Threat Intelligence Blog
Contact us to discuss any insights from our Blog, and how we can support you in a tailored threat intelligence report.
Black Arrow Cyber Threat Briefing 05 January 2024
Black Arrow Cyber Threat Intelligence Briefing 05 January 2024:
-A “Ridiculously Weak“ Password Causes Disaster for Spain’s Number 2 Mobile Carrier
-Russia Kyivstar Hack Should Alarm West, Ukraine Security Chief Warns
-23andMe Tells Victim It’s Their Fault Their Data Was Breached
-Financial Sector Faces More Cyber Attacks Than Other Sectors
-An Innocent-Looking Instagram Trend Could Be a Gift to Hackers
-Cyber Criminals Shared Millions of Stolen Records During Holiday Break
-Law Firm that Handles Data Breaches was Itself Hit by Data Breach
-Nigerian Hacker Arrested for Stealing Millions from Charities
-Cyber Criminals Implemented Artificial Intelligence for Invoice Fraud
-Shadow IT Threatens Corporate Cyber Security, Study Reveals
-Escalating Cyber Threats: Bots, Fraud Farms, and Cryptojacking Surge
-Putin has Declared a Cyber War on Britain
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
A “Ridiculously Weak“ Password Causes Disaster for Spain’s Number 2 Mobile Carrier
Spain’s second largest mobile operator, Orange España, suffered a major outage after an unknown party obtained a “ridiculously weak” password and used it to access an account for managing the network that delivers the company’s internet traffic. The attacker had posted the account they had compromised, and researchers found that the associated system had been infected with a Raccoon type infostealer back in September of 2023. The compromised account was Orange’s RIPE administrator account, with the password “ripeadmin”. The incident led to a 50% drop in connections for a 4 hour period, and underscores the critical importance of robust cyber security measures, including strong passwords, and serves as a stark reminder that even seemingly minor oversights can lead to significant disruptions.
Source: [Ars Technica]
Russia Kyivstar Hack Should Alarm the West, Ukraine Security Chief Warns
If Ukraine's core telephone network can be taken out, organisations in the West could easily be next, Ukraine's SBU chief says. December's cyber attack on Ukrainian telecommunications operator Kyivstar by Russian-backed threat actor ‘Sandworm’ dealt a catastrophic blow to the telecoms provider, according to Illia Vitiuk, head of the Security Service of Ukraine's (SBU) cyber security department. It is believed that although the attack took place in December 2023, the threat actors likely had access to Kyivstar systems since May 2023.
Source: [Dark Reading]
23andMe Tells Victims It’s Their Fault Their Data Was Breached
A cyber incident at DNA data firm 23andMe started with credential stuffing 14,000 user accounts. Credential stuffing is the process by which a malicious actor uses previously harvested usernames and passwords from earlier unrelated breaches to break into other sites and services. Many of the 14,000 accounts had opted-in for a feature whereby information is shared with relatives, which meant that once compromised, attackers had access to 6.9 million users: nearly half of the user base.
Facing over 30 lawsuits from victims, 23andMe is now blaming victims, according to letters seen by victims. 23andMe stated “users negligently recycled and failed to update their passwords following these past security incidents, which are unrelated to 23andMe”. This has caused divide in the cyber world; on one side, recycling and failing to update passwords is poor cyber hygiene and on the other hand, there are technical controls that could have better prevented this type of well known and common attack.
Source: [TechCrunch] [The Register]
Financial Sector Faces More Cyber Attacks Than Other Sectors
A recent study found that more than three-quarters (77%) of financial organisations detected an attack on their infrastructures in 2023, compared with around two-thirds (68%) of other sectors. In particular, the study found that financial workers were at a higher than average risk of phishing compared to other workers. Despite their target attractiveness, only three-quarters (73%) of the financial sector respondents said that they have a cyber security policy in place or will do so within the next year. A separate report from Kaspersky stated that the financial sector is poised to experience an influx of artificial intelligence based attacks 2024, adding to the fire.
Sources: [SC Media] [TechRadar ]
An Innocent-Looking Instagram Trend Could Be a Gift to Hackers
A recent trend that has picked up traction at the end of December on social media apps such as Instagram and TikTok, encourages their followers to “get to know them better”. This trend gets people to answer a popular template, freely giving away personal information such as their height, date of birth, and various details that they feel strongly about including favourite food and phobias. While these questions may seem harmless, these sorts of personal details are used by companies for security questions, for example when a person wants to reset their password. Hackers can use this information to easily social engineer victims or impersonate them to get access to their accounts.
Source: [Business Insider]
Cyber Criminals Shared Millions of Stolen Records During Holiday Break
While many people unwind and enjoy their time off during the festive season, cyber criminals remain active. In fact, they leaked approximately 50 million records containing sensitive personal information during this period. These data breaches were not limited to the West; they had a global impact, affecting individuals in various countries such as Peru, Australia, South Africa, and more. It is important to note that not all the data leaks were recent; some appeared to be remnants of older incidents. For instance, some of the leaked data belonged to customers of the credit company Klarna, which was rumoured to have experienced a breach back in 2022, although it was never publicly confirmed. This ‘Free Leaksmas’ event, as it’s been dubbed, underscores the extensive global reach and serious consequences of these cyber criminal activities.
Sources: [Security Affairs] [Dark Reading]
Law Firm that Handles Data Breaches was Itself Hit by Data Breach
Orrick, Herrington & Sutcliffe, a law firm specialising in managing security incidents for other companies, has disclosed more details of the cyber attack it itself experienced in March 2023. The breach compromised the sensitive health and personal information of over 637,000 individuals. The stolen data was linked to client organisations and included the names of individuals alongside their social security numbers, medical details, and financial information. Despite the firm's expertise in cyber security, the attack highlights the pervasive risk of data breaches, even among those who advise on such matters. Orrick's delayed response and subsequent legal settlements underscore the importance of proactive security measures and swift action in the wake of a breach. This incident serves as a stark reminder to all organisations of the need for robust cyber defences and transparent communication strategies in today's digital landscape. The law firm has recently settled in principle to resolve four class action lawsuits that accused Orrick of failing to inform victims of the breach until months after the incident.
Source: [TechCrunch]
Nigerian Hacker Arrested for Stealing Millions from Charities
A Nigerian national, Olusegun Samson Adejorin, has been arrested for charges relating to business email compromise attacks that caused a charitable organisation in the US to lose more than $7.5 million. Adejorin had purchased a credential harvesting tool to steal login credentials, which were used to send emails to the charity’s financial service provider. The emails requested and authorised a transfer of $7.5 million, which the investment services provider believed it was paying to the charity whereas it was paying into a bank account controlled by the attacker.
Source: [Bleeping Computer]
Cyber Criminals Implemented Artificial Intelligence for Invoice Fraud
A cyber criminal gang known as GXC Team has been seen selling an artificial intelligence tool for creating fraudulent invoices. The tool, known as Business Invoice Swapper, scrutinises compromised emails that are fed to it, looking for emails which mention invoices or include invoice attachments. It then alters the details of the intended recipient to details specified by the perpetrator. This altered invoice then either replaces the compromised one, or is sent to a predetermined set of contacts.
Source: [Security Affairs]
Shadow IT Threatens Corporate Cyber Security, Study Reveals
With remote working becoming more and more prevalent, organisations are finding themselves at risk of cyber threats due to what is known as shadow IT; this is any software, hardware or IT resource used without the IT department’s approval, knowledge or oversight. A study by Kaspersky found of the 77% of companies that had suffered from cyber incidents over the past two years, 11% of these were directly caused by the unauthorised use of shadow IT.
Source: [Security Brief]
Escalating Cyber Threats: Bots, Fraud Farms, and Cryptojacking Surge
In the constantly evolving cyber threat landscape, 2023 has witnessed a notable surge in the use of bots, fraud farms, and cryptojacking. A new report found that 73% of web and app traffic this year has been attributed to malicious bots and fraud farms, indicating a significant shift towards automated cyber attacks. This trend poses a heightened risk to the ecommerce sector, where cyber criminals exploit API connections and third-party dependencies.
Furthermore, the surge in cryptojacking, marked by a 399% increase, reveals a diversifying strategy among cyber criminals, targeting critical infrastructure with sophisticated methods. These developments serve as a crucial reminder for organisations to bolster their cyber defences and adopt a proactive stance against these emerging and increasingly automated threats.
Source: [Help Net Security]
Putin has Declared a Cyber War on Britain
This year over 2 billion people will vote for new governments across the world, and it is crucial to be aware of upcoming threats to these elections from foreign powers. In particular, Russia is notorious for deploying bots, trolls, and deepfakes, which are techniques used to manipulate information and influence public opinion. These malicious actors are adept at spreading misinformation and disinformation, often with the goal of interfering in elections. With the upcoming UK General Election in 2024 and the US Presidential Election also falling this year, it is imperative to exercise caution and discernment when consuming online content. Not everything we see can be taken at face value.
Source: [Telegraph]
Governance, Risk and Compliance
Thoughts for Boards: Key Issues in Corporate Governance for 2024 (harvard.edu)
Legal, compliance and privacy leaders anxious about rapid GenAI adoption - Help Net Security
Navigating the New Age of Cyber Security Enforcement (darkreading.com)
Facts and misconceptions about cyber security budgets - Help Net Security
Budget cuts take a toll on IT decision makers' mental health - Help Net Security
Consumers prepared to ditch brands after cyber security issues - Help Net Security
Threats
Ransomware, Extortion and Destructive Attacks
Firms urged to stop ransomware payments as attacks become “astronomical” (emergingrisks.co.uk)
How ransomware could cripple countries, not just companies (economist.com)
New Black Basta decryptor exploits ransomware flaw to recover files (bleepingcomputer.com)
Sophos reports spike in ransomware groups using remote encryption (securitybrief.co.nz)
Cactus RANSOMWARE gang hit the Swedish retail and grocery provider Coop (securityaffairs.com)
Police locate missing Chinese student who was victim of ‘cyber kidnapping’ (msn.com)
Kai Zhuang: Cyber kidnapping in US illustrates growing crime trend - BBC News
Ban on ransomware payments? The alternative isn't working • The Register
December ransomware attacks disrupt healthcare organisations | TechTarget
Study: Ransomware Is Actually Killing One American Per Month (tech.co)
Zeppelin ransomware source code sold for $500 on hacking forum (bleepingcomputer.com)
Ransomware Victims
Hospitals ask courts to force cloud storage firm to return stolen data (bleepingcomputer.com)
Software Used by Hundreds of Museums Taken Down by Ransomware Attack (pcmag.com)
CTS cyber attack: Disruption to home sales now over - BBC News
Xerox says subsidiary XBS US breached after ransomware gang leaks data (bleepingcomputer.com)
Cyber attackers breach trove of Victoria court recordings • The Register
Estes refuses to pay off ransomware crew, says data stolen • The Register
Phishing & Email Based Attacks
Numerous backdoors deployed in new Kimsuky spear-phishing attacks | SC Media (scmagazine.com)
Russia's APT28 used new malware in a recent phishing campaign (securityaffairs.com)
SMTP Smuggling: New Flaw Lets Attackers Bypass Security and Spoof Emails (thehackernews.com)
CERT-UA Uncovers New Malware Wave Distributing OCEANMAP, MASEPIE, STEELHOOK (thehackernews.com)
UAC-0050 Group Using New Phishing Tactics to Distribute Remcos RAT (thehackernews.com)
Crypto phishing scams took almost $300M from 324K victims in 2023: Report (cointelegraph.com)
Artificial Intelligence
Cyber Criminals Implemented Artificial Intelligence (AI) for Invoice Fraud (securityaffairs.com)
The Imperative of Cyber Security in the Era of AI (thefastmode.com)
Finance orgs to face increasingly prevalent AI cyber attacks | SC Media (scmagazine.com)
Enterprise cyber security in 2024: The AI play comes to the fore - Verdict
NIST Identifies Types of Cyber Attacks That Manipulate Behaviour of AI Systems | NIST
Use of generative AI in the legal profession accelerating despite accuracy concerns | ITPro
A New Kind of AI Copy Can Fully Replicate Famous People. The Law Is Powerless. - POLITICO
CISO Planning for 2024 May Struggle When It Comes to AI (darkreading.com)
Legal, compliance and privacy leaders anxious about rapid GenAI adoption - Help Net Security
AI Is Driving a Silent Cyber Security Arms Race (govtech.com)
Malware
Google accounts may be vulnerable to new hack, changing password won’t help | Cybernews
Malware abuses Google OAuth endpoint to ‘revive’ cookies, hijack accounts (bleepingcomputer.com)
Microsoft patches critical vulnerability used to install malware on Windows PCs - MSPoweruser
Microsoft disables Windows app installation, again • The Register
New Version of Meduza Stealer Released in Dark Web (securityaffairs.com)
Weak password and infostealer blamed for Orange Spain outage • The Register
Russia's APT28 used new malware in a recent phishing campaign (securityaffairs.com)
Russian Military Intelligence Blamed for Blitzkrieg Hacks (inforisktoday.com)
CERT-UA Uncovers New Malware Wave Distributing OCEANMAP, MASEPIE, STEELHOOK (thehackernews.com)
Kimsuky Hackers Deploying AppleSeed, Meterpreter, and TinyNuke in Latest Attacks (thehackernews.com)
Activity of Rugmi malware loader spikes | SC Media (scmagazine.com)
Kronos Malware Reemerges with Increased Functionality (securityintelligence.com)
Malware attacks exploiting app installation protocol prompt deactivation | SC Media (scmagazine.com)
New Variant of DLL Search Order Hijacking Bypasses Windows 10 and 11 Protections (thehackernews.com)
29 malware families target 1,800 banking apps worldwide - Help Net Security
Google password resets not enough to stop this malware • The Register
UAC-0050 Group Using New Phishing Tactics to Distribute Remcos RAT (thehackernews.com)
New Bandook RAT Variant Resurfaces, Targeting Windows Machines (thehackernews.com)
Mobile
Europe's Largest Parking App Provider Informs Customers of Data Breach - Security Week
How to prevent hackers from breaking into your Android, stealing bank info (nypost.com)
QR code hacking: How to protect yourself from rogue QR codes (androidpolice.com)
29 malware families target 1,800 banking apps worldwide - Help Net Security
Denial of Service/DoS/DDOS
Internet of Things – IoT
Study Finds IoT Cyber Security Risk Increased 400 Percent Last Year - RFID JOURNAL
4 essential smart home cameras tips to protect your sensitive data
Ukraine says Russia hacked web cameras to spy on targets in Kyiv (therecord.media)
Data Breaches/Leaks
23andMe tells victims it’s their fault that their data was breached | TechCrunch
Law firm that handles data breaches was hit by data breach | TechCrunch
Europe's Largest Parking App Provider Informs Customers of Data Breach - Security Week
Here we go again: 2023’s badly handled data breaches | TechCrunch
Over 900k Impacted by Data Breach at Defunct Boston Ambulance Service - Security Week
Data breach at healthcare tech firm impacts 4.5 million patients (bleepingcomputer.com)
'Cyber Toufan' Hacktivists Leaked 100-Plus Israeli Orgs in One Month (darkreading.com)
Cyber Attacks Are Back in Hollywood. Did Sony Hack Teach Us Nothing? (variety.com)
Accounting Firm Battling Cyber Security Lawsuit Seeks Dismissal (bloomberglaw.com)
Organised Crime & Criminal Actors
Nigerian hacker arrested for stealing $7.5M from charities (bleepingcomputer.com)
Hackers employ nuanced tactics to evade detection - Help Net Security
The law enforcement operations targeting cyber crime in 2023 (bleepingcomputer.com)
What’s It Like to Be the Victim of Cyber Crimes? (govtech.com)
Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain
Crypto phishing scams took almost $300M from 324K victims in 2023: Report (cointelegraph.com)
Cryptocurrency wallet CEO loses $125,000 in wallet-draining scam | Tripwire
Cyber criminals set their sights on crypto markets - Help Net Security
Orbit Chain loses $86 million in the last fintech hack of 2023 (bleepingcomputer.com)
Crypto-crook Sam Bankman-Fried spared a second trial • The Register
Bitconned review — Netflix documentary about a fortune built on brazen lies
Hackers hijack govt and business accounts on X for crypto scams (bleepingcomputer.com)
Insurance
Supply Chain and Third Parties
Online museum collections down after cyber attack on service provider (bleepingcomputer.com)
A new framework for third-party risk in the European Union | ITPro
Cloud/SaaS
Identity and Access Management
The password identity crisis: Evolving authentication methods in 2024 and beyond | VentureBeat
Active Directory Infiltration Methods Employed by Cyber Criminals (gbhackers.com)
Encryption
Quantum Risks and Rewards: Forward-Defending Cyber Security (govinfosecurity.com)
Saving Schrödinger’s Cat: Getting serious about post-quantum encryption in 2024 - Breaking Defence
Nearly 11 million SSH servers vulnerable to new Terrapin attacks (bleepingcomputer.com)
Linux and Open Source
Passwords, Credential Stuffing & Brute Force Attacks
A “ridiculously weak“ password causes disaster for Spain’s No. 2 mobile carrier | Ars Technica
23andMe tells victims it’s their fault that their data was breached | TechCrunch
The password identity crisis: Evolving authentication methods in 2024 and beyond | VentureBeat
Social Media
Instagram Trend Could Be a Gift to Hackers (businessinsider.com)
Cyber Attackers Target Nuclear Waste Company via LinkedIn (darkreading.com)
Cyber Criminals Flood Dark Web with X (Twitter) Gold Accounts (darkreading.com)
Hackers hijack govt and business accounts on X for crypto scams (bleepingcomputer.com)
Mandiant's Twitter Account Restored After Six-Hour Crypto Scam Hack (thehackernews.com)
Malvertising
Regulations, Fines and Legislation
New risk management framework helps with SEC mandate compliance | CSO Online
A new framework for third-party risk in the European Union | ITPro
Navigating the New Age of Cyber Security Enforcement (darkreading.com)
Models, Frameworks and Standards
Careers, Working in Cyber and Information Security
Cyber security skills gap poses threat to business protection measures (securitybrief.co.nz)
Many cyber security workers feel burnt out and worry about understaffing | TechRadar
Law Enforcement Action and Take Downs
Police investigate virtual sex assault on girl's avatar - BBC News
The law enforcement operations targeting cyber crime in 2023 (bleepingcomputer.com)
Additional cyber agents to be deployed by FBI | SC Media (scmagazine.com)
Misinformation, Disinformation and Propaganda
Nation State Actors, Advanced Persistent Threats (APTs), Cyber Warfare, Cyber Espionage and Geopolitical Threats/Activity
Cyber Warfare and Cyber Espionage
Nation State Actors
China
BT Miss Deadline to Remove All Huawei Kit from UK Core Network UPDATE - ISPreview UK
Three Chinese balloons float near Taiwanese airbase • The Register
Russia
Russia Kyivstar Hack Should Alarm West, Ukraine Security Chief Warns (darkreading.com)
Russian hackers were inside Ukraine telecoms giant for months – cyber spy chief – Euractiv
Ukraine says Russia hacked web cameras to spy on targets in Kyiv (therecord.media)
UK exposes Russia for attempted political interference (ukdefencejournal.org.uk)
Vladimir Putin has declared a cyber war on Britain (telegraph.co.uk)
Russia's APT28 used new malware in a recent phishing campaign (securityaffairs.com)
Russian Military Intelligence Blamed for Blitzkrieg Hacks (inforisktoday.com)
CERT-UA Uncovers New Malware Wave Distributing OCEANMAP, MASEPIE, STEELHOOK (thehackernews.com)
Massive missile strike disrupts Kyiv's internet and power supply (therecord.media)
The "Tallinn Mechanism" is Designed to Enhance Civilian Cyber Assistance to Ukraine
UAC-0050 Group Using New Phishing Tactics to Distribute Remcos RAT (thehackernews.com)
Iran
Multiple organisations in Iran breached by a mysterious hacker (securityaffairs.com)
Israel Battles Spike in Wartime Hacktivist, OT Cyber Attacks (darkreading.com)
Pilfered Data From Iranian Insurance and Food Delivery Firms Leaked Online (darkreading.com)
North Korea
Kimsuky Hackers Deploying AppleSeed, Meterpreter, and TinyNuke in Latest Attacks (thehackernews.com)
Numerous backdoors deployed in new Kimsuky spear-phishing attacks | SC Media (scmagazine.com)
Other Nation State Actors, Hacktivism, Extremism, Terrorism and Other Geopolitical Threat Intelligence
Vulnerability Management
Apache ERP Zero-Day Underscores Dangers of Incomplete Patches (darkreading.com)
Vulnerability management remains a moving target | SC Media (scmagazine.com)
Vulnerabilities
Microsoft patches critical vulnerability used to install malware on Windows PCs - MSPoweruser
Google Patches Six Vulnerabilities With First Chrome Update of 2024 - Security Week
Apache ERP Zero-Day Underscores Dangers of Incomplete Patches (darkreading.com)
Ivanti warns critical EPM bug lets hackers hijack enrolled devices (bleepingcomputer.com)
Vulnerabilities in Google Kubernetes Engine Could Allow Cluster Takeover - Security Week
Malware attacks exploiting app installation protocol prompt deactivation | SC Media (scmagazine.com)
Qualcomm chip vulnerability enables remote attack by voice call | SC Media (scmagazine.com)
Nearly 11 million SSH servers vulnerable to new Terrapin attacks (bleepingcomputer.com)
WordPress Google Fonts Plugin Vulnerability Affects Up To +300,000 Sites (searchenginejournal.com)
January Android Security Bulletin Arrives, So Does Pixel Update (droid-life.com)
Tools and Controls
Why training LLMs with endpoint data will strengthen cyber security | VentureBeat
Cyber security challenges emerge in the wake of API expansion - Help Net Security
Are Security Appliances fit for Purpose in a Decentralized Workplace? - Security Week
Guarding against DDoS attacks during high-traffic periods | CSO Online
8 Hybrid Cloud Security Challenges and How to Manage Them (techtarget.com)
Active Directory Infiltration Methods Employed by Cyber Criminals (gbhackers.com)
Other News
IT and OT cyber security: A holistic approach (securityintelligence.com)
The FBI is adding more cyber focused agents to US embassies | CyberScoop
Hackers hit Australian state's court recording database | Reuters
Cyber Attacks Are Back in Hollywood. Did Sony Hack Teach Us Nothing? (variety.com)
Healthcare breach costs soar requiring new thinking for safeguarding data (securityintelligence.com)
Sector Specific
Industry specific threat intelligence reports are available.
Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.
· Automotive
· Construction
· Critical National Infrastructure (CNI)
· Defence & Space
· Education & Academia
· Energy & Utilities
· Estate Agencies
· Financial Services
· FinTech
· Food & Agriculture
· Gaming & Gambling
· Government & Public Sector (including Law Enforcement)
· Health/Medical/Pharma
· Hotels & Hospitality
· Insurance
· Legal
· Manufacturing
· Maritime
· Oil, Gas & Mining
· OT, ICS, IIoT, SCADA & Cyber-Physical Systems
· Retail & eCommerce
· Small and Medium Sized Businesses (SMBs)
· Startups
· Telecoms
· Third Sector & Charities
· Transport & Aviation
· Web3
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Threat Briefing 23 July 2021
Black Arrow Cyber Threat Briefing 23 July 2021: 40% Fell Victim To A Phishing Attack In The Past Month; Traditional Ransomware Defences Are Failing Businesses; The Number Of Employees Going Around IT Security May Surprise You; 740 Ransomware Victims Named On Data Leak Sites In Q2 2021; A More Dynamic Approach Is Needed To Tackle Today’s Evolving Cyber Security Threats; Law Firm For Ford, Boeing, Exxon, Marriott, Walgreens, And More Hacked In Ransomware Attack; UK And Allies Accuse China Of 'Reckless' Cyber Extortion And Microsoft Hack; Even after Emotet takedown, Office docs deliver 43% of all malware downloads now; Gun owners' fears after firearms dealer data breach
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
40% Fell Victim To A Phishing Attack In The Past Month
The global shift to remote work has exacerbated the onslaught, sophistication, and impact of phishing attacks, according to Ivanti. Nearly three-quarters (74%) of respondents said their organisations have fallen victim to a phishing attack in the last year, with 40% confirming they have experienced one in the last month.
Eighty percent of respondents said they have witnessed an increase in volume of phishing attempts and 85% said those attempts are getting more sophisticated. In fact, 73% of respondents said that their IT staff had been targeted by phishing attempts, and 47% of those attempts were successful.
Smishing and vishing scams are the latest variants to gain traction and target mobile users. According to recent research by Aberdeen, attackers have a higher success rate on mobile endpoints than on servers – a pattern that is trending dramatically worse. Meanwhile, the annualized risk of a data breach resulting from mobile phishing attacks has a median value of about $1.7M, and a long tail of value of about $90M.
https://www.helpnetsecurity.com/2021/07/23/risk-phishing-attacks/
Traditional Ransomware Defences Are Failing Businesses
Traditional cyber security strategies are failing to protect organisations from ransomware attacks, new research suggests. Based on a poll of 200 IT decision-makers whose businesses recently suffered ransomware attacks, 54 percent of all victims had their employees go through anti-phishing training. Furthermore, almost half (49 percent) had perimeter defences set up at the time of the attack. However, attack methods have grown too sophisticated for traditional security measures to keep up. Many attacks (24 percent) still start with a successful phishing attempt, while almost a third (31 percent) see attacker enter the network through public cloud.
https://www.itproportal.com/news/traditional-ransomware-defenses-are-failing-businesses/
Cyber Security Risk: The Number Of Employees Going Around IT Security May Surprise You
Last month, a report was published highlighting challenges associated with enabling IT freedoms while ensuring tight security procedures. The findings detail a complex balancing act between IT teams and network users. Calibrating this equilibrium is particularly challenging in the age of remote work as employees log on and virtually collaborate via a host of digital solutions. Overall, the survey found that virtually all employees (93%) "are working around IT restrictions," and a mere 7% said they were "satisfied with their corporate IT restrictions." Interestingly, this information about IT workarounds does not match security leaders' and IT expectations.
740 ransomware victims named on data leak sites in Q2 2021: report
More than 700 organizations were attacked with ransomware and had their data posted to data leak sites in Q2 of 2021, according to a new research report from cyber security firm Digital Shadows.
Out of the almost 2,600 victims listed on ransomware data leak sites, 740 of them were named in Q2 2021, representing a 47% increase compared to Q1.
https://www.zdnet.com/article/740-ransomware-victims-named-on-data-leak-sites-in-q2-2021-report/
A More Dynamic Approach Is Needed To Tackle Today’s Evolving Cyber Security Threats
For decades, the cyber security industry has followed a defense-in-depth strategy, which allowed organisations to designate the battlefield against bad actors at their edge firewall. Nowadays, cyber criminals have become as creative as ever. New cyber threats are emerging every day, and with the constantly increasing rate of Ransomware, Phishing, etc. We’re forced to take a more dynamic approach when tackling these cyber threats on a day to day basis. Recent statistics demonstrate the scale of the cyber security issues faced by companies. In 2020, malware attacks increased by 358% and ransomware increased by 435%, and the average cost of recovering from a ransomware attack has doubled in the last 12 months, reaching almost $2 million in 2021.
https://www.helpnetsecurity.com/2021/07/13/dynamic-approach-cybersecurity-threats/
Law Firm For Ford, Boeing, Exxon, Marriott, Walgreens, And More Hacked In Ransomware Attack
Campbell Conroy & O'Neil, P.C., a law firm handling hundreds of cases for the world's leading companies, has announced a large data breach that resulted from a ransomware attack in February. In a statement, the law firm said it noticed unusual activity on its network on February 27. The firm later realized it was being hit with a ransomware attack and contacted the FBI as well as cyber security companies for help.
UK And Allies Accuse China Of 'Reckless' Cyber Extortion And Microsoft Hack
The Government was hinting yet again at covertly using Britain’s own offensive cyber capabilities – hitting back at cyber attacks with cyber attacks of our own. This approach goes all the way back to 2013, when then defence secretary told the Conservative Party conference that the UK would “build a dedicated capability to counter-attack in cyber space and, if necessary, to strike in cyber space”.
Even after Emotet takedown, Office docs deliver 43% of all malware downloads now
Malware delivered over the cloud increased by 68% in Q2, according to data from cyber security firm Netskope.
The company released the fifth edition of its Cloud and Threat Report that covers the cloud data risks, threats and trends they see throughout the quarter.
The report noted that cloud storage apps account for more than 66% of cloud malware delivery.
"In Q2 2021, 43% of all malware downloads were malicious Office docs, compared to just 20% at the beginning of 2020. This increase comes even after the Emotet takedown, indicating that other groups observed the success of the Emotet crew and have adopted similar techniques," the report said.
Gun Owners' Fears After Firearms Dealer Data Breach
Thousands of names and addresses belonging to UK customers of a leading website for buying and selling shotguns and rifles have been published to the dark web following a "security breach".
Guntrader.uk told the BBC it learned of the breach on Monday and had notified the Information Commissioner's Office.
Police, including the National Crime Agency, are investigating.
One affected gun owner said he was afraid the breach could lead to his family being targeted by criminals.
Gun ownership is tightly controlled in the UK, making guns difficult to acquire, and potentially valuable on the black market.
The individual, who did not wish to be named, told the BBC the breach "seriously compromises my security arrangements for my firearms and puts me in a situation where me and my family could be targeted and in danger".
Threats
Ransomware
BEC
Phishing
Malware
Leaked NSO Group Data Hints At Widespread Pegasus Spyware Infections
This New Malware Hides Itself Among Windows Defender Exclusions To Evade Detection
MacBook Users Beware! Hackers Are Buying $49 Malware To Wreak Havoc On MacOS
New MosaicLoader Malware Targets Software Pirates Via Online Ads
CISA Warns Of Stealthy Malware Found On Hacked Pulse Secure Devices
This Password-Stealing Windows Malware Is Distributed Via Ads In Search Results
Mobile
Vulnerabilities
Researcher Uncovers Yet Another Unpatched Windows Printer Spooler Vulnerability
16-Year-Old Security Bug Affects Millions Of HP, Samsung, Xerox Printers
Fortinet Fixes Bug Letting Unauthenticated Hackers Run Code As Root
Windows 10 Vulnerability Lets Anyone Get Administrator Privileges
Researchers Discover Security Flaws In Telegram Encryption Protocol
Microsoft Shares Workaround For Windows 10 SeriousSAM Vulnerability
Apple Issues Urgent iPhone Updates; None for Pegasus Zero-Day
Data Breaches
Organised Crime & Criminal Actors
Supply Chain
DoS/DDoS
OT, ICS, IIoT and SCADA
Nation State Actors
UK And Allies Hold Chinese State Responsible For Pervasive Pattern Of Hacking
Chinese Hacking Group APT31 Uses Mesh Of Home Routers To Disguise Attacks
France Warns Of APT31 Cyber Spies Targeting French Organisations
APT Hackers Distributed Android Trojan Via Syrian E-Government Portal
Cloud
Privacy
Other News
Application Security Tools Ineffective Against New And Growing Threats
Pegasus: What Is The Israeli Spyware And How Can You Tell If It’s On Your Phone?
DHS Releases New Mandatory Cyber Security Rules For Pipelines After Colonial Ransomware Attack
1 in 5 companies fail PCI compliance assessments of their infrastructure
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Cyber Weekly Flash Briefing 03 July 2020: Ransomware attacks increasing, Microsoft emergency updates, ransomware gang auction data, 'return to work' traps, new Windows botnet, Cisco SMB router flaws
Cyber Weekly Flash Briefing 03 July 2020: Ransomware attacks increasing, Microsoft emergency updates, ransomware gang auction data, 'return to work' traps, new Windows botnet, Cisco SMB router flaws
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Ransomware attacks are increasing, do you have an emergency plan in place?
Cyber attacks and data breaches can have serious implications for organisations in terms of downtime, financial damage and reputation of the business. Ransomware attacks that seek to encrypt a victim’s data and demand a fee to restore it continue to be prevalent. Unfortunately, the damage caused can be severe and widespread, yet 39% of organizations either have no ransomware emergency plan in place or are not aware if one exists. This is despite more ransomware attacks being recorded in the past 12 months than ever before.
The largest ransomware attack to date – WannaCry – was estimated to have affected more than 200,000 computers across 150 separate countries. Ransomware today is rife and has been exacerbated by the current work-from-home trend.
21% of respondents to a recent survey said they had experienced a ransomware attack, and of those, 26% admitted they couldn’t access any working backup after the attack. Even when organisations could access a working backup, 22% of them could either only restore a partial amount of data or none at all.
In most countries, employees have been working under a completely different set of parameters for a couple of months; ones where new security risks are high and where cybercriminals are finding new ways to exploit any weaknesses they can find.
Read more: https://www.helpnetsecurity.com/2020/07/01/ransomware-emergency-plan/
Further reading: The 11 Biggest Ransomware Attacks Of 2020 (So Far) https://www.crn.com/slide-shows/security/the-11-biggest-ransomware-attacks-of-2020-so-far-?itc=refresh
Microsoft releases emergency update to fix two serious Windows flaws
Microsoft on Tuesday released emergency security patches to plug a pair of serious vulnerabilities in its Windows Codecs library that impact several Windows 10 and Windows Server versions. Indexed as CVE-2020-1425 and CVE-2020-1457, the two remote-code execution (RCE) flaws are rated as ‘critical’ and ‘important’ in severity, respectively.
Both security loopholes have to do with how Microsoft Windows Codecs Library handles objects in memory. An attacker of the first flaw could obtain information to further compromise the user’s system, while successful exploitation of the second flaw could enable attackers to execute arbitrary code on the targeted machine.
Details are very sparse and there’s no word on specific attack vectors, but Microsoft said that exploitation of either vulnerability “requires that a program process a specially crafted image file”. This could, for example, involve luring the target into downloading and opening a malicious image file shared via email or a compromised website.
Researchers Find New Calendar-Based Phishing Campaign
Researchers have once again spotted crooks using calendar invitations to mount phishing attacks using iCalendar. iCalendar is a media type that lets users store and exchange calendaring and scheduling information, including events and tasks.
Whilst this is evidence of a new campaign, this is not a new technique. A similar attack cropped up last June, when researchers found attackers using Google's auto-add feature. In that attack, smartphone users would see the invitation as a pop-up invitation, displaying a link to a phishing URL that asked for their credit card data and personal information.
Read more: https://www.infosecurity-magazine.com/news/calendar-phishing-campaign/
REvil Ransomware Gang Adds Auction Feature for Stolen Data
The REvil ransomware gang (also known as Sodinokibi) has added an auction feature to its underground website that allows anonymous bidding on information stolen in its targeted ransomware campaigns.
The auction capability appeared at the beginning of June and in announcing the feature, REvil included details on its first lot, the firm said, containing accounting information, files and databases stolen from a Canadian agricultural company.
A few days later on June 8, bidding went live, giving interested parties the choice to submit a bid (starting at $50,000) or buy the data outright, with a higher “blitz” price ($100,000).
Other victims whose data went up for sale in auction include a U.S. food distributor (accounts and documents with a starting price of $100,000 and a blitz price of double that); a U.S. law firm (50GB of data including confidential and personal information on clients, with a starting price of $30,000 and a blitz price of $50,000); and a U.S. intellectual property law firm (1.2TB of data including ‘all’ internal documentation, correspondence, patent agreements and client confidential information with a starting price of $1 million and a blitz price of $10 million).
As for why the latter’s data is so valuable, “data stolen from the intellectual property law firm reportedly includes information related to new technologies and unfiled patents that, given the high-profile client list, likely explains the high starting and blitz prices,” the firm noted in a report Monday, adding that the data would possibly be of interest to competitors or even a nation-state seeking to gain economic advantages.
Read more here: https://threatpost.com/revil-ransomware-gang-auction-stolen-data/157006/
Criminals set 'return to work' traps
Just because workers are returning to their offices, that doesn't mean criminals can't still abuse Covid-19 to spread malware and steal sensitive data.
According to a new report criminals are setting “return to work traps”, taking advantage of the training employees need to go through as they return to the office in its new form.
Many workers now need to go through various tutorials, webinars and training sessions, to ensure they are compliant with new workplace rules set up to prevent viral transmission. Sensing an opportunity, cybercriminals are disguising malware as webinar recordings and other educational material.
According to the report, these new practices are mostly reserved for businesses in North America and Europe, where lockdown measures are slowly being eased up and people are being allowed to return to work.
Read more here: https://www.itproportal.com/news/criminals-set-return-to-work-traps/
This new botnet has recruited an army of Windows devices
A new botnet is exploiting close to a dozen high and critical-severity vulnerabilities in Windows systems to turn them into cryptomining clients as well as to launch DDoS attacks.
The malware behind the botnet has been given the name Satan DDoS though security researchers have taken to referring to its as Lucifer in order to avoid confusion with the Satan ransomware.
A security firm began looking into the botnet after discovering it while following multiple incidents involving the exploitation of a critical vulnerability in a component of a web framework which can lead to remote code execution.
At first the Lucifer malware was believed to be used to mine the cryptocurrency Monero. However, it later become apparent that the malware also contains a DDoS component as well as a self-spreading mechanism that uses severe vulnerabilities and brute-forcing to its advantage.
Read more here: https://www.techradar.com/news/this-new-botnet-has-recruited-an-army-of-windows-devices
Cisco SMB routers hit with another major security flaw
Security researchers have discovered a significant cross-site scripting (XSS) vulnerability in the web admin interface of two small business routers from Cisco.
The XSS vulnerability exists in the company's RVO42 and RV042G routers and it provides attackers with an easy way to take control of the devices' web configuration utility.
This could allow an attacker to perform a number of admin actions from viewing and modifying sensitive information to taking control of the router or even having the ability to move laterally and gain access to other systems on the network.
Read more here: https://www.techradar.com/news/cisco-smb-routers-hit-with-another-major-security-flaw
Xerox apparently victim of Maze attack
It appears that Xerox is the latest victim of Maze ransomware attackers, if screenshots posted by the ransomware’s operators are legitimate.
The hackers claim to have obtained more than 100GB of information and are threatening to publish it, according to a reports.
Maze has hit a number of high-profile targets and in recent months has joined forces with other ransomware groups.
Read more: https://www.scmagazine.com/home/security-news/ransomware/xerox-apparent-victim-of-maze-attack/
FakeSpy Android Malware Spread Via ‘Postal-Service’ Apps
Android mobile device users are being targeted in a new SMS phishing campaign that’s spreading the FakeSpy infostealer. The malware, which is disguised as legitimate global postal-service apps, steals SMS messages, financial data and more from the victims’ devices.
The campaign was first discovered several weeks ago targeting South Korean and Japanese speakers, but it has now expanded that targeting to China, Taiwan, France, Switzerland, Germany, the United Kingdom and the United States. The attacker uses text messages as an initial infection vector, prompting the Android recipients to click on a malicious link, in a practice known as SMS phishing or “smishing.”
Read more here: https://threatpost.com/fakespy-android-malware-spread-via-postal-service-apps/157102/
New Mac Ransomware Is Even More Sinister Than It Appears
There haven't been too many strains tailored specifically to infect Apple's Mac computers since the first full-fledged Mac ransomware surfaced four years ago but new findings published this week have highlighted a new example of Mac ransomware called ThiefQuest.
In addition to ransomware, ThiefQuest has a whole other set of spyware capabilities that allow it to exfiltrate files from an infected computer, search the system for passwords and cryptocurrency wallet data, and run a robust keylogger to grab passwords, credit card numbers, or other financial information as a user types it in. The spyware component also lurks persistently as a backdoor on infected devices, meaning it sticks around even after a computer reboots, and could be used as a launchpad for additional, or "second stage," attacks. Given that ransomware is so rare on Macs to begin with, this one-two punch is especially noteworthy.
Read more here: https://www.wired.com/story/new-mac-ransomware-thiefquest-evilquest/