Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

• Turbulent Cyber Insurance Market Sees Rising Prices And Sinking Coverage

As insurers and brokers reckon with unexpected losses, they're charging more for policies and setting higher requirements.

Chaos reigns in the cyber insurance market. Brokers and cyber insurance carriers — the companies that actually offer the policies — are tightening requirements on what applicants need to do to obtain policies due to losses the insurers have suffered from ransomware coverage. During the past year, premiums grew 18% in the first quarter of 2021 and were up 34% in the fourth quarter of 2021, according to Jess Burn, senior analyst at Forrester.

Organisations often find they cannot obtain cyber insurance, are not being renewed for coverage they already have, or are faced with soaring prices and shrinking coverage. Despite the value many organisations put on cyber insurance — in some cases, they're required to carry it to comply with regulations — obtaining such policies is getting more difficult.

While raising premiums, some insurers are reducing coverage. If an organisation bought $10 million worth of coverage for a given price in 2021, for example, renewing that policy in 2022 might see the coverage amount fall to $3 million and the premiums for that lower coverage rise. This phenomenon is due, in part, to insurers trying to strike the right balance of customers' risk profile versus their risk-mitigation efforts.

https://www.darkreading.com/edge-articles/turbulent-cyber-insurance-market-sees-rising-prices-and-sinking-coverage

• Ransomware Attacks Still The #1 Threat To Businesses And Organisations

In 2021, ransomware attacks continued to be one of the most prominent threats targeting businesses and organisations worldwide.

High-profile attacks disrupted operations of companies in various sectors.

For example, the Colonial Pipeline attack interrupted critical infrastructure, the JBS Foods attack influenced food processing, and the CNA breach disrupted the insurance industry.

Following the attacks, pressure of law enforcement on ransomware gangs intensified, though simultaneously these threat actors continued to evolve.

They are not only becoming more technologically sophisticated but are also extensively leveraging the growing cyber crime ecosystem looking to find new partners, services and tools for their operations.

https://www.helpnetsecurity.com/2022/05/30/ransomware-trends-video/

• Third Of UK Firms Have Experienced A Security Breach Since 2020

Cyber threats are behind soaring fraud and economic crime in the UK, where rates are now second only globally to South Africa, according to PwC.

The consulting giant’s latest Global Economic Crime Survey revealed that nearly two-thirds (64%) of UK businesses experienced fraud, corruption or other economic/financial crime during the past 24 months, a significant increase on the 56% recorded in 2020, and 50% in 2018.

It’s also much higher than the 2022 global average of 46%, PwC said.

Cyber crime was the most commonly reported fraud type, although figures here dropped from 42% in 2020 to 32% in 2022. Included for the first time in the report, supply chain incidents accounted for 19%.

Most (51%) reported fraud cases in the UK were traced back to external parties, versus just 43% globally. The top three culprits were cited as customers, hackers and vendors/suppliers.

https://www.infosecurity-magazine.com/news/third-uk-security-breach-2020/

• There Is No Good Digital Transformation Without Cyber Security

Network engineers and CIOs agree that cyber security issues represent the biggest risk for organisations that fail to put networks at the heart of digital transformation plans. According to research commissioned by Opengear, 53% of network engineers and 52% of CIOs polled in the US, UK, France, Germany, and Australia rank cyber security among the list of their biggest risks.

The concerns are fuelled by an escalating number of cyber attacks. In fact, 61% of CIOs report an increase in cyber security attacks/breaches from 2020-21 compared to the preceding two years. For digital transformation of networking, 70% of network engineers say security is the most important focus area, and 31% say network security is their biggest networking priority.

Digital transformation is a priority, but cyber security risk remains. CIOs also understand the importance of the issues. 51% of network engineers say their CIOs have consulted them on investments to deliver digital transformation plans, the highest priority in the survey.

What’s more, 41% of CIOs rank cyber security among their organisation’s most important investment priorities over the next year, with 35% stating it is among the biggest over the next five years. In both cases, cyber security ranks higher than any other factor.

https://www.helpnetsecurity.com/2022/05/31/digital-transformation-cybersecurity-risk/

• Ransomware Gang Now Hacks Corporate Websites To Show Ransom Notes

A ransomware gang is taking extortion to a new level by publicly hacking corporate websites to publicly display ransom notes.

This new extortion strategy is being conducted by Industrial Spy, a data extortion gang that recently began using ransomware. As part of their attacks, Industrial Spy will breach networks, steal data, and deploy ransomware on devices. The threat actors then threaten to sell the stolen data on their Tor marketplace if a ransom is not paid.

When ransomware gangs extort a victim, they typically give them a short window, usually a few weeks, to negotiate and pay a ransom before they start leaking data.

During this negotiation process, the threat actors promise to keep the attack secret, provide a decryption key, and delete all data if a ransom is paid.

After this period, the threat actors will use various methods to increase pressure, including DDoS attacks on corporate websites, emailing customers and business partners, and calling executives with threats.

These tactics are all done privately or with minimal exposure on their data leak sites, which are usually only visited by cyber security researchers and the media.

However, this is the first time we have seen a ransomware gang defacing a website to very publicly display a ransom note.

https://www.bleepingcomputer.com/news/security/ransomware-gang-now-hacks-corporate-websites-to-show-ransom-notes/

• Attackers Are Leveraging Follina, A Critical Microsoft Windows Vulnerability Affecting Nearly All Versions of Windows and Windows Server. What Can You Do?

As the world is waiting for Microsoft to push out a patch for CVE-2022-30190, aka “Follina”, attackers around the world are exploiting the vulnerability in a variety of campaigns.

Microsoft has described CVE-2022-30190 as a Microsoft Windows Support Diagnostic Tool (MSDT) remote code execution vulnerability, confirmed it affects an overwhelming majority of Windows and Windows Server versions, and advised on a workaround to be implemented until a patch is ready.

https://www.helpnetsecurity.com/2022/06/03/patch-cve-2022-30190/

• Ransomware Attacks Need Less Than Four Days To Encrypt Systems

The duration of ransomware attacks in 2021 averaged 92.5 hours, measured from initial network access to payload deployment. In 2020, ransomware actors spent an average of 230 hours to complete their attacks and 1637.6 hours in 2019.

This change reflects a more streamlined approach that developed gradually over the years to make large-scale operations more profitable.

At the same time, improvements in incident response and threat detection have forced threat actors to move quicker, to leave defenders with a smaller reaction margin.

The data was collected by researchers at IBM's X-Force team from incidents analysed in 2021. They also noticed a closer collaboration between initial access brokers and ransomware operators.

Previously, network access brokers might wait for multiple days or even weeks before they found a buyer for their network access.

In addition, some ransomware gangs now have direct control over the initial infection vector, an example being Conti taking over the TrickBot malware operation.

Malware that breaches corporate networks is quickly leveraged to enable post-exploitation stages of the attack, sometimes completing its objectives in mere minutes.

https://www.bleepingcomputer.com/news/security/ransomware-attacks-need-less-than-four-days-to-encrypt-systems/

• 57% Of All Digital Crimes In 2021Were Scams

Group-IB shares its analysis of the landscape of the most widespread cyber threat in the world: scams. Accounting for 57% of all financially motivated cyber crime, the scam industry is becoming more structured and involves more and more parties divided into hierarchical groups.

The number of such groups jumped to a record high of 390, which is 3.5 times more than last year, when the maximum number of active groups was close to 110. Due to SaaS (Scam-as-a-Service), in 2021 the number of cyber criminals in one scam gang increased 10 times compared to 2020 and now reaches 100.

Traffic has become the circulatory system of scam projects: researchers emphasise that the number of websites used for purchasing and providing “grey” and illegal traffic and that lure victims into fraudulent schemes has increased by 1.5 times. Scammers are going into 2022 on a new level of scam attack automation: no more non-targeted users. Scammers are now attracting specific groups of victims to increase conversion rates. Social media are more often becoming the first point of contact between scammers and their potential victims.

https://www.helpnetsecurity.com/2022/05/31/scams-widespread-cyber-threat/

• Intelligence Is Key To Strategic Business Decisions

Businesses have a growing need for greater relevance in the intelligence they use to inform critical decision-making. Currently just 18% of professionals responsible for security, risk, or compliance in their organisation feel that the intelligence they receive is “very specific and focused on their business”, a S-RM research reveals.

6 in 10 respondents also say the intelligence they receive takes too much time to analyse, meaning it does not always result in better informed decision making. This was the top reason behind dissatisfaction with external intelligence, identified by over 200 professionals working at companies with revenues of over $250 million.

The second most likely reason was that information was not tailored to business needs (47%), followed by too much information (35%).

Growing demand for the use of strategic intelligence has been prompted by increasing cyber (51%) and regulatory concerns (50%). And while these two factors have been climbing the boardroom agenda for years, geopolitical uncertainty has made the need to respond to these developments more acute. In particular, the Russia-Ukraine conflict has created a complex sanctions regime for businesses to operate.

Additionally, navigating the complexities of the COVID-19 pandemic has been a key challenge for businesses in the past three years, with 40% citing this as a catalyst in driving a growing need for strategic intelligence.

https://www.helpnetsecurity.com/2022/06/03/intelligence-decision-making/

• How Cyber Criminals Are Targeting Executives At Home And Their Families

Top executives and their families are increasingly being targeted on their personal devices and home networks, as sophisticated threat actors look for new ways to bypass corporate security and get direct access to highly sensitive data.

https://www.helpnetsecurity.com/2022/06/01/cybercriminals-targeting-executives-video/

Threats

Ransomware

• Cyber criminals Expand Attack Radius and Ransomware Pain Points | Threatpost

• FBI, CISA warn: Don't get caught in Karakurt's web • The Register

• Conti ransomware targeted Intel firmware for stealthy attacks (bleepingcomputer.com)

• GoodWill Ransomware victims have to perform socially driven activities to decryption their dataSecurity Affairs

• YourCyanide Ransomware Propagates With PasteBin, Discord, Microsoft Links (darkreading.com)

• Conti Leaks Reveal Ransomware Gang's Interest in Firmware-based Attacks (thehackernews.com)

• Evil Corp switches to LockBit ransomware to evade sanctions (bleepingcomputer.com)

• Ransomware attack sends New Jersey county back to 1977 • The Register

• Ransomware roundup: System-locking malware dominates headlines | CSO Online

• What if ransomware evolved to hit IoT in the enterprise? • The Register

• How Costa Rica found itself at war over ransomware | CSO Online

• Experts warn of ransomware attacks on government orgs of small states - Security Affairs

• Foxconn confirms ransomware attack disrupted production in Mexico (bleepingcomputer.com)

• Hanesbrands says it suffered a ransomware attack on May 24 and has informed law enforcement - MarketWatch

• Why Ransomware Timeline Shrinks By 94%? – Information Security Buzz

• Hundreds of Elasticsearch databases targeted in ransom attacks (bleepingcomputer.com)

BEC – Business Email Compromise

• Why Stopping Business Email Compromise (BEC) Needs To Be A Priority For MSPs - MSSP Alert

• Language-based BEC attacks rising - Help Net Security

Phishing & Email Based Attacks

• Watch out for phishing emails that inject spyware trio • The Register

• Existential Phishing Schemes | The New Yorker

• Telegram’s blogging platform abused in phishing attacks (bleepingcomputer.com)

Other Social Engineering

• Hacker steals Verizon employee database after tricking worker into granting remote access (bitdefender.com)

• Vishing attacks: What they are and how organisations can protect themselves - Help Net Security

• Beware the Smish! Home delivery scams with a professional feel… – Naked Security (sophos.com)

Malware

• New XLoader Botnet Version Using Probability Theory to Hide its C&C Servers (thehackernews.com)

• LuoYu APT delivers WinDealer malware via man-on-the-side attacks - Security Affairs

• EnemyBot malware adds enterprise flaws to exploit arsenal • The Register

• Researchers Uncover Malware Controlling Thousands of Sites in Parrot TDS Network (thehackernews.com)

• Logic bombs explained: Definition, examples, and prevention | CSO Online

Mobile

• Top 10 Android banking trojans target apps with 1 billion downloads (bleepingcomputer.com)

• WhatsApp accounts hijacked by call forwarding | Malwarebytes Labs

• SideWinder Hackers Use Fake Android VPN Apps to Target Pakistani Entities (thehackernews.com)

• SMSFactory Android malware sneakily subscribes to premium services (bleepingcomputer.com)

• Phishers Having a Field Day on WhatsApp, Telegraph (darkreading.com)

• Apple blocked 1.6 millions apps from defrauding users in 2021 (bleepingcomputer.com)

Organised Crime & Criminal Actors

• FBI warns of Ukrainian charities impersonated to steal donations (bleepingcomputer.com)

• Euro Cops Bust $47m Money Laundering Operation - Infosecurity Magazine (infosecurity-magazine.com)

• Three Nigerian Users of Agent Tesla RAT Arrested | SecurityWeek.Com

Cryptocurrency/Cryptomining/Cryptojacking/NFTs

• Americans report losing over $1 billion to cryptocurrency scams (bleepingcomputer.com)

• Clipminer malware gang stole $1.7M by hijacking crypto payments (bleepingcomputer.com)

• Bored Ape Yacht Club, Otherside NFTs stolen in Discord server hack (bleepingcomputer.com)

• WatchDog hacking group launches new Docker cryptojacking campaign (bleepingcomputer.com)

Fraud, Scams & Financial Crime

• $39.5 billion lost to phone scams in last year - Help Net Security

• Fast loan scam: Here's how it works and why Lloyds Bank has put out an urgent warning | This is Money

• Britain's biggest bank issues 'urgent warning' over new scam (telegraph.co.uk)

• Scams account for most of all financially motivated cyber crime - Help Net Security

AML/CFT/Sanctions

• Evil Corp Pivots LockBit to Dodge US Sanctions | Threatpost

Supply Chain and Third Parties

• To better manage cyber security risk, extend zero-trust principles to third parties | TechCrunch

Denial of Service DoS/DDoS

• DDoS threats growing in sophistication, size, and frequency - Help Net Security

• DDoS attackers continue to innovate, devising new threats and altering attack strategies - Help Net Security

Open Source

• Linux malware is on the rise—6 types of attacks to look for | CSO Online

• The Open Source Software Security Mobilization Plan: Takeaways for security leaders | CSO Online

Privacy

• Vodafone plans carrier-level user tracking for targeted ads (bleepingcomputer.com)

• Europe's hope to scan devices for unlawful files criticized • The Register

Passwords & Credential Stuffing

• Why are many businesses still not using a password manager? - Help Net Security

Regulations, Fines and Legislation

• ExpressVPN Removes Servers in India After Refusing to Comply with Government Order (thehackernews.com)

Spyware, Espionage & Cyber Warfare, including Russian Invasion of Ukraine

• NSA general confirms US offensive cyber ops in Ukraine war • The Register

• Deadly Secret: Electronic Warfare Shapes Russia-Ukraine War | SecurityWeek.Com

• Anonymous: Operation Russia after 100 days of war - Security Affairs

• Chinese LuoYu hackers deploy cyber-espionage malware via app updates (bleepingcomputer.com)

Nation State Actors

Nation State Actors – Russia

• Germany issues fresh warning to banks of cyber attacks due to Ukraine war | Reuters

Nation State Actors – China

• China-linked TA413 group actively exploits Microsoft Follina Zero-Day flawSecurity Affairs

• Chinese state media propaganda found in 88% of Google, Bing news searches - CyberScoop

• Chinese LuoYu Hackers Using Man-on-the-Side Attacks to Deploy WinDealer Backdoor (thehackernews.com)

• How Beijing’s surveillance cameras crept into Britain’s corridors of power (telegraph.co.uk)

Nation State Actors – North Korea

• The day the NHS was held to ransom by North Korean cyber hackers (telegraph.co.uk)

Nation State Actors – Iran

• Microsoft Disables Iran-Linked Lebanese Hacking Group Polonium (darkreading.com)

• Iranian hackers planned attack on Boston Children's Hospital last summer, FBI director says - CyberScoop

Nation State Actors – Misc APT

• Microsoft blocks Polonium hackers from using OneDrive in attacks (bleepingcomputer.com)

• Snake carried out over 1,000 attacks since April 2020 - Security Affairs

• SideWinder Hackers Launched Over a 1,000 Cyber Attacks Over the Past 2 Years (thehackernews.com)

Vulnerability Management

• Focus resources on patching most threatening vulns: research • The Register

Vulnerabilities

• CISA adds 75 vulnerabilities to catalogue in 3 days- IT Security Guru

• Fighting Follina: Application Vulnerabilities and Detection Possibilities (darkreading.com)

• Yet another zero-day (sort of) in Windows “search URL” handling – Naked Security (sophos.com)

• Microsoft Releases Workarounds for Office Vulnerability Under Active Exploitation (thehackernews.com)

• Actively Exploited Atlassian Zero-Day Bug Allows Full System Takeover (darkreading.com)

• Microsoft Azure vulnerabilities pose new cloud security risk - Protocol

• GitLab Issues Security Patch for Critical Account Takeover Vulnerability (thehackernews.com)

• New Unpatched Horde Webmail Bug Lets Hackers Take Over Server by Sending Email (thehackernews.com)

Sector Specific

Financial Services Sector

• Germany issues fresh warning to banks of cyber attacks due to Ukraine war | Reuters

Government

• Experts warn of ransomware attacks on government orgs of small states - Security Affairs

Health/Medical/Pharma Sector

• Twice as Many Healthcare Organisations Now Pay Ransom - Infosecurity Magazine

• Novartis says no sensitive data was compromised in cyber attack (bleepingcomputer.com)

• Costa Rica’s public health agency hit by Hive ransomware (bleepingcomputer.com)

Transport and Aviation

• Turkish airline suffers 6.5TB data leak - IT Security Guru

CNI, OT, ICS, IIoT and SCADA

• Vendor Refuses to Remove Backdoor Account That Can Facilitate Attacks on Industrial Firms | SecurityWeek.Com

• Industrial IoT ransomware attacks control systems directly (scmagazine.com)

• Researchers Demonstrate Ransomware for IoT Devices That Targets IT and OT Networks (thehackernews.com)

Food and Agriculture

• JBS Foods cyber attack highlights industry vulnerabilities to Russian hackers - ABC News

Web3

• Why web3 companies get hacked so often, according to crypto VC Grace Isford | TechCrunch

Other News

• How Failing to Prioritize Cyber Security can Hurt Your Company (analyticsinsight.net)

• Cyber security needs a whole-of-society effort | The Hill

• 40% of enterprises don't include business-critical systems in their cyber security monitoring - Help Net Security

• Bad news: The cyber security skills crisis is about to get even worse | ZDNet

• Nearly Three-Quarters of Firms Suffer Downtime from DNS Attacks - Infosecurity Magazine

• CIOs and network engineers rank cyber security among the biggest risks - Help Net Security

• How USB Drives Can Be a Danger to Your Computer (howtogeek.com)

• Australian digital driver's licenses hackable in minutes • The Register

• Over 3.6 million MySQL servers found exposed on the Internet (bleepingcomputer.com)

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

Microsoft Sees Rampant Log4j Exploit Attempts, Testing

Microsoft says it’s only going to get worse: It’s seen state-sponsored and cyber-criminal attackers probing systems for the Log4Shell flaw through the end of December.

No surprise here: The holidays bought no Log4Shell relief.

Threat actors vigorously launched exploit attempts and testing during the last weeks of December, Microsoft said on Monday, in the latest update to its landing page and guidance around the flaws in Apache’s Log4j logging library.

“We have observed many existing attackers adding exploits of these vulnerabilities in their existing malware kits and tactics, from coin miners to hands-on-keyboard attacks,” according to Microsoft.

https://threatpost.com/microsoft-rampant-log4j-exploits-testing/177358/

Warning: Log4j Still Lurks Where Dependency Analysis Can’t Find It

The best programming practice to include a third-party library in source code is to use the import command. It is the easiest way to do it, and it is also the way that most dependency analysis programs work to determine if a vulnerable library is in play. But any time code is included without calling it as an external package, traditional dependency analysis might not be enough to find it — including when Java coders use a common trick to resolve conflicting dependencies during the design process.

A new study by jFrog found that 400 packages on repository Maven Central used Log4j code without calling it as an external package. Around a third of that came from fat jars — jar files that include all external dependencies to make a more efficient product. The remainder came from directly inserting Log4j code into the source code, including shading, a work-around used when two or more dependencies call different versions of the same library in a way that might conflict.

While 400 may not seem like a lot for Maven Central, where Google found 17,000 packages implementing the vulnerable Log4j library, some of the 400 packages unearthed by JFrog are widely used.

https://www.scmagazine.com/analysis/devops/warning-log4j-still-lurks-where-dependency-analysis-cant-find-it

Hackers Sending Malware-Filled USB Sticks to Companies Disguised as Presents

The "malicious USB stick" trick is old but apparently it's still wildly popular with the crooks.

Word to the wise: If a stranger ever offers you a random USB stick as a gift, best not to take it.

On Thursday, the FBI warned that a hacker group has been using the US mail to send malware-laden USB drives to companies in the defence, transportation and insurance industries. The criminals’ hope is that employees will be gullible enough to stick them into their computers, thus creating the opportunity for ransomware attacks or the deployment of other malicious software, The Record reports.

The hacker group behind this bad behaviour—a group called FIN7—has gone to great lengths to make their parcels appear innocuous. In some cases, packages were dressed up as if they were sent by the US Department of Health and Human Services, with notes explaining that the drives contained important information about COVID-19 guidelines. In other cases, they were delivered as if they had been sent via Amazon, along with a “decorative gift box containing a fraudulent thank you letter, counterfeit gift card, and a USB,” according to the FBI warning.

https://gizmodo.com/hackers-have-been-sending-malware-filled-usb-sticks-to-1848323578

Patch Systems Vulnerable To Critical Log4j Flaws, UK And US Officials Warn

One of the highest-severity vulnerabilities in years, Log4Shell remains under attack.

Criminals are actively exploiting the high-severity Log4Shell vulnerability on servers running VMware Horizon in an attempt to install malware that allows them to gain full control of affected systems, the UK’s publicly funded healthcare system is warning.

CVE-2021-44228 is one of the most severe vulnerabilities to come to light in the past few years. It resides in Log4J, a system-logging code library used in thousands if not millions of third-party applications and websites. That means there is a huge base of vulnerable systems. Additionally, the vulnerability is extremely easy to exploit and allows attackers to install Web shells, which provide a command window for executing highly privileged commands on hacked servers.

The remote-code execution flaw in Log4J came to light in December after exploit code was released before a patch was available. Malicious hackers quickly began actively exploiting CVE-2021-44228 to compromise sensitive systems.

https://arstechnica.com/information-technology/2022/01/patch-systems-vulnerable-to-critical-log4j-flaws-uk-and-us-officials-warn/

‘Elephant Beetle’ Lurks For Months In Networks

The group blends into an environment before loading up trivial, thickly stacked, fraudulent financial transactions too tiny to be noticed but adding up to millions of dollars.

Researchers have identified a threat group that’s been quietly siphoning off millions of dollars from financial- and commerce-sector companies, spending months patiently studying their targets’ financial systems and slipping in fraudulent transactions amongst regular activity.

The Sygnia Incident Response team has been tracking the group, which it named Elephant Beetle, aka TG2003, for two years.

In a Wednesday report, the researchers called Elephant Beetle’s attack relentless, as the group has hidden “in plain sight” without the need to develop exploits.

https://threatpost.com/elephant-beetle-months-networks-financial/177393/

Sonicwall: Y2k22 Bug Hits Email Security, Firewall Products

SonicWall has confirmed today that some of its Email Security and firewall products have been hit by the Y2K22 bug, causing message log updates and junk box failures starting with January 1st, 2022.

The company says that email users and administrators will no longer be able to access the junk box or un-junk newly received emails on affected systems.

They will also no longer be able to trace incoming/outgoing emails using the message logs because they're no longer updated.

On January 2nd, SonicWall deployed updates to North American and European instances of Hosted Email Security, the company's cloud email security service.

It also released fixes for its on-premises Email Security Appliance (ES 10.0.15) and customers using firewalls with the Anti-Spam Junk Store functionality toggled on (Junk Store 7.6.9).

https://www.bleepingcomputer.com/news/security/sonicwall-y2k22-bug-hits-email-security-firewall-products/

Hackers Use Video Player To Steal Credit Cards From Over 100 Sites

Hackers used a cloud video hosting service to perform a supply chain attack on over one hundred real estate sites that injected malicious scripts to steal information inputted in website forms.

These scripts are known as skimmers or formjackers and are commonly injected into hacked websites to steal sensitive information entered into forms. Skimmers are commonly used on checkout pages for online stores to steal payment information.

In a new supply chain attack discovered by Palo Alto Networks Unit42, threat actors abused a cloud video hosting feature to inject skimmer code into a video player. When a website embeds that player, it embeds the malicious script, causing the site to become infected.

https://www.bleepingcomputer.com/news/security/hackers-use-video-player-to-steal-credit-cards-from-over-100-sites/

Cyber World Is Starting 2022 In Crisis Mode With The Log4j Bug

The cyber security world is starting off 2022 in crisis mode.

The newest culprit is the log4j software bug, which cyber security and Infrastructure Security Agency (CISA) Director Jen Easterly called “the most serious vulnerability I have seen in my decades-long career.” It forced many cyber security pros to work through the holidays to protect computer systems at Big Tech firms, large and small companies and government agencies.

But crises like log4j have become the norm rather than the exception during the past few years.

Last year kicked off with the SolarWinds hack — a Russian government operation that compromised reams of sensitive information from U.S. government agencies and corporations.

Digital threats of all sorts are growing far faster than the capability to defend against them. If past is prologue, 2022 is likely to be a year of big hacks, big threats and plenty more crises.

“We’re always in crisis is the long and short of it,” Jake Williams, a former National Security Agency (NSA) cyber operator and founder of the firm Rendition Infosec, told me. “Anyone looking for calm rather than the storm in cyber is in the wrong field.”

https://www.washingtonpost.com/politics/2022/01/03/cyber-world-is-starting-2022-crisis-mode-with-log4j-bug/

Everything You Need To Know About Ransomware Attacks and Gangs In 2022

Ransomware is a lucrative business for criminals. It is paying off, and it is working.

According to a recent Trend Micro report, a staggering 84% of US organisations experienced either a phishing or ransomware attack in the last year. The average ransomware payment was over $500,000.

Bad actors want to keep cashing in. So they’re going as far as creating ransomware kits as a service (Ransomware as a Service) to be sold on the dark web and even setting up fake companies to recruit potential employees.

Many ransomware gangs function like real companies — with marketing teams, websites, software development, user documentation, support forums and media relations.

If the “companies” run by ransomware gangs can operate with minimal expenses and mind-blowing revenues, what’s stopping them from growing in number and size?

https://securityintelligence.com/articles/ransomware-attacks-gangs-2022/

Why the Log4j Vulnerability Makes Endpoint Visibility and Zero Trust Security More Important Than Ever

The Apache Log4j vulnerability is one of the most serious vulnerabilities in recent years—putting millions of devices at risk.

IT organisations worldwide are still reeling from the discovery of a major security vulnerability in Apache Log4j, an open-source logging utility embedded in countless internal and commercial applications.

By submitting a carefully constructed variable string to log4j, attackers can take control of any application that includes log4j. Suddenly, cyber criminals around the world have a blueprint for launching attacks on everything from retail store kiosks to mission-critical applications in hospitals.

If security teams overlook even one instance of log4j in their software, they give attackers an opportunity to issue system commands at will. Attackers can use those commands to install ransomware, exfiltrate data, shut down operations — the list goes on.

How should enterprises respond to this pervasive threat?

https://www.cio.com/article/302868/why-the-log4j-vulnerability-makes-endpoint-visibility-and-zero-trust-security-more-important-than-ever.html

Threats

Ransomware

• Night Sky Is The Latest Ransomware Targeting Corporate Networks (bleepingcomputer.com)

• Counties In New Mexico, Arkansas Begin 2022 With Ransomware Attacks | ZDNet

• Ransomware Attack Affects The Websites Of 5,000 Schools - CNNPolitics

Phishing

• Google Docs Comments Weaponized in New Phishing Campaign (darkreading.com)

• US Arrests Suspect Who Stole Unpublished Books In Phishing Attacks (bleepingcomputer.com)

Malware

• FluBot Malware Now Targets Europe Posing As Flash Player App (bleepingcomputer.com)

• New Mac Malware Samples Underscore Growing Threat (darkreading.com)

• Purple Fox Rootkit Now Bundled With Telegram Installer | Malwarebytes Labs

• ‘Malsmoke’ Exploits Microsoft’s E-Signature Verification | Threatpost

Mobile

• Apple iPhone Malware Tactic Causes Fake Shutdowns to Enable Spying | Threatpost

IoT

• IoT's Importance is Growing Rapidly, But Its Security Is Still Weak | SecurityWeek.Com

Data Breaches/Leaks

• List Of Data Breaches And Cyber Attacks In December 2021 | 219M records (itgovernance.co.uk)

• Have I Been Pwned Warns Of DatPiff Data Breach Impacting Millions (bleepingcomputer.com)

• Morgan Stanley To Pay $60 Million To Resolve Data Security Lawsuit (Yahoo.Com)

Cryptocurrency/Cryptomining/Cryptojacking

• Report: $2.2 Billion In Cryptocurrency Stolen From DeFi Platforms In 2021 | ZDNet

• UK Police Seize £322m of Cryptocurrency in Past Five Years - Infosecurity Magazine

Fraud, Scams & Financial Crime

• Broker-Dealers Impersonators Stole $50 Million Using Spoofed Sites (bleepingcomputer.com)

• 'Sextortion' Leads To Financial Losses And Psychological Trauma. Here's What To Look Out For On Dating Apps (theconversation.com)

DoS/DDoS

• CDN Cache Poisoning Allows DoS Attacks Against Cloud Apps (darkreading.com)

OT, ICS, IIoT and SCADA

• Why The UK’s Energy Sector Is Fragile And Ripe To Cyber Attacks - Help Net Security

Nation State Actors

• Should Businesses Be Concerned About APT-Style Attacks? - Help Net Security

• MI6 Chief Thanks China For ‘Free Publicity’ After James Bond Spoof | China | The Guardian

• Log4j Vulnerabilities: New Patches And Nation-State Exploitation. (thecyberwire.com)

• North Korea-Linked Konni APT Targets Russian Diplomatic Bodies - Security Affairs

Privacy

• Swiss Army Bans All Chat Apps But Locally-Developed Threema (bleepingcomputer.com)

• France Fines Google, Facebook €210 Million Over Privacy Violating Tracking Cookies (thehackernews.com)

Passwords & Credential Stuffing

• 1.1M Compromised Accounts Found at 17 Major Companies | Threatpost

Spyware and Espionage

• US Counterintelligence Shares Tips To Block Spyware Attacks (bleepingcomputer.com)

Vulnerabilities

• Google Chrome Update Includes 37 Security Fixes | ZDNet

• Emergency Windows Server Update Fixes Remote Desktop Issues (bleepingcomputer.com)

• Microsoft Rolled Out Emergency Fix For Y2k22 Bug In Exchange Servers - Security Affairs

• VMware Fixed CVE-2021-22045 Heap-Overflow In Workstation, Fusion and ESXi - Security Affairs

• Latest WordPress Security Release Fixes XSS, SQL Injection Bugs | The Daily Swig (portswigger.net)

• Internet Bug Bounty: High Severity Vulnerability In Apache HTTP Server Could Lead To RCE | The Daily Swig (portswigger.net)

• QNAP: Get NAS Devices Off the Internet Now | Threatpost

• New Ubuntu Linux Kernel Security Updates Fix 9 Vulnerabilities, Patch Now - 9to5Linux

• JFrog Researchers Find JNDI Vulnerability In H2 Database Consoles Similar To Log4Shell | ZDNet

• Unpatched HomeKit Vulnerability Exposes iPhones, iPads to DoS Attacks | SecurityWeek.Com

Sector Specific

Defence

• FBI: Hackers Use BadUSB To Target Defence Firms With Ransomware (bleepingcomputer.com)

Health/Medical/Pharma Sector

• Are Medical Devices at Risk of Ransomware Attacks? (thehackernews.com)

Estate Agents

• Hackers Target Real Estate Websites with Skimmer in Latest Supply Chain Attack (thehackernews.com)

Other News

Log4j Flaw Attack Levels Remain High, Microsoft Warns | ZDNet

Cyber Attack Against UK Ministry of Defence Training Academy Revealed | ZDNet

API Security: Understanding The Next Top Attack Vector - Help Net Security

E-Waste Is a Cybersecurity Problem, Too - IEEE Spectrum

The Log4j Debacle Showed Again That Public Disclosure Of 0-Days Only Helps Attackers - Help Net Security

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

Cyber Insurers Recoil As Ransomware Attacks ‘Skyrocket’

The Great Fire of London helped forge the property insurance market, as residents feared a repeat of the savage destruction of 1666. In the absence of a state-backed fire service, some insurers even employed their own brigades, betting that limiting the damage to a property would be cheaper than rebuilding it. After a wave of high-profile cyber assaults, Graeme Newman, chief innovation officer at London-based insurance provider CFC, draws a parallel with today’s rapidly evolving market for cyber coverage. Insurance companies now provide emergency support services as well as financial compensation, so “the insurers own the digital fire trucks”, he said.

https://www.ft.com/content/4f91c4e7-973b-4c1a-91c2-7742c3aa9922

US Puts Cyber Crime On Par With Terror After Ransomware Attacks

The US government is raising the fight against cyber criminals to the same level as the battle against terrorists after a surge of ransomware attacks on large corporations. Internal guidance circulated by the Department of Justice instructs prosecutors to pool their information about hackers. The idea, said John Carlin, of the attorney-general’s office, is to “make the connections between actors and work your way up to disrupt the whole chain”.

https://www.thetimes.co.uk/article/us-cybercrime-terror-ransomware-attacks-joe-biden-pzrqbkfwt

Russia Under Fire As Cyber Attack Leaves 7,000 Out Of Work

An attack this week on JBS meatworks in North America and Australia brought the firm to a standstill, and now threatens to turn into a diplomatic row with Russia. JBS are reported to supply 20% of the world meat market and the ransomware attack has left 7,000 workers unable to do their jobs.

https://www.afr.com/politics/russia-under-fire-as-ransomware-attack-leaves-7000-out-of-work-20210602-p57xha

Irish Health Service Confirms Data Of Nearly 520 Patients Is Online After Cyber Attack

The Health Service Executive (HSE) has confirmed the data of nearly 520 patients is online after media reports of their publication. In a statement, the HSE said the data contains correspondence with patients, minutes of meetings and includes sensitive patient data. The HSE also confirmed corporate documents are among the HSE data illegally accessed.  Confirmation of the authenticity of this data follows an analysis carried out by the agency and comments from the Minister for Communications, Eamon Ryan, that reports of patient data being shared online are "very credible".

https://www.irishexaminer.com/news/arid-40301054.html

Enterprise Networks Vulnerable To 20-Year-Old Exploits

While the industry focuses on exotic attacks – like the SolarWinds incident — the real risk to enterprises comes from older exploits, some as much as 20-years old. “While organisations always need to keep up with the latest security patches, it is also vital to ensure older system and well-known vulnerabilities from years past are monitored and patched as well,” says Etay Maor, senior director of security strategy at Cato Networks. “Threat actors are attempting to take advantage of overlooked, vulnerable systems.” Our research showed that attackers often scanned for end-of-life and unsupported systems. Common Vulnerability and Exposures (CVE) identified were exploits targeting software, namely vSphere, Oracle WebLogic, and Big-IP, as well as routers with remote administration vulnerabilities.

https://www.helpnetsecurity.com/2021/05/27/enterprise-networks-vulnerable/

US Authorities Seize Two Domains Used By SolarWinds Intruders For Malware Spear-Phishing Operation

Uncle Sam on Tuesday said it had seized two web domains used to foist malware on victims using spoofed emails from the US Agency for International Development (USAID). The domain takeovers, which occurred on Friday, followed a court order issued in the wake of a Microsoft report warning about the spear-phishing campaign. The phishing effort relied on malware-laden messages sent via marketing service Constant Contact. "Cyber intrusions and spear-phishing email attacks can cause widespread damage throughout affected computer networks, and can result in significant harm to individual victims, government agencies, NGOs, and private businesses,” said Acting US Attorney Raj Parekh for the Eastern District of Virginia, in a statement. "As demonstrated by the court-authorized seizure of these malicious domains, we are committed to using all available tools to protect the public and our government from these worldwide hacking threats."

https://www.theregister.com/2021/06/02/feds_seize_nobelium/

Hacker Group DarkSide Operates In A Similar Way To A Franchise

DarkSide, the hacker group behind the recent Colonial Pipeline ransomware attack, has a business model that’s more familiar than people think, according to New York Times correspondent Andrew Kramer, “It operates something like a franchise, where individual hackers can come and receive the ransomware software and use it, as well as, use DarkSide’s reputation, as it were, to extract money from their targets, mostly in the United States,” Kramer said in an interview that aired Wednesday night.

https://www.cnbc.com/2021/06/02/hacker-group-darksides-operates-in-a-similar-way-to-a-franchise-new-york-times-reporter-says.html?__source=sharebar|twitter&par=sharebar

Interpol Intercepts $83 Million Fighting Financial Cyber Crime

The Interpol (short for International Criminal Police Organisation) has intercepted $83 million belonging to victims of online financial crime from being transferred to the accounts of their attackers. Over 40 law enforcement officers specialized in fighting cyber crime across the Asia Pacific region took part in the Interpol-coordinated Operation HAECHI-I spanning more than six months. Between September 2020 and March 2021, law enforcement focused on battling five types of online financial crimes: investment fraud, romance scams, money laundering associated with illegal online gambling, online sextortion, and voice phishing.

https://www.bleepingcomputer.com/news/security/interpol-intercepts-83-million-fighting-financial-cyber-crime/

Is It Really The Wild West In Cyber Crime? Why We Need To Re-Examine Our Approach To Ransomware

Once again, cyber security has become a headline topic within and well outside technology circles, along with the little-known operator of a significant fuel pipeline: Colonial Pipeline. A ransomware attack, and ensuing panic buying of gasoline, resulted in widespread fuel shortages on the east coast, thrusting the issue of cyber security into the lives of everyday Americans. Colonial Pipeline CEO Joseph Blount later acknowledged that his company ultimately paid the cybercriminals $4.4 million to unlock company systems, generating a great deal of controversy around the simple question (and associated complex potential answers), of whether companies should pay when their systems are held hostage by ransomware.

https://www.techrepublic.com/article/is-it-really-the-wild-west-in-cybercrime-why-we-need-to-re-examine-our-approach-to-ransomware/

Threats

Ransomware

• Anti-Ransomware Biz Exagrid ‘Paid $2.6M Ransomware Demand’

• White House Contacts Russia After Hack Of World’s Largest Meatpacking Company

• This New Ransomware Is Targeting Unpatched Microsoft Exchange Servers

• Fujifilm Becomes Latest Ransomware Victim As White House Urges Business Leaders To Take Action

• Cyber Crime Forum Advertises Alleged Database, Source Code From Russian Firm That Helped Parler

• On The Taxonomy And Evolution Of Ransomware

Phishing

• Phishing Emails Remain in User Inboxes Over 3 Days ... (darkreading.com)

Other Social Engineering

• The Bizarro Streaming Site That Hackers Built From Scratch

Malware

• Malware Can Use This Trick To Bypass Ransomware Defense In Antivirus Solutions

• Exchange Servers Targeted By ‘Epsilon Red’ Malware

Mobile

IOT

• Amazon Sidewalk Poised To Sweep You Into Its Mesh

 Vulnerabilities

• XSS Vulnerability Found In Popular WYSIWYG Website Editor

• Huawei USB LTE Dongles Are Vulnerable To Privilege Escalation Attacks

• Hackers Actively Exploiting 0-Day In WordPress Plugin Installed On Over 17,000 Sites

• EPUB Vulnerabilities: Electronic Reading Systems Riddled With Browser-Like Flaws

• SonicWall Urges Customers To 'Immediately' Patch NSM On-Prem Bug

Data Breaches

• GDPR: EU Privacy Watchdog Probing The Use Of AWS And Azure Cloud Services

Supply Chain

• What Is A Supply Chain Attack?

• Microsoft Office 365 A Major Supply Chain Attack Vector

Nation State Actors

• Chinese Cyber Criminals Spent Three Years Creating A New Backdoor To Spy On Governments

• Kimsuky APT Continues To Target South Korean Government Using Appleseed Backdoor

• Russian Hacker Pavel Sitnikov Arrested For Sharing Malware Source Code

Privacy

• You Have A Week To Opt-Out Of Amazon Sidewalk, Do It Now

Other News

• “Have I Been Pwned” Breach Site Partners With… The FBI!

• 17 Cyber Insurance Application Questions You'll Need To Answer

• Cyber Criminals Go Corporate As Hacking Becomes A Business

• The Human Cost Of Understaffed SOCs

• Security Ops Teams Struggle To Switch Off At Home

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.