Threat Intelligence Blog
Contact us to discuss any insights from our Blog, and how we can support you in a tailored threat intelligence report.
Black Arrow Cyber Threat Briefing 25 March 2022
Black Arrow Cyber Threat Briefing 25 March 2022:
-Morgan Stanley Client Accounts Breached in Social Engineering Attacks
-Ransomware Is Scary, But Another Scam Is Costing Victims Much, Much More
-Phishing Kits Constantly Evolve to Evade Security Software
-Ransomware Payments, Demands Rose Dramatically in 2021
-7 Suspected Members of LAPSUS$ Hacker Gang, Aged 16 to 21, Arrested in UK
-Here's How Fast Ransomware Encrypts Files
-HEAT Attacks: A New Class of Cyber Threats Organisations Are Not Prepared For
-The Cyber Warfare Predicted In Ukraine May Be Yet To Come
-The Three Russian Cyber Attacks The West Most Fears
-Do These 8 Things Now To Boost Your Security Ahead Of Potential Russian Cyber Attacks
-Cyber Crime Victims Suffered Losses of Over $6.9B in 2021 in the US Alone
-Expanding Threat Landscape: Cyber Criminals Attacking from All Sides
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
Morgan Stanley Client Accounts Breached in Social Engineering Attacks
Morgan Stanley Wealth Management says some of its customers had their accounts compromised in social engineering attacks.
The account breaches were the result of vishing (aka voice phishing), a social engineering attack where scammers impersonate a trusted entity (in this case Morgan Stanley) during a voice call to convince their targets into revealing sensitive information such as banking or login credentials.
The company said in a notice sent to affected clients that, "on or around February 11, 2022," a threat actor impersonating Morgan Stanley gained access to their accounts after tricking them into providing their Morgan Stanley Online account info.
After successfully breaching their accounts, the attacker also electronically transferred money to their own bank account by initiating payments using the Zelle payment service.
Ransomware Is Scary, But Another Scam Is Costing Victims Much, Much More
Business email compromise (BEC) remains the biggest source of financial losses, which totalled $2.4 billion in 2021, up from an estimated $1.8 billion in 2020, according to the Federal Bureau of Investigation's (FBI) Internet Crime Center (IC3).
The FBI says in its 2021 annual report that Americans last year lost $6.9 billion to scammers and cyber criminals through ransomware, BEC, and cryptocurrency theft related to financial and romance scams. In 2020, that figure stood at $4.2 billion.
Last year, FBI's Internet Crime Complaint Center (IC3) received 847,376 complaints about cybercrime losses, up 7% from 791,790 complaints in 2020.
BEC has been the largest source of fraud for several years despite ransomware attacks grabbing most headlines.
Phishing Kits Constantly Evolve to Evade Security Software
Modern phishing kits sold on cybercrime forums as off-the-shelf packages feature multiple, sophisticated detection avoidance and traffic filtering systems to ensure that internet security solutions won’t mark them as a threat.
Fake websites that mimic well-known brands are abundant on the internet to lure victims and steal their payment details or account credentials.
Most of these websites are built using phishing kits that feature brand logos, realistic login pages, and in cases of advanced offerings, dynamic webpages assembled from a set of basic elements.
Ransomware Payment Demands Rose Dramatically in 2021
Ransomware attackers demanded dramatically higher ransom fees last year, and the average ransom payment rose by 78% to $541,010, according to data from incident response (IR) cases investigated by Palo Alto Networks Unit 42.
IR cases by Unit 42 also saw a whopping 144% increase in ransom demands, to $2.2 million. According to the report, the most victimised sectors were professional and legal services, construction, wholesale and retail, healthcare, and manufacturing.
Cyber extortion spiked, with 85% of ransomware victims — some 2, 556 organisations — having their data dumped and exposed on leak sites, according to the "2022 Unit 42 Ransomware Threat Report."
Conti led the ransomware attack volume, representing some one in five cases Unit 42 investigated, followed by REvil, Hello Kitty, and Phobos.
https://www.darkreading.com/attacks-breaches/ransomware-payments-demands-rose-dramatically-in-2021
7 Suspected Members of LAPSUS$ Hacker Gang, aged 16 to 21, Arrested in UK
The City of London Police has arrested seven teenagers between the ages of 16 and 21 for their alleged connections to the prolific LAPSUS$ extortion gang that's linked to a recent burst of attacks targeting NVIDIA, Samsung, Ubisoft, LG, Microsoft, and Okta.
"The City of London Police has been conducting an investigation with its partners into members of a hacking group," Detective Inspector, Michael O'Sullivan, said in a statement shared with The Hacker News. "Seven people between the ages of 16 and 21 have been arrested in connection with this investigation and have all been released under investigation. Our enquiries remain ongoing."
The development, which was first disclosed by BBC News, comes after a report from Bloomberg revealed that a 16-year-old Oxford-based teenager is the mastermind of the group. It's not immediately clear if the minor is one among the arrested individuals. The said teen, under the online alias White or Breachbase, is alleged to have accumulated about $14 million in Bitcoin from hacking.
https://thehackernews.com/2022/03/7-suspected-members-of-lapsus-hacker.html
Here's How Fast Ransomware Encrypts Files
Forty-two minutes and 54 seconds: that's how quickly the median ransomware variant can encrypt and lock out a victim from 100,000 of their files.
The data point came from Splunk's SURGe team, which analysed in its lab how quickly the 10 biggest ransomware strains — Lockbit, REvil, Blackmatter, Conti, Ryuk, Avaddon, Babuk, Darkside, Maize, and Mespinoza — could encrypt 100,000 files consisting of some 53.93 gigabytes of data. Lockbit won the race, with speeds of 86% faster than the median. One Lockbit sample was clocked at encrypting 25,000 files per minute.
Splunk's team found that ransomware variants are all over the map speed-wise, and the underlying hardware can dictate their encryption speeds.
https://www.darkreading.com/application-security/here-s-how-fast-ransomware-encrypts-files
HEAT Attacks: A New Class of Cyber Threats Organisations Are Not Prepared For
Web malware (47%) and ransomware (42%) now top the list of security threats that organisations are most concerned about. Yet despite the growing risks, just 27% have advanced threat protection in place on every endpoint device that can access corporate applications and resources.
This is according to research published by Menlo Security, exploring what steps organisations are taking to secure themselves in the wake of a new class of cyber threats – known as Highly Evasive Adaptive Threats (HEAT).
As employees spend more time working in the browser and accessing cloud-based applications, the risk of HEAT attacks increases. Almost two-thirds of organisations have had a device compromised by a browser-based attack in the last 12 months. The report suggests that organisations are not being proactive enough in mitigating the risk of these threats, with 45% failing to add strength to their network security stack over the past year. There are also conflicting views on the most effective place to deploy security to prevent advanced threats, with 43% citing the network, and 37% the cloud.
https://www.helpnetsecurity.com/2022/03/22/web-security-threats/
The Cyber Warfare Predicted in Ukraine May Be Yet to Come
In the build-up to Russia’s invasion of Ukraine, the national security community braced for a campaign combining military combat, disinformation, electronic warfare and cyber attacks. Vladimir Putin would deploy devastating cyber operations, the thinking went, to disable government and critical infrastructure, blind Ukrainian surveillance capabilities and limit lines of communications to help invading forces. But that’s not how it has played out. At least, not yet.
The danger is that as political and economic conditions deteriorate, the red lines and escalation judgments that kept Moscow’s most potent cyber capabilities in check may adjust. Western sanctions and lethal aid support to Ukraine may prompt Russian hackers to lash out against the west. Russian ransomware actors may also take advantage of the situation, possibly resorting to cyber crime as one of the few means of revenue generation.
https://www.ft.com/content/2938a3cd-1825-4013-8219-4ee6342e20ca
The Three Russian Cyber Attacks the West Most Fears
The UK's cyber authorities are supporting the White House's calls for "increased cyber-security precautions", though neither has given any evidence that Russia is planning a cyber-attack.
Russia has previously stated that such accusations are "Russophobic".
However, Russia is a cyber-superpower with a serious arsenal of cyber-tools, and hackers capable of disruptive and potentially destructive cyber-attacks.
Ukraine has remained relatively untroubled by Russian cyber-offensives but experts now fear that Russia may go on a cyber-offensive against Ukraine's allies.
"Biden's warnings seem plausible, particularly as the West introduced more sanctions, hacktivists continue to join the fray, and the kinetic aspects of the invasion seemingly don't go to plan," says Jen Ellis, from cyber-security firm Rapid7.
This article from the BCC outlines the hacks that experts most fear, and they are repeats of things we have already seen coming out of Russia, only potentially a lot more destructive this time around.
https://www.bbc.co.uk/news/technology-60841924
Do These 8 Things Now to Boost Your Security Ahead of Potential Russian Cyber Attacks
The message comes as the US Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) ramp up warnings about Russian hacking of everything from online accounts to satellite broadband networks. CISA's current campaign is called Shields Up, which urges all organisations to patch immediately and secure network boundaries. This messaging is being echoed by UK and other Western Cyber authorities:
The use of Multi-Factor Authentication (MFA) is being very strongly advocated. The White House and other agencies both sides of the Atlantic also urged companies to take seven other steps:
Deploy modern security tools on your computers and devices to continuously look for and mitigate threats
Make sure that your systems are patched and protected against all known vulnerabilities, and change passwords across your networks so that previously stolen credentials are useless to malicious actors
Back up your data and ensure you have offline backups beyond the reach of malicious actors
Run exercises and drill your emergency plans so that you are prepared to respond quickly to minimize the impact of any attack
Encrypt your data so it cannot be used if it is stolen
Educate your employees to common tactics that attackers will use over email or through websites
Work with specialists to establish relationships in advance of any cyber incidents.
Cyber Crime Victims Suffered Losses of Over $6.9B in 2021 in the US Alone
The FBI's Internet Crime Complaint Center (IC3) reported a record-breaking year for 2021 in the number of complaints it received, among which business email compromise (BEC) attacks made up the majority of incidents.
IC3 handled 847,376 complaint reports last year — an increase of 7% over 2020 — which mainly revolved around phishing attacks, nonpayment/nondelivery scams, and personal data breaches. Overall, losses amounted to more than $6.9 billion.
BEC and email account compromises ranked as the No. 1 attack, accounting for 19,954 complaints and losses of around $2.4 billion.
"In 2021, heightened attention was brought to the urgent need for more cyber incident reporting to the federal government. Cyber incidents are in fact crimes deserving of an investigation, leading to judicial repercussions for the perpetrators who commit them," Paul Abbate, deputy director of the FBI wrote in the IC3's newly published annual report.
Expanding Threat Landscape: Cyber Criminals Attacking from All Sides
Research from Trend Micro warns of spiralling risk to digital infrastructure and remote workers as threat actors increase their rate of attack on organisations and individuals.
“Attackers are always working to increase their victim count and profit, whether through quantity or effectiveness of attacks,” said Jon Clay, VP of threat intelligence at Trend Micro.
“Our latest research shows that while Trend Micro threat detections rose 42% year-on-year in 2021 to over 94 billion, they shrank in some areas as attacks became more precisely targeted.”
Ransomware attackers are shifting their focus to critical businesses and industries more likely to pay, and double extortion tactics ensure that they are able to profit. Ransomware-as-a-service offerings have opened the market to attackers with limited technical knowledge – but also given rise to more specialisation, such as initial access brokers who are now an essential part of the cybercrime supply chain.
Threat actors are also getting better at exploiting human error to compromise cloud infrastructure and remote workers. Trend Micro detected and prevented 25.7 million email threats in 2021 compared to 16.7 million in 2020, with the volume of blocked phishing attempts nearly doubling over the period. Research shows home workers are often prone to take more risks than those in the office, which makes phishing a particular risk.
https://www.helpnetsecurity.com/2022/03/22/threat-actors-increase-attack/
Threats
Ransomware
Ransomware Infections Follow Precursor Malware – Lumu • The Register
Ransomware, Malware-as-a-Service Dominate Threat Landscape | SecurityWeek.Com
AvosLocker Ransomware - What You Need To Know | The State of Security (tripwire.com)
What the Conti Ransomware Group Data Leak Tells Us (darkreading.com)
Ransomware Demands And Payments Increase With Use Of Leak Sites (computerweekly.com)
Ten Notorious Ransomware Strains Put to The Encryption Speed Test (bleepingcomputer.com)
Lockbit Wins Ransomware Speed Test, Encrypts 25k Files/Min • The Register
Talos warns of BlackMatter-linked BlackCat Ransomware • The Register
Report: 89% of Organizations Say Kubernetes Ransomware Is A Problem Today | VentureBeat
Top Russian Meat Producer Hit with Windows BitLocker Encryption Attack (bleepingcomputer.com)
Greece's Public Postal Service Offline Due To Ransomware Attack (bleepingcomputer.com)
Lawsuit Claims Kronos Breach Exposed Data For 'Millions' (techtarget.com)
Estonian Man Sentenced To Prison For Role In Cyber Intrusions, Ransomware Attacks - CyberScoop
Phishing & Email
New Phishing Toolkit Lets Anyone Create Fake Chrome Browser Windows (bleepingcomputer.com)
Browser-in-the-Browser Attack Makes Phishing Nearly Invisible | Threatpost
'Unique Attack Chain' Drops Backdoor in New Phishing Campaign (darkreading.com)
Other Social Engineering
Malware
Malicious Microsoft Excel Add-Ins Used to Deliver RAT Malware (bleepingcomputer.com)
BitRAT Malware Now Spreading As A Windows 10 License Activator (bleepingcomputer.com)
Mobile
URL Rendering Trick Enabled WhatsApp, Signal, iMessage Phishing (bleepingcomputer.com)
Downloaders Currently the Most Prevalent Android Malware (darkreading.com)
Experts Uncover Campaign Stealing Cryptocurrency from Android and iPhone Users (thehackernews.com)
Android Password-Stealing Malware Infects 100,000 Google Play Users (bleepingcomputer.com)
IoT
Botnet of Thousands of MikroTik Routers Abused in Glupteba, TrickBot Campaigns (thehackernews.com)
Honda Civics Vulnerable To Remote Unlock, Start Hack • The Register
Data Breaches/Leaks
UK MoD's Capita-Run Recruitment Portal Support Offline • The Register
Background Check Company Sued Over Data Breach - Infosecurity Magazine (infosecurity-magazine.com)
Organised Crime & Criminal Actors
Who is LAPSUS$, the Gang Hacking Microsoft, Samsung, and Okta? (gizmodo.com)
Hackers Are Targeting European Refugee Charities -Ukrainian Official | Reuters
Hackers Steal From Hackers By Pushing Fake Malware On Forums (bleepingcomputer.com)
Cryptocurrency/Cryptomining/Cryptojacking
An Investigation of Cryptocurrency Scams and Schemes (trendmicro.com)
Global Regulators Monitor Crypto Use in Ukraine War | Reuters
Cryptocurrency Companies Impacted by HubSpot Breach (techtarget.com)
Insider Risk and Insider Threats
6 Types Of Insider Threats And How To Prevent Them (techtarget.com)
HP Staffer Blew $5m On Personal Expenses With Company Card • The Register
Fraud, Scams & Financial Crime
Internet Crime in 2021: Investment Fraud Losses Soar - Help Net Security
NFT Fraud in the UK Soars 400% in 2021 - Infosecurity Magazine (infosecurity-magazine.com)
DeFiance Capital Founder Loses $1.7M in NFTs To Phishing Scam - Decrypt
Insurance
Dark Web
Supply Chain
Cloud
Passwords & Credential Stuffing
Spyware, Espionage & Cyber Warfare
Nation State Actors
Nation State Actors – Russia
Internet Sanctions Against Russia Pose Risks, Challenges For Businesses | CSO Online
Is It Safe To Use Russian-Based Kaspersky Antivirus? No, And Here's Why (komando.com)
Anonymous Leaked 28gb of Data Stolen from The Central Bank of Russia - Security Affairs
President Biden Says Russia Exploring Revenge Cyber Attacks • The Register
Analysis: Putin's next escalation could be a direct cyberattack on the West - CNNPolitics
Russia-backed Hackers Bypassed MFA, Exploited Print Vulnerability - MSSP Alert
Hackers Around The World Deluge Russia's Internet With Simple, Effective Cyber Attacks (nbcnews.com)
Anonymous Targets Western Companies Still Active in Russia - Security Affairs
Ukrainian Enterprises Hit with the DoubleZero Wiper - Security Affairs
NATO, G-7 Leaders Promise Bulwark Against Retaliatory Russian Cyber Attacks (cyberscoop.com)
Russia Hacked Ukrainian Satellite Communications, Officials Believe - BBC News
Russia-linked InvisiMole APT Targets State Organizations Of Ukraine - Security Affairs
Corrupted Open-Source Software Enters the Russian Battlefield | ZDNet
Nestlé Says 'Anonymous' Data Leak Actually A Self-Own • The Register
Nation State Actors – China
Another Chinese Hacking Group Spotted Targeting Ukraine Amid Russia Invasion (thehackernews.com)
Chinese APT Combines Fresh Hodur RAT with Complex Anti-Detection | Threatpost
Mustang Panda Hacking Group Takes Advantage Of Ukraine Crisis In New Attacks | ZDNet
Nation State Actors – North Korea
Vulnerabilities
CISA Adds 66 Vulnerabilities To List Of Bugs Exploited In Attacks (bleepingcomputer.com)
Three Critical RCE Flaws Affect Hundreds of HP Printer Models - Security Affairs
Critical Sophos Firewall vulnerability allows remote code execution (bleepingcomputer.com)
VMware Fixes Carbon Black Command Injection, Upload Bugs • The Register
Western Digital Fixes Critical Bug Giving Root On My Cloud NAS Devices (bleepingcomputer.com)
Sector Specific
Health/Medical/Pharma Sector
Scottish Mental Health Charity SAMH Targeted In Cyber Attack - BBC News
Over 1 Million Impacted in Data Breach at Texas Dental Services Provider | SecurityWeek.Com
Retail/eCommerce
Transport and Aviation
Energy & Utilities
Education and Academia
Reports Published in the Last Week
Other News
A Better Grasp of Cyber Attack Tactics Can Stop Criminals Faster (bleepingcomputer.com)
The Chaos (and Cost) of the Lapsus$ Hacking Carnage | SecurityWeek.Com
Soldiers told to use Signal instead of WhatsApp for security | The Times
Cyber Security Compliance: Start With Proven Best Practices - Help Net Security
Only 27% of Orgs Have Advanced Threat Protection on Endpoints | VentureBeat
Okta Breach Leads To Questions On Disclosure, Reliance On Third-Party Vendors - CyberScoop
The Challenges Audit Leaders Need To Look Out For This Year - Help Net Security
South Korean DarkHotel Hackers Targeted Luxury Hotels in Macau (thehackernews.com)
ISACA: Two-Thirds of Cybersecurity Teams Are Understaffed - Infosecurity Magazine
Security Teams are Responsible for Over 165k Assets - Infosecurity Magazine
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Threat Briefing 24 December 2021
Black Arrow Cyber Threat Briefing 24 December 2021
-Cyber Criminals Shifting Focus: IT Sector Most Targeted In 2021
-Log4j Flaw: Attackers Are 'Actively Scanning Networks' Warns New Guidance, Joint Advisory from Cyber Agencies in US, Australia, Canada, New Zealand and the United Kingdom
-New Ransomware Variants Flourish Amid Law Enforcement Actions
-93% of Tested Networks Vulnerable to Breach, Pen Testers Find
-Dridex Malware Trolls Employees With Fake Job Termination Emails
-More Than 35,000 Java Packages Impacted By Log4j Flaw, Google Warns
-Conti Ransomware Gang Has Full Log4Shell Attack Chain
-Second Ransomware Family Exploiting Log4j Spotted In US, Europe
-Threat actors steal $80 million per month with fake giveaways, surveys
-Microsoft Teams might have a few serious security issues
-The Future of Work Has Changed, and Your Security Mindset Needs to Follow
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
Cyber Criminals Shifting Focus: IT Sector Most Targeted In 2021
Darktrace reported that the IT and communications sector was globally the most targeted industry by cybercriminals in 2021.
Darktrace’s data is developed by ‘early indicator analysis’ that looks at the breadcrumbs of potential cyber-attacks at several stages before they are attributed to any particular actor and before they escalate into a full-blown crisis. Findings show that its artificial intelligence autonomously interrupted an average of 150,000 threats per week against the sector in 2021.
The IT and communications sector includes telecommunications providers, software developers, and managed security service providers, amongst others. There was also a growing trend of hackers targeting backup servers in an attempt to deliberately disable or corrupt backup files by deleting a single index file that would render all backups inaccessible. Attackers could then launch ransomware attacks against the clients of the backup vendor, preventing recovery and forcing payment.
In 2020, the most attacked industry was the financial and insurance sector, showing that cyber-criminals have shifted their focus over the last 12 months.
Over the last 12 months, it is clear that attackers are relentlessly trying to access the networks of trusted suppliers in the IT and communications sector. Quite simply, it is a better return on investment than, for example, going after one company in the financial services sector. SolarWinds and Kaseya are just two well-known and recent examples of this. Sadly, there is likely to be more in the near term.
The findings of this research mark one year since the compromise of US software company SolarWinds rattled the security industry. This landmark supply-chain attack made thousands of organisations vulnerable to infiltration by inserting malicious code into the Orion system. Over the last 12 months, there has been a continued spate of attacks against the IT and communications sector, including the high-profile attacks on Kaseya and Gitlab.
https://www.helpnetsecurity.com/2021/12/22/cybercriminals-it-sector/
New Ransomware Variants Flourish Amid Law Enforcement Actions
Ransomware groups continue to evolve their tactics and techniques to deploy file-encrypting malware on compromised systems, notwithstanding law enforcement's disruptive actions against the cyber crime gangs to prevent them from victimizing additional companies.
"Be it due to law enforcement, infighting amongst groups or people abandoning variants altogether, the RaaS [ransomware-as-a-service] groups dominating the ecosystem at this point in time are completely different than just a few months ago," Intel 471 researchers said in a report published this month. "Yet, even with the shift in the variants, ransomware incidents as a whole are still on the rise."
Sweeping law enforcement operations undertaken by government agencies in recent months have brought about rapid shifts in the RaaS landscape and turned the tables on ransomware syndicates like Avaddon, BlackMatter, Cl0p, DarkSide, Egregor, and REvil, forcing the actors to slow down or shut down their businesses altogether.
https://thehackernews.com/2021/12/new-ransomware-variants-flourish-amid.html
93% of Tested Networks Vulnerable to Breach, Pen Testers Find
Data from dozens of penetration tests and security assessments suggest nearly every organisation can be infiltrated by cyber attackers.
The vast majority of businesses can be compromised within a month by a motivated attacker using common techniques, such as compromising credential, exploiting known vulnerabilities in software and Web applications, or taking advantage of configuration flaws, according to an analysis of security assessments by Positive Technologies.
In 93% of cases, an external attacker could breach a target company's network and gain access to local devices and systems, the company's security service professionals found. In 71% of cases, the attacker could affect the businesses in a way deemed "unacceptable." For example, every bank tested by the security firm could be attacked in a way that disrupted business processes and reduced the quality of their service.
Dridex Malware Trolls Employees With Fake Job Termination Emails
A new Dridex malware phishing campaign is using fake employee termination emails as a lure to open a malicious Excel document, which then trolls the victim with a season's greeting message.
Dridex is a banking malware spread through malicious emails that was initially developed to steal online banking credentials. Over time, the developers evolved the malware to use different modules that provide additional malicious behaviour, such as installing other malware payloads, providing remote access to threat actors, or spreading to other devices on the network.
This malware was created by a hacking group known as Evil Corp, which is behind various ransomware operations, such as BitPaymer, DoppelPaymer, WastedLocker variants, and Grief. Due to this, Dridex infections are known to lead to ransomware attacks on compromised networks.
More Than 35,000 Java Packages Impacted By Log4j Flaw, Google Warns
The Google Open Source Team scanned the Maven Central Java package repository and found that 35,863 packages (8% of the total) were using versions of the Apache Log4j library vulnerable to Log4Shell exploit and to the CVE-2021-45046 RCE.
“More than 35,000 Java packages, amounting to over 8% of the Maven Central repository (the most significant Java package repository), have been impacted by the recently disclosed log4j vulnerabilities (1, 2), with widespread fallout across the software industry.” reads the report published by Google. “As far as ecosystem impact goes, 8% is enormous.”
The Google experts used the Open Source Insights, a project used to determine open source dependencies, to assess all versions of all artifacts in the Maven Central Repository.
The experts pointed out that the direct dependencies account for around 7,000 of the affected packages. Most of the affected artifacts are related to indirect dependencies.
Since the vulnerability was disclosed, 13% of all vulnerable packages have been fixed (4,620).
https://securityaffairs.co/wordpress/125845/security/log4j-java-packages-flaws.html
Log4j Flaw: Attackers Are 'Actively Scanning Networks' Warns New Guidance, Joint Advisory from Cyber Agencies in US, Australia, Canada, New Zealand and the United Kingdom
A new informational Log4J advisory has been issued by cybersecurity leaders from the US, Australia, Canada, New Zealand and the United Kingdom. The guide includes technical details, mitigations and resources to address known vulnerabilities in the Apache Log4j software library.
The project is a joint effort by the US' Cybersecurity and Infrastructure Security Agency (CISA), FBI and NSA, as well as the Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), Computer Emergency Response Team New Zealand (CERT NZ), New Zealand National Cyber Secure Centre (NZ NCSC), and the United Kingdom's National Cyber Security Centre (NCSC-UK).
The organisations said they issued the advisory in response to "active, worldwide exploitation by numerous threat actors, including malicious cyber threat actors." Numerous groups from North Korea, Iran, Turkey and China have been seen exploiting the vulnerability alongside a slate of ransomware groups and cybercriminal organisations.
Conti Ransomware Gang Has Full Log4Shell Attack Chain
The Conti gang was the first professional-grade, sophisticated ransomware group to weaponise Log4j2, now with a full attack chain.
The Conti ransomware gang, which last week became the first professional crimeware outfit to adopt and weaponize the Log4Shell vulnerability, has now built up a holistic attack chain.
The sophisticated Russia-based Conti group – which Palo Alto Networks has called “one of the most ruthless” of dozens of ransomware groups currently known to be active – was in the right place at the right time with the right tools when Log4Shell hit the scene 10 days ago, security firm Advanced Intelligence (AdvIntel) said in a report shared with Threatpost on Thursday.
As of Monday the attack chain has taken the following form, AdvIntel’s Yelisey Boguslavskiy told Threatpost: Emotet -> Cobalt Strike -> Human Exploitation -> (no ADMIN$ share) -> Kerberoast -> vCenter ESXi with log4shell scan for vCenter.
https://threatpost.com/conti-ransomware-gang-has-full-log4shell-attack-chain/177173/
Second Ransomware Family Exploiting Log4j Spotted In US, Europe
This was quickly followed by a second ransomware group when researchers found a second family of ransomware has been growing in usage for attack attempts that exploit the critical vulnerability in Apache Log4j, including in the US and Europe.
A number of researchers, including at cybersecurity giant Sophos, have now said they’ve observed the attempted deployment of a ransomware family known as TellYouThePass. Researchers have described TellYouThePass as an older and largely inactive ransomware family — which has been revived following the discovery of the vulnerability in the widely used Log4j logging software.
https://venturebeat.com/2021/12/21/second-ransomware-family-exploiting-log4j-spotted-in-u-s-europe/
Threat actors steal $80 million per month with fake giveaways, surveys
Scammers are estimated to have made $80 million per month by impersonating popular brands asking people to participate in fake surveys or giveaways.
Researchers warn of this new trend in global fraud schemes involving targeted links to make investigation and take-down increasingly challenging.
According to current estimates, these massive campaigns resulted in an estimated $80,000,000 per month, stolen from 10 million people in 91 countries.
The scam themes are the typical and "trustworthy" fake surveys and giveaways from popular brands with the holiday season making targets more susceptible to fraudulent gift offerings.
According to a report by Group-IB, there are currently 60 known scam networks that use targeted links in their campaigns, impersonating 121 brands in false giveaways.
Each network uses an average of 70 different Internet domain names as part of their campaigns, but some find great success with fewer domains, which indicates that quality beats quantity when it comes to scams.
Microsoft Teams might have a few serious security issues
Security researchers have discovered four separate vulnerabilities in Microsoft Teams that could be exploited by an attacker to spoof link previews, leak IP addresses and even access the software giant's internal services.
These discoveries were made by researchers at Positive Security who “stumbled upon” them while looking for a way to bypass the Same-Origin Policy (SOP) in Teams and Electron according to a new blog post. For those unfamiliar, SOP is a security mechanism found in browsers that helps stop websites from attacking one another.
During their investigation into the matter, the researchers found that they could bypass the SOP in Teams by abusing the link preview feature in Microsoft's video conferencing software by allowing the client to generate a link preview for the target page and then using either summary text or optical character recognition (OCR) on the preview image to extract information.
https://www.techradar.com/news/microsoft-teams-might-have-a-few-serious-security-issues
The Future of Work Has Changed, and Your Security Mindset Needs to Follow
VPNs have become a vulnerability that puts organisations at risk of cyber attacks.
When businesses first sent employees to work from home in March 2020 — thinking it'd only be for two weeks — they turned to quick fixes that would enable remote work for large numbers of people as quickly as possible. While these solutions solved the short-term challenge of allowing distributed workforces to connect to a company's network from anywhere, they're now becoming a security vulnerability that is putting organisations at risk of growing cyberattacks.
Now that almost two years have passed and work has fundamentally shifted, with fully or hybrid remote environments here to stay, business and security leaders need solutions that better fit their unique and increasingly complex needs. In fact, a new survey from Menlo Security has found that 75% of organisations are re-evaluating their security strategies for remote employees, exemplifying that accommodating remote work is a top priority for the majority of business leaders.
To successfully manage the risks that distributed workforces entail, leaders must shift their mindset away from the hub-and-spoke approach of providing connectivity to the entire network, instead segmenting access by each individual private application, wherever it is deployed, as threats of cyberattacks loom across all industries. As organisations grapple with the added security challenges that remote and hybrid work environments bring, adopting a zero-trust approach will be critical for end-to-end network and endpoint protection.
Threats
Ransomware
Ransomware Threat Just as Urgent as Terrorism, Say Two-Thirds of IT Pros - Infosecurity Magazine
PYSA Emerges as Top Ransomware Actor in November | Threatpost
AvosLocker Ransomware Reboots In Safe Mode To Bypass Security Tools (bleepingcomputer.com)
Rook Ransomware Is Yet Another Spawn Of The Leaked Babuk Code (bleepingcomputer.com)
PYSA Ransomware Behind Most Double Extortion Attacks In November (bleepingcomputer.com)
This Ransomware Strain Just Started Targeting Lots More Businesses | ZDNet
Phishing
How Likely Are Employees To Fall Prey To A Phishing Attack? - Help Net Security
Dridex Omicron Phishing Taunts With Funeral Helpline Number (bleepingcomputer.com)
New Phishing Campaign Claims $80m Per Month - IT Security Guru
Malware
Log4j Vulnerability Now Used To Install Dridex Banking Malware (bleepingcomputer.com)
New BLISTER Malware Using Code Signing Certificates to Evade Detection (thehackernews.com)
IoT
Cryptocurrency/Cryptomining/Cryptojacking
Example Of How Attackers Are Trying To Push Crypto Miners Via Log4Shell - SANS Internet Storm Center
Insider Risk and Insider Threats
Scams, Fraud & Financial Crime
Insurance
Dark Web
OT, ICS, IIoT and SCADA
Lights Out: Cyber Attacks Shut Down Building Automation Systems (darkreading.com)
Walk-Through Metal Detectors Can Be Hacked, New Research Finds (gizmodo.com)
Nation State Actors
Passwords
Parental Controls and Child Safety
Vulnerabilities
Microsoft Teams Bug Allowing Phishing Unpatched Since March (bleepingcomputer.com)
FBI: Another Zoho ManageEngine Zero-Day Under Active Attack | Threatpost
Active Directory Bugs Could Let hackers Take Over Windows Domain Controllers (thehackernews.com)
All in One SEO Plugin Bug Threatens 3M Websites with Takeovers | Threatpost
Researchers Disclose Unpatched Vulnerabilities in Microsoft Teams Software (thehackernews.com)
Microsoft Admits To Azure App Service Source Code Leak Bug • The Register
Expert Details macOS Bug That Could Let Malware Bypass Gatekeeper Security (thehackernews.com)
New Dell BIOS Updates Cause Laptops And Desktops Not To Boot (bleepingcomputer.com)
Western Digital Warns Customers To Update Their My Cloud Devices (Bleepingcomputer.Com)
New Mobile Network Vulnerabilities Affect All Cellular Generations Since 2G (thehackernews.com)
Sector Specific
Health/Medical/Pharma Sector
Retail
Transport and Aviation
Other News
How Confident Can Organisations Be In Their Managed Services Security? - Help Net Security
Experts Discover Backdoor Deployed on the US Federal Agency's Network (thehackernews.com)
Half-Billion Compromised Credentials Lurking on Open Cloud Server | Threatpost
New Log4J Flaw Caps Year of Relentless Cyber Security Crises - WSJ
Log4Shell Is A Dumpster Fire That Should Have Been Avoided - Help Net Security
7 of the Most Impactful Cyber Security Incidents of 2021 (darkreading.com)
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.