Black Arrow Cyber Threat Briefing 02 December 2022

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts, to provide senior and middle management with an easy-to-digest round-up of the most notable threats, vulnerabilities and cyber related news from the last week.

Top Cyber Stories of the Last Week

  • Businesses Increasing Cyber Spend Without Clear Strategy, Study Finds

Most businesses worldwide claim to be confident that their current cyber security budgets are fit for their needs, but at the same time would be willing to spend more, according to research by the cloud platform provider Fastly.

While 71% of businesses expressed confidence in their current budgets, 73% of the same businesses are willing to increase their budget. In the US specifically, over 85% of IT leaders considered their current budget to be adequate, but 79% are still considering increasing it.

This cyber spending paradox has been highlighted in Fastly’s latest study ‘Fighting fire with fire’ published on November 30, 2022.

One explanation is that IT leaders fear lagging the evolving cyber threat landscape and put their trust in technology to help them catch up and prepare for future cyber security risks.

“Overwhelmed and overworked, IT leaders are putting their faith in an abundance of tools and technologies and hoping for their best,” reads the report.

The reality, though, is that the majority of organisations are increasing spending with no clear strategy. Spending more money doesn’t necessarily equate to a safer business. Instead, it can create the illusion of security, and ironically put the businesses at even greater risk down the line when their security tools don’t work.

https://www.infosecurity-magazine.com/news/businesses-cyber-spend-no-strategy/

  • Cyber Security and ESG Among Top Areas of Concern for Audit Leaders in 2023

In an effort to understand key factors and concerns impacting Internal Audit executives, ManpowerGroup announced this week results from its sixth annual Internal Audit Priorities survey. While cyber security continues as the number one risk, Environmental, Social, and Governance (ESG) jumped up to number two on the list of emerging risks.

“Cyber security remains the top concern for many executives, who are seeing their audit teams expand their coverage of Information Technology Governance. But this year's survey also reveals the growing importance of ESG as more organisations are increasing their commitment to developing comprehensive ESG strategies in 2023 and beyond,” said Manpower.

Many Internal Audit leaders expressed concern about Internal Audit Departments struggling to keep fully staffed, amid the ongoing pandemic and shifts in how and where auditors work. The survey shows 53% are working hybrid and 25% are fully remote.

Today's Chief Audit Executives are faced with balancing constrained audit resources with the consistent pressure to expand audit coverage within their organisations. Companies are experiencing a 100% increase, year-over-year, in audit departments deferring audits because resources aren't available. Due to the current state of the job market, many Internal Audit Departments have not been fully staffed over the past 12-18 months according to Jefferson Wells, part of Manpower.

KEY FINDINGS

The top five areas for Audit Committees are Data privacy and cyber security (43%), Emerging risks and impacts on major initiatives (37%), Strategic risk (33%), ESG (31%), and Employee retention (29%).

With the growing importance of ESG, 71% of Chief Audit Executives (CAE) are including an assessment of ESG in their audit plans.

As ransomware and other attacks have exponentially increased in both frequency and ferocity, Internal Audit departments are now shifting more attention to preventative, strategic methods of cyber defence.

As operational involvement increases, internal audit leaders are looking for other ways to enhance their audit function. Two areas with the highest return on investment are data analytics (52%) and other internal audit specific technologies (48%).

https://www.darkreading.com/risk/cybersecurity-and-esg-among-top-areas-of-concern-for-audit-leaders-in-2023

  • Ransomware Warning! Expect Hackers to Hit Harder During Holiday Season

Organisations should prepare for an onslaught of ransomware during the holidays as cyber crews take advantage of lower security staffing levels and subpar defences, security provider Cybereason said in a new study.

Ransomware attacks that take place on weekends and holidays hit organisations when they are most vulnerable, resulting in longer investigation times and causing greater damage, according to Cybereason’s global study of 1,200 cyber security professionals “Organisations at Risk 2022: Ransomware Attackers Don’t Take Holidays”.

It’s not just weekends and holidays where short staffing paves the way for hackers. Traditional Monday through Friday staffing models are out of step with cyber threats and expose companies the rest of the week, the report said.

Here are some key findings:

  • More than one-third of respondents who experienced a ransomware attack on a weekend or holiday said their organisations lost more money as a result, a 19% increase over 2021.

  • The numbers ticked up to 42% in the education sector and 48% in the travel and transportation industry.

  • Ransomware attacks make up nearly half (49%) of all security incidents that security operations centre (SOC) teams are most frequently trying to resolve.

  • Four in ten (44%) respondents indicated they reduce security staff by as much as 70% on weekends and holidays.

  • One-fifth (21%) noted that their organisations operate a skeleton crew during those times, cutting staff by as much as 90%.

  • 7% of respondents indicated they were 80% to 100% staffed on weekends and holidays.

https://www.msspalert.com/cybersecurity-research/ransomware-warning-expect-hackers-to-hit-harder-during-holiday-season/

  • 2023 To Be Costliest, Most Destructive Year for Cyber Security as Recession Fears Force Firms to Cut Budgets

2023 is predicted to be one of the costliest and most destructive years for cyber security, according to a new report. Hackers are expected to up their game as companies rethink their cyber security budgets in anticipation of a looming recession, and ransomware gangs are expected to target supply chain firms with focused attacks to extract the greatest rewards.

New strains such as fileless malware that requires no downloads, hackers crafting new methods to exploit vulnerabilities in cloud security, and mounting targeted attacks on individuals will be among the most potent cyber crime trends in the coming year, 2023, said the report by NordLocker, the leading global VPN (virtual private network) service provider.

The proposed European Union (EU) move to require digital platforms to scan all files and messages, with its impact on internet security and privacy, is the other major cyber threat to watch out for in 2023.

“From new strains of potent malware to major policies that threaten privacy and encryption, 2023 could expect several new and more damaging cyber security threats,” the report cautioned.

Cyber attacks, rated among the top five risks globally, are projected to cost companies worldwide an estimated $10.5 trillion annually by 2025, up from $3 trillion in 2015, according to research and industry bodies. Besides financial losses, hacking also leads to major loss of productivity, reputational damage and legal liabilities for companies and organisations.

Cyber security never stops evolving because digital technologies are increasingly overtaking each part of our lives. This ever-changing nature of the cyber security field makes each week, month, and year different from those that have passed, making it extremely important to stay two steps ahead of emerging threats.

Cloud security will become the most important area in the coming year, with companies increasingly moving their data into the cloud instead of storing files locally on their computers. We will see a growing number of cyber attacks that exploit vulnerabilities in current cloud computing solutions.

The report also cautioned that reduced cyber security spending will expose vulnerabilities, leading to increased hacking and cyber thefts.

https://www.arabianbusiness.com/industries/technology/2023-to-be-costliest-most-destructive-year-for-cybersecurity-as-recession-fears-force-firms-to-cut-budgets

  • Cyber Crime Expected to Skyrocket in Coming Years

According to estimates from Statista’s “Cybersecurity Outlook”, the global cost of cyber crime is expected to surge in the next five years, rising from $8.44 trillion in 2022 to $23.84 trillion by 2027. Cyber crime is defined by Cyber Crime Magazine as the “damage and destruction of data, stolen money, lost productivity, theft of intellectual property, theft of personal and financial data, embezzlement, fraud, post-attack disruption to the normal course of business, forensic investigation, restoration and deletion of hacked data and systems, and reputational harm.”

As more and more people turn online, whether for work or their personal lives, there are more potential opportunities for cyber criminals to exploit. At the same time, attacker techniques are becoming more advanced, with more tools available to help scammers. The coronavirus pandemic saw a particular shift in cyber attacks, as Statista’s Outlook analysts explain: “The COVID-19 crisis led to many organisations facing more cyber attacks due to the security vulnerability of remote work as well as the shift to virtualised IT environments, such as the infrastructure, data, and network of cloud computing.”

https://www.statista.com/chart/28878/expected-cost-of-cybercrime-until-2027/

  • UK Introducing Mandatory Cyber Incident Reporting for Managed Service Providers

The British government is introducing a new mandatory reporting obligation on managed service providers (MSPs) to disclose cyber incidents, alongside minimum security requirements which could see MSPs fined up to £17 million ($20 million) for non-compliance.

The government said on Wednesday that MSPs “play a central role in supporting the UK economy” and warned they are “an attractive and high value target for malicious threat actors, and can be used as staging points through which threat actors can compromise the clients of those managed services.” MSPs are paid to manage IT infrastructure and provide support, often to smaller businesses that don’t have a designated IT department.

Financially motivated ransomware attacks have impacted MSPs such as Kaseya in the United States and the NHS supplier Advanced in Britain, with the latter severely impacting patient care according to BBC News.

Recent reports detailed how the ransomware incident affecting the software provider Advanced prompted the government to hold several Cabinet Office Briefing Rooms (COBR) crisis management meetings.

State-sponsored actors have also targeted MSPs, according to the National Cyber Security Centre (NCSC), which in 2018 attributed a global espionage campaign known as “Cloud Hopper” to the Chinese Ministry of State Security.

The new obligations on these providers will be introduced through an update to the Network and Information Systems (NIS) Regulations which in their current form require essential services such as water, energy and transport to uphold security standards and notify national authorities about incidents.

https://therecord.media/uk-introducing-mandatory-cyber-incident-reporting-for-managed-service-providers/

  • CISOs’ Priorities for The Coming Year

BlueFort Security surveyed 600 CISOs from a variety of UK organisations and found most have moved beyond the challenges of the widespread shift to remote working – which resulted in severely limited visibility, intelligence and control – and are now focused on digital transformation and migration to the cloud, despite a chaotic world and bleak economic environment.

88% of CISOs say cyber security has become more of a priority for their Board over the last 12 months. And while 37% of CISOs still have their cyber security budget defined as a subset of their organisation’s general IT budget, 58% of CISOs expect world events to cause an increase in their cyber security budget over the next budget cycle.

CISOs are looking to the future. When asked about the areas their departments are prioritising their time and budget, CISOs said they are accelerating digital transformation (47%) and ensuring cyber security protection is fit for purpose for the future (46%).

Enabling cloud transformation is now a key focus area for UK security leadership. With 57% of organisations using multiple clouds and 37% using a single cloud environment, CISOs now have a clear focus – secure the cloud and secure the (primarily cloud-based) applications. However, while progress has been made in securing these environments, only 52% of CISOs are confident they are able to fully enforce a consistent security policy across all applications in the cloud. 42% can only partially enforce cloud application security policies, while 5% are unable to at all.

This challenge is likely to remain front and centre for CISOs over the next 12 months as their organisations continue along their digital transformation journeys, with 52% stating they will be moving applications to the public cloud, migrating apps from one cloud to another and replacing legacy systems with SaaS applications. And, while 62% of CISOs say their organisation is using a cloud security posture management tool, 52% are manually standardising and enforcing security policies in their public cloud environments for each application.

https://www.helpnetsecurity.com/2022/11/30/cisos-cloud-transformation/

  • The Evolution of Business Email Compromise

In 2012, the US Federal Bureau of Investigation (FBI) began investigating an influx of reported fraud incidents involving threat actors rerouting payments to attacker-controlled accounts. In these incidents, victims received seemingly legitimate emails containing requests to alter scheduled payments. The threat actors typically impersonated executives or finance and payroll personnel and convinced victims to reroute payments to a different bank account. These first instances of business email compromise (BEC) kicked off a decade of attacks that use this simple yet highly effective scheme. While the threat has evolved, threat actors continue to use phishing attacks to steal credentials and then send fraudulent invoices soliciting payment. Thousands of organisations have lost billions of dollars.

When BEC was first discovered, law enforcement referred to it as "man in the email" fraud. Because much of the money at the time was sent to China, Japan, and South Korea, law enforcement believed that the threat actors could be Asia-based organised crime groups. However, multiple investigations confirmed that these schemes were connected and that the money eventually ended up with threat actors located in Nigeria.

BEC fraud emerged from Nigerian organised crime groups that conducted operations such as romance scams, advance-fee schemes (also known as "Nigerian prince" or "419" scams), and elder fraud. The low barrier to entry and potential for high payouts attracted more threat groups. Because the technical aspects of these schemes are relatively simple, threat actors with little to no technical capabilities could launch successful attacks.

By 2014, cooperation between law enforcement and financial institutions revealed a clearer understanding of BEC schemes. As BEC tactics, techniques, and procedures (TTPs) matured, the financial losses and number of impacted organisations increased. In 2014, the US Internet Crime Complaint Center (IC3) received 2,417 BEC complaints, with losses totaling $226 million. The numbers grew steadily until a decrease in reported incidents in 2020. However, that decline was likely due to the COVID-19 pandemic disrupting normal business processes. Momentum resumed in 2021, with 19,954 complaints and adjusted losses of almost $2.4 billion.

https://www.darkreading.com/endpoint/the-evolution-of-business-email-compromise

  • Web App and API Attacks Surge 257% in Financial Services

The volume of web application and API attacks detected over the past 12 months surged by 3.5 times year-on-year in the financial services sector, the highest of any vertical, according to the cloud security vendor Akamai.

Akamai’s latest State of the Internet report, Enemy at the Gates, is based on analysis of global customer traffic during the period 01 October 2021 to 26 September 2022.

The growth in threats targeting web apps and APIs is reflective of the increasing investment financial institutions are putting into digital services, as a result of open banking mandates like Europe’s PSD2, the report claimed. While these technologies help to open banking services up to third party providers and create a more streamlined experience for customers, they also expand the corporate attack surface.

Overall, banking is the third-most attacked vertical when it comes to web apps and APIs, with 15% of the total accounted for by these threats. “Security is a tough challenge when building them. Vulnerabilities residing in these web applications could lead to remote code execution (RCE) and breaches. Second, web applications have the ability to capture and store confidential customer information (i.e., login credentials),” the report explained.

“Once attackers launch web application attacks successfully, they could steal confidential data, and in more severe cases, gain initial access to a network and obtain more credentials that could allow them to move laterally. Aside from the implications of a breach, stolen information could be peddled in the underground or used for other attacks. This is highly concerning given the troves of data, such as personal identifiable information and account details, held by the financial services vertical.”

https://www.infosecurity-magazine.com/news/web-app-api-attacks-257-financial/

  • Australia Will Now Fine Firms Up To AU$50 Million for Data Breaches

The Australian parliament has approved a bill to amend the country's privacy legislation, significantly increasing the maximum penalty to AU$50 million for companies and data controllers that suffer large-scale data breaches.

The financial penalty introduced by the new bill is set to whichever is greater:

  • AU$50 million

  • Three times the value of any benefit obtained through the misuse of information

  • 30% of a company's adjusted turnover in the relevant period

Previously, the penalty for severe data exposures was AU$2.22 million, considered wholly inadequate to incentivise companies to improve their data security mechanisms.

The new bill comes in response to a series of recent cyber attacks against Australian companies, including ransomware and network breaches, resulting in the exposure of highly sensitive data for millions of people in the country. The Australian government has wasted no time in responding to recent major data breaches having announced, introduced, and delivered legislation in just over a month. These new, larger penalties send a clear message to large companies that they must do better to protect the data they collect.

The most notable incidents were the Optus telecommunication provider data breach that impacted 11 million people, and the Medibank insurance firm ransomware attack that exposed the data of 9.7 million.

https://www.bleepingcomputer.com/news/security/australia-will-now-fine-firms-up-to-au50-million-for-data-breaches/


Threats

Ransomware and Extortion

Phishing & Email Based Attacks

Other Social Engineering; Smishing, Vishing, etc

Malware

Mobile

Internet of Things – IoT

Data Breaches/Leaks

Organised Crime & Criminal Actors

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

Insider Risk and Insider Threats

Fraud, Scams & Financial Crime

Impersonation Attacks

Insurance

Dark Web

Software Supply Chain

Denial of Service DoS/DDoS

Cloud/SaaS

Encryption

API

Open Source

Passwords, Credential Stuffing & Brute Force Attacks

Social Media

Regulations, Fines and Legislation

Data Protection

Law Enforcement Action and Take Downs

Privacy, Surveillance and Mass Monitoring

Misinformation, Disinformation and Propaganda

Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine
Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

  • Automotive

  • Construction

  • Critical National Infrastructure (CNI)

  • Defence & Space

  • Education & Academia

  • Energy & Utilities

  • Estate Agencies

  • Financial Services

  • FinTech

  • Food & Agriculture

  • Gaming & Gambling

  • Government & Public Sector (including Law Enforcement)

  • Health/Medical/Pharma

  • Hotels & Hospitality

  • Insurance

  • Legal

  • Manufacturing

  • Maritime

  • Oil, Gas & Mining

  • OT, ICS, IIoT, SCADA & Cyber-Physical Systems

  • Retail & eCommerce

  • Small and Medium Sized Businesses (SMBs)

  • Startups

  • Telecoms

  • Third Sector & Charities

  • Transport & Aviation

  • Web3


As usual, contact us to help assess where your risks lie and to ensure you are doing all you can to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog, also available on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness only. Linking to or reposting external content does not endorse any service or product, and we are not responsible for the security of external links.
