Threat Intelligence Blog
Contact us to discuss any insights from our Blog, and how we can support you in a tailored threat intelligence report.
Black Arrow Cyber Threat Briefing 08 September 2023
Black Arrow Cyber Threat Intelligence Briefing 08 September 2023:
-More Than Half of UK Organisations Know They Aren’t Well Protected
-Generative AI Considered a Security Risk by 60% of Board Members: How Organisations Can Prepare
-Businesses Ignore Incident Response at Their Peril
-Blame Culture: An Organisation’s Ticking Time Bomb
-Spend to Save: CFO’s and Cyber Security Investment
-Cyber Security Tools Are New Targets for Attackers, including Nation-State Actors
-Attackers Access UK Military Data Through Third Party Supplier as Relentless Russian Cyber Attacks Raise Spectre of WW3
-Common Tactics Used by Threat Actors to Weaponise PDFs
-Years-old Microsoft Security Holes Still Hot Targets for Cyber Criminals
-Popular ‘As-a-Service’ Operations Have Earned Cyber Criminals over $64m
-71% of Organisations are Impacted by Cyber Security Skills Shortage
-Multiple Schools Hit by Cyber Attacks Before Term Begins
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
More Than Half of UK Organisations Know They Aren’t Well Protected
According to a recent report, just 49% of business leaders report their organisation is well or very well protected. Cyber security featured as the third highest-rated business priority, with increasing revenues and reducing costs forming the top two. One of the ways an organisation can reduce cost is to outsource, and 63% of respondents agreed, reporting that they wanted to work with an external cyber security partner to improve their security.
Even if you’re in the 49% of organisations that believes it is well protected, this can be a dangerous self-assessment based on a lack of experience and impartiality. Business leaders need independent assurance to ensure their security controls are appropriate and in line with the organisation’s risk appetite. It is essential to dispel assumptions, by investigating your security before an attacker does.
Black Arrow Cyber Consulting offers a free, no-obligation, introductory consultation to help you gain an unbiased perspective on how your current security approach could withstand an attacker. We help our clients to know the questions to ask of their external or internal IT provider, and how to leverage other security controls from existing resources.
Sources: [IT Security Guru][Beta News]
Generative AI Considered a Security Risk by 60% of Board Members. How Organisations Can Prepare
A recent report conducted by Proofpoint found that 60% of board members consider generative AI a security risk.
The rapid development and adoption of AI is double-edged in nature. Whilst it can yield positive benefits if used safely and responsibility within organisations, AI is also being used to great effect by malicious actors with AI abuse growing beyond phishing to increasing the efficacy of multistage attacks, being used to generated malware, and carrying out different types of social engineering attacks.
For this reason Boards and senior leaders are right to be concerned and should ensure appropriate measures are being taken.
Sources: [TheNationalNews] [SCMagazine] [CyberSecurityNews]
Further reading: [BusinessCloud.co.uk] [WIRED UK] [Help Net Security]
Businesses Ignore Incident Response at Their Peril
According to a UK Government report, a quarter of businesses don’t regard cyber incident response skills as essential and almost half said they weren’t confident they could put together an incident response plan. This led to 41% saying they were not very or not at all confident that they would be able to deal with a cyber security breach or attack.
Unfortunately, this leaves many organisations in a situation where they will have to learn the hard way about the implications of not having an incident response plan. A separate government report found that 37% of those hit by a cyber attack said it impacted operations and a quarter experienced negative consequences such as loss of money or data.
One of the ways organisations can circumnavigate their lack of confidence in their ability to construct an incident response plan is to use cyber security experts to construct it.
Source: [Infosecurity Magazine]
Blame Culture: An Organisation’s Ticking Time Bomb
An organisation’s attitude and responses to cyber security are almost as important as the actions taken to prevent cyber attacks. “Lessons learnt” are a common feature within mature and cyber resilient organisations. Incidents are a matter of when not if, and it is important that organisations know how to react.
Taking the example of a phishing attack, it is easy to blame the employee who opened it, potentially firing them. With phishing simulations, it is equally easy to discipline an employee who fell for it. The problem is, neither of these focus on what can be learned, such as why the employee fell for it in the first place. Additionally, there is the potential that employees become reserved or reticent about reporting potential events, due to the fear of being disciplined. This can be the difference between an organisation having an early detection of an incident and being able to invoke incident response plans sooner, or leaving the attacker in the system doing damage for longer before being reported.
Source: [ IT Security Guru]
Spend to Save: CFOs and Cyber Security Investment
For chief financial officers (CFOs), the increasing impact of data breaches creates a paradox. While more spending is necessary to combat these challenges, this spending isn’t directly tied to profit. Instead, cyber security spending is all about return on investment.
When looking at spending, CFOs need to keep in mind that the total cost of a breach is more than the initial currency loss: there is the knock-on effect of reputation and losses in customers. But it is not a case of spending more to protect more; spending must be tailored to the organisation and prioritise in terms of business needs.
Source: [Security Intelligence]
Cyber Security Tools Are New Targets for Attackers, Including Nation-State Actors
An increasing number of attacks by nation-state attackers are targeting cyber security tools in their campaigns. This includes the recent attacks on US officials which attacked and gained access through the firewalls of the victim. Security vendors, just like anyone, will have flaws in their software: there will be vulnerabilities. As such, organisations need to be aware of these vulnerabilities and when support runs out for their cyber security tools, to better protect themselves.
Source: [News Week]
Attackers Access UK Military Data Through Third Party Supplier as Relentless Russian Cyber Attacks Raise Spectre of WW3
Top secret military data from the UK’s Ministry of Defence was stolen and then sold by the ransomware gang LockBit. How, you might ask? Through a rogue Windows 7 PC that belonged to their fencing supplier, Zaun. The LockBit Ransom group conducted the attack on the supplier’s network, and Zaun admitted the group may have exfiltrated 10GB of data.
Many attackers have realised that if you cannot directly attack an organisation, then the supplier can present a way in. Organisations need to be sure of their suppliers’ security, and conduct third party security assessments to identify the risk the supplier may present to the organisation itself.
Black Arrow have helped many clients carry out third party risk assessments on a large number of suppliers and this can be done as a standalone offering or as part of a fractional CISO engagement.
Source: [The Register] [Tech Monitor]
Common Tactics Used by Threat Actors to Weaponise PDFs
PDFs are often seen as safe, something that cannot be used by an attacker, but that’s wrong. Actors are using this trustworthiness, as well as the difficulty in detection and ubiquity of PDFs, to weaponise them. Common tactics involve malicious hyperlinks within PDFs and macros that run when a PDF is opened, and in some cases attackers are disguising a malicious Word document as a PDF to evade detection.
Source: [Cyber Security News]
Years-old Microsoft Security Holes Still Hot Targets for Cyber Criminals
A recent report has found that Microsoft vulnerabilities as old as 6 years are still being exploited, with one recorded as being exploited as recently as 31 August. In fact, since this particular vulnerability was fixed, it has been used to deploy 467 different malware types. This is not the number of attacks, but the number of different types of malware used in attacks.
The concept isn’t just for Microsoft. Many organisations do not employ effective patching strategies, and as such leave the doors open to attackers. Sometimes, these doors are open for years.
Source: [The Register]
Popular ‘As-a-Service’ Operations Have Earned Cyber Criminals over $64m
As-a-service operations allow attackers to employ sophisticated attacks without the need for extensive knowledge; they simply just purchase the ability. Take phishing-as-a-service (PhaaS), where an attacker with very limited cyber knowledge simply needs to purchase a phishing kit and they are then well-equipped to target organisations. This availability in tools creates a significant surge in the number of cyber criminals, with one scheme alone raking in $64.5 billion in illegal gains.
Source: [IT Security Guru]
71% of Organisations are Impacted by Cyber Security Skills Shortage
Most organisations (71%) report that they’ve been impacted by the cyber security skills shortage, leading to an increased workload for the cyber security team (61%), unfilled open job requisitions (49%) and high burnout among staff (43%). Further, 95% respondents state the cyber security skills shortage and its associated impacts have not improved over the past few years and 54% (up 10% from 2021) say it has got worse.
Organisations need to continue maintaining and improving their security while their cyber security positions remain unfilled. Black Arrow supports firms to achieve this by providing expert resources on a flexible basis for technical, governance and transformational positions.
Source: [Security Magazine] [Digital Journal]
Multiple Schools Hit by Cyber Attacks Before Term Begins
Ahead of the new school term, a number of schools have become the victim of serious cyber attacks. The education sector isn’t a new target, with previous ransomware reports finding the education sector to account for 16% of victims.
The education sector remains a target due to the valuable data they hold, large attack surfaces and frequently a lack of resources and budgets, something many small and medium-sized business may share.
Source: [Infosecurity Magazine]
Governance, Risk and Compliance
The importance of CISOs is not recognised by senior leadership - IT Security Guru
Blame Culture: An Organisation's Ticking Time Bomb - IT Security Guru
Spend to save: The CFO’s guide to cyber security investment (securityintelligence.com)
SEC tells companies to “show their work” on cyber security - Red Canary
Cyber security: a life cycle, not a destination | Hydrocarbon Engineering
Rising Physical Incidents Should Drive C-Level Investment & Action (forbes.com)
Compliance budgets under strain as inflation and workload grow - Help Net Security
Cyber Security pros battle discontent amid skills shortage - Help Net Security
CISOs weigh in on building security-focused culture | Healthcare IT News
How Do Some Companies Get Compromised Again and Again? (securityintelligence.com)
IAM, cloud security to drive new cyber security spending | CSO Online
Threats
Ransomware, Extortion and Destructive Attacks
Ministry of Defence documents leaked by LockBit (techmonitor.ai)
Attackers access military data through fencing supplier • The Register
Ransomware attackers are targeting exposed Microsoft SQL databases, report says (therecord.media)
Ransomware and Data Breaches: Impacts Continue to Grow Louder (govtech.com)
Education Sector Heavily Targeted as the School Year Begins (databreaches.net)
Killware vs. Ransomware: What's the Difference? (makeuseof.com)
Is this the next target for international ransomware attacks? | World Economic Forum (weforum.org)
To Pay or Not to Pay? The Ransomware Dilemma (informationweek.com)
Snake Ransomware Endangers Your Data: How Can You Stop It? (makeuseof.com)
How to Prevent Ransomware: 6 Key Steps to Safeguard Assets (techtarget.com)
Ransomware Victims
LockBit Leaks Documents Filched From UK Defence Contractor (darkreading.com)
Ministry of Defence documents leaked in cyber attack (civilserviceworld.com)
Debenham High School IT system hit by cyber attack - BBC News
Highgate Wood School delays term by 6 days after cyber attack | This Is Local London
Cyber attack hits Wokingham's Maiden Erlegh School | Reading Chronicle
Ransomware gang claims credit for Sabre data breach | TechCrunch
Hackers claim to publish prominent Israeli hospital’s patient data (therecord.media)
Phishing & Email Based Attacks
AI abuse grows beyond phishing to multistage cyber attacks | SC Media (scmagazine.com)
Google is enabling Chrome real-time phishing protection for everyone (bleepingcomputer.com)New phishing tool hijacked thousands of Microsoft business email accounts (therecord.media)
Beware of New Fileless Malware that Propagates Via Spam Mail (cybersecuritynews.com)
Spam is up, QR codes emerge as a significant threat vector - Help Net Security
From unsuspecting click to data compromise - Help Net Security
Alert: Phishing Campaigns Deliver New SideTwist Backdoor and Agent Tesla Variant (thehackernews.com)
Getting off the hook: 10 steps to take after clicking on a phishing link (welivesecurity.com)
Other Social Engineering; Smishing, Vishing, etc
Emerging threat: AI-powered social engineering - Help Net Security
Hackers Using ChatGPT to Generate Malware & Social Engineering Threats (cybersecuritynews.com)
How cyber criminals use look-alike domains to impersonate brands - Help Net Security
Artificial Intelligence
Generative AI considered a security risk by 60% of board members, survey finds (thenationalnews.com)
AI ‘triggers DeepTech anxiety for senior leaders’ (businesscloud.co.uk)
Emerging threat: AI-powered social engineering - Help Net Security
AI abuse grows beyond phishing to multistage cyber attacks | SC Media (scmagazine.com)
Hackers Using ChatGPT to Generate Malware & Social Engineering Threats (cybersecuritynews.com)
UK tech tsar warns of AI cyber threat to NHS | Financial Times (ft.com)
It's the summer of adversarial chatbots. Here's how to defend against them - SiliconANGLE
Will the AI Arms Race Lead to the Pollution of the Internet? (darkreading.com)
UK cyber chief urges ‘Security by Design’ in AI development (ukdefencejournal.org.uk)
Generative AI’s Biggest Security Flaw Is Not Easy to Fix | WIRED UK
Developers have security, other generative AI concerns but use it anyway - ARN (arnnet.com.au)
How Companies Can Cope With the Risks of Generative AI Tools (darkreading.com)
3 ways to strike the right balance with generative AI - Help Net Security
Peril vs. Promise: Companies, Developers Worry Over Generative AI Risk (darkreading.com)
Experts Probe AI Risks Around Malicious Use, China Influence (govinfosecurity.com)
Beware: Deepfake Scams Could Target Your Next Zoom Meeting | Entrepreneur
Malware
Common Tactics Used by Threat Actors to Weaponise PDFs (cybersecuritynews.com)
'Atomic macOS Stealer' Malware Delivered via Malvertising Campaign - SecurityWeek
Hackers Using ChatGPT to Generate Malware & Social Engineering Threats (cybersecuritynews.com)
UNRAVELING EternalBlue: inside the WannaCry’s enabler (securityaffairs.com)
Malware configurations How to find and use them? (govinfosecurity.com)
Beware of New Fileless Malware that Propagates Via Spam Mail (cybersecuritynews.com)
New Python Variant of Chaes Malware Targets Banking and Logistics Industries (thehackernews.com)
New BLISTER Malware Update Fuelling Stealthy Network Infiltration (thehackernews.com)
Alert: Phishing Campaigns Deliver New SideTwist Backdoor and Agent Tesla Variant (thehackernews.com)
Mobile
Hacking device Flipper Zero can spam nearby iPhones with Bluetooth pop-ups | TechCrunch
September Android updates fix zero-day exploited in attacks (bleepingcomputer.com)
Hacker exploits security flaw to target iPhone users with 'notification attack' | Macworld
Botnets
Denial of Service/DoS/DDOS
DDoS attack took down the site of German financial agency BaFin (securityaffairs.com)
Mirai variant infects low-cost Android TV boxes for DDoS attacks (bleepingcomputer.com)
CISA Releases Capacity Enhancement Guide to Strengthen Agency Resilience to DDoS Attack | CISA
BYOD
Internet of Things – IoT
Securing The IoT From The Threat China Poses To US Infrastructure (forbes.com)
Connected cars and cyber crime: A primer - Help Net Security
Hacking device Flipper Zero can spam nearby iPhones with Bluetooth pop-ups | TechCrunch
Mirai variant infects low-cost Android TV boxes for DDoS attacks (bleepingcomputer.com)
Why consumer drones represent a special cyber security risk (securityintelligence.com)
Like privacy? Then smart devices are a dumb idea • The Register
Maker of ‘smart’ chastity cage left users’ emails, passwords, and locations exposed | TechCrunch
Data Breaches/Leaks
Electoral Commission failed basic security test before hack - BBC News
Insurer fined $3M for exposing data of 650k clients for two years (bleepingcomputer.com)
Golf gear giant Callaway data breach exposes info of 1.1 million (bleepingcomputer.com)
Freecycle confirms massive data breach impacting 7 million users (bleepingcomputer.com)
Thousands of Popular Websites Leaking Secrets - SecurityWeek
Johnson & Johnson discloses IBM data breach impacting patients (bleepingcomputer.com)
Northern Ireland police chief quits in wake of data breach • The Register
Lawsuit blames Tesla for data breach it sued ex-staff over • The Register
Organised Crime & Criminal Actors
Popular 'As-a-Service' Operations Have Earned Cyber Criminals over $64m - IT Security Guru
Cyber Crime Tremors: Experts Forecast Qakbot Resurgence (govinfosecurity.com)
It might be too soon to claim victory against Qakbot | Computer Weekly
Cyber crime to cost Germany 206 billion euros in 2023, survey finds | Reuters
Cyber criminals coercing children in their own bedrooms | The Canberra Times | Canberra, ACT
Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain
YouTuber Loses $60K Worth of Crypto After Showing Seed Phrases on Stream - Decrypt
Who Pulled Off a $41M Online Casino Heist? North Korea, FBI Says (vice.com)
Is this the next target for international ransomware attacks? | World Economic Forum (weforum.org)
Bitcoin exchange exec admits he ignored anti-laundering laws • The Register
Cyber criminals target graphic designers with GPU miners (talosintelligence.com)
LastPass under fire again as users report stolen crypto keys and losses | Cybernews
Insider Risk and Insider Threats
Fraud, Scams & Financial Crime
Popular 'As-a-Service' Operations Have Earned Cyber criminals over $64m - IT Security Guru
Fake YouPorn extortion scam threatens to leak your sex tape (bleepingcomputer.com)
Four Convicted in $18m Investment Fraud Scheme - Infosecurity Magazine (infosecurity-magazine.com)
Global roaming fraud losses to surpass $8 billion by 2028 - Help Net Security
Airlines Battle Surge in Loyalty Program Fraud - Infosecurity Magazine (infosecurity-magazine.com)
How We Track Crypto Money Laundering for Off-Chain Crime (chainalysis.com)
See Tickets Alerts 300,000 Customers After Another Web Skimmer Attack - SecurityWeek
Beware: Deepfake Scams Could Target Your Next Zoom Meeting | Entrepreneur
Impersonation Attacks
'Smishing Triad' Targeted USPS and US Citizens for Data Theft (securityaffairs.com)
How cyber criminals use look-alike domains to impersonate brands - Help Net Security
Deepfakes
Emerging threat: AI-powered social engineering - Help Net Security
Beware: Deepfake Scams Could Target Your Next Zoom Meeting | Entrepreneur
AML/CFT/Sanctions
How We Track Crypto Money Laundering for Off-Chain Crime (chainalysis.com)
Four Convicted in $18m Investment Fraud Scheme - Infosecurity Magazine (infosecurity-magazine.com)
Bitcoin exchange exec admits he ignored anti-laundering laws • The Register
Insurance
Insights Into the Changing Landscape of Cyber Insurance - Frost Brown Todd | Full-Service Law Firm
Time and effort to obtain cyber insurance increasing for US businesses | CSO Online
Beazley expects to sponsor more cyber catastrophe bonds in 2024 - Artemis.bm
Lloyd’s categorises cyber war wordings in aggregation clarity push (insuranceinsider.com)
Dark Web
Supply Chain and Third Parties
Attackers access military data through fencing supplier • The Register
Ministry of Defence documents leaked by LockBit (techmonitor.ai)
Supply chain related security risks, and how to protect against them (malwarebytes.com)
5 ways to improve your supply chain security posture | IT Reseller Magazine (itrportal.com)
Overcoming Open Source Vulnerabilities in the Software Supply Chain (darkreading.com)
Creating a more cyber secure supply chain requires group effort - FreightWaves
Facing Third-Party Threats With Non-Employee Risk Management (darkreading.com)
Software Supply Chain
Cloud/SaaS
Step Up Your Defence Against Cloud-loving Cyber Criminals (informationsecuritybuzz.com)
IAM, cloud security to drive new cyber security spending | CSO Online
Hybrid/Remote Working
Attack Surface Management
What OSINT is, and why it’s dangerous | Kaspersky official blog
Armis report sheds light on top 10 targeted assets by cyber attackers - SiliconANGLE
Top 10 riskiest assets threatening global business - IT Security Guru
Encryption
Government denies U-turn on encrypted messaging row - BBC News
UK lawmakers back down on encryption-busting 'spy clause' | CyberScoop
API
Open Source
Software industry urged to assume risk on open source security | CIO Dive
Overcoming Open Source Vulnerabilities in the Software Supply Chain (darkreading.com)
Passwords, Credential Stuffing & Brute Force Attacks
It's a Zero-day? It's Malware? No! It's Username and Password (thehackernews.com)
Chrome extensions can steal plaintext passwords from websites (bleepingcomputer.com)
Hacker gains admin control of Sourcegraph and gives free access to the masses | Ars Technica
Passwords From The November 2022 LastPass Breach Being Cracked? - PC Perspective
LastPass under fire again as users report stolen crypto keys and losses | Cybernews
Maker of ‘smart’ chastity cage left users’ emails, passwords, and locations exposed | TechCrunch
75% of education sector attacks linked to compromised accounts - Help Net Security
Social Media
Malvertising
Parental Controls and Child Safety
Children's snack recalled after its website caught serving porn (bleepingcomputer.com)
Cyber criminals coercing children in their own bedrooms | The Canberra Times | Canberra, ACT
Regulations, Fines and Legislation
An Overview of ENISA’s Risk Management Standards Report | UpGuard
SEC tells companies to “show their work” on cyber security - Red Canary
Verizon to pay feds $4M over cyber security lapse | Light Reading
Government denies U-turn on encrypted messaging row - BBC News
UK drops 'spy clause' for scanning encrypted messages • The Register
Models, Frameworks and Standards
An Overview of ENISA’s Risk Management Standards Report | UpGuard
CIS Benchmarks Communities: Where configurations meet consensus - Help Net Security
Explaining The New NIST Cyber Security Framework to the C-Suite
Backup and Recovery
Careers, Working in Cyber and Information Security
71% of organisations are impacted by cyber security skills shortage | Security Magazine
Cyber Security Skills Gap set to cost UK £120 billion by 2023 - Essex-TV
6 free resources for getting started in cyber security - Help Net Security
Cyber professionals say industry urgently needs to confront mental health crisis | CyberScoop
Cyber security pros battle discontent amid skills shortage - Help Net Security
Law Enforcement Action and Take Downs
It might be too soon to claim victory against Qakbot | Computer Weekly
Cops drill into chat apps to thwart coke-smuggling ring • The Register
Privacy, Surveillance and Mass Monitoring
Misinformation, Disinformation and Propaganda
Nation State Actors, Advanced Persistent Threats (APTs), Cyber Warfare and Cyber Espionage
Russia
Russia-linked attackers hit UK Ministry of Defence, leak stolen data | CSO Online
Meet the man leading the front-line effort in Ukraine's cyber war with Russia : NPR
China and Russia are pushing the boundaries of cyber attacks to harm other states - CityAM
Ukraine's CERT Thwarts APT28's Cyber Attack on Critical Energy Infrastructure (thehackernews.com)
Attackers access military data through fencing supplier • The Register
Russia-linked hack on Trident base sparks 'World War Three' warning from expert (yahoo.com)
Russia, China behind majority of cyber attacks targeting German businesses (aa.com.tr)
Elon Musk's Father Fears Possible Assassination Attempt on His Son (businessinsider.com)
Big Tech failed to police Russian disinformation: EU study • The Register
North Korea hackers going after Russian targets, Microsoft says, World News - AsiaOne
China
How China gets free intel on tech companies’ vulnerabilities | Ars Technica
Experts Probe AI Risks Around Malicious Use, China Influence (govinfosecurity.com)
How Microsoft's highly secure environment was breached (malwarebytes.com)
Securing The IoT From The Threat China Poses To US Infrastructure (forbes.com)
China and Russia are pushing the boundaries of cyber attacks to harm other states - CityAM
Russia, China behind majority of cyber attacks targeting German businesses (aa.com.tr)
German companies report more cyber attacks from Russia, China | Meta.mk
Microsoft finally explains cause of Azure breach: An engineer’s account was hacked | Ars Technica
South Korean Cyber Security Concerns Over Chinese-Made Cranes, Meteorological Gear | The Epoch Times
Huawei hits back in Portugal over 5G 'ban' with lawsuit - DCD (datacenterdynamics.com)
Iran
Hackers push anti-Iranian government messages to millions via breached app | CyberScoop
Iranian hackers breach US aviation org via Zoho, Fortinet bugs (bleepingcomputer.com)
North Korea
Lazarus hackers deploy fake VMware PyPI packages in VMConnect attacks (bleepingcomputer.com)
Researchers Warn of Cyber Weapons Used by Lazarus Group's Andariel Cluster (thehackernews.com)
Meet the man leading the front-line effort in Ukraine's cyber war with Russia : NPR
North Korean hackers target security researchers with new zero-day (therecord.media)
North Korea hackers going after Russian targets, Microsoft says, World News - AsiaOne
Who Pulled Off a $41M Online Casino Heist? North Korea, FBI Says (vice.com)
Misc Nation State/Cyber Warfare
Nation-state 'hot zones' offer view of the future of cyber war – report - CIR Magazine
Lloyd’s categorises cyber war wordings in aggregation clarity push (insuranceinsider.com)
Cyber Security Tools Are New Targets For Nation-State Hackers (newsweek.com)
Multiple Nation-State Threat Actors Exploit CVE-2022-47966 and CVE-2022-42475 | CISA
Vulnerability Management
Years-old Microsoft bugs are still hot targets for criminals • The Register
Old vulnerabilities are still a big problem - Help Net Security
Overcoming Open Source Vulnerabilities in the Software Supply Chain (darkreading.com)
How China gets free intel on tech companies’ vulnerabilities | Ars Technica
Vulnerabilities
Apple discloses 2 actively exploited zero-days in iPhones, Macs (securityaffairs.com)
Google patches 4 high-rated security issues in latest Chrome 116 update - gHacks Tech News
Two flaws in Apache SuperSet allow to remotely hack servers (securityaffairs.com)
Cisco Patches Critical Vulnerability in BroadWorks Platform - SecurityWeek
Multiple Notepad++ Flaws Let Attackers Execute Arbitrary Code (cybersecuritynews.com)
Hackers exploit MinIO storage system to breach corporate networks (bleepingcomputer.com)
ASUS routers vulnerable to critical remote code execution flaws (bleepingcomputer.com)
September Android updates fix zero-day exploited in attacks (bleepingcomputer.com)
Cisco SSO authentication bug patched - Security - Networking - iTnews
Multiple Nation-State Threat Actors Exploit CVE-2022-47966 and CVE-2022-42475 | CISA
Security or performance? Zenbleed forces you to choose | Digital Trends
Tools and Controls
Many businesses still aren't using BYOD protection | TechRadar
Insights Into the Changing Landscape of Cyber Insurance - Frost Brown Todd | Full-Service Law Firm
Spend to save: The CFO’s guide to cyber security investment (securityintelligence.com)
An Overview of ENISA’s Risk Management Standards Report | UpGuard
IOCs vs Artifacts How to Filter Out the Noise (govinfosecurity.com)
Time and effort to obtain cyber insurance increasing for US businesses | CSO Online
Chrome extensions can steal plaintext passwords from websites (bleepingcomputer.com)
Dangling DNS Used to Hijack Subdomains of Major Organisations - SecurityWeek
Why DNS Security Can Be Your Most Problematic Blind Spot (hyas.com)
Cyber Security Tools Are New Targets For Nation-State Hackers (newsweek.com)
Rising Physical Incidents Should Drive C-Level Investment & Action (forbes.com)
Why Cyber Security Risk Assessment Matters in the Banking Industry (securityintelligence.com)
Cut through cyber security vendor hype with these 6 tips | TechTarget
IAM, cloud security to drive new cyber security spending | CSO Online
Best practices for implementing a proper backup strategy - Help Net Security
Other News
Education Sector Heavily Targeted as the School Year Begins (databreaches.net)
Schools warned of cyberattack threat as new year begins | Science & Tech News | Sky News
Ways to protect WordPress sites and blogs from hacking | Kaspersky official blog
Insecure by design: What you need to know about defending critical infrastructure | CSO Online
Half of Switzerland's large companies have been the victim of a cyber attack | Euronews
Dangling DNS Used to Hijack Subdomains of Major Organizations - SecurityWeek
Securing the future: Safeguarding cyber-physical systems | CSO Online
25 Major Car Brands Get Failing Marks From Mozilla for Security and Privacy - SecurityWeek
Cyber security In Focus Ahead Of Berlin NATO Conference | OilPrice.com
10 old-school security principles that (still) rule | CSO Online
Surge in Hospital Hacks Endangers Patients, Cyber Official Says - WSJ
Sector Specific
Industry specific threat intelligence reports are available.
Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.
· Automotive
· Construction
· Critical National Infrastructure (CNI)
· Defence & Space
· Education & Academia
· Energy & Utilities
· Estate Agencies
· Financial Services
· FinTech
· Food & Agriculture
· Gaming & Gambling
· Government & Public Sector (including Law Enforcement)
· Health/Medical/Pharma
· Hotels & Hospitality
· Insurance
· Legal
· Manufacturing
· Maritime
· Oil, Gas & Mining
· OT, ICS, IIoT, SCADA & Cyber-Physical Systems
· Retail & eCommerce
· Small and Medium Sized Businesses (SMBs)
· Startups
· Telecoms
· Third Sector & Charities
· Transport & Aviation
· Web3
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Threat Briefing 30 June 2023
Black Arrow Cyber Threat Briefing 30 June 2023:
-Zurich Insurance Group Secures Data Leak After Leaving Sensitive Data Publicly Accessible
-Employees Worry Less About Cyber Security Best Practices in the Summer
-Businesses are Ignoring Third-Party Security Risks
-Fear Trumps Anger When It Comes to Data Breaches – Angry Customers Vent, But Fearful Customers Don’t Come Back
-Over 130 Organisations and Millions of Individuals Believed to Be Impacted by MOVEit Hack, it Keeps Growing
-Widespread BEC Attacks Threaten European Organisations
-Lloyd’s Syndicates Sued Over Cyber Insurance
-95% Fear Inadequate Cloud Security Detection and Response
-The Growing Use of Generative AI and the Security Risks They Pose
-The CISO’s Toolkit Must Include Political Capital Within The C-Suite
-Microsoft Warns of Widescale Credential Stealing Attacks by Russian Hackers as War Ministers Reliant on Cyber Crime
-SMBs Plagued by Exploits, Trojans and Backdoors
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
Zurich Insurance Group Secures Data Leak After Leaving Sensitive Data Publicly Accessible
Zurich Insurance Group is a major player in the insurance game, with over 55 million clients. They have recently just fixed a sensitive file that they had left publicly accessible. The file in question contained a range of credentials including database credentials, admin credentials, credentials for the actively exploited MOVEit software, credentials for their HR system and more. All of which could be utilised by threat actors to inflict serious damage. This was not the only vulnerability stemming from the insurance group; researchers found that Zurich were also running an outdated website, which contained a large number of vulnerabilities.
The case is alarming as Zurich Insurance Group provides cyber insurance and the instance above reinforces the need for organisations to be proactive in identifying cyber risks in their environment; it is simply not enough to rely on having insurance or meeting insurance requirements.
https://cybernews.com/zurich-insurance-data-leak/
Employees Worry Less About Cyber Security Best Practices in the Summer
IT teams are struggling to monitor and enforce BYOD (Bring Your Own Device) policies during summer months according to a new report. The report found that 55% of employees admitted to relying solely on their mobile devices while working remotely in the summer. 25% of all respondents claim that they aren’t concerned about ensuring network connections are secure when accessing their company’s data.
In the same report, 45% of employees in the US and UK said no specific measures to educate and remind employees on security best practices are taken during the summer, with only 24% of UK respondents receiving access to online cyber security training and guides and even less (17%) in the US. This comes as a separate report found that the number of phishing sites targeting mobile devices increased from 75% to 80% year-on-year in 2022, and this is likely to continue rising. Worryingly, it was also found that the average user is between six and ten times more likely to fall for an SMS phishing attack than email.
https://www.helpnetsecurity.com/2023/06/30/summer-byod-policies/
https://www.infosecurity-magazine.com/news/mobile-malware-and-phishing-surge/
Businesses are Ignoring Third-Party Security Risks
With 58% of companies managing over 100 vendors, 8% of which manage over 1,000, the need for a robust Third-Party Security Risk Management process becomes abundantly clear. Despite this, only 13% of organisations continuously monitor the security risks of their third parties. This is worrying, when considering the knock-on effects of third party breaches from the likes of Capita, SolarWinds and 3CX, and the recent MOVEit attack, impacting organisations whose only relationship with MOVEit was that their supplier used it.
https://www.helpnetsecurity.com/2023/06/30/third-party-relationships-risks/
Fear Trumps Anger When It Comes to Data Breaches – Angry Customers Vent, But Fearful Customers Don’t Come Back
When a person is notified of a data breach involving their personal information, if they react with a feeling of fear, as opposed to anger, they’re more likely to stop using the site. A report found that positive attitudes toward the website before the breach did not meaningfully affect whether consumers reengaged with the website after the breach, as some prior research has indicated. Instead, the emotional response of fear weighed heavily on customers and outweighed any earlier positive sentiment towards the organisation.
When a company has been breached in the past they have dealt with angry customers and negative press. To do so, companies may engage crisis managers to contain the damage, partner with identity protection services, pay fines or settlements, or try to lure back customers with free services. However, the study shows that companies need to address fearful customers differently after a data breach has occurred if they want to avoid customer loss. To do this, companies can work with their IT departments to identify customers who are no longer active after a breach and then reach out to them directly to assuage their fears.
Over 130 Organisations and Millions of Individuals Believed to be Impacted by MOVEit Hack, it Keeps Growing
The dramatic fallout continues in the mass exploitation of a critical vulnerability in a widely used file-transfer program, with at least three new victims coming to light in the past few days. They include the New York City Department of Education and energy companies Schneider Electric and Siemens Electric. These join others, including PwC, Sony and EY. If the attack has shown us one thing, it’s that any organisation can be a victim.
Widespread BEC Attacks Threaten European Organisations
Based on an analysis of email attack trends between June 2022 and May 2023, total email attacks in Europe increased by 7 times and the US 5 times. For business email compromise (BEC) specifically, Europe saw an alarming 10 times the amount it had previously and the US saw a 2 times increase.
BEC continues to remain a high priority threat for many organisations and if someone already has a legitimate business email which they have compromised to use for BEC attacks on your organisation, it is very likely that your technical processes will be ineffective, leaving your people and operational processes to stop an attack. Is your organisation cyber aware? Are they undergoing regular awareness training?
This is one of many areas that Black Arrow can help improve your organisation’s security through robust employee cyber security Awareness Behaviour and Culture training.
https://www.helpnetsecurity.com/2023/06/27/bec-attacks-frequency/
Lloyd’s Syndicates Sued Over Cyber Insurance
The University of California (UCLA) is suing a number of insurance firms for refusing to pay out on cyber policies nearly 10 years after hackers breached data on millions of patients at its health system. The dispute is over a cyber attack from 2014 through 2015 that exposed personal information of patients at UCLA Health.
UCLA Health allege that the syndicates refused to engage in dispute resolution by asserting that the statue of limitations applying to the claims had expired. The insurers, who could not be named, are said to have refused every claim saying that UCLA Health failed to satisfy cyber security requirements under the contract terms. It’s important for organisations with cyber insurance to understand their insurance in detail and to know where they stand in the event of a cyber incident.
95% Fear Inadequate Cloud Security Detection and Response
A recent report found 95% of respondents expressed concern in their organisation’s ability to detect and respond to a security event in their cloud environment. The same study also found that 50% of total respondents had reported a data breach due to unauthorised access to their cloud environment.
It is often the case that issues in the cloud come from the perception of the responsibility of the cloud environment. Organisations must realise that they share responsibility for securing their cloud environment, including its configuration. The report found that, despite the number of breaches and concerns in their organisation’s ability, more than 80% of respondents still felt their existing tooling and configuration would sufficiently cover their organisation from an attack. Organisations must ask themselves what they are doing to protect their cloud environment.
https://www.helpnetsecurity.com/2023/06/27/cloud-environment-security/
The Growing Use of Generative AI and the Security Risks They Pose
A recent survey by Malwarebytes revealed 81% of people are concerned about the security risks posed by ChatGPT and generative AI, and 52% of respondents are calling for a pause on ChatGPT for regulations to catch up, while 7% think it will improve internet security. A key concern about the data produced by generative AI platforms is the risk of "hallucinations" whereby machine learning models produce untruths. This becomes a serious issue for organisations if its content is heavily relied upon to make decisions, particularly those relating to threat detection and response.
Another recent report on the risks brought by Large Language Model AIs showed that the rise in opensource AI adoption is developed insecurely; this results in an increased threat with substantial security risks to organisation.
The CISO’s Toolkit Must Include Political Capital Within The C-Suite
Over the past 18 months, there has been a sea change in the chief information security officer (CISO) role. Fundamentally, the CISO is responsible for the protection of an entity's information. The US Securities and Exchange Commission (SEC) has issued a proposed rule change on cyber security risk management, strategy, governance, and incident response disclosure by public companies that requires publicly traded companies to provide evidence of the board's oversight of cyber security risk. Couple this with the former CISO of Uber being found guilty on charges of "obstruction of the proceedings of the Federal Trade Commission" and it is clear that the hand at the helm must be able to navigate all types of seas in their entity's political milieu. In this regard, the CISO needs to acquire political capital. CISO’s should have the capability to talk in understandable terms and clearly demonstrate value to the other board members.
Microsoft Warns of Widescale Credential Stealing Attacks by Russian Hackers as War Ministers Reliant on Cyber Crime
Russia's diminishing position on the world stage has limited its physical options on the ground, leaving Putin's regime increasingly reliant on cyber crime to carry out its oppositional activities against Ukraine and Europe. Microsoft has disclosed that it has detected a spike in credential-stealing attacks conducted by the Russian state-affiliated hacker group known as Midnight Blizzard.
This comes as Switzerland's Federal Intelligence Service (FIS) released its 2023 security assessment, predicting that Russia will increasingly launch cyber attacks as part of its war strategy not just in Ukraine, but against NATO member states as well.
https://www.darkreading.com/threat-intelligence/russia-reliant-on-cybercrime-as-international-pariah
https://thehackernews.com/2023/06/microsoft-warns-of-widescale-credential.html
SMB’s Plagued as Cyber Attackers Still Rely on Decades Old Security Weaknesses and Tactics
Despite best cyber security efforts, small and mid-sized businesses (SMBs) continue to struggle to thwart attacks and harden defences in response to remote working and other newer challenges.
This future focus can lead to a neglection of older weaknesses. Cyber attackers are typically relying on tried-and-tested tactics and old security weaknesses to target organisations, a recent Barracuda threat spotlight found. Hackers are returning to proven methods to gain remote control of systems, install malware, steal information and disrupt or disable business operations through denial-of-service attacks, Barracuda reports. The report found that between February to April 2023, the top malicious tactics found to be used were vulnerabilities from 2008.
The report highlights the fact that there are no cutoff dates for vulnerabilities and attackers will use whatever is at their disposal to try and infiltrate your organisation. This can be protected by having strong policies and controls in place alongside frequent penetration testing to ensure these vulnerabilities are being patched.
https://www.scmagazine.com/news/malware/smbs-plagued-by-exploits-trojans-and-backdoors
Governance, Risk and Compliance
Businesses are ignoring third-party security risks - Help Net Security
Employees worry less about cyber security best practices in the summer - Help Net Security
Digital-First Economy Has Transformed Role of CISO- IT Security Guru
SEC Alleges SolarWinds CFO, CISO Violated US Securities Laws (bankinfosecurity.com)
The CISO’s toolkit must include political capital within the C-suite | CSO Online
NCSC Launches Cyber Risk Management Toolbox - Infosecurity Magazine (infosecurity-magazine.com)
Threats
Ransomware, Extortion and Destructive Attacks
MOVEit hackers may have found simpler business model beyond ransomware | SC Media (scmagazine.com)
Dozens of Businesses Hit Recently by '8Base' Ransomware Gang - SecurityWeek
UK cyber spies warn ransomware criminals targeting law firms • The Register
Cl0p in Your Network? Here's How to Find Out (darkreading.com)
July is Ransomware Month: Reminder to Prepare, Defend Against Hijackers - MSSP Alert
The Trickbot/Conti Crypters: Where Are They Now? (securityintelligence.com)
Linux version of Akira ransomware targets VMware ESXi servers (bleepingcomputer.com)
Ransomware Victims
Casualties keep growing in this month’s mass exploitation of MOVEit 0-day | Ars Technica
8 Tech And IT Companies Targeted In The MOVEit Attacks | CRN
MOVEIt breach impacts Genworth, CalPERS as data for 3.2 million exposed (bleepingcomputer.com)
Clop names PWC, Ernst & Young, and Sony in MOVEit hack | Cybernews
UCLA, Siemens Among Latest Victims of Relentless MOVEit Attacks (darkreading.com)
Siemens Energy, Schneider Electric Targeted by Ransomware Group in MOVEit Attack - SecurityWeek
10 banks alleged victims of ransomware attacks on file transfer software | American Banker
Almost 770,000 Calpers members hit by cyber attack | Financial Times (ft.com)
Ransomware and phishing attacks continue to plague businesses in Singapore | ZDNET
K-12 schools are revisiting their cyber strategies after year of ransomware attacks (axios.com)
Phishing & Email Based Attacks
Mobile Malware and Phishing Surge in 2022 - Infosecurity Magazine (infosecurity-magazine.com)
How a Layered Security Approach Can Minimise Email Threats - MSSP Alert
Less than half of UK banks implement most secure DMARC level | CSO Online
BEC – Business Email Compromise
Widespread BEC attacks threaten European organisations - Help Net Security
The Current State of Business Email Compromise Attacks (bleepingcomputer.com)
Other Social Engineering; Smishing, Vishing, etc
Unmasking Pig-Butchering Scams and Protecting Your Financial Future - Security News (trendmicro.com)
Artificial Intelligence
Sharing Your Business’ Data With ChatGPT: How Risky Is It? - MSSP Alert
OpenAI lawsuit: Maker of ChatGPT sued over alleged data usage | CNN Business
Lawyers who cited fake cases invented by ChatGPT must pay • The Register
Generative AI Projects Pose Major Cyber security Risk to Enterprises (darkreading.com)
How to Deploy Generative AI Safely and Responsibly (trendmicro.com)
Generative-AI apps & ChatGPT: Potential risks and mitigation strategies (thehackernews.com)
Does the world need an arms control treaty for AI? | CyberScoop
When It Comes to Secure Coding, ChatGPT Is Quintessentially Human (darkreading.com)
AI-Enabled Voice Cloning Anchors Deepfaked Kidnapping (darkreading.com)
2FA/MFA
Malware
SMBs plagued by exploits, trojans and backdoors | SC Media (scmagazine.com)
Hackers Use Weaponized PDF Files to Attack Organisations (cybersecuritynews.com)
New Mockingjay Process Injection Technique Could Let Malware Evade Detection (thehackernews.com)
Fileless attacks surge as cyber Criminals evade cloud security defences | CSO Online
NSA warns of ‘false sense of security’ against BlackLotus malware (therecord.media)
Trojanized Super Mario Bros game spreads malware- - Security Affairs
New PindOS JavaScript dropper deploys Bumblebee, IcedID malware (bleepingcomputer.com)
NPM Plagued with ‘Manifest Confusion’ Malware-Hiding Weakness (darkreading.com)
Newly Uncovered ThirdEye Windows-Based Malware Steals Sensitive Data (thehackernews.com)
North Korean Andariel APT used a new malware named EarlyRat - Security Affairs
Mobile
Mobile Malware and Phishing Surge in 2022 - Infosecurity Magazine (infosecurity-magazine.com)
Apple says proposed UK law ‘poses a serious threat’ to end-to-end encryption - The Verge
Anatsa Android trojan now steals banking info from users in US, UK (bleepingcomputer.com)
Fluhorse: Flutter-Based Android Malware Targets Credit Cards and 2FA Codes (thehackernews.com)
Denial of Service/DoS/DDOS
Global rise in DDoS attacks threatens digital infrastructure - Help Net Security
Pro-Russia DDoSia hacktivist project sees 2,400% membership increase (bleepingcomputer.com)
Internet of Things – IoT
Someone sent mysterious smartwatches to US Military personnel - Security Affairs
The tech flaw that lets hackers control surveillance cameras - BBC News
Data Breaches/Leaks
Latitude hit with $1 million lawsuit over data breach (9news.com.au)
Recruitment portal exposes data of US pilot candidates • The Register
3 Steps to Successfully & Ethically Navigate a Data Breach (darkreading.com)
Sensitive Information Stolen in LetMeSpy Stalkerware Hack - SecurityWeek
US Patent Office Data Spill Exposes Trademark Applications (darkreading.com)
Organised Crime & Criminal Actors
2,700 People Tricked Into Working for Cyber Crime Syndicates Rescued in Philippines - SecurityWeek
Security analyst wanted by both Russia and the US • The Register
Former Group-IB manager has been arrested in Kazahstan - Security Affairs
Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain
Twitter Hacker Sentenced to 5 Years in Prison for $120,000 Crypto Scam (thehackernews.com)
JOKERSPY used to target a cryptocurrency exchange in Japan - Security Affairs
Japanese Cryptocurrency Exchange Falls Victim to JokerSpy macOS Backdoor Attack (thehackernews.com)
Insider Risk and Insider Threats
Fraud, Scams & Financial Crime
Twitter Hacker Sentenced to 5 Years in Prison for $120,000 Crypto Scam (thehackernews.com)
Unmasking Pig-Butchering Scams and Protecting Your Financial Future - Security News (trendmicro.com)
This Chatbot Gives Phone Call Scammers a Taste of Their Own Medicine (pcmag.com)
The robotic falcon maker who was targeted by cyber criminals - BBC News
Deepfakes
Insurance
University of California Sues Lloyd’s Syndicates Over Cyber Insurance - WSJ
Insurance companies using AI for underwriting and due diligence amid cyber threats | Fox Business
How Big Is the Cyber Insurance Market? Can It Keep Growing? | Lawfare (lawfaremedia.org)
Dark Web
Citizen of Croatia charged with running the Monopoly Market drug marketplace - Security Affairs
Inside Threat Actors: Dark Web Forums vs. Illicit Telegram Communities (bleepingcomputer.com)
Supply Chain and Third Parties
Cloud/SaaS
95% fear inadequate cloud security detection and response - Help Net Security
Fileless attacks surge as cyber Criminals evade cloud security defences | CSO Online
5 Pitfalls in Cloud Cyber security’s Shared Responsibility Model - MSSP Alert
Uncovering attacker tactics through cloud honeypots - Help Net Security
How hardening Microsoft 365 tenants mitigates potential cloud attacks - Help Net Security
Outlook for the web outage impacts users across America (bleepingcomputer.com)
3 Tips to Increase Hybrid and Multicloud Security (darkreading.com)
Identity and Access Management
Encryption
Apple says proposed UK law ‘poses a serious threat’ to end-to-end encryption - The Verge
Iran finally admits its 'quantum processor' was in fact not quantum at all | PC Gamer
How to stop quantum computers from breaking the internet’s encryption (sciencenews.org)
Open Source
Passwords, Credential Stuffing & Brute Force Attacks
Social Media
Travel
Cyber Bullying, Cyber Stalking and Sextortion
Regulations, Fines and Legislation
SEC Alleges SolarWinds CFO, CISO Violated US Securities Laws (bankinfosecurity.com)
US firm 'breached GDPR' by reputation-scoring EU citizens • The Register
JP Morgan accidentally deletes 47 million comms records • The Register
Models, Frameworks and Standards
Careers, Working in Cyber and Information Security
SEC notice to SolarWinds CISO and CFO roils cyber security industry | CSO Online
Skill gap plagues cyber security industry as jobs go unfilled | Mint (livemint.com)
Law Enforcement Action and Take Downs
Hacker responsible for 2020 Twitter breach sentenced to prison | TechCrunch
Citizen of Croatia charged with running the Monopoly Market drug marketplace - Security Affairs
2,700 People Tricked Into Working for Cyber Crime Syndicates Rescued in Philippines - SecurityWeek
Privacy, Surveillance and Mass Monitoring
Nation State Actors, Advanced Persistent Threats (APTs), Cyber Warfare and Cyber Espionage
Russia
Microsoft Warns of Widescale Credential Stealing Attacks by Russian Hackers (thehackernews.com)
Russian Spies, War Ministers Reliant on Cyber Crime in Pariah State (darkreading.com)
Pro-Russia DDoSia hacktivist project sees 2,400% membership increase (bleepingcomputer.com)
Microsoft hackers say they work for Sudan, not Russia | Fortune
'Chinese spy balloon' was 'crammed' with US hardware • The Register
Hackers attack Russian satellite telecom provider, claim affiliation with Wagner Group | CyberScoop
China
China's 'Volt Typhoon' APT Now Exploits Zoho ManageEngine (darkreading.com)
'Chinese spy balloon' was 'crammed' with US hardware • The Register
Iran
The potent cyber adversary threatening to further inflame Iranian politics | CyberScoop
From MuddyC3 to PhonyC2: Iran's MuddyWater Evolves with a New Cyber Weapon (thehackernews.com)
Iran finally admits its 'quantum processor' was in fact not quantum at all | PC Gamer
North Korea
Misc/Other/Unknown
Vulnerability Management
SMBs plagued by exploits, trojans and backdoors | SC Media (scmagazine.com)
Remediation Ballet Is a Pas de Deux of Patch and Performance (darkreading.com)
Micropatches: What they are and how they work - Help Net Security
When It Comes to Secure Coding, ChatGPT Is Quintessentially Human (darkreading.com)
It's 2023 and out-of-bounds write bugs are still number one • The Register
Vulnerabilities
VMware fixed five memory corruption issues in vCenter Server - Security Affairs
US Cyber security Agency Adds 6 Flaws to Known Exploited Vulnerabilities Catalog (thehackernews.com)
CISA Says Critical Zyxel NAS Vulnerability Exploited in Attacks - SecurityWeek
Serious IDOR Vulnerability Found In Microsoft Teams (latesthackingnews.com)
Fortinet fixes critical FortiNAC RCE, install updates asap - Security Affairs
Details Disclosed for Critical SAP Vulnerabilities, Including Wormable Exploit Chain - SecurityWeek
Critical flaw in VMware Aria Operations for Networks sees mass exploitation | CSO Online
Internet Systems Consortium (ISC) fixed three DoS flaw in BIND - Security Affairs
Chrome 114 Update Patches High-Severity Vulnerabilities - SecurityWeek
Grafana warns of critical auth bypass due to Azure AD integration (bleepingcomputer.com)
The tech flaw that lets hackers control surveillance cameras - BBC News
Exploit released for new Arcserve UDP auth bypass vulnerability (bleepingcomputer.com)
Tools and Controls
95% fear inadequate cloud security detection and response - Help Net Security
How a Layered Security Approach Can Minimize Email Threats - MSSP Alert
ITDR Combines and Refines Familiar Cyber security Approaches (darkreading.com)
Uncovering attacker tactics through cloud honeypots - Help Net Security
10 things every CISO needs to know about identity and access management (IAM) | VentureBeat
FIDO Alliance Publishes Guidance for Deploying Passkeys in the Enterprise (darkreading.com)
3 Tips to Increase Hybrid and Multicloud Security (darkreading.com)
Other News
Businesses count the cost of network downtime - Help Net Security
Exploring the persistent threat of cyber attacks on healthcare - Help Net Security
How Can Manufacturers Stop Being The Top Target For Cyber Crime? (informationsecuritybuzz.com)
Ex-FBI employee jailed for mishandling classified material • The Register
Rapid7: Japan Threat Landscape Takes on Global Significance - SecurityWeek
Over 1500 gas stations disrupted in Canada, after energy giant hacked (bitdefender.com)
Sector Specific
Industry specific threat intelligence reports are available.
Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.
· Automotive
· Construction
· Critical National Infrastructure (CNI)
· Defence & Space
· Education & Academia
· Energy & Utilities
· Estate Agencies
· Financial Services
· FinTech
· Food & Agriculture
· Gaming & Gambling
· Government & Public Sector (including Law Enforcement)
· Health/Medical/Pharma
· Hotels & Hospitality
· Insurance
· Legal
· Manufacturing
· Maritime
· Oil, Gas & Mining
· OT, ICS, IIoT, SCADA & Cyber-Physical Systems
· Retail & eCommerce
· Small and Medium Sized Businesses (SMBs)
· Startups
· Telecoms
· Third Sector & Charities
· Transport & Aviation
· Web3
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Threat Briefing 03 March 2023
Black Arrow Cyber Briefing 03 March 2023:
-It’s Time to Evaluate Your Security Education Plan Amongst the Rise in Social Engineering Attacks
-Mobile Users are More Susceptible to Phishing Attacks
-Phishing as a Service Stimulates Cyber Crime
-Attacker Breakout Time Drops to Just 84 Minutes
-Attackers are Developing and Deploying Exploits Faster Than Ever
-Old Vulnerabilities are Haunting Organisations and Aiding Attackers
-Scams Drive Nearly $9bn Fraud Surge in 2022
-Economic Pressure are Increasing Cyber Security Risks and a Recession Would Only Further This
-Cyber Security in This Era of Polycrisis
-Russian Ransomware Projects Rebranded to Avoid Western Sanctions
-Ransomware Attacks Ravaged Big Names in February
-Firms Who Pay Ransom Subsidise New Attacks
-How the Ukraine War Opened a Fault Line in Cyber Crime
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
It’s Time to Evaluate Your Security Education Plan with the Rise in Social Engineering Attacks
Security provider Purplesec found 98% of attacks in 2022 involved an element of social engineering. Social engineering attacks can take many forms including phishing, smishing, vishing and quishing and it’s vital to educate your organisation on how to best prepare for these. Education plans should focusing on educating all levels of users, including those at the top. These plans should also be tested to allow organisations to assess where they are at and identify where they can improve.
Mobile Users are More Susceptible to Phishing Attacks
A report conducted by mobile security provider Lookout focused on the impact of mobile phishing. Some of the key findings from the report included that more than 50% of personal devices were exposed to a mobile phishing attack every quarter, the percentage of users falling for multiple mobile phishing links increasing and an increased targeting of highly regulated industries such as insurance, banking and financial services. It is likely that this has resulted from the increase in relaxed bring your own device (BYOD) policies.
Phishing as a Service Stimulates Cyber Crime
Phishing attacks are at an all-time high and the usage of Phishing as a Service (PaaS) opens this attack technique to virtually anyone. The sale of “phishing kits” and usage of artificial intelligence has further increased the availability of this attack technique. In response, organisations should look to improve their email security, cloud security and education programs for employees.
https://www.trendmicro.com/en_us/ciso/23/c/phishing-as-a-service-phaas.html
Attacker Breakout Time Drops to Just 84 Minutes
The average time it takes for a threat actor to move laterally from a compromised host within an organisation dropped 14% between 2012 and 2022 down to 84 minutes, according to a report by security provider Crowdstrike. With the reduction in time it takes a threat actor to move across systems, organisations have even less time to enact their incident response plans and contain breaches effectively, putting further pressure on the incident response team. By responding quickly, organisations can minimise the cost and damage of a breach. The report from Crowdstrike found that organisations were facing increasing difficulty in detecting suspicious activity as attackers are choosing to use valid organisation credentials rather than malware, to gain access to an organisation’s systems.
https://www.infosecurity-magazine.com/news/attacker-breakout-time-drops-just/
Attackers are Developing and Deploying Exploits Faster Than Ever
A report from security provider Rapid7 found that over 56% of vulnerabilities were exploited within seven days of public disclosure. Worryingly, the median time for exploitation in 2022 was just one day. The finding from the report highlights the need for organisations to not only conduct threat intelligence to be aware of vulnerabilities but to also look to employ patches where possible in a timely manner.
https://www.helpnetsecurity.com/2023/03/03/attackers-developing-deploying-exploits/
Old Vulnerabilities are Haunting Organisations and Aiding Attackers
Known vulnerabilities, vulnerabilities for which patches have already been made available, are one of the primary attack vectors for threat actors. Vulnerability management vendor Tenable found that the top exploited vulnerabilities were originally disclosed as far back as 2017 and organisations that had not applied these patches were at increased risks of attack.
https://www.helpnetsecurity.com/2023/03/03/known-exploitable-vulnerabilities/
Scams Drive Nearly $9bn Fraud Surge in 2022
Americans lost $8.8 billion to fraud last year, with imposter scams responsible for $2.8 billion of that amount, according to the Federal Trade Commission (FTC). Losses to business imposters were particularly damaging, climbing to $660 million from the previous year. Interestingly, the FTC found that younger people reported losing money to fraud the most often.
https://www.infosecurity-magazine.com/news/investment-scams-drive-9bn-in/
Economic Pressure are Increasing Cyber Security Risks and a Recession Would Only Further This
The World Economic Forum’s recent report found that 93% of cyber security leaders and 86% of business leaders think it is moderately or very likely that global geopolitical instability will lead to a catastrophic cyber event in the next two years. Reinforcing this, a report from (ISC)² found that 80% of business executives believe a weakening economy will increase cyber threats and a recession will only amplify this.
Cyber Security in this Era of Polycrisis
A year since Russia invaded Ukraine, the geopolitical context is increasingly tense and volatile. The world faces several major crises in what has been coined a 'polycrisis,' a cluster of global shocks with compounding effects. This, along with increasing geopolitical tensions causes a rise in risk from cyber attacks. In fact, the European Union Agency for Cyber Security (ENISA) recently issued an alert regarding actors conducting malicious cyber activities against businesses and governments in the European Union and findings from Google show a 300% increase in state-sponsored cyber attacks targeting users in NATO countries.
https://www.weforum.org/agenda/2023/02/cybersecurity-in-an-era-of-polycrisis/
Russian Ransomware Projects Rebranded to Avoid Western Sanctions
Research provider TRM labs found that some major Russian-linked ransomware crime gangs have rebranded their activities in 2022 to avoid sanctions. To strengthen their anonymity, two major ransomware crime gangs LockBit and Conti restructured their activities. Conti is reported to have restructured into three smaller groups named Black Besta, BlackByte, Karakurt. LockBit on the other hand launched LockBit 3.0, which is focused on monetary gain. Additionally, the report found that Russian-speaking darknet markets had amassed over $130 million in sales.
https://cryptopotato.com/russian-ransomware-projects-rebranded-to-avoid-western-sanctions-report/
Ransomware Attacks Ravaged Big Names in February
Despite the apparent slight drop in ransomware activity last month, several high profile targets of various industries were hit; this ranges from the likes of the US Marshal Service, retailer WH Smith, satellite provider Dish and many more. These attacks reinforce the concept that any organisation can be a victim, regardless of industry.
Firms Who Pay Ransoms Subsidise New Attacks
A report from security provider Trend Micro found that whilst only a relatively small number of ransomware victims pay their extorters, those that do pay are effectively funding 6-10 new attacks. The report also found that attackers are aware of which industries and countries pay ransoms more often, so organisations belonging to those industries and countries may find themselves an even more attractive target.
https://www.infosecurity-magazine.com/news/firms-pay-ransom-subsidise-10/
How the Ukraine War Opened a Fault Line in Cyber Crime
A report from threat intelligence provider Recorded Future has highlighted the impact that the Russian invasion of Ukraine has had on cyber. Recorded Future explain how a number of threat actor groups fled during the war and in addition to differing political views between groups, there has been a disruption to the cyber environment. In fact, Recorded Future found that Russian-language dark web marketplaces have taken a major hit and the prediction is that the epicentre of cyber crime may shift to English-speaking dark web forums, shops and marketplaces.
https://www.darkreading.com/analytics/ukraine-war-fault-line-cybercrime-forever
Threats
Ransomware, Extortion and Destructive Attacks
Well-funded security systems fail to prevent cyber attacks in US and Europe: Report | CSO Online
Russian Ransomware Projects Rebranded to Avoid Western Sanctions: Report (cryptopotato.com)
New cyber attack tactics rise up as ransomware payouts increase | CSO Online
Ransomware Attacks: Don’t Let Your Guard Down - SecurityWeek
Ransomware attacks ravaged big names in February | TechTarget
Cyber Insurance Market Back From Brink After Onslaught of Ransomware Attacks (insurancejournal.com)
Royal Mail schools LockBit in leaked negotiation (malwarebytes.com)
'Ethical hacker' among ransomware suspects arrested • The Register
Wiper malware goes global, destructive attacks surge - Help Net Security
A Deep Dive into the Evolution of Ransomware Part 3 (trendmicro.com)
New Exfiltrator-22 post-exploitation kit linked to LockBit ransomware (bleepingcomputer.com)
PureCrypter malware hits govt orgs with ransomware, info-stealers (bleepingcomputer.com)
Bitdefender Releases Free Decryptor for MortalKombat Ransomware Strain (thehackernews.com)
Dish Network confirms ransomware attack behind multi-day outage (bleepingcomputer.com)
US Marshals Ransomware Hit Is 'Major' Incident (darkreading.com)
The DoJ Disruption of the Hive Ransomware Group Is a Short-Lived Win (darkreading.com)
Vice Society publishes data stolen during Vesuvius ransomware attack • Graham Cluley
US Cybersecurity Agency Raises Alarm Over Royal Ransomware's Deadly Capabilities (thehackernews.com)
Phishing & Email Based Attacks
New cyber attack tactics rise up as ransomware payouts increase | CSO Online
Mobile Users More Susceptible to Phishing Attacks than Two Years Ago - MSSP Alert
Phishing as a Service Stimulates Cyber crime (trendmicro.com)
BEC – Business Email Compromise
New cyber attack tactics rise up as ransomware payouts increase | CSO Online
Expert strategies for defending against multilingual email-based attacks - Help Net Security
Hackers Target Young Gamers: How Your Child Can Cause Business Compromise (darkreading.com)
Other Social Engineering; Smishing, Vishing, etc
As Social Engineering Attacks Skyrocket, Evaluate Your Security Education Plan (darkreading.com)
The Top 5 New Social Engineering Attacks in 2023 - (ISC)² Blog (isc2.org)
How to Prevent Callback Phishing Attacks on Your Organization (bleepingcomputer.com)
2FA/MFA
Malware
RIG Exploit Kit still infects enterprise users via Internet Explorer (bleepingcomputer.com)
Exfiltrator-22 Post-Exploitation Toolkit Nips At Cobalt Strike's Heels (darkreading.com)
Malicious package flood on PyPI might be sign of new attacks to come | CSO Online
Iron Tiger hackers create Linux version of their custom malware (bleepingcomputer.com)
It's official: BlackLotus malware can bypass secure boot • The Register
Threat actors target law firms with GootLoader and SocGholish--Security Affairs
Mobile
Mobile Users More Susceptible to Phishing Attacks than Two Years Ago - MSSP Alert
Mobile Banking Trojans Surge, Doubling in Volume (darkreading.com)
Signal would 'walk' from UK if Online Safety Bill undermined encryption - BBC News
Don't be fooled by a pretty icon, malicious apps hide in plain sight - Help Net Security
Denial of Service/DoS/DDOS
Data Breaches/Leaks
LastPass Says DevOps Engineer Home Computer Hacked - SecurityWeek
LastPass Reveals Second Attack Resulting in Breach of Encrypted Password Vaults (thehackernews.com)
Stanford University discloses data breach affecting PhD applicants (bleepingcomputer.com)
Threat actors leak Activision employee data on hacking forum--Security Affairs
10 US states that suffered the most devastating data breaches in 2022 - Help Net Security
Australian orgs lodged 497 data breach notices in back half of 2022 - Security - iTnews
Hatch Bank discloses data breach after GoAnywhere MFT hack (bleepingcomputer.com)
GunAuction site was hacked and data of 565k accounts were exposed--Security Affairs
Chick-fil-A confirms accounts hacked in months-long "automated" attack (bleepingcomputer.com)
What GoDaddy's Years-Long Breach Means for Millions of Clients (darkreading.com)
Organised Crime & Criminal Actors
Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain
Cryptocurrency Bitcoin mining rig found in school crawlspace • The Register
Highly evasive cryptocurrency miner targets macOS--Security Affairs
Insider Risk and Insider Threats
Fraud, Scams & Financial Crime
Investment Scams Drive $9bn Fraud Surge in 2022 - Infosecurity Magazine (infosecurity-magazine.com)
How I Broke Into a Bank Account With an AI-Generated Voice (vice.com)
FTC reveals alarming increase in scam activity, costing consumers billions - Help Net Security
Resecurity identified the investment scam network Digital Smoke - Help Net Security
Pig butchering scam explained: Everything you need to know (techtarget.com)
AML/CFT/Sanctions
Insurance
Dark Web
Supply Chain and Third Parties
Third-party risks overwhelm traditional ERM setups - Help Net Security
Third-Party Risks: Challenges for MSSPs and How to Overcome Them - MSSP Alert
Shocking Findings from the 2023 Third-Party App Access Report (thehackernews.com)
Software Supply Chain
Shocking Findings from the 2023 Third-Party App Access Report (thehackernews.com)
SBOM is a 'massive galaxy of mess' for supply chain security • The Register
IBM Contributes Supply Chain Security Tools to OWASP (darkreading.com)
Cloud/SaaS
How to Tackle the Top SaaS Challenges of 2023 (thehackernews.com)
Cloud incident response: Frameworks and best practices | TechTarget
Security teams have no control over risky SaaS-to-SaaS connections - Help Net Security
It only takes one over-privileged identity to do major damage to a cloud - Help Net Security
SCARLETEEL hackers use advanced cloud skills to steal source code, data (bleepingcomputer.com)
Shocking Findings from the 2023 Third-Party App Access Report (thehackernews.com)
Google Cloud Platform allows data exfiltration without a (forensic) trace - Help Net Security
What Happened in That Cyber attack? With Some Cloud Services, You May Never Know (darkreading.com)
New Report: Inside the High Risk of Third-Party SaaS Apps (darkreading.com)
Containers
Hybrid/Remote Working
Work-From-Home Regulations Are Coming. Companies Aren’t Ready. (mit.edu)
How to work from home securely, the NSA way (malwarebytes.com)
Encryption
API
Open Source
Iron Tiger hackers create Linux version of their custom malware (bleepingcomputer.com)
Should organisations swear off open-source software altogether? | VentureBeat
IBM Contributes Supply Chain Security Tools to OWASP (darkreading.com)
Passwords, Credential Stuffing & Brute Force Attacks
LastPass Says DevOps Engineer Home Computer Hacked - SecurityWeek
Critical Vulnerabilities Allowed Booking.com Account Takeover - SecurityWeek
Sale of Stolen Credentials and Initial Access Dominate Dark Web Markets (darkreading.com)
Social Media
White House: No More TikTok on Gov't Devices Within 30 Days - SecurityWeek
EU Parliament bans staff from using TikTok over ‘cybersecurity concerns’ – POLITICO
TikTok answers three big cyber-security fears about the app - BBC News
Meta says $725M deal ends all Cambridge Analytica claims; one state disagrees | Ars Technica
Training, Education and Awareness
Parental Controls and Child Safety
Regulations, Fines and Legislation
UK seeks to ‘focus’ espionage bill to head off Lords rebellion | Financial Times (ft.com)
Cyber resilience in focus: EU act to set strict standards - Help Net Security
Work-From-Home Regulations Are Coming. Companies Aren’t Ready. (mit.edu)
ML practitioners push for mandatory AI Bill of Rights - Help Net Security
Governance, Risk and Compliance
Third-party risks overwhelm traditional ERM setups - Help Net Security
CISOs Share Their 3 Top Challenges for Cybersecurity Management (darkreading.com)
The Importance of Recession-Proofing Security Operations (darkreading.com)
Third-Party Risks: Challenges for MSSPs and How to Overcome Them - MSSP Alert
CISO Conversations: Code42, BreachQuest Leaders Discuss Combining CISO and CIO Roles - SecurityWeek
Models, Frameworks and Standards
Careers, Working in Cyber and Information Security
Gartner Prediction: Nearly Half of Cybersecurity Pros Will Change Jobs by 2025 - MSSP Alert
Growing Demand For Skilled Cybersecurity Workforce In Digital Age (informationsecuritybuzz.com)
Partnering With a Cybersecurity Vendor Can Help You Recruit Top Talent - MSSP Alert
CISOs Are Stressed Out and It's Putting Companies at Risk (thehackernews.com)
Law Enforcement Action and Take Downs
'Ethical hacker' among ransomware suspects arrested • The Register
The DoJ Disruption of the Hive Ransomware Group Is a Short-Lived Win (darkreading.com)
Privacy, Surveillance and Mass Monitoring
UK seeks to ‘focus’ espionage bill to head off Lords rebellion | Financial Times (ft.com)
Press greets Home Office redraft of national security bill with scepticism | Media | The Guardian
The Air Force Is Now Using Facial Recognition Drones (gizmodo.com)
How dog tracker apps are snooping on humans, according to cyber security experts (telegraph.co.uk)
Artificial Intelligence
Generative AI Changes Everything We Know About Cyber attacks (darkreading.com)
ChatGPT is bringing advancements and challenges for cybersecurity - Help Net Security
How I Broke Into a Bank Account With an AI-Generated Voice (vice.com)
ML practitioners push for mandatory AI Bill of Rights - Help Net Security
Misinformation, Disinformation and Propaganda
Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine
Cyber security must be tightened up in this era of polycrisis | World Economic Forum (weforum.org)
How the Ukraine War Opened a Fault Line in Cyber crime, Possibly Forever (darkreading.com)
Russia-Ukraine War: A Year of Cyber Shortfalls (foreignpolicy.com)
Evaluating the Cyberwar Set Off by Russian Invasion of Ukraine (darkreading.com)
CERT of Ukraine: Russia-linked APT backdoored multiple govt sites-Security Affairs
White House: No More TikTok on Gov't Devices Within 30 Days - SecurityWeek
Russian charged with smuggling US counterintel tech • The Register
Cyber security in wartime: how Ukraine's infosec community is coping | CSO Online
China's BlackFly Targets Materials Sector in 'Relentless' Quest for IP (darkreading.com)
'Hackers' Behind Air Raid Alerts Across Russia: Official - SecurityWeek
China spends billions on pro-Russia disinformation, US special envoy says | China | The Guardian
Nation State Actors
Cyber security must be tightened up in this era of polycrisis | World Economic Forum (weforum.org)
How the Ukraine War Opened a Fault Line in Cyber crime, Possibly Forever (darkreading.com)
Hacker group defaces Russian websites to display the Kremlin on fire | TechCrunch
Russia-Ukraine War: A Year of Cyber Shortfalls (foreignpolicy.com)
CERT of Ukraine: Russia-linked APT backdoored multiple govt sites-Security Affairs
Evaluating the Cyberwar Set Off by Russian Invasion of Ukraine (darkreading.com)
White House: No More TikTok on Gov't Devices Within 30 Days - SecurityWeek
Russian charged with smuggling US counterintel tech • The Register
Cyber security in wartime: how Ukraine's infosec community is coping | CSO Online
EU Parliament bans staff from using TikTok over ‘cybersecurity concerns’ – POLITICO
China's BlackFly Targets Materials Sector in 'Relentless' Quest for IP (darkreading.com)
'Hackers' Behind Air Raid Alerts Across Russia: Official - SecurityWeek
China spends billions on pro-Russia disinformation, US special envoy says | China | The Guardian
TikTok answers three big cyber-security fears about the app - BBC News
Russia bans foreign messaging apps in government organisations (bleepingcomputer.com)
Chinese hackers use new custom backdoor to evade detection (bleepingcomputer.com)
Vulnerability Management
Vulnerabilities
A world of hurt for Fortinet and ManageEngine after users fail to install patches | Ars Technica
Hackers are actively exploiting Zoho ManageEngine flaw-Security Affairs
All In One SEO WordPress Plugin Vulnerability Affects Up To 3+ Million (searchenginejournal.com)
CISA warns of hackers exploiting ZK Java Framework RCE flaw (bleepingcomputer.com)
Cisco patches critical Web UI RCE flaw in multiple IP phones (bleepingcomputer.com)
Aruba Networks fixes six critical vulnerabilities in ArubaOS (bleepingcomputer.com)
Microsoft releases Windows security updates for Intel CPU flaws (bleepingcomputer.com)
Tools and Controls
LastPass Reveals Second Attack Resulting in Breach of Encrypted Password Vaults (thehackernews.com)
Well-funded security systems fail to prevent cyber attacks in US and Europe: Report | CSO Online
The Future of Network Security: Predictive Analytics and ML-Driven Solutions (thehackernews.com)
Microsoft announces automatic BEC, ransomware attack disruption capabilities - Help Net Security
How to use zero trust and IAM to defend against cyber attacks in an economic downturn | VentureBeat
Pentesting No Longer Driven by Regulatory Compliance, New Study Finds - MSSP Alert
Application Security vs. API Security: What is the difference? (thehackernews.com)
Accurately assessing the success of zero-trust initiatives | TechTarget
Other News
Attackers are developing and deploying exploits faster than ever - Help Net Security
Attacker Breakout Time Drops to Just 84 Minutes - Infosecurity Magazine (infosecurity-magazine.com)
Moving target defence must keep cyber attackers guessing - Help Net Security
Covert cyber attacks on the rise as attackers shift tactics for maximum impact - Help Net Security
Dormant accounts are a low-hanging fruit for attackers - Help Net Security
Dish Network goes offline after likely cyber attack, employees cut off (bleepingcomputer.com)
News Corp says state hackers were on its network for two years (bleepingcomputer.com)
UK won the Military Cyberwarfare exercise Defence Cyber Marvel-Security Affairs
To Safeguard Critical Infrastructure, Go Back to Basics (darkreading.com)
Feds accuse Google of destroying evidence in antitrust case • The Register
Microsoft recommending you scan more Exchange server files • The Register
CISA director urges tech sector to stop shipping unsafe products | CyberScoop
Developers can make a great extension of your security team - Help Net Security
2023 Browser Security Report Uncovers Major Browsing Risks and Blind Spots (thehackernews.com)
Uncovering the most pressing cybersecurity concerns for SMBs - Help Net Security
Wiz execs: Most overhyped security tool is technology itself • The Register
Sector Specific
Industry specific threat intelligence reports are available.
Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.
· Automotive
· Construction
· Critical National Infrastructure (CNI)
· Defence & Space
· Education & Academia
· Energy & Utilities
· Estate Agencies
· Financial Services
· FinTech
· Food & Agriculture
· Gaming & Gambling
· Government & Public Sector (including Law Enforcement)
· Health/Medical/Pharma
· Hotels & Hospitality
· Insurance
· Legal
· Manufacturing
· Maritime
· Oil, Gas & Mining
· OT, ICS, IIoT, SCADA & Cyber-Physical Systems
· Retail & eCommerce
· Small and Medium Sized Businesses (SMBs)
· Startups
· Telecoms
· Third Sector & Charities
· Transport & Aviation
· Web3
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Threat Briefing 20 January 2023
Black Arrow Cyber Threat Briefing 20 January 2023:
-Experts at Davos 2023 Call for a Global Response to the Gathering 'Cyber Storm'
-Cost of Data Breaches to Global Businesses at Five-Year High
-European Data Protection Authorities Issue Record €2.92 Billion In GDPR Fines, an Increase of 168%
-PayPal Accounts Breached in Large-Scale Credential Stuffing Attack
-Royal Mail Boss to Face MPs’ Questions Over Russian Ransomware Attack
-Third-Party Risk Management: Why 2023 Could be the Perfect Time to Overhaul your TPRM Program
-EU Cyber Resilience Regulation Could Translate into Millions in Fines
-Russian Hackers Try to Bypass ChatGPT's Restrictions for Malicious Purposes
-New Report Reveals CISOs Rising Influence
-ChatGPT and its Perilous Use as a "Force Multiplier" for Cyber Attacks
-Mailchimp Discloses a New Security Breach, the Second One in 6 Months
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
Experts at Davos 2023 Call for a Global Response to the Gathering 'Cyber Storm'
As economic and geopolitical instability spills into the new year, experts predict that 2023 will be a consequential year for cyber security. The developments, they say, will include an expanded threat landscape and increasingly sophisticated cyber attacks.
"There's a gathering cyber storm," Sadie Creese, a Professor of Cyber Security at the University of Oxford, said during an interview at the World Economic Forum’s Annual Meeting 2023 in Davos, Switzerland. "This storm is brewing, and it's really hard to anticipate just how bad that will be."
Already, cyber attacks such as phishing, ransomware and distributed denial-of-service (DDoS) attacks are on the rise. Cloudflare, a major US cyber security firm that provides protection services for over 30% of Fortune 500 companies, found that DDoS attacks—which entail overwhelming a server with a flood of traffic to disrupt a network or webpage—increased last year by 79% year-over-year.
"There's been an enormous amount of insecurity around the world," Matthew Prince, the CEO of Cloudflare, stated during the Annual Meeting. "I think 2023 is going to be a busy year in terms of cyber attacks."
https://www.weforum.org/agenda/2023/01/cybersecurity-storm-2023-experts-davos23/
Cost of Data Breaches to Global Businesses at Five-Year High
Research from business insurer Hiscox shows that the cost of dealing with cyber events for businesses has more than tripled since 2018. The study, which collated data from the organisation’s previous five annual Cyber Readiness reports, has revealed that:
Since 2018 the median IT budgets for cyber security more than tripled.
Between 2020 and 2022 cyber-attacks increased by over a quarter.
Businesses are increasing their cyber security budgets year-on-year.
In the Hiscox 2022 Cyber Readiness report, the financial toll of cyber incidents, including data breaches, was estimated to be $16,950 (£15,265) on average. As the cost of cyber crime grew, so did organisations’ cyber security budgets – average spending on cyber security tripled from 2018 to 2022, rocketing from $1,470,196 (£1,323,973) to $5,235,162 (£4,714,482).
Hiscox has also revealed that half of all companies surveyed suffered at least one cyber attack in 2022, up 11% from 2020. Financial Services, as well as Technology, Media and Telecom (TMT) sectors even reported a minimum of one attack for three consecutive years. Financial Services firms, however, seemed to be hit the hardest, with 66% reporting being impacted by cyber attacks in 2021-2022.
Cyber risk has risen to the same strategic level as traditional financial and operational risks, thanks to a growing realisation by businesses that the impact can be just as severe.
European Data Protection Authorities Issue Record €2.92 Billion in GDPR Fines, an Increase of 168%
European data regulators issued a record €2.92 billion in fines last year, a 168% increase from 2021. That’s according to the latest GDPR and Data Breach survey from international law firm DLA Piper, which covers all 27 Member States of the European Union, plus the UK, Norway, Iceland, and Liechtenstein. This year’s biggest fine of €405 million was imposed by the Irish Data Protection Commissioner (DPC) against Meta Platforms Ireland Limited relating to Instagram for alleged failures to protect children’s personal data. The Irish DPC also fined Meta €265 million for failing to comply with the GDPR obligation for Data Protection by Design and Default. Both fines are currently under appeal.
Despite the overall increase in fines since January 28, 2022, the fine of €746 million that Luxembourg authorities levied against Amazon last year remains the biggest to be issued by an EU-based data regulator to date (though the retail giant is still believed to be appealing).
The report also revealed a notable increase in focus by supervisory authorities on the use of artificial intelligence (AI), while the volume of data breaches reported to regulators decreased slightly against the previous year’s total.
PayPal Accounts Breached in Large-Scale Credential Stuffing Attack
PayPal is sending out data breach notifications to thousands of users who had their accounts accessed through credential stuffing attacks that exposed some personal data.
Credential stuffing are attacks where hackers attempt to access an account by trying out username and password pairs sourced from data leaks on various websites. This type of attack relies on an automated approach with bots running lists of credentials to "stuff" into login portals for various services. Credential stuffing targets users that employ the same password for multiple online accounts, which is known as "password recycling."
PayPal explains that the credential stuffing attack occurred between December 6 and December 8, 2022. The company detected and mitigated it at the time but also started an internal investigation to find out how the hackers obtained access to the accounts. By December 20, 2022, PayPal concluded its investigation, confirming that unauthorised third parties logged into the accounts with valid credentials. The electronic payments platform claims that this was not due to a breach on its systems and has no evidence that the user credentials were obtained directly from them.
According to the data breach reporting from PayPal, 34,942 of its users have been impacted by the incident. During the two days, hackers had access to account holders' full names, dates of birth, postal addresses, social security numbers, and individual tax identification numbers. Transaction histories, connected credit or debit card details, and PayPal invoicing data are also accessible on PayPal accounts.
Royal Mail Boss to Face MPs’ Questions Over Russian Ransomware Attack
Royal Mail’s chief executive faced questions from MPs last week over the Russia-linked ransomware attack that caused international deliveries to grind to a halt.
Simon Thompson, chief executive of Royal Mail, was asked about the recent cyber attack when he appeared before the Commons Business Select Committee to discuss Royal Mail’s response to the cyber attack at the evidence session on Tuesday Jan 17.
A Royal Mail spokesman said: “Royal Mail has been subject to a cyber incident that is affecting our international export service. We are focused on restoring this service as soon as we are able.”
Royal Mail was forced to suspend all outbound international post after machines used for printing customs dockets were disabled by the Russia-linked Lockbit cyber crime gang. Lockbit’s attackers used ransomware, malicious software that scrambles vital computer files before the gang demands payment to unlock them again. The software also took over printers at Royal Mail’s international sorting offices and caused ransom notes to “spout” from them, according to reports.
Cyber security industry sources cautioned that while Lockbit is known to be Russian in origin, it is not known whether a stolen copy of the gang’s signature ransomware had been deployed by rival hackers.
Third-Party Risk Management: Why 2023 Could be the Perfect Time to Overhaul your TPRM Program
Ensuring risk caused by third parties does not occur to your organisation is becoming increasingly difficult. Every business outsources some aspects of its operations, and ensuring these external entities are a strength and not a weakness isn’t always a straightforward process.
In the coming years we’ll see organisations dedicate more time and resources to developing detailed standards and assessments for potential third-party vendors. Not only will this help to mitigate risk within their supply chain network, it will also provide better security.
As demand for third-party risk management (TPRM) grows, there are key reasons why we believe 2023 could be pivotal for the future of your organisation’s TPRM program, cyber risk being principal amongst them.
Forrester predicted that 60% of security incidents in 2022 would stem from third parties. In 2021 there was a 300% increase in supply chain attacks, a trend that has continued to increase over the past 12 months also. For example, Japanese car manufacturer Toyota was forced to completely shut down its operations due to a security breach with a third-party plastics supplier.
It’s not only the frequency of third-party attacks that has increased, but also the methods that cyber criminals are using are becoming increasingly sophisticated. For example, the SolarWinds cyber breach in 2020 was so advanced that Microsoft estimated it took over a thousand engineers to stop the impact of the attack.
As the sophistication and frequency of supply chain attacks increases, the impact they have on businesses reputations and valuations is also becoming apparent. There is a need for organisations to conduct thorough due diligence of the third parties they choose to work with, otherwise the consequences could be disastrous.
Remember always that cyber security should be a non-negotiable feature of all business transactions.
EU Cyber Resilience Regulation Could Translate into Millions in Fines
The EU Commission’s Cyber Resilience Act (CRA) is intended to close the digital fragmentation problem surrounding devices and systems with network connections – from printers and routers to smart household appliances and industrial control systems. Industrial networks and critical infrastructures require special protection.
According to the European Union, there is currently a ransomware attack every eleven seconds. In the last few weeks alone, among others, a leading German children’s food manufacturer and a global Tier1 automotive supplier headquartered in Germany were hit, with the latter becoming the victim of a massive ransomware attack. Such an attack even led to insolvency at the German manufacturer Prophete in January 2023. To press manufacturers, distributors and importers into action, they face significant penalties if security vulnerabilities in devices are discovered and not properly reported and closed.
“The pressure on the industry – manufacturers, distributors and importers – is growing immensely. The EU will implement this regulation without compromise, even though there are still some work packages to be done, for example regarding local country authorities,” says Jan Wendenburg, CEO, ONEKEY.
The financial fines for affected manufacturers and distributors are therefore severe: up to 15 million euros or 2.5 percent of global annual revenues in the past fiscal year – the larger number counts. “This makes it absolutely clear: there will be substantial penalties on manufacturers if the requirements are not implemented,” Wendenburg continues.
Manufacturers, distributors and importers are required to notify ENISA – the European Union’s cyber security agency – within 24 hours if a security vulnerability in one of their products is exploited. Exceeding the notification deadlines is already subject to sanctions.
https://www.helpnetsecurity.com/2023/01/19/eu-cyber-resilience-regulation-fines/
Russian Hackers Try to Bypass ChatGPT's Restrictions for Malicious Purposes
Russian cyber-criminals have been observed on dark web forums trying to bypass OpenAI’s API restrictions to gain access to the ChatGPT chatbot for nefarious purposes.
Various individuals have been observed, for instance, discussing how to use stolen payment cards to pay for upgraded users on OpenAI (thus circumventing the limitations of free accounts). Others have created blog posts on how to bypass the geo controls of OpenAI, and others still have created tutorials explaining how to use semi-legal online SMS services to register to ChatGPT.
“Generally, there are a lot of tutorials in Russian semi-legal online SMS services on how to use it to register to ChatGPT, and we have examples that it is already being used,” wrote Check Point Research (CPR). “It is not extremely difficult to bypass OpenAI’s restricting measures for specific countries to access ChatGPT,” said Check Point. “Right now, we are seeing Russian hackers already discussing and checking how to get past the geofencing to use ChatGPT for their malicious purposes.”
They added that they believe these hackers are most likely trying to implement and test ChatGPT in their day-to-day criminal operations. “Cyber-criminals are growing more and more interested in ChatGPT because the AI technology behind it can make a hacker more cost-efficient,” they explained.
Case in point, just last week, Check Point Research published a separate advisory highlighting how threat actors had already created malicious tools using ChatGPT. These included infostealers, multi-layer encryption tools and dark web marketplace scripts.
More generally, the cyber security firm is not the only one believing ChatGPT could democratise cyber crime, with various experts warning that the AI bot could be used by potential cyber-criminals to teach them how to create attacks and even write ransomware.
https://www.infosecurity-magazine.com/news/russian-hackers-to-bypass-chatgpt/
New Report Reveals CISOs Rising Influence
Cyber security firm Coalfire this week unveiled its second annual State of CISO Influence report, which explores the expanding influence of Chief Information Security Officers (CISOs) and other security leaders.
The report revealed that the CISO role is maturing quickly, and the position is experiencing more equity in the boardroom. In the last year alone, there was a 10-point uptick in CISOs doing monthly reporting to the board. These positive outcomes likely stem from the increasingly metrics-driven reporting CISOs provide, where data is more effectively leveraged to connect security outcomes to business objectives.
An especially promising development in this year's report is how security teams are being looped into corporate projects. Of the security leaders surveyed, 78% say they are consulted early in project development when business objectives are first identified, and two-thirds are now making presentations to the highest levels of enterprise authority. 56% of CISOs present security metrics to their CEOs, up from 43% in 2021.
Cloud migration was universally identified as one of those top business objectives. The move to the cloud saddles CISOs with many challenges. The top priorities listed by CISOs include dealing with an expanding attack surface, staffing, and new compliance requirements — all within constrained budgets. In fact, 43% of security leaders said their budgets remained static or were reduced following business migration to the cloud.
Given these challenges, leading CISOs are transforming their approaches. To address multiple cloud compliance requirements, security leaders are focusing on the most onerous set of rules and creating separate environments for different requirements. Risk assessments were identified as the key tool used to secure funding for these and other cyber initiatives and to set top priorities.
"Costs and risks are up, while at the same time, cyber budgets are trending flat or down," said Colefire. "Cyber security has historically been lower in priority for organisations, but we are witnessing a big shift in enterprise cyber expectations. CISOs are rising to meet those expectations, speaking to the business, and as a result, solidifying their role in the C-suite."
https://www.darkreading.com/threat-intelligence/new-coalfire-report-reveals-cisos-rising-influence
ChatGPT and its Perilous Use as a "Force Multiplier" for Cyber Attacks
As a form of OpenAI technology, ChatGPT has the ability to mimic natural language and human interaction with remarkable efficiency. However, from a cyber security perspective, this also means it can be used in a variety of ways to lower the bar for threat actors.
One key method is the ability for ChatGPT to draft cunning phishing emails en masse. By feeding ChatGPT with minimal information, it can create content and entire emails that will lure unsuspecting victims to provide their passwords. With the right API setup, thousands of unique, tailored, and sophisticated phishing emails can be sent almost simultaneously.
Another interesting capability of ChatGPT is the ability to write malicious code. While OpenAI has put some controls in place to prevent ChatGPT from creating malware, it is possible to convince ChatGPT to create ransomware and other forms of malware as code that can be copied and pasted into an integrated development environment (IDE) and used to compile actual malware. ChatGPT can also be used to identify vulnerabilities in code segments and reverse engineer applications.
ChatGPT will expedite a trend that is already wreaking havoc across sectors – lowering the bar for less sophisticated threat actors, enabling them to conduct attacks while evading security controls and bypassing advanced detection mechanisms. And currently, there is not much that organisations can do about it. ChatGPT represents a technological marvel that will usher in a new era, not just for the cyber security space.
https://www.calcalistech.com/ctechnews/article/sj0lfp11oi
Mailchimp Discloses a New Security Breach, the Second One in 6 Months
The popular email marketing and newsletter platform Mailchimp was hacked twice in the past six months. The news of a new security breach was confirmed by the company; the incident exposed the data of 133 customers.
Threat actors targeted the company’s employees and contractors to gain access to an internal support and account admin tool.
“On January 11, the Mailchimp Security team identified an unauthorised actor accessing one of our tools used by Mailchimp customer-facing teams for customer support and account administration. The unauthorised actor conducted a social engineering attack on Mailchimp employees and contractors, and obtained access to select Mailchimp accounts using employee credentials compromised in that attack.” reads the notice published by the company. “Based on our investigation to date, this targeted incident has been limited to 133 Mailchimp accounts.”
The malicious activity was discovered on January 11, 2023; in response to the intrusion the company temporarily suspended access for impacted accounts. The company also notified the primary contacts for all affected accounts less than 24 hours after the initial discovery.
https://securityaffairs.com/140997/data-breach/mailchimp-security-breach.html
Threats
Ransomware, Extortion and Destructive Attacks
Yum Brands says nearly 300 restaurants in UK impacted due to cyber attack | Reuters
Royal Mail boss to face MPs’ questions over Russian ransomware attack (telegraph.co.uk)
What is LockBit ransomware and how does it operate? | Royal Mail | The Guardian
How cyber-attack on Royal Mail has left firms in limbo - BBC News
Royal Mail restarts limited overseas post after cyber-attack - BBC News
How Royal Mail’s hacker became the world’s most prolific ransomware group | Financial Times (ft.com)
Ransomware Trends In Q4 2022: Key Findings And Recommendations (informationsecuritybuzz.com)
Microsoft: Cuba ransomware hacking Exchange servers via OWASSRF flaw (bleepingcomputer.com)
Microsoft retracts its report on Mac ransomware (techrepublic.com)
Ransomware Dips During 2022: Are Cyber attacks Slowing or Just a Blip? - MSSP Alert
Up to 1,000 ships affected by DNV ransomware attack - Splash247
Avast releases free BianLian ransomware decryptor (bleepingcomputer.com)
Vice Society ransomware leaks University of Duisburg-Essen’s data (bleepingcomputer.com)
Ransomware attack cuts 1,000 ships off from on-shore servers • The Register
Royal Mail promises ‘workarounds’ to restore services after ransomware attack | Computer Weekly
Cyber-crime gangs' earnings slide as victims refuse to pay - BBC News
Ransomware gang steals data from KFC, Taco Bell, and Pizza Hut brand owner (bleepingcomputer.com)
Phishing & Email Based Attacks
How AI chatbot ChatGPT changes the phishing game | CSO Online
The big risk in the most-popular, and aging, big tech email programs (cnbc.com)
Why encrypting emails isn't as simple as it sounds - Help Net Security
Fake DHL emails allow hackers to breach Microsoft 365 accounts (msn.com)
Other Social Engineering; Smishing, Vishing, etc
Techniques that attackers use to trick victims into visiting malicious content - Help Net Security
As Social Engineering Tactics Change, So Must Your Security Training (darkreading.com)
2FA/MFA
CircleCI's hack caused by malware stealing engineer's 2FA-backed session (bleepingcomputer.com)
The Importance of Multi-Factor Authentication (MFA) - MSSP Alert
Malware
New Backdoor Created Using Leaked CIA's Hive Malware Discovered in the Wild (thehackernews.com)
Experts spotted a backdoor that borrows code from CIA's Hive malware - Security Affairs
ChatGPT Creates Polymorphic Malware - Infosecurity Magazine (infosecurity-magazine.com)
Attackers Crafted Custom Malware for Fortinet Zero-Day (darkreading.com)
New Chinese Malware Spotted Exploiting Recent Fortinet Firewall Vulnerability (thehackernews.com)
Malicious ‘Lolip0p’ PyPi packages install info-stealing malware (bleepingcomputer.com)
Hackers exploit Cacti critical bug to install malware, open reverse shells (bleepingcomputer.com)
Hackers can use GitHub Codespaces to host and deliver malware (bleepingcomputer.com)
Hackers turn to Google search ads to push info-stealing malware (bleepingcomputer.com)
How to spot a cyberbot – five tips to keep your device safe (theconversation.com)
Mobile
New 'Hook' Android malware lets hackers remotely control your phone (bleepingcomputer.com)
Roaming Mantis’ Android malware adds DNS changer to hack WiFi routers (bleepingcomputer.com)
Botnets
Denial of Service/DoS/DDOS
Internet of Things – IoT
Data Breaches/Leaks
6,000+ Customer Accounts Breached, NortonLifeLock Alert Users (informationsecuritybuzz.com)
1.7 TB of data from digital intelligence firm Cellebrite leaked online - Security Affairs
LastPass faces mounting criticism over recent breach | TechTarget
Mailchimp discloses a new incident, the second one in 6 months - Security Affairs
PayPal Breach Exposed PII of Nearly 35K Accounts (darkreading.com)
T-Mobile US says hacker accessed personal data of 37 million customers • TechCrunch
Twitter says leaked emails not hacked from its systems - BBC News
Hacked! My Twitter user data is out on the dark web -- now what? | ZDNET
Twitter sued over data leak that it denied was caused by a flaw | Business
Nissan North America data breach caused by vendor-exposed database (bleepingcomputer.com)
18k Nissan Customers Affected by Data Breach at Third-Party Software Developer | SecurityWeek.Com
Organised Crime & Criminal Actors
Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain
Crypto exchanges freeze accounts tied to North Korea • The Register
Europol arrested cryptocurrency scammers that stole millions from victims - Security Affairs
FTX Says $415 Million Of Its Crypto Assets Was Hacked (informationsecuritybuzz.com)
Google Ads-delivered malware drains NFT influencer’s entire crypto wallet (cointelegraph.com)
Bitcoin is a ‘hyped-up fraud’, says JP Morgan chief (telegraph.co.uk)
International Arrests Over 'Criminal' Crypto Exchange | SecurityWeek.Com
Fraud, Scams & Financial Crime
Hacker stole credit cards from Canada alcohol retailer LCBO - Security Affairs
Europol arrested cryptocurrency scammers that stole millions from victims - Security Affairs
New York man defrauded thousands using credit cards sold on dark web (bleepingcomputer.com)
FTX Says $415 Million Of Its Crypto Assets Was Hacked (informationsecuritybuzz.com)
The US Has a Massive Money Transfer Surveillance Apparatus (gizmodo.com)
The threat of location spoofing and fraud - Help Net Security
HUMAN Security Stops VASTFLUX Digital Ad Fraud Operation - MSSP Alert
International Arrests Over 'Criminal' Crypto Exchange | SecurityWeek.Com
Insurance
Dark Web
New York man defrauded thousands using credit cards sold on dark web (bleepingcomputer.com)
Illegal Solaris darknet market hijacked by competitor Kraken (bleepingcomputer.com)
Supply Chain and Third Parties
Cloud/SaaS
The Dangers of Default Cloud Configurations (darkreading.com)
Report: Cloud-based networks under growing attack • The Register
Data Security in Multicloud: Limit Access, Increase Visibility (darkreading.com)
Hybrid/Remote Working
Encryption
Vulnerabilities in cryptographic libraries found through modern fuzzing - Help Net Security
teiss - Cyber Threats - Managing the treat from quantum computers
Threats Of Quantum: The Solution Lies In Quantum Cryptography (informationsecuritybuzz.com)
Why encrypting emails isn't as simple as it sounds - Help Net Security
TLS Connection Cryptographic Protocol Vulnerabilities (trendmicro.com)
Passwords, Credential Stuffing & Brute Force Attacks
Compromise of employee device, credentials led to CircleCI breach | SC Media (scmagazine.com)
PayPal accounts breached in large-scale credential stuffing attack (bleepingcomputer.com)
NortonLifeLock: threat actors breached Norton Password Manager accounts - Security Affairs
Social Media
Twitter says leaked emails not hacked from its systems - BBC News
Hacked! My Twitter user data is out on the dark web -- now what? | ZDNET
French CNIL fined Tiktok $5.4 Million for violating cookie laws - Security Affairs
Malvertising
Hackers turn to Google search ads to push info-stealing malware (bleepingcomputer.com)
Google Ads-delivered malware drains NFT influencer’s entire crypto wallet (cointelegraph.com)
HUMAN Security Stops VASTFLUX Digital Ad Fraud Operation - MSSP Alert
Training, Education and Awareness
Training, endpoint management reduce remote working cyber security risks - Help Net Security
As Social Engineering Tactics Change, So Must Your Security Training (darkreading.com)
Regulations, Fines and Legislation
GDPR Fines Surge 168% in a Year - Infosecurity Magazine (infosecurity-magazine.com)
European data protection authorities issue record €2.92 billion in GDPR fines | CSO Online
How data protection is evolving in a digital world - Help Net Security
EU cyber resilience regulation could translate into millions in fines - Help Net Security
Online safety bill: Attempt to jail tech bosses ‘could backfire’ | News | The Times
Culture secretary examines plans to punish tech bosses over online harms | Financial Times (ft.com)
French CNIL fined Tiktok $5.4 Million for violating cookie laws - Security Affairs
State legislators aren't waiting for Congress to regulate children's online privacy - CyberScoop
How Would the FTC Rule on Noncompetes Affect Data Security? (darkreading.com)
The US Has a Massive Money Transfer Surveillance Apparatus (gizmodo.com)
Governance, Risk and Compliance
Technology is a fragile machine that seems to power everything | Android Central
Training, endpoint management reduce remote working cyber security risks - Help Net Security
New Coalfire Report Reveals CISOs Rising Influence (darkreading.com)
Cost of data breaches to global businesses at five-year high- IT Security Guru
Experts at Davos 2023 sound the alarm on cyber security | World Economic Forum (weforum.org)
Why Mean Time to Repair Is Not Always A Useful Security Metric (darkreading.com)
Why are there so many cyber attacks lately? An explainer on the rising trend | Globalnews.ca
How To Build A Network Of Security Champions In Your Organisation (forbes.com)
EU cyber resilience regulation could translate into millions in fines - Help Net Security
What is Business Attack Surface Management? (trendmicro.com)
How to build a cyber-resilience culture in the enterprise | TechTarget
Why Businesses Need to Think Like Hackers This Year (darkreading.com)
How to prioritize resilience in the face of cyber-attacks | World Economic Forum (weforum.org)
Cyber-attack contributes to major Harrogate district firm posting £4.1m loss - The Stray Ferret
Data Protection
GDPR Fines Surge 168% in a Year - Infosecurity Magazine (infosecurity-magazine.com)
European data protection authorities issue record €2.92 billion in GDPR fines | CSO Online
How data protection is evolving in a digital world - Help Net Security
State legislators aren't waiting for Congress to regulate children's online privacy - CyberScoop
Careers, Working in Cyber and Information Security
New Coalfire Report Reveals CISOs Rising Influence (darkreading.com)
IT Burnout may be Putting Your Organisation at Risk (bleepingcomputer.com)
Sophos Joins List of Cyber security Companies Cutting Staff | SecurityWeek.Com
Law Enforcement Action and Take Downs
Privacy, Surveillance and Mass Monitoring
UK supermarket uses facial recognition tech to track shoppers - Coda Story
State legislators aren't waiting for Congress to regulate children's online privacy - CyberScoop
Artificial Intelligence
How AI chatbot ChatGPT changes the phishing game | CSO Online
ChatGPT and its perilous use as a "Force Multiplier" for cyber attacks | Ctech (calcalistech.com)
Potential threats and sinister implications of ChatGPT - Help Net Security
Criminals seek OpenAI guardrail bypass, use ChatGPT for evil • The Register
ChatGPT Creates Polymorphic Malware - Infosecurity Magazine (infosecurity-magazine.com)
Misinformation, Disinformation and Propaganda
Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine
Putin’s Russian cyber attacks could target UK’s infrastructure | News | The Times
Industrial espionage: How China sneaks out America's technology secrets - BBC News
Ukraine blames Russia for most of over 2,000 cyber attacks in 2022 | Reuters
Beware: Tainted VPNs Being Used to Spread EyeSpy Surveillanceware (thehackernews.com)
Is Elon Musk’s Starlink winning the war for Ukraine? | World | The Sunday Times (thetimes.co.uk)
Pro-Russia Hacktivist Group NoName057(16) Strikes Again (informationsecuritybuzz.com)
Russian hacktivists NoName057 offer cash for DDoS attacks (techmonitor.ai)
Ukraine links data-wiping attack on news agency to Russian hackers (bleepingcomputer.com)
Russian hackers target Ukrainian press briefing about cyber attacks (axios.com)
Chinese hackers targeted Iranian government entities for months: Report | CSO Online
Nation State Actors
Nation State Actors – Russia
Putin’s Russian cyber attacks could target UK’s infrastructure | News | The Times
Ukraine blames Russia for most of over 2,000 cyber attacks in 2022 | Reuters
Is Elon Musk’s Starlink winning the war for Ukraine? | World | The Sunday Times (thetimes.co.uk)
Pro-Russia Hacktivist Group NoName057(16) Strikes Again (informationsecuritybuzz.com)
Russian hacktivists NoName057 offer cash for DDoS attacks (techmonitor.ai)
Ukraine links data-wiping attack on news agency to Russian hackers (bleepingcomputer.com)
Russian hackers target Ukrainian press briefing about cyber attacks (axios.com)
Russians say they can download software from Intel again • The Register
Nation State Actors – China
Industrial espionage: How China sneaks out America's technology secrets - BBC News
Attackers Crafted Custom Malware for Fortinet Zero-Day (darkreading.com)
New Chinese Malware Spotted Exploiting Recent Fortinet Firewall Vulnerability (thehackernews.com)
China wants 30 percent CAGR for its infosec industry • The Register
Chinese hackers targeted Iranian government entities for months: Report | CSO Online
Nation State Actors – North Korea
Nation State Actors – Iran
Nation State Actors – Misc
Vulnerability Management
The Top 10 Vulnerabilities of 2022: Mastering Vulnerability Management - Security Boulevard
3 Lessons Learned in Vulnerability Management (darkreading.com)
Vulnerabilities
Cisco won’t fix critical flaw in small business routers • The Register
Unpatched Zoho ManageEngine Products Under Active Cyber attack (darkreading.com)
Oracle's First Security Update for 2023 Includes 327 New Patches | SecurityWeek.Com
Why it's time to review your on-premises Microsoft Exchange patch status | CSO Online
Attackers Crafted Custom Malware for Fortinet Zero-Day (darkreading.com)
New Chinese Malware Spotted Exploiting Recent Fortinet Firewall Vulnerability (thehackernews.com)
Cacti Servers Under Attack as Majority Fail to Patch Critical Vulnerability (thehackernews.com)
PoC exploits released for critical bugs in popular WordPress plugins (bleepingcomputer.com)
Vulnerabilities in cryptographic libraries found through modern fuzzing - Help Net Security
Microsoft: Exchange Server 2013 reaches end of support in 90 days (bleepingcomputer.com)
Hackers are using this old trick to dodge security protections | ZDNET
Attackers deploy sophisticated Linux implant on Fortinet network security devices | CSO Online
Researchers to release PoC exploit for critical Zoho RCE bug, patch now (bleepingcomputer.com)
MSI accidentally breaks Secure Boot for hundreds of motherboards (bleepingcomputer.com)
Microsoft fixes SSRF vulnerabilities found in Azure services | TechTarget
Over 4,000 Sophos Firewall devices vulnerable to RCE attacks (bleepingcomputer.com)
Critical Security Vulnerabilities Discovered in Netcomm and TP-Link Routers (thehackernews.com)
Exploited Control Web Panel Flaw Added to CISA 'Must-Patch' List | SecurityWeek.Com
Two critical flaws discovered in Git system - Security Affairs
Vendors Actively Bypass Security Patch for Year-Old Magento Vulnerability | SecurityWeek.Com
Cisco Patches High-Severity SQL Injection Vulnerability in Unified CM | SecurityWeek.Com
CVE-2022-47966: Rapid7 Observed Exploitation of Critical ManageEngine Vulnerability | Rapid7 Blog
Critical Microsoft Azure RCE flaw impacted multiple services - Security Affairs
New Microsoft Azure Vulnerability Uncovered — EmojiDeploy for RCE Attacks (thehackernews.com)
Tools and Controls
Training, endpoint management reduce remote working cyber security risks - Help Net Security
Why encrypting emails isn't as simple as it sounds - Help Net Security
As Social Engineering Tactics Change, So Must Your Security Training (darkreading.com)
Zero trust network access for Desktop as a Service - Help Net Security
How to prioritize resilience in the face of cyber-attacks | World Economic Forum (weforum.org)
Sector Specific
Industry specific threat intelligence reports are available.
Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.
· Automotive
· Construction
· Critical National Infrastructure (CNI)
· Defence & Space
· Education & Academia
· Energy & Utilities
· Estate Agencies
· Financial Services
· FinTech
· Food & Agriculture
· Gaming & Gambling
· Government & Public Sector (including Law Enforcement)
· Health/Medical/Pharma
· Hotels & Hospitality
· Insurance
· Legal
· Manufacturing
· Maritime
· Oil, Gas & Mining
· OT, ICS, IIoT, SCADA & Cyber-Physical Systems
· Retail & eCommerce
· Small and Medium Sized Businesses (SMBs)
· Startups
· Telecoms
· Third Sector & Charities
· Transport & Aviation
· Web3
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Advisory 20/01/2023 – Zoho ManageEngine Exploit Released Affecting Multiple Product Lines
Black Arrow Cyber Advisory 20/01/2023 – Zoho ManageEngine Exploit Released Affecting Multiple Product Lines
Executive Summary
CVE-2022-47966 is a remote code execution vulnerability which impacts Zoho’s ManageEngine On-Premise products, due to the use of an outdated third-party dependency, Apache Santuario. The exploit for this vulnerability has now been publicly released. Software updates addressing the vulnerabilities were previously released by Zoho across October/November last year.
What’s the risk to me or my business?
Successful exploitation of this vulnerability would grant an attacker the ability to remotely execute code. Users of ManageEngine On-Demand/cloud products are not affected by this vulnerability. In addition, the exploit is applicable, only when Single Sign-on (SSO) is or was enabled during the initial ManageEngine setup.
What can I do?
For organisations using ManageEngine On-Premise products where Single Sign-on (SSO) is or was enabled during initial setup, it is strongly recommended to install the patched version which addresses this vulnerability.
Further information on the security advisory from Zoho ManageEngine can be found here, including impacted version numbers, and the version numbers where the exploit was fixed: https://www.manageengine.com/security/advisory/CVE/cve-2022-47966.html
Need help understanding your gaps, or just want some advice? Get in touch with us.
#threatadvisory #threatintelligence #cybersecurity
Black Arrow Cyber Threat Briefing 06 January 2023
Black Arrow Cyber Threat Briefing 06 January 2023:
-Cyber War in Ukraine, Ransomware Fears Drive Surge in Demand for Threat Intelligence Tools
-Cyber Premiums Holding Firms to Ransom
-Ransomware Ecosystem Becoming More Diverse For 2023
-Attackers Evolve Strategies to Outmanoeuvre Security Teams
-Building a Security-First Culture: The Key to Cyber Success
-Adobe, Apple, Cisco, Microsoft Flaws Make Up Half of Known Exploited Vulnerabilities Catalogue
-First LastPass, Now Slack and CircleCI. The Hacks Go On (and will likely worsen)
-Data of 235 Million Twitter Users Leaked Online
-16 Car Makers, including BMW, Ferrari, Ford, Honda, Kia, Land Rover, Mercedes and Toyota, and Their Vehicles Hacked via Telematics, APIs, Infrastructure
-Ransomware Gang Apologizes, Gives SickKids Hospital Free Decryptor
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
Cyber War in Ukraine, Ransomware Fears Drive 2022 Surge in Demand for Threat Intelligence Tools
Amid the heightened fear of ransomware in 2022, threat intelligence emerged as a core requirement of doing business in a world gone mad.
A sizable amount of interest in the historically tech-centric discipline was fuelled in part by fear of cyber attacks tied to the war between Russia and Ukraine. In one example, the Ukrainian government warned the world that the Russian military was planning for multi-pronged attacks targeting the energy sector. Other nation-state cyber attack operations also contributed to the demand, including one June 2022 incident were Iran’s Cobalt Mirage exploited PowerShell vulnerabilities to launch ransomware attacks.
And of course, headlines of data breaches tied to vulnerabilities that organisations did not even know existed within their networks caught the attention not just of security teams, but the C-Suite and corporate board. A misconfigured Microsoft server, for example, wound up exposing years of sensitive data for tens of thousands of its customers, including personally identifiable information, user data, product and project details and intellectual property.
Indeed, according to 183 security pros surveyed by CyberRisk Alliance Business Intelligence in June 2022, threat intelligence has become critical in arming their security operations centres (SOCs) and incident response teams with operational data to help them make timely, informed decisions to prevent system downtime, thwart the theft of confidential data, and protect intellectual property.
Threat intelligence has emerged as a useful tool for educating executives. Many also credited threat intelligence for helping them protect their company and customer data — and potentially saving their organisation's reputation.
Cyber Premiums Holding Firms to Ransom
Soaring premiums for cyber security insurance are leaving businesses struggling to pay other bills, a key industry player has warned.
Mactavish, which buys insurance policies on behalf of companies, said that more than half of big businesses that had bought cyber security insurance had been forced to make cuts elsewhere to pay for it.
In a survey of 200 companies with a turnover above £10 million, Mactavish found that businesses were reducing office costs and staff bonuses and were cutting other types of insurance to meet the higher payments.
Last month Marsh, an insurance broker, revealed that costs for cyber insurance had increased by an average of 66 per cent in the third quarter compared with last year.
Meanwhile, the risk to businesses from hackers continues to rise. A government report on digital threats, published this month, showed the proportion of businesses experiencing cyber security incidents at least monthly had increased from 53 per cent to 60 per cent in the past year. Uber, Cisco and InterContinental Hotels Group were among high-profile targets this year.
https://www.thetimes.co.uk/article/cyber-safety-premiums-hold-firms-to-ransom-tnrsz3vs2
Ransomware Ecosystem Becoming More Diverse for 2023
The ransomware ecosystem has changed significantly in 2022, with attackers shifting from large groups that dominated the landscape toward smaller ransomware-as-a-service (RaaS) operations in search of more flexibility and drawing less attention from law enforcement. This democratisation of ransomware is bad news for organisations because it also brought in a diversification of tactics, techniques, and procedures (TTPs), more indicators of compromise (IOCs) to track, and potentially more hurdles to jump through when trying to negotiate or pay ransoms.
Since 2019 the ransomware landscape has been dominated by big and professionalised ransomware operations that constantly made the news headlines and even looked for media attention to gain legitimacy with potential victims. We've seen ransomware groups with spokespeople who offered interviews to journalists or issued "press releases" on Twitter and their data leak websites in response to big breaches.
The DarkSide attack against Colonial Pipeline that led to a major fuel supply disruption along the US East Coast in 2021 highlighted the risk that ransomware attacks can have against critical infrastructure and led to increased efforts to combat this threat at the highest levels of government. This heightened attention from law enforcement made the owners of underground cyber crime forums reconsider their relationship with ransomware groups, with some forums banning the advertising of such threats. DarkSide ceased operations soon thereafter and was followed later in the year by REvil, also known as Sodinokibi, whose creators were indicted and one was even arrested. REvil was one of the most successful ransomware groups since 2019.
Russia's invasion of Ukraine in February 2022 quickly put a strain on the relationship between many ransomware groups who had members and affiliates in both Russia and Ukraine, or other former USSR countries. Some groups, such as Conti, rushed to take sides in the war, threatening to attack Western infrastructure in support of Russia. This was a departure from the usual business-like apolitical approach in which ransomware gangs had run their operations and drew criticism from other competing groups.
This was also followed by a leak of internal communications that exposed many of Conti's operational secrets and caused uneasiness with its affiliates. Following a major attack against the Costa Rican government the US State Department put up a reward of $10 million for information related to the identity or location of Conti's leaders, which likely contributed to the group's decision to shut down operations in May.
Conti's disappearance led to a drop in ransomware activity for a couple of months, but it didn't last long as the void was quickly filled by other groups, some of them newly set up and suspected to be the creation of former members of Conti, REvil and other groups that ceased operations over the past two years.
Attackers Evolve Strategies to Outmanoeuvre Security Teams
Attackers are expected to broaden their targeting strategy beyond regulated verticals such as financial services and healthcare. Large corporations (41%) will be the top targeted sector for cyber attacks in 2023, favoured over financial institutions (36%), government (14%), healthcare (9%), and education (8%), according to cyber security solution provider Titaniam.
The fast pace of change has introduced new vulnerabilities into corporate networks, making them an increasingly attractive target for cyber attackers. To compete in the digital marketplace, large companies are adopting more cloud services, aggregating data, pushing code into production faster, and connecting applications and systems via APIs.
As a result, misconfigured services, unprotected databases, little-tested applications, and unknown and unsecured APIs abound, all of which can be exploited by attackers.
The top four threats in 2022 were malware (30%), ransomware and extortion (27%), insider threats (26%), and phishing (17%).
The study found that enterprises expected malware (40%) to be their biggest challenge in 2023, followed by insider threats (26%), ransomware and related extortion (21%), and phishing (16%).
Malware, however, has more enterprises worried for 2023 than it did for 2022. It is important to note that these threats can overlap, where insiders can have a hand in ransomware attacks, phishing can be a source of malware, etc.
Attackers are evolving their strategies to surprise and outmanoeuvre security teams, which have hardened ransomware defences and improved phishing detection. They’re using new malware, such as loaders, infostealers, and wipers to accelerate attacks, steal sensitive data and create mayhem.
They’re also buying and stealing employee credentials to walk in through the front door of corporate networks.
https://www.helpnetsecurity.com/2023/01/04/attackers-evolve-strategies-outmaneuver-security-teams/
Building a Security-First Culture: The Key to Cyber Success
Everyone has heard a car alarm go off in the middle of the night, but how often does that notification actually lead to action? Most people will hear the alarm, glance in its direction and then hope the owner will quickly remedy the situation.
Cars alarms often fail because they go off too often, leading to apathy and annoyance instead of being a cause for emergency. For many, cyber security has also become this way. While we see an increase in the noise surrounding the need for organisations to improve the security skillset and knowledge base of employees, there continues to be little proactive action on this front. Most organisations only provide employees with elementary-grade security training, often during their initial onboarding process or as part of a standard training requirement.
At the same time, many organisations also make the grave mistake of leaving all of their security responsibilities and obligations in the hands of IT and security teams. Time and time again, this approach has proven to be highly ineffective, especially as cyber criminals refine their social engineering tactics and target user accounts to execute their attacks.
Alarmingly, recent research found that 30% of employees do not think that they play a role in maintaining their company’s cyber security posture. The same report also revealed that only 39% of employees say they are likely to report a security incident.
As traditional boundaries of access disintegrate and more employees obtain permissions to sensitive company data and systems to carry out their tasks, business leaders must change the mindset of their employees when it comes to the role they play in keeping the organisation safe from cyber crime. The key is developing an integrated cyber security strategy that incorporates all aspects—including all stakeholders—of the organisation. This should be a strategy that breaks down departmental barriers and creates a culture of security responsibility where every team member plays a part.
Adobe, Apple, Cisco, Microsoft Flaws Make Up Half of Known Exploited Vulnerabilities Catalogue
Back in November 2021, the US Cybersecurity and Infrastructure Security Agency (CISA) published the Known Exploited Vulnerabilities (KEV) Catalogue to help federal agencies and critical infrastructure organisations identify and remediate vulnerabilities that are actively being exploited. CISA added 548 new vulnerabilities to the catalogue across 58 updates from January to end of November 2022, according to cyber security solution provider Grey Noise in its first-ever "GreyNoise Mass Exploits Report."
Including the approximately 300 vulnerabilities added in November and December 2021, CISA listed approximately 850 vulnerabilities in the first year of the catalogue's existence.
Actively exploited vulnerabilities in Microsoft, Adobe, Cisco, and Apple products accounted for over half of the updates to the KEV catalogue in 2022, Grey Noise found. Seventy-seven percent of the updates to the KEV catalogue were older vulnerabilities dating back to before 2022. Many of these vulnerabilities have been around for two decades.
Several of the vulnerabilities in the KEV catalogue are from products that have already entered end-of-life (EOL) and end-of-service-life (EOSL), according to an analysis by a team from cyber security solution provider Cyber Security Works. Even though Windows Server 2008 and Windows 7 are EOSL products, the KEV catalogue lists 127 Server 2008 vulnerabilities and 117 Windows 7 vulnerabilities.
Even though the catalogue was originally intended for critical infrastructure and public-sector organisations, it has become the authoritative source on which vulnerabilities are – or have been – exploited by attackers. This is key because the National Vulnerability Database (NVD) assigned Common Vulnerabilities and Exposures (CVE) identifiers for over 12,000 vulnerabilities in 2022, and it would be unwieldy for enterprise defenders to assess every single one to identify the ones relevant to their environments. Enterprise teams can use the catalogue's curated list of CVEs under active attack to create their priority lists.
First LastPass, Now Slack and CircleCI. The Hacks Go On (and will likely worsen)
In the past week, the world has learned of serious breaches hitting chat service Slack and software testing and delivery company CircleCI, though giving the companies' opaque wording—“security issue” and “security incident,” respectively—you'd be forgiven for thinking these events were minor.
The compromises—in Slack’s case, the theft of employee token credentials and for CircleCI, the possible exposure of all customer secrets it stores—come two weeks after password manager LastPass disclosed its own security failure: the theft of customers’ password vaults containing sensitive data in both encrypted and clear text form. It’s not clear if all three breaches are related, but that’s certainly a possibility.
The most concerning of the two new breaches is the one hitting CircleCI. The company reported a “security incident” that prompted it to advise customers to rotate “all secrets” they store on the service. The alert also informed customers that it had invalidated their Project API tokens, an event requiring them to go through the hassle of replacing them.
CircleCI says it’s used by more than 1 million developers in support of 30,000 organisations and runs nearly 1 million daily jobs. The potential exposure of all those secrets—which could be login credentials, access tokens, and who knows what else—could prove disastrous for the security of the entire Internet.
It’s possible that some or all of these breaches are related. The Internet relies on a massive ecosystem of content delivery networks, authentication services, software development tool makers, and other companies. Threat actors frequently hack one company and use the data or access they obtain to breach that company's customers or partners. That was the case with the August breach of security provider Twilio. The same threat actor targeted 136 other companies. Something similar played out in the last days of 2020 when hackers compromised Solar Winds, gained control of its software build system, and used it to infect roughly 40 Solar Winds customers.
For now, people should brace themselves for additional disclosures from companies they rely on. Checking internal system logs for suspicious entries, turning on multifactor authentication, and patching network systems are always good ideas, but given the current events, those precautions should be expedited. It’s also worth checking logs for any contact with the IP address 54.145.167.181, which one security practitioner said was connected to the CircleCI breach.
Data of 235 Million Twitter Users Leaked Online
A data leak containing email addresses for 235 million Twitter users has been published on a popular hacker forum. Many experts have immediately analysed it and confirmed the authenticity of many of the entries in the huge leaked archive.
In January 2022, a report claimed the discovery of a vulnerability that can be exploited by an attacker to find a Twitter account by the associated phone number/email, even if the user has opted to prevent this in the privacy options. The vulnerability was exploited by multiple threat actors to scrape Twitter user profiles containing both private (phone numbers and email addresses) and public data, and was present within the social media platforms application programming interface (API) from June 2021 until January 2022.
At the end of July 2022, a threat actor leaked data of 5.4 million Twitter accounts that were obtained by exploiting the forementioned, now-fixed vulnerability in the popular social media platform. The scraped data was then put up for sale on various online cyber crime marketplaces. In August, Twitter confirmed that the data breach was caused by a now-patched zero-day flaw.
In December another Twitter data leak made the headlines, a threat actor obtained data of 400,000,000 Twitter users and attempted to sell it. The seller claimed the database is private, and he provided a sample of 1,000 accounts as proof of claims which included the private information of prominent users such as Donald Trump JR, Brian Krebs, and many more. The seller, who is a member of a popular data breach forum, claimed the data was scraped via a vulnerability. The database includes emails and phone numbers of celebrities, politicians, companies, normal users, and a lot of special usernames.
https://securityaffairs.com/140352/data-breach/twitter-data-leak-235m-users.html
16 Car Makers, including BMW, Ferrari, Ford, Honda, Kia, Land Rover, Mercedes and Toyota, and Their Vehicles Hacked via Telematics, APIs, and Infrastructure
A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car functions and start or stop the engine.
Multiple other security defects, the researchers say, allowed them to access a car maker’s internal applications and systems, leading to the exposure of personally identifiable information (PII) belonging to customers and employees, and account takeover, among others. The hacks targeted telematic systems, automotive APIs, and infrastructure.
Impacted car models include Acura, BMW, Ferrari, Ford, Genesis, Honda, Hyundai, Infiniti, Jaguar, Kia, Land Rover, Mercedes-Benz, Nissan, Porsche, Rolls Royce, and Toyota. The vulnerabilities were identified over the course of 2022. Car manufacturers were informed about the security holes and they released patches.
According to the researchers, they were able to send commands to Acura, Genesis, Honda, Hyundai, Kia, Infiniti, Nissan, and Porsche vehicles.
Using only the VIN (vehicle identification number), which is typically visible on the windshield, the researchers were able to start/stop the engine, remotely lock/unlock the vehicle, flash headlights, honk vehicles, and retrieve the precise location of Acura, Honda, Kia, Infiniti, and Nissan cars.
They could also lock users out of remote vehicle management and could change car ownership.
https://www.securityweek.com/16-car-makers-and-their-vehicles-hacked-telematics-apis-infrastructure
Ransomware Gang Apologises, and Gives SickKids Hospital Free Decrypter
The LockBit ransomware gang has released a free decrypter for the Hospital for Sick Children (SickKids), saying one of its members violated rules by attacking the healthcare organisation. SickKids is a teaching and research hospital in Toronto that focuses on providing healthcare to sick children.
On December 18th, the hospital suffered a ransomware attack that impacted internal and corporate systems, hospital phone lines, and the website. While the attack only encrypted a few systems, SickKids stated that the incident caused delays in receiving lab and imaging results and resulted in longer patient wait times.
On December 29th, SickKids announced that it had restored 50% of its priority systems, including those causing diagnostic or treatment delays. Two days after SickKids' latest announcement, the LockBit ransomware gang apologised for the attack on the hospital and released a decrypter for free.
“We formally apologise for the attack on sikkids.ca and give back the decrypter for free, the partner who attacked this hospital violated our rules, is blocked and is no longer in our affiliate programme," stated the ransomware gang.
Threats
Ransomware, Extortion and Destructive Attacks
Rackspace: Ransomware Attack Bypassed ProxyNotShell Mitigations (darkreading.com)
Rackspace: Customer email data accessed in ransomware attack (bleepingcomputer.com)
Ransomware gang cloned victim’s website to leak stolen data (bleepingcomputer.com)
Rackspace identifies hacking group responsible for early December ransomware attack | TPR
Ransomware ecosystem becoming more diverse for 2023 | CSO Online
Rackspace Sunsets Email Service Downed in Ransomware Attack (darkreading.com)
December ransomware disclosures reveal high-profile victims | TechTarget
The Guardian ransomware attack hits week two as staff WFH • The Register
Unraveling the techniques of Mac ransomware - Microsoft Security Blog
Bitdefender releases free MegaCortex ransomware decryptor (bleepingcomputer.com)
Ransomware Research: More than 200 US Infrastructure Organisations Attacked in 2022 - MSSP Alert
Ransomware impacts over 200 govt, edu, healthcare orgs in 2022 (bleepingcomputer.com)
Guardian ransomware attack: Staff told work from home to 23 Jan (pressgazette.co.uk)
Rail giant Wabtec discloses data breach after Lockbit ransomware attack (bleepingcomputer.com)
Christmas Eve 'cyber attack' forced Arnold Clark's network down | STV News
Royal ransomware claims attack on Queensland University of Technology (bleepingcomputer.com)
LockBit: Sorry for SickKids, but not housing authority • The Register
Canadian mining firm shuts down mill after ransomware attack (bleepingcomputer.com)
Phishing & Email Based Attacks
Data of 235 million Twitter users leaked online - Security Affairs
Is NHS The Most Impersonated UK Government "Brand"? (informationsecuritybuzz.com)
The Evolving Tactics of Vidar Stealer: From Phishing Emails to Social Media (thehackernews.com)
Ongoing Flipper Zero phishing attacks target infosec community (bleepingcomputer.com)
Other Social Engineering; Smishing, Vishing, etc
Malware
Raspberry Robin Worm Evolves to Attack Financial and Insurance Sectors in Europe (thehackernews.com)
Hackers abuse Windows error reporting tool to deploy malware (bleepingcomputer.com)
New SHC-compiled Linux malware installs cryptominers, DDoS bots (bleepingcomputer.com)
Bluebottle hackers used signed Windows driver in attacks on banks (bleepingcomputer.com)
Dridex Returns, Targets MacOS Using New Entry Method (trendmicro.com)
New Linux malware uses 30 plugin exploits to backdoor WordPress sites (bleepingcomputer.com)
PyTorch discloses malicious dependency chain compromise over holidays (bleepingcomputer.com)
WordPress Sites Under Attack from Newly Found Linux Trojan (darkreading.com)
Blind Eagle Hackers Return with Refined Tools and Sophisticated Infection Chain (thehackernews.com)
Raspberry Robin Worm Hatches a Highly Complex Upgrade (darkreading.com)
The Evolving Tactics of Vidar Stealer: From Phishing Emails to Social Media (thehackernews.com)
Denial of Service/DoS/DDOS
Internet of Things – IoT
Data Breaches/Leaks
Data of over 200 million Deezer users stolen, leaks on hacking forum • Graham Cluley
Five Guys Data Breach Puts HR Data Under a Heat Lamp (darkreading.com)
Analysis Of Top 10 Countries Mostly Targeted By Data Breaches (informationsecuritybuzz.com)
I bought a $15 router at Goodwill — and found a millionaire's dirty secrets (nypost.com)
Critical flaws found in Ferrari, BMW, Porsche, and other carmakers - Security Affairs
Toyota, Mercedes, BMW API flaws exposed owners’ personal info (bleepingcomputer.com)
Threat actors stole Slack private source code repositories - Security Affairs
Data of over 200 million Deezer users stolen, leaks on hacking forum • Graham Cluley
Organised Crime & Criminal Actors
Threat Actors Evade Detection Through Geofencing & Fingerprinting (darkreading.com)
Attackers create 130K fake accounts to abuse limited-time cloud computing resources | CSO Online
Ukrainian Cops Bust Prolific Fraud Call Centre - Infosecurity Magazine (infosecurity-magazine.com)
Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain
Insider Risk and Insider Threats
Software engineer busted after being inspired by Office Space scam | PC Gamer
Are Meta and Twitter Ushering in a New Age of Insider Threats? (darkreading.com)
Ex-GE engineer sentenced for stealing turbine tech for China • The Register
Fraud, Scams & Financial Crime
Avast: Expect Cyber crime "Scamdemic" to Continue in 2023 - MSSP Alert
Software engineer busted after being inspired by Office Space scam | PC Gamer
US regulators warn banks over cryptocurrency risks - BBC News
RedZei Chinese Scammers Targeting Chinese Students in the UK (thehackernews.com)
Ukrainian Cops Bust Prolific Fraud Call Centre - Infosecurity Magazine (infosecurity-magazine.com)
Impersonation Attacks
AML/CFT/Sanctions
Insurance
Cyber safety premiums holding firms to ransom | Business | The Times
How can businesses decrease cyber insurance premiums while maintaining coverage? - Help Net Security
Dark Web
Supply Chain and Third Parties
Software Supply Chain
Cloud/SaaS
Encryption
API
Car companies massively exposed to web vulnerabilities | The Daily Swig (portswigger.net)
16 Car Makers and Their Vehicles Hacked via Telematics, APIs, Infrastructure | SecurityWeek.Com
What Are Some Ways to Make APIs More Secure? (darkreading.com)
Critical flaws found in Ferrari, BMW, Porsche, and other carmakers - Security Affairs
Open Source
New SHC-compiled Linux malware installs cryptominers, DDoS bots (bleepingcomputer.com)
New Linux malware uses 30 plugin exploits to backdoor WordPress sites (bleepingcomputer.com)
Social Media
Data of 235 million Twitter users leaked online - Security Affairs
The Evolving Tactics of Vidar Stealer: From Phishing Emails to Social Media (thehackernews.com)
Are Meta and Twitter Ushering in a New Age of Insider Threats? (darkreading.com)
Meta fined €390m over use of data for targeted ads - BBC News
More Political Storms for TikTok After US Government Ban | SecurityWeek.Com
Parental Controls and Child Safety
Regulations, Fines and Legislation
Governance, Risk and Compliance
Cyber safety premiums holding firms to ransom | Business | The Times
Attackers never let a critical vulnerability go to waste - Help Net Security
Attackers evolve strategies to outmanoeuvre security teams - Help Net Security
How to start planning for disaster recovery - Help Net Security
Building A Security-First Culture: The Key To Cyber Success (forbes.com)
Data backup is no longer just about operational fallback - Help Net Security
Threat Actors Evade Detection Through Geofencing & Fingerprinting (darkreading.com)
How can businesses decrease cyber insurance premiums while maintaining coverage? - Help Net Security
Secure Disposal
Backup and Recovery
Data Protection
Law Enforcement Action and Take Downs
Privacy, Surveillance and Mass Monitoring
National security fears over police using Chinese tech | News | The Times
Meta fined €390m over use of data for targeted ads - BBC News
Artificial Intelligence
ChatGPT: An Easy Cyber crime Target For Cyber attacks (informationsecuritybuzz.com)
OpenAI's ChatGPT previews how AI can help hackers breach more networks (axios.com)
NATO tests AI’s ability to protect critical infrastructure against cyber attacks | CSO Online
Misinformation, Disinformation and Propaganda
Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine
War and Geopolitical Conflict: The New Battleground for DDoS Attacks (darkreading.com)
Cyber attacks against governments jumped 95% in last half of 2022, CloudSek says | CSO Online
It's time to focus on information warfare's hard questions (cyberscoop.com)
National security fears over police using Chinese tech | News | The Times
Ex-GE engineer sentenced for stealing turbine tech for China • The Register
Pro-Russia cyber attacks aim at destabilizing Poland - Security Affairs
Poland warns of attacks by Russia-linked Ghostwriter hacking group (bleepingcomputer.com)
Nation State Actors
Nation State Actors – Russia
Nation State Actors – China
National security fears over police using Chinese tech | News | The Times
Ex-GE engineer sentenced for stealing turbine tech for China • The Register
Nation State Actors – Iran
Nation State Actors – Misc
Vulnerability Management
Adobe, Apple, Cisco, Microsoft Flaws Make Up Half of KEV Catalog (darkreading.com)
Attackers never let a critical vulnerability go to waste - Help Net Security
Vulnerabilities
Over 60,000 Exchange servers vulnerable to ProxyNotShell attacks (bleepingcomputer.com)
Adobe, Apple, Cisco, Microsoft Flaws Make Up Half of KEV Catalog (darkreading.com)
Rackspace: Ransomware Attack Bypassed ProxyNotShell Mitigations (darkreading.com)
Zoho urges admins to patch severe ManageEngine bug immediately (bleepingcomputer.com)
Android's First Security Updates for 2023 Patch 60 Vulnerabilities | SecurityWeek.Com
Fortinet and Zoho Urge Customers to Patch Enterprise Software Vulnerabilities (thehackernews.com)
Qualcomm, Lenovo flag multiple high impact firmware vulnerabilities | SC Media (scmagazine.com)
Netgear Wi-Fi routers need to be patched immediately | TechRadar
Other News
The cyber security industry will undergo significant changes in 2023 - Help Net Security
SecurityAffairs Top 10 cybersecurity posts of 2022 - Security Affairs
BleepingComputer's most popular cybersecurity stories of 2022
WordPress Security: 22 Ways To Protect Your Website (informationsecuritybuzz.com)
Cyber attacks against governments jumped 95% in last half of 2022, CloudSek says | CSO Online
Sector Specific
Industry specific threat intelligence reports are available.
Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.
· Automotive
· Construction
· Critical National Infrastructure (CNI)
· Defence & Space
· Education & Academia
· Energy & Utilities
· Estate Agencies
· Financial Services
· FinTech
· Food & Agriculture
· Gaming & Gambling
· Government & Public Sector (including Law Enforcement)
· Health/Medical/Pharma
· Hotels & Hospitality
· Insurance
· Legal
· Manufacturing
· Maritime
· Oil, Gas & Mining
· OT, ICS, IIoT, SCADA & Cyber-Physical Systems
· Retail & eCommerce
· Small and Medium Sized Businesses (SMBs)
· Startups
· Telecoms
· Third Sector & Charities
· Transport & Aviation
· Web3
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Threat Briefing 23 September 2022
Black Arrow Cyber Threat Briefing 23 September 2022:
-Cyber Insurers Clamp Down on Clients' Self-Attestation of Security Controls
-Survey Shows CISOs Losing Confidence in Ability to Stop Ransomware Attacks
-MFA Fatigue: Hackers’ New Favourite Tactic In High-Profile Breaches
-Credential Stuffing Accounts For One-third Of Global Login Attempts, Okta Finds
-Ransomware Operators Might Be Dropping File Encryption In Favour Of Corrupting Files
-Revolut Hack Exposes Data Of 50,000 Users, Fuels New Phishing Wave
-Researchers Say Insider Threats Play A Larger Role In Security Incidents
-SMBs vs. Large Enterprises: Not All Compromises Are Created Equal
-Cyber Attack Costs for Businesses up by 80%
-Morgan Stanley Fined $35m By SEC For Data Security Lapse, Sold Devices Full of Customer PII
-Eyeglass Reflections Can Leak Information During Video Calls
-Uber Says It Was Likely Hacked by Teenage Hacker Gang LAPSUS$
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
Cyber Insurers Clamp Down on Clients' Self-Attestation of Security Controls
After one company suffered a breach that could have been headed off by the MFA it claimed to have, insurers are looking to confirm claimed cyber security measures.
A voided lawsuit from a cyber insurance carrier claiming its customer misled it on its insurance application could potentially pave the way to change how underwriters evaluate self-attestation claims on insurance applications.
The case — Travelers Property Casualty Company of America v. International Control Services Inc. (ICS) — hinged on ICS claiming it had multifactor authentication (MFA) in place when the electronics manufacturer applied for a policy. In May the company experienced a ransomware attack. Forensics investigators determined there was no MFA in place, so Travelers asserted it should not be liable for the claim. The case was filed in the US District Court for the Central District of Illinois on July 6 and at the end of August, the litigants agreed to void the contract, ending ICS's efforts to have its insurer cover its losses.
This case was unusual in that Travelers maintained the misrepresentation "materially affected the acceptance of the risk and/or the hazard assumed by Travelers" in the court filing. Taking a client to court is a departure from other similar cases where an insurance company simply denied the claim.
Sean O'Brien of Yale Law School notes that security should be proactive, stopping possible breaches before they occur rather than simply responding to each successful attack. The insurance industry is likely to become more and more pernickety as cyber security claims rise, defending their bottom line and avoiding reimbursement wherever possible. This has always been the role of insurance adjusters, of course, and their business is in many ways adversarial to your organisation's interests after the dust settles from a cyber attack.
That said, organisations should not expect a payout for poor cyber security policies and practices, he notes.
Survey Shows CISOs Losing Confidence in Ability to Stop Ransomware Attacks
Despite an 86% surge in budget resources to defend against ransomware, 90% of organisations were impacted by attacks last year, a survey reveals.
An annual survey of CISOs from Canada, the UK, and US reveals that security teams are starting to lose hope that they can defend against the next ransomware attack. The survey was conducted by SpyCloud, and it showed that although budgets to protect against cyber attacks have swelled by 86%, a full 90% of organisations surveyed said they had been impacted by a ransomware over the past year.
More organisations have implemented 'Plan B' measures this year, from opening cryptocurrency accounts to purchasing ransomware insurance. These findings suggest that organisations realise threats are slipping through their defences and a ransomware attack is inevitable.
The survey did show some bright spots on the cyber security front — nearly three-quarters of those organisations surveyed are using multifactor authentication (MFA), with an increase from 44% to 73% year-over-year. The report added that respondents said they are focused on stopping credential-stealing malware, particularly on unmanaged network devices.
MFA Fatigue: Hackers’ New Favourite Tactic in High-Profile Breaches
Hackers are more frequently using social engineering attacks to gain access to corporate credentials and breach large networks. One component of these attacks that is becoming more popular with the rise of multi-factor authentication is a technique called MFA Fatigue.
When breaching corporate networks, hackers commonly use stolen employee login credentials to access VPNs and the internal network. The reality is that obtaining corporate credentials is far from difficult for threat actors, who can use various methods, including phishing attacks, malware, leaked credentials from data breaches, or purchasing them on dark web marketplaces.
To counter this, enterprises have increasingly adopted multi-factor authentication to prevent users from logging into a network without first entering an additional form of verification. This additional information can be a one-time passcode, a prompt asking you to verify the login attempt, or the use of hardware security keys.
While threat actors can use numerous methods to bypass multi-factor authentication, most revolve around stealing cookies through malware or man-in-the-middle phishing attack frameworks. However, a social engineering technique called 'MFA Fatigue' is growing more popular with threat actors as it does not require malware or phishing infrastructure and has proven to be successful in attacks.
An MFA Fatigue attack is when a threat actor runs a script that attempts to log in with stolen credentials over and over, causing what feels like an endless stream of MFA push requests to be sent to the account's owner's mobile device. The goal is to keep this up, day and night, to break down the target's cyber security posture and inflict a sense of "fatigue" regarding these MFA prompts.
Credential Stuffing Accounts for One-third Of Global Login Attempts
Okta’s global State of Secure Identity Report has found that credential stuffing is the top threat against customer accounts, outpacing legitimate login traffic in some countries. The report presents trends, examples and observations unearthed from the billions of authentications on Okta’s Auth0 platform.
Credential stuffing is when attacks take advantage of the practice of password reuse. It begins with a stolen login or password pair, then threat actors use these credentials across other common sites, using automated tooling used to “stuff” credential pairs into login forms. When an account holder reuses the same (or similar) passwords on multiple sites, it creates a domino effect in which a single credential pair can be used to breach multiple applications.
Across all industries globally, Okta found there were almost 10 billion credential stuffing attempts in the first 90 days of 2022, which amounts to 34% of authentication traffic.
Ransomware Operators Might Be Dropping File Encryption in Favour of Corrupting Files
Corrupting files is faster, cheaper, and less likely to be stopped by endpoint protection tools than encrypting them.
A recent attack that involved a threat actor believed to be an affiliate of the BlackCat/ALPHV ransomware-as-a-service (RaaS) operation was found to use a data exfiltration tool dubbed Exmatter. Exmatter is a tool that allows attackers to scan the victim computer's drives for files with certain extensions and then upload them to an attacker-controlled server in a unique directory created for every victim. The tool supports several exfiltration methods including FTP, SFTP, and webDAV.
The way the Eraser function works is that it loads two random files from the list into memory and then copies a random chunk from the second file to the beginning of the first file overwriting its original contents. This doesn't technically erase the file but rather corrupts it. The researchers believe this feature is still being developed because the command that calls the Eraser function is not yet fully implemented and the function’s code still has some inefficiencies. Since the selected data chunk is random, it can sometimes be very small, which makes some files more recoverable than others.
Why destroy files by overwriting them with random data instead of deploying ransomware to encrypt them? At a first glance these seem like similar file manipulation operations. Encrypting a file involves overwriting it, one block at a time, with random-looking data (the ciphertext). However, there are ways to detect these encryption operations when done in great succession and many endpoint security programs can now detect when a process exhibits this behaviour and can stop it. Meanwhile, the kind of file overwriting that Exmatter does is much more subtle.
The act of using legitimate file data from the victim machine to corrupt other files may be a technique to avoid heuristic-based detection for ransomware and wipers, as copying file data from one file to another is much more plausibly benign functionality compared to sequentially overwriting files with random data or encrypting them.
Another reason is that encrypting files is a more intensive task that takes a longer time. It's also much harder and costly to implement file encryption programs, which ransomware essentially are, without bugs or flaws that researchers could exploit to reverse the encryption. There have been many cases over the years where researchers found weaknesses in ransomware encryption implementations and were able to release decryptors. This has happened to BlackMatter, the Ransomwware-as-a-Service (RaaS) operation with which the Exmatter tool has been originally associated.
With data exfiltration now the norm among threat actors, developing stable, secure, and fast ransomware to encrypt files is a redundant and costly endeavour compared to corrupting files and using the exfiltrated copies as the means of data recovery.
It remains to be seen if this is the start of a trend where ransomware affiliates switch to data destruction instead of encryption, ensuring the only copy is in their possession, or if it's just an isolated incident where BlackMatter/BlackCat affiliates want to avoid mistakes of the past. However, data theft and extortion attacks that involve destruction are not new and have been widespread in the cloud database space. Attackers have hit unprotected S3 buckets, MongoDB databases, Redis instances, and ElasticSearch indexes for years, deleting their contents and leaving behind ransom notes so it wouldn't be a surprise to see this move to on-premises systems as well.
Revolut Hack Exposes Data Of 50,000 Users, Fuels New Phishing Wave
Revolut has suffered a cyber attack that gave an unauthorised third party access to personal information of tens of thousands of clients. The incident occurred over a week ago, on Sunday night, and has been described as "highly targeted."
Founded in 2015, Revolut is a financial technology company that has seen a rapid growth, now offering banking, money management, and investment services to customers all over the world. In a statement a company spokesperson said that an unauthorised party had access "for a short period of time" to details of only a 0.16% of its customers.
"We immediately identified and isolated the attack to effectively limit its impact and have contacted those customers affected. Customers who have not received an email have not been impacted" , Revolut said.
According to the breach disclosure to the State Data Protection Inspectorate in Lithuania, where Revolut has a banking license, 50,150 customers have been impacted. Based on the information from Revolut, the agency said that the number of affected customers in the European Economic Area is 20,687, and just 379 Lithuanian citizens are potentially impacted by this incident.
Details on how the threat actor gained access to the database have not been disclosed but it appears that the attacker relied on social engineering. The Lithuanian data protection agency notes that the likely exposed information includes:
Email addresses
Full names
Postal addresses
Phone numbers
Limited payment card data
Account data
However, in a message to an affected customer, Revolut says that the type of compromised personal data varies for different customers. Card details, PINs, or passwords were not accessed.
Researchers Say Insider Threats Play a Larger Role In Security Incidents
Insider threats are becoming an increasingly common part of the attack chain, with malicious insiders and unwitting assets playing critical roles in incidents over the past year, according to Cisco Talos research.
In a blog post, Cisco Talos researchers said organisations can mitigate these types of risks via education, user-access control, and ensuring proper processes and procedures are in place when and if employees leave the organisation.
There are a variety of reasons a user may choose to become a malicious insider, and unfortunately many of them are occurring today. The most obvious being financial distress, where a user has a lot of debt and selling the ability to infect their employer can be a tempting avenue. There have been examples of users trying to sell access into employer networks for more than a decade, having spotted them on dark web forums. The current climate, with the economy tilting toward recession, is ripe for this type of abuse.
The cyber crime underground remains a hot spot for insider threat recruitment efforts because of the relative anonymity, accessibility, and low barrier of entry it affords. Malicious actors use forums and instant messaging platforms to advertise their insider services or, vice versa, to recruit accomplices for specific schemes that require insider access or knowledge.
By far, the most popular motivation for insider threats is financial gain. There are plenty of examples of financially-motivated threat actors seeking employees at companies to provide data and access to sell in the underground or leverage against the organisation or its customers. There have also been instances where individuals turn to underground forums and instant messaging platforms claiming to be employees at notable organisations to sell company information.
SMBs vs. Large Enterprises: Not All Compromises Are Created Equal
Attackers view smaller organisations as having fewer security protocols in place, therefore requiring less effort to compromise. Lumu has found that compromise is significantly different for small businesses than for medium-sized and large enterprises.
There is no silver bullet for organisations to protect themselves from compromise, but there are critical steps to take to understand your potential exposure and make sure that your cyber security protocols are aligned accordingly.
Compromise often stay undetected for long periods of time – 201 days on average with compromise detection and containment taking approximately 271 days. It’s critical for smaller businesses to know they are more susceptible and to get ahead of the curve with safeguards.
Results from the Lumu Ransomware Assessment show a few reasons why attacks continue to stay undetected for such long periods of time:
· 58% of organisations aren’t monitoring roaming devices, which is concerning with a workforce that has embraced remote working
· 72% of organisations either don’t or only partially monitor the use of network resources and traffic, which is problematic given that most compromises tend to originate from within the network
· Crypto-mining doesn’t appear to be a concern for the majority of organisations as 76% either do not know or only partially know how to identify it; however, this is a commonly used technique for cyber criminals
Additionally, threat data unveils attack techniques used and how they vary based on the size of the organisation.
Small businesses are primarily targeted by malware attacks (60%) and are also at greater risk of Malware, Command and Control, and Crypto-Mining. Medium-sized businesses and large enterprises don’t see as much malware and are more susceptible to Domain Generated Algorithms (DGA). This type of attack allows adversaries to dynamically identify a destination domain for command and control traffic rather than relying on a list of static IP addresses or domains.
https://www.helpnetsecurity.com/2022/09/22/smaller-organizations-security-protocols/
Cyber Attack Costs for Businesses up by 80%
In seven out of eight countries, cyber attacks are now seen as the biggest risk to business — outranking COVID-19, economic turmoil, skills shortages, and other issues. The "Hiscox Cyber Readiness Report 2022," which assesses how prepared businesses are to fight back against cyber incidents and breaches, polled more than 5,000 corporate cyber security professionals in the US, UK, Belgium, France, Germany, Ireland, Spain, and the Netherlands. These experts had some enlightening things to say.
According to the report, IT pros are more worried about cyber attacks (46%) than the pandemic (43%) or skills shortages (38%). And the data prove it. The survey indicates that in the past 12 months, US businesses weathered a 7% increase in cyber attacks. Approximately half of all US businesses (47%) suffered an attack in the past year.
Remote work has caused many smaller organisations to use cloud solutions instead of utilizing in-house IT services. However, with more cloud applications and APIs in use, the attack surface has broadened, too, making these organisations more vulnerable to cyber crime.
Although the proportion of staff working remotely almost halved in the past year — from 62% of the workforce in 2021 to 39% in 2022 — overall IT expenditures doubled, from $11.5 million in 2021 to $24.2 million this year. "Despite 61% of survey respondents now being back in the office, businesses are still experiencing a hangover from the pandemic," Hiscox said in a statement. "Remote working provided a year-long Christmas for cyber criminals, and we can see the results of their cyber-feast in the increased frequency and cost of attacks. As we move into a new era of hybrid working, we all have an increased responsibility to continue learning, and managing our own cyber security."
It may come as no surprise that as more organisations evolve and scale their digital business models, the median cost of an attack has surged — from $10,000 last year to $18,000 in 2022. The US is bearing the brunt of generally higher cyber attack costs, with 40% of attack victims incurring costs of $25,000 or higher. The most common vulnerability — i.e., the entry point for cyber criminals — was a cloud-based corporate server.
However, in terms of attack costs, the report reveals major regional disparities. While one organisation in the UK suffered total attack costs of $6.7 million, the hardest-hit firms in Germany, Ireland, and the Netherlands paid out more than $5 million. In turn, Belgium, France, Germany, and Spain all experienced stable or lower median costs.
https://www.darkreading.com/attacks-breaches/cyberattack-costs-for-us-businesses-up-by-80-
Morgan Stanley Fined $35m By SEC For Data Security Lapse, Sold Devices Full of Customer PII
American financial services giant Morgan Stanley agreed to pay the Securities and Exchange Commission (SEC) a $35m penalty on Tuesday over data security lapses.
According to the SEC's complaint, the firm would have allowed roughly 1000 unencrypted hard drives (HDDs) and about 8000 backup tapes from decommissioned data centres to be resold on auction sites without first being wiped.
The improper disposal of the devices reportedly started in 2016 and per the SEC complaint, was part of an "extensive failure" that exposed 15 million customers' data.
In fact, instead of destroying the hard drives or employing an internal IT team to erase them, Morgan Stanley would have contracted an unnamed third–party moving company with allegedly no experience in decommissioning storage media to take care of the hardware.
The moving company initially subcontracted an IT firm to wipe the drives, but their business relationship went sour, so the mover started selling the storage devices to another firm that auctioned them online without erasing them.
"This is an astonishing security mistake by one of the world's most prestigious banks, who would be expected to have well–established procedures in system life cycle management," Jordan Schroeder, managing CISO at Barrier Networks, told Infosecurity Magazine.
"Not only does the situation mean that the bank put customer data at risk, but it also demonstrates the organisation was not following an expected policy which explained the secure disposing of IT equipment."
https://www.infosecurity-magazine.com/news/morgan-stanley-pay-dollar35m-sec/
Eyeglass Reflections Can Leak Information During Video Calls
A group of academic researchers have devised a method of reconstructing text exposed via participants’ eyeglasses and other reflective objects during video conferences.
Zoom and other video conferencing tools, which have been widely adopted over the past couple of years as a result of the Covid-19 pandemic, may be used by attackers to leak information unintentionally reflected in objects such as eyeglasses, the researchers say.
Using mathematical modelling and human subjects experiments, this research explores the extent to which emerging webcams might leak recognizable textual and graphical information gleaming from eyeglass reflections captured by webcams.
Dubbed ‘webcam peeking attack’, a threat model devised by academics shows that it is possible to obtain an accuracy of over 75% when reconstructing and recognizing text with heights as small as 10 mm, captured by a 720p webcam.
According to the academics, attackers can also rely on webcam peeking to identify the websites that the victims are using. Moreover, they believe that 4k webcams will allow attackers to easily reconstruct most header texts on popular websites.
To mitigate the risk posed by webcam peeking attacks, the researchers propose both near- and long-term mitigations, including the use of software that can blur the eyeglass areas of the video stream. Some video conferencing solutions already offer blurring capabilities, albeit not fine-tuned.
https://www.securityweek.com/eyeglass-reflections-can-leak-information-during-video-calls
Uber Says It Was Likely Hacked by Teenage Hacker Gang LAPSUS$
Uber has published additional information about how it was hacked, claiming that it was targeted by LAPSUS$, a cyber criminal gang with a hefty track record that is thought to be composed largely of teenagers.
Last week, someone broke into Uber’s network and used the access to cause all sorts of chaos. The culprit, who claims to be 18 years old, managed to spam company staff with vulgar Slack messages, post a picture of a penis on the company’s internal websites, and leak images of Uber’s internal environment to the web. Now, the ride-share giant has released a statement providing details on its ordeal.
In its update, the company has clarified how it was hacked, largely confirming an account made by the hacker themself. Uber says that the hacker exploited the login credentials of a company contractor to initially gain access to the network. The hacker may have originally bought access to those credentials via the dark web, Uber says. The hacker then used them to make multiple login attempts to the contractor’s account. The login attempts prompted a slew of multi-factor authentication requests for the contractor, who ultimately authenticated one of them. The hacker has previously claimed that it conducted a social engineering scheme to convince the contractor to authenticate the login attempt.
Security experts have called this an “MFA fatigue” attack. This increasingly common intrusion tactic seeks to overwhelm a victim with authentication push requests until they validate the hacker’s illegitimate login attempt.
Most interestingly, Uber has also claimed that whoever was behind this hacking episode is affiliated with the cyber crime gang “LAPSUS$.” It’s not totally clear how Uber knows that.
https://gizmodo.com/uber-says-it-was-hacked-by-teenage-hacker-gang-lapsus-1849554679
Threats
Ransomware and Extortion
Microsoft SQL servers hacked in TargetCompany ransomware attacks (bleepingcomputer.com)
BlackCat ransomware’s data exfiltration tool gets an upgrade (bleepingcomputer.com)
SpyCloud Report: 90% of Companies Affected by Ransomware in 2022 - MSSP Alert
Netflix-style Ransomware Makes Your Organisation’s Data The Prize In A (informationsecuritybuzz.com)
LockBit ransomware builder leaked online by “angry developer” (bleepingcomputer.com)
How to Prevent Ransomware as a Service (RaaS) Attacks (trendmicro.com)
The Risk of Ransomware Supply Chain Attacks (trendmicro.com)
Europol and Bitdefender Release Free Decryptor for LockerGoga Ransomware (thehackernews.com)
Vice Society Demands Ransom From LAUSD Two Weeks After Hack (gizmodo.com)
Phishing & Email Based Attacks
Microsoft: Exchange servers hacked via OAuth apps for phishing (bleepingcomputer.com)
LinkedIn Smart Links abused in evasive email phishing attacks (bleepingcomputer.com)
BBC Warns Of Cost-of-living Phishing, Expert Weighs In (informationsecuritybuzz.com)
Microsoft 365 phishing attacks impersonate US govt agencies (bleepingcomputer.com)
How DKIM records reduce email spoofing, phishing and spam (techtarget.com)
Security alert: new phishing campaign targets GitHub users | The GitHub Blog
American Airlines learned it was breached from phishing targets (bleepingcomputer.com)
Email-based threats: A pain point for organisations - Help Net Security
Other Social Engineering; Smishing, Vishing, etc
Malware
IT giants warn of ongoing Chromeloader malware campaigns - Security Affairs
Fake sites fool Zoom users into downloading deadly code • The Register
Malicious NPM package discovered in supply chain attack (techtarget.com)
How botnet attacks work and how to defend against them (bleepingcomputer.com)
Mobile
This dangerous Android spyware could affect millions of devices | TechRadar
Banking Users Faced With Rewards Phishing Scam - IT Security Guru
Malicious Apps With Millions of Downloads Found in Apple App Store, Google Play (darkreading.com)
Data Breaches/Leaks
Cyber Attack Steals Passenger Data From Portuguese Airline | SecurityWeek.Com
American Airlines discloses data breach after employee email compromise (bleepingcomputer.com)
Significant cyber attack hits Australian telco Optus • The Register
Organised Crime & Criminal Actors
London Police Arrested 17-Year-Old Hacker Suspected of Uber and GTA 6 Breaches (thehackernews.com)
Ukraine dismantles hacker gang that stole 30 million accounts (bleepingcomputer.com)
Cambodian authorities crack down on cyber slavery • The Register
Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain
Cryptocurrency world's Wintermute loses $160m in cyber-heist • The Register
South Korean prosecutors ask Interpol to issue red notice for Do Kwon | Financial Times (ft.com)
"Fake crypto millionaire" charged with alleged $1.7M cryptomining scam (bitdefender.com)
Insider Risk and Insider Threats
Fraud, Scams & Financial Crime
Multi-million dollar credit card fraud operation uncovered (bleepingcomputer.com)
Microsoft Warns of Large-Scale Click Fraud Campaign Targeting Gamers (thehackernews.com)
Cyber crime cost American seniors $3 billion last year, a 62% jump (usatoday.com)
Insurance
Cyber Security Insurance Trends: Key Takeaways for MSPs - MSSP Alert
D&O insurance not yet a priority despite criminal trial of Uber’s former CISO | CSO Online
Supply Chain and Third Parties
Denial of Service DoS/DDoS
DDoS and bot attacks in 2022: Business sectors at risk and how to defend (bleepingcomputer.com)
Record DDoS Attack with 25.3 Billion Requests Abused HTTP/2 Multiplexing (thehackernews.com)
Imperva mitigated long-lasting, 25.3 billion request DDoS attack (bleepingcomputer.com)
Cloud/SaaS
Encryption
API
Open Source
Privacy, Surveillance and Mass Monitoring
Pressure mounts against Europol over data privacy • The Register
San Francisco cops can use private cameras for surveillance • The Register
Parental Controls and Child Safety
Regulations, Fines and Legislation
5 Data Privacy Laws That Could Affect Your Business (informationsecuritybuzz.com)
France and Germany fall foul of EU data retention rules • The Register
Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine
Russia Makes Veiled Threat to Destroy SpaceX's Starlink (pcmag.com)
Researchers Uncover New Metador APT Targeting Telcos, ISPs, and Universities (thehackernews.com)
Russian Sandworm hackers pose as Ukrainian telcos to drop malware (bleepingcomputer.com)
Anonymous claims hacked website of Russian Ministry of Defence - Security Affairs
Pro-Ukraine Hacktivists Claim to Have Hacked Notorious Russian Mercenary Group (vice.com)
European Spyware Investigators Criticize Israel and Poland | SecurityWeek.Com
Hackathon finds dozens of Ukrainian refugees trafficked online | Ars Technica
Researchers Uncover Mysterious 'Metador' Cyber-Espionage Group (darkreading.com)
This dangerous Android spyware could affect millions of devices | TechRadar
Nation State Actors
Nation State Actors – Russia
Inside Russia’s Vast Surveillance State: ‘They Are Watching’ - The New York Times (nytimes.com)
Russian Cyberspies Targeting Ukraine Pose as Telecoms Providers | SecurityWeek.Com
Nation State Actors – China
Nation State Actors – Iran
FBI: Iranian hackers lurked in Albania’s govt network for 14 months (bleepingcomputer.com)
NATO's Team in Albania to Help on Iran-Alleged Cyber Attack | SecurityWeek.Com
Nation State Actors – Misc
Vulnerability Management
Vulnerabilities
Hackers Actively Exploiting New Sophos Firewall RCE Vulnerability (thehackernews.com)
CISA adds Zoho ManageEngine flaw to its Known Exploited Vulnerabilities Catalogue - Security Affairs
AttachMe: a critical flaw affects Oracle Cloud Infrastructure (OCI) - Security Affairs
BIND Updates Patch High-Severity Vulnerabilities | SecurityWeek.Com
15-year-old Python flaw found in 'over 350,000' projects • The Register
CISA warns of critical ManageEngine RCE bug used in attacks (bleepingcomputer.com)
Critical Magento vulnerability targeted in new surge of attacks (bleepingcomputer.com)
Reports Published in the Last Week
Other News
Why Even Big Tech Companies Keep Getting Hacked—and What They Plan to Do About It - WSJ
20/20 visibility is paramount to network security - Help Net Security
Domain shadowing becoming more popular among cyber criminals (bleepingcomputer.com)
Multi-factor authentication fatigue attacks are on the rise: How to defend against them | CSO Online
What's behind the different names for cyber hacker groups (axios.com)
IT services group Wipro fires 300 employees moonlighting for competitors | TechCrunch
How can organisations benefit from full-stack observability? - Help Net Security
Firing Your Entire Cyber Security Team? Are You Sure? (thehackernews.com)
Cyber criminals launching more MFA bypass attacks (techtarget.com)
Microsoft (MSFT) Says Managers Shouldn’t Spy on Staff to Ensure They’re Working - Bloomberg
A third of enterprises globally don’t prioritize digital trust: ISACA | CSO Online
How Malware Hides in Images and What You Can Do About It (gizmodo.com)
International cooperation is key to fighting threat actors and cyber crime | CSO Online
Sector Specific
Industry specific threat intelligence reports are available.
Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.
· Automotive
· Construction
· Critical National Infrastructure (CNI)
· Defence & Space
· Education & Academia
· Energy & Utilities
· Estate Agencies
· Financial Services
· FinTech
· Food & Agriculture
· Gaming & Gambling
· Government & Public Sector (including Law Enforcement)
· Health/Medical/Pharma
· Hotels & Hospitality
· Insurance
· Legal
· Manufacturing
· Maritime
· Oil, Gas & Mining
· OT, ICS, IIoT, SCADA & Cyber-Physical Systems
· Retail & eCommerce
· Small and Medium Sized Businesses (SMBs)
· Startups
· Telecoms
· Third Sector & Charities
· Transport & Aviation
· Web3
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Threat Briefing 21 January 2022
Black Arrow Cyber Threat Briefing 21 January 2022
-Cyber Risks Top Worldwide Business Concerns In 2022
-Bosses Think That Security Is Taken Care Of: CISOs Aren't So Sure
-Fraud Is On the Rise, and It's Going to Get Worse
-Two-Fifths of Ransomware Victims Still Paying Up
-Less Than a Fifth of Cyber Leaders Feel Confident Their Organisation is Cyber-Resilient
-Endpoint Malware And Ransomware Detections Hit All-Time High
-End Users Remain Organisations' Biggest Security Risk
-Supply Chain Disruptions Rose In 2021
-Red Cross Begs Attackers Not to Leak Stolen Data for 515K People
-DHL Dethrones Microsoft As Most Imitated Brand In Phishing Attacks
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
Cyber Risks Top Worldwide Business Concerns In 2022
Cyber perils are the biggest concern for companies globally in 2022, according to the Allianz Risk Barometer. The threat of ransomware attacks, data breaches or major IT outages worries companies even more than business and supply chain disruption, natural disasters or the COVID-19 pandemic, all of which have heavily affected firms in the past year.
Cyber incidents tops the Allianz Risk Barometer for only the second time in the survey’s history (44% of responses), Business interruption drops to a close second (42%) and Natural catastrophes ranks third (25%), up from sixth in 2021. Climate change climbs to its highest-ever ranking of sixth (17%, up from ninth), while Pandemic outbreak drops to fourth (22%).
The annual survey incorporates the views of 2,650 experts in 89 countries and territories, including CEOs, risk managers, brokers and insurance experts. View the full global and country risk rankings.
https://www.helpnetsecurity.com/2022/01/20/cyber-concern-2022/
Bosses Think That Security Is Taken Care Of: CISOs Aren't So Sure
The World Economic Forum warns about a significant gap in understanding between C-suites and information security staff - but it's possible to close the gap.
Organisations could find themselves at risk from cyberattacks because of a significant gap between the views of their own security experts and the boardroom.
The World Economic Forum's new report, The Global Cyber Security Outlook 2022, warns there are big discrepancies between bosses and information security personnel when it comes to the state of cyber resilience within organisations.
According to the paper, 92% of business executives surveyed agree that cyber resilience is integrated into enterprise risk management strategies – or in other words, protecting the organisation against falling victim to a cyberattack, or mitigating the incident so it doesn't result in significant disruption.
However, only 55% of security-focused executives believe that cyber resilience is integrated into risk management strategies – indicating a significant divide in attitudes to cyber security.
This gap can leave organisations vulnerable to cyberattacks, because boardrooms believe enough has been done in order to mitigate threats, while in reality there could be unconsidered vulnerabilities or extra measures put in place.
Fraud Is On the Rise, and It's Going to Get Worse
The acceleration of the digital transformation resulted in a surge of online transactions, greater adoption of digital payments, and increased fraud.
As more daily activities — work, education, shopping, and entertainment — shift online, fraud is also on the rise. A trio of recent reports paint a bleak picture, highlighting concerns that companies are experiencing increasing losses from fraud and that the situation will get worse over the coming year.
In KPMG's survey of senior risk executives, 67% say their companies have experienced external fraud in the past 12 months, and 38% expect the risk of fraud committed by external perpetrators to somewhat increase in the next year. External fraud, which includes credit card fraud and identity theft, is specifically referring to incidents perpetuated by individuals outside the company. For most of these respondents, there was a financial impact: Forty-two percent say their organisations experienced 0.5% to 1% of loss as a result of fraud and cybercrime.
https://www.darkreading.com/edge-articles/fraud-is-on-the-rise-and-its-going-to-get-worse
Two-Fifths of Ransomware Victims Still Paying Up
Two-fifths (39%) of ransomware victims paid their extorters over the past three years, with the majority of these spending at least $100,000, according to new Anomali research.
The security vendor hired The Harris Poll to complete its Cyber Resiliency Survey – interviewing 800 security decision-makers in the US, Canada, the UK, Australia, Singapore, Hong Kong, India, New Zealand, the UAE, Mexico and Brazil.
Some 87% said their organisation had been the victim of a successful attack resulting in damage, disruption, or a breach since 2019. However, 83% said they’d experienced more attacks since the start of the pandemic.
Over half (52%) were ransomware victims, with 39% paying up. Of these, 58% gave their attackers between $100,000 and $1m, while 7% handed over more than $1m.
https://www.infosecurity-magazine.com/news/two-fifths-ransomware-victims/
Less Than a Fifth of Cyber Leaders Feel Confident Their Organisation is Cyber-Resilient
Less than one-fifth (17%) of cyber leaders feel confident that their organisations are cyber-resilient, according to the World Economic Forum (WEF)’s inaugural Global Cyber Security Outlook 2022 report.
The study, written in collaboration with Accenture, revealed there is a wide perception gap between business executives and security leaders on the issue of cyber security. For example, 92% of businesses believe cyber-resilience is integrated into their enterprise risk-management strategies, compared to just 55% of cyber leaders.
This difference in attitude appears to be having worrying consequences. The WEF said that many security leaders feel that they are not consulted in security decisions, and only 68% believe cyber-resilience forms a major part of their organisation’s overall corporate risk management.
In addition, over half (59%) of all cyber leaders admitted they would find it challenging to respond to a cyber security incident due to a shortage of skills within their team.
Supply chain security was another major concern among cyber leaders, with almost nine in 10 (88%) viewing SMEs as a key threat to supply chains.
Interestingly, 59% of cyber leaders said cyber-resilience and cyber security are synonymous, with the differences not well understood.
https://www.infosecurity-magazine.com/news/cyber-leaders-organisation/
Endpoint Malware And Ransomware Detections Hit All-Time High
Endpoint malware and ransomware detections surpassed the total volume seen in 2020 by the end of Q3 2021, according to researchers at the WatchGuard Threat Lab. In its latest report, WatchGuard also highlights that a significant percentage of malware continues to arrive over encrypted connections.
While zero-day malware increased by just 3% to 67.2% in Q3 2021, the percentage of malware that arrived via Transport Layer Security (TLS) jumped from 31.6% to 47%. Data shows that many organisations are not decrypting these connections and therefore have poor visibility into the amount of malware hitting their networks.
https://www.helpnetsecurity.com/2022/01/20/endpoint-malware-ransomware-detections-q3-2021/
End Users Remain Organisations' Biggest Security Risk
With the rapid adoption of hybrid working environments and increased attacks, IT and security professionals worry that future data breaches will most likely be the result of end users who are negligent of or break security policy, according to a recent Dark Reading survey. The percentage of respondents in Dark Reading's 2021 Strategic Security Survey who perceive users breaking policy as the biggest risk fell slightly, however, from 51% in 2020 to 48% in 2021. Other potential issues involving end users showed improvements as well, with social engineering falling in concern from 20% to 15% and remote work worries halving from 26% to 13%.
While this trend is positive, it's unclear where the increased confidence comes from, since more people now report ineffective end-user security awareness training (11%, to 2020's 7%).
Respondents shared their heightened concern about well-funded attacks. In 2021, 25% predicted an attack targeted at their organisations (a rise from 2020, when 20% said the same), and fear of a nation-state-sponsored action rose to 16% from 9% the year before. Yet only 16% reported sophisticated, automated malware as a top concern, a 10% drop from 2020, and fear of a gap between security and IT advances only merited 9%. A tiny 3% worried that their security tools wouldn't work well together, dropping from the previous year's 10%.
Supply Chain Disruptions Rose In 2021
56% of businesses experienced more supply chain disruptions in 2021 than 2020, a Hubs report reveals.
Last year was marked by a number of challenges, including computer chip shortages, port congestion, the ongoing impacts of COVID-19, logistics impediments, and energy crises, though with every hurdle faced, solutions are being sought. It is increasingly clear that while certain risks are hard to anticipate and difficult to plan for, it is possible to mitigate the effects of supply chain disruptions by establishing a robust and agile supply chain.
Over 98% of global companies are now planning to boost the resilience of their manufacturing supply chains, however, 37% have yet to implement any measures. As businesses develop long term strategies, over 57% of companies say diversification of their supply chains is the most effective way of building resilience. This report explores last year’s most disruptive events, how disruptions have changed over time, industry trends and strategies for strengthening manufacturing supply chains.
https://www.helpnetsecurity.com/2022/01/19/supply-chain-disruptions-2021/
Red Cross Begs Attackers Not to Leak Stolen Data for 515K People
A cyber attack forced the Red Cross to shut down IT systems running the Restoring Family Links system, which reunites families fractured by war, disaster or migration. UPDATE: The ICRC says it’s open to confidentially communicating with the attacker.
The Red Cross is imploring threat actors to show mercy by abstaining from leaking data belonging to 515,000+ “highly vulnerable” people. The data was stolen from a program used to reunite family members split apart by war, disaster or migration.
“While we don’t know who is responsible for this attack, or why they carried it out, we do have this appeal to make to them,” Robert Mardini, the director general of the International Committee for the Red Cross (ICRC), said in a release on Wednesday. “Your actions could potentially cause yet more harm and pain to those who have already endured untold suffering. The real people, the real families behind the information you now have are among the world’s least powerful. Please do the right thing. Do not share, sell, leak or otherwise use this data.”
https://threatpost.com/red-cross-begs-attackers-not-to-leak-515k-peoples-stolen-data/177799/
DHL Dethrones Microsoft As Most Imitated Brand In Phishing Attacks
DHL was the most imitated brand in phishing campaigns throughout Q4 2021, pushing Microsoft to second place, and Google to fourth.
This isn't surprising considering that the final quarter of every year includes the Black Friday, Cyber Monday, and Christmas shopping season, so phishing lures based on package deliveries naturally increase.
DHL is an international package delivery and express mail service, delivering over 1.6 billion parcels per year.
As such, phishing campaigns impersonating the brand have good chances of reaching people who are waiting for a DHL package to arrive during the holiday season.
The specific lures range from a package that is stuck at customs and requires action for clearance to supposed tracking numbers that hide inside document attachments or embedded links.
Threats
Ransomware
New White Rabbit Ransomware Linked To FIN8 Hacking Group (bleepingcomputer.com)
Conti Ransomware Gang Started Leaking Files Stolen From Bank Indonesia - Security Affairs
This New Ransomware Comes With A Small But Dangerous Payload | ZDNet
FBI Warning: This New Ransomware Makes Demands Of Up To $500,000 | ZDNet
Experts Warn Of Attacks Using A New Linux Variant Of SFile Ransomware - Security Affairs
SEC Filing Reveals Fortune 500 Firm Targeted in Ransomware Attack | Threatpost
FBI Warns Organisations of Diavol Ransomware Attacks | SecurityWeek.Com
Marketing Giant RRD Confirms Data Theft In Conti Ransomware Attack (bleepingcomputer.com)
After Ransomware Arrests, Some Dark Web Criminals Are Getting Worried | ZDNet
BEC – Business Email Compromise
Phishing
Phishing Impersonates Shipping Giant Maersk To Push STRRAT Malware (bleepingcomputer.com)
#COVID19 Phishing Emails Surge 500% on Omicron Concerns - Infosecurity Magazine
Financially Motivated Earth Lusca Threat Actors Targets Orgs Worldwide - Security Affairs
Malware
Microsoft Details Recent Damaging Malware Attacks on Ukrainian Organisations (darkreading.com)
Custom-Written Malware Discovered Across Windows, MacOS, And Linux Systems | TechSpot
Backdoor RAT for Windows, macOS, and Linux went undetected until now | Ars Technica
Ukraine: Wiper Malware Masquerading As Ransomware Hits Government Organisations - Help Net Security
Linux Malware Is On The Rise. Here Are Three Top Threats Right Now | ZDNet
Malware That Can Survive OS Reinstalls Strikes Again, Likely for Cyber Espionage | PCMag
New MoonBounce UEFI Malware Used By Apt41 In Targeted Attacks (bleepingcomputer.com)
Data Breaches/Leaks
Exposed Records Exceeded 40 Billion In 2021 - Help Net Security
European Regulators Hand Out €1.1bn in GDPR Fines - Infosecurity Magazine
Organised Crime & Criminal Actors
Financially Motivated Earth Lusca Threat Actors Targets Orgs Worldwide - Security Affairs
A Hacker Is Negotiating With Victims on the Blockchain After $1.4M Heist (vice.com)
FBI & European Police Take Down Computer Servers Used In Major Cyberattacks Worldwide - CNNPolitics
Europol Shuts Down VPNLab, Cyber Criminals' Favourite VPN Service (thehackernews.com)
Cryptocurrency/Cryptomining/Cryptojacking
Cyber Criminals Actively Target VMware vSphere with Cryptominers | Threatpost
New BHUNT Password Stealer Malware Targeting Cryptocurrency Wallets (thehackernews.com)
Cheap Malware Is Behind A Rise In Attacks On Cryptocurrency Wallets | ZDNet
Insider Risk and Insider Threats
Research: Why Employees Violate Cyber Security Policies (hbr.org)
What CISOs Can Learn About Insider Threats From Iran's Human Espionage Tactics | CSO Online
Fraud, Scams & Financial Crime
How Buy Now, Pay Later Is Being Targeted By Fraudsters - Help Net Security
Romance Scammer Who Targeted 670 Women Gets 28 Months In Jail – Naked Security (sophos.com)
Insurance
CNI, OT, ICS, IIoT and SCADA
UK Mulls Making MSPs Subject To Mandatory Security Standards • The Register
‘Anomalous’ Spyware Stealing Credentials In Industrial Firms (bleepingcomputer.com)
European Union Simulated A Cyber Attack On A Fictitious Finnish Power Company - Security Affairs
Nation State Actors
Ukraine Cyber Attack Timeline: Microsoft, CISA, White House and Kyiv Statements - MSSP Alert
Chinese Hackers Spotted Using New UEFI Firmware Implant in Targeted Attacks (thehackernews.com)
Security Scanners Across Europe Tied To China Govt, Military | AP News
Cloud
Privacy
Passwords & Credential Stuffing
Your Keyboard Walking Password Isn’t Complex Or Secure – Review Geek
Box Flaw Allowed To Bypass MFA And Takeover Accounts - Security Affairs
Spyware, Espionage & Cyber Warfare
Vulnerabilities
CISA Adds 13 Exploited Vulnerabilities To List, 9 with Feb. 1 Remediation Date | ZDNet
High-Severity Vulnerabilities Patched in McAfee Enterprise Product | SecurityWeek.Com
Cisco Releases Patch for Critical Bug Affecting Unified CCMP and Unified CCDM (thehackernews.com)
A bug in McAfee Agent allows to run code with SYSTEM privileges - Security Affairs
Zoho Fixes A Critical Vulnerability (CVE-2021-44757) in Desktop Central - Security Affairs
Ubuntu Patch For Heap Buffer Overflow Vulnerability • The Register
Google Details Two Zero-Day Bugs Reported in Zoom Clients and MMR Servers (thehackernews.com)
Hackers Attempt to Exploit New SolarWinds Serv-U Bug in Log4Shell Attacks (thehackernews.com)
F5 Patches Two Dozen Vulnerabilities in BIG-IP | SecurityWeek.Com
McAfee Bug Can Be Exploited to Gain Windows SYSTEM Privileges | Threatpost
Oracle Critical Patch Update for January 2022 will fix 483 new flaws - Security Affairs
20K WordPress Sites Exposed by Insecure Plugin REST-API | Threatpost
Cisco Issues Patch for Critical RCE Vulnerability in RCM for StarOS Software (thehackernews.com)
Critical Bugs in Control Web Panel Expose Linux Servers to RCE Attacks (thehackernews.com)
Critical SAP Vulnerability Allows Supply Chain Attacks | SecurityWeek.Com
Zoho Plugs Another Critical Security Hole In Desktop Central (bleepingcomputer.com)
Safari Exploit Can Leak Browser Histories And Google Account Info | Engadget
Sector Specific
Financial Services Sector
Health/Medical/Pharma Sector
More Than Half Of Medical Devices Found To Have Critical Vulnerabilities | ZDNet
Additional Healthcare Firms Disclose Impact From Netgain Ransomware Attack | SecurityWeek.Com
Retail
Education and Academia
Other News
Biggest MSP Takeaways From The Apache Log4j Vulnerability - MSSP Alert
The Emotional Stages Of A Data Breach: How To Deal With Panic, Anger, And Guilt | CSO Online
The Log4j Vulnerability Puts Pressure on the Security World | Threatpost
Hackers Planted Secret Backdoor in Dozens of WordPress Plugins and Themes (thehackernews.com)
BadUSB explained: How rogue USBs threaten your organisation | CSO Online
Millions of UK Wi-Fi Routers Vulnerable To Security Threats - IT Security Guru
NATO, Ukraine Sign Deal to 'Deepen' Cyber Cooperation | SecurityWeek.Com
UK Umbrella Company Parasol Group Confirms Cyber Attack • The Register
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Threat Briefing 24 December 2021
Black Arrow Cyber Threat Briefing 24 December 2021
-Cyber Criminals Shifting Focus: IT Sector Most Targeted In 2021
-Log4j Flaw: Attackers Are 'Actively Scanning Networks' Warns New Guidance, Joint Advisory from Cyber Agencies in US, Australia, Canada, New Zealand and the United Kingdom
-New Ransomware Variants Flourish Amid Law Enforcement Actions
-93% of Tested Networks Vulnerable to Breach, Pen Testers Find
-Dridex Malware Trolls Employees With Fake Job Termination Emails
-More Than 35,000 Java Packages Impacted By Log4j Flaw, Google Warns
-Conti Ransomware Gang Has Full Log4Shell Attack Chain
-Second Ransomware Family Exploiting Log4j Spotted In US, Europe
-Threat actors steal $80 million per month with fake giveaways, surveys
-Microsoft Teams might have a few serious security issues
-The Future of Work Has Changed, and Your Security Mindset Needs to Follow
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
Cyber Criminals Shifting Focus: IT Sector Most Targeted In 2021
Darktrace reported that the IT and communications sector was globally the most targeted industry by cybercriminals in 2021.
Darktrace’s data is developed by ‘early indicator analysis’ that looks at the breadcrumbs of potential cyber-attacks at several stages before they are attributed to any particular actor and before they escalate into a full-blown crisis. Findings show that its artificial intelligence autonomously interrupted an average of 150,000 threats per week against the sector in 2021.
The IT and communications sector includes telecommunications providers, software developers, and managed security service providers, amongst others. There was also a growing trend of hackers targeting backup servers in an attempt to deliberately disable or corrupt backup files by deleting a single index file that would render all backups inaccessible. Attackers could then launch ransomware attacks against the clients of the backup vendor, preventing recovery and forcing payment.
In 2020, the most attacked industry was the financial and insurance sector, showing that cyber-criminals have shifted their focus over the last 12 months.
Over the last 12 months, it is clear that attackers are relentlessly trying to access the networks of trusted suppliers in the IT and communications sector. Quite simply, it is a better return on investment than, for example, going after one company in the financial services sector. SolarWinds and Kaseya are just two well-known and recent examples of this. Sadly, there is likely to be more in the near term.
The findings of this research mark one year since the compromise of US software company SolarWinds rattled the security industry. This landmark supply-chain attack made thousands of organisations vulnerable to infiltration by inserting malicious code into the Orion system. Over the last 12 months, there has been a continued spate of attacks against the IT and communications sector, including the high-profile attacks on Kaseya and Gitlab.
https://www.helpnetsecurity.com/2021/12/22/cybercriminals-it-sector/
New Ransomware Variants Flourish Amid Law Enforcement Actions
Ransomware groups continue to evolve their tactics and techniques to deploy file-encrypting malware on compromised systems, notwithstanding law enforcement's disruptive actions against the cyber crime gangs to prevent them from victimizing additional companies.
"Be it due to law enforcement, infighting amongst groups or people abandoning variants altogether, the RaaS [ransomware-as-a-service] groups dominating the ecosystem at this point in time are completely different than just a few months ago," Intel 471 researchers said in a report published this month. "Yet, even with the shift in the variants, ransomware incidents as a whole are still on the rise."
Sweeping law enforcement operations undertaken by government agencies in recent months have brought about rapid shifts in the RaaS landscape and turned the tables on ransomware syndicates like Avaddon, BlackMatter, Cl0p, DarkSide, Egregor, and REvil, forcing the actors to slow down or shut down their businesses altogether.
https://thehackernews.com/2021/12/new-ransomware-variants-flourish-amid.html
93% of Tested Networks Vulnerable to Breach, Pen Testers Find
Data from dozens of penetration tests and security assessments suggest nearly every organisation can be infiltrated by cyber attackers.
The vast majority of businesses can be compromised within a month by a motivated attacker using common techniques, such as compromising credential, exploiting known vulnerabilities in software and Web applications, or taking advantage of configuration flaws, according to an analysis of security assessments by Positive Technologies.
In 93% of cases, an external attacker could breach a target company's network and gain access to local devices and systems, the company's security service professionals found. In 71% of cases, the attacker could affect the businesses in a way deemed "unacceptable." For example, every bank tested by the security firm could be attacked in a way that disrupted business processes and reduced the quality of their service.
Dridex Malware Trolls Employees With Fake Job Termination Emails
A new Dridex malware phishing campaign is using fake employee termination emails as a lure to open a malicious Excel document, which then trolls the victim with a season's greeting message.
Dridex is a banking malware spread through malicious emails that was initially developed to steal online banking credentials. Over time, the developers evolved the malware to use different modules that provide additional malicious behaviour, such as installing other malware payloads, providing remote access to threat actors, or spreading to other devices on the network.
This malware was created by a hacking group known as Evil Corp, which is behind various ransomware operations, such as BitPaymer, DoppelPaymer, WastedLocker variants, and Grief. Due to this, Dridex infections are known to lead to ransomware attacks on compromised networks.
More Than 35,000 Java Packages Impacted By Log4j Flaw, Google Warns
The Google Open Source Team scanned the Maven Central Java package repository and found that 35,863 packages (8% of the total) were using versions of the Apache Log4j library vulnerable to Log4Shell exploit and to the CVE-2021-45046 RCE.
“More than 35,000 Java packages, amounting to over 8% of the Maven Central repository (the most significant Java package repository), have been impacted by the recently disclosed log4j vulnerabilities (1, 2), with widespread fallout across the software industry.” reads the report published by Google. “As far as ecosystem impact goes, 8% is enormous.”
The Google experts used the Open Source Insights, a project used to determine open source dependencies, to assess all versions of all artifacts in the Maven Central Repository.
The experts pointed out that the direct dependencies account for around 7,000 of the affected packages. Most of the affected artifacts are related to indirect dependencies.
Since the vulnerability was disclosed, 13% of all vulnerable packages have been fixed (4,620).
https://securityaffairs.co/wordpress/125845/security/log4j-java-packages-flaws.html
Log4j Flaw: Attackers Are 'Actively Scanning Networks' Warns New Guidance, Joint Advisory from Cyber Agencies in US, Australia, Canada, New Zealand and the United Kingdom
A new informational Log4J advisory has been issued by cybersecurity leaders from the US, Australia, Canada, New Zealand and the United Kingdom. The guide includes technical details, mitigations and resources to address known vulnerabilities in the Apache Log4j software library.
The project is a joint effort by the US' Cybersecurity and Infrastructure Security Agency (CISA), FBI and NSA, as well as the Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), Computer Emergency Response Team New Zealand (CERT NZ), New Zealand National Cyber Secure Centre (NZ NCSC), and the United Kingdom's National Cyber Security Centre (NCSC-UK).
The organisations said they issued the advisory in response to "active, worldwide exploitation by numerous threat actors, including malicious cyber threat actors." Numerous groups from North Korea, Iran, Turkey and China have been seen exploiting the vulnerability alongside a slate of ransomware groups and cybercriminal organisations.
Conti Ransomware Gang Has Full Log4Shell Attack Chain
The Conti gang was the first professional-grade, sophisticated ransomware group to weaponise Log4j2, now with a full attack chain.
The Conti ransomware gang, which last week became the first professional crimeware outfit to adopt and weaponize the Log4Shell vulnerability, has now built up a holistic attack chain.
The sophisticated Russia-based Conti group – which Palo Alto Networks has called “one of the most ruthless” of dozens of ransomware groups currently known to be active – was in the right place at the right time with the right tools when Log4Shell hit the scene 10 days ago, security firm Advanced Intelligence (AdvIntel) said in a report shared with Threatpost on Thursday.
As of Monday the attack chain has taken the following form, AdvIntel’s Yelisey Boguslavskiy told Threatpost: Emotet -> Cobalt Strike -> Human Exploitation -> (no ADMIN$ share) -> Kerberoast -> vCenter ESXi with log4shell scan for vCenter.
https://threatpost.com/conti-ransomware-gang-has-full-log4shell-attack-chain/177173/
Second Ransomware Family Exploiting Log4j Spotted In US, Europe
This was quickly followed by a second ransomware group when researchers found a second family of ransomware has been growing in usage for attack attempts that exploit the critical vulnerability in Apache Log4j, including in the US and Europe.
A number of researchers, including at cybersecurity giant Sophos, have now said they’ve observed the attempted deployment of a ransomware family known as TellYouThePass. Researchers have described TellYouThePass as an older and largely inactive ransomware family — which has been revived following the discovery of the vulnerability in the widely used Log4j logging software.
https://venturebeat.com/2021/12/21/second-ransomware-family-exploiting-log4j-spotted-in-u-s-europe/
Threat actors steal $80 million per month with fake giveaways, surveys
Scammers are estimated to have made $80 million per month by impersonating popular brands asking people to participate in fake surveys or giveaways.
Researchers warn of this new trend in global fraud schemes involving targeted links to make investigation and take-down increasingly challenging.
According to current estimates, these massive campaigns resulted in an estimated $80,000,000 per month, stolen from 10 million people in 91 countries.
The scam themes are the typical and "trustworthy" fake surveys and giveaways from popular brands with the holiday season making targets more susceptible to fraudulent gift offerings.
According to a report by Group-IB, there are currently 60 known scam networks that use targeted links in their campaigns, impersonating 121 brands in false giveaways.
Each network uses an average of 70 different Internet domain names as part of their campaigns, but some find great success with fewer domains, which indicates that quality beats quantity when it comes to scams.
Microsoft Teams might have a few serious security issues
Security researchers have discovered four separate vulnerabilities in Microsoft Teams that could be exploited by an attacker to spoof link previews, leak IP addresses and even access the software giant's internal services.
These discoveries were made by researchers at Positive Security who “stumbled upon” them while looking for a way to bypass the Same-Origin Policy (SOP) in Teams and Electron according to a new blog post. For those unfamiliar, SOP is a security mechanism found in browsers that helps stop websites from attacking one another.
During their investigation into the matter, the researchers found that they could bypass the SOP in Teams by abusing the link preview feature in Microsoft's video conferencing software by allowing the client to generate a link preview for the target page and then using either summary text or optical character recognition (OCR) on the preview image to extract information.
https://www.techradar.com/news/microsoft-teams-might-have-a-few-serious-security-issues
The Future of Work Has Changed, and Your Security Mindset Needs to Follow
VPNs have become a vulnerability that puts organisations at risk of cyber attacks.
When businesses first sent employees to work from home in March 2020 — thinking it'd only be for two weeks — they turned to quick fixes that would enable remote work for large numbers of people as quickly as possible. While these solutions solved the short-term challenge of allowing distributed workforces to connect to a company's network from anywhere, they're now becoming a security vulnerability that is putting organisations at risk of growing cyberattacks.
Now that almost two years have passed and work has fundamentally shifted, with fully or hybrid remote environments here to stay, business and security leaders need solutions that better fit their unique and increasingly complex needs. In fact, a new survey from Menlo Security has found that 75% of organisations are re-evaluating their security strategies for remote employees, exemplifying that accommodating remote work is a top priority for the majority of business leaders.
To successfully manage the risks that distributed workforces entail, leaders must shift their mindset away from the hub-and-spoke approach of providing connectivity to the entire network, instead segmenting access by each individual private application, wherever it is deployed, as threats of cyberattacks loom across all industries. As organisations grapple with the added security challenges that remote and hybrid work environments bring, adopting a zero-trust approach will be critical for end-to-end network and endpoint protection.
Threats
Ransomware
Ransomware Threat Just as Urgent as Terrorism, Say Two-Thirds of IT Pros - Infosecurity Magazine
PYSA Emerges as Top Ransomware Actor in November | Threatpost
AvosLocker Ransomware Reboots In Safe Mode To Bypass Security Tools (bleepingcomputer.com)
Rook Ransomware Is Yet Another Spawn Of The Leaked Babuk Code (bleepingcomputer.com)
PYSA Ransomware Behind Most Double Extortion Attacks In November (bleepingcomputer.com)
This Ransomware Strain Just Started Targeting Lots More Businesses | ZDNet
Phishing
How Likely Are Employees To Fall Prey To A Phishing Attack? - Help Net Security
Dridex Omicron Phishing Taunts With Funeral Helpline Number (bleepingcomputer.com)
New Phishing Campaign Claims $80m Per Month - IT Security Guru
Malware
Log4j Vulnerability Now Used To Install Dridex Banking Malware (bleepingcomputer.com)
New BLISTER Malware Using Code Signing Certificates to Evade Detection (thehackernews.com)
IoT
Cryptocurrency/Cryptomining/Cryptojacking
Example Of How Attackers Are Trying To Push Crypto Miners Via Log4Shell - SANS Internet Storm Center
Insider Risk and Insider Threats
Scams, Fraud & Financial Crime
Insurance
Dark Web
OT, ICS, IIoT and SCADA
Lights Out: Cyber Attacks Shut Down Building Automation Systems (darkreading.com)
Walk-Through Metal Detectors Can Be Hacked, New Research Finds (gizmodo.com)
Nation State Actors
Passwords
Parental Controls and Child Safety
Vulnerabilities
Microsoft Teams Bug Allowing Phishing Unpatched Since March (bleepingcomputer.com)
FBI: Another Zoho ManageEngine Zero-Day Under Active Attack | Threatpost
Active Directory Bugs Could Let hackers Take Over Windows Domain Controllers (thehackernews.com)
All in One SEO Plugin Bug Threatens 3M Websites with Takeovers | Threatpost
Researchers Disclose Unpatched Vulnerabilities in Microsoft Teams Software (thehackernews.com)
Microsoft Admits To Azure App Service Source Code Leak Bug • The Register
Expert Details macOS Bug That Could Let Malware Bypass Gatekeeper Security (thehackernews.com)
New Dell BIOS Updates Cause Laptops And Desktops Not To Boot (bleepingcomputer.com)
Western Digital Warns Customers To Update Their My Cloud Devices (Bleepingcomputer.Com)
New Mobile Network Vulnerabilities Affect All Cellular Generations Since 2G (thehackernews.com)
Sector Specific
Health/Medical/Pharma Sector
Retail
Transport and Aviation
Other News
How Confident Can Organisations Be In Their Managed Services Security? - Help Net Security
Experts Discover Backdoor Deployed on the US Federal Agency's Network (thehackernews.com)
Half-Billion Compromised Credentials Lurking on Open Cloud Server | Threatpost
New Log4J Flaw Caps Year of Relentless Cyber Security Crises - WSJ
Log4Shell Is A Dumpster Fire That Should Have Been Avoided - Help Net Security
7 of the Most Impactful Cyber Security Incidents of 2021 (darkreading.com)
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Threat Briefing 03 December 2021
Black Arrow Cyber Threat Briefing 03 December 2021
-Double Extortion Ransomware Victims Soar 935%
-MI6 Boss: Digital Attack Surface Growing "Exponentially"
-How Phishing Kits Are Enabling A New Legion Of Pro Phishers
-Crooks Are Selling Access To Hacked Networks. Ransomware Gangs Are Their Biggest Customers
-Omicron Phishing Scam Already Spotted in UK
-Phishing Remains the Most Common Cause of Data Breaches, Survey Says
-Ransomware Victims Increase Security Budgets Due To Surge In Attacks
-Control Failures Are Behind A Growing Number Of Cyber Security Incidents
-MI6 Spy Chief Says China, Russia, Iran Top UK Threat List
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
Double Extortion Ransomware Victims Soar 935%
Researchers have recorded a 935% year-on-year increase in double extortion attacks, with data from over 2300 companies posted onto ransomware extortion sites.
Group-IB’s Hi-Tech Crime Trends 2021/2022 report covers the period from the second half of 2020 to the first half of 2021.
During that time, an “unholy alliance” of initial access brokers and ransomware-as-a-service (RaaS) affiliate programs has led to a surge in breaches, it claimed.
In total, the number of breach victims on ransomware data leak sites surged from 229 in the previous reporting period to 2371, Group-IB noted. During the same period, the number of leak sites more than doubled to 28, and the number of RaaS affiliates increased 19%, with 21 new groups discovered.
Group-IB warned that, even if victim organisations pay the ransom, their data often end up on these sites.
https://www.infosecurity-magazine.com/news/double-extortion-ransomware-soar/
MI6 Boss: Digital Attack Surface Growing "Exponentially"
Head of the Secret Intelligence Service (SIS), Richard Moore, explained in a rare speech this week that, unlike the character Q from the James Bond films, even MI6 cannot source all of its tech capabilities in-house.
New partners and tech capabilities will help address MI6’s four key priorities: Russia, China, Iran and global terrorism. It’s a challenge made more acute as technology rapidly advances, he said.
“The ‘digital attack surface’ that criminals, terrorists and hostile states threats seek to exploit against us is growing exponentially. We may experience more technological progress in the next ten years than in the last century, with a disruptive impact equal to the industrial revolution,” Moore argued.
https://www.infosecurity-magazine.com/news/mi6-digital-attack-surface-growing/
How Phishing Kits Are Enabling A New Legion Of Pro Phishers
Some cybercriminals are motivated by political ideals, others by malice or mischief, but most are only interested in cold, hard cash. To ensure their criminal endeavours are profitable, they need to balance the potential payday against the time, resources and risk required.
It’s no wonder then that so many use phishing as their default attack method. Malicious emails can be used to reach many targets with relative ease, and criminals can purchase ready-made phishing kits that bundle together everything they need for a lucrative campaign.
https://www.helpnetsecurity.com/2021/12/02/phishing-kits-pro/
Crooks Are Selling Access To Hacked Networks. Ransomware Gangs Are Their Biggest Customers
Dark web forum posts offering compromised VPN, RDP credentials and other ways into networks have tripled in the last year.
There's been a surge in cyber criminals selling access to compromised corporate networks as hackers look to cash in on the demand for vulnerable networks from gangs looking to initiate ransomware attacks.
Researchers at cybersecurity company Group-IB analysed activity on underground forums and said there's been a sharp increase in the number of offers to sell access to compromised corporate networks, with the number of posts offering access tripling between 2020 and 2021
Omicron Phishing Scam Already Spotted in UK
The global pandemic has provided cover for all sorts of phishing scams over the past couple of years, and the rise in alarm over the spread of the latest COVID-19 variant, Omicron, is no exception.
As public health professionals across the globe grapple with what they fear could be an even more dangerous COVID-19 variant than Delta, threat actors have grabbed the opportunity to turn uncertainty into cash.
UK consumer watchdog “Which?” has raised the alarm that a new phishing scam, doctored up to look like official communications from the National Health Service (NHS), is targeting people with fraud offers for free PCR tests for the COVID-19 Omicron variant
https://threatpost.com/omicron-phishing-scam-uk/176771/
Phishing Remains the Most Common Cause of Data Breaches, Survey Says
Phishing, malware, and denial-of-service attacks remained the most common causes for data breaches in 2021. Data from Dark Reading’s latest Strategic Security Survey shows that more companies experienced a data breach over the past year due to phishing than any other cause. The percentage of organisations reporting a phishing-related breach is slightly higher in the 2021 survey (53%) than in the 2020 survey (51%). The survey found that malware was the second biggest cause of data breaches over the past year, as 41% of the respondents said they experienced a data breach where malware was the primary vector.
Ransomware Victims Increase Security Budgets Due To Surge In Attacks
As the end of 2021 approaches, there’s no doubt ransomware became a top cybersecurity concern across multiple industries. Successful ransomware attacks like the Colonial Pipeline, which took down critical US infrastructure, and Kaseya, which hit over 1,500 companies in a single attack, became a popular topic in the news.
Research conducted by Cymulate, however, shows that despite the increase in the number of attacks this past year, overall victims suffered limited damage in both severity and duration. Potential victims have improved their level of preparedness, with 70% reporting an increase of awareness at the boardroom and business management level. The majority (55%) undertook proactive measures to prevent ransomware attacks before they could cause any significant damage, and many of those respondents (38%) prevented attacks even before they could cause any serious downtime. Only 14% of respondents that experienced an attack were down for a week or more.
Control Failures Are Behind A Growing Number Of Cyber Security Incidents
Data from a survey of 1,200 enterprise security leaders reveals that an increase in tools and manual reporting combined with control failures are contributing to the success of threats such as ransomware, which costs organisations an average of $1.85 million in recovery, according to Panaseer.
Currently, only 36% of security leaders feel very confident in their ability to prove controls were working as intended. This is despite 99% of respondents believing it’s valuable to know that all controls are fully deployed and operating within policy, and cybersecurity control failures are currently being listed as the top emerging risk in the latest Gartner Emerging Risks Monitor Report. Attacks only succeed when they hit systems that haven’t been patched or don’t have security controls monitoring them.
https://www.helpnetsecurity.com/2021/12/01/control-failures-cybersecurity/
MI6 Spy Chief Says China, Russia, Iran Top UK Threat List
China, Russia and Iran pose three of the biggest threats to the U.K. in a fast-changing, unstable world, the head of Britain’s foreign intelligence agency said Tuesday.
MI6 chief Richard Moore said the three countries and international terrorism make up the “big four” security issues confronting Britain’s spies.
In his first public speech since becoming head of the Secret Intelligence Service, also known as MI6, in October 2020, Moore said China is the intelligence agency’s “single greatest priority” as the country’s leadership increasingly backs “bold and decisive action” to further its interests.
Calling China “an authoritarian state with different values than ours,” he said Beijing conducts “large-scale espionage operations” against the U.K. and its allies, tries to ”distort public discourse and political decision-making” and exports technology that enables a “web of authoritarian control” around the world.
Moore said the U.K. also continues “to face an acute threat from Russia.” He said Moscow has sponsored killing attempts, such as the poisoning of former spy Sergei Skripal in England in 2018, mounts cyber attacks and attempts to interfere in other countries’ democratic processes.
https://www.securityweek.com/mi6-spy-chief-says-china-russia-iran-top-uk-threat-list
Threats
Ransomware
Microsoft Exchange Servers Hacked To Deploy BlackByte Ransomware (Bleepingcomputer.Com)
New Ransomware Variant Could Become Next Big Threat (darkreading.com)
Yanluowang Ransomware Tied to Thieflock Threat Actor | Threatpost
Yanluowang Ransomware Operation Matures With Experienced Affiliates (Bleepingcomputer.Com)
Ransomware Attack On Planned Parenthood Exposes 400,000 Patients' Personal Data - CNN
Phishing
APT Groups Adopt New Phishing Method. Will Cybercriminals Follow? (darkreading.com)
Hackers Increasingly Using RTF Template Injection Technique in Phishing Attacks (thehackernews.com)
Malware
Emotet Now Spreads Via Fake Adobe Windows App Installer Packages (Bleepingcomputer.Com)
New Malvertising Campaigns Spreading Backdoors, Malicious Chrome Extensions (thehackernews.com)
Password-Stealing And Keylogging Malware Is Being Spread Through Fake Downloads | ZDNet
Malware Variants In 2021: Harder To Detect And Respond To - Help Net Security
Mobile
Surge Of Info-Stealing Android Malware FluBot Detected Again • The Register
Fake Support Agents Call Victims To Install Android Banking Malware (Bleepingcomputer.Com)
Multi-Platform Spyware Tracks Users Across Windows And Android | Techradar
IOT
Vulnerabilities
Pretty Much All Wi-Fi Routers Are Vulnerable To Attack, Study Finds | Techradar
Warning: Yet Another Zoho ManageEngine Product Found Under Active Attacks (thehackernews.com)
New Ubuntu Linux Kernel Security Patches Address 6 Vulnerabilities, Update Now - 9to5Linux
Netgear Router Vulnerabilities Affecting SME Products Fixed • The Register
Data Breaches/Leaks
UK Government Fined £500,000 For New Year Honours Data Breach - BBC News
Panasonic Discloses Four-Months-Long Data Breach - The Record By Recorded Future
Organised Crime & Criminal Actors
Cryptocurrency/Cryptojacking
Iranians Charged for Cryptojacking After U.S. Firm Gets $760,000 Cloud Bill | SecurityWeek.Com
Threat Actors Stole $120 M In Crypto From BadgerDAO DeFi Platform - Security Affairs
Vulnerabilities Exploited for Monero Mining Malware Delivered via GitHub, Netlify (trendmicro.com)
How Do Criminals Exploit Cryptocurrencies? | Financial Times (ft.com)
Insider Threats
Fraud & Financial Crime
Insurance
Lloyd’s Carves Out Cyber-Insurance Exclusions for State-Sponsored Attacks | Threatpost
Cyber War Victims Might Not Get Payouts – Insurer • The Register
OT, ICS, IIoT and SCADA
Nation State Actors
MI6 Spy Chief Says China, Russia, Iran Top UK Threat List | SecurityWeek.Com
Lloyd’s Carves Out Cyber-Insurance Exclusions for State-Sponsored Attacks | Threatpost
Jumping The Air Gap: 15 Years Of Nation‑State Effort | WeLiveSecurity
Israel and Iran Broaden Cyberwar to Attack Civilian Targets - The New York Times (nytimes.com)
North Korea-Linked Zinc APT Posed As Samsung Recruiters To Target Security Firms - Security Affairs
Cloud
Parental Controls
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Threat Briefing 10 September 2021
Black Arrow Cyber Threat Briefing 10 September 2021
-91% Of IT Teams Have Felt 'Forced' To Trade Security For Business Operations
-Ransomware Attacks Increased Exponentially In 2021
-One In Three Suspect Phishing Emails Reported By Employees Really Are Malicious
-Hackers Shift From Malware To Credential Hijacking
-Attacker Breakout Time Now Less Than 30 Minutes
-Hackers Leak VPN Account Passwords From 87,000 Fortinet FortiGate Devices
-The Impact Of Ransomware On Cyber Insurance Driving The Need For Broader Cyber Security Knowledge
-Hackers Exploit Camera Vulnerabilities To Spy On Parents
-39% Of All Internet Traffic Is From Bad Bots
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
91% Of IT Teams Have Felt 'Forced' To Trade Security For Business Operations
A new survey suggests that most IT staff have felt pressured to ignore security concerns in favour of business operations. On Thursday, a new study report was released, which combines data from an online YouGov survey targeting office workers that adopted WFH and global research conducted with IT decision-makers. In total, 91% of those surveyed said that they have felt "pressured" to compromise security due to the need for business continuity during the COVID-19 pandemic. 76% of respondents said that security had taken a backseat, and furthermore, 83% believe that working from home has created a "ticking time bomb" for corporate security incidents. https://www.zdnet.com/article/91-of-it-teams-have-felt-forced-to-trade-security-for-business-operations/
Ransomware Attacks Increased Exponentially In 2021
The growing threat of ransomware has been highlighted by NCC Group's Research Intelligence and Fusion Team (RIFT) analysis. Between January-March 2021 and April-June 2021, the number of ransomware assaults studied by the team climbed by 288%, indicating that enterprises are still facing waves of digital extortion in the form of targeted ransomware. https://www.ehackingnews.com/2021/09/ransomware-attacks-increased.html
Phishing Attacks: One In Three Suspect Emails Reported By Employees Really Are Malicious
All the time spent ticking boxes in cyber security training sessions seems to be paying off after all: according to a new report, about a third of emails reported by employees really are malicious or highly suspect, demonstrating the effectiveness of the well-established maxim "Think before you click". Researchers analysed over 200,000 emails that were flagged by employees from organisations across the globe in the first half of 2021 and found that 33% of the reports could be classified as phishing. https://www.zdnet.com/article/phishing-attacks-one-in-three-suspect-emails-reported-by-employees-really-are-malicious/
Hackers Shift From Malware To Credential Hijacking
Adversaries are relying less on malware to conduct attacks that are consequently more difficult to detect, according to an annual report conducted by researchers. “According to data from our customer base indexed by Threat Graph, 68% of detections from the last three months were not malware-based,” reads the report released Wednesday. “Attackers are increasingly attempting to accomplish their objectives without writing malware to the endpoint, using legitimate credentials and built-in tools (living off the land)—which are deliberate efforts to evade detection by traditional antivirus products.” https://www.nextgov.com/cybersecurity/2021/09/report-hackers-shift-malware-credential-hacking/185209/
Attacker Breakout Time Now Less Than 30 Minutes
The average time it takes threat actors to move from initial access to lateral movement has fallen by 67% over the past year, putting extra pressure on security operations (SecOps) teams, according to researchers. The findings come from researchers own investigations with customers across around 248,000 unique global endpoints. For incidents where this “breakout time” could be derived over the past year, it averaged just 1 hour 32 minutes. However, in over a third (36%) of intrusions, adversaries managed to move laterally to additional hosts in under 30 minutes. https://www.infosecurity-magazine.com/news/attacker-breakout-time-now-less/
Hackers Leak VPN Account Passwords From 87,000 Fortinet FortiGate Devices
Network security solutions provider Fortinet confirmed that a malicious actor had unauthorizedly disclosed VPN login names and passwords associated with 87,000 FortiGate SSL-VPN devices. "These credentials were obtained from systems that remained unpatched at the time of the actor's scan. While they may have since been patched, if the passwords were not reset, they remain vulnerable," the company said in a statement on Wednesday. https://thehackernews.com/2021/09/hackers-leak-vpn-account-passwords-from.html
53% Find It Difficult To Prevent An Insider Attack During Data Aggregation
Recent data from researchers found that 53% of companies find it impossible or very difficult to prevent an insider attack when data is being aggregated, a key indicator of intent of an attack. The vast majority of security threats follow a pattern or sequence of activity leading up to an attack, and insider threats are no exception. To fully understand any insider incident, visibility into the entire kill chain of an attack is imperative to preventing the exfiltration of critical data. https://venturebeat.com/2021/09/02/53-find-it-difficult-to-prevent-an-insider-attack-during-data-aggregation/
The Impact Of Ransomware On Cyber Insurance Driving The Need For Broader Cyber Security Knowledge
Not only have ransomware attacks spiked, the amount of ransom demanded has grown exponentially—to somewhere between $50 and $70 million dollars. Cyber Insurers can’t cover “whatever amount the hacker demands”—so major policies lost money. Insurers have responded by raising premiums, restricting coverage, or even getting out of the cyber-insurance game altogether in vulnerable markets. https://www.helpnetsecurity.com/2021/09/10/cyber-insurance-ransomware/
Hackers Exploit Camera Vulnerabilities To Spy On Parents
Various zero day vulnerabilities in home baby monitor could be compromised that lets threat actors hack into camera feed and put malicious codes like malware. The security issues were found in the IoT gadgets, made by China based developer Victure, that were found by researchers. In a security report, researchers revealed about the stack-based buffer flaw present in ONVIF server Victure PC420 component camera that allows hackers to plant remote codes on the victim device. When compromised, hacker can discover cameras (not owned by them) and command devices to broadcast camera feeds to third party and exploit the camera firmware. https://www.ehackingnews.com/2021/09/hackers-exploit-camera-vulnerabilities.html
39% Of All Internet Traffic Is From Bad Bots
Automated traffic takes up 64% of internet traffic – and whilst just 25% of automated traffic was made up by good bots, such as search engine crawlers and social network bots, 39% of all traffic was from bad bots, a Barracuda report reveals.
These bad bots include both basic web scrapers and attack scripts, as well as advanced persistent bots. These advanced bots try their best to evade standard defences and attempt to perform their malicious activities under the radar. The report revealed that the most common of these persistent bots were ones that went after e-commerce applications and login portals. https://www.helpnetsecurity.com/2021/09/07/bad-bots-internet-traffic/
Threats
Ransomware
BEC
Phishing
Other Social Engineering
Malware
Traffic Exchange Networks Distributing Malware Disguised As Cracked Software
New Malware Uses Novel Fileless Technique To Evade Detection
Mobile
IOT
Vulnerabilities
Zoho ManageEngine Password Manager Zero-Day Gets A Fix, Amid Attacks
New CPU Side-Channel Attack Takes Aim At Chrome’s Site Isolation Feature
Microsoft, CISA Urge Mitigations For Zero-Day RCE Flaw In Windows
Atlassian CISO Defends Company's Confluence Vulnerability Response, Urges Patching
PoC Released For GhostScript Vulnerability That Exposed Airbnb, Dropbox
New 0-Day Attack Targeting Windows Users With Microsoft Office Documents
Cisco Patches Critical Authentication Bug With Public Exploit
Data Breaches/Leaks
Organised Crime & Criminal Actors
Cryptocurrency/Cryptojacking
Insider Threats
DoS/DDoS
Nation State Actors
Cloud
Privacy
Other News
OWASP Shakes Up Web App Threat Categories With Release Of Draft Top 10
A Zero-Trust Future: Why Cyber Security Should Be Prioritized For The Hybrid Working World
Microsoft Has A $20 Billion Hacking Plan, But Cyber Security Has A Big Spending Problem
Misbehaving Microsoft Teams Ad Brings Down The Entire Windows 11 Desktop
This Seemingly Normal Lightning Cable Will Leak Everything You Type
HSE Cyber Attack: Irish Health Service Still Recovering Months After Hack
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.