Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

• Ransomware Is the Biggest Global Cyber Threat. And The Attacks Are Still Evolving

Ransomware is the biggest cyber security threat facing the world today, with the potential to significantly affect whole societies and economies – and the attacks are unrelenting, the head of the National Cyber Security Centre (NCSC) has warned.

"Even with a war raging in Ukraine – the biggest global cyber threat we still face is ransomware. That tells you something of the scale of the problem. Ransomware attacks strike hard and fast. They are evolving rapidly, they are all-pervasive, they're increasingly offered by gangs as a service, lowering the bar for entry into cyber crime," said Lindy Cameron, CEO of the NCSC in a speech at Tel Aviv Cyber Week.

She added that the NCSC has dealt with "nationally significant incidents" along with hundreds of general cyber incidents that "affect the UK more widely every year".

While she didn't detail any specific instances of responding to ransomware incidents, Cameron warned that "these complex attacks have the potential to affect our societies and economies significantly", and implied that if it weren't for the work of NCSC incident responders, alongside their counterparts in the industry and international counterparts, the attacks could have had a major impact.

https://www.zdnet.com/article/ransomware-attacks-are-the-biggest-global-cyber-threat-and-still-evolving-warns-cybersecurity-chief/

• Study Reveals Traditional Data Security Tools Have a 60% Failure Rate Against Ransomware and Extortion

Titaniam, Inc., the data security platform, announced the ‘State of Data Exfiltration & Extortion Report.’ The survey revealed that while over 70% of organisations have an existing set of prevention, detection, and backup solutions, nearly 40% of organisations have been hit with ransomware attacks in the last year, and more than 70% have experienced one in the previous five years, proving existing solutions to be woefully inadequate in managing the risks and impacts from these attacks.

Data exfiltration during ransomware attacks is up 106% relative to where it was five years ago. We are seeing the emergence of a new trend where cyber criminals are no longer limiting themselves to just encrypting entire systems—they are making sure to steal data ahead of the encryption so that they can have additional leverage on the victim. The survey found that 65% of those who have experienced a ransomware attack have also experienced data theft or exfiltration due to the incident. Of those victims, 60% say the hackers used the data theft to extort them further, known as double extortion. Most of them, i.e., 59% of victims, paid the hackers, implying that they were not helped by their backup or data security tools to prevent this fate.

Data is being exposed for theft and extortion in other ways too. Nearly half (47%) uncovered publicly exposed data in their systems in the last 24 months. It was found that respondents have a mix of data security & protection (78%), prevention & detection (75%), and backup and recovery (73%) in their cyber security stacks. Still, exposure and extortion numbers imply a missing puzzle piece regarding attacks.

https://www.darkreading.com/attacks-breaches/study-reveals-traditional-data-security-tools-have-a-60-failure-rate-against-ransomware-and-extortion

• Patchable and Preventable Security Issues Lead Causes of Q1 Attacks

Attacks against companies spiked in Q1 2022 with patchable and preventable external vulnerabilities responsible for the bulk of attacks.

Eighty-two percent of attacks on organisations in Q1 2022 were caused by the external exposure of known vulnerabilities in the victim’s external-facing perimeter or attack surface. Those unpatched bugs overshadowed breach-related financial losses tied to human error, which accounted for 18 percent.

The numbers come from Tetra Defense and its quarterly report that sheds light on a notable uptick in cyber attacks against United States organisations between January and March 2022.

The report did not let employee security hygiene, or a lack thereof, off the hook. Tetra revealed that a lack of multi-factor authentication (MFA) mechanisms adopted by firms and compromised credentials are still major factors in attacks against organisations.

https://threatpost.com/lead-causes-of-q1-attacks/180096/

• Three in Four Vulnerability Management Programs Ineffective

How at risk are organisations to unsecured vulnerabilities in their networks? NopSec, a threat and exposure management provider, gives us the answers in a new study of some 430 cyber security professionals.

Are security teams finding successful approaches to their vulnerability management, or are “open doors around their attack surface” leaving them susceptible to disaster in their organisation? The answer, as it turns out, is that some organisations are better at detection, response and remediation of their vulnerabilities.

Perhaps more importantly, others are not as locked down as they believe, according to the report. Keeping track of known vulnerabilities and responding quickly is one thing, but locating flaws they did not previously know existed is quite another.

Seventy percent of respondent say their vulnerability management program (VMP) is only somewhat effective or worse, blind spots and shadow IT remain top challenges, and vulnerabilities take too long to patch.

https://www.msspalert.com/cybersecurity-research/three-in-four-vulnerability-management-programs-ineffective-study-finds/

• EMEA Continues to Be a Hotspot for Malware Threats

Ransomware detections in the first quarter of this year doubled the total volume reported for 2021, according to the latest quarterly Internet Security Report from the WatchGuard Threat Lab. Researchers also found that the Emotet botnet came back in a big way, the infamous Log4Shell vulnerability tripled its attack efforts and malicious cryptomining activity increased.

Although findings from the Threat Lab’s Q4 2021 report showed ransomware attacks trending down year over year, that all changed in Q1 2022 with a massive explosion in ransomware detections. While Q4 2021 saw the downfall of the infamous REvil cybergang, WatchGuard analysis suggests that this opened the door for the LAPSUS$ extortion group to emerge, which along with many new ransomware variants such as BlackCat – the first known ransomware written in the Rust programming language – could be contributing factors to an ever-increasing ransomware and cyber-extortion threat landscape.

The report also shows that EMEA continues to be a hotspot for malware threats. Overall regional detections of basic and evasive malware show WatchGuard Fireboxes in EMEA were hit harder than those in North, Central and South America (AMER) at 57% and 22%, respectively, followed by Asia-Pacific (APAC) at 21%.

https://www.helpnetsecurity.com/2022/06/30/emea-malware-threats/

• A New, Remarkably Sophisticated Malware Is Attacking Home and Small Office Routers

An unusually advanced hacking group has spent almost two years infecting a wide range of routers in North America and Europe with malware that takes full control of connected devices running Windows, macOS, and Linux, researchers reported on June 28.

So far, researchers from Lumen Technologies' Black Lotus Labs say they've identified at least 80 targets infected by the stealthy malware, including routers made by Cisco, Netgear, Asus, and DrayTek. Dubbed ZuoRAT, the remote access Trojan is part of a broader hacking campaign that has existed since at least the fourth quarter of 2020 and continues to operate.

The discovery of custom-built malware written for the MIPS architecture and compiled for small-office and home-office routers is significant, particularly given its range of capabilities. Its ability to enumerate all devices connected to an infected router and collect the DNS lookups and network traffic they send and receive, and remain undetected, is the hallmark of a highly sophisticated threat actor.

"While compromising small office/home office (SOHO) routers as a vector to gain access to an adjacent LAN is not a novel technique, it has seldom been reported," Black Lotus Labs researchers wrote. "Similarly, reports of person-in-the-middle style attacks, such as DNS and HTTP hijacking, are even rarer and a mark of a complex and targeted operation. The use of these two techniques congruently demonstrated a high level of sophistication by a threat actor, indicating that this campaign was possibly performed by a state-sponsored organisation."

The campaign comprises at least four pieces of malware, three of them written from scratch by the threat actor. The first piece is the MIPS-based ZuoRAT, which closely resembles the Mirai internet-of-things malware that achieved record-breaking distributed denial-of-service attacks that crippled some Internet services for days. ZuoRAT often gets installed by exploiting unpatched vulnerabilities in SOHO devices.

https://www.wired.com/story/zuorat-trojan-malware-hacking-routers/

• What Are Shadow IDs, and How Are They Crucial in 2022?

Just before last Christmas, in a first-of-a-kind case, JPMorgan was fined $200M for employees using non-sanctioned applications for communicating about financial strategy. No mention of insider trading, naked shorting, or any malevolence. Just employees circumventing regulation using, well, Shadow IT. Not because they tried to obfuscate or hide anything, simply because it was a convenient tool that they preferred over any other sanctioned products (which JPMorgan certainly has quite a few of.)

Visibility into unknown and unsanctioned applications has been required by regulators and also recommended by the Center for Internet Security community for a long time. Yet it seems that new and better approaches are still in demand. Gartner has identified External Attack Surface Management, Digital Supply Chain Risk, and Identity Threat Detection as the top three trends to focus on in 2022, all of which are closely intertwined with Shadow IT.

"Shadow IDs," or in other words, unmanaged employee identities and accounts in third-party services, are often created using a simple email-and-password-based registration. Cloud access security broker (CASB) and corporate single-sign-on (SSO) solutions are limited to a few sanctioned applications, and are not widely adopted on most websites and services either. This means, that a large part of an organisation's external surface - as well as its user identities - may be completely invisible.

https://thehackernews.com/2022/06/what-are-shadow-ids-and-how-are-they.html

• Zero-Days Aren't Going Away Anytime Soon, and What Leaders Need to Know

Few security exploits are the source of more sleepless nights for security professionals than zero-day attacks. Just recently, researchers discovered a new vulnerability enabling hackers to achieve remote code execution within Microsoft Office. Dubbing the evolving threat the Follina exploit, researchers say all versions of Office are at risk. And because the internal security teams have no time to prepare or patch their systems to defend against these software vulnerabilities, crafty threat actors can take advantage, taking their time after they've accessed an organisation's environment to observe and exfiltrate data while remaining completely unseen.

And though sophisticated threat actors and nations have exploited zero-days for nearly two decades, last year saw a historic rise in the number of vulnerabilities detected. Both Google and Mandiant tracked a record number of zero-days last year, with the caveat that more zero-days are being discovered because security companies are getting better at finding them — not necessarily because hackers are coming up with new vulnerabilities. Not all zero-days are created equal, though. Some require sophisticated and novel techniques, like the attack on SolarWinds, and others exploit simple vulnerabilities in commonly used programs like Windows. Thankfully, there's some basic cyber hygiene strategies that can keep your organisation sufficiently prepared to mitigate zero-day exploits.

https://www.darkreading.com/attacks-breaches/zero-days-aren-t-going-away-anytime-soon-and-what-leaders-need-to-know

• Half of 2022's Zero-Days Are Variants of Previous Vulnerabilities

Google Project Zero has observed a total of 18 exploited zero-day vulnerabilities in the first half of 2022, at least half of which exist because previous bugs were not properly addressed.

According to Google Project Zero researcher Maddie Stone, nine of the in-the-wild zero-days seen so far this year could have been prevented had organisations applied more comprehensive patching.

“On top of that, four of the 2022 zero-days are variants of 2021 in-the-wild zero-days. Just 12 months from the original in-the-wild zero-day being patched, attackers came back with a variant of the original bug,” Stone says.

The most recent of these issues is the Follina vulnerability in the Windows platform. Tracked as CVE-2022-30190, it is a variant of an MSHTML zero-day tracked as CVE-2021-40444.

CVE-2022-21882 is another Windows vulnerability that is a variant of an in-the-wild zero-day that was improperly resolved last year, namely CVE-2021-1732.

An iOS IOMobileFrameBuffer bug (CVE-2022-22587) and a type confusion flaw in Chrome’s V8 engine (CVE-2022-1096) are two other zero-days that are variants of exploited security flaws found last year – CVE-2021-30983 and CVE-2021-30551, respectively.

Other 2022 zero-days that are variants of improperly addressed security defects are CVE-2022-1364 (Chrome), CVE-2022-22620 (WebKit), CVE-2021-39793 (Google Pixel), CVE-2022-26134 (Atlassian Confluence), and CVE-2022-26925 (Windows flaw called PetitPotam).

https://www.securityweek.com/google-half-2022s-zero-days-are-variants-previous-vulnerabilities

• Human Error Remains the Top Security Issue

Human error remains the most effective vector for conducting network infiltrations and data breaches.

The SANS Institute security centre issued its annual security awareness report Wednesday, which was based on data from 1,000 infosec professionals and found that employees and their lack of security training remain common points of failure for data breaches and network attacks. The report also tracked the maturity level of respondents' security awareness programs and their effectiveness in reducing human risk.

"This year's report once again identifies what we have seen over the past three years: that the most mature security awareness programs are those that have the most people dedicated to managing and supporting it," the cyber security training and education organisation said.

"These larger teams are more effective at working with the security team to identify, track, and prioritise their top human risks, and at engaging, motivating, and training their workforce to manage those risks."

The SANS Institute study ranked maturity by five levels, from lowest to highest: nonexistent, compliance-focused, promoting awareness and behaviour change, long-term sustainment and culture change, and metrics framework. The report found that while approximately 400 respondents said their programs promote awareness and behaviour change - the highest such response for any maturity level - the number represented a 10% decrease from the previous year's report.

https://www.techtarget.com/searchsecurity/news/252522226/SANS-Institute-Human-error-remains-the-top-security-issue

• Carnival Cruises Torpedoed by US States, Agrees to Pay $6m After Wave of Cyber Attacks

Carnival Cruise Lines will cough up more than $6 million to end two separate lawsuits filed by 46 states in the US after sensitive, personal information on customers and employees was accessed in a string of cyber attacks.

A couple of years ago, as the coronavirus pandemic was taking hold, the Miami-based business revealed intruders had not only encrypted some of its data but also downloaded a collection of names and addresses; Social Security info, driver's license, and passport numbers; and health and payment information of thousands of people in almost every American state.

It all started to go wrong more than a year prior, as the cruise line became aware of suspicious activity in May 2019. This apparently wasn't disclosed until 10 months later, in March 2020.

Back in 2019, the security operations team spotted an internal email account sending spam to other addresses. It turned out miscreants had hijacked 124 employee Microsoft Office 365 email accounts, and were using them to send phishing emails to harvest more credentials. This, we're told, gave the intruders access to personal data on 180,000 Carnival employees and customers. It's likely the miscreants first broke in using phishing mails or brute-forcing passwords; either way, there was no multi-factor authentication.

Then in August 2020, the company said it was hit with the aforementioned ransomware, and copies of its files were siphoned. In January 2021, it was infected again with malware, and again sensitive information – specifically, customer passport numbers and dates of birth, and employee credit card numbers – were downloaded. And in March that year, a staffer's work email account was compromised again to send out a phishing email; more sensitive information was exposed.

https://www.theregister.com/2022/06/28/carnival-cybersecurity-fines/

• Uber Ex-Security Chief Accused of Hacking Coverup Must Face Fraud Charges, Judge Rules

A federal judge on Tuesday said a former Uber Technologies Inc. security chief must face wire fraud charges over his alleged role in trying to cover up a 2016 hacking that exposed personal information of 57 million passengers and drivers.

The US Department of Justice had in December added the three charges against Joseph Sullivan to an earlier indictment, saying he arranged to pay money to two hackers in exchange for their silence, while trying to conceal the hacking from passengers, drivers and the US Federal Trade Commission.

https://www.reuters.com/business/uber-ex-security-chief-accused-hacking-coverup-must-face-fraud-charges-judge-2022-06-28/

Threats

Ransomware

• Ransomware market evolution results in fewer variants, but rise in off-the-shelf cyber crime kits continues | The Daily Swig (portswigger.net)

• Record-Breaking Year for Ransomware Attacks, WatchGuard Research Predicts - MSSP Alert

• Cyber Security Experts Warn of Emerging Threat of "Black Basta" Ransomware (thehackernews.com)

• 5 years after NotPetya: Lessons learned | CSO Online

• AstraLocker 2.0 infects users directly from Word attachments (bleepingcomputer.com)

• Mitel VoIP Bug Exploited in Ransomware Attacks | Threatpost

• Black Basta Ransomware Gang Attacks 50 Companies, Cybereason Reports - MSSP Alert

• How Dangerous Is BlackBasta Ransomware? (informationsecuritybuzz.com)

• LockBit 3.0 Debuts With Ransomware Bug Bounty Program (darkreading.com)

• Black Basta Ransomware Operators Expand Their Attack Arsenal With QakBot Trojan and PrintNightmare Exploit (trendmicro.com)

• Son of Conti: Ransomware tries its hand at politics - The Record by Recorded Future

• Kaseya Ransomware - Cyber Leader’s Thoughts & Learnings One Year Later (informationsecuritybuzz.com)

• Are Protection Payments the Future of Ransomware? (tripwire.com)

• Conti vs. LockBit: A Comparative Analysis of Ransomware Groups (trendmicro.com)

• This new malware is at the heart of the ransomware ecosystem | ZDNet

• Macmillan Publishing shuts down systems after likely ransomware attack (bleepingcomputer.com)

• Walmart denies being hit by Yanluowang ransomware attack (bleepingcomputer.com)

• Fake copyright infringement emails install LockBit ransomware (bleepingcomputer.com)

• Cisco Talos techniques uncover ransomware sites on dark web (techtarget.com)

• RansomHouse gang claims to have some stolen AMD data • The Register

• 'Prolific' NetWalker extortionist pleads guilty • The Register

Phishing & Email Based Attacks

• Google Warns About Hacker-for-Hire Services Trying to Phish Users (pcmag.com)

• Clever phishing method bypasses MFA using Microsoft WebView2 apps (bleepingcomputer.com)

• Cyber Attacks via Unpatched Systems Cost Orgs More Than Phishing (darkreading.com)

• How phishing attacks are becoming more sophisticated - Help Net Security

• How Evilnum Cyber Attacks Target Microsoft Office Files - MSSP Alert

• New Matanbuchus Campaign drops Cobalt Strike beacons - Security Affairs

• Kaspersky Reveals Phishing Emails That Employees Find Most Confusing (darkreading.com)

• Ukraine arrests cyber crime gang operating over 400 phishing sites (bleepingcomputer.com)

Malware

• Microsoft finds Raspberry Robin worm in hundreds of Windows networks (bleepingcomputer.com)

• Microsoft Exchange servers worldwide backdoored with new malware (bleepingcomputer.com)

• Microsoft warning: This malware that targets Linux just got a big update | ZDNet

• ZuoRAT Hijacks SOHO Routers From Cisco, Netgear (darkreading.com)

• XFiles info-stealing malware adds support for Follina delivery (bleepingcomputer.com)

• Raccoon Stealer is back with a new version to steal your passwords (bleepingcomputer.com)

• Minors Use Discord Servers To Earn Extra Pocket Money Through Spreading Malware (informationsecuritybuzz.com)

• PyPi python packages caught sending stolen AWS keys to unsecured sites (bleepingcomputer.com)

Mobile

• Android Spyware 'Revive' Upgraded to Banking Trojan - Infosecurity Magazine

• Google warns Hermit spyware is infecting phones. What is it and how do you protect yourself from it? | Mashable

• Phone Hackers: 9 Ways To Tell If You Have Fallen Victim (informationsecuritybuzz.com)

• Apple revokes certificates for Hermit spyware app - 9to5Mac

• Google Warns of New Spyware Targeting iOS and Android Users - IT Security Guru

Internet of Things – IoT

• Swarm of malfunctioning driverless taxis brings traffic to a halt for hours (telegraph.co.uk)

Data Breaches/Leaks

• Millions of free VPN user records leaked | TechRadar

• Leaky Access Tokens Exposed Amazon Photos of Users | Threatpost

• California gun dashboards expose 10 years of personal data • The Register

Organised Crime & Criminal Actors

• The strange business of cyber crime | CSO Online

• Russia-China cyber criminal collaboration could “destabilize” international order | CSO Online

• Canadian admits to hacking spree with Russian cyber-gang - BBC News

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

• Pentagon finds concerning vulnerabilities on blockchain | TechRepublic

• Threat actors sell access to tens of vulnerable networks compromised by exploiting Atlassian 0daySecurity Affairs

• Hackers steal $100m from another breached crypto bridge | TechRadar

• Santander Warns of 87% Surge in UK Crypto Scams - Infosecurity Magazine

• Dozens of cryptography libraries vulnerable to private key theft | The Daily Swig (portswigger.net)

• Missing Cryptoqueen: FBI adds Ruja Ignatova to top ten most wanted - BBC News

• Singapore warns of ‘brutal, unrelentingly hard’ crypto regs • The Register

Insider Risk and Insider Threats

• Rogue HackerOne employee steals bug reports to sell on the side (bleepingcomputer.com)

• Japanese worker loses city's personal data in USB fail • The Register

• How you handle independent contractors may determine your insider threat risk | CSO Online

Fraud, Scams & Financial Crime

• Threat actors increasingly use third parties to run their scams - Help Net Security

• Santander Warns of 87% Surge in UK Crypto Scams - Infosecurity Magazine

• Evolving online habits have paved the way for fraud. What can we do about it? - Help Net Security

Insurance

• Cyber Insurance: The Good, the Bad, and the Ugly - IT Security Guru

Software Supply Chain

• It's a Race to Secure the Software Supply Chain — Have You Already Stumbled? (darkreading.com)

• Over a Decade in Software Security: What Have We learned? - IT Security Guru

Denial of Service DoS/DDoS

• Russian hacktivists take down Norway govt sites in DDoS attacks (bleepingcomputer.com)

Attack Surface Management

• Digital Shadows Weaken Your Attack Surface (securityintelligence.com)

Shadow IT

• Shadow IT Spurs 1 in 3 Cyber Attacks (darkreading.com)

• What is Shadow IT and why is it so risky? (thehackernews.com)

Open Source

• CISA Warns of Active Exploitation of 'PwnKit' Linux Vulnerability in the Wild (thehackernews.com)

Passwords, Credential Stuffing & Brute Force Attacks

• RansomHouse Hackers Claim to Breach AMD With Bad Passwords (gizmodo.com)

• Breaking Down the Zola Hack and Why Password Reuse is so Dangerous (bleepingcomputer.com)

• Raccoon Stealer is back with a new version to steal your passwords (bleepingcomputer.com)

Social Media

• Verified Twitter accounts hacked to send fake suspension notices (bleepingcomputer.com)

• Facebook Business Pages Targeted via Chatbot in Data-Harvesting Campaign (darkreading.com)

• New YTStealer malware steals accounts from YouTube Creators (bleepingcomputer.com)

• Facebook 2FA phish arrives just 28 minutes after scam domain created – Naked Security (sophos.com)

Training, Education and Awareness

• Time Constraints Hamper Security Awareness Programs (darkreading.com)

Privacy

• ‘Supercookies’ Have Privacy Experts Sounding the Alarm | WIRED

• UK should immediately ban use of live facial recognition, warns report | Financial Times (ft.com)

• Snoopers’ Charter Ruled Partially Unlawful - Infosecurity Magazine

• We must stop sleepwalking towards a surveillance state | Financial Times (ft.com)

Parental Controls and Child Safety

• How parents can talk about online safety and personal info protection with their kids - Help Net Security

Regulations, Fines and Legislation

• Manx government department fined over data breach - BBC News

• Clearview fine: The unacceptable face of modern surveillance - Help Net Security

• UK security services must seek approval to access telecoms data, judges rule | UK security and counter-terrorism | The Guardian

Law Enforcement Action and Take Downs

• Global Police Crack Down on Online Sexual Exploitation - Infosecurity Magazine

Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine

• Lethal drinking water, runs on banks and panic buying: What a real Undeclared War cyber attack could mean (inews.co.uk)

• Microsoft's Defending Ukraine report offers fresh details on digital conflict and disinformation | CSO Online

• Clear Rules Needed to Prevent Conflict and Struggle in Cyber Space, Says NCSC Chief - Infosecurity Magazine

• NATO to create cyber rapid response force, increase cyber defence aid to Ukraine - CyberScoop

• Could the Russian cyber attack on Lithuania draw a military response from NATO? | World News | Sky News

• Evilnum hackers return in new operation targeting migration orgs (bleepingcomputer.com)

• Commercial cyber products must be used responsibly, says NCSC CEO (computerweekly.com)

• G7 to tackle cyber threats and disinformation from Russia: communique | Reuters

• Google Warns of New Spyware Targeting iOS and Android Users - IT Security Guru

• Apple revokes certificates for Hermit spyware app - 9to5Mac

• China lured graduate jobseekers into digital espionage | Ars Technica

• FCC commissioner calls TikTok Chinese spyware and wants it pulled from mobile app stores (androidpolice.com)

• Google warns Hermit spyware is infecting phones. What is it and how do you protect yourself from it? | Mashable

Nation State Actors

Nation State Actors – Russia

• Ukraine targeted by almost 800 cyber attacks since the war started (bleepingcomputer.com)

• Russia-linked actors may be behind an explosion at a liquefied natural gas plant in Texas - Security Affairs

• Russian Hacker Group Says Cyber Attacks Continue On Lithuania (informationsecuritybuzz.com)

• Russian hacktivists take down Norway govt sites in DDoS attacks (bleepingcomputer.com)

• Russia's Killnet hacker group says it attacked Lithuania | Reuters

Nation State Actors – China

• Chinese Threat Actor Targets Rare Earth Mining Companies in North America, Australia | SecurityWeek.Com

• Chinese Hackers Target Building Management Systems | SecurityWeek.Com

• China lured graduate jobseekers into digital espionage | Ars Technica

Nation State Actors – North Korea

• Experts blame North Korea-linked Lazarus APT for Harmony hack - Security Affairs

Vulnerability Management

• 18 Zero-Days Exploited So Far in 2022 (darkreading.com)

• Why more zero-day vulnerabilities are being found in the wild | CSO Online

• Cyber Attacks via Unpatched Systems Cost Orgs More Than Phishing (darkreading.com)

• Solving the indirect vulnerability enigma - fixing indirect vulnerabilities without breaking your dependency tree (thehackernews.com)

• Microsoft's quiet mishandling of vulnerabilities is becoming a public mess - OnMSFT.com

Vulnerabilities

• MITRE shares this year's list of most dangerous software bugs (bleepingcomputer.com)

• Critical ManageEngine ADAudit Plus Vulnerability Allows Network Takeover, Mass Data Exfiltration (darkreading.com)

• How and why threat actors target Microsoft Active Directory | CSO Online

• Atlassian Confluence Exploits Peak at 100K Daily (darkreading.com)

• Patch Now: Linux Container-Escape Flaw in Azure Service Fabric (darkreading.com)

• Zoho ManageEngine ADAudit Plus bug gets public RCE exploit (bleepingcomputer.com)

• OpenSSL 3.0.5 awaits release to fix potential security flaw • The Register

• CISA: Adopt Modern Auth now for Exchange Online • The Register

• CISA Warns of Active Exploitation of 'PwnKit' Linux Vulnerability in the Wild (thehackernews.com)

• CISA orders agencies to patch Windows LSA bug exploited in the wild (bleepingcomputer.com)

• Mitel VoIP Bug Exploited in Ransomware Attacks | Threatpost

• Log4Shell Vulnerability in VMware Leads to Data Exfiltration and Ransomware (trendmicro.com)

• Jenkins discloses dozens of zero-day bugs in multiple plugins (bleepingcomputer.com)

• New UnRAR Vulnerability Could Let Attackers Hack Zimbra Webmail Servers (thehackernews.com)

Sector Specific

Critical National Infrastructure (CNI)

• Stress and Burnout Could Lead to Exodus of CNI Cyber Security Leaders - Infosecurity Magazine

Financial Services Sector

• Android Spyware 'Revive' Upgraded to Banking Trojan - Infosecurity Magazine

FinTech

• A Fintech Horror Story: How One Company Prioritizes Cyber Security (darkreading.com)

• Security and compliance concerns limit ‘open finance’ expansion, say executives (scmagazine.com)

Telecoms

• Why the next-gen telecom ecosystem needs better regulations (techtarget.com)

OT, ICS, IIoT, SCADA and Cyber-Physical Systems

• APT Hackers Targeting Industrial Control Systems with ShadowPad Backdoor (thehackernews.com)

• Cyber-Physical Security: Benchmarking to Advance Your Journey | SecurityWeek.Com

• Critical Security Flaws Identified in CODESYS ICS Automation Software (thehackernews.com)

• Microsoft Exchange bug abused to hack building automation systems (bleepingcomputer.com)

• 5 Cyber Security Tips for Smart Buildings - IT Security Guru

• Chinese Hackers Target Building Management Systems | SecurityWeek.Com

• OT security: Helping under-resourced critical infrastructure organisations - Help Net Security

Energy & Utilities

Oil, Gas and Mining

Chinese Threat Actor Targets Rare Earth Mining Companies in North America, Australia | SecurityWeek.Com

Food and Agriculture

• Wiltshire Farm Foods Cyberattack (informationsecuritybuzz.com)

Education and Academia

• Threat Actor Claims Responsibility For IBM and Stanford University Hack - Infosecurity Magazine (infosecurity-magazine.com)

Web3

• Securing the Metaverse and Web3 | SecurityWeek.Com

• Cyber security and the metaverse: Identifying the weak spots | VentureBeat

Reports Published in the Last Week

• State of Email Security | Mimecast

• Q1 2022 Incident Response Insights from Tetra Defense | Arctic Wolf

• State of Data Exfiltration and Extortion 2022 - Titaniam

• SANS 2022 Security Awareness Report: Human Risk Remains the Biggest Threat to Your Organisation’s Cyber Security | SANS Institute

• Defending Ukraine: Early Lessons from the Cyber War - Microsoft On the Issues

Other News

• Cyber Attacks Gain Steam in Early '22: Tetra Defense Report - MSSP Alert

• FBI warns crooks are using deepfake videos in job interviews • The Register

• Destructive firmware attacks pose a significant threat to businesses - Help Net Security

• 48% of security practitioners seeing 3x increase in alerts per day - Help Net Security

• Adversarial machine learning explained: How attackers disrupt AI and ML systems | CSO Online

• Companies are desperate for cyber security workers—more than 700K positions need to be filled | Fortune

• 82% Cyber Breaches In Verizon’s Report Preventable, Says MyCena (informationsecuritybuzz.com)

• SolarWinds hack explained: Everything you need to know (techtarget.com)

• Properly securing APIs is becoming increasingly urgent - Help Net Security

• 97% Of UK Business Leaders Expect Quantum Computing to Disrupt Their Sectors - Infosecurity Magazine

• LGBTQ+ folks warned of dating app extortion scams • The Register

• What is Zero Trust and why would you want it? • The Register

• Tencent admits to poisoned QR code attack on QQ accounts • The Register

• Exploring the insecurity of readily available Wi-Fi networks - Help Net Security

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

• Ransomware Attacks Surged to New Highs in 2021

Ransomware attacks are getting more frequent, more successful and more expensive.

Sixty-six percent of the organisations surveyed by Sophos for its annual State of Ransomware report admitted that they were hit with a ransomware attack last year, up from 37% in 2020. And 65 percent of those attacks were successful in encrypting their victims' data, up from 54 percent the year before.

On top of that, the average ransom paid by organisations for their most significant ransomware attack grew by nearly five times, to just over $800,000, while the number of organisations that paid ransoms of $1 million or more tripled to 11%, the UK-based cybersecurity company said. For its annual report, Sophos surveyed 5,600 organisations from 31 countries. A total of 965 of those polled shared details of their ransomware attacks.

The numbers aren't a huge surprise after a year of epic ransomware attacks that shut down everything from a major oil pipeline to one of the largest meat processors in the US. While both Colonial Pipeline and JBS US Holdings paid millions in ransom, the attacks paused their operations long enough to spark panic buying and drive prices up for consumers.

https://www.cnet.com/tech/services-and-software/ransomware-attacks-surged-to-new-highs-in-2021/#ftag=CAD-09-10aai5b

• NCSC and Allies Publish Advisory on The Most Commonly Exploited Vulnerabilities In 2021

The UK and international partners have published an advisory for public and private sector organisations on the 15 most commonly exploited vulnerabilities in 2021.

The National Cyber Security Centre (NCSC), a part of GCHQ, has jointly published an advisory with agencies in the US, Australia, Canada and New Zealand, showing that malicious cyber actors aggressively targeted newly disclosed critical software vulnerabilities across the public and private sectors worldwide.

Threat actors often geared their efforts towards targeting internet-facing systems, such as email and virtual private network (VPN) servers.

It also indicates that, to a lesser extent, actors continue to exploit publicly known – and often dated – vulnerabilities, some of which were routinely exploited in 2020 or earlier.

The advisory directs organisations to follow specific mitigation advice to protect against exploitation, which includes applying timely patches, using a centralised patch management system and replacing any software no longer supported by the vendor.

https://www.ncsc.gov.uk/news/ncsc-and-allies-publish-advisory-on-the-most-commonly-exploited-vulnerabilities-in-2021

•  Network Attacks Increased to a 3-Year High

WatchGuard Technologies’ Internet Security Report for Q4 2021 revealed all threats were up, whether they’re network attacks or malware.

When the pandemic started, their research team saw a big drop in malware being detected by network security devices. In this period, tech based jobs moved to remote work, which meant a lot of users were no longer browsing the internet and encountering bad things through the network security control at the office. That’s probably why network detection for malware dropped quite a bit at the beginning of the pandemic.

Meanwhile, network attacks continued to rise even through the pandemic, since the servers still lived at the offices and the cloud, and network security still protected those.

The big takeaway in Q4 2021 is that malware rose significantly, returning to normal levels. The reason might be the holiday season, but it’s most probably the fact that, at the end of last year, a lot of tech-based offices started reopening and offering employees to come back in, and thus there’s a bigger chance for network security controls to catch malware.

https://www.helpnetsecurity.com/2022/04/25/network-attacks-q4-2021-video/

• World War Three Is Far More Likely Than Anyone Is Prepared to Admit

A Telegraph article looks at the Russia-Ukraine conflict and considers risks posed by new weapons and how the West’s failure to understand our enemies are raising the chances of a horrific conflict.

The fact is the world is becoming more, rather than less, dangerous: there are plenty of other wannabe Putins, and they are better equipped to sow death and destruction. Not only traditional and nuclear threats but bioterrorism is a growing worry and a major cyber attack or assault on transatlantic cables could be so devastating to an internet-based economy as to be seen as a declaration of war.

https://www.telegraph.co.uk/news/2022/04/27/world-war-three-far-likely-anyone-prepared-admit/

• The Ransomware Crisis Deepens, While Data Recovery Stalls

Higher probabilities of attack, soaring ransoms, and less chance of getting data back — the ransomware plague gets worse, and cyber insurance fails to be a panacea.

When it comes to ransomware, more companies are seeing attacks and have had data encrypted, according to research out this week. And even though more companies are backing up or paying ransom demands, less data was recovered in 2021 compared with the previous year.

For instance, in its "State of Ransomware 2022" report, cybersecurity firm Sophos found that 66% of surveyed companies had encountered ransomware in 2021, with two-thirds of those firms — or 43% overall — suffering from an actual attack that encrypted data. In its previous report covering 2020, the frequency of successful attacks was much smaller, with about 20% overall resulting in encryption.

The deteriorating cyberthreat landscape is largely due to the evolution of ransomware groups and their techniques, says Sean Gallagher, senior threat researcher with Sophos.

"Over the past couple of years, there has been a massive transition from ransomware to ransomware-as-a-service," he says. "There are very well-established [groups] that are doing these attacks, and as a result, the number of attacks companies are seeing has gone up."

Ransomware continues to plague companies with business-disrupting attacks and defy efforts by cybersecurity experts to rein in the operators behind the criminals’ campaigns. Not only did the portion of companies affected by ransomware more than double last year, but the mean ransomware payment more than quadrupled to $812,000, according to the Sophos report.

https://www.darkreading.com/attacks-breaches/ransomware-crisis-deepens-data-recovery-stalls

• Ransoms Only Make Up 15% of Ransomware Costs

New research suggests that paying ransoms is only the tip of the cost iceberg when it comes to ransomware attacks.

Researchers at Check Point have revealed that the collateral damage of ransomware attacks make up costs roughly seven times higher than the ransom demanded by threat actors.

The costs include financial implications caused by incident response efforts, system restoration, legal fees, monitoring costs and the overall impact of business disruption.

Ransomware attacks are an increasingly popular attack method, typically involving stealing data from the victim, encrypting data and forcing them to pay for decryption and avoiding a data leak.

Check Point said in the report:

“Most other losses, including response and restoration costs, legal fees, monitoring costs, etc., are applied whether the extortion demand was paid or not. The year 2020 showed that the average total cost of a ransomware attack was more than seven times higher than the average ransom paid.”

https://www.itsecurityguru.org/2022/04/28/ransoms-only-make-up-15-of-ransomware-costs/

• Defending Your Business Against Russian Cyber Warfare

We are likely to see Russian state sponsored attacks escalate as the West continues to increase sanctions and support Ukraine.

The eyes of the world are focused on the war in Ukraine. As expected, Russia has targeted Ukraine with cyber attacks first, and much of the West is wondering when Russia will also retaliate against countries supporting Ukraine. Most agree that some attacks are already in progress, and the attacks against western entities are sure to escalate as the war continues and more sanctions are put in place. 

The first wave of companies targeted by the Russian state, and threat actors it supports, will be those that suspend Russian operations or take direct action to support Ukraine. Information operations and subversion against these companies will likely ensue. In the event of Russian cyberwarfare, reviewing the industries, styles, and objectives of their attacks can help organisations to prepare and implement more robust defences. These defences include actions both inside and outside an enterprise's perimeter.

https://www.securityweek.com/defending-your-business-against-russian-cyberwarfare

• 5-Year Vulnerability Trends Are Both Surprising and Sadly Predictable

What 5,800+ pentests show us: Companies have been struggling with the same known and preventable security bugs year over year. Bandwidth stands at the heart of the problem.

Cyber crime can cause major disruption when it comes to the sustainability and long-term success of companies. Teams want to have robust security but often struggle to meet that objective. It's crucial for security professionals to leverage insights into emerging trends in cybersecurity to pinpoint which vulnerabilities put organisations at the greatest risk, and Cobalt's "State of Pentesting" reports explore how to achieve efficiency to strengthen security.

The "State of Pentesting 2022" surveyed 602 cybersecurity and software development professionals and analysed data from 2,380 pentests conducted over the course of 2021 to pull key insights that are relevant to security and development teams when it comes to fixing vulnerabilities.

As a result of the data collected, the top five most common vulnerability categories outlined in this year's "State of Pentesting" report include:

·       Server Security Misconfigurations

·       Cross-Site Scripting (XSS)

·       Broken Access Control

·       Sensitive Data Exposure

·       Authentication and Sessions

Surprisingly — yet predictably — these vulnerability categories have stayed at the top of the list for at least the last five years in a row. They're also recognisable to those who are familiar with OWASP Top 10 list for Web Application Security Risks.

The majority of these findings are connected to missing configurations, outdated software, and a lack of access management controls — all common and easily preventable security flaws. So, what's holding companies back from preventing well-known security flaws? Why does this come as a surprise?

https://www.darkreading.com/vulnerabilities-threats/5-year-vulnerability-trends-are-both-surprising-and-sadly-predictable

• Cisco Talos Observes 'Novel Increase' in APT Activity in Q1

Advanced persistent threat actors have been busy over the past few months, according to Cisco Talos.

The security vendor released its Quarterly Trends report, which examined incident response trends from engagements in the first quarter of 2022. While ransomware remained the top threat, as it has for the past two years now, Cisco observed a new trend of increased APT activity. The Cisco Talos Incident Response (CTIR) team attributed some of the increase to groups like Iranian state-sponsored Muddywater and China-based Mustang Panda.

One suspected Chinese APT, dubbed "Deep Panda," was connected to exploitation of the Log4j flaw that was discovered last year in the widely used Java logging tool. Log4j exploitation was the second most common threat for Q1 behind ransomware, indicating the bug is a growing threat despite a patch being available.

https://www.techtarget.com/searchsecurity/news/252516380/Cisco-Talos-observes-novel-increase-in-APT-activity-in-Q1

• Deepfakes Set to Be Used in Organised Crime

New research from Europol suggests that deepfakes will be used extensively in organised crime operations.

Europol has warned of a projected rise in the use of deepfake technology by organised crime organisations.

Deepfakes involve the use of artificial intelligence to create realistic audio and audio-visual content “that convincingly shows people saying or doing things they never did, or create personas that never existed in the first place.”

Law enforcement and the challenge of deepfakes is the first published analysis of the Europol Innovation Lab’s Observatory function, warning that law enforcement agencies must rapidly improve skills and technologies utilised by officers in order to keep up with criminal deepfake use.

The analysis report highlighted how deepfakes are used primarily in disinformation, non-consensual pornography and document fraud campaigns, which will grow more realistic in years to come.

https://www.itsecurityguru.org/2022/04/29/deepfakes-set-to-be-used-in-organised-crime/

• Smart Contract Developers Not Really Focused on Security. Who Knew?

"Smart contracts," which consist of self-executing code on a blockchain, are not nearly as smart as the label suggests.

They are at least as error-prone as any other software, where historically the error rate has been about one bug per hundred lines of code.

And they may be shoddier still due to disinterest in security among smart contract developers, and perhaps inadequate technical resources.

Multi-million dollar losses attributed to smart contract bugs – around $31m stolen from MonoX via smart contract exploit and ~$34m locked into a contract forever due to bad increment math, to name a few – illustrate the consequences.

https://www.theregister.com/2022/04/26/smart_contract_losses/

• Tractor-Trailer Brake Controllers Vulnerable to Remote Hacker Attacks

We’ve been predicting this for a while now and the move to more and more connected systems, autonomous and semi-autonomous vehicles, how long until someone is subject to threats to disconnect a vehicle’s brakes as they are driving along a motorway? Who wouldn’t pay the ransom demand in that scenario?

A report this week is related to articulated lorries but this is something that will be affecting all vehicles unless safeguards are put in place.

Researchers have analysed the cyber security of heavy vehicles and discovered that the brake controllers found on many tractor-trailers in North America are susceptible to remote hacker attacks.

The research was conducted by the US National Motor Freight Traffic Association (NMFTA), which is a non-profit organisation that represents roughly 500 motor freight carriers, in collaboration with Assured Information Security, Inc.

NMFTA has been analysing the cyber security of heavy vehicles since 2015 and it has periodically disclosed its findings. The latest report from the organisation came in early March, when the US Cybersecurity and Infrastructure Security Agency (CISA) also issued an advisory to describe two vulnerabilities affecting trailer brake controllers.

The flaws described in the CISA advisory are related to the power line communications (PLC) between tractors and trailers, specifically the PLC4TRUCKS technology, which uses a standard named J2497 for bidirectional communications between the tractor and trailer without adding new wires.

https://www.securityweek.com/tractor-trailer-brake-controllers-vulnerable-remote-hacker-attacks

Threats

Ransomware

• Prevent HEAT Attacks to Foil Ransomware Incidents - Help Net Security

• 4-Hour Time-to-Ransom Seen in Quantum Attack as Accelerated Ransomware Increasingly Common | SecurityWeek.Com

• Conti Ransomware Operations Surge Despite Recent Leak - Security Affairs

• Beware: Onyx Ransomware Destroys Files Instead of Encrypting Them (bleepingcomputer.com)

• FBI says BlackCat Rust-Based Ransomware Scratched 60+ Orgs • The Register

• REvil Ransomware Attacks Resume, But Operators Are Unknown (techtarget.com)

• Fake Windows 10 Updates Infect You with Magniber Ransomware (bleepingcomputer.com)

• New Black Basta Ransomware Springs into Action with A Dozen Breaches (bleepingcomputer.com)

• Companies Can't Get Enough of Good Ol' Tape Storage For Ransomware Resistance | PC Gamer

Phishing & Email Based Attacks

• Phishing Goes KISS: Don’t Let Plain and Simple Messages Catch You Out! – Naked Security (sophos.com)

• Phishing Attacks Benefiting from Shady SEO Practices (techtarget.com)

• Cyber Criminals Deliver IRS Tax Scams and Phishing Campaigns by Mimicking Government Vendors - Help Net Security

Malware

• Emotet Malware Now Installs Via Powershell in Windows Shortcut Files (bleepingcomputer.com)

• It’s Called BadUSB for a Reason - Security Affairs

• New RIG Exploit Kit Campaign Infecting Victims' PCs with RedLine Stealer (thehackernews.com)

• Emotet Tests New Attack Techniques: Sign of Things to Come? | CSO Online

• Cyber Criminals Using New Malware Loader 'Bumblebee' in the Wild (thehackernews.com)

• New Powerful Prynt Stealer Malware Sells for Just $100 Per Month (bleepingcomputer.com)

Mobile

• These Are Signs That Your Phone Could Be Infected with Malware - PhoneArena

Organised Crime & Criminal Actors

• Interpol: We Can't Arrest Our Way Out of Cyber Crime • The Register

Cryptocurrency/Cryptomining/Cryptojacking/NFTs

• Scammers Are Copying News Sites To Push Elon Musk-themed Crypto Scams - Information Security Buzz

• Why Did Hackers Target DeFi L1, L2 Solutions for a $1.2 Billion Theft in 2022? (watcher.guru)

• Intuit Sued Over Phishing Attack Targeting Trezor Crypto Wallet Users - Decrypt

• Crypto Trading Fund Partners Accused of Fraud - Infosecurity Magazine

• LemonDuck Botnet Evades Detection in Cryptomining Attacks (techtarget.com)

• Bored Ape Yacht Club Instagram Hacked, NFTs Worth Millions Stolen (vice.com)

Insider Risk and Insider Threats

• Don't Ignore Risks Lurking Within Your Own Network - Help Net Security

AML/CFT

• Two More Indicted Over North Korean Sanctions Evasion Plot - Infosecurity Magazine

• FCA: Challenger Banks Failing to Spot Money Launderers - Infosecurity Magazine

Denial of Service DoS/DDoS

• Cloudflare Stomps On 15.3 Million Requests Per Second DDoS • The Register

• How a New Generation of IoT Botnets Is Amplifying DDoS Attacks | CSO Online

• Attackers Remain Persistent and Indiscriminate As Multi-Vector DDoS Attacks Continue To Rise - Help Net Security

• DDoS Attacks Target Healthcare, Education Markets, Research Finds - MSSP Alert

Cloud

• Is Cloud Critical Infrastructure? Prep Now for Provider Outages (techtarget.com)

• Shadow IT Is A Top Concern Related To SaaS Adoption - Help Net Security

• Security Turbulence in the Cloud: Survey Says… | Threatpost

Travel

• Finnish Hotels' Data Compromised - Infosecurity Magazine

Parental Controls and Child Safety

• Hackers Sexually Extort Kids with Stolen Data: Report (gizmodo.com)

Spyware, Espionage & Cyber Warfare, including Russian Invasion of Ukraine

• The Hybrid War in Ukraine - Microsoft On the Issues

• Data-Wiper Malware Strains Surge Amid Ukraine Invasion • The Register

• Russia Is Being Hacked at an Unprecedented Scale | WIRED

• Chinese Hackers Targeting Russian Military Personnel with Updated PlugX Malware (thehackernews.com)

• Cyber Attacks Rage in Ukraine, Support Military Operations | Threatpost

• Ongoing DDoS Attacks from Compromised Sites Hit Ukraine - Security Affairs

• Anonymous Hacked Russian PSCB Commercial Bank and Energy Firms - Security Affairs

• Russia-Linked Threat Actors Launched Hundreds of Cyber Attacks on Ukraine - Security Affairs

• Russian Hacktivists Launch DDoS Attacks on Romanian Govt Sites (bleepingcomputer.com)

• Cyber Espionage APT Now Identified as Three Separate Actors | Threatpost

Nation State Actors

Nation State Actors – Russia

• Microsoft Documents Over 200 Cyber Attacks by Russia Against Ukraine (thehackernews.com)

• Russian Govt Impersonators Target Telcos in Phishing Attacks (bleepingcomputer.com)

• The Subject of Trusting ‘Russian’ Applications - Information Security Buzz

Nation State Actors – North Korea

• Nation-state Hackers Target Journalists with Goldbackdoor Malware | Threatpost

Nation State Actors – Iran

• Iran's Rocket Kitten Likely Behind VMware Exploitation • The Register

Nation State Actors – Misc

• Case Study: Why It's Difficult To Attribute Nation-State Attacks (techtarget.com)

• Experts Detail 3 Hacking Teams Working Under the Umbrella of TA410 Group (thehackernews.com)

Vulnerability Management

• Five Eyes Nations Reveal 2021's Fifteen Most-Exploited Flaws • The Register

• Experts Warn of A Surge In Zero-Day Flaws Observed And Exploited in 2021 - Security Affairs

• Cyber Criminals are Feasting Over 'Zero-day Hacks' While the World Watches (analyticsinsight.net)

Vulnerabilities

• CISA Adds 7 Vulnerabilities to List Of Bugs Exploited In Attacks (bleepingcomputer.com)

• Cisco Patches 11 High-Severity Vulnerabilities in Security Products | SecurityWeek.Com

• Update Now! Critical Patches for Chrome and Edge | Malwarebytes Labs

• Microsoft Patches Pair of Dangerous Vulnerabilities in Azure PostgreSQL (darkreading.com)

• Log4j Attack Surface Remains Massive (darkreading.com)

• Microsoft Discovers New Privilege Escalation Flaws in Linux Operating System (thehackernews.com)

• Millions of Java Apps Remain Vulnerable to Log4Shell | Threatpost

• Organisations Warned of Attacks Exploiting WSO2 Vulnerability | SecurityWeek.Com

• Critical Vulnerabilities Leave Some Network-Attached Storage Devices Open to Attack (darkreading.com)

• Vulnerability Found in WordPress Anti-Malware Firewall (searchenginejournal.com)

Sector Specific

Financial Services Sector

• Private Investigator Admits Role in Hedge Fund Hack - Infosecurity Magazine

Government

• Governments Under Attack Must Think Defensively - Help Net Security

• Data Breach Disrupts UK Army Recruitment - Infosecurity Magazine

Health/Medical/Pharma Sector

• French Hospital Group Disconnects Internet After Hackers Steal Data (bleepingcomputer.com)

• Medical Software Firm Fined €1.5M for Leaking Data of 490k Patients (bleepingcomputer.com)

• Data breach at US healthcare provider ARcare impacts 345,000 individuals | The Daily Swig (portswigger.net)

• DDoS Attacks Target Healthcare, Education Markets, Research Finds - MSSP Alert

• Smile Brands Breach Impacts 2.5 Million Individuals - Infosecurity Magazine

CNI, OT, ICS, IIoT and SCADA

• Why Is It So Easy To Break Into The Systems That Run The World’s Most Critical, Expert Weighs In - Information Security Buzz

• Chickens Baked Alive Due to Computer Glitch - Infosecurity Magazine

Education and Academia

• Universities Lose Over £2m to Ransomware - IT Security Guru

• DDoS Attacks Target Healthcare, Education Markets, Research Finds - MSSP Alert

Gaming/Gambling

• New APT Group Earth Berberoka Targets Gambling Websites With Old and New Malware (trendmicro.com)

Reports Published in the Last Week

• Cisco Talos Intelligence Group - Comprehensive Threat Intelligence: Quarterly Report: Incident Response trends in Q1 2022

• Internet Security Report - Q4 2021 | WatchGuard Technologies

• State of Pentesting Report 2022 | Cobalt

Other News

• SolarWinds Breach Lawsuits: 6 Takeaways for CISOs | CSO Online

• 41% Of Businesses Had an API Security Incident Last Year - Help Net Security

• Security Leaders Relying More Heavily on MSPs Amid Talent Crunch - Help Net Security

• 2022 Security Priorities: Staffing and Remote Work (darkreading.com)

• GitHub: How Stolen OAuth Tokens Helped Breach Dozens of Orgs (bleepingcomputer.com)

• Why Companies Should Focus on Preventing Privilege Escalation (techtarget.com)

• German Wind Turbine Firm Hit by 'Targeted, Professional Cyber Attack' | SecurityWeek.Com

• 308,000 Exposed Databases Discovered, Proper Management Is Key - Help Net Security

• Lapsus$ targeting SharePoint, VPNs and virtual machines (techtarget.com)

• Indian Govt Orders Organisations to Report Security Breaches Within 6 Hours to CERT-In (thehackernews.com)

• Top Five Post-Pandemic Priorities for Cyber Security Leaders - Help Net Security

• Security Spending Set to Hit $198bn by 2025 - Infosecurity Magazine

• Companies Poorly Prepared to Meet CCPA, CPRA and GDPR Compliance Requirements - Help Net Security

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

• Nearly Two-Thirds of Ransomware Victims Paid Ransoms Last Year, Finds "2022 Cyberthreat Defense Report"

CyberEdge Group, a leading research and marketing firm serving the cyber security industry’s top vendors, announced the launch of its ninth annual Cyberthreat Defense Report (CDR). The award-winning CDR is the standard for assessing organisations’ security posture, gauging perceptions of information technology (IT) security professionals, and ascertaining current and planned investments in IT security infrastructure – across all industries and geographic regions.

A record 71% of organisations were impacted by successful ransomware attacks last year, according to the 2022 CDR, up from 55% in 2017. Of those that were victimised, nearly two-thirds (63%) paid the requested ransom, up from 39% in 2017.

https://www.darkreading.com/attacks-breaches/nearly-two-thirds-of-ransomware-victims-paid-ransoms-last-year-finds-2022-cyberthreat-defense-report-

• New Android Banking Malware Remotely Takes Control of Your Device

A new Android banking malware named Octo has appeared in the wild, featuring remote access capabilities that allow malicious operators to perform on-device fraud.

Octo is an evolved Android malware based on ExoCompact, a malware variant based on the Exo trojan that quit the cyber crime space and had its source code leaked in 2018.

The new variant has been discovered by researchers at ThreatFabric, who observed several users looking to purchase it on darknet forums.

https://www.bleepingcomputer.com/news/security/new-android-banking-malware-remotely-takes-control-of-your-device/

• Network Intrusion Detections Skyrocketing

A WatchGuard report shows a record number of evasive network malware detections with advanced threats increasing by 33%, indicating a higher level of zero day threats than ever before.

Researchers detected malware threats in EMEA at a much higher rate than other regions of the world in Q4 2021, with malware detections per Firebox at 49%, compared to Americas at 23% and APAC at 29%. The trajectory of network intrusion detections also continued its upward climb with the largest total detections of any quarter in the last three years and a 39% increase quarter over quarter.

Researchers suggest that this may be due to the continued targeting of old vulnerabilities as well as the growth in organisations’ networks. As new devices come online and old vulnerabilities remain unpatched, network security is becoming more complex.

https://www.helpnetsecurity.com/2022/04/08/network-malware-detections/

• Organisations Underestimating the Seriousness of Insider Threats

Imperva releases data that shows organisations are failing to address the issue of insider threats during a time when the risk is at its greatest.

New research, conducted by Forrester, found that 59% of incidents in EMEA organisations that negatively impacted sensitive data in the last 12 months were caused by insider threats, and yet 59% do not prioritise insider threats the way they prioritise external threats. Despite the fact that insider events occur more often than external ones, they receive lower levels of investment.

This approach is at odds with today’s threat landscape where the risk of malicious insiders has never been higher. The rapid shift to remote working means many employees are now outside the typical security controls that organisations employ, making it harder to detect and prevent insider threats.

Further, the Great Resignation is creating an environment where there is a higher risk of employees stealing data. This data could be stolen intentionally by people looking to help themselves in future employment, because they are disgruntled and want revenge, or it could be taken unintentionally when a careless employee leaves the business with important information.

https://www.helpnetsecurity.com/2022/04/08/organizations-insider-threats-issue/

• Watch Out for Phishing Emails from Genuine Mailing Lists, Following Mailchimp Hack

A Mailchimp hack means that you’ll want to be even more vigilant than usual about phishing emails. Attackers have taken a clever approach to making their emails appear genuine …

When you subscribe to an email list, there’s a decent chance that the emails you received are actually sent by a company called Mailchimp, rather than directly by the company itself. Mailchimp offers companies a range of tools that make it easy to manage email databases, and send marketing emails and newsletters.

Hackers managed to gain access to more than 100 Mailchimp customer accounts, giving them the ability to send emails that would appear to have come from any one of those businesses.

Users will need to be more vigilant when receiving emails and avoid clicking on links in emails, even if they appear genuine.

https://9to5mac.com/2022/04/05/mailchimp-hack-phishing-alert/

• SpringShell Attacks Target About One in Six Vulnerable Orgs

Roughly one out of six organisations worldwide that are impacted by the Spring4Shell zero-day vulnerability have already been targeted by threat actors, according to statistics from one cyber security company.

The exploitation attempts took place in the first four days since the disclosure of the severe remote code execution (RCE) flaw, tracked as CVE-2022-22965, and the associated exploit code.

According to Check Point, who compiled the report based on their telemetry data, 37,000 Spring4Shell attacks were detected over the past weekend alone.

https://www.bleepingcomputer.com/news/security/springshell-attacks-target-about-one-in-six-vulnerable-orgs/

• New Threat Group Underscores Mounting Concerns Over Russian Cyber Threats

Crowdstrike says Ember Bear is likely responsible for the wiper attack against Ukrainian networks and that future Russian cyber attacks might target the West.

As fears mount over the prospects of a “cyberwar” initiated by the Russian government, the number of identified Russian threat actors also continues to climb. Last week CrowdStrike publicly revealed a Russia-nexus state-sponsored actor that it tracks as Ember Bear.

CrowdStrike says that Ember Bear (also known as UAC-0056, Lorec53, Lorec Bear, Bleeding Bear, Saint Bear) is likely an intelligence-gathering adversary group that has operated against government and military organisations in eastern Europe since early 2021. The group seems “motivated to weaponize the access and data obtained during their intrusions to support information operations (IO) aimed at creating public mistrust in targeted institutions and degrading government ability to counter Russian cyber operations,” according to CrowdStrike intelligence.

Despite its state-sponsored Russia nexus, Ember Bear differs from its better-known kin such as Fancy Bear or Voodoo Bear because CrowdStrike can’t tie it to a specific Russian organisation. Its target profile, assessed intent, and technical tactics, techniques, and procedures (TTPs) are consistent with other Russian GRU cyber operations.

https://www.csoonline.com/article/3655976/new-threat-group-underscores-mounting-concerns-over-russian-cyber-threats.html

• Consumer Fraud Tripled in The Last Two Years

Reported cases of consumer fraud more than tripled in the years 2020-2021 from prior years, finds a new report by Accenture, presenting a growing challenge for public safety agencies to find new strategies to counter the trend.

The report compiled data from eight developed nations (Australia, Canada, France, Germany, Italy, Singapore, the United Kingdom, and the United States) on consumer fraud, defined as any fraud directly targeting citizens and excluding fraud targeting government agencies and companies. Reports of such fraud increased at an estimated 6.8% rate annually during 2013-2019 and then increased to a 22.5% annual growth rate yearly during 2020-2021 in parallel with the large shift of workers and consumers to digital channels and greater use of technology during the pandemic.

https://www.helpnetsecurity.com/2022/04/08/consumer-fraud-tripled/

• Borat RAT: Multiple Threat of Ransomware, DDoS and Spyware

A new remote access trojan (RAT) dubbed "Borat" doesn't come with many laughs but offers bad actors a menu of cyberthreats to choose from.

RATs are typically used by cyber criminals to get full control of a victim's system, enabling them to access files and network resources and manipulate the mouse and keyboard. Borat does all this and also delivers features to enable hackers to run ransomware, distributed denial of service attacks (DDoS) and other online assaults and to install spyware, according to researchers at cyber security biz Cyble.

"The Borat RAT provides a dashboard to Threat Actors (TAs) to perform RAT activities and also has an option to compile the malware binary for performing DDoS and ransomware attacks on the victim's machine," the researchers wrote in a blog post, noting the malware is being made available for sale to hackers.

Borat – named after the character made famous by actor Sacha Baron Cohen in two comedy films – comes with the standard requisite of RAT features in a package that includes such functions as builder binary, server certificate and supporting modules.

https://www.theregister.com/2022/04/04/borat-rat-ransomware-ddos/

• Bank Had No Firewall License, Intrusion or Phishing Protection – Guess the Rest

An Indian bank that did not have a valid firewall license, had not employed phishing protection, lacked an intrusion detection system and eschewed use of any intrusion prevention system has, shockingly, been compromised by criminals who made off with millions of rupees.

The unfortunate institution is called the Andra Pradesh Mahesh Co-Operative Urban Bank. Its 45 branches and just under $400 million of deposits make it one of India's smaller banks.

It certainly thinks small about security – at least according to Hyderabad City Police, which last week detailed an attack on the Bank that started with over 200 phishing emails being sent across three days in November 2021. At least one of those mails succeeded in fooling staff, resulting in the installation of a Remote Access Trojan (RAT).

Another technology the bank had chosen not to adopt was virtual LANs, so once the RAT went to work the attackers gained entry to the Bank's systems and were able to roam widely – even in its core banking application

https://www.theregister.com/2022/04/05/mahesh_bank_no_firewall_attack/

• Global APT Groups Use Ukraine War for Phishing Lures

Security researchers have detected multiple APT campaigns leveraging Ukraine war-themed documents and news sources to lure victims into clicking on spear-phishing links.

Check Point Research said victim locations ranged from South America to the Middle East, with malware downloads designed to perform keylogging and screenshotting and execute commands.

The threat groups in question include El Machete, which is targeting the financial and government sectors in Nicaragua and Venezuela with malicious macro-laden Word documents containing articles on the war.

One of the docs was an article written by the Russian ambassador to Nicaragua titled: “Dark plans of the neo-Nazi regime in Ukraine.”

Another is Lyceum, an Iranian state-linked group targeting the energy sector with emails about war crimes in Ukraine that link to a malicious document hosted elsewhere. Its victims so far have been in Israel and Saudi Arabia, according to Check Point.

One email contained a link to an article from The Guardian hosted on the news-spot[.]live domain, alongside several malicious docs about the war.

https://www.infosecurity-magazine.com/news/global-apt-ukraine-war-phishing/

• Paying Ransom Doesn’t Guarantee Data Recovery

OwnBackup announced the findings of a global survey conducted by Enterprise Strategy Group (ESG) that reveals a staggering 79% of respondent organisations have been targeted by ransomware within the past 12 months. Of those organisations, nearly three quarters said the attack was successful, meaning that it disrupted business operations.

Other key findings

·       Of the respondents that said their organisation paid a cyber ransom to regain access to data, applications, and/or systems after an attack, only 14% were able to recover all of their data.

·       87% of respondents who made ransom payments said that they experienced additional extortion attempts beyond the initial ransomware demand.

·       31% of respondent organisations targeted by ransomware indicated that application user and permission misconfigurations were the initial point of compromise.

·       87% of respondents are very or somewhat concerned about their backups being infected by ransomware attacks.

https://www.helpnetsecurity.com/2022/04/07/organizations-targeted-by-ransomware/

Threats

Ransomware

• March Ransomware Attacks Strike Finance, Government Targets (techtarget.com)

• Why Paying The Ransom Isn’t The Answer For Ransomware Victims - Information Security Buzz

• Companies Are More Prepared to Pay Ransoms Than Ever Before (tripwire.com)

• Conti Ransomware Deployed in IcedID Banking Trojan Attack (techtarget.com)

• Researchers Connect BlackCat Ransomware with Past BlackMatter Malware Activity (thehackernews.com)

• Notorious Hacking Group FIN7 Adds Ransomware to Its Repertoire - CyberScoop

• BlackCat Purveyor Shows Ransomware Operators Have 9 Lives (darkreading.com)

• FIN7 Hackers Evolve Toolset, Work with Multiple Ransomware Gangs (bleepingcomputer.com)

• LockBit Ransomware Attack Costs CRM Services Provider Over $42 Million - MSSP Alert

• Snap-on Discloses Data Breach Claimed by Conti Ransomware Gang (bleepingcomputer.com)

Phishing & Email Based Attacks

• Phishing Hook: Are you on the line? Cyber Security Experts Explain How the Criminals Lure You In. (winknews.com)

Other Social Engineering

• Hackers Employ Voicemail Phishing Attacks On WhatsApp Users | TechRepublic

Malware

• Borat RAT Malware: A 'Unique' Triple Threat That Is Far from Funny | ZDNet

• Multiple Hacker Groups Capitalizing on Ukraine Conflict for Distributing Malware (thehackernews.com)

• Experts Shed Light on BlackGuard Infostealer Malware Sold on Russian Hacking Forums (thehackernews.com)

• Malicious Web Redirect Service Infects 16,500 Sites to Push Malware (bleepingcomputer.com)

• Researchers Uncover How Colibri Malware Stays Persistent on Hacked Systems (thehackernews.com)

Mobile

• 44 Vulnerabilities Patched in Android With April 2022 Security Updates | SecurityWeek.Com

• Fake Versions of Real Smartphone Apps Are Being Used To Spread Malware. Here's How to Stay Safe | ZDNet

• Samsung Security Flaw Left Phones Exposed for Years (androidpolice.com)

• Six 'Antivirus' Apps Were Caught Spreading Malware That Steals Banking Info — Here Are the Culprits | Laptop Mag

• SharkBot Android Malware Continues Popping Up on Google Play | SecurityWeek.Com

• Android Apps With 45 Million Installs Used Data Harvesting SDK (bleepingcomputer.com)

• New Android Spyware Uses Turla-Linked Infrastructure | SecurityWeek.Com

Organised Crime & Criminal Actors

• Cyber Criminals Taking Advantage of The Ukraine Crisis To Create Charity Donation Scams - Help Net Security

Cryptocurrency/Cryptomining/Cryptojacking

• Crypto 2022: Hackers Have Nabbed $1.22 Billion Already (yahoo.com)

• Malicious Crypto Miners Can Make A Profit In A Few Hours - Help Net Security

• Malicious Actors Targeting the Cloud For Cryptocurrency-Mining Activities - Help Net Security

• Cryptocurrency-Mining AWS Lambda-Specific Malware Spotted • The Register

• MailChimp Breached, Intruders Conducted Phishing Attacks Against Crypto Customers - Security Affairs

• Turkey Seeks 40,000-Year Sentences for Alleged Cryptocurrency Exit Scammers | ZDNet

Insider Risk and Insider Threats

• New Insider Threat: Bad Business Decisions That Put IP At Risk | CSO Online

Fraud, Scams & Financial Crime

• Traditional Identity Fraud Losses Soar, Totalling $52 Billion in 2021 - Help Net Security

• Online Fraud Up 233% - Infosecurity Magazine

• Internal Auditors Stepping Up to Become Strategic Advisors In The Fight Against Fraud - Help Net Security

• South African and US Officers Swoop on Fraud Gang - Infosecurity Magazine

Insurance

• 18% Of the Top 99 Insurance Carriers Have A High Susceptibility To Ransomware - Help Net Security

Supply Chain

• The Blurring Line, and Growing Risk, Between Physical and Digital Supply Chains (darkreading.com)

Cloud

• The Importance of Understanding Cloud Native Security Risks - Help Net Security

• 15 Cyber Security Measures for the Cloud Era - Security Affairs

Privacy

• How You’re Still Being Tracked on the Internet - The New York Times (nytimes.com)

• Using Google's Chrome Browser? This New Feature Will Help You Fix Your Security Settings | ZDNet

Passwords & Credential Stuffing

• Attack on Ukraine Telecoms Provider Caused by Compromised Employee Credentials - Infosecurity Magazine (infosecurity-magazine.com)

• FIN7 Hackers Leveraging Password Reuse and Software Supply Chain Attacks (thehackernews.com)

Travel

• Hotels In Hackers’ Sights as Technology Replaces Personal Touch | Financial Times (ft.com)

Spyware, Espionage & Cyber Warfare, including Russian Invasion of Ukraine

• Hackers Use Conti's Leaked Ransomware to Attack Russian Companies (bleepingcomputer.com)

• Hacking Group Claim It Has Leaked More Than 900,000 Emails from Russian State Media | The Independent

• What Is the Risk Of Retaliation For Taking A Corporate Stance on Russia? | CSO Online

• Anonymous and the IT ARMY of Ukraine Continue to Target Russian Entities - Security Affairs

Nation State Actors

Nation State Actors – Russia

• The Russian Cyber Attack Threat Might Force a New IT Stance | Computerworld

• FBI Operation Aims to Take Down Massive Russian GRU Botnet | TechCrunch

• Microsoft Sinkholes Russian Hacking Group's Domains Targeting Ukraine (darkreading.com)

• FBI Disrupts Russian Military Hackers, Preventing Botnet Amid Ukraine War | Fox News

• Russia (still) Trying To Weaponize Facebook Amid Ukraine War • The Register

Nation State Actors – China

• Symantec: Chinese APT Group Targeting Global MSPs | SecurityWeek.Com

• Chinese Hackers Are Using VLC Media Player to Launch Malware Attacks (androidpolice.com)

• Hacked: Inside the US-China Cyberwar | Cybersecurity | Al Jazeera

• China Uses AI Software to Improve Its Surveillance Capabilities | Reuters

Nation State Actors – Misc

• Israeli Officials Are Being Catfished by APT-C-23 Hackers | ZDNet

Vulnerabilities

• CISA Warns of Active Exploitation of Critical Spring4Shell Vulnerability (thehackernews.com)

• Palo Alto Networks firewalls, VPNs vulnerable to OpenSSL bug (bleepingcomputer.com)

• A Vulnerability in Zyxel Firewall Could Allow for Authentication Bypass (cisecurity.org)

• Citrix Releases Security Updates for Hypervisor | CISA

• Spring4Shell Patching Is Going Slow but Risk Not Comparable To Log4Shell | CSO Online

• VMware Releases Critical Patches for New Vulnerabilities Affecting Multiple Products (thehackernews.com)

• Apple Leaves Big Sur, Catalina Exposed to Critical Flaws: Intego | SecurityWeek.Com

• A Mirai-Based Botnet Is Exploiting the Spring4Shell Vulnerability - Security Affairs

• Steady Rise in Severe Web Vulnerabilities - Help Net Security

• ACF WordPress Plugin Vulnerability Affects Up To +2 Million Sites (searchenginejournal.com)

• Zero Days Are for Life, Not Just For Christmas. Here’s How to Deal With Them • The Register

Sector Specific

Financial Services Sector

• March Ransomware Attacks Strike Finance, Government Targets (techtarget.com)

FinTech

• Server-Side-Request-Forgery Enabled Administrative Account Takeover on FinTech Platform - IT Security Guru

Health/Medical/Pharma Sector

• 49% of Small Medical Practices Lack a Cyber Attack Response Plan - Help Net Security

Manufacturing

• A Cyber Attack Forced The Wind Turbine Manufacturer Nordex Group To Shut Down Some of IT Systems - Security Affairs

CNI, OT, ICS, IIoT and SCADA

• Europe Warned About Cyber Threat to Industrial Infrastructure | SecurityWeek.Com

• BlackCat Ransomware Targets Industrial Companies | SecurityWeek.Com

Energy & Utilities

• Spanish Energy Giant Hit by Data Breach - IT Security Guru

Reports Published in the Last Week

• Cyberthreat Defense Report 2021 - CyberEdge Group (cyber-edge.com)

Other News

• Okta CEO Says Lapsus$ Hack is 'Big Deal,' Aims to Restore Trust (yahoo.com)

• 86% of Developers Don't Prioritise Application Security - Help Net Security

• Digital Transformation Requires Security Intelligence - Help Net Security

• Government Officials: AI Threat Detection Still Needs Humans (techtarget.com)

• The Original APT: Advanced Persistent Teenagers – Krebs on Security

• Scan This: There's Danger in QR Codes (darkreading.com)

• How Many Steps Does It Take for Attackers To Compromise Critical Assets? - Help Net Security

• Cyber Talent Shortage Remains A Top Problem For Sec Pros – CEO Perspective - Information Security Buzz

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

Cyber Risks Top Worldwide Business Concerns In 2022

Cyber perils are the biggest concern for companies globally in 2022, according to the Allianz Risk Barometer. The threat of ransomware attacks, data breaches or major IT outages worries companies even more than business and supply chain disruption, natural disasters or the COVID-19 pandemic, all of which have heavily affected firms in the past year.

Cyber incidents tops the Allianz Risk Barometer for only the second time in the survey’s history (44% of responses), Business interruption drops to a close second (42%) and Natural catastrophes ranks third (25%), up from sixth in 2021. Climate change climbs to its highest-ever ranking of sixth (17%, up from ninth), while Pandemic outbreak drops to fourth (22%).

The annual survey incorporates the views of 2,650 experts in 89 countries and territories, including CEOs, risk managers, brokers and insurance experts. View the full global and country risk rankings.

https://www.helpnetsecurity.com/2022/01/20/cyber-concern-2022/

Bosses Think That Security Is Taken Care Of: CISOs Aren't So Sure

The World Economic Forum warns about a significant gap in understanding between C-suites and information security staff - but it's possible to close the gap.

Organisations could find themselves at risk from cyberattacks because of a significant gap between the views of their own security experts and the boardroom.

The World Economic Forum's new report, The Global Cyber Security Outlook 2022, warns there are big discrepancies between bosses and information security personnel when it comes to the state of cyber resilience within organisations.

According to the paper, 92% of business executives surveyed agree that cyber resilience is integrated into enterprise risk management strategies – or in other words, protecting the organisation against falling victim to a cyberattack, or mitigating the incident so it doesn't result in significant disruption.

However, only 55% of security-focused executives believe that cyber resilience is integrated into risk management strategies – indicating a significant divide in attitudes to cyber security.

This gap can leave organisations vulnerable to cyberattacks, because boardrooms believe enough has been done in order to mitigate threats, while in reality there could be unconsidered vulnerabilities or extra measures put in place.

https://www.zdnet.com/article/managers-think-their-systems-are-unbreakable-cybersecurity-teams-arent-so-sure/

Fraud Is On the Rise, and It's Going to Get Worse

The acceleration of the digital transformation resulted in a surge of online transactions, greater adoption of digital payments, and increased fraud.

As more daily activities — work, education, shopping, and entertainment — shift online, fraud is also on the rise. A trio of recent reports paint a bleak picture, highlighting concerns that companies are experiencing increasing losses from fraud and that the situation will get worse over the coming year.

In KPMG's survey of senior risk executives, 67% say their companies have experienced external fraud in the past 12 months, and 38% expect the risk of fraud committed by external perpetrators to somewhat increase in the next year. External fraud, which includes credit card fraud and identity theft, is specifically referring to incidents perpetuated by individuals outside the company. For most of these respondents, there was a financial impact: Forty-two percent say their organisations experienced 0.5% to 1% of loss as a result of fraud and cybercrime.

https://www.darkreading.com/edge-articles/fraud-is-on-the-rise-and-its-going-to-get-worse

Two-Fifths of Ransomware Victims Still Paying Up

Two-fifths (39%) of ransomware victims paid their extorters over the past three years, with the majority of these spending at least $100,000, according to new Anomali research.

The security vendor hired The Harris Poll to complete its Cyber Resiliency Survey – interviewing 800 security decision-makers in the US, Canada, the UK, Australia, Singapore, Hong Kong, India, New Zealand, the UAE, Mexico and Brazil.

Some 87% said their organisation had been the victim of a successful attack resulting in damage, disruption, or a breach since 2019. However, 83% said they’d experienced more attacks since the start of the pandemic.

Over half (52%) were ransomware victims, with 39% paying up. Of these, 58% gave their attackers between $100,000 and $1m, while 7% handed over more than $1m.

https://www.infosecurity-magazine.com/news/two-fifths-ransomware-victims/

Less Than a Fifth of Cyber Leaders Feel Confident Their Organisation is Cyber-Resilient

Less than one-fifth (17%) of cyber leaders feel confident that their organisations are cyber-resilient, according to the World Economic Forum (WEF)’s inaugural Global Cyber Security Outlook 2022 report.

The study, written in collaboration with Accenture, revealed there is a wide perception gap between business executives and security leaders on the issue of cyber security. For example, 92% of businesses believe cyber-resilience is integrated into their enterprise risk-management strategies, compared to just 55% of cyber leaders.

This difference in attitude appears to be having worrying consequences. The WEF said that many security leaders feel that they are not consulted in security decisions, and only 68% believe cyber-resilience forms a major part of their organisation’s overall corporate risk management.

In addition, over half (59%) of all cyber leaders admitted they would find it challenging to respond to a cyber security incident due to a shortage of skills within their team.

Supply chain security was another major concern among cyber leaders, with almost nine in 10 (88%) viewing SMEs as a key threat to supply chains.

Interestingly, 59% of cyber leaders said cyber-resilience and cyber security are synonymous, with the differences not well understood.

https://www.infosecurity-magazine.com/news/cyber-leaders-organisation/

Endpoint Malware And Ransomware Detections Hit All-Time High

Endpoint malware and ransomware detections surpassed the total volume seen in 2020 by the end of Q3 2021, according to researchers at the WatchGuard Threat Lab. In its latest report, WatchGuard also highlights that a significant percentage of malware continues to arrive over encrypted connections.

While zero-day malware increased by just 3% to 67.2% in Q3 2021, the percentage of malware that arrived via Transport Layer Security (TLS) jumped from 31.6% to 47%. Data shows that many organisations are not decrypting these connections and therefore have poor visibility into the amount of malware hitting their networks.

https://www.helpnetsecurity.com/2022/01/20/endpoint-malware-ransomware-detections-q3-2021/

End Users Remain Organisations' Biggest Security Risk

With the rapid adoption of hybrid working environments and increased attacks, IT and security professionals worry that future data breaches will most likely be the result of end users who are negligent of or break security policy, according to a recent Dark Reading survey. The percentage of respondents in Dark Reading's 2021 Strategic Security Survey who perceive users breaking policy as the biggest risk fell slightly, however, from 51% in 2020 to 48% in 2021. Other potential issues involving end users showed improvements as well, with social engineering falling in concern from 20% to 15% and remote work worries halving from 26% to 13%.

While this trend is positive, it's unclear where the increased confidence comes from, since more people now report ineffective end-user security awareness training (11%, to 2020's 7%).

Respondents shared their heightened concern about well-funded attacks. In 2021, 25% predicted an attack targeted at their organisations (a rise from 2020, when 20% said the same), and fear of a nation-state-sponsored action rose to 16% from 9% the year before. Yet only 16% reported sophisticated, automated malware as a top concern, a 10% drop from 2020, and fear of a gap between security and IT advances only merited 9%. A tiny 3% worried that their security tools wouldn't work well together, dropping from the previous year's 10%.

https://www.darkreading.com/edge-threat-monitor/despite-rise-of-third-party-concerns-end-users-still-the-biggest-security-risk

Supply Chain Disruptions Rose In 2021

56% of businesses experienced more supply chain disruptions in 2021 than 2020, a Hubs report reveals.

Last year was marked by a number of challenges, including computer chip shortages, port congestion, the ongoing impacts of COVID-19, logistics impediments, and energy crises, though with every hurdle faced, solutions are being sought. It is increasingly clear that while certain risks are hard to anticipate and difficult to plan for, it is possible to mitigate the effects of supply chain disruptions by establishing a robust and agile supply chain.

Over 98% of global companies are now planning to boost the resilience of their manufacturing supply chains, however, 37% have yet to implement any measures. As businesses develop long term strategies, over 57% of companies say diversification of their supply chains is the most effective way of building resilience. This report explores last year’s most disruptive events, how disruptions have changed over time, industry trends and strategies for strengthening manufacturing supply chains.

https://www.helpnetsecurity.com/2022/01/19/supply-chain-disruptions-2021/

Red Cross Begs Attackers Not to Leak Stolen Data for 515K People

A cyber attack forced the Red Cross to shut down IT systems running the Restoring Family Links system, which reunites families fractured by war, disaster or migration. UPDATE: The ICRC says it’s open to confidentially communicating with the attacker.

The Red Cross is imploring threat actors to show mercy by abstaining from leaking data belonging to 515,000+ “highly vulnerable” people. The data was stolen from a program used to reunite family members split apart by war, disaster or migration.

“While we don’t know who is responsible for this attack, or why they carried it out, we do have this appeal to make to them,” Robert Mardini, the director general of the International Committee for the Red Cross (ICRC), said in a release on Wednesday. “Your actions could potentially cause yet more harm and pain to those who have already endured untold suffering. The real people, the real families behind the information you now have are among the world’s least powerful. Please do the right thing. Do not share, sell, leak or otherwise use this data.”

https://threatpost.com/red-cross-begs-attackers-not-to-leak-515k-peoples-stolen-data/177799/

DHL Dethrones Microsoft As Most Imitated Brand In Phishing Attacks

DHL was the most imitated brand in phishing campaigns throughout Q4 2021, pushing Microsoft to second place, and Google to fourth.

This isn't surprising considering that the final quarter of every year includes the Black Friday, Cyber Monday, and Christmas shopping season, so phishing lures based on package deliveries naturally increase.

DHL is an international package delivery and express mail service, delivering over 1.6 billion parcels per year.

As such, phishing campaigns impersonating the brand have good chances of reaching people who are waiting for a DHL package to arrive during the holiday season.

The specific lures range from a package that is stuck at customs and requires action for clearance to supposed tracking numbers that hide inside document attachments or embedded links.

https://www.bleepingcomputer.com/news/security/dhl-dethrones-microsoft-as-most-imitated-brand-in-phishing-attacks/

Threats

Ransomware

• New White Rabbit Ransomware Linked To FIN8 Hacking Group (bleepingcomputer.com)

• Conti Ransomware Gang Started Leaking Files Stolen From Bank Indonesia - Security Affairs

• This New Ransomware Comes With A Small But Dangerous Payload | ZDNet

• FBI Warning: This New Ransomware Makes Demands Of Up To $500,000 | ZDNet

• Experts Warn Of Attacks Using A New Linux Variant Of SFile Ransomware - Security Affairs

• SEC Filing Reveals Fortune 500 Firm Targeted in Ransomware Attack | Threatpost

• FBI Warns Organisations of Diavol Ransomware Attacks | SecurityWeek.Com

• Marketing Giant RRD Confirms Data Theft In Conti Ransomware Attack (bleepingcomputer.com)

• After Ransomware Arrests, Some Dark Web Criminals Are Getting Worried | ZDNet

BEC – Business Email Compromise

• Nigerian Authorities Arrest 11 Members of Prolific BEC Fraud Group | SecurityWeek.Com

Phishing

• Phishing Impersonates Shipping Giant Maersk To Push STRRAT Malware (bleepingcomputer.com)

• #COVID19 Phishing Emails Surge 500% on Omicron Concerns - Infosecurity Magazine

• Financially Motivated Earth Lusca Threat Actors Targets Orgs Worldwide - Security Affairs

Malware

• Microsoft Details Recent Damaging Malware Attacks on Ukrainian Organisations (darkreading.com)

• Custom-Written Malware Discovered Across Windows, MacOS, And Linux Systems | TechSpot

• Backdoor RAT for Windows, macOS, and Linux went undetected until now | Ars Technica

• Ukraine: Wiper Malware Masquerading As Ransomware Hits Government Organisations - Help Net Security

• Russian Hackers Heavily Using Malicious Traffic Direction System to Distribute Malware (thehackernews.com)

• Linux Malware Is On The Rise. Here Are Three Top Threats Right Now | ZDNet

• Malware That Can Survive OS Reinstalls Strikes Again, Likely for Cyber Espionage | PCMag

• New MoonBounce UEFI Malware Used By Apt41 In Targeted Attacks (bleepingcomputer.com)

Data Breaches/Leaks

• Exposed Records Exceeded 40 Billion In 2021 - Help Net Security

• European Regulators Hand Out €1.1bn in GDPR Fines - Infosecurity Magazine

Organised Crime & Criminal Actors

• Financially Motivated Earth Lusca Threat Actors Targets Orgs Worldwide - Security Affairs

• A Hacker Is Negotiating With Victims on the Blockchain After $1.4M Heist (vice.com)

• FBI & European Police Take Down Computer Servers Used In Major Cyberattacks Worldwide - CNNPolitics

• Europol Shuts Down VPNLab, Cyber Criminals' Favourite VPN Service (thehackernews.com)

Cryptocurrency/Cryptomining/Cryptojacking

• 2FA Bypassed in $34.6M Crypto.com Heist | Threatpost

• Cyber Criminals Actively Target VMware vSphere with Cryptominers | Threatpost

• New BHUNT Password Stealer Malware Targeting Cryptocurrency Wallets (thehackernews.com)

• Cheap Malware Is Behind A Rise In Attacks On Cryptocurrency Wallets | ZDNet

Insider Risk and Insider Threats

• Research: Why Employees Violate Cyber Security Policies (hbr.org)

• What CISOs Can Learn About Insider Threats From Iran's Human Espionage Tactics | CSO Online

Fraud, Scams & Financial Crime

• How Buy Now, Pay Later Is Being Targeted By Fraudsters - Help Net Security

• Romance Scammer Who Targeted 670 Women Gets 28 Months In Jail – Naked Security (sophos.com)

Insurance

• Merck Awarded $1.4B Insurance Payout over NotPetya Attack | Threatpost

CNI, OT, ICS, IIoT and SCADA

• UK Mulls Making MSPs Subject To Mandatory Security Standards • The Register

• ‘Anomalous’ Spyware Stealing Credentials In Industrial Firms (bleepingcomputer.com)

• European Union Simulated A Cyber Attack On A Fictitious Finnish Power Company - Security Affairs

Nation State Actors

• Ukraine: Recent Cyber Attacks Part of Wider Plot to Sabotage Critical Infrastructure (thehackernews.com)

• Ukraine Cyber Attack Timeline: Microsoft, CISA, White House and Kyiv Statements - MSSP Alert

• Chinese Hackers Spotted Using New UEFI Firmware Implant in Targeted Attacks (thehackernews.com)

• Security Scanners Across Europe Tied To China Govt, Military | AP News

Cloud

• Attackers Use Public Cloud Providers To Spread RATs | CSO Online

Privacy

• UK.Gov's No Place To Hide campaign flops on launch • The Register

Passwords & Credential Stuffing

• Your Keyboard Walking Password Isn’t Complex Or Secure – Review Geek

• Box Flaw Allowed To Bypass MFA And Takeover Accounts - Security Affairs

Spyware, Espionage & Cyber Warfare

• Malware That Can Survive OS Reinstalls Strikes Again, Likely for Cyber Espionage | PCMag

Vulnerabilities

• CISA Adds 13 Exploited Vulnerabilities To List, 9 with Feb. 1 Remediation Date | ZDNet

• Microsoft RDP Vulnerability Makes It A Breeze For Attackers To Become Men-In-The-Middle - TechRepublic

• High-Severity Vulnerabilities Patched in McAfee Enterprise Product | SecurityWeek.Com

• Cisco Releases Patch for Critical Bug Affecting Unified CCMP and Unified CCDM (thehackernews.com)

• A bug in McAfee Agent allows to run code with SYSTEM privileges - Security Affairs

• Zoho Fixes A Critical Vulnerability (CVE-2021-44757) in Desktop Central - Security Affairs

• Ubuntu Patch For Heap Buffer Overflow Vulnerability • The Register

• Google Details Two Zero-Day Bugs Reported in Zoom Clients and MMR Servers (thehackernews.com)

• Hackers Attempt to Exploit New SolarWinds Serv-U Bug in Log4Shell Attacks (thehackernews.com)

• F5 Patches Two Dozen Vulnerabilities in BIG-IP | SecurityWeek.Com

• McAfee Bug Can Be Exploited to Gain Windows SYSTEM Privileges | Threatpost

• Oracle Critical Patch Update for January 2022 will fix 483 new flaws - Security Affairs

• 20K WordPress Sites Exposed by Insecure Plugin REST-API | Threatpost

• Nasty Linux Kernel Bug Found And Fixed | ZDNet

• Cisco Issues Patch for Critical RCE Vulnerability in RCM for StarOS Software (thehackernews.com)

• Critical Bugs in Control Web Panel Expose Linux Servers to RCE Attacks (thehackernews.com)

• Critical SAP Vulnerability Allows Supply Chain Attacks | SecurityWeek.Com

• Zoho Plugs Another Critical Security Hole In Desktop Central (bleepingcomputer.com)

• Safari Exploit Can Leak Browser Histories And Google Account Info | Engadget

Sector Specific

Financial Services Sector

• Singapore Pushed To Introduce Security Measures Amidst Online Banking Scams | ZDNet

Health/Medical/Pharma Sector

• More Than Half Of Medical Devices Found To Have Critical Vulnerabilities | ZDNet

• Additional Healthcare Firms Disclose Impact From Netgain Ransomware Attack | SecurityWeek.Com

Retail

• PCI SSC Updates Card Security Standards To Secure The Card Production Process - Help Net Security

Education and Academia

• Kids Won’t Stop Launching DDoS Attacks Against Their Schools | TechRadar

Other News

• Biggest MSP Takeaways From The Apache Log4j Vulnerability - MSSP Alert

• The Emotional Stages Of A Data Breach: How To Deal With Panic, Anger, And Guilt | CSO Online

• The Log4j Vulnerability Puts Pressure on the Security World | Threatpost

• Hackers Planted Secret Backdoor in Dozens of WordPress Plugins and Themes (thehackernews.com)

• BadUSB explained: How rogue USBs threaten your organisation | CSO Online

• Millions of UK Wi-Fi Routers Vulnerable To Security Threats - IT Security Guru

• NATO, Ukraine Sign Deal to 'Deepen' Cyber Cooperation | SecurityWeek.Com

• UK Umbrella Company Parasol Group Confirms Cyber Attack • The Register

• MPs Criticise Cyber Agency For Not Aiding China Rights Group After It Was Hacked | China | The Guardian

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.