Threat Intelligence Blog
Contact us to discuss any insights from our Blog, and how we can support you in a tailored threat intelligence report.
Black Arrow Cyber Threat Briefing 06 August 2021
Black Arrow Cyber Threat Briefing 06 August 2021:
-Ransomware Volumes Hit Record High
-Ransomware Gangs Recruiting Insiders To Breach Corporate Networks
-More Than 12,500 Vulnerabilities Disclosed In First Half Of 2021
-New DNS Vulnerability Allows 'Nation-State Level Spying' On Companies
-Constant Review Of Third Party Security Critical As Ransomware Threat Climbs
-Kaseya Ransomware Attack Sets Off Race To Hack Service Providers
-Joint UK/US Advisory Detailing Top 30 Vulnerabilities Include Plenty Of Usual Suspects
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
Ransomware Volumes Hit Record Highs As 2021 Wears On
Ransomware has seen a significant uptick so far in 2021, with global attack volume increasing by 151 percent for the first six months of the year as compared with the year-ago half. Meanwhile, the FBI has warned that there are now 100 different strains circulating around the world. From a hard-number perspective, the ransomware scourge hit a staggering 304.7 million attempted attacks. To put that in perspective, the firm logged 304.6 million ransomware attempts for the entirety of 2020.
https://threatpost.com/ransomware-volumes-record-highs-2021/168327/
Ransomware Gangs Recruiting Insiders To Breach Corporate Networks
The LockBit 2.0 ransomware gang is actively recruiting corporate insiders to help them breach and encrypt networks. In return, the insider is promised million-dollar payouts. Many ransomware gangs operate as a Ransomware-as-a-Service, which consists of a core group of developers, who maintain the ransomware and payment sites, and recruited affiliates who breach victims' networks and encrypt devices. Any ransom payments that victims make are then split between the core group and the affiliate, with the affiliate usually receiving 70-80% of the total amount. However, in many cases, the affiliates purchase access to networks from other third-party pentesters rather than breaching the company themselves. With LockBit 2.0, the ransomware gang is trying to remove the middleman and instead recruit insiders to provide them access to a corporate network.
More Than 12,500 Vulnerabilities Disclosed In First Half Of 2021
Two new reports were released, covering data breaches and vulnerabilities in the first half of 2021, finding that there was a decline in the overall number of reported breaches but an increase in the number of vulnerabilities disclosed. The company's data breach report found that there were 1,767 publicly reported breaches in the first six months of 2021, a 24% decline compared to the same period last year. The number of reported breaches grew in the US by 1.5% while 18.8 billion records were exposed year to date, a 32% decline compared to the 27.8 billion records leaked in the first half of 2020.
New DNS Vulnerability Allows 'Nation-State Level Spying' On Companies
Security researchers found a new class of DNS vulnerabilities impacting major DNS-as-a-Service (DNSaaS) providers that could allow attackers to access sensitive information from corporate networks.
DNSaaS providers (also known as managed DNS providers) provide DNS renting services to other organisations that do not want to manage and secure yet another network asset on their own.
These DNS flaws provide threat actors with nation-state intelligence harvesting capabilities with a simple domain registration.
Constant Review Of Third Party Security Critical As Ransomware Threat Climbs
Enterprises typically would give their third-party suppliers "the keys to their castle" after carrying out the usual checks on the vendor's track history and systems, according to a New York-based Forrester analyst who focuses on security and risk. They believed they had done their due diligence before establishing a relationship with the supplier, but they failed to understand that they should be conducting reviews on a regular basis, especially with their critical systems suppliers. Third-party suppliers should have the ability to deal with irregular activities in their systems and the appropriate security architecture in place to prevent any downstream effects, he added.
Kaseya Ransomware Attack Sets Off Race To Hack Service Providers
A ransomware attack in July that paralyzed as many as 1,500 organisations by compromising tech-management software from a company called Kaseya has set off a race among criminals looking for similar vulnerabilities, cyber security experts said. An affiliate of a top Russian-speaking ransomware gang known as REvil used two gaping flaws in software from Florida-based Kaseya to break into about 50 managed services providers (MSPs) that used its products, investigators said. Now that criminals see how powerful MSP attacks can be, "they are already busy, they have already moved on and we don’t know where," said head of the non-profit Dutch Institute for Vulnerability Disclosure, which warned Kaseya of the weaknesses before the attack.
‘It’s Quite Feasible To Start A War’: Just How Dangerous Are Ransomware Hackers?
Secretive gangs are hacking the computers of governments, firms, even hospitals, and demanding huge sums. But if we pay these ransoms, are we creating a ticking time bomb? They have the sort of names that only teenage boys or aspiring Bond villains would dream up (REvil, Grief, Wizard Spider, Ragnar), they base themselves in countries that do not cooperate with international law enforcement and they don’t care whether they attack a hospital or a multinational corporation. Ransomware gangs are suddenly everywhere, seemingly unstoppable – and very successful.
Joint UK/US Advisory Detailing Top 30 Vulnerabilities Include Plenty Of Usual Suspects
A joint advisory from law enforcement agencies in the US, UK, and Australia this week tallied the 30 most-frequently exploited vulnerabilities. Perhaps not surprisingly, the list includes a preponderance of flaws that were disclosed years ago; everything on the list has a patch available for whoever wants to install it. But as we've written about time and again, many companies are slow to push updates through for all kinds of reasons, whether it's a matter of resources, know-how, or an unwillingness to accommodate the downtime often necessary for a software refresh. Given how many of these vulnerabilities can cause remote code execution—you don't want this—hopefully they'll start to make patching more of a priority.
https://www.wired.com/story/top-vulnerabilities-russia-nso-group-iran-security-news/
Average Total Cost Of A Data Breach Increased By Nearly 10% Year Over Year
Based on in-depth analysis of real-world data breaches experienced by over 500 organisations, the global study suggests that security incidents became more costly and harder to contain due to drastic operational shifts during the pandemic, with costs rising 10% compared to the prior year. Businesses were forced to quickly adapt their technology approaches last year, with many companies encouraging or requiring employees to work from home, and 60% of organisations moving further into cloud-based activities during the pandemic. The new findings suggest that security may have lagged behind these rapid IT changes, hindering organizations’ ability to respond to data breaches.
https://www.helpnetsecurity.com/2021/07/29/total-cost-data-breach/
65% Of All DDoS Attacks Target US And UK
Distributed denial of service (DDoS) attacks are common for cyber criminals who want to disrupt online-dependent businesses. According to the data analysed by a VPN team, 65% of all distributed denial of service (DDoS) attacks are directed at the US or UK. Computers and the internet industry are the favourite among cyber criminals. The United States was a target for 35% of all DDoS attacks in June 2021. Cyber criminals launched DDoS attacks against Amazon Web Services, Google, and other prominent US-based companies in the past. The United Kingdom comes second as it fell victim to 29% of all DDoS attacks. As the UK has many huge businesses, they often are targeted by hackers for valuable data or even a ransom. China was threatened by 18% of all DDoS attacks in June 2021. Assaults from and to China happen primarily due to political reasons, to interrupt some government agency.
https://www.pcr-online.biz/2021/08/05/65-of-all-ddos-attacks-target-us-and-uk/
Threats
Ransomware
Ransomware Attacks Rise Despite US Call For Clampdown On Cyber Criminals
BlackMatter Ransomware Gang Rises From The Ashes Of DarkSide, Revil
Criminals Are Using Call Centres To Spread Ransomware In A Crafty Scheme
Phishing
Microsoft Warns Office 365 Users Over This Sneaky Phishing Campaign
Spear Phishing Now Targets Employees Outside The Finance And Executive Teams, Report Says
Other Social Engineering
Malware
A Wide Range Of Cyber Attacks Leveraging Prometheus TDS Malware Service
Several Malware Families Targeting IIS Web Servers With Malicious Modules
Microsoft: This Windows And Linux Malware Does Everything It Can To Stay On Your Network
Mobile
An Explosive Spyware Report Shows Limits Of IOS, Android Security
This Android Malware Steals Your Data In The Most Devious Way
The Latest Android Bank-Fraud Malware Uses A Clever Tactic To Steal Credentials
Vulnerabilities
Code Execution Flaw Found In Cisco Firepower Device Manager On-Box Software
Cisco Issues Critical Security Patches To Fix Small Business VPN Router Bugs
Decade-Long Vulnerability In Multiple Routers Could Allow Network Compromise
Security Researchers Warn Of TCP/IP Stack Flaws In Operational Technology Devices
PwnedPiper PTS Security Flaws Threaten 80% of Hospitals In The U.S.
Data Breaches
Threat Actors Leaked Data Stolen From EA, Including FIFA Code
Hackers Breach San Diego Hospital, Gaining Access To Patients'... Well, Uh, Everything
OT, ICS, IIoT and SCADA
Organised Crime & Criminal Actors
Cryptocurrency/Cryptojacking
Supply Chain
Nation State Actors
Here's 30 Servers Russian Intelligence Uses To Fling Malware At The West, Beams RiskIQ
Russian Federal Agencies Were Attacked With Chinese Webdav-O Virus
New Chinese Spyware Being Used In Widespread Cyber Espionage Attacks
Suspected Chinese Hackers Took Advantage Of Microsoft Exchange Vulnerability To Steal Call Records
Iranian APT Lures Defense Contractor In Catfishing-Malware Scam
Chinese Hackers Target Major Southeast Asian Telecom Companies
Cloud
Reports Published in the Last Week
Other News
Leaked Document Says Google Fired Dozens Of Employees For Data Misuse
Hybrid Work Is Here To Stay – But What Does That Mean For Cyber Security?
Huawei To America: You're Not Taking Cyber Security Seriously Until You Let China Vouch For Us
Trusted Platform Module Security Defeated In 30 Minutes, No Soldering Required
Credit-Card-Stealing, Backdoored Packages Found In Python's PyPi Library Hub
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Cyber Weekly Flash Briefing 18 Sept 2020: Higher cyber losses; old MS Office exploit; banking Trojan given away free; new Bluetooth flaw; IoT risks; DDoS attacks up; US charge Iranians & Russians
Cyber Weekly Flash Briefing 18 September 2020: Cyber losses increasing in frequency & severity, decade-old MS Office exploit, Cerberus banking Trojan released for free to attackers, Bluetooth vulnerability affects billions of devices, The Internet of Things devices that could put you at risk from hackers
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Cyber losses are increasing in frequency and severity
Research by a cyber insurance provider in North America shows cyber attacks have increased in number and severity since the onset of the coronavirus pandemic. The changes that organisations implemented to facilitate remote work have given cyber criminals new opportunities to launch campaigns exploiting mass uncertainty and fear.
The severity of ransomware attacks has increased since the beginning of COVID-19, with researchers having observed a 47% increase on top of a 100% increase in Q1 2020.
Researchers also found that newer strains of ransomware have been particularly malicious, with costly ransom demands and criminal actors threatening to expose an organisation’s data if they don’t pay. They report that the average demand from attackers using the Maze variety of ransomware is approximately six times larger than the overall average.
Researchers also reported a 35% increase in funds transfer fraud and social engineering claims filed by their policyholders since the pandemic began. Reported losses from these types of attack have ranged from the low thousands to well above $1 million per event.
Additionally, COVID-19 has resulted in a notable surge of business email compromise. The insurer observed a 67% increase in the number of email attacks during the pandemic.
Why this matters:
The report refers to North America but the findings are applicable to us all. They indicate that the most frequent types of losses incurred by victims were from ransomware (41%), funds transfer loss (27%), and business email compromise incidents (19%) — accounting for 87% of reported incidents and 84% of the insurer’s claim pay-outs in the first half of 2020.
Clearly with the landscape getting worse, firms more likely to fall victim, and with losses increasing all the time, firms should ensure they are taking these threats seriously.
Read more: https://www.helpnetsecurity.com/2020/09/14/cyber-losses-are-increasing-in-frequency-and-severity/
Hackers have revived a decade-old Microsoft Office exploit - and they’re having a field day
Hackers have ramped up attempts to abuse a decade-old Microsoft Office flaw with the help of creative new email scams, new research has found.
According to analysis commissioned by NordVPN, attempts to exploit the vulnerability (CVE-2017-11882) rose by 400% in the second quarter of the year - with further growth expected.
Why this matters:
If exploited successfully, the memory corruption bug could allow attackers to execute code on the target device remotely. This is especially problematic if the affected user’s account has administrative privileges, in which case the hacker could seize control of the system.
Cerberus banking Trojan source code released for free to cyber attackers
The source code of the Cerberus banking Trojan has been released as free malware on underground hacking forums following a failed auction.
The leaked code, distributed under the name Cerberus v2, presents an increased threat for smartphone users and the banking sector at large.
Why this matters:
Cerberus is a mobile banking Trojan designed for the Google Android operating system. In circulation since at least July 2019, the Remote Access Trojan (RAT) is able to conduct covert surveillance, intercept communication, tamper with device functionality, and steal data including banking credentials by creating overlays on existing banking, retail, and social networking apps.
The malware is able to read text messages that may contain one-time passcodes (OTP) and two-factor authentication (2FA) codes, thereby bypassing typical 2FA account protections. OTPs generated through Google Authenticator may also be stolen.
Critical Bluetooth security vulnerability could affect billions of devices worldwide
A new security flaw in the Bluetooth software stack discovered over the summer has the potential to affect billions of smartphones, laptops and IoT devices using the Bluetooth Low Energy (BLE) protocol.
The new vulnerability has been given the name BLESA (Bluetooth Low Energy Spoofing Attack) by the team of seven academic researchers at Purdue University who first discovered it.
Unlike the recently discovered BLURtooth vulnerability that deals with how Bluetooth devices pair with one another, BLESA was found in the reconnection process. Reconnections occur when two BLE devices move out of range and then move back into range. Normally BLE devices check the cryptographic keys negotiated during the pairing process when reconnecting.
The research team found that the official BLE specification did not contain strong-enough language to describe the reconnection process properly leading to two systemic issues making their way into BLE software implementations.
The first deals with the fact that authentication during device reconnection is optional as opposed to mandatory while the second relates to how authentication can potentially be circumvented if a user's BLE device fails to force another device to authenticate the cryptographic keys sent while reconnecting.
Why this matters:
Billions of devices could be vulnerable to these BLESA attacks where a nearby attacker bypasses reconnection verification and sends spoofed data to a BLE device with incorrect information. This can lead both humans and automated processes to make incorrect decisions when it comes to allowing two devices to reconnect with one another.
Coffee machines, cuddly toys and cars: The Internet of Things devices that could put you at risk from hackers
Connected teddy bears, connected coffee machines and connected cars are just some of the unusual Internet of Things (IoT) devices being insecurely connected to corporate networks that could leave whole organisations open to cyber attacks.
A research paper by Palo Alto Networks details the surge in IoT devices being connected to corporate networks and their wide variety.
Some of the most common irregular devices being connected to organisations' networks include connected vehicles, connected toys and connected medical devices, with connected sports equipment such as fitness trackers, gaming devices and connected cars also being deployed.
These devices are being connected because they can often help people through the working day or help manage aspects of their personal life, but they're also creating additional problems for the corporate network.
Why this matters:
In many cases, these 'shadow IoT' devices are being added to the network without the knowledge of the security team.
This could potentially leave the corporate network vulnerable because not only do some IoT devices have poor security that means they can easily be discovered and exploited, but some workplaces still have flat networks and if a device is compromised then an attacker can move from the IoT product to another system.
DDoS Attacks Skyrocket as Pandemic Bites
More people being online during lockdowns and more people working from home has proven to be lucrative for DDoS type attacks.
The first half of 2020 saw a significant uptick in the number of distributed denial-of-service (DDoS) attacks compared to the same period last year — a phenomenon that appears to be directly correlated to the global coronavirus pandemic.
One firm’s Security Operations Centre (SOC) saw a 151 percent increase in DDoS activity in the period, including one of the largest and longest attacks they had has ever mitigated – that attack came in at 1.17 terabits-per-second (Tbps), and lasted five days and 18 hours.
These figures are representative of the growing number, volume and intensity of network-type cyber attacks as organizations shifted to remote operations and workers’ reliance on the internet increased.
Why this matters:
DDoS attacks are getting bigger, with a “noticeable spike” in volume: The number of attacks sized 100Gbps and above grew a whopping 275 percent. Emblematic of this is a 2.3Tbps attack targeting an Amazon Web Services client in February – the largest volumetric DDoS attack on record. And the aforementioned 1.17Tbps attack was 192 percent bigger than the largest attack mitigated during the first half of 2019.
Read more: https://threatpost.com/ddos-attacks-skyrocket-pandemic/159301/
US charges two Russians for stealing $16.8m via cryptocurrency phishing sites
The US Department of Justice has filed charges this week against two Russian nationals for orchestrating a multi-year phishing operation against the users of three cryptocurrency exchanges.
The two suspects stand accused of creating website clones for the Poloniex, Binance, and Gemini cryptocurrency exchanges, luring users on these fake sites, and collecting their account credentials. These phishing operations began around June 2017.
US officials said the Russian duo — made up of Danil Potekhin (aka cronuswar) and Dmitrii Karasavidi; residents of Voronezh and Moscow, respectively — used the stolen credentials to access victim accounts and steal their Bitcoin (BTC) and Ether (ETH) crypto-assets.
Why this matters:
In total, US officials estimated the victims in the hundreds. Court documents cite 313 defrauded Poloniex users, 142 Binance victims, and 42 users at Gemini. Losses were estimated at $16,876,000.
Whilst bitcoin has waned in popularity after its highs a few years back there is still value in holdings held in different exchanges and these holdings remain popular targets for attackers.
US charges two Iranian hackers for years-long cyber-espionage, cybercrime spree
The US has also filed charges against and is seeking the arrest of two Iranian nationals believed to have carried out cyber-intrusions at the behest of the Iranian government and for their own personal financial gain.
In an indictment unsealed this week, prosecutors accused Hooman Heidarian and Mehdi Farhadi, both from Hamedan, Iran, of launching cyber-attacks against a wide range of targets since at least 2013.
Past victims included several US and foreign universities, a Washington think tank, a defense contractor, an aerospace company, a foreign policy organization, non-governmental organizations (NGOs), non-profits, and foreign government and other entities the defendants identified as rivals or adversaries to Iran, with most targets located in the US, Israel, and Saudi Arabia.
US officials said Heidarian and Farhadi focused on gaining access to their victims' accounts, computers, and internal networks, from where they stole confidential data and communications pertaining to topics such as national security, foreign policy, nuclear energy, and aerospace.
Why this matters:
Financial data and personally identifiable information wasn't off-limits, and the two also stole intellectual property, such as unpublished scientific research.
In addition, the two also targeted and stole personal information and communications of Iranian dissidents, human rights activists, and opposition leaders, according to George M. Crouch Jr., Special Agent in Charge of the FBI Newark Division.
Prosecutors believe that some of the stolen data was handed over to Iranian government intelligence officials, but that other information was also sold on black markets for the hackers' personal gains.
Alert issued to UK universities and colleges about spike in cyber attacks
British universities and colleges have been warned about a spike in ransomware attacks targeting the education sector by the UK's National Cyber Security Centre (NCSC), a part of GCHQ.
Academic institutions are being urged to follow NCSC guidance following a sharp increase in attacks which have left some teachers fearing they won't be able to accept students when term begins.
Last week staff at Newcastle University warned Sky News they had "no idea how we are going to welcome students in three weeks' time" following one such ransomware attack, which has impacted IT services across the whole university.
Similar attacks in which criminal hackers infiltrated computer networks and stole data before encrypting the machines and demanding a ransom payment to unlock them again, have hit Northumbria University, Bolton Sixth Form College, Leeds City College and others in August alone.
Speaking to Sky News, NCSC's director of operations Paul Chichester said the agency had seen an increase in the "utterly reprehensible" attacks over the past 18 months and was concerned they would disrupt young people's education.
Why this matters:
There are more than a dozen criminal groups which are currently earning millions by encrypting their victim's computer networks and then leaking stolen documents online to pressure the victims into paying up.
Cyber Weekly Flash Briefing 11 September 2020: Ransomware 41% of H1 2020 cyber insurance claims, MS Critical RCE Bugs, 60% of emails May/June fraudulent, Insider Data Breaches, Linux Targeting More
Cyber Weekly Flash Briefing 11 September 2020: Ransomware 41% of all H1 2020 cyber insurance claims, MS Patch Tuesday Critical RCE Bugs, 60 percent of emails May/ June were fraudulent, Insider-Enabled Data Breaches, Linux-Based Devices Targeted More, Chilean bank shut down following ransomware, meddling in US politics by Russia, China & Iran, TikTok battles to remove video of livestreamed suicide
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Ransomware accounted for 41% of all cyber insurance claims in H1 2020
Ransomware incidents have accounted for 41% of cyber insurance claims filed in the first half of 2020, according to a report published today by one of the largest providers of cyber insurance services in North America.
The high number of claims comes to confirm previous reports from multiple cyber-security firms that ransomware is one of today's most prevalent and destructive threats.
Ransomware doesn't discriminate by industry. An increase in ransom attacks has been seen across almost every industry.
In the first half of 2020 alone, they observed a 260% increase in the frequency of ransomware attacks amongst their policyholders, with the average ransom demand increasing 47%.
Among the most aggressive gangs, the cyber insurer listed Maze and DoppelPaymer, which have recently begun exfiltrating data from hacked networks, and threatening to release data on specialized leak sites, as part of double extortion schemes.
Why this matters:
Ransomware remains, and is likely to remain, by far one of the biggest menaces on the web, it is indiscriminate, anyone can be affected, it can be business destroying, and it is getting worse all the time.
Read more: https://www.zdnet.com/article/ransomware-accounts-to-41-of-all-cyber-insurance-claims/
Microsoft’s Patch Tuesday Packed with Critical RCE Bugs
Microsoft has released patches for 129 security bugs in its September Patch Tuesday update. These include 23 critical flaws, 105 that are important in severity and one moderate bug. Fortunately, none are publicly known or under active exploitation, Microsoft said.
The most severe issue in the bunch is CVE-2020-16875, according to researchers. This is a memory-corruption problem in Microsoft Exchange that allows remote code-execution (RCE) just by sending an email to a target. Running arbitrary code could grant attackers the access they need to create new accounts, access, modify or remove data, and install programs.
Why this matters:
Many organisations are struggling to keep up with the volume of updates and keeping on top of them, or knowing which to prioritise, is critical for firms. At a time while many organisations continue to struggle to support the ongoing distribution of remote workers, Microsoft continues to pile on the updates and finding an efficient method for rolling out these patches has become even more imperative as companies begin to abandon the idea of a short-term fix and shift operations to embrace remote work as part of a lasting, long-term progression of how organisations operate moving forward.
Firms are beginning to realise the negative outcomes of the lenient security measures put in place to quickly adapt to a decentralised workforce and it’s become more important than ever to establish patching policies that can securely support remote endpoints for the foreseeable future.
Read more: https://threatpost.com/microsofts-patch-tuesday-critical-rce-bugs/159044/
60 percent of emails in May and June were fraudulent
The COVID-19 pandemic has seen a spike in scams, phishing and malware across all platforms and attack vectors. The latest mid-year threat landscape report from Bitdefender shows that in May and June, an average of 60 percent of all received emails were fraudulent.
In addition there’s been a five-fold increase in the number of coronavirus-themed attacks and a 46 percent increase in attacks aimed at home IoT devices.
IoT malware has become versatile, robust, and is constantly updated. IrcFlu, Dark_Nexus7 and InterPLanetary Storm are some of the examples malware that gained in popularity during the first half of 2020.
Mobile malware has been quick to capitalise too, with malware developers rushing to weaponise popular applications, such as the Zoom video conferencing application, used by employees now working from home. Packing RAT (Remote Access Trojan) capabilities, or bundling them with ransomware, banking malware, or even highly aggressive adware, Android malware developers were also fully exploiting the pandemic wave.
Why this matters:
As we keep saying malicious actors never let a good crisis or tragedy go to waste and will exploit whatever is going on in the world or anything there is a collective interest in to real in unsuspecting victims.
Good awareness and education are key in keeping your employees and users safe and ensuring users at all levels, including board members – who present a significant risk, are up to date with latest tactics and threats.
Email in particular will remain primary vector for attack and this is unlikely to change any time soon.
Read more: https://betanews.com/2020/09/08/60-percent-of-emails-in-may-and-june-were-fraudulent/
Businesses [should] Fear Insider-Enabled Data Breaches
Businesses fear suffering a data breach and expect it to be caused by an insider or internal error.
A survey of 500 IT professionals found that 94% of respondents have experienced a data breach, and 79% were worried their organisation could be next.
The fear associated with breaches stems from the security culture within the organisation, along with the security reporting structure.
Having security teams in close dialogue with executive leadership, supporting the leadership to make informed risk-based decisions and driving the business strategy, including the technologies used, reduces this fear significantly.
Secondly, not understanding information security, its components and principles drives fear and anxiety of the unknown, so having security education training, and developing awareness and consciousness of threats, will enable and empower the entire organisation to act with a ‘security first’ mindset.
Finally, recognising the importance of access control to protect systems and data is a foundational level control that organisations can apply to reduce the risk of a data breach. Hand in hand with this is partnering with trusted identity and access control platform providers who can provide enterprises with that security expertise and industry leadership.
Why this matters:
In terms of what is causing the breaches, 40% of respondents to the survey said accidental employee incidents were to blame, compared to 21% who said it is external attackers. Asked if this is a case of businesses not having a handle on what leaves their organisations (either intentionally or accidentally), insiders already have access and can leave with data invisibly, which might turn up somewhere embarrassing later.
Read more: https://www.infosecurity-magazine.com/news/businesses-insider-breaches/
4 top vulnerabilities ransomware attackers exploited in 2020
As more employees work from home, attackers have more endpoints to target. These unpatched vulnerabilities in remote access tools and Windows makes their job easier.
The biggest security trend for 2020 has been the increase of COVID-19-related phishing and other attacks targeting remote workers. New York City, for example, has gone from having to protect 80,000 endpoints to around 750,000 endpoints in its threat management since work-from-home edicts took place.
As noted in a recent Check Point Software Technologies mid-year review, “The first impact of the pandemic was the proliferation of malware attacks that used social engineering techniques with COVID-19 thematic lures for the delivery stage.” Domain names were set up and parked with names relating to the pandemic. As workers started to use videoconferencing platforms, attacks moved to attacking Zoom, Teams and other videoconferencing platforms.
One disturbing trend is that 80% of the observed attacks in the first half of 2020 used vulnerabilities reported and registered in 2017 and earlier, according to the Check Point report, and more than 20% of the attacks used vulnerabilities that are at least seven years old. This showcases that we have a problem in keeping our software up to date.
Why this matters:
Ransomware remains a big threat 2020 and expanding attack surfaces with staff working from home is making the situation worse. Attackers use vulnerabilities in tools used for remote access into Windows networks.
Click read more below to find out the top four vulnerabilities the researchers identified.
APT Groups Increasingly Targeting Linux-Based Devices
APT groups are increasingly executing targeted attacks against Linux-based devices as well as developing more Linux-focused tools, according to an investigation by Kaspersky.
This is as a result of a growing number of organisations’ selecting Linux ahead of Windows to run their strategically important servers and systems, and the perception that the Linux operating system is safer and less likely to be targeted by malware as it is less popular.
However, threat-actors have been observed to adapt their tactics to take advantage of this trend, and Kaspersky noted that “over a dozen APT actors have been observed to use Linux malware or some Linux-based modules” during the past eight years.
These include notorious groups such as Turla, Lazarus, Barium, Sofacy, the Lamberts and Equation. Kaspersky highlighted the example of Russian speaking APT group Turla using Linux backdoors as part of its changing toolset in recent years.
Why this matters:
Attacks that target Linux-based systems are still fewer in number than attacks on Windows based systems, but there is still malware designed to target them, including webshells, backdoors, rootkits and even custom-made exploits.
Read more: https://www.infosecurity-magazine.com/news/apt-targeting-linux-based-devices/
Major Chilean bank shuts down all branches following ransomware attack
Banco Estado, the only public bank in Chile and one of the three largest in the country, had to shut down its nationwide operations on Monday due to a cyberattack that turned out to be a ransomware launched by REvil.
According to a public statement, the branches will remain closed for at least one day, but clarified that customers’ funds have not been affected by the incident.
Sources close to the investigation reported that the REvil ransomware gang is behind the attack. It reportedly originated from an Office document infected with the malware that an employee received and proceeded to open.
The incident was reported to the Chilean authorities, who issued a cyber-security alert that warned about a massive ransomware campaign targeting the private sector in the country.
Why this matters:
As above ransomware is not going away and is getting worse all the time. Too many users don’t realise that simply opening a document or clicking on a link in an email could bring down their entire organisations. Staff and users need to be educated about the role they play in securing their organisations.
Vulnerabilities discovered in PAN-OS, which powers Palo Alto Networks’ firewalls
Palo Alto Networks this week remediated vulnerabilities in PAN-OS (operating systems version 8.1 or later) which command injection, cross site scripting and the ability to upload unauhtoised files to a directory which might lead to denial of service.
Why this matters:
Attackers can use these vulnerabilities to gain access to sensitive data or develop the attack to gain access to the internal segments of the network of a company that uses vulnerable protection tools.
Any security fixes for known vulnerabilities across any different product, software or firmware should be tested and applied as soon as possible, so those vulnerabilities cannot be used against you or your organisation.
Read more: https://www.helpnetsecurity.com/2020/09/10/vulnerabilities-discovered-in-pan-os/
Russia, China and Iran hackers target Trump and Biden, Microsoft says
Hackers with ties to Russia, China and Iran are attempting to snoop on people and groups involved with the US 2020 presidential election, Microsoft says.
The Russian hackers who breached the 2016 Democratic campaign are again involved, said the US tech firm.
Microsoft said it was "clear that foreign activity groups have stepped up their efforts" targeting the election.
Both President Donald Trump and Democrat Joe Biden's campaigns are in the cyber-raiders' sights.
Russian hackers from the Strontium group have targeted more than 200 organisations, many of which are linked to US political parties - both Republicans and Democrats, Microsoft said in a statement.
Why this matters:
The same attackers have also targeted British political parties, said Microsoft, without specifying which ones. Any meddling in politics by foreign states is a clear threat to the democratic process and shows that unfriendly states will interfere to further their own agendas.
Read more: https://www.bbc.co.uk/news/world-us-canada-54110457
TikTok battles to remove video of livestreamed suicide
TikTok is battling to remove a graphic video of a livestreamed suicide, after the footage was uploaded to the service on Sunday night from Facebook, where it was initially broadcast.
Although the footage was rapidly taken down from TikTok, users spent much of Monday re-uploading it, initially unchanged, but later incorporated into so-called bait-and-switch videos, which are designed to shock and upset unsuspecting users.
One such video, for instance, begins with a conventional video of an influencer talking to camera, before cutting without warning to the graphic footage.
Why this matters:
Parents, especially of younger children, may think that certain sites and social media channels are safe for children and the content is suitable vetted and controlled, but as this illustrates that is often not the case and caution should be exercised in allow young children unfettered access to social media.