Threat Intelligence Blog

Contact us to discuss any insights from our Blog, and how we can support you in a tailored threat intelligence report.

Black Arrow Admin Black Arrow Admin

Black Arrow Cyber Threat Briefing 17 May 2024

Black Arrow Cyber Threat Intelligence Briefing 17 May 2024:

-Social Engineering is the Biggest Cyber Threat as Study Finds Most Workers Have Clicked on a Suspicious Email Link

-Business Leaders are Stressing Out Over Pace of Technological Change, as Cyber Security Incidents Seen as Main Business Disruptor

-ICO Warns That Many UK Businesses Neglect Basic Cyber Security: More Ransomware and Cyber Attacks Last Year Than Ever Before

-Data Breaches are Getting Worse, Many are Employee Errors or Social Engineering Attacks

-Why Cyber Insurance isn’t a Substitute for Cyber Risk Management

-China Presents Defining Challenge to Global Cyber Security, Says GCHQ

-Botnet Sent Millions of Emails in LockBit Black Ransomware Campaign

-Global Financial Stability at Risk Due to Cyber Threats, IMF warns

-Ongoing Campaign Bombards Enterprises with Spam Emails and Phone Calls

-Santander Data Breach via Third-Party Provider Impacted Customers and Employees

-40% of Cyber Teams Have Held Back from Reporting Cyber Attacks Over Fear of Losing Jobs

-Digital Resilience – a Step Up from Cyber Security

-UK Lags Europe on Exploited Vulnerability Remediation

-Cyber Threats Demand More Focus Says Zurich, as UK Insurance And NCSC Join Forces to Fight Ransomware Payments

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

Social Engineering is the Biggest Cyber Threat, as Study Finds Most Workers Have Clicked on a Suspicious Email Link

According to a recent report, half of office workers have clicked on a link or attachment within a suspicious email sent to their work address within the last 12 months, and of those that interacted with the email, half of them claimed to be confident in their ability to identify phishing emails.

With 68% of breaches involving the human element, your organisation must be cognisant of its employees. Hackers know that no matter what your tech stack is, you will always have employees and where there is an employee, there is a way into your organisation. It is far cheaper to exploit an employee who already has the access you require, than to develop a new exploit. It only takes one human to make a mistake by granting access to an attacker.  

When it came to training, only 41% of respondents said their employer had provided formal cyber security awareness training and 79% said their previous training is not sufficient to keep pace with modern cyber threats.

Source: [HackerNoon] [BusinessPlus]

Business Leaders are Stressing Out Over Pace of Technological Change, as Cyber Security Incidents Seen as Main Business Disruptor

A recent report commissioned by BT reveals that 86% of UK business leaders suffer from 'tech-related stress,' particularly concerning AI and cyber security, a phenomenon they have termed as 'Bytmares.' The report found that 59% of business leaders worry about the rapid and relentless pace of tech advancement, and whether appropriate controls are in place to protect it.

According to a different survey, 74% of business leaders view cyber security incidents as the main disruptive threat to their organisations either currently or over the next twelve months. This was followed by cloud computing, internet of things and artificial intelligence.

These findings highlight the critical importance of robust cyber security measures in today’s interconnected world. As organisations increasingly rely on digital infrastructure, safeguarding sensitive data and systems becomes paramount. Cyber threats can disrupt operations, compromise customer trust, and result in financial losses. Remember, cyber security is not just an IT concern; it is a strategic imperative for every organisation.

Sources: [Beta News] [Telecoms] [Verdict]

ICO Warns That Many UK Businesses Neglect Basic Cyber Security: More Ransomware and Cyber Attacks Last Year Than Ever Before

A recent update from the UK’s Information Commissioner’s Office (ICO) has revealed that ransomware attacks in the UK have surpassed all previous years, up 52% from the previous year. The report found that finance, retail and education sectors are suffering the most incidents.

The leading causes of breaches include phishing, brute force attacks, errors and supply chain attacks. The ICO noted that many organisations still neglect basic cyber security measures and has called for enhanced efforts to combat the escalating threat, emphasising the importance of foundational controls.

Sources: [Tech Monitor] [Government Business] [The Record Media] [Tech Monitor]

Data Breaches are Getting Worse, Many are Employee Errors or Social Engineering Attacks

The latest Verizon Business Data Breach Investigations Report (DBIR) highlights that employee error is the leading cause of cyber security incidents in the EMEA region, accounting for 49% of cases. The top reasons for these incidents are “miscellaneous errors, system intrusion, and social engineering,” making up 87% of all breaches. Hackers primarily target personal information (64%), internal data (33%), and login credentials (20%). Despite zero-day vulnerabilities being a significant threat, with exploitation rising to 14% of breaches, the report emphasises the critical need for ongoing employee training and awareness to mitigate these risks.

Source: [TechRadar]

Why Cyber Insurance isn’t a Substitute for Cyber Risk Management

While cyber insurance can be beneficial in mitigating financial loss from cyber attacks, it is not a substitute for comprehensive cyber risk management. Many firms with cyber insurance have still fallen victim to attacks, highlighting that cyber insurance primarily transfers residual risk. Effective cyber risk management includes conducting proper risk assessments and implementing robust cyber security controls. Cyber insurance cannot resolve issues like business disruption, breach of client confidentiality, and compliance with legal obligations; this stresses the need for proactive measures and independent assurance to protect against cyber threats.

Source: [ Law Society of Scotland]

China Presents Defining Challenge to Global Cyber Security, Says GCHQ

A recent speech by the new director of the UK’s GCHQ highlighted China's growing cyber threat, describing it as an "epoch-defining challenge." She warned that China's destabilising actions undermine global internet security. The current head of the UKs’ NCSC echoed these concerns, pointing to the Chinese state-sponsored hacking group Volt Typhoon which has infiltrated critical sectors like energy and transportation. The National Cyber Director at the White House added that China’s cyber capabilities pose a significant threat to global infrastructure, particularly in crisis scenarios, as Chinese hackers increasingly use sophisticated techniques to pre-position within networks.

Source: [Infosecurity Magazine]

Botnet Sent Millions of Emails in LockBit Black Ransomware Campaign

Since April, millions of phishing emails have been sent through a botnet known as “Phorpiex” to conduct a large-scale LockBit Black ransomware campaign. In a warning from New Jersey’s Cybersecurity and Communications Integration Cell, it was explained that the attackers use ZIP attachments containing an executable that deploys the LockBit Black payload, which encrypts the recipients' systems if launched. The emails are sent from 1,500 unique IP addresses worldwide.

Sources: [Bleeping Computer]

Global Financial Stability at Risk Due to Cyber Threats, IMF warns

A new International Monetary Fund (IMF) report highlights the severe threat cyber attacks pose to global financial stability, revealing that nearly 20% of reported cyber incidents in the past two decades targeted the financial sector, causing $12 billion in direct losses. Since 2020, these attacks have led to an estimated $2.5 billion in direct losses. The report underscores that cyber incidents threaten financial institutions' operational resilience, potentially leading to funding challenges and reputational damage. The IMF calls for bolstered cyber security measures, including stress testing, information-sharing arrangements, and enhanced national cyber security strategies to mitigate these growing risks.

Source: [World Economic Forum]

Ongoing Campaign Bombards Enterprises with Spam Emails and Phone Calls

An ongoing social engineering campaign that is bombarding enterprises with spam calls and emails has been uncovered. The campaign involves a threat actor overwhelming a user’s email with junk, followed by a call offering to assist in removing the junk. From here, the threat actor aims to convince the victim to download remote monitoring and management software such as AnyDesk or Microsoft’s built in Quick Assist feature to allow the attacker remote access to the victim’s machine.

Source: [The Hacker News]

Santander Data Breach via Third-Party Provider Impacted Customers and Employees

A recent disclosure by the Spanish bank Santander revealed a data breach at a third-party provider affecting customers in Chile, Spain, and Uruguay. Unauthorised access to a database hosted by the provider compromised information on all current and some former employees, but did not include transactional data, online banking details, or passwords. Santander said they swiftly implemented measures to contain the incident, blocking access to the compromised database and enhancing fraud prevention controls. The bank assured that its operations and systems remain unaffected, allowing customers to continue transacting securely. The number of impacted individuals remains unspecified.

There is a continued trend in third party providers being used as the soft underbelly to attack larger and better defended organisations, requiring all organisations to consider the security controls of their third parties.

Source: [securityaffairs.com]

40% of Cyber Teams Have Held Back from Reporting Cyber Attacks Over Fear of Losing Jobs

Recent research has revealed that 40% of cyber teams have not reported a cyber attack due to the fear of losing their job. Unfortunately, this leaves businesses at risk of being non-compliant, without even knowing so. When it came to challenges faced by organisations, it was found that nearly 20% of companies say a lack of qualified talent is a key challenge to overcoming cyber attacks and 32% did not have the resources to hire new staff. This is not to say however, they are unable to outsource some of their cyber function to cyber specialists. This lack of allocated resources prevents the organisation from being confident that any incidents have been appropriately remediated.

Source: [Business Wire]

Digital Resilience – a Step Up from Cyber Security

In an increasingly digital world, many organisations are unaware of how truly reliant they are on digital technology, and the accompanying risks. As we move toward an even more digitally dependent future, the need for digital resilience is more critical than ever. Digital resilience refers to the ability to maintain, change, or recover technology-dependent operations. Organisations should begin with an internal audit to assess their digital resilience, involving all departments and ensuring senior management oversight, as board involvement is essential for effective cyber security programmes.

Digital resilience goes beyond cyber security to encompass change management, business resilience, and operational risk. Implementing digital resilience strategies requires continuous adaptation, cross-functional collaboration, and embedding resilience thinking throughout the organisation. Businesses must integrate digital resilience into their strategic planning to ensure ongoing competitiveness and adaptability in an ever-evolving digital landscape.

Sources: [CSO Online] [CSO Online]

UK Lags Europe on Exploited Vulnerability Remediation

A new report by Bitsight reveals that UK organisations lag behind their European counterparts in remediating software flaws listed in the US ‘Known Exploited Vulnerability’ (KEV) catalogue. UK organisations take an average of 225 days to address KEVs, compared to 220 days for European entities and just 21 days for German organisations. Non-KEV vulnerabilities are patched at an even slower rate, with UK entities taking over two years (736 days) to patch. Globally, the average time to resolve KEVs is around six months (180 days). Despite fewer KEVs detected in UK environments (30% versus 43% in Europe), the slow remediation poses significant risks, emphasising the need for faster and more proactive cyber security measures, specifically robust vulnerability scanning and patching.

Source: [Infosecurity Magazine]

Cyber Threats Demand More Focus Says Zurich, as UK Insurance And NCSC Join Forces to Fight Ransomware Payments

A recent discussion at the British Insurance Brokers' Association (BIBA) conference highlighted the increasing importance of cyber security for businesses, driven by the surge in cyber attacks and the use of AI by criminal gangs. Zurich Resilience Solutions UK noted that businesses face greater scrutiny from underwriters over their cyber exposures.

BIBA, together with the Association of British Insurers (ABI), and the International Underwriting Association (IUA), have united with the UK’s National Cyber Security Centre (NCSC) in a joint effort to tackle ransom payments. As a result of their collaboration, they have published new best practice guidance, which aims to reduce the number of payments being made by UK victims as well as the disruption businesses face.

Source: [Emerging Risks] [NCSC] [Infosecurity Magazine]

Governance, Risk and Compliance

Threats

Ransomware, Extortion and Destructive Attacks

Ransomware Victims

Phishing & Email Based Attacks

BEC

Other Social Engineering

Artificial Intelligence

2FA/MFA

Malware

Mobile

Internet of Things – IoT

Data Breaches/Leaks

Organised Crime & Criminal Actors

Insider Risk and Insider Threats

Insurance

Supply Chain and Third Parties

Cloud/SaaS

Encryption

Linux and Open Source

Passwords, Credential Stuffing & Brute Force Attacks

Social Media

Training, Education and Awareness

Regulations, Fines and Legislation

Models, Frameworks and Standards

Careers, Working in Cyber and Information Security

Law Enforcement Action and Take Downs

Nation State Actors, Advanced Persistent Threats (APTs), Cyber Warfare, Cyber Espionage and Geopolitical Threats/Activity

Cyber Warfare and Cyber Espionage

Nation State Actors

China

Russia

Iran

North Korea

Vulnerability Management

Vulnerabilities

Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

·         Automotive

·         Construction

·         Critical National Infrastructure (CNI)

·         Defence & Space

·         Education & Academia

·         Energy & Utilities

·         Estate Agencies

·         Financial Services

·         FinTech

·         Food & Agriculture

·         Gaming & Gambling

·         Government & Public Sector (including Law Enforcement)

·         Health/Medical/Pharma

·         Hotels & Hospitality

·         Insurance

·         Legal

·         Manufacturing

·         Maritime

·         Oil, Gas & Mining

·         OT, ICS, IIoT, SCADA & Cyber-Physical Systems

·         Retail & eCommerce

·         Small and Medium Sized Businesses (SMBs)

·         Startups

·         Telecoms

·         Third Sector & Charities

·         Transport & Aviation

·         Web3

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Read More
Black Arrow Admin Black Arrow Admin

Black Arrow Cyber Threat Briefing 22 December 2023

Black Arrow Cyber Threat Intelligence Briefing 22 December 2023:

-Majority of 2023’s Critical Cyber Attacks Stemmed from Fewer Than 1% of Vulnerabilities, with 1 in 4 High Risk Vulnerabilities Exploited Within 24 Hours of Going Public

-Ransomware Gangs Are Increasingly Turning to Remote Access Tools for Attacks, As UK Honeypots Attacked 17 Million Times Per Day

-Why Employees Are a Bigger Security Risk than Hackers

-77% of Financial Services Firms Detected a Cyber Attack in the Last Year, as Finance and Healthcare Continue to Suffer the Most Cyber Attacks

-New Report Data Shows 75% Increase in Suspicious Emails Hitting Inboxes

-Threat Actors Still Exploiting Old Unpatched Vulnerabilities

-Many Organisations Still Lack Formal Cyber Security Training

-Addressing the Growing Threat of Supply Chain Cyber Attacks

-Cyber Incident Costs Surge 11% as Budgets Remain Muted

-Attacks on Critical Infrastructure are Harbingers of War: Are We Prepared?

-UK Data Centres to be Classed as Critical Infrastructure Under New Gov Proposals

-Data Exfiltration and Extortion is the New Ransomware Threat, as 65% of Organisations Say Ransomware Concerns Impact Risk Management

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

Majority of 2023’s Critical Cyber Attacks Stemmed from Fewer Than 1% of Vulnerabilities, with 1 in 4 High Risk Vulnerabilities Exploited Within 24 Hours of Going Public

A new Qualys report reveals that less than 1% of vulnerabilities are responsible for the greatest damage, and a quarter of high-risk vulnerabilities are now being exploited within a day of disclosure. In 2023, a record-breaking 26,000 vulnerabilities have been identified so far, emphasising the need for organisations to accelerate their response times. High-risk vulnerabilities, particularly in network devices and web applications, are the main targets for attackers seeking unauthorised access or privilege escalation. This situation underscores the critical need for organisations to implement a multi-layered defence strategy, automate patching where appropriate especially in areas of critical infrastructure, and adopt zero-trust principles to safeguard against such swift and potent cyber threats.

Sources: [SiliconANGLE] [SC Media]

Ransomware Gangs Are Increasingly Turning to Remote Access Tools for Attacks, As UK Honeypots Attacked 17 million Times Per Day

Nearly three quarters of cyber-attacks across the UK in 2023 targeted technology frequently used for remote working, new data from Coalition has revealed.

Attackers frequently target Remote Desktop Protocol (RDP), a tool that lets users access office computers from home, as it grants the attacker quick access to devices and allows them to execute further attacks.

Honeypot sensors maintained by Coalition have recorded 5.8 billion attacks so far in 2023, averaging around 17 million attacks per day. Of these it was found that 76% of attacks targeted RDP.

Attackers exploit RDP vulnerabilities that often stem from simple configuration mistakes. By taking steps like disabling unnecessary remote access or tightening controls, companies can help shield themselves from these pervasive threats.

Sources: [Insurance Times] [TechRadar] [Infosecurity Magazine]

Why Employees Are a Bigger Security Risk than Hackers

In today's interconnected world, the spotlight is often on cyber criminals attacking from outside, but a worrying trend points inward. A recent study by Imperva reveals that insiders pose a significant threat, being behind 58% of security incidents. The incidents are a mixture of deliberate misuse and accidents, however the majority of organisations lack a strategy to combat these risks. Even when strategies exist, they may be undermined by employees bypassing IT protocols or due to the pressures of adapting to new technologies. With insider incidents on the rise by 47% in two years, the costs are too great to ignore.

Source: [Raconteur]

77% of Financial Services Firms Detected a Cyber Attack in the Last Year, as Finance and Healthcare Continue to Suffer the Most Cyber Attacks

Cyber attacks are more prevalent in the financial services sector than in any other industry. Last year, 77% of financial institutions were targeted, primarily through phishing and ransomware attacks. After financial services the second most targeted sector is healthcare. Both types of institutions are attractive targets not only because of their wealth of sensitive data but also because disruptions to their operations can lead to substantial ransom payments. They face increasingly sophisticated threats and the financial impact is significant, with approximately a quarter of these institutions estimating damages of at least $50,000. To mitigate these risks organisations are turning to cyber insurance, which necessitates further tightening of security practices, including identity and access management, to meet insurers’ stringent standards.

The healthcare sector reported over 179,000 cyber attacks in a single quarter, affecting entities globally. The primary threats were infostealers and ransomware. There have been scores of notable incidents where hospitals have been shut down or otherwise unable to operate. In many cases, this resulted in closing emergency departments, interfering with planned or emergency surgeries and forcing ambulances to divert to other hospitals, potentially causing life threatening delays. Further, a recent report analysing the enterprise risk management for the financial sector found that the two biggest concerns were rising interest rates at 74% and ransomware attacks at 65%.

Sources: [Security Magazine] [MSSP Alert] [PR NewsWire] [Security Magazine]

New Report Data Shows 75% Increase in Suspicious Emails Hitting Inboxes

A new report has unveiled the escalating threat posed by phishing emails, as detected by DMARC software. In the past year, there's been a 70% rise in emails flagged as fraudulent, with almost 18% of total email traffic in the first half of 2023 being intercepted as potential phishing attempts. This surge underscores a pressing need for robust email security measures. Simple yet effective tools like DMARC, which automatically weeds out emails impersonating legitimate domains, are becoming critical in the fight against these sophisticated scams. With the average cost of a cyber attack now well into the millions, and given the high click rates on phishing emails, it is clear that taking proactive steps to strengthen an organisations digital defence is not just sensible, it is essential for safeguarding the businesses in the digital age.

Source: [Dark Reading]

Threat Actors Still Exploiting Old Unpatched Vulnerabilities

A report by Cisco has found that the most targeted vulnerabilities this year, same as previous years, were old unpatched vulnerabilities which should have been fixed a long time ago. Some of these security gaps in widely-used applications like Microsoft Office and or within versions of Windows itself are over a decade old. Unpatched vulnerabilities can leave systems open to exploitation, potentially leading to unauthorised access, data breaches, and widespread security incidents, including being a key enabler of ransomware attacks. This highlights an urgent call to action for organisations to patch known vulnerabilities and secure user accounts to fortify their defences against cyber threats.

Source: [IT Business]

Many Organisations Still Lack Formal Cyber Security Training

As we navigate into 2024, a new report by the SANS Institute found that more than 30% of organisations do not regularly perform cyber readiness exercises, while 40% have yet to establish formal training for cyber security. These findings underline a gap between the need for robust security measures and actual preparedness. On a positive note, most organisations are adopting frameworks like the NIST CSF to shape their security posture, and two-thirds are actively using metrics to gauge the effectiveness of their security operations. Yet, there’s a call to action here: for real progress, intentional investment and commitment to comprehensive training and stringent security operations are non-negotiable. This is the path to mature security operations that can withstand the complexities of today’s cyber threats.

Source: [Security Brief]

Addressing the Growing Threat of Supply Chain Cyber Attacks

As businesses become more interconnected through digital supply chains, supply chain cyber attacks are becoming more of a pressing issue for organisations. The attackers tend to exploit weaknesses in third-party suppliers, often with less guarded entry points, to access larger networks. With companies increasingly outsourcing and using cloud adoption, the need for stringent third-party cyber risk assessments is vital. However, complexities arise with the shared responsibility model for cloud security, where setting out the division of security duties between cloud service providers and clients can blur lines of defence. To tackle these challenges, integration of cyber security into procurement and supply chain processes is essential. This means enforcing collaboration between procurement and cyber security teams, mandating security standards in vendor contracts, and utilising automated tools for continuous risk assessments. Safeguarding modern supply chains is no longer a siloed task but a strategic, organisation wide imperative.

Source: [HackerNoon]

Cyber Incident Costs Surge 11% as Budgets Remain Muted

A new report found an 11% jump in the direct costs of a significant cyber incident, now averaging $1.7 million. The burden is even heavier for those without cyber insurance, with costs escalating to $2.7 million per incident. Cyber risks like fraud, third-party breaches, and data theft remain prevalent. Despite these increasing threats, cyber security budgets have grown modestly and are not keeping pace with the increased level of threat. The report also highlights a concerning gap in understanding cyber threats and a lack of internal training, emphasising the critical need for not just financial investment, but also a deeper engagement with cyber security training and awareness within organisations.

Source: [Infosecurity Magazine]

Attacks on Critical Infrastructure are Harbingers of War: Are We Prepared?

The escalating cyber threats against critical infrastructure, like recent attacks on water authorities, highlight an urgent security concern. These attacks, which are often state-sponsored, are not just targeting financial or data assets but are striking at essential services vital to human survival. The tactics used in these attacks, known as Intelligence Preparation of the Battlefield (IPB), are aimed at weakening a nation by disrupting services like power and water, key to both civil stability and military operations. Nations like Russia, China, and Iran employ these strategies for different purposes, ranging from strategic military advantages to ideological victories. The use of ransomware, as seen in the increasing incidents reported by the FBI, is a tool for both financial gain and geopolitical disruption. As we face these multifaceted threats, the need for robust cyber security measures to protect our critical infrastructure has never been more pressing. It is a call to action for nations and organisations alike to fortify their defences against these evolving and serious cyber threats.

Source: [SC Media]

UK Data Centres to be Classed as Critical Infrastructure Under New Gov Proposals

The UK government is considering new regulations aimed at enhancing the security and resilience of data centres. The Department for Science, Innovation and Technology (DSIT) recognises the vital role of these data hubs and is examining the adequacy of current safety practices. With the identification of varying levels of security across the sector, the prospect of legislating minimum security standards is on the table. This may include establishing a regulatory body to oversee incident reporting and risk mitigation strategies, particularly for third-party service providers. These measures underscore the government's commitment to safeguarding data centres, which are increasingly integral to the UK's economic vitality and national security. As part of a broader initiative, the sector could be designated as critical national infrastructure, aligning it with international best practices and ensuring comprehensive protection from cyber threats and other risks.

Source: [ITPro]

Data Exfiltration and Extortion is the New Ransomware Threat, as 65% of Organisations Say Ransomware Concerns Impact Risk Management

Cyber criminals are escalating their tactics and becoming more aggressive in their effort to maximise disruption and compel the payment of ransom demands. Earlier this year, the ransomware group ALPHV exploited the new US data breach disclosure rules by filing a complaint with the US Securities and Exchange Commission (SEC) against a victim company for not reporting an alleged significant data breach. This marks a strategic evolution from traditional ransomware attacks, where data is encrypted and held hostage, to more nuanced extortion schemes. Such tactics are becoming more sophisticated, with triple extortion attacks threatening not just the target company but also their partners and clients. This shift from encryption to pure extortion requires a fresh understanding of cyber threats and a re-evaluation of defence strategies. It highlights the urgent need for businesses to protect not just their own data but also to consider the security of their entire data supply chain.

Source: [TechCrunch]

Threats

Ransomware, Extortion and Destructive Attacks

Ransomware Victims

Phishing & Email Based Attacks

Artificial Intelligence

2FA/MFA

Malware

Mobile

Internet of Things – IoT

Data Breaches/Leaks

Organised Crime & Criminal Actors

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

Insider Risk and Insider Threats

Insurance

Supply Chain and Third Parties

Cloud/SaaS

Encryption

Passwords, Credential Stuffing & Brute Force Attacks

Social Media

Malvertising

Training, Education and Awareness

Regulations, Fines and Legislation

Models, Frameworks and Standards

Careers, Working in Cyber and Information Security

Law Enforcement Action and Take Downs

Nation State Actors, Advanced Persistent Threats (APTs), Cyber Warfare, Cyber Espionage and Geopolitical Threats/Activity

Cyber Warfare and Cyber Espionage

Nation State Actors

China

Russia

Iran

Other Nation State Actors, Hacktivism, Extremism, Terrorism and Other Geopolitical Threat Intelligence

Vulnerability Management

Vulnerabilities

Other News

Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

·         Automotive

·         Construction

·         Critical National Infrastructure (CNI)

·         Defence & Space

·         Education & Academia

·         Energy & Utilities

·         Estate Agencies

·         Financial Services

·         FinTech

·         Food & Agriculture

·         Gaming & Gambling

·         Government & Public Sector (including Law Enforcement)

·         Health/Medical/Pharma

·         Hotels & Hospitality

·         Insurance

·         Legal

·         Manufacturing

·         Maritime

·         Oil, Gas & Mining

·         OT, ICS, IIoT, SCADA & Cyber-Physical Systems

·         Retail & eCommerce

·         Small and Medium Sized Businesses (SMBs)

·         Startups

·         Telecoms

·         Third Sector & Charities

·         Transport & Aviation

·         Web3

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Read More
Black Arrow Admin Black Arrow Admin

Black Arrow Cyber Threat Briefing 01 December 2023

Black Arrow Cyber Threat Intelligence Briefing 01 December 2023:

-Law Firms Face Surge in Targeted Attacks as Hundreds Impacted by Single Attack

-Approach Cyber Security Awareness Training by Engaging People at All Levels

-Board Support Remains Critical as Majority of CISOs Experience Repeat Cyber Attacks

-Ransomware Attacks Surge 81% in October as New Threat Actors Emerge

-Hacked Microsoft Word Documents Being Used to Trick Windows Users

-Mitigating Deepfake Threats in The Corporate World

-Black Basta Ransomware Made Over $100 Million From Extortion Alone

-Long Recovery Times After Cyber Attacks Could Annihilate Your Organisation

-Booking.com Customers Scammed in Novel Social Engineering Campaign

-Stop Panic Buying Your Security Products and Start Prioritising

-A Fifth of UK SMBs Unable to Spot Scams

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber threat intelligence experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Strategic Cyber Stories of the Last Week

Law Firms Face Surge in Targeted Attacks as Hundreds Impacted by Single Attack

An estimated 80 to 200 law firms across the UK were impacted by a cyber attack on a third party firm in their supply chain. The attack was on managed service supplier CTS, who provide services to hundreds of law firms across the UK, especially those with conveyancing departments, and many property sales were impacted nationwide as a result of the attack.

This is against a sharp increase in the number of law firms being singled out by cyber threat actors; only recently, magic circle firm Allen & Overy confirmed themselves as a victim of ransomware.

Sources: [SC Media] [Lawyer Monthly] [Scottish Legal News] [Law Gazette] [Dark Reading]

Approach Cyber Security Awareness Training by Engaging People at All Levels

In the cyber security landscape, human-related factors like social engineering, compromised credentials, and errors are the top causes of breaches. Increased investment in threat detection doesn't guarantee foolproof security. Organisations need a proactive strategy focusing on human risks, a security mindset in employees, and a security culture. According to IBM’s latest data security report, high levels of security training can significantly reduce the impact, cost, and frequency of data breaches.

However, most employee training programmes fail due to staff resistance and lack of management support. The key is convincing leadership of its value. To achieve a successful and impactful security awareness programme, it is important that security teams understand their audiences (leaders, managers, and employees), address their requirements, and effectively communicate the benefits of security training.

Source: [CPO Magazine]

Board Support Remains Critical as Majority of CISOs Experience Repeat Cyber Attacks

A recent report found that despite 95% of Chief Information Security Officers (CISOs) receiving budgetary and other support from their organisation after a cyber attack, this largely fails to prevent future incidents, with over half admitting they have experienced multiple “major cyber security incidents” in the last five years.

The report revealed that after an attack 46% of CISOs were given a bigger tech budget, 42% revised their security strategy, 41% adopted new frameworks, and 38% created new roles. However, incidents come with hidden consequences such as revenue loss, rising insurance premiums and declining reputation. CISOs need to have support from the board and executives from the start so that investments can be made in the right technology, processes, and tools. In doing so, a culture of security and vigilance can be instilled from the top down to help protect organisations against evolving threats.

Sources: [Business Wire] [Silicon UK]

Ransomware Attacks Surge 81% in October as New Threat Actors Emerge

The NCC Group revealed that ransomware attacks have surged by 81% in October 2023, compared to the same period in the previous year. Ransomware gangs have already victimised over 50% more individuals and enterprises in 2023 than during the entirety of 2022. As artificial intelligence, phishing kits and ransomware-as-a-service has improved, so too has the number of threat actors; those who were previously stunted by their technical know-how are now able to gain access to sophisticated attacks.

Source: [Security Brief]

Hacked Microsoft Word Documents Being Used to Trick Windows Users

Active campaigns carried out by cyber criminals are again using macros within Word documents to deploy malware, in spite of Microsoft’s efforts to stop these types of attacks. Most of the time the actor delivers the Word document via phishing emails, with the aim of convincing the user to click and run the macro. Once run, the malware has then achieved its goal of establishing itself on the victims’ machine and executing its malicious payload.

Source: [TechRadar]

Mitigating Deepfake Threats in The Corporate World

Deepfakes are synthetic media that are created or manipulated with the desired outcome of convincing the recipient of their legitimacy; and it’s entering the corporate world. Deepfake technology has already been used to impersonate Presidents and financial experts, however there has been an uprise in the number of these attacks. This has left the corporate world questioning existing operational procedures such as callbacks and how they will need to adjust to encompass the changing landscape.

Some of the ways a corporation can mitigate this, is to promote awareness within the workplace, adjust operational procedures to reflect the current landscape, and utilise advanced detection tools.

Source: [MSSP Alert]

Black Basta Ransomware Made Over $100 Million From Extortion Alone

The cyber crime operator “Black Basta” has raked in at least $100 million in ransom payments from more than 90 victims since it first surfaced in April 2022. In total, 329 victims worldwide were targeted and research has estimated that at least 35% paid a ransom, with multiple payments over $1 million. Black Basta uses double extortion techniques, where data is both ransomed and exfiltrated. This way, victims are forced to pay to get their data back and not have it published online; the latter itself can lead to regulatory fines.

Source: [Bleeping Computer]

Long Recovery Times After Cyber Attacks Could Annihilate Your Organisation

In the evolving cyber security landscape, organisations are increasingly investing in detection and prevention measures. However, there's a growing trend of neglecting post-attack recovery. While advanced security tools and technologies are crucial, recent ransomware incidents have shown that recovery is equally vital. Organisations have faced substantial downtime and financial losses due to attacks. Cyber resilience, the ability to bounce back quickly after an attack, is crucial, especially with the rise of remote work.

Budgets often prioritise prevention, leaving organisations ill-prepared for recovery. In 2023, a significant number of companies paid ransoms to regain data. To achieve true cyber resilience, a rebalance in approach is essential, focusing on preparation, response, and recovery alongside detection and prevention, ensuring rapid recovery and safeguarding of valuable assets.

Source: [TechRadar]

Booking.com Customers Scammed in Novel Social Engineering Campaign

According to new research by SecureWorks, Booking.com customers are being targeted by a novel social engineering campaign that is “paying serious dividends” for cyber criminals. Researchers believe the campaign has gone on for at least a year and it begins by deploying the Vidar infostealer to gain access partner hotels’ Booking.com credentials. This information is then used to send phishing emails to Booking.com customers and trick them into handing over their payment details, in many cases leading to money being stolen. The scam is proving so fruitful that sales of Booking.com portal credentials are commanding sale prices of up to $2,000 in two cyber crime forums.

Source: [Infosecurity Magazine]

Stop Panic Buying Your Security Products and Start Prioritising

In the cyber security landscape, impulse buying can lead to costly mistakes. Breaches are now more expensive than ever, underscoring the need to assess cyber security investments. Fear-driven tactics and the quest for a "silver bullet" solution can push organisations, especially smaller ones, into impulsive investments. These decisions may introduce even more risk by failing to integrate with existing systems, or buying systems but failing to configure them properly or utilising them to the fullest extent, leading to a false sense of security. The consequences can be severe, with breaches now costing organisations millions. To navigate this landscape, organisations must assess the real value of cyber security investments. Calculating risk by evaluating likelihood and impact can guide us in making informed decisions. Instead of impulse buying, assign a monetary value to cyber risks for strategic budget decisions in these economic times, ensuring investments align with security and business goals.

Source: [Help Net Security]

A Fifth of UK SMBs Unable to Spot Scams

New data from UK Finance reveals that 17% of UK small and medium-sized businesses (SMBs) struggle to identify online fraud and scam indicators. This is particularly alarming given the rise in authorised push payment (APP) scams in the UK, where fraudsters impersonate trusted entities to deceive victims into transferring money to controlled accounts. In the first half of 2023 alone, criminals stole a reported £42.6 million through such scams, with total losses including consumer impacts reaching £239 million. SMBs are increasingly targeted due to typically fewer anti-fraud and other countermeasures and controls, compared to larger and better protected larger firms. It is important for SMBs to be vigilant and verify payment details directly with suppliers to help avoid these types of scams.

Source: [Infosecurity Magazine]

Threats

Ransomware, Extortion and Destructive Attacks

Ransomware Victims

Phishing & Email Based Attacks

Artificial Intelligence

Malware

Mobile

Denial of Service/DoS/DDOS

Internet of Things – IoT

Data Breaches/Leaks

Organised Crime & Criminal Actors

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

Insurance

Supply Chain and Third Parties

Cloud/SaaS

Passwords, Credential Stuffing & Brute Force Attacks

Social Media

Training, Education and Awareness

Regulations, Fines and Legislation

Models, Frameworks and Standards

Data Protection

Careers, Working in Cyber and Information Security

Law Enforcement Action and Take Downs

Misinformation, Disinformation and Propaganda

Nation State Actors, Advanced Persistent Threats (APTs), Cyber Warfare, Cyber Espionage and Geopolitical Threats/Activity

Cyber Warfare and Cyber Espionage

Nation State Actors

China

Russia

Iran

North Korea

Other Nation State Actors, Hacktivism, Extremism, Terrorism and Other Geopolitical Threat Intelligence

Tools and Controls

Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

·         Automotive

·         Construction

·         Critical National Infrastructure (CNI)

·         Defence & Space

·         Education & Academia

·         Energy & Utilities

·         Estate Agencies

·         Financial Services

·         FinTech

·         Food & Agriculture

·         Gaming & Gambling

·         Government & Public Sector (including Law Enforcement)

·         Health/Medical/Pharma

·         Hotels & Hospitality

·         Insurance

·         Legal

·         Manufacturing

·         Maritime

·         Oil, Gas & Mining

·         OT, ICS, IIoT, SCADA & Cyber-Physical Systems

·         Retail & eCommerce

·         Small and Medium Sized Businesses (SMBs)

·         Startups

·         Telecoms

·         Third Sector & Charities

·         Transport & Aviation

·         Web3

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Read More
Black Arrow Admin Black Arrow Admin

Black Arrow Cyber Threat Briefing 10 February 2023

Black Arrow Cyber Threat Briefing 10 February 2023:

-Companies Banned from Paying Hackers After Attacks on Royal Mail and Guardian

-Fraud Set to Be Upgraded as a Threat to National Security

-98% of Attacks are Not Reported by Employees to their Employers

-UK Second Most Targeted Nation Behind America for Ransomware

-Financial Institutions are Suffering from Increasingly Sophisticated Cyber Attacks

-An Email Attack Can End Up Costing You Over $1 Million

-Cyber Crime Shows No Signs of Slowing Down

-Surge of Swatting Attacks Targets Corporate Executive and Board Members

-Phishing Surges Ahead, as ChatGPT and Artificial Intelligence Loom

-Pro-Russian Hacktivist Group is Only Getting Started, Experts Warn

-Crypto Investors Lost Nearly $4 Billion to Hackers in 2022

-PayPal and Twitter Abused in Turkey Relief Donation Scams

-Mysterious Leak of Booking.com Reservation Data is Being Used to Scam Customers

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

  • UK Companies Banned from Paying Ransomware Hackers After Attacks on Royal Mail and Guardian

British companies have been banned from paying ransomware hackers after a spate of attacks on businesses including Royal Mail and the Guardian newspaper.

UK Foreign Secretary James Cleverly on Thursday unveiled sanctions on seven Russian hackers linked to a gang called Conti, effectively banning any payments to the group.

Thursday’s sanctions are the first of their kind to be specifically targeted against Russian ransomware gang members.

The actions follow a spate of high-profile attacks on businesses and amid warnings from GCHQ that Russian and Iranian hackers are stepping up actions in Britain.

https://www.telegraph.co.uk/business/2023/02/09/companies-banned-paying-hackers-attacks-royal-mail-guardian/

  • Fraud Set to Be Upgraded as a Threat to National Security

Fraud is to be reclassified as a threat to national security under UK government plans that will force police chiefs to devote more officers to solving the crime.

It will be elevated to the same status as terrorism, with chief constables mandated to increase resources and combine capabilities in a new effort to combat a fraud epidemic that now accounts for 30 per cent of all crime.

It will be added to the strategic policing requirement, which means that forces will be required by ministers to treat fraud as a major priority alongside not only terrorism, but also public disorder, civil emergencies, serious and organised crime, cyber attacks and child sexual abuse.

https://www.telegraph.co.uk/news/2023/02/04/fraud-set-upgraded-threat-national-security/

  • 98% of Attacks are Not Reported by Employees to their Employers

Cyber attackers are increasingly using social engineering tactics to lure employees into opening malicious emails in an attempt to trick them into providing login credentials, updating bank account information and paying fraudulent invoices. Worryingly, research conducted by security provider Abnormal has found that 98% of attacks on organisations are not reported to the organisation’s security team. In addition to this, the report found that the volume of business email compromise attacks are spiking, growing by 175% over the past two years. The report also found that nearly two-thirds of large enterprises experiencing a supply chain compromise attack in the second half of 2022.

https://www.msspalert.com/cybersecurity-research/employees-fail-to-report-98-of-email-cyber-hacks-to-security-teams-study-finds/

  • UK Second Most Targeted Nation Behind America for Ransomware

Security research team Kraken Labs released their report earlier this week, which found that of the 101 different countries that registered victims of ransomware, the UK had registered the second highest number of victims behind the US. Currently, there are over 60 ransomware groups, with the top 3 accounting for a third of all ransomware attacks.

https://www.itsecurityguru.org/2023/02/07/uk-second-most-targeted-nation-behind-america-for-ransomware/

  • Financial Institutions are Suffering from Increasingly Sophisticated Cyber Attacks

This week security provider Contrast Security released its Cyber Bank Heists report, an annual report that exposes cyber security threats facing the financial sector. The report warns financial institutions that security must be a top-of-mind issue amid rising geopolitical tensions, increased destructive attacks utilising wipers and a record-breaking year of zero-day exploits. The report involved a series of interviews with financial sector security leaders and found some notable results. Some of the results include 64% of leaders seeing an increase in application attacks, 72% of respondents planning to increase investment in application security in 2023, 60% of respondents falling victim to destructive attacks and 50% of organisations detecting campaigns which aimed to steal non-public market information.

https://www.darkreading.com/attacks-breaches/financial-institutions-are-suffering-from-increasingly-sophisticated-cyberattacks-according-to-contrast-security

  • An Email Attack Can End Up Costing You Over $1 Million

According to a report by security provider Barracuda Network, 75% of organisations had fallen victim to at least one successful email attack in the last 12 months, with those affected facing potential costs of over $1 million for their most expensive attack. The fallout from an email security attack can be significant, with the report finding 44% of those hit had faced significant downtime and business disruption. Additionally financial services greatly impacted by the loss of valuable data (59%) and payments made to attackers (51%). When it came to organisations preparation, 30% felt underprepared when dealing with account takeover and 28% felt unprepared for dealing with business email compromise.

https://www.helpnetsecurity.com/2023/02/10/email-attack-damage-1-million/

  • Cyber Crime Shows No Signs of Slowing Down

Global risks from population pressures and climate change to political conflicts and industrial supply chain challenges characterised 2022. Cyber criminals used this turmoil to exploit these trending topics, including significant events, public affairs, social causes, and anywhere else opportunity appeared. According to security researchers at Zscaler TheatLabz, 2023 will see a rise in Crime-as-a-service (CaaS), supply chains will be bigger targets than ever, there will be a greater need for defence in depth as endpoint protection will not be enough and finally, there will be a decrease in the time between initial compromise and the final stage of an attack.

https://www.darkreading.com/zscaler/cybercrime-shows-no-signs-of-slowing-down

  • Surge of Swatting Attacks Targets Corporate Executive and Board Members

Swatting is the act of deceiving an emergency service with the purpose of the service then sending an emergency response, often armed, to a targeted persons address. Security provider Black Cloak has found that swatting incidents are now beginning to target C-suite executives and corporate board members, with the number of incidents increasing over the last few months. Malicious actors are using information from the dark web, company websites and property records to construct their swatting attacks.

https://www.csoonline.com/article/3687177/surge-of-swatting-attacks-targets-corporate-executives-and-board-members.html#tk.rss_news

  • Phishing Surges Ahead, as ChatGPT and Artificial Intelligence Loom

Artificial Intelligence (AI) is making it easier for threat actors to create sophisticated and malicious email campaigns. In their report, security provider Vade found that Q4 of 2022 saw a 36% volume increase in phishing campaigns compared to the previous quarter, with over 278.3 million unique phishing emails in that period. The researchers found in particular, new AI tools such as ChatGPT had made it easy for anyone, including those with limited skills, to conduct a sophisticated phishing campaign. Furthermore, the ability of ChatGPT to tailor phishing to different languages is an area for concern.

https://www.darkreading.com/vulnerabilities-threats/bolstered-chatgpt-tools-phishing-surged-ahead

  • Pro-Russian Hacktivist Group is Only Getting Started, Experts Warn

A pro-Russian hacktivist group's low-level distributed denial-of-service (DDoS) attacks on US critical infrastructure could be a precursor to more serious cyber attacks, health care and security officials warned this week. A DDoS attack involves overwhelming a targeted service, service or network with traffic in an attempt to disrupt it. Earlier this week Killnet, a politically motivated Russian hacking group, overloaded and took down some US healthcare organisations. The attack came after threatening western healthcare organisations for the continued NATO support of Ukraine.

https://www.axios.com/2023/02/03/killnet-russian-hackers-attacks

  • Crypto Investors Lost Nearly $4 Billion to Hackers in 2022

Last year marked the worst year on record for cryptocurrency hacks, according to analytic firm Chainalysis’ latest report. According to the report, hackers stole $3.8 billion in 2022, up from $3.3 billion the previous year. De-centralised finance products, which are products that have no requirement for an intermediary or middle-man accounted for about 82% of all crypto stolen.

https://www.cnbc.com/2023/02/04/crypto-investors-lost-nearly-4-billion-dollars-to-hackers-in-2022.html

  • PayPal and Twitter Abused in Turkey Relief Donation Scams

Scammers are now exploiting the ongoing humanitarian crisis in Turkey and Syria. This time, stealing donations by abusing legitimate platforms such as PayPal and Twitter. It has been identified that multiple scams are running which call for fundraising, linking the victim to a legitimate PayPal site. The money however, is kept by the scammer.

https://www.bleepingcomputer.com/news/security/paypal-and-twitter-abused-in-turkey-relief-donation-scams/

  • Mysterious Leak of Booking.com Reservation Data is Being Used to Scam Customers

For almost 5 years, Booking.com customers have been on the receiving end of a continuous series of scams that demonstrate criminals have obtained travel plans amongst other personally identifiable information that were provided to Booking.com. The scams have involved users receiving fake emails purporting to be from Booking.com with genuine travel details that victims had provided. These emails contain links to malicious URL’s that look nearly identical to the Booking.com website. These then display the victim’s expected travel information, requiring them to input their card details. Some of the scams have developed and involve scammers sending WhatsApp messages after payment has been made, purporting to be from hotels which have been booked by the victims.

https://arstechnica.com/information-technology/2023/02/mysterious-leak-of-booking-com-reservation-data-is-being-used-to-scam-customers/

Threats

Ransomware, Extortion and Destructive Attacks

Phishing & Email Based Attacks

BEC – Business Email Compromise

Malware

Mobile

Denial of Service/DoS/DDOS

Internet of Things – IoT

Data Breaches/Leaks

Organised Crime & Criminal Actors

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

Insider Risk and Insider Threats

Fraud, Scams & Financial Crime

Impersonation Attacks

AML/CFT/Sanctions

Insurance

Dark Web

Supply Chain and Third Parties

Software Supply Chain

Cloud/SaaS

Hybrid/Remote Working

Identity and Access Management

Encryption

API

Passwords, Credential Stuffing & Brute Force Attacks

Biometrics

Social Media

Malvertising

Training, Education and Awareness

Parental Controls and Child Safety

Regulations, Fines and Legislation

Governance, Risk and Compliance

Models, Frameworks and Standards

Data Protection

Law Enforcement Action and Take Downs

Privacy, Surveillance and Mass Monitoring

Artificial Intelligence

Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine

Nation State Actors

Vulnerability Management

Vulnerabilities

Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

·       Automotive

·       Construction

·       Critical National Infrastructure (CNI)

·       Defence & Space

·       Education & Academia

·       Energy & Utilities

·       Estate Agencies

·       Financial Services

·       FinTech

·       Food & Agriculture

·       Gaming & Gambling

·       Government & Public Sector (including Law Enforcement)

·       Health/Medical/Pharma

·       Hotels & Hospitality

·       Insurance

·       Legal

·       Manufacturing

·       Maritime

·       Oil, Gas & Mining

·       OT, ICS, IIoT, SCADA & Cyber-Physical Systems

·       Retail & eCommerce

·       Small and Medium Sized Businesses (SMBs)

·       Startups

·       Telecoms

·       Third Sector & Charities

·       Transport & Aviation

·       Web3

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Read More
Black Arrow Admin Black Arrow Admin

Black Arrow Cyber Threat Briefing 16 December 2022

Black Arrow Cyber Threat Briefing 16 December 2022:

-Executives Take More Cyber Security Risks Than Office Workers

-CISO Role is Diversifying from Technology to Leadership & Communication Skills

-How Emerging AIs, Like ChatGPT, Can Turn Anyone into a Ransomware and Malware Threat Actor

-Cyber Security Drives Improvements in Business Goals

-Incoming FCA Chair Says Crypto Firms Facilitate Money Laundering

-Managing Cyber Risk in 2023: The People Element

-What We Can't See Can Hurt Us

-Uber Suffers New Data Breach After Attack on Vendor, Info Leaked Online

-When Companies Compensate the Hackers, We All Foot the Bill

-HSE Cyber-Attack Costs Ireland $83m So Far

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

  • Executives Take More Cyber Security Risks Than Office Workers

IT software company Ivanti worked with cyber security experts and surveyed 6,500 executive leaders, cybersecurity professionals, and office workers to understand the perception of today’s cybersecurity threats and to find out how companies are preparing for yet-unknown future threats.

The report revealed that despite 97% of leaders and security professionals reporting their organisation is as prepared, or more prepared, to defend against cybersecurity attacks than they were a year ago, one in five wouldn’t bet a chocolate bar that they could prevent a damaging breach.

In fact, the study finds that organisations are racing to fortify against cyber attacks, but the industry still struggles with a reactive, checklist mentality. This is most pronounced in how security teams are prioritising patches. While 92% of security professionals reported they have a method to prioritise patches, they also indicated that all types of patches rank high – meaning none do.

“Patching is not nearly as simple as it sounds,” said Ivanti. “Even well-staffed, well-funded IT and security teams experience prioritisation challenges amidst other pressing demands. To reduce risk without increasing workload, organisations must implement a risk-based patch management solution and leverage automation to identify, prioritise, and even address vulnerabilities without excess manual intervention”.

Cyber security insiders view phishing, ransomware, and software vulnerabilities as top industry-level threats for 2023. Approximately half of respondents indicated they are “very prepared” to meet the growing threat landscape including ransomware, poor encryption, and malicious employees, but the expected safeguards such as deprovisioning credentials is ignored a third of a time and nearly half of those surveyed say they suspect a former employee or contractor still has active access to company systems and files.

The report also revealed that leaders engage in more dangerous behaviour and are four times more likely to be victims of phishing compared to office workers.

Additionally:

  • More than 1 in 3 leaders have clicked on a phishing link

  • Nearly 1 in 4 use easy-to-remember birthdays as part of their password

  • They are much more likely to hang on to passwords for years

  • And they are 5x more likely to share their password with people outside the company.

One survey taker shared, “We’ve experienced a few advanced phishing attempts and the employees were totally unaware they were being targeted. These types of attacks have become so much more sophisticated over the last two years – even our most experienced staff are falling prey to it.”

To cope with a rapidly expanding threat landscape, organisations must move beyond a reactive, rules-based approach.

https://www.helpnetsecurity.com/2022/12/16/executives-take-more-cybersecurity-risks-than-office-workers/

  • CISO Role is Diversifying from Technology to Leadership & Communication Skills

The role of chief information security officer (CISO), a relatively new executive position, is undergoing some significant changes and an archetype has yet to emerge, a new global report from Marlin Hawk, an executive recruiting and leadership consultant, said.

CISOs are still more likely to serve on advisory boards or industry bodies than on the board of directors. Only 13% of the global CISOs analysed are women; approximately 20% are non-white. Each diversity dimension analysed is down one percentage point year-on-year.

According to James Larkin, managing partner at Marlin Hawk, “Today’s CISOs are taking up the mantle of responsibilities that have traditionally fallen solely to the chief information officer (CIO), which is to act as the primary gateway from the tech department into the wider business and the outside marketplace. This widening scope requires CISOs to be adept communicators to the board, the broader business, as well as the marketplace of shareholders and customers. By thriving in the ‘softer’ skill sets of communication, leadership, and strategy, CISOs are now setting the new industry standards of today and, I predict, will be progressing into the board directors of tomorrow.”

The job does not come without its downsides. For one, according to the search firm, many CISOs change roles and leave their jobs. Their skillset may not be adequate or new leaders get appointed to the job, they lack the necessary internal support, or their company may not have the required commitment to cyber security to make the job effective.

Key findings from the report include:

  • 45% of global CISOs have been in their current role for two years or less, down from 53% in 2021, with 18% turnover year-on-year. While there is still a lot of movement in the CISO seat, there is potentially some stabilisation emerging.

  • Approximately 62% of global CISOs were hired from another company, indicating a slight increase in the number of CISOs hired internally (38% were hired internally compared to 36% in 2021) but a large gap remains in appropriate successors.

  • 36% of CISOs analysed with a graduate degree received a higher degree in business administration or management. This is down 10% from last year (46% in 2021). Conversely, there has been an increase to 61% of CISOs receiving a higher degree in STEM subjects (up from 46% in 2021).

https://www.msspalert.com/cybersecurity-research/ciso-role-is-diversifying-from-technology-to-leadership-communication-skills/

  • How Emerging AIs, Like ChatGPT, Can Turn Anyone into a Ransomware and Malware Threat Actor

Ever since OpenAI launched ChatGPT at the end of November, commentators on all sides have been concerned about the impact AI-driven content-creation will have, particularly in the realm of cybersecurity. In fact, many researchers are concerned that generative AI solutions will democratise cyber crime.

With ChatGPT, any user can enter a query and generate malicious code and convincing phishing emails without any technical expertise or coding knowledge.

While security teams can also leverage ChatGPT for defensive purposes such as testing code, by lowering the barrier for entry for cyber attacks, the solution has complicated the threat landscape significantly. From a cyber security perspective, the central challenge created by OpenAI’s creation is that anyone, regardless of technical expertise, can create code to generate malware and ransomware on-demand.

Whilst it can be used for good to assist developers in writing code for good, it can (and already has) been used for malicious purposes. Examples including asking the bot to create convincing phishing emails or assist in reverse engineering code to find zero-day exploits that could be used maliciously instead of reporting them to a vendor.

ChatGPT does have inbuilt guardrails designed to prevent the solution from being used for criminal activity. For instance, it will decline to create shell code or provide specific instructions on how to create shellcode or establish a reverse shell and flag malicious keywords like phishing to block the requests.

The problem with these protections is that they’re reliant on the AI recognising that the user is attempting to write malicious code (which users can obfuscate by rephrasing queries), while there’s no immediate consequences for violating OpenAI’s content policy.

https://venturebeat.com/security/chatgpt-ransomware-malware/

  • Cyber Security Drives Improvements in Business Goals

Cyber threats should no longer be viewed as just an IT problem, but also a business problem, Deloitte said in its latest Future of Cyber study. Operational disruption, loss of revenue, and loss of customer trust are the top three significant impacts of cyber incidents. More than half, or 56%, of respondents told Deloitte they suffered related consequences to a moderate or large extent.

In 2021, the top three negative consequences from cyber incidents and breaches were operational disruption, which includes supply chain and the partner ecosystem, intellectual property theft, and a drop in share price. While operational disruption remained the top concern in 2022, loss of revenue and loss of customer trust and negative brand impact moved up in importance. Intellectual property theft and drop in share price dropped to eighth and ninth (out of ten) in ranking. Losing funding for a strategic initiative, loss of confidence in the integrity of the technology, and impact on employee recruitment and retention moved up in ranking in 2022. Respondents were also asked to mark two consequences they felt would be most important in 2023: Operational disruption and loss of revenue topped the list.

"Today, cyber means business, and it is difficult to overstate the importance of cyber as a foundational and integral business imperative," Deloitte noted in its report. "It [cyber] should be included in every functional area, as an essential ingredient for success—to drive continuous business value, not simply mitigate risks to IT."

Deloitte categorised organisations' cyber security maturity based on their adoption of cyber planning, risk management, and board engagement. Risk management included activities such as industry benchmarking, incident response, scenario planning, and qualitative and quantitative risk assessment.

Whether or not the organisation adopted any of these three practices hinged on stakeholders recognising the importance of cyber responsibility and engagement across the whole organisation, Deloitte said in its report. Examples included having a governing body that comprises IT and senior business leaders to oversee the cyber program, conducting incident-response scenario planning and simulation at the organisational and/or board level, regularly providing cyber updates to the board to secure funding, and conducting regular cyber awareness training for all employees.

https://www.darkreading.com/edge-threat-monitor/cybersecurity-drives-improvements-in-business-goals

  • Incoming FCA Chair Says Crypto Firms Facilitate Money Laundering

The man who will lead UK efforts to regulate cryptocurrency firms issued a stark condemnation of the sector on Wednesday, telling MPs that in his experience crypto platforms were “deliberately evasive”, facilitated money laundering at scale and created “massively untoward risk”.

The comments from Ashley Alder, the incoming chair of the Financial Conduct Authority, suggest that crypto firms hoping to build businesses in the UK will face an uphill battle when the FCA assumes new powers to regulate broad swaths of the sector.

They also put Alder, who will become FCA chair in February, on a potential collision course with the government’s aspiration to create a high quality crypto hub that fosters innovation, a vision ministers have remained loyal to even as the global crypto market lurches from crisis to crisis, epitomised by the collapse of FTX. The FCA declined to comment on whether their incoming chair’s views were at odds with those of the government.

Alder comments came during a sometimes terse appointment hearing with the cross-party Treasury select committee, where he faced sustained criticism for appearing virtually from Hong Kong and for his lack of familiarity with some parts of the UK market place and its accountability structures.

https://www.ft.com/content/7bf0a760-5fb5-4146-b757-1acc5fc1dee5

  • Managing Cyber Risk in 2023: The People Element

2022 has had many challenges from cyber war between Russia and Ukraine, continuing ransomware attacks, and a number of high-profile vulnerabilities and zero day attacks.  With the attack surface constantly expanding, CISOs and security leaders are acutely aware of the need to minimise risk across people, processes, and technology.

Top infrastructure risk: people

It’s common knowledge that it’s not if, but when, your organisation will be the target of a cyber attack. CISOs and security leaders seem to share the same opinion—according to Trend Micro’s latest Cyber Risk Index (CRI) (1H’2022), 85% of 4,100 respondents across four global regions said its somewhat to very likely they will experience a cyber attack in the next 12 months.  More concerning was 90% of respondents had at least one successful cyber attack in the past 12 months.

The CRI (1H’2022) also found that CISOs, IT practitioners, and managers identified that most organisations’ IT security objectives are not aligned with the business objectives, which could cause challenges when trying to implement a sound cyber security strategy.

It’s important to note that while ideal, avoiding a cyber attack isn’t the main goal—companies need to address critical challenges across their growing digital attack surface to enable faster detection and response, therefore minimising cyber risk.

While it's commonly assumed that security efforts should be largely focused on protecting critical servers and infrastructure, the human attack vector shouldn’t be so quickly forgotten.

https://www.trendmicro.com/en_us/ciso/22/e/managing-cyber-risk.html

  • What We Can't See Can Hurt Us

In speaking with security and fraud professionals, visibility remains a top priority. This is no surprise, since visibility into the network, application, and user layers is one of the fundamental building blocks of both successful security programs and successful fraud programs. This visibility is required across all environments — whether on-premises, private cloud, public cloud, multicloud, hybrid, or otherwise.

Given this, it is perhaps a bit surprising that visibility in the cloud has lagged behind the move to those environments. This occurred partially because few options for decent visibility were available to businesses as they moved to the cloud. But it also partially happened because higher priority was placed on deploying to the cloud than on protecting those deployments from security and fraud threats.

This is unfortunate, since what we can't see can hurt us. That being said, cloud visibility is becoming a top priority for many businesses. There are a few areas where many businesses are looking for visibility to play a key role, including Compliance, Monitoring, Investigation, Response, API Discovery, Application Breaches, and Malicious User Detection.

Organisation have been a bit behind in terms of ensuring the requisite visibility into cloud environments. Whilst time has been lost, it does seem that gaining visibility into the network, application, and user layers is now a priority for many businesses. This is a positive development, as it enables those businesses to better mitigate the risks that operating blindly creates.

https://www.darkreading.com/edge-articles/what-we-can-t-see-can-hurt-us

  • Uber Suffers New Data Breach After Attack on Vendor, Info Leaked Online

Uber has suffered a new data breach after a threat actor leaked employee email addresses, corporate reports, and IT asset information stolen from a third-party vendor in a cyber security incident.

On Saturday last week, a threat actor named 'UberLeaks' began leaking data they claimed was stolen from Uber and Uber Eats on a hacking forum known for publishing data breaches. The leaked data includes numerous archives claiming to be source code associated with mobile device management platforms (MDM) used by Uber and Uber Eats and third-party vendor services.

The threat actor created four separate topics, allegedly for Uber MDM at uberhub.uberinternal.com and Uber Eats MDM, and the third-party Teqtivity MDM and TripActions MDM platforms. Each post refers to a member of the Lapsus$ hacking group who is believed to be responsible for numerous high-profile attacks, including a September cyber attack on Uber where threat actors gained access to the internal network and the company's Slack server.

News outlet BleepingComputer has been told that the newly leaked data consists of source code, IT asset management reports, data destruction reports, Windows domain login names and email addresses, and other corporate information. One of the documents seen by BleepingComputer includes email addresses and Windows Active Directory information for over 77,000 Uber employees.

While BleepingComputer initially thought this data was stolen during the September attack, Uber told BleepingComputer it believes it is related to a security breach on a third-party vendor.

https://www.bleepingcomputer.com/news/security/uber-suffers-new-data-breach-after-attack-on-vendor-info-leaked-online/

  • When Companies Compensate the Hackers, We All Foot the Bill

Companies are always absorbing costs that are seen as par for the course of budget planning: maintenance, upgrades, office supplies, wastage, shrinkage, etc. These costs ratchet up the price of a company's products and are then passed on to the consumer. Breaches in cyber security and paying out ransoms to hackers should be outside of this remit, and yet more than half of all companies admit to transferring the costs of data breaches on to consumers. Careless or ill-informed employees and other weaknesses in a company's protections lead to catastrophic losses to businesses of around $1,797,945 per minute — and the consumers are paying it off.

If a company estimates the recovery costs from a ransomware attack to exceed the requested payment from the hacker, then it feels like a no-brainer — they're better off just cutting their losses and giving in to the cyber criminal's demands. The issue is that this creates an unvirtuous circle of paying the hacker, which enforces nefarious behaviour and empowers hackers to increase the number and volume of ransoms.

When it comes to ransomware, 32% of companies pay off hackers, and, of that percentage, the average company only retrieves about 65% of its data. Giving in to hackers is counterintuitive. On an even more disturbing note, one study found that 80% of companies that paid a ransom were targeted a second time, with about 40% paying again and a majority of that 40% paying a higher ransom the second time round. This is ludicrous. With 33% of companies suspending operations following an attack, and nearly 40% resorting to laying off staff, it comes as no surprise that the downstream costs are picked up to some extent by the consumer.

As for smaller companies, about 50% of US small businesses don't have a cyber security plan in place, despite the fact that small businesses are three times more likely to be targeted by cyber criminals than larger companies. An average breach costs these companies around $200,000 and has put many out of business. It isn't simply the cost passed on to consumers, it's also the intangible assets, such as brand reputation.

When data is leaked and a site goes down, customers become rightly anxious when their information is sold to the highest bidder on the Dark Web. To safeguard against this, companies of all sizes should exploit automated solutions while training every single member of staff to recognise and report online threats. Paying a ransom does not guarantee the return of data, and for a smaller business, losing valuable customer information could cause long-term damage way beyond the initial attack.

Cyber security professionals, governments, and law enforcement agencies all advise companies to avoid paying the hackers' ransoms. This strategy is affirmed by the success businesses have had in retrieving the stolen data and turning the lights back on — 78% of organisations who say they did not pay a ransom were able to fully restore systems and data without the decryption key. This evidently is not enough to reassure companies who, at the click of a dangerous email being opened, have lost sensitive information and access to their systems and are desperate to get back online. There are many preventative techniques businesses can take advantage of before it even gets to that stage.

https://www.darkreading.com/attacks-breaches/when-companies-compensate-the-hackers-we-all-foot-the-bill

  • HSE Cyber-Attack Costs Ireland $83m So Far

The cost of the cyber-attack that hit the Irish Health Service Executive (HSE) last year has officially reached €80m ($83.75m).

The figures come from a letter from HSE’s chief information officer, seen by The Irish Times. This comes months after the Department of Health suggested in February the attack could end up costing up to €100m ($104m). The letter confirmed that the costs reached €42m ($43.97m) in 2021 and almost €39m ($40.83m) until October of this year.

Ireland has a very capable national cyber security centre and a well-oiled CSIRT team that engages the public/private sector. If the cost does continue to escalate to €100m, that is the equivalent to everyone in the Republic of Ireland having been defrauded by €20. According to The Irish Times, the costs were said to be “enormous,” and the government has been asked to complete a comprehensive assessment of the impact caused by the breach.

The cyber-attack, believed to have been conducted by Russia-based state actors, was reportedly caused by a malicious Microsoft Excel file delivered via a phishing email. According to a December 2021 report, the file was opened at an HSE workstation in March 2021. The malware would have been latent for two months before the breach, which was reportedly discovered in May, two months later. A total of roughly 100,000 people had their personal data stolen during the cyber-attack.

Healthcare continues to be a target of attacks given their enormous attack surface across critical applications, cloud environments and IoT devices.

https://www.infosecurity-magazine.com/news/hse-cyber-attack-ireland-dollar83m/

Threats

Ransomware, Extortion and Destructive Attacks

Phishing & Email Based Attacks

BEC – Business Email Compromise

Other Social Engineering; Smishing, Vishing, etc

Malware

Mobile

Internet of Things – IoT

Data Breaches/Leaks

Organised Crime & Criminal Actors

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

Insider Risk and Insider Threats

Fraud, Scams & Financial Crime

AML/CFT/Sanctions

Insurance

Dark Web

Supply Chain and Third Parties

Software Supply Chain

Denial of Service DoS/DDoS

Cloud/SaaS

Hybrid/Remote Working

Encryption

API

Open Source

Passwords, Credential Stuffing & Brute Force Attacks

Social Media

Training, Education and Awareness

Parental Controls and Child Safety

Cyber Bullying, Cyber Stalking and Sextortion

Regulations, Fines and Legislation

Governance, Risk and Compliance

Models, Frameworks and Standards

Backup and Recovery

Data Protection

Careers, Working in Cyber and Information Security

Law Enforcement Action and Take Downs

Privacy, Surveillance and Mass Monitoring

Artificial Intelligence

Misinformation, Disinformation and Propaganda

Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine

Vulnerability Management

Vulnerabilities

Tools and Controls

Other News

Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

·       Automotive

·       Construction

·       Critical National Infrastructure (CNI)

·       Defence & Space

·       Education & Academia

·       Energy & Utilities

·       Estate Agencies

·       Financial Services

·       FinTech

·       Food & Agriculture

·       Gaming & Gambling

·       Government & Public Sector (including Law Enforcement)

·       Health/Medical/Pharma

·       Hotels & Hospitality

·       Insurance

·       Legal

·       Manufacturing

·       Maritime

·       Oil, Gas & Mining

·       OT, ICS, IIoT, SCADA & Cyber-Physical Systems

·       Retail & eCommerce

·       Small and Medium Sized Businesses (SMBs)

·       Startups

·       Telecoms

·       Third Sector & Charities

·       Transport & Aviation

·       Web3

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Read More
Black Arrow Admin Black Arrow Admin

Black Arrow Cyber Threat Briefing 04 November 2022

Black Arrow Cyber Threat Briefing 04 November 2022:

-NCSC Looks Back on Year Of ‘Profound Change’ for Cyber

-LastPass Research Finds False Sense of Cyber Security Running Rampant

-Insurance Giant Settles NotPetya ‘Act of War’ Lawsuit, Signaling Cyber Insurance Shakeup

-Microsoft Warns of Uptick in Hackers Leveraging Publicly-Disclosed 0-Day Vulnerabilities

-Chinese Mob Has 100K Slaves Working in Cambodian Cyber Crime Mills

-Ransomware Research: 17 Leaked Databases Operated by Threat Actors Threaten Third Party Organisations

-Not Enough Ransomware Victims Are Reporting Attacks, And That's a Problem for Everyone

-Hackers Selling Access to 576 Corporate Networks for $4 Million

-Cyber Security Recovery is a Process That Starts Long Before a Cyber Attack Occurs

-Geopolitics Plays Major Role in Cyber Attacks, Says EU Cyber Security Agency

-Russian Hackers Account for Most 2021 Ransomware Schemes, US Says

-Exposed: The Global Hacking Network That Targets VIPs

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

  • NCSC Looks Back on Year Of ‘Profound Change’ for Cyber

The UK’s National Cyber Security Centre (NCSC) provided support for 18 nationally significant ransomware attacks; removed 2.1 million cyber-enabled commodity campaigns; issued 34 million early warning alerts about attacks, compromises, vulnerabilities or open ports; and received 6.5 million reports of suspicious emails in the past 12 months – but in a year of “profound change” in the cyber security landscape, it was Russia’s invasion of Ukraine that dominated the agenda.

Reflecting on the past 12 months as she launched the NCSC’s latest annual report on 1 November at an event in London, NCSC CEO Lindy Cameron said that the return of war to Europe with Russia’s invasion of Ukraine presented a unique set of challenges in cyber space for the NCSC and its partners and allies.

Cameron added that while the cyber threat from Russia has perhaps been the most visible security issue of 2022, it was also important not to forget that when it comes to nation-state actors, it will likely be the technical development and evolution of China that ultimately has the more lasting impact on the UK’s national cyber security.

https://www.computerweekly.com/news/252526766/NCSC-looks-back-on-year-of-profound-change-for-cyber

  • LastPass Research Finds False Sense of Cyber Security Running Rampant

LastPass released findings from its fifth annual Psychology of Password findings, which revealed even with cyber security education on the rise, password hygiene has not improved. Regardless of generational differences across Boomers, Millennials and Gen Z, the research shows a false sense of password security given current behaviours across the board. In addition, LastPass found that while 65% of all respondents have some form of cyber security education — through school, work, social media, books or via online courses — the reality is that 62% almost always or mostly use the same or variation of a password.

The survey, which explored the password security behaviours of 3,750 professionals across seven countries, asked about respondents’ mindset and behaviours surrounding their online security. The findings highlighted a clear disconnect between high confidence when it comes to their password management and their unsafe actions. While the majority of professionals surveyed claimed to be confident in their current password management, this doesn’t translate to safer online behaviour and can create a detrimental false sense of safety.

Key findings from the research include:

  • Gen Z is confident when it comes to their password management, while also being the biggest offenders of poor password hygiene.

  • Cyber security education doesn’t necessarily translate to action.

  • Confidence creates a false sense of password security.

The latest research showcases that even in the face of a pandemic, where we spent more time online amid rising cyber attacks, there continues to be a disconnect for people when it comes to protecting their digital lives. Even though nearly two-thirds of respondents had some form of cyber security education, it is not being put into practice for varying reasons.

https://www.darkreading.com/vulnerabilities-threats/untitled

  • Insurance Giant Settles NotPetya ‘Act of War’ Lawsuit, Signaling Cyber Insurance Shakeup

The settlement last week in a $100 million lawsuit over whether insurance giant Zurich should cover losses Mondelez International suffered from NotPetya may very well reshape the entire cyber insurance marketplace.

Zurich initially denied claims from Mondelez after the malware, which experts estimate caused some $10 billion in damages globally, wreaked havoc on its computer networks. The insurance provider claimed an act of war exemption since it’s widely believed Russian military hackers unleashed NotPetya on a Ukrainian company before it spread around the world.

Now, however, it’s increasingly clear insurers aren’t off the hook for NotPetya payouts or from covering losses from other attacks with clear links to nation-state hackers.

That’s because in this case, what Mondelez and many other corporations endured was not an act of war, but “collateral damage” in a much larger cyber conflict that had nothing to do with them, said the Center for Strategic and International Studies.

There needs to be a rethink what act of war means in cyber space when it comes to insurance. The current definitions come out of the 19th century when we had pirates, navies and privateers.

Last week’s ruling in favour of Mondelez follows a January ruling in a New Jersey court that sided with global pharmaceutical company Merck in a similar case. Its insurance companies initially refused to pay for damages from NotPetya. Merck claimed losses that amounted to $1.4 billion. The insurers are appealing the ruling.

Insurers seized on the NotPetya episode to test how courts would rule on cyber coverage questions, particularly when there’s so much evidence pointing to one particular nation-state actor. Since NotPetya was widely attributed to the Russian government it gave the industry a “really strong opportunity” to set legal precedent limiting their responsibility in these instances.

Insurers will start to be much more upfront about the fact that they aren’t going to cover acts of cyber war or limit payouts for NotPetya type incidents in the future.

https://www.cyberscoop.com/insurance-giant-settles-notpetya-lawsuit/

  • Microsoft Warns of Uptick in Hackers Leveraging Publicly-Disclosed 0-Day Vulnerabilities

Microsoft is warning of an uptick among nation-state and criminal actors increasingly leveraging publicly-disclosed zero-day vulnerabilities for breaching target environments.

The tech giant, in its 114-page Digital Defense Report, said it has "observed a reduction in the time between the announcement of a vulnerability and the commoditisation of that vulnerability," making it imperative that organisations patch such exploits in a timely manner.

This also corroborates with an April 2022 advisory from the US Cybersecurity and Infrastructure Security Agency (CISA), which found that bad actors are "aggressively" targeting newly disclosed software bugs against broad targets globally.

Microsoft noted that it only takes 14 days on average for an exploit to be available in the wild after public disclosure of a flaw, stating that while zero-day attacks are initially limited in scope, they tend to be swiftly adopted by other threat actors, leading to indiscriminate probing events before the patches are installed.

It further accused Chinese state-sponsored groups of being "particularly proficient" at discovering and developing zero-day exploits. This has been compounded by the fact that the Cyberspace Administration of China (CAC) enacted a new vulnerability reporting regulation in September 2021 that requires security flaws to be reported to the government prior to them being shared with the product developers.

Redmond further said the law could enable government-backed elements to stockpile and weaponise the reported bugs, resulting in the increased use of zero-days for espionage activities designed to advance China's economic and military interests.

https://thehackernews.com/2022/11/microsoft-warns-of-uptick-in-hackers.html

  • Chinese Mob Has 100K Slaves Working in Cambodian Cyber Crime Mills

Up to 100,000 people from across Asia have been lured to Cambodia by Chinese crime syndicates with the promise of good jobs. When they arrive, their passports are seized and they are put to work in modern-day sweatshops, running cyber crime campaigns.

The Los Angeles Times reported that Cambodia, which was hit hard economically by the pandemic, has allowed Chinese mobsters to set up enormous cyber crime operations using human trafficked labour without consequence, because of the revenue it generates for the country. The campaigns they carry out run the gamut from romance scams to fake sports betting.

Although the Cambodian government acknowledges that as many as 100,000 workers are involved in these activities, it denies anyone is being held against their will. However, the stories from traumatised victims rescued from cyber crime mills include tales of beatings and torture for failing to meet quotas, and of being sold and passed around from gang to gang.

https://www.darkreading.com/attacks-breaches/chinese-mob-100k-slaves-cambodian-cybercrime-mills

  • Ransomware Research: 17 Leaked Databases Operated by Threat Actors Threaten Third Party Organisations

Ransomware remains a serious threat to organisations, Deep Instinct, a New York-based deep learning cyber security specialist, said in its recently released 2022 Interim Cyber Threat Report.

It’s no surprise, the company said, as there are currently 17 leaked databases operated by threat actors who are leveraging the data for attacks on third-party companies, most notably social engineering, credential theft, and triple-extortion attacks.

Here are the report’s key findings:

  • Changes in ransomware gangs, including LockBit, Hive, BlackCat, and Conti. The latter has spawned “Conti Splinters” made up of former affiliates Quantum, BlackBasta, and BlackByte.

  • Significant changes to tactics by Emotet, Agent Tesla, NanoCore, and others. For example, Emotet uses highly obfuscated VBA macros to avoid detection.

  • The use of documents for malware has decreased as the top attack vector, following Microsoft’s move to disable macros by default in Microsoft Office files. Threat actors have already pivoted to other methods such as LNK, HTML, and archive email attachments.

  • Vulnerabilities such as SpoolFool, Follina and DirtyPipe highlighted the exploitability of both Windows and Linux systems despite efforts to enhance their security.

  • The number of exploited in-the-wild vulnerabilities spikes every 3-4 months. The next spike is expected to occur by the end of the year.

  • Threat actor groups are extending data exfiltration attacks to demand ransoms from third-party companies if the leaked data contains their sensitive information.

The report also makes three predictions:

  • More inside jobs. Malicious threat actors look for the weakest link, which is often in the supply chain. Groups like Lapsus$ do not rely on exploits but instead look for insiders who are willing to sell access to data within their organisation.

  • Rise of protestware. Look for a spike in protestware, which is self-sabotaging one’s software and weaponising it with malware capabilities in an effort to harm all or some of its users. The war between Russia and Ukraine has caused a surge in protestware.

  • End of year attacks. While no major vulnerability in 2022 has emerged similar to the Log4J or the Exchange cases in 2021, there is an increase year-over-year in the number of publicly assigned CVEs for reported vulnerabilities. For now, threat actors are still exploiting old vulnerabilities during 2022 simply because there is a plethora of unpatched systems for 2021 CVEs but that will change.

Organisations are warned to be on their guard. 2022 has been another record year for cyber criminals and ransomware gangs. It’s no secret that these threat actors are constantly upping their game with new and improved tactics designed to evade traditional cyber defences. Defenders must continue to be vigilant and find new approaches to prevent these attacks from happening.

https://www.msspalert.com/cybersecurity-research/ransomware-research-17-leaked-databases-operated-by-threat-actors-threaten-third-party-organizations/

  • Ransomware: Not Enough Victims Are Reporting Attacks, And That's a Problem for Everyone

Ransomware continues to be a significant cyber threat to businesses and the general public – but it's difficult to know the true impact of attacks because many victims aren't coming forward to report them.

The warning comes in the National Cyber Security Centre (NCSC) Annual Review for 2022, which looks back at key developments and incidents in cyber crime over the last year, with ransomware described as an "ever present" threat and a "major challenge" to businesses and public services.

That's demonstrated by how the review details how in the 12-month period between 1 September 2021 and 31 August 2022 there were 18 ransomware incidents that needed a "nationally coordinated" response. These included attacks on a supplier to the National Health Service (NHS) and a ransomware attack against South Staffordshire Water.

However, the true impact of ransomware remains unclear, because the NCSC says that many organisations that fall prey to ransomware attacks aren't disclosing them.

That lack of reporting is despite the significant and disruptive consequences ransomware attacks can have, not only for organisations that fall victim, but for wider society – which is why it's vital that cyber security is taken seriously and incidents are reported.

https://www.zdnet.com/article/ransomware-not-enough-victims-are-reporting-attacks-and-that-increases-the-threat-for-everyone/

  • Hackers Selling Access to 576 Corporate Networks for $4 Million

A new report shows that hackers are selling access to 576 corporate networks worldwide for a total cumulative sales price of $4,000,000, fuelling attacks on the enterprise.

The research comes from Israeli cyber-intelligence firm KELA which published its Q3 2022 ransomware report, reflecting stable activity in the sector of initial access sales but a steep rise in the value of the offerings.

Although the number of sales for network access remained about the same as in the previous two quarters, the cumulative requested price has now reached $4,000,000. For comparison, the total value of initial access listings in Q2 2022 was $660,000, recording a drop in value that coincided with the summer ransomware hiatus that hurt demand.

Initial access brokers (IABs) are hackers who sell access to corporate networks, usually achieved through credential theft, webshells, or exploiting vulnerabilities in publicly exposed hardware. After establishing a foothold on the network, the threat actors sell this corporate access to other hackers who use it to steal valuable data, deploy ransomware, or conduct other malicious activity. The reasons IABs choose not to leverage network access vary, ranging from lacking diverse intrusion skills to preferring not to risk increased legal trouble.

IABs still play a crucial role in the ransomware infection chain, even if they got sidelined last year when big ransomware gangs that operated as crime syndicates operated their own IAB departments.

https://www.bleepingcomputer.com/news/security/hackers-selling-access-to-576-corporate-networks-for-4-million/

  • Cyber Security Recovery is a Process That Starts Long Before a Cyber Attack Occurs

Organisations are racing to stay ahead of cyber criminals, and as a result, we see businesses investing a lot of money on identifying and detecting attacks, on preventing attacks in the first place, and in responding to live attacks. But they are not spending the same amounts on attack recovery. They may have followed all the relevant guidelines, and even implemented the ISO 27000 standard, but none of that helps them to understand how to build the business back after a serious cyber attack.

Until recent years, this cyber security recovery investment would be spent on an annual tabletop exercise or disaster recovery test and auditing recovery plans. While this should be done, it isn’t enough on its own.

Cyber security insurance is also critical, of course, but it only covers some of the losses. It won’t cover future loss. The reality is most organisations find it very difficult to fully recover from an attack. Those that invest more in disaster recovery and business continuity recover from these attacks far more swiftly than their less-prepared competitors.

The four core components of an effective cyber security recovery program

  1. Pre-emptive action

  2. Responsibilities and accountability

  3. Having the right IT architecture, security and recovery process in place

  4. Learning lessons and implementing changes.

Once these factors are understood, and any weak spots identified, the organisation can focus on re-designing or updating architecture and procedures, and on retraining employees (something that should happen regularly).

Recovery is a process that starts long before a cyber attack occurs. It concludes not when the data is secured, but when the organisation can say that it’s learned everything it can from the event and has made the changes necessary to avoid it happening again.

https://www.helpnetsecurity.com/2022/11/03/cybersecurity-recovery/

  • Geopolitics Plays Major Role in Cyber Attacks, Says EU Cyber Security Agency

The ongoing Russia-Ukraine conflict has resulted in an increase in hacktivist activity in the past year, with state-sponsored threat actors targeting 128 governmental organisations in 42 countries that support Ukraine, according to the European Union Agency for Cybersecurity (ENISA).

In addition, some threat actors targeted Ukrainian and Russian entities during the early days of the conflict, likely for the collection of intelligence, according to the 10th edition of the ENISA threat landscape report. The report, this year titled Volatile Geopolitics Shake the Trends of the 2022 Cybersecurity Threat Landscape, notes that in general geopolitical situations continue to have a high impact on cyber security.

This year's report identified several attack types frequently used by state-sponsored attackers. These include zero-day and critical vulnerability exploitation; attacks on operational technology (OT) networks; wiper attacks to destroy and disrupt networks of governmental agencies and critical infrastructure entities; and supply chain attacks. Attacks also featured social engineering, disinformation, and threats against data.

State-sponsored threat actors have also been observed targeting entities from countries in Southeast Asia, Japan, Australia, and Taiwan. Due to increased tensions between specific countries in Asia, state-sponsored threat actors have targeted countries (including EU member states) that had established closer ties with Taiwan.

Ransomware remains the top cyber crime attack type this year as well. More than 10 terabytes of data were stolen monthly during the period studied, with phishing identified as the most common initial vector of such attacks. The report also noted that 60% of affected organisations likely have paid the ransom demanded.

The second most used form of attack was DDoS. The largest DDoS attack ever was launched in Europe in July 2022 against a European customer of Akamai. The attack hit a peak at 853.7Gbps and 659.6Mpps (megapackets per second) over 14 hours.

While all sectors fell victim to attacks, public administration and government entities were the most affected, making up 24% of all cyber attack victims. This was followed by digital service providers at 13% and the general public at 12%. These three sectors alone accounted for 50% of all the attacks during this year.

https://www.csoonline.com/article/3678771/geopolitics-plays-major-role-in-cyberattacks-says-eu-cybersecurity-agency.html#tk.rss_news

  • Russian Hackers Account for Most 2021 Ransomware Schemes, US Says

Payment-seeking software made by Russian hackers was used in three quarters of all the ransomware schemes reported to a US financial crime agency in the second half of 2021, a Treasury Department analysis released on Tuesday showed.

In an analysis issued in response to the increase in number and severity of ransomware attacks against critical infrastructure in the United States since late 2020, the US Financial Crimes Enforcement Network (FinCEN) said it had received 1,489 ransomware-related filings worth nearly $1.2 billion in 2021, a 188% jump from the year before.

Out of 793 ransomware incidents reported to FinCEN in the second half of 2021, 75% "had a nexus to Russia, its proxies, or persons acting on its behalf," the report said.

Washington last week hosted a meeting with officials from 36 countries and the European Union, as well as 13 global companies to address the growing threat of ransomware and other cyber crime, including the illicit use of cryptocurrencies.

https://www.reuters.com/technology/us-says-many-ransomware-attacks-late-2021-were-connected-russian-actors-2022-11-01/

  • Exposed: The Global Hacking Network That Targets VIPs

Private investigators linked to the City of London are using an India-based computer hacking gang to target British businesses, government officials and journalists.

The Sunday Times and the Bureau of Investigative Journalism have been given access to the gang’s database, which reveals the extraordinary scale of the attacks. It shows the criminals targeted the private email accounts of more than 100 victims on behalf of investigators working for autocratic states, British lawyers and their wealthy clients. Critics of Qatar who threatened to expose wrongdoing by the Gulf state in the run-up to this month’s World Cup were among those hacked.

It is the first time the inner workings of a major “hack-for-hire” gang have been leaked to the media and it reveals multiple criminal conspiracies. Some of the hackers’ clients are private investigators used by major law firms with bases in the City of London.

The investigation — based on the leaked documents and undercover work in India — reveals:

  • Orders went out to the gang to target the BBC’s political editor Chris Mason in May, three weeks after his appointment was announced.

  • The president of Switzerland and his deputy were targeted just days after he met Boris Johnson and Liz Truss in Downing Street to discuss Russian sanctions.

  • Philip Hammond, then chancellor, was hacked as he was dealing with the fallout of Russia’s novichok poisonings in Salisbury.

  • A private investigator hired by a London law firm acting for the Russian state ordered the gang to target a British-based oligarch fleeing President Putin.

  • Michel Platini, the former head of European football, was hacked shortly before he was due to talk to French police about corruption allegations relating to this year’s World Cup.

  • The hackers broke into the email inboxes of the Formula One motor racing bosses Ruth Buscombe, the British head of race strategy at the Alfa Romeo team, and Otmar Szafnauer, who was chief executive of the Aston Martin team.

  • The gang seized control of computers owned by Pakistan’s politicians, generals and diplomats and eavesdropped on their private conversations apparently at the behest of the Indian secret services.

The commissioning of hacking is a criminal offence punishable with a maximum sentence of ten years in jail in Britain. The Metropolitan Police was tipped off about the allegations regarding Qatar in October last year, yet chose not to take any action. David Davis, the former cabinet minister, said that the force should reopen its investigation into the cyber attacks against British citizens. Davis said the investigation exposed how London has become “the global centre of hacking”.

https://www.thetimes.co.uk/article/exposed-the-global-hacking-network-that-targets-vips-nff67j67z

Threats

Ransomware and Extortion

Phishing & Email Based Attacks

BEC – Business Email Compromise

Malware

Mobile

Internet of Things – IoT

Data Breaches/Leaks

Organised Crime & Criminal Actors

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

Fraud, Scams & Financial Crime

Insurance

Dark Web

Supply Chain and Third Parties

Software Supply Chain

Denial of Service DoS/DDoS

Cloud/SaaS

API

Open Source

Passwords, Credential Stuffing & Brute Force Attacks

Social Media

Training, Education and Awareness

Travel

Regulations, Fines and Legislation

Careers, Working in Cyber and Information Security

Law Enforcement Action and Take Downs

Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine

Other News

Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

·       Automotive

·       Construction

·       Critical National Infrastructure (CNI)

·       Defence & Space

·       Education & Academia

·       Energy & Utilities

·       Estate Agencies

·       Financial Services

·       FinTech

·       Food & Agriculture

·       Gaming & Gambling

·       Government & Public Sector (including Law Enforcement)

·       Health/Medical/Pharma

·       Hotels & Hospitality

·       Insurance

·       Legal

·       Manufacturing

·       Maritime

·       Oil, Gas & Mining

·       OT, ICS, IIoT, SCADA & Cyber-Physical Systems

·       Retail & eCommerce

·       Small and Medium Sized Businesses (SMBs)

·       Startups

·       Telecoms

·       Third Sector & Charities

·       Transport & Aviation

·       Web3

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Read More
Black Arrow Admin Black Arrow Admin

Black Arrow Cyber Threat Briefing 12 August 2022

Black Arrow Cyber Threat Briefing 12 August 2022

-Three Ransomware Gangs Consecutively Attacked the Same Network

-As The Cost of Cyber Insurance Rises, The Number of Organisations Who Can’t Afford It Is Set to Double

-Identity Cyber Attacks, Microsoft 365 Dominate Cybersecurity Incidents, Expel Research Finds

-Exploit Activity Surges 150% in Q2 Thanks to Log4Shell

-Ransomware Is Not Going Anywhere: Attacks Are Up 24%

-Email Is the Single Biggest Threat to Businesses, And Here’s What You Can Do About It

-Realtek SDK Vulnerability Exposes Routers from Many Vendors to Remote Attacks

-Most Companies Are at An Entry-Level When It Comes to Cloud Security

-The Impact of Exploitable Misconfigurations on Network Security

-Industrial Spy Ransomware: New Threat Group Emerges to Exfiltrate Data, Extort Victims

-UK NHS Service Recovery May Take a Month After MSP Ransomware Attack

-A Single Flaw Broke Every Layer of Security in MacOS

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

  • Three Ransomware Gangs Consecutively Attacked the Same Network

Hive, LockBit and BlackCat, three prominent ransomware gangs, consecutively attacked the same network, according to Sophos. The first two attacks took place within two hours, and the third attack took place two weeks later. Each ransomware gang left its own ransom demand, and some of the files were triple encrypted.

It’s bad enough to get one ransomware note, let alone three. Multiple attackers create a whole new level of complexity for recovery, particularly when network files are triple encrypted. Cyber security that includes prevention, detection and response is critical for organisations of any size and type—no business is immune.

The “Multiple Attackers: A Clear and Present Danger” whitepaper further outlines additional cases of overlapping cyber attacks, including cryptominers, remote access trojans (RATs) and bots. In the past, when multiple attackers have targeted the same system, the attacks usually occurred across many months or multiple years. The attacks described in Sophos’ whitepaper took place within days or weeks of each other—and, in one case, simultaneously—often with the different attackers accessing a target’s network through the same vulnerable entry point.

Typically, criminal groups compete for resources, making it more difficult for multiple attackers to operate simultaneously. Cryptominers normally kill their competitors on the same system, and today’s RATs often highlight bot killing as a feature on criminal forums. However, in the attack involving the three ransomware groups, for example, BlackCat—the last ransomware group on the system—not only deleted traces of its own activity, but also deleted the activity of LockBit and Hive.

In another case, a system was infected by LockBit ransomware. Then, about three months later, members of Karakurt Team, a group with reported ties to Conti, was able to leverage the backdoor LockBit created to steal data and hold it for ransom.

https://www.helpnetsecurity.com/2022/08/09/ransomware-gangs-attacks/

  • As The Cost of Cyber Insurance Rises, The Number of Organisations Who Can’t Afford It Is Set to Double

The number of organisations that will be either unable to afford cyber insurance, be declined cover, or experience significant coverage limitations is set to double in 2023, according to Huntsman Security.

Even for those insured, the perfect storm of ongoing attacks, tightening regulations and growing financial pressures is making it more likely that any attack on an organisation will leave it exposed.

Factors like the supply chain crisis, inflation and skill shortages are all adding to the difficulty for organisations trying to execute on their cyber security strategy. At the same time, increases in insurance premiums, limits on coverage, increasing underwriting rigour, and capacity constraints are all limiting the accessibility of cyber insurance, for many.

Loss ratios will not improve until premium incomes better match the current level of pay-outs. With this reduced insurance access alongside increasing cyber threats and tightening regulations, many organisations are losing cyber insurance as an important risk management tool. Even those who can still get insurance are paying a prohibitively high cost.

With a third of UK firms subject to cyber attacks at least once a week, cyber insurance as part of overall risk management is crucial. To bridge this accessibility gap insurers are seeking to improve the quality of risk information, so premiums better reflect the true cost of that risk. Unless organisations can demonstrate they have insurers’ specified controls in place to manage their security risks, insurers will continue to have difficulty quantifying that risk. It’s for these reasons that insurers have changed the basis upon which their products are offered to reflect the risk being underwritten more accurately.

In this environment, improving and demonstrating the effectiveness of security controls will now be essential: both for organisations looking to improve their cyber resilience and oversight while enhancing their eligibility for insurers, and for insurers who need to minimise their own exposure by ensuring the accuracy of their risk pricing process.

https://www.helpnetsecurity.com/2022/08/11/afford-cyber-insurance/

  • Identity Cyber Attacks, Microsoft 365 Dominate Cyber Security Incidents, Expel Research Finds

Identity-based cyber attacks (including credential theft, credential abuse and long-term access key theft) accounted for 56% of all incidents in Q2 of 2022, and Microsoft 365 remained the prime target for SaaS attacks, according to Expel’s Quarterly Threat Report.

Among the key findings:

  • Business email compromise (BEC) and business application compromise (BAC) access to application data represented 51% of all incidents.

  • Identity-based attacks in popular cloud environments like Amazon Web Services (AWS) accounted for 5%.

  • Ransomware groups change tactics, with threat groups and their affiliates all but abandoning the use of Visual Basic for Application (VBA) macros and Excel 4.0 macros to gain initial entry to Windows-based environments. In Q1, a macro-enabled Microsoft Word document (VBA macro) or Excel 4.0 macro was the initial attack vector in 55% of all pre-ransomware incidents. In Q2, that figure fell sharply to 9%. Instead, ransomware operators opted to use disk image (ISO), short-cut (LNK) and HTML application (HTA) files to gain initial entry.

  • Cloud attacks are becoming more sophisticated, with 14% of identity attacks against cloud identity providers tackling the multi-factor authentication (MFA) requirement by continuously sending push notifications.

  • Microsoft 365 is a common threat target, with BEC in Microsoft Office 365 (O365) remaining the top threat to organisations in Q2. 45% of all Q2 incidents were BEC attempts in O365. No BEC attempts were identified in Google Workspaces. 19% of BEC attempts bypassed MFA in O365 using legacy protocols, a 16% increase of compared to Q1.

https://www.msspalert.com/cybersecurity-research/identity-cyberattacks-targeting-microsoft-365-dominate-cybersecurity-incidents-expel-research-finds/

  • Exploit Activity Surges 150% in Q2 Thanks to Log4Shell

Detections of malware events, botnet activity and exploits all increased significantly in the second quarter of 2022, according to new data from Nuspire.

The managed security services provider (MSSP) gathered the data from its endpoint detection and response (EDR) and managed detection and response (MDR) tools to produce its Q2 2022 Quarterly Threat Report.

The company recorded an increase in malware events of over 25%, a doubling of botnet detections and a rise in exploit activity of 150% versus the first quarter.

Botnet activity in particular surged towards the end of Q2, thanks to the Torpig Mebroot botnet – a banking trojan designed to scrape credit card and payment information from infected devices, the report revealed. Nuspire claimed it is particularly difficult to detect and remove, because it targets a machine’s master boot record.

It attributed much of the surge in exploit activity to the persistent threat posed by the Log4j bugs discovered at the end of December 2021. At the time, experts warned that the ubiquity of the utility, and the difficulty many organisations have in finding all instances of the CVE due to complex Java dependencies, means it may be exploited for years.

https://www.infosecurity-magazine.com/news/exploit-activity-150-q2-log4shell/

  • Ransomware Is Not Going Anywhere: Attacks Are Up 24%

Avast released a report revealing a significant increase in global ransomware attacks, up 24% from Q1/2022. Researchers also uncovered a new zero-day exploit in Chrome, as well as signals of how cyber criminals are preparing to move away from macros as an infection vector.

After months of decline, global ransomware attacks increased significantly in Q2/2022, up 24% from the previous quarter. The highest quarter-on-quarter increases in ransomware risk ratio occurred in Argentina (+56%), UK (+55%), Brazil (+50%), France (+42%), and India (+37%).

Businesses and consumers should be on guard and prepared for encounters with ransomware, as the threat is not going anywhere anytime soon.

The decline in ransomware attacks observed in Q4/2021 and Q1/2022 were thanks to law enforcement agencies busting ransomware group members, and caused by the war in Ukraine, which also led to disagreements within the Conti ransomware group, halting their operations. Things dramatically changed in Q2/2022. Conti members have now branched off to create new ransomware groups, like Black Basta and Karakurt, or may join other existing groups, like Hive, BlackCat, or Quantum, causing an uptick in activity.

https://www.helpnetsecurity.com/2022/08/12/increase-ransomware-attacks/

  • Email Is the Single Biggest Threat to Businesses, And Here’s What You Can Do About It

Email remains one of the most popular methods of communication, particularly for business communications. There were 316.9 billion emails sent and received every day in 2021, and this is set to increase to 376.4 billion by 2025. But despite the scale of its use and how much people exchange confidential information over email, it is not a secure system by design.

Consequently, email is a major attack vector for organisations of all sizes. Deloitte found that 91% of all cyber attacks originate from a phishing email (an email that attempts to steal money, identity or personal information through a spoof website link that looks legitimate). The cost to organisations can be catastrophic with the National Cyber Security Centre (NCSC) reporting in August 2021 that phishing email attacks had cost UK organisations more than £5 million in the past 13 months.

It’s not enough for individuals to create complex passwords or rely on the security services of their email provider. Spam filters are not enough to stop malicious emails creeping into inboxes. Fortunately, safeguarding your emails with enterprise-grade email security doesn’t have to cost the earth or be hard to integrate so businesses of any size can protect themselves.

https://informationsecuritybuzz.com/articles/email-is-the-single-biggest-threat-to-businesses-and-heres-what-you-can-do-about-it/

  • Realtek SDK Vulnerability Exposes Routers from Many Vendors to Remote Attacks

A serious vulnerability affecting the embedded Configurable Operating System (eCos) software development kit (SDK) made by Taiwanese semiconductor company Realtek could expose the networking devices of many vendors to remote attacks.

The security hole, tracked as CVE-2022-27255 and rated ‘high severity’, has been described as a stack-based buffer overflow that can allow a remote attacker to cause a crash or achieve arbitrary code execution on devices that use the SDK. An attack can be carried out through the wide area network (WAN) interface using specially crafted session initiation protocol (SIP) packets.

The Realtek eCos SDK is provided to companies that manufacture routers, access points and repeaters powered by RTL819x family SoCs. The SDK implements the base functionalities of the router, including the web administration interface and the networking stack. Vendors can build on top of this SDK to add custom functionality and their branding to the device.

Realtek informed customers about the eCos SDK vulnerability in March, when it announced the availability of a patch. However, it’s up to the original equipment manufacturer (OEM) using the SDK to ensure that the patch is distributed to end-user devices.

The vulnerability can be exploited remotely — directly from the internet — to hack affected routers running with default settings. No user interaction is required for successful exploitation.

https://www.securityweek.com/realtek-sdk-vulnerability-exposes-routers-many-vendors-remote-attacks

  • Most Companies Are at An Entry-Level When It Comes to Cloud Security

Ermetic released a study by Osterman Research that found 84% of respondents were at an entry-level (one or two rating, with four being the highest) in terms of their cloud security capabilities.

The study found that only 16% ranked on the Ermetic Cloud Security Model at the top two levels, and 80% of companies said they lack a dedicated security team responsible for protecting cloud resources from threats.

“One of the most unexpected findings that emerged from this study was the lack of cloud security maturity among the largest enterprises surveyed,” said the author of the report. “Less than 10% of companies with more than 10,000 employees reported being at the top two maturity levels, while nearly 20% of smaller enterprises have achieved repeatable or automated & integrated cloud security capabilities.”

The report shows why new cloud data breaches are being reported all the time. Multi-cloud deployments, plus low investment in security, does not make for a good combination.

The new frontiers of cyber security, such as cloud security or internet of things (IoT) security are often at early stages of maturity. Organisations that are mature in their IT and data centre security are already overwhelmed and stretched thin and that’s why automation and simplification will help organisations accelerate their maturity in areas like cloud security.

There’s a mistaken belief that cloud computing environments inherently have security built-in — they don’t.

https://www.scmagazine.com/news/cloud-security/most-companies-are-at-an-entry-level-when-it-comes-to-cloud-security

  • The Impact of Exploitable Misconfigurations on Network Security

Network professionals feel confident with their security and compliance practices but data suggests that they also leave their organisations open to risk, which is costing a significant amount of revenue, according to Titania.

In addition, some businesses are not minimising their attack surface effectively. Companies are prioritising firewall security and chronicle a fast time to respond to misconfigurations when detected in annual audits. However, switches and routers are only included in 4% of audits and these devices play a vital role in reducing an organisation’s attack surface and preventing lateral movement across the network.

Respondents also indicated that financial resources allocated to mitigating network configuration, which currently stands around 3.4% of the total IT budget, and a lack of accurate automation are limiting factors in misconfiguration risk management.

The study, which surveyed 160 senior cyber security decision-makers revealed:

  • Misconfigurations cost organisations millions, up to 9% of their annual revenue but the true cost is likely to be higher.

  • Compliance is a top priority, with 75% of organisations across all sectors saying their business relies on compliance to deliver security. Whilst almost every organisation reported that it is meeting its security and compliance requirements, this is at odds with a number of the other findings from the survey and other reports that show a decline in organisations maintaining full compliance with regulated data security standards.

  • Remediation prioritisation is a challenge. 75% said their network security tools meant they could categorise and prioritise compliance risks ‘very effectively’. However, 70% report difficulties prioritising remediation based on risk and also claim inaccurate automation as the top challenges when meeting security and compliance requirements.

  • Routers and switches are mostly overlooked. 96% of organisations prioritise the configuration and auditing of firewalls, but not routers or switches. This leaves these devices exposed to potentially significant and unidentified risks.

https://www.helpnetsecurity.com/2022/08/12/impact-exploitable-misconfigurations-network-security/

  • Industrial Spy Ransomware: New Threat Group Emerges to Exfiltrate Data, Extort Victims

A new ransomware group dubbed Industrial Spy that first emerged in April 2022 is specialising in exfiltration and double extortion tactics and has the potential to do significant damage, Zscaler’s threat tracking team said.

The threat crew has shown that it possesses the capability to breach organisations and have been “actively adding unencrypted data from two or three victims every month,” Zscaler said. In some instances, the threat group appears to only exfiltrate and ransom data. In other cases, they encrypt, exfiltrate and ransom the data, the cloud security provider said.

At this point, it’s not clear who’s behind the threat entry or if it’s nation-state affiliated. The group started as a data extortion marketplace where criminals could buy large companies’ internal data, promoting the marketplace through Readme.txt files downloaded using malware downloaders.

In May, 2022, the threat group introduced their own ransomware to create double extortion attacks that combine data theft with file encryption.

What you need to know:

  • Industrial Spy started by ransoming stolen data and more recently has combined these attacks with ransomware.

  • The threat group exfiltrates and sells data on their dark web marketplace, but does not always encrypt a victim’s files.

  • The ransomware utilises a combination of RSA and 3DES to encrypt files.

  • Industrial Spy lacks many common features present in modern ransomware families.

  • The Industrial Spy ransomware family is relatively basic, and parts of the code appear to be in development.

https://www.msspalert.com/cybersecurity-breaches-and-attacks/ransomware/new-ransomware-family-industrial-spy-emerges-to-exfiltrate-data-extort-victims/

  • UK NHS Service Recovery May Take a Month After MSP Ransomware Attack

Managed service provider (MSP) Advanced confirmed that a ransomware attack on its systems disrupted emergency services (111) from the United Kingdom's National Health Service (NHS). Customers of seven solutions from the British MSP have been impacted either directly or indirectly, the company said. The first has stated it could take a month to recover systems to full service.

The ransomware attack started to disrupt Advanced systems on Thursday, August 4 and was identified around 7 AM. It caused a major outage to NHS emergency services across the UK.

Advanced did not disclose the ransomware group behind the attack but said that it took immediate action to mitigate the risk and isolated Health and Care environments where the incident was detected. The company is working with forensic experts from Microsoft (DART) and Mandiant, who are also helping bring the affected systems back online securely and with added defences:

  • Implementing additional blocking rules and further restricting privileged accounts for Advanced staff

  • Scanning all impacted systems and ensuring they are fully patched

  • Resetting credentials

  • Deploying additional endpoint detection and response agents

  • Conducting 24/7 monitoring

After implementing the security measures above, Advanced said it would restore connectivity to its environments and assist customers to gradually reconnect safely and securely.

https://www.bleepingcomputer.com/news/security/uk-nhs-service-recovery-may-take-a-month-after-msp-ransomware-attack/

  • A Single Flaw Broke Every Layer of Security in MacOS

Every time you shut down your Mac, a pop-up appears: “Are you sure you want to shut down your computer now?” Nestled under the prompt is another option most of us likely overlook: the choice to reopen the apps and windows you have open now when your machine is turned back on. Researchers have now found a way to exploit a vulnerability in this “saved state” feature—and it can be used to break the key layers of Apple’s security protections.

The vulnerability, which is susceptible to a process injection attack to break macOS security, could allow an attacker to read every file on a Mac or take control of the webcam. It's basically one vulnerability that could be applied to three different locations.

https://www.wired.com/story/a-single-flaw-broke-every-layer-of-security-in-macos/

Threats

Ransomware

Phishing & Email Based Attacks

Other Social Engineering; SMishing, Vishing, etc

Malware

Mobile

Internet of Things – IoT

Organised Crime & Criminal Actors

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

Fraud, Scams & Financial Crime

AML/CFT/Sanctions

Insurance

Cloud/SaaS

Open Source

Social Media

Training, Education and Awareness

Privacy

Travel

Parental Controls and Child Safety

Models, Frameworks and Standards

Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine

Vulnerabilities

Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

·       Automotive

·       Construction

·       Critical National Infrastructure (CNI)

·       Defence & Space

·       Education & Academia

·       Energy & Utilities

·       Estate Agencies

·       Financial Services

·       FinTech

·       Food & Agriculture

·       Gaming & Gambling

·       Government & Public Sector (including Law Enforcement)

·       Health/Medical/Pharma

·       Hotels & Hospitality

·       Insurance

·       Legal

·       Manufacturing

·       Maritime

·       Oil, Gas & Mining

·       OT, ICS, IIoT, SCADA & Cyber-Physical Systems

·       Retail & eCommerce

·       Small and Medium Sized Businesses (SMBs)

·       Startups

·       Telecoms

·       Third Sector & Charities

·       Transport & Aviation

·       Web3

Read More
Black Arrow Admin Black Arrow Admin

Black Arrow Cyber Threat Briefing 05 August 2022

Black Arrow Cyber Threat Briefing 05 August 2022

-Average Cost of Data Breaches Hits Record High of $4.35 Million: IBM

-Researchers Warns of Large-Scale Adversary-in-the-Middle (AiTM) Attacks Targeting Enterprise Users

-UK NHS Suffers Outage After Cyber Attack on Managed Service Provider

-A Third of Organisations Experience a Ransomware Attack Once a Week

-Ransomware Products, Services Ads on Dark Web Show Clues to Danger

-Wolf In Sheep’s Clothing, How Malware Tricks Users and Antivirus

-Microsoft Accounts Targeted with New MFA-Bypassing Phishing Kit

-Cyber Attack Prevention Is Cost-Effective, So Why Aren’t Businesses Investing to Protect?

-Securing Your Move to the Hybrid Cloud

-Lessons from the Russian Cyber Warfare Attacks

-Four Sneaky Attacker Evasion Techniques You Should Know About

-Zero-Day Defence: Tips for Defusing the Threat

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

  • Average Cost of Data Breaches Hits Record High of $4.35 Million: IBM

The global average cost of data breaches reached an all-time high of $4.35 million in 2022 compared with $4.24 million in 2021, according to a new IBM Security report. About 60% of the breached organisations raised product and services prices due to the breaches.

The annual report, conducted by Ponemon Institute and analysed and sponsored by IBM Security, is based on the analysis of real-world data breaches experienced by 550 organisations globally between March 2021 and March 2022.

According to the report, about 83% of the organisations have experienced more than one breach in their lifetime, with nearly half of the costs reported to be incurred more than a year after the breach.

The report revealed that ransomware and destructive attacks represented 28% of breaches among the critical infrastructure organisations studied, indicating that threat actors are specifically targeting the sector to disrupt global supply chains. The critical infrastructure sector includes financial services, industrial, transportation, and healthcare companies.

https://www.csoonline.com/article/3668655/average-cost-of-data-breaches-hits-record-high-of-435-million-ibm.html#tk.rss_news

  • Researchers Warns of Large-Scale Adversary-in-the-Middle (AiTM) Attacks Targeting Enterprise Users

A new, large-scale phishing campaign has been observed using adversary-in-the-middle (AitM) techniques to get around security protections and compromise enterprise email accounts.

It uses a technique capable of bypassing multi-factor authentication. The campaign is specifically designed to reach end users in enterprises that use Microsoft's email services.

Prominent targets include fintech, lending, insurance, energy, manufacturing, and federal credit union verticals located in the US, UK, New Zealand, and Australia.

This is not the first time such a phishing attack has come to light. Last month, Microsoft disclosed that over 10,000 organisations had been targeted since September 2021 by means of AitM techniques to breach accounts secured with multi-factor authentication (MFA).

The ongoing campaign, effective June 2022, commences with an invoice-themed email sent to targets containing an HTML attachment, which includes a phishing URL embedded within it.

https://thehackernews.com/2022/08/researchers-warns-of-large-scale-aitm.html

  • UK NHS Suffers Outage After Cyber Attack on Managed Service Provider

The UK National Health Service (NHS) 111 emergency services were affected by a significant and ongoing outage triggered by a cyber attack that hit the systems of British managed service provider (MSP) Advanced.

Advanced's Adastra client patient management solution, which is used by 85% of NHS 111 services, was hit by a major outage together with several other services provided by the MSP, according to a status page.

"There was a major outage of a computer system that is used to refer patients from NHS 111 Wales to out-of-hours GP providers," the Welsh Ambulance Services said. "This system is used by Local Health Boards to coordinate these services for patients. The ongoing outage is significant and has been far-reaching, impacting each of the four nations in the UK."

The UK public was advised to access the NHS 111 emergency services using the online platform until the incident is resolved.

While no details were provided regarding the nature of the cyber attack, based on the wording, it is likely that this was a ransomware or data extortion attack.

https://www.bleepingcomputer.com/news/security/uk-nhs-suffers-outage-after-cyberattack-on-managed-service-provider/

  • A Third of Organisations Experience a Ransomware Attack Once a Week

Ransomware attacks show no sign of slowing. According to new research published by Menlo Security, a third of organisations experience a ransomware attack at least once a week, with one in 10 experiencing them more than once a day.

The research, conducted among 500+ IT security decision makers at US and UK organisations with more than 1,000 employees, highlights the impact this is having on security professionals’ own wellbeing. When asked what keeps them awake at night, 41% of respondents say they worry about ransomware attacks evolving beyond their team’s knowledge and skillset, while 39% worry about them evolving beyond their company’s security capabilities.

Their biggest concern, however, is the risk of employees ignoring corporate security advice and clicking on links or attachments containing malware (46%). Respondents worry more about this than they do their own job security, with just a quarter (26%) of respondents worried about losing their job.

According to the report, around half of organisations (61% US and 44% UK) have been the victim of a successful ransomware attack in the last 18 months, with customers and prospects the most likely entry point for an attack.

Partners/suppliers and employees/contractors are also seen as serious security risks, although one in 10 admit they are unable to identify how the attacks got in. The top three ransomware attack vectors are email (54%), web browsers via a desktop or laptop (49%) and mobile devices (39%).

https://www.helpnetsecurity.com/2022/08/04/organizations-experience-ransomware-attack/

  • Ransomware Products and Services Ads on Dark Web Show Clues to Danger

Why is ransomware’s destructive potential so daunting? Some clues are in the “for sale” ads. In an examination of some 35 million dark web URLs, a provider of machine identity management and a forensic specialist found some 475 web pages peddling sophisticated ransomware products and services with a number of high profile crews hawking ransomware-as-a-service.

The work is a joint effort between the Salt Lake City-based Venafi and Forensic Pathways, which took place between November 2021 and March 2022. Researchers used Forensic’s Dark Search Engine to carry out the investigation.

Here are some of the research findings:

  • 87% of the ransomware found on the dark web has been delivered via malicious macros to infect targeted systems.

  • 30 different “brands” of ransomware were identified within marketplace listings and forum discussions.

  • Many strains of ransomware being sold — such as Babuk, GoldenEye, Darkside/BlackCat, Egregor, HiddenTear and WannaCry — have been successfully used in high-profile attacks.

  • Ransomware strains used in high-profile attacks command a higher price for associated services. For example, the most expensive listing was $1,262 for a customised version of Darkside ransomware, which was used in the Colonial Pipeline ransomware attack.

  • Source code listings for well-known ransomware generally command higher price points. For example, Babuk source code is listed for $950 and Paradise source code is selling for $593.

Ransomware Sold for as Little as $1: In addition to a variety of ransomware at various price points, a wide range of services and tools that help make it easier for attackers with minimal technical skills to launch ransomware attacks are for sale on the dark web, Venafi said. Services with the greatest number of listings include those offering source code, build services, custom development services and ransomware packages that include step-by-step tutorials.

https://www.msspalert.com/cybersecurity-breaches-and-attacks/ransomware/ransomware-products-services-ads-on-dark-web-show-clues-to-danger/

  • Wolf In Sheep’s Clothing: How Malware Tricks Users and Antivirus

One of the primary methods used by malware distributors to infect devices is by deceiving people into downloading and running malicious files, and to achieve this deception, malware authors are using a variety of tricks.

Some of these tricks include masquerading malware executables as legitimate applications, signing them with valid certificates, or compromising trustworthy sites to use them as distribution points.

According to VirusTotal, a security platform for scanning uploaded files for malware, some of these tricks are happening on a much larger scale than initially thought.

The platform has compiled a report presenting stats from January 2021 until July 2022, based on the submission of two million files daily, illustrating trends in how malware is distributed.

  • Abusing legitimate domains: Distributing malware through legitimate, popular, and high-ranking websites allows threat actors to evade IP-based blocklists, enjoy high availability, and provide a greater level of trust.

  • Using stolen code-signing certificates: Signing malware samples with valid certificates stolen from companies is a reliable way to evade AV detection and security warnings on the host. Of all the malicious samples uploaded to VirusTotal between January 2021 and April 2022, over a million were signed, and 87% used a valid certificate.

  • Disguised as popular software: Masquerading a malware executable as a legitimate, popular application has seen an upward trend in 2022. Victims download these files thinking they’re getting the applications they need, but upon running the installers, they infect their systems with malware. The most mimicked applications are Skype, Adobe Acrobat, VLC, and 7zip.

  • Lacing legitimate installers - Finally, there’s the trick of hiding malware inside legitimate application installers and running the infection process in the background while the real apps execute in the foreground. Based on VirusTotal stats, this practice also appears to be on the rise this year, using Google Chrome, Malwarebytes, Windows Updates, Zoom, Brave, Firefox, ProtonVPN, and Telegram as lures.

https://www.bleepingcomputer.com/news/security/wolf-in-sheep-s-clothing-how-malware-tricks-users-and-antivirus/

  • Microsoft Accounts Targeted with New MFA-Bypassing Phishing Kit

A new large-scale phishing campaign targeting credentials for Microsoft email services use a custom proxy-based phishing kit to bypass multi-factor authentication.

Researchers believe the campaign's goal is to breach corporate accounts to conduct BEC (business email compromise) attacks, diverting payments to bank accounts under their control using falsified documents.

The phishing campaign's targets include fin-tech, lending, accounting, insurance, and Federal Credit Union organisations in the US, UK, New Zealand, and Australia.

The campaign was discovered by Zscaler's ThreatLabz researchers, who report that the operation is still ongoing, and the phishing actors register new phishing domains almost daily.

Starting in June 2022, Zscaler's analysts noticed a spike in sophisticated phishing attempts against specific sectors and users of Microsoft email services.

Some of the newly registered domains used in the campaign are typo-squatted versions of legitimate domains.

Notably, many phishing emails originated from the accounts of executives working in these organisations, whom the threat actors most likely compromised earlier.

https://www.bleepingcomputer.com/news/security/microsoft-accounts-targeted-with-new-mfa-bypassing-phishing-kit/

  • Cyber Attack Prevention Is Cost-Effective, So Why Aren’t Businesses Investing to Protect?

Cyber attacks like ransomware, BEC scams and data breaches are some of the key issues businesses are facing today, but despite the number of high-profile incidents, many boardrooms are reluctant to free up budget to invest in the cyber security measures necessary to avoid becoming the next victim.

In a Help Net Security interview, Former Pentagon Chief Strategy Officer Jonathan Reiber, VP Cyber security Strategy and Policy, AttackIQ, discusses how now, more than ever, companies need to protect themselves from cyber threat actors. He offers insight for CISOs, from talking to the Board to proper budget allocation.

https://www.helpnetsecurity.com/2022/08/01/cyberattack-prevention-investing/

  • Securing Your Move to the Hybrid Cloud

The combination of private and public cloud infrastructure, which most organisations are already using, poses unique security challenges. There are many reasons why organisations adopt the public cloud, from enabling rapid growth without the burden of capacity planning to leveraging flexibility and agility in delivering customer-centric services. However, this use can leave companies open to threats.

Since regulatory requirements or other preferences dictate that certain applications remain on private (on-prem) infrastructure, many organisations choose to maintain a mix of private and public infrastructure. Additionally, organisations typically use multiple cloud providers simultaneously or preserve the option to move between providers. However, this hybrid approach presents unique and diverse security challenges. Different cloud providers and private cloud platforms may offer similar capabilities but different ways of implementing security controls, along with disparate management tools.

The question then becomes: How can an organisation maintain consistent governance, policy enforcement and controls across different clouds? And how can it ensure that it maintains its security posture when moving between them? Fortunately, there are steps professionals can take to ensure that applications are continuously secure, starting from the early stages of development and extending throughout the lifecycle.

https://threatpost.com/secure-move-cloud/180335/

  • Lessons from the Russian Cyber Warfare Attacks

Cyber warfare tactics may not involve tanks and bombs, but they often go hand-in-hand with real combat.

The Russian invasion of Ukraine is a prime example. Before Russian troops crossed the border, Russian hackers had already taken down Ukrainian government websites. And after the conflict started, the hacktivist group Anonymous turned the tables by hacking Russian media to shut down propaganda about the war.

In these unprecedented times of targeted attacks against governments and financial institutions, every organisation should be on heightened alert about protecting their critical infrastructure and digital attack surface.

With the Russia-Ukraine conflict as a backdrop, two Trend Micro security experts recently discussed cyber warfare techniques and how they’re an important reminder for every business to proactively manage cyber risk.

https://www.trendmicro.com/en_us/ciso/22/h/russian-cyber-warfare-attacks.html

  • Four Sneaky Attacker Evasion Techniques You Should Know About

Remember those portrayals of hackers in the 80s and 90s where you just knew when you got pwned? A blue screen of death, a scary message, a back-and-forth text exchange with a hacker—if you got pwned in a movie in the 80s and 90s, you knew it right off the bat.

What a shame that today’s hackers have learned to be quiet when infiltrating an environment. Sure, “loud” attacks like ransomware still exist, but threat actors have learned that if they keep themselves hidden, they can usually do far more damage. For hackers, a little stealth can go a long way. Some attack tactics are inherently quiet, making them arguably more dangerous as they can be harder to detect. Here are four of these attack tactics you should know about.

  1. Trusted Application Abuse: Attackers know that many people have applications that they inherently trust, making those trusted applications the perfect launchpad for cyber attacks. Threat actors know that defenders and the tools they use are often on the hunt for new malware presenting itself in environments. What isn’t so easy to detect is when the malware masquerades under legitimate applications.

  2. Trusted Infrastructure Abuse: Much like trusted application abuse, trusted infrastructure abuse is the act of using legitimate, publicly hosted services and toolsets (such as Dropbox or Google Drive) as part of the attack infrastructure. Threat actors know that people tend to trust Dropbox and Google Drive. As a result, this makes these tools a prime means for threat actors to carry out malicious activity. Threat actors often find trusted infrastructure abuse easy because these services aren’t usually blocked at an enterprise’s gateway. In turn, outbound communications can hide in plain sight.

  3. Obfuscation: Although cyber security has more than its fair share of tedious acronyms, the good news is that many terms can be broken down by their generic dictionary definitions. According to dictionary.com, this is what obfuscate means: “To make something unclear, obscure or difficult to understand.” And that’s exactly what it means in cyber security: finding ways to conceal malicious behaviour. In turn, this makes it more difficult for analysts and the tools they use to flag suspicious or malicious activity.

  4. Persistence: Imagine writing up documentation using your computer, something you may well do in your role. You’ve spent a ton of time doing the research required, finding the right sources and compiling all your information into a document. Now, imagine not hitting save on that document and losing it as soon as you reboot your computer. Sound like a nightmare—or perhaps a real anxiety-inducing experience you’ve been through before? Threat actors agree. And that’s why they establish persistence. They don’t want all of their hard work to get into your systems in the first place to be in vain just because you restart your computer. They establish persistence to make sure they can still hang around even after you reboot.

https://www.msspalert.com/cybersecurity-guests/four-sneaky-attacker-evasion-techniques-you-should-know-about/

  • Zero-Day Defence: Tips for Defusing the Threat

Because they leave so little time to patch and defuse, zero-day threats require a proactive, multi-layered approach based on zero trust.

The recent Atlassian Confluence remote code execution bug is just the latest example of zero-day threats targeting critical vulnerabilities within major infrastructure providers. The specific threat, an Object-Graph Navigation Language (OGNL) injection, has been around for years but took on new significance given the scope of the Atlassian exploit. And OGNL attacks are on the rise.

Once bad actors find such a vulnerability, proof-of-concept exploits start knocking at the door, seeking unauthenticated access to create new admin accounts, execute remote commands, and take over servers. In the Atlassian case, Akamai's threat research team identified that the number of unique IP addresses attempting these exploits grew to more than 200 within just 24 hours.

Defending against these exploits becomes a race against time worthy of a 007 movie. The clock is ticking and you don't have much time to implement a patch and "defuse" the threat before it's too late. But first you need to know that an exploit is underway. That requires a proactive, multi-layered approach to online security based on zero trust.

What do these layers look like? There are a number of different practices that security teams — and their third-party Web application and infrastructure partners — should be aware of.

https://www.darkreading.com/attacks-breaches/zero-day-defense-tips-for-defusing-the-threat

Threats

Ransomware

Phishing & Email Based Attacks

Other Social Engineering; SMishing, Vishing, etc

Malware

Mobile

Internet of Things – IoT

Organised Crime & Criminal Actors

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

Insider Risk and Insider Threats

Fraud, Scams & Financial Crime

AML/CFT/Sanctions

Dark Web

Software Supply Chain

Cloud/SaaS

Open Source

Passwords, Credential Stuffing & Brute Force Attacks

Social Media

Privacy

Cyber Bullying and Cyber Stalking

Regulations, Fines and Legislation

Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine

Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

·       Automotive

·       Construction

·       Critical National Infrastructure (CNI)

·       Defence & Space

·       Education & Academia

·       Energy & Utilities

·       Estate Agencies

·       Financial Services

·       FinTech

·       Food & Agriculture

·       Gaming & Gambling

·       Government & Public Sector (including Law Enforcement)

·       Health/Medical/Pharma

·       Hotels & Hospitality

·       Insurance

·       Legal

·       Manufacturing

·       Maritime

·       Oil, Gas & Mining

·       OT, ICS, IIoT, SCADA & Cyber-Physical Systems

·       Retail & eCommerce

·       Small and Medium Sized Businesses (SMBs)

·       Startups

·       Telecoms

·       Third Sector & Charities

·       Transport & Aviation

·       Web3

Other News

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Read More
Antony Cleal Antony Cleal

Black Arrow Cyber Threat Briefing 10 June 2022

Black Arrow Cyber Threat Briefing 10 June 2022

-Business Email Compromise (BEC) Attacks Have Risen 53% Year-Over-Year

-Ransomware Attacks Setting New Records

-Hackers Are Now Hiding Inside Networks for Longer. That's Not a Good Sign

-Paying Ransomware Paints Bigger Bullseye on Target’s Back

-Organisations Fix Only 1 in 10 Vulnerabilities Monthly

-Cyber Attack Surface "Spiralling Out of Control"

-Phishing Hits All-Time High in Q1 2022

-Ransomware's ROI Retreat Will Drive More BEC Attacks

-The Real Cost of Cyber Attacks: What Organisations Should Be Prepared For

-Why Smishing and Vishing Attempts Surged In 2021?

-Know Your Enemy! Learn How Cyber Crime Adversaries Get In…

-Small Businesses Struggle with an Increase in Cyber Attacks

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

  • Business Email Compromise (BEC) Attacks Have Risen 53% Year-Over-Year

Armorblox released a report which highlights the use of language-based attacks that bypass existing email security controls. The report uncovers how the continued increase in remote working has made critical business workflows even more vulnerable to new forms of email-based attacks, often resulting in financial fraud or credential theft.

Language-based attacks have become the new normal for business email compromise (BEC) with 74% of these attacks using language as the main attack vector.

Security teams spend a massive amount of time configuring rules and exceptions in their email security solutions to block impersonation emails – both for executives and other employees. Despite all of that manual work and rule writing, 70% of impersonation emails evaded email security controls.

https://www.helpnetsecurity.com/2022/06/06/language-based-attacks-email-video/

  • Ransomware Attacks Setting New Records

Zscaler released the findings of its annual ThreatLabz Ransomware Report, which revealed an 80 percent increase in ransomware attacks year-over-year.

In 2022, the most prevalent ransomware trends include double-extortion, supply chain attacks, ransomware-as-a-service, ransomware rebranding, and geo-political incited ransomware attacks. The report details which industries are being targeted the most by cyber criminals, explains the damage caused by double-extortion and supply chain attacks, and catalogues the most active ransomware groups operating today.

Modern ransomware attacks require a single successful asset compromise to gain initial entry, move laterally, and breach the entire environment, making legacy VPN and flat networks extremely vulnerable. Attackers are finding success exploiting weaknesses across businesses’ supply chains as well as critical vulnerabilities like Log4Shell, PrintNightmare, and others. And with ransomware-as-a-service available on the darkweb, more and more criminals are turning to ransomware, realising that the odds of receiving a big payday are high.

The tactics and scope of ransomware attacks have been steadily evolving, but the end goal continues to be a disruption of the target organisation and theft of sensitive information for the purposes of ransom. The size of the ransom often depends on the number of systems infected and the value of the data stolen: the higher the stakes, the higher the payment. In 2019, many ransomware groups updated their tactics to include data exfiltration, commonly referred to as a ‘double extortion’ ransomware.

https://www.helpnetsecurity.com/2022/06/07/ransomware-attacks-increase/

  • Hackers Are Now Hiding Inside Networks for Longer. That's Not a Good Sign

Cyber criminals are spending more time inside networks before they're discovered, and that's allowing them to do more damage.

The amount of time cyber criminal intruders are spending inside victims' networks is increasing, providing them with the ability to carry out higher complexity campaigns and more damaging cyber attacks.

According to analysis by cyber security researchers at Sophos, who examined incidents targeting organisations around the world and across a wide range of industry sectors, the median dwell time that cyber criminals spend inside compromised networks is now 15 days, up from 11 days the previous year.

Dwell time is the amount of time hackers are inside the network before they're discovered or before they leave – and being able to spend an increased amount of time inside a compromised network undetected means they're able to more carefully conduct malicious activity, such as monitoring users, stealing data or laying the foundations for a malware or ransomware attack.

https://www.zdnet.com/article/hackers-are-now-hiding-inside-networks-for-longer-thats-not-a-good-sign/

  • Paying Ransomware Paints Bigger Bullseye on Target’s Back

Ransomware attackers often strike targets twice, regardless of whether the ransom was paid.

Paying ransomware attackers doesn’t pay off and often paints a bigger target on a victim’s back. Eighty percent of ransomware victims that paid their attackers were hit a second time by the malware scourge.

New ransomware numbers come from a Cybereason’s April ransomware survey of 1,456 cyber security professionals. According to the gated report (registration required), victims that were successfully extorted were not only targeted a second time, but frequently data encrypted by criminals later became unusable during the decryption process because of corruption issues.

The fact that ransomware gangs strike so quickly a second and third time isn’t surprising, because they will try to profit in any possible way so why not hit the same company, demand a higher ransom, and get paid again?

https://threatpost.com/paying-ransomware-bullseye-back/179915/

  • Organisations Fix Only 1 in 10 Vulnerabilities Monthly

New research from SecurityScorecard features a couple of eye-popping “only” findings: Only 10 percent of vulnerabilities are remediated each month, and only 60 percent of companies have improved their security profile despite a 15-fold increase in the number of cyber incidents in the last three years.

That’s not good. The research, which sought to measure how long it took the 1.6 million organisations assessed to remediate vulnerabilities in the three-year period from 2019 to 2022, also found the following:

·       53% had at least one exposed vulnerability to the internet, while 22% of organisations amassed more than 1,000 vulnerabilities each, confirming more progress is required to protect organisations’ critical assets.

·       The financial sector is among the slowest remediation rates (median to fix 50% = 426 days), while utilities ranked among the fastest (median = 270 days).

·       Despite a 15-fold increase in exploitation activity for vulnerabilities with published exploit code, there was little evidence that organisations in the financial sector fixed exploited flaws faster.

·       The IT sector (62.6%) and public sector (61.6%) had the highest prevalence of open vulnerabilities.

·       The financial sector (48.6%) exhibited the lowest proportion of open vulnerabilities; however, there is less than a 10% difference between this and other sectors in terms of industries with the most open vulnerabilities.

·       It typically takes organisations 12 months to remediate half of the vulnerabilities in their internet-facing infrastructure.

·       When firms have fewer than 10 open vulnerabilities, it can take about a month to close just half of them, but when the list grows into the hundreds, it takes up to a year to reach the halfway point.

https://www.msspalert.com/cybersecurity-research/organizations-fix-only-1-in-10-vulnerabilities-monthly/

  • Cyber Attack Surface "Spiralling Out of Control"

Global organisations are still beset with cyber visibility and control challenges, with two-fifths (43%) admitting their digital attack surface is out of control as a result, according to new Trend Micro research.

The security vendor polled over 6200 IT and business decision-makers to compile its new study, ‘Mapping the digital attack surface: Why global organisations are struggling to manage cyber risk’.

It revealed that nearly three-quarters (73%) are concerned about the increasing size of their attack surface. Over a third (37%) said it is “constantly evolving and messy,” and just half (51%) thought they were able to fully define its extent.

These visibility challenges are greatest in cloud environments, although problems persist across the board. The report highlights complex supply chains, tool bloat and home working-driven shadow IT as additional contributory factors.

On average, respondents estimated having just 62% visibility of their attack surface.

https://www.infosecurity-magazine.com/news/cyberattack-surface-out-of-control/

  • Phishing Hits All-Time High in Q1 2022

The first quarter of 2022 saw phishing attacks hit a record high, topping one million for the first time, according to data from the Anti Phishing Working Group (APWG).

The industry, law enforcement and government coalition’s new Phishing Activity Trends Report also revealed that March was the worst month on record for phishing, with 384,291 attacks detected.

The financial sector was the worst hit, accounting for 24% of all detected attacks, although webmail and SaaS providers were also popular targets.

Attacks spoofing retailers dropped 17% from the previous quarter to 15% following the busy holiday shopping season, while those against social media services rose significantly, from nearly 9% percent of all attacks to 13% over the same period.

https://www.infosecurity-magazine.com/news/phishing-hits-all-time-high-q1/

  • Ransomware's ROI Retreat Will Drive More BEC Attacks

Law enforcement crackdowns, tighter cryptocurrency regulations, and ransomware-as-a-service (RaaS) operator shutdowns are driving down the return on investment for ransomware operations across the globe.

A presentation at the RSA Conference last week laid out analysis of the ransomware threat landscape, predicting that there will be a pivot from ransomware toward renewed interest in basic business email compromise (BEC) attacks in the next 6 to 12 months.

Ransomware attacks grab headlines and have been supercharged by a few prolific RaaS operators, but crackdowns on just one group can make an enormous dent.

Ransomware is a centralised ecosystem with small numbers of operators responsible for the majority of attacks.

The recent disappearance of Pysa, left just two groups, Conti and Lockbit, with more than 50% of the share of the total ransomware attacks in the first half of 2022. BEC groups, on the other hand, are diffuse and scattered, making them much harder to eradicate.

Although they're not as quick to make the headlines, BEC attacks have cost business more than $43 billion since 2016, according to the FBI, and make up $1 out of every $3 lost to cyber attacks, far outpacing ransomware losses.

Ransomware has had a moment over the past couple of years, in part because once threat actors were able to abandon arcane wire transfers to collect ransoms and rely on cryptocurrency, caps on transactions were lifted and it became simple to collect much larger amounts. But new crypto regulations are chilling the ability of these cyber criminals to rely on its infrastructure to do business, adding "friction" to the transactions.

BEC attacks, by comparison, rely on social engineering to corrupt a business's financial supply chain to get employees to willingly part with the cash, making them exponentially harder to track and stop. 

https://www.darkreading.com/threat-intelligence/retreat-of-ransomware-roi-will-drive-bec-attacks-analyst-warns

  • The Real Cost of Cyber Attacks: What Organisations Should Be Prepared For

With each passing year, hackers and cyber criminals of all kinds are becoming more sophisticated, malicious, and greedy conducting brazen and often destructive cyber-attacks that can severely disrupt a company’s business operations. And this is a big problem, because, first and foremost, customers rely on a company’s ability to deliver services or products in a timely manner. Cyber attacks not only can affect customers’ data, but they can impact service delivery.

Data breaches and costs associated with them have been on the rise for the past few years, but, according to a 2021 report, the average cost per breach increased from $3.86 million in 2020 to $4.24 million in 2021. The report also identified four categories contributing most global data breach costs – Lost business cost (38%), Detection and escalation (29%), Post breach response (27%), and Notification (6%).

Ransomware attacks cost an average of $4.62 million (the cost of a ransom is not included), and destructive wiper-style attacks cost an average of $4.69 million, the report said.

For a business, a data breach is not just a loss of data, it can also have a long-lasting impact on operations and undermine customers’ trust in the company. In fact, a survey revealed that 87% of consumers are willing to take their business elsewhere if they don’t trust a company is handling their data responsibly. Therefore, the reputational damage might be detrimental to a business’ ability to attract new customers.

https://informationsecuritybuzz.com/articles/the-real-cost-of-cyber-attacks-what-organizations-should-be-prepared-for/

  • Why Smishing and Vishing Attempts Surged In 2021

In The Human Factor Report 2022, security vendor Proofpoint found that SMS phishing (smishing) attacks more than doubled year-on-year in 2021. The report is based on their analysis of over 2.6 billion email messages, 49 billion URLs, 1.9 billion attachments, 28 million cloud accounts and 1.7 billion mobile messages.

The study details the most common attack surfaces and methods including categories of risk, vulnerabilities, attacks, Russian Aligned APT’s, and Privilege as a vector.

Key Findings:

  • Managers and executives make up only 10% of users, but almost 50% of the most severe attack risk

  • Attackers attempt to initiate more than 100,000 telephone-oriented attacks every day.

  • Malicious URLS are 3-4x more common than malicious attachments.

  • Smishing attempts more than doubled in the US over the year, while in the UK over 50% of lures are themed around delivery notification.

  • More than 20 million messages attempted to deliver malware linked to eventual ransomware attack

  • Data loss prevention alerts have stabilised as businesses adopt permanent hybrid work models.

  • 80% of businesses are attacked by a compromised supplier account in any given month.

  • 35% of cloud tenants that received a suspicious login also saw suspicious post-access activity.

https://informationsecuritybuzz.com/expert-comments/why-smishing-and-vishing-attempts-surged-in-2021/

  • Know Your Enemy! Learn How Cyber Crime Adversaries Get In…

Cyber security vendor Sophos dug into the incident reports of 144 real-life cyber attacks investigated by its Rapid Response team during 2021.

What they found might not surprise you, but it’s vital information nevertheless, because it’s what really happened, not merely what might have.

Notably:

  • Unpatched vulnerabilities were the entry point for close to 50% of the attackers.

  • Attackers stuck around for more than a month on average when ransomware wasn’t their primary goal.

  • Attackers were known to have stolen data in about 40% of incidents. (Not all data thefts can be proved, of course, given that there isn’t a gaping hole where your copy of the data used to be, so the true number could be much higher.)

  • RDP was abused to circumnavigate the network by more than 80% of attackers once they’d broken in.

Intriguingly, if perhaps unsurprisingly, the smaller the organisation, the longer the crooks had generally been in the network before anyone noticed and decided it was time to kick them out.

In businesses with 250 staff and below, the crooks stuck around (in the jargon, this is known by the quaintly archaic automotive metaphor of dwell time) for more than seven weeks on average.

This compared with an average dwell time of just under three weeks for organisations with more than 3000 employees.

As you can imagine, however, ransomware criminals typically stayed hidden for much shorter periods (just under two weeks, instead of just over a month), not least because ransomware attacks are inherently self-limiting.

After all, once ransomware crooks have scrambled all your data, they’re out of hiding and straight into their in-your-face blackmail phase.

https://nakedsecurity.sophos.com/2022/06/07/know-your-enemy-learn-how-cybercrime-adversaries-get-in/

  • Small Businesses Struggle with an Increase in Cyber Attacks

Part of the problem: They don’t believe they are targets, so they don’t make security a priority. Cyber attacks are becoming more common for small businesses, and many aren’t prepared to deal with an attack.

As small businesses have accelerated their adoption of new technologies for remote work, communication, production and sales during the pandemic, their expanded computer networks have created new vulnerabilities to phishing and ransomware attacks. But many small businesses still don’t expect to be targeted by hackers, so preparing for a cyber attack is well down their list of priorities.

https://www.wsj.com/articles/small-business-cyberattacks-increase-11654540786

Threats

Ransomware

BEC – Business Email Compromise

Phishing & Email Based Attacks

Other Social Engineering

Malware

Mobile

IoT

Data Breaches/Leaks

Organised Crime & Criminal Actors

Cryptocurrency/Cryptomining/Cryptojacking/NFTs

Fraud, Scams & Financial Crime

AML/CFT/Sanctions

Insurance

Dark Web

Software Supply Chain

Denial of Service DoS/DDoS

Cloud/SaaS

Attack Surface Management

Open Source

Privacy

Parental Controls and Child Safety

Law Enforcement Action and Take Downs

Spyware, Espionage & Cyber Warfare, including Russian Invasion of Ukraine

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Read More
Black Arrow Admin Black Arrow Admin

Black Arrow Cyber Threat Briefing 22 April 2022

Black Arrow Cyber Threat Briefing 22 April 2022:

-Why Ransomware Attacks Prefer Small Business Targets Rather Than Rich Enterprises

-Ransomware Plagues Finance Sector as Cyber Attacks Get More Complex

-76% of Organisations Worldwide Expect to Suffer a Cyber Attack This Year

-Most Email Security Approaches Fail to Block Common Threats

-Financial Leaders Grappling with More Aggressive and Sophisticated Attack Methods

-Hackers Sneak Malware into Resumes Sent to Corporate Hiring Managers

-West Warns of Russian Cyber-Attacks As Concerns Rise Over Putin’s Nuclear Rhetoric

-Criminals Adopting New Methods To Bypass Improved Defences, Says Zscaler

-Cyber Criminals Are ‘Drinking the Tears’ Of Ukrainians

-Hackers For Hire Attempt to Destroy Hedge Fund Manager's Reputation

-New Threat Groups and Malware Families Emerging

-Economic Warfare: Attacks on Critical Infrastructure Part of Geopolitical Conflict

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

  • Why Ransomware Attacks Prefer Small Business Targets Rather Than Rich Enterprises

Enterprise businesses with 25,000 employees+ are less likely to get hit by a ransomware attack than smaller businesses — even though big companies typically can afford to pay higher ransoms, the 2022 CyberEdge Cyberthreat Defense Report concluded.

What explains hackers taking aim at small businesses more frequently than enterprise giants?  The answer: Damaging a critical infrastructure facility or similar disruptions are certain to catch the eye of federal law enforcement, or national governments — something that no hacker wants, CyberEdge said. Smaller to medium-sized firms, as it turns out, get hit more frequently by ransomware attacks, on average at roughly 70 percent, the report said.

Overall, some 71 percent of organisations have been bitten by ransomware in 2022, up a point and a half from last year and by 8.5 points in 2020. It’s companies of 10,000 to 24,999 employees that are the sweet spot for ransomware hackers, nearly 75 percent of which are victimised by cyber extortionists.

The extensive study, which surveyed 1,200 security decision makers and practitioners employed by companies of greater than 500 people in 17 countries across 19 industries, is geared to helping gauge their internal practices and investments against those of their counterparts in other parts of the world.

https://www.msspalert.com/cybersecurity-research/why-ransomware-attacks-prefer-small-business-targets-rather-than-rich-enterprises/

  • Ransomware Plagues Finance Sector as Cyber Attacks Get More Complex

Cyber criminals have evolved from hacking wire transfers to targeting market data, as ransomware continues to hit financial firms, says a new VMware report. Here's what to do about it.

Ransomware plagues financial institutions as they face increasingly complex threats over previous years owing to the changing behaviour of cyber criminal cartels, according to VMware's latest Modern Bank Heists report.

This has happened as the cyber crime cartels have evolved beyond wire transfer frauds to target market strategies, take over brokerage accounts, and island-hop into banks, according to the report.

For the report, VMware surveyed 130 financial sector CISOs and security leaders from across different regions including North America, Europe, Asia Pacific, Central and South America, and Africa.

Report findings were consistent with observations by other security experts. "The Secret Service, in its investigative capacity to protect the nation's financial payment systems and financial infrastructure, has seen an evolution and increase in complex cyber-enabled fraud," says Jeremy Sheridan, former assistant director at the US Secret Service. "The persistent, inadequate security of systems connected to the internet provides opportunity and methodology."

https://www.csoonline.com/article/3657875/ransomware-plagues-finance-sector-as-cyberattacks-get-more-complex.html

  • 76% of Organisations Worldwide Expect to Suffer a Cyber Attack This Year

Ransomware, phishing/social engineering, denial of service (DoS) attacks, and the business fallout of a data breach rank as the top concerns of global organisations, a new study shows.

The newly published Cyber Risk Index, a study by Trend Micro and the Ponemon Institute, shows that more than three-quarters of global organisations expect to suffer a cyber attack in the next 12 months — 25% of which say an attack is "very likely."

More than 80% of the 3,400 CISO and IT professionals and managers surveyed say their organisations were hit with one or more successful cyber attacks in the past 12 months, and 35% suffered seven or more attacks, according to the report, which covers the second half of 2021.

https://www.darkreading.com/attacks-breaches/76-of-organizations-worldwide-expect-to-suffer-a-cyberattack-this-year

  • Most Email Security Approaches Fail to Block Common Threats

A full 89 percent of organisations experienced one or more successful email breaches during the previous 12 months, translating into big-time costs.

On overwhelming number of security teams believe their email security systems to be ineffective against the most serious inbound threats, including ransomware.

That’s according to a survey of business customers using Microsoft 365 for email commissioned by Cyren and conducted by Osterman Research, which examined concerns with phishing, business email compromise (BEC), and ransomware threats, attacks that became costly incidents, and preparedness to deal with attacks and incidents.

“Security team managers are most concerned that current email security solutions do not block serious inbound threats (particularly ransomware), which requires time for response and remediation by the security team before dangerous threats are triggered by users,” according to the report, released Wednesday.

Less than half of those surveyed said that their organisations can block delivery of email threats. And, correspondingly, less than half of organisations rank their currently deployed email security solutions as effective.

https://threatpost.com/email-security-fail-block-threats/179370/

  • Financial Leaders Grappling with More Aggressive and Sophisticated Attack Methods

VMware released a report which takes the pulse of the financial industry’s top CISOs and security leaders on the changing behaviour of cyber criminal cartels and the defensive shift of the financial sector.

The report found that financial institutions are facing increased destructive attacks and falling victim to ransomware more than in years past, as sophisticated cyber crime cartels evolve beyond wire transfer fraud to now target market strategies, take over brokerage accounts and island hop into banks.

In the Modern Bank Heists report, 63% of financial institutions admitted experiencing an increase in destructive attacks, with cyber criminals leveraging this method as a means to burn evidence as part of a counter incident response.

Additionally, 74% experienced at least one ransomware attack over the past year, with 63% paying the ransom. When asked about the nation-state actors behind these attacks, the majority of financial instructions stated that Russia posed the greatest concern, as geopolitical tension continues to escalate in cyberspace.

https://www.helpnetsecurity.com/2022/04/21/cybercriminal-cartels-financial-sector/

  • Hackers Sneak Malware into Resumes Sent to Corporate Hiring Managers

A new set of phishing attacks delivering the ‘more_eggs’ malware has been observed striking corporate hiring managers with bogus resumes as an infection vector, a year after potential candidates looking for work on LinkedIn were lured with weaponised job offers.

"This year the more_eggs operation has flipped the social engineering script, targeting hiring managers with fake resumes instead of targeting jobseekers with fake job offers," eSentire's research and reporting lead, Keegan Keplinger, said in a statement.

The Canadian cyber security company said it identified and disrupted four separate security incidents, three of which occurred at the end of March. Targeted entities include a US-based aerospace company, an accounting business located in the UK, a law firm, and a staffing agency, both based out of Canada.

The malware, suspected to be the handiwork of a threat actor called Golden Chickens (aka Venom Spider), is a stealthy, modular backdoor suite capable of stealing valuable information and conducting lateral movement across the compromised network.

"More_eggs achieves execution by passing malicious code to legitimate windows processes and letting those windows processes do the work for them," Keplinger said. The goal is to leverage the resumes as a decoy to launch the malware and sidestep detection.

https://thehackernews.com/2022/04/hackers-sneak-moreeggs-malware-into.html

  • West Warns of Russian Cyber Attacks as Concerns Rise Over Putin’s Nuclear Rhetoric

Cyber crime groups have publicly pledged support for Russia, western officials worry about Putin’s reliance on nuclear threats and the battle for Mariupol in Ukraine grinds on.

The US and four of its closest allies have warned that “evolving intelligence” shows that Russia is contemplating cyber attacks on countries backing Ukraine, as the Kremlin’s frustration grows at its failure to make military gains.

Vladimir Putin used the launch on Wednesday of a powerful new Sarmat intercontinental ballistic missile (ICBM), capable of carrying ten or more warheads, to make nuclear threats against western countries.

The Sarmat has long been in development and test flights were initially due to start in 2017. The Pentagon confirmed that the US had been given notice of the test and was not alarmed. Western officials are more concerned by the increasing emphasis Moscow puts on its nuclear arsenal as its conventional forces have faltered in Ukraine.

The Ukrainian army continued to put up resistance in the besieged and devastated city of Mariupol, but Putin’s Chechen ally, Ramzan Kadyrov, predicted that the last stand of the port’s defenders at the Azovstal steel works would fall on Thursday.

The Kremlin has made repeated threats against the many countries that have been supplying Ukraine’s army with modern weapons, and members of the “Five Eyes” intelligence sharing network – the US, Britain, Canada, Australia and New Zealand – predicted Moscow could also work with cyber crime groups to launch attacks on governments, institutions and businesses.

https://www.theguardian.com/world/2022/apr/21/west-warns-of-russian-cyber-attacks-as-concerns-rise-over-putins-nuclear-rhetoric

  • Criminals Adopting New Methods To Bypass Improved Defences, Says Zscaler

The number of phishing attacks worldwide jumped 29 percent last year as threat actors countered stronger enterprise defences with newer methods, according to researchers with Zscaler's ThreatLabz research team.

Cyber criminals have adapted to multi-factor authentication (MFA), employee security awareness training, and security controls by broadening who and where they will attack.

While the United States remained the country with the most phishing attempts, others are seeing faster growth in the number of incidents – exploiting new vectors like SMS and lowering the barrier of entry for launching attacks through pre-built tools made available on the market.

"Phishing attacks continue to remain one of the most prevalent attack vectors, often serving as a starting point for more advanced next stage attacks that may result in a large-scale breach," Deepen Desai, CISO and vice president of security research and operations at Zscaler, told The Register.

https://www.theregister.com/2022/04/20/phishing-attempts-on-rise-zscaler/

  • Cyber Criminals Are ‘Drinking the Tears’ of Ukrainians

In biology, when an insect drinks the tears of a large creature, it is called lachryphagy. And in cyberspace, malicious actors are likewise “drinking tears” by exploiting humanitarian concerns about the war in Ukraine for profit. Different forms of deception include tricking people into donating to bogus charities, clicking on Ukraine-themed malicious links and attachments, and even impersonating officials to extort payment for rescuing loved ones.

It is an unfortunate reality that cyber opportunists are engaging in lachryphagy to exploit humanitarian concerns about the war for profit or data collection. To date, one of the largest cryptocurrency scams involving fraudulent Ukrainian relief payments totalled $50 million in March, the Wall Street Journal reports.

Immediately following Russia’s invasion of Ukraine, cybersecurity companies warned the public that criminals were preying on Ukrainian relief fundraising efforts with cryptocurrency scams. Bitdefender Labs reports that cyber criminals have impersonated Ukrainian government entities and charitable organisations such as UNICEF, and the Australian humanitarian agency, Act for Peace. “Some [scammers] are even pretending to be Wladimir Klitschko, whose brother Vitali is mayor of Ukraine’s capital, Kyiv,” according to the BBC.

https://thehill.com/opinion/cybersecurity/3273636-cyber-criminals-are-drinking-the-tears-of-ukrainians/?rl=1

  • Hackers For Hire Attempt to Destroy Hedge Fund Manager's Reputation

Hackers bombarded a British hedge fund manager with 3,000 emails and fake news stories about his mortgage in an effort to destroy his reputation after being hired by a corporate rival.

Criminals even sought to gain personal information about Matthew Earl by pretending to be his sister in a three-year campaign when he raised concerns over the controversial German payments company Wirecard.

Mr Earl, a former City analyst who runs the hedge fund ShadowFall, said he was targeted by a group called Dark Basin.

This group has been linked to Aviram Azari, who this week pleaded guilty in New York to a conspiracy to target journalists and critics of Wirecard using phishing emails.

Mr Earl said the hacking attempts started in 2016 after ShadowFall, nicknamed the “dark destroyer” in the City, criticised the financial performance of Wirecard. The German company was later mired in a series of accounting scandals and went bust.

He said: “I was being sent very targeted emails, which were crafted with personal information about my interests, friends and family’s details. They were very specific.”

Mr Earl received news stories that appeared to be from media outlets such as Reuters and Bloomberg. Another email appeared to be sent by his sister, sharing family photographs, he added.

https://www.telegraph.co.uk/business/2022/04/21/reign-terror-hackers-hire-ramp-corporate-espionage/

  • New Threat Groups and Malware Families Emerging

Mandiant announced the findings of an annual report that provides timely data and insights based on frontline investigations and remediations of high-impact cyber attacks worldwide. The 2022 report––which tracks investigation metrics between October 1, 2020 and December 31, 2021—reveals over 1,100 new threat groups and 733 new malware families.

The report also notes a realignment and retooling of China cyber espionage operations to align with the implementation of China’s 14th Five-Year Plan in 2021. The report warns that the national-level priorities included in the plan “signal an upcoming increase in China-nexus actors conducting intrusion attempts against intellectual property or other strategically important economic concerns, as well as defence industry products and other dual-use technologies over the next few years.”

https://www.helpnetsecurity.com/2022/04/22/adversaries-innovating-and-adapting/

Economic Warfare: Attacks on Critical Infrastructure Part of Geopolitical Conflict

We’ve known for years that since at least March of 2016, Russian government threat actors have been targeting multiple U.S. critical infrastructure sectors including the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors. The Department of Homeland Security (DHS), the Federal Bureau of Investigations (FBI), and other agencies have acknowledged this for quite some time in many of their technical alerts and statements.

In the intervening years, with the acceleration of digital transformation, cyber criminals and nation-state actors have increasingly set their sights on these sectors. The convergence of physical and digital assets brings competitive advantage but also inevitable risks. Attacks against hospitals, oil pipelines, food supply chains, and other critical infrastructure, have brought into sharp focus the vulnerability of cyber-physical systems (CPS) and the impact on lives and livelihoods when they are disrupted. Now, overwhelming signs indicate critical infrastructure companies are in the bullseye of geopolitical conflict.

https://www.securityweek.com/economic-warfare-attacks-critical-infrastructure-part-geopolitical-conflict

Threats

Ransomware

Phishing & Email Based Attacks

Malware

Mobile

BYOD

IoT

Organised Crime & Criminal Actors

Cryptocurrency/Cryptomining/Cryptojacking

Fraud, Scams & Financial Crime

Insurance

Dark Web

Supply Chain and Third Parties

Cloud

Passwords & Credential Stuffing

Digital Transformation

Spyware, Espionage & Cyber Warfare, including Russian Invasion of Ukraine

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Read More