Threat Intelligence Blog
Contact us to discuss any insights from our Blog, and how we can support you in a tailored threat intelligence report.
Black Arrow Cyber Advisory 30 April 2024 – New Android Malware Disguised as Chrome Update can Steal Your Data and Access Your Banking Information
Black Arrow Cyber Advisory 30 April 2024 – New Android Malware Disguised as Chrome Update can Steal Your Data and Access Your Banking Information
Executive summary
A new strain of Android mobile malware dubbed “Brokewell” is being used to spread fake browser updates to steal user data. The malware has the ability to overlay banking application screens, capturing credentials without the users knowledge, as well as allowing remote access by an attacker. The malware has also been recorded as using popular ‘buy now, pay later’ service “Klarna” in addition to the fake Google Chrome update. Research indicates that the malware is in active development.
What’s the risk?
Due to the sensitive nature of the information sought by the malware, there is a genuine risk to the confidentiality and integrity of data. Features of the malware include the ability to overlay applications to steal user credentials and allow an attacker remote access, including the commands which record audio, take screenshots, access locations, and send communications from the victim phone.
The list of potential targets is extensive, especially so with many employees using personal devices for corporate purposes, including the storage of corporate credentials. A recent report from Google owned Mandiant found that 10% of intrusions began with evidence of stolen credentials.
What can I do?
It is recommended to employ a multi-layer defence to mitigate the risk of such malware succeeding. This should include only downloading updates from the official application in the Google Play store and enabling Google Play Protect will help to prevent malware. To further bolster defence, it is recommended that anti-virus applications are run in parallel.
Need help understanding your gaps, or just want some advice? Get in touch with us.
#threatadvisory #threatintelligence #cybersecurity
Further information can be found below:
https://www.threatfabric.com/blogs/brokewell-do-not-go-broke-by-new-banking-malware
Black Arrow Cyber Threat Briefing 08 October 2021
Black Arrow Cyber Threat Briefing 08 October 2021
-Half of Regulated Firms See Pandemic Spike in Financial Crime
-Large Ransom Demands And Password-Guessing Attacks Escalate
-How Insurers Play a Big Role in Spurring Cyber Crime
-How Fraudsters Can Use The Forgotten Details Of Your Online Life To Reel You In
-Malicious Hackers Are Exploiting Known Vulnerabilities Because Organisations Aren’t Quick Enough To Patch – Report
-Ransomware: Cyber Criminals Are Still Exploiting These Old Vulnerabilities, So Patch Now
-Why Today’s Cyber Security Threats Are More Dangerous
-One In Three IT Security Managers Don’t Have A Formal Cybersecurity Incident Response Plan
-Cyber Security Best Practices Lagging, Despite People Being Aware Of The Risks
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
Half of Regulated Firms See Pandemic Spike in Financial Crime
Around half of firms in the financial services, property and legal sectors have reported rising levels of financial crime over the past 12 months, according to new data from an anti-money laundering (AML) specialist which polled 500 regulated businesses in the UK to better understand the levels of risk facing players in each vertical.
Overall, 48% of respondents said they’d seen a rise in financial crime, and a quarter (26%) admitted they’d been a victim of attacks. Legal firms, including conveyancers, experienced the most significant number of compromises, with a third (33%) saying they had been a victim of financial crime.
The sector is an increasingly attractive target for both state-backed and financially motivated cyber-criminals, given the wealth of sensitive client information that legal practices typically hold. https://www.infosecurity-magazine.com/news/half-firms-pandemic-spike/
Large Ransom Demands And Password-Guessing Attacks Escalate
ESET released a report that summarizes key statistics from its detection systems and highlights notable examples of its cyber security research.
The latest issue of the report highlights several concerning trends that were recorded by ESET telemetry, including increasingly aggressive ransomware tactics, intensifying brute-force attacks, and deceptive phishing campaigns targeting people working from home who have gotten used to performing many administrative tasks remotely.
Ransomware, showing three major detection spikes during T2, saw the largest ransom demands to date. The attack shutting down the operations of Colonial Pipeline – the largest pipeline company in the US – and the supply-chain attack leveraging a vulnerability in the Kaseya VSA IT management software, sent shockwaves that were felt far beyond the cybersecurity industry. https://www.helpnetsecurity.com/2021/10/05/large-ransom-demands/
Malicious Hackers Are Exploiting Known Vulnerabilities Because Organizations Aren’t Quick Enough To Patch – Report
Organizations are urged to be more proactive when it comes to protecting against vulnerabilities, after a report found that malicious attackers routinely exploit unpatched systems.
The 2021 Trustwave SpiderLabs Telemetry Report, released this week, found that a huge number of companies are falling foul to cyber-attacks despite having ready access to suitable fixes.
This is happening because malicious actors are using Shodan to scan for networks that are exposed to known vulnerabilities and exploit them before the victim can apply the patch. https://portswigger.net/daily-swig/malicious-hackers-are-exploiting-known-vulnerabilities-because-organizations-arent-quick-enough-to-patch-report
Ransomware: Cyber Criminals Are Still Exploiting These Old Vulnerabilities, So Patch Now
Some of the cyber security vulnerabilities most commonly exploited by cybercriminals to help distribute ransomware are years old -- but attackers are still able to take advantage of them because security updates aren't being applied.
Cybersecurity researchers at Qualys examined the Common Vulnerabilities and Exposures (CVEs) most used in ransomware attacks in recent years. They found that some of these vulnerabilities have been known for almost a decade and had vendor patches available. But because many organizations still haven't applied the available security updates, they remain vulnerable to ransomware attacks. https://www.zdnet.com/article/ransomware-cyber-criminals-are-still-exploiting-years-old-vulnerabilities-to-launch-attacks/
How Insurers Play a Big Role in Spurring Cyber Crime
Ransomware extracted $18 billion in payments last year, and it’s expected there will be an attack every 11 seconds by this year’s end, a problem that some security experts and academic researchers say is exacerbated by the system meant to protect against cybercrime: the insurance industry.
Organizations with cyber insurance are more than twice as likely to pay ransoms as those without, according to a global survey commissioned by UK-based cyber security and software firm Sophos of 1,823 companies, governments, health systems, and other organizations that had been hit by ransomware. This is one of the first times such data have been gathered that show the extent of the relationship between cyber insurance and ransomware payments. Critics say that relationship helps fuel a ransomware economy that the federal government estimates causes $445 billion in damages to the global economy every year. https://www.barrons.com/articles/ransomware-attack-cyber-insurance-industry-51633075202
Why Today’s Cyber Security Threats Are More Dangerous
Over the past two years, the rise of big-ticket ransomware attacks and revelations of harmful software supply chain infections have elevated cyber security to the top of governments’ and corporate agendas.
The opportunities for threat actors are growing faster than firms are able to mitigate them.
Unlike 20 years ago, when even extensive IT systems were comparatively standalone and straightforward, the interdependencies of systems now make dealing with and defending against threats a much more difficult proposition. The core problems being complexity and interdependence and neither are going away because that is what is providing organisations with the flexibility, functionality and all these other critical functions that they need. https://www.csoonline.com/article/3635097/why-today-s-cybersecurity-threats-are-more-dangerous.html
How Fraudsters Can Use The Forgotten Details Of Your Online Life To Reel You In
You may think you’ve been careful, but a determined scammer can probably find enough to manipulate you. https://www.theguardian.com/money/2021/oct/03/how-fraudsters-can-use-the-forgotten-details-of-your-online-life-to-reel-you-in
One In Three IT Security Managers Don’t Have A Formal Cybersecurity Incident Response Plan
Regardless of industry, information security incidents have become more of a targeted threat for businesses, increasing in amount and efficacy, according to a new report.
Of all the security incidents identified by over 900 surveyed employees at U.S. businesses, the three most threatening incidents were: increasingly severe ransomware attacks, more effective phishing schemes, and rampant reusing of passwords.
· Respondents reported phishing emails have nearly tripled in effectiveness over the past two years. Phishing emails are rapidly becoming more difficult to spot and thus far more destructive.
· Over the past year, ransomware attacks have increased by 25%. Ransom demands were significantly higher than average for businesses in specific industries, such as banking and financial services and construction, with higher payouts.
· The report found that password reuse is strongly associated with higher incidences of security breaches. Reported account takeovers were three times as common among people who reuse passwords as those who don’t.
Alarmingly, 23% of the IT security managers surveyed say their company doesn’t have protocols in place to report a suspected cyberattack and 33% don’t have a formal cybersecurity incident response plan. https://www.helpnetsecurity.com/2021/10/06/response-plan-cybersecurity/
Cyber Security Best Practices Lagging, Despite People Being Aware Of The Risks
The National Cybersecurity Alliance and CybSafe announced the release of a report which polled 2,000 individuals across the U.S. and UK. The report examined key cybersecurity trends, attitudes, and behaviours ahead of Cybersecurity Awareness Month this month.
The daily headlines of data breaches and ransomware attacks is a testament to the problem getting worse, yet most people aren’t aware of the simple steps they can take to be a part of the solution. It’s critical to have a deeper understanding of both the challenges we face and the prevailing attitudes and behaviors among the public.
Too often people are forgotten in cybersecurity conversations and this is borne out by cyber crime being more common among Millenials and Gen Z, and the public not embracing cyber security best practices.
The report also found that many users had limited access to cyber training, with 64% of respondents having no access to cybersecurity training, while 27% of those who do have access choose not to use it. https://www.helpnetsecurity.com/2021/10/07/cybersecurity-best-practices-lagging/
Threats
Ransomware
Ransomware: Cyber Criminals Are Still Exploiting These Old Vulnerabilities, So Patch Now | ZDNet
Revil Alone Accounts For A Significant Portion Of Q2 2021 Ransomware Attacks | Techspot
Behind the Crypto Broker Accused of Enabling Ransomware Hackers - Bloomberg
Atom Silo ransomware actors use Confluence exploit, DLL side-load for stealthy attack – Sophos News
US Ransomware Law Would Require Victims To Disclose Ransom Payments Within 48 Hours | ZDNet
Ransomware Group FIN12 Aggressively Going After Healthcare Targets (thehackernews.com)
Other Social Engineering
Malware
Researchers Discover UEFI Bootkit Targeting Windows Computers Since 2012 (thehackernews.com)
91.5% Of Malware Arrived Over Encrypted Connections During Q2 2021 - Help Net Security
IOT
BYOD
Vulnerabilities
Data Breaches/Leaks
Cryptocurrency/Cryptojacking
Insider Threats
Dark Web
Nation State Actors
Chinese Hackers Used a New Rootkit to Spy on Targeted Windows 10 Users (thehackernews.com)
Microsoft: 58% of Nation-State Cyber Attacks Come From Russia (darkreading.com)
Google Warns 14,000 Gmail Users Targeted By Russian Hackers (Bleepingcomputer.Com)
Solarwinds Hack Saw Russia Steal Us Anti-Spy Probe Details • The Register
A New APT Hacking Group Targeting Fuel, Energy, and Aviation Industries (thehackernews.com)
New Study Links Seemingly Disparate Malware Attacks to Chinese Hackers (thehackernews.com)
Iranian APT Targets Aerospace And Telecom Firms With Stealthy ShellClient Trojan | CSO Online
Cloud
Reports Published in the Last Week
Other News
The Cyber Security Issues Organizations Deal With Remain Complex And Numerous - Help Net Security
Company That Routes SMS For All Major US Carriers Was Hacked For Five Years | Ars Technica
New £5 Billion GCHQ Digital Warfare Centre Capable Of 'Cyber Attacks' Set For Lancashire - Lancslive
Superhero Passwords Pose Serious Risk to Personal, Enterprise Accounts | SecurityWeek.Com
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Threat Briefing 01 October 2021
Black Arrow Cyber Threat Briefing 01 October 2021:
-Cyber Second Only To Climate Change As Biggest Global Risk
-Businesses Unsure Which Tech Is Essential Against Ransomware
-Cyber Crime Awareness Heightened, Yet People Still Engage In Risky Online Behaviours
-Attacks Against Remote Desktop Protocol Endpoints Have Exploded This Year
-Ransomware Attacks Up 1,070% Year Over Year
-Baby’s Death Alleged To Be Linked To Ransomware
-Ransomware Shame: More Than Half Of Business Owners Conceal Cyber-Breach
-More Than 90% Of Q2 Malware Was Hidden In Encrypted Traffic
-Cyber Attack Floors British Payroll Firm
-GriftHorse Malware Infected More Than 10 Million Android Phones From 70 Countries
-50% Of Servers Have Weak Security Long After Patches Are Released
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
Cyber Second Only To Climate Change As Biggest Global Risk
Cyber security has been ranked as the second largest threat to our way of life in a major new survey of 23,000 people, comprised of both experts and members of the public. Cyber came second only to climate change on the world stage, but was ranked as the number one risk in the Americas and second in Asia, Africa, and Europe. https://www.infosecurity-magazine.com/news/cyber-second-biggest-global-risk/
Businesses Unsure Which Tech Is Essential Against Ransomware
As ransomware attacks grow in number, a new report finds that many organisations are under the impression they have things in hand but most are unsure what protections they should have in place. The report, based on a survey of 455 business leaders and cyber security professionals, claims businesses are on top of employee training, risk assessments and cyber insurance. Where firms fall flat however is their “clear gap” in thinking, in what many respondents see as “essential tech” in the fight against ransomware – nearly half of respondents (49%) thought paying up was their best option. https://www.techradar.com/news/businesses-unsure-which-tech-is-essential-against-ransomware
Cyber Crime Awareness Heightened, Yet People Still Engage In Risky Online Behaviours
A survey of over 2,000 adults suggests that 76% of respondents recognise the severity of data breaches. This heightened awareness may be driven by constant news of major consumer, enterprise and infrastructural breaches over the last year alone. https://www.helpnetsecurity.com/2021/10/01/risky-online-behaviors/
Attacks Against Remote Desktop Protocol Endpoints Have Exploded This Year
A recent report warns of a huge increase in attacks on the Remote Desktop Protocol (RDP), an almost universal protocol used by nearly every business in operation today. The figures show attacks on RDP have jumped 103.9% since its T1 report in June and represents around 55 billion devices. The RDP protocol is leveraged by threat actors to deploy ransomware and has become a popular target due to both heavy use by IT service providers and common misconfigurations. https://www.theregister.com/2021/09/30/eset_threat_report/
Ransomware Attacks Up 1,070% Year Over Year
The prevalence of ransomware is growing rapidly, according to the 2021 Ransomware Survey Report. The report shockingly found many of the ransom demands are paid, and comes as a result in the rise of “ransomware as-a-service”. The report found 94% of businesses are concerned about ransomware, with 49% stating they would simply pay the ransom outright. Respondents in Europe were more concerned than those in North America, and around 67% felt they had already been the target of ransomware. https://www.msspalert.com/cybersecurity-research/fortinet-report-ransomware-attacks-up-1070-year-over-year/
Baby’s Death Alleged To Be Linked To Ransomware
A US hospital paralyzed by ransomware in 2019 will be defending itself in court this November over the death of a newborn. The baby was born amid the hospital’s eighth day of fending off the attack. Court filings show the hospital – Springhill Medical Center in Alabama – believes wireless tracking systems and heartbeat monitoring equipment were compromised by the ransomware, leading to the death.
https://threatpost.com/babys-death-linked-ransomware/175232/
Ransomware Shame: More Than Half Of Business Owners Conceal Cyber-Breach
Around a third (32%) of enterprises experienced a six-figure breach last year, but well over half (61%) admitted to concealing it. The findings come as a global survey of 1,400 decision makers in cyber is released. https://www.foxbusiness.com/technology/ransomware-cyber-breach-concealed
More Than 90% Of Q2 Malware Was Hidden In Encrypted Traffic
Around 91.5% of malware detections in Q1 2021 were concealed in HTTPS-encrypted connections. A ubiquitous protocol – used to secure traffic any time you open a web page – only 20% of organisations have mechanisms in place to scan the arriving HTTPS traffic. The terrifying result found that most firms are missing over nine-tenths of malware hitting their networks every day. https://www.darkreading.com/perimeter/more-than-90-of-q2-malware-was-hidden-in-encrypted-traffic
Cyber Attack Floors British Payroll Firm
A "sophisticated" cyber attack has forced a British payroll company to shut down its entire network, leaving some contractors without pay. Giant Group confirmed on September 24 that it had taken its network, fully integrated IT infrastructure, phone, and email systems offline last Wednesday after detecting suspicious activity. https://www.infosecurity-magazine.com/news/cyberattack-floors-british-payroll/#.YVQiuXlCjOA.twitter
GriftHorse Malware Infected More Than 10 Million Android Phones From 70 Countries
A malicious trojan has been making its way through the Google Play Store since at least November of 2020. The app, purportedly harmless on the surface, hijacks payments on the victim device, resulting in a series of hidden charges and a nasty surprise at the end of the month. Researchers who discovered the malware estimate its impact to be over 10 million victims in 70 countries, and several hundreds of millions of Euros in losses. https://securityaffairs.co/wordpress/122730/malware/grifthorse-malware-campaign.html
50% Of Servers Have Weak Security Long After Patches Are Released
Over 50% of servers scanned still have weak security, a new study suggests, even after patches have been issued. Researchers found that servers were still vulnerable weeks and even months after critical updates, leaving many businesses wide open to attack. https://www.darkreading.com/vulnerabilities-threats/50-of-servers-have-weak-security-long-after-patches-are-released
Threats
Ransomware
United Health Centres Reportedly Compromised By Ransomware Attack
JVCKenwood Hit By Conti Ransomware Claiming Theft Of 1.5TB Data
Ransomware Gangs Are Complaining That Other Crooks Are Stealing Their Ransoms
United Health Centers Reportedly Compromised By Ransomware Attack
REvil Customers Complain Ransomware Gang Uses Backdoors To Filch Ransoms
The Biggest Problem With Ransomware Is Not Encryption, But Credentials
Phishing
Other Social Engineering
Malware
Thousands Of Online Gaming Accounts Hit In Major Cyber Attack
Microsoft Warns of FoggyWeb Malware Targeting Active Directory FS Servers
New Malware Steals Steam, Epic Games Store, And EA Origin Accounts
Vulnerabilities
Threat Actors Use Recently Discovered CVE-2021-26084 Atlassian Confluence
New Azure AD Bug Lets Hackers Brute-Force Passwords Without Getting Caught
Thousands of University Wi-Fi Networks Expose Log-In Credentials
Exploit Released For VMware Vulnerability After CISA Warning
Outsourced Software Poses Greater Risks to Enterprise Application Security
Working Exploit Is Out for VMware vCenter CVE-2021-22005 Flaw
Apple Responds To Security Researcher Who Found Multiple iOS 15 Zero-Day Flaws
Windows 10 Emergency Update Resolves KB5005565 App Freezes, Crashes
Cyber Security Vulnerability Could Affect Millions Of Hikvision Cameras
Data Breaches/Leaks
Anonymous: We've Leaked Disk Images Stolen From Far-Right-Friendly Web Host Epik
3.8 Billion Users’ Combined Clubhouse, Facebook Data Up for Sale
Emails, Chat Logs, More Leaked Online From Far-Right Militia Linked To US Capitol Riot
Cryptocurrency/Cryptojacking
Ethereum Dev Admits Helping North Korea Mine Crypto-Bucks, Faces 20 Years Jail
China Says All Crypto Currency-Related Transactions Are Illegal And Must Be Banned
Insider Threats
Dark Web
DoS/DDoS
Nation State Actors
APT Focus: ‘Noisy’ Russian Hacking Crews Are Among The World’s Most Sophisticated
APT29 Targets Active Directory Federation Services With Stealthy Backdoor
Nation-State Attacks Fears Grow, Execs Don’t Trust Governments To Protect Them From Cyber Threats
APT focus: ‘Noisy’ Russian hacking crews are among the world’s most sophisticated
Cloud
Huawei Cloud Services: U.S. Lawmakers Express Security Concerns
Why CEOs Should Absolutely Concern Themselves With Cloud Security
Cloud Security: Report Finds 68% of Malware Delivered From Cloud Apps
Privacy
Reports Published in the Last Week
Other News
Revealed: How To Steal Money From Victims' Contactless Apple Pay Wallets
Threat Actors Weaponize Telegram Bots to Compromise PayPal Accounts
Report Highlights Cyber Security Dangers Of Elastic Stack Implementation Mistakes
Russian Authorities Arrest Cyber Security Giant Group-IB’s CEO On Treason Charges
Corporate Attack Surface Exploding As A Result Of Remote Work
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Threat Alert - GriftHorse Malware Saddles 10 Million Android Users with Sophisticated Billing Malware
GriftHorse Malware Saddles 10 Million Android Users with Sophisticated Billing Malware
Black Arrow Threat Alert - GriftHorse Malware Saddles 10 Million Android Users with Sophisticated Billing Malware
Over 10 million Android users have been infected by a particularly lucrative form of malware. Distributed through Google Play, more than 200 apps have been found to contain GriftHorse, a sophisticated trojan used to secretly bill for premium “services”.
Victims have been recorded in 70 countries, with GriftHorse netting its implementers hundreds of millions of euros since it came on scene. The malware was first detected by Zimperium, a mobile security researcher, who stated that GriftHorse was “one of the most widespread campaigns” they’d seen in 2021.
So, how does it work? With names like “Handy Translator Pro” and “Call Recorder Pro”, users are enticed to download the apps, before being bombarded with pop-ups. These pop-ups appear and re-appear with alarming frequency, until the user finally relents.
In a complex move, users are then directed to a custom page based on their location, both for believability and to adapt and outmaneuver anti-virus. Once successful, the device is signed up for a premium text message service, adding a hefty chunk to the victim’s phone bill every month.
A full list of compromised apps and associated URLs can be found here https://pastebin.com/cqRVtsSp
Black Arrow Cyber Threat Briefing 09 July 2021
Black Arrow Cyber Threat Briefing 09 July 2021: Hackers Demand $70 Million To End Biggest Ransomware Attack On Record; Zero Day Malware Reached An All-Time High In Q1 2021; New Trojan Malware Steals Millions Of Login Credentials; MacOS Targeted In WildPressure APT Malware Campaign; The Cost Of Cyber Insurance Increased 32% Last Year And Shows No Signs Of Easing; Critical Flaws In Windows Print Spooler Service Could Allow For Remote Attacks; British Airways Settles Over Record Claim For Data Breach; Hackers On Loose As 9,000 Data Leaks A Year Recorded
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
Hackers Demand $70 Million To End Biggest Ransomware Attack On Record
An affiliate of the notorious REvil gang, best known for extorting $11 million from the meat-processor JBS after a Memorial Day attack, infected thousands of victims in at least 17 countries on Friday, largely through firms that remotely manage IT infrastructure for multiple customers. REvil was demanding ransoms of up to $5 million, the researchers said. But late Sunday it offered in a posting on its dark web site a universal decryptor software key that would unscramble all affected machines in exchange for $70 million in crypto currency.
https://www.cbsnews.com/news/ransomware-attack-revil-hackers-demand-70-million/
Zero Day Malware Reached An All-Time High Of 74% In Q1 2021
74% of threats detected in Q1 2021 were zero day malware – or those for which a signature-based antivirus solution did not detect at the time of the malware release – capable of circumventing conventional antivirus solutions. The report also covers new threat intelligence on rising network attack rates, how attackers are trying to disguise and repurpose old exploits, the quarter’s top malware attacks, and more.
https://www.helpnetsecurity.com/2021/06/29/zero-day-malware-q1-2021/
New Trojan Malware Steals Millions Of Login Credentials
There is a new custom Trojan-type malware that managed to infiltrate over three million Windows computers and steal nearly 26 million login credentials for about a million websites. The findings suggest that the Trojan classifies the websites into a dozen categories, which include virtually all popular email services, social media platforms, file storage and sharing services, ecommerce platforms, financial platforms, and more. In all, the unnamed malware managed to siphon away 1.2 terabytes of personal data including over a million unique email addresses, over two billion cookies, and more than six million other files.
https://www.techradar.com/news/malware-steals-millions-of-login-credentials-for-popular-websites
Ransomware As A Service: Negotiators Are Now In High Demand
The Ransomware-as-a-Service (RaaS) ecosystem is evolving into something akin to a corporate structure, with new openings available for "negotiators" -- a role focused on extorting victims to pay a ransom. A study in RaaS trends has recently come out saying that one-man-band operations have almost "completely dissolved" due to the lucrative nature of the criminal ransomware business. Showing the potential financial gains squeezed from companies desperate to unlock their systems have given rise to specialists in cyber crime and extortion and have also led to a high demand for individuals to take over the negotiation part of an attack chain.
MacOS Targeted In WildPressure APT Malware Campaign
Recently, threat actors known as WildPressure have added a MacOS malware variant to their latest campaign targeting energy sector businesses, while enlisting compromised WordPress websites to carry out attacks. Furthermore, known novel malware, initially identified in March 2020 and dubbed Milum, has now been retooled with a PyInstaller bundle containing a trojan dropper compatible with Windows and MacOS systems, according to researchers. Compromised endpoints allow the advanced persistent threat (APT) group to download and upload files and executing commands.
The Cost Of Cyber Insurance Increased 32% Last Year And Shows No Signs Of Easing
The cost of insurance to protect businesses and organisations against the ever-increasing threat of cyber crimes has soared by a third in the last year. Also adding that global cyber insurance pricing has increased by an average of 32 percent in the year to June. Not only are premiums going through the roof, insurers are also attaching more strings to their policies, demanding ever more assurances that firms taking out cover have the necessary systems and processes in place to prevent a cyber mishap. Previous research also suggests that the upward squeeze on premiums shows no sign of easing, which, in turn, is putting more strain on the sector.
https://www.theregister.com/2021/07/05/cyber_insurance_report/
Critical Flaws In Windows Print Spooler Service Could Allow For Remote Attacks
Administrators are urged to apply the latest patches from Microsoft and disable the Windows Print spooler service in domain controllers and systems not used for printing. This is because Microsoft is currently grappling with a couple of security holes in its Windows Print spooler service that could allow attackers to remotely control an affected system. Anyone able to exploit the more recent vulnerability of the two would be able to run code on the compromised computer with full system privileges. That attacker could then install software, modify data and create new user accounts.
End Users In The Dark About Latest Cyber Threats, Attacks
According to a recent survey, which polled consumers and end users, high-profile incidents such as the ransomware attack on Colonial Pipeline Co. and the breach of a Florida city's water utilities were either overlooked or ignored by many outside the IT and information security fields. As a result, the responsibility for keeping users informed and aware of the need for heightened security appears to fall on administrators and IT staff.
British Airways Settles Over Record Claim For Data Breach
British Airways has settled what is thought to be the biggest claim for a data breach in British legal history, involving 16,000 victims. However, the amount was not disclosed. When The breach took place three years ago, multiple data sources and customer data was leaked, including the leakage of names, addresses and card payment details which affected 420,000 customers and staff. As a result, in 2019 the Information Commissioner’s Office hit BA with its largest ever fine at £20 million.
Hackers On Loose As 9,000 Data Leaks A Year Recorded
Public bodies and the private sector suffered nearly 9,000 data security incidents in 12 months with sensitive and private information hacked, lost or accidentally given to the wrong people. This Data was seen to lists more than 500 organisations hit by ransomware attacks and a further 562 incidents of hacking. There was also a total of 8,815 data security incidents in 2020/21 with the most breaches in the health and education sectors. Furthermore, over the past three years, police forces across England and Wales suffered an average eight breaches a week. Even security experts announced that these figures were “alarming” and that the public would be “disturbed” to learn how often important information/data was being lost.
https://www.thetimes.co.uk/article/hackers-9000-data-leaks-recorded-cyber-crime-56nvs7t6w
Threats
Ransomware
Swedish Coop Supermarkets Shut Due To US Ransomware Cyber Attack
Ransomware-Hit Law Firm Gets Court Order Asking Crooks Not To Publish The Data They Stole
This Crowd Sourced Ransomware Payment Tracker Shows How Much Cyber Criminals Have Heisted
Ransomware: US Warns Russia To Take Action After Latest Attacks
Kaseya Says Up To 1,500 Businesses Compromised In Massive Ransomware Attack
Phishing
Malware
Vulnerabilities
Microsoft Issues Emergency Patch for Critical Windows PrintNightmare Vulnerability
Microsoft Warns Of Critical PowerShell 7 Code Execution Vulnerability
Researchers Briefly Posted PoC For Windows Print Spooler RCE Flaw
Kaseya Patches Imminent After Zero-Day Exploits, 1,500 Impacted
SonicWall Addresses Critical CVE-2021-20026 Flaw In NSM Devices
Kaseya Left Customer Portal Vulnerable To 2015 Flaw In Its Own Software
Morgan Stanley Announces Breach Of Customer SSNs Through Accellion FTA Vulnerability
Data Breaches
Organised Crime & Criminal Actors
UK, US Agencies Warn Of Large-Scale Brute-Force Attacks Carried Out By Russian APT
Moroccan Hacker Dr Hex Arrested For Phishing Attacks, Malware Distribution
Supply Chain
OT, ICS, IIoT and SCADA
Nation State Actors
SolarWinds Hackers Breached RNC Via Synnex In New Attack: Report
Lazarus gang targets engineers with job offers using poisoned emails (tripwire.com)
Cloud
Privacy
Other News
IT Manager Who Swindled Essex Hospital Trust Out Of £800k Gets 5 Years In Prison
Website Of Mongolian Certificate Authority Served Backdoored Client Installer
Security Problems Worsen As Enterprises Build Hybrid And Multiloud Systems
Leaked infrastructure code, credentials and keys costing orgs an average of $1.2 million per year
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Threat Briefing 14 May 2021
Black Arrow Cyber Threat Briefing 14 May 2021: Two Thirds Of CISOs Expect Damaging Cyber Attack In Next 12 Months; Ransomware - Don't Pay, It Just Shows Cyber Criminals That Attacks Work; Most Significant Cyber Attacks 2006-2020; The Shape Of Fraud And Cyber Crime, 10 Things We Learned From 2020; US Pipeline Ransomware Serves As Warning To Persistent Corporate Inertia Over Security; Ransomware Attackers Now Using Triple Extortion Tactics; AXA Pledges To Stop Reimbursing French Ransomware Victims; Cyber Experts Warn Over Online Wine Scams
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
Two Thirds Of CISOs Across World Expect Damaging Cyber Attack In Next 12 Months
More than 1,000 CISOs around the world have expressed concerns about the security ramifications of the massive shift to remote work since the beginning of the pandemic. One hundred CISOs from the US, Canada, the UK, France, Germany, Italy, Spain, Sweden, the Netherlands, UAE, Saudi Arabia, Australia, Japan, and Singapore were interviewed for the report, with many highlighting significant problems in the current cyber security landscape.
Ransomware: Don't Pay Up, It Just Shows Cyber Criminals That Attacks Work, Warns Home Secretary
For victims of ransomware attacks, paying the ransom does not guarantee that their network will be restored – and handing money to criminals only encourages them to try their luck infecting more companies with the file-encrypting malware. The impact of ransomware attacks continues to rise as cyber criminals encrypt networks, while also blackmailing victims with the prospect of stolen data being published, to generate as much money as possible from extortion.
The Most Significant Cyber Attacks From 2006-2020, By Country
Committing a cyber crime can have serious consequences. In the US, a cyber criminal can receive up to 20 years in prison for hacking into a government institution if it compromises national security. Yet, despite the consequences, cyber criminals continue to wreak havoc across the globe. But some countries seem to be targeted more than others. Using data from SpecOps Software, this graphic looks at the countries that have experienced the most significant cyber attacks over the last two decades.
https://www.visualcapitalist.com/cyber-attacks-worldwide-2006-2020/
The Shape Of Fraud And Cyber Crime: 10 Things We Learned From 2020
While it remains true that the older you are, the greater the financial loss, why would fraudsters target the young, who are arguably less well off? The answer lies in volume. Criminals have been offsetting higher monetary gain for higher attack rates, capitalising on the fact that the young are perhaps both more liberal with personal information (and privacy in general) and, at the same time, heavy digital users (social media, surveys, games, and so on). In fact, it is scary to see how much value the humble email address can have for criminals. We often forget that once obtained, it can be used further down the line to commit more fraud.
Is Third-Party Software Leaving You Vulnerable To Cyber Attacks?
When companies buy digital products, they expect them to be secure. In most cases, they do not test for vulnerabilities down the digital supply chain — and do not even have adequate processes or tools to do so. Hackers have taken note, and incidents of supply chain cyber attacks, which exploit weaknesses within the digital supply chain to break into organisations’ internal networks, are on the rise. As a result, there have been many headline incidents that not only bring shame to the companies involved, but rachet up the visibility of these threats to top executives who want to know their offerings are secure.
https://hbr.org/2021/05/is-third-party-software-leaving-you-vulnerable-to-cyberattacks
US Pipeline Ransomware Attack Serves As Fair Warning To Persistent Corporate Inertia Over Security
Organisations that continue to disregard the need to ensure they have adopted basic cyber security hygiene practices should be taken to task. This will be critical, especially as cyber criminals turn their attention to sectors where cyber threats can result in real-world risks, as demonstrated in the US Colonial Pipeline attack. In many of my conversations with cyber security experts, there is a shared sense of frustration that businesses still are failing to get some of the most basic things right. Default passwords are left unchanged, frontline staff and employees are still falling for common scams and phishing attacks, and major businesses think nothing of using technology that are decades old.
Ransomware Attackers Are Now Using Triple Extortion Tactics
The number of organisations affected by ransomware so far this year has more than doubled, compared with the same period in 2020, according to the report. Since April, Check Point researchers have observed an average of 1,000 organisations impacted by ransomware every week. For all of 2020, ransomware cost businesses worldwide around $20 billion, more than 75% higher than the amount in 2019. The healthcare sector has been seeing the highest volume of ransomware with around 109 attacks per organization each week. Amid news of a ransomware attack against gas pipeline company Colonial Pipeline, the utilities sector has experienced 59 attacks per organization per week. Organisations in the insurance and legal sector have been affected by 34 such attacks each week.
https://www.techrepublic.com/article/ransomware-attackers-are-now-using-triple-extortion-tactics/
AXA Pledges To Stop Reimbursing Ransom Payments For French Ransomware Victims
Insurance company AXA has revealed that, at the request of French government officials, it will end cyber insurance policies in France that pay ransomware victims back for ransoms paid out to cyber criminals. While unconfirmed, the Associated Press reported that the move was an industry first. AXA is one of the five biggest insurers in Europe and made the decision as ransomware attacks become a daily occurrence for organisations across the world.
The Dystopic Future Of Cyber Security And The Importance Of Empowering CISOs
Over a decade ago, in 2007, the first iPhone was released and with it emerged an ecosystem of apps that continues to expand to this day. This was a watershed moment, not solely for the technology industry, but civilization. It was a catalyst for what was to come. Suddenly, every consumer could access the internet at a touch of a button, and the accumulation of their data by private companies began en masse. It was at this point that data was established as an increasingly valuable commodity, and in turn, became a heightened exploitation risk. It also instigated a wave of innovation that has yet to break and is only growing rapidly in pace. In this state, technology providers, users, and manufacturers get excited about new functionalities, new features, new developments, while little thought is given to the negative consequences that could arise as a result. Indeed, fear has no place in the state of innovation as it is this primal thinking that inhibits creativity.
https://www.infosecurity-magazine.com/blogs/the-dystopic-future-of/
Cyber Security Experts Warn Over Online Wine Scams
Online wine scams became a bigger threat as cyber criminals sought to take advantage of more people and businesses organising virtual drinks and ordering bottles on the internet in the wake of Covid-19 restrictions, suggests the report. So-called ‘phishing emails’ were a particular concern, according to findings published in April by US-based group Recorded Future in partnership with Area 1 Security. From January 2020 onwards, the authors found a significant rise in legitimate wine-themed web domain registrations using terms like Merlot, Pinot, Chardonnay or Vino.
https://www.decanter.com/wine-news/cyber-security-experts-warn-over-online-wine-scams-457647/
Threats
Ransomware
New Ransomware: CISA Warns Over Fivehands File-Encrypting Malware Variant
Energy Companies Are The Firms Most Likely To Pay Cyber Attack Ransoms
A Student Pirating Software Led To A Full-Blown Ryuk Ransomware Attack
BEC
Phishing
Other Social Engineering
Coronavirus-Related Cyber Crime Contributes To 15-Fold Surge In Scam Takedowns
She Responded To A Smishing Scam. Then The Spam Texts Got Worse.
Malware
Mobile
IOT
Vulnerabilities
Don’t Delay Installing Your Windows 10 May Patch Tuesday Update – It Fixes 3 Zero-Day Exploits
WiFi Vulnerability May Leave Millions Of Devices Open To 'Frag Attacks'
Remote Mouse Mobile App Contains Raft Of Zero-Day RCE Vulnerabilities
Lemon Duck Hacking Group Adopts Microsoft Exchange Server Vulnerabilities In New Attacks
Data Breaches
Organised Crime & Criminal Actors
Supply Chain
Nation State Actors
Russian Hackers Are Targeting These Vulnerabilities, So Patch Now
NCSC Warns British Start-Ups Of Threat From Chinese And Russian Hackers
Privacy
Reports Published in the Last Week
Other News
Your Old Mobile Phone Number Could Compromise Your Cyber Security
Biden Signs Executive Order Aiming To Prevent Future Cyber Security Disasters
Train Firm’s ‘Worker Bonus’ Email Is Actually Cyber Security Test
Half Of Government Security Incidents Caused By Missing Patches
90% Of Security Leaders View Bot Management As A Top Priority
'Everyone Had To Rethink Security': What Microsoft Learned In Last Year
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Threat Briefing 08 January 2021
Black Arrow Cyber Threat Briefing 08 January 2021: Ryuk gang estimated to have made more than $150 million from ransomware; China's hackers move to ransomware; Amid hardened security, attackers seek softer targets; Hackney Council files leaked online after cyber attack; PayPal users targeted in new SMS phishing campaign; the rise of cyber-mercenaries; Declutter Your Devices to Reduce Security Risks
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities and cyber related news from the last week.
Top Cyber Headlines of the Week
Ryuk gang estimated to have made more than $150 million from ransomware attacks
In a joint report published today, threat intel company Advanced Intelligence and cyber security firm HYAS said they tracked payments to 61 Bitcoin addresses previously attributed and linked to Ryuk ransomware attacks. "Ryuk receives a significant amount of their ransom payments from a well-known broker that makes payments on behalf of the ransomware victims," the two companies said. "These payments sometimes amount to millions of dollars and typically run in the hundreds of thousands range."
China's APT hackers move to ransomware attacks
Security researchers investigating a set of ransomware incidents at multiple companies discovered malware indicating that the attacks may be the work of a hacker group believed to operate on behalf of China. Although the attacks lack the sophistication normally seen with advanced threat actors, there is strong evidence linking them to APT27, a group normally involved in cyber espionage campaigns, also known as TG-3390, Emissary Panda, BRONZE UNION, Iron Tiger, and LuckyMouse.
https://www.bleepingcomputer.com/news/security/chinas-apt-hackers-move-to-ransomware-attacks/
SolarWinds hack: Amid hardened security, attackers seek softer targets
Reported theories by SolarWinds hack investigators that federal agencies and private companies were too busy focusing on election security to recognize vulnerabilities tied to the software supply chain are unfair and misleading. And yet, those same experts acknowledge that such accusations offer an important cyber security lesson for businesses: organizations must ensure that their entire attack surface receives attention.
Hackney Council files including alleged passport documents leaked online after cyber attack
The council in East London was hit by what it described as a "serious cyber attack" in October. It reported itself to the data watchdog due to the risk criminals accessed staff and residents' data. The council said it was working with the UK's National Cyber Security Centre (NCSC) and the Ministry of Housing to investigate and understand the impact of the incident.
PayPal users targeted in new SMS phishing campaign
Now, at first glance the message may not seem all that suspicious since PayPal may, in fact, impose limits on sending and withdrawing money. The payment provider usually does so when it suspects that an account has been accessed by a third party without authorization, when it has detected high-risk activities on an account, or when a user has violated its Acceptable Use Policy. However, in this case it really is a case of SMS-borne phishing, also known as Smishing. If you click on the link, you will be redirected to a login phishing page that will request your access credentials. Should you proceed to “log in”, your credentials will be sent to the scammers behind the ruse and the fraudulent webpage will attempt to gather further information, including the full name, date of birth address, and bank details.
https://www.welivesecurity.com/2021/01/04/paypal-users-targeted-new-sms-phishing-campaign/
SolarWinds, top executives hit with class action lawsuit over Orion software breach
SolarWinds and some of its top executives have been hit with a class action lawsuit by stockholders, who allege the company lied and materially misled them about security practices leading up to a massive breach of its Orion management software that has reverberated throughout the public and private sector.
The rise of cyber-mercenaries poses a growing threat for both governments and companies
These days, 21st century mercenaries are as likely to be seated behind a computer screen, wreaking havoc for their paymasters’ enemies as slugging it out on a real-world battlefield. But the rapid rise of cyber-mercenaries - or Private Sector Offensive Actors (PSOAs) - is vexing some of the biggest names in the global technology industry, and for good reason. Globally, the cyber security industry is already vast, raking in an estimated $156bn in revenues in 2019. It is set to nearly double in size by 2027.
Declutter Your Devices to Reduce Security Risks
Everyone should set aside time to review what they’ve installed on their various devices—typically apps, but that can also include games and addons. In fact, this should be an annual cleaning, at minimum.
You’re not just doing this because you want your device to look good. That’s one benefit you get from cleaning up your digital life, but it’s not the most important one. You’re also doing this to bolster your digital security. Yes, security.
https://lifehacker.com/declutter-your-devices-to-reduce-security-risks-1845991606
Threats
Ransomware
New Year, New Ransomware: Babuk Locker Targets Large Corporations
Phishing
This new phishing attack uses an odd lure to deliver Windows trojan malware
Facebook ads used to steal 615000+ credentials in a phishing campaign
Malware
North Korean hackers launch RokRat Trojan in campaigns against the South
Thousands infected by trojan that targets cryptocurrency users on Windows, Mac and Linux
A hacker’s predictions on enterprise malware risk
Vulnerabilities
Google Warns of Critical Android Remote Code Execution Bug
Hackers are actively exploiting this leading VPN, so patch now
Data Breaches
Hacker posts data of 10,000 American Express accounts for free
Vodafone's ho. Mobile admits data breach, 2.5m users impacted
T-Mobile data breach: ‘Malicious, unauthorized’ hack exposes customer call information
Exclusive Networks hit by cyberattack on New Year's Eve
Up to half a million victims of BA data breach could be eligible for compensation
Nation State Actors
Even Small Nations Have Jumped into the Cyber Espionage Game
Denial of Service
Ransom DDoS attacks target a Fortune Global 500 company
Privacy
Telegram feature exposes your precise address to hackers
Whatsapp Competitor Signal Stops Working Properly As Users Rush To Leave Over Privacy Update
Google Chrome browser privacy plan investigated in UK
Singapore police can access COVID-19 contact tracing data for criminal investigations
Other News
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Cyber Weekly Flash Briefing 18 Sept 2020: Higher cyber losses; old MS Office exploit; banking Trojan given away free; new Bluetooth flaw; IoT risks; DDoS attacks up; US charge Iranians & Russians
Cyber Weekly Flash Briefing 18 September 2020: Cyber losses increasing in frequency & severity, decade-old MS Office exploit, Cerberus banking Trojan released for free to attackers, Bluetooth vulnerability affects billions of devices, The Internet of Things devices that could put you at risk from hackers
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Cyber losses are increasing in frequency and severity
Research by a cyber insurance provider in North America shows cyber attacks have increased in number and severity since the onset of the coronavirus pandemic. The changes that organisations implemented to facilitate remote work have given cyber criminals new opportunities to launch campaigns exploiting mass uncertainty and fear.
The severity of ransomware attacks has increased since the beginning of COVID-19, with researchers having observed a 47% increase on top of a 100% increase in Q1 2020.
Researchers also found that newer strains of ransomware have been particularly malicious, with costly ransom demands and criminal actors threatening to expose an organisation’s data if they don’t pay. They report that the average demand from attackers using the Maze variety of ransomware is approximately six times larger than the overall average.
Researchers also reported a 35% increase in funds transfer fraud and social engineering claims filed by their policyholders since the pandemic began. Reported losses from these types of attack have ranged from the low thousands to well above $1 million per event.
Additionally, COVID-19 has resulted in a notable surge of business email compromise. The insurer observed a 67% increase in the number of email attacks during the pandemic.
Why this matters:
The report refers to North America but the findings are applicable to us all. They indicate that the most frequent types of losses incurred by victims were from ransomware (41%), funds transfer loss (27%), and business email compromise incidents (19%) — accounting for 87% of reported incidents and 84% of the insurer’s claim pay-outs in the first half of 2020.
Clearly with the landscape getting worse, firms more likely to fall victim, and with losses increasing all the time, firms should ensure they are taking these threats seriously.
Read more: https://www.helpnetsecurity.com/2020/09/14/cyber-losses-are-increasing-in-frequency-and-severity/
Hackers have revived a decade-old Microsoft Office exploit - and they’re having a field day
Hackers have ramped up attempts to abuse a decade-old Microsoft Office flaw with the help of creative new email scams, new research has found.
According to analysis commissioned by NordVPN, attempts to exploit the vulnerability (CVE-2017-11882) rose by 400% in the second quarter of the year - with further growth expected.
Why this matters:
If exploited successfully, the memory corruption bug could allow attackers to execute code on the target device remotely. This is especially problematic if the affected user’s account has administrative privileges, in which case the hacker could seize control of the system.
Cerberus banking Trojan source code released for free to cyber attackers
The source code of the Cerberus banking Trojan has been released as free malware on underground hacking forums following a failed auction.
The leaked code, distributed under the name Cerberus v2, presents an increased threat for smartphone users and the banking sector at large.
Why this matters:
Cerberus is a mobile banking Trojan designed for the Google Android operating system. In circulation since at least July 2019, the Remote Access Trojan (RAT) is able to conduct covert surveillance, intercept communication, tamper with device functionality, and steal data including banking credentials by creating overlays on existing banking, retail, and social networking apps.
The malware is able to read text messages that may contain one-time passcodes (OTP) and two-factor authentication (2FA) codes, thereby bypassing typical 2FA account protections. OTPs generated through Google Authenticator may also be stolen.
Critical Bluetooth security vulnerability could affect billions of devices worldwide
A new security flaw in the Bluetooth software stack discovered over the summer has the potential to affect billions of smartphones, laptops and IoT devices using the Bluetooth Low Energy (BLE) protocol.
The new vulnerability has been given the name BLESA (Bluetooth Low Energy Spoofing Attack) by the team of seven academic researchers at Purdue University who first discovered it.
Unlike the recently discovered BLURtooth vulnerability that deals with how Bluetooth devices pair with one another, BLESA was found in the reconnection process. Reconnections occur when two BLE devices move out of range and then move back into range. Normally BLE devices check the cryptographic keys negotiated during the pairing process when reconnecting.
The research team found that the official BLE specification did not contain strong-enough language to describe the reconnection process properly leading to two systemic issues making their way into BLE software implementations.
The first deals with the fact that authentication during device reconnection is optional as opposed to mandatory while the second relates to how authentication can potentially be circumvented if a user's BLE device fails to force another device to authenticate the cryptographic keys sent while reconnecting.
Why this matters:
Billions of devices could be vulnerable to these BLESA attacks where a nearby attacker bypasses reconnection verification and sends spoofed data to a BLE device with incorrect information. This can lead both humans and automated processes to make incorrect decisions when it comes to allowing two devices to reconnect with one another.
Coffee machines, cuddly toys and cars: The Internet of Things devices that could put you at risk from hackers
Connected teddy bears, connected coffee machines and connected cars are just some of the unusual Internet of Things (IoT) devices being insecurely connected to corporate networks that could leave whole organisations open to cyber attacks.
A research paper by Palo Alto Networks details the surge in IoT devices being connected to corporate networks and their wide variety.
Some of the most common irregular devices being connected to organisations' networks include connected vehicles, connected toys and connected medical devices, with connected sports equipment such as fitness trackers, gaming devices and connected cars also being deployed.
These devices are being connected because they can often help people through the working day or help manage aspects of their personal life, but they're also creating additional problems for the corporate network.
Why this matters:
In many cases, these 'shadow IoT' devices are being added to the network without the knowledge of the security team.
This could potentially leave the corporate network vulnerable because not only do some IoT devices have poor security that means they can easily be discovered and exploited, but some workplaces still have flat networks and if a device is compromised then an attacker can move from the IoT product to another system.
DDoS Attacks Skyrocket as Pandemic Bites
More people being online during lockdowns and more people working from home has proven to be lucrative for DDoS type attacks.
The first half of 2020 saw a significant uptick in the number of distributed denial-of-service (DDoS) attacks compared to the same period last year — a phenomenon that appears to be directly correlated to the global coronavirus pandemic.
One firm’s Security Operations Centre (SOC) saw a 151 percent increase in DDoS activity in the period, including one of the largest and longest attacks they had has ever mitigated – that attack came in at 1.17 terabits-per-second (Tbps), and lasted five days and 18 hours.
These figures are representative of the growing number, volume and intensity of network-type cyber attacks as organizations shifted to remote operations and workers’ reliance on the internet increased.
Why this matters:
DDoS attacks are getting bigger, with a “noticeable spike” in volume: The number of attacks sized 100Gbps and above grew a whopping 275 percent. Emblematic of this is a 2.3Tbps attack targeting an Amazon Web Services client in February – the largest volumetric DDoS attack on record. And the aforementioned 1.17Tbps attack was 192 percent bigger than the largest attack mitigated during the first half of 2019.
Read more: https://threatpost.com/ddos-attacks-skyrocket-pandemic/159301/
US charges two Russians for stealing $16.8m via cryptocurrency phishing sites
The US Department of Justice has filed charges this week against two Russian nationals for orchestrating a multi-year phishing operation against the users of three cryptocurrency exchanges.
The two suspects stand accused of creating website clones for the Poloniex, Binance, and Gemini cryptocurrency exchanges, luring users on these fake sites, and collecting their account credentials. These phishing operations began around June 2017.
US officials said the Russian duo — made up of Danil Potekhin (aka cronuswar) and Dmitrii Karasavidi; residents of Voronezh and Moscow, respectively — used the stolen credentials to access victim accounts and steal their Bitcoin (BTC) and Ether (ETH) crypto-assets.
Why this matters:
In total, US officials estimated the victims in the hundreds. Court documents cite 313 defrauded Poloniex users, 142 Binance victims, and 42 users at Gemini. Losses were estimated at $16,876,000.
Whilst bitcoin has waned in popularity after its highs a few years back there is still value in holdings held in different exchanges and these holdings remain popular targets for attackers.
US charges two Iranian hackers for years-long cyber-espionage, cybercrime spree
The US has also filed charges against and is seeking the arrest of two Iranian nationals believed to have carried out cyber-intrusions at the behest of the Iranian government and for their own personal financial gain.
In an indictment unsealed this week, prosecutors accused Hooman Heidarian and Mehdi Farhadi, both from Hamedan, Iran, of launching cyber-attacks against a wide range of targets since at least 2013.
Past victims included several US and foreign universities, a Washington think tank, a defense contractor, an aerospace company, a foreign policy organization, non-governmental organizations (NGOs), non-profits, and foreign government and other entities the defendants identified as rivals or adversaries to Iran, with most targets located in the US, Israel, and Saudi Arabia.
US officials said Heidarian and Farhadi focused on gaining access to their victims' accounts, computers, and internal networks, from where they stole confidential data and communications pertaining to topics such as national security, foreign policy, nuclear energy, and aerospace.
Why this matters:
Financial data and personally identifiable information wasn't off-limits, and the two also stole intellectual property, such as unpublished scientific research.
In addition, the two also targeted and stole personal information and communications of Iranian dissidents, human rights activists, and opposition leaders, according to George M. Crouch Jr., Special Agent in Charge of the FBI Newark Division.
Prosecutors believe that some of the stolen data was handed over to Iranian government intelligence officials, but that other information was also sold on black markets for the hackers' personal gains.
Alert issued to UK universities and colleges about spike in cyber attacks
British universities and colleges have been warned about a spike in ransomware attacks targeting the education sector by the UK's National Cyber Security Centre (NCSC), a part of GCHQ.
Academic institutions are being urged to follow NCSC guidance following a sharp increase in attacks which have left some teachers fearing they won't be able to accept students when term begins.
Last week staff at Newcastle University warned Sky News they had "no idea how we are going to welcome students in three weeks' time" following one such ransomware attack, which has impacted IT services across the whole university.
Similar attacks in which criminal hackers infiltrated computer networks and stole data before encrypting the machines and demanding a ransom payment to unlock them again, have hit Northumbria University, Bolton Sixth Form College, Leeds City College and others in August alone.
Speaking to Sky News, NCSC's director of operations Paul Chichester said the agency had seen an increase in the "utterly reprehensible" attacks over the past 18 months and was concerned they would disrupt young people's education.
Why this matters:
There are more than a dozen criminal groups which are currently earning millions by encrypting their victim's computer networks and then leaking stolen documents online to pressure the victims into paying up.