Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

• UK Organisations, Ukraine's Allies Warned of Potential "Massive" Cyber Attacks By Russia

The head of the UK National Cyber Security Centre (NCSC) Lindy Cameron has given an update on Russia’s cyber activity amid its war with Ukraine. Her speech at Chatham House last week came just a few days after Ukraine’s military intelligence agency issued a warning that Russia was “preparing massive cyber attacks on the critical infrastructure of Ukraine and its allies.” This coincides with a new Forrester report that reveals the extent to which the cyber impact of the Russia-Ukraine conflict has expanded beyond the conflict zone with malware attacks propagating into European entities.

Addressing Russian cyber activity this year, Cameron stated that, while we have not seen the “cyber-Armageddon” some predicted, there has been a “very significant conflict in cyber space – probably the most sustained and intensive cyber campaign on record – with the Russian State launching a series of major cyber attacks in support of their illegal invasion in February.”

Russian cyber forces from their intelligence and military branches have been busy launching a huge number of attacks in support of immediate military objectives.

Since the start of the year, the NCSC has been advising UK organisations to take a more proactive approach to cyber security in light of the situation in Ukraine. “There may be organisations that are beginning to think ‘is this still necessary?’ as in the UK we haven’t experienced a major incident related to the war in Ukraine. My answer is an emphatic yes,” Cameron said.

In response to significant recent battlefield set-backs, Putin has been reacting in unpredictable ways, and so we shouldn’t assume that just because the conflict has played out in one way to date, it will continue to go the same way, Cameron added. “There is still a real possibility that Russia could change its approach in the cyber domain and take more risks – which could cause more significant impacts in the UK.” UK organisations and their network defenders should therefore be prepared for this period of elevated alert with a focus on building long-term resilience, which is a “marathon not a sprint,” she said.

https://www.csoonline.com/article/3674871/ncsc-chief-warns-uk-organizations-ukraine-s-allies-of-possible-massive-cyberattacks-by-russia.html#tk.rss_news

• Cyber Criminals See Allure in BEC Attacks Over Ransomware

While published trends in ransomware attacks have been contradictory — with some firms tracking more incidents and other fewer — business email compromise (BEC) attacks continue to have proven success against organisations.

BEC cases, as a share of all incident-response cases, more than doubled in the second quarter of the year, to 34% from 17% in the first quarter of 2022. That's according to Arctic Wolf's "1H 2022 Incident Response Insights" report, published on 29 September, which found that specific industries — including financial, insurance, business services, and law firms, as well as government agencies — experienced more than double their previous number of cases, the company said.

Overall, the number of BEC attacks encountered per email box has grown by 84% in the first half of 2022, according to data from cyber security firm Abnormal Security.

Meanwhile, so far this year, threat reports released by organisations have revealed contradictory trends for ransomware. Arctic Wolf and the Identity Theft Resource Center (ITRC) have seen drops in the number of successful ransomware attacks, while business customers seem to be encountering ransomware less often, according to security firm Trellix. At the same time, network security firm WatchGuard had a contrary take, noting that its detection of ransomware attacks skyrocketed 80% in the first quarter of 2022, compared with all of last year.

The surging state of BEC landscape is unsurprising because BEC attacks offer cyber criminals advantages over ransomware. Specifically, BEC gains do not rely on the value of cryptocurrency, and attacks are often more successful at escaping notice while in progress. Threat actors are unfortunately very opportunistic.

For that reason, BEC — which uses social engineering and internal systems to steal funds from businesses — continues to be a stronger source of revenue for cyber criminals. In 2021, BEC attacks accounted for 35%, or $2.4 billion, of the $6.9 billion in potential losses tracked by the FBI's Internet Crime Complaint Center (IC3), while ransomware remained a small fraction (0.7%) of the total.

https://www.darkreading.com/threat-intelligence/cybercriminals-see-allure-bec-attacks-ransomware

• Most Hackers Need 5 Hours or Less to Break Into Enterprise Environments

A new survey of 300 ethical hackers provides insight into not only the most common means of initial access, but how a complete end-to-end attack happens.

Around 40% of ethical hackers recently surveyed by the SANS Institute said they can break into most environments they test, if not all. Nearly 60% said they need five hours or less to break into a corporate environment once they identify a weakness.

The SANS ethical hacking survey, done in partnership with security firm Bishop Fox, is the first of its kind and collected responses from over 300 ethical hackers working in different roles inside organisations, with different levels of experience and specialisations in different areas of information security. The survey revealed that on average, hackers would need five hours for each step of an attack chain: reconnaissance, exploitation, privilege escalation and data exfiltration, with an end-to-end attack taking less than 24 hours.

The survey highlights the need for organisations to improve their mean time-to-detect and mean-time-to-contain, especially when considering that ethical hackers are restricted in the techniques they're allowed to use during penetration testing or red team engagements. Using black hat techniques, like criminals do, would significantly improve the success rate and speed of attack.

When asked how much time they typically need to identify a weakness in an environment, 57% of the polled hackers indicated ten or fewer hours: 16% responded six to ten hours, 25% three to five hours, 11% one to two hours and 5% less than an hour.

https://www.csoonline.com/article/3675535/most-hackers-need-5-hours-or-less-to-break-into-enterprise-environments.html#tk.rss_news

• Global Firms Deal with 51 Security Incidents Each Day

Security operations (SecOps) teams are struggling to respond to dozens of cyber security incidents every single day, according to a new report from Trellix.

The security vendor polled 9000 security decision makers from organisations with 500+ employees across 15 markets to compile its latest study, ‘XDR: Redefining the future of cyber security’.

It found that the average SecOps team has to manage 51 incidents per day, with 36% of respondents claiming they deal with 50 to 200 daily incidents. Around half (46%) agreed that they are “inundated by a never-ending stream of cyber-attacks.”

Part of the problem is the siloed nature of security and detection and response systems, the study claimed. Some 60% of respondents argued that poorly integrated products mean teams can’t work efficiently, while a third (34%) admitted they have blind spots. It’s perhaps no surprise, therefore, that 60% admitted they can’t keep pace with the rapid evolution of security threats.

This could be having a major impact on the bottom line. The vast majority (84%) of security decision makers that Trellix spoke to estimated that their organisation lost up to 10% of revenue from security breaches in the past year.

Medium size businesses ($50–$100m in revenue) lost an average of 8% in revenue, versus 5% for large businesses with a turnover of $10bn–$25bn. That could mean hundreds of millions of dollars are being thrown away each year due to inadequate SecOps.

https://www.infosecurity-magazine.com/news/global-firms-51-security-incidents/

• Phishing Attacks Crushed Records Last Quarter, Driven by Mobile

Last quarter saw a record-shattering number of observed phishing attacks, fuelled in large part by attempts to target users on their mobile devices.

The latest Anti-Phishing Working Group (APWG) "Phishing Activity Trends Report" for the second quarter of 2022 found 1,097,811 observed phishing attacks, the most the group has ever measured in its history.

The financial sector remained the top target for phishing lures (27.6%), along with other bombarded sectors, including webmail and software-as-a-service providers, social media sites, and cryptocurrency.

But much of the rise in phishing volume is due to a new threat actor focus on mobile devices, specifically vishing (voice phishing) and smishing (SMS phishing) attacks, the report noted.

https://www.darkreading.com/attacks-breaches/phishing-attacks-crushed-records-last-quarter

• Why Paying the Ransom is Still the Most Common Response to a Ransomware Attack

According to new data from Databarracks, 44% of the organisations who experienced a ransomware assault paid the demanded ransom. 22% made use of ransomware decryption software, while 34% restored data from backups.

The Databarracks 2022 Data Health Check produced the results. The annual report has been collecting data on ransomware, cyber, backup, disaster recovery, and business continuity from more than 400 UK IT decision-makers since 2008.

From the victim’s standpoint, it’s logical why you may pay a ransom. You are unable to handle orders or provide customer support, and losses mount swiftly. Downtime expenses can easily surpass the ransom.

Organisations may believe that paying the ransom will solve the issue more quickly, allowing them to resume operations as usual. This strategy is faulty for a number of causes.

First of all, there is no assurance that your data will be returned. Second, once criminals know an organisation is an easy target, they frequently attack it again. Finally, it conveys the incorrect message. By paying, you are assisting the crooks by demonstrating that their strategies are effective.

https://informationsecuritybuzz.com/study-research/why-paying-the-ransom-is-still-the-most-common-response-to-a-ransomware-attack/

• Ransomware Attacks Continue Increasing: 20% of All Reported Attacks Occurred in the Last 12 Months

Nearly a quarter of businesses have suffered a ransomware attack, with a fifth occurring in the past 12 months, according to a latest annual report from cyber security specialist Hornetsecurity.

The 2022 Ransomware Report, which surveyed over 2,000 IT leaders, revealed that 24% have been victims of a ransomware attack, with one in five (20%) attacks happening in the last year.

Cyber attacks are happening more frequently. Last year's ransomware survey revealed one in five (21%) companies experienced an attack; this year it rose by three percent to 24%.

Attacks on businesses are increasing, and there is a shocking lack of awareness and preparation by IT pros. The survey shows that many in the IT community have a false sense of security as bad actors develop new techniques.

The 2022 Ransomware Report highlighted a lack of knowledge on the security available to businesses. A quarter (25%) of IT professionals either don't know or don't think that Microsoft 365 data can be impacted by a ransomware attack.

Just as worryingly, 40% of IT professionals that use Microsoft 365 in their organisation admitted they do not have a recovery plan in case their Microsoft 365 data was compromised by a ransomware attack.

Microsoft 365 is vulnerable to phishing attacks and ransomware attacks, but with the help of third-party tools, IT admins can back up their Microsoft 365 data securely and protect themselves from such attacks.

Industry responses showed the widespread lack of preparedness from IT professionals and businesses. There has been an increase in businesses not having a disaster recovery plan in place if they do succumb to the heightened threat of a cyber attack.

In 2021, 16% of respondents reported having no disaster recovery plan in place. In 2022, this grew to 19%, despite the rise in attacks.

https://www.darkreading.com/attacks-breaches/ransomware-attacks-continue-increasing-20-of-all-reported-attacks-occurred-in-the-last-12-months---new-survey

• More Than Half of Security Pros Say Risks Higher in Cloud Than On Premise

A recent survey from machine identity solutions provider Venafi aimed to explore the complexity of cloud environments and the resulting impact on cyber security.

Venafi surveyed 1,101 security decision makers (SDMs) in firms with more than 1,000 employees and found that eighty-one percent of companies have experienced a cloud security incident in the last year. Forty-five percent have suffered at least four security incidents in the same period. More than half of security decision makers believe that security risks are higher in the cloud than on-premise.

Twenty-four percent of the firms have more than 10,000 employees. Ninety-two percent of the SDMs are at manager level or above, with 49% at c-suite level or higher.

Most of the firms surveyed believe the underlying issue is the increasing complexity of their cloud deployments. Since these companies already host 41% of their applications in the cloud, and expect to increase this to 57% over the next 18 months, the problem is only likely to worsen in the future.

The ripest target of attack in the cloud is identity management, especially machine identities. Each of these cloud services, containers, Kubernetes clusters and microservices needs an authenticated machine identity – such as a TLS certificate – to communicate securely. If any of these identities is compromised or misconfigured, it dramatically increases security and operational risks.

Respondents reported that the most common cloud incidents are security incidents during runtime (34%), unauthorised access (33%), misconfigurations (32%), vulnerabilities that have not been remediated (24%), and failed audits (19%).

Their primary operational concerns are hijacking of accounts, services or traffic (35%), malware or ransomware (31%), privacy/data access issues such as those from GDPR (31%), unauthorised access (28%), and nation state attacks (26%).

https://www.securityweek.com/more-half-security-pros-say-risks-higher-cloud-premise

• How To Outsmart Increasingly Complex Cyber Attacks

Threat detection is harder today than it was two years ago. Next year will be harder than this year. Why? It’s a compounding effect from skills shortages and threat varieties that’s making it more challenging for any one product to handle key security wins. And cyber security is a constantly evolving sector with 2022 a devastating year for cyber security. Both hackers and security experts are always in a battle to outsmart each other.

Even for businesses with good IT departments, data protection can too quickly become an afterthought. Today’s threat landscape is growing, not just in the frequency of attacks (and the number of high-profile breaches recorded in the media) but so is the complexity of any given threat. A recent piece of research found that in 93 percent of cases, an external attacker can breach an organisation’s network perimeter and gain access to local network resources. Following increasing levels of cyber-attacks, it’s a case of “not if I will be hit by a ransomware attack,” but “when…” Organisations need to do something to mitigate the risk and protect their businesses, and they need to do it now. 

Planning and executing a better defence to outsmart attackers and win more security battles doesn’t have to feel like a military operation – but it does require the right service coverage to remove blind spots and reduce emerging risks before they escalate. 

https://informationsecuritybuzz.com/articles/how-to-outsmart-increasingly-complex-cyber-attacks/

• Top Issues Driving Cyber Security: Growing Number of Cyber Criminals, Variety of Attacks

Fortifying cyber security defences remains a work in progress for many organisations, who acknowledge their shortcomings but have yet to commit the necessary resources to the effort, according to new research from CompTIA.

While a majority of respondents in each of seven geographic regions feels that their company’s cyber security is satisfactory, CompTIA’s “State of Cybersecurity” shows that a much smaller number rank the situation as “completely satisfactory.” Nearly everyone feels that there is room for improvement.

“Companies are aware of the threats they face and the potential consequences of an attack or breach,” said Seth Robinson, VP of industry research, CompTIA. “But they may be underestimating their exposure and how much they need to invest in cyber security. Risk mitigation is the key, the filter through which everything should be viewed.”

Two of the top three issues driving cyber security considerations are the growing volume of cyber criminals, cited by 48% of respondents, and the growing variety of cyber attacks (45%). Additionally, ransomware and phishing have quickly become major areas of concern as digital operations have increased and human error has proven more costly.

“Digital transformation driven by cloud and mobile adoption requires a new strategic approach to cyber security, but this poses significant challenges, both tactically and financially,” Robinson said. “As IT operations and strategy have grown more complex, so has the management of cyber security.”

As cyber security is more tightly integrated with business objectives, zero trust is the overarching policy that should be guiding modern efforts, though its adoption will not take place overnight because it requires a drastically different way of thinking and acting. The report suggests there is small progress in recognising a holistic zero trust approach, but better progress in adopting some elements that are part of an overarching zero trust policy.

https://www.helpnetsecurity.com/2022/09/30/top-issues-driving-cybersecurity/

• Cyber Threats Top Business Leaders' Biggest Concerns

Cyber threats are the number one concern for business decision makers, beating worries over economic uncertainty, rising energy costs and hiring, according to insurance provider Travelers. The firm polled over 1200 business leaders to compile its 2022 Travelers Risk Index report.

This is the third time in four years that cyber has emerged as the top concern, with more than half (57%) of respondents believing a future cyber-attack on their organisation is inevitable. A quarter (26%) said their company had already been a breach victim, the seventh successive year this figure has risen.

The top two cyber-related concerns were suffering a security breach (57%), and a system glitch causing computers to crash (55%). Becoming a cyber-extortion victim rose from eighth position to third this year.

However, despite general concern about cyber-threats, business decision-makers may also be guilty of overconfidence in their organisation’s security posture.

Nearly all respondents (93%) said they’re confident their company has implemented best practices to prevent or mitigate a cyber event. Yet most have not deployed endpoint detection and response tools (64%), they haven’t conducted a vendor cyber-assessment (59%), and don’t have an incident response plan (53%). Further, while 90% said they’re familiar with multi-factor authentication (MFA), only 52% had implemented it for remote access. This increasingly matters, not only to mitigate cyber-risk but also to reduce insurance premium costs and increase coverage.

Cyber attacks can shut down a company for a long period of time or even put it out of business, and it’s imperative that companies have a plan in place to mitigate any associated operational and financial disruptions.

Effective measures that have proven to reduce the risk of becoming a cyber victim are available, but based on these survey results, not enough companies are taking action. It’s never too late, and these steps can help businesses avoid a devastating cyber-event.

https://www.infosecurity-magazine.com/news/cyberthreats-top-business-big/

• Fired Admin Cripples Former Employer's Network Using Old Credentials

After being laid off, an IT system administrator disrupted the operations of his former employer, a high-profile financial company in Hawaii, hoping to get his job back.

Casey K Umetsu, aged 40, worked as a network admin for the company between 2017 and 2019, when his employer terminated his contract. The US Department of Justice says in a press release that the defendant pled guilty to accessing his former employer's website and making configuration changes to redirect web and email traffic to external computers.

To prolong the business disruption for several more days, Umetsu performed additional actions that essentially locked out the firm's IT team from the website administration panel. In the end, the victimised company learned who was responsible for the sabotage after reporting the cyber security incident to the FBI.

Umetsu is awaiting sentence for his wrongdoings on January 19, 2023. He faces a maximum of 10 years of prison time and a fine of up to $250,000.

While Umetsu's actions are condemnable, the company's security practices cannot be overlooked since Umetsu used credentials that should have been invalidated the moment he got fired.

https://www.bleepingcomputer.com/news/security/fired-admin-cripples-former-employers-network-using-old-credentials/

Threats

Ransomware and Extortion

• Ransomware data theft tool may show a shift in extortion tactics (bleepingcomputer.com)

• The various ways ransomware impacts your organization - Help Net Security

• New Royal Ransomware emerges in multi-million dollar attacks (bleepingcomputer.com)

• Research: 20% of All Reported Ransomware Attacks Occurred in the Last 12 Months - MSSP Alert

• BlackCat Ransomware Attackers Spotted Fine-Tuning Their Malware Arsenal (thehackernews.com)

• Noberus ransomware gets info-stealing upgrades • The Register

• Personal Data Of Duchess Of York, Clarkson And Attenborough Leaked In Ransomware Attack On Luxury Company (informationsecuritybuzz.com)

• SQL Server admins warned to watch for Fargo ransomware • The Register

• BlackCat/ALPHV Gang Adds Wiper Functionality as Ransomware Tactic (darkreading.com)

• 'Disgruntled insider' shared REvil information with researchers, helped law enforcement (cyberscoop.com)

• Leaked LockBit 3.0 builder used by ‘Bl00dy’ ransomware gang in attacks (bleepingcomputer.com)

• NCC Group: IceFire ransomware gang ramping up attacks (techtarget.com)

• MS SQL servers are getting hacked to deliver ransomware to orgs - Help Net Security

• TAP Air Portugal confirms hack, as Ragnar Locker gang leaks data - including that of Portuguese president (bitdefender.com)

• ‘The Ransomware Hunting Team’: Book Excerpt (nymag.com)

• Hackers Leak French Hospital Patient Data in Ransom Fight | SecurityWeek.Com

• Oxford Health: Cyber attack continues to hit NHS trust's services - BBC News

• LA School District Ransomware Attackers Now Threaten to Leak Stolen Data (darkreading.com)

Phishing & Email Based Attacks

• Phishing activity exploded in Q2 2022 - Help Net Security

• Fake US govt job offers push Cobalt Strike in phishing attacks (bleepingcomputer.com)

• Germany arrests hacker for stealing €4 million via phishing attacks (bleepingcomputer.com)

• Capital One Phish Showcases Growing Bank-Brand Targeting Trend (darkreading.com)

Other Social Engineering; Smishing, Vishing, etc

• How cyber criminals use public online and offline data to target employees | CSO Online

• Beware Revolut frozen card scams sent via SMS text • Graham Cluley

• IRS warns Americans of massive rise in SMS phishing attacks (bleepingcomputer.com)

Malware

• Office exploits continue to spread more than any other category of malware - Help Net Security

• This credit card-stealing malware is spreading like wildfire | Digital Trends

• VMWare Releases Guidance for VirtualPITA, VirtualPIE, and VirtualGATE Malware Targeting vSphere | CISA

• Hacking group hides backdoor malware inside Windows logo image (bleepingcomputer.com)

• Hackers now sharing cracked Brute Ratel post-exploitation kit online (bleepingcomputer.com)

• Cobalt Strike malware campaign targets job seekers (techtarget.com)

• New Botnet 'Chaos' Targeting Linux, Windows Systems (informationsecuritybuzz.com)

• Malware targets VMware users for espionage, Mandiant says • The Register

• Chaos Malware Resurfaces With All-New DDoS & Cryptomining Modules (darkreading.com)

• Microsoft Sway Pages Weaponized to Perform Phishing and Malware Delivery - Infosecurity Magazine (infosecurity-magazine.com)

• Quantum Builder tool helps criminals spread Windows RATs • The Register

• Unit 42 finds polyglot files delivering IcedID malware (techtarget.com)

• Hackers use PowerPoint files for 'mouseover' malware delivery (bleepingcomputer.com)

• Does AI-powered malware exist in the wild? Not yet (techtarget.com)

• Hackers Backdoor Pirated Windows OS With Cryptominer and Xtreme RAT - Infosecurity Magazine (infosecurity-magazine.com)

• New Erbium password-stealing malware spreads as game cracks, cheats (bleepingcomputer.com)

• Lazarus APT continues to target job seekers with macOS malware - Security Affairs

• Hackers Use NullMixer and SEO to Spread Malware More Efficiently - Infosecurity Magazine (infosecurity-magazine.com)

• APT28 relies on PowerPoint Mouseover to deliver Graphite malware - Security Affairs

Mobile

• WhatsApp 0-Day Bug Let Hackers Execute an Arbitary Code Remotely (gbhackers.com)

• Adware on Google Play and Apple Store installed 13 million times (bleepingcomputer.com)

• Samsung facing class action suit after customer data leak • The Register

• Inside a cyber attack method that targets your cellphone - The Washington Post

Internet of Things – IoT

• Embedded IoT security threats and challenges - Help Net Security

• Manufacturers Failing to Address Cyber security Vulnerabilities Liable Under New European Rules - Infosecurity Magazine (infosecurity-magazine.com)

Data Breaches/Leaks

• Watchfinder warns customers that hackers stole their data • Graham Cluley

• Samsung Fails Consumers in Preventable Back-to-Back Data Breaches, According to Federal Lawsuit (darkreading.com)

• Shangri-La hotels Customer Database Hacked | SecurityWeek.Com

• Hacker Behind Optus Breach Releases 10,200 Customer Records in Extortion Scheme (thehackernews.com)

• Australia government wants Optus to pay for data breach | ZDNET

Organised Crime & Criminal Actors

• Ukraine Arrests Cyber Crime Group for Selling Data of 30 Million Accounts (thehackernews.com)

• Middle-class migrant trap as traffickers lure white collar workers into bogus overseas jobs (telegraph.co.uk)

• New hacking group ‘Metador’ lurking in ISP networks for months (bleepingcomputer.com)

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

• Scams targeting crypto enthusiasts are becoming increasingly common - Help Net Security

• Chaos Malware Resurfaces With All-New DDoS & Cryptomining Modules (darkreading.com)

• Hackers Backdoor Pirated Windows OS With Cryptominer and Xtreme RAT - Infosecurity Magazine (infosecurity-magazine.com)

• Cyber sleuth alleges $160M Wintermute hack was an inside job (cointelegraph.com)

• Crypto-Thieves Cost Victims 53 Times What They Make - Infosecurity Magazine (infosecurity-magazine.com)

• Preventing Cryptocurrency Cyber Extortion (trendmicro.com)

Insider Risk and Insider Threats

• Recent cases highlight need for insider threat awareness and action | CSO Online

Fraud, Scams & Financial Crime

• Online fraudsters adapt tactics to exploit UK cost of living crisis | UK cost of living crisis | The Guardian

• Identities Stolen From 1 In 4 Internet Users (informationsecuritybuzz.com)

• Fake Sites Siphon Millions of Dollars in 3-Year Scam (darkreading.com)

• Man jailed over involvement in identity theft syndicate that laundered millions of dollars | Crime - Australia | The Guardian

• Here’s how crooks are using deepfakes to scam your biz • The Register

Deepfakes

• Reshaping the Threat Landscape: Deepfake Cyber attacks Are Here (darkreading.com)

• The deepfake danger: When it wasn’t you on that Zoom call | CSO Online

Software Supply Chain

• With the Software Supply Chain, You Can't Secure What You Don't Measure (darkreading.com)

Denial of Service DoS/DDoS

• DDoS Threat Intelligence Report: More Than 6 Million Cyber attacks in First Half of 2022 - MSSP Alert

• Hackers are making DDoS attacks sneakier and harder to protect against | ZDNET

• UK's MI5 website briefly hit by denial of service attack - BBC | Reuters

• Chaos Malware Resurfaces With All-New DDoS & Cryptomining Modules (darkreading.com)

Cloud/SaaS

• Cloud security trends: What makes cloud infrastructure vulnerable to threats? - Help Net Security

• 81% of Companies Suffered A Cloud Security Incident Last Year – (informationsecuritybuzz.com)

• What Lurks in the Shadows of Cloud Security? (darkreading.com)

• The current state of cloud security - Help Net Security

Open Source

• Open source projects under attack, with enterprises as the ultimate targets - Help Net Security

• Microsoft: Lazarus hackers are weaponizing open-source software (bleepingcomputer.com)

• Numerous orgs hacked after installing weaponized open source apps | Ars Technica

Passwords, Credential Stuffing & Brute Force Attacks

• The Country Where You Live Impacts Password Choices (darkreading.com)

• Five Steps to Mitigate the Risk of Credential Exposure (thehackernews.com)

Social Media

• Fake CISO Profiles on LinkedIn Target Fortune 500s – Krebs on Security

• Fake Accounts Are Not Your Friends! (darkreading.com)

• Ofcom chair says tech firms must prioritise safety alongside clicks | Ofcom | The Guardian

• UK may fine TikTok $29 million for failing to protect children's privacy | Reuters

Training, Education and Awareness

• Time to Change Flawed Approach to Security Awareness (darkreading.com)

Parental Controls and Child Safety

• TikTok could face £27m fine for failing to protect children’s privacy | TikTok | The Guardian

Regulations, Fines and Legislation

• Australia flags privacy overhaul after huge cyber attack on Optus | Reuters

Models, Frameworks and Standards

• 10 PCI DSS best practices to weigh as new standard rolls out (techtarget.com)

Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine

• Cyber Warfare Rife in Ukraine, But Impact Stays in Shadows | SecurityWeek.Com

• Russia prepares massive cyber attacks on the critical infrastructure of Ukraine and its allies - Security Affairs

• State-Sponsored Hackers Likely Exploited MS Exchange 0-Days Against ~10 Organisations (thehackernews.com)

• NCSC: UK Organisations Can Learn from Ukraine’s Impressive Cyber Defences - Infosecurity Magazine (infosecurity-magazine.com)

• Facebook Shuts Down Covert Political 'Influence Operations' from Russia and China (thehackernews.com)

• Mystery hackers are “hyperjacking” targets for insidious spying | Ars Technica

• Cyber espionage group developed backdoors tailored for VMware ESXi hypervisors | CSO Online

• Taiwanese citizens prepare for possible cyber war (axios.com)

• Malware targets VMware users for espionage, Mandiant says • The Register

• Espionage Group Wields Steganographic Backdoor Against Govs, Stock Exchange (darkreading.com)

• Can Kaspersky survive the Ukraine war? - CyberScoop

Nation State Actors

Nation State Actors – Russia

• Researchers Identify 3 Hacktivist Groups Supporting Russian Interests (thehackernews.com)

• APT28 relies on PowerPoint Mouseover to deliver Graphite malware - Security Affairs

• Meta dismantles massive Russian network spoofing Western news sites (bleepingcomputer.com)

Nation State Actors – China

• Chinese Cyberespionage Group 'Witchetty' Updates Toolset in Recent Attacks | SecurityWeek.Com

• China’s infosec researchers may have dodged vuln report ban` • The Register

Nation State Actors – North Korea

• Lazarus Lures Aspiring Crypto Pros With Fake Exchange Job Postings (darkreading.com)

• Microsoft: Lazarus hackers are weaponizing open-source software (bleepingcomputer.com)

• Lazarus APT continues to target job seekers with macOS malware - Security Affairs

• Lazarus hackers abuse Dell driver bug using new FudModule rootkit (bleepingcomputer.com)

Nation State Actors – Iran

• 'Our Conflict With Iran Is Unparalleled', Say Israel's Elite Cyber Unit Commanders - Israel News - Haaretz.com

• OpIran:Anonymous declares war on Iran amid Mahsa Amini’s death - Security Affairs

Nation State Actors – Misc

• Hunting for Unsigned DLLs to Find APTs (paloaltonetworks.com)

Vulnerabilities

• Exchange Server zero-day being actively exploited • The Register

• Microsoft Confirms Pair of Blindsiding Exchange Zero-Days, No Patch Yet (darkreading.com)

• Cisco Patches High-Severity Vulnerabilities in Networking Software | SecurityWeek.Com

• Sophos fixes critical code injection bug under exploit • The Register

• Zoho ManageEngine flaw is actively exploited, CISA warns | CSO Online

• Lazarus hackers abuse Dell driver bug using new FudModule rootkit (bleepingcomputer.com)

• Google Quashes 5 High-Severity Bugs With Chrome 106 Update (darkreading.com)

• Critical WhatsApp Bugs Could Have Let Attackers Hack Devices Remotely (thehackernews.com)

• Go Update iOS, Chrome, and HP Computers to Fix Serious Flaws | WIRED

Reports Published in the Last Week

• 2022 State of Bot Mitigation Report: Growing Majority of Companies (69%) (informationsecuritybuzz.com)

Other News

• High-Profile Hacks Show Effectiveness of MFA Fatigue Attacks | SecurityWeek.Com

• Poll Of IT Security Pros Suggests Gaps In UK Cyber Defence (informationsecuritybuzz.com)

• Why Organisations Need Both EDR and NDR for Complete Network Protection (thehackernews.com)

• Lessons From the GitHub Cyber Security Breach (darkreading.com)

• Data security trends: 7 statistics you need to know - Help Net Security

• Why does a Legacy WAF Fail to “Catch” Sophisticated Attacks? (informationsecuritybuzz.com)

• Akamai finds 13 million malicious newly observed domains a month | SC Media (scmagazine.com)

• Opinion | The Uber Hack Exposes More Than Failed Data Security - The New York Times (nytimes.com)

• Cyber security Study Sees “Siloed” Security As Organisational Weak Spot - MSSP Alert

• The key differences between a business continuity plan and a disaster recovery plan - Help Net Security

• 3 types of attack paths in Microsoft Active Directory environments - Help Net Security

• 97% of enterprises say VPNs are prone to cyber attacks: Study | CSO Online

• Collaboration in Cyber Security is the Key to Combatting the Growing Cyber Threat. Here’s Why - IT Security Guru

• 65% of companies are considering adopting VPN alternatives - Help Net Security

• Spoofing cyber attack can make cameras see things that aren’t there | New Scientist

• Zero Trust is the Goal But Much Ground Yet to Cover, CompTIA Reports - MSSP Alert

Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

·       Automotive

·       Construction

·       Critical National Infrastructure (CNI)

·       Defence & Space

·       Education & Academia

·       Energy & Utilities

·       Estate Agencies

·       Financial Services

·       FinTech

·       Food & Agriculture

·       Gaming & Gambling

·       Government & Public Sector (including Law Enforcement)

·       Health/Medical/Pharma

·       Hotels & Hospitality

·       Insurance

·       Legal

·       Manufacturing

·       Maritime

·       Oil, Gas & Mining

·       OT, ICS, IIoT, SCADA & Cyber-Physical Systems

·       Retail & eCommerce

·       Small and Medium Sized Businesses (SMBs)

·       Startups

·       Telecoms

·       Third Sector & Charities

·       Transport & Aviation

·       Web3

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

• Lloyd's to Exclude Certain Nation-State Attacks from Cyber Insurance Policies

Lloyd's of London insurance policies will stop covering losses from certain nation-state cyber attacks and those that happen during wars, beginning in seven months' time.

In a memo sent to the company's 76-plus insurance syndicates, underwriting director Tony Chaudhry said Lloyd's remains "strongly supportive" of cyber attack coverage. However, as these threats continue to grow, they may "expose the market to systemic risks that syndicates could struggle to manage," he added, noting that nation-state-sponsored attacks are particularly costly to cover.

Because of this, all standalone cyber attack policies must include "a suitable clause excluding liability for losses arising from any state-backed cyber attack," Chaudhry wrote. These changes will take effect beginning March 31, 2023 at the inception or renewal of each policy.

At a minimum (key word: minimum) these policies must exclude losses arising from a war, whether declared or not, if the policy doesn't already have a separate war exclusion. They must also at least exclude losses from nation-state cyber attacks that "significantly impair the ability of a state to function or that significantly impair the security capabilities of a state."

Policies must also "set out a robust basis" on which to attribute state-sponsored cyber attacks, according to Chaudhry – and therein lies the rub.

Attributing a cyber attack to a particular crime group or nation-state with 100 percent confidence "is absolutely hard," NSA director of cybersecurity Rob Joyce said at this year's RSA Conference.

Threat analysts typically attribute an attack to a nation-state from its level of sophistication, but as advanced persistent crime groups become more sophisticated – and have more resources at their disposal to buy zero-day exploits and employ specialists for each stage of an attack – differentiating between nation-states and cyber crime gangs becomes increasingly difficult, he explained.

There are times when nation-states will act like criminals, using their tools and infrastructure, and sometimes vice versa. The clear line of sophistication and stealth that many have used as a common sense delineation has blurred. Yet, If you are going to pay out money you are likely going to look for something that is more ironclad and likely related to forensic evidence.

https://www.theregister.com/2022/08/24/lloyds_cybersecurity_insurance/

• Cyber Security Top Risk for Enterprise C-Suite Leaders, PwC Study Says

Cyber security is now firmly on the agenda of the entire C-suite, consultancy PricewaterhouseCoopers (PwC) reports in a new survey of more than 700 business leaders across a variety of industries.

Of key enterprise issues, cyber security ranks at the top of business risks, with nearly 80% of the respondents considering it a moderate to serious risk. The warning isn’t confined to just chief information security officers, but ranges from chief executives to chief financial officers, chief operating officers, chief technology officers, chief marketing officers and includes corporate board members. Virtually all roles ranked cyber attacks high on their list of risks, PwC said.

Overall, 40% of business leaders ranked cyber security as the top serious risk facing their companies, and 38% ranked it a moderate risk.

Here are six steps businesses can take to address cyber security concerns:

1. View cyber security as a broad business concern and not just an IT issue.

2. Build cyber security and data privacy into agendas across the C-suite and board.

3. Increase investment to improve security.

4. Educate employees on effective cyber security practices.

5. For each new business initiative or transformation, make sure there’s a cyber plan in place.

6. Use data and intelligence to regularly measure cyber risks. Proactively look for blind spots in third-party relationships and supply chains.

https://www.msspalert.com/cybersecurity-research/cybersecurity-top-risk-for-enterprise-c-suite-leaders-pwc-study-says/

• Apathy Is Your Company's Biggest Cyber Security Vulnerability — Here's How to Combat It

Human error continues to be the leading cause of a cyber security breach. Nearly 60% of organisations experienced a data loss due to an employee's mistake on email in the last year, while one in four employees fell for a phishing attack.

Employee apathy, while it may not seem like a major cyber security issue, can leave an organisation vulnerable to both malicious attacks and accidental data loss. Equipping employees with the tools and knowledge they need to prevent these risks has never been more important to keep organisations safe.

A new report from Tessian sheds light on the full extent of employee apathy and its impact on cyber security posture. The report found that a significant number of employees aren't engaged in their organisation's cyber security efforts and don't understand the role they play. One in three employees say they don't understand the importance of cyber security at work. What's more, only 39% say they're very likely to report a cyber security incident. Why? A quarter of employees say they don't care enough about cyber security to mention it.

This is a serious problem. IT and security teams can't investigate or remediate a threat they don't know about.

Employees play an important role in flagging incidents or suspicious activity early on to prevent them from escalating to a costly breach. Building a strong cyber security culture can mitigate apathy by engaging employees as part of the solution and providing the tools and training they need to work productively and securely.

https://www.darkreading.com/attacks-breaches/apathy-is-your-company-s-biggest-cybersecurity-vulnerability-here-s-how-to-combat-it

• The World’s Largest Sovereign Wealth Fund Warns Cyber Security Is Top Concern, as Attacks on Banks and Financial Service Double

Cyber security has eclipsed tumultuous financial markets as the biggest concern for the world’s largest sovereign wealth fund, as it faces an average of three “serious” cyber attacks each day.

The number of significant hacking attempts against Norway’s $1.2tn oil fund, Norges Bank Investment Management, has doubled in the past two to three years.

The fund, which reported its biggest half-year dollar loss last week after inflation and recession fears shook markets, suffers about 100,000 cyber attacks a year, of which it classifies more than 1,000 as serious, according to its top executives.

“I’m worried about cyber more than I am about markets,” their CEO told the Financial Times. “We’re seeing many more attempts, more attacks [that are] increasingly sophisticated.”

The fund’s top executives are even concerned that concerted cyber attacks are becoming a systemic financial risk as markets become increasingly digitised.

Their deputy CEO pointed to the 2020 attack on SolarWinds, a software provider, by Russian state-backed hackers that allowed them to breach several US government agencies, including the Treasury and Pentagon, and a number of Fortune 500 companies including Microsoft, Intel and Deloitte.

“They estimate there were 1,000 Russians [involved] in that one attack, working in a co-ordinated fashion. I mean, Jesus, that’s our whole building on one attack, so you’re up against some formidable forces there,” he said.

Cyber attacks targeting the financial industry have risen sharply in recent months. Malware attacks globally rose 11 per cent in the first half of 2022, but they doubled at banks and financial institutions, according to cyber security specialist SonicWall. Ransomware attacks dropped 23 per cent worldwide, but increased 243 per cent against financial targets in the same period.

https://www.ft.com/content/1aa6f92a-078b-4e1a-81ca-65298b8310b2

Configuration Errors to Blame for 80% of Ransomware

The vast majority (80%) of ransomware attacks can be traced back to common configuration errors in software and devices, according to Microsoft.

The tech giant’s latest Cyber Signals report focuses on the ransomware as a service (RaaS) model, which it claims has democratised the ability to launch attacks to groups “without sophistication or advanced skills.” Some RaaS programs now have over 50 affiliate groups on their books.

For defenders, a key challenge is ensuring they don’t leave systems misconfigured, it added.

“Ransomware attacks involve decisions based on configurations of networks and differ for each victim even if the ransomware payload is the same,” the report argued. “Ransomware culminates an attack that can include data exfiltration and other impacts. Because of the interconnected nature of the cyber-criminal economy, seemingly unrelated intrusions can build upon each other.”

Although each attack is different, Microsoft pointed to missing or misconfigured security products and legacy configurations in enterprise apps as two key areas of risk exposure.

“Like smoke alarms, security products must be installed in the correct spaces and tested frequently. Verify that security tools are operating in their most secure configuration, and that no part of a network is unprotected,” it urged. “Consider deleting duplicative or unused apps to eliminate risky, unused services. Be mindful of where you permit remote helpdesk apps like TeamViewer. These are notoriously targeted by threat actors to gain express access to laptops.”

Although not named in the report, another system regularly misconfigured and hijacked by ransomware actors is the remote desktop protocol (RDP), which often is not protected by a strong password or two-factor authentication. It’s widely believed to be one of the top three vectors for attack.

The bad news for network defenders is they don’t have much time after initial compromise to contain an attack. Microsoft claimed the median time for an attacker to begin moving laterally inside the network after device compromise is one hour, 42 minutes. The median time for an attacker to access private data following a phishing email is one hour, 12 minutes, the firm added.

https://www.infosecurity-magazine.com/news/configuration-errors-blame-80/

• Ransomware Surges to 1.2 Million Attacks Per Month

Ransomware threat detections have risen to over one million per month this year, with a French hospital the latest to suffer a major outage.

The 1000-bed Center Hospitalier Sud Francilien (CHSF) near Paris revealed it was hit on Sunday morning, in an attack which has knocked out all the hospital's business software, storage systems including medical imaging, and patient admissions. This has led to all but the most urgent emergency patients being diverted to other facilities in the region.

France24 cited figures claiming cyber-attacks against French hospitals surged 70% year-on-year in 2021. "Each day we need to rewrite patients' medications, all the prescriptions, the discharge prescriptions," Valerie Caudwell, president of the medical commission at CHSF hospital, reportedly said. "For the nurses, instead of putting in all the patients' data on the computer, they now need to file it manually from scratch."

Reports suggest Lockbit 3.0 may be to blame for the $10m ransom demand, which the hospital is refusing to pay.

Barracuda Networks claimed in a new report out today that education, municipalities, healthcare, infrastructure and finance have remained the top five targets for ransomware over the past 12 months. However, while attacks on local government increased only slightly, those targeting educational institutions more than doubled, and attacks on the healthcare and financial verticals tripled. Overall, Barracuda claimed that ransomware detections between January and June of this year climbed to more than 1.2 million per month.

https://www.infosecurity-magazine.com/news/ransomware-surges-to-12-million/

• A Massive Hacking Campaign Stole 10,000 Login Credentials From 130 Different Organisations

A phishing campaign targeted Okta users at multiple companies, successfully swiping passwords from staffers and then using them to steal company secrets.

Researchers say that a mysterious “threat actor” (a fancy term for a hacker or hacker group) has managed to steal nearly 10,000 login credentials from the employees of 130 organisations, in the latest far-reaching supply chain attack on corporate America. Many of the victims are prominent software companies, including firms like Twilio, MailChimp, and Cloudflare, among many others.

The news comes from research conducted by cyber security firm Group-IB, which began looking into the hacking campaign after a client was phished and reached out for help. The research shows that the threat actor behind the campaign, which researchers have dubbed “0ktapus,” used basic tactics to target staff from droves of well-known companies. The hacker(s) would use stolen login information to gain access to corporate networks before going on to steal data and then break into another company’s network.

“This case is of interest because despite using low-skill methods it was able to compromise a large number of well-known organisations,” researchers wrote in their blog. “Furthermore, once the attackers compromised an organisation they were quickly able to pivot and launch subsequent supply chain attacks, indicating that the attack was planned carefully in advance.”

https://gizmodo.com/oktapus-okta-hack-twilio-10000-logins-130-companies-1849457420

• This Company Paid a Ransom Demand. Hackers Leaked Its Data Anyway

A victim of a ransomware attack paid to restore access to their network – but the cyber criminals didn't hold up their end of the deal.

The real-life incident, as detailed by cyber security researchers at Barracuda Networks, took place in August 2021, when hackers from BlackMatter ransomware group used a phishing email to compromise the account of a single victim at an undisclosed company.

From that initial entry point, the attackers were able to expand their access to the network by moving laterally around the infrastructure, ultimately leading to the point where they were able to install hacking tools and steal sensitive data. Stealing sensitive data has become a common part of ransomware attacks. Criminals leverage it as part of their extortion attempts, threatening to release it if a ransom isn't received. 

The attackers appear to have had access to the network for at least a few weeks, seemingly going undetected before systems were encrypted and a ransom was demanded, to be paid in Bitcoin.

Cyber security agencies warn that despite networks being encrypted, victims shouldn't pay ransom demands for a decryption key because this only shows hackers that such attacks are effective.

https://www.zdnet.com/article/this-company-paid-a-ransom-demand-hackers-leaked-its-data-anyway/

• Sophisticated BEC Scammers Bypass Microsoft 365 Multi-Factor Authentication

A Business Email Compromise (BEC) attack recently analysed by cloud incident response company Mitiga used an adversary-in-the-middle (AitM) phishing attack to bypass Microsoft Office 365 MFA and gain access to a business executive's account, and then managed to add a second authenticator device to the account for persistent access. According to the researchers, the campaign they analysed is widespread and targets large transactions of up to several million dollars each.

The attack started with a well-crafted phishing email masquerading as a notification from DocuSign, a widely used cloud-based electronic document signing service. The email was crafted to the targeted business executive, suggesting that attackers have done reconnaissance work. The link in the phishing email led to an attacker-controlled website which then redirects to a Microsoft 365 single sign-on login page.

This fake login page uses an AitM technique, where the attackers run a reverse proxy to authentication requests back and forth between the victim and the real Microsoft 365 website. The victim has the same experience as they would have on the real Microsoft login page, complete with the legitimate MFA request that they must complete using their authenticator app. Once the authentication process is completed successfully, the Microsoft service creates a session token which gets flagged in its systems that it fulfilled MFA. The difference is that since the attackers acted as a proxy, they now have this session token too and can use it to access the account.

This reverse proxy technique is not new and has been used to bypass MFA for several years. In fact, easy-to-use open-source attack frameworks have been created for this purpose.

https://www.csoonline.com/article/3670575/sophisticated-bec-scammers-bypass-microsoft-365-multi-factor-authentication.html

• 77% Of Security Leaders Fear We’re in Perpetual Cyber War from Now On

A survey of cyber security decision makers found 77 percent think the world is now in a perpetual state of cyber warfare.

In addition, 82 percent believe geopolitics and cyber security are "intrinsically linked," and two-thirds of polled organisations reported changing their security posture in response to the Russian invasion of Ukraine.

Of those asked, 64 percent believe they may have already been the target of a nation-state-directed cyber attack. Unfortunately, 63 percent of surveyed security leaders also believe that they'd never even know if a nation-state level actor pwned them.

The survey, organised by security shop Venafi, questioned 1,100 security leaders. They said the results show cyber warfare is here, and that it's completely different to many would have imagined. "Any business can be damaged by nation-states," they stated.

It's been common knowledge for some time that government-backed advanced persistent threat (APT) crews are being used to further online geopolitical goals. Unlike conventional warfare, everyone is a target and there's no military or government method for protecting everyone.

Nor is there going to be much financial redress available. Earlier this week Lloyd's of London announced it would no longer recompense policy holders for certain nation-state attacks.

https://www.theregister.com/2022/08/27/in-brief-security/

• Cyber Security Governance: A Path to Cyber Maturity

Organisations need cyber security governance programs that make every employee aware of the cyber security mitigation efforts required to reduce cyber-risks.

In an increasingly challenging threat landscape, many organisations struggle with developing and implementing effective cyber security governance. The "Managing Cybersecurity Risk: A Crisis of Confidence" infographic by the CMMI Institute and ISACA stated: "While enterprise leaders recognise that mature cyber security is essential to thriving in today's digital economy, they often lack the insights and data to have peace of mind that their organisations are efficiently and effectively managing cyber risk."

Indeed, damages from cyber crime are projected to cost the world $7 trillion in 2022, according to the "Boardroom Cybersecurity 2022 Report" from Cybersecurity Ventures. As a result, "board members and chief executives are more interested in cyber security now than ever before," the report stated, adding that the time is ripe for turning awareness into action.

How, then, can board leaders have confidence that their organisations are prepared against cyber attacks? The first order of business for most organisations is to enable a strong cyber security governance program.

Cyber security governance refers to the component of governance that addresses an organisation's dependence on cyber space in the presence of adversaries. The ISO/IEC 27001 standard defines cyber security governance as the following: “The system by which an organisation directs and controls security governance, specifies the accountability framework and provides oversight to ensure that risks are adequately mitigated, while management ensures that controls are implemented to mitigate risks”.

Traditionally, cyber security is viewed through the lens of a technical or operational issue to be handled in the technology space. Cyber security planning needs to fully transition from a back-office operational function to its own area aligned with law, privacy and enterprise risk. The CISO should have a seat at the table alongside the CIO, COO, CFO and CEO. This helps the C-suite understand cyber security as an enterprise-wide risk management issue, along with the legal implications of cyber-risks, and not solely a technology issue.

https://www.techtarget.com/searchsecurity/post/Cybersecurity-governance-A-path-to-cyber-maturity

• The Rise of Data Exfiltration and Why It Is a Greater Risk Than Ransomware

Ransomware is the de facto threat organisations have faced over the past few years. Threat actors were making easy money by exploiting the high valuation of cryptocurrencies and their victims' lack of adequate preparation.

Think about bad security policies, untested backups, patch management practices not up-to-par, and so forth. It resulted in easy growth for ransomware extortion, a crime that multiple threat actors around the world perpetrate.

Something's changed, though. Crypto valuations have dropped, reducing the monetary appeal of ransomware attacks due to organisations mounting better defence against ransomware.

Threat actors have been searching for another opportunity – and found one. It's called data exfiltration, or exfil, a type of espionage causing headaches at organisations worldwide.

Information exfiltration is rapidly becoming more prevalent. Earlier this year, incidents at Nvidia, Microsoft, and several other companies have highlighted how big of a problem it's become – and how, for some organisations, it may be a threat that's even bigger than ransomware.

Nvidia, for example, became entangled in a complex tit-for-tat exchange with hacker group Lapsus$. One of the biggest chipmakers in the world was faced with the public exposure of the source code for invaluable technology, as Lapsus$ leaked the source code for the company's Deep Learning Super Sampling (DLSS) research.

When it comes to exfil extortion, attackers do not enter with the primary aim of encrypting a system and causing disruption the way that a ransomware attacker does. Though, yes, attackers may still use encryption to cover their tracks.

Instead, attackers on an information exfiltration mission will move vast amounts of proprietary data to systems that they control. And here's the game: attackers will proceed to extort the victim, threatening to release that confidential information into the wild or to sell it to unscrupulous third parties.

https://thehackernews.com/2022/08/the-rise-of-data-exfiltration-and-why.html

Threats

Ransomware

• Ransomware Groups Can Adapt Malware Code to Different Operating Systems Simultaneously, Kaspersky Research Finds - MSSP Alert

• [Whoa] Ransomware Strains Almost Double in Six Months from 5,400 to 10,666 (knowbe4.com)

• Ransomware: Most attacks exploit these common cyber security mistakes - so fix them now, warns Microsoft | ZDNET

• Ransomware dominates the threat landscape - Help Net Security

• We need to think about ransomware differently - Help Net Security

• Disk wiping malware knows no borders - Help Net Security

• NATO investigates hacker sale of missile firm data - BBC News           

• Cyber attackers disrupt services at French hospital, demand $10 million ransom (france24.com)

• New 'Agenda' Ransomware Customized for Each Victim | SecurityWeek.Com

• LockBit gang hit by DDoS attack after Entrust leaks • The Register

• New ransomware HavanaCrypt poses as Google software update | CSO Online

• WannaCry explained: A perfect ransomware storm | CSO Online

• LockBit Ransomware Site Hit by DDoS Attack as Hackers Start Leaking Entrust Data | SecurityWeek.Com

• New Golang Ransomware Agenda Customizes Attacks (trendmicro.com)

• New 'BianLian' Ransomware Variant on the Rise (darkreading.com)

• New 'Donut Leaks' extortion gang linked to recent ransomware attacks (bleepingcomputer.com)

• Ransomware Attacks are on the Rise | Threatpost

• Quantum ransomware attack disrupts govt agency in Dominican Republic (bleepingcomputer.com)

• Car Dealership Hit by Major Ransomware Attack - Infosecurity Magazine

• Ransomware Gang Leaks Data Allegedly Stolen from Greek Gas Supplier | SecurityWeek.Com

• Major airline technology provider Accelya attacked by ransomware group - The Record by Recorded Future

• Businesses expect the government to increase its financial assistance for all ransomware incidents - Help Net Security

BEC – Business Email Compromise

• Before Portland lost $1.4 million in cyber breach, city treasurer raised red flag - OPB

Phishing & Email Based Attacks

• Phishing attacks abusing SaaS platforms see a massive 1,100% growth (bleepingcomputer.com)

• Researchers Warn of AiTM Attack Targeting Google G-Suite Enterprise Users (thehackernews.com)

• Unusual Microsoft 365 Phishing Campaign Spoofs eFax Via Compromised Dynamics Voice Account (darkreading.com)

• Hiding a phishing attack behind the AWS cloud • The Register

• 10 key facts about callback phishing attacks - CyberTalk 2022

Other Social Engineering; Smishing, Vishing, etc

• New social engineering tactics discovered in the wild - Help Net Security

Malware

• Threat actor abuses Genshin Impact Anti-Cheat driver to disable antivirus - Security Affairs

• Fake DDoS Protection Alerts Distribute Dangerous RAT (darkreading.com)

• Meet Borat RAT, a New Unique Triple Threat (thehackernews.com)

• Donot Team group updates its Windows malware framework - Security Affairs

• How 'Kimsuky' hackers ensure their malware only reach valid targets (bleepingcomputer.com)

• Grandoreiro banking malware targets Mexico and Spain - Security Affairs

• Fake Chrome extension 'Internet Download Manager' has 200,000 installs (bleepingcomputer.com)

• Threat actors are using the Tox P2P messenger as C2 server - Security Affairs

Mobile

• Google Play Store Serving Up Chameleon-like Apps (informationsecuritybuzz.com)

• We can make our phones harder to hack but complete security is a pipe dream | John Naughton | The Guardian

Internet of Things – IoT

• Cyber criminals Are Selling Access to Chinese Surveillance Cameras | Threatpost

• IoT Vulnerability Disclosures Up 57% in Six Months, Claroty Reveals - Infosecurity Magazine

• Thousands of Organisations Remain at Risk from Critical Zero-Click IP Camera Bug (darkreading.com)

Data Breaches/Leaks

• LastPass data breach: threat actors stole portion of source code - Security Affairs

• Plex discloses data breach and urges password reset - Security Affairs

• Why the Twilio Breach Cuts So Deep | WIRED

• Plex was compromised, exposing usernames, emails, and passwords - The Verge

• DoorDash discloses new data breach tied to Twilio hackers (bleepingcomputer.com)

• Data on California Prisons' Visitors, Staff, Inmates Exposed | SecurityWeek.Com

• Expert Commentary On The Plex Data Breach (informationsecuritybuzz.com)

• Textile Company Sferra Discloses Data Breach | SecurityWeek.Com

• Novant Health: Oops, we leaked 1.3m patients' info to Meta • The Register

Organised Crime & Criminal Actors

• RaaS Kits Are Hiding Who The Attackers Really Are – Expert Comments (informationsecuritybuzz.com)

• Researchers warn of darkverse emerging from the metaverse | CSO Online

 Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

• An anatomy of crypto-enabled cyber crime | Financial Times (ft.com)

• Cryptojackers Spread Across Computers Globally- IT Security Guru

• Hackers Are Breaking Into and Emptying Cash App Accounts (vice.com)

• Threat actors are stealing funds from General Bytes Bitcoin ATMSecurity Affairs

• How Economic Changes and Crypto's Rise Are Fuelling the use of "Cyber Mules" | SecurityWeek.Com

Fraud, Scams & Financial Crime

• Scammers Create “AI Hologram” of C-Suite Crypto Exec - Infosecurity Magazine

• Employee fraud: Beware of deepfake job applicants - Protocol

• A closer look at identity crimes committed against individuals - Help Net Security

• What type of fraud enables attackers to make a living? - Help Net Security

Insurance

• Lloyds Of London Ends Insurance Coverage For State Cyber Attacks, Expert (informationsecuritybuzz.com)

Software Supply Chain

• Why SBOMs alone aren’t enough for software supply chain security | CSO Online

Denial of Service DoS/DDoS

• DDoS attacks jump 203%, patriotic hacktivism surges - Help Net Security

• Threat Actor Deploys Raven Storm Tool to Perform DDoS Attacks - Infosecurity Magazine

• LockBit gang hit by DDoS attack after Entrust leaks • The Register

• Gambling sites are losing significant amounts of revenue due to raising DDoS attacks - Help Net Security

Cloud/SaaS

• Mitiga: Attackers evade Microsoft MFA to lurk inside M365 (techtarget.com)

• Phishing attacks abusing SaaS platforms see a massive 1,100% growth (bleepingcomputer.com)

• How complicated access management protocols have impacted cloud security - Help Net Security

Identity and Access Management

• IT leaders struggling to address identity sprawl - Help Net Security

• Identity Security Pain Points and What Can Be Done (darkreading.com)

• Thoma Bravo: Securing digital identities has become a major priority - Help Net Security

Encryption

• CISA: Action required now to prepare for quantum computing cyber threats | ZDNET

• Encrypted Traffic Analysis: Mitigating Against The Risk Of Encryption (informationsecuritybuzz.com)

• US Government: Stop Dickering and Prepare for Post-Quantum Encryption Now - CNET

API

• API security incidents occur at least once a month - Help Net Security

Passwords, Credential Stuffing & Brute Force Attacks

• Credential phishing attacks rise and represent a huge threat to businesses - Help Net Security

• Twilio hackers breached over 130 organisations during months-long hacking spree | TechCrunch

• FBI: Beware Residential IPs Hiding Credential Stuffing - Infosecurity Magazine

Social Media

• Experts Reaction to Poor Security At Twitter (informationsecuritybuzz.com)

Privacy

• Oracle sued over ‘worldwide surveillance machine’ by privacy rights activists | CSO Online

• Most top mobile carriers retain geolocation data for two years on average, FCC findings show - CyberScoop

Travel

• Hackers target hotel and travel companies with fake reservations (bleepingcomputer.com)

• Fake Reservation Links Prey on Weary Travelers | Threatpost

• British Airways passengers targeted in baggage scam using Twitter | The Independent

Models, Frameworks and Standards

• PCI DSS v4.0 is coming, here's how to prepare to comply (techtarget.com)

Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine

• Lloyd's of London Introduces New War Exclusion Insurance Clauses | SecurityWeek.Com

• The (Nation) State of Cyber: 64% of Businesses Suspect They've Been Targeted or Impacted by Nation-State Attacks (darkreading.com)

• EU Outlines Critical Cyber Response to Ukraine War - Infosecurity Magazine

• Unprecedented cyber attack hit State Infrastructure of Montenegro - Security Affairs

• Suspected Iranian Hackers Targeted Several Israeli Organisations for Espionage (thehackernews.com)

Nation State Actors

Nation State Actors – Russia

• Microsoft: Russian hackers gain powerful 'MagicWeb' authentication bypass | ZDNET

• Microsoft Attributes New Post-Compromise Capability to Nobelium - Infosecurity Magazine

Nation State Actors – Iran

• Google Uncovers Tool Used by Iranian Hackers to Steal Data from Email Accounts (thehackernews.com)

• Iranian Hackers Exploiting Unpatched Log4j 2 Bugs to Target Israeli Organisations (thehackernews.com)

Nation State Actors – Misc APT

• Donot Team group updates its Windows malware framework - Security Affairs

• Cyber crime Groups Increasingly Adopting Sliver Command-and-Control Framework (thehackernews.com)

Vulnerability Management

• Up to 35% more CVEs published so far this year compared to 2021 | CSO Online

• Why patching quality, vendor info on vulnerabilities are declining | CSO Online

• How fast is the financial industry fixing its software security flaws? - Help Net Security

• Highlighting What should be Patched First at the Endpoint (bleepingcomputer.com)

Vulnerabilities

• Cisco Patches High-Severity Vulnerabilities in Business Switches | SecurityWeek.Com

• CISA Warns of Active Exploitation of Palo Alto Networks' PAN-OS Vulnerability (thehackernews.com)

• Critical flaw impacts Atlassian Bitbucket Server and Data Center - Security Affairs

• VMware fixes privilege escalation vulnerabilities in VMware Tools - Infosecurity Magazine

• VMware LPE Bug Allows Cyber attackers to Feast on Virtual Machine Data (darkreading.com)

• Critical RCE bug in GitLab patched, update ASAP! (CVE-2022-2884) - Help Net Security

• Mac users urged to update Zoom, after security patch released for previously-flawed security patch (bitdefender.com)

• Zoom patches root exploit, patches patch due to root exploit • The Register

• US government really hopes you've patched your Zimbra server • The Register

• Apple security flaw ‘actively exploited’ by hackers to fully control devices | Apple | The Guardian

• Microsoft publicly discloses details on critical ChromeOS flaw - Security Affairs

• Mozilla Patches High-Severity Vulnerabilities in Firefox, Thunderbird | SecurityWeek.Com

• 'DirtyCred' Vulnerability Haunting Linux Kernel for 8 Years | SecurityWeek.Com

• Privilege Escalation Flaw Haunts VMware Tools | SecurityWeek.Com

Reports Published in the Last Week

• Cyber Signals: Defend against the new ransomware landscape - Microsoft

• Threat Spotlight: The untold stories of ransomware - Journey Notes (barracuda.com)

Other News

• How attackers use and abuse Microsoft MFA - Help Net Security

• There is an urgent need to reduce systemic cyber risks | Financial Times (ft.com)

• Critical infrastructure is under attack from hackers. Securing it needs to be a priority - before it's too late | ZDNET

• We Need to Talk About How Good A.I. Is Getting - The New York Times (nytimes.com)

• A lack of endpoint security strategy is leaving enterprises open to attack - Help Net Security

• NIST Weighs in on AI Risk (darkreading.com)

• Twitter whistleblower report holds security lessons (techtarget.com)

• Nearly 3 Years Later, SolarWinds CISO Shares 3 Lessons From the Infamous Attack (darkreading.com)

• Data governance: 5 tips for holistic data protection - Microsoft Security Blog

• US Government Spending Billions on Cyber security (thehackernews.com)

Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

·       Automotive

·       Construction

·       Critical National Infrastructure (CNI)

·       Defence & Space

·       Education & Academia

·       Energy & Utilities

·       Estate Agencies

·       Financial Services

·       FinTech

·       Food & Agriculture

·       Gaming & Gambling

·       Government & Public Sector (including Law Enforcement)

·       Health/Medical/Pharma

·       Hotels & Hospitality

·       Insurance

·       Legal

·       Manufacturing

·       Maritime

·       Oil, Gas & Mining

·       OT, ICS, IIoT, SCADA & Cyber-Physical Systems

·       Retail & eCommerce

·       Small and Medium Sized Businesses (SMBs)

·       Startups

·       Telecoms

·       Third Sector & Charities

·       Transport & Aviation

·       Web3

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

• Average Cost of Data Breaches Hits Record High of $4.35 Million: IBM

The global average cost of data breaches reached an all-time high of $4.35 million in 2022 compared with $4.24 million in 2021, according to a new IBM Security report. About 60% of the breached organisations raised product and services prices due to the breaches.

The annual report, conducted by Ponemon Institute and analysed and sponsored by IBM Security, is based on the analysis of real-world data breaches experienced by 550 organisations globally between March 2021 and March 2022.

According to the report, about 83% of the organisations have experienced more than one breach in their lifetime, with nearly half of the costs reported to be incurred more than a year after the breach.

The report revealed that ransomware and destructive attacks represented 28% of breaches among the critical infrastructure organisations studied, indicating that threat actors are specifically targeting the sector to disrupt global supply chains. The critical infrastructure sector includes financial services, industrial, transportation, and healthcare companies.

https://www.csoonline.com/article/3668655/average-cost-of-data-breaches-hits-record-high-of-435-million-ibm.html#tk.rss_news

• Researchers Warns of Large-Scale Adversary-in-the-Middle (AiTM) Attacks Targeting Enterprise Users

A new, large-scale phishing campaign has been observed using adversary-in-the-middle (AitM) techniques to get around security protections and compromise enterprise email accounts.

It uses a technique capable of bypassing multi-factor authentication. The campaign is specifically designed to reach end users in enterprises that use Microsoft's email services.

Prominent targets include fintech, lending, insurance, energy, manufacturing, and federal credit union verticals located in the US, UK, New Zealand, and Australia.

This is not the first time such a phishing attack has come to light. Last month, Microsoft disclosed that over 10,000 organisations had been targeted since September 2021 by means of AitM techniques to breach accounts secured with multi-factor authentication (MFA).

The ongoing campaign, effective June 2022, commences with an invoice-themed email sent to targets containing an HTML attachment, which includes a phishing URL embedded within it.

https://thehackernews.com/2022/08/researchers-warns-of-large-scale-aitm.html

• UK NHS Suffers Outage After Cyber Attack on Managed Service Provider

The UK National Health Service (NHS) 111 emergency services were affected by a significant and ongoing outage triggered by a cyber attack that hit the systems of British managed service provider (MSP) Advanced.

Advanced's Adastra client patient management solution, which is used by 85% of NHS 111 services, was hit by a major outage together with several other services provided by the MSP, according to a status page.

"There was a major outage of a computer system that is used to refer patients from NHS 111 Wales to out-of-hours GP providers," the Welsh Ambulance Services said. "This system is used by Local Health Boards to coordinate these services for patients. The ongoing outage is significant and has been far-reaching, impacting each of the four nations in the UK."

The UK public was advised to access the NHS 111 emergency services using the online platform until the incident is resolved.

While no details were provided regarding the nature of the cyber attack, based on the wording, it is likely that this was a ransomware or data extortion attack.

https://www.bleepingcomputer.com/news/security/uk-nhs-suffers-outage-after-cyberattack-on-managed-service-provider/

• A Third of Organisations Experience a Ransomware Attack Once a Week

Ransomware attacks show no sign of slowing. According to new research published by Menlo Security, a third of organisations experience a ransomware attack at least once a week, with one in 10 experiencing them more than once a day.

The research, conducted among 500+ IT security decision makers at US and UK organisations with more than 1,000 employees, highlights the impact this is having on security professionals’ own wellbeing. When asked what keeps them awake at night, 41% of respondents say they worry about ransomware attacks evolving beyond their team’s knowledge and skillset, while 39% worry about them evolving beyond their company’s security capabilities.

Their biggest concern, however, is the risk of employees ignoring corporate security advice and clicking on links or attachments containing malware (46%). Respondents worry more about this than they do their own job security, with just a quarter (26%) of respondents worried about losing their job.

According to the report, around half of organisations (61% US and 44% UK) have been the victim of a successful ransomware attack in the last 18 months, with customers and prospects the most likely entry point for an attack.

Partners/suppliers and employees/contractors are also seen as serious security risks, although one in 10 admit they are unable to identify how the attacks got in. The top three ransomware attack vectors are email (54%), web browsers via a desktop or laptop (49%) and mobile devices (39%).

https://www.helpnetsecurity.com/2022/08/04/organizations-experience-ransomware-attack/

• Ransomware Products and Services Ads on Dark Web Show Clues to Danger

Why is ransomware’s destructive potential so daunting? Some clues are in the “for sale” ads. In an examination of some 35 million dark web URLs, a provider of machine identity management and a forensic specialist found some 475 web pages peddling sophisticated ransomware products and services with a number of high profile crews hawking ransomware-as-a-service.

The work is a joint effort between the Salt Lake City-based Venafi and Forensic Pathways, which took place between November 2021 and March 2022. Researchers used Forensic’s Dark Search Engine to carry out the investigation.

Here are some of the research findings:

• 87% of the ransomware found on the dark web has been delivered via malicious macros to infect targeted systems.

• 30 different “brands” of ransomware were identified within marketplace listings and forum discussions.

• Many strains of ransomware being sold — such as Babuk, GoldenEye, Darkside/BlackCat, Egregor, HiddenTear and WannaCry — have been successfully used in high-profile attacks.

• Ransomware strains used in high-profile attacks command a higher price for associated services. For example, the most expensive listing was $1,262 for a customised version of Darkside ransomware, which was used in the Colonial Pipeline ransomware attack.

• Source code listings for well-known ransomware generally command higher price points. For example, Babuk source code is listed for $950 and Paradise source code is selling for $593.

Ransomware Sold for as Little as $1: In addition to a variety of ransomware at various price points, a wide range of services and tools that help make it easier for attackers with minimal technical skills to launch ransomware attacks are for sale on the dark web, Venafi said. Services with the greatest number of listings include those offering source code, build services, custom development services and ransomware packages that include step-by-step tutorials.

https://www.msspalert.com/cybersecurity-breaches-and-attacks/ransomware/ransomware-products-services-ads-on-dark-web-show-clues-to-danger/

• Wolf In Sheep’s Clothing: How Malware Tricks Users and Antivirus

One of the primary methods used by malware distributors to infect devices is by deceiving people into downloading and running malicious files, and to achieve this deception, malware authors are using a variety of tricks.

Some of these tricks include masquerading malware executables as legitimate applications, signing them with valid certificates, or compromising trustworthy sites to use them as distribution points.

According to VirusTotal, a security platform for scanning uploaded files for malware, some of these tricks are happening on a much larger scale than initially thought.

The platform has compiled a report presenting stats from January 2021 until July 2022, based on the submission of two million files daily, illustrating trends in how malware is distributed.

• Abusing legitimate domains: Distributing malware through legitimate, popular, and high-ranking websites allows threat actors to evade IP-based blocklists, enjoy high availability, and provide a greater level of trust.

• Using stolen code-signing certificates: Signing malware samples with valid certificates stolen from companies is a reliable way to evade AV detection and security warnings on the host. Of all the malicious samples uploaded to VirusTotal between January 2021 and April 2022, over a million were signed, and 87% used a valid certificate.

• Disguised as popular software: Masquerading a malware executable as a legitimate, popular application has seen an upward trend in 2022. Victims download these files thinking they’re getting the applications they need, but upon running the installers, they infect their systems with malware. The most mimicked applications are Skype, Adobe Acrobat, VLC, and 7zip.

• Lacing legitimate installers - Finally, there’s the trick of hiding malware inside legitimate application installers and running the infection process in the background while the real apps execute in the foreground. Based on VirusTotal stats, this practice also appears to be on the rise this year, using Google Chrome, Malwarebytes, Windows Updates, Zoom, Brave, Firefox, ProtonVPN, and Telegram as lures.

https://www.bleepingcomputer.com/news/security/wolf-in-sheep-s-clothing-how-malware-tricks-users-and-antivirus/

• Microsoft Accounts Targeted with New MFA-Bypassing Phishing Kit

A new large-scale phishing campaign targeting credentials for Microsoft email services use a custom proxy-based phishing kit to bypass multi-factor authentication.

Researchers believe the campaign's goal is to breach corporate accounts to conduct BEC (business email compromise) attacks, diverting payments to bank accounts under their control using falsified documents.

The phishing campaign's targets include fin-tech, lending, accounting, insurance, and Federal Credit Union organisations in the US, UK, New Zealand, and Australia.

The campaign was discovered by Zscaler's ThreatLabz researchers, who report that the operation is still ongoing, and the phishing actors register new phishing domains almost daily.

Starting in June 2022, Zscaler's analysts noticed a spike in sophisticated phishing attempts against specific sectors and users of Microsoft email services.

Some of the newly registered domains used in the campaign are typo-squatted versions of legitimate domains.

Notably, many phishing emails originated from the accounts of executives working in these organisations, whom the threat actors most likely compromised earlier.

https://www.bleepingcomputer.com/news/security/microsoft-accounts-targeted-with-new-mfa-bypassing-phishing-kit/

• Cyber Attack Prevention Is Cost-Effective, So Why Aren’t Businesses Investing to Protect?

Cyber attacks like ransomware, BEC scams and data breaches are some of the key issues businesses are facing today, but despite the number of high-profile incidents, many boardrooms are reluctant to free up budget to invest in the cyber security measures necessary to avoid becoming the next victim.

In a Help Net Security interview, Former Pentagon Chief Strategy Officer Jonathan Reiber, VP Cyber security Strategy and Policy, AttackIQ, discusses how now, more than ever, companies need to protect themselves from cyber threat actors. He offers insight for CISOs, from talking to the Board to proper budget allocation.

https://www.helpnetsecurity.com/2022/08/01/cyberattack-prevention-investing/

• Securing Your Move to the Hybrid Cloud

The combination of private and public cloud infrastructure, which most organisations are already using, poses unique security challenges. There are many reasons why organisations adopt the public cloud, from enabling rapid growth without the burden of capacity planning to leveraging flexibility and agility in delivering customer-centric services. However, this use can leave companies open to threats.

Since regulatory requirements or other preferences dictate that certain applications remain on private (on-prem) infrastructure, many organisations choose to maintain a mix of private and public infrastructure. Additionally, organisations typically use multiple cloud providers simultaneously or preserve the option to move between providers. However, this hybrid approach presents unique and diverse security challenges. Different cloud providers and private cloud platforms may offer similar capabilities but different ways of implementing security controls, along with disparate management tools.

The question then becomes: How can an organisation maintain consistent governance, policy enforcement and controls across different clouds? And how can it ensure that it maintains its security posture when moving between them? Fortunately, there are steps professionals can take to ensure that applications are continuously secure, starting from the early stages of development and extending throughout the lifecycle.

https://threatpost.com/secure-move-cloud/180335/

• Lessons from the Russian Cyber Warfare Attacks

Cyber warfare tactics may not involve tanks and bombs, but they often go hand-in-hand with real combat.

The Russian invasion of Ukraine is a prime example. Before Russian troops crossed the border, Russian hackers had already taken down Ukrainian government websites. And after the conflict started, the hacktivist group Anonymous turned the tables by hacking Russian media to shut down propaganda about the war.

In these unprecedented times of targeted attacks against governments and financial institutions, every organisation should be on heightened alert about protecting their critical infrastructure and digital attack surface.

With the Russia-Ukraine conflict as a backdrop, two Trend Micro security experts recently discussed cyber warfare techniques and how they’re an important reminder for every business to proactively manage cyber risk.

https://www.trendmicro.com/en_us/ciso/22/h/russian-cyber-warfare-attacks.html

• Four Sneaky Attacker Evasion Techniques You Should Know About

Remember those portrayals of hackers in the 80s and 90s where you just knew when you got pwned? A blue screen of death, a scary message, a back-and-forth text exchange with a hacker—if you got pwned in a movie in the 80s and 90s, you knew it right off the bat.

What a shame that today’s hackers have learned to be quiet when infiltrating an environment. Sure, “loud” attacks like ransomware still exist, but threat actors have learned that if they keep themselves hidden, they can usually do far more damage. For hackers, a little stealth can go a long way. Some attack tactics are inherently quiet, making them arguably more dangerous as they can be harder to detect. Here are four of these attack tactics you should know about.

1. Trusted Application Abuse: Attackers know that many people have applications that they inherently trust, making those trusted applications the perfect launchpad for cyber attacks. Threat actors know that defenders and the tools they use are often on the hunt for new malware presenting itself in environments. What isn’t so easy to detect is when the malware masquerades under legitimate applications.

2. Trusted Infrastructure Abuse: Much like trusted application abuse, trusted infrastructure abuse is the act of using legitimate, publicly hosted services and toolsets (such as Dropbox or Google Drive) as part of the attack infrastructure. Threat actors know that people tend to trust Dropbox and Google Drive. As a result, this makes these tools a prime means for threat actors to carry out malicious activity. Threat actors often find trusted infrastructure abuse easy because these services aren’t usually blocked at an enterprise’s gateway. In turn, outbound communications can hide in plain sight.

3. Obfuscation: Although cyber security has more than its fair share of tedious acronyms, the good news is that many terms can be broken down by their generic dictionary definitions. According to dictionary.com, this is what obfuscate means: “To make something unclear, obscure or difficult to understand.” And that’s exactly what it means in cyber security: finding ways to conceal malicious behaviour. In turn, this makes it more difficult for analysts and the tools they use to flag suspicious or malicious activity.

4. Persistence: Imagine writing up documentation using your computer, something you may well do in your role. You’ve spent a ton of time doing the research required, finding the right sources and compiling all your information into a document. Now, imagine not hitting save on that document and losing it as soon as you reboot your computer. Sound like a nightmare—or perhaps a real anxiety-inducing experience you’ve been through before? Threat actors agree. And that’s why they establish persistence. They don’t want all of their hard work to get into your systems in the first place to be in vain just because you restart your computer. They establish persistence to make sure they can still hang around even after you reboot.

https://www.msspalert.com/cybersecurity-guests/four-sneaky-attacker-evasion-techniques-you-should-know-about/

• Zero-Day Defence: Tips for Defusing the Threat

Because they leave so little time to patch and defuse, zero-day threats require a proactive, multi-layered approach based on zero trust.

The recent Atlassian Confluence remote code execution bug is just the latest example of zero-day threats targeting critical vulnerabilities within major infrastructure providers. The specific threat, an Object-Graph Navigation Language (OGNL) injection, has been around for years but took on new significance given the scope of the Atlassian exploit. And OGNL attacks are on the rise.

Once bad actors find such a vulnerability, proof-of-concept exploits start knocking at the door, seeking unauthenticated access to create new admin accounts, execute remote commands, and take over servers. In the Atlassian case, Akamai's threat research team identified that the number of unique IP addresses attempting these exploits grew to more than 200 within just 24 hours.

Defending against these exploits becomes a race against time worthy of a 007 movie. The clock is ticking and you don't have much time to implement a patch and "defuse" the threat before it's too late. But first you need to know that an exploit is underway. That requires a proactive, multi-layered approach to online security based on zero trust.

What do these layers look like? There are a number of different practices that security teams — and their third-party Web application and infrastructure partners — should be aware of.

https://www.darkreading.com/attacks-breaches/zero-day-defense-tips-for-defusing-the-threat

Threats

Ransomware

• Reported ransomware attacks are just the tip of the iceberg. That's a problem for everyone | ZDNet

• Initial Access Brokers - Key to Rise In Ransomware Attacks (informationsecuritybuzz.com)

• Ransomware gangs are hitting roadblocks, but aren't stopping (yet) - Help Net Security

• SonicWall: Ransomware Global Cyber Attack Volume Shrinks, Still Exceeds Totals for 2017-2019 - MSSP Alert

• 87% of the ransomware found on the dark web has been delivered via malicious macros - Help Net Security

• LockBit Ransomware Abuses Windows Defender for Payload Loading | SecurityWeek.Com

• German Chambers of Industry and Commerce hit by 'massive' cyber attack (bleepingcomputer.com)

• Brand-New HavanaCrypt Ransomware Poses as Google Software Update App Uses Microsoft Hosting Service IP Address as C&C Server (trendmicro.com)

• Ransomware Task Force releases SMB blueprint for defence and mitigation (scmagazine.com)

• Prepare for ransomware before you're hit • The Register

• German semiconductor giant Semikron says hackers encrypted its network | TechCrunch

• Ransomware Hit on European Pipeline & Energy Supplier Encevo Linked to BlackCat (darkreading.com)

• Luxembourg Energy Company Hit by Ransomware | SecurityWeek.Com

• Spanish research agency still recovering after ransomware attack (bleepingcomputer.com)

Phishing & Email Based Attacks

• Countdown Clock Puts Pressure on Phishing Targets - Infosecurity Magazine

• The most impersonated brand in phishing attacks? Microsoft - Help Net Security

• Open Redirect Flaw Snags Amex, Snapchat User Data | Threatpost

• American Express, Snapchat Open-Redirect Vulnerabilities Exploited in Phishing Scheme (darkreading.com)

• A new malware threat is spying on users' Gmail inbox — do this before you're next | Laptop Mag

• Massive New Phishing Campaign Targets Microsoft Email Service Users (darkreading.com)

• North Korean Hackers Use Browser Extension to Spy on Gmail and AOL Accounts - Infosecurity Magazine

Other Social Engineering; SMishing, Vishing, etc

• US FCC warns of the rise of smishing attacks - Security Affairs

Malware

• VirusTotal Reveals Most Impersonated Software in Malware Attacks (thehackernews.com)

• Gootkit Loader Resurfaces with Updated Tactic to Compromise Targeted Computers (thehackernews.com)

• Woody RAT: A new feature-rich malware spotted in the wild | Malwarebytes Labs

• VirusTotal: Threat Actors Mimic Legitimate Apps, Use Stolen Certs to Spread Malware (darkreading.com)

• New IoT RapperBot Malware Targeting Linux Servers via SSH Brute-Forcing Attack (thehackernews.com)

• New Linux malware brute-forces SSH servers to breach networks (bleepingcomputer.com)

• Credential Stealer Malware Raccoon Updated to Obtain Passwords More Efficiently - Infosecurity Magazine

• Attackers cause Discord discord with malicious npm packages • The Register

• Gootkit AaaS malware is still active and uses updated tactics - Security Affairs

Mobile

• Facebook finds new Android malware used by APT hackers (bleepingcomputer.com)

• Google Patches Critical Android Bluetooth Flaw in August Security Bulletin - Infosecurity Magazine

• Banking trojan finds new routes to accounts by infiltrating Google Play Store (scmagazine.com)

Internet of Things – IoT

• A Digital Home Has Many Open Doors (darkreading.com)

• All the Data Amazon's Ring Cameras Collect About You | WIRED

Organised Crime & Criminal Actors

• Thousands of hackers flock to 'Dark Utilities' C2-as-a-Service (bleepingcomputer.com)

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

• Phishing campaign targets Coinbase wallet holders to steal cryptocurrency in real-time - Help Net Security

• Nearly $200 Million Stolen from Cryptocurrency Bridge Nomad | SecurityWeek.Com

• Crypto firm that promised security loses $200 million in 'frenzied free-for-all' hack | PC Gamer

• Nomad to crooks: Keep 10% as a bounty, return the rest • The Register

• Cyber attackers Drain Nearly $6M From Solana Crypto Wallets (darkreading.com)

• Man robbed of $800,000 in cryptocurrency sues Google • The Register

Insider Risk and Insider Threats

• T-Mobile Store Owner Made $25M Using Stolen Employee Credentials (darkreading.com)

Fraud, Scams & Financial Crime

• UK Branded Europe’s “Capital of Card Fraud” - Infosecurity Magazine

• Huge network of 11,000 fake investment sites targets Europe (bleepingcomputer.com)

• Online payment fraud losses accelerate at an alarming rate - Help Net Security

• COMMENT: 'Hi Mum, Hi Dad' Scams On The Rise - Britons Already (informationsecuritybuzz.com)

• Increase in Fake Tickets Being Sold by Cyber criminals on Social Media - IT Security Guru

AML/CFT/Sanctions

• Robinhood Crypto Penalized $30M for Violating NY Cybersecurity Regulations | SecurityWeek.Com

Dark Web

• A Ransomware Explosion Fosters Thriving Dark Web Ecosystem (darkreading.com)

• The popularity of Dark Utilities 'C2-as-a-Service' rapidly increases - Security Affairs

Software Supply Chain

• Now is the time to focus on software supply chain security improvements - Help Net Security

Cloud/SaaS

• Cyber attackers Increasingly Target Cloud IAM as a Weak Link (darkreading.com)

• What Worries Security Teams About the Cloud? (darkreading.com)

• Who Has Control: The SaaS App Admin Paradox (thehackernews.com)

• Enterprises face a multitude of barriers to securing diverse cloud environments - Help Net Security

Open Source

• New Linux malware brute-forces SSH servers to breach networks (bleepingcomputer.com)

Passwords, Credential Stuffing & Brute Force Attacks

• Hackers stole passwords for accessing 140,000 payment terminals | TechCrunch

• Credential Canaries Create Minefield for Attackers (darkreading.com)

• 5 reasons why businesses should never use consumer-grade password managers | TechRadar

Social Media

• Hackers Exploit Twitter Vulnerability to Exposes 5.4 Million Accounts (thehackernews.com)

• Parliament shuts down TikTok account over China data security concerns (telegraph.co.uk)

• Over 3,200 Apps Leak Twitter API Keys, Some Allowing Account Hijacks (informationsecuritybuzz.com)

• Increase in Fake Tickets Being Sold by Cyber criminals on Social Media - IT Security Guru

Privacy

• DuckDuckGo browser now blocks all Microsoft trackers, most of the time (bleepingcomputer.com)

Cyber Bullying and Cyber Stalking

• Australia charges dev of Imminent Monitor RAT used by domestic abusers (bleepingcomputer.com)

Regulations, Fines and Legislation

• Most companies are unprepared for CCPA and GDPR compliance - Help Net Security

• Data privacy: Collect what you need, protect what you collect | CSO Online

• India scraps data protection law, promises better successor • The Register

Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine

• Austrian Investigation Reveals Spyware Targeting Law Firms, Finance Institutions - Infosecurity Magazine

• Ukraine takes down 1,000,000 bots used for disinformation (bleepingcomputer.com)

• Nancy Pelosi ties Chinese cyber-attacks to Taiwan visit • The Register

• Spanish Research Center Suffers Cyber attack Linked to Russia | SecurityWeek.Com

• Russian organisations attacked with new Woody RAT malware (bleepingcomputer.com)

• Greek intelligence spied on journalist with a surveillance spyware - Security Affairs

• Rare Pegasus screenshots depict NSO Group's spyware capabilities | AppleInsider

Nation State Actors

Nation State Actors – Russia

• Double Whammy: Russian Hackers Launch Cyber Attacks On Lockheed Martin; Armed Forces Hack Into HIMARS -- Reports (eurasiantimes.com)

• Ukraine Shutters Major Russian Bot Farm - Infosecurity Magazine

Nation State Actors – China

• Chinese hackers use new Cobalt Strike-like attack framework (bleepingcomputer.com)

• Massive China-Linked Disinformation Campaign Taps PR Firm for Help (darkreading.com)

• Parliament shuts down TikTok account over China data security concerns (telegraph.co.uk)

• China, Huawei, and the eavesdropping threat | CSO Online

• Global network of fake news sites push Chinese propaganda, researchers find - CyberScoop

• Taiwanese military reports DDoS in wake of US Speaker visit • The Register

Nation State Actors – North Korea

• Cyber crime a Key Revenue Stream For North Korea's Weapons Program - Infosecurity Magazine (infosecurity-magazine.com)

• North Korean Hackers Use Browser Extension to Spy on Gmail and AOL Accounts - Infosecurity Magazine (infosecurity-magazine.com)

Nation State Actors – Iran

• Iranian Hackers Likely Behind Disruptive Cyber attacks Against Albanian Government (thehackernews.com)

• Disruptive Cyber attacks on NATO Member Albania Linked to Iran | SecurityWeek.Com

Nation State Actors – Misc APT

• Twitter breach exposes anonymous accounts to nation state hackers - CyberScoop

Vulnerabilities

• VMware urges admins to patch critical auth bypass bug immediately (bleepingcomputer.com)

• Critical RCE Bug in DrayTek Routers Opens SMBs to Zero-Click Attacks (darkreading.com)

• Cisco fixes critical remote code execution bug in VPN routers (bleepingcomputer.com)

• F5 Fixes 21 Vulnerabilities With Quarterly Security Patches | SecurityWeek.Com

• High-Severity Bug in Kaspersky VPN Client Opens Door to PC Takeover (darkreading.com)

• Hackers Exploit Atlassian Confluence Vulnerability to Deploy New 'Ljl' Backdoor - Infosecurity Magazine

• Slack Resets Passwords After a Bug Exposed Hashed Passwords for Some Users (thehackernews.com)

• VMware Releases Patches for Several New Flaws Affecting Multiple Products (thehackernews.com)

• Hackers are actively exploiting password-stealing flaw in Zimbra (bleepingcomputer.com)

• Google fixed Critical Remote Code Execution flaw in Android - Security Affairs

• CISA adds Zimbra bug to Known Exploited Vulnerabilities Catalogue - Security Affairs

• Warning! Critical flaws found in US Emergency Alert System • The Register

Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

·       Automotive

·       Construction

·       Critical National Infrastructure (CNI)

·       Defence & Space

·       Education & Academia

·       Energy & Utilities

·       Estate Agencies

·       Financial Services

·       FinTech

·       Food & Agriculture

·       Gaming & Gambling

·       Government & Public Sector (including Law Enforcement)

·       Health/Medical/Pharma

·       Hotels & Hospitality

·       Insurance

·       Legal

·       Manufacturing

·       Maritime

·       Oil, Gas & Mining

·       OT, ICS, IIoT, SCADA & Cyber-Physical Systems

·       Retail & eCommerce

·       Small and Medium Sized Businesses (SMBs)

·       Startups

·       Telecoms

·       Third Sector & Charities

·       Transport & Aviation

·       Web3

Other News

• APIs attacked in 94% of companies in past year - IT Security Guru

• Over 60% of Organisations Expose SSH to the Internet - Infosecurity Magazine

• How IT and security teams can work together to improve endpoint security - Microsoft Security Blog

• Burnout and attrition impact tech teams sustaining modern digital systems - Help Net Security

• Machine learning creates a new attack surface requiring specialized defences - Help Net Security

• Cyber security lessons learned from COVID-19 pandemic (techtarget.com)

• 10 enterprise database security best practices (techtarget.com)

• Resolving Availability vs. Security, a Constant Conflict in IT (thehackernews.com)

• Tips to prevent RDP and other remote attacks on Microsoft networks | CSO Online

• 5 ways to unite security and compliance | CSO Online

• The Myth of Protection Online — and What Comes Next (darkreading.com)

• The Importance of Data Security in the Enterprise (techtarget.com)

• Who Needs Macros? | Threat Actors Pivot to Abusing Explorer and Other LOLBins via Windows Shortcuts - SentinelOne

• How IT Teams Can Use 'Harm Reduction' for Better Cyber security Outcomes (darkreading.com)

• Businesses lack visibility into run-time threats against mobile apps and APIs - Help Net Security

• Browser synchronization abuse: Bookmarks as a covert data exfiltration channel - Help Net Security

• Threats emanating from digital ecosystems can be a blind spot for businesses - Help Net Security

• Busting the Myths of Hardware Based Security - Security Affairs

• New Traffic Light Protocol standard released after five years (bleepingcomputer.com)

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.