Threat Intelligence Blog

Contact us to discuss any insights from our Blog, and how we can support you in a tailored threat intelligence report.

Black Arrow Admin Black Arrow Admin

Black Arrow Cyber Threat Briefing 05 January 2024

Black Arrow Cyber Threat Intelligence Briefing 05 January 2024:

-A “Ridiculously Weak“ Password Causes Disaster for Spain’s Number 2 Mobile Carrier

-Russia Kyivstar Hack Should Alarm West, Ukraine Security Chief Warns

-23andMe Tells Victim It’s Their Fault Their Data Was Breached

-Financial Sector Faces More Cyber Attacks Than Other Sectors

-An Innocent-Looking Instagram Trend Could Be a Gift to Hackers

-Cyber Criminals Shared Millions of Stolen Records During Holiday Break

-Law Firm that Handles Data Breaches was Itself Hit by Data Breach

-Nigerian Hacker Arrested for Stealing Millions from Charities

-Cyber Criminals Implemented Artificial Intelligence for Invoice Fraud

-Shadow IT Threatens Corporate Cyber Security, Study Reveals

-Escalating Cyber Threats: Bots, Fraud Farms, and Cryptojacking Surge

-Putin has Declared a Cyber War on Britain

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

A “Ridiculously Weak“ Password Causes Disaster for Spain’s Number 2 Mobile Carrier

Spain’s second largest mobile operator, Orange España, suffered a major outage after an unknown party obtained a “ridiculously weak” password and used it to access an account for managing the network that delivers the company’s internet traffic. The attacker had posted the account they had compromised, and researchers found that the associated system had been infected with a Raccoon type infostealer back in September of 2023. The compromised account was Orange’s RIPE administrator account, with the password “ripeadmin”. The incident led to a 50% drop in connections for a 4 hour period, and  underscores the critical importance of robust cyber security measures, including strong passwords, and serves as a stark reminder that even seemingly minor oversights can lead to significant disruptions.

Source: [Ars Technica]

Russia Kyivstar Hack Should Alarm the West, Ukraine Security Chief Warns

If Ukraine's core telephone network can be taken out, organisations in the West could easily be next, Ukraine's SBU chief says. December's cyber attack on Ukrainian telecommunications operator Kyivstar by Russian-backed threat actor ‘Sandworm’ dealt a catastrophic blow to the telecoms provider, according to Illia Vitiuk, head of the Security Service of Ukraine's (SBU) cyber security department. It is believed that although the attack took place in December 2023, the threat actors likely had access to Kyivstar systems since May 2023.

Source: [Dark Reading]

23andMe Tells Victims It’s Their Fault Their Data Was Breached

A cyber incident at DNA data firm 23andMe started with credential stuffing 14,000 user accounts. Credential stuffing is the process by which a malicious actor uses previously harvested usernames and passwords from earlier unrelated breaches to break into other sites and services. Many of the 14,000 accounts had opted-in for a feature whereby information is shared with relatives, which meant that once compromised, attackers had access to 6.9 million users: nearly half of the user base.

Facing over 30 lawsuits from victims, 23andMe is now blaming victims, according to letters seen by victims. 23andMe stated “users negligently recycled and failed to update their passwords following these past security incidents, which are unrelated to 23andMe”. This has caused divide in the cyber world; on one side, recycling and failing to update passwords is poor cyber hygiene and on the other hand, there are technical controls that could have better prevented this type of well known and common attack.

Source: [TechCrunch] [The Register]

Financial Sector Faces More Cyber Attacks Than Other Sectors

A recent study found that more than three-quarters (77%) of financial organisations detected an attack on their infrastructures in 2023, compared with around two-thirds (68%) of other sectors. In particular, the study found that financial workers were at a higher than average risk of phishing compared to other workers. Despite their target attractiveness, only three-quarters (73%) of the financial sector respondents said that they have a cyber security policy in place or will do so within the next year. A separate report from Kaspersky stated that the financial sector is poised to experience an influx of artificial intelligence based attacks 2024, adding to the fire.

Sources: [SC Media] [TechRadar ]

An Innocent-Looking Instagram Trend Could Be a Gift to Hackers

A recent trend that has picked up traction at the end of December on social media apps such as Instagram and TikTok, encourages their followers to “get to know them better”. This trend gets people to answer a popular template, freely giving away personal information such as their height, date of birth, and various details that they feel strongly about including favourite food and phobias. While these questions may seem harmless, these sorts of personal details are used by companies for security questions, for example when a person wants to reset their password. Hackers can use this information to easily social engineer victims or impersonate them to get access to their accounts.

Source: [Business Insider]

Cyber Criminals Shared Millions of Stolen Records During Holiday Break

While many people unwind and enjoy their time off during the festive season, cyber criminals remain active. In fact, they leaked approximately 50 million records containing sensitive personal information during this period. These data breaches were not limited to the West; they had a global impact, affecting individuals in various countries such as Peru, Australia, South Africa, and more. It is important to note that not all the data leaks were recent; some appeared to be remnants of older incidents. For instance, some of the leaked data belonged to customers of the credit company Klarna, which was rumoured to have experienced a breach back in 2022, although it was never publicly confirmed. This ‘Free Leaksmas’ event, as it’s been dubbed, underscores the extensive global reach and serious consequences of these cyber criminal activities.

Sources: [Security Affairs] [Dark Reading]

Law Firm that Handles Data Breaches was Itself Hit by Data Breach

Orrick, Herrington & Sutcliffe, a law firm specialising in managing security incidents for other companies, has disclosed more details of the cyber attack it itself experienced in March 2023. The breach compromised the sensitive health and personal information of over 637,000 individuals. The stolen data was linked to client organisations and included the names of individuals alongside their social security numbers, medical details, and financial information. Despite the firm's expertise in cyber security, the attack highlights the pervasive risk of data breaches, even among those who advise on such matters. Orrick's delayed response and subsequent legal settlements underscore the importance of proactive security measures and swift action in the wake of a breach. This incident serves as a stark reminder to all organisations of the need for robust cyber defences and transparent communication strategies in today's digital landscape. The law firm has recently settled in principle to resolve four class action lawsuits that accused Orrick of failing to inform victims of the breach until months after the incident.

Source: [TechCrunch]

Nigerian Hacker Arrested for Stealing Millions from Charities

A Nigerian national, Olusegun Samson Adejorin, has been arrested for charges relating to business email compromise attacks that caused a charitable organisation in the US to lose more than $7.5 million. Adejorin had purchased a credential harvesting tool to steal login credentials, which were used to send emails to the charity’s financial service provider. The emails requested and authorised a transfer of $7.5 million, which the investment services provider believed it was paying to the charity whereas it was paying into a bank account controlled by the attacker.

Source: [Bleeping Computer]

Cyber Criminals Implemented Artificial Intelligence for Invoice Fraud

A cyber criminal gang known as GXC Team has been seen selling an artificial intelligence tool for creating fraudulent invoices. The tool, known as Business Invoice Swapper, scrutinises compromised emails that are fed to it, looking for emails which mention invoices or include invoice attachments. It then alters the details of the intended recipient to details specified by the perpetrator. This altered invoice then either replaces the compromised one, or is sent to a predetermined set of contacts.

Source: [Security Affairs]

Shadow IT Threatens Corporate Cyber Security, Study Reveals

With remote working becoming more and more prevalent, organisations are finding themselves at risk of cyber threats due to what is known as shadow IT; this is any software, hardware or IT resource used without the IT department’s approval, knowledge or oversight. A study by Kaspersky found of the 77% of companies that had suffered from cyber incidents over the past two years, 11% of these were directly caused by the unauthorised use of shadow IT.

Source: [Security Brief]

Escalating Cyber Threats: Bots, Fraud Farms, and Cryptojacking Surge

In the constantly evolving cyber threat landscape, 2023 has witnessed a notable surge in the use of bots, fraud farms, and cryptojacking. A new report found that 73% of web and app traffic this year has been attributed to malicious bots and fraud farms, indicating a significant shift towards automated cyber attacks. This trend poses a heightened risk to the ecommerce sector, where cyber criminals exploit API connections and third-party dependencies.

Furthermore, the surge in cryptojacking, marked by a 399% increase, reveals a diversifying strategy among cyber criminals, targeting critical infrastructure with sophisticated methods. These developments serve as a crucial reminder for organisations to bolster their cyber defences and adopt a proactive stance against these emerging and increasingly automated threats.

Source: [Help Net Security]

Putin has Declared a Cyber War on Britain

This year over 2 billion people will vote for new governments across the world, and it is crucial to be aware of upcoming threats to these elections from foreign powers. In particular, Russia is notorious for deploying bots, trolls, and deepfakes, which are techniques used to manipulate information and influence public opinion. These malicious actors are adept at spreading misinformation and disinformation, often with the goal of interfering in elections. With the upcoming UK General Election in 2024 and the US Presidential Election also falling this year, it is imperative to exercise caution and discernment when consuming online content. Not everything we see can be taken at face value.

Source: [Telegraph]



Threats

Ransomware, Extortion and Destructive Attacks

Ransomware Victims

Phishing & Email Based Attacks

Artificial Intelligence

Malware

Mobile

Denial of Service/DoS/DDOS

Internet of Things – IoT

Data Breaches/Leaks

Organised Crime & Criminal Actors

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

Insurance

Supply Chain and Third Parties

Cloud/SaaS

Identity and Access Management

Encryption

Linux and Open Source

Passwords, Credential Stuffing & Brute Force Attacks

Social Media

Malvertising

Regulations, Fines and Legislation

Models, Frameworks and Standards

Careers, Working in Cyber and Information Security

Law Enforcement Action and Take Downs

Misinformation, Disinformation and Propaganda


Nation State Actors, Advanced Persistent Threats (APTs), Cyber Warfare, Cyber Espionage and Geopolitical Threats/Activity

Cyber Warfare and Cyber Espionage

Nation State Actors

China

Russia

Iran

North Korea

Other Nation State Actors, Hacktivism, Extremism, Terrorism and Other Geopolitical Threat Intelligence





Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

·         Automotive

·         Construction

·         Critical National Infrastructure (CNI)

·         Defence & Space

·         Education & Academia

·         Energy & Utilities

·         Estate Agencies

·         Financial Services

·         FinTech

·         Food & Agriculture

·         Gaming & Gambling

·         Government & Public Sector (including Law Enforcement)

·         Health/Medical/Pharma

·         Hotels & Hospitality

·         Insurance

·         Legal

·         Manufacturing

·         Maritime

·         Oil, Gas & Mining

·         OT, ICS, IIoT, SCADA & Cyber-Physical Systems

·         Retail & eCommerce

·         Small and Medium Sized Businesses (SMBs)

·         Startups

·         Telecoms

·         Third Sector & Charities

·         Transport & Aviation

·         Web3


As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Read More
Black Arrow Admin Black Arrow Admin

Black Arrow Cyber Threat Briefing 23 July 2021

Black Arrow Cyber Threat Briefing 23 July 2021: 40% Fell Victim To A Phishing Attack In The Past Month; Traditional Ransomware Defences Are Failing Businesses; The Number Of Employees Going Around IT Security May Surprise You; 740 Ransomware Victims Named On Data Leak Sites In Q2 2021; A More Dynamic Approach Is Needed To Tackle Today’s Evolving Cyber Security Threats; Law Firm For Ford, Boeing, Exxon, Marriott, Walgreens, And More Hacked In Ransomware Attack; UK And Allies Accuse China Of 'Reckless' Cyber Extortion And Microsoft Hack; Even after Emotet takedown, Office docs deliver 43% of all malware downloads now; Gun owners' fears after firearms dealer data breach

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.


Top Cyber Stories of the Last Week

40% Fell Victim To A Phishing Attack In The Past Month

The global shift to remote work has exacerbated the onslaught, sophistication, and impact of phishing attacks, according to Ivanti. Nearly three-quarters (74%) of respondents said their organisations have fallen victim to a phishing attack in the last year, with 40% confirming they have experienced one in the last month.

Eighty percent of respondents said they have witnessed an increase in volume of phishing attempts and 85% said those attempts are getting more sophisticated. In fact, 73% of respondents said that their IT staff had been targeted by phishing attempts, and 47% of those attempts were successful.

Smishing and vishing scams are the latest variants to gain traction and target mobile users. According to recent research by Aberdeen, attackers have a higher success rate on mobile endpoints than on servers – a pattern that is trending dramatically worse. Meanwhile, the annualized risk of a data breach resulting from mobile phishing attacks has a median value of about $1.7M, and a long tail of value of about $90M.

https://www.helpnetsecurity.com/2021/07/23/risk-phishing-attacks/

Traditional Ransomware Defences Are Failing Businesses

Traditional cyber security strategies are failing to protect organisations from ransomware attacks, new research suggests. Based on a poll of 200 IT decision-makers whose businesses recently suffered ransomware attacks, 54 percent of all victims had their employees go through anti-phishing training. Furthermore, almost half (49 percent) had perimeter defences set up at the time of the attack. However, attack methods have grown too sophisticated for traditional security measures to keep up. Many attacks (24 percent) still start with a successful phishing attempt, while almost a third (31 percent) see attacker enter the network through public cloud.

https://www.itproportal.com/news/traditional-ransomware-defenses-are-failing-businesses/

Cyber Security Risk: The Number Of Employees Going Around IT Security May Surprise You

Last month, a report was published highlighting challenges associated with enabling IT freedoms while ensuring tight security procedures. The findings detail a complex balancing act between IT teams and network users. Calibrating this equilibrium is particularly challenging in the age of remote work as employees log on and virtually collaborate via a host of digital solutions. Overall, the survey found that virtually all employees (93%) "are working around IT restrictions," and a mere 7% said they were "satisfied with their corporate IT restrictions." Interestingly, this information about IT workarounds does not match security leaders' and IT expectations.

https://www.techrepublic.com/article/cybersecurity-risk-the-number-of-employees-going-around-it-security-may-surprise-you/

740 ransomware victims named on data leak sites in Q2 2021: report

More than 700 organizations were attacked with ransomware and had their data posted to data leak sites in Q2 of 2021, according to a new research report from cyber security firm Digital Shadows.

Out of the almost 2,600 victims listed on ransomware data leak sites, 740 of them were named in Q2 2021, representing a 47% increase compared to Q1.

https://www.zdnet.com/article/740-ransomware-victims-named-on-data-leak-sites-in-q2-2021-report/

A More Dynamic Approach Is Needed To Tackle Today’s Evolving Cyber Security Threats

For decades, the cyber security industry has followed a defense-in-depth strategy, which allowed organisations to designate the battlefield against bad actors at their edge firewall. Nowadays, cyber criminals have become as creative as ever. New cyber threats are emerging every day, and with the constantly increasing rate of Ransomware, Phishing, etc. We’re forced to take a more dynamic approach when tackling these cyber threats on a day to day basis. Recent statistics demonstrate the scale of the cyber security issues faced by companies. In 2020, malware attacks increased by 358% and ransomware increased by 435%, and the average cost of recovering from a ransomware attack has doubled in the last 12 months, reaching almost $2 million in 2021.

https://www.helpnetsecurity.com/2021/07/13/dynamic-approach-cybersecurity-threats/

Law Firm For Ford, Boeing, Exxon, Marriott, Walgreens, And More Hacked In Ransomware Attack

Campbell Conroy & O'Neil, P.C., a law firm handling hundreds of cases for the world's leading companies, has announced a large data breach that resulted from a ransomware attack in February.  In a statement, the law firm said it noticed unusual activity on its network on February 27. The firm later realized it was being hit with a ransomware attack and contacted the FBI as well as cyber security companies for help.

https://www.zdnet.com/article/law-firm-for-ford-boeing-exxon-marriott-walgreens-and-more-hacked-in-ransomware-attack/

UK And Allies Accuse China Of 'Reckless' Cyber Extortion And Microsoft Hack

The Government was hinting yet again at covertly using Britain’s own offensive cyber capabilities – hitting back at cyber attacks with cyber attacks of our own. This approach goes all the way back to 2013, when then defence secretary told the Conservative Party conference that the UK would “build a dedicated capability to counter-attack in cyber space and, if necessary, to strike in cyber space”.

https://www.telegraph.co.uk/world-news/2021/07/19/uk-allies-accuse-china-reckless-cyber-extortion-microsoft-hack/

Even after Emotet takedown, Office docs deliver 43% of all malware downloads now

Malware delivered over the cloud increased by 68% in Q2, according to data from cyber security firm Netskope.

The company released the fifth edition of its Cloud and Threat Report that covers the cloud data risks, threats and trends they see throughout the quarter.

The report noted that cloud storage apps account for more than 66% of cloud malware delivery.

"In Q2 2021, 43% of all malware downloads were malicious Office docs, compared to just 20% at the beginning of 2020. This increase comes even after the Emotet takedown, indicating that other groups observed the success of the Emotet crew and have adopted similar techniques," the report said.

https://www.zdnet.com/article/even-after-emotet-takedown-office-docs-deliver-43-of-all-malware-downloads-now/

Gun Owners' Fears After Firearms Dealer Data Breach

Thousands of names and addresses belonging to UK customers of a leading website for buying and selling shotguns and rifles have been published to the dark web following a "security breach".

Guntrader.uk told the BBC it learned of the breach on Monday and had notified the Information Commissioner's Office.

Police, including the National Crime Agency, are investigating.

One affected gun owner said he was afraid the breach could lead to his family being targeted by criminals.

Gun ownership is tightly controlled in the UK, making guns difficult to acquire, and potentially valuable on the black market.

The individual, who did not wish to be named, told the BBC the breach "seriously compromises my security arrangements for my firearms and puts me in a situation where me and my family could be targeted and in danger".

https://www.bbc.co.uk/news/technology-57932823  


Threats

Ransomware

BEC

Phishing

Malware

Mobile

Vulnerabilities

Data Breaches

Organised Crime & Criminal Actors

Supply Chain

DoS/DDoS

OT, ICS, IIoT and SCADA

Nation State Actors

Cloud

Privacy



As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Read More
Black Arrow Admin Black Arrow Admin

Cyber Weekly Flash Briefing 03 July 2020: Ransomware attacks increasing, Microsoft emergency updates, ransomware gang auction data, 'return to work' traps, new Windows botnet, Cisco SMB router flaws

Cyber Weekly Flash Briefing 03 July 2020: Ransomware attacks increasing, Microsoft emergency updates, ransomware gang auction data, 'return to work' traps, new Windows botnet, Cisco SMB router flaws

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.


Ransomware attacks are increasing, do you have an emergency plan in place?

Cyber attacks and data breaches can have serious implications for organisations in terms of downtime, financial damage and reputation of the business. Ransomware attacks that seek to encrypt a victim’s data and demand a fee to restore it continue to be prevalent. Unfortunately, the damage caused can be severe and widespread, yet 39% of organizations either have no ransomware emergency plan in place or are not aware if one exists. This is despite more ransomware attacks being recorded in the past 12 months than ever before.

The largest ransomware attack to date – WannaCry – was estimated to have affected more than 200,000 computers across 150 separate countries. Ransomware today is rife and has been exacerbated by the current work-from-home trend.

21% of respondents to a recent survey said they had experienced a ransomware attack, and of those, 26% admitted they couldn’t access any working backup after the attack. Even when organisations could access a working backup, 22% of them could either only restore a partial amount of data or none at all.

In most countries, employees have been working under a completely different set of parameters for a couple of months; ones where new security risks are high and where cybercriminals are finding new ways to exploit any weaknesses they can find.

Read more: https://www.helpnetsecurity.com/2020/07/01/ransomware-emergency-plan/

Further reading: The 11 Biggest Ransomware Attacks Of 2020 (So Far) https://www.crn.com/slide-shows/security/the-11-biggest-ransomware-attacks-of-2020-so-far-?itc=refresh


Microsoft releases emergency update to fix two serious Windows flaws

Microsoft on Tuesday released emergency security patches to plug a pair of serious vulnerabilities in its Windows Codecs library that impact several Windows 10 and Windows Server versions. Indexed as CVE-2020-1425 and CVE-2020-1457, the two remote-code execution (RCE) flaws are rated as ‘critical’ and ‘important’ in severity, respectively.

Both security loopholes have to do with how Microsoft Windows Codecs Library handles objects in memory. An attacker of the first flaw could obtain information to further compromise the user’s system, while successful exploitation of the second flaw could enable attackers to execute arbitrary code on the targeted machine.

Details are very sparse and there’s no word on specific attack vectors, but Microsoft said that exploitation of either vulnerability “requires that a program process a specially crafted image file”. This could, for example, involve luring the target into downloading and opening a malicious image file shared via email or a compromised website.

Read more: https://www.welivesecurity.com/2020/07/01/microsoft-releases-emergency-update-two-serious-windows-flaws/


Researchers Find New Calendar-Based Phishing Campaign

Researchers have once again spotted crooks using calendar invitations to mount phishing attacks using iCalendar. iCalendar is a media type that lets users store and exchange calendaring and scheduling information, including events and tasks.

Whilst this is evidence of a new campaign, this is not a new technique. A similar attack cropped up last June, when researchers found attackers using Google's auto-add feature. In that attack, smartphone users would see the invitation as a pop-up invitation, displaying a link to a phishing URL that asked for their credit card data and personal information.

Read more: https://www.infosecurity-magazine.com/news/calendar-phishing-campaign/


REvil Ransomware Gang Adds Auction Feature for Stolen Data

The REvil ransomware gang (also known as Sodinokibi) has added an auction feature to its underground website that allows anonymous bidding on information stolen in its targeted ransomware campaigns.

The auction capability appeared at the beginning of June and in announcing the feature, REvil included details on its first lot, the firm said, containing accounting information, files and databases stolen from a Canadian agricultural company.

A few days later on June 8, bidding went live, giving interested parties the choice to submit a bid (starting at $50,000) or buy the data outright, with a higher “blitz” price ($100,000).

Other victims whose data went up for sale in auction include a U.S. food distributor (accounts and documents with a starting price of $100,000 and a blitz price of double that); a U.S. law firm (50GB of data including confidential and personal information on clients, with a starting price of $30,000 and a blitz price of $50,000); and a U.S. intellectual property law firm (1.2TB of data including ‘all’ internal documentation, correspondence, patent agreements and client confidential information with a starting price of $1 million and a blitz price of $10 million).

As for why the latter’s data is so valuable, “data stolen from the intellectual property law firm reportedly includes information related to new technologies and unfiled patents that, given the high-profile client list, likely explains the high starting and blitz prices,” the firm noted in a report Monday, adding that the data would possibly be of interest to competitors or even a nation-state seeking to gain economic advantages.

Read more here: https://threatpost.com/revil-ransomware-gang-auction-stolen-data/157006/


Criminals set 'return to work' traps

Just because workers are returning to their offices, that doesn't mean criminals can't still abuse Covid-19 to spread malware and steal sensitive data.

According to a new report criminals are setting “return to work traps”, taking advantage of the training employees need to go through as they return to the office in its new form.

Many workers now need to go through various tutorials, webinars and training sessions, to ensure they are compliant with new workplace rules set up to prevent viral transmission. Sensing an opportunity, cybercriminals are disguising malware as webinar recordings and other educational material.

According to the report, these new practices are mostly reserved for businesses in North America and Europe, where lockdown measures are slowly being eased up and people are being allowed to return to work.

Read more here: https://www.itproportal.com/news/criminals-set-return-to-work-traps/


This new botnet has recruited an army of Windows devices

A new botnet is exploiting close to a dozen high and critical-severity vulnerabilities in Windows systems to turn them into cryptomining clients as well as to launch DDoS attacks.

The malware behind the botnet has been given the name Satan DDoS though security researchers have taken to referring to its as Lucifer in order to avoid confusion with the Satan ransomware.

A security firm began looking into the botnet after discovering it while following multiple incidents involving the exploitation of a critical vulnerability in a component of a web framework which can lead to remote code execution.

At first the Lucifer malware was believed to be used to mine the cryptocurrency Monero. However, it later become apparent that the malware also contains a DDoS component as well as a self-spreading mechanism that uses severe vulnerabilities and brute-forcing to its advantage.

Read more here: https://www.techradar.com/news/this-new-botnet-has-recruited-an-army-of-windows-devices


Cisco SMB routers hit with another major security flaw

Security researchers have discovered a significant cross-site scripting (XSS) vulnerability in the web admin interface of two small business routers from Cisco.

The XSS vulnerability exists in the company's RVO42 and RV042G routers and it provides attackers with an easy way to take control of the devices' web configuration utility.

This could allow an attacker to perform a number of admin actions from viewing and modifying sensitive information to taking control of the router or even having the ability to move laterally and gain access to other systems on the network.

Read more here: https://www.techradar.com/news/cisco-smb-routers-hit-with-another-major-security-flaw


Xerox apparently victim of Maze attack

It appears that Xerox is the latest victim of Maze ransomware attackers, if screenshots posted by the ransomware’s operators are legitimate.

The hackers claim to have obtained more than 100GB of information and are threatening to publish it, according to a reports.

Maze has hit a number of high-profile targets and in recent months has joined forces with other ransomware groups.

Read more: https://www.scmagazine.com/home/security-news/ransomware/xerox-apparent-victim-of-maze-attack/


FakeSpy Android Malware Spread Via ‘Postal-Service’ Apps

Android mobile device users are being targeted in a new SMS phishing campaign that’s spreading the FakeSpy infostealer. The malware, which is disguised as legitimate global postal-service apps, steals SMS messages, financial data and more from the victims’ devices.

The campaign was first discovered several weeks ago targeting South Korean and Japanese speakers, but it has now expanded that targeting to China, Taiwan, France, Switzerland, Germany, the United Kingdom and the United States. The attacker uses text messages as an initial infection vector, prompting the Android recipients to click on a malicious link, in a practice known as SMS phishing or “smishing.”

Read more here: https://threatpost.com/fakespy-android-malware-spread-via-postal-service-apps/157102/


New Mac Ransomware Is Even More Sinister Than It Appears

There haven't been too many strains tailored specifically to infect Apple's Mac computers since the first full-fledged Mac ransomware surfaced four years ago but new findings published this week have highlighted a new example of Mac ransomware called ThiefQuest.

In addition to ransomware, ThiefQuest has a whole other set of spyware capabilities that allow it to exfiltrate files from an infected computer, search the system for passwords and cryptocurrency wallet data, and run a robust keylogger to grab passwords, credit card numbers, or other financial information as a user types it in. The spyware component also lurks persistently as a backdoor on infected devices, meaning it sticks around even after a computer reboots, and could be used as a launchpad for additional, or "second stage," attacks. Given that ransomware is so rare on Macs to begin with, this one-two punch is especially noteworthy.

Read more here: https://www.wired.com/story/new-mac-ransomware-thiefquest-evilquest/


As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Read More