Threat Intelligence Blog
Contact us to discuss any insights from our Blog, and how we can support you in a tailored threat intelligence report.
Black Arrow Cyber Threat Briefing 03 May 2024
Black Arrow Cyber Threat Intelligence Briefing 03 May 2024:
-Most Attacks Impacting SMB’s Target Older, Unpatched Vulnerabilities
-91% of Ransomware Victims Paid At least One Ransom in the Past Year, as 1 in 5 Ransomware Attacks Triggers Lawsuit
-BEC and Fund Transfer Fraud Top Insurance Claims
-Correlating Cyber Investments with Business Outcomes
-Vulnerability Exploitation up 180%, 68% of Breaches involved Humans and Supply Chain Weak Link
-MOVEit & Change Healthcare Attacks Designated as Cyber Catastrophe Loss Events by Insurer
-Securing Your Organisation’s Supply Chain: Reducing the Risks of Third Parties
-Why Remote Desktop Tools are Facing an Onslaught of Cyber Threats
-95% of Organisations Revamped Cyber Security Strategies in the Last Year: Make Sure Yours is Right
-Human Factor a Significant Risk for Small and Medium-Sized Businesses.
-Microsoft CEO Says it is Putting Security Above All Else in Major Refocus
-Ending the Culture of Silence in Cyber Security; Three Ways to Empower Teams
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
Most Attacks Impacting SMB’s Target Older, Unpatched Vulnerabilities
Attackers continue to aggressively target small and mid-size businesses using specific high-profile vulnerabilities dating back a decade or more, network telemetry shows. Findings have shown that this is due to these vulnerabilities featuring in a wide range of products. Due to their prevalence, they can often become missed by organisations conducting patch management and therefore leave the organisation open.
For this reason it is critical that all organisations, including smaller organisations, have internal as well as external vulnerability scanning. You might believe your systems are patched up to date but there is no way to confirm without scanning , or to know which patches might have been missed.
Sources: [Infosecurity Magazine]
91% of Ransomware Victims Paid At least One Ransom in the Past Year, as 1 in 5 Ransomware Attacks Triggers Lawsuit
Ransomware attacks saw a significant surge in 2023, following a dip in 2022. The number of victims increased by 66% from 2022 to 2023, with 91% of those affected paying at least one ransom. 58% of organisations have been targeted six times or more.
The Sophos State of Ransomware 2023 report highlighted ransom payments rose by 500%; nearly two-thirds exceeded $1m or more, with an average payment of $2m. Furthermore, 30% of the demands were for over $5m.
In the US, 18% of incidents led to litigation, with 123 lawsuits filed in 2023 and 355 over five years. Data breaches, affecting 283.3 million records, primarily triggered these lawsuits, especially in healthcare and finance sectors. The resolution rate is 59%, with the highest settlement at $8.7m. Regulatory fines added nearly $10m to the financial impact. These figures underscore the significant financial implications of ransomware attacks and the urgent need for robust cyber security measures.
Sources: [ZD Net] [Infosecurity Magazine] [Security Magazine] [PrNewsWire] [Infosecurity Magazine]
BEC and Fund Transfer Fraud Top Insurance Claims
Cyber Insurer Coalition's 2024 Cyber Claims Report highlights a significant trend in cyber security threats, identifying email-based fraud as the predominant cause of insurance claims in 2023, accounting for 53% of all claims. Business email compromise (BEC) and funds transfer fraud (FTF) topped the list, contributing to 28% of claims and increasing claim amounts by 24% to an average loss exceeding $278,000. In contrast, ransomware, while less frequent at 19% of claims, also saw a rise in both frequency and severity, with average losses climbing to over $263,000. The report also notes a 13% year-on-year surge in overall claims, with substantial losses tied to compromised network security devices and a notable vulnerability in organisations using exposed remote desktop protocols.
Source: [Infosecurity Magazine]
Correlating Cyber Investments with Business Outcomes
The US Securities and Exchange Commission (SEC) has implemented stringent new rules compelling organisations to report significant cyber incidents within four days and to annually disclose details concerning their cyber security risk management, strategy, and governance. These mandates are seen as giving “more teeth to the idea that cyber security is a business problem” and “bringing an element of cyber security to the boardroom” according to cyber security solutions provider SecurityGate. Highlighted in the "Cybersecurity Insights" podcast, experts argue for simplifying cyber security strategies, advocating sustained resource allocation over reactive measures, and emphasising the importance of training over expensive solutions. These steps are deemed crucial for enhancing organisational resilience and security in a landscape where cyber threats are increasingly sophisticated and pervasive.
Source: [InfoRisk Today]
Verizon: Vulnerability Exploitation up 180%, 68% of Breaches involved Humans and Supply Chain Weak Link
Verizon has released the findings of its 17th Annual Data Breach Investigations Report, which showed security incidents doubled year over year in 2023 to a record high 30,458 security events and 10,626 confirmed breaches. Some of the key takeaways from the 100-page report include zero-day attacks on unpatched systems and devices rising 180% in 2023, most breaches (68%) involving a non-malicious human element and the median time for users to fall for phishing emails falling just south of 60 seconds. In its first inclusion as a separate metric, supply chain attacks were found to contribute to 15% of all attacks.
Sources: [MSSP Alert] [Verizon]
MOVEit & Change Healthcare Attacks Designated as Cyber Catastrophe Loss Events by Insurer
Verisk’s Property Claim Services (PCS) has recently identified the MOVEit and Change Healthcare cyber attacks as significant Cyber Catastrophe Loss Events. These designations are part of PCS’s Global Cyber solution, which tracks cyber incidents and their potential impact on the insurance market. The designation indicates that each attack is anticipated to result in insurance industry losses exceeding USD 250 million.
The MOVEit attack, linked to the Russian-affiliated group Cl0p, compromised over 2,700 organisations globally, affecting up to 90 million individuals. The Change Healthcare attack, attributed to the ALPHV/Blackcat gang, notably disrupted UnitedHealth Group’s operations, with projected costs and lost revenue totalling up to USD 1.6 billion. These designations highlight the escalating scale and financial impact of cyber incidents on global markets.
Source: [Reinsurance News]
Securing Your Organisation’s Supply Chain: Reducing the Risks of Third Parties
Nearly every organisation is part of a supply chain, where a significant amount of data is transferred. When data leaves your infrastructure, its security depends on the third party. The risks of a cyber incident increases as the supply chain increases.
Organisations need to mitigate the risks that their third party brings. This requires an understanding of the supply chain actors, and performing cyber security assessments of the most critical ones. The objective is to ensure that your organisation is satisfied with the third party’s security controls, or to work together to remediate any gaps.
Source: [Help Net Security]
Why Remote Desktop Tools are Facing an Onslaught of Cyber Threats
In the era of hybrid work, remote desktop tools have become crucial yet vulnerable points within corporate networks, attracting significant cyber criminal attention. A study by Barracuda Networks underscores the challenges of securing these tools. Virtual Network Computing (VNC) is particularly susceptible; it is targeted in 98% of these types of attacks due to its use of multiple, sometimes unsecured ports. VNC attacks predominantly exploit weak password practices, notably through brute force methods. Conversely, Remote Desktop Protocol (RDP) accounts for about 1.6% of these attacks but is favoured for more extensive network breaches, often involving ransomware or crypto mining. The study highlights a pressing need for robust endpoint management and heightened security measures to mitigate these threats.
Source: [ITPro]
95% of Organisations Revamped Cyber Security Strategies in the Last Year: Make Sure Yours is Right
A recent report found that 95% of companies have altered their cyber security strategies in the last twelve months. This was driven by keeping pace with the shifting regulatory landscape (98%), the need to meet customer expectations for data protection and privacy (89%), and the rise of AI-driven threats and solutions (65%). Almost half (44%) of non-security executives do not understand the regulatory requirements their organisation must adhere to.
When it came to reporting, the study found that security teams aren’t reporting on key operational metrics that define whether their security investments and strategy changes have a measurable impact. It is evident that there is a disconnect between security and non-security professionals when it comes to the business strategy.
Sources: [Business Wire] [Security Magazine]
Human Factor a Significant Risk for Small and Medium-Sized Businesses.
A survey of business and IT security in small and medium-sized businesses (SMBs) conducted by LastPass found that roughly one in five business leaders admits to circumventing security policies, as do one in 10 IT security leaders. The survey found that password management is critically important to cyber security, with nearly half (47%) reporting recent breaches due to compromised passwords.
Sources: [Beta News] [Business Wire]
Microsoft CEO Says it is Putting Security Above All Else in Major Refocus
Following a series of high-profile attacks in recent months and a report by the US Cyber Safety Review Board (CSRB), Microsoft’s CEO has revealed it will now focus its efforts on an increase in the commitment to security. Investigating a summer 2023 attack, Microsoft was deemed to have made a series of “avoidable errors”, including the failure to detect several compromises, the CSRB said.
Sources: [TechRadar]
Ending the Culture of Silence in Cyber Security; Three Ways to Empower Teams
A recent discussion on workplace errors highlights the significant repercussions of cyber breaches compared to typical office mistakes. In the UK, nearly a third of businesses face cyber attacks weekly, with each breach costing approximately £4,000. However, a concerning trend is that 41% of these breaches are not reported to internal leadership, often due to fears among staff about the consequences of admitting faults. A three-pronged approach has been suggested to foster a blame-free culture: providing tailored and evolving cyber training, establishing safe zones for admitting mistakes, and implementing robust recovery plans. This approach not only prepares employees to handle potential breaches more effectively but also encourages them to report incidents promptly, reducing the overall impact and aiding quicker recovery. Such strategies are essential for maintaining resilience against increasingly sophisticated cyber threats.
Source: [Minute Hack]
Governance, Risk and Compliance
Verizon 2024 Data Breach Investigations Report: 5 Takeaways | MSSP Alert
Verizon DBIR: Vulnerability exploitation in breaches up 180% | TechTarget
Verizon DBIR: Basic Security Gaffes Cause Breach Surge (darkreading.com)
95% of Organisations Revamped Their Cyber Security Strategies in the Last Year | Business Wire
95% of organisations adjusted cyber security strategies this past year | Security Magazine
1 in 5 US Ransomware Attacks Triggers Lawsuit - Infosecurity Magazine (infosecurity-magazine.com)
Are Enterprises Overconfident About Cyber Security Readiness? (govinfosecurity.com)
How CISOs Can Contend with Increasing Scrutiny from Regulators (informationweek.com)
Correlating Cyber Investments with Business Outcomes (inforisktoday.com)
Ending The Culture of Silence In Cyber Security – 3 Ways To Empower Teams - Minutehack
97% of security leaders have increased SaaS security budgets - Help Net Security
The rise in CISO job dissatisfaction – what’s wrong and how can it be fixed? | CSO Online
Should Cyber Security Leadership Finally be Professionalized? - SecurityWeek
What needs to change to overcome nonchalant security approaches | TechRadar
Agile by Design: Cyber Security at the Heart of Transformation (noeticcyber.com)
Threats
Ransomware, Extortion and Destructive Attacks
Q1 2024 Ransomware Report: 21% Increase in Q1 2023 Ransomware Activity (corvusinsurance.com)
91% of ransomware victims paid at least one ransom in the past year, survey finds | ZDNET
1 in 5 US Ransomware Attacks Triggers Lawsuit - Infosecurity Magazine (infosecurity-magazine.com)
There was an 81% year-over-year increase in ransomware attacks | Security Magazine
Ransom recovery costs reach $2.73 million - Help Net Security
Cactus Ransomware Group Targets Qlik Sense Servers | Decipher (duo.com)
How AI and data protection intersect in today's threat era - SiliconANGLE
Better hygiene may mitigate the need to ban ransomware payments | Computer Weekly
Ukrainian REvil Hacker Sentenced to 13 Years and Ordered to Pay $16 Million (thehackernews.com)
How Businesses Should Grapple With Ransomware Threats (eetimes.eu)
Cyber security consultant arrested after allegedly extorting IT firm (bleepingcomputer.com)
Ransomware Victims
Change Healthcare breached via Citrix portal with no MFA | TechTarget
Almost all US hospitals took financial hit from Change hack, AHA says | Reuters
Another major pharmacy chain shuts following possible cyber attack | TechRadar
Hack That Paralyzed US Health Care Turns Up Scrutiny on Insurer (claimsjournal.com)
Cyber attack to cost Western Isles Council half a million pounds (holyrood.com)
LockBit publishes confidential data stolen from Cannes hospital in France (therecord.media)
French hospital CHC-SV refuses to pay LockBit extortion demand (bleepingcomputer.com)
'Cybersecurity incident' closes London Drugs' pharmacies • The Register
Phishing & Email Based Attacks
AI-driven phishing attacks deceive even the most aware users - Help Net Security
US Post Office phishing sites get as much traffic as the real one (bleepingcomputer.com)
If you receive a Shein mystery box, do not open it | TechRadar
Why the automotive sector is a target for email-based cyber attacks - Help Net Security
BEC
BEC and Fund Transfer Fraud Top Insurance Claims - Infosecurity Magazine (infosecurity-magazine.com)
Other Social Engineering
FBI warns of fake verification schemes targeting dating app users (bleepingcomputer.com)
A Lot of People Are Falling for Those 'Your Package Cannot Be Delivered' Texts | PCMag
Artificial Intelligence
AI-driven phishing attacks deceive even the most aware users - Help Net Security
AI is creating a new generation of cyber attacks - Help Net Security
Combating the Rising Tide of AI-Driven Cyber Crime (cryptopolitan.com)
Businesses turn to generative AI but many don't have policies on it (betanews.com)
How AI and data protection intersect in today's threat era - SiliconANGLE
Understanding emerging AI and data privacy regulations - Help Net Security
To understand the risks posed by AI, follow the money – O’Reilly (oreilly.com)
From Risk to Resilience: Managing Data Security in AI-Driven Enterprises | Inc.com
Cyber security experts face AI risks, deepfakes, burnout | Fortune
US Government Releases New AI Security Guidelines for Critical Infrastructure (thehackernews.com)
Why Using Microsoft Copilot Could Amplify Existing Data Quality and Privacy Issues - SecurityWeek
2FA/MFA
Malware
New "Goldoon" Botnet Targets D-Link Routers With Decade-Old Flaw (thehackernews.com)
New SOHO router malware aims for cloud accounts, internal company resources - Help Net Security
Guarding the Gates: The Growing Abundance of Linux Malware - VMRay
Bogus npm Packages Used to Trick Software Developers into Installing Malware (thehackernews.com)
Millions of Malicious 'Imageless' Containers Planted on Docker Hub Over 5 Years (thehackernews.com)
ZLoader Malware Evolves with Anti-Analysis Trick from Zeus Banking Trojan (thehackernews.com)
New Cuttlefish malware infects routers to monitor traffic for credentials (bleepingcomputer.com)
Mobile
Powerful 'Brokewell' Android Trojan Allows Attackers to Takeover Devices - SecurityWeek
Google Prevented 2.28 Million Malicious Apps from Reaching Play Store in 2023 (thehackernews.com)
New Wpeeper Android malware hides behind hacked WordPress sites (bleepingcomputer.com)
Microsoft warns of "Dirty Stream" attack impacting Android apps (bleepingcomputer.com)
Denial of Service/DoS/DDOS
Internet of Things – IoT
NCSC: New UK law bans default passwords on smart devices (securityaffairs.com)
A glaring Android TV security flaw might put your Gmail at risk | Android Central
Data Breaches/Leaks
PSNI data breach: Almost 5,000 officers and staff in legal action - BBC News
Kaiser Permanente data breach may have impacted 13.4 million patients (securityaffairs.com)
FBCS data breach impacted 2M individuals (securityaffairs.com)
States shares health debt data of 5,000 in an email | Guernsey Press
Qantas app exposed sensitive traveller details to random users (bleepingcomputer.com)
Philadelphia Inquirer: Data of over 25,000 people stolen in 2023 breach (bleepingcomputer.com)
Australian pubgoers' personal info posted to leak site • The Register
Monash Health data breach exposes sexual assault and family violence claims (smh.com.au)
Panda Restaurant Group disclosed a data breach (securityaffairs.com)
Organised Crime & Criminal Actors
AI is creating a new generation of cyber attacks - Help Net Security
Combating the Rising Tide of AI-Driven Cyber Crime (cryptopolitan.com)
Router Roulette: Cyber Criminals and Nation-States Sharing Compromised Networks | Trend Micro (US)
Insider Risk and Insider Threats
How insider threats can cause serious security breaches - Help Net Security
Ex-NSA Employee Sentenced to 22 Years for Trying to Sell U.S. Secrets to Russia (thehackernews.com)
Insurance
Cyber facility in capacity raise as risk severity grows (emergingrisks.co.uk)
Hack That Paralyzed US Health Care Turns Up Scrutiny on Insurer (claimsjournal.com)
Supply Chain and Third Parties
Cloud/SaaS
New SOHO router malware aims for cloud accounts, internal company resources - Help Net Security
97% of security leaders have increased SaaS security budgets - Help Net Security
Encryption
UK's Investigatory Powers Bill approved to become law • The Register
Ten years of Heartbleed: Lessons learned | SC Media (scmagazine.com)
Linux and Open Source
Passwords, Credential Stuffing & Brute Force Attacks
Change Healthcare breached via Citrix portal with no MFA | TechTarget
Okta warns of "unprecedented" credential stuffing attacks on customers (bleepingcomputer.com)
NCSC: New UK law bans default passwords on smart devices (securityaffairs.com)
New Cuttlefish malware infects routers to monitor traffic for credentials (bleepingcomputer.com)
How to use a YubiKey to log into Windows and macOS (xda-developers.com)
Social Media
How TikTok Grew From a Fun App for Teens Into a Potential National Security Threat - SecurityWeek
Facebook at 20: Contemplating the Cost of Privacy (darkreading.com)
Training, Education and Awareness
Ending The Culture Of Silence In Cyber Security – 3 Ways To Empower Teams - Minutehack
Everyone's an Expert: How to Empower Your Employees for Cyber Security Success (thehackernews.com)
Regulations, Fines and Legislation
UK's Investigatory Powers Bill approved to become law • The Register
UK rolls out new consumer safeguards for smart devices (betanews.com)
FCC fines major wireless carriers over illegal location data sharing - Help Net Security
Understanding emerging AI and data privacy regulations - Help Net Security
CISA's incident reporting requirements go too far, trade groups and lawmakers say | CyberScoop
Data Protection
Careers, Working in Cyber and Information Security
Cyber security experts face AI risks, deepfakes, burnout | Fortune
The rise in CISO job dissatisfaction – what’s wrong and how can it be fixed? | CSO Online
Agencies to turn toward ‘skill-based hiring’ for cyber and tech jobs, ONCD says | CyberScoop
Cyber Security Degrees, Are They Really Worth It? | HackerNoon
Beyond the Buzz: Rethinking Alcohol as a Cyber Security Bonding Ritual - SecurityWeek
Law Enforcement Action and Take Downs
Ukrainian REvil Hacker Sentenced to 13 Years and Ordered to Pay $16 Million (thehackernews.com)
Police shuts down 12 fraud call centres, arrests 21 suspects (bleepingcomputer.com)
Cyber security consultant arrested after allegedly extorting IT firm (bleepingcomputer.com)
CEO who sold fake Cisco devices to US military gets 6 years in prison (bleepingcomputer.com)
Misinformation, Disinformation and Propaganda
Nation State Actors, Advanced Persistent Threats (APTs), Cyber Warfare, Cyber Espionage and Geopolitical Threats/Activity
Cyber Warfare and Cyber Espionage
Nation State Actors
China
‘Honeypots’ and influence operations: China’s spies turn to Europe (ft.com)
Philippines Pummelled by Cyber Attacks & Misinformation Tied to China (darkreading.com)
Germany grapples with wave of spying threats from Russia and China - BBC News
How TikTok Grew From a Fun App for Teens Into a Potential National Security Threat - SecurityWeek
Think tank: Tech companies spread China's propaganda • The Register
China's attacks on critical infrastructure ‘tip of the iceberg' | SC Media (scmagazine.com)
Chinese Hackers Have Been Probing DNS Networks Globally for Years: Report - SecurityWeek
Muddling Meerkat hackers manipulate DNS using China’s Great Firewall (bleepingcomputer.com)
Chinese government website security has big problems • The Register
Espionage breaches account for 25% in APAC, report reveals (securitybrief.co.nz)
Russia
Router Roulette: Cyber Criminals and Nation-States Sharing Compromised Networks | Trend Micro (US)
Russian Hackers Target Industrial Systems in North America, Europe - SecurityWeek
Pro-Russia hacktivists attacking vital tech in water and other sectors, agencies say | CyberScoop
Germany grapples with wave of spying threats from Russia and China - BBC News
Ukraine Targeted in Cyber Attack Exploiting 7-Year-Old Microsoft Office Flaw (thehackernews.com)
Germany Warns Of Consequences For Alleged Russian Cyber Attack (rferl.org)
Hackers Claim to Have Infiltrated Belarus’ Main Security Service - SecurityWeek
Military Tank Manual, 2017 Zero-Day Anchor Latest Ukraine Cyber Attack (darkreading.com)
Sweden prepares for Eurovision amidst fears of protests, cyber attacks and unrest | Euronews
Ex-NSA Employee Sentenced to 22 Years for Trying to Sell U.S. Secrets to Russia (thehackernews.com)
Two British men charged with helping Russian intelligence - BBC News
Two hackers in Ukraine accused of spreading Russian propaganda (therecord.media)
Iran
North Korea
Other Nation State Actors, Hacktivism, Extremism, Terrorism and Other Geopolitical Threat Intelligence
Vulnerability Management
When is One Vulnerability Scanner Not Enough? (thehackernews.com)
Vulnerability exploitation nearly tripled in 2023 (telecoms.com)
Vulnerabilities
Cisco devices again targeted by state-linked threat campaign - TechCentral.ie
Okta warns of "unprecedented" credential stuffing attacks on customers (bleepingcomputer.com)
1,200+ Vulnerabilities Detected In Microsoft Products In 2023 (gbhackers.com)
Most attacks affecting SMBs target five older vulnerabilities | CSO Online
Severe Flaws Disclosed in Brocade SANnav SAN Management Software (thehackernews.com)
UnitedHealth hackers took advantage of Citrix vulnerability to break in, CEO says (yahoo.com)
Palo Alto Updates Remediation for Max-Critical Firewall Bug (darkreading.com)
WordPress plugin vulnerability poses severe security risk, allows for site takeovers | TechSpot
Ukraine Targeted in Cyber Attack Exploiting 7-Year-Old Microsoft Office Flaw (thehackernews.com)
New R Programming Vulnerability Exposes Projects to Supply Chain Attacks (thehackernews.com)
Grafana Tool Vulnerability Let Attackers Inject SQL Queries (gbhackers.com)
Microsoft says April Windows updates break VPN connections (bleepingcomputer.com)
NTLM auth traffic spikes after Windows Server patch • The Register
New "Goldoon" Botnet Targets D-Link Routers With Decade-Old Flaw (thehackernews.com)
Four Critical Vulnerabilities Expose HPE Aruba Devices to RCE Attacks (thehackernews.com)
Ten years of Heartbleed: Lessons learned | SC Media (scmagazine.com)
1,400 GitLab Servers Impacted by Exploited Vulnerability - SecurityWeek
Tools and Controls
Why remote desktop tools are facing an onslaught of cyber threats | ITPro
Correlating Cyber Investments With Business Outcomes (inforisktoday.com)
When is One Vulnerability Scanner Not Enough? (thehackernews.com)
Microsoft CEO says it is "putting security above all else" in major refocus | TechRadar
Can automating security relieve CISO pressure? (techinformed.com)
10 Critical Endpoint Security Tips You Should Know (thehackernews.com)
Businesses turn to generative AI but many don't have policies on it (betanews.com)
Ending The Culture Of Silence In Cyber Security – 3 Ways To Empower Teams - Minutehack
Organisations Struggle with Zero Trust: Gartner | MSSP Alert
Tech Tip: Why Haven't You Set Up DMARC Yet? (darkreading.com)
97% of security leaders have increased SaaS security budgets - Help Net Security
DPRK's Kimsuky APT Abuses Weak DMARC Policies, Feds Warn (darkreading.com)
How to Red Team GenAI: Challenges, Best Practices, and Learnings (darkreading.com)
Chinese Hackers Have Been Probing DNS Networks Globally for Years: Report - SecurityWeek
Muddling Meerkat hackers manipulate DNS using China’s Great Firewall (bleepingcomputer.com)
Why LLMs are predicting the future of compliance and risk management | VentureBeat
Other News
Microsoft CEO says it is "putting security above all else" in major refocus | TechRadar
A Season Of Health Breaches, A Season Of Changes (forbes.com)
Bank of England tells payment firms to step up disruption mitigation plans (yahoo.com)
NCSC updates warning over hacktivist threat to CNI | Computer Weekly
The EU's Strategy for a Cyber Secure Digital Single Market | UpGuard
To Damage OT Systems, Hackers Tap USBs, Old Bugs & Malware (darkreading.com)
During National Small Business Week, Take Steps to Secure Your Business | CISA
At Microsoft, years of security debt come crashing down | Cybersecurity Dive
Sweden prepares for Eurovision amidst fears of protests, cyber attacks and unrest | Euronews
Sector Specific
Industry specific threat intelligence reports are available.
Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.
· Automotive
· Construction
· Critical National Infrastructure (CNI)
· Defence & Space
· Education & Academia
· Energy & Utilities
· Estate Agencies
· Financial Services
· FinTech
· Food & Agriculture
· Gaming & Gambling
· Government & Public Sector (including Law Enforcement)
· Health/Medical/Pharma
· Hotels & Hospitality
· Insurance
· Legal
· Manufacturing
· Maritime
· Oil, Gas & Mining
· OT, ICS, IIoT, SCADA & Cyber-Physical Systems
· Retail & eCommerce
· Small and Medium Sized Businesses (SMBs)
· Startups
· Telecoms
· Third Sector & Charities
· Transport & Aviation
· Web3
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Threat Briefing 19 April 2024
Black Arrow Cyber Threat Intelligence Briefing 19 April 2024:
-94% of Ransomware Victims Have Their Backups Targeted by Attackers
-Sharing IT Providers Is a Risk for Financial Services, Says IMF, as Rising Cyber Threats Pose Serious Concerns for Financial Stability
-Hackers are Threatening to Publish a Huge Stolen Sanctions and Financial Crimes Watchlist
-Your Annual Cyber Security Is Not Working, but There is a Solution
-73% of Security Professionals Say They’ve Missed, Ignored or Failed to Act on a High Priority Security Alert
-Russia and Ukraine Top Inaugural World Cyber Crime Index
-Police Takedown Major Cyber Fraud Superstore: Will the Cyber Crime Industry Become More Fragmented?
-Small Businesses See Stable Business Climate; Cite Cyber Security as Top Threat
-The Threat from Inside: 14% Surge in Insider Threats Compared to Previous Year
-Dark Web Sales Driving Major Rise in Credential Attacks as Attackers Pummel Networks with Millions of Login Attempts
-Large Enterprises Experience Breaches, Despite Large Security Stacks - Report Finds 93% of Breaches Lead to Downtime and Data Loss
-Charities Doing Worse than Private Sector in Staving off Cyber Attacks
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
94% of Ransomware Victims Have Their Backups Targeted by Attackers
Organisations that have backed up sensitive data may believe they are safe from the effects of ransomware attacks; however a new study by Sophos reported that cyber criminals attempted to compromise the backups of 94% of companies hit by ransomware in the past year. The research found that criminals can demand a higher ransom when they compromise an organisation’s backup data, and those victims are twice as likely to pay. The median ransom demand is $2.3 million when backups are compromised, compared to $1 million otherwise.
Additionally, sectors like state and local governments, along with media and entertainment, are particularly vulnerable with nearly all affected organisations experiencing backup compromises.
Source: [Tech Republic]
Sharing IT Providers Is a Risk for Financial Services, Says IMF, as Rising Cyber Threats Pose Serious Concerns for Financial Stability
The International Monetary Fund has found that with greater digitalisation and heightened geopolitical tensions comes a greater risk of cyber attack with systemic consequences. The IMF noted that losses more than quadrupled since 2017 to $2.5 billion.
The push for technology has led to a number of financial services institutions relying on third-party IT firms, increasing their susceptibility to cyber disruption on a wider scale and a potential ripple effect were a third party to be hit. Whilst such third parties can increase the cyber resilience of a financial services institution, they also expose the industry to systemwide shocks, the IMF reports.
The IMF recommend institutions should identify potential systematic risks in their third-party IT firms. If the organisation is unable to perform such risk assessments, they should seek the expert support of an independent cyber security specialist.
Sources: [The Banker] [IMF]
Hackers are Threatening to Publish a Huge Stolen Sanctions and Financial Crimes Watchlist
A cyber crime group named GhostR has claimed responsibility for stealing 5.3 million records from the World-Check database, which companies use for "know your customer" (KYC) checks to screen potential clients for financial crime risks. The data theft occurred in March and originated from a Singapore-based firm with access to World-Check. The London Stock Exchange Group (LSEG), which owns World-Check, confirmed that the breach involved a third-party's dataset and not their systems directly. The stolen data includes sensitive information on individuals identified as high-risk, such as government-sanctioned figures and those linked to organised crime. LSEG is coordinating with the affected third party and authorities to protect the compromised data and prevent its dissemination.
Source: [TechCrunch]
Your Annual Cyber Security Is Not Working, But There is a Solution
Most organisations utilise annual security training in an attempt to ensure every department develops their cyber awareness skills and is able to spot and report a threat. However, this training is often out of date. Additionally, often training has limited interactivity, failing to capture and maintain employees’ attention and retention. On top of this, many training courses fail to connect employees to real-world scenarios that could occur in their specific job.
To get the most return on investment, organisations need to have more regular education, with the aim of long-term behavioural shifts in the work place, nudging employees towards greater cyber hygiene.
Source: [TechRadar]
73% of Security Professionals Say They’ve Missed, Ignored or Failed to Act on a High Priority Security Alert
A new survey from Coro, targeting small medium enterprises (SME) cyber security professionals, reveals that 73% have missed or ignored high priority security alerts due to overwhelming workloads and managing multiple security tools. The 2024 SME Security Workload Impact Report highlights that SMEs are inundated with alerts and responsibilities, which dilute their focus from critical security threats. On average, these professionals manage over 11 security tools and spend nearly five hours daily on tasks like monitoring and patching vulnerabilities. Respondents handle an average of over 2,000 endpoint security agents across 656 devices, more than half dealing with frequent vendor updates.
Source: [Business Wire]
Russia and Ukraine Top Inaugural World Cyber Crime Index
The inaugural World Cybercrime Index (WCI) identifies Russia, Ukraine, and China as the top sources of global cyber crime. This index, the first of its kind, was developed over four years by an international team from the University of Oxford and the University of New South Wales, with input from 92 cyber crime experts. These experts ranked countries based on the impact, professionalism, and technical skills of their cyber criminals across five cyber crime categories, including data theft, scams, and money laundering. Russia topped the list, followed by Ukraine and China, highlighting their significant roles in high-tech cyber criminal activities. The index, expected to be updated regularly, aims to provide a clearer understanding of cyber crime's global geography and its correlation with national characteristics like internet penetration and GDP. Of note the UK and US also made the top ten list, so it is not just other countries we need to worry about.
Top ten Countries in full:
1. Russia
2. Ukraine
3. China
4. United States
5. Nigeria
6. Romania
7. North Korea
8. United Kingdom
9. Brazil
10. India
Source: [Infosecurity Magazine]
Police Takedown Major Cyber Fraud Superstore: Will the Cyber Crime Industry Become More Fragmented?
The London Metropolitan Police takedown of online fraud service LabHost serves as a reminder of the industrial scale on which cyber crimes are being performed, with the service amassing 480,000 debit or credit card numbers and 64,000 PINs: all for the subscription price of £300 a month. The site even included tutorial videos on how to commit crime and offered customer service.
Such takedowns can lead to fragmentation. The 2,000 individuals subscribed to LabHost may have lost access but where there is demand, supply will be found. The takedown of one service allows other, small services to fill the gap. As the saying goes ‘nature abhors a vacuum’ and it is especially true when it comes to cyber crime; there is too much business for empty spaces not to be filled.
Sources: [ITPro] [The Guardian]
Small Businesses See Stable Business Climate; Cite Cyber Security as Top Threat
Small businesses are experiencing a stable business climate, as reflected by the Small Business Index, indicating an increasing optimism about the economy. However, the recent surge in cyber attacks, including major assaults on UnitedHealth Group and MGM Resorts, has underscored the growing vulnerability of these businesses to cyber crime. Despite 80% of small to medium-sized enterprises feeling well-protected by their IT defences, a Devolutions survey reveals that 69% of them still fell victim to cyber attacks last year. This has led to cyber security being viewed as the greatest threat by 60% of small businesses, even surpassing concerns over supply chain disruptions and the potential for another pandemic.
The average cost of these attacks ranges from $120,000 to $1.24 million, leading to 60% of affected businesses closing within six months. This vulnerability is further compounded by a common underestimation of the ransomware threat. While 71% of businesses feel prepared for future threats, the depth of this preparedness varies, with only 23% feeling very prepared for cyber security challenges.
Sources: [Claims Journal] [Inc.com]
The Threat from Inside: Insider Threats Surge 14% Annually as Cost-of-Living Crisis Bites
Employee fraud grew significantly last year thanks to the opportunities afforded by remote working and the pressures of a cost-of-living crisis in the UK, according to Cifas, an anti-fraud non-profit. The number of individuals recorded in its cross-sector Insider Threat Database (ITD) increased 14% year-on-year (YoY) in 2023, with the most common reason being “dishonest action to obtain benefit by theft or deception” (49%).
Insider threats – both by accident or with malicious intent – by their own employees are overlooked, despite accounting for 58% of cybersecurity breaches in recent years. As a result, a large proportion of businesses may lack any strategy to address insider risks, leaving them vulnerable to financial, operational and reputational harm.
Source: [Infosecurity Magazine] [TechRadar]
Dark Web Sales Driving Major Rise in Credential Attacks as Attackers Pummel Networks with Millions of Login Attempts
Dark web sales are driving a major rise in credential attacks, with a surge in infostealer malware attacks over the last three years significantly heightening the cyber crime landscape. Kaspersky reports a sevenfold increase in data theft attacks, leading to the compromise of over 26 million devices since 2022. Cyber criminals stole roughly 400 million login credentials last year alone, often sold on dark web markets for as low as $10 per log file. These stolen credentials have become a lucrative commodity, fostering a complex economy of initial access brokers who facilitate broader corporate network infiltrations. The Asia-Pacific and Latin America regions have been particularly affected, with millions of credentials stolen annually.
Simultaneously, Cisco’s Talos team warns of a current credential compromise campaign targeting networks via mass login attempts to VPN, SSH, and web apps. Attackers use a mix of generic and specific usernames with nearly 100 passwords from about 4,000 IP addresses, likely routed through anonymising services (such as TOR). These attacks pose risks like unauthorised access, account lockouts, and potential denial-of-service. The attack volume has increased since 18 March this year mirroring a previous alert by Cisco about a similar campaign affecting VPNs. Despite method and infrastructure similarities, a direct link between these campaigns is yet to be confirmed.
Sources: [Ars Technica] [Data Breach Today]
Large Enterprises Experience Breaches, Despite Large Security Stacks; Report Finds 93% of Breaches Lead to Downtime and Data Loss
93% of enterprises admitting to having had a breach have suffered significant consequences, ranging from unplanned downtime to data exposure or financial loss, according to a recent report. 73% of organisations made changes to their IT environment at least quarterly, however only 40% tested their security at the same frequency. Unfortunately, this means that many organisations are facing a significant gap in which changes in the IT environment are untested, and therefore their risk unknown.
Security tools can aid this, however as the report finds, despite having a large number of security stacks, 51% still reported a breach in the past 24 months. Organisations must keep in mind that security extends beyond the technical realm, and it needs to include people and operations.
Sources: [Infosecurity Magazine] [Help Net Security]
Charities Doing Worse than Private Sector in Staving off Cyber Attacks
Recent UK Government data reveals a significant cyber security challenge for charities, with about a third experiencing breaches this past year, equating to nearly 924,000 cyber crimes. Notably, 83% of these incidents involved phishing, with other prevalent threats including fraud emails and malware. The data found that 63% of charities said cyber security was a high priority for senior management, however, charities lag behind the private sector in adopting security monitoring tools and conducting risk assessments.
Additionally, while half of the charities implement basic cyber hygiene defences like malware protection and password policies, only about 40% seek external cyber security guidance.
Source: [TFN]
Governance, Risk and Compliance
Cyber attack volumes peak in first quarter | SC Media (scmagazine.com)
Annual cyber security training isn’t working, so what’s the alternative? | TechRadar
Security breaches are causing more damage than ever before | TechRadar
Small Businesses See Stable Business Climate; Cite Cyber Security as Top Threat (claimsjournal.com)
51% of enterprises experienced a breach despite large security stacks - Help Net Security
Rising Cyber Threats Pose Serious Concerns for Financial Stability (imf.org)
Ex-Uber security exec Joe Sullivan is advising CISOs on how to avoid his legal fate (axios.com)
Cyber Security Tips for Small Businesses Now Considered Big Hacking Targets | Inc.com
The Five Main Steps In A Compliance Risk Assessment Plan (forbes.com)
Pentesting accounts for an average of 13% of total IT security budgets | Security Magazine
Threats
Ransomware, Extortion and Destructive Attacks
Sophos Study: 94% of Ransomware Victims Have Their Backups Targeted (techrepublic.com)
FBI: Akira ransomware raked in $42 million from 250+ victims (bleepingcomputer.com)
What if we made ransomware payments illegal? | SC Media (scmagazine.com)
Critical Atlassian Flaw Exploited to Deploy Linux Variant of Cerber Ransomware (thehackernews.com)
Moldovan charged for operating botnet used to push ransomware (bleepingcomputer.com)
Ransomware, meet DRaaS: The future of disaster mitigation (betanews.com)
A whole new generation of ransomware makers are attempting to shake up the market | TechRadar
Security Think Tank: Approaches to ransomware need a course correction | Computer Weekly
Ransomware Victims Who Pay a Ransom Drops to Record Low (databreachtoday.co.uk)
Ransomware Victims
Change Healthcare’s ransomware attack costs reach nearly $1B • The Register
Ransomware attacks against food, agriculture industry examined | SC Media (scmagazine.com)
Ransomware attack compromises UN agency data | SC Media (scmagazine.com)
840-bed hospital in France postpones procedures after cyber attack (bleepingcomputer.com)
US think tank Heritage Foundation hit by cyber attack | TechCrunch
Daixin ransomware gang claims attack on Omni Hotels (bleepingcomputer.com)
Ransomware feared as Octapharma Plasma closes 150+ centers • The Register
Cyber Attack Takes Frontier Communications Offline (darkreading.com)
Phishing & Email Based Attacks
FBI warns of massive wave of road toll SMS phishing attacks (bleepingcomputer.com)
FIN7 targets American automaker’s IT staff in phishing attacks (bleepingcomputer.com)
Other Social Engineering
Quishing: The New Cyber Threat to the Cleared Workplace - ClearanceJobs
FBI warns of massive wave of road toll SMS phishing attacks (bleepingcomputer.com)
Cyber criminals pose as LastPass staff to hack password vaults (bleepingcomputer.com)
Artificial Intelligence
CISOs not changing priorities in response to AI threats (betanews.com)
92% of enterprises unprepared for AI security challenges - Help Net Security
AI Copilot: Launching Innovation Rockets, But Beware of the Darkness Ahead (thehackernews.com)
Best Practices & Guidance For AI Security Deployment 2024 (gbhackers.com)
C-suite weighs in on generative AI and security (securityintelligence.com)
2FA/MFA
Cisco Duo warns third-party data breach exposed SMS MFA logs (bleepingcomputer.com)
Roku Mandates 2FA for Customers After Credential-Stuffing Compromise (darkreading.com)
Malware
LockBit 3.0 Variant Generates Custom, Self-Propagating Malware (darkreading.com)
TA558 Hackers Weaponize Images for Wide-Scale Malware Attacks (thehackernews.com)
Evil XDR: Researcher Turns Palo Alto Software Into Perfect Malware (darkreading.com)
Firebird RAT creator and seller arrested in the US and Australia (bleepingcomputer.com)
Destructive ICS Malware 'Fuxnet' Used by Ukraine Against Russian Infrastructure - Security Week
New SteganoAmor attacks use steganography to target 320 orgs globally (bleepingcomputer.com)
Russian APT Deploys New 'Kapeka' Backdoor in Eastern European Attacks (thehackernews.com)
Malicious Google Ads Pushing Fake IP Scanner Software with Hidden Backdoor (thehackernews.com)
Fake cheat lures gamers into spreading infostealer malware (bleepingcomputer.com)
Mobile
Government spyware is another reason to use an ad blocker | TechCrunch
iPhone users warned to disable iMessage temporarily to avoid getting hacked - PhoneArena
Enterprises face significant losses from mobile fraud - Help Net Security
SoumniBot malware exploits Android bugs to evade detection (bleepingcomputer.com)
Denial of Service/DoS/DDOS
Internet of Things – IoT
How to protect IP surveillance cameras from Wi-Fi jamming - Help Net Security
CISA warns of critical vulnerability in Chirp smart locks • The Register
New rules for security of connected products in the UK and EU - Lexology
Data Breaches/Leaks
CISA orders agencies impacted by Microsoft hack to mitigate risks (bleepingcomputer.com)
Panama Papers: Money laundering trial of 27 defendants begins
Giant Tiger data breach may have impacted millions of customers (securityaffairs.com)
5 Ways Your Personal Information May End Up On The Dark Web (slashgear.com)
Law Firm to Pay $8M to Settle Health Data Hack Lawsuit (databreachtoday.co.uk)
Organised Crime & Criminal Actors
Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain
Chinese fraud victims seek return of £3bn in bitcoin seized in UK (ft.com)
Ex-Amazon engineer gets 3 years for hacking crypto exchanges (bleepingcomputer.com)
Security engineer jailed for 3 years for $12M crypto hacks | TechCrunch
Hackers hijack OpenMetadata apps in Kubernetes cryptomining attacks (bleepingcomputer.com)
Insider Risk and Insider Threats
Insurance
Cloud/SaaS
What Is Microsoft's Role in the Shared Responsibility Model for Data Security? (prweb.com)
For Service Accounts, Accountability Is Key to Security (darkreading.com)
Identity and Access Management
Linux and Open Source
Open source groups say more software projects may have been targeted for sabotage (yahoo.com)
Critical Atlassian Flaw Exploited to Deploy Linux Variant of Cerber Ransomware (thehackernews.com)
Passwords, Credential Stuffing & Brute Force Attacks
Attackers are pummelling networks around the world with millions of login attempts | Ars Technica
Roku Mandates 2FA for Customers After Credential-Stuffing Compromise (darkreading.com)
Cisco warns of large-scale brute-force attacks against VPN and SSH services (securityaffairs.com)
For Service Accounts, Accountability Is Key to Security (darkreading.com)
Dark Web Sales Driving Major Rise in Credential Attacks (databreachtoday.co.uk)
Social Media
Malvertising
Government spyware is another reason to use an ad blocker | TechCrunch
Google to crack down on third-party YouTube apps that block ads (bleepingcomputer.com)
Training, Education and Awareness
Annual cyber security training isn’t working, so what’s the alternative? | TechRadar
Cyber security training: How to make it more motivating (hrexecutive.com)
Regulations, Fines and Legislation
US Supreme Court ruling suggests change in cyber security disclosure process | CSO Online
New rules for security of connected products in the UK and EU - Lexology
Congress votes to kick Uncle Sam’s data broker habit • The Register
Cops can force suspect to unlock phone with thumbprint, US court rules | Ars Technica
Models, Frameworks and Standards
Backup and Recovery
Data Protection
Careers, Working in Cyber and Information Security
IT and security professionals demand more workplace flexibility - Help Net Security
National Security at Risk as Essential Cyber Security Roles Face Sharp Decline (prnewswire.com)
Break Security Burnout: Combining Leadership With Neuroscience (darkreading.com)
Law Enforcement Action and Take Downs
Firebird RAT creator and seller arrested in the US and Australia (bleepingcomputer.com)
Moldovan charged for operating botnet used to push ransomware (bleepingcomputer.com)
Misinformation, Disinformation and Propaganda
Nation State Actors, Advanced Persistent Threats (APTs), Cyber Warfare, Cyber Espionage and Geopolitical Threats/Activity
Cyber Warfare and Cyber Espionage
China
Chinese, Russian Hackers Keep Getting Past Microsoft's Security (businessinsider.com)
Leaked FBI document shows MPs were kept in dark over China hack for two years (inews.co.uk)
Risks are higher than ever for US- China cyber war | Responsible Statecraft
State-Sponsored Hackers Exploit Zero-Day to Backdoor Palo Alto Networks Firewalls - Security Week
Singapore infosec boss: splinternet hinders interoperability • The Register
FBI says Chinese hackers preparing to attack US infrastructure | Reuters
Chinese fraud victims seek return of £3bn in bitcoin seized in UK (ft.com)
Russia
Chinese, Russian Hackers Keep Getting Past Microsoft's Security (businessinsider.com)
CISA orders agencies impacted by Microsoft hack to mitigate risks (bleepingcomputer.com)
Microsoft breach allowed Russia to steal Feds' emails • The Register
State-Sponsored Hackers Exploit Zero-Day to Backdoor Palo Alto Networks Firewalls - Security Week
How Ukraine’s cyber police fights back against Russia’s hackers | TechCrunch
Russian 'Cyber Sabotage' A Global Threat: Security Firm | IBTimes
Mandiant upgrades Sandworm to APT44 due to increasing threat | TechTarget
Russia's Sandworm 'cyber attacked US, EU water utilities' • The Register
Sandworm Group Shifts to Espionage Attacks, Hacktivist Personas | Decipher (duo.com)
Russia is trying to sabotage European railways, Czech minister said (securityaffairs.com)
Singapore infosec boss: splinternet hinders interoperability • The Register
Russian APT Deploys New 'Kapeka' Backdoor in Eastern European Attacks (thehackernews.com)
Destructive ICS Malware 'Fuxnet' Used by Ukraine Against Russian Infrastructure - Security Week
Iran
Iranian MuddyWater Hackers Adopt New C2 Tool 'DarkBeatC2' in Latest Campaign (thehackernews.com)
Middle East Cyber Ops Intensify, With Israel the Main Target (darkreading.com)
Iran-Backed Hackers Blast Out Threatening Texts to Israelis (darkreading.com)
Israel Holds Hybrid Cyber & Military Readiness Drills (darkreading.com)
North Korea
Other Nation State Actors, Hacktivism, Extremism, Terrorism and Other Geopolitical Threat Intelligence
Vulnerability Management
How to conduct security patch validation and verification | TechTarget
Zero-Day Vulnerabilities: A Beginner’s Guide - The New Stack
The importance of the Vulnerability Operations Centre for cyber security | TechRadar
Vulnerabilities
State-Sponsored Hackers Exploit Zero-Day to Backdoor Palo Alto Networks Firewalls - Security Week
“Highly capable” hackers root corporate networks by exploiting firewall 0-day | Ars Technica
Cisco discloses root escalation flaw with public exploit code (bleepingcomputer.com)
PuTTY SSH client flaw allows recovery of cryptographic private keys (bleepingcomputer.com)
Citrix Releases Security Updates for XenServer and Citrix Hypervisor | CISA
Yubico Issues YubiKey Security Alert For Windows Users (forbes.com)
Samsung Issues Update Now Warning For Millions Of Galaxy Users (forbes.com)
Juniper Networks Publishes Dozens of New Security Advisories - Security Week
Ivanti warns of critical flaws in its Avalanche MDM solution (bleepingcomputer.com)
Oracle Patches 230 Vulnerabilities With April 2024 CPU - Security Week
iPhone users warned to disable iMessage temporarily to avoid getting hacked - PhoneArena
Delinea Fixes Flaw After Analyst Goes Public With Disclosure First (darkreading.com)
Critical Atlassian Flaw Exploited to Deploy Linux Variant of Cerber Ransomware (thehackernews.com)
Telegram fixes Windows app zero-day used to launch Python scripts (bleepingcomputer.com)
Critical RCE Vulnerability in 92,000 D-Link NAS Devices - Security Boulevard
Tools and Controls
Sophos Study: 94% of Ransomware Victims Have Their Backups Targeted (techrepublic.com)
Evil XDR: Researcher Turns Palo Alto Software Into Perfect Malware (darkreading.com)
CISA's Malware Analysis Platform Could Foster Better Threat Intel (darkreading.com)
Pentesting accounts for an average of 13% of total IT security budgets | Security Magazine
Annual cyber security training isn’t working, so what’s the alternative? | TechRadar
6 Ways Businesses Can Boost Their Cloud Security Resilience - Compare the Cloud
Dark Web Monitoring: What's the Value? (bleepingcomputer.com)
Ransomware, meet DRaaS: The future of disaster mitigation (betanews.com)
Cyber security training: How to make it more motivating (hrexecutive.com)
The Five Main Steps In A Compliance Risk Assessment Plan (forbes.com)
AI set to enhance cyber security roles, not replace them - Help Net Security
Stateful vs. stateless firewalls: Understanding the differences | TechTarget
Reports Published in the Last Week
Other News
Charities doing worse than private sector in staving off cyber attacks - TFN
The US counterintelligence head says the list of threats is long and getting longer (cfpublic.org)
Critical Infrastructure Security: Observations From the Front Lines (darkreading.com)
Geopolitical tensions escalate OT cyber attacks - Help Net Security
Microsoft, Beset by Hacks, Grapples With Problem Years in the Making - BNN Bloomberg
The invisible seafaring industry that keeps the internet afloat (theverge.com)
Do we have a plan on how to deal with subsea cables sabotage? | Euronews
Ex-GCHQ chief: Cyber attacks could target fragile trust in utilities - Utility Week
University chiefs to get security service Cobra briefing on hostile states | The Argus
SAP Applications Increasingly in Attacker Crosshairs, Report Shows - Security Week
Emergency services a likely target for cyber attacks, warns DHS - ABC News (go.com)
Sector Specific
Industry specific threat intelligence reports are available.
Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.
· Automotive
· Construction
· Critical National Infrastructure (CNI)
· Defence & Space
· Education & Academia
· Energy & Utilities
· Estate Agencies
· Financial Services
· FinTech
· Food & Agriculture
· Gaming & Gambling
· Government & Public Sector (including Law Enforcement)
· Health/Medical/Pharma
· Hotels & Hospitality
· Insurance
· Legal
· Manufacturing
· Maritime
· Oil, Gas & Mining
· OT, ICS, IIoT, SCADA & Cyber-Physical Systems
· Retail & eCommerce
· Small and Medium Sized Businesses (SMBs)
· Startups
· Telecoms
· Third Sector & Charities
· Transport & Aviation
· Web3
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Threat Briefing 12 April 2024
Black Arrow Cyber Threat Intelligence Briefing 12 April 2024:
-UK Cyber Breaches Survey Finds Business Falling Short on Cyber, as Half Suffer Breach and Many Fail to Report
-The Cyber Attack Stopped by a Microsoft Engineer Was Scarier Than We Realise
-UK Government Urged to Get on ‘Front Foot’ with Ransomware Instead of ‘Absorbing the Punches’
-74% of Employees Falling Victim to Phishing Attacks Hit with Disciplinary Actions; Egress Reveals
-Why Are Many Businesses Turning to Third-Party Security Partners?
-60% of SMBs and 74% of Businesses with up to 500 Employees are Concerned About Cyber Security as Attacks Rise
-Cyber Attacks Cost Financial Firms $12bn Says IMF
-LastPass: Hackers Targeted Employee in Failed Deepfake CEO Call
-Most Cyber Criminal Threats are Concentrated in Just a Few Countries
-Why Incident Response is the Best Cyber Security ROI
-Ransomware Attacks are the Canaries in the Cyber Coal Mine
-Cyber Security is Crucial, but What is Risk and How do You Assess it?
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
UK Cyber Breaches Survey Finds Business Falling Short on Cyber, as Half Suffer Breach and Many Fail to Report
Half of UK businesses experienced a cyber breach last year, according to a survey by the UK Government. The figure could be much higher however, as the survey found only 34% report breaches externally.
It is said that a cyber incident is a matter of when, not if. Nonetheless, 78% of organisations lack a dedicated response plan outlining actions to be taken in the event of a cyber incident and only 11% review their immediate suppliers for risks. To improve cyber resilience, there needs to be a paradigm shift.
Sources: [Computer Weekly] [Computing] [Infosecurity Magazine] [Info Risk Today]
Cyber Attacks Cost Financial Firms $12bn Says IMF
A recent International Monetary Fund (IMF) report has highlighted significant financial losses in the financial services sector, totalling $12 billion over the last two decades due to cyber attacks, with losses accelerating post-pandemic. The number of incidents and the scale of extreme losses have sharply increased, prompting the IMF to urge enhanced cross-border cooperation to uphold the stability of the global financial system.
The report underscores the critical threat that cyber attacks pose to financial stability, particularly for banks in advanced economies which are more exposed to such risks. With major institutions like JP Morgan facing up to 45 billion cyber threats daily, the IMF emphasises the need for international collaboration to effectively manage and mitigate these risks.
Source: [Finextra]
The Cyber Attack Stopped by a Microsoft Engineer Was Scarier Than We Realise
A critical security breach was narrowly avoided when a Microsoft developer detected suspicious activity in XZ Utils, an open-source library crucial to internet infrastructure. This discovery revealed that a new developer had implanted a sophisticated backdoor in the software, potentially giving unauthorised access to millions of servers worldwide. This incident has intensified scrutiny on the vulnerabilities of open-source software, which is largely maintained by unpaid or underfunded volunteers and serves as a backbone for the internet economy. The situation has prompted discussions among government officials and cyber security experts about enhancing the protection of open-source environments. This close call, described by some as a moment of "unreasonable luck," underscores the pressing need for sustainable support and rigorous security measures in the open-source community.
Source: [Inc.com]
UK Government Urged to Get on ‘Front Foot’ with Ransomware Instead of ‘Absorbing the Punches’
Amidst a rising tide of ransomware attacks affecting wide range of UK services, officials in Westminster are being pressured to enhance funding for operations aimed at disrupting ransomware gangs. The current strategy focuses on bolstering organisational cyber security and recovery preparedness, a stance under the second pillar of the UK's National Cyber Strategy known as resilience. However, this approach has not curbed the frequency of incidents, which have steadily increased over the past five years, impacting sectors including the NHS and local governments. In contrast to the proactive disruption efforts seen in the US, the UK has yet to allocate new funds for such measures, despite successful disruptions like the recent takedown of the LockBit gang by the US National Crime Agency, which underscored the potential benefits of increased resources for cyber crime disruption.
Source: [The Record Media]
74% of Employees Falling Victim to Phishing Attacks Hit with Disciplinary Actions
The Egress 'Email Threat Landscape 2024' report reveals a surge in phishing attacks, with 94% of companies falling victim to this type of crime in this past year alone, leading to increasingly complex cyber security challenges. According to the report, 96% of these companies suffered significant repercussions, including operational disruption and data breaches, with common attack vectors being malicious URLs, and malware or ransomware attachments.
The human cost is also notable, with 74 per cent of employees involved in attacks having faced disciplinary actions, dismissals, or voluntary departures, underscoring the severity of the issue and the heightened vigilance among companies in addressing the phishing threat. Financial losses primarily stem from customer churn, which accounts for nearly half of the total impact. Amidst rising attacks through compromised third-party accounts, Egress advocates for stronger monitoring and defence strategies to protect critical data and reduce organisational and individual hardships.
Source: [The Fintech Times]
Why Are Many Businesses Turning to Third-Party Security Partners?
In 2023, 71% of organisations reported being impacted by a cyber security skills shortage, leading many to scale back their cyber security initiatives amid escalating threats. To bridge the gap, businesses are increasingly turning to third-party security partnerships, reflecting a shift towards outsourcing crucial cyber security operations to handle complex challenges more efficiently. This approach is driven by the need to fill technical and resource gaps in the face of a severe workforce shortfall, with an estimated 600,000 unfilled security positions in the US alone. Moreover, these strategic partnerships allow organisations to leverage external expertise for scalable and effective security solutions, alleviating the burden of staying updated with the rapidly evolving threat landscape.
Source: [Help Net Security]
74% of Businesses with up to 500 Employees are Concerned About Cyber Security as Attacks Rise
According to a recent poll by the US Chamber of Commerce, 60% of small businesses expressed concerns about threats, with 58% concerned about a supply chain breakdown. The highest concern came from businesses with 20-500 employees (74%). Despite such concern, only 49% had trained staff on cyber security. When it came to the impact of a cyber event, 27% of respondents say they are one disaster or threat away from shutting down their business.
Sources: [Malwcv arebytes][Marketplace] [US Chamber]
LastPass: Hackers Targeted Employee in Failed Deepfake CEO Call
LastPass recently reported a thwarted voice phishing attack targeting one of its employees using deepfake audio technology to impersonate CEO Karim Toubba. The attack, conducted via WhatsApp, was identified by the employee as suspicious due to the unusual communication channel and clear signs of social engineering, such as forced urgency. Despite the failure of this particular attempt, LastPass has shared the incident publicly to highlight the growing use of AI-generated deepfakes in executive impersonation schemes. This incident underscores a broader trend, as indicated by alerts from both the US Department of Health and Human Services and the FBI, pointing to an increase in sophisticated cyber attacks employing deepfake technology for fraud, social engineering, and potential influence operations.
Source: [Bleepingcomputer]
Most Cyber Criminal Threats are Concentrated in Just a Few Countries
Oxford researchers have developed the world's first cyber crime index to identify global hotspots of cyber criminal activity, ranking countries based on the prevalence and sophistication of cyber threats. The index reveals that a significant portion of cyber threats is concentrated in a few countries, with Russia and Ukraine positioned at the top, with the USA and the UK also ranking prominently. The results indicate that countries like China, Russia, Ukraine, the US, Romania, and Nigeria are among the top hubs for activities ranging from technical services to money laundering. This tool aims to refine the focus for cyber crime research and prevention efforts, although the study acknowledges the need for a broader and more representative sample of expert opinions to enhance the accuracy and applicability of the findings. The index underscores that while cyber crime may appear globally fluid, it has pronounced local concentrations.
Sources: [ThisisOxfordshire] [Phys Org]
Why Incident Response is the Best Cyber Security ROI
The Microsoft Incident Response Reference Guide predicts that most organisations will encounter one or more major security incidents where attackers gain administrative control over crucial IT systems and data. While complete prevention of cyber attacks may not be feasible, prompt and effective incident response is essential to mitigate damage and protect reputations. However, many organisations may not be adequately budgeting for incident response, and the recent UK Government report found that 78% of organisations do not have formalised incident response plans, risking prolonged recovery and increased costs. Cyber crime damages hit $23b in 2023, but the true costs of incidents includes non-financial damage such as reputational harm. If a cyber incident is a matter of when, not if, then a prepared incident response plan is the best cyber security ROI.
Black Arrow works with organisations of all sizes and sectors to design and prepare for managing a cyber security incident; this can include an Incident Response Plan and an educational tabletop exercise for the leadership team that highlights the proportionate controls to help the organisation prevent and mitigate an incident.
Source: [CSO Online]
Ransomware Attacks are the Canaries in the Cyber Coal Mine
A recent report has found that ransomware attacks were up 110% compared to the prior month, stating that unreported attacks were up to 6 times higher. The report found that tactics are increasingly using data extortion, with 92% of attacks utilising this method.
Sources: [Silicon Republic] [The Hill]
Cyber Security is Crucial, but What is Risk and How do You Assess it?
Cyber security is an increasingly sophisticated game of cat and mouse, where the landscape is constantly shifting. Your cyber risk is the probability of negative impacts stemming from a cyber incident, but how do you assess risk?
One thing to understand is that there are a multitude of risks: risks from phishing, risks from insiders, risks from network attacks, risks of supply chain compromise, and of course, nation states. To understand risk, an organisation must first identify the information that it needs to protect, to avoid only learning of the information asset’s existence from a successful attacker. Once all assets are identified, then organisations should conduct risk assessments to identify threats and an evaluation the potential damage that can be done.
Sources: [Security Boulevard] [International Banker]
Governance, Risk and Compliance
Cyber attacks cost financial firms $12bn says IMF (finextra.com)
UK business falling short on cybersecurity warns government report (computing.co.uk)
60% of small businesses are concerned about cyber security threats | Malwarebytes
Cyber attacks on small businesses are on the rise - Marketplace
What is cyber security risk & how to assess - Security Boulevard
Cyber Security Regulations Aren’t Static—Your Practices Can’t Be Either (forbes.com)
Why Cyber Security Is More Crucial Today Than Ever Before (internationalbanker.com)
Why are many businesses turning to third-party security partners? - Help Net Security
CISO Perspectives on Complying with Cyber Security Regulations (thehackernews.com)
Why incident response is the best cyber security ROI | CSO Online
Privacy Versus Cyber – What is the Bigger Risk? | Jackson Lewis P.C. - JDSupra
Large businesses struggle to tackle cyber threats (betanews.com)
Resilience And Antifragility Are The Best Strategies For 2024 (forbes.com)
The state of secrets security: 7 action items for better managing risk - Security Boulevard
Former Uber CSO Joe Sullivan and lessons learned from the infamous 2016 Uber breach | CSO Online
Why cyberpsychology is such an important part of effective cyber security | CSO Online
Cyber Security in the Evolving Threat Landscape (securityaffairs.com)
How CISOs can make themselves ready to serve on the board | CSO Online
CISOs Need A Data-Driven Approach To Offensive Security (forbes.com)
Threats
Ransomware, Extortion and Destructive Attacks
Ransomware surged 110pc last month, report claims (siliconrepublic.com)
Ransomware attacks are the canaries in the cyber coal mine | The Hill
Ransomware gang’s new extortion trick? Calling the front desk | TechCrunch
Frameworks, Guidelines & Bounties Alone Won't Defeat Ransomware (darkreading.com)
Ransomware group maturity should influence ransom payment decision - Help Net Security
Proactive and Reactive Ransomware Protection Strategies - Security Boulevard
How can the energy sector bolster its resilience to ransomware attacks? - Help Net Security
CL0P's Ransomware Rampage - Security Measures for 2024 (thehackernews.com)
LockBit copycat DarkVault spurs rebranding rumour | SC Media (scmagazine.com)
Ransomware payouts hit all-time high, but that’s not the whole story (securityintelligence.com)
Ransomware Victims
Second ransomware gang says it’s extorting Change Healthcare • The Register
Targus says it is facing major cyber attack, global operations hit | TechRadar
Optics giant Hoya hit with $10 million ransomware demand (bleepingcomputer.com)
Panera Bread week-long IT outage caused by ransomware attack (bleepingcomputer.com)
Phishing & Email Based Attacks
Honeytrap sext scandal MP William Wragg will keep Tory whip (thetimes.co.uk)
How malicious email campaigns continue to slip through the cracks - Help Net Security
TA547 Phishing Attack Hits German Firms with Rhadamanthys Stealer (thehackernews.com)
Cyber Criminals Invade Inboxes: What Small Businesses Can Do (pymnts.com)
Phishing Detection and Response: What You Need to Know - Security Boulevard
Other Social Engineering
Cyber Criminals Target Victims Using Social Engineering Techniques (ic3.gov)
Honeytrap sext scandal MP William Wragg will keep Tory whip (thetimes.co.uk)
LastPass: Hackers targeted employee in failed deepfake CEO call (bleepingcomputer.com)
Artificial Intelligence
China is using generative AI to carry out influence operations (securityaffairs.com)
What Lies Ahead for Cyber Security in the Era of Generative AI? - IT Security Guru
AI risks under the auditor's lens more than ever - Help Net Security
Speed of AI development is outpacing risk assessment | Ars Technica
Malicious PowerShell script pushing malware looks AI-written (bleepingcomputer.com)
LastPass: Hackers targeted employee in failed deepfake CEO call (bleepingcomputer.com)
AI-as-a-Service Providers Vulnerable to PrivEsc and Cross-Tenant Attacks (thehackernews.com)
How Artificial Intelligence Is Fuelling Incel Communities (yahoo.com)
2FA/MFA
Malware
Urgent Security Alert! Hackers Hijacked Notepad++ Plugin (gbhackers.com)
Sophisticated Latrodectus Malware Linked to 2017 Strain (inforisktoday.com)
Critical Flaws Leave 92,000 D-Link NAS Devices Vulnerable to Malware Attacks (thehackernews.com)
Bing ad posing as NordVPN aims to spread SecTopRAT malware | SC Media (scmagazine.com)
ScrubCrypt used to drop VenomRAT along with many malicious plugins (securityaffairs.com)
Unit 42: Malware-initiated scanning attacks on the rise | TechTarget
RUBYCARP hackers linked to 10-year-old cryptomining botnet (bleepingcomputer.com)
Raspberry Robin Returns: New Malware Campaign Spreading Through WSF Files (thehackernews.com)
Malicious PowerShell script pushing malware looks AI-written (bleepingcomputer.com)
TA547 Phishing Attack Hits German Firms with Rhadamanthys Stealer (thehackernews.com)
Mobile
Denial of Service/DoS/DDOS
How Nation-State DDoS Attacks Impact Us All (darkreading.com)
DDoS Protection Needs Detective and Preventive Controls (darkreading.com)
French cities knocked offline by 'large-scale cyber attack' • The Register
Internet of Things – IoT
Amazon Removes a Feature From Fire TVs Over Security Concerns | Cord Cutters News
Over 90,000 LG Smart TVs may be exposed to remote attacks (bleepingcomputer.com)
EV Charging Stations Still Riddled With Cyber Security Vulnerabilities (darkreading.com)
UK town halls given green light to use Chinese CCTV — despite Westminster ban – POLITICO
Hotel check-in terminal leaks rafts of guests' room codes • The Register
Data Breaches/Leaks
Many of the world's biggest companies reported data breaches last year | TechRadar
US Data Breach Reports Surge 90% Annually in Q1 - Infosecurity Magazine (infosecurity-magazine.com)
37% of publicly shared files expose personal information - Help Net Security
Acuity confirms hackers stole non-sensitive govt data from GitHub repos (bleepingcomputer.com)
Home Depot confirms third-party data breach exposed employee info (bleepingcomputer.com)
AT&T now says data breach impacted 51 million customers (bleepingcomputer.com)
DOJ data on 340,000 individuals stolen in consulting firm hack | SC Media (scmagazine.com)
Taxi software vendor exposes personal details of nearly 300K • The Register
Employee credentials leaked in Microsoft security lapse (techmonitor.ai)
Organised Crime & Criminal Actors
Russia ranked biggest cyber crime threat to rest of the world | Tech News | Metro News
Oxford research uncovers world cyber crime hotspots | thisisoxfordshire
Cyber crooks poison GitHub search to fool developers | Computer Weekly
Zambia Busts 77 People in China-Backed Cyber Crime Op (darkreading.com)
Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain
Hackers deploy crypto drainers on thousands of WordPress sites (bleepingcomputer.com)
RUBYCARP hackers linked to 10-year-old cryptomining botnet (bleepingcomputer.com)
Insider Risk and Insider Threats
Microsoft employees exposed internal passwords in security lapse | TechCrunch
Insider Threats Surge Amid Growing Foreign Interference - Security Boulevard
Insurance
US insurers using drones to deny home insurance policies • The Register
Cyber Insurance: Sexy? No. Important? Critically yes. - Security Boulevard
Supply Chain and Third Parties
Why a near-miss cyber attack put US officials and the tech industry on edge - The Japan Times
DOJ data on 340,000 individuals stolen in consulting firm hack | SC Media (scmagazine.com)
Encryption
Linux and Open Source
The Cyber Attack Stopped by a Microsoft Engineer Was Scarier Than We Realize | Inc.com
Supply chain attack sends shockwaves through open-source community | CyberScoop
German state ditches Microsoft for Linux and LibreOffice | ZDNET
Open source foundations unite on common standards for EU’s Cyber Resilience Act | TechCrunch
Who’s the bigger cyber security risk – Microsoft or open source? (reason.com)
Passwords, Credential Stuffing & Brute Force Attacks
Reusing passwords: The hidden cost of convenience (bleepingcomputer.com)
Microsoft employees exposed internal passwords in security lapse | TechCrunch
CISA says Sisense hack impacts critical infrastructure orgs (bleepingcomputer.com)
Social Media
Regulations, Fines and Legislation
Cyber Security Regulations Aren’t Static—Your Practices Can’t Be Either (forbes.com)
Open source foundations unite on common standards for EU’s Cyber Resilience Act | TechCrunch
Spy Law Needs Fixing Now to Stop Overreach—Not a Backdoor Boost (bloomberglaw.com)
CISA: 300,000+ Small Entities Covered By Proposed Cyber Reporting Regs | MSSP Alert
CISO Perspectives on Complying with Cyber Security Regulations (thehackernews.com)
Models, Frameworks and Standards
HIPAA Fundamentals for Providers | Tucker Arensberg, P.C. - JDSupra
Process and Control Today | NIS2 – cyber security directive from the EU. Get ready! (pandct.com)
Backup and Recovery
Data Protection
Careers, Working in Cyber and Information Security
Law Enforcement Action and Take Downs
Misinformation, Disinformation and Propaganda
Nation State Actors, Advanced Persistent Threats (APTs), Cyber Warfare, Cyber Espionage and Geopolitical Threats/Activity
Nation State Actors
China
A TikTok Whistleblower Got DC’s Attention. Do His Claims Add Up? | WIRED
China is using generative AI to carry out influence operations (securityaffairs.com)
Zambia Busts 77 People in China-Backed Cyber Crime Op (darkreading.com)
Honeytrap sext scandal MP William Wragg will keep Tory whip (thetimes.co.uk)
UK town halls given green light to use Chinese CCTV — despite Westminster ban – POLITICO
China flooding Britain with fake stamps in act of 'economic warfare' (telegraph.co.uk)
Russia
Germany to launch cyber military branch to combat Russian threats (therecord.media)
US says Russian hackers stole federal government emails during Microsoft cyber attack | TechCrunch
Macron: Russia will target Paris Olympics (insidethegames.biz)
Cyber attack on TV channel BabyTV: Toddlers suddenly exposed to Russian propaganda | NL Times
Cyber security in 2023: Estonia's year of advanced threats (e-estonia.com)
Oxford research uncovers world cyber crime hotspots | thisisoxfordshire
Most cyber criminal threats are concentrated in just a few countries, new index shows (phys.org)
Extensive Russian criminal record leak conducted by hacktivist group | SC Media (scmagazine.com)
Other Nation State Actors, Hacktivism, Extremism, Terrorism and Other Geopolitical Threat Intelligence
Top Israeli spy chief exposes his true identity in online security lapse | Israel | The Guardian
Extensive Russian criminal record leak conducted by hacktivist group | SC Media (scmagazine.com)
Apple Updates Spyware Alert System to Warn Victims of Mercenary Attacks (thehackernews.com)
Apple Warns of iPhone "Mercenary Attack" Across 92 Countries (cnet.com)
Vulnerability Management
Zero-Day Attacks on the Rise: Google Reports 50% Increase in 2023 - Security Boulevard
How exposure management elevates cyber resilience - Help Net Security
Company Offering $30 Million for Android, iOS, Browser Zero-Day Exploits - Security Week
Unit 42: Malware-initiated scanning attacks on the rise | TechTarget
Vulnerabilities
Microsoft Fixes 149 Flaws in Huge April Patch Release, Zero-Days Included (thehackernews.com)
Patch Tuesday: Code Execution Flaws in Multiple Adobe Software Products - Security Week
SAP's April 2024 Updates Patch High-Severity Vulnerabilities - Security Week
Microsoft Plugs Gaping Hole in Azure Kubernetes Service Confidential Containers - Security Week
Two new bugs can bypass detection and steal SharePoint data | SC Media (scmagazine.com)
New SharePoint flaws help hackers evade detection when stealing files (bleepingcomputer.com)
Hackers Claiming of Working Windows 0-Day LPE Exploit (cybersecuritynews.com)
Microsoft fixes five security vulnerabilities in Edge 123 - Neowin
Cisco Warns of Vulnerability in Discontinued Small Business Routers - Security Week
Urgent Security Alert! Hackers Hijacked Notepad++ Plugin (gbhackers.com)
+16K Ivanti VPN gateways still vulnerable to RCE CVE-2024-21894 (securityaffairs.com)
Over 92,000 exposed D-Link NAS devices have a backdoor account (bleepingcomputer.com)
Company Offering $30 Million for Android, iOS, Browser Zero-Day Exploits - Security Week
Critical 'BatBadBut' Rust Vulnerability Exposes Windows Systems to Attacks (thehackernews.com)
Intel and Lenovo servers impacted by 6-year-old BMC flaw (bleepingcomputer.com)
Critical Flaws Leave 92,000 D-Link NAS Devices Vulnerable to Malware Attacks (thehackernews.com)
Fortinet Patches Critical RCE Vulnerability in FortiClientLinux - Security Week
Researchers Resurrect Spectre v2 Attack Against Intel CPUs - Security Week
AI-as-a-Service Providers Vulnerable to PrivEsc and Cross-Tenant Attacks (thehackernews.com)
Severe Vulnerabilities Discovered in Software to Protect Internet Routing (prleap.com)
Tools and Controls
Seven ways to be sure you can restore from backup | Computer Weekly
Why incident response is the best cyber security ROI | CSO Online
Improving Dark Web Investigations with Threat Intelligence | Recorded Future
What Lies Ahead for Cyber Security in the Era of Generative AI? - IT Security Guru
What is cyber security risk & how to assess - Security Boulevard
Your Guide to Threat Detection and Response - Security Boulevard
Report finds 90% of cyber attacks in 2023 exploited RDP (securitybrief.co.nz)
How exposure management elevates cyber resilience - Help Net Security
Phishing Detection and Response: What You Need to Know - Security Boulevard
The state of secrets security: 7 action items for better managing risk - Security Boulevard
How Red Team Exercises Increases Your Cyber Health | Trend Micro (US)
How Google’s 90-day TLS certificate validity proposal will affect enterprises - Help Net Security
Reports Published in the Last Week
Other News
Third of charities experienced a cyber breach last year, government reports (civilsociety.co.uk)
Hackers Exploit Magento Bug to Steal Payment Data from E-commerce Websites (thehackernews.com)
OODA Loop - The Water Sector Is Being Threatened. That Should Worry Everyone
France Bracing for Cyber Attacks During Summer Olympics - The New York Times (nytimes.com)
Risk & Repeat: Cyber Safety Review Board takes Microsoft to task | TechTarget
The Baltimore Bridge Collapse Is a Warning | Proceedings - April 2024 Vol. 150/4/1,454 (usni.org)
Report finds 90% of cyber attacks in 2023 exploited RDP (securitybrief.co.nz)
Financial sector cyber security at the helm of investor protection | Mint (livemint.com)
US Health Dept warns hospitals of hackers targeting IT help desks (bleepingcomputer.com)
Former Uber CSO Joe Sullivan and lessons learned from the infamous 2016 Uber breach | CSO Online
Software-Defined Vehicle Fleets Face a Twisty Road on Cyber Security (darkreading.com)
Independent Pharmacies Must Prioritize Cyber Security (drugtopics.com)
Devious 'man in the middle' hacks on the rise: How to stay safe | PCWorld
Top 10 Attacker Techniques: What do They Mean for MSSPs? | MSSP Alert
Sector Specific
Industry specific threat intelligence reports are available.
Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.
· Automotive
· Construction
· Critical National Infrastructure (CNI)
· Defence & Space
· Education & Academia
· Energy & Utilities
· Estate Agencies
· Financial Services
· FinTech
· Food & Agriculture
· Gaming & Gambling
· Government & Public Sector (including Law Enforcement)
· Health/Medical/Pharma
· Hotels & Hospitality
· Insurance
· Legal
· Manufacturing
· Maritime
· Oil, Gas & Mining
· OT, ICS, IIoT, SCADA & Cyber-Physical Systems
· Retail & eCommerce
· Small and Medium Sized Businesses (SMBs)
· Startups
· Telecoms
· Third Sector & Charities
· Transport & Aviation
· Web3
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Threat Briefing 17 November 2023
Black Arrow Cyber Threat Intelligence Briefing 17 November 2023:
-Cyber Resilience Requires Maturity, Persistence & Board Engagement
-Security is a Process, Not a Tool
-46% of SMBs and Enterprises Have Experienced a Ransomware Attack
-Cyber Threat Intelligence: Getting on the Front Foot Against Adversaries
-67% of Workers Put Businesses at Risk by Downloading Applications and Software Without Permission
-The Persistent Menace: Understanding And Combating Ransomware, as New Ransomware Groups Account for Quarter of All Leaks in 2023
-Financial Services still Stubbornly Vulnerable to Cyber Disruption
-Worlds Biggest Bank Hit by Ransomware, Workers Forced to Trade With USB Sticks
-NCSC Warns UK Over Significant Threat to Critical Infrastructure
-Ransomware Gang Files SEC Complaint Over Victim’s Undisclosed Breach
-Businesses are Losing Huge Chunks of Their Revenue to Cyber Attacks
-Phishing Emails Are More Believable Than Ever. Here's What to Do About It.
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
Cyber Resilience Requires Maturity, Persistence & Board Engagement
Cyber resilience is more important than ever, particularly with the added dimensions of deepening geopolitical threats and risks coming from new technology like AI. In cyber security, it is commonly accepted that it is a matter of when, not if, an organisation will experience an attack. It is imperative to ensure there is an ability across the organisation to bounce back.
Source: [Dark Reading]
Security is a Process, not a Tool
The cyber security industry is constantly seeing tools that claim to make organisations 100% secure, despite this never being achievable. A recent report found 55% of all security tools are not put into operation or are not actively managed. Additionally, the report found that 33% of all security incidents are identifiably traced to process errors. The findings are further evidence that cyber security is more than just technology tools: it requires a mindset that aligns controls across people, operations and technology.
Source: [Dark Reading]
46% of SMBs and Enterprises Have Experienced a Ransomware Attack
A recent report found that 46% of small and medium businesses (SMBs) and enterprises have experienced ransomware attacks. In addition, 90% of SMBs and 87% of enterprises are extremely or somewhat concerned about ransomware attacks, and 64% of SMBs and 70% of enterprises don’t believe in paying a ransom.
Despite the fact that nearly 50% of the firms have suffered ransomware, too many businesses still seem to think this is something that will not happen to them and is something only other businesses need to worry about.
Source: [Security Magazine] [IT Business]
Cyber Threat Intelligence: Getting on the Front Foot Against Adversaries
In the realm of cyber security, threat intelligence (TI) is a crucial yet often underused asset for countering sophisticated cyber attacks. TI involves gathering, analysing, and contextualising information about potential cyber threats, including advanced ones, thus enabling organisations to identify, assess, and mitigate cyber risks effectively. The TI market, expected to exceed $44 billion by 2033, offers four main types: Strategic, Tactical, Technical, and Operational.
Each type serves different organisational needs, from informing senior leadership to aiding security operations teams. When thinking about TI, organisations should focus on completeness, accuracy, relevance, timeliness, scalability, vendor reputation, and integration capabilities. The rapidly evolving nature of TI demands a careful, long-term approach to choosing the right services, considering an organisation's maturity and specific needs. Effective TI not only aids in countering immediate threats but also builds long-term resilience. With 80% of the top 2000 global companies projected to increase their TI investment in 2024, it's crucial for organisations to find a trusted vendor to ensure their cyber security success.
Black Arrow conducts daily threat intelligence analyses from trusted specialist sources, and interprets the TI in the context of our client organisations to support them in proactively addressing risks. In addition to our weekly Threat Briefing and subscription email, we offer tailored briefings for organisations in various sectors and geographies.
Source: [welivesecurity]
67% of Workers Put Businesses at Risk by Downloading Applications and Software Without Permission
New research has found that 67% of UK employees are endangering their business by downloading applications and software without the knowledge of IT or security teams.
Other key findings included 39% of respondent organisations lacked total visibility of applications and software on company owned assets, and 77% lacked visibility over employee owned assets connected to the corporate environment. Of total respondents, 69% acknowledged their organisations required better policies and procedures in order to deal with security vulnerabilities, with 39% of total respondents feeling challenged by UK and other jurisdictions’ increasingly complicated regulations and governance requirements.
Black Arrow help organisations of all sizes to design and deliver comprehensive asset visibility programmes that lay the foundation for proportionate and credible cyber security controls to protect the organisation. We enable organisations to adhere to regulatory and governance requirements, by providing expert cyber security resources on a flexible basis for technical, governance and transformational positions.
Sources: [Tech Radar] [the HR Director]
The Persistent Menace: Understanding and Combating Ransomware, as New Ransomware Groups Account for Quarter of All Leaks in 2023
In 2023, the landscape of cyber threats, particularly ransomware, has significantly evolved, remaining a primary concern for businesses.
This change has been further facilitated by the emergence of Ransomware as a Service (RaaS) and the increased sophistication of phishing attacks, supported by advancements in AI. This has led at least in part to almost half (29) of the ransomware groups tracked by WithSecure in 2023 having begun operations this year. These groups accounted for 25% of data leaks in this period, helping to drive a 50% year-on-year increase in data leaks.
Businesses face not only the immediate costs of ransom demands but also indirect impacts such as operational downtime and damage to reputation. Key trends include the exploitation of basic security vulnerabilities, the role of access brokers in facilitating attacks, and innovative evasion techniques used by ransomware groups. Ransomware is not going away, and organisations need to ensure they are prepared given the realistic probability of an attack.
Black Arrow works with organisations of all sizes and sectors to design and prepare for managing a cyber security incident such as ransomware; this can include an Incident Response Plan and an educational tabletop exercise for the leadership team that highlights the proportionate controls to help the organisation prevent and mitigate an incident.
Sources: [Forbes] [Infosecurity Magazine] [ITPro]
Financial Services Still Stubbornly Vulnerable to Cyber Disruption
A recent report found the UK financial system remains stubbornly vulnerable to disruption caused by cyber and IT-related incidents, and that regulated firms are not acting quickly enough to affect required changes designed to ensure firms’ systems are resilient against significant operational shocks.
According to the UK FCA’s records, the total number of cyber incidents reported between January 2018 to May 2023 was 4,192. In general terms, incidents are reportable where they are of a certain level of materiality; for instance, where there has been a “significant failure in the firm's systems or controls.
Source: [FTAdviser]
World’s Biggest Bank Hit by Ransomware; Workers Forced to Trade with USB Sticks
The US subsidiary of the Industrial and Commercial Bank of China (ICBC) experienced a ransomware attack earlier this month, which reportedly forced the bank (ICBC Financial Services) to handle trades through messengers carrying USB thumb drives. This attack has sent shockwaves through financial services and banking and has prompted an increase in vigilance within the financial sector. The US Financial Services Information Sharing and Analysis Center (FS-ISAC) has urged financial services organisations to ensure their systems are protected and vulnerabilities are immediately resolved.
Sources: [SC Media] [Bit Defender]
NCSC Warns UK Over Significant Threat to Critical Infrastructure
The UK's National Cyber Security Centre (NCSC) has once again sounded its concern over the rising threat level to the nation's critical national infrastructure (CNI), with its annual review admitting the level of cyber security resilience in the UK’s most critical areas is not in a satisfactory place.
The NCSC stated that CNI in the UK faces an “enduring and significant” threat from state-aligned threat actors aggressively ramping up activity, and the UK must therefore work more closely with allies and industry in countering “epoch-defining” cyber challenges.
They noted a 64% increase on last year’s voluntary report figures; to note, this refers to organisations voluntarily self-reporting suffering a cyber incident.
For wider context, the Russian cyber attacks on Ukraine began a month and a half before the invasion. In 2022 Ukraine’s national incident response team dealt with 2,194 cyber incidents, followed by another 2,054 attacks in the first 10 months of this year and Ukraine’s defence chief warns that Russia will soon attack companies that provide services to Ukraine as part of their larger cyber efforts.
This comes as Russian hackers were linked to what is being described as the largest ever cyber attack on Danish critical infrastructure. The attack involved 22 companies associated with the operation of Denmark’s energy sector.
Sources: [Computer Weekly] [The Register] [The Record Media] [The Irish Times] [The Hacker News]
Ransomware Gang Files SEC Complaint Over Victim’s Undisclosed Breach
The ALPHV ransomware group, also known as BlackCat, has taken extortion to a new level by filing a US Securities and Exchange Commission (SEC) complaint against one of their alleged victims, MeridianLink, for not complying with the four-day rule to disclose a cyber attack. The ransomware group said it compromised the digital lending solutions provider on November 7 and told the SEC the victim suffered a “significant breach and did not disclose it as required in Form 8-k”. While many ransomware and extortion gangs have threatened to report breaches and data theft to the SEC, this may be the first public confirmation that they have done so. Previously, ransomware actors exerted pressure on victims by contacting customers to let them know of the intrusion. Sometimes, they would also try to intimidate the victim by contacting them directly over the phone.
Sources: [Infosecurity Magazine] [Bleeping Computer]
Businesses are Losing Huge Chunks of Their Revenue to Cyber Attacks
A new report has found that businesses are paying a huge price for not properly securing their digital assets. The report found that businesses on average suffered 46 attacks (successful and unsuccessful) over the last year, resulting in the loss of 9% of their annual income. Cyber attacks are hurting their businesses in other ways such as network outages (34%), data loss (29%), web apps going offline (24%) and customer account compromises (22%).
Firms are reevaluating their cyber security approaches, with 76% planning increased spending despite concerns about current investment efficiency, as 35% feel they've overspent and only 55% of tools are fully utilised. A significant talent gap is also a challenge, with 30% attributing recent issues to a shortage of skilled personnel, and 33% expecting this trend to continue. Nearly half are seeking to address this by boosting recruitment budgets. Additionally, 51% of respondents are focusing on investing in Generative AI tools for cyber security in the next two years.
Source: [TechRadar]
Phishing Emails Are More Believable Than Ever. Here's What to Do About It.
Phishing is not new. This social engineering tactic has existed in the attack toolbox for decades, with threat actors posing as trusted contacts and then targeting unsuspecting victims through email or text messages to steal sensitive data. According to a recent report by Fortinet, phishing is the top tactic (56%) malicious actors use to infiltrate a network and launch ransomware successfully. With the turn of AI-driven content tools, cyber criminals are using them to make their phishing emails and texts appear more realistic than ever before.
It is crucial to focus on employee education to protect organisations. Customised training programs are essential. Security awareness training is fundamental in creating a cyber-aware culture, keeping employees informed about current security threats and meeting compliance requirements.
Black Arrow supports organisations of all sizes in designing and delivering proportionate user education and awareness programmes, including in-person and online training as well as simulated phishing campaigns. Our programmes help secure employee engagement and build a cyber security culture to protect the organisation.
Source: [CSO Online]
Top Cyber Stories of the Last Week
Governance, Risk and Compliance
29% of organisations cite data loss as top security breach result | Security Magazine
Financial services still 'stubbornly vulnerable' to cyber disruption - FTAdviser
Cyber Resilience Requires Maturity, Persistence & Board Engagement (darkreading.com)
Businesses are losing huge chunks of their revenue to cyber attacks | TechRadar
6% of companies have not had a digital risk cyber attack since 2020 | Security Magazine
Cyber threat intelligence: Getting on the front foot against adversaries (welivesecurity.com)
Should cyber security overconfidence be on your threat radar? | TechRadar
Insiders and outsiders: Why cyber security strategies need to look all ways - Digital Journal
Navigating the complex role of the CISO under SEC disclosure rules (betanews.com)
Every Business Owner Should Be Thinking About Improving Online Security | Inc.com
The Role of Cyber Wellness in Safeguarding Businesses - IT Security Guru
The cultural shift that’s needed to see greater ROI in cyber | Federal News Network
Business urged to increase cyber resilience as 2024 set to deliver new threats (emergingrisks.co.uk)
How to withstand the onslaught of cyber security threats - Help Net Security
Threats
Ransomware, Extortion and Destructive Attacks
Financial services still 'stubbornly vulnerable' to cyber disruption - FTAdviser
Law practices and government agencies experience the largest ransomware spikes - Digital Journal
Orgs still losing logs, powerless to speedy ransomware • The Register
Ransomware gang files SEC complaint over victim’s undisclosed breach (bleepingcomputer.com)
46% of SMBs and enterprises have experienced a ransomware attack | Security Magazine
Many organisations don’t believe they are targets of ransomware gangs: OpenText | IT Business
LockBit ransomware exploits Citrix Bleed in attacks, 10K servers exposed (bleepingcomputer.com)
The Persistent Menace: Understanding And Combating Ransomware (forbes.com)
Phishing emails are more believable than ever. Here’s what to do about it. | CSO Online
Ransomware tracker: The latest figures [November 2023] (therecord.media)
Nuclear and Oil & Gas are Major Targets of Ransomware Groups in 2024 (securityaffairs.com)
Ransomware Gang LockBit Revises Its Tactics as Payouts Slip (bloomberglaw.com)
Fast-acting cyber gangs increasingly disabling telemetry logs | Computer Weekly
Uncovering the ransomware threat from global supply chains | ITPro
Business leaders need help in getting off the ransomware merry-go-round (thetimes.co.uk)
Hackers Could Exploit Google Workspace and Cloud Platform for Ransomware Attacks (thehackernews.com)
BlackCat affiliate seen using malvertising to spread ransomware | Computer Weekly
The Rise of Ransomware in Healthcare: What IT Leaders Need to Know (bleepingcomputer.com)
What Do You Do When You’re Hit by Russian Ransomware? - Bloomberg
Success eludes the International Counter Ransomware Initiative - Help Net Security
New Ransomware Group Emerges with Hive's Source Code and Infrastructure (thehackernews.com)
How to combat ransomware in the face of tight security staffing | SC Media (scmagazine.com)
Ransomware attacks: Cyber criminals tout their ‘honesty’ in negotiating ransoms (afr.com)
New approaches to fighting ransomware are emerging | Mimecast
FBI 'Knows Identities' Of MGM, Caesars Hacking Gang | Silicon UK
FBI and CISA warn of opportunistic Rhysida ransomware attacks (bleepingcomputer.com)
FBI pumping 'significant' resources into Scattered Spider • The Register
New BiBi-Windows Wiper Targets Windows Systems in Pro-Hamas Attacks (thehackernews.com)
It ain’t what you store, it’s the way you restore it. • The Register
Ransomware Victims
Ransomware gang files SEC complaint over victim’s undisclosed breach (bleepingcomputer.com)
How a cyber attack crippled the world's largest bank for hours | Euronews
ICBC -- China's biggest bank -- paid ransom: Lockbit hackers (nypost.com)
FBI: Royal ransomware asked 350 victims to pay $275 million (bleepingcomputer.com)
Rackspace Ransomware Costs Soar to Nearly $12M (darkreading.com)
Tri-City Medical Center cyber attack impacting patient care (10news.com)
Maine govt notifies 1.3 million people of MOVEit data breach (bleepingcomputer.com)
LockBit leaks Boeing files after failed ransom negotiations • The Register
'CitrixBleed' Linked to Ransomware Hit on China's State-Owned Bank (darkreading.com)
World's biggest bank hit by ransomware, forced to trade via USB stick (bitdefender.com)
Mortgage giant Mr. Cooper says customer data exposed in breach (bleepingcomputer.com)
British Library’s Halloween cyber scare was ransomware | Computer Weekly
Royal Mail ransomware recovery to cost at least $12 million • The Register
9 million patients had data stolen after US medical transcription firm hacked | TechCrunch
Clorox CISO flushes self after multimillion-dollar attack • The Register
Toyota confirms breach after Medusa ransomware threatens to leak data (bleepingcomputer.com)
Government doesn't know details behind cyber hack that shut down port operator DP World - ABC News
Lorenz ransomware gang hit Texas-based Cogdell Memorial Hospital (securityaffairs.com)
Dragos Says No Evidence of Breach After Ransomware Gang Claims Hack via Third Party - Security Week
Long Beach, California turns off IT systems after cyber attack (bleepingcomputer.com)
Stellantis production affected by cyber attack at auto supplier - The Columbian
Phishing & Email Based Attacks
Phishing emails are more believable than ever. Here’s what to do about it. | CSO Online
From Scanning to Scamming: The Rise of QR Codes in Phishing - VMRay
Zero-Day Flaw in Zimbra Email Software Exploited by Four Hacker Groups (thehackernews.com)
APTs Swarm Zimbra Zero-Day to Steal Government Info Worldwide (darkreading.com)
FBI Warns: Five Weeks In, Gaza Email Scams Still Thriving (darkreading.com)
Police takes down BulletProftLink large-scale phishing provider (bleepingcomputer.com)
Artificial Intelligence
UK told of significant threat as state actors seek to use AI attack systems (emergingrisks.co.uk)
UK NCSC Warns Of Threat To Critical Infrastructure | Silicon UK
AI disinformation campaigns pose major threat to 2024 elections - Help Net Security
Microsoft blocks internal access to ChatGPT over security • The Register
This new ChatGPT-powered infostealer is targeting cloud platforms | TechRadar
The US and 30 Other Nations Agree to Set Guardrails for Military AI | WIRED
Mitigating Deepfake Threats in the Corporate World | MSSP Alert
A Closer Look at ChatGPT's Role in Automated Malware Creation (trendmicro.com)
Organisations Rush to Use Generative AI Tools Despite Risks (globenewswire.com)
How scammers' use of AI is affecting fintech investment | PaymentsSource | American Banker
Malware
This new ChatGPT-powered infostealer is targeting cloud platforms | TechRadar
Infostealers and the high value of stolen data - Help Net Security
Malware was downloaded over 600 million times in 2023 from the Google Play Store - PhoneArena
This fake Windows news site is spreading malware via hacked Google ads | TechRadar
A Closer Look at ChatGPT's Role in Automated Malware Creation (trendmicro.com)
Russian-Moldovan National Admits to Infecting 23,000 Devices with Botnet Malware (occrp.org)
Children’s tablet has malware and exposes kids’ data, researcher finds | TechCrunch
Ducktail Malware Targets the Fashion Industry (darkreading.com)
Mobile
Malware was downloaded over 600 million times in 2023 from the Google Play Store - PhoneArena
Temu Sued in Class Action for Risking User Data to Chinese Government Control | Law.com
Children’s tablet has malware and exposes kids’ data, researcher finds | TechCrunch
How to spot a fake data blocker that could hack your computer in seconds | ZDNET
Denial of Service/DoS/DDOS
Misconfigured Docker API endpoints allow attackers to deliver DDoS botnet agent | CSO Online
How DDoS attacks are taking down even the largest tech companies (bleepingcomputer.com)
Internet of Things – IoT
How to protect your organisation from IoT malware | TechTarget
Defending Against Attacks on Vulnerable IoT Devices (darkreading.com)
Data Breaches/Leaks
Infostealers and the high value of stolen data - Help Net Security
29% of organisations cite data loss as top security breach result | Security Magazine
McLaren Health Care revealed that a data breach impacted 2.2 million people (securityaffairs.com)
Hacker Leaks 800,000 Scraped Chess.com User Records (hackread.com)
Hacker Leaks 35 Million Scraped LinkedIn User Records (hackread.com)
Fourth time unlucky: Okta hit by new cyber attack - Digital Journal
Maine govt notifies 1.3 million people of MOVEit data breach (bleepingcomputer.com)
The real cost of healthcare cyber security breaches - Help Net Security
Mortgage giant Mr. Cooper says customer data exposed in breach (bleepingcomputer.com)
Pharmacy provider Truepill data breach hits 2.3 million customers (bleepingcomputer.com)
Samsung warns some customers their data may have been stolen by hackers | TechRadar
Hackers Claim Major Data Breach at Smart WiFi Provider Plume (hackread.com)
Vietnam Post exposes 1.2TB of data, including email addresses (securityaffairs.com)
Morgan Stanley fined over computers with personal data (cnbc.com)
Samsung says hackers accessed customer data during year-long breach | TechCrunch
A Spy Agency Leaked People's Data Online—Then the Data Was Stolen | WIRED
Organised Crime & Criminal Actors
Russian admits building now-dismantled IPStorm proxy botnet • The Register
Australian Intelligence Report Identifies China as Major Backer of Cyber Crime (voanews.com)
'AlphaLock' Hackers Launch 'Pen-Testing Training' Group (darkreading.com)
Cyber crime Victims Can Turn to New Nonprofit, Intelligence for Good | MSSP Alert
Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain
Ethereum hacked to steal millions from users across the world | TechRadar
Fraudsters make $50,000 a day by spoofing crypto researchers (bleepingcomputer.com)
Insider Risk and Insider Threats
Insiders and outsiders: Why cyber security strategies need to look all ways - Digital Journal
The Role of Cyber Wellness in Safeguarding Businesses - IT Security Guru
3 Ways Behavioural Economics Obstructs Cyber security (darkreading.com)
Insurance
Bridging the Gap: The Vital Role of Skilled Brokers in Cyber Insurance
Aon president warns insurers against ‘walking away’ from major risks (ft.com)
Cyber insurance market attractive despite ransomware uptick: JP Morgan - Reinsurance News
Supply Chain and Third Parties
Uncovering the ransomware threat from global supply chains | ITPro
How top CISOs are transforming third-party risk management | SC Media (scmagazine.com)
Cloud/SaaS
This new ChatGPT-powered infostealer is targeting cloud platforms | TechRadar
Hackers Could Exploit Google Workspace and Cloud Platform for Ransomware Attacks (thehackernews.com)
Traditional cloud security isn't up to the task - Help Net Security
Transforming cyber security from reactive to proactive with attack path analysis - Help Net Security
Identity and Access Management
Encryption
The new frontier in online security: Quantum-safe cryptography (techxplore.com)
In a first, cryptographic keys protecting SSH connections stolen in new attack | Ars Technica
TETRA encryption algorithms entering the public domain • The Register
Passwords, Credential Stuffing & Brute Force Attacks
70% of passwords can be cracked in less than a second, shows NordPass study (business-standard.com)
Google Workspace security flaws could see hackers easily snaffle your password | TechRadar
Stop using weak passwords for streaming services - it's riskier than you think | ZDNET
The worst passwords of 2023 are also the most common, "123456" comes in first | TechSpot
Social Media
Meta and YouTube face criminal surveillance complaints • The Register
How Much Your Social Media Profile Data Is Worth on the Dark Web (makeuseof.com)
Malvertising
BlackCat affiliate seen using malvertising to spread ransomware | Computer Weekly
This fake Windows news site is spreading malware via hacked Google ads | TechRadar
Training, Education and Awareness
Phishing emails are more believable than ever. Here’s what to do about it. | CSO Online
The Role of Cyber Wellness in Safeguarding Businesses - IT Security Guru
3 Ways Behavioural Economics Obstructs Cyber security (darkreading.com)
Regulations, Fines and Legislation
EU Tightens Cyber security Requirements for Critical Infrastructure and Services (darkreading.com)
Meta and YouTube face criminal surveillance complaints • The Register
SEC Suit Ushers in New Era of Cyber Enforcement (darkreading.com)
Make Changes to be Ready for the New SEC Cyber security Disclosure Rule (darkreading.com)
Navigating the complex role of the CISO under SEC disclosure rules (betanews.com)
Clorox CISO flushes self after multimillion-dollar attack • The Register
Morgan Stanley fined over computers with personal data (cnbc.com)
White House is ‘working on version 2.0’ of cyber implementation plan | CyberScoop
Models, Frameworks and Standards
What You Need to Know About NIST CSF 2.0 | Accelerynt, Inc. - JDSupra
Modelling organisations' defensive mechanisms with MITRE D3FEND - Help Net Security
Backup and Recovery
Data Protection
Web browsing data collected in more detail than previously known, report finds (ft.com)
Online ad auction data harms national security – claim • The Register
Careers, Working in Cyber and Information Security
The challenges and opportunities of working in cyber security | TechRadar
How US SEC legal actions put CISOs at risk and what to do about it | CSO Online
Is ‘overwork’ culture a problem for cyber security professionals? (siliconrepublic.com)
Law Enforcement Action and Take Downs
Serbian pleads guilty to running ‘Monopoly’ dark web drug market (securityaffairs.com)
Russian admits building now-dismantled IPStorm proxy botnet • The Register
European Police Take Down $9m Vishing Gang - Infosecurity Magazine (infosecurity-magazine.com)
Russian-Moldovan National Admits to Infecting 23,000 Devices with Botnet Malware (occrp.org)
Private Investigator Aviram Azar Gets Almost 7 Years for Hedge Fund Hacking Ring - Bloomberg
Nation State Actors, Advanced Persistent Threats (APTs), Cyber Warfare, Cyber Espionage and Geopolitical Activity
Cyber Warfare and Cyber Espionage
NCSC Annual Review on 'state-aligned actors' | Professional Security
Zero-Days in Edge Devices Become China's Cyber Warfare Tactic of Choice (darkreading.com)
Cyber espionage operation on embassies linked to Russia’s Cozy Bear hackers (therecord.media)
New NATO cyber forum to support collective response to cyber attacks – EURACTIV.com
Nation State Actors
China
China's Lending Giant Paid Ransom To Russia-Linked Group After It Got Hacked Last Week - Benzinga
ICBC/ransomware: China’s cyber security industry moves out of the shadows
Cyber attack shines light on role of China’s largest lender in US Treasury market (ft.com)
Australian Intelligence Report Identifies China as Major Backer of Cyber Crime (voanews.com)
Zero-Days in Edge Devices Become China's Cyber Warfare Tactic of Choice (darkreading.com)
Labour warns against watering down of UK’s takeover screening powers
Russia
China's Lending Giant Paid Ransom To Russia-Linked Group After It Got Hacked Last Week - Benzinga
Cyber attack shines light on role of China’s largest lender in US Treasury market (ft.com)
Danish Energy Attacks Portend Targeting More Critical Infrastructure (darkreading.com)
Could Russia’s Ukraine Cyber attacks Clue Global Threat? | MSSP Alert
EU Formalizes Cyber security Support For Ukraine - Infosecurity Magazine (infosecurity-magazine.com)
Meet the Unique New "Hacking" Group: AlphaLock (bleepingcomputer.com)
Cyber espionage operation on embassies linked to Russia’s Cozy Bear hackers (therecord.media)
What Do You Do When You’re Hit by Russian Ransomware? - Bloomberg
Ukraine at D+670: GRU may be expanding its targeting. (thecyberwire.com)
Iran
North Korea
Microsoft Warns of Fake Skills Assessment Portals Targeting IT Job Seekers (thehackernews.com)
Novel social engineering attack infrastructure established by BlueNoroff | SC Media (scmagazine.com)
Other Nation State Actors, Hacktivism, Extremism, Terrorism and Other Geopolitical Threat Intelligence
Vulnerabilities
'CitrixBleed' Linked to Ransomware Hit on China's State-Owned Bank (darkreading.com)
LockBit ransomware exploits Citrix Bleed in attacks, 10K servers exposed (bleepingcomputer.com)
Zero-Day Flaw in Zimbra Email Software Exploited by Four Hacker Groups (thehackernews.com)
APTs Swarm Zimbra Zero-Day to Steal Government Info Worldwide (darkreading.com)
CISA warns of actively exploited Juniper pre-auth RCE exploit chain (bleepingcomputer.com)
WP Fastest Cache plugin bug exposes 600K WordPress sites to attacks (bleepingcomputer.com)
Microsoft November 2023 Patch Tuesday fixes 5 zero-days, 58 flaws (bleepingcomputer.com)
Microsoft fixes critical Azure CLI flaw that leaked credentials in logs (bleepingcomputer.com)
Adobe Releases Security Updates for Multiple Products | CISA
ICS Patch Tuesday: 90 Vulnerabilities Addressed by Siemens and Schneider Electric - Security Week
Chipmaker Patch Tuesday: Intel, AMD Address Over 130 Vulnerabilities - Security Week
Fortinet Releases Security Updates for FortiClient and FortiGate | CISA
Urgent: VMware Warns of Unpatched Critical Cloud Director Vulnerability (thehackernews.com)
New PoC Exploit for Apache ActiveMQ Flaw Could Let Attackers Fly Under the Radar (thehackernews.com)
SAP Patches Critical Vulnerability in Business One Product - Security Week
Critical flaw fixed in SAP Business One product (securityaffairs.com)
Citrix Releases Security Updates for Citrix Hypervisor | CISA
Fortinet warns of critical command injection bug in FortiSIEM (bleepingcomputer.com)
An email vulnerability let hackers steal data from governments around the world (engadget.com)
Experts Uncover DarkCasino: New Emerging APT Threat Exploiting WinRAR Flaw (thehackernews.com)
Some AMD EPYC server CPUs have a serious security flaw, so patch now | TechRadr
Microsoft Extends Windows Server 2012 ESUs Until 2026 (petri.com)
Tools and Controls
Building resilience to shield your digital transformation from cyber threats - Help Net Security
Against the Clock: Cyber Incident Response Plan (trendmicro.com)
Fast-acting cyber gangs increasingly disabling telemetry logs | Computer Weekly
Cyber threat intelligence: Getting on the front foot against adversaries (welivesecurity.com)
The New 80/20 Rule for SecOps: Customize Where it Matters, Automate the Rest (thehackernews.com)
Phishing emails are more believable than ever. Here’s what to do about it. | CSO Online
Web Application Attacks | Types of Web Application Attacks | Mimecast
Traditional cloud security isn't up to the task - Help Net Security
National security at risk from web browsing data collection, report finds (ft.com)Zero-Days in Edge Devices Become China's Cyber Warfare Tactic of Choice (darkreading.com)
The cultural shift that’s needed to see greater ROI in cyber | Federal News Network
NCSC backs use of security.txt for cyber resilience | UKAuthority
New approaches to fighting ransomware are emerging | Mimecast
Telemetry gaps leave networks vulnerable as attackers move faster - Help Net Security
The new imperative in API security strategy - Help Net Security
How to Automate the Hardest Parts of Employee Offboarding (thehackernews.com)
Steps CISOs Should Take Before, During & After a Cyber attack (darkreading.com)
Threat Intel: To Share or Not to Share is Not the Question - Security Week
As perimeter defences fall, the identify-first approach steps into the breach | CSO Online
The Role of Cyber Wellness in Safeguarding Businesses - IT Security Guru
OODA Loop - A Model for Cyber security Threat Sharing: Embracing the USA PATRIOT Act & FinCEN
How to speak the board's language with cyber security ROI so it makes sense | Fierce Electronics
Three Ways Generative AI Can Bolster Cyber security | NVIDIA Blogs
Hackers breach healthcare orgs via ScreenConnect remote access (bleepingcomputer.com)
Kubernetes adoption creates new cyber security challenges - Help Net Security
Aon president warns insurers against ‘walking away’ from major risks (ft.com)
CISOs vs. developers: A battle over security priorities - Help Net Security
Hundreds of websites cloned to run ads for Chinese gambling • The Register
AI helps leaders optimize costs and mitigate risks - Help Net Security
It ain’t what you store, it’s the way you restore it. • The Register
Reports Published in the Last Week
Other News
'Alarming': big gaps in organisations' cyber security | The Canberra Times | Canberra, ACT
National security at risk from web browsing data collection, report finds (ft.com)
CISOs vs. developers: A battle over security priorities - Help Net Security
Collaborative strategies are key to enhanced ICS security - Help Net Security
Web Application Attacks | Types of Web Application Attacks | Mimecast
Telemetry gaps leave networks vulnerable as attackers move faster - Help Net Security
Cyber crime Victims Can Turn to New Nonprofit, Intelligence for Good | MSSP Alert
Sector Specific
Industry specific threat intelligence reports are available.
Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.
· Automotive
· Construction
· Critical National Infrastructure (CNI)
· Defence & Space
· Education & Academia
· Energy & Utilities
· Estate Agencies
· Financial Services
· FinTech
· Food & Agriculture
· Gaming & Gambling
· Government & Public Sector (including Law Enforcement)
· Health/Medical/Pharma
· Hotels & Hospitality
· Insurance
· Legal
· Manufacturing
· Maritime
· Oil, Gas & Mining
· OT, ICS, IIoT, SCADA & Cyber-Physical Systems
· Retail & eCommerce
· Small and Medium Sized Businesses (SMBs)
· Startups
· Telecoms
· Third Sector & Charities
· Transport & Aviation
· Web3
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Threat Briefing 21 July 2023
Black Arrow Cyber Threat Briefing 21 July 2023:
-Cyber Attacks Reach Two-Year High Amid Ransomware Resurgence as Financial Service Firms Lose $32 Billion in 5 Years
-MOVEit Body Count Closes in on 400 orgs, 20M+ Individuals
-IT Worker Jailed for Impersonating Ransomware Gang to Extort Employer
-Stabilising the Cyber Security Landscape: The CISO Exodus and the Rise of vCISOs
-Risk is Driving Medium-Sized Business Decisions
-Talent and Governance, Not Technology, are Key to Drive Change around Cyber Security
-Hybrid Work, Digital Transformation can Exploit Security Gaps
-Human Cyber-Risk Can Be Demonstrably Mitigated by Behaviour Changing Training
-AI Tool WormGPT Enables Convincing Fake Emails For BEC Attacks
-Pro-Russian Hacktivists Increase Focus on Western Targets
-Infosec Doesn't Know What AI Tools Orgs Are Using
-Google Restricting Internet Access to Some Employees to Reduce Cyber Attack Risk
-Unlocking Business Potential: How CISOs are Transforming Cyber Security into a Strategic Asset
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
Cyber Attacks Reach Two-Year High Amid Ransomware Resurgence as Financial Service Firms Lose $32 Billion in 5 Years
The average weekly volume of cyber attacks reached a two-year high in the second quarter of 2023 amid a spike in activity among ransomware groups according to Check Point Research, with healthcare in particular facing a significant year-on-year increase. The impact of ransomware hits every organisation, with separate research finding global financial services organisations having lost over $32bn in downtime since 2018 due to ransomware breaches.
A recent report found that the ransomware gangs LockBit and Cl0p alone accounted for nearly 40% of all recorded ransomware attacks across June 2023. The impact from Cl0p’s MOVEit attack alone has been felt by over 400 organisations since May 2023. One of the key takeaways from the MOVEit attack is that no matter the sector, any organisation can be a victim and as such it is essential to have effective controls in place, incorporating defence-in-depth. It’s worth considering how many organisations are still running vulnerable instances of MOVEit, or have someone in their supply chain who is.
https://www.infosecurity-magazine.com/news/ransomware-costs-financial-32bn/
MOVEit Body Count Closes in on 400 Organisations, 20M+ Individuals
The number of victims and the costs tied to the MOVEit file transfer hack continues to climb as the fallout from the massive supply chain attack enters week seven. In late May 2023, Russian ransomware gang Cl0p exploited a security hole in Progress Software's MOVEit product suite to steal documents from vulnerable networks. As of last week, the number of affected organisations was closing in on 400 and individual victims exceed 20 million.
The attack highlights the need for organisations to have policies and procedures in place for third parties, and to be aware of the data which a third party supplier has on them. It will be the organisation who will need to let their customers know in the event of a breach.
https://www.theregister.com/2023/07/20/moveit_victim_count/
IT Worker Jailed for Impersonating Ransomware Gang to Extort Employer
28-year-old Ashley Liles, a former IT employee, has been sentenced to over three years in prison for attempting to blackmail his employer during a ransomware attack. Liles, an IT security analyst at an Oxford-based company in the UK, exploited his position to intercept a ransomware payment following an attack suffered by his employer. To deceive the company, he impersonated the ransomware gang extorting them. He tried to redirect the ransomware payments by switching the cyber criminals' cryptocurrency wallet to one under his control. He also accessed a board member's private emails over 300 times.
Insider threat is a risk that organisations need to be aware of and, although it was malicious in this case, it can also come from employee negligence. Organisations looking to achieve a strong level of cyber resilience should incorporate insider risk into their training and controls.
Stabilising the Cyber Security Landscape: The CISO Exodus and the Rise of vCISOs
In today's evolving digital landscape, the role of a chief information security officer (CISO) is critical. These professionals defend against the rising tide of daily cyber threats. Yet many CISOs are leaving or considering leaving their jobs; this trend seems to reflect the intense pressure CISOs endure. They face a constant stream of complex cyber threats, manage compliance issues and struggle with a talent deficit in cyber security. Paired with high expectations, many reconsider their roles which can lead to a leadership gap.
A virtual CISO (vCISO) is an outsourced security practitioner who offers their expertise to businesses on a part-time or contractual basis. These professionals provide many of the same services as a traditional CISO, such as developing and implementing security strategies, ensuring compliance with regulations, training staff and managing a company's cyber security posture. vCISOs, such as from Black Arrow, are often part of a larger team and can bring a wide range of experiences and skills. They are exposed to diverse security landscapes across industries, and can provide a fresh perspective and innovative solutions to your security challenges. The vCISO model may not replace the need for a full-time CISO in all cases, but it can certainly add a flexible and cost-effective tool to the arsenal of businesses looking to bolster their cyber security posture.
Risk is Driving Medium-Sized Business Decisions
Small and medium sized businesses (SMBs) have long lacked the tools, expertise, staff and budget to make major cyber security investments. However, as threats become more mainstream and more advanced, the focus is shifting, so SMBs need to take the threats seriously and evaluate their cyber security controls.
In a survey of 140 SMBs, it was found that 40% of respondents believe they are very likely or extremely likely to experience a cyber security attack target in the next 12 months. That fear is founded, as 34% of organisations stated they experienced a malware attack in the past year, and 29% experienced a phishing or spear phishing incident. SMBs are putting their time, energy, and budget toward risk management. When it came to budgeting, 67% list their primary budgeting method as “risk-based”, and only 32% as “ad hoc/following an attack or breach”. It was found that over two-thirds of businesses would rather spend money now than pay a ransom later.
Talent and Governance, Not Technology, are Key to Drive Change Around Cyber Security
For the last 20 years, large organisations have been spending significant amounts of money on cyber security products and solutions, on managed services, or with consultancies large and small. Yet maturity levels remain elusive: a report found that 70% of firms surveyed had yet to fully advance to a mature-based approach. Cyber security good practices have been well established for the best part of the last 20 years and continue to provide, in most industries, an acceptable level of protection against most threats and an acceptable level of compliance against most regulations.
However cyber security is often viewed as something external to the business. This perspective leads to talent alienation and execution failures because the employees who should be invested in maintaining and improving cyber security may feel disconnected from these efforts. To make genuine progress, cyber security needs to be intrinsically linked to business values as a visible priority, owned and directed from the highest levels of an organisation.
This approach underlines the importance of governance in setting effective cyber security policies and procedures. It also highlights the crucial role of nurturing talent within the organisation to ensure active involvement in maintaining and improving cyber security measures. While technology is undoubtedly an essential element of cyber security, prioritising talent and governance can lead to lasting progress.
Hybrid Work, Digital Transformation can Exploit Security Gaps
A new study showed that larger organisations generally recognise malware threats but they lack protection against malicious actors and ways to properly remediate infections. The report revealed security leaders are concerned about attacks that leverage malware-exfiltrated authentication data. 53% say they are extremely concerned about attacks, with 1% of security leaders saying they weren’t concerned at all. 98% said that better visibility into at-risk applications would significantly improve their security posture.
The most overlooked entry points for malware include 57% of organisations allowing employees to sync browser data between personal and corporate devices. 54% of organisations struggle with shadow IT, due to employees’ unsanctioned adoption of applications and systems, creating gaps not only in visibility but also in basic security controls and corporate policies.
Human Cyber Risk Can Be Demonstrably Mitigated by Behaviour Changing Training
The process of encouraging secure cyber habits in end users is evolving from traditional awareness training toward changing end user behaviour. It reflects a growing acceptance that traditional methods haven’t worked. While traditional security awareness teaches users how to recognise social engineering, new behaviour changing trains the brain – almost pre-programs it – on the correct recognition and response to phishing.
What is considered a standard phishing email today may not be tomorrow, and changes in user behaviour will help to combat this. It is simply not enough to be shown one phishing email and be told to follow procedures. Training should instead be focused on going beyond; this should look to change how the user approaches things such as phishing, and gamifying the recognition and reporting of it.
AI Tool WormGPT Enables Convincing Fake Emails For BEC Attacks
A generative AI tool, WormGPT, has emerged as a powerful weapon in the hands of cyber criminals, specifically for launching business email compromise (BEC) attacks, according to new findings. The tool is designed for malicious purposes and has no restrictions on what a user can request. Such a tool allows for impeccable grammar in emails to reduce suspicion and allows sophistication with no restrictions on prompts. The lowered entry threshold enables cyber criminals with limited skills to execute sophisticated attacks, democratising the use of this technology.
https://www.infosecurity-magazine.com/news/wormgpt-fake-emails-bec-attacks/
https://www.independent.co.uk/tech/chatgpt-dark-web-wormgpt-hack-b2376627.html
Pro-Russian Hacktivists Increase Focus on Western Targets
‘Anonymous Sudan’, apparent pro-Russian hacktivists, claimed a one-hour distributed denial of service attack on the social platform OnlyFans last week. This was the latest in a string of operations aimed at targets in the US and Europe. The group’s digital assaults coincide with attacks coming from a broader network of hackers aligned with Moscow that seek attention by taking down high-profile victims and strategic targets; many of the targets support Ukraine in its ongoing war against Russia.
The pro-Russian group appears to be affiliated with Killnet, a pro-Russian hacktivist group that emerged in late 2021 or early 2022 and has claimed distributed denial of service (DDoS) attacks, data theft and leaks on perceived adversaries of the Russian government, according to an analysis from Google’s Mandiant released earlier this week. The collective’s apparent significant growth in capabilities, demonstrated by Microsoft’s confirmation that Anonymous Sudan was responsible for the outages they experienced, potentially indicates a significant increase in outside investment in the collective, further suggesting a potential tie to the Russian state.
https://cyberscoop.com/anonymous-sudan-killnet-russia-onlyfans/
Infosec Doesn't Know What AI Tools Organisations Are Using
With the marketplace awash in new artificial intelligence (AI) tools and new AI features being added to existing tools, organisations are finding themselves lacking visibility into what AI tools are in use, how they are used, who has access, and what data is being shared. As businesses try, adopt, and abandon new generative AI tools, it falls on enterprise IT, risk, and security leaders to govern and secure their use without hindering innovation. While developing security policies to govern AI use is important, it is not possible without knowing what tools are being used in the first place.
Enterprise security teams have to consider how to handle discovery, learning which generative AI tools have been introduced into the environment and by whom, as well as risk assessment.
https://www.darkreading.com/tech-trends/infosec-doesnt-know-what-ai-tools-orgs-are-using
Google Restricting Internet Access to Some Employees to Reduce Cyber Attack Risk
In a bid to shrink the attack surface of its employees, and thus boost security, Google is taking an experimental, and some might say extreme, approach: cutting some of their workstations off from the internet. The company originally selected more than 2,500 employees to participate and will disable internet access on the selected desktops, except for internal web-based tools and Google owned websites like Google Drive and Gmail. Some workers who need the internet to do their job will get exceptions, the company stated in materials.
Google is running the programme to reduce the risk of cyber attacks, according to internal materials. If a Google employee’s device is compromised, the attackers may have access to user data and infrastructure code, which could result in a major incident and undermine user trust. The program comes as companies face increasingly sophisticated cyber attacks. Just last week, Microsoft said Chinese intelligence hacked into company email accounts belonging to two dozen government agencies in the US and Western Europe, including the US State Department, in a “significant” breach.
https://www.theregister.com/2023/07/19/google_cuts_internet/
Unlocking Business Potential: How CISOs are Transforming Cyber Security into a Strategic Asset
Enterprises are responding to growing cyber security threats by working to make the best use of tools and services to ensure business resilience, according to a recent report. Chief information security officers (CISOs) and virtual CISOs (vCISOS) in particular, want more solutions and services that help them align security measures with enterprise objectives and C-level executives have become more aware of the need for cyber resilience. As a result, security investments have expanded beyond detection and response to include rapid recovery and business continuity.
The report found that amongst other things, enterprises are investing in risk assessments and outsourcing more services. In some cases, where a CISO cannot be hired, organisations may look to hire a vCISO. It is important that the vCISO is able to understand cyber in context to the business and help to align security objectives with the organisations objectives. Black Arrow supports clients as their vCISO with specialist experience in cyber security risk management in a business context.
https://www.blackarrowcyber.com/blog/threat-briefing-14-july-2023
Governance, Risk and Compliance
Risk is Driving Small and Medium-Sized Businesses (SMB) Decisions - MSSP Alert
Stabilising The Cyber security Landscape: The Rise Of vCISOs (forbes.com)
Talent and Governance, not Technology, are Key to Drive Change around Cyber Security - TechNative
Hybrid Work, Digital Transformation Can Exploit Security Gaps, Study Finds - MSSP Alert
Stress, data privacy, zero trust to shape cyber security trends | SC Media (scmagazine.com)
Network, IAM, cloud are 2023's top cyber security spend priorities | VentureBeat
CISOs are making cyber security a business problem - Help Net Security
Top Information Security Threats for Businesses 2023 (cybersecuritynews.com)
Best practices for an effective cyber security strategy | CSO Online
Exploring the macro shifts in enterprise security - Help Net Security
Google Cloud CISO Phil Venables On Cyber security, Cloud Adoption And The Boardroom (forbes.com)
Threats
Ransomware, Extortion and Destructive Attacks
MOVEit victim count closes in on 400 orgs, 20M+ individuals • The Register
Weekly cyber attacks reach two-year high amid ransomware resurgence | ITPro
Ransomware attacks are on the rise—and so are ransom payments (fastcompany.com)
IT worker jailed for impersonating ransomware gang to extort employer (bleepingcomputer.com)
Security Patch Management Strengthens Ransomware Defence (trendmicro.com)
The rise in ransomware attacks this year may be related to Russia's war in Ukraine : NPR
Cyber security firm Sophos impersonated by new SophosEncrypt ransomware (bleepingcomputer.com)
Trends in ransomware-as-a-service and cryptocurrency to monitor - Help Net SecurityFIN8 deploys ALPHV ransomware using Sardonic malware variant (bleepingcomputer.com)
Linux Ransomware Poses Significant Threat to Critical Infrastructure (darkreading.com)
Financial cyber crime syndicate deploys reworked backdoor malware | CyberScoop
Ransomware attackers getting more sophisticated: Canadian Centre for Cyber Security (yahoo.com)
SophosEncrypt Ransomware Fools Security Researchers (darkreading.com)
Mallox Ransomware Exploits Weak MS-SQL Servers to Breach Networks (thehackernews.com)
New Ransomware With RAT Capabilities Impersonating Sophos - SecurityWeek
Google’s Bard poses ransomware risk, say researchers | Cybernews
FIN8 Group spotted delivering the BlackCat Ransomware - Security Affairs
Cyber insurers adapting to data-centric ransomware threats | TechTarget
Shutterfly says Clop ransomware attack did not impact customer data (bleepingcomputer.com)
Ransomware Victims
MOVEit victim count closes in on 400 orgs, 20M+ individuals • The Register
Ofcom says it won’t pay ransom, as new MOVEit hack victims come forward | TechCrunch
MOVEit Transfer vulnerability: New Cl0p 'victims' include Discovery (techmonitor.ai)
BlackCat and Clop gangs both claim cyber attack on Estée Lauder | Computer Weekly
Iron ore giant Fortescue Metals targeted by Russian ransomware group | Cybercrime | The Guardian
Russian medical lab suspends some services after ransomware attack (therecord.media)
Recycling Giant Tomra Takes Systems Offline Following Cyber attack - SecurityWeek
Shutterfly says Clop ransomware attack did not impact customer data (bleepingcomputer.com)
Phishing & Email Based Attacks
Typo leaks millions of US military emails to Mali web operator | Financial Times (ft.com)
Microsoft Exchange servers compromised by Turla APT - Help Net Security
Microsoft takes pains to obscure role in 0-days that caused email breach | Ars Technica
Analysis of Storm-0558 techniques for unauthorised email access | Microsoft Security Blog
Only a handful of hackers are responsible for all email extortion attacks | TechRadar
Microsoft Tops List of the Most Impersonated Brand for Phishing Scams in Q2 2023 - MSSP Alert
Enhanced Monitoring to Detect APT Activity Targeting Outlook Online | CISA
Gmail encouraging users to enable Enhanced Safe Browsing (9to5google.com)
BEC – Business Email Compromise
Only a handful of hackers are responsible for all email extortion attacks | TechRadar
Nigerian Man Sentenced to 8 Years in US Prison for $8 Million BEC Scheme - SecurityWeek
Other Social Engineering; Smishing, Vishing, etc
Artificial Intelligence
ChatGPT rival WormGPT with ‘no ethical boundaries’ sold to hackers on dark web | The Independent
Infosec Doesn't Know What AI Tools Orgs Are Using (darkreading.com)
AI models must be reconciled with data protection laws • The Register
1 in 4 Brits play with generative AI and some believe it too • The Register
OpenAI credentials stolen by the thousands for sale on the dark web (bleepingcomputer.com)
AI must have better security, says top cyber official - BBC News
Google Categorises 6 Real-World AI Attacks to Prepare for Now (darkreading.com)
How to Use Generative AI Tools While Still Protecting Your Privacy | WIRED
Google’s Bard poses ransomware risk, say researchers | Cybernews
Malware
Microsoft: Hackers turn Exchange servers into malware control centers (bleepingcomputer.com)
Malicious USB Drives Targeting Global Targets with SOGU and SNOWYDRIVE Malware (thehackernews.com)
Financial cyber crime syndicate deploys reworked backdoor malware | CyberScoop
New SOHO Router Botnet AVrecon Spreads to 70,000 Devices Across 20 Countries (thehackernews.com)
Hackers Target Gamers With Microsoft-Signed Rootkit (darkreading.com)
Source code of the BlackLotus UEFI Bootkit was leaked on GitHub - Security Affairs
Are Viruses Still a Threat to Cyber security? (makeuseof.com)
Black Hat Hacker Exposes Real Identity After Infecting Own Computer With Malware - SecurityWeek
Pernicious Rootkits Pose Growing Blight On Threat Landscape (darkreading.com)
Mobile
Hackers Exploit WebAPK to Deceive Android Users into Installing Malicious Apps (thehackernews.com)
Meta confirms WhatsApp is down worldwide (bleepingcomputer.com)
Botnets
New SOHO Router Botnet AVrecon Spreads to 70,000 Devices Across 20 Countries (thehackernews.com)
Ukraine's cyber police dismantled a massive bot farm - Security Affairs
Denial of Service/DoS/DDOS
Cloudflare reports 'alarming surge' in DDoS sophistication, escalation in recent months | CyberScoop
Attackers intensify DDoS attacks with new tactics - Help Net Security
Internet of Things – IoT
How your internet-connected domestic devices can be a critical tool of cyber attack (mid-day.com)
US preparing Cyber Trust Mark for more secure smart devices (bleepingcomputer.com)
Seven new gadgets added to riskiest connected devices list | SC Media (scmagazine.com)
Data Breaches/Leaks
MOVEit Hack: Number of Impacted Organisations Exceeds 340 - SecurityWeek
Data compromises on track to set a new record - Help Net Security
Virustotal data leak exposed data of some registered customers - Security Affairs
What to do (and what not to do) after a data breach - Help Net Security
Thousands of images on Docker Hub leak auth secrets, private keys (bleepingcomputer.com)
Met Police ‘passed victims’ data to Facebook via online tracking tool’ | Evening Standard
LastPass: The lessons we learnt from our devastating breach | TechRadar
JumpCloud, an IT firm serving 200,000 orgs, says it was hacked by nation-state | Ars Technica
Rogue Azure AD Guests Can Steal Data via Power Apps (darkreading.com)
FIA World Endurance Championship driver passports leaked - Security Affairs
Typo leaks millions of US military emails to Mali web operator | Financial Times (ft.com)
Colorado State University says data breach impacts students, staff (bleepingcomputer.com)
Organised Crime & Criminal Actors
Only a handful of hackers are responsible for all email extortion attacks | TechRadar
Nigerian Man Sentenced to 8 Years in US Prison for $8 Million BEC Scheme - SecurityWeek
Owner of BreachForums Pleads Guilty to Cyber crime and Child Pornography Charges (thehackernews.com)
Genesis Market infrastructure and inventory sold on hacker forum (bleepingcomputer.com)
Black Hat Hacker Exposes Real Identity After Infecting Own Computer With Malware - SecurityWeek
Police arrests Ukrainian scareware developer after 10-year hunt (bleepingcomputer.com)
Extremist-friendly tech company closes after fine for securities fraud | Technology | The Guardian
Hacker Conversations: Inside the Mind of Daniel Kelley, ex-Blackhat - SecurityWeek
Go Beyond the Headlines for Deeper Dives into the Cyber criminal Underground (thehackernews.com)
Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain
Insider Risk and Insider Threats
IT worker jailed for impersonating ransomware gang to extort employer (bleepingcomputer.com)
Former contractor accused of remotely accessing town's water treatment facility | Tripwire
Insider Risk Management Starts With SaaS Security (darkreading.com)
Fraud, Scams & Financial Crime
Growing scam activity linked to social media and automation - Help Net Security
A fresh look at the current state of financial fraud - Help Net Security
Tech support scammers now accepting cash via snail mail • The Register
Extremist-friendly tech company closes after fine for securities fraud | Technology | The Guardian
The cruel new holiday scams you need to know about | This is Money
Airbnb-Related Scams Surge: Beware Of ‘Too Good To Be True’ Offers (forbes.com)
AML/CFT/Sanctions
Insurance
Cyber insurers adapting to data-centric ransomware threats | TechTarget
Strengthening Password Security may Lower Cyber Insurance Premiums (bleepingcomputer.com)
Dark Web
Genesis Market infrastructure and inventory sold on hacker forum (bleepingcomputer.com)
OpenAI credentials stolen by the thousands for sale on the dark web (bleepingcomputer.com)
Supply Chain and Third Parties
JumpCloud, an IT firm serving 200,000 orgs, says it was hacked by nation-state | Ars Technica
Google Cloud Build bug lets hackers launch supply chain attacks (bleepingcomputer.com)
Supply chain executives unaware of growing customer trust issues - Help Net Security
Possible Supply Chain Attack Targeting Pakistani Government Delivers Shadowpad (trendmicro.com)
Cloud/SaaS
Microsoft makes cloud security logs available for free • The Register
Microsoft Expands Cloud Logging to Counter Rising Nation-State Cyber Threats (thehackernews.com)
Network, IAM, cloud are 2023's top cyber security spend priorities | VentureBeat
Google Cloud Build bug lets hackers launch supply chain attacks (bleepingcomputer.com)
Three key unanswered questions about the Chinese breach of Microsoft cloud services | CyberScoop
TeamTNT's Cloud Credential Stealing Campaign Now Targets Azure and Google Cloud (thehackernews.com)
Hybrid/Remote Working
Hybrid Work, Digital Transformation Can Exploit Security Gaps, Study Finds - MSSP Alert
Securing The Hybrid Workforce Begins With Browsing (forbes.com)
Attack Surface Management
Identity and Access Management
Network, IAM, cloud are 2023's top cyber security spend priorities | VentureBeat
The rise of hassle-free and secure authentication | CyberScoop
Encryption
Real-world examples of quantum-based attacks - Help Net Security
EU Urged to Prepare for Quantum Cyber Attacks - Infosecurity Magazine (infosecurity-magazine.com)
Signal president rejects ‘mass surveillance’ UK law | Fortune
API
Docker Leaks API Secrets & Private Keys, as Cyber criminals Pounce (darkreading.com)
API keys: Weaknesses and security best practices | TechTarget
Open Source
Passwords, Credential Stuffing & Brute Force Attacks
LastPass: The lessons we learnt from our devastating breach | TechRadar
Millions of Keyboard Walk Patterns Found in Compromised Passwords - IT Security Guru
TeamTNT's Cloud Credential Stealing Campaign Now Targets Azure and Google Cloud (thehackernews.com)
Strengthening Password Security may Lower Cyber Insurance Premiums (bleepingcomputer.com)
Social Media
Growing scam activity linked to social media and automation - Help Net Security
Met Police ‘passed victims’ data to Facebook via online tracking tool’ | Evening Standard
Training, Education and Awareness
Security Awareness Training Isn’t Working - How Can We Improve It? - SecurityWeek
Companywide Cyber security Training: 20 Tips To Make It ‘Stick’ (forbes.com)
Digital Transformation
Travel
The cruel new holiday scams you need to know about | This is Money
Airbnb-Related Scams Surge: Beware Of ‘Too Good To Be True’ Offers (forbes.com)
Regulations, Fines and Legislation
AI models must be reconciled with data protection laws • The Register
Online Safety Bill Last chance for Lords to stop surveillance | Evening Standard
Models, Frameworks and Standards
Data Protection
Careers, Working in Cyber and Information Security
Career Benefits of Learning Ethical Hacking (analyticsinsight.net)
Should You Be Using a Cyber security Careers Framework? (darkreading.com)
Law Enforcement Action and Take Downs
Nigerian Man Sentenced to 8 Years in US Prison for $8 Million BEC Scheme - SecurityWeek
Owner of BreachForums Pleads Guilty to Cyber crime and Child Pornography Charges (thehackernews.com)
Police arrests Ukrainian scareware developer after 10-year hunt (bleepingcomputer.com)
Ukraine's cyber police dismantled a massive bot farm - Security Affairs
Privacy, Surveillance and Mass Monitoring
Online Safety Bill Last chance for Lords to stop surveillance | Evening Standard
Stress, data privacy, zero trust to shape cyber security trends | SC Media (scmagazine.com)
How to Use Generative AI Tools While Still Protecting Your Privacy | WIRED
Misinformation, Disinformation and Propaganda
Nation State Actors, Advanced Persistent Threats (APTs), Cyber Warfare and Cyber Espionage
Russia
The rise in ransomware attacks this year may be related to Russia's war in Ukraine : NPR
Gamaredon hackers start stealing data 30 minutes after a breach (bleepingcomputer.com)
Analysis of Storm-0558 techniques for unauthorised email access | Microsoft Security Blog
Microsoft Exchange servers compromised by Turla APT - Help Net Security
Pro-Russian hacktivists increase focus on Western targets. The latest is OnlyFans. | CyberScoop
Elon Musk’s Starlink is putting our soldiers at risk, Ukraine warns (telegraph.co.uk)
Thousands of Russian officials to give up iPhones over US spying fears | Financial Times (ft.com)
Ukraine innovates on cyber defence | Financial Times (ft.com)
China
Three key unanswered questions about the Chinese breach of Microsoft cloud services | CyberScoop
China Espionage Operatives Left Empty Handed in Email Heist, White House Official Says - MSSP Alert
Xi wants to make the Great Firewall of China even greater • The Register
North Korea
JumpCloud breach traced back to North Korean state hackers (bleepingcomputer.com)
North Korean hackers breached a US tech company to steal crypto | Reuters
Misc/Other/Unknown
JumpCloud, an IT firm serving 200,000 orgs, says it was hacked by nation-state | Ars Technica
APT Protection: The Key to Safeguarding Your Business (ts2.space)
How to Secure Your OT Network Against Advanced Persistent Threats (APTs) (ts2.space)
Microsoft Expands Cloud Logging to Counter Rising Nation-State Cyber Threats (thehackernews.com)
Vulnerability Management
CVSS 4.0 released, to help assess real-time threat and impact of vulnerabilities - Help Net Security
Security Patch Management Strengthens Ransomware Defence (trendmicro.com)
What is Vulnerability Assessment In Cyber security? (gbhackers.com)
Vulnerabilities
Windows Users Urged To Update As Microsoft Confirms New Zero-Day Exploits (forbes.com)
Microsoft still unsure how hackers stole Azure AD signing key (bleepingcomputer.com)
Microsoft takes pains to obscure role in 0-days that caused email breach | Ars Technica
CVE-2023-38408: Remote Code Execution in OpenSSH’s forwarded ssh-agent | Qualys Security Blog
New critical Citrix ADC and Gateway flaw exploited as zero-day (bleepingcomputer.com)
OpenSSH Addresses Remote Code Execution Vulnerability: CVE-2023-38408 - VULNERA
Adobe Rolls Out New Patches for Actively Exploited ColdFusion Vulnerability (thehackernews.com)
Cisco fixed a critical flaw in SD-WAN vManage - Security Affairs
Hacking campaign targets sites using WordPress WooCommerce Payments Plugin - Security Affairs
Microsoft hit by Storm season – a tale of two semi-zero days – Naked Security (sophos.com)
5 Major Takeaways From Microsoft's July Patch Tuesday (darkreading.com)
Two Jira Plugin Vulnerabilities in Attacker Crosshairs - SecurityWeek
Google says Apple employee found a zero-day but did not report it | TechCrunch
Tools and Controls
Network, IAM, cloud are 2023's top cyber security spend priorities | VentureBeat
Stress, data privacy, zero trust to shape cyber security trends | SC Media (scmagazine.com)
Leverage Threat Intelligence, AI, and Data at Scale to Boost Cyber Defences (darkreading.com)
A Few More Reasons Why RDP is Insecure (Surprise!) (thehackernews.com)
Enterprise communication security a growing risk, priority | TechTarget
MIT’s Cyber security Metior: A Secret Weapon Against Side-Channel Attacks (scitechdaily.com)
NCSC Shares Alternatives to Using a SOC - Infosecurity Magazine (infosecurity-magazine.com)
Microsoft's security roadmap: Protect Azure DevOps secrets • The Register
CISA shares free tools to help secure data in the cloud (bleepingcomputer.com)
What is the new Enhanced Safe Browsing for Gmail (and should you enable it)? | ZDNET
Insider Risk Management Starts With SaaS Security (darkreading.com)
67% of daily security alerts overwhelm SOC analysts - Help Net Security
Gmail encouraging users to enable Enhanced Safe Browsing (9to5google.com)
Microsoft Expands Cloud Logging to Counter Rising Nation-State Cyber Threats (thehackernews.com)
Microsoft makes cloud security logs available for free • The Register
Security Awareness Training Isn’t Working - How Can We Improve It? - SecurityWeek
API keys: Weaknesses and security best practices | TechTarget
Other News
Google restricting internet access to some employees for security (cnbc.com)
Enterprise communication security a growing risk, priority | TechTarget
Healthcare organisations in the crosshairs of cyber attackers - Help Net Security
Broadband consumers demand security and sustainability - Help Net Security
Microsoft Exchange Online hit by new outage blocking emails (bleepingcomputer.com)
Cyber security measures SMBs should implement - Help Net Security
Sector Specific
Industry specific threat intelligence reports are available.
Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.
· Automotive
· Construction
· Critical National Infrastructure (CNI)
· Defence & Space
· Education & Academia
· Energy & Utilities
· Estate Agencies
· Financial Services
· FinTech
· Food & Agriculture
· Gaming & Gambling
· Government & Public Sector (including Law Enforcement)
· Health/Medical/Pharma
· Hotels & Hospitality
· Insurance
· Legal
· Manufacturing
· Maritime
· Oil, Gas & Mining
· OT, ICS, IIoT, SCADA & Cyber-Physical Systems
· Retail & eCommerce
· Small and Medium Sized Businesses (SMBs)
· Startups
· Telecoms
· Third Sector & Charities
· Transport & Aviation
· Web3
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Threat Briefing 31 March 2023
Black Arrow Cyber Threat Briefing 31 March 2023:
-Phishing Emails Up a Whopping 569% in 2022
-The End User Password Mistakes Putting Your Organisation at Risk
-Millions of Penetration Tests Show Companies’ Security Postures are Getting Worse
-71% of Employees Keep Work Passwords on Personal Devices
-Cyber Crime Frontlines in Russia-Ukraine War Move to Eastern and Northern Europe
-Security Flaws Cost Fifth of Executive’s Businesses
-Companies Struggle to Build and Run Effective Programs to Protect Data from Insider Threats
-Only 10% of Workers Remember All Their Cyber Security Training
-Silence Gets You Nowhere in a Data Breach
-Just 1% of Cloud Permissions are Actively Used
-Dangerous Misconceptions About Emerging Cyber Threats
-‘Grim’ Criminal Abuse of ChatGPT is Coming, Europol Warns
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
Phishing Emails Up a Whopping 569% in 2022
The volume of phishing emails sent in 2022 spiked by a jaw-dropping 569% according to a new report. Based on data from 35 million users, the report details the astronomical rise of email phishing as a tactic among threat actors in 2022. Key findings from the report include the number of credential phishing emails sent spiked by 478% and, for the eighth consecutive year, business email compromise (BEC) ranked as the top cyber crime.
https://www.darkreading.com/attacks-breaches/phishing-emails-up-whopping-569-percent-2022
The End User Password Mistakes Putting Your Organisation at Risk
Businesses rely on their end users, but those same users often don't follow the best security practices. Without the right password security policies, a single end user password mistake can be a costly breach of your organisation's defences. End users want to do their work quickly and efficiently, but sharing, reusing and weak passwords can put your organisation at risk so having the right policies in place is essential for security.
Millions of Penetration Tests Show Companies’ Security Postures are Getting Worse
The risk score for the average company worsened in the past year as companies fail to adapt to data exfiltration techniques and adequately protect web applications. Companies' effective data-exfiltration risk increased to 44 out of 100 (with 100 indicating the riskiest posture) in 2022, from an average score of 30 in the previous year, indicating that the overall risk of data being compromised has increased. That's according to rankings by Cymulate, who crunched data on 1.7 million hours of offensive cyber security testing. The research noted that while many companies are improving the adoption of strict network and group policies, attackers are adapting to sidestep such protections. They also found that four of the top-10 CVEs (known vulnerabilities) identified in customer environments were more than two years old.
https://www.darkreading.com/cloud/millions-pen-tests-companies-security-posture-getting-worse
71% of Employees Keep Work Passwords on Personal Devices
71% of employees store sensitive work passwords on their personal phones, and 66% use their personal texting apps for work, according to a new mobile bring your own device (BYOD) security report this week, with the report also suggesting 95% of security leaders are increasingly concerned about phishing attacks via private messaging apps. With the widespread use of personal mobile devices in the workplace, it is increasingly difficult for employers to ensure the security of sensitive information. The use of personal devices and personal apps was the direct cause of many high-profile corporate breaches and this is a trend that will surely continue, as employees often use corporate and personal devices for work, effectively doubling the attack surface for cyber criminals as threat actors know there are fewer security controls on personal mobile devices than on corporate ones.
https://www.infosecurity-magazine.com/news/70-employees-keep-work-passwords/
Cyber Frontlines in Russia-Ukraine War Move to Eastern and Northern Europe
More than a year into the war in Ukraine, hackers have extended the cyber battleground to Eastern and Northern Europe with the number of incidents in those geographies spiking noticeably. A new report shows that cyber warfare inside the conflict has “clearly moved on” from the beginnings of the war. Over the last 12 months, the research reports that the majority of incidents only affecting Ukraine in the first quarter of 2022 (50.4%) sank to 28.6% in the third period. But European Union countries have seen a spike in incidents related to the war in the past six months from 9.8% to 46.5%. Indeed, the number of attacks on EU countries in the third quarter of 2022 totalled just slightly less than those in the Ukraine. And, in the first quarter of this year, more than 80% of incidents occurred inside the European Union. Cyber is now a crucial weapon in the arsenal of new instruments of war, alongside disinformation, manipulation of public opinion, economic warfare, sabotage and guerrilla tactics. With the lateralisation of the conflict from Ukraine to the rest of Europe, Western Europe should be wary of possible attacks on critical infrastructure in the short term if the conflict continues to accelerate.
Security Flaws Cost Fifth of Executives New Business
Boards continue to under-appreciate the value of cyber security to the business, despite acknowledging its critical role in winning new business and talent, according to Trend Micro. The security giant polled 2,718 business decision makers globally to compile its Risky Rewards study and it found that half (51%) believe cyber security is a necessary cost but not a revenue contributor. 48% argue that its value is limited to threat prevention and two-fifths (38%) see security as a barrier rather than a business enabler. That’s despite a fifth (19%) acknowledging that poor security posture has already impacted their ability to win new business, and 57% thinking there is a strong connection between cyber and client acquisition.
https://www.infosecurity-magazine.com/news/fifth-execs-security-flaws-cost/
Companies Struggle to Build and Run Effective Programs to Protect Data from Insider Threats
Insider risk is emerging as one of the most challenging threats for organisations to detect, mitigate and manage, Code42 Software said in its annual Data Exposure Report for 2023. To compile data for the study they surveyed some 700 cyber security leaders, managers and practitioners and whilst more than 72% of companies indicated they have an insider risk management (IRM) program in place, the same companies experienced a year-over-year increase in data loss incidents of 32%. 71% of respondees expect data loss from insider events to increase in the next 12 months. Insider incidents are costing organisations $16 million per incident on average, and chief information security officers (CISOs) say that insider risks are the most challenging type of threat to detect. Data loss from insiders is not a new problem but it has become more complex with workforce turnover and cloud adoption.
Only 10% of Workers Remember All Their Cyber Security Training
New research has found that only 10% of workers remember all their cyber security training. Furthermore, only half of employees are undergoing regular training, and a quarter aren’t receiving any training at all. Organisations should look to carry out effective and regular training that is tailored to their employees to increase the chance of training content being retained, with a programme of ongoing continual reinforcement.
Silence Gets You Nowhere in a Data Breach
In cyber security, the phrase “what they don’t know won’t hurt them” is not only wrong, it’s dangerous. Despite this, it’s a motto that remains in many organisations’ PR playbooks, as demonstrated by the recent LastPass and Fortra data breaches. Smaller companies, too, are employing a silent-treatment approach to data breaches, and cyber attacks are now a fact of doing business with almost half of US organisations having suffered a cyber attack in 2022. Attackers are increasingly targeting smaller businesses due to the fact they are seen as easier targets than large companies.
https://techcrunch.com/2023/03/29/silence-gets-you-nowhere-in-a-data-breach/
Just 1% of Cloud Permissions are Actively Used
According to Microsoft, a surge in workload identities, super admins and “over-permissioning” is driving the increase in cyber risk for organisations. Just 1% of users are using the permissions granted to them for day-to-day work. Worryingly, this leaves a significant number of unnecessary permissions which could be used by an attacker to elevate their privileges.
https://www.infosecurity-magazine.com/news/just-1-of-cloud-permissions-used/
Dangerous Misconceptions About Emerging Cyber Threats
Organisations are leaving common attack paths exposed in their quest to combat emergent threats, according to a new report that delves into the efficacy of different security controls, the most concerning threats as tested by organisations worldwide, and top cyber security best practices for 2023. One of the key findings of the report is that many organisations are actively testing against threats seen in the news, likely from pressure to report on their exposure risk to emergent threats, and whilst this is good, it should not take away from assessing threats and exposures that are more likely actively targeting the business.
https://www.helpnetsecurity.com/2023/03/30/misconceptions-emerging-cyber-threats/
‘Grim’ Criminal Abuse of ChatGPT is Coming, Europol Warns
Europol has warned that criminals are set to take advantage of artificial intelligence to commit fraud and other crimes. Europol highlighted that ChatGPT could be used to speed up criminal research, impersonate speech styles for phishing and write code. Furthermore, despite ChatGPT having safeguards, Europol note that these can be circumvented.
https://www.securityweek.com/grim-criminal-abuse-of-chatgpt-is-coming-europol-warns/
Threats
Ransomware, Extortion and Destructive Attacks
Why CISOs Are Looking to Lateral Security to Mitigate Ransomware | CIO
Clop Keeps Racking Up Ransomware Victims With GoAnywhere Flaw (darkreading.com)
New IcedID malware variants shift from banking trojans to ransomware | SC Media (scmagazine.com)
Publicly disclosed US ransomware attacks in 2023 | TechTarget
Virgin Group added to Cl0p gang’s victim leak site | Cybernews
New York law firm coughs up $200k after hospital data stolen • The Register
Telecom giant Lumen suffered a ransomware attack-Security Affairs
Ransomware crooks are exploiting IBM file exchange bug with a 9.8 severity | Ars Technica
DarkBit puts data from Israel’s Technion university on sale | CSO Online
Crown Resorts investigating potential data breach after being contacted by hacking group - ABC News
Children’s data feared stolen in Fortra ransomware attack | TechCrunch
Phishing & Email Based Attacks
Phishing Emails Up a Whopping 569% in 2022 (darkreading.com)
IRS Phishing Emails Used to Distribute Emotet - Infosecurity Magazine (infosecurity-magazine.com)
These next-level phishing scams use PayPal or Google Docs to steal your data | TechRadar
Winter Vivern hackers exploit Zimbra flaw to steal NATO emails (bleepingcomputer.com)
BEC – Business Email Compromise
BEC scammers are after physical goods, the FBI warns - Help Net Security
Australian police arrest four BEC actors who stole $1.7 million (bleepingcomputer.com)
New BEC Tactics Enable Fake Asset Purchases - Infosecurity Magazine (infosecurity-magazine.com)
FBI: Business email compromise tactics used to defraud US vendors (bleepingcomputer.com)
Other Social Engineering; Smishing, Vishing, etc
2FA/MFA
Malware
New IcedID malware variants shift from banking trojans to ransomware | SC Media (scmagazine.com)
MacStealer macOS malware appears in cyber crime underground--Security Affairs
Cyber Scammers Using Decentralized File Distribution System to Spread Malware - MSSP Alert
Microsoft confirms Defender has gone rogue as it's flagging legit links as malware - Neowin
North Korean malware-spreading, crypto-stealing gang named • The Register
Malware disguised as Tor browser steals $400k in cryptocash • The Register
NullMixer Polymorphic Malware Variant Infects 8K Targets in Just a Month (darkreading.com)
Chinese Cyber spies Use 'Melofee' Linux Malware for Stealthy Attacks - SecurityWeek
Chinese RedGolf Group Targeting Windows and Linux Systems with KEYPLUG Backdoor (thehackernews.com)
Realtek and Cacti flaws now actively exploited by malware botnets (bleepingcomputer.com)
AlienFox malware caught in the cloud hen house • The Register
Microsoft OneNote will block 120 dangerous file extensions (bleepingcomputer.com)
IRS Phishing Emails Used to Distribute Emotet - Infosecurity Magazine (infosecurity-magazine.com)
Mobile
Android-based banking Trojan Nexus now available as malware-as-a-service | CSO Online
Inaudible ultrasound attack can stealthily control your phone, smart speaker (bleepingcomputer.com)
Russia’s Rostec allegedly can de-anonymize Telegram users (bleepingcomputer.com)
Android app from China executed 0-day exploit on millions of devices | Ars Technica
Google again accused of destroying evidence in Android case • The Register
Google finds more Android, iOS zero-days used to install spyware (bleepingcomputer.com)
Samsung keeps ignoring a huge security flaw in millions of Galaxy phones - SamMobile
iOS Vs. Android – Which Is The More Secure Platform? (informationsecuritybuzz.com)
Botnets
Denial of Service/DoS/DDOS
Internet of Things – IoT
Inaudible ultrasound attack can stealthily control your phone, smart speaker (bleepingcomputer.com)
This devious cyber attack can target all your smart speakers without you realizing | TechRadar
Gone in 120 seconds: Tesla Model 3 child's play for hackers • The Register
Data Breaches/Leaks
Fortra told breached companies their data was safe | TechCrunch
Procter & Gamble confirms data theft via GoAnywhere zero-day (bleepingcomputer.com)
New York law firm coughs up $200k after hospital data stolen • The Register
Toyota scrambles to patch customer data leak-Security Affairs
500k Impacted by Data Breach at Debt Buyer NCB - SecurityWeek
Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain
Malware disguised as Tor browser steals $400k in cryptocash • The Register
NullMixer Polymorphic Malware Variant Infects 8K Targets in Just a Month (darkreading.com)
Insider Risk and Insider Threats
Only 10% of workers remember all their cyber security training - IT Security Guru
Data loss from insider events increase despite IRM programs, says study | CSO Online
Stop Blaming the End User for Security Risk (darkreading.com)
Fraud, Scams & Financial Crime
Visa fraud expert outlines the many faces of payment ecosystem fraud - Help Net Security
Cyber Scammers Using Decentralized File Distribution System to Spread Malware - MSSP Alert
Deepfakes
AML/CFT/Sanctions
Insurance
Beazley working on standalone cyber war product in market first (insuranceinsider.com)
Organisations Reassess Cyber Insurance as Self-Insurance Strategies Emerge (darkreading.com)
Supply Chain and Third Parties
Hackers compromise 3CX desktop app in a supply chain attack (bleepingcomputer.com)
Winter Vivern hackers exploit Zimbra flaw to steal NATO emails (bleepingcomputer.com)
Cloud/SaaS
Just 1% of Cloud Permissions Are Actively Used - Infosecurity Magazine (infosecurity-magazine.com)
Where SSO Falls Short in Protecting SaaS (thehackernews.com)
CISA Releases Hunt Tool for Microsoft's Cloud Services (darkreading.com)
Balancing security risks and innovation potential of shadow IT teams - Help Net Security
AlienFox malware caught in the cloud hen house • The Register
Hybrid/Remote Working
Cyber security focus in second Digital Europe work programme – EURACTIV.com
More companies are watching their remote workers WFH on camera | Fortune
Shadow IT
Identity and Access Management
Encryption
API
Passwords, Credential Stuffing & Brute Force Attacks
The End-User Password Mistakes Putting Your Organisation at Risk (bleepingcomputer.com)
New Research Examines Traffers and the Business of Stolen Credentials - IT Security Guru
Social Media
Training, Education and Awareness
The era of passive cyber security awareness training is over - Help Net Security
Only 10% of workers remember all their cyber security training - IT Security Guru
Parental Controls and Child Safety
Regulations, Fines and Legislation
Governance, Risk and Compliance
Beazley working on standalone cyber war product in market first (insuranceinsider.com)
Cyber security vs. Everyone: From Conflict to Collaboration (darkreading.com)
Using Observability to Power a Smarter Cyber security Strategy (darkreading.com)
How cyber security decision-makers perceive cyber resilience - Help Net Security
NCSC issues revised security Board Toolkit for business leaders | Computer Weekly
The CISO Mantra: Get Ready to Do More With Less (darkreading.com)
Models, Frameworks and Standards
Backup and Recovery
Law Enforcement Action and Take Downs
FBI confirms access to Breached cyber crime forum database (bleepingcomputer.com)
UK creates fake DDoS-for-hire sites to identify cyber criminals (bleepingcomputer.com)
Australian police arrest four BEC actors who stole $1.7 million (bleepingcomputer.com)
20-Year-Old BreachForums Founder Faces Up to 5 Years in Prison (thehackernews.com)
Privacy, Surveillance and Mass Monitoring
UK Introduces Mass Surveillance With Online Safety Bill - SecurityWeek
FBI Spent Tens of Thousands of Dollars on Bulk Data Collection (gizmodo.com)
Clearview AI used nearly 1m times by US police, it tells the BBC - BBC News
More companies are watching their remote workers WFH on camera | Fortune
Artificial Intelligence
'Grim' Criminal Abuse of ChatGPT is Coming, Europol Warns - SecurityWeek
In Sudden Alarm, Tech Doyens Call for a Pause on ChatGPT | WIRED
Musk, Scientists Call for Halt to AI Race Sparked by ChatGPT - SecurityWeek
AI-fuelled search gives more power to the bad guys | CSO Online
Hacker demonstrates security flaws in GPT-4 just one day after launch | VentureBeat
Godfather of AI Says There's a Minor Risk It'll Eliminate Humanity (futurism.com)
Clearview AI used nearly 1m times by US police, it tells the BBC - BBC News
AI has figured out how to draw deepfake hands | The Independent
Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine
Putin and Xi’s plot to control the internet will leave the West in the dust (telegraph.co.uk)
In A Surprise, China-Linked TikTok Grabs Power Norway Needs To Make Ammo (forbes.com)
Cyber crime Front Lines in Russia-Ukraine War Move to Eastern and Northern Europe - MSSP Alert
Beazley working on standalone cyber war product in market first (insuranceinsider.com)
'Bitter' espionage hackers target Chinese nuclear energy orgs (bleepingcomputer.com)
Earth Preta’s Cyber Espionage Campaign Hits Over 200 (trendmicro.com)
Biden White House Issues Executive Order on Commercial Spyware (gizmodo.com)
North Korean APT43 Group Uses Cybercrime to Fund Espionage Operations (thehackernews.com)
Google finds more Android, iOS zero-days used to install spyware (bleepingcomputer.com)
Over 200 Organisations Targeted in Chinese Cyber Espionage Campaign - SecurityWeek
Google: Commercial Spyware Used by Governments Laden With Zero-Day Exploits (darkreading.com)
Chinese Cyber spies Use 'Melofee' Linux Malware for Stealthy Attacks - SecurityWeek
Chinese RedGolf Group Targeting Windows and Linux Systems with KEYPLUG Backdoor (thehackernews.com)
Pro-Russian hackers target elected US officials supporting Ukraine | Ars Technica
Russian spies more effective than army, say experts - BBC News
Cyber warfare leaks show Russian army is adopting mindset of secret police | Cyberwar | The Guardian
Nation State Actors
Uncle Sam sent cyber-soldiers to Albania to combat Iran • The Register
Russia’s Rostec allegedly can de-anonymize Telegram users (bleepingcomputer.com)
Android app from China executed 0-day exploit on millions of devices | Ars Technica
China urges Apple to improve security and privacy • The Register
North Korean malware-spreading, crypto-stealing gang named • The Register
Chinese RedGolf Group Targeting Windows and Linux Systems with KEYPLUG Backdoor (thehackernews.com)
Vulnerability Management
What you need before the next vulnerability hits - Help Net Security
Vulnerability management vs. risk management, compared | TechTarget
Most Weaponized Vulnerabilities of 2022 and 5 Key Risks: Report - SecurityWeek
Microsoft shares tips on detecting Outlook zero-day exploitation (bleepingcomputer.com)
Ignoring network automation is a ticking time bomb for security - Help Net Security
Vulnerabilities
Microsoft: No-Interaction Outlook Zero Day Exploited Since Last April - SecurityWeek
Microsoft shares tips on detecting Outlook zero-day exploitation (bleepingcomputer.com)
Apple patches everything, including a zero-day fix for iOS 15 users – Naked Security (sophos.com)
QNAP fixed Sudo privilege escalation bug in NAS devices-Security Affairs
Patch Now: Cyber criminals Set Sights on Critical IBM File Transfer Bug (darkreading.com)
Super FabriXss flaw in Microsoft Azure SFX could lead to RCE-Security Affairs
OpenAI quickly fixed account takeover bugs in ChatGPT-Security Affairs
Tools and Controls
Even with defence tools, CISOs say cyber attacks are ‘inevitable’ (techrepublic.com)
The era of passive cyber security awareness training is over - Help Net Security
Only 10% of workers remember all their cyber security training - IT Security Guru
Prioritizing data security amid workforce disruptions - Help Net Security
Using Observability to Power a Smarter Cyber security Strategy (darkreading.com)
For database security it's down to people, not tech fixes • The Register
Known unknowns: Refining your approach to uncategorized web traffic - Help Net Security
Understanding adversaries through dark web intelligence - Help Net Security
Where SSO Falls Short in Protecting SaaS (thehackernews.com)
How Does Data Literacy Enhance Data Security? (darkreading.com)
CISA Releases Hunt Tool for Microsoft's Cloud Services (darkreading.com)
With Security Copilot, Microsoft brings the power of AI to cyber defence - Stories
Compare breach and attack simulation vs. penetration testing | TechTarget
Ignoring network automation is a ticking time bomb for security - Help Net Security
Microsoft's ‘Security Copilot’ Sics ChatGPT on Security Breaches | WIRED
Breaking the Mold: Pen Testing Solutions That Challenge the Status Quo (thehackernews.com)
Diagnose your SME’s Cyber security and Scan for Recommendations — ENISA (europa.eu)
Protect your entire business with the right authentication method - Help Net Security
Microsoft Defender is flagging legit URLs as malicious • The Register
Managing security in the cloud through Microsoft Intune | CSO Online
Top 5 SD-WAN Challenges and How to Prepare for Them | TechTarget
Organisations Reassess Cyber Insurance as Self-Insurance Strategies Emerge (darkreading.com)
The best defence against cyber threats for lean security teams - Help Net Security
Overcoming obstacles to introduce zero-trust security in established systems - Help Net Security
The foundation of a holistic identity security strategy - Help Net Security
The CISO Mantra: Get Ready to Do More With Less (darkreading.com)
Other News
Hackers changed tactics, went cross-platform in 2022, says Trend Micro | CSO Online
WiFi protocol flaw allows attackers to hijack network traffic (bleepingcomputer.com)
Microsoft OneNote will block 120 dangerous file extensions (bleepingcomputer.com)
How CISOs Can Reduce the Danger of Using Data Brokers (darkreading.com)
How Does Data Literacy Enhance Data Security? (darkreading.com)
Microsoft uses carrot and stick with Exchange Online admins • The Register
Sector Specific
Industry specific threat intelligence reports are available.
Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.
· Automotive
· Construction
· Critical National Infrastructure (CNI)
· Defence & Space
· Education & Academia
· Energy & Utilities
· Estate Agencies
· Financial Services
· FinTech
· Food & Agriculture
· Gaming & Gambling
· Government & Public Sector (including Law Enforcement)
· Health/Medical/Pharma
· Hotels & Hospitality
· Insurance
· Legal
· Manufacturing
· Maritime
· Oil, Gas & Mining
· OT, ICS, IIoT, SCADA & Cyber-Physical Systems
· Retail & eCommerce
· Small and Medium Sized Businesses (SMBs)
· Startups
· Telecoms
· Third Sector & Charities
· Transport & Aviation
· Web3
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Threat Briefing 03 March 2023
Black Arrow Cyber Briefing 03 March 2023:
-It’s Time to Evaluate Your Security Education Plan Amongst the Rise in Social Engineering Attacks
-Mobile Users are More Susceptible to Phishing Attacks
-Phishing as a Service Stimulates Cyber Crime
-Attacker Breakout Time Drops to Just 84 Minutes
-Attackers are Developing and Deploying Exploits Faster Than Ever
-Old Vulnerabilities are Haunting Organisations and Aiding Attackers
-Scams Drive Nearly $9bn Fraud Surge in 2022
-Economic Pressure are Increasing Cyber Security Risks and a Recession Would Only Further This
-Cyber Security in This Era of Polycrisis
-Russian Ransomware Projects Rebranded to Avoid Western Sanctions
-Ransomware Attacks Ravaged Big Names in February
-Firms Who Pay Ransom Subsidise New Attacks
-How the Ukraine War Opened a Fault Line in Cyber Crime
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
It’s Time to Evaluate Your Security Education Plan with the Rise in Social Engineering Attacks
Security provider Purplesec found 98% of attacks in 2022 involved an element of social engineering. Social engineering attacks can take many forms including phishing, smishing, vishing and quishing and it’s vital to educate your organisation on how to best prepare for these. Education plans should focusing on educating all levels of users, including those at the top. These plans should also be tested to allow organisations to assess where they are at and identify where they can improve.
Mobile Users are More Susceptible to Phishing Attacks
A report conducted by mobile security provider Lookout focused on the impact of mobile phishing. Some of the key findings from the report included that more than 50% of personal devices were exposed to a mobile phishing attack every quarter, the percentage of users falling for multiple mobile phishing links increasing and an increased targeting of highly regulated industries such as insurance, banking and financial services. It is likely that this has resulted from the increase in relaxed bring your own device (BYOD) policies.
Phishing as a Service Stimulates Cyber Crime
Phishing attacks are at an all-time high and the usage of Phishing as a Service (PaaS) opens this attack technique to virtually anyone. The sale of “phishing kits” and usage of artificial intelligence has further increased the availability of this attack technique. In response, organisations should look to improve their email security, cloud security and education programs for employees.
https://www.trendmicro.com/en_us/ciso/23/c/phishing-as-a-service-phaas.html
Attacker Breakout Time Drops to Just 84 Minutes
The average time it takes for a threat actor to move laterally from a compromised host within an organisation dropped 14% between 2012 and 2022 down to 84 minutes, according to a report by security provider Crowdstrike. With the reduction in time it takes a threat actor to move across systems, organisations have even less time to enact their incident response plans and contain breaches effectively, putting further pressure on the incident response team. By responding quickly, organisations can minimise the cost and damage of a breach. The report from Crowdstrike found that organisations were facing increasing difficulty in detecting suspicious activity as attackers are choosing to use valid organisation credentials rather than malware, to gain access to an organisation’s systems.
https://www.infosecurity-magazine.com/news/attacker-breakout-time-drops-just/
Attackers are Developing and Deploying Exploits Faster Than Ever
A report from security provider Rapid7 found that over 56% of vulnerabilities were exploited within seven days of public disclosure. Worryingly, the median time for exploitation in 2022 was just one day. The finding from the report highlights the need for organisations to not only conduct threat intelligence to be aware of vulnerabilities but to also look to employ patches where possible in a timely manner.
https://www.helpnetsecurity.com/2023/03/03/attackers-developing-deploying-exploits/
Old Vulnerabilities are Haunting Organisations and Aiding Attackers
Known vulnerabilities, vulnerabilities for which patches have already been made available, are one of the primary attack vectors for threat actors. Vulnerability management vendor Tenable found that the top exploited vulnerabilities were originally disclosed as far back as 2017 and organisations that had not applied these patches were at increased risks of attack.
https://www.helpnetsecurity.com/2023/03/03/known-exploitable-vulnerabilities/
Scams Drive Nearly $9bn Fraud Surge in 2022
Americans lost $8.8 billion to fraud last year, with imposter scams responsible for $2.8 billion of that amount, according to the Federal Trade Commission (FTC). Losses to business imposters were particularly damaging, climbing to $660 million from the previous year. Interestingly, the FTC found that younger people reported losing money to fraud the most often.
https://www.infosecurity-magazine.com/news/investment-scams-drive-9bn-in/
Economic Pressure are Increasing Cyber Security Risks and a Recession Would Only Further This
The World Economic Forum’s recent report found that 93% of cyber security leaders and 86% of business leaders think it is moderately or very likely that global geopolitical instability will lead to a catastrophic cyber event in the next two years. Reinforcing this, a report from (ISC)² found that 80% of business executives believe a weakening economy will increase cyber threats and a recession will only amplify this.
Cyber Security in this Era of Polycrisis
A year since Russia invaded Ukraine, the geopolitical context is increasingly tense and volatile. The world faces several major crises in what has been coined a 'polycrisis,' a cluster of global shocks with compounding effects. This, along with increasing geopolitical tensions causes a rise in risk from cyber attacks. In fact, the European Union Agency for Cyber Security (ENISA) recently issued an alert regarding actors conducting malicious cyber activities against businesses and governments in the European Union and findings from Google show a 300% increase in state-sponsored cyber attacks targeting users in NATO countries.
https://www.weforum.org/agenda/2023/02/cybersecurity-in-an-era-of-polycrisis/
Russian Ransomware Projects Rebranded to Avoid Western Sanctions
Research provider TRM labs found that some major Russian-linked ransomware crime gangs have rebranded their activities in 2022 to avoid sanctions. To strengthen their anonymity, two major ransomware crime gangs LockBit and Conti restructured their activities. Conti is reported to have restructured into three smaller groups named Black Besta, BlackByte, Karakurt. LockBit on the other hand launched LockBit 3.0, which is focused on monetary gain. Additionally, the report found that Russian-speaking darknet markets had amassed over $130 million in sales.
https://cryptopotato.com/russian-ransomware-projects-rebranded-to-avoid-western-sanctions-report/
Ransomware Attacks Ravaged Big Names in February
Despite the apparent slight drop in ransomware activity last month, several high profile targets of various industries were hit; this ranges from the likes of the US Marshal Service, retailer WH Smith, satellite provider Dish and many more. These attacks reinforce the concept that any organisation can be a victim, regardless of industry.
Firms Who Pay Ransoms Subsidise New Attacks
A report from security provider Trend Micro found that whilst only a relatively small number of ransomware victims pay their extorters, those that do pay are effectively funding 6-10 new attacks. The report also found that attackers are aware of which industries and countries pay ransoms more often, so organisations belonging to those industries and countries may find themselves an even more attractive target.
https://www.infosecurity-magazine.com/news/firms-pay-ransom-subsidise-10/
How the Ukraine War Opened a Fault Line in Cyber Crime
A report from threat intelligence provider Recorded Future has highlighted the impact that the Russian invasion of Ukraine has had on cyber. Recorded Future explain how a number of threat actor groups fled during the war and in addition to differing political views between groups, there has been a disruption to the cyber environment. In fact, Recorded Future found that Russian-language dark web marketplaces have taken a major hit and the prediction is that the epicentre of cyber crime may shift to English-speaking dark web forums, shops and marketplaces.
https://www.darkreading.com/analytics/ukraine-war-fault-line-cybercrime-forever
Threats
Ransomware, Extortion and Destructive Attacks
Well-funded security systems fail to prevent cyber attacks in US and Europe: Report | CSO Online
Russian Ransomware Projects Rebranded to Avoid Western Sanctions: Report (cryptopotato.com)
New cyber attack tactics rise up as ransomware payouts increase | CSO Online
Ransomware Attacks: Don’t Let Your Guard Down - SecurityWeek
Ransomware attacks ravaged big names in February | TechTarget
Cyber Insurance Market Back From Brink After Onslaught of Ransomware Attacks (insurancejournal.com)
Royal Mail schools LockBit in leaked negotiation (malwarebytes.com)
'Ethical hacker' among ransomware suspects arrested • The Register
Wiper malware goes global, destructive attacks surge - Help Net Security
A Deep Dive into the Evolution of Ransomware Part 3 (trendmicro.com)
New Exfiltrator-22 post-exploitation kit linked to LockBit ransomware (bleepingcomputer.com)
PureCrypter malware hits govt orgs with ransomware, info-stealers (bleepingcomputer.com)
Bitdefender Releases Free Decryptor for MortalKombat Ransomware Strain (thehackernews.com)
Dish Network confirms ransomware attack behind multi-day outage (bleepingcomputer.com)
US Marshals Ransomware Hit Is 'Major' Incident (darkreading.com)
The DoJ Disruption of the Hive Ransomware Group Is a Short-Lived Win (darkreading.com)
Vice Society publishes data stolen during Vesuvius ransomware attack • Graham Cluley
US Cybersecurity Agency Raises Alarm Over Royal Ransomware's Deadly Capabilities (thehackernews.com)
Phishing & Email Based Attacks
New cyber attack tactics rise up as ransomware payouts increase | CSO Online
Mobile Users More Susceptible to Phishing Attacks than Two Years Ago - MSSP Alert
Phishing as a Service Stimulates Cyber crime (trendmicro.com)
BEC – Business Email Compromise
New cyber attack tactics rise up as ransomware payouts increase | CSO Online
Expert strategies for defending against multilingual email-based attacks - Help Net Security
Hackers Target Young Gamers: How Your Child Can Cause Business Compromise (darkreading.com)
Other Social Engineering; Smishing, Vishing, etc
As Social Engineering Attacks Skyrocket, Evaluate Your Security Education Plan (darkreading.com)
The Top 5 New Social Engineering Attacks in 2023 - (ISC)² Blog (isc2.org)
How to Prevent Callback Phishing Attacks on Your Organization (bleepingcomputer.com)
2FA/MFA
Malware
RIG Exploit Kit still infects enterprise users via Internet Explorer (bleepingcomputer.com)
Exfiltrator-22 Post-Exploitation Toolkit Nips At Cobalt Strike's Heels (darkreading.com)
Malicious package flood on PyPI might be sign of new attacks to come | CSO Online
Iron Tiger hackers create Linux version of their custom malware (bleepingcomputer.com)
It's official: BlackLotus malware can bypass secure boot • The Register
Threat actors target law firms with GootLoader and SocGholish--Security Affairs
Mobile
Mobile Users More Susceptible to Phishing Attacks than Two Years Ago - MSSP Alert
Mobile Banking Trojans Surge, Doubling in Volume (darkreading.com)
Signal would 'walk' from UK if Online Safety Bill undermined encryption - BBC News
Don't be fooled by a pretty icon, malicious apps hide in plain sight - Help Net Security
Denial of Service/DoS/DDOS
Data Breaches/Leaks
LastPass Says DevOps Engineer Home Computer Hacked - SecurityWeek
LastPass Reveals Second Attack Resulting in Breach of Encrypted Password Vaults (thehackernews.com)
Stanford University discloses data breach affecting PhD applicants (bleepingcomputer.com)
Threat actors leak Activision employee data on hacking forum--Security Affairs
10 US states that suffered the most devastating data breaches in 2022 - Help Net Security
Australian orgs lodged 497 data breach notices in back half of 2022 - Security - iTnews
Hatch Bank discloses data breach after GoAnywhere MFT hack (bleepingcomputer.com)
GunAuction site was hacked and data of 565k accounts were exposed--Security Affairs
Chick-fil-A confirms accounts hacked in months-long "automated" attack (bleepingcomputer.com)
What GoDaddy's Years-Long Breach Means for Millions of Clients (darkreading.com)
Organised Crime & Criminal Actors
Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain
Cryptocurrency Bitcoin mining rig found in school crawlspace • The Register
Highly evasive cryptocurrency miner targets macOS--Security Affairs
Insider Risk and Insider Threats
Fraud, Scams & Financial Crime
Investment Scams Drive $9bn Fraud Surge in 2022 - Infosecurity Magazine (infosecurity-magazine.com)
How I Broke Into a Bank Account With an AI-Generated Voice (vice.com)
FTC reveals alarming increase in scam activity, costing consumers billions - Help Net Security
Resecurity identified the investment scam network Digital Smoke - Help Net Security
Pig butchering scam explained: Everything you need to know (techtarget.com)
AML/CFT/Sanctions
Insurance
Dark Web
Supply Chain and Third Parties
Third-party risks overwhelm traditional ERM setups - Help Net Security
Third-Party Risks: Challenges for MSSPs and How to Overcome Them - MSSP Alert
Shocking Findings from the 2023 Third-Party App Access Report (thehackernews.com)
Software Supply Chain
Shocking Findings from the 2023 Third-Party App Access Report (thehackernews.com)
SBOM is a 'massive galaxy of mess' for supply chain security • The Register
IBM Contributes Supply Chain Security Tools to OWASP (darkreading.com)
Cloud/SaaS
How to Tackle the Top SaaS Challenges of 2023 (thehackernews.com)
Cloud incident response: Frameworks and best practices | TechTarget
Security teams have no control over risky SaaS-to-SaaS connections - Help Net Security
It only takes one over-privileged identity to do major damage to a cloud - Help Net Security
SCARLETEEL hackers use advanced cloud skills to steal source code, data (bleepingcomputer.com)
Shocking Findings from the 2023 Third-Party App Access Report (thehackernews.com)
Google Cloud Platform allows data exfiltration without a (forensic) trace - Help Net Security
What Happened in That Cyber attack? With Some Cloud Services, You May Never Know (darkreading.com)
New Report: Inside the High Risk of Third-Party SaaS Apps (darkreading.com)
Containers
Hybrid/Remote Working
Work-From-Home Regulations Are Coming. Companies Aren’t Ready. (mit.edu)
How to work from home securely, the NSA way (malwarebytes.com)
Encryption
API
Open Source
Iron Tiger hackers create Linux version of their custom malware (bleepingcomputer.com)
Should organisations swear off open-source software altogether? | VentureBeat
IBM Contributes Supply Chain Security Tools to OWASP (darkreading.com)
Passwords, Credential Stuffing & Brute Force Attacks
LastPass Says DevOps Engineer Home Computer Hacked - SecurityWeek
Critical Vulnerabilities Allowed Booking.com Account Takeover - SecurityWeek
Sale of Stolen Credentials and Initial Access Dominate Dark Web Markets (darkreading.com)
Social Media
White House: No More TikTok on Gov't Devices Within 30 Days - SecurityWeek
EU Parliament bans staff from using TikTok over ‘cybersecurity concerns’ – POLITICO
TikTok answers three big cyber-security fears about the app - BBC News
Meta says $725M deal ends all Cambridge Analytica claims; one state disagrees | Ars Technica
Training, Education and Awareness
Parental Controls and Child Safety
Regulations, Fines and Legislation
UK seeks to ‘focus’ espionage bill to head off Lords rebellion | Financial Times (ft.com)
Cyber resilience in focus: EU act to set strict standards - Help Net Security
Work-From-Home Regulations Are Coming. Companies Aren’t Ready. (mit.edu)
ML practitioners push for mandatory AI Bill of Rights - Help Net Security
Governance, Risk and Compliance
Third-party risks overwhelm traditional ERM setups - Help Net Security
CISOs Share Their 3 Top Challenges for Cybersecurity Management (darkreading.com)
The Importance of Recession-Proofing Security Operations (darkreading.com)
Third-Party Risks: Challenges for MSSPs and How to Overcome Them - MSSP Alert
CISO Conversations: Code42, BreachQuest Leaders Discuss Combining CISO and CIO Roles - SecurityWeek
Models, Frameworks and Standards
Careers, Working in Cyber and Information Security
Gartner Prediction: Nearly Half of Cybersecurity Pros Will Change Jobs by 2025 - MSSP Alert
Growing Demand For Skilled Cybersecurity Workforce In Digital Age (informationsecuritybuzz.com)
Partnering With a Cybersecurity Vendor Can Help You Recruit Top Talent - MSSP Alert
CISOs Are Stressed Out and It's Putting Companies at Risk (thehackernews.com)
Law Enforcement Action and Take Downs
'Ethical hacker' among ransomware suspects arrested • The Register
The DoJ Disruption of the Hive Ransomware Group Is a Short-Lived Win (darkreading.com)
Privacy, Surveillance and Mass Monitoring
UK seeks to ‘focus’ espionage bill to head off Lords rebellion | Financial Times (ft.com)
Press greets Home Office redraft of national security bill with scepticism | Media | The Guardian
The Air Force Is Now Using Facial Recognition Drones (gizmodo.com)
How dog tracker apps are snooping on humans, according to cyber security experts (telegraph.co.uk)
Artificial Intelligence
Generative AI Changes Everything We Know About Cyber attacks (darkreading.com)
ChatGPT is bringing advancements and challenges for cybersecurity - Help Net Security
How I Broke Into a Bank Account With an AI-Generated Voice (vice.com)
ML practitioners push for mandatory AI Bill of Rights - Help Net Security
Misinformation, Disinformation and Propaganda
Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine
Cyber security must be tightened up in this era of polycrisis | World Economic Forum (weforum.org)
How the Ukraine War Opened a Fault Line in Cyber crime, Possibly Forever (darkreading.com)
Russia-Ukraine War: A Year of Cyber Shortfalls (foreignpolicy.com)
Evaluating the Cyberwar Set Off by Russian Invasion of Ukraine (darkreading.com)
CERT of Ukraine: Russia-linked APT backdoored multiple govt sites-Security Affairs
White House: No More TikTok on Gov't Devices Within 30 Days - SecurityWeek
Russian charged with smuggling US counterintel tech • The Register
Cyber security in wartime: how Ukraine's infosec community is coping | CSO Online
China's BlackFly Targets Materials Sector in 'Relentless' Quest for IP (darkreading.com)
'Hackers' Behind Air Raid Alerts Across Russia: Official - SecurityWeek
China spends billions on pro-Russia disinformation, US special envoy says | China | The Guardian
Nation State Actors
Cyber security must be tightened up in this era of polycrisis | World Economic Forum (weforum.org)
How the Ukraine War Opened a Fault Line in Cyber crime, Possibly Forever (darkreading.com)
Hacker group defaces Russian websites to display the Kremlin on fire | TechCrunch
Russia-Ukraine War: A Year of Cyber Shortfalls (foreignpolicy.com)
CERT of Ukraine: Russia-linked APT backdoored multiple govt sites-Security Affairs
Evaluating the Cyberwar Set Off by Russian Invasion of Ukraine (darkreading.com)
White House: No More TikTok on Gov't Devices Within 30 Days - SecurityWeek
Russian charged with smuggling US counterintel tech • The Register
Cyber security in wartime: how Ukraine's infosec community is coping | CSO Online
EU Parliament bans staff from using TikTok over ‘cybersecurity concerns’ – POLITICO
China's BlackFly Targets Materials Sector in 'Relentless' Quest for IP (darkreading.com)
'Hackers' Behind Air Raid Alerts Across Russia: Official - SecurityWeek
China spends billions on pro-Russia disinformation, US special envoy says | China | The Guardian
TikTok answers three big cyber-security fears about the app - BBC News
Russia bans foreign messaging apps in government organisations (bleepingcomputer.com)
Chinese hackers use new custom backdoor to evade detection (bleepingcomputer.com)
Vulnerability Management
Vulnerabilities
A world of hurt for Fortinet and ManageEngine after users fail to install patches | Ars Technica
Hackers are actively exploiting Zoho ManageEngine flaw-Security Affairs
All In One SEO WordPress Plugin Vulnerability Affects Up To 3+ Million (searchenginejournal.com)
CISA warns of hackers exploiting ZK Java Framework RCE flaw (bleepingcomputer.com)
Cisco patches critical Web UI RCE flaw in multiple IP phones (bleepingcomputer.com)
Aruba Networks fixes six critical vulnerabilities in ArubaOS (bleepingcomputer.com)
Microsoft releases Windows security updates for Intel CPU flaws (bleepingcomputer.com)
Tools and Controls
LastPass Reveals Second Attack Resulting in Breach of Encrypted Password Vaults (thehackernews.com)
Well-funded security systems fail to prevent cyber attacks in US and Europe: Report | CSO Online
The Future of Network Security: Predictive Analytics and ML-Driven Solutions (thehackernews.com)
Microsoft announces automatic BEC, ransomware attack disruption capabilities - Help Net Security
How to use zero trust and IAM to defend against cyber attacks in an economic downturn | VentureBeat
Pentesting No Longer Driven by Regulatory Compliance, New Study Finds - MSSP Alert
Application Security vs. API Security: What is the difference? (thehackernews.com)
Accurately assessing the success of zero-trust initiatives | TechTarget
Other News
Attackers are developing and deploying exploits faster than ever - Help Net Security
Attacker Breakout Time Drops to Just 84 Minutes - Infosecurity Magazine (infosecurity-magazine.com)
Moving target defence must keep cyber attackers guessing - Help Net Security
Covert cyber attacks on the rise as attackers shift tactics for maximum impact - Help Net Security
Dormant accounts are a low-hanging fruit for attackers - Help Net Security
Dish Network goes offline after likely cyber attack, employees cut off (bleepingcomputer.com)
News Corp says state hackers were on its network for two years (bleepingcomputer.com)
UK won the Military Cyberwarfare exercise Defence Cyber Marvel-Security Affairs
To Safeguard Critical Infrastructure, Go Back to Basics (darkreading.com)
Feds accuse Google of destroying evidence in antitrust case • The Register
Microsoft recommending you scan more Exchange server files • The Register
CISA director urges tech sector to stop shipping unsafe products | CyberScoop
Developers can make a great extension of your security team - Help Net Security
2023 Browser Security Report Uncovers Major Browsing Risks and Blind Spots (thehackernews.com)
Uncovering the most pressing cybersecurity concerns for SMBs - Help Net Security
Wiz execs: Most overhyped security tool is technology itself • The Register
Sector Specific
Industry specific threat intelligence reports are available.
Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.
· Automotive
· Construction
· Critical National Infrastructure (CNI)
· Defence & Space
· Education & Academia
· Energy & Utilities
· Estate Agencies
· Financial Services
· FinTech
· Food & Agriculture
· Gaming & Gambling
· Government & Public Sector (including Law Enforcement)
· Health/Medical/Pharma
· Hotels & Hospitality
· Insurance
· Legal
· Manufacturing
· Maritime
· Oil, Gas & Mining
· OT, ICS, IIoT, SCADA & Cyber-Physical Systems
· Retail & eCommerce
· Small and Medium Sized Businesses (SMBs)
· Startups
· Telecoms
· Third Sector & Charities
· Transport & Aviation
· Web3
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Threat Briefing 17 February 2023
Black Arrow Cyber Threat Briefing 17 February 2023:
-High Risk Users May be Few, but the Threat They Pose is Huge
-The Cost of Cyber Security Insurance is Soaring so Firms Need to Take Prevention More Seriously
-Cyber Attacks Worldwide Increased to an All-Time Record Breaking High
-Most Organisations Make Cyber Security Decisions Without Insights
-Ransomware Attackers Finding New Ways to Weaponise Old Vulnerabilities
-Are Executives Fluent in IT Security Speak? 5 Reasons Why the Communication Gap is Wider Than You Think
-Business Email Compromise Groups Target Firms with Multilingual Impersonation Attacks
-EU Countries Told to Step up Defence Against State Hackers
-Cyber Criminals Exploit Fear and Urgency to Trick Consumers
-How to Manage Third Party and Supply Chain Cyber Security Risks that are Too Costly to Ignore
-Russian Spear Phishing Campaign Escalates Efforts Towards Critical UK, US and European Targets
-5 Biggest Risks of Using Third Party Managed Service Providers
-Cyber Crime as a Service: A Subscription Based Model in the Wrong Hands
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
High Risk Users May be Few, but the Threat They Pose is Huge
High risk users represent approximately 10% of the worker population according to research provider, Elevate Security research. The research found that high risk users were responsible for 41% of all simulated phishing clicks, 30% of all real-world phishing clicks, 54% of all secure-browsing incidents and 42% of all malware events. This is worrying, considering the rise in sophisticated targeted phishing campaigns.
https://www.helpnetsecurity.com/2023/02/16/high-risk-behavior/
The Cost of Cyber Security Insurance is Soaring so Firms Need to Take Prevention More Seriously
State-backed cyber attacks are on the rise, but they are not raising the level of alarm that they should in the corporate world. Unfortunately, this is not a productive way of thinking. Come the end of March, insurance provider Lloyds will no longer cover damage from cyber attacks carried out by state or state-backed groups. In the worst cases, this reduced insurance coverage could exacerbate the trend of companies taking a passive approach toward state-backed attacks as they feel there is now really nothing they can do to protect themselves. The uncertainty however, could be the motivation for companies to take the threat of state-backed attacks more seriously.
Cyber Attacks Worldwide Increased to an All-Time Record-Breaking High, Report Shows
According to a report by security provider Check Point, cyber attacks rose 38% in 2022 compared to the previous year. Some of the key trends in the report included an increase in the number of cloud-based networking attacks, with a 48% rise and non-state affiliated hacktivist groups becoming more organised and effective than ever before. Additionally, ransomware is becoming more difficult to attribute and track and extra focus should be placed on exfiltration detection.
Most Organisations Make Cyber Security Decisions Without Insights
A report by security provider Mandiant found some worrying results when it came to organisational understanding of threat actors. Some of the key findings include, 79% of respondents stating that most of their cyber security decisions are made without insight into the treat actors targeting them, 79% believing their organisation could focus more time and energy on identifying critical security trends, 67% believing senior leadership teams underestimate the cyber threats posed to their organisation and finally, 47% of respondents felt that they could not prove to senior leadership that their organisation has a highly effective cyber security program.
Ransomware Attackers Finding New Ways to Weaponise Old Vulnerabilities
Ransomware attackers are finding new ways to exploit organisations’ security weaknesses by weaponising old vulnerabilities. A report by security provider Cyber Security Works had found that 76% of the vulnerabilities currently being exploited were first discovered between 2010-2019.
Are Executives Fluent in IT Security Speak? 5 Reasons Why the Communication Gap is Wider Than You Think
Using data from two different reports conducted by security provider Kaspersky, the combined data showed some worrying results. Some of the results include 98% of respondents revealing they faced at least one IT security miscommunication that regularly leads to bad consequences, 62% of managers revealing miscommunication led to at least one cyber security incident, 42% of business leaders wanting their IT security team to better communicate and 34% of C-level executives struggle to speak about adopting new security solutions.
Business Email Compromise Groups Target Firms with Multilingual Impersonation Attacks
Security providers Abnormal Security have identified two Business Email Compromise (BEC) groups “Midnight Hedgehog” and “Mandarin Capybara” which are conducting impersonation attacks in at least 13 different languages. Like many payment fraud attacks, finance managers or other executives are often targeted. In a separate report by Abnormal Security, it was found that business email compromise (BEC) attacks increased by more than 81% during 2022.
https://www.infosecurity-magazine.com/news/bec-groups-multilingual/
EU Countries Told to Step up Defence Against State Hackers
European states have raced to protect their energy infrastructure from physical attacks but the European Systemic Risk Board (ESRB) said more needed to be done against cyber warfare against financial institutions and the telecommunications networks and power grids they rely on. "The war in Ukraine, the broader geopolitical landscape and the increasing use of cyber attacks have significantly heightened the cyber threat environment," the ESRB said in a report. In addition, the ESRB highlight an increased risk of cyber attacks on the EU financial system, suggesting that stress tests and impact analyses should be carried out to identify weaknesses and measure resilience.
Cyber Criminals Exploit Fear and Urgency to Trick Consumers
Threats using social engineering to steal money, such as refund and invoice fraud and tech support scams, increased during Q4 of 2022 according to a report by software provider Avast. “At the end of 2022, we have seen an increase in human-centred threats, such as scams tricking people into thinking their computer is infected, or that they have been charged for goods they didn’t order. It’s human nature to react to urgency, fear and try to regain control of issues, and that’s where cyber criminals succeed” Avast commented.
https://www.helpnetsecurity.com/2023/02/13/cybercriminals-exploit-fear-urgency-trick-consumers/
How to Manage Third Party and Supply Chain Cyber Security Risks that are Too Costly to Ignore
Many organisations have experienced that “after the breach” feeling — the moment they realise they have to tell customers their personal information may have been compromised because one of the organisations’ vendors had a data breach. Such situations involve spending significant amount of money and time to fix a problem caused by a third party. An organisation’s ability to handle third-party cyber risk proactively depends on its risk management strategies.
https://techcrunch.com/2023/02/10/why-third-party-cybersecurity-risks-are-too-costly-to-ignore/
Russian Spear Phishing Campaign Escalates Efforts Towards Critical UK, US and European Targets
Following the advisory from the NCSC, it is clear that Russian state-sponsored hackers have become increasingly sophisticated at launching phishing attacks against critical targets in the UK, US and Europe over the last 12 months. The attacks included the creation of fake personas, supported by social media accounts, fake profiles and academic papers, to lure targets into replying to sophisticated phishing emails. In some cases, the bad actor may never leverage the account to send emails from and only use it to make decisions based on intelligence collection.
5 Biggest Risks of Using Third Party Managed Service Providers
As business processes become more complex, companies are turning to third parties to boost their ability to provide critical services from cloud storage to data management to security. It’s often more efficient and less expensive to contract out work. But it does present risks. 5 of the biggest risks to be considered are: indirect cyber attacks, financial risks from incident costs, reputational damage, geopolitical risk and regulatory compliance risk.
Cyber Crime as a Service: A Subscription Based Model in the Wrong Hands
Arguably nothing in tech has changes the landscape more than ‘as a Service’ offerings, the subscription-based IT service delivery model, in fact, the ‘as a Service’ offering has made its way into the cyber crime landscape. And cyber crime, for its part, has evolved beyond a nefarious hobby; today it’s a means of earning for cyber criminals. Organised cyber crime services are available for hire, particularly to those lacking resources and hacking expertise but willing to buy their way into cyber criminal activities. Underground cyber crime markets have thus emerged, selling cyber attack tools and services ranging from malware injection to botnet tools, Denial of Service and targeted spyware services.
https://www.splunk.com/en_us/blog/learn/cybercrime-as-a-service.html
Threats
Ransomware, Extortion and Destructive Attacks
Ransomware attackers finding new ways to weaponize old vulnerabilities | VentureBeat
US, UK slap sanctions on Russians linked to Conti and more • The Register
Clop ransomware claims it breached 130 orgs using GoAnywhere zero-day (bleepingcomputer.com)
Members of Russian cyber crime network unmasked by US and UK authorities - The Verge
Over 500 ESXiArgs Ransomware infections in one day in Europe-Security Affairs
New ESXi ransomware strain spreads, foils decryption tools | TechTarget
North Korea Using Healthcare Ransomware To Fund More Hacking (informationsecuritybuzz.com)
Cisco Talos spots new MortalKombat ransomware attacks | TechTarget
Hackers Target Israel’s Technion Demanding Huge Sum In Bitcoin - I24NEWS
City of Oakland systems offline after ransomware attack (bleepingcomputer.com)
MTU cyber breach: Probe after ransomware attacks 'like a murder investigation' (irishexaminer.com)
MTU data appears on dark web after cyber attack – The Irish Times
Oakland City Services Struggle to Recover From Ransomware Attack (darkreading.com)
Ransomware gang uses new zero-day to steal data on 1 million patients | TechCrunch
City of Oakland issued state of emergency after ransomware attack-Security Affairs
Glasgow Arnold Clark customers at risk after major cyber attack | HeraldScotland
No relief in sight for ransomware attacks on hospitals | TechTarget
Burton Snowboards cancels online orders after 'cyber incident' (bleepingcomputer.com)
Dallas Central Appraisal District paid $170,000 to ransomware attackers (bitdefender.com)
Phishing & Email Based Attacks
NameCheap's email hacked to send Metamask, DHL phishing emails (bleepingcomputer.com)
Spain, US dismantle phishing gang that stole $5 million in a year (bleepingcomputer.com)
BEC – Business Email Compromise
2FA/MFA
Malware
Experts Warn of Surge in Multipurpose Malware - Infosecurity Magazine (infosecurity-magazine.com)
Microsoft OneNote Abuse for Malware Delivery Surges - Security Week
New TA886 group targets companies with Screenshotter malware-Security Affairs
Novel phishing campaign takes screenshots ahead of payload delivery | SC Media (scmagazine.com)
Great, hackers are now using ChatGPT to generate malware | Digital Trends
Devs targeted by W4SP Stealer malware in malicious PyPi packages (bleepingcomputer.com)
Pepsi distributor blames info-stealing malware for breach • The Register
Malware that can do anything and everything is on the rise - Help Net Security
New stealthy 'Beep' malware focuses heavily on evading detection (bleepingcomputer.com)
Thousands of WordPress sites have been infected by a mystery malware | TechRadar
Beep: New Evasive Malware That Can Escape Under The Radar (informationsecuritybuzz.com)
Hackers start using Havoc post-exploitation framework in attacks (bleepingcomputer.com)
Malware authors leverage more attack techniques that enable lateral movement | CSO Online
Mobile
Botnets
Denial of Service/DoS/DDOS
Cloudflare blocks record-breaking 71 million RPS DDoS attack (bleepingcomputer.com)
87% of largest DDoS attacks in Q4 targeted telecoms: Lumen (fiercetelecom.com)
The Tor network hit by wave of DDoS attacks for at least 7 months-Security Affairs
Internet of Things – IoT
Digital burglaries: The threat from your smart home devices | Fox News
Mirai V3G4 botnet exploits 13 flaws to target IoT devices-Security Affairs
New Mirai malware variant infects Linux devices to build DDoS botnet (bleepingcomputer.com)
Data Breaches
MP’s laptop and iPad stolen from pub in 'worrying' security breach | Metro News
Reddit was hit with a phishing attack. How it responded is a lesson for everyone | ZDNET
Reddit Hack Shows Limits of MFA, Strengths of Security Training (darkreading.com)
Highmark data breach affecting about 300,000 members exposed personal information to hackers – WPXI
Gulp! Pepsi hack sees personal information stolen by data-stealing malware (bitdefender.com)
Nearly 50 million Americans impacted by health data breaches in 2022 (chiefhealthcareexecutive.com)
My Password Manager was Hacked! How to Prevent a Catastrophe (bleepingcomputer.com)
After apparent hack, data from Australian tech giant Atlassian dumped online | CyberScoop
Atlassian: Leaked Data Stolen via Third-Party App (darkreading.com)
Health info for 1 million patients stolen using critical GoAnywhere vulnerability | Ars Technica
Scandinavian Airlines says cyber attack caused passenger data leak (bleepingcomputer.com)
Organised Crime & Criminal Actors
Cyber crime as a Service: A Subscription-based Model in The Wrong Hands | Splunk
A Hacker’s Mind — how the elites exploit the system | Financial Times (ft.com)
Dark Web Revenue Down Dramatically After Hydra's Demise (darkreading.com)
Russian hacker convicted of $90 million hack-to-trade charges (bleepingcomputer.com)
Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain
Enigma, Vector, and TgToxic: The New Threats to Cryptocurrency Users (thehackernews.com)
Lazarus hackers use new mixer to hide $100 million in stolen crypto (bleepingcomputer.com)
451 PyPI packages install Chrome extensions to steal crypto (bleepingcomputer.com)
Insider Risk and Insider Threats
Fraud, Scams & Financial Crime
Russian IT biz owner made $90M from stolen financial info • The Register
Refund and Invoice Scams Surge in Q4 - Infosecurity Magazine (infosecurity-magazine.com)
Russian Hackers Disrupt NATO Earthquake Relief Operations (darkreading.com)
Romance scam targets security researcher, hilarity ensues • The Register
10 signs that scammers have you in their sights | WeLiveSecurity
AML/CFT/Sanctions
Insurance
Dark Web
Supply Chain and Third Parties
How to manage third-party cyber security risks that are too costly to ignore | TechCrunch
5 biggest risks of using third-party services providers | CSO Online
Cloud/SaaS
Cloud security: Where do CSP and client responsibilities begin and end? | VentureBeat
Application and cloud security is a shared responsibility - Help Net Security
Attack Surface Management
Open Source
Configuration Issues in SaltStack IT Tool Put Enterprises at Risk (darkreading.com)
Solving open-source security — from Alpha to Omega | SC Media (scmagazine.com)
New Mirai malware variant infects Linux devices to build DDoS botnet (bleepingcomputer.com)
Passwords, Credential Stuffing & Brute Force Attacks
Eek! You Can Steal Passwords From This Password Manager Using the Notepad App | PCMag
Eurostar forces 'password resets' — then fails and locks users out (bleepingcomputer.com)
My Password Manager was Hacked! How to Prevent a Catastrophe (bleepingcomputer.com)
Social Media
Metaverse Adds New Dimensions to Web 3.0 Cyber security | TechRepublic
Elon Musk Seems to Think His Own Employees Are Shadowbanning Him (gizmodo.com)
Malvertising
Training, Education and Awareness
High-risk users may be few, but the threat they pose is huge - Help Net Security
Reddit Hack Shows Limits of MFA, Strengths of Security Training (darkreading.com)
Regulations, Fines and Legislation
The Online Safety Bill: An attack on encryption (element.io)
As regulations skyrocket, is compliance even possible anymore? - Help Net Security
Governance, Risk and Compliance
Security buyers lack insight into threats, attackers, report finds | Computer Weekly
Cyber attacks Worldwide Increased to an All-Time High, Check Point Research Reveals - MSSP Alert
Actionable intelligence is the key to better security outcomes - Help Net Security
Build Cyber Resiliency With These Security Threat-Mitigation Considerations (darkreading.com)
Evolving cyber attacks, alert fatigue creating DFIR burnout, regulatory risk | CSO Online
As regulations skyrocket, is compliance even possible anymore? - Help Net Security
Storage security for compliance and cyberwar in 2023 • The Register
Backup and Recovery
Careers, Working in Cyber and Information Security
Get hired in cyber security: Expert tips for job seekers - Help Net Security
3 Ways CISOs Can Lead Effectively and Avoid Burnout (darkreading.com)
Cyber security Jobs Remain Secure Despite Recession Fears (darkreading.com)
Law Enforcement Action and Take Downs
Members of Russian cyber crime network unmasked by US and UK authorities - The Verge
Spain, US dismantle phishing gang that stole $5 million in a year (bleepingcomputer.com)
Privacy, Surveillance and Mass Monitoring
Artificial Intelligence
Russian hackers are trying to break into ChatGPT, says Check Point | ZDNET
Cyber criminals Bypass ChatGPT Restrictions to Generate Malicious Content - Check Point Software
Great, hackers are now using ChatGPT to generate malware | Digital Trends
Eric Schmidt Is Building the Perfect AI War-Fighting Machine | WIRED
A.I. in the military could be a game changer in warfare | Fortune US issues declaration on responsible use of AI in the military | Reuters
Misinformation, Disinformation and Propaganda
Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine
EU countries told to step up defence against state hackers | Reuters
Britain must ‘wake up’ to China security challenges, ex-MI6 head says | The Independent
Hacks, leaks and wipers: Google analyses a year of Russian cyber attacks on Ukraine | Cyber scoop
Google: Russia continues to set cyber sights on NATO nations | TechTarget
US shoots down ‘high-altitude object’ above Alaska | Financial Times (ft.com)
Military Organizations in Pakistan Targeted With Sophisticated Espionage Tool - security Week
SpaceX curbed Ukraine's use of Starlink terminals - Militarnyi
US shoots down ‘octagonal’ flying object near military sites in Michigan | US news | The Guardian
Six companies join US entity list after Chinese spy balloon • The Register
How Alan Turing still casts his genius in the age of cyberwar | Metro News
US warns its citizens in Russia to get out immediately over security fears | Euronews
Russian Hackers Disrupt NATO Earthquake Relief Operations (darkreading.com)
Ukraine’s use of SpaceX satellites risks starting World War Three, says Elon Musk (telegraph.co.uk)
Eric Schmidt Is Building the Perfect AI War-Fighting Machine | WIRED
Albanian gangs set up hundreds of spy cameras to keep ahead of police | Financial Times (ft.com)
A.I. in the military could be a game changer in warfare | Fortune
Chinese cameras leave British police vulnerable to spying, says watchdog | Espionage | The Guardian
China-based cyber espionage actor seen targeting South America | CSO Online
The Lessons From Cyberwar, Cyber-in-War and Ukraine - security Week
Storage security for compliance and cyberwar in 2023 • The Register
Nation State Actors
EU countries told to step up defence against state hackers | Reuters
Britain must ‘wake up’ to China security challenges, ex-MI6 head says | The Independent
Hacks, leaks and wipers: Google analyses a year of Russian cyber attacks on Ukraine | CyberScoop
Google: Russia continues to set cyber sights on NATO nations | TechTarget
Military Organizations in Pakistan Targeted With Sophisticated Espionage Tool - Security Week
MagicWeb Mystery Highlights Nobelium Attacker's Sophistication (darkreading.com)
Russian hackers are trying to break into ChatGPT, says Check Point | ZDNET
Six companies join US entity list after Chinese spy balloon • The Register
Lazarus hackers use new mixer to hide $100 million in stolen crypto (bleepingcomputer.com)
Russian Hackers Disrupt NATO Earthquake Relief Operations (darkreading.com)
Chinese Hackers Targeting South American Diplomatic Entities with ShadowPad (thehackernews.com)
Ukraine’s use of SpaceX satellites risks starting World War Three, says Elon Musk (telegraph.co.uk)
Chinese cameras leave British police vulnerable to spying, says watchdog | Espionage | The Guardian
China-based cyber espionage actor seen targeting South America | CSO Online
UK Policing Riddled with Chinese CCTV Cameras - Infosecurity Magazine (infosecurity-magazine.com)
A new operating system has been released in Russia! (gizchina.com)
Vulnerability Management
Vulnerabilities
Microsoft Patch Tuesday: 36 RCE bugs, 3 zero-days, 75 CVEs – Naked Security (sophos.com)
Citrix Patches High-Severity Vulnerabilities in Windows, Linux Apps - Security Week
Adobe Plugs Critical Security Holes in Illustrator, After Effects Software - Security Week
Apple releases new fix for iPhone zero-day exploited by hackers | TechCrunch
Firefox Updates Patch 10 High-Severity Vulnerabilities - Security Week
Critical RCE Vulnerability Discovered in ClamAV Open-Source Antivirus Software (thehackernews.com)
Microsoft says Intel driver bug crashes apps on Windows PCs (bleepingcomputer.com)
Serious Security: GnuTLS follows OpenSSL, fixes timing attack bug – Naked Security (sophos.com)
Splunk Enterprise Updates Patch High-Severity Vulnerabilities - Security Week
Dozens of Vulnerabilities Patched in Intel Products - Security Week
High-severity DLP flaw impacts Trellix for Windows | SC Media (scmagazine.com)
Critical Vulnerability Patched in Cisco Security Products - Security Week
Health info for 1 million patients stolen using critical GoAnywhere vulnerability | Ars Technica
Tools and Controls
A CISOs Practical Guide to Storage and Backup Ransomware Resiliency (thehackernews.com)
Combining identity and security strategies to mitigate risks - Help Net Security
Defending against attacks on Azure AD: Goodbye firewall, hello identity protection | CSO Online
Regular Pen Testing Is Key to Resolving Conflict Between SecOps and DevOps (thehackernews.com)
Attack surface management (ASM) is not limited to the surface - Help Net Security
How to filter Security log events for signs of trouble | TechTarget
Sector Specific
Industry specific threat intelligence reports are available.
Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.
· Automotive
· Construction
· Critical National Infrastructure (CNI)
· Defence & Space
· Education & Academia
· Energy & Utilities
· Estate Agencies
· Financial Services
· FinTech
· Food & Agriculture
· Gaming & Gambling
· Government & Public Sector (including Law Enforcement)
· Health/Medical/Pharma
· Hotels & Hospitality
· Insurance
· Legal
· Manufacturing
· Maritime
· Oil, Gas & Mining
· OT, ICS, IIoT, SCADA & Cyber-Physical Systems
· Retail & eCommerce
· Small and Medium Sized Businesses (SMBs)
· Startups
· Telecoms
· Third Sector & Charities
· Transport & Aviation
· Web3
Black Arrow Cyber Threat Briefing 03 February 2023
Black Arrow Cyber Threat Briefing 03 February 2023:
-Business Leaders Need a Hands-on Approach to Stop Cyber Crime, Says Spy Chief
-Rising ‘Firebrick Ostrich’ BEC Group Launches Industrial Scale Cyber Attacks
-The Corporate World is Losing its Grip on Cyber Risk
-Microsoft Reveals Over 100 Threat Actors are Deploying Ransomware in Attacks
-Greater Incident Complexity, a Shift in How Threat Actors Use Stolen Data Will Drive the Cyber Threat Landscape in 2023
-The Threat from Within: 71% of Business Leaders Surveyed Think Next Cyber Security Breach Will come from the Inside
-98% of Organisations Have a Supply Chain Relationship That Has Been Breached
-New Survey Reveals 40% of Companies Experienced a Data Leak in the Past Year
-Russian Hackers Launch Cyber Attack on Germany in Leopard Tank Retaliation
-Financial Services Targeted in 28% of UK Cyber Attacks Last Year
-Phishing Attacks are Getting Scarily Sophisticated. Here’s what to Watch Out For
-City of London on High Alert After Ransomware Attack
-Ransomware Conversations: Why the CFO is Pivotal to Discussing and Preparing for Risk
-JD Sports Warns of 10 Million Customers Put at Risk in Cyber Attack
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
Business Leaders Need a Hands-on Approach to Stop Cyber Crime, Says Spy Chief
Business leaders must not see cyber crime as “just a technical issue” that can be left up to IT departments, said Lindy Cameron, chief executive of the National Cyber Security Centre (NCSC). Ms Cameron later commented that “In the world of cyber security, the new year has brought with it some sadly familiar themes - a continuation of cyber incidents affecting organisations large and small as well as the British public”.
Along with this, came the urge for business leaders to step up their efforts in combating cyber crime by taking an active interest and educating themselves on the subject. When commenting upon board members’ level of understanding, Ms Cameron said “I’d also encourage board members to develop a basic understanding of cyber security, which can help when seeking assurances from IT teams about the resilience of an organisation - in a similar way that leaders have a certain level of understanding of finance to assess financial health”.
Rising ‘Firebrick Ostrich’ BEC Group Launches Industrial Scale Cyber Attacks
Business email compromise (BEC) has become one of the most popular methods of financially motivated hacking. And over the past year, one group in particular has demonstrated just how quick, easy, and lucrative it really is.
"Firebrick Ostrich" is a threat actor that's been performing BEC at a near-industrial scale. Since April 2021, the group has carried out more than 350 BEC campaigns, impersonating 151 organisations and utilising 212 malicious domains in the process. This volume of attacks is made possible by the group's wholesale gunslinging approach. Firebrick Ostrich doesn't discriminate much when it comes to targets, or gather exceptional intelligence in order to craft the perfect phishing bait. It throws darts at a wall because, evidently, when it comes to BEC at scale, that's enough.
BEC is attractive to bad actors due to the lower barriers to entry than malware, less risk, faster scaling opportunities, and way more profit potential to higher echelons than other methods of attack. These factors may explain why such attacks are absolutely the emerging trend, potentially even leaving even ransomware in the dust. There are literally hundreds, if not thousands, of these groups out there.
The Corporate World is Losing its Grip on Cyber Risk
Lloyd's of London’s insurance market prides itself on being able to put a price on anything, from Tina Turner’s legs or Bruce Springsteen’s vocal cords, to the risk that a bounty hunter might claim the reward from Cutty Sark Whisky in the 1970s for capturing the Loch Ness monster.
But from the end of March, there will be something it won’t price: systemic cyber risk, or the type of major, catastrophic disruption caused by state-backed cyber warfare. In one sense, this isn’t surprising. Insurance policies typically exclude acts of war. Russia’s NotPetya attack on Ukraine in 2017 showed how state-backed cyber assaults can surpass traditional definitions of armed conflict and overspill their sovereign target to hit global businesses. It caused an estimated $10bn in damages and years of wrangling between companies like pharma group Merck and snack maker Mondelez and their insurers.
But the move is prompting broader questions about the growing pains in this corner of the insurance world. “Cyber insurance isn’t working anywhere at the moment as a public good for society,” says Ciaran Martin, former head of the UK National Cyber Security Centre. “It has a huge role to play in improving defences in a market-based economy and it has been a huge disappointment in that sense so far.”
The Lloyd’s move is designed, say insurers, to clarify rather than restrict coverage. Whether it succeeds is another matter: this is a murky world, where cyber crime groups operate with impunity in certain jurisdictions.
https://www.ft.com/content/78bfdf29-1e20-4c12-a348-06e98d5ae906
Microsoft Reveals Over 100 Threat Actors are Deploying Ransomware in Attacks
Microsoft revealed this week that its security teams are tracking over 100 threat actors deploying ransomware during attacks. In all, the company says it monitors over 50 unique ransomware families, with some of the most prominent ransomware payloads in recent campaigns including Lockbit, BlackCat (aka ALPHV), Play, Vice Society, Black Basta, and Royal.
Microsoft said that defence strategies should focus less on payloads themselves but more on the chain of activities that lead to their deployment, since ransomware gangs are still targeting servers and devices not yet patched against common or recently addressed vulnerabilities.
Furthermore, while new ransomware families launch all the time, most threat actors utilise the same tactics when breaching and spreading through networks, making the effort of detecting such behaviour even more helpful in thwarting their attacks.
Attackers are increasingly relying on tactics beyond phishing to conduct their attacks, with threat actors for example capitalising on recently patched Exchange Server vulnerabilities to hack vulnerable servers and deploy Cuba and Play ransomware.
Ransomware Conversations: Why the CFO is Pivotal to Discussing and Preparing for Risk
With the amount of cyber attacks in all industries, organisations are beginning to grasp the significance of cyber risk and how it is integral to protecting and maintaining an efficient business. In fact, the first half of 2022 alone saw 236.1 million cases of ransomware.
Whilst the expectation for responsibility has typically fallen on Chief Information Security Officers (CISOs), Chief Financial Officers (CFOs) are just as vital in managing cyber risk, which is now inherently also business risk. The CFO plays an important part in determining whether cyber security incidents will become material and affect the business more seriously. Their insight is critical across many areas which include ransomware, cyber insurance, regulatory compliance and budget management.
Greater Incident Complexity, a Shift in How Threat Actors Use Stolen Data Will Drive the Cyber Threat Landscape in 2023
Insurance provider Beazley released their Cyber Services Snapshot Report which claims the cyber security landscape will be influenced by greater complexity and the way threat actors use stolen data. The report also found that as a category, fraudulent instruction experienced a growth as a cause of loss in 2022, up 13% year-over year.
In response to vulnerabilities such as fraudulent instructions, the report suggests organisations must get smarter about educating users to spot things such as spoofed emails or domain names. The report also cautions organisations to watch for social engineering, spear phishing, bypassing of multi-factor authentication (MFA), targeting of managed service providers (MSP) and the compromise of cloud environments as areas of vulnerability.
The Threat from Within: 71% of Business Leaders Surveyed Think Next Cyber Security Breach Will Come from the Inside
A survey conducted by IT provider EisnerAmper found that 71% of business executives worry about accidental internal staff error as one of the top threats facing their organisation and 23% of these worried about malicious intent by an employee. In comparison, 75% of business executives had concerns about external hackers. The survey also asked about current safety measures, with 51% responding that they were “somewhat prepared”. Despite this, only 50% of respondents reported conducting regular cyber security training.
98% of Organisations Have a Supply Chain Relationship That Has Been Breached
A report from SecurityScorecard found that 98% of organisations have a relationship with at least one third party that has experienced a breach in the last two years, while more than 50% have an indirect relationship with more than 200 fourth parties that have been breached. Of course, this is keeping in mind that not all organisations disclose or even know they have been breached.
New Survey Reveals 40% of Companies Experienced a Data Leak in the Past Year
Software provider SysKit has published a report on the effects of digital transformation on IT administrators and the current governance landscape. The report found that 40% of organisations experienced a data leak in the previous year. A data leak can have severe consequences on an organisation's efficiency and the impact can lead to large fines, downtime, and loss of business-critical certifications and customers.
In addition, the Survey found that the biggest challenge for IT administrators was a lack of understanding from superiors, huge workloads and misalignment of IT and business strategies.
Russian Hackers Launch Cyber Attack on Germany in Leopard Tank Retaliation
The websites of key German administrations, including companies and airports, have been targeted by cyber attacks, the German Federal Office for Information Security (BSI) stated.
The BSI commented they had been informed of DDoS (distributed denial of service) attacks “currently in progress against targets in Germany". This was followed by the statement that “Individual targets in the financial sector” and federal government sites were also attacked, with some websites becoming temporarily unavailable. It is believed that this is due to the approved deployment of Leopard 2 tanks to Ukraine, with Russian hacker site Killnet taking credit.
Financial Services Targeted in 28% of UK Cyber Attacks Last Year
Based on data from security provider Imperva, security researchers have identified that over a quarter (28%) of all cyber attacks in the UK hit the financial services and insurance (FSI) industry in the last 12 months. The data also found that Application Programme Interface (API) attacks, malicious automated software and distributed denial of service (DDoS) attacks were the most challenging for the industry. In addition, the data found that roughly 40% of all account takeover attempts were targeted at the FSI industry.
https://www.infosecurity-magazine.com/news/quarter-cyber-attacks-uk-financial/
Phishing Attacks are Getting Scarily Sophisticated. Here’s What to Watch Out For
Hackers are going to great lengths, including mimicking real people and creating and updating fake social media profiles, to trick victims into clicking phishing links and handing over usernames and passwords. The National Cyber Security Centre (NCSC) warns that these phishing attacks are targeting a range of sectors.
The NCSC has also released mitigation advice to help organisations and individuals protect themselves online. The mitigation advice included the use of strong passwords, separate to other accounts; enabling multi-factor authentication (MFA); and applying the latest security updates.
City of London on High Alert After Ransomware Attack
A suspected ransomware attack on a key supplier of trading software to the City of London this week appears to have disrupted activity in the derivatives market. The company impacted, Ion Cleared Derivatives, is investigating. It is reported that 42 clients were impacted by the attack.
https://www.infosecurity-magazine.com/news/city-of-london-high-alert/
JD Sports Warns of 10 Million Customers Put at Risk in Cyber Attack
Sportswear retailer JD Sports said it was the victim of a cyber attack that exposed the data of 10 million customers, in the latest spate of hacks on UK companies.
JD Sports explained that the attack involved unauthorised access to a system that contained “the name, billing address, delivery address, phone number, order details and the final four digits of payment cards”. The data related to customers’ orders made between November 2018 and October 2020, with outdoor gear companies Millets and Blacks also impacted. A full review with cyber security and external specialists is underway.
https://www.ft.com/content/afe00f2f-afcd-478f-9e4d-1cf9c943fa79
Threats
Ransomware, Extortion and Destructive Attacks
City Of London Traders Hit By Russia-Linked Cyber Attack (informationsecuritybuzz.com)
New Nevada Ransomware targets Windows and VMware ESXi systems (bleepingcomputer.com)
US puts a $10m bounty on Hive while Russia shuts down access • The Register
Copycat Criminals mimicking Lockbit gang in northern Europe security affairs
Most criminal cryptocurrency is funneled through just 5 exchanges | Ars Technica
Cyber Attack Hits Derivatives Unit of Trading Software Firm ION - Bloomberg
Regulators weigh in on ION attack as LockBit takes credit • The Register
New Mimic Ransomware Abuses Windows Search Engine (cyber securitynews.com)
Stratford University discloses ransomware attack — but which ransomware attack? (databreaches.net)
Schools don't pay, but ransomware attacks still increasing | TechTarget
Poser Hackers Impersonate LockBit in SMB Cyber attacks (darkreading.com)
Risk & Repeat: The FBI's Hive ransomware takedown | TechTarget
Nevada Ransomware Has Released Upgraded Locker security affairs
LockBit Green ransomware variant borrows code from Conti one security affairs
Arnold Clark customer data stolen in attack claimed by Play ransomware (bleepingcomputer.com)
Ransomware attacks on public sector persist in January | TechTarget
Ransomware attack on data firm ION could take days to fix -sources | Reuters
APT groups use ransomware TTPs as cover for intelligence gathering and sabotage | CSO Online
Phishing & Email Based Attacks
Phishing attacks are getting scarily sophisticated. Here's what to watch out for | ZDNET
Rising ‘Firebrick Ostrich’ BEC Group Launches Industrial-Scale Cyber attacks (darkreading.com)
Porsche halts NFT launch, phishing sites fill the void (bleepingcomputer.com)
Phishers Trick Microsoft Into Granting Them 'Verified' Cloud Partner Status (darkreading.com)
BEC – Business Email Compromise
Other Social Engineering; Smishing, Vishing, etc
2FA/MFA
Malware
How Can Disrupting DNS Communications Thwart a Malware Attack? (darkreading.com)
Hackers use new IceBreaker malware to breach gaming companies (bleepingcomputer.com)
New Threat: Stealthy HeadCrab Malware Compromised Over 1,200 Redis Servers (thehackernews.com)
PoS malware can block contactless payments to steal credit cards (bleepingcomputer.com)
HeadCrab malware targets Redis to mine cryptocurrency | TechTarget
Malvertising attacks are distributing .NET malware loaders • The Register
Hackers weaponize Microsoft Visual Studio add-ins to push malware (bleepingcomputer.com)
Mobile
Google Fi data breach let hackers carry out SIM swap attacks (bleepingcomputer.com)
Over 1,800 Android phishing forms for sale on cyber crime market (bleepingcomputer.com)
Mobile phone fraud: 'They stole £22,500 using my banking app' - BBC News
Botnets
Denial of Service/DoS/DDOS
Killnet Attackers DDoS US and Dutch Hospitals - Infosecurity Magazine (infosecurity-magazine.com)
New DDoS-as-a-Service platform used in recent attacks on hospitals (bleepingcomputer.com)
Internet of Things – IoT
IoT, connected devices biggest contributors to expanding application attack surface | CSO Online
European IoT Manufacturers Lag in Vulnerability Disclosure (databreachtoday.co.uk)
Anker finally comes clean about its Eufy security cameras - The Verge
Data Breaches/Leaks
JD Sports warns data of 10mn customers put at risk in cyber attack | Financial Times (ft.com)
New Survey Reveals 40% of Companies Experienced a Data Leak in the Past Year (darkreading.com)
Planet Ice hacked! 240,000 skating fans' details stolen (bitdefender.com)
Organised Crime & Criminal Actors
Cyber crime job ads on the dark web pay up to $20k per month (bleepingcomputer.com)
Most criminal cryptocurrency is funneled through just 5 exchanges | Ars Technica
Cyber crime Ecosystem Spawns Lucrative Underground Gig Economy (darkreading.com)
Cyber crime job ads on the dark web pay up to $20k per month (bleepingcomputer.com)
Developers, Attackers Top List of Most In Demand Dark Web Jobs, Kaspersky Reports - MSSP Alert
Report on hackers' salaries shows poor wages for developers • The Register
6 Examples of the Evolution of a Scam Site (darkreading.com)
Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain
Most criminal cryptocurrency is funneled through just 5 exchanges | Ars Technica
FBI: North Korea’s Lazarus Group behind $100m crypto attack • The Register
Oxford student jailed for £2m crypto theft after PhD blunder | News | The Times
Porsche halts NFT launch, phishing sites fill the void (bleepingcomputer.com)
Crypto theft: North Korea-linked hackers stole $1.7b in 2022 - BBC News
HeadCrab malware targets Redis to mine cryptocurrency | TechTarget
Insider Risk and Insider Threats
Insider attacks becoming more frequent, more difficult to detect - Help Net Security
Are Your Employees Thinking Critically About Their Online Behaviours? (darkreading.com)
The next cyber threat may come from within - Help Net Security
Insider threats: The cyber risks lurking in the dark (betanews.com)
Former Ubiquiti dev pleads guilty to data theft, extortion • The Register
Fraud, Scams & Financial Crime
FBI: North Korea’s Lazarus Group behind $100m crypto attack • The Register
Oxford student jailed for £2m crypto theft after PhD blunder | News | The Times
Porsche halts NFT launch, phishing sites fill the void (bleepingcomputer.com)
Russian Millionaire on Trial in Hack, Insider Trade Scheme - SecurityWeek
6 Examples of the Evolution of a Scam Site (darkreading.com)
Mobile phone fraud: 'They stole £22,500 using my banking app' - BBC News
Crypto theft: North Korea-linked hackers stole $1.7b in 2022 - BBC News
Romance fraud losses rose 91% during the pandemic, claims UK's TSB bank | Tripwire
Romance Fraudsters Have Stolen £65m From Brits Since 2020 (informationsecuritybuzz.com)
Impersonation Attacks
AML/CFT/Sanctions
Insurance
Dark Web
There’s a Wild Scramble for Control of the Dark Web Taking Place in Russia (vice.com)
Cyber crime job ads on the dark web pay up to $20k per month (bleepingcomputer.com)
Developers, Attackers Top List of Most In Demand Dark Web Jobs, Kaspersky Reports - MSSP Alert
Report on hackers' salaries shows poor wages for developers • The Register
Supply Chain and Third Parties
98% of Firms Have a Supply Chain Relationship That Has Been Breached: Analysis - SecurityWeek
Cyber attack Impact “Catastrophic” for Third Parties, New Study Finds MSSPs at Risk? - MSSP Alert
New “MITRE ATT&CK-like” framework outlines software supply chain attack TTPs | CSO Online
CISA to Open Supply Chain Risk Management Office (darkreading.com)
Cloud/SaaS
Misconfiguration and vulnerabilities biggest risks in cloud security: Report | CSO Online
Hybrid cloud storage security challenges - Help Net Security
Short-staffed SOCs struggle to gain visibility into cloud activities - Help Net Security
Containers
Encryption
Serious Security: The Samba logon bug caused by outdated crypto – Naked Security (sophos.com)
Encryption Explained: At Rest, In Transit & End-To-End Encryption | Splunk
Cyber Insights 2023 | Quantum Computing and the Coming Cryptopocalypse - SecurityWeek
API
The emergence of trinity attacks on APIs - Help Net Security
API management (APIM): What It Is and Where It’s Going security affairs
Open Source
Passwords, Credential Stuffing & Brute Force Attacks
Bitwarden Password Manager users are being targeted by phishing ads on Google- gHacks Tech News
KeePass disputes vulnerability allowing stealthy password theft (bleepingcomputer.com)
Social Media
Inside TikTok’s proposal to address US national security concerns | CyberScoop
Facebook Bug Allows 2FA Bypass Via Instagram (darkreading.com)
Malvertising
Training, Education and Awareness
Regulations, Fines and Legislation
Regulators weigh in on ION attack as LockBit takes credit • The Register
New UN cyber crime convention has a long way to go in a tight timeframe | CSO Online
Governance, Risk and Compliance
Business leaders need hands-on approach to stop cyber crime, says spy chief (telegraph.co.uk)
New Survey Reveals 40% of Companies Experienced a Data Leak in the Past Year (darkreading.com)
70% of CIOs anticipate their involvement in cyber security to increase - Help Net Security
Cyber security Budgets Are Going Up. So Why Aren't Breaches Going Down? (thehackernews.com)
The corporate world is losing its grip on cyber risk | Financial Times (ft.com)
Careers, Working in Cyber and Information Security
The Effect of Cyber security Layoffs on Cyber security Recruitment - SecurityWeek
Economic headwinds could deepen the cyber security skills shortage | CSO Online
Law Enforcement Action and Take Downs
7 Ways Hive Ransomware Gang Caused Chaos Before FBI Hacked It (gizmodo.com)
US puts a $10m bounty on Hive while Russia shuts down access • The Register
Hacker accused of having stolen personal data of all Austrians security affairs
Risk & Repeat: The FBI's Hive ransomware takedown | TechTarget
Privacy, Surveillance and Mass Monitoring
On Data Privacy Day, Organisations Fail Data Privacy Expectations (darkreading.com)
Hacker accused of having stolen personal data of all Austrians security affairs
Enterprises Need to Do More to Assure Consumers About Privacy (darkreading.com)
Artificial Intelligence
Foreign states already using ChatGPT maliciously, UK IT leaders believe | CSO Online
OpenAI releases tool to detect AI-written text (bleepingcomputer.com)
Reality check: Is ChatGPT really the next big cyber security threat? | CyberScoop
Misinformation, Disinformation and Propaganda
Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine
Iranian APT Leaks Data From Saudi Arabia Government Under New Persona - SecurityWeek
Ukraine Links Media Centre Attack to Russian Intelligence (govinfosecurity.com)
Russia-Linked APT29 Uses New Malware in Embassy Attacks - SecurityWeek
Russia's Sandworm APT Launches Swarm of Wiper Attacks in Ukraine (darkreading.com)
Russia-linked Hackers Launch DDoS Attacks on Germany and US. Hospitals, Threaten Canada - MSSP Alert
Latvia says Russian hackers tried to phish its Ministry of Defence (bitdefender.com)
Inside Killnet: Pro-Russia Hacktivist Group's Support and Influence Grows (darkreading.com)
Crypto theft: North Korea-linked hackers stole $1.7b in 2022 - BBC News
North Korean hackers stole research data in two-month-long breach (bleepingcomputer.com)
APT groups use ransomware TTPs as cover for intelligence gathering and sabotage | CSO Online
Nation State Actors
Nation State Actors – Russia
Russian Nuisance Hacking Group KillNet Targets Germany (govinfosecurity.com)
Russian hackers launch cyber attack on Germany in Leopard retaliation | Euronews
Ukraine Links Media Centre Attack to Russian Intelligence (govinfosecurity.com)
A Link to News Site Meduza Can (Technically) Land You in Russian Prison | WIRED
Russia-Linked APT29 Uses New Malware in Embassy Attacks - SecurityWeek
Russia's Sandworm APT Launches Swarm of Wiper Attacks in Ukraine (darkreading.com)
Russia-linked Hackers Launch DDoS Attacks on Germany and US. Hospitals, Threaten Canada - MSSP Alert
Latvia says Russian hackers tried to phish its Ministry of Defence (bitdefender.com)
Killnet Attackers DDoS US and Dutch Hospitals - Infosecurity Magazine (infosecurity-magazine.com)
IT Army of Ukraine gained access to 1.5GB archive from Gazprom security affairs
There’s a Wild Scramble for Control of the Dark Web Taking Place in Russia (vice.com)
Inside Killnet: Pro-Russia Hacktivist Group's Support and Influence Grows (darkreading.com)
Nation State Actors – China
Google deletes 50,000 pro-China fake-news vids and blogs • The Register
TikTok CEO to testify before US. Congress over security concerns | Reuters
Nation State Actors – North Korea
FBI: North Korea’s Lazarus Group behind $100m crypto attack • The Register
Crypto theft: North Korea-linked hackers stole $1.7b in 2022 - BBC News
North Korean hackers stole research data in two-month-long breach (bleepingcomputer.com)
Nation State Actors – Iran
Nation State Actors – Misc
Vulnerability Management
The future of vulnerability management and patch compliance - Help Net Security
What is the CVSS (Common Vulnerability Scoring System)? (techtarget.com)
Vulnerabilities
Researchers to release VMware vRealize Log RCE exploit, patch now (bleepingcomputer.com)
Patch management is crucial to protect Exchange servers, Microsoft warns security affairs
QNAP Fixes Critical Vulnerability in NAS Devices with Latest Security Updates (thehackernews.com)
Over 29,000 QNAP devices unpatched against new critical flaw (bleepingcomputer.com)
Firmware Flaws Could Spell 'Lights Out' for Servers (darkreading.com)
Why you might not be done with your January Microsoft security patches | CSO Online
HPE, NetApp warn of critical open-source bug | SC Media (scmagazine.com)
High-severity bug in F5 BIG-IP can lead to code execution and DoS security affairs
Cisco fixes bug allowing backdoor persistence between reboots (bleepingcomputer.com)
CISA Alert: Oracle E-Business Suite and SugarCRM Vulnerabilities Under Attack (thehackernews.com)
Threat activity increasing around Fortinet VPN vulnerability | TechTarget
Remote code execution exploit chain available for VMware vRealize Log Insight | CSO Online
Tools and Controls
Other News
We can't rely on goodwill to protect our critical infrastructure - Help Net Security
Playing Military Sim War Thunder May Get You Classed as a National Security Risk
Cyber attacks in space: How safe are our satellites? | Metro News
Massive Microsoft 365 outage caused by WAN router IP change (bleepingcomputer.com)
Sector Specific
Industry specific threat intelligence reports are available.
Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.
· Automotive
· Construction
· Critical National Infrastructure (CNI)
· Defence & Space
· Education & Academia
· Energy & Utilities
· Estate Agencies
· Financial Services
· FinTech
· Food & Agriculture
· Gaming & Gambling
· Government & Public Sector (including Law Enforcement)
· Health/Medical/Pharma
· Hotels & Hospitality
· Insurance
· Legal
· Manufacturing
· Maritime
· Oil, Gas & Mining
· OT, ICS, IIoT, SCADA & Cyber-Physical Systems
· Retail & eCommerce
· Small and Medium Sized Businesses (SMBs)
· Startups
· Telecoms
· Third Sector & Charities
· Transport & Aviation
· Web3
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Threat Briefing 06 January 2023
Black Arrow Cyber Threat Briefing 06 January 2023:
-Cyber War in Ukraine, Ransomware Fears Drive Surge in Demand for Threat Intelligence Tools
-Cyber Premiums Holding Firms to Ransom
-Ransomware Ecosystem Becoming More Diverse For 2023
-Attackers Evolve Strategies to Outmanoeuvre Security Teams
-Building a Security-First Culture: The Key to Cyber Success
-Adobe, Apple, Cisco, Microsoft Flaws Make Up Half of Known Exploited Vulnerabilities Catalogue
-First LastPass, Now Slack and CircleCI. The Hacks Go On (and will likely worsen)
-Data of 235 Million Twitter Users Leaked Online
-16 Car Makers, including BMW, Ferrari, Ford, Honda, Kia, Land Rover, Mercedes and Toyota, and Their Vehicles Hacked via Telematics, APIs, Infrastructure
-Ransomware Gang Apologizes, Gives SickKids Hospital Free Decryptor
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
Cyber War in Ukraine, Ransomware Fears Drive 2022 Surge in Demand for Threat Intelligence Tools
Amid the heightened fear of ransomware in 2022, threat intelligence emerged as a core requirement of doing business in a world gone mad.
A sizable amount of interest in the historically tech-centric discipline was fuelled in part by fear of cyber attacks tied to the war between Russia and Ukraine. In one example, the Ukrainian government warned the world that the Russian military was planning for multi-pronged attacks targeting the energy sector. Other nation-state cyber attack operations also contributed to the demand, including one June 2022 incident were Iran’s Cobalt Mirage exploited PowerShell vulnerabilities to launch ransomware attacks.
And of course, headlines of data breaches tied to vulnerabilities that organisations did not even know existed within their networks caught the attention not just of security teams, but the C-Suite and corporate board. A misconfigured Microsoft server, for example, wound up exposing years of sensitive data for tens of thousands of its customers, including personally identifiable information, user data, product and project details and intellectual property.
Indeed, according to 183 security pros surveyed by CyberRisk Alliance Business Intelligence in June 2022, threat intelligence has become critical in arming their security operations centres (SOCs) and incident response teams with operational data to help them make timely, informed decisions to prevent system downtime, thwart the theft of confidential data, and protect intellectual property.
Threat intelligence has emerged as a useful tool for educating executives. Many also credited threat intelligence for helping them protect their company and customer data — and potentially saving their organisation's reputation.
Cyber Premiums Holding Firms to Ransom
Soaring premiums for cyber security insurance are leaving businesses struggling to pay other bills, a key industry player has warned.
Mactavish, which buys insurance policies on behalf of companies, said that more than half of big businesses that had bought cyber security insurance had been forced to make cuts elsewhere to pay for it.
In a survey of 200 companies with a turnover above £10 million, Mactavish found that businesses were reducing office costs and staff bonuses and were cutting other types of insurance to meet the higher payments.
Last month Marsh, an insurance broker, revealed that costs for cyber insurance had increased by an average of 66 per cent in the third quarter compared with last year.
Meanwhile, the risk to businesses from hackers continues to rise. A government report on digital threats, published this month, showed the proportion of businesses experiencing cyber security incidents at least monthly had increased from 53 per cent to 60 per cent in the past year. Uber, Cisco and InterContinental Hotels Group were among high-profile targets this year.
https://www.thetimes.co.uk/article/cyber-safety-premiums-hold-firms-to-ransom-tnrsz3vs2
Ransomware Ecosystem Becoming More Diverse for 2023
The ransomware ecosystem has changed significantly in 2022, with attackers shifting from large groups that dominated the landscape toward smaller ransomware-as-a-service (RaaS) operations in search of more flexibility and drawing less attention from law enforcement. This democratisation of ransomware is bad news for organisations because it also brought in a diversification of tactics, techniques, and procedures (TTPs), more indicators of compromise (IOCs) to track, and potentially more hurdles to jump through when trying to negotiate or pay ransoms.
Since 2019 the ransomware landscape has been dominated by big and professionalised ransomware operations that constantly made the news headlines and even looked for media attention to gain legitimacy with potential victims. We've seen ransomware groups with spokespeople who offered interviews to journalists or issued "press releases" on Twitter and their data leak websites in response to big breaches.
The DarkSide attack against Colonial Pipeline that led to a major fuel supply disruption along the US East Coast in 2021 highlighted the risk that ransomware attacks can have against critical infrastructure and led to increased efforts to combat this threat at the highest levels of government. This heightened attention from law enforcement made the owners of underground cyber crime forums reconsider their relationship with ransomware groups, with some forums banning the advertising of such threats. DarkSide ceased operations soon thereafter and was followed later in the year by REvil, also known as Sodinokibi, whose creators were indicted and one was even arrested. REvil was one of the most successful ransomware groups since 2019.
Russia's invasion of Ukraine in February 2022 quickly put a strain on the relationship between many ransomware groups who had members and affiliates in both Russia and Ukraine, or other former USSR countries. Some groups, such as Conti, rushed to take sides in the war, threatening to attack Western infrastructure in support of Russia. This was a departure from the usual business-like apolitical approach in which ransomware gangs had run their operations and drew criticism from other competing groups.
This was also followed by a leak of internal communications that exposed many of Conti's operational secrets and caused uneasiness with its affiliates. Following a major attack against the Costa Rican government the US State Department put up a reward of $10 million for information related to the identity or location of Conti's leaders, which likely contributed to the group's decision to shut down operations in May.
Conti's disappearance led to a drop in ransomware activity for a couple of months, but it didn't last long as the void was quickly filled by other groups, some of them newly set up and suspected to be the creation of former members of Conti, REvil and other groups that ceased operations over the past two years.
Attackers Evolve Strategies to Outmanoeuvre Security Teams
Attackers are expected to broaden their targeting strategy beyond regulated verticals such as financial services and healthcare. Large corporations (41%) will be the top targeted sector for cyber attacks in 2023, favoured over financial institutions (36%), government (14%), healthcare (9%), and education (8%), according to cyber security solution provider Titaniam.
The fast pace of change has introduced new vulnerabilities into corporate networks, making them an increasingly attractive target for cyber attackers. To compete in the digital marketplace, large companies are adopting more cloud services, aggregating data, pushing code into production faster, and connecting applications and systems via APIs.
As a result, misconfigured services, unprotected databases, little-tested applications, and unknown and unsecured APIs abound, all of which can be exploited by attackers.
The top four threats in 2022 were malware (30%), ransomware and extortion (27%), insider threats (26%), and phishing (17%).
The study found that enterprises expected malware (40%) to be their biggest challenge in 2023, followed by insider threats (26%), ransomware and related extortion (21%), and phishing (16%).
Malware, however, has more enterprises worried for 2023 than it did for 2022. It is important to note that these threats can overlap, where insiders can have a hand in ransomware attacks, phishing can be a source of malware, etc.
Attackers are evolving their strategies to surprise and outmanoeuvre security teams, which have hardened ransomware defences and improved phishing detection. They’re using new malware, such as loaders, infostealers, and wipers to accelerate attacks, steal sensitive data and create mayhem.
They’re also buying and stealing employee credentials to walk in through the front door of corporate networks.
https://www.helpnetsecurity.com/2023/01/04/attackers-evolve-strategies-outmaneuver-security-teams/
Building a Security-First Culture: The Key to Cyber Success
Everyone has heard a car alarm go off in the middle of the night, but how often does that notification actually lead to action? Most people will hear the alarm, glance in its direction and then hope the owner will quickly remedy the situation.
Cars alarms often fail because they go off too often, leading to apathy and annoyance instead of being a cause for emergency. For many, cyber security has also become this way. While we see an increase in the noise surrounding the need for organisations to improve the security skillset and knowledge base of employees, there continues to be little proactive action on this front. Most organisations only provide employees with elementary-grade security training, often during their initial onboarding process or as part of a standard training requirement.
At the same time, many organisations also make the grave mistake of leaving all of their security responsibilities and obligations in the hands of IT and security teams. Time and time again, this approach has proven to be highly ineffective, especially as cyber criminals refine their social engineering tactics and target user accounts to execute their attacks.
Alarmingly, recent research found that 30% of employees do not think that they play a role in maintaining their company’s cyber security posture. The same report also revealed that only 39% of employees say they are likely to report a security incident.
As traditional boundaries of access disintegrate and more employees obtain permissions to sensitive company data and systems to carry out their tasks, business leaders must change the mindset of their employees when it comes to the role they play in keeping the organisation safe from cyber crime. The key is developing an integrated cyber security strategy that incorporates all aspects—including all stakeholders—of the organisation. This should be a strategy that breaks down departmental barriers and creates a culture of security responsibility where every team member plays a part.
Adobe, Apple, Cisco, Microsoft Flaws Make Up Half of Known Exploited Vulnerabilities Catalogue
Back in November 2021, the US Cybersecurity and Infrastructure Security Agency (CISA) published the Known Exploited Vulnerabilities (KEV) Catalogue to help federal agencies and critical infrastructure organisations identify and remediate vulnerabilities that are actively being exploited. CISA added 548 new vulnerabilities to the catalogue across 58 updates from January to end of November 2022, according to cyber security solution provider Grey Noise in its first-ever "GreyNoise Mass Exploits Report."
Including the approximately 300 vulnerabilities added in November and December 2021, CISA listed approximately 850 vulnerabilities in the first year of the catalogue's existence.
Actively exploited vulnerabilities in Microsoft, Adobe, Cisco, and Apple products accounted for over half of the updates to the KEV catalogue in 2022, Grey Noise found. Seventy-seven percent of the updates to the KEV catalogue were older vulnerabilities dating back to before 2022. Many of these vulnerabilities have been around for two decades.
Several of the vulnerabilities in the KEV catalogue are from products that have already entered end-of-life (EOL) and end-of-service-life (EOSL), according to an analysis by a team from cyber security solution provider Cyber Security Works. Even though Windows Server 2008 and Windows 7 are EOSL products, the KEV catalogue lists 127 Server 2008 vulnerabilities and 117 Windows 7 vulnerabilities.
Even though the catalogue was originally intended for critical infrastructure and public-sector organisations, it has become the authoritative source on which vulnerabilities are – or have been – exploited by attackers. This is key because the National Vulnerability Database (NVD) assigned Common Vulnerabilities and Exposures (CVE) identifiers for over 12,000 vulnerabilities in 2022, and it would be unwieldy for enterprise defenders to assess every single one to identify the ones relevant to their environments. Enterprise teams can use the catalogue's curated list of CVEs under active attack to create their priority lists.
First LastPass, Now Slack and CircleCI. The Hacks Go On (and will likely worsen)
In the past week, the world has learned of serious breaches hitting chat service Slack and software testing and delivery company CircleCI, though giving the companies' opaque wording—“security issue” and “security incident,” respectively—you'd be forgiven for thinking these events were minor.
The compromises—in Slack’s case, the theft of employee token credentials and for CircleCI, the possible exposure of all customer secrets it stores—come two weeks after password manager LastPass disclosed its own security failure: the theft of customers’ password vaults containing sensitive data in both encrypted and clear text form. It’s not clear if all three breaches are related, but that’s certainly a possibility.
The most concerning of the two new breaches is the one hitting CircleCI. The company reported a “security incident” that prompted it to advise customers to rotate “all secrets” they store on the service. The alert also informed customers that it had invalidated their Project API tokens, an event requiring them to go through the hassle of replacing them.
CircleCI says it’s used by more than 1 million developers in support of 30,000 organisations and runs nearly 1 million daily jobs. The potential exposure of all those secrets—which could be login credentials, access tokens, and who knows what else—could prove disastrous for the security of the entire Internet.
It’s possible that some or all of these breaches are related. The Internet relies on a massive ecosystem of content delivery networks, authentication services, software development tool makers, and other companies. Threat actors frequently hack one company and use the data or access they obtain to breach that company's customers or partners. That was the case with the August breach of security provider Twilio. The same threat actor targeted 136 other companies. Something similar played out in the last days of 2020 when hackers compromised Solar Winds, gained control of its software build system, and used it to infect roughly 40 Solar Winds customers.
For now, people should brace themselves for additional disclosures from companies they rely on. Checking internal system logs for suspicious entries, turning on multifactor authentication, and patching network systems are always good ideas, but given the current events, those precautions should be expedited. It’s also worth checking logs for any contact with the IP address 54.145.167.181, which one security practitioner said was connected to the CircleCI breach.
Data of 235 Million Twitter Users Leaked Online
A data leak containing email addresses for 235 million Twitter users has been published on a popular hacker forum. Many experts have immediately analysed it and confirmed the authenticity of many of the entries in the huge leaked archive.
In January 2022, a report claimed the discovery of a vulnerability that can be exploited by an attacker to find a Twitter account by the associated phone number/email, even if the user has opted to prevent this in the privacy options. The vulnerability was exploited by multiple threat actors to scrape Twitter user profiles containing both private (phone numbers and email addresses) and public data, and was present within the social media platforms application programming interface (API) from June 2021 until January 2022.
At the end of July 2022, a threat actor leaked data of 5.4 million Twitter accounts that were obtained by exploiting the forementioned, now-fixed vulnerability in the popular social media platform. The scraped data was then put up for sale on various online cyber crime marketplaces. In August, Twitter confirmed that the data breach was caused by a now-patched zero-day flaw.
In December another Twitter data leak made the headlines, a threat actor obtained data of 400,000,000 Twitter users and attempted to sell it. The seller claimed the database is private, and he provided a sample of 1,000 accounts as proof of claims which included the private information of prominent users such as Donald Trump JR, Brian Krebs, and many more. The seller, who is a member of a popular data breach forum, claimed the data was scraped via a vulnerability. The database includes emails and phone numbers of celebrities, politicians, companies, normal users, and a lot of special usernames.
https://securityaffairs.com/140352/data-breach/twitter-data-leak-235m-users.html
16 Car Makers, including BMW, Ferrari, Ford, Honda, Kia, Land Rover, Mercedes and Toyota, and Their Vehicles Hacked via Telematics, APIs, and Infrastructure
A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car functions and start or stop the engine.
Multiple other security defects, the researchers say, allowed them to access a car maker’s internal applications and systems, leading to the exposure of personally identifiable information (PII) belonging to customers and employees, and account takeover, among others. The hacks targeted telematic systems, automotive APIs, and infrastructure.
Impacted car models include Acura, BMW, Ferrari, Ford, Genesis, Honda, Hyundai, Infiniti, Jaguar, Kia, Land Rover, Mercedes-Benz, Nissan, Porsche, Rolls Royce, and Toyota. The vulnerabilities were identified over the course of 2022. Car manufacturers were informed about the security holes and they released patches.
According to the researchers, they were able to send commands to Acura, Genesis, Honda, Hyundai, Kia, Infiniti, Nissan, and Porsche vehicles.
Using only the VIN (vehicle identification number), which is typically visible on the windshield, the researchers were able to start/stop the engine, remotely lock/unlock the vehicle, flash headlights, honk vehicles, and retrieve the precise location of Acura, Honda, Kia, Infiniti, and Nissan cars.
They could also lock users out of remote vehicle management and could change car ownership.
https://www.securityweek.com/16-car-makers-and-their-vehicles-hacked-telematics-apis-infrastructure
Ransomware Gang Apologises, and Gives SickKids Hospital Free Decrypter
The LockBit ransomware gang has released a free decrypter for the Hospital for Sick Children (SickKids), saying one of its members violated rules by attacking the healthcare organisation. SickKids is a teaching and research hospital in Toronto that focuses on providing healthcare to sick children.
On December 18th, the hospital suffered a ransomware attack that impacted internal and corporate systems, hospital phone lines, and the website. While the attack only encrypted a few systems, SickKids stated that the incident caused delays in receiving lab and imaging results and resulted in longer patient wait times.
On December 29th, SickKids announced that it had restored 50% of its priority systems, including those causing diagnostic or treatment delays. Two days after SickKids' latest announcement, the LockBit ransomware gang apologised for the attack on the hospital and released a decrypter for free.
“We formally apologise for the attack on sikkids.ca and give back the decrypter for free, the partner who attacked this hospital violated our rules, is blocked and is no longer in our affiliate programme," stated the ransomware gang.
Threats
Ransomware, Extortion and Destructive Attacks
Rackspace: Ransomware Attack Bypassed ProxyNotShell Mitigations (darkreading.com)
Rackspace: Customer email data accessed in ransomware attack (bleepingcomputer.com)
Ransomware gang cloned victim’s website to leak stolen data (bleepingcomputer.com)
Rackspace identifies hacking group responsible for early December ransomware attack | TPR
Ransomware ecosystem becoming more diverse for 2023 | CSO Online
Rackspace Sunsets Email Service Downed in Ransomware Attack (darkreading.com)
December ransomware disclosures reveal high-profile victims | TechTarget
The Guardian ransomware attack hits week two as staff WFH • The Register
Unraveling the techniques of Mac ransomware - Microsoft Security Blog
Bitdefender releases free MegaCortex ransomware decryptor (bleepingcomputer.com)
Ransomware Research: More than 200 US Infrastructure Organisations Attacked in 2022 - MSSP Alert
Ransomware impacts over 200 govt, edu, healthcare orgs in 2022 (bleepingcomputer.com)
Guardian ransomware attack: Staff told work from home to 23 Jan (pressgazette.co.uk)
Rail giant Wabtec discloses data breach after Lockbit ransomware attack (bleepingcomputer.com)
Christmas Eve 'cyber attack' forced Arnold Clark's network down | STV News
Royal ransomware claims attack on Queensland University of Technology (bleepingcomputer.com)
LockBit: Sorry for SickKids, but not housing authority • The Register
Canadian mining firm shuts down mill after ransomware attack (bleepingcomputer.com)
Phishing & Email Based Attacks
Data of 235 million Twitter users leaked online - Security Affairs
Is NHS The Most Impersonated UK Government "Brand"? (informationsecuritybuzz.com)
The Evolving Tactics of Vidar Stealer: From Phishing Emails to Social Media (thehackernews.com)
Ongoing Flipper Zero phishing attacks target infosec community (bleepingcomputer.com)
Other Social Engineering; Smishing, Vishing, etc
Malware
Raspberry Robin Worm Evolves to Attack Financial and Insurance Sectors in Europe (thehackernews.com)
Hackers abuse Windows error reporting tool to deploy malware (bleepingcomputer.com)
New SHC-compiled Linux malware installs cryptominers, DDoS bots (bleepingcomputer.com)
Bluebottle hackers used signed Windows driver in attacks on banks (bleepingcomputer.com)
Dridex Returns, Targets MacOS Using New Entry Method (trendmicro.com)
New Linux malware uses 30 plugin exploits to backdoor WordPress sites (bleepingcomputer.com)
PyTorch discloses malicious dependency chain compromise over holidays (bleepingcomputer.com)
WordPress Sites Under Attack from Newly Found Linux Trojan (darkreading.com)
Blind Eagle Hackers Return with Refined Tools and Sophisticated Infection Chain (thehackernews.com)
Raspberry Robin Worm Hatches a Highly Complex Upgrade (darkreading.com)
The Evolving Tactics of Vidar Stealer: From Phishing Emails to Social Media (thehackernews.com)
Denial of Service/DoS/DDOS
Internet of Things – IoT
Data Breaches/Leaks
Data of over 200 million Deezer users stolen, leaks on hacking forum • Graham Cluley
Five Guys Data Breach Puts HR Data Under a Heat Lamp (darkreading.com)
Analysis Of Top 10 Countries Mostly Targeted By Data Breaches (informationsecuritybuzz.com)
I bought a $15 router at Goodwill — and found a millionaire's dirty secrets (nypost.com)
Critical flaws found in Ferrari, BMW, Porsche, and other carmakers - Security Affairs
Toyota, Mercedes, BMW API flaws exposed owners’ personal info (bleepingcomputer.com)
Threat actors stole Slack private source code repositories - Security Affairs
Data of over 200 million Deezer users stolen, leaks on hacking forum • Graham Cluley
Organised Crime & Criminal Actors
Threat Actors Evade Detection Through Geofencing & Fingerprinting (darkreading.com)
Attackers create 130K fake accounts to abuse limited-time cloud computing resources | CSO Online
Ukrainian Cops Bust Prolific Fraud Call Centre - Infosecurity Magazine (infosecurity-magazine.com)
Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain
Insider Risk and Insider Threats
Software engineer busted after being inspired by Office Space scam | PC Gamer
Are Meta and Twitter Ushering in a New Age of Insider Threats? (darkreading.com)
Ex-GE engineer sentenced for stealing turbine tech for China • The Register
Fraud, Scams & Financial Crime
Avast: Expect Cyber crime "Scamdemic" to Continue in 2023 - MSSP Alert
Software engineer busted after being inspired by Office Space scam | PC Gamer
US regulators warn banks over cryptocurrency risks - BBC News
RedZei Chinese Scammers Targeting Chinese Students in the UK (thehackernews.com)
Ukrainian Cops Bust Prolific Fraud Call Centre - Infosecurity Magazine (infosecurity-magazine.com)
Impersonation Attacks
AML/CFT/Sanctions
Insurance
Cyber safety premiums holding firms to ransom | Business | The Times
How can businesses decrease cyber insurance premiums while maintaining coverage? - Help Net Security
Dark Web
Supply Chain and Third Parties
Software Supply Chain
Cloud/SaaS
Encryption
API
Car companies massively exposed to web vulnerabilities | The Daily Swig (portswigger.net)
16 Car Makers and Their Vehicles Hacked via Telematics, APIs, Infrastructure | SecurityWeek.Com
What Are Some Ways to Make APIs More Secure? (darkreading.com)
Critical flaws found in Ferrari, BMW, Porsche, and other carmakers - Security Affairs
Open Source
New SHC-compiled Linux malware installs cryptominers, DDoS bots (bleepingcomputer.com)
New Linux malware uses 30 plugin exploits to backdoor WordPress sites (bleepingcomputer.com)
Social Media
Data of 235 million Twitter users leaked online - Security Affairs
The Evolving Tactics of Vidar Stealer: From Phishing Emails to Social Media (thehackernews.com)
Are Meta and Twitter Ushering in a New Age of Insider Threats? (darkreading.com)
Meta fined €390m over use of data for targeted ads - BBC News
More Political Storms for TikTok After US Government Ban | SecurityWeek.Com
Parental Controls and Child Safety
Regulations, Fines and Legislation
Governance, Risk and Compliance
Cyber safety premiums holding firms to ransom | Business | The Times
Attackers never let a critical vulnerability go to waste - Help Net Security
Attackers evolve strategies to outmanoeuvre security teams - Help Net Security
How to start planning for disaster recovery - Help Net Security
Building A Security-First Culture: The Key To Cyber Success (forbes.com)
Data backup is no longer just about operational fallback - Help Net Security
Threat Actors Evade Detection Through Geofencing & Fingerprinting (darkreading.com)
How can businesses decrease cyber insurance premiums while maintaining coverage? - Help Net Security
Secure Disposal
Backup and Recovery
Data Protection
Law Enforcement Action and Take Downs
Privacy, Surveillance and Mass Monitoring
National security fears over police using Chinese tech | News | The Times
Meta fined €390m over use of data for targeted ads - BBC News
Artificial Intelligence
ChatGPT: An Easy Cyber crime Target For Cyber attacks (informationsecuritybuzz.com)
OpenAI's ChatGPT previews how AI can help hackers breach more networks (axios.com)
NATO tests AI’s ability to protect critical infrastructure against cyber attacks | CSO Online
Misinformation, Disinformation and Propaganda
Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine
War and Geopolitical Conflict: The New Battleground for DDoS Attacks (darkreading.com)
Cyber attacks against governments jumped 95% in last half of 2022, CloudSek says | CSO Online
It's time to focus on information warfare's hard questions (cyberscoop.com)
National security fears over police using Chinese tech | News | The Times
Ex-GE engineer sentenced for stealing turbine tech for China • The Register
Pro-Russia cyber attacks aim at destabilizing Poland - Security Affairs
Poland warns of attacks by Russia-linked Ghostwriter hacking group (bleepingcomputer.com)
Nation State Actors
Nation State Actors – Russia
Nation State Actors – China
National security fears over police using Chinese tech | News | The Times
Ex-GE engineer sentenced for stealing turbine tech for China • The Register
Nation State Actors – Iran
Nation State Actors – Misc
Vulnerability Management
Adobe, Apple, Cisco, Microsoft Flaws Make Up Half of KEV Catalog (darkreading.com)
Attackers never let a critical vulnerability go to waste - Help Net Security
Vulnerabilities
Over 60,000 Exchange servers vulnerable to ProxyNotShell attacks (bleepingcomputer.com)
Adobe, Apple, Cisco, Microsoft Flaws Make Up Half of KEV Catalog (darkreading.com)
Rackspace: Ransomware Attack Bypassed ProxyNotShell Mitigations (darkreading.com)
Zoho urges admins to patch severe ManageEngine bug immediately (bleepingcomputer.com)
Android's First Security Updates for 2023 Patch 60 Vulnerabilities | SecurityWeek.Com
Fortinet and Zoho Urge Customers to Patch Enterprise Software Vulnerabilities (thehackernews.com)
Qualcomm, Lenovo flag multiple high impact firmware vulnerabilities | SC Media (scmagazine.com)
Netgear Wi-Fi routers need to be patched immediately | TechRadar
Other News
The cyber security industry will undergo significant changes in 2023 - Help Net Security
SecurityAffairs Top 10 cybersecurity posts of 2022 - Security Affairs
BleepingComputer's most popular cybersecurity stories of 2022
WordPress Security: 22 Ways To Protect Your Website (informationsecuritybuzz.com)
Cyber attacks against governments jumped 95% in last half of 2022, CloudSek says | CSO Online
Sector Specific
Industry specific threat intelligence reports are available.
Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.
· Automotive
· Construction
· Critical National Infrastructure (CNI)
· Defence & Space
· Education & Academia
· Energy & Utilities
· Estate Agencies
· Financial Services
· FinTech
· Food & Agriculture
· Gaming & Gambling
· Government & Public Sector (including Law Enforcement)
· Health/Medical/Pharma
· Hotels & Hospitality
· Insurance
· Legal
· Manufacturing
· Maritime
· Oil, Gas & Mining
· OT, ICS, IIoT, SCADA & Cyber-Physical Systems
· Retail & eCommerce
· Small and Medium Sized Businesses (SMBs)
· Startups
· Telecoms
· Third Sector & Charities
· Transport & Aviation
· Web3
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Threat Briefing 30 December 2022
Black Arrow Cyber Threat Briefing 30 December 2022:
-Cyber Attacks Set to Become ‘Uninsurable’, Says Zurich Chief
-Your Business Should Compensate for Modern Ransomware Capabilities Right Now
-Reported Phishing Attacks Have Quintupled
-Ransomware, DDoS See Major Upsurge Led by Upstart Hacker Group
-Videoconferencing Worries Grow, With SMBs in Cyber Attack Crosshairs
-Will the Crypto Crash Impact Cyber Security in 2023? Maybe.
-The Worst Hacks of 2022
-Geopolitical Tensions Expected to Further Impact Cyber Security in 2023
-Fraudsters’ Working Patterns Have Changed in Recent Years
-Hacktivism is Back and Messier Than Ever
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
Cyber Attacks Set to Become ‘Uninsurable’, Says Zurich Chief
The chief executive of one of Europe’s biggest insurance companies has warned that cyber attacks, rather than natural catastrophes, will become “uninsurable” as the disruption from hacks continues to grow.
Insurance executives have been increasingly vocal in recent years about systemic risks, such as pandemics and climate change, that test the sector’s ability to provide coverage. For the second year in a row, natural catastrophe-related claims are expected to top $100bn.
But Mario Greco, chief executive at insurer Zurich, told the Financial Times that cyber was the risk to watch. “What will become uninsurable is going to be cyber,” he said. “What if someone takes control of vital parts of our infrastructure, the consequences of that?” Recent attacks that have disrupted hospitals, shut down pipelines and targeted government departments have all fed concern about this expanding risk among industry executives. Focusing on the privacy risk to individuals was missing the bigger picture, Greco added: “First off, there must be a perception that this is not just data . . . this is about civilisation. These people can severely disrupt our lives.”
Spiralling cyber losses in recent years have prompted emergency measures by the sector’s underwriters to limit their exposure. As well as pushing up prices, some insurers have responded by tweaking policies so clients retain more losses. There are exemptions written into policies for certain types of attacks. In 2019, Zurich initially denied a $100mn claim from food company Mondelez, arising from the NotPetya attack, on the basis that the policy excluded a “warlike action”. The two sides later settled. In September, Lloyd’s of London defended a move to limit systemic risk from cyber attacks by requesting that insurance policies written in the market have an exemption for state-backed attacks.
https://www.ft.com/content/63ea94fa-c6fc-449f-b2b8-ea29cc83637d
Your Business Should Compensate for Modern Ransomware Capabilities Right Now
The “if, not when” mentality surrounding ransomware may be the biggest modern threat to business longevity. Companies of all sizes and across all industries are increasingly common targets for ransomware attacks, and we know that 94% of organisations experienced a cyber security incident last year alone. Yet, many enterprises continue to operate with decades-old security protocols that are unequipped to combat modern ransomware. Leaders have prioritised improving physical security measures in light of the pandemic — so why haven’t ransomware protections improved?
Maybe it’s the mistaken notion that ransomware attacks are declining. In reality, Q1 of 2022 saw a 200% YoY increase in ransomware incidents. Meanwhile, the rise in Ransomware as a Service (RaaS) offerings suggests that cyber threats have become a commodity for bad actors.
The RaaS market presents a new and troubling trend for business leaders and IT professionals. With RaaS — a subscription ransomware model that allows affiliates to deploy malware for a fee — the barrier to entry for hackers is lower than ever. The relatively unskilled nature of RaaS hackers may explain why the average ransomware downtime has plummeted to just 3.85 days (compared to an average attack duration of over two months in 2019).
While the decrease in attack duration is promising, the rise of RaaS still suggests an inconvenient truth for business leaders: All organisations are at risk. And in time, all organisations will become a target, which is why it’s time for IT and business leaders to implement tough cyber security protocols.
Reported Phishing Attacks Have Quintupled
In the third quarter of 2022, the international Anti-Phishing Working Group (APWG) consortium observed 1,270,883 total phishing attacks; the worst quarter for phishing that APWG has ever observed. The total for August 2022 was 430,141 phishing sites, the highest monthly total ever reported to APWG.
Over recent years, reported phishing attacks submitted to APWG have more than quintupled since the first quarter of 2020, when APWG observed 230,554 attacks. The rise in Q3 2022 was attributable, in part, to increasing numbers of attacks reported against several specific targeted brands. These target companies and their customers suffered from large numbers of attacks from persistent phishers.
Threat researchers at the cyber security solution provider Fortra noted a 488 percent increase in response-based email attacks in Q3 2022 compared to the prior quarter. While every subtype of these attacks increased compared to Q2, the largest increase was in Advance Fee Fraud schemes, which rose by a staggering 1,074 percent.
In the third quarter of 2022, APWG founding member OpSec Security found that phishing attacks against the financial sector, which includes banks, remained the largest set of attacks, accounting for 23.2 percent of all phishing. Attacks against webmail and software-as-a-service (SaaS) providers remained prevalent as well. Phishing against social media services fell to 11 percent of the total, down from 15.3 percent.
Phishing against cryptocurrency targets — such as cryptocurrency exchanges and wallet providers — fell from 4.5 percent of all phishing attacks in Q2 2022 to 2 percent in Q3. This mirrored the fall in value of many cryptocurrencies since mid-year.
https://www.helpnetsecurity.com/2022/12/28/reported-phishing-attacks-quintupled/
Ransomware, DDoS See Major Upsurge Led by Upstart Hacker Group
Cyber threat actors Cuba and Royal are driving a 41% boom in ransomware and other attacks hitting industry and consumer goods and services.
According to the Global Threat Intelligence team of information assurance firm NCC Group, November saw a 41% increase in ransomware attacks from 188 incidents to 265. In its most recent Monthly Threat Pulse, the group reported that the month was the most active for ransomware attacks since April this year.
Key takeaways from the study:
Ransomware attacks rose by 41% in November.
Threat group Royal (16%) was the most active, replacing LockBit as the worst offender for the first time since September 2021.
Industrials (32%) and consumer cyclicals (44%) remain the top two most targeted sectors, but technology experienced a large 75% increase over the last month.
Regional data remains consistent with last month — North America (45%), Europe (25%) and Asia (14%)
DDoS attacks continue to increase.
Recent examples in the services sector include the Play ransomware group’s claimed attack of the German H-Hotels chain, resulting in communications outages. This attack reportedly uses a vulnerability in Microsoft Exchange called ProxyNotShell, which as the name implies, has similarities to the ProxyShell zero-day vulnerability revealed in 2021.
Also, back on the scene is the TrueBot malware downloader (a.k.a., the silence.downloader), which is showing up in an increasing number of devices. TrueBot Windows malware, designed by a Russian-speaking hacking group identified as Silence, has resurfaced bearing Ransom.Clop, which first appeared in 2019. Clop ransomware encrypts systems and exfiltrates data with the threat that if no ransom is forthcoming, the data will show up on a leak site.
https://www.techrepublic.com/article/ransomware-ddos-major-upsurge-led-upstart-hacker-group/
Videoconferencing Worries Grow, With SMBs in Cyber Attack Crosshairs
Securing videoconferencing solutions is just one of many IT security challenges small businesses are facing, often with limited financial and human resources.
It's no secret that the acceleration of work-from-home and distributed workforce trends — infamously spurred on by the pandemic — has occurred in tandem with the rise of video communications and collaboration platforms, led by Zoom, Microsoft, and Cisco.
But given that videoconferencing now plays a critical role in how businesses interact with their employees, customers, clients, vendors, and others, these platforms carry significant potential security risks, researchers say.
Organisations use videoconferencing to discuss M&A, legal, military, healthcare, intellectual property and other topics, and even corporate strategies. A loss of that data could be catastrophic for a company, its employees, its clients, and its customers.
However, a recent report on videoconferencing security showed that 93% of IT professionals surveyed acknowledged security vulnerabilities and gaping risks in their videoconferencing solutions.
Among the most relevant risks is the lack of controlled access to conversations that could result in disruption, sabotage, compromise, or exposure of sensitive information, while use of nonsecure, outdated, or unpatched videoconferencing applications can expose security flaws.
The risks include the potential for interruptions, unauthorised access, and perhaps most concerning, the opportunity for a bad actor to acquire sensitive information.
Will the Crypto Crash Impact Cyber Security in 2023? Maybe.
With the implosion of the FTX exchange putting a punctuation mark on the cryptocurrency crash of 2022, one of the natural questions for those in the cyber security world is, how will this rapid decline of cryptocurrency valuations change the cyber crime economy?
Throughout the most recent crypto boom, and even before then, cyber criminals have used and abused cryptocurrency to build up their empires. The cryptocurrency market provides the extortionary medium for ransomware; it's a hotbed of scams against consumers to steal their wallets and accounts. Traditionally, it's provided a ton of anonymous cover for money laundering on the back end of a range of cyber criminal enterprises.
Even so, according to cyber security experts and intelligence analysts, while there certainly have been some shifts in trends and tactics that they believe are loosely tied to the crypto crash, the jury's still out on long-term impacts.
Regardless of crypto values, cyber criminals this year have definitely become more sophisticated in how they use cryptocurrencies to monetise their attacks including the use by some ransomware groups taking advantage of yield farming within decentralised finance (DeFi), as an example.
The concept of yield farming is the same as lending money, with a contract in place that clearly shows how much interest will need to be paid. The advantage for ransomware groups is that the 'interest' will be legitimate proceeds, so there will be no need to launder or hide it.
Threat actors are increasingly turning toward 'stablecoins,' which are usually tied to fiat currencies or gold to stem their volatility. In many ways, the downturn in crypto values has increased the risk appetite of cyber criminals and is spurring them into more investment fraud and cryptocurrency scams.
https://www.darkreading.com/threat-intelligence/crypto-crash-impact-cybersecurity-2023-maybe
The Worst Hacks of 2022
The year was marked by sinister new twists on cyber security classics, including phishing, breaches, and ransomware attacks.
With the pandemic evolving into an amorphous new phase and political polarisation on the rise around the world, 2022 was an uneasy and often perplexing year in digital security. And while hackers frequently leaned on old chestnuts like phishing and ransomware attacks, they still found vicious new variations to subvert defences.
Technology magazine Wired looked back on the year's worst breaches, leaks, ransomware attacks, state-sponsored hacking campaigns, and digital takeovers. If the first years of the 2020s are any indication, the digital security field in 2023 will be more bizarre and unpredictable than ever. Stay alert, and stay safe out there.
Russia Hacking Ukraine
For years, Russia has pummelled Ukraine with brutal digital attacks causing blackouts, stealing and destroying data, meddling in elections, and releasing destructive malware to ravage the country's networks. Since invading Ukraine in February, though, times have changed for some of Russia's most prominent and most dangerous military hackers. Shrewd long-term campaigns and grimly ingenious hacks have largely given way to a stricter and more regimented clip of quick intrusions into Ukrainian institutions, reconnaissance, and widespread destruction on the network—and then repeated access over and over again, whether through a new breach or by maintaining the old access.
Twilio and the 0ktapus Phishing Spree
Over the summer, a group of researchers dubbed 0ktapus went on a massive phishing bender, compromising nearly 10,000 accounts within more than 130 organisations. The majority of the victim institutions were US-based, but there were dozens in other countries as well.
Ransomware Still Hitting the Most Vulnerable Targets
In recent years, countries around the world and the cyber security industry have increasingly focused on countering ransomware attacks. While there has been some progress on deterrence, ransomware gangs were still on a rampage in 2022 and continued to target vulnerable and vital social institutions, including health care providers and schools. The Russian-speaking group Vice Society, for example, has long specialised in targeting both categories, and it focused its attacks on the education sector this year.
The Lapsus$ Rampage Continues
The digital extortion gang Lapsus$ was on an intense hacking spree at the beginning of 2022, stealing source code and other sensitive information from companies like Nvidia, Samsung, Ubisoft, and Microsoft and then leaking samples as part of apparent extortion attempts. Lapsus$ has a sinister talent for phishing, and in March, it compromised a contractor with access to the ubiquitous authentication service Okta.
LastPass
The beleaguered password manager giant LastPass, which has repeatedly dealt with data breaches and security incidents over the years, said at the end of December that a breach of its cloud storage in August led to a further incident in which hackers targeted a LastPass employee to compromise credentials and cloud storage keys.
Vanuatu
At the beginning of November, Vanuatu, an island nation in the Pacific, was hit by a cyber attack that took down virtually all of the government's digital networks. Agencies had to move to conducting their work on paper because emergency systems, medical records, vehicle registrations, driver's license databases, and tax systems were all down.
Honourable Mention: Twitter-Related Bedlam
Twitter has been in chaos mode for months following Elon Musk's acquisition of the company earlier this year. Amidst the tumult, reports surfaced in July and then again in November of a trove of 5.4 million Twitter users' data that has been circulating on criminal forums since at least July, if not earlier. The data was stolen by exploiting a vulnerability in a Twitter application programming interface, or API.
https://www.wired.com/story/worst-hacks-2022/
Geopolitical Tensions Expected to Further Impact Cyber Security in 2023
Geopolitics will continue to have an impact on cyber security and the security posture of organisations long into 2023.
The impact of global conflicts on cyber security was thrust into the spotlight when Russia made moves to invade Ukraine in February 2022. Ukraine’s Western allies were quick to recognise that with this came the threat of Russian-backed cyber-attacks against critical national infrastructure (CNI), especially in retaliation to hefty sanctions. While this may not have materialised in the way many expected, geopolitics is still front of mind for many cyber security experts looking to 2023.
Russia has always been among a handful of states recognised for their cyber prowess and being the source of many cyber criminal gangs. As previously mentioned, we have failed to see a significant cyber-attack, at least one comparable to the Colonial Pipeline incident, in 2022. However the cyber security services provider, e2e-assure, warned: “We have underestimated Russia’s cyber capability. There is a wide view that Russian cyber activity leading up to and during their invasion of Ukraine indicated that they aren’t the cyber power we once thought. Patterns and evidence will emerge in 2023 that shows this wasn’t the case, instead Russia was directing its cyber efforts elsewhere, with non-military goals (financial and political).”
NordVPN, the virtual private network (VPN) provider, warns that the cyber-war is only just starting: “With China’s leader securing his third term and Russia’s war in Ukraine, many experts predict an increase in state-sponsored cyber-attacks. China may increase cyber-attacks on Taiwan, Hong Kong, and other countries opposing the regime. Meanwhile, Russia is predicted to sponsor attacks on countries supporting Ukraine.”
We are used to seeing cyber-attacks that encrypt data and ask for ransom, but it is likely in this era of nation-state sponsored attacks we could experience attacks for the sake of disruption.
https://www.infosecurity-magazine.com/news/geopolitical-tensions-impact/
Fraudsters’ Working Patterns Have Changed in Recent Years
Less sophisticated fraud — in which doctored identity documents are readily spotted — has jumped 37% in 2022, according to the identify verfication provider Onfido. Fraudsters can scale these attacks on an organisation’s systems around the clock.
It is estimated that the current global financial cost of fraud is $5.38 trillion (£4.37 trillion), which is 6.4% of the world’s GDP. With most fraud now happening online (80% of reported fraud is cyber-enabled), Onfido’s Identity Fraud Report uncovers patterns of fraudster behaviour, attack techniques, and emerging tactics.
Over the last four years, fraudsters’ working patterns have dramatically changed. In 2019, attacks mirrored a typical working week, peaking Monday to Friday and dropping off during the weekends. Yet over the last three years, fraudulent activity started to shift so that levels of fraud span every day of the week.
In 2022, fraud levels were consistent across 24 hours, seven days a week. With technology, fraudsters are more connected across the globe and are able to traverse regions and time zones, and can easily take advantage of businesses’ closed hours when staff are likely offline. This hyperconnectivity means there are no more ‘business hours’ for fraudsters and sophisticated fraud rings — they will scam and defraud 24/7.
“As criminals look to take advantage of digitisation processes, they’re able to commit financial crimes with increasing efficiency and sophistication, to the extent that financial crime and cyber crime are now invariably linked,” said Interpol. “A significant amount of financial fraud takes place through digital technologies, and the pandemic has only hastened the emergence of digital money laundering tools and other cyber-enabled financial crimes.”
https://www.helpnetsecurity.com/2022/12/29/less-sophisticated-fraud/
Hacktivism is Back and Messier Than Ever
Throughout 2022, geopolitics has given rise to a new wave of politically motivated attacks with an undercurrent of state-sponsored meddling.
During its brutal war in Ukraine, Russian troops have burnt cities to the ground, raped and tortured civilians, and committed scores of potential war crimes. On November 23, lawmakers across Europe overwhelmingly labelled Russia a “state sponsor” of terrorism and called for ties with the country to be reduced further. The response to the declaration was instant. The European Parliament’s website was knocked offline by a DDoS attack.
The unsophisticated attack—which involves flooding a website with traffic to make it inaccessible—disrupted the Parliament’s website offline for several hours. Pro-Russian hacktivist group Killnet claimed responsibility for the attack. The hacktivist group has targeted hundreds of organisations around the world this year, having some limited small-scale successes knocking websites offline for short periods of time. It’s been one player in a bigger hacktivism surge.
Following years of sporadic hacktivist activity, 2022 has seen the re-emergence of hacktivism on a large scale. Russia’s full-scale invasion of Ukraine spawned scores of hacktivist groups on both sides of the conflict, while in Iran and Israel, so-called hacktivist groups are launching increasingly destructive attacks. This new wave of hacktivism, which varies between groups and countries, comes with new tactics and approaches and, increasingly, is blurring lines between hacktivism and government-sponsored attacks.
Threats
Ransomware, Extortion and Destructive Attacks
Jersey school locked out of systems as hackers demand "ransom" | Bailiwick Express Jersey
Vice Society Ransomware Attackers Adopt Robust Encryption Methods (thehackernews.com)
Global counter-ransomware task force to become active in January - CyberScoop
Fool Me Thrice? How to Avoid Double and Triple Ransomware Extortion (darkreading.com)
Rackspace criticized for PR response to ransomware attack (expressnews.com)
Ransomware, DDoS see major upsurge led by upstart hacker group (techrepublic.com)
6 Ways to Protect Your Organisation Against LAPSUS$ (darkreading.com)
Your business should compensate for modern ransomware capabilities right now | VentureBeat
Vice Society Adds Custom-branded Payload PolyVice to its Arsenal | Cyware Alerts - Hacker News
Hackers stole data from multiple electric utilities in recent ransomware attack | CNN Politics
Ransomware attack at Louisiana hospital impacts 270,000 patients (bleepingcomputer.com)
The mounting death toll of hospital cyber attacks - POLITICO
Royal ransomware claims attack on Intrado telecom provider (bleepingcomputer.com)
Healthcare Providers and Hospitals Under Ransomware's Siege (darkreading.com)
Guardian Australia staff sent home after cyber attack takes out systems (theage.com.au)
Dumfries Arnold Clark garages hit by company-wide cyber attack - Daily Record
Ransom Deadline Given By LockBit In Port Of Lisbon Attack (informationsecuritybuzz.com)
Phishing & Email Based Attacks
Reported phishing attacks have quintupled - Help Net Security
6 Ways to Protect Your Organisation Against LAPSUS$ (darkreading.com)
Other Social Engineering; Smishing, Vishing, etc
Malware
GuLoader implements new evasion techniques - Security Affairs
PrivateLoader PPI Service Found Distributing Info-Stealing RisePro Malware (thehackernews.com)
2022 sees over 5000 times new Windows malware vs macOS, over 60 times vs Linux - Neowin
APT Hackers Turn to Malicious Excel Add-ins as Initial Intrusion Vector (thehackernews.com)
New information-stealing malware is being spread by fake pirate sites | TechSpot
Mobile
Denial of Service/DoS/DDOS
Internet of Things – IoT
Smart Home Cyber security Hubs: Protecting Endpoints in Your Smarthome (compuquip.com)
Google Home speakers allowed hackers to snoop on conversations (bleepingcomputer.com)
Data Breaches/Leaks
BetMGM discloses security breach impacting 1.5 Million customers - Security Affairs
Massive Twitter data leak investigated by EU privacy watchdog (bleepingcomputer.com)
Massive EDiscovery Provider Shut Down Over 'Unauthorized Access' - Above the LawAbove the Law
Data of 400 Million Twitter users up for sale - Security Affairs
It’s all in the (lack of) details: 2022’s badly handled data breaches | TechCrunch
Military device with biometric database of 2K people sold on eBay for $68 | Ars Technica
Organised Crime & Criminal Actors
Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain
How ‘brazen’ multibillion-dollar crypto fraud fell to pieces | Business | The Times
BTC.com lost $3 million worth of cryptocurrency in cyber attack (bleepingcomputer.com)
Hackers steal $8 million from users running trojanized BitKeep apps (bleepingcomputer.com)
Bitcoin Mining Pool Btc.com Suffers $3 Million Cyber attack – Mining Bitcoin News
Crypto wallet BitKeep lost over $9M over a cyber attack - Security Affairs
Case for blockchain in financial services dented by failures | Financial Times (ft.com)
Digital Assets Of $9.9 Million Stolen In BitKeep Cyber Attack (informationsecuritybuzz.com)
Crypto platform 3Commas admits hackers stole API keys (bleepingcomputer.com)
Fraud, Scams & Financial Crime
Linkedin Is Full Of Job Scams – Be Careful Out There (informationsecuritybuzz.com)
Scam complaints from Revolut users more than double since 2020 (telegraph.co.uk)
Fraudsters’ working patterns have changed in recent years - Help Net Security
Experts warn of attacks exploiting WordPress gift card plugin - Security Affairs
North Korean Hackers Created 70 Fake Bank, Venture Capital Firm Domains | SecurityWeek.Com
Ukraine shuts down fraudulent call center claiming 18,000 victims (bleepingcomputer.com)
Insurance
Supply Chain and Third Parties
Software Supply Chain
Why Attackers Target GitHub, and How You Can Secure It (darkreading.com)
Improving Software Supply Chain Cyber security (trendmicro.com)
Cloud/SaaS
Identity and Access Management
Enterprises waste money on identity tools they don't use - Help Net Security
Steps To Planning And Implementation Of PAM Solutions (informationsecuritybuzz.com)
Encryption
API
Crypto platform 3Commas admits hackers stole API keys (bleepingcomputer.com)
Google: With Cloud Comes APIs & Security Headaches (darkreading.com)
Passwords, Credential Stuffing & Brute Force Attacks
Biometrics
Social Media
TikTok User Data Has Been Compromised (giantfreakinrobot.com)
Elon Musk ‘orders Twitter to remove suicide prevention feature’ | Twitter | The Guardian
Massive Twitter data leak investigated by EU privacy watchdog (bleepingcomputer.com)
Meta settles Cambridge Analytica scandal case for $725m - BBC News
TikTok bans haven't really banned much of anything - The Washington Post
Twitter restores suicide prevention feature | Twitter | The Guardian
Data of 400 Million Twitter users up for sale - Security Affairs
Hacker claims to be selling Twitter data of 400 million users (bleepingcomputer.com)
Malvertising
Privacy
Regulations, Fines and Legislation
Governance, Risk and Compliance
IBM and 70 Global Banks Co-Create New Cyber security, Risk Framework (accelerationeconomy.com)
Economic uncertainty compels IT leaders to rethink their strategy - Help Net Security
3 important changes in how data will be used and treated - Help Net Security
2022 Top Five Immediate Threats in Geopolitical Context (thehackernews.com)
Secure Disposal
Careers, Working in Cyber and Information Security
IT Jobs: How To Become An Information Security Analyst (informationsecuritybuzz.com)
‘There's a career in cyber security for everyone,’ Microsoft Security CVP says | Fortune
Law Enforcement Action and Take Downs
Privacy, Surveillance and Mass Monitoring
Google Home speakers allowed hackers to snoop on conversations (bleepingcomputer.com)
Police in China can track protests by enabling ‘alarms’ on Hikvision software | China | The Guardian
The Threat of Predictive Policing to Data Privacy and Personal Liberty (darkreading.com)
Meta settles Cambridge Analytica scandal case for $725m - BBC News
78% of Employers Are Using Remote Work Tools to Spy on You (entrepreneur.com)
Germany: Police surveillance software a legal headache – DW – 12/22/2022
Artificial Intelligence
Code-generating AI can introduce security vulnerabilities, study finds | TechCrunch
AI cyber attacks are a ‘critical threat’. This is how NATO is countering them | Euronews
Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine
2022 Top Five Immediate Threats in Geopolitical Context (thehackernews.com)
Russia’s Cyberwar Foreshadowed Deadly Attacks on Civilians | WIRED
Hundreds of Russian cyber attacks on CHPPs, regional power plants prevented - SBU
Ukrainian Hackers Gather Data on Russian Soldiers, Minister Says - Bloomberg
North Korean hackers targeted nearly 1,000 South Korean foreign policy experts
German double agent ‘passed Ukraine intelligence to Russia’ (telegraph.co.uk)
Nation State Actors
Nation State Actors – Russia
Hundreds of Russian cyber attacks on CHPPs, regional power plants prevented - SBU
Russian mobile calls, internet seen deteriorating after Nokia, Ericsson leave – EURACTIV.com
Nation State Actors – China
Police in China can track protests by enabling ‘alarms’ on Hikvision software | China | The Guardian
Nation State Actors – North Korea
BlueNoroff APT Hackers Using New Ways to Bypass Windows MotW Protection (thehackernews.com)
North Korean Hackers Created 70 Fake Bank, Venture Capital Firm Domains | SecurityWeek.Com
North Korean hacking outfit impersonating venture capital firms | SC Media (scmagazine.com)
North Korean hackers targeted nearly 1,000 South Korean foreign policy experts
Nation State Actors – Iran
Nation State Actors – Misc
Vulnerability Management
Vulnerabilities
Patch now: Serious Linux kernel security hole uncovered | ZDNET
Microsoft Patches Azure Cross-Tenant Data Access Flaw | SecurityWeek.Com
Critical Linux Kernel flaw affects SMB servers with ksmbd enabled - Security Affairs
Critical “10-out-of-10” Linux kernel SMB hole – should you worry? – Naked Security (sophos.com)
Log4Shell remains a big threat and a common cause for security breaches | CSO Online
Thousands of Citrix servers vulnerable to patched critical flaws (bleepingcomputer.com)
Netgear warns users to patch recently fixed WiFi router bug (bleepingcomputer.com)
CISA Warns of Active exploitation of JasperReports Vulnerabilities (thehackernews.com)
Tools and Controls
Other News
AI cyber attacks are a ‘critical threat’. This is how NATO is countering them | Euronews
Review: 10 Biggest Hacks And Cyber Security Threats Of 2022 (informationsecuritybuzz.com)
New information-stealing malware is being spread by fake pirate sites | TechSpot
Trend Micro: Expect 2023 to Bring Uncertainty to Cyber Attackers and Defenders - MSSP Alert
After the Uber Breach: 3 Questions All CISOs Should Ask Themselves (darkreading.com)
Top 10 Cyber Security Predictions For 2023 Based On Expert Responses (informationsecuritybuzz.com)
The Five Stories That Shaped Cyber security in 2022 | SecurityWeek.Com
Sector Specific
Industry specific threat intelligence reports are available.
Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.
· Automotive
· Construction
· Critical National Infrastructure (CNI)
· Defence & Space
· Education & Academia
· Energy & Utilities
· Estate Agencies
· Financial Services
· FinTech
· Food & Agriculture
· Gaming & Gambling
· Government & Public Sector (including Law Enforcement)
· Health/Medical/Pharma
· Hotels & Hospitality
· Insurance
· Legal
· Manufacturing
· Maritime
· Oil, Gas & Mining
· OT, ICS, IIoT, SCADA & Cyber-Physical Systems
· Retail & eCommerce
· Small and Medium Sized Businesses (SMBs)
· Startups
· Telecoms
· Third Sector & Charities
· Transport & Aviation
· Web3
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Threat Briefing 23 December 2022
Black Arrow Cyber Threat Briefing 23 December 2022:
-LastPass Users: Your Info and Password Vault Data are Now in Hackers’ Hands
-Ransomware Attacks Increased 41% In November
-The Risk of Escalation from Cyber Attacks Has Never Been Greater
-FBI Recommends Ad Blockers as Cyber Criminals Impersonate Brands in Search Engine Ads
-North Korea-Linked Hackers Stole $626 Million in Virtual Assets in 2022
-UK Security Agency Wants Fresh Approach to Combat Phishing
-GodFather Android malware targets 400 banks, crypto exchanges
-Companies Overwhelmed by Available Tech Solutions
-Nine in 10 Third-party Contractors, Freelancers Use Personal, Unmanaged Devices Likely to be Infected
-UK Privacy Regulator Names and Shames Breached Firms
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
LastPass Admits Attackers have an Encrypted Copy of Customers’ Password Vaults
Password locker LastPass has warned customers that the August 2022 attack on its systems saw unknown parties copy encrypted files that contain the passwords to their accounts.
In a December 22nd update to its advice about the incident, LastPass brings customers up to date by explaining that in the August 2022 attack “some source code and technical information were stolen from our development environment and used to target another employee, obtaining credentials and keys which were used to access and decrypt some storage volumes within the cloud-based storage service.” Those creds allowed the attacker to copy information “that contained basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service.”
The update reveals that the attacker also copied “customer vault” data, the file LastPass uses to let customers record their passwords. That file “is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data.” The passwords are encrypted with “256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password”.
LastPass’ advice is that even though attackers have that file, customers who use its default settings have nothing to do as a result of this update as “it would take millions of years to guess your master password using generally-available password-cracking technology.” One of those default settings is not to re-use the master password that is required to log into LastPass. The outfit suggests you make it a complex credential and use that password for just one thing: accessing LastPass.
LastPass therefore offered the following advice to individual and business users: If your master password does not make use of the defaults above, then it would significantly reduce the number of attempts needed to guess it correctly. In this case, as an extra security measure, you should consider minimising risk by changing passwords of websites you have stored.
LastPass’s update concludes with news it decommissioned the systems breached in August 2022 and has built new infrastructure that adds extra protections.
https://www.theregister.com/2022/12/23/lastpass_attack_update/
Ransomware Attacks Increased 41% In November
Ransomware attacks rose 41% last month as groups shifted among the top spots and increasingly leveraged DDoS attacks, according to new research from NCC Group.
A common thread of NCC Group's November Threat Pulse was a "month full of surprises," particularly related to unexpected shifts in threat actor behaviour. The Cuba ransomware gang resurged with its highest number of attacks recorded by NCC Group. Royal replaced LockBit 3.0 as the most active strain, a first since September of last year.
These factors and more contributed to the significant jump in November attacks, which rose from 188 in October to 265.
"For 2022, this increase represents the most reported incidents in one month since that of April, when there were 289 incidents, and is also the largest month-on-month increase since June-July's marginally larger increase of 47%," NCC Group wrote in the report.
Operators behind Royal ransomware, a strain that emerged earlier this year that operates without affiliates and utilises intermittent encryption to evade detection, surpassed LockBit 3.0 for the number one spot, accounting for 16% of hack and leak incidents last month.
The Risk of Escalation from Cyber Attacks Has Never Been Greater
In 2022, an American dressed in his pyjamas took down North Korea’s Internet from his living room. Fortunately, there was no reprisal against the United States. But Kim Jong Un and his generals must have weighed retaliation and asked themselves whether the so-called independent hacker was a front for a planned and official American attack.
In 2023, the world might not get so lucky. There will almost certainly be a major cyber attack. It could shut down Taiwan’s airports and trains, paralyse British military computers, or swing a US election. This is terrifying, because each time this happens, there is a small risk that the aggrieved side will respond aggressively, maybe at the wrong party, and (worst of all) even if it carries the risk of nuclear escalation.
This is because cyber weapons are different from conventional ones. They are cheaper to design and wield. That means great powers, middle powers, and pariah states can all develop and use them.
More important, missiles come with a return address, but virtual attacks do not. Suppose in 2023, in the coldest weeks of winter, a virus shuts down American or European oil pipelines. It has all the markings of a Russian attack, but intelligence experts warn it could be a Chinese assault in disguise. Others see hints of the Iranian Revolutionary Guard. No one knows for sure. Presidents Biden and Macron have to decide whether to retaliate at all, and if so, against whom … Russia? China? Iran? It's a gamble, and they could get unlucky.
Neither country wants to start a conventional war with one another, let alone a nuclear one. Conflict is so ruinous that most enemies prefer to loathe one another in peace. During the Cold War, the prospect of mutual destruction was a huge deterrent to any great power war. There were almost no circumstances in which it made sense to initiate an attack. But cyber warfare changes that conventional strategic calculus. The attribution problem introduces an immense amount of uncertainty, complicating the decision our leaders have to make.
FBI Recommends Ad Blockers as Cyber Criminals Impersonate Brands in Search Engine Ads
The Federal Bureau of Investigation (FBI) this week raised the alarm on cyber criminals impersonating brands in advertisements that appear in search engine results. The agency has advised consumers to use ad blockers to protect themselves from such threats.
The attackers register domains similar to those of legitimate businesses or services, and use those domains to purchase ads from search engine advertisement services, the FBI says in an alert. These nefarious ads are displayed at the top of the web page when the user searches for that business or service, and the user might mistake them for an actual search result.
Links included in these ads take users to pages that are identical to the official web pages of the impersonated businesses, the FBI explains. If the user searches for an application, they are taken to a fake web page that uses the real name of the program the user searches for, and which contains a link to download software that is, in fact, malware.
“These advertisements have also been used to impersonate websites involved in finances, particularly cryptocurrency exchange platforms,” the FBI notes. Seemingly legitimate exchange platforms, the malicious sites prompt users to provide their login and financial information, which the cyber criminals then use to steal the victim’s funds.
“While search engine advertisements are not malicious in nature, it is important to practice caution when accessing a web page through an advertised link,” the FBI says.
Businesses are advised to use domain protection services to be notified of domain spoofing, and to educate users about spoofed websites and on how to find legitimate downloads for the company’s software.
Users are advised to check URLs to make sure they access authentic websites, to type a business’ URL into the browser instead of searching for that business, and to use ad blockers when performing internet searches. Ad blockers can have a negative impact on the revenues of online businesses and advertisers, but they can be good for online security, and even the NSA and CIA are reportedly using them.
North Korea-Linked Hackers Stole $626 Million in Virtual Assets in 2022
South Korea’s spy agency, the National Intelligence Service, estimated that North Korea-linked threat actors have stolen an estimated 1.5 trillion won ($1.2 billion) in cryptocurrency and other virtual assets in the past five years.
According to the spy agency, more than half the crypto assets (about 800 billion won ($626 million)) have been stolen this year alone, reported the Associated Press. The Government of Pyongyang focuses on crypto hacking to fund its military program following harsh UN sanctions.
“South Korea’s main spy agency, the National Intelligence Service, said North Korea’s capacity to steal digital assets is considered among the best in the world because of the country’s focus on cyber crimes since UN economic sanctions were toughened in 2017 in response to its nuclear and missile tests.” reported the AP agency. North Korea cannot export its products due to the UN sanctions imposed in 2016 and 1017, and the impact on its economy is dramatic.
The NIS added that more than 100 billion won ($78 million) of the total stolen funds came from South Korea. Cyber security and intelligence experts believe that attacks aimed at the cryptocurrency industry will continue to increase next year. National Intelligence Service experts believe that North Korea-linked APT groups will focus on the theft of South Korean technologies and confidential information on South Korean foreign policy and national security.
Data published by the National Intelligence Service agency confirms a report published by South Korean media outlet Chosun early this year that revealed North Korean threat actors have stolen around $1.7 billion (2 trillion won) worth of cryptocurrency from multiple exchanges during the past five years.
https://securityaffairs.co/wordpress/139909/intelligence/north-korea-cryptocurrency-theft.html
UK Security Agency Wants Fresh Approach to Combat Phishing
The UK National Cyber Security Centre (NCSC) has called for a defence-in-depth approach to help mitigate the impact of phishing, combining technical controls with a strong reporting culture.
Writing in the agency’s blog, technical director and principal architect, “Dave C,” argued that many of the well-established tenets of anti-phishing advice simply don’t work. For example, advising users not to click on links in unsolicited emails is not helpful when many need to do exactly that as part of their job.
This is often combined with a culture where users are afraid to report that they’ve accidentally clicked, which can delay incident response, he said. It’s not the user’s responsibility to spot a phish – rather, it’s their organisation’s responsibility to protect them from such threats, Dave C argued.
As such, they should build layered technical defences, consisting of email scanning and DMARC/SPF policies to prevent phishing emails from arriving into inboxes. Then, organisations should consider the following to prevent code from executing:
Allow-listing for executables
Registry settings changes to ensure dangerous scripting or file types are opened in Notepad and not executed
Disabling the mounting of .iso files on user endpoints
Making sure macro settings are locked down
Enabling attack surface reduction rules
Ensuring third-party software is up to date
Keeping up to date about current threats
Additionally, organisations should take steps such as DNS filtering to block suspicious connections and endpoint detection and response (EDR) to monitor for suspicious behaviour, the NCSC advised.
https://www.infosecurity-magazine.com/news/uk-security-agency-combat-phishing/
GodFather Android malware targets 400 banks, crypto exchanges
An Android banking malware named 'Godfather' has been targeting users in 16 countries, attempting to steal account credentials for over 400 online banking sites and cryptocurrency exchanges.
The malware generates login screens overlaid on top of the banking and crypto exchange apps' login forms when victims attempt to log into the site, tricking the user into entering their credentials on well-crafted HTML phishing pages.
The Godfather trojan was discovered by Group-IB analysts, who believe it is the successor of Anubis, a once widely-used banking trojan that gradually fell out of use due to its inability to bypass newer Android defences. ThreatFabric first discovered Godfather in March 2021, but it has undergone massive code upgrades and improvements since then.
Also, Cyble published a report yesterday highlighting a rise in the activity of Godfather, pushing an app that mimics a popular music tool in Turkey, downloaded 10 million times via Google Play. Group-IB has found a limited distribution of the malware in apps on the Google Play Store; however, the main distribution channels haven't been discovered, so the initial infection method is largely unknown.
Almost half of all apps targeted by Godfather, 215, are banking apps, and most of them are in the United States (49), Turkey (31), Spain (30), Canada (22), France (20), Germany (19), and the UK (17).
Apart from banking apps, Godfather targets 110 cryptocurrency exchange platforms and 94 cryptocurrency wallet apps.
Companies Overwhelmed by Available Tech Solutions
92% of executives reported challenges in acquiring new tech solutions, highlighting the complexities that go into the decision-making process, according to GlobalDots.
Moreover, some 34% of respondents said the overwhelming amount of options was a challenge when deciding on the right solutions, and 33% admitted the time needed to conduct research was another challenge in deciding.
Organisations of all varieties rely on technology more than ever before. The constant adoption of innovation is no longer a luxury but rather a necessity to stay on par in today’s fast-paced and competitive digital landscape. In this environment, IT and security leaders are coming under increased pressure to show ROIs from their investment in technology while balancing operational excellence with business innovation. Due to current market realities, IT teams are short-staffed and suffering from a lack of time and expertise, making navigating these challenges even more difficult.
The report investigated how organisations went about finding support for their purchasing decisions. Conferences, exhibitions, and online events served as companies’ top source of information for making purchasing decisions, at 52%. Third-party solutions, such as value-added resellers and consultancies, came in second place at 48%.
54% are already using third parties to purchase, implement, or support their solutions, highlighting the value that dedicated experts with in-depth knowledge of every solution across a wide range of IT fields provide.
We are living in an age of abundance when it comes to tech solutions for organisations, and this makes researching and purchasing the right solutions for your organisation extremely challenging.
https://www.helpnetsecurity.com/2022/12/20/tech-purchasing-decisions/
Nine in 10 Third-party Contractors, Freelancers Use Personal, Unmanaged Devices Likely to be Infected
Talon Cyber Security surveyed 258 third-party providers to better understand the state of third-party working conditions, including work models, types of devices and security technologies used, potentially risky actions taken, and how security and IT tools impact productivity.
Looking at recent high-profile breaches, third parties have consistently been at the epicenter, so they took a step back with their research to better understand the potential root causes. The findings paint a picture of a third-party work landscape where individuals are consistently working from personal, unmanaged devices, conducting risky activities, and having their productivity impacted by legacy security and IT solutions.
Here’s what Talon discovered:
Most third parties (89%) work from personal, unmanaged devices, where organisations lack visibility and cannot enforce the enterprise’s security posture on. Talon pointed to a Microsoft data point that estimated users are 71% more likely to be infected on an unmanaged device.
With third parties working from personal devices, they tend to carry out personal, potentially risky tasks. Respondents note that at least on occasion, they have used their devices to:
Browse the internet for personal needs (76%)
Indulge in online shopping (71%)
Check personal email (75%)
Save weak passwords in the web browser (61%)
Play games (53%)
Allow family members to browse (36%)
Share passwords with co-workers (24%)
Legacy apps such as Virtual Desktop Infrastructure (VDI) and Desktop-as-a-Service (DaaS) solutions are prominent, with 45% of respondents using such technologies while working for organisations.
UK Privacy Regulator Names and Shames Breached Firms
The UK Information Commissioner’s Office (ICO) has taken the unusual step of publishing details of personal data breaches, complaints and civil investigations on its website, according to legal experts.
The data, available from Q4 2021 onwards, includes the organisation’s name and sector, the relevant legislation and the type of issues involved, the date of completion and the outcome.
Given the significance of this development, it’s surprising that the ICO has (1) chosen to release it with limited fanfare, and (2) buried the data sets on its website. Indeed, it seems to have flown almost entirely under the radar.
Understanding whether their breach or complaint will be publicised by European regulators is one of – if not the – main concern that organisations have when working through an incident, and the answer has usually been no. That is particularly the understanding or assumption where the breach or complaint is closed without regulatory enforcement. Now, at least in the UK, the era of relative anonymity looks to be over.
Despite the lack of fanfare around the announcement, this naming and shaming approach could make the ICO one of the more aggressive privacy regulators in Europe. In the future, claimant firms in class action lawsuits may adopt “US-style practices” of scanning the ICO database to find evidence of repeat offending or possible new cases.
The news comes even as data reveals the value of ICO fines issued in the past year tripled from the previous 12 months. In the year ending October 31 2022, the regulator issued fines worth £15.2m, up from £4.8m the previous year. The sharp increase in the value of fines shows the ICO’s increasing willingness selectively to crack down on businesses – particularly those that the ICO perceives has not taken adequate measures to protect customer and employee data.
https://www.infosecurity-magazine.com/news/uk-privacy-regulator-names-and/
Threats
Ransomware, Extortion and Destructive Attacks
20 companies affected by major ransomware attacks in 2021 | TechTarget
NCC Group: Ransomware attacks increased 41% in November | TechTarget
Adversarial risk in the age of ransomware - Help Net Security
FIN7 hackers create auto-attack platform to breach Exchange servers (bleepingcomputer.com)
Ransomware Uses New Exploit to Bypass ProxyNotShell Mitigations | SecurityWeek.Com
British newspaper The Guardian says it’s been hit by ransomware | TechCrunch
Play ransomware actors bypass ProxyNotShell mitigations | TechTarget
FIN7 Cyber crime Syndicate Emerges as Major Player in Ransomware Landscape (thehackernews.com)
Vice Society ransomware gang is using a custom locker - Security Affairs
NIO suffers user data breach, hacker demands $2.25 million worth of bitcoin - CnEVPost
German industrial giant ThyssenKrupp targeted in a cyber attack - Security Affairs
Paying Ransom: Why Manufacturers Shell Out to Cyber criminals (darkreading.com)
France Seeks to Protect Hospitals After Series of Cyber attacks | SecurityWeek.Com
Fire and rescue service in Victoria, Australia, confirms cyber attack - Security Affairs
Play Ransomware Gang Lay Claims For Cyber Attack On H-Hotels (informationsecuritybuzz.com)
Evolving threats and broadening responses to Ransomware in the UAE - Security Boulevard
Phishing & Email Based Attacks
Five Best Practices for Consumers to Beat Phishing Campaigns This Holiday Season - CPO Magazine
Hackers continue to exploit hijacked MailChimp accounts in cyber crime campaigns (bitdefender.com)
Holiday Spam, Phishing Campaigns Challenge Retailers (darkreading.com)
Email hijackers scam food out of businesses, not just money • The Register
Telling users to ‘avoid clicking bad links’ still isn’t working - NCSC.GOV.UK
“Suspicious login” scammers up their game – take care at Christmas – Naked Security (sophos.com)
Simple Steps to Avoid Phishing Attacks During This Festive season | Tripwire
BEC – Business Email Compromise
Telling users to ‘avoid clicking bad links’ still isn’t working - NCSC.GOV.UK
What happens once scammers receive funds from their victims - Help Net Security
Other Social Engineering; Smishing, Vishing, etc
2FA/MFA
Why Security Teams Shouldn't Snooze on MFA Fatigue (darkreading.com)
Comcast Xfinity accounts hacked in widespread 2FA bypass attacks (bleepingcomputer.com)
Malware
Malicious ‘SentinelOne’ PyPI package steals data from developers (bleepingcomputer.com)
Glupteba Botnet Continues to Thrive Despite Google's Attempts to Disrupt It (thehackernews.com)
Ukraine's DELTA military system users targeted by info-stealing malware (bleepingcomputer.com)
Sophisticated DarkTortilla Malware Serves Imposter Cisco, Grammarly Pages (darkreading.com)
Trojanized Windows 10 installers compromised the Ukrainian government | SC Media (scmagazine.com)
Raspberry Robin Worm Targets Telcos & Governments (darkreading.com)
Raspberry Robin worm drops fake malware to confuse researchers (bleepingcomputer.com)
Number of command-and-control servers spiked in 2022: report - The Record by Recorded Future
Mobile
GodFather Android malware targets 400 banks, crypto exchanges (bleepingcomputer.com)
Godfather makes banking apps an offer they can’t refuse • The Register
T-Mobile hacker gets 10 years for $25 million phone unlock scheme (bleepingcomputer.com)
Botnets
Glupteba Botnet Continues to Thrive Despite Google's Attempts to Disrupt It (thehackernews.com)
Zerobot malware now spreads by exploiting Apache vulnerabilities (bleepingcomputer.com)
Flaws within IoT devices exploited by the Zerobot botnet (izoologic.com)
Zerobot Adds Brute Force, DDoS to Its IoT Attack Arsenal (darkreading.com)
Denial of Service/DoS/DDOS
DDoS Attacks are Slowly Growing in the Technology Era (analyticsinsight.net)
Zerobot Adds Brute Force, DDoS to Its IoT Attack Arsenal (darkreading.com)
BYOD
Internet of Things – IoT
Millions of IP cameras around the world are unprotected | TechRadar
Zerobot Adds Brute Force, DDoS to Its IoT Attack Arsenal (darkreading.com)
Throw away all your Eufy cameras right now | Android Central
Read what Anker’s customer support is telling worried Eufy camera owners - The Verge
Amazon Ring Cameras Used in Nationwide ‘Swatting’ Spree, US Says - Bloomberg
Connected homes are expanding, so is attack volume - Help Net Security
Security Risks, Serious Vulnerabilities Rampant Among XIoT Devices in the Workplace - CPO Magazine
Data Breaches/Leaks
LastPass users: Your info and password vault data are now in hackers’ hands | Ars Technica
Okta's source code stolen after GitHub repositories hacked (bleepingcomputer.com)
McGraw Hill's S3 buckets exposed 100,000 students' grades • The Register
NIO suffers user data breach, hacker demands $2.25 million worth of bitcoin - CnEVPost
Shoemaker Ecco leaks over 60GB of sensitive data for 500+ days - Security Affairs
Restaurant CRM platform ‘SevenRooms’ confirms breach after data for sale (bleepingcomputer.com)
Leading sports betting firm BetMGM discloses data breach (bleepingcomputer.com)
Organised Crime & Criminal Actors
'Russian hackers' help two New York men game JFK taxi system - CyberScoop
What happens once scammers receive funds from their victims - Help Net Security
[FIN7] Fin7 Unveiled: A deep dive into notorious cyber crime gang - PRODAFT
Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain
FTX's alleged run-of-the-mill frauds depended entirely on crypto (yahoo.com)
GodFather Android malware targets 400 banks, crypto exchanges (bleepingcomputer.com)
Two associates of Sam Bankman-Fried plead guilty to fraud charges in FTX fall | FTX | The Guardian
North Korea-linked hackers stole $626M in virtual assets in 2022 - Security Affairs
Insider Risk and Insider Threats
Fraud, Scams & Financial Crime
FTX's alleged run-of-the-mill frauds depended entirely on crypto (yahoo.com)
“Suspicious login” scammers up their game – take care at Christmas – Naked Security (sophos.com)
Fraudulent ‘popunder’ Google Ad campaign generated millions of dollars • The Register
Over 67,000 DraftKings Betting Accounts Hit by Hackers (gizmodo.com)
What happens once scammers receive funds from their victims - Help Net Security
T-Mobile hacker gets 10 years for $25 million phone unlock scheme (bleepingcomputer.com)
Google Ad fraud campaign used adult content to make millions (bleepingcomputer.com)
Two associates of Sam Bankman-Fried plead guilty to fraud charges in FTX fall | FTX | The Guardian
Inside The Next-Level Fraud Ring Scamming Billions Off Holiday Retailers (darkreading.com)
Supply Chain and Third Parties
Cloud/SaaS
McGraw Hill's S3 buckets exposed 100,000 students' grades • The Register
AWS simplifies Simple Storage Service to prevent data leaks • The Register
New Brand of Security Threats Surface in the Cloud (darkreading.com)
Google WordPress Plug-in Bug Allows AWS Metadata Theft (darkreading.com)
Security on a Shoestring? Cloud, Consolidation Best Bets for Businesses (darkreading.com)
Hybrid/Remote Working
Attack Surface Management
Encryption
API
Open Source
Passwords, Credential Stuffing & Brute Force Attacks
LastPass admits attackers copied password vaults • The Register
LastPass users: Your info and password vault data are now in hackers’ hands | Ars Technica
Social Media
Malvertising
Fraudulent ‘popunder’ Google Ad campaign generated millions of dollars • The Register
Don't click too quick! FBI warns of malicious search engine ads | Tripwire
Google Ad fraud campaign used adult content to make millions (bleepingcomputer.com)
Parental Controls and Child Safety
Buggy parental-control apps could allow device takeover • The Register
Children And The Dangers Of The Virtual World (informationsecuritybuzz.com)
Regulations, Fines and Legislation
TSB fined nearly $60m for platform migration disaster • The Register
FCC proposes record-breaking $300 million fine against robocaller (bleepingcomputer.com)
France Fines Microsoft 60 Million Euros Over Advertising Cookies | SecurityWeek.Com
The long, long reach of the UK’s national security laws | Financial Times
Governance, Risk and Compliance
Make sure your company is prepared for the holiday hacking season - Help Net Security
The benefit of adopting a hacker mindset for building security strategies - Help Net Security
Careers, Working in Cyber and Information Security
CISO roles continue to expand beyond technical expertise - Help Net Security
UK secret services wants ‘corkscrew thinkers’ for new cyber force | News | The Times
Law Enforcement Action and Take Downs
Privacy, Surveillance and Mass Monitoring
France Fines Microsoft 60 Million Euros Over Advertising Cookies | SecurityWeek.Com
What is surveillance capitalism? - Definition from WhatIs.com (techtarget.com)
Google Maps: Important reason you should blur your house on Street View (ladbible.com)
Blur Your House ASAP if It's on Google Maps. Here's Why - CNET
Artificial Intelligence
Threat Modeling in the Age of OpenAI's Chatbot (darkreading.com)
This is how OpenAI's ChatGPT can be used to launch cyber attacks (techmonitor.ai)
Misinformation, Disinformation and Propaganda
Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine
State level cyber attacks – Why and how (ukdefencejournal.org.uk)
The risk of escalation from cyber attacks has never been greater | Ars Technica
Ukraine's DELTA military system users targeted by info-stealing malware (bleepingcomputer.com)
Trojanized Windows 10 installers compromised the Ukrainian government | SC Media (scmagazine.com)
NATO-Member Oil Refinery Targeted in Russian APT Blitz Against Ukraine (darkreading.com)
Russian APT Gamaredon Changes Tactics in Attacks Targeting Ukraine | SecurityWeek.Com
Kremlin-linked hackers tried to spy on oil firm in NATO country, researchers say | CNN Politics
‘Our weapons are computers’: Ukrainian coders aim to gain battlefield edge | Ukraine | The Guardian
The long, long reach of the UK’s national security laws | Financial Times
UK secret services wants ‘corkscrew thinkers’ for new cyber force | News | The Times
Nation State Actors
Nation State Actors – Russia
Nation State Actors – China
Apple accused of censoring apps in Hong Kong and Russia • The Register
The long, long reach of the UK’s national security laws | Financial Times
Nation State Actors – North Korea
Vulnerability Management
Open source vulnerabilities add to security debt - Help Net Security
Top 5 Vulnerabilities Routinely Exploited by Threat Actors in 2022 (socradar.io)
Over 50 New CVE Numbering Authorities Announced in 2022 | SecurityWeek.Com
A Guide to Efficient Patch Management with Action1 (thehackernews.com)
Digging into the numbers one year after Log4Shell | SC Media (scmagazine.com)
Vulnerabilities
Critical Windows code-execution vulnerability went undetected until now | Ars Technica
FoxIt Patches Code Execution Flaws in PDF Tools | SecurityWeek.Com
Old vulnerabilities in Cisco products actively exploited in the wild - Security Affairs
OWASSRF: CrowdStrike Identifies New Method for Bypassing ProxyNotShell Mitigations
Microsoft reports macOS Gatekeeper has an 'Achilles' heel • The Register
Microsoft will turn off Exchange Online basic auth in January (bleepingcomputer.com)
Cisco’s Talos security bods predict new wave of Excel Hell • The Register
Microsoft pushes emergency fix for Windows Server Hyper-V VM issues (bleepingcomputer.com)
Ransomware Uses New Exploit to Bypass ProxyNotShell Mitigations | SecurityWeek.Com
Zerobot malware now spreads by exploiting Apache vulnerabilities (bleepingcomputer.com)
Two New Security Flaws Reported in Ghost CMS Blogging Software (thehackernews.com)
Critical Security Flaw Reported in Passwordstate Enterprise Password Manager (thehackernews.com)
This critical Windows security flaw could be as serious as WannaCry, experts claim | TechRadar
Google WordPress Plug-in Bug Allows AWS Metadata Theft (darkreading.com)
Microsoft Details Gatekeeper Bypass Vulnerability in Apple macOS Systems (thehackernews.com)
Tools and Controls
Companies overwhelmed by available tech solutions - Help Net Security
Is Enterprise VPN on Life Support or Ripe for Reinvention? | SecurityWeek.Com
Reports Published in the Last Week
Other News
The Growing Risk Of Malicious QR Codes (informationsecuritybuzz.com)
NASA infosec again falls short of required standard • The Register
US Joint Cyber Force Elevated to Newest Subordinate Unified Command - MSSP Alert
The Rise of the Rookie Hacker - A New Trend to Reckon With (thehackernews.com)
What enumeration attacks are and how to prevent them | TechTarget
US consumers seriously concerned over their personal data | CSO Online
The FBI is worried about wave of crime against small businesses (cnbc.com)
Sector Specific
Industry specific threat intelligence reports are available.
Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.
· Automotive
· Construction
· Critical National Infrastructure (CNI)
· Defence & Space
· Education & Academia
· Energy & Utilities
· Estate Agencies
· Financial Services
· FinTech
· Food & Agriculture
· Gaming & Gambling
· Government & Public Sector (including Law Enforcement)
· Health/Medical/Pharma
· Hotels & Hospitality
· Insurance
· Legal
· Manufacturing
· Maritime
· Oil, Gas & Mining
· OT, ICS, IIoT, SCADA & Cyber-Physical Systems
· Retail & eCommerce
· Small and Medium Sized Businesses (SMBs)
· Startups
· Telecoms
· Third Sector & Charities
· Transport & Aviation
· Web3
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Threat Briefing 16 December 2022
Black Arrow Cyber Threat Briefing 16 December 2022:
-Executives Take More Cyber Security Risks Than Office Workers
-CISO Role is Diversifying from Technology to Leadership & Communication Skills
-How Emerging AIs, Like ChatGPT, Can Turn Anyone into a Ransomware and Malware Threat Actor
-Cyber Security Drives Improvements in Business Goals
-Incoming FCA Chair Says Crypto Firms Facilitate Money Laundering
-Managing Cyber Risk in 2023: The People Element
-What We Can't See Can Hurt Us
-Uber Suffers New Data Breach After Attack on Vendor, Info Leaked Online
-When Companies Compensate the Hackers, We All Foot the Bill
-HSE Cyber-Attack Costs Ireland $83m So Far
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
Executives Take More Cyber Security Risks Than Office Workers
IT software company Ivanti worked with cyber security experts and surveyed 6,500 executive leaders, cybersecurity professionals, and office workers to understand the perception of today’s cybersecurity threats and to find out how companies are preparing for yet-unknown future threats.
The report revealed that despite 97% of leaders and security professionals reporting their organisation is as prepared, or more prepared, to defend against cybersecurity attacks than they were a year ago, one in five wouldn’t bet a chocolate bar that they could prevent a damaging breach.
In fact, the study finds that organisations are racing to fortify against cyber attacks, but the industry still struggles with a reactive, checklist mentality. This is most pronounced in how security teams are prioritising patches. While 92% of security professionals reported they have a method to prioritise patches, they also indicated that all types of patches rank high – meaning none do.
“Patching is not nearly as simple as it sounds,” said Ivanti. “Even well-staffed, well-funded IT and security teams experience prioritisation challenges amidst other pressing demands. To reduce risk without increasing workload, organisations must implement a risk-based patch management solution and leverage automation to identify, prioritise, and even address vulnerabilities without excess manual intervention”.
Cyber security insiders view phishing, ransomware, and software vulnerabilities as top industry-level threats for 2023. Approximately half of respondents indicated they are “very prepared” to meet the growing threat landscape including ransomware, poor encryption, and malicious employees, but the expected safeguards such as deprovisioning credentials is ignored a third of a time and nearly half of those surveyed say they suspect a former employee or contractor still has active access to company systems and files.
The report also revealed that leaders engage in more dangerous behaviour and are four times more likely to be victims of phishing compared to office workers.
Additionally:
More than 1 in 3 leaders have clicked on a phishing link
Nearly 1 in 4 use easy-to-remember birthdays as part of their password
They are much more likely to hang on to passwords for years
And they are 5x more likely to share their password with people outside the company.
One survey taker shared, “We’ve experienced a few advanced phishing attempts and the employees were totally unaware they were being targeted. These types of attacks have become so much more sophisticated over the last two years – even our most experienced staff are falling prey to it.”
To cope with a rapidly expanding threat landscape, organisations must move beyond a reactive, rules-based approach.
CISO Role is Diversifying from Technology to Leadership & Communication Skills
The role of chief information security officer (CISO), a relatively new executive position, is undergoing some significant changes and an archetype has yet to emerge, a new global report from Marlin Hawk, an executive recruiting and leadership consultant, said.
CISOs are still more likely to serve on advisory boards or industry bodies than on the board of directors. Only 13% of the global CISOs analysed are women; approximately 20% are non-white. Each diversity dimension analysed is down one percentage point year-on-year.
According to James Larkin, managing partner at Marlin Hawk, “Today’s CISOs are taking up the mantle of responsibilities that have traditionally fallen solely to the chief information officer (CIO), which is to act as the primary gateway from the tech department into the wider business and the outside marketplace. This widening scope requires CISOs to be adept communicators to the board, the broader business, as well as the marketplace of shareholders and customers. By thriving in the ‘softer’ skill sets of communication, leadership, and strategy, CISOs are now setting the new industry standards of today and, I predict, will be progressing into the board directors of tomorrow.”
The job does not come without its downsides. For one, according to the search firm, many CISOs change roles and leave their jobs. Their skillset may not be adequate or new leaders get appointed to the job, they lack the necessary internal support, or their company may not have the required commitment to cyber security to make the job effective.
Key findings from the report include:
45% of global CISOs have been in their current role for two years or less, down from 53% in 2021, with 18% turnover year-on-year. While there is still a lot of movement in the CISO seat, there is potentially some stabilisation emerging.
Approximately 62% of global CISOs were hired from another company, indicating a slight increase in the number of CISOs hired internally (38% were hired internally compared to 36% in 2021) but a large gap remains in appropriate successors.
36% of CISOs analysed with a graduate degree received a higher degree in business administration or management. This is down 10% from last year (46% in 2021). Conversely, there has been an increase to 61% of CISOs receiving a higher degree in STEM subjects (up from 46% in 2021).
How Emerging AIs, Like ChatGPT, Can Turn Anyone into a Ransomware and Malware Threat Actor
Ever since OpenAI launched ChatGPT at the end of November, commentators on all sides have been concerned about the impact AI-driven content-creation will have, particularly in the realm of cybersecurity. In fact, many researchers are concerned that generative AI solutions will democratise cyber crime.
With ChatGPT, any user can enter a query and generate malicious code and convincing phishing emails without any technical expertise or coding knowledge.
While security teams can also leverage ChatGPT for defensive purposes such as testing code, by lowering the barrier for entry for cyber attacks, the solution has complicated the threat landscape significantly. From a cyber security perspective, the central challenge created by OpenAI’s creation is that anyone, regardless of technical expertise, can create code to generate malware and ransomware on-demand.
Whilst it can be used for good to assist developers in writing code for good, it can (and already has) been used for malicious purposes. Examples including asking the bot to create convincing phishing emails or assist in reverse engineering code to find zero-day exploits that could be used maliciously instead of reporting them to a vendor.
ChatGPT does have inbuilt guardrails designed to prevent the solution from being used for criminal activity. For instance, it will decline to create shell code or provide specific instructions on how to create shellcode or establish a reverse shell and flag malicious keywords like phishing to block the requests.
The problem with these protections is that they’re reliant on the AI recognising that the user is attempting to write malicious code (which users can obfuscate by rephrasing queries), while there’s no immediate consequences for violating OpenAI’s content policy.
https://venturebeat.com/security/chatgpt-ransomware-malware/
Cyber Security Drives Improvements in Business Goals
Cyber threats should no longer be viewed as just an IT problem, but also a business problem, Deloitte said in its latest Future of Cyber study. Operational disruption, loss of revenue, and loss of customer trust are the top three significant impacts of cyber incidents. More than half, or 56%, of respondents told Deloitte they suffered related consequences to a moderate or large extent.
In 2021, the top three negative consequences from cyber incidents and breaches were operational disruption, which includes supply chain and the partner ecosystem, intellectual property theft, and a drop in share price. While operational disruption remained the top concern in 2022, loss of revenue and loss of customer trust and negative brand impact moved up in importance. Intellectual property theft and drop in share price dropped to eighth and ninth (out of ten) in ranking. Losing funding for a strategic initiative, loss of confidence in the integrity of the technology, and impact on employee recruitment and retention moved up in ranking in 2022. Respondents were also asked to mark two consequences they felt would be most important in 2023: Operational disruption and loss of revenue topped the list.
"Today, cyber means business, and it is difficult to overstate the importance of cyber as a foundational and integral business imperative," Deloitte noted in its report. "It [cyber] should be included in every functional area, as an essential ingredient for success—to drive continuous business value, not simply mitigate risks to IT."
Deloitte categorised organisations' cyber security maturity based on their adoption of cyber planning, risk management, and board engagement. Risk management included activities such as industry benchmarking, incident response, scenario planning, and qualitative and quantitative risk assessment.
Whether or not the organisation adopted any of these three practices hinged on stakeholders recognising the importance of cyber responsibility and engagement across the whole organisation, Deloitte said in its report. Examples included having a governing body that comprises IT and senior business leaders to oversee the cyber program, conducting incident-response scenario planning and simulation at the organisational and/or board level, regularly providing cyber updates to the board to secure funding, and conducting regular cyber awareness training for all employees.
https://www.darkreading.com/edge-threat-monitor/cybersecurity-drives-improvements-in-business-goals
Incoming FCA Chair Says Crypto Firms Facilitate Money Laundering
The man who will lead UK efforts to regulate cryptocurrency firms issued a stark condemnation of the sector on Wednesday, telling MPs that in his experience crypto platforms were “deliberately evasive”, facilitated money laundering at scale and created “massively untoward risk”.
The comments from Ashley Alder, the incoming chair of the Financial Conduct Authority, suggest that crypto firms hoping to build businesses in the UK will face an uphill battle when the FCA assumes new powers to regulate broad swaths of the sector.
They also put Alder, who will become FCA chair in February, on a potential collision course with the government’s aspiration to create a high quality crypto hub that fosters innovation, a vision ministers have remained loyal to even as the global crypto market lurches from crisis to crisis, epitomised by the collapse of FTX. The FCA declined to comment on whether their incoming chair’s views were at odds with those of the government.
Alder comments came during a sometimes terse appointment hearing with the cross-party Treasury select committee, where he faced sustained criticism for appearing virtually from Hong Kong and for his lack of familiarity with some parts of the UK market place and its accountability structures.
https://www.ft.com/content/7bf0a760-5fb5-4146-b757-1acc5fc1dee5
Managing Cyber Risk in 2023: The People Element
2022 has had many challenges from cyber war between Russia and Ukraine, continuing ransomware attacks, and a number of high-profile vulnerabilities and zero day attacks. With the attack surface constantly expanding, CISOs and security leaders are acutely aware of the need to minimise risk across people, processes, and technology.
Top infrastructure risk: people
It’s common knowledge that it’s not if, but when, your organisation will be the target of a cyber attack. CISOs and security leaders seem to share the same opinion—according to Trend Micro’s latest Cyber Risk Index (CRI) (1H’2022), 85% of 4,100 respondents across four global regions said its somewhat to very likely they will experience a cyber attack in the next 12 months. More concerning was 90% of respondents had at least one successful cyber attack in the past 12 months.
The CRI (1H’2022) also found that CISOs, IT practitioners, and managers identified that most organisations’ IT security objectives are not aligned with the business objectives, which could cause challenges when trying to implement a sound cyber security strategy.
It’s important to note that while ideal, avoiding a cyber attack isn’t the main goal—companies need to address critical challenges across their growing digital attack surface to enable faster detection and response, therefore minimising cyber risk.
While it's commonly assumed that security efforts should be largely focused on protecting critical servers and infrastructure, the human attack vector shouldn’t be so quickly forgotten.
https://www.trendmicro.com/en_us/ciso/22/e/managing-cyber-risk.html
What We Can't See Can Hurt Us
In speaking with security and fraud professionals, visibility remains a top priority. This is no surprise, since visibility into the network, application, and user layers is one of the fundamental building blocks of both successful security programs and successful fraud programs. This visibility is required across all environments — whether on-premises, private cloud, public cloud, multicloud, hybrid, or otherwise.
Given this, it is perhaps a bit surprising that visibility in the cloud has lagged behind the move to those environments. This occurred partially because few options for decent visibility were available to businesses as they moved to the cloud. But it also partially happened because higher priority was placed on deploying to the cloud than on protecting those deployments from security and fraud threats.
This is unfortunate, since what we can't see can hurt us. That being said, cloud visibility is becoming a top priority for many businesses. There are a few areas where many businesses are looking for visibility to play a key role, including Compliance, Monitoring, Investigation, Response, API Discovery, Application Breaches, and Malicious User Detection.
Organisation have been a bit behind in terms of ensuring the requisite visibility into cloud environments. Whilst time has been lost, it does seem that gaining visibility into the network, application, and user layers is now a priority for many businesses. This is a positive development, as it enables those businesses to better mitigate the risks that operating blindly creates.
https://www.darkreading.com/edge-articles/what-we-can-t-see-can-hurt-us
Uber Suffers New Data Breach After Attack on Vendor, Info Leaked Online
Uber has suffered a new data breach after a threat actor leaked employee email addresses, corporate reports, and IT asset information stolen from a third-party vendor in a cyber security incident.
On Saturday last week, a threat actor named 'UberLeaks' began leaking data they claimed was stolen from Uber and Uber Eats on a hacking forum known for publishing data breaches. The leaked data includes numerous archives claiming to be source code associated with mobile device management platforms (MDM) used by Uber and Uber Eats and third-party vendor services.
The threat actor created four separate topics, allegedly for Uber MDM at uberhub.uberinternal.com and Uber Eats MDM, and the third-party Teqtivity MDM and TripActions MDM platforms. Each post refers to a member of the Lapsus$ hacking group who is believed to be responsible for numerous high-profile attacks, including a September cyber attack on Uber where threat actors gained access to the internal network and the company's Slack server.
News outlet BleepingComputer has been told that the newly leaked data consists of source code, IT asset management reports, data destruction reports, Windows domain login names and email addresses, and other corporate information. One of the documents seen by BleepingComputer includes email addresses and Windows Active Directory information for over 77,000 Uber employees.
While BleepingComputer initially thought this data was stolen during the September attack, Uber told BleepingComputer it believes it is related to a security breach on a third-party vendor.
When Companies Compensate the Hackers, We All Foot the Bill
Companies are always absorbing costs that are seen as par for the course of budget planning: maintenance, upgrades, office supplies, wastage, shrinkage, etc. These costs ratchet up the price of a company's products and are then passed on to the consumer. Breaches in cyber security and paying out ransoms to hackers should be outside of this remit, and yet more than half of all companies admit to transferring the costs of data breaches on to consumers. Careless or ill-informed employees and other weaknesses in a company's protections lead to catastrophic losses to businesses of around $1,797,945 per minute — and the consumers are paying it off.
If a company estimates the recovery costs from a ransomware attack to exceed the requested payment from the hacker, then it feels like a no-brainer — they're better off just cutting their losses and giving in to the cyber criminal's demands. The issue is that this creates an unvirtuous circle of paying the hacker, which enforces nefarious behaviour and empowers hackers to increase the number and volume of ransoms.
When it comes to ransomware, 32% of companies pay off hackers, and, of that percentage, the average company only retrieves about 65% of its data. Giving in to hackers is counterintuitive. On an even more disturbing note, one study found that 80% of companies that paid a ransom were targeted a second time, with about 40% paying again and a majority of that 40% paying a higher ransom the second time round. This is ludicrous. With 33% of companies suspending operations following an attack, and nearly 40% resorting to laying off staff, it comes as no surprise that the downstream costs are picked up to some extent by the consumer.
As for smaller companies, about 50% of US small businesses don't have a cyber security plan in place, despite the fact that small businesses are three times more likely to be targeted by cyber criminals than larger companies. An average breach costs these companies around $200,000 and has put many out of business. It isn't simply the cost passed on to consumers, it's also the intangible assets, such as brand reputation.
When data is leaked and a site goes down, customers become rightly anxious when their information is sold to the highest bidder on the Dark Web. To safeguard against this, companies of all sizes should exploit automated solutions while training every single member of staff to recognise and report online threats. Paying a ransom does not guarantee the return of data, and for a smaller business, losing valuable customer information could cause long-term damage way beyond the initial attack.
Cyber security professionals, governments, and law enforcement agencies all advise companies to avoid paying the hackers' ransoms. This strategy is affirmed by the success businesses have had in retrieving the stolen data and turning the lights back on — 78% of organisations who say they did not pay a ransom were able to fully restore systems and data without the decryption key. This evidently is not enough to reassure companies who, at the click of a dangerous email being opened, have lost sensitive information and access to their systems and are desperate to get back online. There are many preventative techniques businesses can take advantage of before it even gets to that stage.
HSE Cyber-Attack Costs Ireland $83m So Far
The cost of the cyber-attack that hit the Irish Health Service Executive (HSE) last year has officially reached €80m ($83.75m).
The figures come from a letter from HSE’s chief information officer, seen by The Irish Times. This comes months after the Department of Health suggested in February the attack could end up costing up to €100m ($104m). The letter confirmed that the costs reached €42m ($43.97m) in 2021 and almost €39m ($40.83m) until October of this year.
Ireland has a very capable national cyber security centre and a well-oiled CSIRT team that engages the public/private sector. If the cost does continue to escalate to €100m, that is the equivalent to everyone in the Republic of Ireland having been defrauded by €20. According to The Irish Times, the costs were said to be “enormous,” and the government has been asked to complete a comprehensive assessment of the impact caused by the breach.
The cyber-attack, believed to have been conducted by Russia-based state actors, was reportedly caused by a malicious Microsoft Excel file delivered via a phishing email. According to a December 2021 report, the file was opened at an HSE workstation in March 2021. The malware would have been latent for two months before the breach, which was reportedly discovered in May, two months later. A total of roughly 100,000 people had their personal data stolen during the cyber-attack.
Healthcare continues to be a target of attacks given their enormous attack surface across critical applications, cloud environments and IoT devices.
https://www.infosecurity-magazine.com/news/hse-cyber-attack-ireland-dollar83m/
Threats
Ransomware, Extortion and Destructive Attacks
HSE Cyber-Attack Costs Ireland $83m So Far - Infosecurity Magazine (infosecurity-magazine.com)
Ransomware-hit Rackspace email outage enters 12th day • The Register
The Dark Web is Getting Darker - Ransomware Thrives on Illegal Markets (bleepingcomputer.com)
Rash of New Ransomware Variants Springs Up in the Wild (darkreading.com)
Patch Tuesday: Microsoft Plugs Windows Hole Exploited in Ransomware Attacks | SecurityWeek.Com
Preventing a ransomware attack with intelligence: Strategies for CISOs - Help Net Security
LockBit ransomware crew claims attack on California Department of Finance - CyberScoop
When Companies Compensate the Hackers, We All Foot the Bill (darkreading.com)
Clop ransomware uses TrueBot malware for access to networks (bleepingcomputer.com)
TrueBot infections were observed in Clop ransomware attacks - Security Affairs
Play ransomware claims attack on Belgium city of Antwerp (bleepingcomputer.com)
Brooklyn hospital network victim of cyber hack crash (msn.com)
Cyber security Experts Uncover Inner Workings of Destructive Azov Ransomware (thehackernews.com)
Cybereason warns of rapid increase in Royal ransomware | TechTarget
New Royal ransomware group evades detection with partial encryption | CSO Online
How ChatGPT can turn anyone into a ransomware and malware threat actor | VentureBeat
Check Point classifies Azov as wiper, not ransomware | TechTarget
Phishing & Email Based Attacks
Open-source repositories flooded by 144,000 phishing packages (bleepingcomputer.com)
Phishing attack uses Facebook posts to evade email security (bleepingcomputer.com)
BEC – Business Email Compromise
Other Social Engineering; Smishing, Vishing, etc
Malware
Microsoft digital certificates have once again been abused to sign malware | Ars Technica
Hackers target Japanese politicians with new MirrorStealer malware (bleepingcomputer.com)
Zscaler: Nearly 90% of Cyber attacks Now Use Encrypted Channels, Malware Tops - MSSP Alert
Crooks use HTML smuggling to spread QBot malware via SVG files - Security Affairs
A clever trick turns antivirus software into unstoppable data wiping scourges | TechSpot
How ChatGPT can turn anyone into a ransomware and malware threat actor | VentureBeat
Mobile
Android Malware Campaign Leverages Money-Lending Apps to Blackmail Victims (thehackernews.com)
Why You Should Enable Apple’s New iOS 16.2 Security Feature | Reviews by Wirecutter (nytimes.com)
Xnspy stalkerware spied on thousands of iPhones and Android devices | TechCrunch
Internet of Things – IoT
3.5m IP cameras exposed, with US in the lead - Security Affairs
Are robots too insecure for lethal use by law enforcement? | CSO Online
10 Ways Doorbell Cameras Pose a Threat to Privacy and Security - Listverse
Data Breaches/Leaks
Uber suffers new data breach after attack on vendor, info leaked online (bleepingcomputer.com)
Twitter confirms recent user data leak is from 2021 breach (bleepingcomputer.com)
HR platform Sequoia says hackers accessed customer SSNs and COVID-19 data | TechCrunch
Australia's Telstra suffers privacy breach, 132,000 customers impacted | Reuters
Unauthorised server access caused AirAsia data leak: Fahmi | Malaysia | The Vibes
FBI's InfraGard Cyber security Program Breached by Hackers (gizmodo.com)
Aussie Data Breaches Surge 489% in Q4 2022 - Infosecurity Magazine (infosecurity-magazine.com)
Uber staff information leaks after IT supply chain attack • The Register
TPG Telecom joins list of hacked Australian companies, shares slide | Reuters
How companies can avoid costly data breaches - Help Net Security
Hackers leak personal info allegedly stolen from 5.7M Gemini users (bleepingcomputer.com)
Organised Crime & Criminal Actors
Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain
Incoming FCA chair says crypto firms facilitate money laundering | Financial Times (ft.com)
Britons lose life savings to ‘Ali Baba and the cryptocurrency scammers’ | News | The Times
DOJ divided over charging Binance for alleged crypto crimes, report says | Ars Technica
Facebook Asks Lawmakers Not to Regulate Crypto Too Harshly Just Because of All the Fraud (vice.com)
The amateur sleuths who helped to bring down Sam Bankman-Fried - New Statesman
Hackers leak personal info allegedly stolen from 5.7M Gemini users (bleepingcomputer.com)
Insider Risk and Insider Threats
Executives take more cyber security risks than office workers - Help Net Security
Managing Cyber Risk in 2023: The People Element (trendmicro.com)
Fraud, Scams & Financial Crime
Britons lose life savings to ‘Ali Baba and the cryptocurrency scammers’ | News | The Times
Restaurant closes after fraudsters posing as officials steal thousands | News | The Times
Woman gets 66 months in prison for role in $3.3 million ID fraud op (bleepingcomputer.com)
Patrick Giblin conned women all over the US. Now he's going to prison for 5 years | CNN
UK arrests five for selling dodgy point of sale software • The Register
The amateur sleuths who helped to bring down Sam Bankman-Fried - New Statesman
8 charged with conspiracy to commit securities fraud • The Register
AML/CFT/Sanctions
Insurance
Dark Web
Supply Chain and Third Parties
Uber staff information leaks after IT supply chain attack • The Register
Report highlights serious cyber security issues with US defence contractors | CSO Online
Software Supply Chain
How Naming Can Change the Game in Software Supply Chain Security (darkreading.com)
Microsoft digital certificates have once again been abused to sign malware | Ars Technica
Denial of Service DoS/DDoS
FBI Charges 6, Seizes 48 Domains Linked to DDoS-for-Hire Service Platforms (thehackernews.com)
Prosecutors charge 6 people for allegedly waging massive DDoS attacks | Ars Technica
‘Booter’ sites taken down in global cyber crime bust (gbnews.uk)
Microsoft discovers Windows/Linux botnet used in DDoS attacks | Ars Technica
Cloud/SaaS
Microsoft launches EU 'data boundary' from next year • The Register
HR platform Sequoia says hackers accessed customer SSNs and COVID-19 data | TechCrunch
Lego fixes dangerous API vulnerability in BrickLink service | TechTarget (computerweekly.com)
Data Destruction Policies in the Age of Cloud Computing (darkreading.com)
Hybrid/Remote Working
Encryption
Zscaler: Nearly 90% of Cyber attacks Now Use Encrypted Channels, Malware Tops - MSSP Alert
The FBI Says Apple’s New Encryption Is “Deeply Concerning” (futurism.com)
Over 85% of Attacks Hide in Encrypted Channels - Infosecurity Magazine (infosecurity-magazine.com)
Privacy advocates are aghast at UK’s anti-encryption plans (thenextweb.com)
API
Open Source
Google Launches OSV-Scanner Tool to Identify Open Source Vulnerabilities (thehackernews.com)
Open-source repositories flooded by 144,000 phishing packages (bleepingcomputer.com)
Passwords, Credential Stuffing & Brute Force Attacks
Social Media
TikTok may push potentially harmful content to teens within minutes, study finds | CNN Business
Meta warns spyware still being used to target people on social media | Meta | The Guardian
Elon Musk Bans Journalists From Twitter After Reinstating Nazis (gizmodo.com)
Russian disinformation rampant on far-right social media platforms - CyberScoop
HowTo: Fight Cyber-Threats in the Metaverse - Infosecurity Magazine
US politicians propose TikTok ban over China security concerns (telegraph.co.uk)
Training, Education and Awareness
Keep Your Grinch at Bay: Here's How to Stay Safe Online this Holiday Season (thehackernews.com)
Remote Work Cyber security Requires a Change in Mindset (informationsecuritybuzz.com)
Parental Controls and Child Safety
TikTok may push potentially harmful content to teens within minutes, study finds | CNN Business
Microsoft Teams is a vector for child sexual abuse material • The Register
Cyber Bullying, Cyber Stalking and Sextortion
Xnspy stalkerware spied on thousands of iPhones and Android devices | TechCrunch
Proposed law offers support to tech-enabled abuse survivors • The Register
Regulations, Fines and Legislation
Privacy concerns are limiting data usage abilities - Help Net Security
European Commission takes step toward approving EU-US data privacy pact | Computerworld
Governance, Risk and Compliance
Managing Cyber Risk in 2023: The People Element (trendmicro.com)
Executives take more cyber security risks than office workers - Help Net Security
Cyber security Drives Improvements in Business Goals (darkreading.com)
Compliance Is Not Enough: How to Manage Your Customer Data (darkreading.com)
5 tips for building a culture of cyber security accountability - Help Net Security
Data Destruction Policies in the Age of Cloud Computing (darkreading.com)
What CISOs consider when building up security resilience - Help Net Security
CISO Role is Diversifying From Technology to Leadership & Communication Skills - MSSP Alert
Models, Frameworks and Standards
Why PCI DSS 4.0 Should Be on Your Radar in 2023 (thehackernews.com)
PCI Secure Software Standard version 1.2 sets out new payment security requirements | CSO Online
Backup and Recovery
Why Your MSSP Should Offer Backup-as-a-Service (BaaS) - MSSP Alert
CISA Warns Veeam Backup & Replication Vulnerabilities Exploited in Attacks | SecurityWeek.Com
Data Protection
Careers, Working in Cyber and Information Security
Law Enforcement Action and Take Downs
FBI Charges 6, Seizes 48 Domains Linked to DDoS-for-Hire Service Platforms (thehackernews.com)
Prosecutors charge 6 people for allegedly waging massive DDoS attacks | Ars Technica
8 charged with conspiracy to commit securities fraud • The Register
Privacy, Surveillance and Mass Monitoring
Privacy advocates are aghast at UK’s anti-encryption plans (thenextweb.com)
Apple should pay €6m for tracking users – French official • The Register
European Commission takes step toward approving EU-US data privacy pact | Computerworld
Privacy concerns are limiting data usage abilities - Help Net Security
Artificial Intelligence
Are robots too insecure for lethal use by law enforcement? | CSO Online
How ChatGPT can turn anyone into a ransomware and malware threat actor | VentureBeat
Misinformation, Disinformation and Propaganda
Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine
Trojanized Windows 10 Operating System Installers Targeted Ukrainian Government | Mandiant
Reassessing cyberwarfare. Lessons learned in 2022 | Securelist
As Wiretap Claims Rattle Government, Greece Bans Spyware | SecurityWeek.Com
Ex-Twitter Worker Gets Prison Time in Saudi 'Spy' Case | SecurityWeek.Com
Reassessing cyberwarfare. Lessons learned in 2022 | Securelist
Nation State Actors
Nation State Actors – Russia
Seven accused of smuggling out US military tech for Moscow • The Register
Neo-Nazi Russian militia appeals for intelligence on Nato member states | Ukraine | The Guardian
NSA cyber director warns of Russian digital assaults on global energy sector - CyberScoop
Russian disinformation rampant on far-right social media platforms - CyberScoop
Nation State Actors – China
NSA Outs Chinese Hackers Exploiting Citrix Zero-Day | SecurityWeek.Com
US politicians propose TikTok ban over China security concerns (telegraph.co.uk)
Hackers target Japanese politicians with new MirrorStealer malware (bleepingcomputer.com)
US to add Chinese chipmaker to trade blacklist | Financial Times (ft.com)
AIIMS cyber attack suspected to have originated in China, Hong Kong - Rediff.com India News
Spies and Lies by Alex Joske — inside China’s intelligence operation | Financial Times (ft.com)
Nation State Actors – North Korea
Nation State Actors – Iran
Vulnerability Management
Transitive Dependencies Account for 95% of Bugs - Infosecurity Magazine (infosecurity-magazine.com)
24% of technology applications contain high-risk security flaws - Help Net Security
Vulnerabilities
Hackers exploit critical Citrix ADC and Gateway zero day, patch now (bleepingcomputer.com)
CISA Warns Veeam Backup & Replication Vulnerabilities Exploited in Attacks | SecurityWeek.Com
Adobe Patches 38 Flaws in Enterprise Software Products | SecurityWeek.Com
VMware fixed critical VM Escape bug demonstrated at Geekpwn hacking contest - Security Affairs
Samba Issues Security Updates to Patch Multiple High-Severity Vulnerabilities (thehackernews.com)
Fortinet says SSL-VPN pre-auth RCE bug is exploited in attacks (bleepingcomputer.com)
Transitive Dependencies Account for 95% of Bugs - Infosecurity Magazine (infosecurity-magazine.com)
Citrix Releases Security Updates for Citrix ADC, Citrix Gateway | CISA
Security Flaw in Atlassian Products Affecting Multiple Companies (darkreading.com)
Patch Tuesday: 0-days, RCE bugs, and a curious tale of signed malware – Naked Security (sophos.com)
Patch Tuesday: Microsoft Plugs Windows Hole Exploited in Ransomware Attacks | SecurityWeek.Com
New Actively Exploited Zero-Day Vulnerability Discovered in Apple Products (thehackernews.com)
Apple patches everything, finally reveals mystery of iOS 16.1.2 – Naked Security (sophos.com)
Apple fixed the tenth actively exploited zero-day this year - Security Affairs
High-Severity Memory Safety Bugs Patched With Latest Chrome 108 Update | SecurityWeek.Com
Top 5 Web App Vulnerabilities and How to Find Them (thehackernews.com)
Severe vulnerabilities found in most industrial controllers - The Washington Post
Akamai WAF bypassed via Spring Boot to trigger RCE | The Daily Swig (portswigger.net)
Tools and Controls
CISA Warns Veeam Backup & Replication Vulnerabilities Exploited in Attacks | SecurityWeek.Com
Why Your MSSP Should Offer Backup-as-a-Service (BaaS) - MSSP Alert
Data Destruction Policies in the Age of Cloud Computing (darkreading.com)
Other News
Cyber Threats Loom as 5B People Prepare to Watch World Cup Final (darkreading.com)
Tech companies must start sharing intelligence to avert global conflicts | Financial Times (ft.com)
Microsoft Defender, Avast, AVG turned against Windows to permanently delete files - Neowin
Analysis Shows Attackers Favour PowerShell, File Obfuscation (darkreading.com)
Automated Cyber campaign Creates Masses of Bogus Software Building Blocks (darkreading.com)
12 types of wireless network attacks and how to prevent them | TechTarget
FuboTV says World Cup streaming outage caused by a cyber attack (bleepingcomputer.com)
MTTR “not a viable metric” for complex software system reliability and security | CSO Online
Low-code/no-code security risks climb as tools gain traction | TechTarget
Sector Specific
Industry specific threat intelligence reports are available.
Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.
· Automotive
· Construction
· Critical National Infrastructure (CNI)
· Defence & Space
· Education & Academia
· Energy & Utilities
· Estate Agencies
· Financial Services
· FinTech
· Food & Agriculture
· Gaming & Gambling
· Government & Public Sector (including Law Enforcement)
· Health/Medical/Pharma
· Hotels & Hospitality
· Insurance
· Legal
· Manufacturing
· Maritime
· Oil, Gas & Mining
· OT, ICS, IIoT, SCADA & Cyber-Physical Systems
· Retail & eCommerce
· Small and Medium Sized Businesses (SMBs)
· Startups
· Telecoms
· Third Sector & Charities
· Transport & Aviation
· Web3
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Threat Briefing 25 November 2022
Black Arrow Cyber Threat Briefing 25 November 2022:
-Hackers Hit One Third of Organisations Worldwide Multiple Times
-Firms Spend $1,197 Per Employee Yearly to Address Cyber Attacks
-90% of Organisations have Microsoft 365 Security Gaps
-Luna Moth Phishing Extortion Campaign Targets Businesses in Multiple Sectors
-The Real Cost of Cyber Attacks: What Organisations Should Be Prepared For
-34 Russian Cyber Crime Groups Stole Over 50 Million Passwords with Stealer Malware
-“Password” Continues to Be the Most Common Password in 2022
-Lasts Year’s Massive Twitter Data Breach Was Far Worse Than Reported, Reveal Security Researchers
-European Parliament Declares Russia to be a State Sponsor of Terrorism – then Gets Attacked
-The Changing Nature of Nation-State Cyber Warfare
-Is Your Company Covered for a Cyber Security Attack? That’s the £2 Million Question
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
Hackers Hit One Third of Organisations Worldwide Multiple Times
Hackers have stolen customer records multiple times from nearly a third of organisations worldwide in the past 12 months, security provider Trend Micro said in its newly released, twice-yearly Cyber Risk Index (CRI) report.
The report features interviews with some 4,100 organisations across North America, Europe, Latin/South America and Asia-Pacific. Respondents stressed that customer records are at increased risk as organisations struggle to profile and defend an expanding attack surface.
Overall, respondents rated the following as the top cyber threats in 1H 2022:
Business Email Compromise (BEC)
Clickjacking
Fileless attacks
Ransomware
Login attacks (Credential Theft)
Here are some key findings from the study:
The CRI calculates the gap between organisational preparedness and the likelihood of being attacked, with -10 representing the highest level of risk. The global CRI index moved from –0.04 in 2H 2021 to –0.15 in 1H 2022, indicating a surging level of risk over the past six months.
This is a slight increase in risk from the second half of 2021, when it was -0.04. Organisations in North America and Asia-Pacific saw an increase in their cyber risk from that period while Europe and Latin/South America’s risk decreased in comparison.
The number of global organisations experiencing a “successful” cyber-attack increased from 84% to 90% over the same period.
The number now expected to be compromised over the coming year has also increased from 76% to 85%.
From the business perspective, the biggest concern is the misalignment between CISOs and business executives, Trend Micro said. The answers given by respondents to the question: “My organisation’s IT security objectives are aligned with business objectives,” only made a score of 4.79 out of 10.0
By addressing the shortage of cyber security professionals and improving security processes and technology, organisations will significantly reduce their vulnerability to attacks.
You can’t protect what you can’t see. But with hybrid working ushering in a new era of complex, distributed IT environments, many organisations are finding it difficult to eradicate growing security coverage and visibility gaps. To avoid the attack surface spiraling out of control, they need to combine asset discovery and monitoring with threat detection and response on a single platform.
Firms Spend $1,197 Per Employee Yearly to Address Cyber Attacks
Companies pay an average of $1,197 per employee yearly to address successful cyber incidents against email services, cloud collaboration apps or services and browsers.
Security researchers at Perception Point shared the findings with Infosecurity before publishing them in a new white paper this month.
According to the new data, the above figures exclude compliance fines, ransomware mitigation costs and losses from non-operational processes, all of which can cause further spending.
The survey, conducted in conjunction with Osterman Research in June, considers the responses of 250 security and IT decision-makers at various enterprises and reveals additional discoveries regarding today’s enterprise threat landscape.
These findings demonstrate the urgent need for organisations to find the most accurate and efficient cyber security solutions which provide the necessary protection with streamlined processes and managed services.
Among the findings is that malicious incidents against new cloud-based apps and services occur at 60% of the frequency with which they take place on email-based services.
Additionally, some attacks, like those involving malware installed on an endpoint, happen on cloud collaboration apps at a much higher rate (87%) when compared to email-based services.
The Perception Point report also shows that a successful email-based cyber incident takes security staff an average of 86 hours to address.
In light of these figures, the security company added that one security professional with no additional support can only handle 23 email incidents annually, representing a direct cost of $6452 per incident alone.
Conversely, incidents detected on cloud collaboration apps or services take, on average, 71 hours to resolve. In these cases, one professional can handle just 28 incidents yearly at an average cost of $5305 per incident.
https://www.infosecurity-magazine.com/news/firms-dollar1197-per-employee/
90% of Organisations have Microsoft 365 Security Gaps
A recently published study evaluated 1.6 million Microsoft 365 users across three continents, finding that 90% of organisations had gaps in essential security protections. Managing Microsoft 365 (M365) is complicated. How can IT teams avoid management headaches, stay 100% compliant, and truly take control of their M365 instance?
Research from the study reveals that many common security procedures are not being followed 100% of the time. This leaves gaping holes in most organisations’ security defences. While most companies have strong documented security policies, the research uncovered that most aren’t being implemented consistently due to difficulties in reporting and limited IT resources:
90% of companies had gaps across all four key areas studied – multi-factor authentication (MFA), email security, password policies, and failed logins
87% of companies have MFA disabled for some or all their admins (which are the most critical accounts to protect, due to their higher access levels)
Only 17% of companies had strong password requirements that were being consistently followed.
Overall, nearly every organisation is leaving the door open for cyber security threats due to weak credentials, particularly for administrator accounts.
In addition to security challenges, the study identified key areas for improvement in managing Microsoft 365 licences as well, such as:
The average company had 21.6% of their licenses unassigned or “sitting on the shelf.” Another 10.2% of licenses were inactive, for an average of 31.9% unused licenses.
17% of companies had over 10,000 licenses unassigned or inactive. These cases represent big opportunities to optimise licence spend with better tools.
Overall, the study reveals that reporting challenges make security and licence management incredibly difficult, leading to unnecessary risks and costs.
https://www.helpnetsecurity.com/2022/11/22/microsoft-365-security-protections/
Luna Moth Phishing Extortion Campaign Targets Businesses in Multiple Sectors
A callback phishing extortion campaign by Luna Moth (aka Silent Ransom Group) has targeted businesses in multiple sectors, including legal and retail.
The findings come from Palo Alto Network’s security team Unit 42, which described the campaign in a new advisory.
“This campaign leverages extortion without encryption, has cost victims hundreds of thousands of dollars and is expanding in scope,” reads the technical write-up. At the same time, Unit 42 said that this type of social engineering attack leaves very few artifacts because it relies on legitimate technology tools to carry out attacks. In fact, callback phishing, also known as telephone-oriented attack delivery (TOAD), is a social engineering method that requires a threat actor to interact with the victim to accomplish their goals.
“This attack style is more resource intensive but less complex than script-based attacks, and it tends to have a much higher success rate,” reads the advisory. According to Unit 42, threat actors associated with the Conti group have extensively used this attack style in BazarCall campaigns. “Early iterations of this attack focused on tricking the victim into downloading the BazarLoader malware using documents with malicious macros,” explained the researchers.
As for the new campaign, which Sygnia security researchers first unveiled in July, it removes the malware portion of the attack. “In this campaign, attackers use legitimate and trusted systems management tools to interact directly with a victim’s computer to manually exfiltrate data [...] As these tools are not malicious, they’re not likely to be flagged by traditional antivirus products,” Unit 42 wrote.
The researchers also said that they expect callback phishing attacks to increase in popularity because of low per-target cost, low risk of detection and fast monetisation factors.
https://www.infosecurity-magazine.com/news/luna-moth-phishing-target-multiple/
The Real Cost of Cyber Attacks: What Organisations Should Be Prepared For
With each passing year, hackers and cyber criminals of all kinds are becoming more sophisticated, malicious, and greedy conducting brazen and often destructive cyber-attacks that can severely disrupt a company’s business operations. And this is a big problem, because, first and foremost, customers rely on a company’s ability to deliver services or products in a timely manner. Cyber-attacks not only can affect customers’ data, but they can impact service delivery.
In one of the recent incidents, the UK’s discount retailer The Works has been forced to temporarily shut down some of its stores after a ransomware attack. While the tech team quickly shut down the company’s computers after being alerted to the security breach by the firewall system, the attack caused disruption to deliveries and store functionality including till operations.
A cyber security incident can greatly affect a business due to the consequences associated with cyber-attacks like potential lawsuits, hefty fines and damage payments, insurance rate hikes, criminal investigations and bad publicity. For example, shares of Okta, a major provider of authentication services, fell 9% after the company revealed it was a victim of a major supply chain incident via an attack on a third-party contractor’s laptop, which affected some of its customers.
Another glaring example is a 2021 cyber-attack launched by the Russian-speaking ransomware gang called DarkSide against the operator of one of the US’ largest fuel pipelines Colonial Pipeline, which crippled fuel delivery across the Southeastern United States impacting lives of millions due to supply shortages. Colonial paid the DarkSide hackers a $4.4 million ransom soon after the incident. The attackers also stole nearly 100GB of data from Colonial Pipeline and threatened to leak it if the ransom wasn’t paid. It’s also worth noting that the company is now facing a nearly $1 million penalty for failure “to plan and prepare for a manual restart and shutdown operation, which contributed to the national impacts after the cyber-attack.”
Data breaches and costs associated with them have been on the rise for the past few years, but, according to a 2021 report, the average cost per breach increased from $3.86 million in 2020 to $4.24 million in 2021. The report also identified four categories contributing most global data breach costs – Lost business cost (38%), Detection and escalation (29%), Post breach response (27%), and Notification (6%).
Ransomware attacks cost an average of $4.62 million (the cost of a ransom is not included), and destructive wiper-style attacks cost an average of $4.69 million, the report said.
For a business, a data breach is not just a loss of data, it can also have a long-lasting impact on operations and undermine customers’ trust in the company. In fact, a survey revealed that 87% of consumers are willing to take their business elsewhere if they don’t trust a company is handling their data responsibly. Therefore, the reputational damage might be detrimental to a business’ ability to attract new customers.
34 Russian Cyber Crime Groups Stole Over 50 Million Passwords with Stealer Malware
As many as 34 Russian-speaking gangs, distributing information-stealing malware under the stealer-as-a-service model, stole no fewer than 50 million passwords in the first seven months of 2022.
"The underground market value of stolen logs and compromised card details is estimated around $5.8 million" Singapore-headquartered Group-IB said in a report shared with The Hacker News.
Aside from looting passwords, the stealers also harvested 2.11 billion cookie files, 113,204 crypto wallets, and 103,150 payment cards.
A majority of the victims were located in the US, followed by Brazil, India, Germany, Indonesia, the Philippines, France, Turkey, Vietnam, and Italy. In total, over 890,000 devices in 111 countries were infected during the time frame.
Group-IB said the members of several scam groups who are propagating the information stealers previously participated in the Classiscam operation. These groups, which are active on Telegram and have around 200 members on average, are hierarchical, consisting of administrators and workers (or traffers), the latter of whom are responsible for driving unsuspecting users to info-stealers like RedLine and Raccoon. This is achieved by setting up bait websites that impersonate well-known companies and luring victims into downloading malicious files. Links to such websites are, in turn, embedded into YouTube video reviews for popular games and lotteries on social media, or shared directly with non-fungible token (NFT) artists.
https://thehackernews.com/2022/11/34-russian-hacker-groups-stole-over-50.html
“Password” Continues to Be the Most Common Password in 2022
You would think the time spent working from home in the last two years or so helped netizens across the planet figure out how to master the world of WWW in a more efficient manner.
But new research from NordPass shows that despite so many people relying on an Internet connection for their daily activities, few actually care about the security of their data when they go online.
As a result, “password” continues to be the number one password out there, with the aforementioned company claiming that this particular keyword was detected close to 5 million times in a 3TB database. It takes less than one second to crack this password, the company says.
“123456” is currently the second most-used password worldwide, followed by its longer sibling known as “123456789” because, you know, hackers don’t know how to count to 10.
“There’s more than one way to get swindled on Tinder: using “tinder” as your password is more risky than swiping right on a billionaire. In total, this password was used 36,384 times” NordPass says. “The glitziest film industry event of the year – the Oscars ceremony – inspired many to use not-so-glitzy passwords: the password “Oscars” was used 62,983 times.”
Of course, it’s no surprise that Internet users out there turn to movies to get inspiration for their passwords, so unfortunately, “batman” is currently one of the most used keywords supposed to secure Internet accounts.
“Films and shows like Batman, Euphoria, and Encanto were among the most popular releases in 2021/2022. All are also popular passwords: “batman” was used 2,562,776 times, “euphoria” 53,993, and “encanto” 10,808 times,” the company says.
The most common password in the United States is “guest,” while in the United Kingdom, quite a lot of people go for “liverpool” (despite hackers needing just 1 second to crack it).
Lasts Year’s Massive Twitter Data Breach Was Far Worse Than Reported, Reveal Security Researchers
A massive Twitter data breach last year, exposing more than five million phone numbers and email addresses, was worse than initially reported. The same security vulnerability appears to have been exploited by multiple bad actors, and the hacked data has been offered for sale on the dark web by several sources.
It had previously been thought that only one hacker gained access to the data, and Twitter’s belated admission reinforced this impression. HackerOne first reported the vulnerability back in January, which allowed anyone to enter a phone number or email address, and then find the associated twitterID. This is an internal identifier used by Twitter, but can be readily converted to a Twitter handle. A bad actor would be able to put together a single database which combined Twitter handles, email addresses, and phone numbers.
At the time, Twitter admitted that the vulnerability had existed, and subsequently been patched, but said nothing about anyone exploiting it. Restore Privacy subsequently reported that a hacker had indeed used the vulnerability to obtain personal data from millions of accounts.
https://9to5mac.com/2022/11/25/massive-twitter-data-breach/
European Parliament Declares Russia to be a State Sponsor of Terrorism – Then Gets Attacked
On Wednesday, the European Parliament adopted a resolution on the latest developments in Russia’s brutal war of aggression against Ukraine. MEPs highlight that the deliberate attacks and atrocities committed by Russian forces and their proxies against civilians in Ukraine, the destruction of civilian infrastructure and other serious violations of international and humanitarian law amount to acts of terror and constitute war crimes. In light of this, they recognise Russia as a state sponsor of terrorism and as a state that “uses means of terrorism”.
As the EU currently cannot officially designate states as sponsors of terrorism, the European Parliament calls on the EU and its member states to put in place the proper legal framework and consider adding Russia to such a list. This would trigger a number of significant restrictive measures against Moscow and have profound restrictive implications for EU relations with Russia.
In the meantime, MEPs call on the Council to include the Russian paramilitary organisation ‘the Wagner Group’, the 141st Special Motorized Regiment, also known as the “Kadyrovites”, and other Russian-funded armed groups, militias and proxies, on the EU’s terrorist list.
Almost immediately after the vote the European Parliament suffered a sustained denial of service attack that shut down email services and disrupted internet access for more than an hour. A pro-Russian group called KILLNET then claimed responsibility in a Telegram post.
The Changing Nature of Nation-State Cyber Warfare
Military conflict is ever shifting from beyond the battlefield and into cyber space. Ever more sophisticated and ruthless groups of nation-state actors and their proxies continue to target critical systems and infrastructure for political and ideological leverage. These criminals’ far-reaching objectives include intelligence gathering, financial gain, destabilising other nations, hindering communications, and the theft of intellectual property.
The risks to individuals and society are clear. Due to its importance to daily life and the economy, the UK’s critical national infrastructure (CNI) is a natural target for malicious nation-state cyber-attacks. We only need look at the Colonial Pipeline ransomware attack in the US – at the hands of the Russia-affiliated DarkSide group – to appreciate the potential for one criminal act to escalate and cause large-scale societal impact: panic and disruption. Even though the pipeline was shut down for less than a week, the havoc caused by suspending fuel supplies gave CNI operators everywhere a worrying taste of things to come.
Closer to home, the recent cyber attack on South Staffordshire Water highlights the need for all utilities providers to take proactive measures and precautions to better secure essential human sustenance supplies. With the risk of coordinated attacks by criminals backed by nation states rising, the potential for human casualties if attacks against CNI go unchecked is becoming starkly clear.
The Russia-Ukraine war has heightened awareness of the cyber threats posed by all nation-state adversaries. Unsurprisingly, challenges and conflicts in the physical world tend to bleed through into the cyber domain. And with relations between Western nations and Russia, China, Iran, and North Korea more fraught than ever, UK organisations can expect to see further increases in cyber threats at the hands of hostile nation-state actors.
https://informationsecuritybuzz.com/the-changing-nature-of-nation-state-cyber-warfare/
Is Your Company Covered for a Cyber Security Attack? That’s the £2 Million Question
Cyber crime continues to be a persistent and pressing issue for all sized businesses, particularly smaller organisations. In fact, according to the National Cyber Security Alliance, nearly 60% of small businesses that experience a cyber attack shut their doors within six months.
Despite the continuing rise in risk, many small businesses remain vulnerable to cyber attacks due to a lack of resources and – surprisingly – a lack of knowledge of the existing threats. Moreover, companies are now being exposed to cyber risks even further as they struggle to get appropriate cyber insurance, which, if needed, can be devastating should bad actors circumvent your company’s defences.
Cyber insurance is a policy that helps an organisation pay for any financial losses incurred following a data breach or cyber attack. It also helps cover any costs related to the remediation process, such as paying for the investigation, crisis communication, legal services, and customer refunds.
With the constant – and ever-increasing – threat of potential cyber attacks and the need to protect their assets, many companies are applying for cyber insurance, which generally covers a variety of different types of cyber-attacks, including data breaches; business email compromises; cyber extortion demands; malware infections and ransomware.
But, despite the benefits of cyber insurance, it remains surprisingly undervalued. The UK government’s Cyber Security Breaches Survey 2022 found that only 43% of businesses have a cyber insurance policy in place.
Organisations must always seek cost-effective ways to address the cyber security risks they face – as no business is safe in the modern security landscape from a cyber threat. One of the most common ways to mitigate the risk of a cyber security incident is cyber insurance. While all-sized businesses can benefit from having cyber insurance, small businesses frequently lack the knowledge and importance of securing it. This is usually because of the cost, the time involved in finding a provider, and a lack of understanding of the importance of a cyber insurance policy.
Threats
Ransomware and Extortion
Yanluowang Ransomware's Russian Links Laid Bare - Infosecurity Magazine (infosecurity-magazine.com)
Fake subscription invoices lead to corporate data theft and extortion - Help Net Security
Ransomware gang targets Belgian municipality, hits police instead (bleepingcomputer.com)
New ransomware encrypts files, then steals your Discord account (bleepingcomputer.com)
Donut extortion group also targets victims with ransomware (bleepingcomputer.com)
Daixin Ransomware Gang Steals 5 Million AirAsia Passengers' and Employees' Data (thehackernews.com)
Ransomware attacks: Making cyber ransom payments unlawful would help boards (afr.com)
An aggressive Black Basta Ransomware campaign targets US-based companies - Security Affairs
Luna Moth ransomware group invests in call centres to target individual victims - SiliconANGLE
New ransomware attacks in Ukraine linked to Russian Sandworm hackers (bleepingcomputer.com)
Cybereason warns of fast-moving Black Basta campaign (techtarget.com)
Enterprise healthcare providers warned of Lorenz ransomware threat | SC Media (scmagazine.com)
Montreal-area city hit by ransomware: Report | IT World Canada News
Phishing & Email Based Attacks
Google Blocks 231B Spam, Phishing Emails in Past 2 Weeks (darkreading.com)
World Cup phishing emails spike in Middle Eastern countries • The Register
Microsoft Email Security Bypasses Instagram Credential Phishing Attacks - IT Security Guru
Researcher warns that Cisco Secure Email Gateways can easily be circumvented - Security Affairs
SocGholish finds success through novel email techniques | SC Media (scmagazine.com)
BEC – Business Email Compromise
Malware
Cyber criminals are increasingly using info-stealing malware to target victims | CSO Online
A security firm hacked malware operators, locking them out of their own C&C servers | TechSpot
Emotet is back and delivers payloads like IcedID and Bumblebee - Security Affairs
All You Need to Know About Emotet in 2022 (thehackernews.com)
New attacks use Windows security bypass zero-day to drop malware (bleepingcomputer.com)
Multi-Purpose Botnet and Infostealer 'Aurora' Rising to Fame | SecurityWeek.Com
DUCKTAIL malware campaign targeting Facebook business and ads accounts is back | CSO Online
Aurora infostealer malware increasingly adopted by cybergangs (bleepingcomputer.com)
This new malware is able to bypass all of Microsoft's security warnings | TechRadar
Backdoored Chrome extension installed by 200,000 Roblox players (bleepingcomputer.com)
Mobile
'Patch Lag' Leaves Millions of Android Devices Vulnerable (darkreading.com)
Millions of Android Devices Still Don't Have Patches for Mali GPU Flaws (thehackernews.com)
Your iPhone may be collecting more personal data than you think | Digital Trends
Bahamut cybermercenary group targets Android users with fake VPN apps | WeLiveSecurity
WhatsApp data leak: 500 million user records for sale | Cybernews
Internet of Things – IoT
Data Breaches/Leaks
WhatsApp data leak: 500 million user records for sale - Security Affairs
California County Says Personal Information Compromised in Data Breach | SecurityWeek.Com
Organised Crime & Criminal Actors
Russian cyber gangs stole over 50 million passwords this year (bleepingcomputer.com)
How social media scammers buy time to steal your 2FA codes – Naked Security (sophos.com)
DEV-0569 Group Switches Tactics, Abuses Google Ads to Deliver Payloads | Cyware Alerts - Hacker News
Hackers are locking out Mars Stealer operators from their own servers | TechCrunch
Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain
Bank Of England Says Crypto Needs Regulation Now - Information Security Buzz
Two Estonians arrested for running $575M crypto Ponzi scheme (bleepingcomputer.com)
Cyber crooks to ditch BTC as regulation and tracking improves: Kaspersky (cointelegraph.com)
Google Chrome extension used to steal cryptocurrency, passwords (bleepingcomputer.com)
Bahamas SEC Or Hacker? Stolen Funds From FTX Keep On Moving (bitcoinist.com)
Fraud, Scams & Financial Crime
'iSpoof' service dismantled, main operator and 145 users arrested (bleepingcomputer.com)
Operation Elaborate - UK police text 70,000 suspected victims of iSpoof bank fraudsters | Tripwire
DUCKTAIL malware campaign targeting Facebook business and ads accounts is back | CSO Online
Beware - Black Friday online shopping scams are here now | TechRadar
Online retailers should prepare for a holiday season spike in bot-operated attacks | CSO Online
Pig butchering domains seized and slaughtered by the Feds • The Register
Insurance
Software Supply Chain
Denial of Service DoS/DDoS
Cloud/SaaS
Hybrid/Remote Working
Identity and Access Management
Encryption
API
5 API Vulnerabilities That Get Exploited by Criminals - Security Affairs
Three security design principles for public REST APIs - Help Net Security
Passwords, Credential Stuffing & Brute Force Attacks
Russian cyber gangs stole over 50 million passwords this year (bleepingcomputer.com)
Guess the most common password. Hint: We just told you • The Register
World Cup Players Among Most Breached Passwords - IT Security Guru
Google Chrome extension used to steal cryptocurrency, passwords (bleepingcomputer.com)
Microsoft Email Security Bypasses Instagram Credential Phishing Attacks - IT Security Guru
Hackers steal $300,000 in DraftKings credential stuffing attack (bleepingcomputer.com)
Social Media
Ducktail hackers now use WhatsApp to phish for Facebook Ad accounts (bleepingcomputer.com)
Cyber security Pros Put Mastodon Flaws Under the Microscope (darkreading.com)
Musk to abused Twitter users: Your tormentors will return • The Register
Facebook sued for collecting personal data to sell adverts | News | The Times
DUCKTAIL malware campaign targeting Facebook business and ads accounts is back | CSO Online
Microsoft Email Security Bypasses Instagram Credential Phishing Attacks - IT Security Guru
Beyond Trump, Twitter welcomes back purveyors of far-right disinformation - CyberScoop
Cyber Bullying, Cyber Stalking and Sextortion
Regulations, Fines and Legislation
Bank Of England Says Crypto Needs Regulation Now - Information Security Buzz
How US cyber incident reporting law could finally fix the information sharing problem - CyberScoop
Law Enforcement Action and Take Downs
Operation Elaborate - UK police text 70,000 suspected victims of iSpoof bank fraudsters | Tripwire
'iSpoof' service dismantled, main operator and 145 users arrested (bleepingcomputer.com)
Privacy, Surveillance and Mass Monitoring
iPhones are not as privacy-focused as Apple claims, researchers point out - India Today
Thinking about taking your computer to the repair shop? Be very afraid | Ars Technica
Misinformation, Disinformation and Propaganda
Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine
Ukraine shows how space is now central to warfare | Financial Times (ft.com)
New ransomware attacks in Ukraine linked to Russian Sandworm hackers (bleepingcomputer.com)
EU Parliament Putin things back together after cyber attack • The Register
Opinion | Democracies flirting with spyware like Pegasus raises dangers - The Washington Post
Scotland's broadband builder linked to Israeli spyware | HeraldScotland
Russia-based RansomBoggs Ransomware Targeted Several Ukrainian Organisations (thehackernews.com)
Nation State Actors
Nation State Actors – Russia
Russian Tech Giant Wants Out of the Country As Ukraine War Rages on (insider.com)
Yanluowang Ransomware's Russian Links Laid Bare - Infosecurity Magazine (infosecurity-magazine.com)
Nation State Actors – China
Vulnerability Management
Vulnerabilities
73 Percent of Retail Applications Contain Security Flaws, but Only a Quarter Are Fixed (yahoo.com)
Researcher warns that Cisco Secure Email Gateways can easily be circumvented - Security Affairs
AWS fixes 'confused deputy' vulnerability in AppSync • The Register
How to hack an unpatched Exchange server with rogue PowerShell code – Naked Security (sophos.com)
Google pushes emergency Chrome update to fix 8th zero-day in 2022 (bleepingcomputer.com)
Upgrade to Apache Commons Text 1.10 to Avoid New Exploit (infoq.com)
Security experts are laying Mastodon's flaws bare | TechRadar
Devices from Dell, HP, and Lenovo used outdated OpenSSL versions - Security Affairs
PoC Code Published for High-Severity macOS Sandbox Escape Vulnerability | SecurityWeek.Com
5 API Vulnerabilities That Get Exploited by Criminals - Security Affairs
Reports Published in the Last Week
Other News
Know thy enemy: thinking like a hacker can boost cyber security strategy | CSO Online
Security Culture Matters when IT is Decentralized (trendmicro.com)
Legacy IT system modernization largely driven by security concerns - Help Net Security
Been Doing It The Same Way For Years? Think Again. (thehackernews.com)
Docker Hub repositories hide over 1,650 malicious containers (bleepingcomputer.com)
How Tech Companies Can Slow Down Spike in Breaches (darkreading.com)
Inventor of the Web Sir Tim Berners-Lee wants to save your data from Big Tech with Web3.0 | Euronews
Deloitte reveals 10 strategic cyber security predictions for 2023 | VentureBeat
The Biden administration has racked up a host of cyber security accomplishments | CSO Online
US Navy Forced to Pay Software Company for Licensing Breach (gizmodo.com)
Sector Specific
Industry specific threat intelligence reports are available.
Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.
· Automotive
· Construction
· Critical National Infrastructure (CNI)
· Defence & Space
· Education & Academia
· Energy & Utilities
· Estate Agencies
· Financial Services
· FinTech
· Food & Agriculture
· Gaming & Gambling
· Government & Public Sector (including Law Enforcement)
· Health/Medical/Pharma
· Hotels & Hospitality
· Insurance
· Legal
· Manufacturing
· Maritime
· Oil, Gas & Mining
· OT, ICS, IIoT, SCADA & Cyber-Physical Systems
· Retail & eCommerce
· Small and Medium Sized Businesses (SMBs)
· Startups
· Telecoms
· Third Sector & Charities
· Transport & Aviation
· Web3
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Threat Briefing 04 November 2022
Black Arrow Cyber Threat Briefing 04 November 2022:
-NCSC Looks Back on Year Of ‘Profound Change’ for Cyber
-LastPass Research Finds False Sense of Cyber Security Running Rampant
-Insurance Giant Settles NotPetya ‘Act of War’ Lawsuit, Signaling Cyber Insurance Shakeup
-Microsoft Warns of Uptick in Hackers Leveraging Publicly-Disclosed 0-Day Vulnerabilities
-Chinese Mob Has 100K Slaves Working in Cambodian Cyber Crime Mills
-Ransomware Research: 17 Leaked Databases Operated by Threat Actors Threaten Third Party Organisations
-Not Enough Ransomware Victims Are Reporting Attacks, And That's a Problem for Everyone
-Hackers Selling Access to 576 Corporate Networks for $4 Million
-Cyber Security Recovery is a Process That Starts Long Before a Cyber Attack Occurs
-Geopolitics Plays Major Role in Cyber Attacks, Says EU Cyber Security Agency
-Russian Hackers Account for Most 2021 Ransomware Schemes, US Says
-Exposed: The Global Hacking Network That Targets VIPs
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
NCSC Looks Back on Year Of ‘Profound Change’ for Cyber
The UK’s National Cyber Security Centre (NCSC) provided support for 18 nationally significant ransomware attacks; removed 2.1 million cyber-enabled commodity campaigns; issued 34 million early warning alerts about attacks, compromises, vulnerabilities or open ports; and received 6.5 million reports of suspicious emails in the past 12 months – but in a year of “profound change” in the cyber security landscape, it was Russia’s invasion of Ukraine that dominated the agenda.
Reflecting on the past 12 months as she launched the NCSC’s latest annual report on 1 November at an event in London, NCSC CEO Lindy Cameron said that the return of war to Europe with Russia’s invasion of Ukraine presented a unique set of challenges in cyber space for the NCSC and its partners and allies.
Cameron added that while the cyber threat from Russia has perhaps been the most visible security issue of 2022, it was also important not to forget that when it comes to nation-state actors, it will likely be the technical development and evolution of China that ultimately has the more lasting impact on the UK’s national cyber security.
https://www.computerweekly.com/news/252526766/NCSC-looks-back-on-year-of-profound-change-for-cyber
LastPass Research Finds False Sense of Cyber Security Running Rampant
LastPass released findings from its fifth annual Psychology of Password findings, which revealed even with cyber security education on the rise, password hygiene has not improved. Regardless of generational differences across Boomers, Millennials and Gen Z, the research shows a false sense of password security given current behaviours across the board. In addition, LastPass found that while 65% of all respondents have some form of cyber security education — through school, work, social media, books or via online courses — the reality is that 62% almost always or mostly use the same or variation of a password.
The survey, which explored the password security behaviours of 3,750 professionals across seven countries, asked about respondents’ mindset and behaviours surrounding their online security. The findings highlighted a clear disconnect between high confidence when it comes to their password management and their unsafe actions. While the majority of professionals surveyed claimed to be confident in their current password management, this doesn’t translate to safer online behaviour and can create a detrimental false sense of safety.
Key findings from the research include:
Gen Z is confident when it comes to their password management, while also being the biggest offenders of poor password hygiene.
Cyber security education doesn’t necessarily translate to action.
Confidence creates a false sense of password security.
The latest research showcases that even in the face of a pandemic, where we spent more time online amid rising cyber attacks, there continues to be a disconnect for people when it comes to protecting their digital lives. Even though nearly two-thirds of respondents had some form of cyber security education, it is not being put into practice for varying reasons.
https://www.darkreading.com/vulnerabilities-threats/untitled
Insurance Giant Settles NotPetya ‘Act of War’ Lawsuit, Signaling Cyber Insurance Shakeup
The settlement last week in a $100 million lawsuit over whether insurance giant Zurich should cover losses Mondelez International suffered from NotPetya may very well reshape the entire cyber insurance marketplace.
Zurich initially denied claims from Mondelez after the malware, which experts estimate caused some $10 billion in damages globally, wreaked havoc on its computer networks. The insurance provider claimed an act of war exemption since it’s widely believed Russian military hackers unleashed NotPetya on a Ukrainian company before it spread around the world.
Now, however, it’s increasingly clear insurers aren’t off the hook for NotPetya payouts or from covering losses from other attacks with clear links to nation-state hackers.
That’s because in this case, what Mondelez and many other corporations endured was not an act of war, but “collateral damage” in a much larger cyber conflict that had nothing to do with them, said the Center for Strategic and International Studies.
There needs to be a rethink what act of war means in cyber space when it comes to insurance. The current definitions come out of the 19th century when we had pirates, navies and privateers.
Last week’s ruling in favour of Mondelez follows a January ruling in a New Jersey court that sided with global pharmaceutical company Merck in a similar case. Its insurance companies initially refused to pay for damages from NotPetya. Merck claimed losses that amounted to $1.4 billion. The insurers are appealing the ruling.
Insurers seized on the NotPetya episode to test how courts would rule on cyber coverage questions, particularly when there’s so much evidence pointing to one particular nation-state actor. Since NotPetya was widely attributed to the Russian government it gave the industry a “really strong opportunity” to set legal precedent limiting their responsibility in these instances.
Insurers will start to be much more upfront about the fact that they aren’t going to cover acts of cyber war or limit payouts for NotPetya type incidents in the future.
https://www.cyberscoop.com/insurance-giant-settles-notpetya-lawsuit/
Microsoft Warns of Uptick in Hackers Leveraging Publicly-Disclosed 0-Day Vulnerabilities
Microsoft is warning of an uptick among nation-state and criminal actors increasingly leveraging publicly-disclosed zero-day vulnerabilities for breaching target environments.
The tech giant, in its 114-page Digital Defense Report, said it has "observed a reduction in the time between the announcement of a vulnerability and the commoditisation of that vulnerability," making it imperative that organisations patch such exploits in a timely manner.
This also corroborates with an April 2022 advisory from the US Cybersecurity and Infrastructure Security Agency (CISA), which found that bad actors are "aggressively" targeting newly disclosed software bugs against broad targets globally.
Microsoft noted that it only takes 14 days on average for an exploit to be available in the wild after public disclosure of a flaw, stating that while zero-day attacks are initially limited in scope, they tend to be swiftly adopted by other threat actors, leading to indiscriminate probing events before the patches are installed.
It further accused Chinese state-sponsored groups of being "particularly proficient" at discovering and developing zero-day exploits. This has been compounded by the fact that the Cyberspace Administration of China (CAC) enacted a new vulnerability reporting regulation in September 2021 that requires security flaws to be reported to the government prior to them being shared with the product developers.
Redmond further said the law could enable government-backed elements to stockpile and weaponise the reported bugs, resulting in the increased use of zero-days for espionage activities designed to advance China's economic and military interests.
https://thehackernews.com/2022/11/microsoft-warns-of-uptick-in-hackers.html
Chinese Mob Has 100K Slaves Working in Cambodian Cyber Crime Mills
Up to 100,000 people from across Asia have been lured to Cambodia by Chinese crime syndicates with the promise of good jobs. When they arrive, their passports are seized and they are put to work in modern-day sweatshops, running cyber crime campaigns.
The Los Angeles Times reported that Cambodia, which was hit hard economically by the pandemic, has allowed Chinese mobsters to set up enormous cyber crime operations using human trafficked labour without consequence, because of the revenue it generates for the country. The campaigns they carry out run the gamut from romance scams to fake sports betting.
Although the Cambodian government acknowledges that as many as 100,000 workers are involved in these activities, it denies anyone is being held against their will. However, the stories from traumatised victims rescued from cyber crime mills include tales of beatings and torture for failing to meet quotas, and of being sold and passed around from gang to gang.
https://www.darkreading.com/attacks-breaches/chinese-mob-100k-slaves-cambodian-cybercrime-mills
Ransomware Research: 17 Leaked Databases Operated by Threat Actors Threaten Third Party Organisations
Ransomware remains a serious threat to organisations, Deep Instinct, a New York-based deep learning cyber security specialist, said in its recently released 2022 Interim Cyber Threat Report.
It’s no surprise, the company said, as there are currently 17 leaked databases operated by threat actors who are leveraging the data for attacks on third-party companies, most notably social engineering, credential theft, and triple-extortion attacks.
Here are the report’s key findings:
Changes in ransomware gangs, including LockBit, Hive, BlackCat, and Conti. The latter has spawned “Conti Splinters” made up of former affiliates Quantum, BlackBasta, and BlackByte.
Significant changes to tactics by Emotet, Agent Tesla, NanoCore, and others. For example, Emotet uses highly obfuscated VBA macros to avoid detection.
The use of documents for malware has decreased as the top attack vector, following Microsoft’s move to disable macros by default in Microsoft Office files. Threat actors have already pivoted to other methods such as LNK, HTML, and archive email attachments.
Vulnerabilities such as SpoolFool, Follina and DirtyPipe highlighted the exploitability of both Windows and Linux systems despite efforts to enhance their security.
The number of exploited in-the-wild vulnerabilities spikes every 3-4 months. The next spike is expected to occur by the end of the year.
Threat actor groups are extending data exfiltration attacks to demand ransoms from third-party companies if the leaked data contains their sensitive information.
The report also makes three predictions:
More inside jobs. Malicious threat actors look for the weakest link, which is often in the supply chain. Groups like Lapsus$ do not rely on exploits but instead look for insiders who are willing to sell access to data within their organisation.
Rise of protestware. Look for a spike in protestware, which is self-sabotaging one’s software and weaponising it with malware capabilities in an effort to harm all or some of its users. The war between Russia and Ukraine has caused a surge in protestware.
End of year attacks. While no major vulnerability in 2022 has emerged similar to the Log4J or the Exchange cases in 2021, there is an increase year-over-year in the number of publicly assigned CVEs for reported vulnerabilities. For now, threat actors are still exploiting old vulnerabilities during 2022 simply because there is a plethora of unpatched systems for 2021 CVEs but that will change.
Organisations are warned to be on their guard. 2022 has been another record year for cyber criminals and ransomware gangs. It’s no secret that these threat actors are constantly upping their game with new and improved tactics designed to evade traditional cyber defences. Defenders must continue to be vigilant and find new approaches to prevent these attacks from happening.
Ransomware: Not Enough Victims Are Reporting Attacks, And That's a Problem for Everyone
Ransomware continues to be a significant cyber threat to businesses and the general public – but it's difficult to know the true impact of attacks because many victims aren't coming forward to report them.
The warning comes in the National Cyber Security Centre (NCSC) Annual Review for 2022, which looks back at key developments and incidents in cyber crime over the last year, with ransomware described as an "ever present" threat and a "major challenge" to businesses and public services.
That's demonstrated by how the review details how in the 12-month period between 1 September 2021 and 31 August 2022 there were 18 ransomware incidents that needed a "nationally coordinated" response. These included attacks on a supplier to the National Health Service (NHS) and a ransomware attack against South Staffordshire Water.
However, the true impact of ransomware remains unclear, because the NCSC says that many organisations that fall prey to ransomware attacks aren't disclosing them.
That lack of reporting is despite the significant and disruptive consequences ransomware attacks can have, not only for organisations that fall victim, but for wider society – which is why it's vital that cyber security is taken seriously and incidents are reported.
Hackers Selling Access to 576 Corporate Networks for $4 Million
A new report shows that hackers are selling access to 576 corporate networks worldwide for a total cumulative sales price of $4,000,000, fuelling attacks on the enterprise.
The research comes from Israeli cyber-intelligence firm KELA which published its Q3 2022 ransomware report, reflecting stable activity in the sector of initial access sales but a steep rise in the value of the offerings.
Although the number of sales for network access remained about the same as in the previous two quarters, the cumulative requested price has now reached $4,000,000. For comparison, the total value of initial access listings in Q2 2022 was $660,000, recording a drop in value that coincided with the summer ransomware hiatus that hurt demand.
Initial access brokers (IABs) are hackers who sell access to corporate networks, usually achieved through credential theft, webshells, or exploiting vulnerabilities in publicly exposed hardware. After establishing a foothold on the network, the threat actors sell this corporate access to other hackers who use it to steal valuable data, deploy ransomware, or conduct other malicious activity. The reasons IABs choose not to leverage network access vary, ranging from lacking diverse intrusion skills to preferring not to risk increased legal trouble.
IABs still play a crucial role in the ransomware infection chain, even if they got sidelined last year when big ransomware gangs that operated as crime syndicates operated their own IAB departments.
Cyber Security Recovery is a Process That Starts Long Before a Cyber Attack Occurs
Organisations are racing to stay ahead of cyber criminals, and as a result, we see businesses investing a lot of money on identifying and detecting attacks, on preventing attacks in the first place, and in responding to live attacks. But they are not spending the same amounts on attack recovery. They may have followed all the relevant guidelines, and even implemented the ISO 27000 standard, but none of that helps them to understand how to build the business back after a serious cyber attack.
Until recent years, this cyber security recovery investment would be spent on an annual tabletop exercise or disaster recovery test and auditing recovery plans. While this should be done, it isn’t enough on its own.
Cyber security insurance is also critical, of course, but it only covers some of the losses. It won’t cover future loss. The reality is most organisations find it very difficult to fully recover from an attack. Those that invest more in disaster recovery and business continuity recover from these attacks far more swiftly than their less-prepared competitors.
The four core components of an effective cyber security recovery program
Pre-emptive action
Responsibilities and accountability
Having the right IT architecture, security and recovery process in place
Learning lessons and implementing changes.
Once these factors are understood, and any weak spots identified, the organisation can focus on re-designing or updating architecture and procedures, and on retraining employees (something that should happen regularly).
Recovery is a process that starts long before a cyber attack occurs. It concludes not when the data is secured, but when the organisation can say that it’s learned everything it can from the event and has made the changes necessary to avoid it happening again.
https://www.helpnetsecurity.com/2022/11/03/cybersecurity-recovery/
Geopolitics Plays Major Role in Cyber Attacks, Says EU Cyber Security Agency
The ongoing Russia-Ukraine conflict has resulted in an increase in hacktivist activity in the past year, with state-sponsored threat actors targeting 128 governmental organisations in 42 countries that support Ukraine, according to the European Union Agency for Cybersecurity (ENISA).
In addition, some threat actors targeted Ukrainian and Russian entities during the early days of the conflict, likely for the collection of intelligence, according to the 10th edition of the ENISA threat landscape report. The report, this year titled Volatile Geopolitics Shake the Trends of the 2022 Cybersecurity Threat Landscape, notes that in general geopolitical situations continue to have a high impact on cyber security.
This year's report identified several attack types frequently used by state-sponsored attackers. These include zero-day and critical vulnerability exploitation; attacks on operational technology (OT) networks; wiper attacks to destroy and disrupt networks of governmental agencies and critical infrastructure entities; and supply chain attacks. Attacks also featured social engineering, disinformation, and threats against data.
State-sponsored threat actors have also been observed targeting entities from countries in Southeast Asia, Japan, Australia, and Taiwan. Due to increased tensions between specific countries in Asia, state-sponsored threat actors have targeted countries (including EU member states) that had established closer ties with Taiwan.
Ransomware remains the top cyber crime attack type this year as well. More than 10 terabytes of data were stolen monthly during the period studied, with phishing identified as the most common initial vector of such attacks. The report also noted that 60% of affected organisations likely have paid the ransom demanded.
The second most used form of attack was DDoS. The largest DDoS attack ever was launched in Europe in July 2022 against a European customer of Akamai. The attack hit a peak at 853.7Gbps and 659.6Mpps (megapackets per second) over 14 hours.
While all sectors fell victim to attacks, public administration and government entities were the most affected, making up 24% of all cyber attack victims. This was followed by digital service providers at 13% and the general public at 12%. These three sectors alone accounted for 50% of all the attacks during this year.
Russian Hackers Account for Most 2021 Ransomware Schemes, US Says
Payment-seeking software made by Russian hackers was used in three quarters of all the ransomware schemes reported to a US financial crime agency in the second half of 2021, a Treasury Department analysis released on Tuesday showed.
In an analysis issued in response to the increase in number and severity of ransomware attacks against critical infrastructure in the United States since late 2020, the US Financial Crimes Enforcement Network (FinCEN) said it had received 1,489 ransomware-related filings worth nearly $1.2 billion in 2021, a 188% jump from the year before.
Out of 793 ransomware incidents reported to FinCEN in the second half of 2021, 75% "had a nexus to Russia, its proxies, or persons acting on its behalf," the report said.
Washington last week hosted a meeting with officials from 36 countries and the European Union, as well as 13 global companies to address the growing threat of ransomware and other cyber crime, including the illicit use of cryptocurrencies.
Exposed: The Global Hacking Network That Targets VIPs
Private investigators linked to the City of London are using an India-based computer hacking gang to target British businesses, government officials and journalists.
The Sunday Times and the Bureau of Investigative Journalism have been given access to the gang’s database, which reveals the extraordinary scale of the attacks. It shows the criminals targeted the private email accounts of more than 100 victims on behalf of investigators working for autocratic states, British lawyers and their wealthy clients. Critics of Qatar who threatened to expose wrongdoing by the Gulf state in the run-up to this month’s World Cup were among those hacked.
It is the first time the inner workings of a major “hack-for-hire” gang have been leaked to the media and it reveals multiple criminal conspiracies. Some of the hackers’ clients are private investigators used by major law firms with bases in the City of London.
The investigation — based on the leaked documents and undercover work in India — reveals:
Orders went out to the gang to target the BBC’s political editor Chris Mason in May, three weeks after his appointment was announced.
The president of Switzerland and his deputy were targeted just days after he met Boris Johnson and Liz Truss in Downing Street to discuss Russian sanctions.
Philip Hammond, then chancellor, was hacked as he was dealing with the fallout of Russia’s novichok poisonings in Salisbury.
A private investigator hired by a London law firm acting for the Russian state ordered the gang to target a British-based oligarch fleeing President Putin.
Michel Platini, the former head of European football, was hacked shortly before he was due to talk to French police about corruption allegations relating to this year’s World Cup.
The hackers broke into the email inboxes of the Formula One motor racing bosses Ruth Buscombe, the British head of race strategy at the Alfa Romeo team, and Otmar Szafnauer, who was chief executive of the Aston Martin team.
The gang seized control of computers owned by Pakistan’s politicians, generals and diplomats and eavesdropped on their private conversations apparently at the behest of the Indian secret services.
The commissioning of hacking is a criminal offence punishable with a maximum sentence of ten years in jail in Britain. The Metropolitan Police was tipped off about the allegations regarding Qatar in October last year, yet chose not to take any action. David Davis, the former cabinet minister, said that the force should reopen its investigation into the cyber attacks against British citizens. Davis said the investigation exposed how London has become “the global centre of hacking”.
https://www.thetimes.co.uk/article/exposed-the-global-hacking-network-that-targets-vips-nff67j67z
Threats
Ransomware and Extortion
International Counter Ransomware Initiative 2022 Joint Statement | The White House
Oreo Giant Mondelez Settles NotPetya 'Act of War' Insurance Suit (darkreading.com)
Extortion fears after hacker stole patient files from Dutch mental health clinics (bitdefender.com)
Ransomware activity and network access sales in Q3 2022 - Security Affairs
Ransomware costs top $1 billion as White House inks new threat-sharing initiative - CyberScoop
FIN7 Cyber crime Group Likely Behind Black Basta Ransomware Campaign (darkreading.com)
Yanluowang ransomware gang goes dark after leaks (techtarget.com)
LockBit 3.0 gang claims to have stolen data from Thales - Security Affairs
Ransomware cost US banks $1.2 billion last year • The Register
Australia sees rise in cyber crimes on back of 'destructive' ransomware, state actors | ZDNET
Australian Defence Department Impacted In Ransomware Attack (informationsecuritybuzz.com)
LockBit ransomware gang claims the hack of the Continental automotive group - Security Affairs
Cyber attack Strikes Global Copper Conglomerate (darkreading.com)
ALMA Observatory shuts down operations due to a cyber attack (bleepingcomputer.com)
Phishing & Email Based Attacks
Robin Banks phishing service returns to steal banking accounts (bleepingcomputer.com)
Attackers leverage Microsoft Dynamics 365 to phish users - Help Net Security
CISA Urges Organisations to Implement Phishing-Resistant MFA | SecurityWeek.Com
130 private Dropbox GitHub repos copied after phish attack • The Register
As Twitter brings on $8 fee, phishing emails target verified accounts (bleepingcomputer.com)
BEC – Business Email Compromise
New Crimson Kingsnake gang impersonates law firms in BEC attacks (bleepingcomputer.com)
Double-check those demand-payment emails from law firms • The Register
Malware
RomCom RAT malware campaign impersonates KeePass, SolarWinds NPM, Veeam (bleepingcomputer.com)
Emotet botnet starts blasting malware again after 4 month break (bleepingcomputer.com)
Drinik banking malware returns: Things you can do to keep your data safe | Mint (livemint.com)
Hacking group abuses antivirus software to launch LODEINFO malware (bleepingcomputer.com)
This stealthy hacking campaign uses a new trick to deliver its malware | ZDNET
Cranefly threat group uses innocent-looking info-stealer • The Register
250+ US news sites spotted spreading FakeUpdates malware in a supply-chain attack - Security Affairs
New Azov data wiper tries to frame researchers and BleepingComputer
Dozens of PyPI packages caught dropping 'W4SP' info-stealing malware (bleepingcomputer.com)
Mobile
US govt employees exposed to mobile attacks from outdated Android, iOS (bleepingcomputer.com)
Cyber-Threat Actor Uses Booby-Trapped VPN App to Deploy Android Spyware (darkreading.com)
Malicious dropper apps on Play Store totaled 30.000+ installations - Security Affairs
New SandStrike spyware infects Android devices via malicious VPN app (bleepingcomputer.com)
Internet of Things – IoT
IoT devices can undermine your security. Here are four ways to boost your defences | ZDNET
Understanding The Importance Of Cyber Resilience In Smart Buildings - IT Security Guru
Data Breaches/Leaks
Royal Mail customer data leak shutters online Click and Drop • The Register
Vodafone Italy discloses data breach after reseller hacked (bleepingcomputer.com)
LockBit 3.0 gang claims to have stolen data from Thales - Security Affairs
Dropbox discloses breach after hacker stole 130 GitHub repositories (bleepingcomputer.com)
Experian tool exposed partial Social Security numbers, putting customers at risk - CyberScoop
Label Giant Multi-Color Corporation Discloses Data Breach | SecurityWeek.Com
Bed Bath & Beyond Discloses Data Breach to SEC (darkreading.com)
Organised Crime & Criminal Actors
Four-year cyber crime campaign targeting African banks netted $30 million - CyberScoop
French-speaking crooks stole $30m in bank cyber-heist spree • The Register
Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain
Fraud, Scams & Financial Crime
Fraudulent Instruction Losses Spike in 2022 - Infosecurity Magazine (infosecurity-magazine.com)
Former Apple worker pleads guilty to $17m fraud charges • The Register
Insurance
Dark Web
Supply Chain and Third Parties
NCSC issues fresh guidance following recent rise in supply chain cyber attacks – Intelligent CISO
Hundreds of US news sites push malware in supply-chain attack (bleepingcomputer.com)
Software Supply Chain
You can up software supply chain security by implementing these measures - Help Net Security
W4SP Stealer Stings Python Developers in Supply Chain Attack (darkreading.com)
Denial of Service DoS/DDoS
FBI: Hacktivist DDoS attacks had minor impact on critical orgs (bleepingcomputer.com)
DDoS Attacks are Upgrading 70% with The Help of CLDAP (analyticsinsight.net)
Cloud/SaaS
Why Identity & Access Management Governance is a Core Part of Your SaaS Security (thehackernews.com)
Top 4 priorities for cloud data protection - Help Net Security
Zscaler's Cloud-Based Cyber security Outages Showcase Redundancy Problem (darkreading.com)
API
Open Source
Passwords, Credential Stuffing & Brute Force Attacks
Social Media
Training, Education and Awareness
Travel
Regulations, Fines and Legislation
ICO Slashes Government Data Breach Fine - Infosecurity Magazine (infosecurity-magazine.com)
SolarWinds reaches $26m settlement, expects SEC action • The Register
How to Prepare for New SEC Cyber security Disclosure Requirements | SecurityWeek.Com
Careers, Working in Cyber and Information Security
How Microsoft works to grow the next generation of cyber defenders - Microsoft Security Blog
Economic Uncertainty Isn't Stopping Cyber crime Recruitment — It's Fueling It (darkreading.com)
How to Narrow the Talent Gap in Cyber security (darkreading.com)
Is there a problem with stress and burnout in cyber security? - IT Security Guru
Law Enforcement Action and Take Downs
Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine
Will cyber saber-rattling drive us to destruction? - Help Net Security
No.10 WhatsApp Use Is Critical Danger To Security (informationsecuritybuzz.com)
Oreo Giant Mondelez Settles NotPetya 'Act of War' Insurance Suit (darkreading.com)
Cyber Threat Actor Uses Booby-Trapped VPN App to Deploy Android Spyware (darkreading.com)
New SandStrike spyware infects Android devices via malicious VPN app (bleepingcomputer.com)
Russian missile strikes overshadow cyber attacks as Ukraine reels from blackouts | CNN Politics
Nation State Actors
Nation State Actors – Russia
Liz Truss 's phone was allegedly hacked by Russian spies - Security Affairs
MPs 'constantly' warned their phones are national security risk (telegraph.co.uk)
US Treasury thwarted attack by Russian hacker group last month-official | Reuters
Russia tries to impose switch to Linux from Windows (freethink.com)
Nation State Actors – China
China-Backed APT10 Supercharges Spy Game With Custom Fileless Backdoor (darkreading.com)
Chinese Hackers Using New Stealthy Infection Chain to Deploy LODEINFO Malware (thehackernews.com)
Nation State Actors – Misc
Vulnerabilities
Critical ConnectWise Vulnerability Affects Thousands of Internet-Exposed Servers | SecurityWeek.Com
Fortinet fixed 16 vulnerabilities, 6 rated as high severity - Security Affairs
Cisco Patches High-Severity Bugs in Email, Identity, Web Security Products | SecurityWeek.Com
You Need to Update Google Chrome, Windows, and Zoom Right Now | WIRED UK
The Sky Is Not Falling: Disclosed OpenSSL Bugs Are Serious but Not Critical (darkreading.com)
Splunk Patches 9 High-Severity Vulnerabilities in Enterprise Product | SecurityWeek.Com
OpenSSL downgrades horror bug after week of speculation • The Register
Follina Exploit Leads to Domain Compromise (thedfirreport.com)
Patch Now: Dangerous RCE Bug Lays Open ConnectWise Server Backup Managers (darkreading.com)
Other News
Meet fundamental cyber security needs before aiming for more - Help Net Security
NCSC Issued 34 Million Cyber Alerts in Past Year - Infosecurity Magazine (infosecurity-magazine.com)
Multi-factor authentication fatigue can blow open security • The Register
WiFi security flaw lets a drone track devices through walls | Engadget
Build Security Around Users: A Human-First Approach to Cyber Resilience (darkreading.com)
The Role of Ethical Hacking in Cyber security (bolton.ac.uk)
Top 10 Ethical Hacking Trends and Predictions for 2023 (analyticsinsight.net)
British govt is scanning all Internet devices hosted in UK (bleepingcomputer.com)
Red Cross Eyes Digital Emblem for Cyber space Protection | SecurityWeek.Com
Security hygiene and posture management requires new tools (techtarget.com)
Offense Gets the Glory, but Defence Wins the Game | SecurityWeek.Com
The 7 Core Pillars of a Zero-Trust Architecture (techtarget.com)
Sector Specific
Industry specific threat intelligence reports are available.
Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.
· Automotive
· Construction
· Critical National Infrastructure (CNI)
· Defence & Space
· Education & Academia
· Energy & Utilities
· Estate Agencies
· Financial Services
· FinTech
· Food & Agriculture
· Gaming & Gambling
· Government & Public Sector (including Law Enforcement)
· Health/Medical/Pharma
· Hotels & Hospitality
· Insurance
· Legal
· Manufacturing
· Maritime
· Oil, Gas & Mining
· OT, ICS, IIoT, SCADA & Cyber-Physical Systems
· Retail & eCommerce
· Small and Medium Sized Businesses (SMBs)
· Startups
· Telecoms
· Third Sector & Charities
· Transport & Aviation
· Web3
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Threat Briefing 21 October 2022
Black Arrow Cyber Threat Briefing 21 October 2022:
-Gen Z, Millennials Really Doesn't Care About Workplace Cyber Security
-Supply Chain Attacks Increased Over 600% This Year and Companies Are Falling Behind
-Cyber-Enabled Crimes Are Biggest Police Concerns
-List of Common Passwords Accounts for Nearly All Cyber Attacks
-Shared Responsibility or Shared Fate? Decentralized IT Means We Are All Cyber Defenders
-Ukraine War Cuts Ransomware as Kremlin Co-Opts Hackers
-96% Of Companies Report Insufficient Security for Sensitive Cloud Data
-Your Microsoft Exchange Server Is a Security Liability
-Are Cyber Security Vendors Pushing Snake Oil?
-Ransomware Preparedness, What Are You Doing Wrong?
-NSA Cybersecurity Director's Six Takeaways from the War in Ukraine
-Microsoft Confirms Server Misconfiguration Led to 65,000+ Companies' Data Leak
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
Gen Z, Millennials Really Don’t Care About Workplace Cyber Security
When it comes to cyber security in the workplace, younger employees don’t really seem to care that much, which is putting their organisations in serious harm’s way, new research has claimed.
Surveying approximately 1,000 workers using devices issued by their employers, professional services firm EY found Gen Z enterprise employees were more apathetic about cyber security than their Boomer counterparts in adhering to their employer's safety policies.
This is despite the fact that four in five (83%) of all those surveyed claimed to understand their employer’s security protocol.
When it comes to implementing mandatory IT updates, for example, 58% of Gen Z’ers and 42% of millennials would disregard them for as long as possible. Less than a third (31%) of Gen X’ers, and just 15% of baby boomers said they do the same.
Apathy in the young extends to password reuse between private and business accounts. A third of Gen Z and millennial workers surveyed admitted to this, compared to less than a quarter of all Gen X’ers and baby boomers.
Some say the apathy of young people towards technology is down to their over-familiarity with technology, and never having been without it. Being too comfortable with tech undoubtedly makes an enterprise's younger employees a major target for cyber criminals looking to exploit any hole in security.
If an organisation's cyber security practices aren't upheld strongly, threat actors can compromise huge networks with simple social engineering attacks.
https://www.techradar.com/news/younger-workers-dont-care-about-workplace-cybersecurity
Supply Chain Attacks Increased Over 600% This Year and Companies Are Falling Behind
The number of documented supply chain attacks involving malicious third-party components has increased 633% over the past year, now sitting at over 88,000 known instances, according to a new report from software supply chain management company Sonatype. Meanwhile, instances of transitive vulnerabilities that software components inherit from their own dependencies have also reached unprecedented levels and plague two-thirds of open-source libraries.
“The networked nature of dependencies highlights the importance of having visibility and awareness about these complex supply chains” Sonatype said in its newly released State of the Software Supply Chain report. “These dependencies impact our software, so having an understanding of their origins is critical to vulnerability response. Many organisations did not have the needed visibility and continued their incident response procedures for Log4Shell well beyond the summer of 2022 as a result.”
Log4Shell is a critical vulnerability discovered in November 2021 in Log4j, a widely popular open-source Java library used for logging and bundled in millions of enterprise applications and software products, often as an indirect dependency. According to Sonatype’s monitoring, as of August 2022, the adoption rate for fixed versions of Log4j sits at around 65%. Moreover, this doesn’t even account for the fact that the Log4Shell vulnerability originated in a Java class called JndiManager that is part of Log4j-core, but which has also been borrowed by 783 other projects and is now found in over 19,000 software components.
Log4Shell served as a watershed moment, highlighting the inherent risks that exist in the open-source software ecosystem – which sits at the core of modern software development – and the need to manage them properly. It also led to several initiatives to secure the software supply chain by private organisations, software repository managers, the Linux Foundation, and government bodies. Yet, most organisations are far from where they need to be in terms of open-source supply chain management.
Cyber-Enabled Crimes Are Biggest Police Concerns
Cyber-related crimes such as money laundering, ransomware and phishing pose the biggest threat to society, according to the first ever Interpol Global Crime Trend report.
The inaugural study was compiled from data received from the policing organisation’s 195 member countries, as well as information and analysis from external sources.
Money laundering was ranked the number one threat, with 67% of respondents claiming it to be a “high” or “very high” risk. Ransomware came second (66%) but was the crime type that most (72%) expected to increase in the next 3–5 years.
Of the nine top crime trends identified in the report, six are directly cyber-enabled, including money laundering, ransomware, phishing, financial fraud, computer intrusion and child sexual exploitation.
Interpol warned that the pandemic had fomented new underground offerings like “financial crime-as-a-service,” including digital money laundering tools which help to lower the barrier to entry for criminal gangs. It also claimed that demand for online child sexual exploitation and abuse (OCSEA) content surged during the pandemic. Some 62% of respondents expect it to increase or significantly increase in the coming years.
The findings represent something of a turnaround from pre-pandemic times, when drug trafficking regularly topped the list of police concerns. Thanks to a surge in corporate digitalisation, home working and online shopping, there are now rich pickings to be had from targeting consumers and business users with cyber-scams and attacks, Interpol claimed.
https://www.infosecurity-magazine.com/news/cyberenabled-crimes-are-biggest/
List of Common Passwords Accounts for Nearly All Cyber Attacks
Half of a million passwords from the RockYou2021 list account for 99.997% of all credential attacks against a variety of honeypots, suggesting attackers are just taking the easy road.
Tens of millions of credential-based attacks targeting two common types of servers boiled down to a small fraction of the passwords that formed a list of leaked credentials, known as the RockYou2021 list.
Vulnerability management firm Rapid7, via its network of honeypots, recorded every attempt to compromise those servers over a 12-month period, finding that the attempted credential attacks resulted in 512,000 permutations. Almost all of those passwords (99.997%) are included in a common password list — the RockYou2021 file, which has 8.4 billion entries — suggesting that attackers, or the subset of threat actors attacking Rapid7's honeypots, are sticking to a common playbook.
The overlap in all the attacks also suggest attackers are taking the easy road, said Rapid7. "We know now, in a provable and demonstrable way, that nobody — 0% of attackers — is trying to be creative when it comes to unfocused, untargeted attacks across the Internet," they said. "Therefore, it's very easy to avoid this kind of opportunistic attack, and it takes very little effort to take this threat off the table entirely, with modern password managers and configuration controls."
Every year, security firms present research suggesting users are continuing to pick bad passwords. In 2019, an evaluation of passwords leaked to the Internet found that the top password was "123456," followed by "123456789" and "qwerty," and unfortunately things have not got much better since then.
https://www.darkreading.com/endpoint/a-common-password-list-accounts-for-nearly-all-cyberattacks
Shared Responsibility or Shared Fate? Decentralised IT Means We Are All Cyber Defenders
Does your organisation truly understand the shared responsibility model? Shared responsibility emerged from the early days of cloud computing as a way to delineate responsibilities between cloud providers and their customers, but often there's a gap between what shared responsibility means and how it is interpreted. With the decentralisation of IT, this gap is getting worse.
Applications, servers, and overall technology used to be under the purview and control of the IT department, yet with the shift to cloud, and specifically software-as-a-service (SaaS), this dynamic has changed. Whether it's the sales team bringing in a customer relationship management (CRM) system like Salesforce, or the HR department operating a human resources information system (HRIS) like Workday, there's a clear "expanding universe" of IT that no longer sits where it used to. Critical business workflows exist in separate business units far from IT and security and are managed as such. Our corporate IT footprints have become decentralised.
This is not some minor, temporary trend. With the ease and speed of adopting new SaaS applications and the desire to "lift and shift" code into cloud-based environments, this is the future. The future is decentralised.
The shift to business-owned and -operated applications puts security teams in a position where risk management is their responsibility; they are not even able to log into some of these critical systems. It's like asking your doctor to keep you healthy but not giving her access to your information or having regular check-ups. It doesn't work that way.
Beyond the challenging human skills gap, there's technical entropy and diversity everywhere, with different configuration settings, event logs, threat vectors, and data sensitivities. On the access side, there are different admins, users, integrations, and APIs. If you think managing security on Windows and Mac is a lot, try it across many huge applications.
With this reality, how can the security team be expected to combat a growing amount of decentralised business technology risk?
We must operate our technology with the understanding that shared responsibility is the vertical view between cloud provider and customer, but that enterprise-owned piece of shared responsibility is the burden of multiple teams horizontally across an organisation. Too often the mentality is us versus them, availability versus security, too busy to care about risk, too concerned with risk to understand "the business."
Ukraine War Cuts Ransomware as Kremlin Co-Opts Hackers
The Ukraine war has helped reduce global ransomware attacks by 10pc in the last few months, a British cyber security company has said.
Criminal hacking gangs, usually engaged in corporate ransomware activities, are increasingly being co-opted by the Russian military to launch cyber attacks on Ukraine, according to Digital Shadows. “The war is likely to continue to motivate ransomware actors to target government and critical infrastructure entities,” according to the firm. Such attacks partly contributed to a 10pc drop in the number of ransomware threats launched during the three months to September, said the London-based company.
The drop in ransomware may also partly be caused by tit-for-tat digital attacks between rival hacking gangs. Researchers said the Lockbit gang, who recently targeted LSE-listed car retailer Pendragon with a $60m (£53.85m) ransom demand, were the target of attacks from their underworld rivals. The group is increasingly inviting resentment from competing threat groups and possibly former members.
Some cyber criminals’ servers went offline in September after what appeared to be an attack from competitors. In the world of cyber criminality, it is not uncommon for tensions to flare among rival groups.
Officials from GCHQ’s National Cyber Security Centre have said ransomware is one of the biggest cyber threats facing the UK. Figures published by the Department for Digital, Culture, Media and Sport this year revealed the average costs to businesses caused by ransomware attacks is around £19,000 per incident.
US-based cyber security company Palo Alto Networks, however, warned that the average ransom payment it saw in the early part of this year was $925,000 (£829,000).
https://www.telegraph.co.uk/business/2022/10/23/ukraine-war-cuts-ransomware-kremlin-co-opts-hackers/
96% Of Companies Report Insufficient Security for Sensitive Cloud Data
The vast majority of organisations lack confidence in securing their data in cloud, while many companies acknowledge they lack sufficient security even for their most sensitive data, according to a new report by the Cloud Security Alliance (CSA).
The CSA report surveyed 1,663 IT and security professionals from organisations of various sizes and in various locations. "Only 4% report sufficient security for 100% of their data in the cloud. This means that 96% of organisations have insufficient security for at least some of their sensitive data," according to the report, which was sponsored by data intelligence firm BigID.
Apart from struggling with securing sensitive data, organisations are also having trouble tracking data in the cloud. Over a quarter of organisations polled aren’t tracking regulated data, nearly a third aren’t tracking confidential or internal data, and 45% aren’t tracking unclassified data, the report said.
“This suggests that organisations’ current methods of classifying data aren’t sufficient for their needs. However, if the tracking is this low, it could be a contributing factor to the issue of dark data. Organisations need to utilise data discovery and classification tools to properly understand the data they have and how to protect it,” the CSA study noted.
Your Microsoft Exchange Server Is a Security Liability
With endless vulnerabilities, widespread hacking campaigns, slow and technically tough patching, it's time to say goodbye to on-premise Exchange.
Once, reasonable people who cared about security, privacy, and reliability ran their own email servers. Today, the vast majority host their personal email in the cloud, handing off that substantial burden to the capable security and engineering teams at companies like Google and Microsoft. Now, cyber security experts argue that a similar switch is due - or long overdue - for corporate and government networks. For enterprises that use on-premise Microsoft Exchange, still running their own email machine somewhere in a closet or data centre, the time has come to move to a cloud service, if only to avoid the years-long plague of bugs in Exchange servers that has made it nearly impossible to keep determined hackers out.
The latest reminder of that struggle arrived earlier this week, when Taiwanese security researcher Orange Tsai published a blog post laying out the details of a security vulnerability in Microsoft Exchange. Tsai warned Microsoft about this vulnerability as early as June of 2021, and while the company responded by releasing some partial fixes, it took Microsoft 14 months to fully resolve the underlying security problem. Tsai had earlier reported a related vulnerability in Exchange that was massively exploited by a group of Chinese state-sponsored hackers known as Hafnium, which last year penetrated more than 30,000 targets by some counts. Yet according to the timeline described in Tsai’s post this week, Microsoft repeatedly delayed fixing the newer variation of that same vulnerability, assuring Tsai no fewer than four times that it would patch the bug before pushing off a full patch for months longer. When Microsoft finally released a fix, Tsai wrote, it still required manual activation and lacked any documentation for four more months.
Meanwhile, another pair of actively exploited vulnerabilities in Exchange that were revealed last month still remain unpatched after researchers showed that Microsoft’s initial attempts to fix the flaws had failed. Those vulnerabilities were just the latest in a years-long pattern of security bugs in Exchange’s code. And even when Microsoft does release Exchange patches, they’re often not widely implemented, due to the time-consuming technical process of installing them.
The result of those compounding problems, for many who have watched the hacker-induced headaches of running an Exchange server pile up, is a clear message: An Exchange server is itself a security vulnerability, and the fix is to get rid of it.
“You need to move off of on-premise Exchange forever. That’s the bottom line,” says Dustin Childs, the head of threat awareness at security firm Trend Micro’s Zero Day Initiative (ZDI), which pays researchers for finding and reporting vulnerabilities in commonly used software and runs the Pwn2Own hacking competition. “You’re not getting the support, as far as security fixes, that you would expect from a really mission-critical component of your infrastructure.”
https://www.wired.com/story/microsoft-exchange-server-vulnerabilities/
Are Cyber Security Vendors Pushing Snake Oil?
Survey: 96 percent of cyber security decision makers confused by vendor marketing.
The availability of new security products increases, the amount of budget spent on cyber security grows, and the number of security breaches seems to outpace both. This basic lack of correlation between increasing cyber security spend and any clear increase in cyber security effectiveness is the subject of a new analytical survey from Egress.
With 52 million data breaches in Q2 2022 alone (Statista), Egress questioned 800 cyber security and IT leaders on why vendor claims and reality aren’t aligned. The headline response in the survey is that 91% of decision makers have difficulty in selecting cyber security vendors due to unclear marketing about their specific offerings.
The financial investment cycle doesn’t help in this. For many investors, the strength of the management team is more important than the product. The argument is not whether this product is a cyber security silver bullet, but whether this management can take the company to a point where it can exit with serious profits.
If investment is achieved, much of it will go into marketing. That marketing must compete against existing, established vendors – so it tends to be louder, more aggressive, and replete with hyperbole. Marketing noise can lead to increased valuation, which can lead to a successful and profitable exit by the investors.
Of course, this is an oversimplification and doesn’t always happen. The point, however, is that it does happen and has no relevance to the real effectiveness of the product in question. Without any doubt, there are many products that have been over-hyped by marketing funds provided by profit-driven investors.
https://www.securityweek.com/are-cybersecurity-vendors-pushing-snake-oil
Ransomware Preparedness: What Are You Doing Wrong?
Axio released its 2022 State of Ransomware Preparedness research report, revealing that although notable improvements have been made since Axio’s 2021 report, organisational ransomware preparedness continues to be insufficient to keep pace with new attack vectors.
The report reveals that the lack of fundamental cyber security practices and controls, including critical vulnerability patching and employee cyber security training, continues to undermine organisational attempts to improve ransomware defences.
“Ransomware continues to wreak havoc on global organisations, regardless of size or industry,” remarked the report’s co-author David White, President of Axio. “As the number of attacks will most likely continue on an exponential trajectory, it’s more important than ever for companies to re-evaluate their cyber security practices and make the needed improvements to help combat these attacks.”
The report identifies several emerging patterns that yield insights into why organisations are increasingly susceptible to ransomware attacks. In 2021, seven key areas where organisations were deficient in implementing and sustaining basic cyber security practices were identified, and these patterns dominated the 2022 study results as well:
Managing privileged access
Improving basic cyber hygiene
Reducing exposure to supply chain and third-party risk
Monitoring and defending networks
Managing ransomware incidents
Identifying and addressing vulnerabilities in a timely manner
Improving cyber security training and awareness
Overall, most organisations surveyed are not adequately prepared to manage the risk associated with a ransomware attack. Key data findings include:
The number of organisations with a functional privileged access management solution in place increased by 10% but remains low at 33% overall.
Limitations on the use of service and local administrator accounts remain average overall, with nearly 50% of organisations reporting implementing these practices.
Approximately 40% of organisations monitor third-party network access, evaluate third-party cyber security posture, and limit the use of third-party software.
Less than 50% of respondents implement basic network segmentation and only 40% monitor for anomalous connections.
Critical vulnerability patching within 24 hours was reported by only 24% of organisations.
A ransomware-specific playbook for incident management is in place for only 30% of organisations.
Active phishing training has improved but is still not practiced by 40% of organisations.
https://www.helpnetsecurity.com/2022/10/20/insufficient-ransomware-preparedness/
NSA Cybersecurity Director's Six Takeaways from the War in Ukraine
From the warning banner ‘Be afraid and expect the worst’ that was shown on several Ukrainian government websites on January 13, 2022, after a cyber-attack took them down, the US National Security Agency’s (NSA) cybersecurity director, Rob Joyce, knew that something was going to be different, and very aggressive, between Ukraine and Russia, and that it would be happening in the cyber space as well.
Ten months on, he was invited to speak at one of Mandiant Worldwide Information Security Exchange's (mWISE) opening keynotes on October 18, 2022. Joyce shared six takeaways from the Russia-Ukraine cyber-conflict in terms of what we learned from it and its impact on how nations should protect their organisations.
Both espionage and destructive attacks will occur in conflict
The cyber security industry has unique insight into these conflicts
Sensitive intelligence can make a decisive difference
You can develop resiliency skills
Don’t try to go it alone
You have not planned enough yet for the contingencies
Toward the end of the keynote, Joyce suggested the audience simulate a scenario based on what happened in Ukraine with the China-Taiwan conflict escalating and see what they should put in place to better prepare for such an event.
https://www.infosecurity-magazine.com/news/nsa-6-takeaways-war-ukraine/
Microsoft Confirms Server Misconfiguration Led to 65,000+ Companies' Data Leak
Microsoft this week confirmed that it inadvertently exposed information related to thousands of customers following a security lapse that left an endpoint publicly accessible over the internet sans any authentication.
"This misconfiguration resulted in the potential for unauthenticated access to some business transaction data corresponding to interactions between Microsoft and prospective customers, such as the planning or potential implementation and provisioning of Microsoft services," Microsoft said in an alert.
Microsoft also emphasised that the B2B leak was "caused by an unintentional misconfiguration on an endpoint that is not in use across the Microsoft ecosystem and was not the result of a security vulnerability."
The misconfiguration of the Azure Blob Storage was spotted on September 24, 2022, by cyber security company SOCRadar, which termed the leak BlueBleed. Microsoft said it's in the process of directly notifying impacted customers.
The Windows maker did not reveal the scale of the data leak, but according to SOCRadar, it affects more than 65,000 entities in 111 countries. The exposure amounts to 2.4 terabytes of data that consists of invoices, product orders, signed customer documents, partner ecosystem details, among others.
https://thehackernews.com/2022/10/microsoft-confirms-server.html
Threats
Ransomware and Extortion
Сryptocurrency and Ransomware — The Ultimate Friendship (thehackernews.com)
Venus Ransomware targets publicly exposed Remote Desktop services (bleepingcomputer.com)
Pendragon being held to $60m ransom by dark web hackers – Car Dealer Magazine
Magniber Ransomware Is Targeting Home PC (informationsecuritybuzz.com)
Hackers exploit critical VMware flaw to drop ransomware, miners (bleepingcomputer.com)
Ransomware Now Deployed as a Precursor to Physical War - MSSP Alert
TommyLeaks and SchoolBoys: Two sides of the same ransomware gang (bleepingcomputer.com)
With Conti gone, LockBit takes lead of the ransomware threat landscape | CSO Online
Tactics Tie Ransom Cartel Group to Defunct REvil Ransomware (darkreading.com)
Wholesale giant METRO hit by IT outage after cyber attack (bleepingcomputer.com)
The link between Ransom Cartel and REvil ransomware gangs - Security Affairs
How Vice Society Got Away With a Global Ransomware Spree | WIRED
Defenders beware: A case for post-ransomware investigations - Microsoft Security Blog
Ransomware crews regrouping as LockBit rise continues (computerweekly.com)
Ransom Cartel linked to notorious REvil ransomware operation (bleepingcomputer.com)
Hackney Council Ransomware Attack £12m+ Recovery - IT Security Guru
Microsoft Warns of Novel Ransomware Attacking Ukraine, Poland - MSSP Alert
Prestige ransomware hits victims of HermeticWiper • The Register
New ransomware targets transportation sectors in Ukraine, Poland | SC Media (scmagazine.com)
Japanese tech firm Oomiya hit by LockBit 3.0 - Security Affairs
Ransomware attack halts circulation of some German newspapers (bleepingcomputer.com)
Ransomware Insurance Security Requirement Strategies (trendmicro.com)
Australian insurance firm Medibank confirms ransomware attack (bleepingcomputer.com)
BlackByte ransomware uses new data theft tool for double-extortion (bleepingcomputer.com)
Phishing & Email Based Attacks
Phishing works so well crims won't use deepfakes: Sophos • The Register
Phishing Mitigation Can Cost Businesses More Than $1M Annually (darkreading.com)
Securing your organisation against phishing can cost up to $85 per email | CSO Online
How phishing campaigns abuse Google Ad click tracking redirects - Help Net Security
Other Social Engineering; Smishing, Vishing, etc
Malware
VMware bug with 9.8 severity rating exploited to install witch’s brew of malware | Ars Technica
Microsoft’s out-of-date driver list left Windows PCs open to malware attacks for years - The Verge
Ursnif malware switches from bank account theft to initial access (bleepingcomputer.com)
Experts spotted a new undetectable PowerShell Backdoor - Security Affairs
Typosquat campaign mimics 27 brands to push Windows, Android malware (bleepingcomputer.com)
Thousands of GitHub repositories deliver fake PoC exploits with malware (bleepingcomputer.com)
Hackers use new stealthy PowerShell backdoor to target 60+ victims (bleepingcomputer.com)
Hijacking of Popular Minecraft Launcher by Rogue Developer Raises Malware Fears - IGN
URSNIF (aka Gozi) banking trojan morphs into backdoor • The Register
What is a RAT (Remote Access Trojan)? | Definition from TechTarget
Mobile
Internet of Things – IoT
Riskiest IoT Devices - Cameras, VoIP And Video Conferencing (informationsecuritybuzz.com)
Securing IoT devices against attacks that target critical infrastructure - Microsoft Security Blog
74% say connected cars and EV chargers need cyber security ratings | Ars Technica
Data Breaches/Leaks
The companies most likely to lose your data - Help Net Security
Fines are not enough! Data breach victims want better security - Help Net Security
Medibank hack turned into a data breach: The attackers are demanding money - Help Net Security
Mormon Church Hit By Cyber attack, Personal Data Exposed (informationsecuritybuzz.com)
Keystone Health Data Breach Impacts 235,000 Patients | SecurityWeek.Com
Fashion brand SHEIN fined $1.9m for lying about data breach – Naked Security (sophos.com)
Client Data Exfiltrated In Advanced NHS cyber Attack (informationsecuritybuzz.com)
Australian Wine Dealer Suffers Data Breach, 500,000 Customers May Be (informationsecuritybuzz.com)
Advocate Aurora Health in potential 3 million patient leak • The Register
Organised Crime & Criminal Actors
Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain
Why Crypto Winter is No Excuse to Let Your Cyber Defences Falter (thehackernews.com)
North Korea’s Lazarus Group Attacks Japanese Crypto Firms - Decrypt
Coinbase users scammed out of $21M in crypto sue company for negligence | Ars Technica
SIM Swappers Sentenced to Prison for Hacking Accounts, Stealing Cryptocurrency | SecurityWeek.Com
Fraud, Scams & Financial Crime
Financial losses to synthetic identity-based fraud to double by 2024 | CSO Online
AI is Key to Tackling Money Mules and Disrupting Fraud: Industry Group | SecurityWeek.Com
Deepfakes
Deepfakes: What they are and how to spot them - Help Net Security
Phishing works so well crims won't use deepfakes: Sophos • The Register
Insurance
Supply Chain and Third Parties
Software Supply Chain
Software Supply Chain Attacks Soar 742% In Three Years (informationsecuritybuzz.com)
SBOMs: An Overhyped Concept That Won't Secure Your Software Supply Chain (darkreading.com)
Denial of Service DoS/DDoS
Cloud/SaaS
Microsoft Data-Exposure Incident Highlights Risk of Cloud Storage Misconfiguration (darkreading.com)
3 cloud security posture questions CISOs should answer (techtarget.com)
Attack Surface Management
Identity and Access Management
Encryption
API
Open Source
New security concerns for the open-source software supply chain - Help Net Security
Python vulnerability highlights open source security woes (techtarget.com)
3 Ways to Help Customers Defend Against Linux-Based Cyber attacks - MSSP Alert
OldGremlin hackers use Linux ransomware to attack Russian orgs (bleepingcomputer.com)
Passwords, Credential Stuffing & Brute Force Attacks
Most People Still Reuse Their Passwords Despite Years Of Hacking (informationsecuritybuzz.com)
Password Report: Honeypot Data Shows Bot Attack Trends Against RDP, SSH | SecurityWeek.Com
Eight RTX 4090s Can Break Passwords in Under an Hour | Tom's Hardware (tomshardware.com)
Training, Education and Awareness
Security Awareness Urged to Grow Beyond Compliance (darkreading.com)
Raising cyber security awareness is good for everyone - but it needs to be done better | ZDNET
Millennials, Gen Z blamed for poor company security • The Register
Privacy, Surveillance and Mass Monitoring
Regulations, Fines and Legislation
Fines are not enough! Data breach victims want better security - Help Net Security
Fashion brand SHEIN fined $1.9m for lying about data breach – Naked Security (sophos.com)
New York fines EyeMed $4.5 million for 2020 email hack, data breach | SC Media (scmagazine.com)
Health insurer pays out $4.5m over bungled data security • The Register
Law Enforcement Action and Take Downs
INTERPOL-led Operation Takes Down 'Black Axe' Cyber Crime Organisation (thehackernews.com)
Law enforcement arrested 31 suspects for stealing cars by hacking key fobs - Security Affairs
Interpol is setting up its own metaverse to learn how to police the virtual world | Euronews
Brazilian Police Nab Suspected Member of Lapsus$ Group (darkreading.com)
Interpol Report: "Financial Crime-as-a-Service" an Emerging Threat - MSSP Alert
Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine
Ransomware Now Deployed as a Precursor to Physical War - MSSP Alert
US, China, Russia, more meet at Singapore infosec event • The Register
NSA cyber chief says Ukraine war is compelling more intelligence sharing with industry - CyberScoop
China-Linked Cyber-Espionage Team Homes In on Hong Kong Government Orgs (darkreading.com)
Microsoft Warns of Novel Ransomware Attacking Ukraine, Poland - MSSP Alert
Hackers target Asian casinos in lengthy cyber espionage campaign (bleepingcomputer.com)
Prestige ransomware hits victims of HermeticWiper • The Register
Pro-Russia Hackers DDoS Bulgarian Government - Infosecurity Magazine (infosecurity-magazine.com)
Nation State Actors
Nation State Actors – Russia
Ukraine's cyber chief calls for global anti-fake news fight • The Register
German Cyber security Boss Sacked Over Kremlin Connection (darkreading.com)
New ransomware targets transportation sectors in Ukraine, Poland | SC Media (scmagazine.com)
Bulgaria hit by a cyber attack originating from Russia - Security Affairs
Nation State Actors – China
As China-Taiwan tensions mount, how's your cyber defence? • The Register
Chinese 'Spyder Loader' Malware Spotted Targeting Organisations in Hong Kong (thehackernews.com)
Hackers compromised Hong Kong govt agency network for a year (bleepingcomputer.com)
WIP19 Threat Group Cyber attacks Target IT Service Providers, Telcos - MSSP Alert
Nation State Actors – North Korea
Nation State Actors – Iran
Vulnerability Management
Vulnerabilities
45,654 VMware ESXi servers reached End of Life on Oct. 15 - Security Affairs
VMware bug with 9.8 severity rating exploited to install witch’s brew of malware | Ars Technica
Text message verification flaws in your Windows Active Directory (bleepingcomputer.com)
Apache Commons Vulnerability: Patch but Don't Panic (darkreading.com)
Zoom for Mac patches sneaky “spy-on-me” bug – update now! – Naked Security (sophos.com)
ProxyLogon researcher details new Exchange Server flaws (techtarget.com)
Exploited Windows zero-day lets JavaScript files bypass security warnings (bleepingcomputer.com)
Dozen High-Severity Vulnerabilities Patched in F5 Products | SecurityWeek.Com
Oracle Releases 370 New Security Patches With October 2022 CPU | SecurityWeek.Com
Palo Alto Networks fixed a high-severity flaw in PAN-OS - Security Affairs
Hackers exploit critical VMware flaw to drop ransomware, miners (bleepingcomputer.com)
Zimbra Patches Under-Attack Code Execution Bug | SecurityWeek.Com
WordPress Security Update 6.0.3 Patches 16 Vulnerabilities | SecurityWeek.Com
Python vulnerability highlights open source security woes (techtarget.com)
Other News
Zero trust is misused in security, say Cloudflare, Zscaler - Protocol
Cyber professional shortfall hits 3.4 million (computerweekly.com)
VPN use prevails despite interest in VPN alternatives (techtarget.com)
JP Morgan Bans Staff From Working Remotely In Hotels and Coffee Shops-But Not Airbnbs | Inc.com
Experts discovered millions of .git folders exposed to public - Security Affairs
Microsoft Defender is lacking in offline detection capabilities, says AV-Comparatives | TechSpot
Internet connectivity worldwide impacted by severed fiber cables in France (bleepingcomputer.com)
UK's Remote Shetland Mysteriously Lose Phone, Internet After Cable Cut (businessinsider.com)
CISOs, rejoice! Security spending is increasing - Help Net Security
Equifax surveilled 1,000 remote workers, fired 24 found juggling two jobs | Ars Technica
NATO Just Deployed Its First Killer Ground Robot (futurism.com)
Sector Specific
Industry specific threat intelligence reports are available.
Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.
· Automotive
· Construction
· Critical National Infrastructure (CNI)
· Defence & Space
· Education & Academia
· Energy & Utilities
· Estate Agencies
· Financial Services
· FinTech
· Food & Agriculture
· Gaming & Gambling
· Government & Public Sector (including Law Enforcement)
· Health/Medical/Pharma
· Hotels & Hospitality
· Insurance
· Legal
· Manufacturing
· Maritime
· Oil, Gas & Mining
· OT, ICS, IIoT, SCADA & Cyber-Physical Systems
· Retail & eCommerce
· Small and Medium Sized Businesses (SMBs)
· Startups
· Telecoms
· Third Sector & Charities
· Transport & Aviation
· Web3
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Threat Briefing 14 October 2022
Black Arrow Cyber Threat Briefing 14 October 2022:
-Ransomware Report: Most Organisations Unprepared for an Attack, Lack Incident Playbook, Research Finds
-LinkedIn Scams, Fake Instagram Accounts Hit Businesses, Execs
-Study Highlights Surge in Identity Theft and Phishing Attacks
-Increase in Cyber Liability Insurance Claims as Cyber Crime Skyrockets
-UK Government Urges Action to Enhance Supply Chain Security
-For Most Companies Ransomware Is the Scariest Of All Cyber Attacks
-EDR Is Not a Silver Bullet
-Attackers Use Automation to Speed from Exploit to Compromise
-Rising Premiums, More Restricted Cyber Insurance Coverage Poses Big Risk for Companies
-Why CISO Roles Require Business and Technology Savvy
-Wi-Fi Spy Drones Used to Snoop on Financial Firm
-Magniber Ransomware Attacking Individuals and Home Users
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
Ransomware Report: Most Organisations Unprepared for an Attack, Lack Incident Playbook, Research Finds
Some organisations have made significant improvements to their ransomware readiness profile in the last year, Axio said in a newly released report. However, a lack of fundamental cyber security practices and controls, inadequate vulnerability patching and employee training continues to leave ransomware defences lacking in potency.
Axio’s report reveals that only 30% of organisations have a ransomware-specific playbook for incident management in place. In 2021’s report Axio, maker of a cloud-based cyber management software platform, identified seven key areas emerged where organisations were deficient in implementing and sustaining basic cyber security practices.
The same patterns showed up in the 2022 report:
Managing privileged access.
Improving basic cyber hygiene.
Reducing exposure to supply chain and third-party risk.
Monitoring and defending networks.
Managing ransomware incidents.
Identifying and addressing vulnerabilities in a timely manner.
Improving cyber security training and awareness.
Overall, most organisations surveyed are not adequately prepared to manage the risk associated with a ransomware attack. Key data findings include:
The number of organisations with a functional privileged access management solution in place increased by 10% but remains low at 33% overall.
Limitations on the use of service and local administrator accounts remain average overall, with nearly 50% of organisations reporting implementing these practices.
Approximately 40% of organisations monitor third-party network access, evaluate third-party cyber security posture, and limit the use of third-party software.
Less than 50% of respondents implement basic network segmentation and only 40% monitor for anomalous connections.
Critical vulnerability patching within 24 hours was reported by only 24% of organisations.
Active phishing training has improved but is still not practiced by 40% of organisations.
LinkedIn Scams, Fake Instagram Accounts Hit Businesses, Execs
Business owners with public social media accounts are easy targets for scammers who lift information to create fake accounts. The arduous process for removing fraudulent accounts leaves victims frustrated and vulnerable to further data privacy issues. Victims say platform providers, particularly Facebook and Instagram, must improve their responses to reports of fraud.
Impersonation of a brand or executive contributed to more than 40% of all phishing and social media incidents in the second quarter, according to the Agari and Phish Labs Quarterly Threat Trends and Intelligence Report released in August. Q2 marks the second quarter that impersonation attacks have represented the majority of threats, despite a 6.1% decrease from Q1.
Executive impersonation has been on the rise over the past four quarters — representing more than 15% of attacks, according to the report — as impersonating a corporate figure or company on social media is simple and effective for threat actors.
Thom Singer, CEO for the Austin Technology Council and a public speaker, was recently impersonated on Instagram. A scammer created a fake Instagram account with his name and photos, creating a handle with an extra "r" at the end of Singer. That account appeared to amass over 2,300 followers – nearly as many as Singer's own account – lending to its appearance of authenticity.
He learned of the fake account from a contact who texted to ask if he'd reached out on Instagram, which wasn't a channel Singer typically uses to communicate. Singer reported the fraudulent account using the platform's report button and asked his followers to do the same.
"You can't reach anyone at these platforms, so it takes days to get a fake account removed," Singer said. "These social media sites have no liability, nothing to lose when fraud is happening. They need to up their game and have a better process to get [fraud] handled in a timely manner."
Study Highlights Surge in Identity Theft and Phishing Attacks
A new study from behavioural risk firm CybSafe and the National Cybersecurity Alliance (NCA) has been launched and it highlights an alarming surge in phishing and identity theft attacks.
The report, titled ‘Oh, Behave! The Annual Cybersecurity Attitudes and Behaviors report’, studied the opinions of 3,000 individuals across the US, the UK and Canada towards cyber security and revealed that nearly half (45%) of users are connected to the internet all the time, however, this has led to a surge in identity theft with almost 1 in 4 people being affected by the attack.
Furthermore, 1 in 3 (36%) respondents revealed they have lost money or data due to a phishing attack. Yet the study also revealed that 70% of respondents feel confident in their ability to identify a malicious email, but only 45% will confirm the authenticity of a suspicious email by reaching out to the apparent sender.
When it comes to implementing cyber security best practices, only 33% of respondents revealed they use a unique password for important online accounts, while only 16% utilise passwords of over 12 characters in length. Furthermore, only 18% of participants have downloaded a stand-alone password manager, while 43% of respondents have not even heard of multi-factor authentication.
Increase in Cyber Liability Insurance Claims as Cyber Crime Skyrockets
A cyber insurer, Acuity Insurance, is reporting an increased need for cyber liability insurance across both personal and business policyholders. From June 2021 to June 2022, the insurer saw cyber liability insurance claims on its commercial insurance policies increase by more than 50%. For personal policies, they saw more than a 90% increase in cyber claims being reported in 2021 compared with 2020.
Our lives, homes and businesses are more connected than ever before. Being connected leads to a greater risk of cyber attacks, which aren't covered under standard homeowners or business insurance policies.
The insurance experts caution that everyone is at risk — whether you are a small business owner or an individual — as cyber attacks continue to pose a serious financial threat. From 2019 to 2021, cyber attacks were up 50% from the previous year, according to recent research. Wire fraud and gift card scams are two of the most common types of cyber attacks impacting both businesses and individuals.
Scams involving social engineering are some of the easiest to fall for, as fraudsters exploit a person's trust to obtain money or personal information, which can then be used for unauthorised withdrawals of money. Cyber insurance can protect you from financial loss caused by wire transfer fraud, phishing attacks, cyber extortion, cyberbullying and more, Acuity reported.
While all cyber crimes have a financial impact, fraudulent wire transfers often come with greater losses. Banks are typically not responsible for funds lost as a result of a fraudulent wire transfer inadvertently authorised by the customer. Whether it's a wrongful money transfer by a business or an individual, cyber insurance can help mitigate some of the financial loss caused by these scams.
UK Government Urges Action to Enhance Supply Chain Security
The UK government has warned organisations to take steps to strengthen their supply chain security.
New National Cyber Security Centre (NCSC) guidance has been issued amid a significant increase in supply chain attacks in recent years, such as the SolarWinds incident in 2020. The NCSC cited official government data showing that just over one in 10 businesses review the risks posed by their immediate suppliers (13%), while the proportion covering the wider supply chain is just 7%.
Aimed at medium-to-large organisations, the document sets out practical steps to better assess cyber security across increasingly complex supply chains. This includes a description of typical supplier relationships and ways that organisations are exposed to vulnerabilities and cyber-attacks via the supply chain, and the expected outcomes and key steps needed to assess suppliers’ approaches to security.
The new guidance followed a government response to a call for views last year which highlighted the need for further advice. Supply chain attacks are a major cyber threat facing organisations and incidents can have a profound, long-lasting impact on businesses and customers. With incidents on the rise, it is vital organisations work with their suppliers to identify supply chain risks and ensure appropriate security measures are in place.
https://www.infosecurity-magazine.com/news/uk-government-supply-chain-security/
For Most Companies Ransomware Is the Scariest Of All Cyber Attacks
SonicWall released the 2022 SonicWall Threat Mindset Survey which found that 66% of customers are more concerned about cyber attacks in 2022, with the main threat being focused on financially motivated attacks like ransomware.
“No one is safe from cyber attacks — businesses or individuals,” said SonicWall Executive Chairman of the Board Bill Conner. “Today’s business landscape requires persistent digital trust to exist. Supply-chain attacks have dramatically changed the attack surface of the typical enterprise in the past few years, with more suppliers and service providers touching sensitive data than ever before.
“It’s likely we’ll see continued acceleration and evolution of ransomware tactics, as well as other advanced persistent threats (APTs), as cyber crime continues to scale the globe seeking both valuable and weak targets.”
Companies are not only losing millions of dollars to unending malware and ransomware strikes, but cyber attacks on essential infrastructure are impacting real-world services. Despite the growing concern of cyber attacks, organisations are struggling to keep pace with the fast-moving threat landscape as they orient their business, networks, data and employees against unwavering cyber attacks.
“The evolving cyber threat landscape has made us train our staff significantly more,” said Stafford Fields, IT Director, Cavett Turner & Wyble. “It’s made us spend more on cyber security. And what scares me is that an end-user can click on something and bring all our systems down — despite being well protected.”
https://www.helpnetsecurity.com/2022/10/12/customers-concerned-ransomware/
EDR Is Not a Silver Bullet
Old lore held that shooting a werewolf, vampire, or even just your average nasty villain with a silver bullet was a sure-fire takedown: one hit, no more bad guy.
As cyber security professionals, we understand – much like folks in the Old West knew – that there are no panaceas, no actual silver bullets. Yet humans gravitate towards simple solutions to complex challenges, and we are constantly (if unconsciously) seeking silver bullet technology.
Endpoint Detection and Response (EDR) tools have become Standard Operating Procedures for cyber security regimes. They are every CIO’s starting point, and there’s nothing wrong with this. In a recent study by Cymulate of over one million tests conducted by customers in 2021, the most popular testing vector was EDR.
Yet cyber security stakeholders should not assume that EDR is a silver bullet. The fact is that EDR’s efficacy and protective prowess as a standalone solution has been slowly diminished over the decade since the term was first coined by Gartner. Even as it became a mainstay of enterprise and SMB/SME security posture – attacks have skyrocketed in frequency, severity, and success. Today, EDR is facing some of its greatest challenges, including threats laser-targeting EDR systems like the highly-successful Grandoiero banking trojan.
While EDR should not be your only line of defence against advanced threats, including it in a defence solution array is paramount. It should be installed on all organisational servers – including Linux-based ones. Yet installation is not enough. Your organisation is at significant risk if the underlying OS and EDR are not both implemented and fine-tuned.
https://www.helpnetsecurity.com/2022/10/11/edr-is-not-a-silver-bullet/
Attackers Use Automation to Speed from Exploit to Compromise
A report from Laceworks examines the cloud security threat landscape over the past three months and unveils the new techniques and avenues cyber criminals are exploiting for profit at the expense of businesses. In this latest edition, the Lacework Labs team found a significantly more sophisticated attacker landscape, with an increase in attacks against core networking and virtualisation software, and an unprecedented increase in the speed of attacks following a compromise. Key trends and threats identified include:
Increased speed from exposure to compromise: Attackers are advancing to keep pace with cloud adoption and response time. Many classes of attacks are now fully automated to capitalise on timing. Additionally, one of the most common targets is credential leakage. In a specific example from the report, a leaked AWS access key was caught and flagged by AWS in record time. Despite the limited exposure, an unknown adversary was able to log in and launch tens of GPU EC2 instances, underscoring just how quickly attackers can take advantage of a single simple mistake.
Increased focus on infrastructure, specifically attacks against core networking and virtualisation software: Commonly deployed core networking and related infrastructure consistently remains a key target for adversaries. Core flaws in infrastructure often appear suddenly and are shared openly online, creating opportunities for attackers of all kinds to exploit these potential targets.
Continued Log4j reconnaissance and exploitation: Nearly a year after the initial exploit, the Lacework Labs team is still commonly observing vulnerable software targeted via OAST requests. Analysis of Project Discovery (interact.sh) activity revealed Cloudflare and DigitalOcean as the top originators.
Rising Premiums, More Restricted Cyber Insurance Coverage Poses Big Risk for Companies
Among the many consequences of the rising number of costly data breaches, ransomware, and other security attacks are pricier premiums for cyber security insurance. The rise in costs could put many organisations out of the running for this essential coverage, a risky proposition given the current threat landscape.
Cyber insurance is a type of specialty insurance that protects organisations against a variety of risks related to information security attacks such as ransomware and data breaches. Ordinarily, these types of risks aren’t included with traditional commercial general liability policies or are not specifically defined in these insurance plans.
Given the rise in attacks, the growing sophistication of these incidents and the potential financial impact, having cyber insurance coverage has become critical for many organisations. Premiums for these plans have been on the rise because of the increase in security-related losses and rising demand for coverage.
Cyber insurance premiums increased by an average of 28% in the first quarter of 2022 compared with the fourth quarter of 2021, according to the Council of Insurance Agents & Brokers (CIAB), an association for commercial insurance and employee benefits intermediaries.
Among the primary drivers for the continued price increases were a reduced carrier appetite for the risk and high demand for coverage, CIAB said. The high demand for cyber coverage is in part fueled by greater awareness among companies of the threat cyber risk poses for businesses of all sizes, it said.
https://www.cnbc.com/2022/10/11/companies-are-finding-it-harder-to-get-cyber-insurance-.html
Why CISO Roles Require Business and Technology Savvy
Listening and communicating to both the technical and business sides is critical to successfully leading IT teams and business leaders to the same end-goal.
Of all the crazy postings that advertise for CISO jobs, the one asking for a CISO to code in Python was probably the most outrageous example of the disconnect about a CISO’s role, says Joe Head, CISO search director at UK-based search firm, Intaso. This was a few years ago, and one can only guess that the role had been created by a technologist who didn’t care about or didn’t understand the business — or, inversely by a businessperson who didn’t understand enough about technology.
In either case, the disconnect is real. However, Head and other experts say that when it comes to achieving the true, executive role and reporting to the CEO and board, business skills rule. That doesn’t mean, however, that most CISOs know nothing about technology, because most still start out with technology backgrounds.
In the 2022 CISO survey by executive placement firm, Heidrick & Struggles, most CISOs come from a functional IT background that reflects the issues of the time. For example, in 2022 10% of CISOs came from software engineering backgrounds, which tracks with the White House directive to protect the software supply chain. The report notes that the majority of CISOs have experience in the financial services industry, which has a low risk tolerance and where more money is spent on security.
The survey also indicates that only a small core of CISOs (working primarily for the Fortune 500) rise to the executive level with the combination of business and technical responsibilities that come with the role. In it, more than two-thirds of CISOs responding to the survey worked for companies worth over $5 billion. So, instead of bashing a CISO’s lack of IT skills, the real need lies in developing business skills for the technologists coming up the ranks.
Wi-Fi Spy Drones Used to Snoop on Financial Firm
Modified off-the-shelf drones have been found carrying wireless network-intrusion kit in a very unlikely place.
The idea of using consumer-oriented drones for hacking has been explored over the past decade at security conferences like Black Hat 2016, in both the US and in Europe, but now these sort of attacks are actually taking place. A security researcher recently recounted an incident that occurred over the summer at a US East Coast financial firm focused on private investment.
The hacking incident was discovered when the financial firm spotted unusual activity on its internal Atlassian Confluence page that originated from within the company's network. The company's security team responded and found that the user whose MAC address was used to gain partial access to the company Wi-Fi network was also logged in at home several miles away. That is to say, the user was active off-site but someone within Wi-Fi range of the building was trying to wirelessly use that user's MAC address, which is a red flag. The team then took steps to trace the Wi-Fi signal and used a Fluke system to identify the Wi-Fi device.
This led the team to the roof, where two modified commercially available consumer drones series were discovered. One drone was in fine condition and had a modified Wi-Fi Pineapple device, used for network penetration testing. The second drone was carrying a case that contained a Raspberry Pi, several batteries, a GPD mini laptop, a 4G modem, and another Wi-Fi device. It had landed near the building's heating and ventilation system and appeared to be damaged but still operable.
During their investigation, they determined that the first drone had originally been used a few days prior to intercept a worker's credentials and Wi-Fi, and this data was then hard coded into the tools that were deployed on the second drone.
https://www.theregister.com/2022/10/12/drone-roof-attack/
Magniber Ransomware Attacking Individuals and Home Users
A recent analysis shows that Magniber ransomware has been targeting home users by masquerading as software updates.
Reports have shown a ransomware campaign isolated by HP Wolf Security in September 2022 saw Magniber ransomware spread. The malware is known as a single-client ransomware family that demands $2,500 from victims. Magniber was previously primarily spread through MSI and EXE files, but in September 2022 HP Wolf Security began seeing campaigns distributing the ransomware in JavaScript files.
HP Wolf Security reported that some malware families rely exclusively on JavaScript, but have done so for some time. Currently, analysts are also seeing more HTML smuggling, such as with Qakbot and IcedID. This technique also makes use of JavaScript to decode malicious content. The only difference is that the HTML file is executed in the context of the browser and therefore usually requires further user interaction.
Remarkably, HP Wolf Security said, the attackers used clever techniques to evade detection, such as running the ransomware in memory, bypassing User Account Control (UAC) in Windows, and bypassing detection techniques that monitor user-mode hooks by using syscalls instead of standard Windows API libraries.
It appears that with the UAC bypass, the malware deletes the infected system’s shadow copy files and disables backup and recovery features, preventing the victim from recovering their data using Windows tools.
Having recently described the ransomware campaign in a recent interview, HP Wolf noted that the infection chain starts with a web download from an attacker-controlled website.
Threats
Ransomware and Extortion
More and more ransomware is just data theft, no encryption • The Register
Magniber ransomware now infects Windows users via JavaScript files (bleepingcomputer.com)
Fake adult sites push data wipers disguised as ransomware (bleepingcomputer.com)
It was LockBit that forced NHS tech supplier to shut down • The Register
Ransomware posing as Windows antivirus update will just empty your wallet | TechRadar
Microsoft: New Prestige ransomware targets orgs in Ukraine, Poland (bleepingcomputer.com)
BlackByte ransomware uses new EDR evasion technique (techtarget.com)
Prevent Ransomware Attacks on Critical Infrastructure (trendmicro.com)
Microsoft Exchange servers hacked to deploy LockBit ransomware (bleepingcomputer.com)
Harvard Business Publishing licensee hit by ransomware - Security Affairs
LockBit affiliates compromise Microsoft Exchange servers to deploy ransomware - Security Affairs
Police tricks DeadBolt ransomware out of 155 decryption keys (bleepingcomputer.com)
Phishing & Email Based Attacks
Caffeine service lets anyone launch Microsoft 365 phishing attacks (bleepingcomputer.com)
A whole load of phishing emails make it past Microsoft Defender, researchers say | TechRadar
Google Forms abused in new COVID-19 phishing wave in the U.S. (bleepingcomputer.com)
US election workers hit with phishing, malware emails • The Register
Cyber criminals are having it easy with phishing-as-a-service - Help Net Security
Other Social Engineering; Smishing, Vishing, etc
Malware
How a Microsoft blunder opened millions of PCs to potent malware attacks | Ars Technica
Banks face their 'darkest hour' as crimeware powers up • The Register
Emotet Rises Again With More Sophistication, Evasion (darkreading.com)
QAKBOT Attacks Spike Amid Concerning Cyber Criminal Collaborations (darkreading.com)
Hackers behind IcedID malware attacks diversify delivery tactics (bleepingcomputer.com)
Eternity threat group’s LilithBot: A criminal multitool • The Register
Here's another excellent reason not to browse adult websites at work | TechRadar
Experts analysed the evolution of the Emotet supply chain - Security Affairs
Mobile
Modified WhatsApp App Caught Infecting Android Devices with Malware (thehackernews.com)
Meta uncovers 400 malicious apps on Android and iOS apps | SC Media (scmagazine.com)
‘Zero-Click’ Spyware Emerges as a Menacing Mobile Threat - Bloomberg
Mullvad: Android may leak information when connected to a VPN - gHacks Tech News
Android Security Updates Patch Critical Vulnerabilities | SecurityWeek.Com
Hackers Using Vishing to Trick Victims into Installing Android Banking Malware (thehackernews.com)
Mystery iPhone update patches against iOS 16 mail crash-attack – Naked Security (sophos.com)
Internet of Things – IoT
Data Breaches/Leaks
Client data exfiltrated in Advanced NHS cyber attack (digitalhealth.net)
Mormon Church data stolen in 'state-sponsored' cyber attack • The Register
2K Customer Data Stolen, Sold Online After Support Desk Scam (kotaku.com)
Toyota discloses data leak after access key exposed on GitHub (bleepingcomputer.com)
Fast Company says Executive Board member info was not stolen in attack (bleepingcomputer.com)
State Bar of Georgia Confirms Data Breach Following Ransomware Attack | SecurityWeek.Com
Singtel's second unit faces cyber attack weeks after Optus data breach | Reuters
Zoetop pays $1.9m to settle customer data theft case • The Register
CommonSpirit Health IT still suffering after cyber attack • The Register
Over 80,000 DJI drone IDs exposed in data leak: Report (dronedj.com)
High-Value Targets: String of Aussie Telco Breaches Continues (darkreading.com)
Data of 380K patients compromised in hack of 13 anesthesia practices | SC Media (scmagazine.com)
Australian police secret agents exposed in Colombian data leak (bleepingcomputer.com)
Toyota Reveals Data Leak of 300,000 Customers - Infosecurity Magazine (infosecurity-magazine.com)
Organised Crime & Criminal Actors
INTERPOL arrests ‘Black Axe’ cyber crime syndicate members (bleepingcomputer.com)
Caffeine Phishing-as-a-Service toolkit available in the underground - Security Affairs
Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain
North Korea's Crypto Hackers Are Paving the Road to Nuclear Armageddon - CNET
Fake Solana Phantom security updates push crypto-stealing malware (bleepingcomputer.com)
'Baby Al Capone' to pay $22m to SIM-swap crypto-heist victim • The Register
Fraud, Scams & Financial Crime
Alternative payment methods are creating new fraud risks - Help Net Security
Prison inmate charged with $11m fraud via cell phone • The Register
Mastercard moves to protect ‘risky and frisky’ transactions • The Register
Deepfakes
AML/CFT/Sanctions
Insurance
Dark Web
Software Supply Chain
Denial of Service DoS/DDoS
US airports' sites taken down in DDoS attacks by pro-Russian hackers (bleepingcomputer.com)
Russian DDoS attack project pays contributors for more firepower (bleepingcomputer.com)
Cloud/SaaS
Encryption
Microsoft Office 365 uses insecure block ciphers • The Register
Microsoft Office 365 email encryption could expose message content (bleepingcomputer.com)
Passwords, Credential Stuffing & Brute Force Attacks
Social Media
Training, Education and Awareness
Parental Controls and Child Safety
Cyber Bullying and Cyber Stalking
Regulations, Fines and Legislation
Backup and Recovery
Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine
Vladimir Putin’s hybrid war has begun and the West must be ready | Evening Standard
Internet outages hit Ukraine following Russian missile strikes (bitdefender.com)
Seven 'Creepy' Backdoors Used by Lebanese Cyberspy Group in Israel Attacks | SecurityWeek.Com
Researchers Uncover Custom Backdoors and Spying Tools Used by Polonium Hackers (thehackernews.com)
We must tackle Europe’s winter cyber threats head-on – POLITICO
Researchers Detail Malicious Tools Used by Cyber Espionage Group Earth Aughisky (thehackernews.com)
‘Zero-Click’ Spyware Emerges as a Menacing Mobile Threat - Bloomberg
SpaceX’s Starlink terminals in Ukraine back online after outages | Financial Times
Nation State Actors
Nation State Actors – Russia
German Cyber security Chief Accused of Russian Contact Faces Sacking - IT Security Guru
Russian DDoS attack project pays contributors for more firepower (bleepingcomputer.com)
Extreme Networks admits sales to banned Russian arms maker • The Register
Nation State Actors – China
UK Spy Chief to Warn of 'Huge' China Tech Threat | SecurityWeek.Com
China’s attack motivations, tactics, and how CISOs can mitigate threats | CSO Online
China will manipulate new tech for global influence, warns GCHQ boss | Metro News
UK telcos legally required to remove Huawei equipment • The Register
Chinese-linked hackers targeted U.S. state legislature, researchers say - CyberScoop
New Chinese Malware Attack Framework Targets Windows, macOS, and Linux Systems (thehackernews.com)
UK to designate China a ‘threat’ in hawkish foreign policy shift | Foreign policy | The Guardian
WIP19, a new Chinese APT targets IT Service Providers and Telcos - Security Affairs
China-linked Budworm APT returns to target a US entity - Security Affairs
We must tackle China’s satellite-busting technology, says GCHQ chief | News | The Times
GCHQ boss: China could use Digital Yuan to swerve sanctions • The Register
Young people using TikTok is no problem, GCHQ chief says | TikTok | The Guardian
Nation State Actors – North Korea
Nation State Actors – Misc
Vulnerability Management
Vulnerabilities
Concerns Over Fortinet Flaw Mount; PoC Released, Exploit Activity Grows (darkreading.com)
Microsoft October 2022 Patch Tuesday fixes zero-day used in attacks, 84 flaws (bleepingcomputer.com)
Microsoft Addresses Zero-Days, but Exchange Server Exploit Chain Remains Unpatched (darkreading.com)
Auth bypass bug in FortiOS, FortiProxy is exploited in the wild (CVE-2022-40684) - Help Net Security
Chrome 106 Update Patches Several High-Severity Vulnerabilities | SecurityWeek.Com
Researchers Detail Windows Zero-Day Vulnerability Patched Last Month (thehackernews.com)
Almost 900 servers hacked using Zimbra zero-day flaw (bleepingcomputer.com)
Patch Tuesday: Critical Flaws in ColdFusion, Adobe Commerce | SecurityWeek.Com
Aruba fixes critical RCE and auth bypass flaws in EdgeConnect (bleepingcomputer.com)
WordPress Vulnerability In Shortcodes Ultimate Impacts 700,000 Sites (searchenginejournal.com)
Critical Open Source vm2 Sandbox Escape Bug Affects Millions (darkreading.com)
VMware vCenter Server bug disclosed last year still not patched (bleepingcomputer.com)
Other News
Board members should make CISOs their strategic partners - Help Net Security
5 Attack Elements Every Organisations Should Be Monitoring (darkreading.com)
Ukraine’s Starlink problems show the dangers of digital dependency | Financial Times (ft.com)
Here's 5 of the world's riskiest connected devices - Help Net Security
Older, Stored Data Is Cyber Security Risk, Report Warns - MSSP Alert
What the Uber Breach Verdict Means for CISOs in the US (darkreading.com)
Increasing network visibility is critical to improving security posture - Help Net Security
What the Uber Hack can teach us about navigating IT Security (bleepingcomputer.com)
Consumers want more transparency on how companies manage their data - Help Net Security
Gaming Is Booming. That’s Catnip for Cyber criminals. - The New York Times (nytimes.com)
Fear of cyber criminals drives cyber security improvements - Help Net Security
The next Ford Mustang won’t be easy to tune; blame cyber security | Ars Technica
Sector Specific
Industry specific threat intelligence reports are available.
Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.
· Automotive
· Construction
· Critical National Infrastructure (CNI)
· Defence & Space
· Education & Academia
· Energy & Utilities
· Estate Agencies
· Financial Services
· FinTech
· Food & Agriculture
· Gaming & Gambling
· Government & Public Sector (including Law Enforcement)
· Health/Medical/Pharma
· Hotels & Hospitality
· Insurance
· Legal
· Manufacturing
· Maritime
· Oil, Gas & Mining
· OT, ICS, IIoT, SCADA & Cyber-Physical Systems
· Retail & eCommerce
· Small and Medium Sized Businesses (SMBs)
· Startups
· Telecoms
· Third Sector & Charities
· Transport & Aviation
· Web3
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Threat Briefing 07 October 2022
Black Arrow Cyber Threat Briefing 07 October 2022:
-Russian Sanctions Instigator Lloyd's Possibly Hit by Cyber Attack
-Former Uber Security Chief Convicted of Covering Up Data Breach
-First 72 Hours of Incident Response Critical to Taming Cyber Attack Chaos
-Email Defences Under Siege: Phishing Attacks Dramatically Improve
-Remote Services Are Becoming an Attractive Target for Ransomware
-Growing Reliance on Cloud Brings New Security Challenges
-Many IT Pros Don’t Think a Ransomware Attack Can Impact Microsoft 365 Data
-Ransomware Group Bypasses "Enormous" Range of EDR Tools
-MS Exchange Zero-Days: The Calm Before the Storm?
-Average Company with Data in the Cloud Faces $28 Million in Data-Breach Risk
-Secureworks Finds Network Intruders See Little Resistance
-Regulations, Laws and Accountability are Changing the Cyber Security Landscape
-This Year’s Biggest Cyber Threats
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
Russian Sanctions Instigator Lloyd's Possibly Hit by Cyber Attack
Lloyd’s of London, the London-based insurance market heavily involved in implementing sanctions against Russia, may have been hit by a cyber-attack. On Wednesday, October 5, 2022, the British insurance market revealed it had detected “unusual activity” on its systems and has turned off all external connectivity “as a precautionary measure.”
“We have informed market participants and relevant parties, and we will provide more information once our investigations have concluded,” said a Lloyd’s spokesperson.
The company did not comment on whether or not it has been contacted by hackers, if a ransom demand has been issued, or on the possible source of the attack.
However, the insurance market has been closely involved with the design and implementation of sanctions imposed on Russia in response to its invasion of Ukraine – a potential motive for the attack. Lloyd’s itself has confirmed it was working closely with British and international governments to implement such sanctions.
Around 100 insurance syndicates operate at Lloyd's.
Earlier in 2022, Lloyd’s instructed its 76 insurance syndicates to remove “nation-state-backed cyber attacks” from insurance policies by March 2023, as well as losses “arising from a war.”
https://www.infosecurity-magazine.com/news/lloyds-possibly-hit-by-cyberattack/
Former Uber Security Chief Convicted of Covering Up Data Breach
Uber’s former head of security has been convicted of covering up a 2016 data breach at the rideshare giant, hiding details from US regulators and paying off a pair of hackers in return for their discretion.
The trial, closely watched in cyber security circles, is believed to be the first criminal prosecution of a company executive over the handling of a data breach.
Joe Sullivan, who was fired in 2017 over the incident, was found guilty by a San Francisco jury of obstructing an investigation by the Federal Trade Commission. At the time of the 2016 breach, the regulator had been investigating the car-booking service over a different cyber security lapse that had occurred two years earlier.
Jurors also convicted Sullivan of a second count related to having knowledge of but failing to report the 2016 breach to the appropriate government authorities. The incident eventually became public in 2017 when Dara Khosrowshahi, who had just taken over as chief executive, disclosed details of the attack.
Prosecutors said Sullivan had taken steps to make sure data compromised in the attack would not be revealed. According to court documents, two hackers approached Sullivan’s team to notify Uber of a security flaw that exposed the personal information of almost 60mn drivers and riders on the platform.
https://www.ft.com/content/051af6a1-41d1-4a6c-9e5a-d23d46b2a9c9
First 72 Hours of Incident Response Critical to Taming Cyber Attack Chaos
Cyber security professionals tasked with responding to attacks experience stress, burnout, and mental health issues that are exacerbated by a lack of breach preparedness and sufficient incident response practice in their organisations.
A new IBM Security-sponsored survey published this week found that two-thirds (67%) of incident responders suffer stress and anxiety during at least some of their engagements, while 44% have sacrificed the well-being of their relationships, and 42% have suffered burnout, according to the survey conducted by Morning Consult. In addition, 68% of incidents responders often have to work on two or more incidents at the same time, increasing their stress, according to the survey's results.
Companies that plan and practice responding to a variety of incidents can lower the stress levels of their incident responders, employees, and executives, says John Dwyer, head of research for IBM Security's X-Force response team.
"Organisations are not effectively establishing their response strategies with the responders in mind — it does not need to be as stressful as it is," he says. "There is a lot of time when the responders are managing organisations during an incident, because those organisations were not prepared for the crisis that occurs. These attacks happen every day."
The IBM Security-funded study underscores why the cyber security community has focused increasingly on the mental health of its members. About half (51%) of cyber security defenders have suffered burnout or extreme stress in the past year, according to a VMware survey released in August 2021. Cyber security executives have also spotlighted the issue as one that affects the community and companies' ability to retain skilled workers.
Email Defences Under Siege: Phishing Attacks Dramatically Improve
This week's report that cyber attackers are laser-focused on crafting attacks specialised to bypass Microsoft's default security showcases an alarming evolution in phishing tactics, security experts said this week.
Threat actors are getting better at slipping phishing attacks through the weak spots in platform email defences, using a variety of techniques, such as zero-point font obfuscation, hiding behind cloud-messaging services, and delaying payload activation, for instance. They're also doing more targeting and research on victims.
As a result, nearly 1 in 5 phishing emails (18.8%) bypassed Microsoft's platform defences and landed in workers' inboxes in 2022, a rate that increased 74% compared to 2020, according to research published by cyber security firm Check Point Software. Attackers increasingly used techniques to pass security checks, such as Sender Policy Framework (SPF), and obfuscate functional components of an e-mail, such as using zero-size fonts or hiding malicious URLs from analysis.
The increasing capabilities of attackers is due to the better understanding of current defences, says Avanan, an email security firm acquired by Check Point in August 2021.
"It is a family of 10 to 20 techniques, but they all lead to the objective of deceiving a company's security layers," he says. "The end result is always an email that looks genuine to the recipient but looks different to the algorithm that analyses the content."
Microsoft declined to comment on the research. However, the company has warned of advanced techniques, such as adversary-in-the-middle phishing (AiTM), which uses a custom URL to place a proxy server between a victim and their desired site, allowing the attacker to capture sensitive data, such as usernames and passwords. In July, the company warned that more than 10,000 organisations had been targeted during one AiTM campaign.
Remote Services Are Becoming an Attractive Target for Ransomware
Stolen credentials are no longer the number one initial access vector for ransomware operators looking to infect a target network and its endpoints - instead, they’ve become more interested in exploiting vulnerabilities found in internet-facing systems.
A report from Secureworks claims ransomware-as-a-service developers are quick to add newly discovered vulnerabilities into their arsenals, allowing even less competent hackers to exploit them swiftly, and with relative ease.
In fact, the company's annual State of the Threat Report reveals that flaw exploitation in remote services accounted for 52% of all ransomware incidents the company analysed over the last 12 months.
Besides remote services, Secureworks also spotted a 150% increase in the use of infostealers, which became a “key precursor” to ransomware. Both these factors, the report stresses, kept ransomware as the number one threat for businesses of all sizes, “who must fight to stay abreast of the demands of new vulnerability prioritisation and patching”.
All things considered, ransomware is still the biggest threat for businesses. It takes up almost a quarter of all attacks that were reported in the last 12 months, Secureworks says, and despite law enforcement being actively involved, operators remained highly active.
https://www.techradar.com/news/remote-services-are-becoming-an-attractive-target-for-ransomware
Growing Reliance on Cloud Brings New Security Challenges
There was a time when cloud was just a small subset of IT infrastructure, and cloud security referred to a very specific set of tasks. The current reality is very different, organisations are heavily dependent on cloud technologies and cloud security has become a much more complex endeavour.
Organisations increasingly rely on the cloud to deliver new applications, reduce costs, and support business operations. One in every four organisations already have majority workloads in the cloud, and 44% of workloads currently run in some form of public cloud, says Omdia, a research and advisory group.
Practically every midsize and large organisation now operates in some kind of a hybrid cloud environment, with a mix of cloud and on-premises systems. For most organisations, software-as-a-service constitute the bulk (80%) of their cloud environments, followed by infrastructure-as-a-service and platform-as-a-service deployments.
In the past, cloud security conversations tended to focus on making sure cloud environments are being configured properly, but cloud security nowadays goes far beyond just configuration management. The sprawling cloud environment means security management has to be centralised, Omdia said. Security functions also need to be integrated into existing application deployment workflows.
On top of all of this, multicloud is becoming more common among organisations as they shift their workloads to avoid being dependent on a single platform. The three major cloud providers – Amazon Web Services, Microsoft Azure, and Google Cloud Platform – account for 65% of the cloud market.
https://www.darkreading.com/dr-tech/growing-reliance-on-cloud-brings-new-security-challenges
Many IT Pros Don’t Think a Ransomware Attack Can Impact Microsoft 365 Data
The 2022 Ransomware Report, which surveyed over 2,000 IT leaders, revealed that 24% have been victims of a ransomware attack, with 20% of attacks happening in the last year.
Cyber attacks are happening more frequently. Last year’s ransomware survey revealed that 21% of companies experienced an attack. This year it rose by three percent to 24%.
“Attacks on businesses are increasing, and there is a shocking lack of awareness and preparation by IT pros. Our survey shows that many in the IT community have a false sense of security. As bad actors develop new techniques, companies like ours have to do what it takes to come out ahead and protect businesses around the world,” said Hornetsecurity.
The report highlighted a lack of knowledge on the security available to businesses. 25% of IT professionals either don’t know or don’t think that Microsoft 365 data can be impacted by a ransomware attack.
Just as worryingly, 40% of IT professionals that use Microsoft 365 in their organisation admitted they do not have a recovery plan in case their Microsoft 365 data was compromised by a ransomware attack.
“Microsoft 365 is vulnerable to phishing attacks and ransomware attacks, but with the help of third-party tools, IT admins can backup their Microsoft 365 data securely and protect themselves from such attacks,” said Hofmann.
https://www.helpnetsecurity.com/2022/10/03/ransomware-attack-impact-microsoft-365-data/
Ransomware Group Bypasses "Enormous" Range of EDR Tools
A notorious ransomware group has been spotted leveraging sophisticated techniques to bypass endpoint detection and response (EDR) tools.
BlackByte, which the US government has said poses a serious threat to critical infrastructure, used a “Bring Your Own Driver” technique to circumvent over 1000 drivers used by commercially available EDR products, according to Sophos. The UK cyber security vendor explained in a new report that the group had exploited a known vulnerability, CVE-2019-16098, in Windows graphics utility driver RTCorec6.sys. This enabled it to communicate directly with a victim system’s kernel and issue commands to disable callback routines used by EDR tools.
The group also used EDR bypass techniques borrowed from open source tool EDRSandblast to deactivate the Microsoft-Windows-Threat-Intelligence ETW (Event Tracing for Windows) provider. This is a Windows feature “that provides logs about the use of commonly maliciously abused API calls such as NtReadVirtualMemory to inject into another process’s memory,” explained Sophos. Neutralising it in this way renders any security tool relying on the feature also useless, the firm argued.
“If you think of computers as a fortress, for many EDR providers, ETW is the guard at the front gate,” said Sophos. “If the guard goes down, then that leaves the rest of the system extremely vulnerable. And, because ETW is used by so many different providers, BlackByte’s pool of potential targets for deploying this EDR bypass is enormous.”
BlackByte is not the only ransomware group using these advanced techniques to get around existing detection tools, illustrating the continued arms race between attackers and defenders. AvosLocker used a similar method in May, Sophos said. “Anecdotally, from what we’re seeing in the field, it does appear that EDR bypass is becoming a more popular technique for ransomware threat groups,” the firm confirmed. “This is not surprising. Threat actors often leverage tools and techniques developed by the ‘offensive security’ industry to launch attacks faster and with minimal effort.”
https://www.infosecurity-magazine.com/news/ransomware-bypasses-enormous-range/
MS Exchange Zero-Days: The Calm Before the Storm?
Two exploited MS Exchange zero-days that still have no official fix, have been added to CISA’s Known Exploited Vulnerabilities (KEV) Catalog.
But mitigating the risk of exploitation until patches are ready will require patience and doggedness, as Microsoft is still revising its advice to admins and network defenders, and still working on the patches.
The two vulnerabilities were publicly documented last Wednesday, by researchers with Vietnamese company GTSC, and Microsoft soon after sprung into (discernible) action by offering customer guidance, followed by an analysis of the attacks exploiting the two vulnerabilities. Several changes have been made to the documents since then, after the company found and other researchers pointed out several shortcomings.
Microsoft says its threat analysts observed “activity related to a single activity group in August 2022 that achieved initial access and compromised Exchange servers by chaining CVE-2022-41040 and CVE-2022-41082 in a small number of targeted attacks,” and that the attackers breached fewer than 10 organisations globally. “MSTIC assesses with medium confidence that the single activity group is likely to be a state-sponsored organisation,” they added.
The other good news is there are still no public exploits for the two vulnerabilities. But, Microsoft says, “Prior Exchange vulnerabilities that require authentication have been adopted into the toolkits of attackers who deploy ransomware, and these vulnerabilities are likely to be included in similar attacks due to the highly privileged access Exchange systems confer onto an attacker.”
Enterprise defenders should expect trouble via this attack path in the near future, it seems, so keeping abreast of the changing situation and springing into action as quickly as possible once the patches are made available is advised. Scammers have since started impersonating security researchers and offering non-existing PoC exploits for CVE-2022-41082 for sale via GitHub
https://www.helpnetsecurity.com/2022/10/03/ms-exchange-cve-2022-41040-cve-2022-41082/
Average Company with Data in the Cloud Faces $28 Million in Data-Breach Risk
Hard-to-control collaboration, complex SaaS permissions, and risky misconfigurations — such as admin accounts without multi-factor authentication (MFA) — have left a dangerous amount of cloud data exposed to insider threats and cyber attacks, according to Varonis.
For the report, researchers analysed nearly 10 billion cloud objects (more than 15 petabytes of data) across a random sample of data risk assessments performed at more than 700 companies worldwide. In the average company, 157,000 sensitive records are exposed to everyone on the internet by SaaS sharing features, representing $28 million in data-breach risk, Varonis researchers have found.
One out of every 10 records in the cloud is exposed to all employees — creating an impossibly large internal blast radius, which maximises damage during a ransomware attack. The average company has 4,468 user accounts without MFA enabled, making it easier for attackers to compromise internally exposed data.
Out of 33 super admin accounts in the average organisation, more than half did not have MFA enabled. This makes it easier for attackers to compromise these powerful accounts, steal more data, and create backdoors. Companies have more than 40 million unique permissions across SaaS applications, creating a nightmare for IT and security teams responsible for managing and reducing cloud data risk.
“Cloud security shouldn’t be taken for granted. When security teams lack critical visibility to manage and protect SaaS and IaaS apps and services, it’s nearly impossible to ensure your data isn’t walking out the door,” said Varonis. “This report is a true-to-life picture of over 700 real-world risk assessments of production SaaS environments. The results underscore the urgent need for CISOs to uncover and remediate their cloud risk as quickly as possible.”
https://www.helpnetsecurity.com/2022/10/05/company-data-breach-risk/
Secureworks Finds Network Intruders See Little Resistance
Attackers who break into networks only need to take a few basic measures in order to avoid detection.
Security vendor Secureworks said in its annual State of the Threat report that it observed several data breaches between June 2021 and June 2022 and found that, by and large, once network intruders gained a foothold on the targets' environment, they had to do relatively little to stay concealed.
"One thing that is notable about them is that none of these techniques are particularly sophisticated," the vendor said. "That is because threat actors do not need them to be; the adversary will only innovate enough to achieve their objectives. So there is a direct relationship between the maturity of the controls in a target environment and the techniques they employ to bypass those controls."
Among the more basic measures taken by the attackers was coding their tools in newer languages such as Go or Rust. This tweak created enough of a difference in the software to evade signature-checking tools, according to Secureworks' report. In other cases, the network intruders hid their activity by packing their malware within a trusted Windows installer or by sneaking it into the Authenticode signature of a trusted DLL. In another case, a malware infection was seen moving data out of the victim's network via TOR nodes. While effective, Secureworks said the techniques are hardly innovative. Rather, they indicate that threat actors find themselves only needing to do the bare minimum to conceal themselves from detection.
Regulations, Laws and Accountability are Changing the Cyber Security Landscape
As cyber criminals continue to develop new ways to wreak havoc, regulators have been working to catch up. They aim to protect data and consumers while avoiding nation-state attacks that are a risk to national and economic security. But some of these regulations may provide an opportunity for MSSPs.
Some of these regulations are a response to what’s generally been a hands-off approach to telling organisations what to do. Unfortunately, cyber security isn’t always prioritised when budgets and resources are allocated. The result is a steadily rising tide of breaches and exploits that have held organisations hostage and made private information available on the dark web.
The new regulations are coming from all directions: at the state and federal levels in the US and around the world. While many of these regulations aren’t yet final, there’s no reason not to start aligning with where trends will ease the impact of changing rules. At the same time, many organisations want to hold the government responsible for some kinds of attacks. It will be interesting to see how regulating works, as most politicians and bureaucrats aren’t known for their technological savvy.
In the US, for example, new regulations are in development in the Federal Trade Commission, Food and Drug Administration, Department of Homeland Security, Department of Transportation, Department of Energy, and the Cybersecurity and Infrastructure Security Agency. Thirty-six states have enacted cyber security legislation, and the count increases as other countries join.
One of the motivating factors for all these new regulations is that most cyber attacks aren’t reported. Lawmakers realise cyber security threats continue to be one of the top national security and economic risks. In the last year and a half (2020-2022), there have been attacks on America’s gas supply, meat supply, and various other companies, courts, and government agencies. One FBI cyber security official estimated the government only learns about 20% to 25% of intrusions at US business and academic institutions.
In March, Congress passed legislation requiring critical infrastructure operators to report significant cyber attacks to CISA within 72 hours of learning about the attack. It also required them to report a ransomware payment within 24 hours. These regulations will also consider reporting “near misses” so that this data can also be studied and tracked. The problem is, how does one define a “near miss”?
This Year’s Biggest Cyber Threats
OpenText announced the Nastiest Malware of 2022, a ranking of the year’s biggest cyber threats. For the fifth year running, experts combed through the data, analysed different behaviours, and determined which malicious payloads are the nastiest.
Emotet regained its place at the top, reminding the world that while affiliates may be taken down, the masterminds are resilient. LockBit evolved its tactics into something never seen before: triple extortion. Analysis also revealed an almost 1100% increase in phishing during the first four months of 2022 compared to the same period in 2021, indicating a possible end to the “hacker holiday,” a hacker rest period following the busy holiday season.
“The key takeaway from this year’s findings is that malware remains centre stage in the threats posed towards individuals, businesses, and governments,” said OpenText.
“Cyber criminals continue to evolve their tactics, leaving the infosec community in a constant state of catch-up. With the mainstream adoption of ransomware payloads and cryptocurrency facilitating payments, the battle will continue. No person, no business—regardless of size—is immune to these threats.”
While this year’s list may designate payloads into different categories of malware, it’s important to note many of these bad actor groups contract work from others. This allows each group to specialise in their respective payload and perfect it.
https://www.helpnetsecurity.com/2022/10/06/2022-nastiest-malware/
Threats
Ransomware and Extortion
Ransomware Attacks On The Rise, Secureworks Reveals in its State of the Threat Report - MSSP Alert
Ransomware: This is how half of attacks begin, and this is how you can stop them | ZDNET
Fake adult sites push data wipers disguised as ransomware (bleepingcomputer.com)
BlackByte ransomware abuses legit driver to disable security products (bleepingcomputer.com)
Ransomware attacks ravage schools, municipal governments (techtarget.com)
More and more ransomware is just data theft, no encryption • The Register
Netwalker ransomware affiliate sentenced to 20 years in prison (bleepingcomputer.com)
Cheerscrypt ransomware is linked to Chinese DEV-0401 APT group - Security Affairs
ADATA denies RansomHouse cyber attack, says leaked data from 2021 breach (bleepingcomputer.com)
Avast releases a free decryptor for some Hades ransomware variants - Security Affairs
Cyber criminals Leak LA School Data After It Refuses to Ransom (vice.com)
How Ransomware Is Causing Chaos in American Schools (vice.com)
Ransomware hunters: the self-taught tech geniuses fighting cyber crime | Cyber crime | The Guardian
BEC – Business Email Compromise
BEC fraudster and romance scammer sent to prison for 25 years – Naked Security (sophos.com)
Hackers Target Homebuyers’ Life Savings in Real Estate Scam - Bloomberg
Phishing & Email Based Attacks
Other Social Engineering; Smishing, Vishing, etc
Callback phishing attacks evolve their social engineering tactics (bleepingcomputer.com)
3 ways enterprises can mitigate social engineering risks - Help Net Security
Malware
OpenText Releases List Of The Year’s “Nastiest” Malware - MSSP Alert
This devious malware is able to disable your antivirus | TechRadar
Bumblebee Malware Loader's Payloads Significantly Vary by Victim System (darkreading.com)
Live support service hacked to spread malware in supply chain attack (bleepingcomputer.com)
NullMixer Dropper Delivers a Multimalware Code Bomb (darkreading.com)
Maggie malware already infected over 250 Microsoft SQL servers - Security Affairs
Mobile
Internet of Things – IoT
7 IoT Devices That Make Security Pros Cringe (darkreading.com)
Ikea Smart Light System Flaw Lets Attackers Turn Bulbs on Full Blast (darkreading.com)
Acronis founder is afraid of his own vacuum cleaner • The Register
Data Breaches/Leaks
“Egypt Leaks” – Hacktivists are Leaking Financial Data - Security Affairs
No Shangri-La for you: Top hotel chain confirms data leak • The Register
NSA: Someone hacked military contractor and stole data • The Register
City of Tucson discloses data breach affecting over 123,000 people (bleepingcomputer.com)
Optus Says ID Numbers of 2.1 Million Compromised in Data Breach | SecurityWeek.Com
Aussie Telco Telstra Breached, Reportedly Exposing 30,000 Employees' Data (darkreading.com)
2K warns users their info has been stolen following breach of its help desk | Ars Technica
Russian retail chain 'DNS' confirms hack after data leaked online (bleepingcomputer.com)
Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain
Breaking: Scams Linked To Crypto Soared By 335% (informationsecuritybuzz.com)
Hacker steals $566 million worth of crypto from Binance Bridge (bleepingcomputer.com)
Hackers are breaching scam sites to hijack crypto transactions (bleepingcomputer.com)
Binance Says $100 Million Stolen in Latest Crypto Hack (gizmodo.com)
Hackers are breaching scam sites to hijack crypto transactions (bleepingcomputer.com)
Insider Risk and Insider Threats
Meta sues app dev for stealing over 1 million WhatsApp accounts (bleepingcomputer.com)
Microsoft publishes report on holistic insider risk management - Microsoft Security Blog
Unearth offboarding risks before your employees say goodbye - Help Net Security
Splunk alleges source code theft by former employee • The Register
Ex-NSA Employee Arrested for Trying to Sell U.S. Secrets to a Foreign Government (thehackernews.com)
Fraud, Scams & Financial Crime
Consumers Feel Hopeless in Protecting Themselves Against Cyber crime, ISACA Reports - MSSP Alert
BEC fraudster and romance scammer sent to prison for 25 years – Naked Security (sophos.com)
Hackers Target Homebuyers’ Life Savings in Real Estate Scam - Bloomberg
Russians dodging mobilization behind flourishing scam market (bleepingcomputer.com)
Scammers and rogue callers – can anything ever stop them? – Naked Security (sophos.com)
Online romance scam boss netted $9.5m, jailed for 25 years • The Register
Deepfakes
Supply Chain and Third Parties
Live support service hacked to spread malware in supply chain attack (bleepingcomputer.com)
Supply Chain Attack Targets Customer Engagement Firm Comm100 | SecurityWeek.Com
Denial of Service DoS/DDoS
Cloud/SaaS
Encryption
API
More Than 30% of All Malicious Attacks Target Shadow APIs (darkreading.com)
APIs are quickly becoming the most popular attack vector - Help Net Security
The Problem of API Security and How To Fix It (informationsecuritybuzz.com)
API authentication failures demonstrate the need for zero trust - Help Net Security
Shadow APIs hit with 5 billion malicious requests - Help Net Security
Open Source
When transparency is also obscurity: The conundrum that is open-source security - Help Net Security
How Secure is Using Open Source Components? - IT Security Guru
Passwords, Credential Stuffing & Brute Force Attacks
Microsoft warns Basic Auth users over password spray attacks • The Register
Is mandatory password expiration helping or hurting your password security? - Help Net Security
Detecting and preventing LSASS credential dumping attacks - Microsoft Security Blog
Meta Says It Has Busted More Than 400 Login-Stealing Apps This Year | WIRED
Privacy, Surveillance and Mass Monitoring
Regulations, Fines and Legislation
Models, Frameworks and Standards
Secure Disposal
Backup and Recovery
Law Enforcement Action and Take Downs
Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine
Relentless Russian Cyber attacks on Ukraine Raise Important Policy Questions (darkreading.com)
Finnish intelligence warns of Russia's cyber espionage activities - Security Affairs
Kazakhstan Pins Wave Of Cyber attacks On Foreign Actors | OilPrice.com
Albania weighed invoking NATO’s Article 5 over Iranian cyber attack - POLITICO
We breached Russian satellite network, say pro-Ukraine partisans | Cybernews
Ukrainian forces report Starlink outages during push against Russia | Financial Times (ft.com)
Report: Mexico Continued to Use Spyware Against Activists | SecurityWeek.Com
Nation State Actors
Nation State Actors – China
US authorities name China's 20 favourite vulns to exploit • The Register
Cheerscrypt ransomware is linked to Chinese DEV-0401 APT group - Security Affairs
Nation State Actors – North Korea
Vulnerabilities
Fortinet warns admins to patch critical auth bypass bug immediately (bleepingcomputer.com)
Atlassian, Microsoft bugs make CISA’s must-patch list • The Register
US authorities name China's 20 favourite vulns to exploit • The Register
October 2022 Patch Tuesday forecast: Looking for treats, not more tricks - Help Net Security
Fake Microsoft Exchange ProxyNotShell exploits for sale on GitHub (bleepingcomputer.com)
CISA Warns of Attacks Exploiting Recent Atlassian Bitbucket Vulnerability | SecurityWeek.Com
No fix in sight for mile-wide loophole plaguing a key Windows defence for years | Ars Technica
Hackers Exploiting Unpatched RCE Flaw in Zimbra Collaboration Suite (thehackernews.com)
Lazarus employed an exploit in a Dell firmware driver in recent attacks - Security Affairs
Unpatched Zimbra flaw under attack is letting hackers backdoor servers | Ars Technica
macOS Archive Utility Bug Lets Malicious Apps Bypass Security Checks (darkreading.com)
Fortinet Warns of New Auth Bypass Flaw Affecting FortiGate and FortiProxy (thehackernews.com)
VMware fixed a high-severity bug in vCenter Server - Security Affairs
Reports Published in the Last Week
Other News
Guilty verdict in the Uber breach case makes personal liability real for CISOs | CSO Online
Cyber attackers view smaller organisations as easier targets - Help Net Security
Moody's turns up the heat on 'riskiest' sectors for attacks • The Register
5 reasons why security operations are getting harder | CSO Online
Former NSA Employee Faces Death Penalty for Selling Secrets (darkreading.com)
Fast Company Is Back From the Dead After Being Hacked (gizmodo.com)
Ready Or Not, Web 3 Is Coming And With It Comes Cybersquatting 2.0 (informationsecuritybuzz.com)
Cyber Hygiene: 5 Best Practices for Company Buy-In (trendmicro.com)
School Is in Session: 5 Lessons for Future Cyber Security Pros (darkreading.com)
Want More Secure Software? Start Recognizing Security-Skilled Developers (thehackernews.com)
Incident responders increasingly seek out mental health assistance - Help Net Security
You Are Not Alone If You're Unclear About Extended Detection and Response (XDR) - MSSP Alert
Why digital trust is the bedrock of business relationships - Help Net Security
Sector Specific
Industry specific threat intelligence reports are available.
Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.
· Automotive
· Construction
· Critical National Infrastructure (CNI)
· Defence & Space
· Education & Academia
· Energy & Utilities
· Estate Agencies
· Financial Services
· FinTech
· Food & Agriculture
· Gaming & Gambling
· Government & Public Sector (including Law Enforcement)
· Health/Medical/Pharma
· Hotels & Hospitality
· Insurance
· Legal
· Manufacturing
· Maritime
· Oil, Gas & Mining
· OT, ICS, IIoT, SCADA & Cyber-Physical Systems
· Retail & eCommerce
· Small and Medium Sized Businesses (SMBs)
· Startups
· Telecoms
· Third Sector & Charities
· Transport & Aviation
· Web3
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Threat Briefing 30 September 2022
Black Arrow Cyber Threat Briefing 30 September 2022:
-UK Organisations, Ukraine's Allies Warned of Potential "Massive" Cyber Attacks By Russia
-Cyber Criminals See Allure in BEC Attacks Over Ransomware
-Most Hackers Need 5 Hours or Less to Break Into Enterprise Environments
-Global Firms Deal with 51 Security Incidents Each Day
-Phishing Attacks Crushed Records Last Quarter, Driven by Mobile
-Why Paying the Ransom is Still the Most Common Response to a Ransomware Attack?
-Ransomware Attacks Continue Increasing: 20% of All Reported Attacks Occurred in the Last 12 Months
-More Than Half of Security Pros Say Risks Higher in Cloud Than On Premise
-How To Outsmart Increasingly Complex Cyber Attacks
-Top Issues Driving Cyber Security: Growing Number of Cyber Criminals, Variety of Attacks
-Cyber Threats Top Business Leaders' Biggest Concerns
-Fired Admin Cripples Former Employer's Network Using Old Credentials
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
UK Organisations, Ukraine's Allies Warned of Potential "Massive" Cyber Attacks By Russia
The head of the UK National Cyber Security Centre (NCSC) Lindy Cameron has given an update on Russia’s cyber activity amid its war with Ukraine. Her speech at Chatham House last week came just a few days after Ukraine’s military intelligence agency issued a warning that Russia was “preparing massive cyber attacks on the critical infrastructure of Ukraine and its allies.” This coincides with a new Forrester report that reveals the extent to which the cyber impact of the Russia-Ukraine conflict has expanded beyond the conflict zone with malware attacks propagating into European entities.
Addressing Russian cyber activity this year, Cameron stated that, while we have not seen the “cyber-Armageddon” some predicted, there has been a “very significant conflict in cyber space – probably the most sustained and intensive cyber campaign on record – with the Russian State launching a series of major cyber attacks in support of their illegal invasion in February.”
Russian cyber forces from their intelligence and military branches have been busy launching a huge number of attacks in support of immediate military objectives.
Since the start of the year, the NCSC has been advising UK organisations to take a more proactive approach to cyber security in light of the situation in Ukraine. “There may be organisations that are beginning to think ‘is this still necessary?’ as in the UK we haven’t experienced a major incident related to the war in Ukraine. My answer is an emphatic yes,” Cameron said.
In response to significant recent battlefield set-backs, Putin has been reacting in unpredictable ways, and so we shouldn’t assume that just because the conflict has played out in one way to date, it will continue to go the same way, Cameron added. “There is still a real possibility that Russia could change its approach in the cyber domain and take more risks – which could cause more significant impacts in the UK.” UK organisations and their network defenders should therefore be prepared for this period of elevated alert with a focus on building long-term resilience, which is a “marathon not a sprint,” she said.
Cyber Criminals See Allure in BEC Attacks Over Ransomware
While published trends in ransomware attacks have been contradictory — with some firms tracking more incidents and other fewer — business email compromise (BEC) attacks continue to have proven success against organisations.
BEC cases, as a share of all incident-response cases, more than doubled in the second quarter of the year, to 34% from 17% in the first quarter of 2022. That's according to Arctic Wolf's "1H 2022 Incident Response Insights" report, published on 29 September, which found that specific industries — including financial, insurance, business services, and law firms, as well as government agencies — experienced more than double their previous number of cases, the company said.
Overall, the number of BEC attacks encountered per email box has grown by 84% in the first half of 2022, according to data from cyber security firm Abnormal Security.
Meanwhile, so far this year, threat reports released by organisations have revealed contradictory trends for ransomware. Arctic Wolf and the Identity Theft Resource Center (ITRC) have seen drops in the number of successful ransomware attacks, while business customers seem to be encountering ransomware less often, according to security firm Trellix. At the same time, network security firm WatchGuard had a contrary take, noting that its detection of ransomware attacks skyrocketed 80% in the first quarter of 2022, compared with all of last year.
The surging state of BEC landscape is unsurprising because BEC attacks offer cyber criminals advantages over ransomware. Specifically, BEC gains do not rely on the value of cryptocurrency, and attacks are often more successful at escaping notice while in progress. Threat actors are unfortunately very opportunistic.
For that reason, BEC — which uses social engineering and internal systems to steal funds from businesses — continues to be a stronger source of revenue for cyber criminals. In 2021, BEC attacks accounted for 35%, or $2.4 billion, of the $6.9 billion in potential losses tracked by the FBI's Internet Crime Complaint Center (IC3), while ransomware remained a small fraction (0.7%) of the total.
https://www.darkreading.com/threat-intelligence/cybercriminals-see-allure-bec-attacks-ransomware
Most Hackers Need 5 Hours or Less to Break Into Enterprise Environments
A new survey of 300 ethical hackers provides insight into not only the most common means of initial access, but how a complete end-to-end attack happens.
Around 40% of ethical hackers recently surveyed by the SANS Institute said they can break into most environments they test, if not all. Nearly 60% said they need five hours or less to break into a corporate environment once they identify a weakness.
The SANS ethical hacking survey, done in partnership with security firm Bishop Fox, is the first of its kind and collected responses from over 300 ethical hackers working in different roles inside organisations, with different levels of experience and specialisations in different areas of information security. The survey revealed that on average, hackers would need five hours for each step of an attack chain: reconnaissance, exploitation, privilege escalation and data exfiltration, with an end-to-end attack taking less than 24 hours.
The survey highlights the need for organisations to improve their mean time-to-detect and mean-time-to-contain, especially when considering that ethical hackers are restricted in the techniques they're allowed to use during penetration testing or red team engagements. Using black hat techniques, like criminals do, would significantly improve the success rate and speed of attack.
When asked how much time they typically need to identify a weakness in an environment, 57% of the polled hackers indicated ten or fewer hours: 16% responded six to ten hours, 25% three to five hours, 11% one to two hours and 5% less than an hour.
Global Firms Deal with 51 Security Incidents Each Day
Security operations (SecOps) teams are struggling to respond to dozens of cyber security incidents every single day, according to a new report from Trellix.
The security vendor polled 9000 security decision makers from organisations with 500+ employees across 15 markets to compile its latest study, ‘XDR: Redefining the future of cyber security’.
It found that the average SecOps team has to manage 51 incidents per day, with 36% of respondents claiming they deal with 50 to 200 daily incidents. Around half (46%) agreed that they are “inundated by a never-ending stream of cyber-attacks.”
Part of the problem is the siloed nature of security and detection and response systems, the study claimed. Some 60% of respondents argued that poorly integrated products mean teams can’t work efficiently, while a third (34%) admitted they have blind spots. It’s perhaps no surprise, therefore, that 60% admitted they can’t keep pace with the rapid evolution of security threats.
This could be having a major impact on the bottom line. The vast majority (84%) of security decision makers that Trellix spoke to estimated that their organisation lost up to 10% of revenue from security breaches in the past year.
Medium size businesses ($50–$100m in revenue) lost an average of 8% in revenue, versus 5% for large businesses with a turnover of $10bn–$25bn. That could mean hundreds of millions of dollars are being thrown away each year due to inadequate SecOps.
https://www.infosecurity-magazine.com/news/global-firms-51-security-incidents/
Phishing Attacks Crushed Records Last Quarter, Driven by Mobile
Last quarter saw a record-shattering number of observed phishing attacks, fuelled in large part by attempts to target users on their mobile devices.
The latest Anti-Phishing Working Group (APWG) "Phishing Activity Trends Report" for the second quarter of 2022 found 1,097,811 observed phishing attacks, the most the group has ever measured in its history.
The financial sector remained the top target for phishing lures (27.6%), along with other bombarded sectors, including webmail and software-as-a-service providers, social media sites, and cryptocurrency.
But much of the rise in phishing volume is due to a new threat actor focus on mobile devices, specifically vishing (voice phishing) and smishing (SMS phishing) attacks, the report noted.
https://www.darkreading.com/attacks-breaches/phishing-attacks-crushed-records-last-quarter
Why Paying the Ransom is Still the Most Common Response to a Ransomware Attack
According to new data from Databarracks, 44% of the organisations who experienced a ransomware assault paid the demanded ransom. 22% made use of ransomware decryption software, while 34% restored data from backups.
The Databarracks 2022 Data Health Check produced the results. The annual report has been collecting data on ransomware, cyber, backup, disaster recovery, and business continuity from more than 400 UK IT decision-makers since 2008.
From the victim’s standpoint, it’s logical why you may pay a ransom. You are unable to handle orders or provide customer support, and losses mount swiftly. Downtime expenses can easily surpass the ransom.
Organisations may believe that paying the ransom will solve the issue more quickly, allowing them to resume operations as usual. This strategy is faulty for a number of causes.
First of all, there is no assurance that your data will be returned. Second, once criminals know an organisation is an easy target, they frequently attack it again. Finally, it conveys the incorrect message. By paying, you are assisting the crooks by demonstrating that their strategies are effective.
Ransomware Attacks Continue Increasing: 20% of All Reported Attacks Occurred in the Last 12 Months
Nearly a quarter of businesses have suffered a ransomware attack, with a fifth occurring in the past 12 months, according to a latest annual report from cyber security specialist Hornetsecurity.
The 2022 Ransomware Report, which surveyed over 2,000 IT leaders, revealed that 24% have been victims of a ransomware attack, with one in five (20%) attacks happening in the last year.
Cyber attacks are happening more frequently. Last year's ransomware survey revealed one in five (21%) companies experienced an attack; this year it rose by three percent to 24%.
Attacks on businesses are increasing, and there is a shocking lack of awareness and preparation by IT pros. The survey shows that many in the IT community have a false sense of security as bad actors develop new techniques.
The 2022 Ransomware Report highlighted a lack of knowledge on the security available to businesses. A quarter (25%) of IT professionals either don't know or don't think that Microsoft 365 data can be impacted by a ransomware attack.
Just as worryingly, 40% of IT professionals that use Microsoft 365 in their organisation admitted they do not have a recovery plan in case their Microsoft 365 data was compromised by a ransomware attack.
Microsoft 365 is vulnerable to phishing attacks and ransomware attacks, but with the help of third-party tools, IT admins can back up their Microsoft 365 data securely and protect themselves from such attacks.
Industry responses showed the widespread lack of preparedness from IT professionals and businesses. There has been an increase in businesses not having a disaster recovery plan in place if they do succumb to the heightened threat of a cyber attack.
In 2021, 16% of respondents reported having no disaster recovery plan in place. In 2022, this grew to 19%, despite the rise in attacks.
More Than Half of Security Pros Say Risks Higher in Cloud Than On Premise
A recent survey from machine identity solutions provider Venafi aimed to explore the complexity of cloud environments and the resulting impact on cyber security.
Venafi surveyed 1,101 security decision makers (SDMs) in firms with more than 1,000 employees and found that eighty-one percent of companies have experienced a cloud security incident in the last year. Forty-five percent have suffered at least four security incidents in the same period. More than half of security decision makers believe that security risks are higher in the cloud than on-premise.
Twenty-four percent of the firms have more than 10,000 employees. Ninety-two percent of the SDMs are at manager level or above, with 49% at c-suite level or higher.
Most of the firms surveyed believe the underlying issue is the increasing complexity of their cloud deployments. Since these companies already host 41% of their applications in the cloud, and expect to increase this to 57% over the next 18 months, the problem is only likely to worsen in the future.
The ripest target of attack in the cloud is identity management, especially machine identities. Each of these cloud services, containers, Kubernetes clusters and microservices needs an authenticated machine identity – such as a TLS certificate – to communicate securely. If any of these identities is compromised or misconfigured, it dramatically increases security and operational risks.
Respondents reported that the most common cloud incidents are security incidents during runtime (34%), unauthorised access (33%), misconfigurations (32%), vulnerabilities that have not been remediated (24%), and failed audits (19%).
Their primary operational concerns are hijacking of accounts, services or traffic (35%), malware or ransomware (31%), privacy/data access issues such as those from GDPR (31%), unauthorised access (28%), and nation state attacks (26%).
https://www.securityweek.com/more-half-security-pros-say-risks-higher-cloud-premise
How To Outsmart Increasingly Complex Cyber Attacks
Threat detection is harder today than it was two years ago. Next year will be harder than this year. Why? It’s a compounding effect from skills shortages and threat varieties that’s making it more challenging for any one product to handle key security wins. And cyber security is a constantly evolving sector with 2022 a devastating year for cyber security. Both hackers and security experts are always in a battle to outsmart each other.
Even for businesses with good IT departments, data protection can too quickly become an afterthought. Today’s threat landscape is growing, not just in the frequency of attacks (and the number of high-profile breaches recorded in the media) but so is the complexity of any given threat. A recent piece of research found that in 93 percent of cases, an external attacker can breach an organisation’s network perimeter and gain access to local network resources. Following increasing levels of cyber-attacks, it’s a case of “not if I will be hit by a ransomware attack,” but “when…” Organisations need to do something to mitigate the risk and protect their businesses, and they need to do it now.
Planning and executing a better defence to outsmart attackers and win more security battles doesn’t have to feel like a military operation – but it does require the right service coverage to remove blind spots and reduce emerging risks before they escalate.
https://informationsecuritybuzz.com/articles/how-to-outsmart-increasingly-complex-cyber-attacks/
Top Issues Driving Cyber Security: Growing Number of Cyber Criminals, Variety of Attacks
Fortifying cyber security defences remains a work in progress for many organisations, who acknowledge their shortcomings but have yet to commit the necessary resources to the effort, according to new research from CompTIA.
While a majority of respondents in each of seven geographic regions feels that their company’s cyber security is satisfactory, CompTIA’s “State of Cybersecurity” shows that a much smaller number rank the situation as “completely satisfactory.” Nearly everyone feels that there is room for improvement.
“Companies are aware of the threats they face and the potential consequences of an attack or breach,” said Seth Robinson, VP of industry research, CompTIA. “But they may be underestimating their exposure and how much they need to invest in cyber security. Risk mitigation is the key, the filter through which everything should be viewed.”
Two of the top three issues driving cyber security considerations are the growing volume of cyber criminals, cited by 48% of respondents, and the growing variety of cyber attacks (45%). Additionally, ransomware and phishing have quickly become major areas of concern as digital operations have increased and human error has proven more costly.
“Digital transformation driven by cloud and mobile adoption requires a new strategic approach to cyber security, but this poses significant challenges, both tactically and financially,” Robinson said. “As IT operations and strategy have grown more complex, so has the management of cyber security.”
As cyber security is more tightly integrated with business objectives, zero trust is the overarching policy that should be guiding modern efforts, though its adoption will not take place overnight because it requires a drastically different way of thinking and acting. The report suggests there is small progress in recognising a holistic zero trust approach, but better progress in adopting some elements that are part of an overarching zero trust policy.
https://www.helpnetsecurity.com/2022/09/30/top-issues-driving-cybersecurity/
Cyber Threats Top Business Leaders' Biggest Concerns
Cyber threats are the number one concern for business decision makers, beating worries over economic uncertainty, rising energy costs and hiring, according to insurance provider Travelers. The firm polled over 1200 business leaders to compile its 2022 Travelers Risk Index report.
This is the third time in four years that cyber has emerged as the top concern, with more than half (57%) of respondents believing a future cyber-attack on their organisation is inevitable. A quarter (26%) said their company had already been a breach victim, the seventh successive year this figure has risen.
The top two cyber-related concerns were suffering a security breach (57%), and a system glitch causing computers to crash (55%). Becoming a cyber-extortion victim rose from eighth position to third this year.
However, despite general concern about cyber-threats, business decision-makers may also be guilty of overconfidence in their organisation’s security posture.
Nearly all respondents (93%) said they’re confident their company has implemented best practices to prevent or mitigate a cyber event. Yet most have not deployed endpoint detection and response tools (64%), they haven’t conducted a vendor cyber-assessment (59%), and don’t have an incident response plan (53%). Further, while 90% said they’re familiar with multi-factor authentication (MFA), only 52% had implemented it for remote access. This increasingly matters, not only to mitigate cyber-risk but also to reduce insurance premium costs and increase coverage.
Cyber attacks can shut down a company for a long period of time or even put it out of business, and it’s imperative that companies have a plan in place to mitigate any associated operational and financial disruptions.
Effective measures that have proven to reduce the risk of becoming a cyber victim are available, but based on these survey results, not enough companies are taking action. It’s never too late, and these steps can help businesses avoid a devastating cyber-event.
https://www.infosecurity-magazine.com/news/cyberthreats-top-business-big/
Fired Admin Cripples Former Employer's Network Using Old Credentials
After being laid off, an IT system administrator disrupted the operations of his former employer, a high-profile financial company in Hawaii, hoping to get his job back.
Casey K Umetsu, aged 40, worked as a network admin for the company between 2017 and 2019, when his employer terminated his contract. The US Department of Justice says in a press release that the defendant pled guilty to accessing his former employer's website and making configuration changes to redirect web and email traffic to external computers.
To prolong the business disruption for several more days, Umetsu performed additional actions that essentially locked out the firm's IT team from the website administration panel. In the end, the victimised company learned who was responsible for the sabotage after reporting the cyber security incident to the FBI.
Umetsu is awaiting sentence for his wrongdoings on January 19, 2023. He faces a maximum of 10 years of prison time and a fine of up to $250,000.
While Umetsu's actions are condemnable, the company's security practices cannot be overlooked since Umetsu used credentials that should have been invalidated the moment he got fired.
Threats
Ransomware and Extortion
Ransomware data theft tool may show a shift in extortion tactics (bleepingcomputer.com)
The various ways ransomware impacts your organization - Help Net Security
New Royal Ransomware emerges in multi-million dollar attacks (bleepingcomputer.com)
Research: 20% of All Reported Ransomware Attacks Occurred in the Last 12 Months - MSSP Alert
BlackCat Ransomware Attackers Spotted Fine-Tuning Their Malware Arsenal (thehackernews.com)
Noberus ransomware gets info-stealing upgrades • The Register
SQL Server admins warned to watch for Fargo ransomware • The Register
BlackCat/ALPHV Gang Adds Wiper Functionality as Ransomware Tactic (darkreading.com)
Leaked LockBit 3.0 builder used by ‘Bl00dy’ ransomware gang in attacks (bleepingcomputer.com)
NCC Group: IceFire ransomware gang ramping up attacks (techtarget.com)
MS SQL servers are getting hacked to deliver ransomware to orgs - Help Net Security
Hackers Leak French Hospital Patient Data in Ransom Fight | SecurityWeek.Com
Oxford Health: Cyber attack continues to hit NHS trust's services - BBC News
LA School District Ransomware Attackers Now Threaten to Leak Stolen Data (darkreading.com)
Phishing & Email Based Attacks
Fake US govt job offers push Cobalt Strike in phishing attacks (bleepingcomputer.com)
Germany arrests hacker for stealing €4 million via phishing attacks (bleepingcomputer.com)
Capital One Phish Showcases Growing Bank-Brand Targeting Trend (darkreading.com)
Other Social Engineering; Smishing, Vishing, etc
How cyber criminals use public online and offline data to target employees | CSO Online
Beware Revolut frozen card scams sent via SMS text • Graham Cluley
IRS warns Americans of massive rise in SMS phishing attacks (bleepingcomputer.com)
Malware
Office exploits continue to spread more than any other category of malware - Help Net Security
This credit card-stealing malware is spreading like wildfire | Digital Trends
Hacking group hides backdoor malware inside Windows logo image (bleepingcomputer.com)
Hackers now sharing cracked Brute Ratel post-exploitation kit online (bleepingcomputer.com)
Cobalt Strike malware campaign targets job seekers (techtarget.com)
New Botnet 'Chaos' Targeting Linux, Windows Systems (informationsecuritybuzz.com)
Malware targets VMware users for espionage, Mandiant says • The Register
Chaos Malware Resurfaces With All-New DDoS & Cryptomining Modules (darkreading.com)
Quantum Builder tool helps criminals spread Windows RATs • The Register
Unit 42 finds polyglot files delivering IcedID malware (techtarget.com)
Hackers use PowerPoint files for 'mouseover' malware delivery (bleepingcomputer.com)
Does AI-powered malware exist in the wild? Not yet (techtarget.com)
New Erbium password-stealing malware spreads as game cracks, cheats (bleepingcomputer.com)
Lazarus APT continues to target job seekers with macOS malware - Security Affairs
APT28 relies on PowerPoint Mouseover to deliver Graphite malware - Security Affairs
Mobile
WhatsApp 0-Day Bug Let Hackers Execute an Arbitary Code Remotely (gbhackers.com)
Adware on Google Play and Apple Store installed 13 million times (bleepingcomputer.com)
Samsung facing class action suit after customer data leak • The Register
Inside a cyber attack method that targets your cellphone - The Washington Post
Internet of Things – IoT
Data Breaches/Leaks
Watchfinder warns customers that hackers stole their data • Graham Cluley
Shangri-La hotels Customer Database Hacked | SecurityWeek.Com
Hacker Behind Optus Breach Releases 10,200 Customer Records in Extortion Scheme (thehackernews.com)
Australia government wants Optus to pay for data breach | ZDNET
Organised Crime & Criminal Actors
Ukraine Arrests Cyber Crime Group for Selling Data of 30 Million Accounts (thehackernews.com)
New hacking group ‘Metador’ lurking in ISP networks for months (bleepingcomputer.com)
Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain
Scams targeting crypto enthusiasts are becoming increasingly common - Help Net Security
Chaos Malware Resurfaces With All-New DDoS & Cryptomining Modules (darkreading.com)
Cyber sleuth alleges $160M Wintermute hack was an inside job (cointelegraph.com)
Insider Risk and Insider Threats
Fraud, Scams & Financial Crime
Identities Stolen From 1 In 4 Internet Users (informationsecuritybuzz.com)
Fake Sites Siphon Millions of Dollars in 3-Year Scam (darkreading.com)
Here’s how crooks are using deepfakes to scam your biz • The Register
Deepfakes
Reshaping the Threat Landscape: Deepfake Cyber attacks Are Here (darkreading.com)
The deepfake danger: When it wasn’t you on that Zoom call | CSO Online
Software Supply Chain
Denial of Service DoS/DDoS
Hackers are making DDoS attacks sneakier and harder to protect against | ZDNET
UK's MI5 website briefly hit by denial of service attack - BBC | Reuters
Chaos Malware Resurfaces With All-New DDoS & Cryptomining Modules (darkreading.com)
Cloud/SaaS
Cloud security trends: What makes cloud infrastructure vulnerable to threats? - Help Net Security
81% of Companies Suffered A Cloud Security Incident Last Year – (informationsecuritybuzz.com)
What Lurks in the Shadows of Cloud Security? (darkreading.com)
Open Source
Open source projects under attack, with enterprises as the ultimate targets - Help Net Security
Microsoft: Lazarus hackers are weaponizing open-source software (bleepingcomputer.com)
Numerous orgs hacked after installing weaponized open source apps | Ars Technica
Passwords, Credential Stuffing & Brute Force Attacks
The Country Where You Live Impacts Password Choices (darkreading.com)
Five Steps to Mitigate the Risk of Credential Exposure (thehackernews.com)
Social Media
Fake CISO Profiles on LinkedIn Target Fortune 500s – Krebs on Security
Ofcom chair says tech firms must prioritise safety alongside clicks | Ofcom | The Guardian
UK may fine TikTok $29 million for failing to protect children's privacy | Reuters
Training, Education and Awareness
Parental Controls and Child Safety
Regulations, Fines and Legislation
Models, Frameworks and Standards
Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine
Cyber Warfare Rife in Ukraine, But Impact Stays in Shadows | SecurityWeek.Com
Mystery hackers are “hyperjacking” targets for insidious spying | Ars Technica
Cyber espionage group developed backdoors tailored for VMware ESXi hypervisors | CSO Online
Taiwanese citizens prepare for possible cyber war (axios.com)
Malware targets VMware users for espionage, Mandiant says • The Register
Espionage Group Wields Steganographic Backdoor Against Govs, Stock Exchange (darkreading.com)
Nation State Actors
Nation State Actors – Russia
Researchers Identify 3 Hacktivist Groups Supporting Russian Interests (thehackernews.com)
APT28 relies on PowerPoint Mouseover to deliver Graphite malware - Security Affairs
Meta dismantles massive Russian network spoofing Western news sites (bleepingcomputer.com)
Nation State Actors – China
Chinese Cyberespionage Group 'Witchetty' Updates Toolset in Recent Attacks | SecurityWeek.Com
China’s infosec researchers may have dodged vuln report ban` • The Register
Nation State Actors – North Korea
Lazarus Lures Aspiring Crypto Pros With Fake Exchange Job Postings (darkreading.com)
Microsoft: Lazarus hackers are weaponizing open-source software (bleepingcomputer.com)
Lazarus APT continues to target job seekers with macOS malware - Security Affairs
Lazarus hackers abuse Dell driver bug using new FudModule rootkit (bleepingcomputer.com)
Nation State Actors – Iran
Nation State Actors – Misc
Vulnerabilities
Exchange Server zero-day being actively exploited • The Register
Microsoft Confirms Pair of Blindsiding Exchange Zero-Days, No Patch Yet (darkreading.com)
Cisco Patches High-Severity Vulnerabilities in Networking Software | SecurityWeek.Com
Sophos fixes critical code injection bug under exploit • The Register
Zoho ManageEngine flaw is actively exploited, CISA warns | CSO Online
Lazarus hackers abuse Dell driver bug using new FudModule rootkit (bleepingcomputer.com)
Google Quashes 5 High-Severity Bugs With Chrome 106 Update (darkreading.com)
Critical WhatsApp Bugs Could Have Let Attackers Hack Devices Remotely (thehackernews.com)
Go Update iOS, Chrome, and HP Computers to Fix Serious Flaws | WIRED
Reports Published in the Last Week
Other News
High-Profile Hacks Show Effectiveness of MFA Fatigue Attacks | SecurityWeek.Com
Poll Of IT Security Pros Suggests Gaps In UK Cyber Defence (informationsecuritybuzz.com)
Why Organisations Need Both EDR and NDR for Complete Network Protection (thehackernews.com)
Lessons From the GitHub Cyber Security Breach (darkreading.com)
Data security trends: 7 statistics you need to know - Help Net Security
Why does a Legacy WAF Fail to “Catch” Sophisticated Attacks? (informationsecuritybuzz.com)
Akamai finds 13 million malicious newly observed domains a month | SC Media (scmagazine.com)
Opinion | The Uber Hack Exposes More Than Failed Data Security - The New York Times (nytimes.com)
Cyber security Study Sees “Siloed” Security As Organisational Weak Spot - MSSP Alert
3 types of attack paths in Microsoft Active Directory environments - Help Net Security
97% of enterprises say VPNs are prone to cyber attacks: Study | CSO Online
65% of companies are considering adopting VPN alternatives - Help Net Security
Spoofing cyber attack can make cameras see things that aren’t there | New Scientist
Zero Trust is the Goal But Much Ground Yet to Cover, CompTIA Reports - MSSP Alert
Sector Specific
Industry specific threat intelligence reports are available.
Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.
· Automotive
· Construction
· Critical National Infrastructure (CNI)
· Defence & Space
· Education & Academia
· Energy & Utilities
· Estate Agencies
· Financial Services
· FinTech
· Food & Agriculture
· Gaming & Gambling
· Government & Public Sector (including Law Enforcement)
· Health/Medical/Pharma
· Hotels & Hospitality
· Insurance
· Legal
· Manufacturing
· Maritime
· Oil, Gas & Mining
· OT, ICS, IIoT, SCADA & Cyber-Physical Systems
· Retail & eCommerce
· Small and Medium Sized Businesses (SMBs)
· Startups
· Telecoms
· Third Sector & Charities
· Transport & Aviation
· Web3
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Threat Briefing 23 September 2022
Black Arrow Cyber Threat Briefing 23 September 2022:
-Cyber Insurers Clamp Down on Clients' Self-Attestation of Security Controls
-Survey Shows CISOs Losing Confidence in Ability to Stop Ransomware Attacks
-MFA Fatigue: Hackers’ New Favourite Tactic In High-Profile Breaches
-Credential Stuffing Accounts For One-third Of Global Login Attempts, Okta Finds
-Ransomware Operators Might Be Dropping File Encryption In Favour Of Corrupting Files
-Revolut Hack Exposes Data Of 50,000 Users, Fuels New Phishing Wave
-Researchers Say Insider Threats Play A Larger Role In Security Incidents
-SMBs vs. Large Enterprises: Not All Compromises Are Created Equal
-Cyber Attack Costs for Businesses up by 80%
-Morgan Stanley Fined $35m By SEC For Data Security Lapse, Sold Devices Full of Customer PII
-Eyeglass Reflections Can Leak Information During Video Calls
-Uber Says It Was Likely Hacked by Teenage Hacker Gang LAPSUS$
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
Cyber Insurers Clamp Down on Clients' Self-Attestation of Security Controls
After one company suffered a breach that could have been headed off by the MFA it claimed to have, insurers are looking to confirm claimed cyber security measures.
A voided lawsuit from a cyber insurance carrier claiming its customer misled it on its insurance application could potentially pave the way to change how underwriters evaluate self-attestation claims on insurance applications.
The case — Travelers Property Casualty Company of America v. International Control Services Inc. (ICS) — hinged on ICS claiming it had multifactor authentication (MFA) in place when the electronics manufacturer applied for a policy. In May the company experienced a ransomware attack. Forensics investigators determined there was no MFA in place, so Travelers asserted it should not be liable for the claim. The case was filed in the US District Court for the Central District of Illinois on July 6 and at the end of August, the litigants agreed to void the contract, ending ICS's efforts to have its insurer cover its losses.
This case was unusual in that Travelers maintained the misrepresentation "materially affected the acceptance of the risk and/or the hazard assumed by Travelers" in the court filing. Taking a client to court is a departure from other similar cases where an insurance company simply denied the claim.
Sean O'Brien of Yale Law School notes that security should be proactive, stopping possible breaches before they occur rather than simply responding to each successful attack. The insurance industry is likely to become more and more pernickety as cyber security claims rise, defending their bottom line and avoiding reimbursement wherever possible. This has always been the role of insurance adjusters, of course, and their business is in many ways adversarial to your organisation's interests after the dust settles from a cyber attack.
That said, organisations should not expect a payout for poor cyber security policies and practices, he notes.
Survey Shows CISOs Losing Confidence in Ability to Stop Ransomware Attacks
Despite an 86% surge in budget resources to defend against ransomware, 90% of organisations were impacted by attacks last year, a survey reveals.
An annual survey of CISOs from Canada, the UK, and US reveals that security teams are starting to lose hope that they can defend against the next ransomware attack. The survey was conducted by SpyCloud, and it showed that although budgets to protect against cyber attacks have swelled by 86%, a full 90% of organisations surveyed said they had been impacted by a ransomware over the past year.
More organisations have implemented 'Plan B' measures this year, from opening cryptocurrency accounts to purchasing ransomware insurance. These findings suggest that organisations realise threats are slipping through their defences and a ransomware attack is inevitable.
The survey did show some bright spots on the cyber security front — nearly three-quarters of those organisations surveyed are using multifactor authentication (MFA), with an increase from 44% to 73% year-over-year. The report added that respondents said they are focused on stopping credential-stealing malware, particularly on unmanaged network devices.
MFA Fatigue: Hackers’ New Favourite Tactic in High-Profile Breaches
Hackers are more frequently using social engineering attacks to gain access to corporate credentials and breach large networks. One component of these attacks that is becoming more popular with the rise of multi-factor authentication is a technique called MFA Fatigue.
When breaching corporate networks, hackers commonly use stolen employee login credentials to access VPNs and the internal network. The reality is that obtaining corporate credentials is far from difficult for threat actors, who can use various methods, including phishing attacks, malware, leaked credentials from data breaches, or purchasing them on dark web marketplaces.
To counter this, enterprises have increasingly adopted multi-factor authentication to prevent users from logging into a network without first entering an additional form of verification. This additional information can be a one-time passcode, a prompt asking you to verify the login attempt, or the use of hardware security keys.
While threat actors can use numerous methods to bypass multi-factor authentication, most revolve around stealing cookies through malware or man-in-the-middle phishing attack frameworks. However, a social engineering technique called 'MFA Fatigue' is growing more popular with threat actors as it does not require malware or phishing infrastructure and has proven to be successful in attacks.
An MFA Fatigue attack is when a threat actor runs a script that attempts to log in with stolen credentials over and over, causing what feels like an endless stream of MFA push requests to be sent to the account's owner's mobile device. The goal is to keep this up, day and night, to break down the target's cyber security posture and inflict a sense of "fatigue" regarding these MFA prompts.
Credential Stuffing Accounts for One-third Of Global Login Attempts
Okta’s global State of Secure Identity Report has found that credential stuffing is the top threat against customer accounts, outpacing legitimate login traffic in some countries. The report presents trends, examples and observations unearthed from the billions of authentications on Okta’s Auth0 platform.
Credential stuffing is when attacks take advantage of the practice of password reuse. It begins with a stolen login or password pair, then threat actors use these credentials across other common sites, using automated tooling used to “stuff” credential pairs into login forms. When an account holder reuses the same (or similar) passwords on multiple sites, it creates a domino effect in which a single credential pair can be used to breach multiple applications.
Across all industries globally, Okta found there were almost 10 billion credential stuffing attempts in the first 90 days of 2022, which amounts to 34% of authentication traffic.
Ransomware Operators Might Be Dropping File Encryption in Favour of Corrupting Files
Corrupting files is faster, cheaper, and less likely to be stopped by endpoint protection tools than encrypting them.
A recent attack that involved a threat actor believed to be an affiliate of the BlackCat/ALPHV ransomware-as-a-service (RaaS) operation was found to use a data exfiltration tool dubbed Exmatter. Exmatter is a tool that allows attackers to scan the victim computer's drives for files with certain extensions and then upload them to an attacker-controlled server in a unique directory created for every victim. The tool supports several exfiltration methods including FTP, SFTP, and webDAV.
The way the Eraser function works is that it loads two random files from the list into memory and then copies a random chunk from the second file to the beginning of the first file overwriting its original contents. This doesn't technically erase the file but rather corrupts it. The researchers believe this feature is still being developed because the command that calls the Eraser function is not yet fully implemented and the function’s code still has some inefficiencies. Since the selected data chunk is random, it can sometimes be very small, which makes some files more recoverable than others.
Why destroy files by overwriting them with random data instead of deploying ransomware to encrypt them? At a first glance these seem like similar file manipulation operations. Encrypting a file involves overwriting it, one block at a time, with random-looking data (the ciphertext). However, there are ways to detect these encryption operations when done in great succession and many endpoint security programs can now detect when a process exhibits this behaviour and can stop it. Meanwhile, the kind of file overwriting that Exmatter does is much more subtle.
The act of using legitimate file data from the victim machine to corrupt other files may be a technique to avoid heuristic-based detection for ransomware and wipers, as copying file data from one file to another is much more plausibly benign functionality compared to sequentially overwriting files with random data or encrypting them.
Another reason is that encrypting files is a more intensive task that takes a longer time. It's also much harder and costly to implement file encryption programs, which ransomware essentially are, without bugs or flaws that researchers could exploit to reverse the encryption. There have been many cases over the years where researchers found weaknesses in ransomware encryption implementations and were able to release decryptors. This has happened to BlackMatter, the Ransomwware-as-a-Service (RaaS) operation with which the Exmatter tool has been originally associated.
With data exfiltration now the norm among threat actors, developing stable, secure, and fast ransomware to encrypt files is a redundant and costly endeavour compared to corrupting files and using the exfiltrated copies as the means of data recovery.
It remains to be seen if this is the start of a trend where ransomware affiliates switch to data destruction instead of encryption, ensuring the only copy is in their possession, or if it's just an isolated incident where BlackMatter/BlackCat affiliates want to avoid mistakes of the past. However, data theft and extortion attacks that involve destruction are not new and have been widespread in the cloud database space. Attackers have hit unprotected S3 buckets, MongoDB databases, Redis instances, and ElasticSearch indexes for years, deleting their contents and leaving behind ransom notes so it wouldn't be a surprise to see this move to on-premises systems as well.
Revolut Hack Exposes Data Of 50,000 Users, Fuels New Phishing Wave
Revolut has suffered a cyber attack that gave an unauthorised third party access to personal information of tens of thousands of clients. The incident occurred over a week ago, on Sunday night, and has been described as "highly targeted."
Founded in 2015, Revolut is a financial technology company that has seen a rapid growth, now offering banking, money management, and investment services to customers all over the world. In a statement a company spokesperson said that an unauthorised party had access "for a short period of time" to details of only a 0.16% of its customers.
"We immediately identified and isolated the attack to effectively limit its impact and have contacted those customers affected. Customers who have not received an email have not been impacted" , Revolut said.
According to the breach disclosure to the State Data Protection Inspectorate in Lithuania, where Revolut has a banking license, 50,150 customers have been impacted. Based on the information from Revolut, the agency said that the number of affected customers in the European Economic Area is 20,687, and just 379 Lithuanian citizens are potentially impacted by this incident.
Details on how the threat actor gained access to the database have not been disclosed but it appears that the attacker relied on social engineering. The Lithuanian data protection agency notes that the likely exposed information includes:
Email addresses
Full names
Postal addresses
Phone numbers
Limited payment card data
Account data
However, in a message to an affected customer, Revolut says that the type of compromised personal data varies for different customers. Card details, PINs, or passwords were not accessed.
Researchers Say Insider Threats Play a Larger Role In Security Incidents
Insider threats are becoming an increasingly common part of the attack chain, with malicious insiders and unwitting assets playing critical roles in incidents over the past year, according to Cisco Talos research.
In a blog post, Cisco Talos researchers said organisations can mitigate these types of risks via education, user-access control, and ensuring proper processes and procedures are in place when and if employees leave the organisation.
There are a variety of reasons a user may choose to become a malicious insider, and unfortunately many of them are occurring today. The most obvious being financial distress, where a user has a lot of debt and selling the ability to infect their employer can be a tempting avenue. There have been examples of users trying to sell access into employer networks for more than a decade, having spotted them on dark web forums. The current climate, with the economy tilting toward recession, is ripe for this type of abuse.
The cyber crime underground remains a hot spot for insider threat recruitment efforts because of the relative anonymity, accessibility, and low barrier of entry it affords. Malicious actors use forums and instant messaging platforms to advertise their insider services or, vice versa, to recruit accomplices for specific schemes that require insider access or knowledge.
By far, the most popular motivation for insider threats is financial gain. There are plenty of examples of financially-motivated threat actors seeking employees at companies to provide data and access to sell in the underground or leverage against the organisation or its customers. There have also been instances where individuals turn to underground forums and instant messaging platforms claiming to be employees at notable organisations to sell company information.
SMBs vs. Large Enterprises: Not All Compromises Are Created Equal
Attackers view smaller organisations as having fewer security protocols in place, therefore requiring less effort to compromise. Lumu has found that compromise is significantly different for small businesses than for medium-sized and large enterprises.
There is no silver bullet for organisations to protect themselves from compromise, but there are critical steps to take to understand your potential exposure and make sure that your cyber security protocols are aligned accordingly.
Compromise often stay undetected for long periods of time – 201 days on average with compromise detection and containment taking approximately 271 days. It’s critical for smaller businesses to know they are more susceptible and to get ahead of the curve with safeguards.
Results from the Lumu Ransomware Assessment show a few reasons why attacks continue to stay undetected for such long periods of time:
· 58% of organisations aren’t monitoring roaming devices, which is concerning with a workforce that has embraced remote working
· 72% of organisations either don’t or only partially monitor the use of network resources and traffic, which is problematic given that most compromises tend to originate from within the network
· Crypto-mining doesn’t appear to be a concern for the majority of organisations as 76% either do not know or only partially know how to identify it; however, this is a commonly used technique for cyber criminals
Additionally, threat data unveils attack techniques used and how they vary based on the size of the organisation.
Small businesses are primarily targeted by malware attacks (60%) and are also at greater risk of Malware, Command and Control, and Crypto-Mining. Medium-sized businesses and large enterprises don’t see as much malware and are more susceptible to Domain Generated Algorithms (DGA). This type of attack allows adversaries to dynamically identify a destination domain for command and control traffic rather than relying on a list of static IP addresses or domains.
https://www.helpnetsecurity.com/2022/09/22/smaller-organizations-security-protocols/
Cyber Attack Costs for Businesses up by 80%
In seven out of eight countries, cyber attacks are now seen as the biggest risk to business — outranking COVID-19, economic turmoil, skills shortages, and other issues. The "Hiscox Cyber Readiness Report 2022," which assesses how prepared businesses are to fight back against cyber incidents and breaches, polled more than 5,000 corporate cyber security professionals in the US, UK, Belgium, France, Germany, Ireland, Spain, and the Netherlands. These experts had some enlightening things to say.
According to the report, IT pros are more worried about cyber attacks (46%) than the pandemic (43%) or skills shortages (38%). And the data prove it. The survey indicates that in the past 12 months, US businesses weathered a 7% increase in cyber attacks. Approximately half of all US businesses (47%) suffered an attack in the past year.
Remote work has caused many smaller organisations to use cloud solutions instead of utilizing in-house IT services. However, with more cloud applications and APIs in use, the attack surface has broadened, too, making these organisations more vulnerable to cyber crime.
Although the proportion of staff working remotely almost halved in the past year — from 62% of the workforce in 2021 to 39% in 2022 — overall IT expenditures doubled, from $11.5 million in 2021 to $24.2 million this year. "Despite 61% of survey respondents now being back in the office, businesses are still experiencing a hangover from the pandemic," Hiscox said in a statement. "Remote working provided a year-long Christmas for cyber criminals, and we can see the results of their cyber-feast in the increased frequency and cost of attacks. As we move into a new era of hybrid working, we all have an increased responsibility to continue learning, and managing our own cyber security."
It may come as no surprise that as more organisations evolve and scale their digital business models, the median cost of an attack has surged — from $10,000 last year to $18,000 in 2022. The US is bearing the brunt of generally higher cyber attack costs, with 40% of attack victims incurring costs of $25,000 or higher. The most common vulnerability — i.e., the entry point for cyber criminals — was a cloud-based corporate server.
However, in terms of attack costs, the report reveals major regional disparities. While one organisation in the UK suffered total attack costs of $6.7 million, the hardest-hit firms in Germany, Ireland, and the Netherlands paid out more than $5 million. In turn, Belgium, France, Germany, and Spain all experienced stable or lower median costs.
https://www.darkreading.com/attacks-breaches/cyberattack-costs-for-us-businesses-up-by-80-
Morgan Stanley Fined $35m By SEC For Data Security Lapse, Sold Devices Full of Customer PII
American financial services giant Morgan Stanley agreed to pay the Securities and Exchange Commission (SEC) a $35m penalty on Tuesday over data security lapses.
According to the SEC's complaint, the firm would have allowed roughly 1000 unencrypted hard drives (HDDs) and about 8000 backup tapes from decommissioned data centres to be resold on auction sites without first being wiped.
The improper disposal of the devices reportedly started in 2016 and per the SEC complaint, was part of an "extensive failure" that exposed 15 million customers' data.
In fact, instead of destroying the hard drives or employing an internal IT team to erase them, Morgan Stanley would have contracted an unnamed third–party moving company with allegedly no experience in decommissioning storage media to take care of the hardware.
The moving company initially subcontracted an IT firm to wipe the drives, but their business relationship went sour, so the mover started selling the storage devices to another firm that auctioned them online without erasing them.
"This is an astonishing security mistake by one of the world's most prestigious banks, who would be expected to have well–established procedures in system life cycle management," Jordan Schroeder, managing CISO at Barrier Networks, told Infosecurity Magazine.
"Not only does the situation mean that the bank put customer data at risk, but it also demonstrates the organisation was not following an expected policy which explained the secure disposing of IT equipment."
https://www.infosecurity-magazine.com/news/morgan-stanley-pay-dollar35m-sec/
Eyeglass Reflections Can Leak Information During Video Calls
A group of academic researchers have devised a method of reconstructing text exposed via participants’ eyeglasses and other reflective objects during video conferences.
Zoom and other video conferencing tools, which have been widely adopted over the past couple of years as a result of the Covid-19 pandemic, may be used by attackers to leak information unintentionally reflected in objects such as eyeglasses, the researchers say.
Using mathematical modelling and human subjects experiments, this research explores the extent to which emerging webcams might leak recognizable textual and graphical information gleaming from eyeglass reflections captured by webcams.
Dubbed ‘webcam peeking attack’, a threat model devised by academics shows that it is possible to obtain an accuracy of over 75% when reconstructing and recognizing text with heights as small as 10 mm, captured by a 720p webcam.
According to the academics, attackers can also rely on webcam peeking to identify the websites that the victims are using. Moreover, they believe that 4k webcams will allow attackers to easily reconstruct most header texts on popular websites.
To mitigate the risk posed by webcam peeking attacks, the researchers propose both near- and long-term mitigations, including the use of software that can blur the eyeglass areas of the video stream. Some video conferencing solutions already offer blurring capabilities, albeit not fine-tuned.
https://www.securityweek.com/eyeglass-reflections-can-leak-information-during-video-calls
Uber Says It Was Likely Hacked by Teenage Hacker Gang LAPSUS$
Uber has published additional information about how it was hacked, claiming that it was targeted by LAPSUS$, a cyber criminal gang with a hefty track record that is thought to be composed largely of teenagers.
Last week, someone broke into Uber’s network and used the access to cause all sorts of chaos. The culprit, who claims to be 18 years old, managed to spam company staff with vulgar Slack messages, post a picture of a penis on the company’s internal websites, and leak images of Uber’s internal environment to the web. Now, the ride-share giant has released a statement providing details on its ordeal.
In its update, the company has clarified how it was hacked, largely confirming an account made by the hacker themself. Uber says that the hacker exploited the login credentials of a company contractor to initially gain access to the network. The hacker may have originally bought access to those credentials via the dark web, Uber says. The hacker then used them to make multiple login attempts to the contractor’s account. The login attempts prompted a slew of multi-factor authentication requests for the contractor, who ultimately authenticated one of them. The hacker has previously claimed that it conducted a social engineering scheme to convince the contractor to authenticate the login attempt.
Security experts have called this an “MFA fatigue” attack. This increasingly common intrusion tactic seeks to overwhelm a victim with authentication push requests until they validate the hacker’s illegitimate login attempt.
Most interestingly, Uber has also claimed that whoever was behind this hacking episode is affiliated with the cyber crime gang “LAPSUS$.” It’s not totally clear how Uber knows that.
https://gizmodo.com/uber-says-it-was-hacked-by-teenage-hacker-gang-lapsus-1849554679
Threats
Ransomware and Extortion
Microsoft SQL servers hacked in TargetCompany ransomware attacks (bleepingcomputer.com)
BlackCat ransomware’s data exfiltration tool gets an upgrade (bleepingcomputer.com)
SpyCloud Report: 90% of Companies Affected by Ransomware in 2022 - MSSP Alert
Netflix-style Ransomware Makes Your Organisation’s Data The Prize In A (informationsecuritybuzz.com)
LockBit ransomware builder leaked online by “angry developer” (bleepingcomputer.com)
How to Prevent Ransomware as a Service (RaaS) Attacks (trendmicro.com)
The Risk of Ransomware Supply Chain Attacks (trendmicro.com)
Europol and Bitdefender Release Free Decryptor for LockerGoga Ransomware (thehackernews.com)
Vice Society Demands Ransom From LAUSD Two Weeks After Hack (gizmodo.com)
Phishing & Email Based Attacks
Microsoft: Exchange servers hacked via OAuth apps for phishing (bleepingcomputer.com)
LinkedIn Smart Links abused in evasive email phishing attacks (bleepingcomputer.com)
BBC Warns Of Cost-of-living Phishing, Expert Weighs In (informationsecuritybuzz.com)
Microsoft 365 phishing attacks impersonate US govt agencies (bleepingcomputer.com)
How DKIM records reduce email spoofing, phishing and spam (techtarget.com)
Security alert: new phishing campaign targets GitHub users | The GitHub Blog
American Airlines learned it was breached from phishing targets (bleepingcomputer.com)
Email-based threats: A pain point for organisations - Help Net Security
Other Social Engineering; Smishing, Vishing, etc
Malware
IT giants warn of ongoing Chromeloader malware campaigns - Security Affairs
Fake sites fool Zoom users into downloading deadly code • The Register
Malicious NPM package discovered in supply chain attack (techtarget.com)
How botnet attacks work and how to defend against them (bleepingcomputer.com)
Mobile
This dangerous Android spyware could affect millions of devices | TechRadar
Banking Users Faced With Rewards Phishing Scam - IT Security Guru
Malicious Apps With Millions of Downloads Found in Apple App Store, Google Play (darkreading.com)
Data Breaches/Leaks
Cyber Attack Steals Passenger Data From Portuguese Airline | SecurityWeek.Com
American Airlines discloses data breach after employee email compromise (bleepingcomputer.com)
Significant cyber attack hits Australian telco Optus • The Register
Organised Crime & Criminal Actors
London Police Arrested 17-Year-Old Hacker Suspected of Uber and GTA 6 Breaches (thehackernews.com)
Ukraine dismantles hacker gang that stole 30 million accounts (bleepingcomputer.com)
Cambodian authorities crack down on cyber slavery • The Register
Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain
Cryptocurrency world's Wintermute loses $160m in cyber-heist • The Register
South Korean prosecutors ask Interpol to issue red notice for Do Kwon | Financial Times (ft.com)
"Fake crypto millionaire" charged with alleged $1.7M cryptomining scam (bitdefender.com)
Insider Risk and Insider Threats
Fraud, Scams & Financial Crime
Multi-million dollar credit card fraud operation uncovered (bleepingcomputer.com)
Microsoft Warns of Large-Scale Click Fraud Campaign Targeting Gamers (thehackernews.com)
Cyber crime cost American seniors $3 billion last year, a 62% jump (usatoday.com)
Insurance
Cyber Security Insurance Trends: Key Takeaways for MSPs - MSSP Alert
D&O insurance not yet a priority despite criminal trial of Uber’s former CISO | CSO Online
Supply Chain and Third Parties
Denial of Service DoS/DDoS
DDoS and bot attacks in 2022: Business sectors at risk and how to defend (bleepingcomputer.com)
Record DDoS Attack with 25.3 Billion Requests Abused HTTP/2 Multiplexing (thehackernews.com)
Imperva mitigated long-lasting, 25.3 billion request DDoS attack (bleepingcomputer.com)
Cloud/SaaS
Encryption
API
Open Source
Privacy, Surveillance and Mass Monitoring
Pressure mounts against Europol over data privacy • The Register
San Francisco cops can use private cameras for surveillance • The Register
Parental Controls and Child Safety
Regulations, Fines and Legislation
5 Data Privacy Laws That Could Affect Your Business (informationsecuritybuzz.com)
France and Germany fall foul of EU data retention rules • The Register
Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine
Russia Makes Veiled Threat to Destroy SpaceX's Starlink (pcmag.com)
Researchers Uncover New Metador APT Targeting Telcos, ISPs, and Universities (thehackernews.com)
Russian Sandworm hackers pose as Ukrainian telcos to drop malware (bleepingcomputer.com)
Anonymous claims hacked website of Russian Ministry of Defence - Security Affairs
Pro-Ukraine Hacktivists Claim to Have Hacked Notorious Russian Mercenary Group (vice.com)
European Spyware Investigators Criticize Israel and Poland | SecurityWeek.Com
Hackathon finds dozens of Ukrainian refugees trafficked online | Ars Technica
Researchers Uncover Mysterious 'Metador' Cyber-Espionage Group (darkreading.com)
This dangerous Android spyware could affect millions of devices | TechRadar
Nation State Actors
Nation State Actors – Russia
Inside Russia’s Vast Surveillance State: ‘They Are Watching’ - The New York Times (nytimes.com)
Russian Cyberspies Targeting Ukraine Pose as Telecoms Providers | SecurityWeek.Com
Nation State Actors – China
Nation State Actors – Iran
FBI: Iranian hackers lurked in Albania’s govt network for 14 months (bleepingcomputer.com)
NATO's Team in Albania to Help on Iran-Alleged Cyber Attack | SecurityWeek.Com
Nation State Actors – Misc
Vulnerability Management
Vulnerabilities
Hackers Actively Exploiting New Sophos Firewall RCE Vulnerability (thehackernews.com)
CISA adds Zoho ManageEngine flaw to its Known Exploited Vulnerabilities Catalogue - Security Affairs
AttachMe: a critical flaw affects Oracle Cloud Infrastructure (OCI) - Security Affairs
BIND Updates Patch High-Severity Vulnerabilities | SecurityWeek.Com
15-year-old Python flaw found in 'over 350,000' projects • The Register
CISA warns of critical ManageEngine RCE bug used in attacks (bleepingcomputer.com)
Critical Magento vulnerability targeted in new surge of attacks (bleepingcomputer.com)
Reports Published in the Last Week
Other News
Why Even Big Tech Companies Keep Getting Hacked—and What They Plan to Do About It - WSJ
20/20 visibility is paramount to network security - Help Net Security
Domain shadowing becoming more popular among cyber criminals (bleepingcomputer.com)
Multi-factor authentication fatigue attacks are on the rise: How to defend against them | CSO Online
What's behind the different names for cyber hacker groups (axios.com)
IT services group Wipro fires 300 employees moonlighting for competitors | TechCrunch
How can organisations benefit from full-stack observability? - Help Net Security
Firing Your Entire Cyber Security Team? Are You Sure? (thehackernews.com)
Cyber criminals launching more MFA bypass attacks (techtarget.com)
Microsoft (MSFT) Says Managers Shouldn’t Spy on Staff to Ensure They’re Working - Bloomberg
A third of enterprises globally don’t prioritize digital trust: ISACA | CSO Online
How Malware Hides in Images and What You Can Do About It (gizmodo.com)
International cooperation is key to fighting threat actors and cyber crime | CSO Online
Sector Specific
Industry specific threat intelligence reports are available.
Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.
· Automotive
· Construction
· Critical National Infrastructure (CNI)
· Defence & Space
· Education & Academia
· Energy & Utilities
· Estate Agencies
· Financial Services
· FinTech
· Food & Agriculture
· Gaming & Gambling
· Government & Public Sector (including Law Enforcement)
· Health/Medical/Pharma
· Hotels & Hospitality
· Insurance
· Legal
· Manufacturing
· Maritime
· Oil, Gas & Mining
· OT, ICS, IIoT, SCADA & Cyber-Physical Systems
· Retail & eCommerce
· Small and Medium Sized Businesses (SMBs)
· Startups
· Telecoms
· Third Sector & Charities
· Transport & Aviation
· Web3
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.