTTP communications that makes it possible for remote hackers to conduct adversary-in-the-middle attacks that intercept or change requests sent between the mobile application and supporting servers. Other vulnerabilities include a flawed authentication mechanism in the mobile app that can allow attackers to access the hardcoded key for locking down the trackers and the ability to use a custom IP address that makes it possible for hackers to monitor and control all communications to and from the device.

https://arstechnica.com/information-technology/2022/07/critical-flaws-in-gps-tracker-enable-disastrous-and-life-threatening-hacks/

• Russian Hackers Behind Solarwinds Breach Continue to Scour US And European Organisations for Intel, Researchers Say

The Russian hackers behind a sweeping 2020 breach of US government networks have in recent months continued to hack US organisations to collect intelligence while also targeting an unnamed European government that is a NATO member.

The new findings show how relentless the hacking group — which US officials have linked with Russia's foreign intelligence service — is in its pursuit of intelligence held by the US and its allies, and how adept the hackers are at targeting widely used cloud-computing technologies.

The hacking efforts come as Russia's invasion of Ukraine continues to fray US-Russia relations and drive intelligence collection efforts from both governments.

In recent months, the hacking group has compromised the networks of US-based organisations that have data of interest to the Russian government.

In separate activity revealed Tuesday, US cyber security firm Palo Alto Networks said that the Russian hacking group had been using popular services like Dropbox and Google Drive to try to deliver malicious software to the embassies of an unnamed European government in Portugal and Brazil in May and June.

https://edition.cnn.com/2022/07/19/politics/russia-solarwinds-hackers/index.html

• The Next Big Security Threat Is Staring Us in The Face. Tackling It Is Going to Be Tough

If the ongoing fight against ransomware wasn't keeping security teams busy, along with the challenges of securing the ever-expanding galaxy of Internet of Things devices, or cloud computing, then there's a new challenge on the horizon – protecting against the coming wave of digital imposters or deepfakes.

A deepfake video uses artificial intelligence and deep-learning techniques to produce fake images of people or events.

One recent example is when the mayor of Berlin thought he was having an online meeting with former boxing champion and current mayor of Kyiv, Vitali Klitschko. But the mayor of Berlin grew suspicious when 'Klitschko' started saying some very out of character things relating to the invasion of Ukraine, and when the call was interrupted the mayor's office contacted the Ukrainian ambassador to Berlin – to discover that, whoever they were talking to, it wasn't the real Klitschko.

It's a sign that deepfakes are getting more advanced and quickly. Previous instances of deepfake videos that have gone viral often have tell-tale signs that something isn't real, such as unconvincing edits or odd movements, but the developments in deepfake technology mean it isn't difficult to imagine it being exploited by cyber criminals, particularly when it comes to stealing money.

While ransomware might generate more headlines, business email compromise (BEC) is the costliest form of cyber crime today. The FBI estimates that it costs businesses billions of dollars every year. The most common form of BEC attack involves cyber criminals exploiting emails, hacking into accounts belonging to bosses – or cleverly spoofing their email accounts – and asking staff to authorise large financial transactions, which can often amount to hundreds of thousands of dollars.

The emails claim that the money needs to be sent urgently, maybe as part of a secret business deal that can't be disclosed to anyone. It's a classic social-engineering trick designed to force the victim into transferring money quickly and without asking for confirmation from anyone else who could reveal it's a fake request. By the time anyone might be suspicious, the cyber criminals have taken the money, likely closed the bank account they used for the transfer – and run.

BEC attacks are successful, but many people might remain suspicious of an email from their boss that comes out the blue and they could avoid falling victim by speaking to someone to confirm that it's not real. But if cyber criminals could use a deepfake to make the request, it could be much more difficult for victims to deny the request, because they believe they're actually speaking to their boss on camera.

Many companies publicly list their board of directors and senior management on their website. Often, these high-level business executives will have spoken at events or in the media, so it's possible to find footage of them speaking. By using AI-powered deep-learning techniques, cyber criminals could exploit this public information to create a deepfake of a senior-level executive, exploit email vulnerabilities to request a video call with an employee, and then ask them to make the transaction. If the victim believes they're speaking to their CEO or boss, they're unlikely to deny the request.

https://www.zdnet.com/article/the-next-big-security-threat-is-staring-us-in-the-face-tackling-it-is-going-to-be-tough/

Threats

Ransomware

• Post-Breakup, Conti Ransomware Members Remain Dangerous (darkreading.com)

• The Kronos Ransomware Attack: What You Need to Know So Your Business Isn't Next (darkreading.com)

• New Luna ransomware encrypts Windows, Linux, and ESXi systems (bleepingcomputer.com)

• Digital security giant Entrust breached by ransomware gang (bleepingcomputer.com)

• Protecting Against Kubernetes-Borne Ransomware (darkreading.com)

• Knauf cyber attack: Black Basta ransomware gang claims responsibility (techmonitor.ai)

• New Redeemer ransomware version promoted on hacker forums (bleepingcomputer.com)

• Kaspersky report on Luna and Black Basta ransomware | Securelist

• Snowballing Ransomware Variants Highlight Growing Threat to VMware ESXi Environments (darkreading.com)

• New Cross-Platform 'Luna' Ransomware Only Offered to Russian Affiliates | SecurityWeek.Com

• Conti’s Reign of Chaos: Costa Rica in the Crosshairs | Threatpost

• Researchers uncover potential ransomware network with U.S. connections - CyberScoop

• How Conti ransomware hacked and encrypted the Costa Rican government (bleepingcomputer.com)

• A small Canadian town is being extorted by a global ransomware gang - The Verge

BEC – Business Email Compromise

• The biggest cyber-crime threat is also the one that nobody wants to talk about | ZDNet

Phishing & Email Based Attacks

• Phishing Bonanza: Social-Engineering Savvy Skyrockets as Malicious Actors Cash In (darkreading.com)

• Outlook users report suspicious activity from Microsoft IPs • The Register

• PayPal Used to Send Malicious “Double Spear” Invoices - Infosecurity Magazine

• LinkedIn remains the most impersonated brand in phishing attacks (bleepingcomputer.com)

• Google Calendar provides new way to block invitation phishing (bleepingcomputer.com)

Other Social Engineering

• Ongoing 'Roaming Mantis' Smishing Campaign Hits Over 70,000 Users in France | SecurityWeek.Com

Malware

• Hacking group '8220' grows cloud botnet to more than 30,000 hosts (bleepingcomputer.com)

• Buy ‘plug-n-play’ malware for the price of a pint of beer (computerweekly.com)

• The Market Is Teeming: Bargains on Dark Web Give Novice Cyber Criminals a Quick Start (darkreading.com)

• New ‘Lightning Framework’ Linux malware installs rootkits, backdoors (bleepingcomputer.com)

Mobile

• Google pulls malware-infected apps, 3 million users at risk • The Register

• Several New Play Store Apps Spotted Distributing Joker, Facestealer and Coper Malware (thehackernews.com)

• Roaming Mantis hits Android and iOS users in malware, phishing attacks (bleepingcomputer.com)

BYOD

• The New Weak Link in SaaS Security: Devices (thehackernews.com)

Data Breaches/Leaks

• Neopets data breach exposes personal data of 69 million members (bleepingcomputer.com)

• Verified Twitter Vulnerability Exposes Data from 5.4 Million Accounts | RestorePrivacy

• Mixed Messages as Neopets Scrambles to Respond to Mega Breach - Infosecurity Magazine

Organised Crime & Criminal Actors

• Cyber crime escalates as barriers to entry crumble | CSO Online

• Understanding the Evolution of Cyber Crime to Predict its Future | SecurityWeek.Com

• The growth in targeted, sophisticated cyber attacks troubles top FBI cyber official - CyberScoop

• 'AIG' Threat Group Launches with Unique Business Model (darkreading.com)

• US DOJ report warns of escalating cyber crime, 'blended' threats (techtarget.com)

• Chaotic LAPSUS$ Group Goes Quiet, but Threat Likely Persists (darkreading.com)

• Last member of Gozi malware troika arrives in US for criminal trial – Naked Security (sophos.com)

• Romanian hacker faces US trial over virus-for-hire service - The Verge

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

• This Cloud Botnet Has Hijacked 30,000 Systems to Mine Cryptocurrencies (thehackernews.com)

• Hackers Use Evilnum Malware to Target Cryptocurrency and Commodities Platforms (thehackernews.com)

• Singapore distances itself from local crypto companies • The Register

• FBI Warns Fake Crypto Apps are Bilking Investors of Millions | Threatpost

• Ex-Coinbase manager charged in crypto insider trading case • The Register

• FBI Warns of Fake Cryptocurrency Apps Stealing Millions from Investors (thehackernews.com)

• My Big Coin founder guilty of $6m crypto-fraud • The Register

Insider Risk and Insider Threats

• Three Charged in First Crypto Insider-Trading Case- IT Security Guru

Fraud, Scams & Financial Crime

• How to identify and combat online fraud - Help Net Security

AML/CFT/Sanctions

• UK Regulator Issues Record Fines as Financial Crime Surges - Infosecurity Magazine

• Broker Fined £2m for Financial Crime Control Failings - Infosecurity Magazine

Insurance

• Graff paid a $7.5M ransom and sued its insurance firm for refusing to cover this payment - Security Affairs

• 82% of global insurers expect the rise in cyber insurance premiums to continue - Help Net Security

• Will Your Cyber Insurance Premiums Protect You in Times of War? (darkreading.com)

Dark Web

• Stolen Credentials Selling on the Dark Web for Price of a Gallon of Gas – Security Review Magazine

• The Market Is Teeming: Bargains on Dark Web Give Novice Cyber criminals a Quick Start (darkreading.com)

Supply Chain and Third Parties

• Supply chain security breaches jumped in 2021 | CSO Online

Software Supply Chain

• Improving Software Supply Chain Cyber Security (trendmicro.com)

• Why SBOMs aren't the silver bullet they're portrayed as - Help Net Security

• Breaking down CIS's new software supply chain security guidance | CSO Online

Cloud/SaaS

• 60% of IT leaders are not confident about their secure cloud access - Help Net Security

• Public Cloud Customers Admit Security Challenges - Infosecurity Magazine

• The New Weak Link in SaaS Security: Devices (thehackernews.com)

Identity and Access Management

• Authentication weakness responsible for 80% of financial breaches (scmagazine.com)

Encryption

• British recycle old arguments for bypassing E2E encryption • The Register

Open Source

• Open source security needs automation as usage climbs amongst organisations | ZDNet

• New ‘Lightning Framework’ Linux malware installs rootkits, backdoors (bleepingcomputer.com)

• The US military wants to understand the most important software on earth | MIT Technology Review

Passwords, Credential Stuffing & Brute Force Attacks

• The importance of secure passwords can't be emphasized enough - Help Net Security

• 3rd Party Services Are Falling Short on Password Security (bleepingcomputer.com)

• Okta Exposes Passwords in Clear Text for Possible Theft (darkreading.com)

• Enforcing Password History in Your Windows AD to Curb Password Reuse (bleepingcomputer.com)

Social Media

• LinkedIn remains the most impersonated brand in phishing attacks (bleepingcomputer.com)

• Hacker selling Twitter account data of 5.4 million users for $30k (bleepingcomputer.com)

• TikTok Engaging in Excessive Data Collection - Infosecurity Magazine

Privacy

• New Deanonymization Attack Works on Major Browsers, Websites | SecurityWeek.Com

Parental Controls and Child Safety

• UK cyber security chiefs back plan to scan phones for child abuse images | GCHQ | The Guardian

Regulations, Fines and Legislation

• UK Regulator Issues Record Fines as Financial Crime Surges - Infosecurity Magazine

• Legal Experts Concerned Over New UK Digital Reform Bill - Infosecurity Magazine

• Understanding Proposed SEC Rules Through an ESG Lens (darkreading.com)

Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine

• What NATO's virtual rapid response cyber capability means for the fight against cyber warfare - Help Net Security

• EU warns of risks of spillover effects associated with ongoing war - Security Affairs

• Continued cyber activity in Eastern Europe observed by Google’s Threat Analysis Group (TAG) (blog.google)

• US Cyber Command IDs new malware strains targeting Ukraine • The Register

• Russian hackers use fake DDoS app to infect pro-Ukrainian activists (bleepingcomputer.com)

• Experts Uncover New CloudMensis Spyware Targeting Apple macOS Users (thehackernews.com)

• Hackers attempt to infiltrate Ukrainian tech company with backdoor malware, Talos says - CyberScoop

• Will Your Cyber-Insurance Premiums Protect You in Times of War? (darkreading.com)

• Hackers Target Ukrainian Software Company Using GoMet Backdoor (thehackernews.com)

• Copycat DoS App Created by Russian Hackers to Target Ukraine - IT Security Guru

• Inside Ukraine’s Decentralized Cyber Army (vice.com)

• Albanian government websites go dark after cyber attack • The Register

• China Accuses Indian APT Group of Cyber Warfare Against Pakistan; 2nd Major Accusation After 'Evil Flower' (eurasiantimes.com)

• Mysterious, Cloud-Enabled macOS Spyware Blows Onto the Scene (darkreading.com)

• Belgium claims China-linked APT groups hit its ministries - Security Affairs

• Hacked Ukrainian Radio Stations Broadcast Fake News About President Zelensky’s Health - Infosecurity Magazine

Nation State Actors

Nation State Actors – Russia

• Google, EU Warn of Malicious Russian Cyber Activity | SecurityWeek.Com

• Russian cyber spies targeting NATO countries in new hacking campaign | Science & Tech News | Sky News

• Google warns Kremlin-backed goons pose as pro-Ukraine app • The Register

• Russia Released a Ukrainian App for Hacking Russia That Was Actually Malware (vice.com)

• Cloaked Ursa (APT29) Hackers Use Trusted Online Storage Services (paloaltonetworks.com)

• Russian SVR hackers use Google Drive, Dropbox to evade detection (bleepingcomputer.com)

• Russia, Iran discuss broad tech collaboration • The Register

• Half of Russian spies in Europe expelled since Ukraine invasion, says MI6 chief | MI6 | The Guardian

Nation State Actors – China

• Belgium says Chinese APT gangs attacked its government • The Register

• A massive cyber attack hit Albania - Security Affairs

• Government blocks Chinese tech deal on national security grounds | Business News | Sky News

Nation State Actors – North Korea

• US seizes stolen funds from suspected North Korean hackers - BBC News

Nation State Actors – Iran

• Russia, Iran discuss broad tech collaboration • The Register

Nation State Actors – Misc APT

• Unit 42 Threat Group Naming Update (paloaltonetworks.com)

Vulnerability Management

• Mind the Gap – How to Ensure Your Vulnerability Detection Methods are up to Scratch (thehackernews.com)

• Zero-day attacks climb as hackers get more sophisticated (securitybrief.com.au)

Vulnerabilities

• Chrome 103 Update Patches High-Severity Vulnerabilities | SecurityWeek.Com

• Critical Bugs Threaten to Crack Atlassian Confluence Workspaces Wide Open (darkreading.com)

• WordPress Page Builder Plug-in Under Attack, Can't Be Patched (darkreading.com)

• Apple Releases Security Patches for all Devices Fixing Dozens of New Vulnerabilities (thehackernews.com)

• SonicWall: Patch critical SQL injection bug immediately (bleepingcomputer.com)

• Cisco fixes bug that lets attackers execute commands as root (bleepingcomputer.com)

• Atlassian reveals critical flaws across its product line • The Register

• Netwrix Auditor Vulnerability Can Facilitate Attacks on Enterprises | SecurityWeek.Com

• Azure's Security Vulnerabilities Are Out of Control - Last Week in AWS Blog

• Oracle Releases 349 New Security Patches With July 2022 CPU | SecurityWeek.Com

• 0-day used to infect Chrome users could pose threat to Edge and Safari users, too | Ars Technica

• Juniper Networks Patches Over 200 Third-Party Component Vulnerabilities | SecurityWeek.Com

• Experts Notice Sudden Surge in Exploitation of WordPress Page Builder Plugin Vulnerability (thehackernews.com)

• Google Chrome Zero-Day Weaponized to Spy on Journalists (darkreading.com)

• Apple Ships Urgent Security Patches for macOS, iOS | SecurityWeek.Com

• Cisco Releases Patches for Critical Flaws Impacting Nexus Dashboard for Data Centers (thehackernews.com)

• Juniper Releases Patches for Critical Flaws in Junos OS and Contrail Networking (thehackernews.com)

• Code Execution and Other Vulnerabilities Patched in Drupal | SecurityWeek.Com

• Atlassian Rolls Out Security Patch for Critical Confluence Vulnerability (thehackernews.com)

Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

·       Automotive

·       Construction

·       Critical National Infrastructure (CNI)

·       Defence & Space

·       Education & Academia

·       Energy & Utilities

·       Estate Agencies

·       Financial Services

·       FinTech

·       Food & Agriculture

·       Gaming & Gambling

·       Government & Public Sector (including Law Enforcement)

·       Health/Medical/Pharma

·       Hotels & Hospitality

·       Insurance

·       Legal

·       Manufacturing

·       Maritime

·       Oil, Gas & Mining

·       OT, ICS, IIoT, SCADA & Cyber-Physical Systems

·       Retail & eCommerce

·       Small and Medium Sized Businesses (SMBs)

·       Startups

·       Telecoms

·       Third Sector & Charities

·       Transport & Aviation

·       Web3

Reports Published in the Last Week

• The Evolution of Cyber Crime:  Why the Dark Web is Supercharging the Threat Landscape and How to Fight Back - HP

• Decade Retrospective: The State of Vulnerabilities | Trustwave

Other News

• Hackers for Hire: Adversaries Employ 'Cyber Mercenaries' | Threatpost

• Companies around the globe still not implementing MFA - Help Net Security

• Global Firms Fear the Worst Over Risk Management Failures - Infosecurity Magazine

• Humans are becoming the primary security risk for organisations around the world - Help Net Security

• What threats and challenges are CISOs and CROs most focused on? - Help Net Security

• What InfoSec Pros Can Teach the Organisation About ESG (darkreading.com)

• SATAn Turns Hard Drive Cable Into Antenna To Defeat Air-Gapped Security | Hackaday

• Cyber security hiring remains red-hot—the industry to surpass $400 billion market size by 2027 | Fortune

• Lack of staff and resources drives smaller teams to outsource security - Help Net Security

• Office macro security: on-again-off-again feature now BACK ON AGAIN! – Naked Security (sophos.com)

• New Study Finds Most Enterprise Vendors Failing to Mitigate Speculative Execution Attacks (thehackernews.com)

• Analysing Penetration-Testing Tools That Threat Actors Use to Breach Systems and Steal Data (trendmicro.com)

• Removing the blind spots that allow lateral movement - Help Net Security

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

Cyber Second Only To Climate Change As Biggest Global Risk

Cyber security has been ranked as the second largest threat to our way of life in a major new survey of 23,000 people, comprised of both experts and members of the public. Cyber came second only to climate change on the world stage, but was ranked as the number one risk in the Americas and second in Asia, Africa, and Europe. https://www.infosecurity-magazine.com/news/cyber-second-biggest-global-risk/

Businesses Unsure Which Tech Is Essential Against Ransomware

As ransomware attacks grow in number, a new report finds that many organisations are under the impression they have things in hand but most are unsure what protections they should have in place. The report, based on a survey of 455 business leaders and cyber security professionals, claims businesses are on top of employee training, risk assessments and cyber insurance. Where firms fall flat however is their “clear gap” in thinking, in what many respondents see as “essential tech” in the fight against ransomware – nearly half of respondents (49%) thought paying up was their best option. https://www.techradar.com/news/businesses-unsure-which-tech-is-essential-against-ransomware

Cyber Crime Awareness Heightened, Yet People Still Engage In Risky Online Behaviours

A survey of over 2,000 adults suggests that 76% of respondents recognise the severity of data breaches. This heightened awareness may be driven by constant news of major consumer, enterprise and infrastructural breaches over the last year alone. https://www.helpnetsecurity.com/2021/10/01/risky-online-behaviors/

Attacks Against Remote Desktop Protocol Endpoints Have Exploded This Year

A recent report warns of a huge increase in attacks on the Remote Desktop Protocol (RDP), an almost universal protocol used by nearly every business in operation today. The figures show attacks on RDP have jumped 103.9% since its T1 report in June and represents around 55 billion devices. The RDP protocol is leveraged by threat actors to deploy ransomware and has become a popular target due to both heavy use by IT service providers and common misconfigurations.  https://www.theregister.com/2021/09/30/eset_threat_report/

Ransomware Attacks Up 1,070% Year Over Year

The prevalence of ransomware is growing rapidly, according to the 2021 Ransomware Survey Report. The report shockingly found many of the ransom demands are paid, and comes as a result in the rise of “ransomware as-a-service”. The report found 94% of businesses are concerned about ransomware, with 49% stating they would simply pay the ransom outright. Respondents in Europe were more concerned than those in North America, and around 67% felt they had already been the target of ransomware.  https://www.msspalert.com/cybersecurity-research/fortinet-report-ransomware-attacks-up-1070-year-over-year/

Baby’s Death Alleged To Be Linked To Ransomware

A US hospital paralyzed by ransomware in 2019 will be defending itself in court this November over the death of a newborn. The baby was born amid the hospital’s eighth day of fending off the attack. Court filings show the hospital – Springhill Medical Center in Alabama – believes wireless tracking systems and heartbeat monitoring equipment were compromised by the ransomware, leading to the death.

https://threatpost.com/babys-death-linked-ransomware/175232/

Ransomware Shame: More Than Half Of Business Owners Conceal Cyber-Breach

Around a third (32%) of enterprises experienced a six-figure breach last year, but well over half (61%) admitted to concealing it. The findings come as a global survey of 1,400 decision makers in cyber is released. https://www.foxbusiness.com/technology/ransomware-cyber-breach-concealed

More Than 90% Of Q2 Malware Was Hidden In Encrypted Traffic

Around 91.5% of malware detections in Q1 2021 were concealed in HTTPS-encrypted connections. A ubiquitous protocol – used to secure traffic any time you open a web page – only 20% of organisations have mechanisms in place to scan the arriving HTTPS traffic. The terrifying result found that most firms are missing over nine-tenths of malware hitting their networks every day. https://www.darkreading.com/perimeter/more-than-90-of-q2-malware-was-hidden-in-encrypted-traffic

Cyber Attack Floors British Payroll Firm

A "sophisticated" cyber attack has forced a British payroll company to shut down its entire network, leaving some contractors without pay.  Giant Group confirmed on September 24 that it had taken its network, fully integrated IT infrastructure, phone, and email systems offline last Wednesday after detecting suspicious activity. https://www.infosecurity-magazine.com/news/cyberattack-floors-british-payroll/#.YVQiuXlCjOA.twitter

GriftHorse Malware Infected More Than 10 Million Android Phones From 70 Countries

A malicious trojan has been making its way through the Google Play Store since at least November of 2020. The app, purportedly harmless on the surface, hijacks payments on the victim device, resulting in a series of hidden charges and a nasty surprise at the end of the month. Researchers who discovered the malware estimate its impact to be over 10 million victims in 70 countries, and several hundreds of millions of Euros in losses. https://securityaffairs.co/wordpress/122730/malware/grifthorse-malware-campaign.html

50% Of Servers Have Weak Security Long After Patches Are Released

Over 50% of servers scanned still have weak security, a new study suggests, even after patches have been issued. Researchers found that servers were still vulnerable weeks and even months after critical updates, leaving many businesses wide open to attack. https://www.darkreading.com/vulnerabilities-threats/50-of-servers-have-weak-security-long-after-patches-are-released

Threats

Ransomware

• United Health Centres Reportedly Compromised By Ransomware Attack

• JVCKenwood Hit By Conti Ransomware Claiming Theft Of 1.5TB Data

• Ransomware Gangs Are Complaining That Other Crooks Are Stealing Their Ransoms

• Ransomware Gangs Are Starting More Drama On Cyber Crime Forums, Upending 'Honor Among Thieves' Conventions

• Conti Ransomware Expands Ability To Blow Up Backups

• United Health Centers Reportedly Compromised By Ransomware Attack

• REvil Customers Complain Ransomware Gang Uses Backdoors To Filch Ransoms

• The Biggest Problem With Ransomware Is Not Encryption, But Credentials

Phishing

• 75K Email Inboxes Hit in New Credential Phishing Campaign

• Credential Spear-Phishing Uses Spoofed Zix Encrypted Email

• LinkedIn URLs are being hijacked For phishing

Other Social Engineering

• Scammers Capitalize on Release of New Bond Movie

Malware

• FinSpy Surveillance Kit Re-Emerges Stronger Than Ever

• Thousands Of Online Gaming Accounts Hit In Major Cyber Attack

• Microsoft Warns of FoggyWeb Malware Targeting Active Directory FS Servers

• New Malware Steals Steam, Epic Games Store, And EA Origin Accounts

Vulnerabilities

• Google Emergency Update Fixes Two Chrome Zero Days

• Threat Actors Use Recently Discovered CVE-2021-26084 Atlassian Confluence

• Apple AirTag Zero-Day Weaponizes Trackers

• New Azure AD Bug Lets Hackers Brute-Force Passwords Without Getting Caught

• Thousands of University Wi-Fi Networks Expose Log-In Credentials

• Exploit Released For VMware Vulnerability After CISA Warning

• Apple Pay Users ‘Vulnerable To Security Hack’

• Outsourced Software Poses Greater Risks to Enterprise Application Security

• Working Exploit Is Out for VMware vCenter CVE-2021-22005 Flaw

• Apple Responds To Security Researcher Who Found Multiple iOS 15 Zero-Day Flaws

• Windows 10 Emergency Update Resolves KB5005565 App Freezes, Crashes

• Cyber Security Vulnerability Could Affect Millions Of Hikvision Cameras

Data Breaches/Leaks

• Mental Healthcare Providers Report Data Breaches

• Anonymous: We've Leaked Disk Images Stolen From Far-Right-Friendly Web Host Epik

• 3.8 Billion Users’ Combined Clubhouse, Facebook Data Up for Sale

• Emails, Chat Logs, More Leaked Online From Far-Right Militia Linked To US Capitol Riot

Cryptocurrency/Cryptojacking

• Ethereum Dev Admits Helping North Korea Mine Crypto-Bucks, Faces 20 Years Jail

• China Says All Crypto Currency-Related Transactions Are Illegal And Must Be Banned

Insider Threats

• 10 Recent Examples of How Insider Threats Can Cause Big Breaches and Damage

Dark Web

• Computer Scientist Jailed Over Dark Web Conspiracy

DoS/DDoS

• Bandwidth.com Is Latest Victim Of DDoS Attacks Against VoIP Providers

Nation State Actors

• APT Focus: ‘Noisy’ Russian Hacking Crews Are Among The World’s Most Sophisticated

• APT29 Targets Active Directory Federation Services With Stealthy Backdoor

• GhostEmperor Hackers Use New Windows 10 Rootkit In Attacks

• Nation-State Attacks Fears Grow, Execs Don’t Trust Governments To Protect Them From Cyber Threats

• APT focus: ‘Noisy’ Russian hacking crews are among the world’s most sophisticated

Cloud

• Huawei Cloud Services: U.S. Lawmakers Express Security Concerns

• Cloud Security is the Weak Link

• Why CEOs Should Absolutely Concern Themselves With Cloud Security

• Cloud Security: Report Finds 68% of Malware Delivered From Cloud Apps

Privacy

• Which? Survey Finds People Would Actually Pay The Online Giants Not To Take Their Data

Reports Published in the Last Week

ESET Threat Report T2 2021

Other News

• Revealed: How To Steal Money From Victims' Contactless Apple Pay Wallets

• Threat Actors Weaponize Telegram Bots to Compromise PayPal Accounts

• Cyber Security Experts Have Discovered A New Hacker Group

• The Return Of The Hacktivists

• Report Highlights Cyber Security Dangers Of Elastic Stack Implementation Mistakes

• Russian Authorities Arrest Cyber Security Giant Group-IB’s CEO On Treason Charges

• US Deports Convicted Cyber Criminal to Russia

• OWASP Toasts 20th Anniversary With Revised Top 10 For 2021

• New Emergency Fraud Hotline Launched in UK

• Corporate Attack Surface Exploding As A Result Of Remote Work 

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.