Threat Intelligence Blog
Contact us to discuss any insights from our Blog, and how we can support you in a tailored threat intelligence report.
Black Arrow Cyber Threat Briefing 23rd June 2023
Black Arrow Cyber Threat Briefing 23 June 2023:
-How the MOVEit Breach Shows Hackers' Interest in Corporate File Transfer Tools
-Attackers Discovering Exposed Cloud Assets Within Minutes
-Majority of Users Neglect Best Password Practices
-One in Three Workers Susceptible to Phishing
-Ransomware Misconceptions Abound, to the Benefit of Attackers
-Threat Actors Scale and Commoditise Uncommon Tools and Techniques
-Goodbyes are Difficult, IT Offboarding Processes Make Them Harder
-Security Budget Hikes are Missing the Mark, CISOs Say
-Understanding Cyber Resilience: Building a Holistic Approach to Cyber Security
-Emerging Ransomware Group 8Base Releasing Data on SMBs Globally
-Cyber Security Industry Still Fighting to Recruit and Retain Talent
-Financial Firms to Build Resilience in Face of Growing Cyber-Threats
-Fulfilling Expected SEC Requirements for Cyber Security Expertise at Board Level
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
Cyber Security Industry Still Fighting to Recruit and Retain Talent
Cyber security teams are struggling to find the right talent, with the right skills, and to retain experienced employees. The situation is only likely to worsen, as inflation and a tight labour market push up wages. Universities produce graduates with a strong focus on technical knowledge, but not always the broader skills they need to operate in a business environment. This includes the lack of communications skills, understanding of how businesses operate and even emotional intelligence. One solution is to outsource to a corporate cyber security provider or outsource to infill shortages whilst trying to recruit permanent staff.
https://www.infosecurity-magazine.com/news/cybersecurity-industry-recruit/
How the MOVEit Breach Shows Hackers' Interest in Corporate File Transfer Tools
The world of managed file transfer (MFT) software has become a lucrative target for ransom-seeking hackers, with significant breaches including those of Accellion Inc's File Transfer Appliance in 2021 and Fortra's GoAnywhere MFT earlier this year. These MFT programs, corporate versions of popular file sharing programs like Dropbox or WeTransfer, are highly desirable to hackers for the sensitive data they often transfer between organisations and partners. The recent mass compromise tied to Progress Software Corp's MOVEit transfer product has prompted governments and companies worldwide to scramble in response.
Hackers are shifting their tactics, with an increasing focus on MFT programs which typically face the open internet, making them more vulnerable to breaches. Once inside these file transfer points, hackers have direct access to a wealth of data. In addition, there's a noticeable shift from ransomware groups encrypting a company's network and demanding payment to unscramble it, to a simpler tactic of pure extortion by threatening to leak the data.
Attackers Discovering Exposed Cloud Assets within Minutes
The shift to cloud services, increased remote work, and reliance on third-parties has led to widespread use of Software-as-a-Service (SaaS) applications. This has also opened avenues for attackers to exploit weak security configurations and identities. Over the past year, attackers have intercepted authorisation tokens, bypassed multifactor authentication, and exploited misconfigured systems, targeting critical applications like GitHub, Microsoft 365, Google Workspace, Slack, and Okta. A study revealed alarmingly fast rates of breach discovery and compromise of exposed cloud assets, with assets being discovered within as little as two minutes for some and others within an hour.
https://www.darkreading.com/dr-tech/growing-saas-usage-means-larger-attack-surface
Majority of Users Neglect Best Password Practices
The latest Password Management Report by Keeper Security has shed light on the concerning state of password security practices. The survey found that only 25% of respondents used solid and unique passwords. In comparison, 34% admitted to using repeat variations of passwords, and 30% still relied on simple and easily guessable passwords. The survey also found that 44% of individuals who claimed to have well-managed passwords still admitted to using repeated variations, while 20% acknowledged having had at least one password involved in a data breach or available on the dark web. The document also revealed that 35% of respondents feel overwhelmed when it comes to improving their cyber security. Furthermore, 10% admitted to neglecting password management altogether. More generally, Keeper Security said the survey’s findings highlight a significant gap between perception and reality regarding password security.
https://www.infosecurity-magazine.com/news/users-neglect-best-password/
One in Three Workers Susceptible to Phishing
More than one in three workers in the UK and Ireland are susceptible to falling for phishing attacks, according to the new 2023 Phishing by Industry Benchmarking Report by KnowBe4. The study found that 35% of users who had received no security training were prone to clicking on suspicious links or engaging in fraudulent actions. Regular training and continual reinforcement can get this figure down but even with training very few organisations ever get click rates down to zero, and you only need one person to click to cause potentially devastating consequences.
Globally, ransomware was responsible for 24% of all data breaches in 2023, with human error accounting for 74% of these incidents. Phishing attacks can often lead to significant reputational damage, financial loss and disruption to business operations.
https://www.infosecurity-magazine.com/news/one-in-three-phishing/
Ransomware Misconceptions Abound, to the Benefit of Attackers
There is a common ransomware misperception that there's no capability to fight this all too common hostage taking of business data. This is not true. Proactive organisations are increasingly making more strategic use of threat intelligence to prevent or disrupt attacks.
Ransomware has evolved into a massive, often state-sponsored, industry where operators buy, develop, and resell ransomware code, infiltrate networks, and collect ransoms. The perception that a speedy response is critical to prevent data encryption and loss is outdated; attackers now focus on data exfiltration, using ransomware as a distraction. They often target smaller organisations that are linked to larger ones through supply chains, using them as stepping stones. It is important to use in-depth defence measures, including email security to prevent phishing and efficient detection and response systems to identify and recover from changes.
Threat Actors Scale and Commoditise Uncommon Tools and Techniques
Proofpoint’s 2023 Human Factor report highlights significant developments in the cyber attack landscape in 2022. Following two years of pandemic-induced disruption, cyber criminals returned to their usual operations, honing their social engineering skills and commoditising once sophisticated attack techniques. There was a noticeable increase in brute-force and targeted attacks on cloud tenants, conversational smishing attacks, and multifactor authentication (MFA) bypasses. Microsoft 365 formed a large part of organisations' attack surfaces and faced broad abuse, from Office macros to OneNote documents.
Despite some advances in security controls, threat actors continue to innovate and scale their bypasses. Techniques like MFA bypass and telephone-oriented attack delivery are now commonplace. Attackers consistently exploit people, who remain the most critical variable in the attack chain.
Goodbyes are Difficult, IT Offboarding Processes Make Them Harder
A recent survey found that 68% of organisations recognise the offboarding process as a major cyber security risk, but only 36% have adequate controls in place to secure data access when employees depart. The study revealed that 60% of organisations have discovered former employees still had access to corporate applications after leaving, and 52% have had security incidents linked to former employees. Interestingly, IT professionals are not always alerted when employees leave, leading to access not being revoked and IT assets being mishandled 34% of the time.
https://www.helpnetsecurity.com/2023/06/19/it-offboarding-processes/
Security Budget Hikes are Missing the Mark, CISOs Say
Misguided expectations on security spend are causing problems for CISOs despite notable budget increases. A recent report found that while most CISOs are experiencing noteworthy increases in security funding, impractical expectations of budget holders are leading to significant amounts being spent on what’s hitting the headlines instead of strategic, business-centric investment in security defences. This lack of understanding shows that a lot of work needs to be done to ensure that information security receives the attention it deserves, especially in the boardroom.
The report found that just 9% of CISOs said information security is always in the top three priorities on the boardroom’s meeting agenda, and less than a quarter (22%) of CISOs are actively participating in business strategy and decision-making processes. Talking to the board about cyber security in a way that is productive can be a significant challenge for CISOs, and failing to do so effectively can result in confusion, disillusionment, and a lack of cohesion among directors, the security function, and the rest of the organisation.
https://www.csoonline.com/article/3700073/security-budget-hikes-are-missing-the-mark-cisos-say.html
https://www.helpnetsecurity.com/2023/06/22/average-cybersecurity-budget-increase/
Understanding Cyber Resilience: Building a Holistic Approach to Cyber Security
In today’s interconnected world, the threat of cyber attacks is a constant concern for organisations of all sizes and across all industries. Cyber resilience entails not only making it difficult for attackers to infiltrate your systems but also ensuring that your organisation can bounce back quickly and continue operations successfully.
Cyber resilience offers a holistic approach to cyber security, emphasising the ability to withstand and recover from cyber attacks. By adopting the right mindset, leveraging advanced technology, addressing cyber hygiene, and measuring key metrics, organisations can enhance their cyber resilience. Additionally, collaboration within industries and proactive board engagement are crucial for effective risk management. As cyber threats continue to evolve, organisations must prioritise cyber resilience as an ongoing journey, continuously adapting and refining their strategies to stay ahead of malicious actors.
Emerging Ransomware Group 8Base Releasing Confidential Data from SMBs Globally
A ransomware group that operated under the radar for over a year has come to light in recent weeks, thanks to a series of business data leaks on the Dark Web. Since at least April 2022, 8base has been conducting double-extortion attacks against small and midsized businesses (SMBs). It all came to a head in May, when the group dumped data belonging to 67 organisations on the cyber underground.
Not much is known yet about the group's tactics, techniques, and procedures (TTPs), likely due to the low profile of their victims. The victims span science and technology, manufacturing, retail, construction, healthcare, and more, with victims from as far afield as India, Peru, Madagascar and Brazil, amongst others.
https://www.darkreading.com/vulnerabilities-threats/emerging-ransomware-8base-doxxes-smbs-globally
Financial Firms to Build Resilience in Face of Growing Cyber-Threats
Cyber resilience is now a key component of operational resilience for the UK’s financial markets, according to a Bank of England official. Cyber attacks have increased by 38% in 2022, and the range of firms and organisations being impacted seems to grow broader and broader.
Regulators want to see how financial firms will cope with an attack, and its impact on the wider financial services ecosystem. Similar work is being done at an international level by the G7, which has its own cyber expert group. In the UK, the main tools for improving resilience are threat intelligence sharing, better coordination between firms, regulators, the Bank and the Treasury, and penetration testing including CBEST. Financial services firms should have scenario specific playbooks, to set out how to contain intruders and stop them spreading to clients and counterparties. In the past, simulation exercises have been used to model terrorist incidents and pandemics and they are now being used to model cyber attacks.
https://www.infosecurity-magazine.com/news/financial-firms-to-build-resilience/
Fulfilling Expected SEC Requirements for Cyber Security Expertise at Board Level
The US Securities and Exchange Commission (SEC) is expected to introduce a rule requiring demonstration of cyber security expertise at the board level for public companies. A recent study found that currently up to 90% of companies in the Russell 3000 lack even a single director with the necessary cyber expertise. The simplest and speediest solution would be to promote the existing CISO, provided they have the appropriate qualities and experience, to the board but that would require transplanting a focused operational executive into a strategic business advisory role. A credible alternative is to bring in a cyber focused Non-Executive Director with the appropriate skills and experience.
Governance, Risk and Compliance
Why assessing third parties for security risk is still an unsolved problem | CSO Online
Navigating the Complex World of Cyber security Compliance - MSSP Alert
Security budget hikes are missing the mark, CISOs say | CSO Online
How to Weather the Coming Cyber security Storm - Infosecurity Magazine (infosecurity-magazine.com)
Certifications are no guarantee of security - Infosecurity Magazine (infosecurity-magazine.com)
Increased spending doesn't translate to improved cyber security posture - Help Net Security
Placing People & Realism at the Center of Your Cyber security Strategy (darkreading.com)
CISOs’ New Stressors Brought on by Digitalization: Report - SecurityWeek
Fulfilling Expected SEC Requirements for Cyber security Expertise at Board Level - SecurityWeek
From details to big picture: how to improve security effectiveness | CIO
IT Staff Increasingly Saddled with Data Protection Compliance (darkreading.com)
Threats
Ransomware, Extortion and Destructive Attacks
Explainer: How MOVEit breach shows hackers' interest in corporate file transfer tools | Reuters
Ransomware Misconceptions Abound, to the Benefit of Attackers (darkreading.com)
US Offers $10m Reward For MOVEit Attackers - Infosecurity Magazine (infosecurity-magazine.com)
Data leak at Australian law firm spooks government, business • The Register
Fresh Ransomware Gangs Emerge As Market Leaders Decline (darkreading.com)
Emerging Ransomware Group 8Base Doxxes SMBs Globally (darkreading.com)
A Russian national charged for committing LockBit Ransomware attacks - Security Affairs
Rorschach Ransomware: What You Need to Know (darkreading.com)
Ransomware is only getting faster: Six steps to a stronger defence (bleepingcomputer.com)
Ransomware gang preys on cancer centers, triggers alert | SC Media (scmagazine.com)
Ransomware attacks pose communications dilemmas for local governments | CSO Online
LockBit Developing Ransomware for Apple M1 Chips, Embedded Systems (darkreading.com)
Ransomware Victims
Australian Government Says Its Data Was Stolen in Law Firm Ransomware Attack - SecurityWeek
Hackers threaten to release photos of Beverly Hills plastic surgery patients (bitdefender.com)
Norton Parent Says Employee Data Stolen in MOVEit Ransomware Attack - SecurityWeek
BlackCat gang threatens to leak plastic surgery photos • The Register
Reddit confirms BlackCat ransomware gang stole its data • The Register
Adur and Worthing Councils investigating after contractor data breach | The Argus
Iowa’s largest school district confirms ransomware attack, data theft (bleepingcomputer.com)
Hackers warn University of Manchester students’ of imminent data leak (bleepingcomputer.com)
USDA is investigating a 'possible data breach' related to global Russian cyber criminal hack | CNN
Avast, Norton Parent Latest Victim of MOVEit Ransomware Attacks (darkreading.com)
MOVEit Vulnerability Breaches Targeted Fed Agencies (trendmicro.com)
Phishing & Email Based Attacks
Cyber crime: what does psychology have to do with phishing? – podcast | Science | The Guardian
Hackers Will Be Quick to Bypass Gmail's Blue Check Verification System (darkreading.com)
UPS discloses data breach after exposed customer info used in SMS phishing (bleepingcomputer.com)
Insurance companies neglect basic email security - Help Net Security
Other Social Engineering; Smishing, Vishing, etc
Artificial Intelligence
How generative AI is creating new classes of security threats | VentureBeat
Over 100,000 Stolen ChatGPT Account Credentials Sold on Dark Web Marketplaces (thehackernews.com)
‘With hackers adopting AI, it’s a cat-and-mouse game’ | Mint (livemint.com)
ChatGPT and data protection laws: Compliance challenges for businesses - Help Net Security
Google Tells Employees to Stay Away from Its Bard Chatbot (gizmodo.com)
Malware
Attacker seizes abandoned S3 bucket to launch malicious payloads | SC Media (scmagazine.com)
Hackers use fake OnlyFans pics to drop info-stealing malware (bleepingcomputer.com)
Researchers Discover New Sophisticated Toolkit Targeting Apple macOS Systems (thehackernews.com)
Mysterious Mystic Stealer Spreads Like Wildfire in Mere Months (darkreading.com)
Hackers infect Linux SSH servers with Tsunami botnet malware (bleepingcomputer.com)
To kill BlackLotus malware, patching is a good start, but... • The Register
Microsoft Teams bug allows malware delivery from external accounts (bleepingcomputer.com)
APT37 hackers deploy new FadeStealer eavesdropping malware (bleepingcomputer.com)
ScarCruft Hackers Exploit Ably Service for Stealthy Wiretapping Attacks (thehackernews.com)
Chinese Hacker Group 'Flea' Targets American Ministries with Graphican Backdoor (thehackernews.com)
USB Drives Spread Spyware as China's Mustang Panda APT Goes Global (darkreading.com)
NSA shares tips on blocking BlackLotus UEFI malware attacks (bleepingcomputer.com)
Chinese malware accidentally infects networked storage • The Register
ChamelDoH: New Linux Backdoor Utilising DNS-over-HTTPS Tunneling for Covert CnC (thehackernews.com)
Mobile
SMS delivery reports can be used to infer recipient's location (bleepingcomputer.com)
Apple fixes zero-days used to deploy Triangulation spyware via iMessage (bleepingcomputer.com)
Android spyware camouflaged as VPN, chat apps on Google Play (bleepingcomputer.com)
Botnets
Romanian cyber crime gang Diicot builds DDoS botnet with Mirai variant | CSO Online
New Condi malware builds DDoS botnet out of TP-Link AX21 routers (bleepingcomputer.com)
Hackers infect Linux SSH servers with Tsunami botnet malware (bleepingcomputer.com)
Mirai botnet targets 22 flaws in D-Link, Zyxel, Netgear devices (bleepingcomputer.com)
Denial of Service/DoS/DDOS
Police crack down on DDoS-for-hire service active since 2013 (bleepingcomputer.com)
New Condi malware builds DDoS botnet out of TP-Link AX21 routers (bleepingcomputer.com)
Zeeland port website hit by DDOS attack, possibly by Russian hackers | NL Times
From Cryptojacking to DDoS Attacks: Diicot Expands Tactics with Cayosin Botnet (thehackernews.com)
Internet of Things – IoT
Romanian cyber crime gang Diicot builds DDoS botnet with Mirai variant | CSO Online
Smart Pet Feeders Expose Personal Data - Infosecurity Magazine (infosecurity-magazine.com)
Security for embedded devices is ignored by too many companies, expert says | Fierce Electronics
Our cities are becoming increasingly automated—and we’re not ready (fastcompany.com)
US Military Personnel Receiving Unsolicited, Suspicious Smartwatches - SecurityWeek
Mirai botnet targets 22 flaws in D-Link, Zyxel, Netgear devices (bleepingcomputer.com)
Data Breaches/Leaks
Data leak at Australian law firm spooks government, business • The Register
Australian Government Says Its Data Was Stolen in Law Firm Ransomware Attack - SecurityWeek
Mondelez says crooks stole staff data in security breach • The Register
UPS discloses data breach after exposed customer info used in SMS phishing (bleepingcomputer.com)
Reddit hackers threaten to leak data stolen in February breach (bleepingcomputer.com)
Australia Inc roiled by raft of cyber attacks since late 2022 - The Economic Times (indiatimes.com)
SSD missing from SAP datacenter turns up on eBay • The Register
Smart Pet Feeders Expose Personal Data - Infosecurity Magazine (infosecurity-magazine.com)
Hackers warn University of Manchester students’ of imminent data leak (bleepingcomputer.com)
Organised Crime & Criminal Actors
Crypto and Cyber Security: A Complex Relationship (analyticsinsight.net)
Cyber attackers Got More Creative Post-Pandemic, Proofpoint Study Finds - MSSP Alert
The Great Exodus to Telegram: A Tour of the New Cyber crime Underground (bleepingcomputer.com)
Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain
Crypto and Cyber Security: A Complex Relationship (analyticsinsight.net)
Blockchain security: Everything you should know for safe use | TechTarget
From Cryptojacking to DDoS Attacks: Diicot Expands Tactics with Cayosin Botnet (thehackernews.com)
Insider Risk and Insider Threats
Fraud, Scams & Financial Crime
Influencers in firing line as France tackles scams - BBC News
Keep Job Scams From Hurting Your Organisation (darkreading.com)
Impersonation Attacks
AML/CFT/Sanctions
Dark Web
Supply Chain and Third Parties
Capita faces first legal Letter of Claim over mega breach • The Register
Why assessing third parties for security risk is still an unsolved problem | CSO Online
Mondelez says crooks stole staff data in security breach • The Register
Untangling the web of supply chain security with Tony Turner - Help Net Security
Software Supply Chain
Cloud/SaaS
Growing SaaS Usage Means Larger Attack Surface (darkreading.com)
Explainer: How MOVEit breach shows hackers' interest in corporate file transfer tools | Reuters
A new threat to financial stability lurks in the cloud | Financial Times (ft.com)
Cloud CISO Perspectives: Early June 2023 | Google Cloud Blog
Western Digital Blocks Unpatched Devices From Cloud Services - SecurityWeek
Attacker seizes abandoned S3 bucket to launch malicious payloads | SC Media (scmagazine.com)
Attackers discovering exposed cloud assets within minutes | TechTarget
Cloud-native security hinges on open source - Help Net Security
Hybrid Microsoft network/cloud legacy settings may impact your future security posture | CSO Online
US cyber ambassador says China can win on AI, cloud • The Register
Hybrid/Remote Working
Shadow IT
Identity and Access Management
Encryption
Quantum hacking alert: Critical vulnerabilities found in quantum key distribution (techxplore.com)
The US Navy, NATO, and NASA are using a shady Chinese company’s encryption chips | Ars Technica
Physics - Long-Range Quantum Cryptography Gets Simpler (aps.org)
API
Open Source
Hackers infect Linux SSH servers with Tsunami botnet malware (bleepingcomputer.com)
Cloud-native security hinges on open source - Help Net Security
ChamelDoH: New Linux Backdoor Utilising DNS-over-HTTPS Tunneling for Covert CnC (thehackernews.com)
Passwords, Credential Stuffing & Brute Force Attacks
The future of passwords and authentication - Help Net Security
These are the most hacked passwords. Is yours on the list? | ZDNET
Social Media
Influencers in firing line as France tackles scams - BBC News
Reddit hackers threaten to leak data stolen in February breach (bleepingcomputer.com)
Training, Education and Awareness
Digital Transformation
Regulations, Fines and Legislation
ChatGPT and data protection laws: Compliance challenges for businesses - Help Net Security
Bill allowing CISA to assist foreign governments passes Senate committee | SC Media (scmagazine.com)
Fulfilling Expected SEC Requirements for Cyber security Expertise at Board Level - SecurityWeek
Models, Frameworks and Standards
The significance of CIS Control mapping in the 2023 Verizon DBIR - Help Net Security
What is PCI Compliance? 12 Requirements and More Explained | Definition from TechTarget
Secure Disposal
Data Protection
ChatGPT and data protection laws: Compliance challenges for businesses - Help Net Security
Consumer Data: The Risk and Reward for Manufacturing Companies (darkreading.com)
IT Staff Increasingly Saddled with Data Protection Compliance (darkreading.com)
Careers, Working in Cyber and Information Security
8 notable entry-level cyber security career and skills initiatives in 2023 | CSO Online
UK military is struggling to recruit tech experts, says report | Financial Times (ft.com)
Certifications are no guarantee of security - Infosecurity Magazine (infosecurity-magazine.com)
Google announces $20 million investment for cyber clinics | CyberScoop
Law Enforcement Action and Take Downs
Police crack down on DDoS-for-hire service active since 2013 (bleepingcomputer.com)
Megaupload duo will go to prison at last, but Kim Dotcom fights on… – Naked Security (sophos.com)
A Russian national charged for committing LockBit Ransomware attacks - Security Affairs
Privacy, Surveillance and Mass Monitoring
Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine
Killnet Threatens Imminent SWIFT, World Banking Attacks (darkreading.com)
A Newly Named Group of GRU Hackers is Wreaking Havoc in Ukraine | WIRED
Russia sent its reserve team to wipe Ukrainian hard drives • The Register
Russian APT Group Caught Hacking Roundcube Email Servers - SecurityWeek
Hacktivist group Anonymous Sudan a ‘bear in wolf’s clothing’ | SC Media (scmagazine.com)
Russian APT28 hackers breach Ukrainian govt email servers (bleepingcomputer.com)
Strategies for staying ahead of modern cyber warfare - CyberTalk
German intelligence services point to increased hybrid security threats – EURACTIV.com
Nation State Actors
Microsoft Pins Early June DDoS Attacks on Russian-linked Cyber Crew - MSSP Alert
US DOJ Launches Cyber Unit to Prosecute Nation-State Threat Actors - SecurityWeek
US Military Personnel Receiving Unsolicited, Suspicious Smartwatches - SecurityWeek
USB Drives Spread Spyware as China's Mustang Panda APT Goes Global (darkreading.com)
CISA orders govt agencies to patch bugs exploited by Russian hackers (bleepingcomputer.com)
US Cyber Ambassador says China can win on AI, cloud • The Register
Cadet Blizzard emerges as a novel and distinct Russian threat actor | Microsoft Security Blog
The Israeli weapons and spyware falling into the hands of despots | Financial Times (ft.com)
The US Navy, NATO, and NASA are using a shady Chinese company’s encryption chips | Ars Technica
Zeeland port website hit by DDOS attack, possibly by Russian hackers | NL Times
A Russian national charged for committing LockBit Ransomware attacks - Security Affairs
Hacktivist group Anonymous Sudan a ‘bear in wolf’s clothing’ | SC Media (scmagazine.com)
APT37 hackers deploy new FadeStealer eavesdropping malware (bleepingcomputer.com)
ScarCruft Hackers Exploit Ably Service for Stealthy Wiretapping Attacks (thehackernews.com)
20-Year-Old Chinese APT15 Finds New Life in Foreign Ministry Attacks (darkreading.com)
Chinese Hacker Group 'Flea' Targets American Ministries with Graphican Backdoor (thehackernews.com)
North Korean APT targets defectors, activists with infostealer malware | SC Media (scmagazine.com)
China-sponsored APT group targets government ministries in the Americas | CSO Online
Chinese malware accidentally infects networked storage • The Register
Trellix Detects Leading Threat Actor Countries Behind Nation-State Activity - MSSP Alert
Vulnerability Management
Guess what happened to this US agency that didn't patch? • The Register
EU Council mulls pan-European platform to handle cyber vulnerabilities – EURACTIV.com
Vulnerabilities
VMware warns of critical vRealize flaw exploited in attacks (bleepingcomputer.com)
Microsoft Teams Vulnerability: The GIFShell Attack (latesthackingnews.com)
Patch Now: Cisco AnyConnect Bug Exploit Released in the Wild (darkreading.com)
Zyxel addressed critical flaw CVE-2023-27992 in NAS Devices - Security Affairs
Microsoft Teams bug allows malware delivery from external accounts (bleepingcomputer.com)
Chrome and Its Vulnerabilities - Is the Web Browser Safe to Use? - SecurityWeek
Critical WordPress Plugin Vulnerabilities Impact Thousands of Sites - SecurityWeek
SMB Edge Devices Walloped With Asus, Zyxel Patch Warnings (darkreading.com)
VMware fixes vCenter Server bugs allowing code execution, auth bypass (bleepingcomputer.com)
Azure AD 'Log in With Microsoft' Authentication Bypass Affects Thousands (darkreading.com)
Western Digital Blocks Unpatched Devices From Cloud Services - SecurityWeek
Risk & Repeat: Mandiant sheds light on Barracuda ESG attacks | TechTarget
ASUS warns router customers: Patch now, or block all inbound requests – Naked Security (sophos.com)
Firmware Backdoor Discovered in Gigabyte Motherboards, Hundreds of Models Affected - CPO Magazine
Apple fixes zero-days used to deploy Triangulation spyware via iMessage (bleepingcomputer.com)
A (cautionary) tale of two patched bugs, both under exploit • The Register
Millions of GitHub repos likely vulnerable to RepoJacking, researchers say (bleepingcomputer.com)
Windows 11 KB5027231 also breaks Chrome for Cisco, WatchGuard EDR users (bleepingcomputer.com)
Gaps in Azure Service Fabric’s Security Call for User Vigilance (trendmicro.com)
Tools and Controls
Getting Over the DNS Security Awareness Gap (darkreading.com)
Zscaler CEO: Firewalls Are Going The Way Of The Mainframe | CRN
The future of passwords and authentication - Help Net Security
Increased spending doesn't translate to improved cyber security posture - Help Net Security
Placing People & Realism at the Center of Your Cyber security Strategy (darkreading.com)
Security investments that help companies navigate the macroeconomic climate - Help Net Security
Reports Published in the Last Week
Other News
Boris Johnson’s notebooks cause national security alarm (thetimes.co.uk)
Keep it, Tweak it, Trash it – What to do with Aging Tech in an Era of Consolidation - SecurityWeek
Cyber attacks on OT, ICS Lay Groundwork for Kinetic Warfare (darkreading.com)
Why CISOs should be concerned about space-based attacks | CSO Online
Legal firms urged to strengthen cyber defences with latest... - NCSC.GOV.UK
GCHQ’s top hacker James Babbage quits to join NCA in blow to UK cyber force (telegraph.co.uk)
Sector Specific
Industry specific threat intelligence reports are available.
Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.
· Automotive
· Construction
· Critical National Infrastructure (CNI)
· Defence & Space
· Education & Academia
· Energy & Utilities
· Estate Agencies
· Financial Services
· FinTech
· Food & Agriculture
· Gaming & Gambling
· Government & Public Sector (including Law Enforcement)
· Health/Medical/Pharma
· Hotels & Hospitality
· Insurance
· Legal
· Manufacturing
· Maritime
· Oil, Gas & Mining
· OT, ICS, IIoT, SCADA & Cyber-Physical Systems
· Retail & eCommerce
· Small and Medium Sized Businesses (SMBs)
· Startups
· Telecoms
· Third Sector & Charities
· Transport & Aviation
· Web3
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Threat Briefing 22 July 2022
Black Arrow Cyber Threat Briefing 22 July 2022
-Insurer Refuses to Pay Out After Victim Misrepresented Their Cyber Controls
-5 Cyber Security Questions CFOs Should Ask CISOs
-The Biggest Cyber Attacks in 2022 So Far — and it’s Just the Tip of the Iceberg
-Malware-as-a-Service Creating New Cyber Crime Ecosystem
-The Rise and Continuing Popularity of LinkedIn-Themed Phishing
-Microsoft Teams Default Settings Leave Organisations Open to Cyber Attacks
-Top 10 Cyber Security Attacks of Last Decade Show What is to Come
-Software Supply Chain Concerns Reach C-Suite
-EU Warns of Russian Cyber Attack Spillover, Escalation Risks
-Critical Flaws in GPS Tracker Enable “Disastrous” and “Life-Threatening” Hacks
-Russian Hackers Behind Solarwinds Breach Continue to Scour US And European Organisations for Intel, Researchers Say
-The Next Big Security Threat Is Staring Us in The Face. Tackling It Is Going to Be Tough
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
Insurer Refuses to Pay Out After Victim Misrepresented Their Cyber Controls
In what may be one of the first court filings of its kind, insurer Travelers is asking a district court for a ruling to rescind a policy because the insured allegedly misrepresented its use of multifactor authentication (MFA) – a condition to get cyber coverage.
According to a July filing, Travelers said it would not have issued a cyber insurance policy in April to electronics manufacturing services company International Control Services (ICS) if the insurer knew the company was not using MFA as it said. Additionally, Travelers wants no part of any losses, costs, or claims from ICS – including from a May ransomware attack ICS suffered.
Travelers alleged ICS submitted a cyber policy application signed by its CEO and “a person responsible for the applicant’s network and information security” that the company used MFA for administrative or privileged access. However, following the May ransomware event, Travelers first learned during an investigation that the insured was not using the security control to protect its server and “only used MFA to protect its firewall, and did not use MFA to protect any other digital assets.”
Therefore, statements ICS made in the application were “misrepresentations, omissions, concealment of facts, and incorrect statements” – all of which “materially affected the acceptance of the risk and/or the hazard assumed by Travelers,” the insurer alleged in the filing.
ICS also was the victim of a ransomware attack in December 2020 when hackers gained access using the username and password of an ICS administrator, Travelers said. ICS told the insurer of the attack during the application process and said it improved the company’s cyber security.
Travelers said it wants the court to declare the insurance contract null and void, rescind the policy, and declare it has no duty to indemnify or defend ICS for any claim.
https://www.insurancejournal.com/news/national/2022/07/12/675516.htm#
5 Cyber Security Questions CFOs Should Ask CISOs
Armed with the answers, chief financial officers can play an essential role in reducing cyber risk.
Even in a shrinking economy, organisations are likely to maintain their level of cyber security spend. But that doesn’t mean in the current economic climate of burgeoning costs and a possible recession they won’t take a magnifying glass to how they are spending the money budgeted to defend systems and data. Indeed, at many companies, cyber security spending isn’t targeting the most significant dangers, according to experts — as evidenced by the large number of successful ransomware attacks and data breaches.
Without a comprehensive understanding of the security landscape and what the organisation needs to do to protect itself, how can CFOs make the right decisions when it comes to investments in cyber security technology and other resources? They can’t.
So, CFOs need to ensure they have a timely grasp of the security issues their organisation faces. That requires turning to the most knowledgeable people in the organisation: chief information security officers (CISOs) and other security leaders on the IT front lines.
Here are five questions CFOs should be asking their CISOs about the security of their companies.
How secure are we as an organisation?
What are the main security threats or risks in our industry?
How do we ensure that the cyber security team and the CISO are involved in business development?
What are the risks and potential costs of not implementing a cyber control?
Do employees understand information security and are they implementing security protocols successfully?
The Biggest Cyber Attacks in 2022 So Far — and it’s Just the Tip of the Iceberg
For those in the cyber resilience realm, it’s no surprise that there’s a continued uptick in cyber attacks. Hackers are hacking, thieves are thieving and ransomers are — you guessed it — ransoming. In other words, cyber crime is absolutely a growth industry.
As we cross into the second half of this year, let’s look at some of the most significant attacks so far:
Blockchain schmockchain. Cryptocurrency exchange Crypto.com’s two-factor-identification (2FA) system was compromised as thieves made off with approximately $30 million.
Still the one they run to. Microsoft’s ubiquity makes it a constant target. Earlier this year, the hacking collective Lapsus$ compromised Cortana and Bing, among other Microsoft products, posting source code online.
Not necessarily the news. News Corp. journalist emails and documents were accessed at properties including the Wall Street Journal, Dow Jones and the New York Post in a hack tied to China.
Uncharitable ways. The Red Cross was the target of an attack earlier this year, with more than half a million “highly vulnerable” records of Red Cross assistance recipients compromised.
Victim of success. North Korea’s Lazarus Group made off with $600 million in cryptocurrencies after blockchain gaming platform Ronin relaxed some of its security protocols so its servers could better handle its growing popularity.
We can hear you now. State-sponsored hackers in China have breached global telecom powerhouses worldwide this year, according to the U.S. Cybersecurity & Infrastructure Security Agency.
Politics, the art of the possible. Christian crowdfunding site GiveSendGo was breached twice this year as hacktivists exposed the records of donors to Canada’s Freedom Convoy.
Disgruntled revenge. Businesspeople everywhere were reminded of the risks associated with departing personnel when fintech powerhouse Block announced that a former employee accessed sensitive customer information, impacting eight million customers.
Unhealthy habits. Two million sensitive customer records were exposed when hackers breached Shields Health Care’s network.
They even stole the rewards points. General Motors revealed that hackers used a credentials stuffing attack to access personal information on an undisclosed number of car owners. They even stole gift-card-redeemable customer reward points.
For every breach or attack that generates headlines, millions of others that we never hear about put businesses at risk regularly. The Anti-Phishing Working Group just released data for the first quarter of this year, and the trend isn’t good. Recorded phishing attacks are at an all-time high (more than a million in just the first quarter) and were accelerating as the quarter closed, with March 2022 setting a new record for single-month attacks.
Malware-as-a-Service Creating New Cyber Crime Ecosystem
This week HP released their report The Evolution of Cybercrime: Why the Dark Web is Supercharging the Threat Landscape and How to Fight Back, exploring how cyber-criminals are increasingly operating in a quasi-professional manner, with malware and ransomware attacks being offered on a ‘software-as-a-service’ basis.
The report’s findings showed how cyber crime is being supercharged through “plug and play” malware kits that are easier than ever to launch attacks. Additionally, cyber syndicates are now collaborating with amateur attackers to target businesses, putting the online world and its users at risk.
The report’s methodology saw HP’s Wolf Security threat team work in tandem with dark-web investigation firm Forensic Pathways to scrape and analyse over 35 million cyber criminal marketplaces and forum posts between February and March 2022, with the investigation helping to gain a deeper understanding of how cyber criminals operate, gain trust, and build reputation. Its key findings include:
Malware is cheap and readily available: Over three-quarters (76%) of malware advertisements listed, and 91% of exploits (i.e. code that gives attackers control over systems by taking advantage of software bugs), retail for under $10.
Trust and reputation are ironically essential parts of cyber-criminal commerce: Over three-quarters (77%) of cyber criminal marketplaces analysed require a vendor bond – a license to sell – which can cost up to $3000. Of these, 92% have a third-party dispute resolution service.
Popular software is giving cyber criminals a foot in the door: Kits that exploit vulnerabilities in niche systems command the highest prices (typically ranging from $1,000-$4,000), while zero day vulnerabilities are retailing at 10s of thousands of pounds on dark web markets.
https://www.infosecurity-magazine.com/news/malware-service-cybercrime/
The Rise and Continuing Popularity of LinkedIn-Themed Phishing
Phishing emails impersonating LinkedIn continue to make the bulk of all brand phishing attempts. According to Check Point, 45% of all email phishing attempts in Q2 2022 imitated the style of communication of the professional social media platform, with the goal of directing targets to a spoofed LinkedIn login page and collecting their account credentials.
The phishers are generally trying to pique the targets’ interest with fake messages claiming that they “have appeared in X searches this week”, that a new message is waiting for them, or that another user would like to do business with them, and are obviously taking advantage of the fact that a record number of individuals are switching or are considering quitting their job and are looking for a new one.
To compare: In Q4 2021, LinkedIn-themed phishing attempts were just 8 percent of the total brand phishing attacks flagged by Check Point. Also, according to Vade Secure, in 2021 the number of LinkedIn-themed phishing pages linked from unique phishing emails was considerably lower than those impersonating other social networks (Facebook, WhatsApp).
Other brands that phishers loved to impersonate during Q2 2022 are (unsurprisingly) Microsoft (13%), DHL (12%) and Amazon (9%).
https://www.helpnetsecurity.com/2022/07/21/linkedin-phishing/
Microsoft Teams Default Settings Leave Organisations Open to Cyber Attacks
Relying on default settings on Microsoft Teams leaves organisations and users open to threats from external domains, and misconfigurations can prove perilous to high-value targets.
Microsoft Teams has over 270 million active monthly users, with government institutions using the software in the US, UK, Netherlands, Germany, Lithuania, and other countries at varying levels.
Cyber security researchers have discovered that relying on default MS Teams settings can leave firms and high-value users vulnerable to social engineering attacks. Attackers could create group chats, masquerade as seniors within the target organisation and observe whether users are online.
Attackers could, rather convincingly, impersonate high-ranking officials and possibly strike up conversations, fooling victims into believing they’re discussing sensitive topics with a superior. Skilled attackers could do a lot of harm with this capability.
https://cybernews.com/security/microsoft-teams-settings-leave-govt-officials-open-to-cyberattacks/
Top 10 Cyber Security Attacks of Last Decade Show What is to Come
Past is prologue, wrote William Shakespeare in his play “The Tempest,” meaning that the present can often be determined by what has come before. So it is with cyber security, serving as the basis of which is Trustwave’s “Decade Retrospective: The State of Vulnerabilities” over the last 10 years.
Threat actors frequently revisit well-known and previously patched vulnerabilities to take advantage of continuing poor cyber security hygiene. “If one does not know what has recently taken place it leaves you vulnerable to another attack,” Trustwave said in its report that identifies and examines the “watershed moments” that shaped cyber security between 2011 and 2021.
With a backdrop of the number of security incidents and vulnerabilities increasing in volume and sophistication, here are Trustwave’s top 10 network vulnerabilities in no particular order that defined the decade and “won’t be forgotten.”
SolarWinds hack and FireEye breach, Detected: December 8, 2020 (FireEye)
EternalBlue Exploit, Detected: April 14, 2017
Heartbleed, Detected: March 21, 2014
Shellshock, Remote Code Execution in BASH, Detected: September 12, 2014
Apache Struts Remote Command Injection & Equifax Breach, Detected: March 6, 2017
Chipocalypse, Speculative Execution Vulnerabilities Meltdown & Spectre
BlueKeep, Remote Desktop as an Access Vector, Detected: January, 2018
Drupalgeddon Series, CMS Vulnerabilities, Detected: January, 2018
Microsoft Windows OLE Vulnerability, Sandworm Exploit, Detected: September 3, 2014
Ripple20 Vulnerabilities, Growing IoT landscape, Detected: June 16, 2020
Software Supply Chain Concerns Reach C-Suite
Major supply chain attacks have had a significant impact on software security awareness and decision-making, with more investment planned for monitoring attack surfaces.
Organisations are waking up to the need to establish better software supply chain risk management policies and are taking action to address the escalating threats and vulnerabilities targeting this expanding attack surface.
These were among the findings of a CyberRisk Alliance-conducted survey of 300 respondents from both software-buying and software-producing companies.
Most survey respondents (52%) said they are "very" or "extremely" concerned about software supply chain risks, and 84% of respondents said their organisation is likely to allocate at least 5% of their AppSec budgets to manage software supply chain risk.
Software buyers are planning to invest in procurement program metrics and reporting, application pen-testing, and software build of materials (SBOM) design and implementation, according to the findings.
Meanwhile, software developers said they plan to invest in secure code review as well as SBOM design and implementation.
https://www.darkreading.com/application-security/software-supply-chain-concerns-reach-c-suite
EU Warns of Russian Cyber Attack Spillover, Escalation Risks
The Council of the European Union (EU) said that Russian hackers and hacker groups increasingly attacking "essential" organisations worldwide could lead to spillover risks and potential escalation.
"This increase in malicious cyber activities, in the context of the war against Ukraine, creates unacceptable risks of spillover effects, misinterpretation and possible escalation," the High Representative on behalf of the EU said.
"The latest distributed denial-of-service (DDoS) attacks against several EU Member States and partners claimed by pro-Russian hacker groups are yet another example of the heightened and tense cyber threat landscape that EU and its Member States have observed."
In this context, the EU reminded Russia that all United Nations member states must adhere to the UN's Framework of responsible state behaviour in cyberspace to ensure international security and peace.
The EU urged all states to take any actions required to stop malicious cyber activities conducted from their territory.
The EU's statement follows a February joint warning from CISA and the FBI that wiper malware attacks targeting Ukraine could spill over to targets from other countries.
Google's Threat Analysis Group (TAG) said in late March that it observed phishing attacks orchestrated by the Russian COLDRIVER hacking group against NATO and European military entities.
In May, the US, UK, and EU accused Russia of coordinating a massive cyber attack that hit the KA-SAT consumer-oriented satellite broadband service in Ukraine on February 24 with AcidRain data destroying malware, approximately one hour before Russia invaded Ukraine.
A Microsoft report from June also confirms the EU's observation of an increase in Russian malicious cyber activities. The company's president said that threat groups linked to Russian intelligence agencies (including the GRU, SVR, and FSB) stepped up cyber attacks against government entities in countries allied with Ukraine after Russia's invasion.
In related news, in July 2021, President Joe Biden warned that cyber attacks leading to severe security breaches could lead to a "real shooting war," a statement issued a month after NATO said that cyber attacks could be compared to "armed attacks" in some circumstances.
Critical Flaws in GPS Tracker Enable “Disastrous” and “Life-Threatening” Hacks
A security firm and the US government are advising the public to immediately stop using a popular GPS tracking device or to at least minimise exposure to it, citing a host of vulnerabilities that make it possible for hackers to remotely disable cars while they’re moving, track location histories, disarm alarms, and cut off fuel.
An assessment from security firm BitSight found six vulnerabilities in the Micodus MV720, a GPS tracker that sells for about $20 and is widely available. The researchers who performed the assessment believe the same critical vulnerabilities are present in other Micodus tracker models. The China-based manufacturer says 1.5 million of its tracking devices are deployed across 420,000 customers. BitSight found the device in use in 169 countries, with customers including governments, militaries, law enforcement agencies, and aerospace, shipping, and manufacturing companies.
BitSight discovered what it said were six “severe” vulnerabilities in the device that allow for a host of possible attacks. One flaw is the use of unencrypted HTTP communications that makes it possible for remote hackers to conduct adversary-in-the-middle attacks that intercept or change requests sent between the mobile application and supporting servers. Other vulnerabilities include a flawed authentication mechanism in the mobile app that can allow attackers to access the hardcoded key for locking down the trackers and the ability to use a custom IP address that makes it possible for hackers to monitor and control all communications to and from the device.
Russian Hackers Behind Solarwinds Breach Continue to Scour US And European Organisations for Intel, Researchers Say
The Russian hackers behind a sweeping 2020 breach of US government networks have in recent months continued to hack US organisations to collect intelligence while also targeting an unnamed European government that is a NATO member.
The new findings show how relentless the hacking group — which US officials have linked with Russia's foreign intelligence service — is in its pursuit of intelligence held by the US and its allies, and how adept the hackers are at targeting widely used cloud-computing technologies.
The hacking efforts come as Russia's invasion of Ukraine continues to fray US-Russia relations and drive intelligence collection efforts from both governments.
In recent months, the hacking group has compromised the networks of US-based organisations that have data of interest to the Russian government.
In separate activity revealed Tuesday, US cyber security firm Palo Alto Networks said that the Russian hacking group had been using popular services like Dropbox and Google Drive to try to deliver malicious software to the embassies of an unnamed European government in Portugal and Brazil in May and June.
https://edition.cnn.com/2022/07/19/politics/russia-solarwinds-hackers/index.html
The Next Big Security Threat Is Staring Us in The Face. Tackling It Is Going to Be Tough
If the ongoing fight against ransomware wasn't keeping security teams busy, along with the challenges of securing the ever-expanding galaxy of Internet of Things devices, or cloud computing, then there's a new challenge on the horizon – protecting against the coming wave of digital imposters or deepfakes.
A deepfake video uses artificial intelligence and deep-learning techniques to produce fake images of people or events.
One recent example is when the mayor of Berlin thought he was having an online meeting with former boxing champion and current mayor of Kyiv, Vitali Klitschko. But the mayor of Berlin grew suspicious when 'Klitschko' started saying some very out of character things relating to the invasion of Ukraine, and when the call was interrupted the mayor's office contacted the Ukrainian ambassador to Berlin – to discover that, whoever they were talking to, it wasn't the real Klitschko.
It's a sign that deepfakes are getting more advanced and quickly. Previous instances of deepfake videos that have gone viral often have tell-tale signs that something isn't real, such as unconvincing edits or odd movements, but the developments in deepfake technology mean it isn't difficult to imagine it being exploited by cyber criminals, particularly when it comes to stealing money.
While ransomware might generate more headlines, business email compromise (BEC) is the costliest form of cyber crime today. The FBI estimates that it costs businesses billions of dollars every year. The most common form of BEC attack involves cyber criminals exploiting emails, hacking into accounts belonging to bosses – or cleverly spoofing their email accounts – and asking staff to authorise large financial transactions, which can often amount to hundreds of thousands of dollars.
The emails claim that the money needs to be sent urgently, maybe as part of a secret business deal that can't be disclosed to anyone. It's a classic social-engineering trick designed to force the victim into transferring money quickly and without asking for confirmation from anyone else who could reveal it's a fake request. By the time anyone might be suspicious, the cyber criminals have taken the money, likely closed the bank account they used for the transfer – and run.
BEC attacks are successful, but many people might remain suspicious of an email from their boss that comes out the blue and they could avoid falling victim by speaking to someone to confirm that it's not real. But if cyber criminals could use a deepfake to make the request, it could be much more difficult for victims to deny the request, because they believe they're actually speaking to their boss on camera.
Many companies publicly list their board of directors and senior management on their website. Often, these high-level business executives will have spoken at events or in the media, so it's possible to find footage of them speaking. By using AI-powered deep-learning techniques, cyber criminals could exploit this public information to create a deepfake of a senior-level executive, exploit email vulnerabilities to request a video call with an employee, and then ask them to make the transaction. If the victim believes they're speaking to their CEO or boss, they're unlikely to deny the request.
Threats
Ransomware
Post-Breakup, Conti Ransomware Members Remain Dangerous (darkreading.com)
The Kronos Ransomware Attack: What You Need to Know So Your Business Isn't Next (darkreading.com)
New Luna ransomware encrypts Windows, Linux, and ESXi systems (bleepingcomputer.com)
Digital security giant Entrust breached by ransomware gang (bleepingcomputer.com)
Protecting Against Kubernetes-Borne Ransomware (darkreading.com)
Knauf cyber attack: Black Basta ransomware gang claims responsibility (techmonitor.ai)
New Redeemer ransomware version promoted on hacker forums (bleepingcomputer.com)
Kaspersky report on Luna and Black Basta ransomware | Securelist
New Cross-Platform 'Luna' Ransomware Only Offered to Russian Affiliates | SecurityWeek.Com
Conti’s Reign of Chaos: Costa Rica in the Crosshairs | Threatpost
Researchers uncover potential ransomware network with U.S. connections - CyberScoop
How Conti ransomware hacked and encrypted the Costa Rican government (bleepingcomputer.com)
A small Canadian town is being extorted by a global ransomware gang - The Verge
BEC – Business Email Compromise
Phishing & Email Based Attacks
Phishing Bonanza: Social-Engineering Savvy Skyrockets as Malicious Actors Cash In (darkreading.com)
Outlook users report suspicious activity from Microsoft IPs • The Register
PayPal Used to Send Malicious “Double Spear” Invoices - Infosecurity Magazine
LinkedIn remains the most impersonated brand in phishing attacks (bleepingcomputer.com)
Google Calendar provides new way to block invitation phishing (bleepingcomputer.com)
Other Social Engineering
Malware
Hacking group '8220' grows cloud botnet to more than 30,000 hosts (bleepingcomputer.com)
Buy ‘plug-n-play’ malware for the price of a pint of beer (computerweekly.com)
New ‘Lightning Framework’ Linux malware installs rootkits, backdoors (bleepingcomputer.com)
Mobile
Google pulls malware-infected apps, 3 million users at risk • The Register
Roaming Mantis hits Android and iOS users in malware, phishing attacks (bleepingcomputer.com)
BYOD
Data Breaches/Leaks
Neopets data breach exposes personal data of 69 million members (bleepingcomputer.com)
Verified Twitter Vulnerability Exposes Data from 5.4 Million Accounts | RestorePrivacy
Mixed Messages as Neopets Scrambles to Respond to Mega Breach - Infosecurity Magazine
Organised Crime & Criminal Actors
Cyber crime escalates as barriers to entry crumble | CSO Online
Understanding the Evolution of Cyber Crime to Predict its Future | SecurityWeek.Com
The growth in targeted, sophisticated cyber attacks troubles top FBI cyber official - CyberScoop
'AIG' Threat Group Launches with Unique Business Model (darkreading.com)
US DOJ report warns of escalating cyber crime, 'blended' threats (techtarget.com)
Chaotic LAPSUS$ Group Goes Quiet, but Threat Likely Persists (darkreading.com)
Last member of Gozi malware troika arrives in US for criminal trial – Naked Security (sophos.com)
Romanian hacker faces US trial over virus-for-hire service - The Verge
Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain
This Cloud Botnet Has Hijacked 30,000 Systems to Mine Cryptocurrencies (thehackernews.com)
Hackers Use Evilnum Malware to Target Cryptocurrency and Commodities Platforms (thehackernews.com)
Singapore distances itself from local crypto companies • The Register
FBI Warns Fake Crypto Apps are Bilking Investors of Millions | Threatpost
Ex-Coinbase manager charged in crypto insider trading case • The Register
FBI Warns of Fake Cryptocurrency Apps Stealing Millions from Investors (thehackernews.com)
My Big Coin founder guilty of $6m crypto-fraud • The Register
Insider Risk and Insider Threats
Fraud, Scams & Financial Crime
AML/CFT/Sanctions
UK Regulator Issues Record Fines as Financial Crime Surges - Infosecurity Magazine
Broker Fined £2m for Financial Crime Control Failings - Infosecurity Magazine
Insurance
82% of global insurers expect the rise in cyber insurance premiums to continue - Help Net Security
Will Your Cyber Insurance Premiums Protect You in Times of War? (darkreading.com)
Dark Web
Supply Chain and Third Parties
Software Supply Chain
Improving Software Supply Chain Cyber Security (trendmicro.com)
Why SBOMs aren't the silver bullet they're portrayed as - Help Net Security
Breaking down CIS's new software supply chain security guidance | CSO Online
Cloud/SaaS
60% of IT leaders are not confident about their secure cloud access - Help Net Security
Public Cloud Customers Admit Security Challenges - Infosecurity Magazine
The New Weak Link in SaaS Security: Devices (thehackernews.com)
Identity and Access Management
Encryption
Open Source
Open source security needs automation as usage climbs amongst organisations | ZDNet
New ‘Lightning Framework’ Linux malware installs rootkits, backdoors (bleepingcomputer.com)
The US military wants to understand the most important software on earth | MIT Technology Review
Passwords, Credential Stuffing & Brute Force Attacks
The importance of secure passwords can't be emphasized enough - Help Net Security
3rd Party Services Are Falling Short on Password Security (bleepingcomputer.com)
Okta Exposes Passwords in Clear Text for Possible Theft (darkreading.com)
Enforcing Password History in Your Windows AD to Curb Password Reuse (bleepingcomputer.com)
Social Media
LinkedIn remains the most impersonated brand in phishing attacks (bleepingcomputer.com)
Hacker selling Twitter account data of 5.4 million users for $30k (bleepingcomputer.com)
TikTok Engaging in Excessive Data Collection - Infosecurity Magazine
Privacy
Parental Controls and Child Safety
Regulations, Fines and Legislation
UK Regulator Issues Record Fines as Financial Crime Surges - Infosecurity Magazine
Legal Experts Concerned Over New UK Digital Reform Bill - Infosecurity Magazine
Understanding Proposed SEC Rules Through an ESG Lens (darkreading.com)
Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine
EU warns of risks of spillover effects associated with ongoing war - Security Affairs
US Cyber Command IDs new malware strains targeting Ukraine • The Register
Russian hackers use fake DDoS app to infect pro-Ukrainian activists (bleepingcomputer.com)
Experts Uncover New CloudMensis Spyware Targeting Apple macOS Users (thehackernews.com)
Hackers attempt to infiltrate Ukrainian tech company with backdoor malware, Talos says - CyberScoop
Will Your Cyber-Insurance Premiums Protect You in Times of War? (darkreading.com)
Hackers Target Ukrainian Software Company Using GoMet Backdoor (thehackernews.com)
Copycat DoS App Created by Russian Hackers to Target Ukraine - IT Security Guru
Albanian government websites go dark after cyber attack • The Register
Mysterious, Cloud-Enabled macOS Spyware Blows Onto the Scene (darkreading.com)
Belgium claims China-linked APT groups hit its ministries - Security Affairs
Nation State Actors
Nation State Actors – Russia
Google, EU Warn of Malicious Russian Cyber Activity | SecurityWeek.Com
Google warns Kremlin-backed goons pose as pro-Ukraine app • The Register
Russia Released a Ukrainian App for Hacking Russia That Was Actually Malware (vice.com)
Cloaked Ursa (APT29) Hackers Use Trusted Online Storage Services (paloaltonetworks.com)
Russian SVR hackers use Google Drive, Dropbox to evade detection (bleepingcomputer.com)
Russia, Iran discuss broad tech collaboration • The Register
Half of Russian spies in Europe expelled since Ukraine invasion, says MI6 chief | MI6 | The Guardian
Nation State Actors – China
Belgium says Chinese APT gangs attacked its government • The Register
Government blocks Chinese tech deal on national security grounds | Business News | Sky News
Nation State Actors – North Korea
Nation State Actors – Iran
Nation State Actors – Misc APT
Vulnerability Management
Vulnerabilities
Chrome 103 Update Patches High-Severity Vulnerabilities | SecurityWeek.Com
Critical Bugs Threaten to Crack Atlassian Confluence Workspaces Wide Open (darkreading.com)
WordPress Page Builder Plug-in Under Attack, Can't Be Patched (darkreading.com)
SonicWall: Patch critical SQL injection bug immediately (bleepingcomputer.com)
Cisco fixes bug that lets attackers execute commands as root (bleepingcomputer.com)
Atlassian reveals critical flaws across its product line • The Register
Netwrix Auditor Vulnerability Can Facilitate Attacks on Enterprises | SecurityWeek.Com
Azure's Security Vulnerabilities Are Out of Control - Last Week in AWS Blog
Oracle Releases 349 New Security Patches With July 2022 CPU | SecurityWeek.Com
0-day used to infect Chrome users could pose threat to Edge and Safari users, too | Ars Technica
Juniper Networks Patches Over 200 Third-Party Component Vulnerabilities | SecurityWeek.Com
Google Chrome Zero-Day Weaponized to Spy on Journalists (darkreading.com)
Apple Ships Urgent Security Patches for macOS, iOS | SecurityWeek.Com
Juniper Releases Patches for Critical Flaws in Junos OS and Contrail Networking (thehackernews.com)
Code Execution and Other Vulnerabilities Patched in Drupal | SecurityWeek.Com
Atlassian Rolls Out Security Patch for Critical Confluence Vulnerability (thehackernews.com)
Sector Specific
Industry specific threat intelligence reports are available.
Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.
· Automotive
· Construction
· Critical National Infrastructure (CNI)
· Defence & Space
· Education & Academia
· Energy & Utilities
· Estate Agencies
· Financial Services
· FinTech
· Food & Agriculture
· Gaming & Gambling
· Government & Public Sector (including Law Enforcement)
· Health/Medical/Pharma
· Hotels & Hospitality
· Insurance
· Legal
· Manufacturing
· Maritime
· Oil, Gas & Mining
· OT, ICS, IIoT, SCADA & Cyber-Physical Systems
· Retail & eCommerce
· Small and Medium Sized Businesses (SMBs)
· Startups
· Telecoms
· Third Sector & Charities
· Transport & Aviation
· Web3
Other News
Hackers for Hire: Adversaries Employ 'Cyber Mercenaries' | Threatpost
Companies around the globe still not implementing MFA - Help Net Security
Global Firms Fear the Worst Over Risk Management Failures - Infosecurity Magazine
Humans are becoming the primary security risk for organisations around the world - Help Net Security
What threats and challenges are CISOs and CROs most focused on? - Help Net Security
What InfoSec Pros Can Teach the Organisation About ESG (darkreading.com)
SATAn Turns Hard Drive Cable Into Antenna To Defeat Air-Gapped Security | Hackaday
Lack of staff and resources drives smaller teams to outsource security - Help Net Security
Office macro security: on-again-off-again feature now BACK ON AGAIN! – Naked Security (sophos.com)
Removing the blind spots that allow lateral movement - Help Net Security
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Threat Briefing 01 July 2022
Black Arrow Cyber Threat Briefing 01 July 2022:
-Ransomware Is the Biggest Global Cyber Threat. And The Attacks Are Still Evolving
-Study Reveals Traditional Data Security Tools Have a 60% Failure Rate Against Ransomware and Extortion
-Patchable and Preventable Security Issues Lead Causes of Q1 Attacks
-Three in Four Vulnerability Management Programs Ineffective, NopSec Research Finds
-EMEA Continues to Be a Hotspot for Malware Threats
-A New, Remarkably Sophisticated Malware Is Attacking Home and Small Office Routers
-What Are Shadow IDs, and How Are They Crucial in 2022?
-Zero-Days Aren't Going Away Anytime Soon & What Leaders Need to Know
-Half of 2022's Zero-Days Are Variants of Previous Vulnerabilities
-Human Error Remains the Top Security Issue
-Carnival Cruises Torpedoed by US States, Agrees to Pay $6m After Wave of Cyber Attacks
-Uber Ex-Security Chief Accused of Hacking Coverup Must Face Fraud Charges, Judge Rules
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
Ransomware Is the Biggest Global Cyber Threat. And The Attacks Are Still Evolving
Ransomware is the biggest cyber security threat facing the world today, with the potential to significantly affect whole societies and economies – and the attacks are unrelenting, the head of the National Cyber Security Centre (NCSC) has warned.
"Even with a war raging in Ukraine – the biggest global cyber threat we still face is ransomware. That tells you something of the scale of the problem. Ransomware attacks strike hard and fast. They are evolving rapidly, they are all-pervasive, they're increasingly offered by gangs as a service, lowering the bar for entry into cyber crime," said Lindy Cameron, CEO of the NCSC in a speech at Tel Aviv Cyber Week.
She added that the NCSC has dealt with "nationally significant incidents" along with hundreds of general cyber incidents that "affect the UK more widely every year".
While she didn't detail any specific instances of responding to ransomware incidents, Cameron warned that "these complex attacks have the potential to affect our societies and economies significantly", and implied that if it weren't for the work of NCSC incident responders, alongside their counterparts in the industry and international counterparts, the attacks could have had a major impact.
Study Reveals Traditional Data Security Tools Have a 60% Failure Rate Against Ransomware and Extortion
Titaniam, Inc., the data security platform, announced the ‘State of Data Exfiltration & Extortion Report.’ The survey revealed that while over 70% of organisations have an existing set of prevention, detection, and backup solutions, nearly 40% of organisations have been hit with ransomware attacks in the last year, and more than 70% have experienced one in the previous five years, proving existing solutions to be woefully inadequate in managing the risks and impacts from these attacks.
Data exfiltration during ransomware attacks is up 106% relative to where it was five years ago. We are seeing the emergence of a new trend where cyber criminals are no longer limiting themselves to just encrypting entire systems—they are making sure to steal data ahead of the encryption so that they can have additional leverage on the victim. The survey found that 65% of those who have experienced a ransomware attack have also experienced data theft or exfiltration due to the incident. Of those victims, 60% say the hackers used the data theft to extort them further, known as double extortion. Most of them, i.e., 59% of victims, paid the hackers, implying that they were not helped by their backup or data security tools to prevent this fate.
Data is being exposed for theft and extortion in other ways too. Nearly half (47%) uncovered publicly exposed data in their systems in the last 24 months. It was found that respondents have a mix of data security & protection (78%), prevention & detection (75%), and backup and recovery (73%) in their cyber security stacks. Still, exposure and extortion numbers imply a missing puzzle piece regarding attacks.
Patchable and Preventable Security Issues Lead Causes of Q1 Attacks
Attacks against companies spiked in Q1 2022 with patchable and preventable external vulnerabilities responsible for the bulk of attacks.
Eighty-two percent of attacks on organisations in Q1 2022 were caused by the external exposure of known vulnerabilities in the victim’s external-facing perimeter or attack surface. Those unpatched bugs overshadowed breach-related financial losses tied to human error, which accounted for 18 percent.
The numbers come from Tetra Defense and its quarterly report that sheds light on a notable uptick in cyber attacks against United States organisations between January and March 2022.
The report did not let employee security hygiene, or a lack thereof, off the hook. Tetra revealed that a lack of multi-factor authentication (MFA) mechanisms adopted by firms and compromised credentials are still major factors in attacks against organisations.
https://threatpost.com/lead-causes-of-q1-attacks/180096/
Three in Four Vulnerability Management Programs Ineffective
How at risk are organisations to unsecured vulnerabilities in their networks? NopSec, a threat and exposure management provider, gives us the answers in a new study of some 430 cyber security professionals.
Are security teams finding successful approaches to their vulnerability management, or are “open doors around their attack surface” leaving them susceptible to disaster in their organisation? The answer, as it turns out, is that some organisations are better at detection, response and remediation of their vulnerabilities.
Perhaps more importantly, others are not as locked down as they believe, according to the report. Keeping track of known vulnerabilities and responding quickly is one thing, but locating flaws they did not previously know existed is quite another.
Seventy percent of respondent say their vulnerability management program (VMP) is only somewhat effective or worse, blind spots and shadow IT remain top challenges, and vulnerabilities take too long to patch.
EMEA Continues to Be a Hotspot for Malware Threats
Ransomware detections in the first quarter of this year doubled the total volume reported for 2021, according to the latest quarterly Internet Security Report from the WatchGuard Threat Lab. Researchers also found that the Emotet botnet came back in a big way, the infamous Log4Shell vulnerability tripled its attack efforts and malicious cryptomining activity increased.
Although findings from the Threat Lab’s Q4 2021 report showed ransomware attacks trending down year over year, that all changed in Q1 2022 with a massive explosion in ransomware detections. While Q4 2021 saw the downfall of the infamous REvil cybergang, WatchGuard analysis suggests that this opened the door for the LAPSUS$ extortion group to emerge, which along with many new ransomware variants such as BlackCat – the first known ransomware written in the Rust programming language – could be contributing factors to an ever-increasing ransomware and cyber-extortion threat landscape.
The report also shows that EMEA continues to be a hotspot for malware threats. Overall regional detections of basic and evasive malware show WatchGuard Fireboxes in EMEA were hit harder than those in North, Central and South America (AMER) at 57% and 22%, respectively, followed by Asia-Pacific (APAC) at 21%.
https://www.helpnetsecurity.com/2022/06/30/emea-malware-threats/
A New, Remarkably Sophisticated Malware Is Attacking Home and Small Office Routers
An unusually advanced hacking group has spent almost two years infecting a wide range of routers in North America and Europe with malware that takes full control of connected devices running Windows, macOS, and Linux, researchers reported on June 28.
So far, researchers from Lumen Technologies' Black Lotus Labs say they've identified at least 80 targets infected by the stealthy malware, including routers made by Cisco, Netgear, Asus, and DrayTek. Dubbed ZuoRAT, the remote access Trojan is part of a broader hacking campaign that has existed since at least the fourth quarter of 2020 and continues to operate.
The discovery of custom-built malware written for the MIPS architecture and compiled for small-office and home-office routers is significant, particularly given its range of capabilities. Its ability to enumerate all devices connected to an infected router and collect the DNS lookups and network traffic they send and receive, and remain undetected, is the hallmark of a highly sophisticated threat actor.
"While compromising small office/home office (SOHO) routers as a vector to gain access to an adjacent LAN is not a novel technique, it has seldom been reported," Black Lotus Labs researchers wrote. "Similarly, reports of person-in-the-middle style attacks, such as DNS and HTTP hijacking, are even rarer and a mark of a complex and targeted operation. The use of these two techniques congruently demonstrated a high level of sophistication by a threat actor, indicating that this campaign was possibly performed by a state-sponsored organisation."
The campaign comprises at least four pieces of malware, three of them written from scratch by the threat actor. The first piece is the MIPS-based ZuoRAT, which closely resembles the Mirai internet-of-things malware that achieved record-breaking distributed denial-of-service attacks that crippled some Internet services for days. ZuoRAT often gets installed by exploiting unpatched vulnerabilities in SOHO devices.
https://www.wired.com/story/zuorat-trojan-malware-hacking-routers/
What Are Shadow IDs, and How Are They Crucial in 2022?
Just before last Christmas, in a first-of-a-kind case, JPMorgan was fined $200M for employees using non-sanctioned applications for communicating about financial strategy. No mention of insider trading, naked shorting, or any malevolence. Just employees circumventing regulation using, well, Shadow IT. Not because they tried to obfuscate or hide anything, simply because it was a convenient tool that they preferred over any other sanctioned products (which JPMorgan certainly has quite a few of.)
Visibility into unknown and unsanctioned applications has been required by regulators and also recommended by the Center for Internet Security community for a long time. Yet it seems that new and better approaches are still in demand. Gartner has identified External Attack Surface Management, Digital Supply Chain Risk, and Identity Threat Detection as the top three trends to focus on in 2022, all of which are closely intertwined with Shadow IT.
"Shadow IDs," or in other words, unmanaged employee identities and accounts in third-party services, are often created using a simple email-and-password-based registration. Cloud access security broker (CASB) and corporate single-sign-on (SSO) solutions are limited to a few sanctioned applications, and are not widely adopted on most websites and services either. This means, that a large part of an organisation's external surface - as well as its user identities - may be completely invisible.
https://thehackernews.com/2022/06/what-are-shadow-ids-and-how-are-they.html
Zero-Days Aren't Going Away Anytime Soon, and What Leaders Need to Know
Few security exploits are the source of more sleepless nights for security professionals than zero-day attacks. Just recently, researchers discovered a new vulnerability enabling hackers to achieve remote code execution within Microsoft Office. Dubbing the evolving threat the Follina exploit, researchers say all versions of Office are at risk. And because the internal security teams have no time to prepare or patch their systems to defend against these software vulnerabilities, crafty threat actors can take advantage, taking their time after they've accessed an organisation's environment to observe and exfiltrate data while remaining completely unseen.
And though sophisticated threat actors and nations have exploited zero-days for nearly two decades, last year saw a historic rise in the number of vulnerabilities detected. Both Google and Mandiant tracked a record number of zero-days last year, with the caveat that more zero-days are being discovered because security companies are getting better at finding them — not necessarily because hackers are coming up with new vulnerabilities. Not all zero-days are created equal, though. Some require sophisticated and novel techniques, like the attack on SolarWinds, and others exploit simple vulnerabilities in commonly used programs like Windows. Thankfully, there's some basic cyber hygiene strategies that can keep your organisation sufficiently prepared to mitigate zero-day exploits.
Half of 2022's Zero-Days Are Variants of Previous Vulnerabilities
Google Project Zero has observed a total of 18 exploited zero-day vulnerabilities in the first half of 2022, at least half of which exist because previous bugs were not properly addressed.
According to Google Project Zero researcher Maddie Stone, nine of the in-the-wild zero-days seen so far this year could have been prevented had organisations applied more comprehensive patching.
“On top of that, four of the 2022 zero-days are variants of 2021 in-the-wild zero-days. Just 12 months from the original in-the-wild zero-day being patched, attackers came back with a variant of the original bug,” Stone says.
The most recent of these issues is the Follina vulnerability in the Windows platform. Tracked as CVE-2022-30190, it is a variant of an MSHTML zero-day tracked as CVE-2021-40444.
CVE-2022-21882 is another Windows vulnerability that is a variant of an in-the-wild zero-day that was improperly resolved last year, namely CVE-2021-1732.
An iOS IOMobileFrameBuffer bug (CVE-2022-22587) and a type confusion flaw in Chrome’s V8 engine (CVE-2022-1096) are two other zero-days that are variants of exploited security flaws found last year – CVE-2021-30983 and CVE-2021-30551, respectively.
Other 2022 zero-days that are variants of improperly addressed security defects are CVE-2022-1364 (Chrome), CVE-2022-22620 (WebKit), CVE-2021-39793 (Google Pixel), CVE-2022-26134 (Atlassian Confluence), and CVE-2022-26925 (Windows flaw called PetitPotam).
https://www.securityweek.com/google-half-2022s-zero-days-are-variants-previous-vulnerabilities
Human Error Remains the Top Security Issue
Human error remains the most effective vector for conducting network infiltrations and data breaches.
The SANS Institute security centre issued its annual security awareness report Wednesday, which was based on data from 1,000 infosec professionals and found that employees and their lack of security training remain common points of failure for data breaches and network attacks. The report also tracked the maturity level of respondents' security awareness programs and their effectiveness in reducing human risk.
"This year's report once again identifies what we have seen over the past three years: that the most mature security awareness programs are those that have the most people dedicated to managing and supporting it," the cyber security training and education organisation said.
"These larger teams are more effective at working with the security team to identify, track, and prioritise their top human risks, and at engaging, motivating, and training their workforce to manage those risks."
The SANS Institute study ranked maturity by five levels, from lowest to highest: nonexistent, compliance-focused, promoting awareness and behaviour change, long-term sustainment and culture change, and metrics framework. The report found that while approximately 400 respondents said their programs promote awareness and behaviour change - the highest such response for any maturity level - the number represented a 10% decrease from the previous year's report.
Carnival Cruises Torpedoed by US States, Agrees to Pay $6m After Wave of Cyber Attacks
Carnival Cruise Lines will cough up more than $6 million to end two separate lawsuits filed by 46 states in the US after sensitive, personal information on customers and employees was accessed in a string of cyber attacks.
A couple of years ago, as the coronavirus pandemic was taking hold, the Miami-based business revealed intruders had not only encrypted some of its data but also downloaded a collection of names and addresses; Social Security info, driver's license, and passport numbers; and health and payment information of thousands of people in almost every American state.
It all started to go wrong more than a year prior, as the cruise line became aware of suspicious activity in May 2019. This apparently wasn't disclosed until 10 months later, in March 2020.
Back in 2019, the security operations team spotted an internal email account sending spam to other addresses. It turned out miscreants had hijacked 124 employee Microsoft Office 365 email accounts, and were using them to send phishing emails to harvest more credentials. This, we're told, gave the intruders access to personal data on 180,000 Carnival employees and customers. It's likely the miscreants first broke in using phishing mails or brute-forcing passwords; either way, there was no multi-factor authentication.
Then in August 2020, the company said it was hit with the aforementioned ransomware, and copies of its files were siphoned. In January 2021, it was infected again with malware, and again sensitive information – specifically, customer passport numbers and dates of birth, and employee credit card numbers – were downloaded. And in March that year, a staffer's work email account was compromised again to send out a phishing email; more sensitive information was exposed.
https://www.theregister.com/2022/06/28/carnival-cybersecurity-fines/
Uber Ex-Security Chief Accused of Hacking Coverup Must Face Fraud Charges, Judge Rules
A federal judge on Tuesday said a former Uber Technologies Inc. security chief must face wire fraud charges over his alleged role in trying to cover up a 2016 hacking that exposed personal information of 57 million passengers and drivers.
The US Department of Justice had in December added the three charges against Joseph Sullivan to an earlier indictment, saying he arranged to pay money to two hackers in exchange for their silence, while trying to conceal the hacking from passengers, drivers and the US Federal Trade Commission.
Threats
Ransomware
Record-Breaking Year for Ransomware Attacks, WatchGuard Research Predicts - MSSP Alert
Cyber Security Experts Warn of Emerging Threat of "Black Basta" Ransomware (thehackernews.com)
AstraLocker 2.0 infects users directly from Word attachments (bleepingcomputer.com)
Black Basta Ransomware Gang Attacks 50 Companies, Cybereason Reports - MSSP Alert
How Dangerous Is BlackBasta Ransomware? (informationsecuritybuzz.com)
LockBit 3.0 Debuts With Ransomware Bug Bounty Program (darkreading.com)
Son of Conti: Ransomware tries its hand at politics - The Record by Recorded Future
Kaseya Ransomware - Cyber Leader’s Thoughts & Learnings One Year Later (informationsecuritybuzz.com)
Are Protection Payments the Future of Ransomware? (tripwire.com)
Conti vs. LockBit: A Comparative Analysis of Ransomware Groups (trendmicro.com)
This new malware is at the heart of the ransomware ecosystem | ZDNet
Macmillan Publishing shuts down systems after likely ransomware attack (bleepingcomputer.com)
Walmart denies being hit by Yanluowang ransomware attack (bleepingcomputer.com)
Fake copyright infringement emails install LockBit ransomware (bleepingcomputer.com)
Cisco Talos techniques uncover ransomware sites on dark web (techtarget.com)
RansomHouse gang claims to have some stolen AMD data • The Register
'Prolific' NetWalker extortionist pleads guilty • The Register
Phishing & Email Based Attacks
Google Warns About Hacker-for-Hire Services Trying to Phish Users (pcmag.com)
Clever phishing method bypasses MFA using Microsoft WebView2 apps (bleepingcomputer.com)
Cyber Attacks via Unpatched Systems Cost Orgs More Than Phishing (darkreading.com)
How phishing attacks are becoming more sophisticated - Help Net Security
How Evilnum Cyber Attacks Target Microsoft Office Files - MSSP Alert
New Matanbuchus Campaign drops Cobalt Strike beacons - Security Affairs
Kaspersky Reveals Phishing Emails That Employees Find Most Confusing (darkreading.com)
Ukraine arrests cyber crime gang operating over 400 phishing sites (bleepingcomputer.com)
Malware
Microsoft finds Raspberry Robin worm in hundreds of Windows networks (bleepingcomputer.com)
Microsoft Exchange servers worldwide backdoored with new malware (bleepingcomputer.com)
Microsoft warning: This malware that targets Linux just got a big update | ZDNet
ZuoRAT Hijacks SOHO Routers From Cisco, Netgear (darkreading.com)
XFiles info-stealing malware adds support for Follina delivery (bleepingcomputer.com)
Raccoon Stealer is back with a new version to steal your passwords (bleepingcomputer.com)
PyPi python packages caught sending stolen AWS keys to unsecured sites (bleepingcomputer.com)
Mobile
Android Spyware 'Revive' Upgraded to Banking Trojan - Infosecurity Magazine
Phone Hackers: 9 Ways To Tell If You Have Fallen Victim (informationsecuritybuzz.com)
Google Warns of New Spyware Targeting iOS and Android Users - IT Security Guru
Internet of Things – IoT
Data Breaches/Leaks
Leaky Access Tokens Exposed Amazon Photos of Users | Threatpost
California gun dashboards expose 10 years of personal data • The Register
Organised Crime & Criminal Actors
Russia-China cyber criminal collaboration could “destabilize” international order | CSO Online
Canadian admits to hacking spree with Russian cyber-gang - BBC News
Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain
Pentagon finds concerning vulnerabilities on blockchain | TechRepublic
Hackers steal $100m from another breached crypto bridge | TechRadar
Santander Warns of 87% Surge in UK Crypto Scams - Infosecurity Magazine
Dozens of cryptography libraries vulnerable to private key theft | The Daily Swig (portswigger.net)
Missing Cryptoqueen: FBI adds Ruja Ignatova to top ten most wanted - BBC News
Singapore warns of ‘brutal, unrelentingly hard’ crypto regs • The Register
Insider Risk and Insider Threats
Rogue HackerOne employee steals bug reports to sell on the side (bleepingcomputer.com)
Japanese worker loses city's personal data in USB fail • The Register
How you handle independent contractors may determine your insider threat risk | CSO Online
Fraud, Scams & Financial Crime
Threat actors increasingly use third parties to run their scams - Help Net Security
Santander Warns of 87% Surge in UK Crypto Scams - Infosecurity Magazine
Evolving online habits have paved the way for fraud. What can we do about it? - Help Net Security
Insurance
Software Supply Chain
It's a Race to Secure the Software Supply Chain — Have You Already Stumbled? (darkreading.com)
Over a Decade in Software Security: What Have We learned? - IT Security Guru
Denial of Service DoS/DDoS
Attack Surface Management
Shadow IT
Open Source
Passwords, Credential Stuffing & Brute Force Attacks
RansomHouse Hackers Claim to Breach AMD With Bad Passwords (gizmodo.com)
Breaking Down the Zola Hack and Why Password Reuse is so Dangerous (bleepingcomputer.com)
Raccoon Stealer is back with a new version to steal your passwords (bleepingcomputer.com)
Social Media
Verified Twitter accounts hacked to send fake suspension notices (bleepingcomputer.com)
Facebook Business Pages Targeted via Chatbot in Data-Harvesting Campaign (darkreading.com)
New YTStealer malware steals accounts from YouTube Creators (bleepingcomputer.com)
Facebook 2FA phish arrives just 28 minutes after scam domain created – Naked Security (sophos.com)
Training, Education and Awareness
Privacy
‘Supercookies’ Have Privacy Experts Sounding the Alarm | WIRED
UK should immediately ban use of live facial recognition, warns report | Financial Times (ft.com)
Snoopers’ Charter Ruled Partially Unlawful - Infosecurity Magazine
We must stop sleepwalking towards a surveillance state | Financial Times (ft.com)
Parental Controls and Child Safety
Regulations, Fines and Legislation
Manx government department fined over data breach - BBC News
Clearview fine: The unacceptable face of modern surveillance - Help Net Security
Law Enforcement Action and Take Downs
Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine
NATO to create cyber rapid response force, increase cyber defence aid to Ukraine - CyberScoop
Evilnum hackers return in new operation targeting migration orgs (bleepingcomputer.com)
Commercial cyber products must be used responsibly, says NCSC CEO (computerweekly.com)
G7 to tackle cyber threats and disinformation from Russia: communique | Reuters
Google Warns of New Spyware Targeting iOS and Android Users - IT Security Guru
China lured graduate jobseekers into digital espionage | Ars Technica
Nation State Actors
Nation State Actors – Russia
Ukraine targeted by almost 800 cyber attacks since the war started (bleepingcomputer.com)
Russian Hacker Group Says Cyber Attacks Continue On Lithuania (informationsecuritybuzz.com)
Russian hacktivists take down Norway govt sites in DDoS attacks (bleepingcomputer.com)
Russia's Killnet hacker group says it attacked Lithuania | Reuters
Nation State Actors – China
Chinese Hackers Target Building Management Systems | SecurityWeek.Com
China lured graduate jobseekers into digital espionage | Ars Technica
Nation State Actors – North Korea
Vulnerability Management
Why more zero-day vulnerabilities are being found in the wild | CSO Online
Cyber Attacks via Unpatched Systems Cost Orgs More Than Phishing (darkreading.com)
Microsoft's quiet mishandling of vulnerabilities is becoming a public mess - OnMSFT.com
Vulnerabilities
MITRE shares this year's list of most dangerous software bugs (bleepingcomputer.com)
How and why threat actors target Microsoft Active Directory | CSO Online
Atlassian Confluence Exploits Peak at 100K Daily (darkreading.com)
Patch Now: Linux Container-Escape Flaw in Azure Service Fabric (darkreading.com)
Zoho ManageEngine ADAudit Plus bug gets public RCE exploit (bleepingcomputer.com)
OpenSSL 3.0.5 awaits release to fix potential security flaw • The Register
CISA: Adopt Modern Auth now for Exchange Online • The Register
CISA Warns of Active Exploitation of 'PwnKit' Linux Vulnerability in the Wild (thehackernews.com)
CISA orders agencies to patch Windows LSA bug exploited in the wild (bleepingcomputer.com)
Log4Shell Vulnerability in VMware Leads to Data Exfiltration and Ransomware (trendmicro.com)
Jenkins discloses dozens of zero-day bugs in multiple plugins (bleepingcomputer.com)
New UnRAR Vulnerability Could Let Attackers Hack Zimbra Webmail Servers (thehackernews.com)
Sector Specific
Critical National Infrastructure (CNI)
Financial Services Sector
FinTech
A Fintech Horror Story: How One Company Prioritizes Cyber Security (darkreading.com)
Security and compliance concerns limit ‘open finance’ expansion, say executives (scmagazine.com)
Telecoms
OT, ICS, IIoT, SCADA and Cyber-Physical Systems
APT Hackers Targeting Industrial Control Systems with ShadowPad Backdoor (thehackernews.com)
Cyber-Physical Security: Benchmarking to Advance Your Journey | SecurityWeek.Com
Critical Security Flaws Identified in CODESYS ICS Automation Software (thehackernews.com)
Microsoft Exchange bug abused to hack building automation systems (bleepingcomputer.com)
5 Cyber Security Tips for Smart Buildings - IT Security Guru
Chinese Hackers Target Building Management Systems | SecurityWeek.Com
OT security: Helping under-resourced critical infrastructure organisations - Help Net Security
Energy & Utilities
Oil, Gas and Mining
Food and Agriculture
Education and Academia
Web3
Reports Published in the Last Week
Q1 2022 Incident Response Insights from Tetra Defense | Arctic Wolf
Defending Ukraine: Early Lessons from the Cyber War - Microsoft On the Issues
Other News
Cyber Attacks Gain Steam in Early '22: Tetra Defense Report - MSSP Alert
FBI warns crooks are using deepfake videos in job interviews • The Register
Destructive firmware attacks pose a significant threat to businesses - Help Net Security
48% of security practitioners seeing 3x increase in alerts per day - Help Net Security
Adversarial machine learning explained: How attackers disrupt AI and ML systems | CSO Online
82% Cyber Breaches In Verizon’s Report Preventable, Says MyCena (informationsecuritybuzz.com)
SolarWinds hack explained: Everything you need to know (techtarget.com)
Properly securing APIs is becoming increasingly urgent - Help Net Security
97% Of UK Business Leaders Expect Quantum Computing to Disrupt Their Sectors - Infosecurity Magazine
LGBTQ+ folks warned of dating app extortion scams • The Register
What is Zero Trust and why would you want it? • The Register
Tencent admits to poisoned QR code attack on QQ accounts • The Register
Exploring the insecurity of readily available Wi-Fi networks - Help Net Security
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.