Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

• Phishing Emails Up a Whopping 569% in 2022

The volume of phishing emails sent in 2022 spiked by a jaw-dropping 569% according to a new report. Based on data from 35 million users, the report details the astronomical rise of email phishing as a tactic among threat actors in 2022. Key findings from the report include the number of credential phishing emails sent spiked by 478% and, for the eighth consecutive year, business email compromise (BEC) ranked as the top cyber crime.

https://www.darkreading.com/attacks-breaches/phishing-emails-up-whopping-569-percent-2022

• The End User Password Mistakes Putting Your Organisation at Risk

Businesses rely on their end users, but those same users often don't follow the best security practices. Without the right password security policies, a single end user password mistake can be a costly breach of your organisation's defences. End users want to do their work quickly and efficiently, but sharing, reusing and weak passwords can put your organisation at risk so having the right policies in place is essential for security.

https://www.bleepingcomputer.com/news/security/the-end-user-password-mistakes-putting-your-organization-at-risk/

• Millions of Penetration Tests Show Companies’ Security Postures are Getting Worse

The risk score for the average company worsened in the past year as companies fail to adapt to data exfiltration techniques and adequately protect web applications. Companies' effective data-exfiltration risk increased to 44 out of 100 (with 100 indicating the riskiest posture) in 2022, from an average score of 30 in the previous year, indicating that the overall risk of data being compromised has increased. That's according to rankings by Cymulate, who crunched data on 1.7 million hours of offensive cyber security testing. The research noted that while many companies are improving the adoption of strict network and group policies, attackers are adapting to sidestep such protections. They also found that four of the top-10 CVEs (known vulnerabilities) identified in customer environments were more than two years old.

https://www.darkreading.com/cloud/millions-pen-tests-companies-security-posture-getting-worse

• 71% of Employees Keep Work Passwords on Personal Devices

71% of employees store sensitive work passwords on their personal phones, and 66% use their personal texting apps for work, according to a new mobile bring your own device (BYOD) security report this week, with the report also suggesting 95% of security leaders are increasingly concerned about phishing attacks via private messaging apps. With the widespread use of personal mobile devices in the workplace, it is increasingly difficult for employers to ensure the security of sensitive information. The use of personal devices and personal apps was the direct cause of many high-profile corporate breaches and this is a trend that will surely continue, as employees often use corporate and personal devices for work, effectively doubling the attack surface for cyber criminals as threat actors know there are fewer security controls on personal mobile devices than on corporate ones.

https://www.infosecurity-magazine.com/news/70-employees-keep-work-passwords/

• Cyber Frontlines in Russia-Ukraine War Move to Eastern and Northern Europe

More than a year into the war in Ukraine, hackers have extended the cyber battleground to Eastern and Northern Europe with the number of incidents in those geographies spiking noticeably. A new report shows that cyber warfare inside the conflict has “clearly moved on” from the beginnings of the war. Over the last 12 months, the research reports that the majority of incidents only affecting Ukraine in the first quarter of 2022 (50.4%) sank to 28.6% in the third period. But European Union countries have seen a spike in incidents related to the war in the past six months from 9.8% to 46.5%. Indeed, the number of attacks on EU countries in the third quarter of 2022 totalled just slightly less than those in the Ukraine. And, in the first quarter of this year, more than 80% of incidents occurred inside the European Union. Cyber is now a crucial weapon in the arsenal of new instruments of war, alongside disinformation, manipulation of public opinion, economic warfare, sabotage and guerrilla tactics. With the lateralisation of the conflict from Ukraine to the rest of Europe, Western Europe should be wary of possible attacks on critical infrastructure in the short term if the conflict continues to accelerate.

https://www.msspalert.com/cybersecurity-research/cybercrime-front-lines-in-russia-ukraine-war-move-to-eastern-and-northern-europe/

• Security Flaws Cost Fifth of Executives New Business

Boards continue to under-appreciate the value of cyber security to the business, despite acknowledging its critical role in winning new business and talent, according to Trend Micro. The security giant polled 2,718 business decision makers globally to compile its Risky Rewards study and it found that half (51%) believe cyber security is a necessary cost but not a revenue contributor. 48% argue that its value is limited to threat prevention and two-fifths (38%) see security as a barrier rather than a business enabler. That’s despite a fifth (19%) acknowledging that poor security posture has already impacted their ability to win new business, and 57% thinking there is a strong connection between cyber and client acquisition.

 https://www.infosecurity-magazine.com/news/fifth-execs-security-flaws-cost/

• Companies Struggle to Build and Run Effective Programs to Protect Data from Insider Threats

Insider risk is emerging as one of the most challenging threats for organisations to detect, mitigate and manage, Code42 Software said in its annual Data Exposure Report for 2023. To compile data for the study they surveyed some 700 cyber security leaders, managers and practitioners and whilst more than 72% of companies indicated they have an insider risk management (IRM) program in place, the same companies experienced a year-over-year increase in data loss incidents of 32%. 71% of respondees expect data loss from insider events to increase in the next 12 months. Insider incidents are costing organisations $16 million per incident on average, and chief information security officers (CISOs) say that insider risks are the most challenging type of threat to detect. Data loss from insiders is not a new problem but it has become more complex with workforce turnover and cloud adoption.

https://www.msspalert.com/cybersecurity-research/companies-struggle-to-build-and-run-effective-programs-to-protect-data-from-insider-threats/

• Only 10% of Workers Remember All Their Cyber Security Training

New research has found that only 10% of workers remember all their cyber security training. Furthermore, only half of employees are undergoing regular training, and a quarter aren’t receiving any training at all. Organisations should look to carry out effective and regular training that is tailored to their employees to increase the chance of training content being retained, with a programme of ongoing continual reinforcement.

https://www.itsecurityguru.org/2023/03/30/only-10-of-workers-remember-all-their-cyber-security-training/

• Silence Gets You Nowhere in a Data Breach

In cyber security, the phrase “what they don’t know won’t hurt them” is not only wrong, it’s dangerous. Despite this, it’s a motto that remains in many organisations’ PR playbooks, as demonstrated by the recent LastPass and Fortra data breaches. Smaller companies, too, are employing a silent-treatment approach to data breaches, and cyber attacks are now a fact of doing business with almost half of US organisations having suffered a cyber attack in 2022. Attackers are increasingly targeting smaller businesses due to the fact they are seen as easier targets than large companies.

 https://techcrunch.com/2023/03/29/silence-gets-you-nowhere-in-a-data-breach/

• Just 1% of Cloud Permissions are Actively Used

According to Microsoft, a surge in workload identities, super admins and “over-permissioning” is driving the increase in cyber risk for organisations. Just 1% of users are using the permissions granted to them for day-to-day work. Worryingly, this leaves a significant number of unnecessary permissions which could be used by an attacker to elevate their privileges.

https://www.infosecurity-magazine.com/news/just-1-of-cloud-permissions-used/

• Dangerous Misconceptions About Emerging Cyber Threats

Organisations are leaving common attack paths exposed in their quest to combat emergent threats, according to a new report that delves into the efficacy of different security controls, the most concerning threats as tested by organisations worldwide, and top cyber security best practices for 2023. One of the key findings of the report is that many organisations are actively testing against threats seen in the news, likely from pressure to report on their exposure risk to emergent threats, and whilst this is good, it should not take away from assessing threats and exposures that are more likely actively targeting the business.

https://www.helpnetsecurity.com/2023/03/30/misconceptions-emerging-cyber-threats/  

• ‘Grim’ Criminal Abuse of ChatGPT is Coming, Europol Warns

Europol has warned that criminals are set to take advantage of artificial intelligence to commit fraud and other crimes. Europol highlighted that ChatGPT could be used to speed up criminal research, impersonate speech styles for phishing and write code. Furthermore, despite ChatGPT having safeguards, Europol note that these can be circumvented.

https://www.securityweek.com/grim-criminal-abuse-of-chatgpt-is-coming-europol-warns/

Threats

Ransomware, Extortion and Destructive Attacks

• Why CISOs Are Looking to Lateral Security to Mitigate Ransomware | CIO

• 2023 Ransomware Insights | Barracuda Networks

• Clop Keeps Racking Up Ransomware Victims With GoAnywhere Flaw (darkreading.com)

• New IcedID malware variants shift from banking trojans to ransomware | SC Media (scmagazine.com)

• Publicly disclosed US ransomware attacks in 2023 | TechTarget

• Virgin Group added to Cl0p gang’s victim leak site | Cybernews

• New York law firm coughs up $200k after hospital data stolen • The Register

• Telecom giant Lumen suffered a ransomware attack-Security Affairs

• Ransomware crooks are exploiting IBM file exchange bug with a 9.8 severity | Ars Technica

• DarkBit puts data from Israel’s Technion university on sale | CSO Online

• Crown Resorts investigating potential data breach after being contacted by hacking group - ABC News

• Children’s data feared stolen in Fortra ransomware attack | TechCrunch

• P&G confirms data breach - Global Cosmetics News

Phishing & Email Based Attacks

• Phishing Emails Up a Whopping 569% in 2022 (darkreading.com)

• Exchange Online will soon start blocking emails from old, vulnerable on-prem servers - Help Net Security

• Volume of HTTPS Phishing Sites Surges 56% Annually - Infosecurity Magazine (infosecurity-magazine.com)

• Identifying AI-Enabled Phishing (knowbe4.com)

• IRS Phishing Emails Used to Distribute Emotet - Infosecurity Magazine (infosecurity-magazine.com)

• These next-level phishing scams use PayPal or Google Docs to steal your data | TechRadar

• Winter Vivern hackers exploit Zimbra flaw to steal NATO emails (bleepingcomputer.com)

BEC – Business Email Compromise

• BEC scammers are after physical goods, the FBI warns - Help Net Security

• Australian police arrest four BEC actors who stole $1.7 million (bleepingcomputer.com)

• New BEC Tactics Enable Fake Asset Purchases - Infosecurity Magazine (infosecurity-magazine.com)

• FBI: Business email compromise tactics used to defraud US vendors (bleepingcomputer.com)

Other Social Engineering; Smishing, Vishing, etc

• What is vishing (voice or VoIP phishing)? – TechTarget Definition

2FA/MFA

• What is Three-Factor Authentication? | Definition from TechTarget

Malware

• New IcedID malware variants shift from banking trojans to ransomware | SC Media (scmagazine.com)

• MacStealer  macOS malware appears in cyber crime underground--Security Affairs

• Cyber Scammers Using Decentralized File Distribution System to Spread Malware - MSSP Alert

• Microsoft confirms Defender has gone rogue as it's flagging legit links as malware - Neowin

• North Korean malware-spreading, crypto-stealing gang named • The Register

• Malware disguised as Tor browser steals $400k in cryptocash • The Register

• NullMixer Polymorphic Malware Variant Infects 8K Targets in Just a Month (darkreading.com)

• Chinese Cyber spies Use 'Melofee' Linux Malware for Stealthy Attacks - SecurityWeek

• Chinese RedGolf Group Targeting Windows and Linux Systems with KEYPLUG Backdoor (thehackernews.com)

• Realtek and Cacti flaws now actively exploited by malware botnets (bleepingcomputer.com)

• AlienFox malware caught in the cloud hen house • The Register

• Microsoft OneNote will block 120 dangerous file extensions (bleepingcomputer.com)

• IRS Phishing Emails Used to Distribute Emotet - Infosecurity Magazine (infosecurity-magazine.com)

Mobile

• Android-based banking Trojan Nexus now available as malware-as-a-service | CSO Online

• Inaudible ultrasound attack can stealthily control your phone, smart speaker (bleepingcomputer.com)

• Russia’s Rostec allegedly can de-anonymize Telegram users (bleepingcomputer.com)

• Android app from China executed 0-day exploit on millions of devices | Ars Technica

• Google again accused of destroying evidence in Android case • The Register

• Google finds more Android, iOS zero-days used to install spyware (bleepingcomputer.com)

• Samsung keeps ignoring a huge security flaw in millions of Galaxy phones - SamMobile

• iOS Vs. Android – Which Is The More Secure Platform? (informationsecuritybuzz.com)

Botnets

• Realtek and Cacti flaws now actively exploited by malware botnets (bleepingcomputer.com)

Denial of Service/DoS/DDOS

• DDoS DNS attacks are old-school, unsophisticated, and back • The Register

Internet of Things – IoT

• Inaudible ultrasound attack can stealthily control your phone, smart speaker (bleepingcomputer.com)

• This devious cyber attack can target all your smart speakers without you realizing | TechRadar

• Gone in 120 seconds: Tesla Model 3 child's play for hackers • The Register

Data Breaches/Leaks

• Fortra told breached companies their data was safe | TechCrunch

• Procter & Gamble confirms data theft via GoAnywhere zero-day (bleepingcomputer.com)

• Latitude Financial cyber-attack worse than first thought with 14m customer records stolen | Business | The Guardian

• New York law firm coughs up $200k after hospital data stolen • The Register

• Toyota scrambles to patch customer data leak-Security Affairs

• ChatGPT Data Breach Confirmed as Security Firm Warns of Vulnerable Component Exploitation - SecurityWeek

• 500k Impacted by Data Breach at Debt Buyer NCB - SecurityWeek

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

• North Korean hackers turn to 'cloud mining' for crypto to avoid law enforcement scrutiny | CyberScoop

• European Parliament Passes Historic Anti-Money Laundering Rules for Crypto Industry – More Regulation Incoming? (cryptonews.com)

• Malware disguised as Tor browser steals $400k in cryptocash • The Register

• NullMixer Polymorphic Malware Variant Infects 8K Targets in Just a Month (darkreading.com)

Insider Risk and Insider Threats

• Companies Struggle to Build and Run Effective Programs to Protect Data From Insider Threats - MSSP Alert

• Over 70% of Employees Keep Work Passwords on Personal Devices - Infosecurity Magazine (infosecurity-magazine.com)

• Only 10% of workers remember all their cyber security training - IT Security Guru

• Data loss from insider events increase despite IRM programs, says study | CSO Online

• Stop Blaming the End User for Security Risk (darkreading.com)

Fraud, Scams & Financial Crime

• Visa fraud expert outlines the many faces of payment ecosystem fraud - Help Net Security

• SMS pumping attacks and how to mitigate them | TechTarget

• Cyber Scammers Using Decentralized File Distribution System to Spread Malware - MSSP Alert

• NCA Celebrates Multimillion-Pound Fraud Takedowns - Infosecurity Magazine (infosecurity-magazine.com)

• How I fell for an internet scam (thetimes.co.uk)

Deepfakes

• AI has figured out how to draw deepfake hands | The Independent

AML/CFT/Sanctions

• European Parliament Passes Historic Anti-Money Laundering Rules for Crypto Industry – More Regulation Incoming? (cryptonews.com)

Insurance

• Beazley working on standalone cyber war product in market first (insuranceinsider.com)

• Organisations Reassess Cyber Insurance as Self-Insurance Strategies Emerge (darkreading.com)

Supply Chain and Third Parties

• Hackers compromise 3CX desktop app in a supply chain attack (bleepingcomputer.com)

• Supply chain cyber attack with possible links to North Korea could have thousands of victims globally | CyberScoop

• Winter Vivern hackers exploit Zimbra flaw to steal NATO emails (bleepingcomputer.com)

• 'They outsmarted us.' 3CX CEO acknowledges mistakes handling potential supply chain cyberattack | CyberScoop

Cloud/SaaS

• Just 1% of Cloud Permissions Are Actively Used - Infosecurity Magazine (infosecurity-magazine.com)

• Where SSO Falls Short in Protecting SaaS (thehackernews.com)

• North Korean hackers turn to 'cloud mining' for crypto to avoid law enforcement scrutiny | CyberScoop

• CISA Releases Hunt Tool for Microsoft's Cloud Services (darkreading.com)

• Balancing security risks and innovation potential of shadow IT teams - Help Net Security

• Microsoft Cloud Vulnerability Led to Bing Search Hijacking, Exposure of Office 365 Data - SecurityWeek

• AlienFox malware caught in the cloud hen house • The Register

Hybrid/Remote Working

• Cyber security focus in second Digital Europe work programme – EURACTIV.com

• More companies are watching their remote workers WFH on camera | Fortune

Shadow IT

• Balancing security risks and innovation potential of shadow IT teams - Help Net Security

Identity and Access Management

• Legacy, password-based authentication systems are failing enterprise security, says study | CSO Online

Encryption

• OpenSSL 1.1.1 Nears End of Life: Security Updates Only Until September 2023 - SecurityWeek

API

• Attacks Targeting APIs Increased By 400% in Last Six Months - Infosecurity Magazine (infosecurity-magazine.com)

Passwords, Credential Stuffing & Brute Force Attacks

• The End-User Password Mistakes Putting Your Organisation at Risk (bleepingcomputer.com)

• New Research Examines Traffers and the Business of Stolen Credentials - IT Security Guru

• Over 70% of Employees Keep Work Passwords on Personal Devices - Infosecurity Magazine (infosecurity-magazine.com)

• Legacy, password-based authentication systems are failing enterprise security, says study | CSO Online

Social Media

• France bans TikTok, all social media apps from government devices | CSO Online

Training, Education and Awareness

• The era of passive cyber security awareness training is over - Help Net Security

• Only 10% of workers remember all their cyber security training - IT Security Guru

• Back and Bigger Than Ever! The Inside Man Season 5 Takes a Stab at Power Hungry Adversaries - IT Security Guru

Parental Controls and Child Safety

• Children’s data feared stolen in Fortra ransomware attack | TechCrunch

Regulations, Fines and Legislation

• UK Introduces Mass Surveillance With Online Safety Bill - SecurityWeek

• Call for Submissions to UK's New Computer Misuse Act - Infosecurity Magazine (infosecurity-magazine.com)

Governance, Risk and Compliance

• Beazley working on standalone cyber war product in market first (insuranceinsider.com)

• 3 Shifts in the Cyber Threat Landscape (trendmicro.com)

• Cyber security vs. Everyone: From Conflict to Collaboration (darkreading.com)

• Using Observability to Power a Smarter Cyber security Strategy (darkreading.com)

• It's Time to Rethink Security Culture, Match Confidence to Capabilities, Immersive Labs Reports - MSSP Alert

• How cyber security decision-makers perceive cyber resilience - Help Net Security

• NCSC issues revised security Board Toolkit for business leaders | Computer Weekly

• The CISO Mantra: Get Ready to Do More With Less (darkreading.com)

Models, Frameworks and Standards

• The best defence against cyber threats for lean security teams - Help Net Security

Backup and Recovery

• World Backup Day is here again – 5 tips to keep your precious data safe – Naked Security (sophos.com)

Law Enforcement Action and Take Downs

• FBI confirms access to Breached cyber crime forum database (bleepingcomputer.com)

• UK creates fake DDoS-for-hire sites to identify cyber criminals (bleepingcomputer.com)

• Australian police arrest four BEC actors who stole $1.7 million (bleepingcomputer.com)

• 20-Year-Old BreachForums Founder Faces Up to 5 Years in Prison (thehackernews.com)

• North Korean hackers turn to 'cloud mining' for crypto to avoid law enforcement scrutiny | Cyber scoop

• NCA Celebrates Multimillion-Pound Fraud Takedowns - Infosecurity Magazine (infosecurity-magazine.com)

Privacy, Surveillance and Mass Monitoring

• The Importance of Data Security and Privacy for Individuals and Businesses in the Digital Age - IT Security Guru

• UK Introduces Mass Surveillance With Online Safety Bill - SecurityWeek

• FBI Spent Tens of Thousands of Dollars on Bulk Data Collection (gizmodo.com)

• Clearview AI used nearly 1m times by US police, it tells the BBC - BBC News

• More companies are watching their remote workers WFH on camera | Fortune

Artificial Intelligence

• 'Grim' Criminal Abuse of ChatGPT is Coming, Europol Warns     - SecurityWeek

• Europol warns of criminal use of ChatGPT-Security Affairs

• In Sudden Alarm, Tech Doyens Call for a Pause on ChatGPT | WIRED

• Musk, Scientists Call for Halt to AI Race Sparked by ChatGPT - SecurityWeek

• AI-fuelled search gives more power to the bad guys | CSO Online

• Identifying AI-Enabled Phishing (knowbe4.com)

• Hacker demonstrates security flaws in GPT-4 just one day after launch | VentureBeat

• AI image of Pope Francis in a puffer jacket fooled the internet and experts fear there’s worse to come (inews.co.uk)

• Godfather of AI Says There's a Minor Risk It'll Eliminate Humanity (futurism.com)

• Clearview AI used nearly 1m times by US police, it tells the BBC - BBC News

• ChatGPT Data Breach Confirmed as Security Firm Warns of Vulnerable Component Exploitation - SecurityWeek

• AI has figured out how to draw deepfake hands | The Independent

Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine

• Putin and Xi’s plot to control the internet will leave the West in the dust (telegraph.co.uk)

• In A Surprise, China-Linked TikTok Grabs Power Norway Needs To Make Ammo (forbes.com)

• ‘Vulkan files’ leak reveals Putin’s global and domestic cyberwarfare tactics | Cyberwar | The Guardian

• Cyber crime Front Lines in Russia-Ukraine War Move to Eastern and Northern Europe - MSSP Alert

• Beazley working on standalone cyber war product in market first (insuranceinsider.com)

• 'Bitter' espionage hackers target Chinese nuclear energy orgs (bleepingcomputer.com)

• Earth Preta’s Cyber Espionage Campaign Hits Over 200 (trendmicro.com)

• China crisis is a TikToking time bomb • The Register

• Biden White House Issues Executive Order on Commercial Spyware (gizmodo.com)

• North Korean APT43 Group Uses Cybercrime to Fund Espionage Operations (thehackernews.com)

• Google finds more Android, iOS zero-days used to install spyware (bleepingcomputer.com)

• Over 200 Organisations Targeted in Chinese Cyber Espionage Campaign - SecurityWeek

• Chinese tech firms banned over spy fears granted access to UK officials at security conference (inews.co.uk)

• Google: Commercial Spyware Used by Governments Laden With Zero-Day Exploits (darkreading.com)

• Chinese Cyber spies Use 'Melofee' Linux Malware for Stealthy Attacks - SecurityWeek

• Chinese RedGolf Group Targeting Windows and Linux Systems with KEYPLUG Backdoor (thehackernews.com)

• Pro-Russian hackers target elected US officials supporting Ukraine | Ars Technica

• Russian spies more effective than army, say experts - BBC News

• Cyber warfare leaks show Russian army is adopting mindset of secret police | Cyberwar | The Guardian

Nation State Actors

• Uncle Sam sent cyber-soldiers to Albania to combat Iran • The Register

• Russia’s Rostec allegedly can de-anonymize Telegram users (bleepingcomputer.com)

• Android app from China executed 0-day exploit on millions of devices | Ars Technica

• North Korean hackers turn to 'cloud mining' for crypto to avoid law enforcement scrutiny | CyberScoop

• China urges Apple to improve security and privacy • The Register

• Supply chain cyber attack with possible links to North Korea could have thousands of victims globally | CyberScoop

• North Korean malware-spreading, crypto-stealing gang named • The Register

• Chinese tech firms banned over spy fears granted access to UK officials at security conference (inews.co.uk)

• Smugglers busted sneaking tech into China • The Register

• Chinese RedGolf Group Targeting Windows and Linux Systems with KEYPLUG Backdoor (thehackernews.com)

Vulnerability Management

• What you need before the next vulnerability hits - Help Net Security

• Vulnerability management vs. risk management, compared | TechTarget

• Most Weaponized Vulnerabilities of 2022 and 5 Key Risks: Report - SecurityWeek

• Microsoft shares tips on detecting Outlook zero-day exploitation (bleepingcomputer.com)

• Ignoring network automation is a ticking time bomb for security - Help Net Security

Vulnerabilities

• Microsoft: No-Interaction Outlook Zero Day Exploited Since Last April - SecurityWeek

• Microsoft shares tips on detecting Outlook zero-day exploitation (bleepingcomputer.com)

• Apple patches everything, including a zero-day fix for iOS 15 users – Naked Security (sophos.com)

• QNAP fixed Sudo privilege escalation bug in NAS devices-Security Affairs

• Patch Now: Cyber criminals Set Sights on Critical IBM File Transfer Bug (darkreading.com)

• ChatGPT Vulnerability May Have Exposed Users’ Payment Information - Infosecurity Magazine (infosecurity-magazine.com)

• Microsoft Cloud Vulnerability Led to Bing Search Hijacking, Exposure of Office 365 Data - SecurityWeek

• Super FabriXss flaw in Microsoft Azure SFX could lead to RCE-Security Affairs

• OpenAI quickly fixed account takeover bugs in ChatGPT-Security Affairs

Tools and Controls

• Even with defence tools, CISOs say cyber attacks are ‘inevitable’ (techrepublic.com)

• The era of passive cyber security awareness training is over - Help Net Security

• Silence gets you nowhere in a data breach | TechCrunch

• Only 10% of workers remember all their cyber security training - IT Security Guru

• Prioritizing data security amid workforce disruptions - Help Net Security

• Using Observability to Power a Smarter Cyber security Strategy (darkreading.com)

• For database security it's down to people, not tech fixes • The Register

• Known unknowns: Refining your approach to uncategorized web traffic - Help Net Security

• Understanding adversaries through dark web intelligence - Help Net Security

• Where SSO Falls Short in Protecting SaaS (thehackernews.com)

• How Does Data Literacy Enhance Data Security? (darkreading.com)

• CISA Releases Hunt Tool for Microsoft's Cloud Services (darkreading.com)

• With Security Copilot, Microsoft brings the power of AI to cyber defence - Stories

• Compare breach and attack simulation vs. penetration testing | TechTarget

• Ignoring network automation is a ticking time bomb for security - Help Net Security

• Microsoft's ‘Security Copilot’ Sics ChatGPT on Security Breaches | WIRED

• Breaking the Mold: Pen Testing Solutions That Challenge the Status Quo (thehackernews.com)

• Diagnose your SME’s Cyber security and Scan for Recommendations — ENISA (europa.eu)

• Protect your entire business with the right authentication method - Help Net Security

• What Makes an Effective Anti-Bot Solution? - SecurityWeek

• Microsoft Defender is flagging legit URLs as malicious • The Register

• Managing security in the cloud through Microsoft Intune | CSO Online

• Top 5 SD-WAN Challenges and How to Prepare for Them | TechTarget

• Why Endpoint Resilience Matters - SecurityWeek

• The rise of biometrics and decentralized identity is a game-changer for identity verification - Help Net Security

• Organisations Reassess Cyber Insurance as Self-Insurance Strategies Emerge (darkreading.com)

• The best defence against cyber threats for lean security teams - Help Net Security

• World Backup Day is here again – 5 tips to keep your precious data safe – Naked Security (sophos.com)

• Overcoming obstacles to introduce zero-trust security in established systems - Help Net Security

• The foundation of a holistic identity security strategy - Help Net Security

• The CISO Mantra: Get Ready to Do More With Less (darkreading.com)

Reports Published in the Last Week

• Cyber security focus in second Digital Europe work programme – EURACTIV.com

• 2023 Ransomware Insights | Barracuda Networks

• 2023 State of Cloud Permissions Risks report now published - Microsoft Community Hub

Other News

• GoAnywhere Zero-Day Attack Hits Major Orgs - SecurityWeek

• Hackers changed tactics, went cross-platform in 2022, says Trend Micro | CSO Online

• WiFi protocol flaw allows attackers to hijack network traffic (bleepingcomputer.com)

• Microsoft OneNote will block 120 dangerous file extensions (bleepingcomputer.com)

• How CISOs Can Reduce the Danger of Using Data Brokers (darkreading.com)

• Tech Industry Bids to Tackle Cyber-Mercenary Epidemic - Infosecurity Magazine (infosecurity-magazine.com)

• How Does Data Literacy Enhance Data Security? (darkreading.com)

• Microsoft uses carrot and stick with Exchange Online admins • The Register

Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

·       Automotive

·       Construction

·       Critical National Infrastructure (CNI)

·       Defence & Space

·       Education & Academia

·       Energy & Utilities

·       Estate Agencies

·       Financial Services

·       FinTech

·       Food & Agriculture

·       Gaming & Gambling

·       Government & Public Sector (including Law Enforcement)

·       Health/Medical/Pharma

·       Hotels & Hospitality

·       Insurance

·       Legal

·       Manufacturing

·       Maritime

·       Oil, Gas & Mining

·       OT, ICS, IIoT, SCADA & Cyber-Physical Systems

·       Retail & eCommerce

·       Small and Medium Sized Businesses (SMBs)

·       Startups

·       Telecoms

·       Third Sector & Charities

·       Transport & Aviation

·       Web3

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

• NCSC Looks Back on Year Of ‘Profound Change’ for Cyber

The UK’s National Cyber Security Centre (NCSC) provided support for 18 nationally significant ransomware attacks; removed 2.1 million cyber-enabled commodity campaigns; issued 34 million early warning alerts about attacks, compromises, vulnerabilities or open ports; and received 6.5 million reports of suspicious emails in the past 12 months – but in a year of “profound change” in the cyber security landscape, it was Russia’s invasion of Ukraine that dominated the agenda.

Reflecting on the past 12 months as she launched the NCSC’s latest annual report on 1 November at an event in London, NCSC CEO Lindy Cameron said that the return of war to Europe with Russia’s invasion of Ukraine presented a unique set of challenges in cyber space for the NCSC and its partners and allies.

Cameron added that while the cyber threat from Russia has perhaps been the most visible security issue of 2022, it was also important not to forget that when it comes to nation-state actors, it will likely be the technical development and evolution of China that ultimately has the more lasting impact on the UK’s national cyber security.

https://www.computerweekly.com/news/252526766/NCSC-looks-back-on-year-of-profound-change-for-cyber

• LastPass Research Finds False Sense of Cyber Security Running Rampant

LastPass released findings from its fifth annual Psychology of Password findings, which revealed even with cyber security education on the rise, password hygiene has not improved. Regardless of generational differences across Boomers, Millennials and Gen Z, the research shows a false sense of password security given current behaviours across the board. In addition, LastPass found that while 65% of all respondents have some form of cyber security education — through school, work, social media, books or via online courses — the reality is that 62% almost always or mostly use the same or variation of a password.

The survey, which explored the password security behaviours of 3,750 professionals across seven countries, asked about respondents’ mindset and behaviours surrounding their online security. The findings highlighted a clear disconnect between high confidence when it comes to their password management and their unsafe actions. While the majority of professionals surveyed claimed to be confident in their current password management, this doesn’t translate to safer online behaviour and can create a detrimental false sense of safety.

Key findings from the research include:

• Gen Z is confident when it comes to their password management, while also being the biggest offenders of poor password hygiene.

• Cyber security education doesn’t necessarily translate to action.

• Confidence creates a false sense of password security.

The latest research showcases that even in the face of a pandemic, where we spent more time online amid rising cyber attacks, there continues to be a disconnect for people when it comes to protecting their digital lives. Even though nearly two-thirds of respondents had some form of cyber security education, it is not being put into practice for varying reasons.

https://www.darkreading.com/vulnerabilities-threats/untitled

• Insurance Giant Settles NotPetya ‘Act of War’ Lawsuit, Signaling Cyber Insurance Shakeup

The settlement last week in a $100 million lawsuit over whether insurance giant Zurich should cover losses Mondelez International suffered from NotPetya may very well reshape the entire cyber insurance marketplace.

Zurich initially denied claims from Mondelez after the malware, which experts estimate caused some $10 billion in damages globally, wreaked havoc on its computer networks. The insurance provider claimed an act of war exemption since it’s widely believed Russian military hackers unleashed NotPetya on a Ukrainian company before it spread around the world.

Now, however, it’s increasingly clear insurers aren’t off the hook for NotPetya payouts or from covering losses from other attacks with clear links to nation-state hackers.

That’s because in this case, what Mondelez and many other corporations endured was not an act of war, but “collateral damage” in a much larger cyber conflict that had nothing to do with them, said the Center for Strategic and International Studies.

There needs to be a rethink what act of war means in cyber space when it comes to insurance. The current definitions come out of the 19th century when we had pirates, navies and privateers.

Last week’s ruling in favour of Mondelez follows a January ruling in a New Jersey court that sided with global pharmaceutical company Merck in a similar case. Its insurance companies initially refused to pay for damages from NotPetya. Merck claimed losses that amounted to $1.4 billion. The insurers are appealing the ruling.

Insurers seized on the NotPetya episode to test how courts would rule on cyber coverage questions, particularly when there’s so much evidence pointing to one particular nation-state actor. Since NotPetya was widely attributed to the Russian government it gave the industry a “really strong opportunity” to set legal precedent limiting their responsibility in these instances.

Insurers will start to be much more upfront about the fact that they aren’t going to cover acts of cyber war or limit payouts for NotPetya type incidents in the future.

https://www.cyberscoop.com/insurance-giant-settles-notpetya-lawsuit/

• Microsoft Warns of Uptick in Hackers Leveraging Publicly-Disclosed 0-Day Vulnerabilities

Microsoft is warning of an uptick among nation-state and criminal actors increasingly leveraging publicly-disclosed zero-day vulnerabilities for breaching target environments.

The tech giant, in its 114-page Digital Defense Report, said it has "observed a reduction in the time between the announcement of a vulnerability and the commoditisation of that vulnerability," making it imperative that organisations patch such exploits in a timely manner.

This also corroborates with an April 2022 advisory from the US Cybersecurity and Infrastructure Security Agency (CISA), which found that bad actors are "aggressively" targeting newly disclosed software bugs against broad targets globally.

Microsoft noted that it only takes 14 days on average for an exploit to be available in the wild after public disclosure of a flaw, stating that while zero-day attacks are initially limited in scope, they tend to be swiftly adopted by other threat actors, leading to indiscriminate probing events before the patches are installed.

It further accused Chinese state-sponsored groups of being "particularly proficient" at discovering and developing zero-day exploits. This has been compounded by the fact that the Cyberspace Administration of China (CAC) enacted a new vulnerability reporting regulation in September 2021 that requires security flaws to be reported to the government prior to them being shared with the product developers.

Redmond further said the law could enable government-backed elements to stockpile and weaponise the reported bugs, resulting in the increased use of zero-days for espionage activities designed to advance China's economic and military interests.

https://thehackernews.com/2022/11/microsoft-warns-of-uptick-in-hackers.html

• Chinese Mob Has 100K Slaves Working in Cambodian Cyber Crime Mills

Up to 100,000 people from across Asia have been lured to Cambodia by Chinese crime syndicates with the promise of good jobs. When they arrive, their passports are seized and they are put to work in modern-day sweatshops, running cyber crime campaigns.

The Los Angeles Times reported that Cambodia, which was hit hard economically by the pandemic, has allowed Chinese mobsters to set up enormous cyber crime operations using human trafficked labour without consequence, because of the revenue it generates for the country. The campaigns they carry out run the gamut from romance scams to fake sports betting.

Although the Cambodian government acknowledges that as many as 100,000 workers are involved in these activities, it denies anyone is being held against their will. However, the stories from traumatised victims rescued from cyber crime mills include tales of beatings and torture for failing to meet quotas, and of being sold and passed around from gang to gang.

https://www.darkreading.com/attacks-breaches/chinese-mob-100k-slaves-cambodian-cybercrime-mills

• Ransomware Research: 17 Leaked Databases Operated by Threat Actors Threaten Third Party Organisations

Ransomware remains a serious threat to organisations, Deep Instinct, a New York-based deep learning cyber security specialist, said in its recently released 2022 Interim Cyber Threat Report.

It’s no surprise, the company said, as there are currently 17 leaked databases operated by threat actors who are leveraging the data for attacks on third-party companies, most notably social engineering, credential theft, and triple-extortion attacks.

Here are the report’s key findings:

• Changes in ransomware gangs, including LockBit, Hive, BlackCat, and Conti. The latter has spawned “Conti Splinters” made up of former affiliates Quantum, BlackBasta, and BlackByte.

• Significant changes to tactics by Emotet, Agent Tesla, NanoCore, and others. For example, Emotet uses highly obfuscated VBA macros to avoid detection.

• The use of documents for malware has decreased as the top attack vector, following Microsoft’s move to disable macros by default in Microsoft Office files. Threat actors have already pivoted to other methods such as LNK, HTML, and archive email attachments.

• Vulnerabilities such as SpoolFool, Follina and DirtyPipe highlighted the exploitability of both Windows and Linux systems despite efforts to enhance their security.

• The number of exploited in-the-wild vulnerabilities spikes every 3-4 months. The next spike is expected to occur by the end of the year.

• Threat actor groups are extending data exfiltration attacks to demand ransoms from third-party companies if the leaked data contains their sensitive information.

The report also makes three predictions:

• More inside jobs. Malicious threat actors look for the weakest link, which is often in the supply chain. Groups like Lapsus$ do not rely on exploits but instead look for insiders who are willing to sell access to data within their organisation.

• Rise of protestware. Look for a spike in protestware, which is self-sabotaging one’s software and weaponising it with malware capabilities in an effort to harm all or some of its users. The war between Russia and Ukraine has caused a surge in protestware.

• End of year attacks. While no major vulnerability in 2022 has emerged similar to the Log4J or the Exchange cases in 2021, there is an increase year-over-year in the number of publicly assigned CVEs for reported vulnerabilities. For now, threat actors are still exploiting old vulnerabilities during 2022 simply because there is a plethora of unpatched systems for 2021 CVEs but that will change.

Organisations are warned to be on their guard. 2022 has been another record year for cyber criminals and ransomware gangs. It’s no secret that these threat actors are constantly upping their game with new and improved tactics designed to evade traditional cyber defences. Defenders must continue to be vigilant and find new approaches to prevent these attacks from happening.

https://www.msspalert.com/cybersecurity-research/ransomware-research-17-leaked-databases-operated-by-threat-actors-threaten-third-party-organizations/

• Ransomware: Not Enough Victims Are Reporting Attacks, And That's a Problem for Everyone

Ransomware continues to be a significant cyber threat to businesses and the general public – but it's difficult to know the true impact of attacks because many victims aren't coming forward to report them.

The warning comes in the National Cyber Security Centre (NCSC) Annual Review for 2022, which looks back at key developments and incidents in cyber crime over the last year, with ransomware described as an "ever present" threat and a "major challenge" to businesses and public services.

That's demonstrated by how the review details how in the 12-month period between 1 September 2021 and 31 August 2022 there were 18 ransomware incidents that needed a "nationally coordinated" response. These included attacks on a supplier to the National Health Service (NHS) and a ransomware attack against South Staffordshire Water.

However, the true impact of ransomware remains unclear, because the NCSC says that many organisations that fall prey to ransomware attacks aren't disclosing them.

That lack of reporting is despite the significant and disruptive consequences ransomware attacks can have, not only for organisations that fall victim, but for wider society – which is why it's vital that cyber security is taken seriously and incidents are reported.

https://www.zdnet.com/article/ransomware-not-enough-victims-are-reporting-attacks-and-that-increases-the-threat-for-everyone/

• Hackers Selling Access to 576 Corporate Networks for $4 Million

A new report shows that hackers are selling access to 576 corporate networks worldwide for a total cumulative sales price of $4,000,000, fuelling attacks on the enterprise.

The research comes from Israeli cyber-intelligence firm KELA which published its Q3 2022 ransomware report, reflecting stable activity in the sector of initial access sales but a steep rise in the value of the offerings.

Although the number of sales for network access remained about the same as in the previous two quarters, the cumulative requested price has now reached $4,000,000. For comparison, the total value of initial access listings in Q2 2022 was $660,000, recording a drop in value that coincided with the summer ransomware hiatus that hurt demand.

Initial access brokers (IABs) are hackers who sell access to corporate networks, usually achieved through credential theft, webshells, or exploiting vulnerabilities in publicly exposed hardware. After establishing a foothold on the network, the threat actors sell this corporate access to other hackers who use it to steal valuable data, deploy ransomware, or conduct other malicious activity. The reasons IABs choose not to leverage network access vary, ranging from lacking diverse intrusion skills to preferring not to risk increased legal trouble.

IABs still play a crucial role in the ransomware infection chain, even if they got sidelined last year when big ransomware gangs that operated as crime syndicates operated their own IAB departments.

https://www.bleepingcomputer.com/news/security/hackers-selling-access-to-576-corporate-networks-for-4-million/

• Cyber Security Recovery is a Process That Starts Long Before a Cyber Attack Occurs

Organisations are racing to stay ahead of cyber criminals, and as a result, we see businesses investing a lot of money on identifying and detecting attacks, on preventing attacks in the first place, and in responding to live attacks. But they are not spending the same amounts on attack recovery. They may have followed all the relevant guidelines, and even implemented the ISO 27000 standard, but none of that helps them to understand how to build the business back after a serious cyber attack.

Until recent years, this cyber security recovery investment would be spent on an annual tabletop exercise or disaster recovery test and auditing recovery plans. While this should be done, it isn’t enough on its own.

Cyber security insurance is also critical, of course, but it only covers some of the losses. It won’t cover future loss. The reality is most organisations find it very difficult to fully recover from an attack. Those that invest more in disaster recovery and business continuity recover from these attacks far more swiftly than their less-prepared competitors.

The four core components of an effective cyber security recovery program

1. Pre-emptive action

2. Responsibilities and accountability

3. Having the right IT architecture, security and recovery process in place

4. Learning lessons and implementing changes.

Once these factors are understood, and any weak spots identified, the organisation can focus on re-designing or updating architecture and procedures, and on retraining employees (something that should happen regularly).

Recovery is a process that starts long before a cyber attack occurs. It concludes not when the data is secured, but when the organisation can say that it’s learned everything it can from the event and has made the changes necessary to avoid it happening again.

https://www.helpnetsecurity.com/2022/11/03/cybersecurity-recovery/

• Geopolitics Plays Major Role in Cyber Attacks, Says EU Cyber Security Agency

The ongoing Russia-Ukraine conflict has resulted in an increase in hacktivist activity in the past year, with state-sponsored threat actors targeting 128 governmental organisations in 42 countries that support Ukraine, according to the European Union Agency for Cybersecurity (ENISA).

In addition, some threat actors targeted Ukrainian and Russian entities during the early days of the conflict, likely for the collection of intelligence, according to the 10th edition of the ENISA threat landscape report. The report, this year titled Volatile Geopolitics Shake the Trends of the 2022 Cybersecurity Threat Landscape, notes that in general geopolitical situations continue to have a high impact on cyber security.

This year's report identified several attack types frequently used by state-sponsored attackers. These include zero-day and critical vulnerability exploitation; attacks on operational technology (OT) networks; wiper attacks to destroy and disrupt networks of governmental agencies and critical infrastructure entities; and supply chain attacks. Attacks also featured social engineering, disinformation, and threats against data.

State-sponsored threat actors have also been observed targeting entities from countries in Southeast Asia, Japan, Australia, and Taiwan. Due to increased tensions between specific countries in Asia, state-sponsored threat actors have targeted countries (including EU member states) that had established closer ties with Taiwan.

Ransomware remains the top cyber crime attack type this year as well. More than 10 terabytes of data were stolen monthly during the period studied, with phishing identified as the most common initial vector of such attacks. The report also noted that 60% of affected organisations likely have paid the ransom demanded.

The second most used form of attack was DDoS. The largest DDoS attack ever was launched in Europe in July 2022 against a European customer of Akamai. The attack hit a peak at 853.7Gbps and 659.6Mpps (megapackets per second) over 14 hours.

While all sectors fell victim to attacks, public administration and government entities were the most affected, making up 24% of all cyber attack victims. This was followed by digital service providers at 13% and the general public at 12%. These three sectors alone accounted for 50% of all the attacks during this year.

https://www.csoonline.com/article/3678771/geopolitics-plays-major-role-in-cyberattacks-says-eu-cybersecurity-agency.html#tk.rss_news

• Russian Hackers Account for Most 2021 Ransomware Schemes, US Says

Payment-seeking software made by Russian hackers was used in three quarters of all the ransomware schemes reported to a US financial crime agency in the second half of 2021, a Treasury Department analysis released on Tuesday showed.

In an analysis issued in response to the increase in number and severity of ransomware attacks against critical infrastructure in the United States since late 2020, the US Financial Crimes Enforcement Network (FinCEN) said it had received 1,489 ransomware-related filings worth nearly $1.2 billion in 2021, a 188% jump from the year before.

Out of 793 ransomware incidents reported to FinCEN in the second half of 2021, 75% "had a nexus to Russia, its proxies, or persons acting on its behalf," the report said.

Washington last week hosted a meeting with officials from 36 countries and the European Union, as well as 13 global companies to address the growing threat of ransomware and other cyber crime, including the illicit use of cryptocurrencies.

https://www.reuters.com/technology/us-says-many-ransomware-attacks-late-2021-were-connected-russian-actors-2022-11-01/

• Exposed: The Global Hacking Network That Targets VIPs

Private investigators linked to the City of London are using an India-based computer hacking gang to target British businesses, government officials and journalists.

The Sunday Times and the Bureau of Investigative Journalism have been given access to the gang’s database, which reveals the extraordinary scale of the attacks. It shows the criminals targeted the private email accounts of more than 100 victims on behalf of investigators working for autocratic states, British lawyers and their wealthy clients. Critics of Qatar who threatened to expose wrongdoing by the Gulf state in the run-up to this month’s World Cup were among those hacked.

It is the first time the inner workings of a major “hack-for-hire” gang have been leaked to the media and it reveals multiple criminal conspiracies. Some of the hackers’ clients are private investigators used by major law firms with bases in the City of London.

The investigation — based on the leaked documents and undercover work in India — reveals:

• Orders went out to the gang to target the BBC’s political editor Chris Mason in May, three weeks after his appointment was announced.

• The president of Switzerland and his deputy were targeted just days after he met Boris Johnson and Liz Truss in Downing Street to discuss Russian sanctions.

• Philip Hammond, then chancellor, was hacked as he was dealing with the fallout of Russia’s novichok poisonings in Salisbury.

• A private investigator hired by a London law firm acting for the Russian state ordered the gang to target a British-based oligarch fleeing President Putin.

• Michel Platini, the former head of European football, was hacked shortly before he was due to talk to French police about corruption allegations relating to this year’s World Cup.

• The hackers broke into the email inboxes of the Formula One motor racing bosses Ruth Buscombe, the British head of race strategy at the Alfa Romeo team, and Otmar Szafnauer, who was chief executive of the Aston Martin team.

• The gang seized control of computers owned by Pakistan’s politicians, generals and diplomats and eavesdropped on their private conversations apparently at the behest of the Indian secret services.

The commissioning of hacking is a criminal offence punishable with a maximum sentence of ten years in jail in Britain. The Metropolitan Police was tipped off about the allegations regarding Qatar in October last year, yet chose not to take any action. David Davis, the former cabinet minister, said that the force should reopen its investigation into the cyber attacks against British citizens. Davis said the investigation exposed how London has become “the global centre of hacking”.

https://www.thetimes.co.uk/article/exposed-the-global-hacking-network-that-targets-vips-nff67j67z

Threats

Ransomware and Extortion

• Wannacry, the hybrid malware that brought the world to its knees. Let’s not forget! - Security Affairs

• International Counter Ransomware Initiative 2022 Joint Statement | The White House

• Oreo Giant Mondelez Settles NotPetya 'Act of War' Insurance Suit (darkreading.com)

• Extortion fears after hacker stole patient files from Dutch mental health clinics (bitdefender.com)

• Ransomware activity and network access sales in Q3 2022 - Security Affairs

• Ransomware costs top $1 billion as White House inks new threat-sharing initiative - CyberScoop

• Stopping C2 communications in human-operated ransomware through network protection - Microsoft Security Blog

• FIN7 Cyber crime Group Likely Behind Black Basta Ransomware Campaign (darkreading.com)

• Everything You Need to Know About LockBit (darkreading.com)

• Yanluowang ransomware gang goes dark after leaks (techtarget.com)

• LockBit 3.0 gang claims to have stolen data from Thales - Security Affairs

• Ransomware cost US banks $1.2 billion last year • The Register

• Australia sees rise in cyber crimes on back of 'destructive' ransomware, state actors | ZDNET

• Listed car dealer Pendragon has ‘contained’ cyber attack – but new deadline for data release issued by hackers – Car Dealer Magazine

• Hackers Target Australian Defense Communications Platform With Ransomware - Infosecurity Magazine (infosecurity-magazine.com)

• LockBit Dominates Ransomware Campaigns in 2022: Deep Instinct - Infosecurity Magazine (infosecurity-magazine.com)

• BlackByte ransomware group hit Asahi Group Holdings, a precision metal manufacturing and metal solution provider - Security Affairs

• Australian Defence Department Impacted In Ransomware Attack (informationsecuritybuzz.com)

• LockBit ransomware gang claims the hack of the Continental automotive group - Security Affairs

• Cyber attack Strikes Global Copper Conglomerate (darkreading.com)

• ALMA Observatory shuts down operations due to a cyber attack (bleepingcomputer.com)

• Osaka Hospital Halts Services After Ransomware Attack - Infosecurity Magazine (infosecurity-magazine.com)

Phishing & Email Based Attacks

• Outmanoeuvring cyber criminals by recognizing mobile phishing threats’ telltale markers - Help Net Security

• Robin Banks phishing service returns to steal banking accounts (bleepingcomputer.com)

• Attackers leverage Microsoft Dynamics 365 to phish users - Help Net Security

• Phishers Abuse Microsoft Voicemail Service to Trick Users - Infosecurity Magazine (infosecurity-magazine.com)

• CISA Urges Organisations to Implement Phishing-Resistant MFA | SecurityWeek.Com

• 130 private Dropbox GitHub repos copied after phish attack • The Register

• As Twitter brings on $8 fee, phishing emails target verified accounts (bleepingcomputer.com)

BEC – Business Email Compromise

• New Crimson Kingsnake gang impersonates law firms in BEC attacks (bleepingcomputer.com)

• Double-check those demand-payment emails from law firms • The Register

Malware

• RomCom RAT malware campaign impersonates KeePass, SolarWinds NPM, Veeam (bleepingcomputer.com)

• The Emotet botnet has returned with a vengeance | TechRadar

• Emotet botnet starts blasting malware again after 4 month break (bleepingcomputer.com)

• Drinik banking malware returns: Things you can do to keep your data safe | Mint (livemint.com)

• Hacking group abuses antivirus software to launch LODEINFO malware (bleepingcomputer.com)

• This stealthy hacking campaign uses a new trick to deliver its malware | ZDNET

• Cranefly threat group uses innocent-looking info-stealer • The Register

• 250+ US news sites spotted spreading FakeUpdates malware in a supply-chain attack - Security Affairs

• New Azov data wiper tries to frame researchers and BleepingComputer

• Dozens of PyPI packages caught dropping 'W4SP' info-stealing malware (bleepingcomputer.com)

• Inside Raccoon Stealer V2 (thehackernews.com)

Mobile

• Android Apps With a Million Downloads Led Users to Phishing Sites - Infosecurity Magazine (infosecurity-magazine.com)

• US govt employees exposed to mobile attacks from outdated Android, iOS (bleepingcomputer.com)

• Samsung Galaxy Bug Secretly Let Hackers Install Apps on Targeted Devices (informationsecuritybuzz.com)

• Cyber-Threat Actor Uses Booby-Trapped VPN App to Deploy Android Spyware (darkreading.com)

• Malicious dropper apps on Play Store totaled 30.000+ installations - Security Affairs

• New SandStrike spyware infects Android devices via malicious VPN app (bleepingcomputer.com)

Internet of Things – IoT

• IoT devices can undermine your security. Here are four ways to boost your defences | ZDNET

• Understanding The Importance Of Cyber Resilience In Smart Buildings - IT Security Guru

Data Breaches/Leaks

• Royal Mail customer data leak shutters online Click and Drop • The Register

• Vodafone Italy discloses data breach after reseller hacked (bleepingcomputer.com)

• LockBit 3.0 gang claims to have stolen data from Thales - Security Affairs

• Dropbox discloses breach after hacker stole 130 GitHub repositories (bleepingcomputer.com)

• Data Breach of Missile Maker MBDA May Have Been Real: CloudSEK - Infosecurity Magazine (infosecurity-magazine.com)

• Experian tool exposed partial Social Security numbers, putting customers at risk - CyberScoop

• Label Giant Multi-Color Corporation Discloses Data Breach | SecurityWeek.Com

• Bed Bath & Beyond Discloses Data Breach to SEC (darkreading.com)

Organised Crime & Criminal Actors

• US Hacker Group Indicted For Million-Dollar RICO Conspiracy - Infosecurity Magazine (infosecurity-magazine.com)

• Four-year cyber crime campaign targeting African banks netted $30 million - CyberScoop

• French-speaking crooks stole $30m in bank cyber-heist spree • The Register

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

• New clipboard hijacker replaces crypto wallet addresses with lookalikes (bleepingcomputer.com)

Fraud, Scams & Financial Crime

• Fraudulent Instruction Losses Spike in 2022 - Infosecurity Magazine (infosecurity-magazine.com)

• Former Apple worker pleads guilty to $17m fraud charges • The Register

Insurance

• Mondelez, Zurich settle $100m+ NotPetya insurance lawsuit • The Register

Dark Web

• German cops arrest student in dark-web marketplace bust • The Register

Supply Chain and Third Parties

• NCSC issues fresh guidance following recent rise in supply chain cyber attacks – Intelligent CISO

• Hundreds of US news sites push malware in supply-chain attack (bleepingcomputer.com)

Software Supply Chain

• You can up software supply chain security by implementing these measures - Help Net Security

• W4SP Stealer Stings Python Developers in Supply Chain Attack (darkreading.com)

Denial of Service DoS/DDoS

• FBI: Hacktivist DDoS attacks had minor impact on critical orgs (bleepingcomputer.com)

• CISA, FBI, MS-ISAC Publish Guidelines For Federal Agencies on DDoS Attacks - Infosecurity Magazine (infosecurity-magazine.com)

• DDoS Attacks are Upgrading 70% with The Help of CLDAP (analyticsinsight.net)

Cloud/SaaS

• Why Identity & Access Management Governance is a Core Part of Your SaaS Security (thehackernews.com)

• Top 4 priorities for cloud data protection - Help Net Security

• Zscaler's Cloud-Based Cyber security Outages Showcase Redundancy Problem (darkreading.com)

API

• Why Are Zombie APIs and Shadow APIs So Scary? (darkreading.com)

Open Source

• Last Years Open Source - Tomorrow's Vulnerabilities (thehackernews.com)

Passwords, Credential Stuffing & Brute Force Attacks

• Air New Zealand warns of an ongoing credential stuffing attack - Security Affairs

Social Media

• As Twitter brings on $8 fee, phishing emails target verified accounts (bleepingcomputer.com)

Training, Education and Awareness

• Can You Nudge Employees Toward Better Cyber security? New Research Says Yes (darkreading.com)

Travel

• Data capture by border agencies can and will happen – are your on-the-road employees prepared? | CSO Online

Regulations, Fines and Legislation

• ICO Slashes Government Data Breach Fine - Infosecurity Magazine (infosecurity-magazine.com)

• SolarWinds reaches $26m settlement, expects SEC action • The Register

• How to Prepare for New SEC Cyber security Disclosure Requirements | SecurityWeek.Com

Careers, Working in Cyber and Information Security

• How Microsoft works to grow the next generation of cyber defenders - Microsoft Security Blog

• Economic Uncertainty Isn't Stopping Cyber crime Recruitment — It's Fueling It (darkreading.com)

• How to Narrow the Talent Gap in Cyber security (darkreading.com)

• Is there a problem with stress and burnout in cyber security? - IT Security Guru

• A Third of Security Leaders Considering Quitting Their Current Role - Infosecurity Magazine (infosecurity-magazine.com)

Law Enforcement Action and Take Downs

• German cops arrest student in dark-web marketplace bust • The Register

Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine

• Russia has declared hybrid war on Britain (telegraph.co.uk)

• Will cyber saber-rattling drive us to destruction? - Help Net Security

• British cyber warriors defend Ukraine | News | The Times

• No.10 WhatsApp Use Is Critical Danger To Security (informationsecuritybuzz.com)

• Oreo Giant Mondelez Settles NotPetya 'Act of War' Insurance Suit (darkreading.com)

• Cyber Threat Actor Uses Booby-Trapped VPN App to Deploy Android Spyware (darkreading.com)

• New SandStrike spyware infects Android devices via malicious VPN app (bleepingcomputer.com)

• Russian missile strikes overshadow cyber attacks as Ukraine reels from blackouts | CNN Politics

Nation State Actors

Nation State Actors – Russia

• Liz Truss 's phone was allegedly hacked by Russian spies - Security Affairs

• MPs 'constantly' warned their phones are national security risk (telegraph.co.uk)

• US Treasury thwarted attack by Russian hacker group last month-official | Reuters

• Russia tries to impose switch to Linux from Windows (freethink.com)

• Ukraine war: British spies playing key role in defending Kyiv from Russian cyber attacks | UK News | Sky News

Nation State Actors – China

• China-Backed APT10 Supercharges Spy Game With Custom Fileless Backdoor (darkreading.com)

• Chinese Hackers Using New Stealthy Infection Chain to Deploy LODEINFO Malware (thehackernews.com)

Nation State Actors – Misc

• Microsoft Warns on Zero-Day Spike as Nation-State Groups Shift Tactics (darkreading.com)

Vulnerability Management

• The most frequently reported vulnerability types and severities - Help Net Security

• Last Years Open Source - Tomorrow's Vulnerabilities (thehackernews.com)

• Microsoft Warns on Zero-Day Spike as Nation-State Groups Shift Tactics (darkreading.com)

Vulnerabilities

• The OpenSSL security update story – how can you tell what needs fixing? – Naked Security (sophos.com)

• Critical ConnectWise Vulnerability Affects Thousands of Internet-Exposed Servers | SecurityWeek.Com

• Fortinet fixed 16 vulnerabilities, 6 rated as high severity - Security Affairs

• Cisco Patches High-Severity Bugs in Email, Identity, Web Security Products | SecurityWeek.Com

• You Need to Update Google Chrome, Windows, and Zoom Right Now | WIRED UK

• The Sky Is Not Falling: Disclosed OpenSSL Bugs Are Serious but Not Critical (darkreading.com)

• Splunk Patches 9 High-Severity Vulnerabilities in Enterprise Product | SecurityWeek.Com

• OpenSSL downgrades horror bug after week of speculation • The Register

• Follina Exploit Leads to Domain Compromise (thedfirreport.com)

• Patch Now: Dangerous RCE Bug Lays Open ConnectWise Server Backup Managers (darkreading.com)

Reports Published in the Last Week

• NCSC Annual Review 2022 - NCSC.GOV.UK

• Microsoft Digital Defense Report 2022 | Microsoft Security

• Psychology of Passwords 2022: Proactive Cyber security - LastPass

• APT trends report Q3 2022 | Securelist

• Attack Surface Management 2022 Midyear Review Part 3 (trendmicro.com)

• 2022 Cyber Threat Report Details Growing Trends | TechRepublic

• Volatile Geopolitics Shake the Trends of the 2022 Cyber security Threat Landscape — ENISA (europa.eu)

Other News

• Meet fundamental cyber security needs before aiming for more - Help Net Security

• NCSC Issued 34 Million Cyber Alerts in Past Year - Infosecurity Magazine (infosecurity-magazine.com)

• Multi-factor authentication fatigue can blow open security • The Register

• WiFi security flaw lets a drone track devices through walls | Engadget

• Now That EDR Is Obvious, What Comes Next? (darkreading.com)

• The Art of Calculating the Cost of Risk (darkreading.com)

• Build Security Around Users: A Human-First Approach to Cyber Resilience (darkreading.com)

• The Role of Ethical Hacking in Cyber security (bolton.ac.uk)

• Top 10 Ethical Hacking Trends and Predictions for 2023 (analyticsinsight.net)

• British govt is scanning all Internet devices hosted in UK (bleepingcomputer.com)

• Red Cross Eyes Digital Emblem for Cyber space Protection | SecurityWeek.Com

• CISA releases cyber security performance goals to reduce risk and impact of adversarial threats | CSO Online

• Security hygiene and posture management requires new tools (techtarget.com)

• Most Online Shoppers Would Leave Retailer Following Breach - Infosecurity Magazine (infosecurity-magazine.com)

• Offense Gets the Glory, but Defence Wins the Game | SecurityWeek.Com

• The 7 Core Pillars of a Zero-Trust Architecture (techtarget.com)

Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

·       Automotive

·       Construction

·       Critical National Infrastructure (CNI)

·       Defence & Space

·       Education & Academia

·       Energy & Utilities

·       Estate Agencies

·       Financial Services

·       FinTech

·       Food & Agriculture

·       Gaming & Gambling

·       Government & Public Sector (including Law Enforcement)

·       Health/Medical/Pharma

·       Hotels & Hospitality

·       Insurance

·       Legal

·       Manufacturing

·       Maritime

·       Oil, Gas & Mining

·       OT, ICS, IIoT, SCADA & Cyber-Physical Systems

·       Retail & eCommerce

·       Small and Medium Sized Businesses (SMBs)

·       Startups

·       Telecoms

·       Third Sector & Charities

·       Transport & Aviation

·       Web3

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

• Ransomware Report: Most Organisations Unprepared for an Attack, Lack Incident Playbook, Research Finds

Some organisations have made significant improvements to their ransomware readiness profile in the last year, Axio said in a newly released report. However, a lack of fundamental cyber security practices and controls, inadequate vulnerability patching and employee training continues to leave ransomware defences lacking in potency.

Axio’s report reveals that only 30% of organisations have a ransomware-specific playbook for incident management in place. In 2021’s report Axio, maker of a cloud-based cyber management software platform, identified seven key areas emerged where organisations were deficient in implementing and sustaining basic cyber security practices.

The same patterns showed up in the 2022 report:

• Managing privileged access.

• Improving basic cyber hygiene.

• Reducing exposure to supply chain and third-party risk.

• Monitoring and defending networks.

• Managing ransomware incidents.

• Identifying and addressing vulnerabilities in a timely manner.

• Improving cyber security training and awareness.

Overall, most organisations surveyed are not adequately prepared to manage the risk associated with a ransomware attack. Key data findings include:

• The number of organisations with a functional privileged access management solution in place increased by 10% but remains low at 33% overall.

• Limitations on the use of service and local administrator accounts remain average overall, with nearly 50% of organisations reporting implementing these practices.

• Approximately 40% of organisations monitor third-party network access, evaluate third-party cyber security posture, and limit the use of third-party software.

• Less than 50% of respondents implement basic network segmentation and only 40% monitor for anomalous connections.

• Critical vulnerability patching within 24 hours was reported by only 24% of organisations.

• Active phishing training has improved but is still not practiced by 40% of organisations.

https://www.msspalert.com/cybersecurity-research/most-organizations-unprepared-for-ransomware-attack-lack-incident-playbook-axio-reports/

• LinkedIn Scams, Fake Instagram Accounts Hit Businesses, Execs

Business owners with public social media accounts are easy targets for scammers who lift information to create fake accounts. The arduous process for removing fraudulent accounts leaves victims frustrated and vulnerable to further data privacy issues. Victims say platform providers, particularly Facebook and Instagram, must improve their responses to reports of fraud.

Impersonation of a brand or executive contributed to more than 40% of all phishing and social media incidents in the second quarter, according to the Agari and Phish Labs Quarterly Threat Trends and Intelligence Report released in August. Q2 marks the second quarter that impersonation attacks have represented the majority of threats, despite a 6.1% decrease from Q1.

Executive impersonation has been on the rise over the past four quarters — representing more than 15% of attacks, according to the report — as impersonating a corporate figure or company on social media is simple and effective for threat actors.

Thom Singer, CEO for the Austin Technology Council and a public speaker, was recently impersonated on Instagram. A scammer created a fake Instagram account with his name and photos, creating a handle with an extra "r" at the end of Singer. That account appeared to amass over 2,300 followers – nearly as many as Singer's own account – lending to its appearance of authenticity.

He learned of the fake account from a contact who texted to ask if he'd reached out on Instagram, which wasn't a channel Singer typically uses to communicate. Singer reported the fraudulent account using the platform's report button and asked his followers to do the same.

"You can't reach anyone at these platforms, so it takes days to get a fake account removed," Singer said. "These social media sites have no liability, nothing to lose when fraud is happening. They need to up their game and have a better process to get [fraud] handled in a timely manner."

https://www.techtarget.com/searchsecurity/feature/LinkedIn-scams-fake-Instagram-accounts-hit-businesses-execs

• Study Highlights Surge in Identity Theft and Phishing Attacks

A new study from behavioural risk firm CybSafe and the National Cybersecurity Alliance (NCA) has been launched and it highlights an alarming surge in phishing and identity theft attacks.

The report, titled ‘Oh, Behave! The Annual Cybersecurity Attitudes and Behaviors report’, studied the opinions of 3,000 individuals across the US, the UK and Canada towards cyber security and revealed that nearly half (45%) of users are connected to the internet all the time, however, this has led to a surge in identity theft with almost 1 in 4 people being affected by the attack.

Furthermore, 1 in 3 (36%) respondents revealed they have lost money or data due to a phishing attack. Yet the study also revealed that 70% of respondents feel confident in their ability to identify a malicious email, but only 45% will confirm the authenticity of a suspicious email by reaching out to the apparent sender.

When it comes to implementing cyber security best practices, only 33% of respondents revealed they use a unique password for important online accounts, while only 16% utilise passwords of over 12 characters in length. Furthermore, only 18% of participants have downloaded a stand-alone password manager, while 43% of respondents have not even heard of multi-factor authentication.

https://www.itsecurityguru.org/2022/10/12/study-highlights-surge-in-identity-theft-and-phishing-attacks/

• Increase in Cyber Liability Insurance Claims as Cyber Crime Skyrockets

A cyber insurer, Acuity Insurance, is reporting an increased need for cyber liability insurance across both personal and business policyholders. From June 2021 to June 2022, the insurer saw cyber liability insurance claims on its commercial insurance policies increase by more than 50%. For personal policies, they saw more than a 90% increase in cyber claims being reported in 2021 compared with 2020.

Our lives, homes and businesses are more connected than ever before. Being connected leads to a greater risk of cyber attacks, which aren't covered under standard homeowners or business insurance policies.

The insurance experts caution that everyone is at risk — whether you are a small business owner or an individual — as cyber attacks continue to pose a serious financial threat. From 2019 to 2021, cyber attacks were up 50% from the previous year, according to recent research. Wire fraud and gift card scams are two of the most common types of cyber attacks impacting both businesses and individuals.

Scams involving social engineering are some of the easiest to fall for, as fraudsters exploit a person's trust to obtain money or personal information, which can then be used for unauthorised withdrawals of money. Cyber insurance can protect you from financial loss caused by wire transfer fraud, phishing attacks, cyber extortion, cyberbullying and more, Acuity reported.

While all cyber crimes have a financial impact, fraudulent wire transfers often come with greater losses. Banks are typically not responsible for funds lost as a result of a fraudulent wire transfer inadvertently authorised by the customer. Whether it's a wrongful money transfer by a business or an individual, cyber insurance can help mitigate some of the financial loss caused by these scams.

https://www.darkreading.com/attacks-breaches/acuity-reports-increase-in-cyber-liability-insurance-claims-as-cybercrime-skyrockets

• UK Government Urges Action to Enhance Supply Chain Security

The UK government has warned organisations to take steps to strengthen their supply chain security.

New National Cyber Security Centre (NCSC) guidance has been issued amid a significant increase in supply chain attacks in recent years, such as the SolarWinds incident in 2020. The NCSC cited official government data showing that just over one in 10 businesses review the risks posed by their immediate suppliers (13%), while the proportion covering the wider supply chain is just 7%.

Aimed at medium-to-large organisations, the document sets out practical steps to better assess cyber security across increasingly complex supply chains. This includes a description of typical supplier relationships and ways that organisations are exposed to vulnerabilities and cyber-attacks via the supply chain, and the expected outcomes and key steps needed to assess suppliers’ approaches to security.

The new guidance followed a government response to a call for views last year which highlighted the need for further advice. Supply chain attacks are a major cyber threat facing organisations and incidents can have a profound, long-lasting impact on businesses and customers. With incidents on the rise, it is vital organisations work with their suppliers to identify supply chain risks and ensure appropriate security measures are in place.

https://www.infosecurity-magazine.com/news/uk-government-supply-chain-security/

• For Most Companies Ransomware Is the Scariest Of All Cyber Attacks

SonicWall released the 2022 SonicWall Threat Mindset Survey which found that 66% of customers are more concerned about cyber attacks in 2022, with the main threat being focused on financially motivated attacks like ransomware.

“No one is safe from cyber attacks — businesses or individuals,” said SonicWall Executive Chairman of the Board Bill Conner. “Today’s business landscape requires persistent digital trust to exist. Supply-chain attacks have dramatically changed the attack surface of the typical enterprise in the past few years, with more suppliers and service providers touching sensitive data than ever before.

“It’s likely we’ll see continued acceleration and evolution of ransomware tactics, as well as other advanced persistent threats (APTs), as cyber crime continues to scale the globe seeking both valuable and weak targets.”

Companies are not only losing millions of dollars to unending malware and ransomware strikes, but cyber attacks on essential infrastructure are impacting real-world services. Despite the growing concern of cyber attacks, organisations are struggling to keep pace with the fast-moving threat landscape as they orient their business, networks, data and employees against unwavering cyber attacks.

“The evolving cyber threat landscape has made us train our staff significantly more,” said Stafford Fields, IT Director, Cavett Turner & Wyble. “It’s made us spend more on cyber security. And what scares me is that an end-user can click on something and bring all our systems down — despite being well protected.”

https://www.helpnetsecurity.com/2022/10/12/customers-concerned-ransomware/

• EDR Is Not a Silver Bullet

Old lore held that shooting a werewolf, vampire, or even just your average nasty villain with a silver bullet was a sure-fire takedown: one hit, no more bad guy.

As cyber security professionals, we understand – much like folks in the Old West knew – that there are no panaceas, no actual silver bullets. Yet humans gravitate towards simple solutions to complex challenges, and we are constantly (if unconsciously) seeking silver bullet technology.

Endpoint Detection and Response (EDR) tools have become Standard Operating Procedures for cyber security regimes. They are every CIO’s starting point, and there’s nothing wrong with this. In a recent study by Cymulate of over one million tests conducted by customers in 2021, the most popular testing vector was EDR.

Yet cyber security stakeholders should not assume that EDR is a silver bullet. The fact is that EDR’s efficacy and protective prowess as a standalone solution has been slowly diminished over the decade since the term was first coined by Gartner. Even as it became a mainstay of enterprise and SMB/SME security posture – attacks have skyrocketed in frequency, severity, and success. Today, EDR is facing some of its greatest challenges, including threats laser-targeting EDR systems like the highly-successful Grandoiero banking trojan.

While EDR should not be your only line of defence against advanced threats, including it in a defence solution array is paramount. It should be installed on all organisational servers – including Linux-based ones. Yet installation is not enough. Your organisation is at significant risk if the underlying OS and EDR are not both implemented and fine-tuned.

https://www.helpnetsecurity.com/2022/10/11/edr-is-not-a-silver-bullet/

• Attackers Use Automation to Speed from Exploit to Compromise

A report from Laceworks examines the cloud security threat landscape over the past three months and unveils the new techniques and avenues cyber criminals are exploiting for profit at the expense of businesses. In this latest edition, the Lacework Labs team found a significantly more sophisticated attacker landscape, with an increase in attacks against core networking and virtualisation software, and an unprecedented increase in the speed of attacks following a compromise. Key trends and threats identified include:

• Increased speed from exposure to compromise: Attackers are advancing to keep pace with cloud adoption and response time. Many classes of attacks are now fully automated to capitalise on timing. Additionally, one of the most common targets is credential leakage. In a specific example from the report, a leaked AWS access key was caught and flagged by AWS in record time. Despite the limited exposure, an unknown adversary was able to log in and launch tens of GPU EC2 instances, underscoring just how quickly attackers can take advantage of a single simple mistake.

• Increased focus on infrastructure, specifically attacks against core networking and virtualisation software: Commonly deployed core networking and related infrastructure consistently remains a key target for adversaries. Core flaws in infrastructure often appear suddenly and are shared openly online, creating opportunities for attackers of all kinds to exploit these potential targets.

• Continued Log4j reconnaissance and exploitation: Nearly a year after the initial exploit, the Lacework Labs team is still commonly observing vulnerable software targeted via OAST requests. Analysis of Project Discovery (interact.sh) activity revealed Cloudflare and DigitalOcean as the top originators.

https://www.darkreading.com/cloud/attackers-use-automation-to-speed-from-exploit-to-compromise-according-to-lacework-labs-cloud-threat-report

• Rising Premiums, More Restricted Cyber Insurance Coverage Poses Big Risk for Companies

Among the many consequences of the rising number of costly data breaches, ransomware, and other security attacks are pricier premiums for cyber security insurance. The rise in costs could put many organisations out of the running for this essential coverage, a risky proposition given the current threat landscape.

Cyber insurance is a type of specialty insurance that protects organisations against a variety of risks related to information security attacks such as ransomware and data breaches. Ordinarily, these types of risks aren’t included with traditional commercial general liability policies or are not specifically defined in these insurance plans.

Given the rise in attacks, the growing sophistication of these incidents and the potential financial impact, having cyber insurance coverage has become critical for many organisations. Premiums for these plans have been on the rise because of the increase in security-related losses and rising demand for coverage.

Cyber insurance premiums increased by an average of 28% in the first quarter of 2022 compared with the fourth quarter of 2021, according to the Council of Insurance Agents & Brokers (CIAB), an association for commercial insurance and employee benefits intermediaries.

Among the primary drivers for the continued price increases were a reduced carrier appetite for the risk and high demand for coverage, CIAB said. The high demand for cyber coverage is in part fueled by greater awareness among companies of the threat cyber risk poses for businesses of all sizes, it said.

https://www.cnbc.com/2022/10/11/companies-are-finding-it-harder-to-get-cyber-insurance-.html

• Why CISO Roles Require Business and Technology Savvy

Listening and communicating to both the technical and business sides is critical to successfully leading IT teams and business leaders to the same end-goal.

Of all the crazy postings that advertise for CISO jobs, the one asking for a CISO to code in Python was probably the most outrageous example of the disconnect about a CISO’s role, says Joe Head, CISO search director at UK-based search firm, Intaso. This was a few years ago, and one can only guess that the role had been created by a technologist who didn’t care about or didn’t understand the business — or, inversely by a businessperson who didn’t understand enough about technology.

In either case, the disconnect is real. However, Head and other experts say that when it comes to achieving the true, executive role and reporting to the CEO and board, business skills rule. That doesn’t mean, however, that most CISOs know nothing about technology, because most still start out with technology backgrounds.

In the 2022 CISO survey by executive placement firm, Heidrick & Struggles, most CISOs come from a functional IT background that reflects the issues of the time. For example, in 2022 10% of CISOs came from software engineering backgrounds, which tracks with the White House directive to protect the software supply chain. The report notes that the majority of CISOs have experience in the financial services industry, which has a low risk tolerance and where more money is spent on security.

The survey also indicates that only a small core of CISOs (working primarily for the Fortune 500) rise to the executive level with the combination of business and technical responsibilities that come with the role. In it, more than two-thirds of CISOs responding to the survey worked for companies worth over $5 billion. So, instead of bashing a CISO’s lack of IT skills, the real need lies in developing business skills for the technologists coming up the ranks.

https://www.csoonline.com/article/3675952/why-ciso-roles-require-business-and-technology-savvy.html#tk.rss_news

• Wi-Fi Spy Drones Used to Snoop on Financial Firm

Modified off-the-shelf drones have been found carrying wireless network-intrusion kit in a very unlikely place.

The idea of using consumer-oriented drones for hacking has been explored over the past decade at security conferences like Black Hat 2016, in both the US and in Europe, but now these sort of attacks are actually taking place. A security researcher recently recounted an incident that occurred over the summer at a US East Coast financial firm focused on private investment.

The hacking incident was discovered when the financial firm spotted unusual activity on its internal Atlassian Confluence page that originated from within the company's network. The company's security team responded and found that the user whose MAC address was used to gain partial access to the company Wi-Fi network was also logged in at home several miles away. That is to say, the user was active off-site but someone within Wi-Fi range of the building was trying to wirelessly use that user's MAC address, which is a red flag. The team then took steps to trace the Wi-Fi signal and used a Fluke system to identify the Wi-Fi device.

This led the team to the roof, where two modified commercially available consumer drones series were discovered. One drone was in fine condition and had a modified Wi-Fi Pineapple device, used for network penetration testing. The second drone was carrying a case that contained a Raspberry Pi, several batteries, a GPD mini laptop, a 4G modem, and another Wi-Fi device. It had landed near the building's heating and ventilation system and appeared to be damaged but still operable.

During their investigation, they determined that the first drone had originally been used a few days prior to intercept a worker's credentials and Wi-Fi, and this data was then hard coded into the tools that were deployed on the second drone.

https://www.theregister.com/2022/10/12/drone-roof-attack/

• Magniber Ransomware Attacking Individuals and Home Users

A recent analysis shows that Magniber ransomware has been targeting home users by masquerading as software updates.

Reports have shown a ransomware campaign isolated by HP Wolf Security in September 2022 saw Magniber ransomware spread. The malware is known as a single-client ransomware family that demands $2,500 from victims. Magniber was previously primarily spread through MSI and EXE files, but in September 2022 HP Wolf Security began seeing campaigns distributing the ransomware in JavaScript files.

HP Wolf Security reported that some malware families rely exclusively on JavaScript, but have done so for some time. Currently, analysts are also seeing more HTML smuggling, such as with Qakbot and IcedID. This technique also makes use of JavaScript to decode malicious content. The only difference is that the HTML file is executed in the context of the browser and therefore usually requires further user interaction.

Remarkably, HP Wolf Security said, the attackers used clever techniques to evade detection, such as running the ransomware in memory, bypassing User Account Control (UAC) in Windows, and bypassing detection techniques that monitor user-mode hooks by using syscalls instead of standard Windows API libraries.

It appears that with the UAC bypass, the malware deletes the infected system’s shadow copy files and disables backup and recovery features, preventing the victim from recovering their data using Windows tools.

Having recently described the ransomware campaign in a recent interview, HP Wolf noted that the infection chain starts with a web download from an attacker-controlled website.

https://www.itsecurityguru.org/2022/10/14/https-www-infosecurity-magazine-com-news-magniber-ransomware-adopts/

Threats

Ransomware and Extortion

• More and more ransomware is just data theft, no encryption • The Register

• Why paying the ransom is a mistake - Help Net Security

• Ransomware: Undeniably Top of Mind - MSSP Alert

• Black Basta Ransomware Gang Infiltrates Networks via QAKBOT, Brute Ratel, and Cobalt Strike (trendmicro.com)

• Magniber ransomware now infects Windows users via JavaScript files (bleepingcomputer.com)

• Fake adult sites push data wipers disguised as ransomware (bleepingcomputer.com)

• It was LockBit that forced NHS tech supplier to shut down • The Register

• Ransomware posing as Windows antivirus update will just empty your wallet | TechRadar

• Microsoft: New Prestige ransomware targets orgs in Ukraine, Poland (bleepingcomputer.com)

• BlackByte ransomware uses new EDR evasion technique (techtarget.com)

• Prevent Ransomware Attacks on Critical Infrastructure (trendmicro.com)

• Microsoft Exchange servers hacked to deploy LockBit ransomware (bleepingcomputer.com)

• Harvard Business Publishing licensee hit by ransomware - Security Affairs

• LockBit affiliates compromise Microsoft Exchange servers to deploy ransomware - Security Affairs

• Police tricks DeadBolt ransomware out of 155 decryption keys (bleepingcomputer.com)

Phishing & Email Based Attacks

• Caffeine service lets anyone launch Microsoft 365 phishing attacks (bleepingcomputer.com)

• Kaspersky Warns Of A New Wave Of Malicious Email Campaign, Spreading The (informationsecuritybuzz.com)

• A whole load of phishing emails make it past Microsoft Defender, researchers say | TechRadar

• Google Forms abused in new COVID-19 phishing wave in the U.S. (bleepingcomputer.com)

• US election workers hit with phishing, malware emails • The Register

• Cyber criminals are having it easy with phishing-as-a-service - Help Net Security

Other Social Engineering; Smishing, Vishing, etc

• BazarCall Call Back Phishing Attacks Constantly Evolving Its Social Engineering Tactics (thehackernews.com)

• Hackers Using Vishing to Trick Victims into Installing Android Banking Malware (thehackernews.com)

Malware

• How a Microsoft blunder opened millions of PCs to potent malware attacks | Ars Technica

• Banks face their 'darkest hour' as crimeware powers up • The Register

• Emotet Rises Again With More Sophistication, Evasion (darkreading.com)

• QAKBOT Attacks Spike Amid Concerning Cyber Criminal Collaborations (darkreading.com)

• Hackers behind IcedID malware attacks diversify delivery tactics (bleepingcomputer.com)

• Eternity threat group’s LilithBot: A criminal multitool • The Register

• New Report Uncovers Emotet's Delivery and Evasion Techniques Used in Recent Attacks (thehackernews.com)

• Here's another excellent reason not to browse adult websites at work | TechRadar

• Experts analysed the evolution of the Emotet supply chain - Security Affairs

• Mirai Botnet Targeted Wynncraft Minecraft Server, Cloudflare Reports - Infosecurity Magazine (infosecurity-magazine.com)

• New Report Uncovers Emotet's Delivery and Evasion Techniques Used in Recent Attacks (thehackernews.com)

Mobile

• Modified WhatsApp App Caught Infecting Android Devices with Malware (thehackernews.com)

• Meta uncovers 400 malicious apps on Android and iOS apps   | SC Media (scmagazine.com)

• ‘Zero-Click’ Spyware Emerges as a Menacing Mobile Threat - Bloomberg

• Mullvad: Android may leak information when connected to a VPN - gHacks Tech News

• Android Security Updates Patch Critical Vulnerabilities | SecurityWeek.Com

• Hackers Using Vishing to Trick Victims into Installing Android Banking Malware (thehackernews.com)

• Mystery iPhone update patches against iOS 16 mail crash-attack – Naked Security (sophos.com)

Internet of Things – IoT

• Smart buildings may be your cyber security downfall - Help Net Security

Data Breaches/Leaks

• Client data exfiltrated in Advanced NHS cyber attack (digitalhealth.net)

• Mormon Church data stolen in 'state-sponsored' cyber attack • The Register

• Singtel's Australian IT Firm Dialog Suffers Data Breach - Infosecurity Magazine (infosecurity-magazine.com)

• 2K Customer Data Stolen, Sold Online After Support Desk Scam (kotaku.com)

• Toyota discloses data leak after access key exposed on GitHub (bleepingcomputer.com)

• Fast Company says Executive Board member info was not stolen in attack (bleepingcomputer.com)

• State Bar of Georgia Confirms Data Breach Following Ransomware Attack | SecurityWeek.Com

• Singtel's second unit faces cyber attack weeks after Optus data breach | Reuters

• Zoetop pays $1.9m to settle customer data theft case • The Register

• CommonSpirit Health IT still suffering after cyber attack • The Register

• Over 80,000 DJI drone IDs exposed in data leak: Report (dronedj.com)

• High-Value Targets: String of Aussie Telco Breaches Continues (darkreading.com)

• Data of 380K patients compromised in hack of 13 anesthesia practices | SC Media (scmagazine.com)

• Australian police secret agents exposed in Colombian data leak (bleepingcomputer.com)

• 64,000 Additional Patients Impacted by Omnicell Data Breach - What is Your Data Breach Action Plan? (thehackernews.com)

• Toyota Reveals Data Leak of 300,000 Customers - Infosecurity Magazine (infosecurity-magazine.com)

• Intel Processor UEFI Source Code Leaked (darkreading.com)

Organised Crime & Criminal Actors

• INTERPOL arrests ‘Black Axe’ cyber crime syndicate members (bleepingcomputer.com)

• Caffeine Phishing-as-a-Service toolkit available in the underground - Security Affairs

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

• North Korea's Crypto Hackers Are Paving the Road to Nuclear Armageddon - CNET

• Fake Solana Phantom security updates push crypto-stealing malware (bleepingcomputer.com)

• 'Baby Al Capone' to pay $22m to SIM-swap crypto-heist victim • The Register

Fraud, Scams & Financial Crime

• A New Wave of PayPal Invoice Scams Using Crypto Disguise - Infosecurity Magazine (infosecurity-magazine.com)

• Alternative payment methods are creating new fraud risks - Help Net Security

• Prison inmate charged with $11m fraud via cell phone • The Register

• Mastercard moves to protect ‘risky and frisky’ transactions • The Register

Deepfakes

• DeepFakes Are The Cyber criminal Economy’s Latest Business Line - Security Affairs

AML/CFT/Sanctions

• GCHQ boss: China could use Digital Yuan to swerve sanctions • The Register

Insurance

• Australian insurer takes systems offline over possible hacking | Cybersecurity News | Al Jazeera

Dark Web

• Darkweb market BidenCash gives away 1.2 million credit cards for free (bleepingcomputer.com)

Software Supply Chain

• Novel npm Timing Attack Allows Corporate Targeting (darkreading.com)

Denial of Service DoS/DDoS

• The Nation State Threat — Philip Ingram Discusses DDoS and the Possibilities of Cyber War - IT Security Guru

• US airports' sites taken down in DDoS attacks by pro-Russian hackers (bleepingcomputer.com)

• Russian DDoS attack project pays contributors for more firepower (bleepingcomputer.com)

Cloud/SaaS

• Cloud Data Breaches Are Running Rampant. What Are the Common Characteristics? (darkreading.com)

Encryption

• Microsoft Office 365 uses insecure block ciphers • The Register

• Microsoft Office 365 email encryption could expose message content (bleepingcomputer.com)

Passwords, Credential Stuffing & Brute Force Attacks

• AI and Residual Finger Heat Could Be a Password Cracker's Latest Tools (darkreading.com)

Social Media

• Young people using TikTok is no problem, GCHQ chief says | TikTok | The Guardian

Training, Education and Awareness

• Phishing Simulations Do Not Give Users Enough Context As To Why They Are (informationsecuritybuzz.com)

• How to improve employees' cyber security behaviour - Help Net Security

Parental Controls and Child Safety

• Client-side scanning to detect child abuse material harmful • The Register

Cyber Bullying and Cyber Stalking

• Student jailed for hacking female classmates’ email, Snapchat accounts (bleepingcomputer.com)

Regulations, Fines and Legislation

• India set to extend deadline for verbose infosec reporting • The Register

Backup and Recovery

• Microsoft Teams: A channel for sensitive business information sharing that needs better backup - Help Net Security

Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine

• Vladimir Putin’s hybrid war has begun and the West must be ready | Evening Standard

• The Nation State Threat — Philip Ingram Discusses DDoS and the Possibilities of Cyber War - IT Security Guru

• Internet outages hit Ukraine following Russian missile strikes (bitdefender.com)

• Seven 'Creepy' Backdoors Used by Lebanese Cyberspy Group in Israel Attacks | SecurityWeek.Com

• Researchers Uncover Custom Backdoors and Spying Tools Used by Polonium Hackers (thehackernews.com)

• We must tackle Europe’s winter cyber threats head-on – POLITICO

• Starlink helped restore energy, communications infrastructure in parts of Ukraine - official | Reuters

• Researchers Detail Malicious Tools Used by Cyber Espionage Group Earth Aughisky (thehackernews.com)

• Ukraine Enhances Cooperation With EU Cybersecurity Agencies - Infosecurity Magazine (infosecurity-magazine.com)

• ‘Zero-Click’ Spyware Emerges as a Menacing Mobile Threat - Bloomberg

• SpaceX’s Starlink terminals in Ukraine back online after outages | Financial Times

Nation State Actors

Nation State Actors – Russia

• German Cyber security Chief Accused of Russian Contact Faces Sacking - IT Security Guru

• Russian DDoS attack project pays contributors for more firepower (bleepingcomputer.com)

• Extreme Networks admits sales to banned Russian arms maker • The Register

Nation State Actors – China

• UK Spy Chief to Warn of 'Huge' China Tech Threat | SecurityWeek.Com

• China’s attack motivations, tactics, and how CISOs can mitigate threats | CSO Online

• China will manipulate new tech for global influence, warns GCHQ boss | Metro News

• UK telcos legally required to remove Huawei equipment • The Register

• Chinese-linked hackers targeted U.S. state legislature, researchers say - CyberScoop

• New Chinese Malware Attack Framework Targets Windows, macOS, and Linux Systems (thehackernews.com)

• Feature-Rich 'Alchimist' Cyber attack Framework Targets Windows, Mac, Linux Environments (darkreading.com)

• China's cyber assault on Taiwan - 60 Minutes - CBS News

• UK to designate China a ‘threat’ in hawkish foreign policy shift | Foreign policy | The Guardian

• WIP19, a new Chinese APT targets IT Service Providers and Telcos - Security Affairs

• China-linked Budworm APT returns to target a US entity - Security Affairs

• We must tackle China’s satellite-busting technology, says GCHQ chief | News | The Times

• GCHQ boss: China could use Digital Yuan to swerve sanctions • The Register

• Young people using TikTok is no problem, GCHQ chief says | TikTok | The Guardian

Nation State Actors – North Korea

• North Korea's Crypto Hackers Are Paving the Road to Nuclear Armageddon - CNET

Nation State Actors – Misc

• Mormon Church data stolen in 'state-sponsored' cyber attack • The Register

Vulnerability Management

• Apple's Constant Battles Against Zero-Day Exploits (darkreading.com)

Vulnerabilities

• Concerns Over Fortinet Flaw Mount; PoC Released, Exploit Activity Grows (darkreading.com)

• Microsoft October 2022 Patch Tuesday fixes zero-day used in attacks, 84 flaws (bleepingcomputer.com)

• Microsoft Addresses Zero-Days, but Exchange Server Exploit Chain Remains Unpatched (darkreading.com)

• Auth bypass bug in FortiOS, FortiProxy is exploited in the wild (CVE-2022-40684) - Help Net Security

• Chrome 106 Update Patches Several High-Severity Vulnerabilities | SecurityWeek.Com

• Researchers Detail Windows Zero-Day Vulnerability Patched Last Month (thehackernews.com)

• SAP Patches Critical Vulnerabilities in Commerce, Manufacturing Execution Products | SecurityWeek.Com

• Almost 900 servers hacked using Zimbra zero-day flaw (bleepingcomputer.com)

• Patch Tuesday: Critical Flaws in ColdFusion, Adobe Commerce | SecurityWeek.Com

• Aruba fixes critical RCE and auth bypass flaws in EdgeConnect (bleepingcomputer.com)

• WordPress Vulnerability In Shortcodes Ultimate Impacts 700,000 Sites (searchenginejournal.com)

• Critical Open Source vm2 Sandbox Escape Bug Affects Millions (darkreading.com)

• VMware vCenter Server bug disclosed last year still not patched (bleepingcomputer.com)

Other News

• Board members should make CISOs their strategic partners - Help Net Security

• 5 Attack Elements Every Organisations Should Be Monitoring (darkreading.com)

• Ukraine’s Starlink problems show the dangers of digital dependency | Financial Times (ft.com)

• Here's 5 of the world's riskiest connected devices - Help Net Security

• 2FA is over. Long live 3FA! - Help Net Security

• White House to unveil ambitious cyber security labeling effort modeled after Energy Star - CyberScoop

• Older, Stored Data Is Cyber Security Risk, Report Warns - MSSP Alert

• What the Uber Breach Verdict Means for CISOs in the US (darkreading.com)

• Increasing network visibility is critical to improving security posture - Help Net Security

• What the Uber Hack can teach us about navigating IT Security (bleepingcomputer.com)

• Consumers want more transparency on how companies manage their data - Help Net Security

• Gaming Is Booming. That’s Catnip for Cyber criminals. - The New York Times (nytimes.com)

• 91% of Cyber Pros Experience Mental Health Challenges at Work - Infosecurity Magazine (infosecurity-magazine.com)

• Fear of cyber criminals drives cyber security improvements - Help Net Security

• The next Ford Mustang won’t be easy to tune; blame cyber security | Ars Technica

Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

·       Automotive

·       Construction

·       Critical National Infrastructure (CNI)

·       Defence & Space

·       Education & Academia

·       Energy & Utilities

·       Estate Agencies

·       Financial Services

·       FinTech

·       Food & Agriculture

·       Gaming & Gambling

·       Government & Public Sector (including Law Enforcement)

·       Health/Medical/Pharma

·       Hotels & Hospitality

·       Insurance

·       Legal

·       Manufacturing

·       Maritime

·       Oil, Gas & Mining

·       OT, ICS, IIoT, SCADA & Cyber-Physical Systems

·       Retail & eCommerce

·       Small and Medium Sized Businesses (SMBs)

·       Startups

·       Telecoms

·       Third Sector & Charities

·       Transport & Aviation

·       Web3

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

Businesses Suffered 50% More Cyber Attack Attempts per Week in 2021

Cyberattack attempts reached an all-time high in the fourth quarter of 2021, jumping to 925 a week per organisation, partly due to attempts stemming from the Log4j vulnerability, according to new data.

Check Point Research on Monday reported that it found 50% more attack attempts per week on corporate networks globally in calendar year 2021 compared with 2020.

The researchers define a cyberattack attempt as a single isolated cyber occurrence that could be at any point in the attack chain — scanning/exploiting vulnerabilities, sending phishing emails, malicious website access, malicious file downloads (from Web/email), second-stage downloads, and command-and-control communications.

https://www.darkreading.com/attacks-breaches/corporate-networks-saw-50-more-attacks-per-week-in-2021-

Cyber Attacks Against MSPs Jump 67%

Cyber attacks spiked by 50 percent in 2021 as compared to 2020, aided by millions of attacks in December by hackers attempting to exploit the Log4J vulnerability, according to a Check Point Software Technologies research report.

In terming 2021 a “record breaking year,” the security provider pointed to a worldwide peak of 925 cyber attacks per organisation weekly and an October 2021 measure that showed a 40 percent increase in cyberattacks, with one out of every 61 entities hit by ransomware each week. The number of cyberattacks on managed service providers (MSPs) and internet service providers (ISPs) rose by nearly 70 percent year over year.

https://www.msspalert.com/cybersecurity-news/cyberattacks-vs-msps-skyrocket/

SMEs Still An Easy Target For Cyber Criminals

Cyber crime continues to be a major concern, with 51% of SMEs experiencing a cyber security breach, a Markel Direct survey reveals.

In this survey that polled 1000 respondents, Markel Direct explored the issue of cybercrime and its impact on the self-employed and SMEs. The survey found the most common cybersecurity attacks were malware/virus related (24%) followed by a data breach (16%) and phishing attack (15%), with 68% reporting the cost of their breach was up to £5,000.

This comes after the latest Quarterly Fraud and Cyber Crime Report revealed that Britons lost over £1 billion in the first six months of 2021, due to the considerable increase in fraudulent activity.

https://www.helpnetsecurity.com/2022/01/12/smes-cybersecurity-breach/

World Economic Forum: Cyber Security Failures an Increasing Global Threat

Cybersecurity was once again identified as a major short and medium-term threat to the world in this year’s World Economic Forum’s (WEF’s) The Global Risk Report. The analysis was based on insights from nearly 1000 global experts and leaders who responded to the WEF’s Global Risks Perception Survey (GRPS).

Perhaps unsurprisingly, environmental issues like climate action failure and extreme weather ranked highest on the risks facing the world over the short (0-2 years), medium (2-5 years) and long-term (5-10 years). In addition, a number of challenges exacerbated by the pandemic, such as livelihood crises, infectious diseases and mental health deterioration, also scored highly. Overall, this added up to a pessimistic assessment, with 84.2% of respondents stating they were either “worried” or “concerned” about the global outlook.

Digital challenges, such as “cyber security failures,” were also viewed as a significant and growing problem to the world. Nearly one in five (19.5%) respondents believe cybersecurity failures will be a critical threat to the world in just the next 0-2 years, and 14.6% said it would be in 2-5 years

https://www.infosecurity-magazine.com/news/world-economic-forum-cybersecurity/

Microsoft Faces Wormable, Critical RCE Bug & 6 Zero-Days

Microsoft started 2022 with a large January Patch Tuesday update covering nine critical CVEs, including a self-propagator with a 9.8 CVSS score.

Microsoft has addressed a total of 97 security vulnerabilities in its January 2022 Patch Tuesday update – nine of them rated critical – including six that are listed as publicly known zero-days.

The fixes cover a swath of the computing giant’s portfolio, including: Microsoft Windows and Windows Components, Microsoft Edge (Chromium-based), Exchange Server, Microsoft Office and Office Components, SharePoint Server, .NET Framework, Microsoft Dynamics, Open-Source Software, Windows Hyper-V, Windows Defender, and Windows Remote Desktop Protocol (RDP).

https://threatpost.com/microsoft-wormable-critical-rce-bug-zero-day/177564/

Russia Arrests REvil Ransomware Gang Responsible for High-Profile Cyber Attacks

In an unprecedented move, Russia's Federal Security Service (FSB), the country's principal security agency, on Friday disclosed that it arrested several members belonging to the notorious REvil ransomware gang and neutralized its operations.

The surprise takedown, which it said was carried out at the request of the US authorities, saw the law enforcement agency conduct raids at 25 addresses in the cities of Moscow, St. Petersburg, Moscow, Leningrad and Lipetsk regions that belonged to 14 suspected members of the organised cyber crime syndicate.

"In order to implement the criminal plan, these persons developed malicious software, organised the theft of funds from the bank accounts of foreign citizens and their cashing, including through the purchase of expensive goods on the Internet," the FSB said in a statement.

In addition, the FSB seized over 426 million rubles, including in cryptocurrency, $600,000, €500,000, as well as computer equipment, crypto wallets used to commit crimes, and 20 luxury cars that were purchased with money obtained by illicit means.

https://thehackernews.com/2022/01/russia-arrests-revil-ransomware-gang.html

North Korea Hackers Stole $400m Of Cryptocurrency In 2021, Report Says

North Korean hackers stole almost $400m (£291m) worth of digital assets in at least seven attacks on cryptocurrency platforms last year, a report claims.

Blockchain analysis company Chainalysis said it was one of most successful years on record for cyber-criminals in the closed east Asian state.

The attacks mainly targeted investment firms and centralised exchanges.

North Korea has routinely denied being involved in hack attacks attributed to them.

"From 2020 to 2021, the number of North Korean-linked hacks jumped from four to seven, and the value extracted from these hacks grew by 40%," Chainalysis said in a report.

https://www.bbc.co.uk/news/business-59990477

No Lights, No Heat, No Money - That's Life In Ukraine During Cyber Warfare

Hackers who defaced and interrupted access to numerous Ukrainian government websites on Friday could be setting the stage for more serious cyberattacks that would disrupt the lives of ordinary Ukrainians, experts said.

"As tensions grow, we can expect more aggressive cyber activity in Ukraine and potentially elsewhere," said John Hultquist, an intelligence analyst at US cyber security company Mandiant, possibly including "destructive attacks that target critical infrastructure."

"Organisations need to begin preparing," Hultquist added.

Intrusions by hackers on hospitals, power utility companies, and the financial system were until recently rare. But organised cyber criminals, many of them living in Russia, have gone after institutions aggressively in the past two years with ransomware, freezing data and computerized equipment needed to care for hospital patients.

In some cases, those extortion attacks have led to patient deaths, according to litigation, media reports and medical professionals.

https://www.reuters.com/world/europe/no-lights-no-heat-no-money-thats-life-ukraine-during-cyber-warfare-2022-01-14/

Ukrainian Police Arrest Five Members Of Ransomware Affiliate

Ukrainian police announced the arrest of five members of a ransomware affiliate on Thursday, noting that the group was behind attacks on more than 50 companies across Europe and the US.

In a statement, both the Ukrainian Security Service and Ukrainian Cyber Police said the group made at least $1 million through their attacks on the companies.

US and UK law enforcement officials worked with Ukrainian officials on the operation.

Officials said the leader of the group was a 36-year-old who worked with his wife and three other people out of Kyiv. The five are facing a variety of charges in Ukraine related to money laundering, hacking, and selling malware.

One of the people charged is wanted by law enforcement agencies in UK after "using a virus to obtain bank card details of the customers of British banks," according to the police statement.

The bank card details were used to buy things online that were then resold.

https://www.zdnet.com/article/ukrainian-police-arrest-members-of-ransomware-affiliate/

Fingers Point To Lazarus, Cobalt, Fin7 As Key Hacking Groups Attacking Finance Industry

The Lazarus, Cobalt, and FIN7 hacking groups have been labeled as the most prevalent threat actors striking financial organisations today.

According to "Follow the Money," a new report (.PDF) published on the financial sector by Outpost24's Blueliv on Thursday, members of these groups are the major culprits of theft and fraud in the industry today.

The financial sector has always been, and possibly always will be, a key target for cybercriminal groups. Organisations in this area are often custodians of sensitive personally identifiable information (PII) belonging to customers and clients, financial accounts, and cash.

They also often underpin the economy: if a payment processor or bank's systems go down due to malware, this can cause irreparable harm not only to the victim company in question, but this can also have severe financial and operational consequences for customers.

https://www.zdnet.com/article/fingers-point-to-lazarus-cobalt-fin7-as-key-hacking-groups-focused-on-finance-industry/

Ransomware, Supply Chain, And Deepfakes: The Top Threats The Finance Industry Needs To Prepare For

The finance industry is constantly targeted by numerous threat actors, and they are always innovating and trying new techniques (such as deepfakes) to outsmart security teams and breach an organisation’s network.

In addition to that, there is currently a huge demand for data and new tools on the dark web. In fact, users are selling access to point-of-sale (PoS) terminals and login details to the websites of financial services organisations all the time.

How can financial organisations protect themselves from existing threats and combat new ones at the same time?

https://www.helpnetsecurity.com/2022/01/12/finance-industry-threats/

Threats

Ransomware

• Night Sky Ransomware Is Attacking Corporate Networks For 800k Ransom - The Cybersecurity Times

• One Of The REvil Members Arrested Was Behind Colonial Pipeline Attack - Security Affairs

• Ransomware Is Being Rewritten In Go For Joint Attacks On Windows, Linux Users | IT PRO

• Inside a Ransomware Hit at Nordic Choice Hotels - WSJ

• Watch Out, That Microsoft Edge Update Is Actually Ransomware | TechRadar

• Qlocker Ransomware Returns To Target QNAP NAS Devices Worldwide (bleepingcomputer.com)

• Trends That Shaped Ransomware – And Why It’s Not Slowing Down - CyberScoop

Phishing

• Check Your SPF Records: Wide IP Ranges Undo Email Security And Make For Tasty Phishes | ZDNet

• Phishers Are Targeting Office 365 Users By Exploiting Adobe Cloud - Help Net Security

• Hackers Exploiting Microsoft Exchange Server Vulnerabilities in Enterprise Phishing Campaigns - MSSP Alert

• Real Big Phish: Mobile Phishing & Managing User Fallibility | Threatpost

Malware

• Microsoft Defender Weakness Lets Hackers Bypass Malware Detection (bleepingcomputer.com)

• New RedLine Malware Version Spread As Fake Omicron Stat Counter (bleepingcomputer.com)

• ‘Fully Undetected’ SysJoker Backdoor Malware Targets Windows, Linux & macOS | Threatpost

• FluBot Malware Continues To Evolve. What's New In Ver 5.0 And Beyond? Security Affairs

• Oops: Cyberspies Infect Themselves With Their Own Malware (bleepingcomputer.com)

Mobile

• Android Users Can Now Disable 2G to Block Stingray Attacks (bleepingcomputer.com)

• EFF Praises Android’s New 2G Kill Switch, Wants Apple To Follow Suit | Ars Technica

• How To Protect Yourself Against Sim-Swapping Scams With Mobile Phone Fraud On The Rise (inews.co.uk)

IoT

• How a Hacker Controlled Dozens of Teslas Using a Flaw in Third-Party App (vice.com)

• Better Smart Home Security In 5 Easy Steps - CNET

Organised Crime & Criminal Actors

• Cyber Attacks On Corporations Hit Record Breaking Highs - IT Security Guru

Cryptocurrency/Cryptomining/Cryptojacking

• Abcbot Botnet Is Linked To Xanthe Cryptojacking Group | ZDNet

• North Korean Hackers Impersonate Major Crypto Investment Firm to Scam Startups (vice.com)

Insider Risk and Insider Threats

• Insider Threat Does Not Have To Be Malicious, So How Do You Protect Your Organisation? - Help Net Security

• Data Security In The Age Of Insider Threats: A Primer - Help Net Security

• Former DHS Official Charged With Stealing Govt Employees' PII (bleepingcomputer.com)

• Forensics Expert Kept Murder Snaps on PC - Infosecurity Magazine

Fraud, Scams & Financial Crime

• £92m Lost To Romance Scammers In 2021 - IT Security Guru

• ‘It Felt Like Losing A Husband’: The Fraudsters Breaking Hearts – And Emptying Bank Accounts | Relationships | The Guardian

DoS/DDoS

• Extortion DDoS Attacks Grow Stronger And More Common (Bleepingcomputer.Com)

• DDoS Attacks That Come Combined With Extortion Demands Are On The Rise | ZDNet

CNI, OT, ICS, IIoT and SCADA

• Manufacturers Are Starting To Realize The Importance Of OT Security - Help Net Security

• FBI, NSA and CISA Warns of Russian Hackers Targeting Critical Infrastructure (thehackernews.com)

• Critical Infrastructure Falls Short on Ransomware Readiness, Mitigation, Recovery - MSSP Alert

Nation State Actors

• Ukraine Hacks Add to Worries of Cyber Conflict With Russia | SecurityWeek.Com

• Destructive Malware Targeting Ukrainian Organisations - Microsoft Security Blog

• US Olympic Athletes Urged to Leave Phones Behind (gizmodo.com)

• Suspected Chinese Hackers Use Log4j Flaw To Deploy Night Sky Ransomware, Microsoft Warns - CyberScoop

• Russian Submarines Threatening Undersea Cables, UK Defence Chief Warns - Security Affairs

• Iranian Hackers Exploit Log4j Vulnerability to Deploy PowerShell Backdoor (thehackernews.com)

• US Cyber Command Links 'MuddyWater' Hacking Group to Iranian Intelligence (thehackernews.com)

Cloud

• The Rising Threat Of Cyber Criminals Targeting Cloud Infrastructure In 2022 - Help Net Security

• 5 Top Hybrid Cloud Security Challenges | CSO Online

Passwords & Credential Stuffing

• 4 Ways Cyber Criminals Hide Credential Stuffing Attacks | CSO Online

Parental Controls and Child Safety

• UK Hacker Jailed for Spying on Children and Downloading Indecent Images (thehackernews.com)

Vulnerabilities

• CISA Adds 15 Exploited Vulnerabilities From Google, IBM, Microsoft, Oracle And More To Catalog | ZDNet

• Threat Actors Can Bypass Malware Detection Due To Microsoft Defender Weakness - Security Affairs

• noPac Exploit: Microsoft AD Flaw May Lead to Total Domain Compromise | CrowdStrike

• Adobe Fixes 4 Critical Reader Bugs That Were Demonstrated At Tianfu Cup - Security Affairs

• WordPress 5.8.3 Security Update Fixes SQL Injection, XSS Flaws (bleepingcomputer.com)

• WordPress Bugs Exploded in 2021, Most Exploitable | Threatpost

• Sonicwall SMA 100 VPN Box Security Hole Exploit Info Shared • The Register

• Cisco Patches Critical Vulnerability in Contact Center Products | SecurityWeek.Com

• Millions of Routers Exposed to RCE by USB Kernel Bug | Threatpost

• MacOS Bug Could Let Creeps Snoop On You | Threatpost

• Mozilla Patches High-Risk Firefox, Thunderbird Security Flaws | SecurityWeek.Com

Sector Specific

Financial Services Sector

• When It Comes To Banking Security, There's No Silver Bullet - Help Net Security

SMBs – Small and Medium Businesses

• Over Half of SMEs Have Experienced a Cyber Security Breach - Infosecurity Magazine

Reports Published in the Last Week

• Finance Whitepaper. Digital risk management for FSIs. (blueliv.com)

Other News

• Hackers Penetrate 93% of Local Company Networks, Cyber Simulation Finds - MSSP Alert

• URL Parsing: A Ticking Time Bomb Of Security Exploits - TechRepublic

• Europol Told to Delete Vast Trove of Personal Information - Infosecurity Magazine

• The Race Towards Renewable Energy Is Creating New Cyber Security Risks | ZDNet

• What Is Clipboard Hijacking? How to Avoid Becoming a Victim (makeuseof.com)

• White House Reminds Tech Giants Open Source Is A National Security Issue (bleepingcomputer.com)

• Want To Improve Corporate Security? Prioritize Personal Security | ZDNet

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

Cyber Insurers Recoil As Ransomware Attacks ‘Skyrocket’

The Great Fire of London helped forge the property insurance market, as residents feared a repeat of the savage destruction of 1666. In the absence of a state-backed fire service, some insurers even employed their own brigades, betting that limiting the damage to a property would be cheaper than rebuilding it. After a wave of high-profile cyber assaults, Graeme Newman, chief innovation officer at London-based insurance provider CFC, draws a parallel with today’s rapidly evolving market for cyber coverage. Insurance companies now provide emergency support services as well as financial compensation, so “the insurers own the digital fire trucks”, he said.

https://www.ft.com/content/4f91c4e7-973b-4c1a-91c2-7742c3aa9922

US Puts Cyber Crime On Par With Terror After Ransomware Attacks

The US government is raising the fight against cyber criminals to the same level as the battle against terrorists after a surge of ransomware attacks on large corporations. Internal guidance circulated by the Department of Justice instructs prosecutors to pool their information about hackers. The idea, said John Carlin, of the attorney-general’s office, is to “make the connections between actors and work your way up to disrupt the whole chain”.

https://www.thetimes.co.uk/article/us-cybercrime-terror-ransomware-attacks-joe-biden-pzrqbkfwt

Russia Under Fire As Cyber Attack Leaves 7,000 Out Of Work

An attack this week on JBS meatworks in North America and Australia brought the firm to a standstill, and now threatens to turn into a diplomatic row with Russia. JBS are reported to supply 20% of the world meat market and the ransomware attack has left 7,000 workers unable to do their jobs.

https://www.afr.com/politics/russia-under-fire-as-ransomware-attack-leaves-7000-out-of-work-20210602-p57xha

Irish Health Service Confirms Data Of Nearly 520 Patients Is Online After Cyber Attack

The Health Service Executive (HSE) has confirmed the data of nearly 520 patients is online after media reports of their publication. In a statement, the HSE said the data contains correspondence with patients, minutes of meetings and includes sensitive patient data. The HSE also confirmed corporate documents are among the HSE data illegally accessed.  Confirmation of the authenticity of this data follows an analysis carried out by the agency and comments from the Minister for Communications, Eamon Ryan, that reports of patient data being shared online are "very credible".

https://www.irishexaminer.com/news/arid-40301054.html

Enterprise Networks Vulnerable To 20-Year-Old Exploits

While the industry focuses on exotic attacks – like the SolarWinds incident — the real risk to enterprises comes from older exploits, some as much as 20-years old. “While organisations always need to keep up with the latest security patches, it is also vital to ensure older system and well-known vulnerabilities from years past are monitored and patched as well,” says Etay Maor, senior director of security strategy at Cato Networks. “Threat actors are attempting to take advantage of overlooked, vulnerable systems.” Our research showed that attackers often scanned for end-of-life and unsupported systems. Common Vulnerability and Exposures (CVE) identified were exploits targeting software, namely vSphere, Oracle WebLogic, and Big-IP, as well as routers with remote administration vulnerabilities.

https://www.helpnetsecurity.com/2021/05/27/enterprise-networks-vulnerable/

US Authorities Seize Two Domains Used By SolarWinds Intruders For Malware Spear-Phishing Operation

Uncle Sam on Tuesday said it had seized two web domains used to foist malware on victims using spoofed emails from the US Agency for International Development (USAID). The domain takeovers, which occurred on Friday, followed a court order issued in the wake of a Microsoft report warning about the spear-phishing campaign. The phishing effort relied on malware-laden messages sent via marketing service Constant Contact. "Cyber intrusions and spear-phishing email attacks can cause widespread damage throughout affected computer networks, and can result in significant harm to individual victims, government agencies, NGOs, and private businesses,” said Acting US Attorney Raj Parekh for the Eastern District of Virginia, in a statement. "As demonstrated by the court-authorized seizure of these malicious domains, we are committed to using all available tools to protect the public and our government from these worldwide hacking threats."

https://www.theregister.com/2021/06/02/feds_seize_nobelium/

Hacker Group DarkSide Operates In A Similar Way To A Franchise

DarkSide, the hacker group behind the recent Colonial Pipeline ransomware attack, has a business model that’s more familiar than people think, according to New York Times correspondent Andrew Kramer, “It operates something like a franchise, where individual hackers can come and receive the ransomware software and use it, as well as, use DarkSide’s reputation, as it were, to extract money from their targets, mostly in the United States,” Kramer said in an interview that aired Wednesday night.

https://www.cnbc.com/2021/06/02/hacker-group-darksides-operates-in-a-similar-way-to-a-franchise-new-york-times-reporter-says.html?__source=sharebar|twitter&par=sharebar

Interpol Intercepts $83 Million Fighting Financial Cyber Crime

The Interpol (short for International Criminal Police Organisation) has intercepted $83 million belonging to victims of online financial crime from being transferred to the accounts of their attackers. Over 40 law enforcement officers specialized in fighting cyber crime across the Asia Pacific region took part in the Interpol-coordinated Operation HAECHI-I spanning more than six months. Between September 2020 and March 2021, law enforcement focused on battling five types of online financial crimes: investment fraud, romance scams, money laundering associated with illegal online gambling, online sextortion, and voice phishing.

https://www.bleepingcomputer.com/news/security/interpol-intercepts-83-million-fighting-financial-cyber-crime/

Is It Really The Wild West In Cyber Crime? Why We Need To Re-Examine Our Approach To Ransomware

Once again, cyber security has become a headline topic within and well outside technology circles, along with the little-known operator of a significant fuel pipeline: Colonial Pipeline. A ransomware attack, and ensuing panic buying of gasoline, resulted in widespread fuel shortages on the east coast, thrusting the issue of cyber security into the lives of everyday Americans. Colonial Pipeline CEO Joseph Blount later acknowledged that his company ultimately paid the cybercriminals $4.4 million to unlock company systems, generating a great deal of controversy around the simple question (and associated complex potential answers), of whether companies should pay when their systems are held hostage by ransomware.

https://www.techrepublic.com/article/is-it-really-the-wild-west-in-cybercrime-why-we-need-to-re-examine-our-approach-to-ransomware/

Threats

Ransomware

• Anti-Ransomware Biz Exagrid ‘Paid $2.6M Ransomware Demand’

• White House Contacts Russia After Hack Of World’s Largest Meatpacking Company

• This New Ransomware Is Targeting Unpatched Microsoft Exchange Servers

• Fujifilm Becomes Latest Ransomware Victim As White House Urges Business Leaders To Take Action

• Cyber Crime Forum Advertises Alleged Database, Source Code From Russian Firm That Helped Parler

• On The Taxonomy And Evolution Of Ransomware

Phishing

• Phishing Emails Remain in User Inboxes Over 3 Days ... (darkreading.com)

Other Social Engineering

• The Bizarro Streaming Site That Hackers Built From Scratch

Malware

• Malware Can Use This Trick To Bypass Ransomware Defense In Antivirus Solutions

• Exchange Servers Targeted By ‘Epsilon Red’ Malware

Mobile

IOT

• Amazon Sidewalk Poised To Sweep You Into Its Mesh

 Vulnerabilities

• XSS Vulnerability Found In Popular WYSIWYG Website Editor

• Huawei USB LTE Dongles Are Vulnerable To Privilege Escalation Attacks

• Hackers Actively Exploiting 0-Day In WordPress Plugin Installed On Over 17,000 Sites

• EPUB Vulnerabilities: Electronic Reading Systems Riddled With Browser-Like Flaws

• SonicWall Urges Customers To 'Immediately' Patch NSM On-Prem Bug

Data Breaches

• GDPR: EU Privacy Watchdog Probing The Use Of AWS And Azure Cloud Services

Supply Chain

• What Is A Supply Chain Attack?

• Microsoft Office 365 A Major Supply Chain Attack Vector

Nation State Actors

• Chinese Cyber Criminals Spent Three Years Creating A New Backdoor To Spy On Governments

• Kimsuky APT Continues To Target South Korean Government Using Appleseed Backdoor

• Russian Hacker Pavel Sitnikov Arrested For Sharing Malware Source Code

Privacy

• You Have A Week To Opt-Out Of Amazon Sidewalk, Do It Now

Other News

• “Have I Been Pwned” Breach Site Partners With… The FBI!

• 17 Cyber Insurance Application Questions You'll Need To Answer

• Cyber Criminals Go Corporate As Hacking Becomes A Business

• The Human Cost Of Understaffed SOCs

• Security Ops Teams Struggle To Switch Off At Home

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities and cyber related news from the last week.

Top Cyber Headlines of the Week

The great hack attack: SolarWinds breach exposes big gaps in cyber security

Until this week, SolarWinds was a little known IT software group from Texas. Its deserted lobby has a framed magazine article from a few years ago when it was on a list of America’s “Best Small Companies”.

Now the Austin-based company is at the heart of one of the biggest and most startling cyber hacks in recent history, with ramifications that extend into the fields of geopolitics, espionage and national security.

For nine months, sophisticated state-backed hackers have exploited a ubiquitous SolarWinds software product in order to spy on government and business networks around the world, including in the US, UK, Israel and Canada. Wielding innovative tools and tradecraft, the cyber spies lurked in email services, and posed as legitimate staffers to tap confidential information stored in the cloud.

The bombshell revelations have sent 18,000 exposed SolarWinds customers scrambling to assess whether outsiders did indeed enter their systems, what the damage was and how to fix it.

https://www.ft.com/content/c13dbb51-907b-4db7-8347-30921ef931c2

A wake-up for the world on cyber security

Imagine intruders break into your home and loiter undetected for months, spying on you and deciding which contents to steal. This in essence is the kind of access that hackers, assumed to be Russian, achieved in recent months at US government institutions including the Treasury and departments of commerce and homeland security, and potentially many US companies. If the fear in the Cold War was of occasional “moles” gaining access to secrets, this is akin to a small army of moles burrowing through computer systems. The impact is still being assessed, but it marks one of the biggest security breaches of the digital era.

https://www.ft.com/content/d3fc0b14-4a82-4671-b023-078516ea714e

US government, thousands of businesses now thought to have been affected by SolarWinds security attack

Thousands of businesses and several branches of the US government are now thought to have been affected by the attack on software firm SolarWinds.

The Austin-based company has fallen victim to a massive supply chain attack believed to be the work of state-sponsored hackers.

Along with the US treasury and commerce departments, the Department of Homeland Security is now thought to have been affected by the attack. In a statement to the SEC today, SolarWinds said it had notified 33,000 customers of its recent hack, but that only 18,000 of these used the affected version of its Orion platform.

https://www.techradar.com/uk/news/solarwinds-suffers-massive-supply-chain-attack

White House activates cyber emergency response under Obama-era directive

In the wake of the SolarWinds breach, the National Security Council has activated an emergency cyber security process that is intended to help the government plan its response and recovery efforts, according to White House officials and other sources.

The move is a sign of just how seriously the Trump administration is taking the foreign espionage operation, former NSC officials told CyberScoop.

The action is rooted in a presidential directive issued during the Obama administration known as PPD-41, which establishes a Cyber Unified Coordination Group (UCG) that is intended to help the U.S. government coordinate multiple agencies’ responses to the significant hacking incident.

The UCG is generally led by the Department of Justice — through the FBI and the National Cyber Investigative Joint Task Force — as well as the Office of the Director of National Intelligence and the Department of Homeland Security.

https://www.cyberscoop.com/solarwinds-white-house-national-security-council-emergency-meetings/

Hackers targeted US nuclear weapons agency in massive cyber security breach, reports say

The National Nuclear Security Administration and Energy Department, which safeguard the US stockpile of nuclear weapons, have had their networks hacked as part of the widespread cyber espionage attack on a number of federal agencies.

Politico reports that officials have begun coordinating notifications about the security breach to the relevant congressional oversight bodies.

Suspicious activity was identified in the networks of the Federal Energy Regulatory Commission (FERC), Los Alamos and Sandia national laboratories in New Mexico and Washington, the Office of Secure Transportation, and the Richland Field Office of the Department of Energy.

Officials with direct knowledge of the matter said hackers have been able to do more damage to the network at FERC, according to the report.

https://www.independent.co.uk/news/world/americas/us-politics/hackers-nuclear-weapons-cybersecurity-b1775864.html

Microsoft warns UK companies were targeted by SolarWinds hackers

Microsoft has warned that some of its UK customers have been exposed to the malware used in the Russia-linked SolarWinds hack that targeted US states and government agencies.

More than 40 of the tech giant's customers are thought to have used breached SolarWinds software, including clients in Britain, the US, Canada, Mexico, Belgium, Spain, Israel, and the UAE.

The company would not name the victims, but said they include government agencies, think tanks, non-governmental organisations and IT firms. Microsoft said four in five were in the US, with nearly half of them tech companies.

“This is not ‘espionage as usual,’ even in the digital age,” said Brad Smith, Microsoft's president. “Instead, it represents an act of recklessness that created a serious technological vulnerability for the United States and the world.”

The attackers, believed to be working for the Russian government, got into computer networks by installing a vulnerability in Orion software from SolarWinds.

https://www.telegraph.co.uk/technology/2020/12/18/microsoft-warns-uk-companies-targeted-solarwinds-hackers/

Society at Increasingly High Risk of Cyber Attacks

Cyber attacks are becoming easier to conduct while conversely security is getting increasingly difficult, according to Kevin Curran, senior IEEE member and professor of cyber security, Ulster University, during a virtual media roundtable.

“Any company you can think of has had a data breach,” he commented. “Whenever a data breach happens it weakens our credentials because our passwords are often reused on different websites.”

He observed that the art of hacking doesn’t necessarily require a significant amount of technical expertise anymore, and bad actors can receive substantial help from numerous and readily accessible tools online. “You don’t have to spend seven years in college to learn how to hack, you just have to know about these sites and what terms to use,” noted Curran.

A number of legitimate online mechanisms that can help damaging attacks to be launched by hackers were highlighted by Curran in his presentation. These include Google Dorks, which are “search strings which point to website vulnerabilities.” This means vulnerable accounts can be identified simply via Google searches.

https://www.infosecurity-magazine.com/news/society-increasingly-risk-cyber/

Three million users installed 28 malicious Chrome or Edge extensions

More than three million internet users are believed to have installed 15 Chrome, and 13 Edge extensions that contain malicious code, security firm Avast said today.

The 28 extensions contained code that could perform several malicious operations, including:

-redirect user traffic to ads

-redirect user traffic to phishing sites

-collect personal data, such as birth dates, email addresses, and active devices

-collect browsing history

-download further malware onto a user's device

But despite the presence of code to power all the above malicious features, Avast researchers said they believe the primary objective of this campaign was to hijack user traffic for monetary gains.

https://www.zdnet.com/article/three-million-users-installed-28-malicious-chrome-or-edge-extensions/

Vaccines for sale on dark web as criminals target pandemic profits

Black market vendors were offering coronavirus vaccines for sale on hidden parts of the internet days after the first Covid-19 shot was approved this month, as criminals seek to profit from global demand for inoculations.

One such offer on the so-called dark web, traced by cyber security company Check Point Software, was priced at $250 with the seller promising “stealth” delivery in double-wrapped packaging. Shipping from the US via post or a leading courier company would cost $20, with an extra $5 securing overnight delivery.

https://www.ft.com/content/8bfc674e-efe6-4ee0-b860-7fcb5716bed6

Threats

Ransomware

• FBI says DoppelPaymer ransomware gang is harassing victims who refuse to pay

• House purchases in Hackney fall through following cyber attack against council

• Ransomware masterminds claim to have nabbed 53GB of data from Intel's Habana LabsRansomware masterminds claim to have nabbed 53GB of data from Intel's Habana Labs

• Mount Locker Ransomware Offering Double Extortion Scheme to Other Hackers

• PLEASE_READ_ME Ransomware Attacks 85K MySQL Servers

• Ransomware operators use SystemBC RAT as off-the-shelf Tor backdoor

Phishing

• Subway Sandwich Loyalty-Card Users Suffer Ham-Handed Phishing Scam

• Microsoft Office 365 Credentials Under Attack By Fax ‘Alert’ Emails

IoT

• Millions of Unpatched IoT, OT Devices Threaten Critical Infrastructure

Malware

• New iOS and Android spyware responsible for multi-layered sextortion campaign

• Google Chrome, Firefox, Edge hijacked by massive malware attack: What you need to know

• New Windows malware may soon target Linux, macOS devices

• This nasty malware is infecting every web browser — what to do now

• Tor malware is becoming a worryingly popular ransomware tool

Vulnerabilities

• Total Published CVEs Hits Record High for Fourth Year

• Israeli Phone-hacking Firm Claims It Can Now Break Into Encrypted Signal App

• F5 warns over ‘critical’ XSS flaw in BIG-IP

• PgMiner botnet exploits disputed CVE to hack unsecured PostgreSQL DBs

• Zero-day in WordPress SMTP plugin abused to reset admin account passwords

• Sophos fixes SQL injection vulnerability in their Cyberoam OS

• Wormable code-execution flaw in Cisco Jabber has a severity rating of 9.9 out of 10

• HPE discloses critical zero-day in Systems Insight Manager

Data Breaches

• Twitter hit with €450,000 GDPR fine nearly two years after disclosing data breach

• Data Leak Exposes Details of Two Million Chinese Communist Party Members

• Spotify Changes Passwords After Another Data Breach

• Massive Instagram 'click farm' found following data breach

• Tech unicorn UiPath discloses data breach

• People's Energy data breach affects all 270,000 customers

Organised Crime

• Lithuania Suffers "Most Complex" Cyber-attack in Years

Nation State Actors

• Enough is enough. Here’s what we should do to defend against the next Russian cyber attacks.

• Facebook Shutters Accounts Used in APT32 Cyber attacks

Privacy

• UK police unlawfully processing over a million people’s data on Microsoft 365

• Sci-fi surveillance: Europe's secretive push into biometric technology

Other News

• Analysis of 5G Network Security Reveals Attack Possibilities

Reports Published in the Last Week

• ENISA Threat Landscape for 5G Networks Report

• ENISA AI Threat Landscape Report Unveils Major Cyber Security Challenges

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.