Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities and cyber related news from the last week.

Top Cyber Headlines of the Week

Ryuk gang estimated to have made more than $150 million from ransomware attacks

In a joint report published today, threat intel company Advanced Intelligence and cyber security firm HYAS said they tracked payments to 61 Bitcoin addresses previously attributed and linked to Ryuk ransomware attacks. "Ryuk receives a significant amount of their ransom payments from a well-known broker that makes payments on behalf of the ransomware victims," the two companies said. "These payments sometimes amount to millions of dollars and typically run in the hundreds of thousands range."

https://www.zdnet.com/article/ryuk-gang-estimated-to-have-made-more-than-150-million-from-ransomware-attacks/

China's APT hackers move to ransomware attacks

Security researchers investigating a set of ransomware incidents at multiple companies discovered malware indicating that the attacks may be the work of a hacker group believed to operate on behalf of China. Although the attacks lack the sophistication normally seen with advanced threat actors, there is strong evidence linking them to APT27, a group normally involved in cyber espionage campaigns, also known as TG-3390, Emissary Panda, BRONZE UNION, Iron Tiger, and LuckyMouse.

https://www.bleepingcomputer.com/news/security/chinas-apt-hackers-move-to-ransomware-attacks/

SolarWinds hack: Amid hardened security, attackers seek softer targets

Reported theories by SolarWinds hack investigators that federal agencies and private companies were too busy focusing on election security to recognize vulnerabilities tied to the software supply chain are unfair and misleading. And yet, those same experts acknowledge that such accusations offer an important cyber security lesson for businesses: organizations must ensure that their entire attack surface receives attention.

https://www.scmagazine.com/home/solarwinds-hack/solarwinds-hack-amid-hardened-security-attackers-seek-softer-targets/

Hackney Council files including alleged passport documents leaked online after cyber attack

The council in East London was hit by what it described as a "serious cyber attack" in October. It reported itself to the data watchdog due to the risk criminals accessed staff and residents' data. The council said it was working with the UK's National Cyber Security Centre (NCSC) and the Ministry of Housing to investigate and understand the impact of the incident.

https://news.sky.com/story/hackney-council-files-including-alleged-passport-documents-leaked-online-after-cyber-attack-12181017

PayPal users targeted in new SMS phishing campaign

Now, at first glance the message may not seem all that suspicious since PayPal may, in fact, impose limits on sending and withdrawing money. The payment provider usually does so when it suspects that an account has been accessed by a third party without authorization, when it has detected high-risk activities on an account, or when a user has violated its Acceptable Use Policy. However, in this case it really is a case of SMS-borne phishing, also known as Smishing. If you click on the link, you will be redirected to a login phishing page that will request your access credentials. Should you proceed to “log in”, your credentials will be sent to the scammers behind the ruse and the fraudulent webpage will attempt to gather further information, including the full name, date of birth address, and bank details.

https://www.welivesecurity.com/2021/01/04/paypal-users-targeted-new-sms-phishing-campaign/

SolarWinds, top executives hit with class action lawsuit over Orion software breach

SolarWinds and some of its top executives have been hit with a class action lawsuit by stockholders, who allege the company lied and materially misled them about security practices leading up to a massive breach of its Orion management software that has reverberated throughout the public and private sector.

https://www.scmagazine.com/home/solarwinds-hack/solarwinds-top-executives-hit-with-class-action-lawsuit-over-orion-software-breach/

The rise of cyber-mercenaries poses a growing threat for both governments and companies

These days, 21st century mercenaries are as likely to be seated behind a computer screen, wreaking havoc for their paymasters’ enemies as slugging it out on a real-world battlefield. But the rapid rise of cyber-mercenaries - or Private Sector Offensive Actors (PSOAs) - is vexing some of the biggest names in the global technology industry, and for good reason. Globally, the cyber security industry is already vast, raking in an estimated $156bn in revenues in 2019. It is set to nearly double in size by 2027.

https://www.telegraph.co.uk/business/2021/01/07/privatisation-cyber-security-growing-threat-governments-companies/

Declutter Your Devices to Reduce Security Risks

Everyone should set aside time to review what they’ve installed on their various devices—typically apps, but that can also include games and addons. In fact, this should be an annual cleaning, at minimum.

You’re not just doing this because you want your device to look good. That’s one benefit you get from cleaning up your digital life, but it’s not the most important one. You’re also doing this to bolster your digital security. Yes, security.

https://lifehacker.com/declutter-your-devices-to-reduce-security-risks-1845991606

Threats

Ransomware

New Year, New Ransomware: Babuk Locker Targets Large Corporations

Phishing

This new phishing attack uses an odd lure to deliver Windows trojan malware

Facebook ads used to steal 615000+ credentials in a phishing campaign

Malware

North Korean hackers launch RokRat Trojan in campaigns against the South

Thousands infected by trojan that targets cryptocurrency users on Windows, Mac and Linux

A hacker’s predictions on enterprise malware risk

Vulnerabilities

Google Warns of Critical Android Remote Code Execution Bug

Hackers are actively exploiting this leading VPN, so patch now

Data Breaches

Hacker posts data of 10,000 American Express accounts for free

Vodafone's ho. Mobile admits data breach, 2.5m users impacted

The gaming industry under attack, Over 500,000 credentials for the top two dozen leading gaming firms, including Ubisoft, leaked on online.

T-Mobile data breach: ‘Malicious, unauthorized’ hack exposes customer call information
Exclusive Networks hit by cyberattack on New Year's Eve

Up to half a million victims of BA data breach could be eligible for compensation

Nation State Actors

Even Small Nations Have Jumped into the Cyber Espionage Game

Denial of Service

Ransom DDoS attacks target a Fortune Global 500 company

Privacy

Telegram feature exposes your precise address to hackers

Whatsapp Competitor Signal Stops Working Properly As Users Rush To Leave Over Privacy Update

Google Chrome browser privacy plan investigated in UK

Singapore police can access COVID-19 contact tracing data for criminal investigations

Other News

Feds Issue Recommendations for Maritime Cybersecurity

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities and cyber related news from the last week.

Top Cyber Headlines of the Week

SolarWinds hack may be much worse than originally feared

The Russia-linked SolarWinds hack which targeted US government agencies and private corporations may be even worse than officials first realized, with some 250 federal agencies and business now believed affected.

Microsoft has said the hackers compromised SolarWinds’ Orion monitoring and management software, allowing them to “impersonate any of the organisation’s existing users and accounts, including highly privileged accounts.” The Times reports that Russia exploited layers of the supply chain to access the agencies’ systems.

https://www.theverge.com/2021/1/2/22210667/solarwinds-hack-worse-government-microsoft-cybersecurity

Threat actor is selling 368.8 million records from 26 data breaches

Security experts reported that a threat actor is selling user records allegedly stolen from twenty-six companies on a hacker forum.

The total volume of data available for sale is composed of 368.8 million stolen user records.

For some of these companies, the data breaches have not been previously disclosed, including Teespring.com, MyON.com, Chqbook.com, Anyvan.com, Eventials.com, Wahoofitness.com, Sitepoint.com, and ClickIndia.com.

https://securityaffairs.co/wordpress/112842/data-breach/data-breaches-records-sale.html

The Worst Hacks of 2020, a Surreal Pandemic Year

WHAT A WAY to kick off a new decade. 2020 showcased all of the digital risks and cybersecurity woes you've come to expect in the modern era, but this year was unique in the ways Covid-19 radically and tragically transformed life around the world. The pandemic also created unprecedented conditions in cyberspace, reshaping networks by pushing people to work from home en masse, creating a scramble to access vaccine research by any means, generating new fodder for criminals to launch extortion attempts and scams, and producing novel opportunities for nation-state espionage.

https://www.wired.com/story/worst-hacks-2020-surreal-pandemic-year/

A Nasty Strain of malware is back and hits 100K recipients per day

The Emotet banking trojan has been active at least since 2014, the botnet is operated by a threat actor tracked as TA542. In the middle-August, the malware was employed in fresh COVID19-themed spam campaign Recent spam campaigns used messages with malicious Word documents, or links to them, pretending to be an invoice, shipping information, COVID-19 information, resumes, financial documents, or scanned documents.

https://securityaffairs.co/wordpress/112650/malware/december-emotet-redacted.html

Ransomware in 2020: A Banner Year for Extortion

From attacks on the UVM Health Network that delayed chemotherapy appointments, to ones on public schools that delayed students going back to the classroom, ransomware gangs disrupted organizations to inordinate levels in 2020. Remote learning platforms shut down. Hospital chemotherapy appointments cancelled. Ransomware attacks in 2020 dominated as a top threat vector this past year. Couple that with the COVID-19 pandemic, putting strains on the healthcare sector, and we witnessed ransomware exact a particularly cruel human toll as well. Attacks had an impact on nearly all sectors of the global economy – costing business $20 billion collectively and creating major cybersecurity headaches for others.

https://threatpost.com/ransomware-2020-extortion/162319/

Ransomware Is Headed Down a Dire Path

AT THE END of September, an emergency room technician in the United States gave WIRED a real-time account of what it was like inside their hospital as a ransomware attack raged. With their digital systems locked down by hackers, health care workers were forced onto backup paper systems. They were already straining to manage patients during the pandemic; the last thing they needed was more chaos. "It is a life-or-death situation," the technician said at the time.

The same scenario was repeated around the country this year, as waves of ransomware attacks crashed down on hospitals and health care provider networks, peaking in September and October. School districts, meanwhile, were walloped by attacks that crippled their systems just as students were attempting to come back to class, either in person or remotely. Corporations and local and state governments faced similar attacks at equally alarming rates.

https://www.wired.com/story/ransomware-2020-headed-down-dire-path/

Russia’s global hacking efforts are going to unwind in 2021

Russia has become adept at using cyberattacks and digital-media manipulation to influence events in other countries. We know there was Russian digital interference in the 2016 US general election and the 2017 presidential election in France: both involved fake social-media accounts and “hack-and-leak” operations to steal emails. The UK government has not investigated whether, as must be probable, Russia had also been using its tools of covert subversion during the Scottish independence and Brexit referenda, but it has said that it is almost certain that Russian actors sought to interfere in the 2019 general election through the online dissemination of illicitly acquired government documents, thought to relate to US/UK trade negotiations.

https://www.wired.co.uk/article/uk-us-russia-hacking

Threats

IOT

FBI Warn Hackers are Using Hijacked Home Security Devices for ‘Swatting’

Malware

New Golang worm turns Windows and Linux servers into monero miners

Emotet malware hits Lithuania's National Public Health Centre

GitHub-hosted malware calculates Cobalt Strike payload from Imgur pic

Vulnerabilities

Cross-layer attacks: New hacking technique raises DNS cache poisoning, user tracking risk

Windows Zero-Day Still Circulating After Faulty Fix

Backdoor account discovered in more than 100,000 Zyxel firewalls, VPN gateways

Data Breaches

T-Mobile warns customers of second data breach in less than a year

Kawasaki discloses security breach, potential data leak

Finland says hackers accessed MPs' emails accounts

Organised Crime

21 arrests in nationwide cyber crackdown

Nation State Actors

India: A Growing Cyber Security Threat

Denial of Service

Citrix devices are being abused as DDoS attack vectors

Privacy

Mapped: The Top Surveillance Cities Worldwide

Cryptocurrency

Voyager cryptocurrency broker halted trading due to cyber attack

Other News

Brexit deal mentions Netscape browser and Mozilla Mail

6 Questions Attackers Ask Before Choosing an Asset to Exploit

Deepfake queen to deliver Channel 4 Christmas message

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities and cyber related news from the last week.

Top Cyber Headlines of the Week

The Cyber Threat Is Real and Growing

The SolarWinds breach could be one of the most significant cyber incidents in history. Russian intelligence—likely the SVR, the foreign-intelligence branch—infiltrated and sat undetected on U.S. and other government networks for nearly 10 months. It was a sophisticated, smart and savvy attack that should alarm the public and private sectors.

We may not know the full extent of the damage for some time. Don’t be surprised if more government entities disclose that they too were victims of this attack. Don’t be surprised either if it emerges that private companies were hit. SolarWinds says it has more than 300,000 customers, including 400 companies in the Fortune 500. That’s a lot of potential victims.

https://www.wsj.com/articles/the-cyber-threat-is-real-and-growing-11608484291

Ransomware Attacks Surge in Q3 as Cyber Criminals Shift Tactics

A record growth in ransomware attacks took place in Q3 of 2020 compared to Q2, from 39% to 51% of all malware attempts according to a new study. The study also found that hacking accounted for 30% of all attacks during Q3, with cyber criminals reducing their emphasis on social engineering tactics compared with earlier this year. The researchers noted that the percentage of social engineering attacks using COVID-19 as a lure fell from 16% in Q2 to just 4% in Q3, which they attribute to people becoming more accustomed to this crisis. Additionally, social engineering attacks targeting organizations fell from 67% of all attempts in Q1 to under half (45%) in Q3.

https://www.infosecurity-magazine.com/news/ransomware-attacks-surge-q3/

In 2021, there will be a cyber attack every 11 seconds. Here’s how to protect yourself

Experienced outdoor athletes know that with winter rapidly approaching, the secret to success lies in protecting the core. That is, the body’s core temperature through layering, wicking and a host of ever-improving technical fabrics that prevent the cold, snow and ice from affecting performance. The same could be said for cyber security. With organizations and workers now in their ninth month of COVID-19, the time has come to prepare as the threat of cyber attacks becomes even more menacing.

https://theprint.in/tech/in-2021-there-will-be-a-cyberattack-every-11-seconds-heres-how-to-protect-yourself/565616/

The US, and much of the West, has suffered a massive cyber breach. It's hard to overstate how bad it is

Recent news articles have all been talking about the massive Russian cyber-attack against the United States, but that’s wrong on two accounts. It wasn’t a cyber-attack in international relations terms, it was espionage. And the victim wasn’t just the US, it was the entire world. But it was massive, and it is dangerous.

Espionage is internationally allowed in peacetime. The problem is that both espionage and cyber-attacks require the same computer and network intrusions, and the difference is only a few keystrokes. And since this Russian operation isn’t at all targeted, the entire world is at risk – and not just from Russia. Many countries carry out these sorts of operations, none more extensively than the US. The solution is to prioritize security and defense over espionage and attack.

https://www.theguardian.com/commentisfree/2020/dec/23/cyber-attack-us-security-protocols

Big tech companies including Intel, Nvidia, and Cisco were all infected during the SolarWinds hack

Last week, news broke that IT management company SolarWinds had been hacked, possibly by the Russian government, and the US Treasury, Commerce, State, Energy, and Homeland Security departments have been affected — two of which may have had emails stolen as a result of the hack. Other government agencies and many companies are investigating due to SolarWinds’ extensive client list. The Wall Street Journal is now reporting that some big tech companies have been infected, too.

Cisco, Intel, Nvidia, Belkin, and VMware have all had computers on their networks infected with the malware. There could be far more: SolarWinds had stated that “fewer than 18,000” companies were impacted, as if that number is supposed to be reassuring, and it even attempted to hide the list of clients who used the infected software. Today’s news takes some of SolarWinds’ big-name clients from “possibly affected’’ to “confirmed affected.”

https://www.theverge.com/2020/12/21/22194183/intel-nvidia-cisco-government-infected-solarwinds-hack

Researchers share the lists of victims of SolarWinds hack

Security experts started analyzing the DGA mechanism used by threat actors behind the SolarWinds hack to control the Sunburst/Solarigate backdoor and published the list of targeted organizations. Researchers from multiple cybersecurity firms published a list that contains major companies, including Cisco, Deloitte, Intel, Mediatek, and Nvidia. The researchers decoded the DGA algorithm used by the backdoor to assign a subdomain of the C2 for each of the compromised organizations.

https://securityaffairs.co/wordpress/112555/hacking/solarwinds-victims-lists.html

Threats

Ransomware

Ransomware: Attacks could be about to get even more dangerous and disruptive

IOT

New Critical Flaws in Treck TCP/IP Stack Affect Millions of IoT Devices

Malware

Emotet Returns to Hit 100K Mailboxes Per Day

Microsoft has discovered yet more SolarWinds malware

3 million users hit with infected Google Chrome and Microsoft Edge extensions

Vulnerabilities

Windows zero-day with bad patch gets new public exploit code

Script for detecting vulnerable TCP/IP stacks released

New SUPERNOVA backdoor found in SolarWinds cyberattack analysis

Smart Doorbell Disaster: Many Brands Vulnerable to Attack

Zero-day exploit used to hack iPhones of Al Jazeera employees

Signal: Cellebrite claimed to have 'cracked' chat app's encryption

Data Breaches

There's been a Nintendo Switch data leak, according to reports

Data breach hits 30,000 signed up to workplace pensions provider

Thousands of customer records exposed after serious data breach

Organised Crime

Cyber criminals have started indexing the dark web

Joker’s Stash Carding Site Taken Down

International sting shuts down 'favourite' VPN of cyber criminals

Dark Web Pricing Skyrockets for Microsoft RDP Servers, Payment-Card Data

NSA Warns of Hacking Tactics That Target Cloud Resources

Denial of Service

Cloudflare has identified a new type of DDoS attack inspired by an acoustic beat

Privacy

The pandemic has taken surveillance of workers to the next level

Other News

Dozens of Al Jazeera journalists allegedly hacked using Israeli firm's spyware

Cyber Insurance Market Expected to Surge in 2021

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities and cyber related news from the last week.

Top Cyber Headlines of the Week

The great hack attack: SolarWinds breach exposes big gaps in cyber security

Until this week, SolarWinds was a little known IT software group from Texas. Its deserted lobby has a framed magazine article from a few years ago when it was on a list of America’s “Best Small Companies”.

Now the Austin-based company is at the heart of one of the biggest and most startling cyber hacks in recent history, with ramifications that extend into the fields of geopolitics, espionage and national security.

For nine months, sophisticated state-backed hackers have exploited a ubiquitous SolarWinds software product in order to spy on government and business networks around the world, including in the US, UK, Israel and Canada. Wielding innovative tools and tradecraft, the cyber spies lurked in email services, and posed as legitimate staffers to tap confidential information stored in the cloud.

The bombshell revelations have sent 18,000 exposed SolarWinds customers scrambling to assess whether outsiders did indeed enter their systems, what the damage was and how to fix it.

https://www.ft.com/content/c13dbb51-907b-4db7-8347-30921ef931c2

A wake-up for the world on cyber security

Imagine intruders break into your home and loiter undetected for months, spying on you and deciding which contents to steal. This in essence is the kind of access that hackers, assumed to be Russian, achieved in recent months at US government institutions including the Treasury and departments of commerce and homeland security, and potentially many US companies. If the fear in the Cold War was of occasional “moles” gaining access to secrets, this is akin to a small army of moles burrowing through computer systems. The impact is still being assessed, but it marks one of the biggest security breaches of the digital era.

https://www.ft.com/content/d3fc0b14-4a82-4671-b023-078516ea714e

US government, thousands of businesses now thought to have been affected by SolarWinds security attack

Thousands of businesses and several branches of the US government are now thought to have been affected by the attack on software firm SolarWinds.

The Austin-based company has fallen victim to a massive supply chain attack believed to be the work of state-sponsored hackers.

Along with the US treasury and commerce departments, the Department of Homeland Security is now thought to have been affected by the attack. In a statement to the SEC today, SolarWinds said it had notified 33,000 customers of its recent hack, but that only 18,000 of these used the affected version of its Orion platform.

https://www.techradar.com/uk/news/solarwinds-suffers-massive-supply-chain-attack

White House activates cyber emergency response under Obama-era directive

In the wake of the SolarWinds breach, the National Security Council has activated an emergency cyber security process that is intended to help the government plan its response and recovery efforts, according to White House officials and other sources.

The move is a sign of just how seriously the Trump administration is taking the foreign espionage operation, former NSC officials told CyberScoop.

The action is rooted in a presidential directive issued during the Obama administration known as PPD-41, which establishes a Cyber Unified Coordination Group (UCG) that is intended to help the U.S. government coordinate multiple agencies’ responses to the significant hacking incident.

The UCG is generally led by the Department of Justice — through the FBI and the National Cyber Investigative Joint Task Force — as well as the Office of the Director of National Intelligence and the Department of Homeland Security.

https://www.cyberscoop.com/solarwinds-white-house-national-security-council-emergency-meetings/

Hackers targeted US nuclear weapons agency in massive cyber security breach, reports say

The National Nuclear Security Administration and Energy Department, which safeguard the US stockpile of nuclear weapons, have had their networks hacked as part of the widespread cyber espionage attack on a number of federal agencies.

Politico reports that officials have begun coordinating notifications about the security breach to the relevant congressional oversight bodies.

Suspicious activity was identified in the networks of the Federal Energy Regulatory Commission (FERC), Los Alamos and Sandia national laboratories in New Mexico and Washington, the Office of Secure Transportation, and the Richland Field Office of the Department of Energy.

Officials with direct knowledge of the matter said hackers have been able to do more damage to the network at FERC, according to the report.

https://www.independent.co.uk/news/world/americas/us-politics/hackers-nuclear-weapons-cybersecurity-b1775864.html

Microsoft warns UK companies were targeted by SolarWinds hackers

Microsoft has warned that some of its UK customers have been exposed to the malware used in the Russia-linked SolarWinds hack that targeted US states and government agencies.

More than 40 of the tech giant's customers are thought to have used breached SolarWinds software, including clients in Britain, the US, Canada, Mexico, Belgium, Spain, Israel, and the UAE.

The company would not name the victims, but said they include government agencies, think tanks, non-governmental organisations and IT firms. Microsoft said four in five were in the US, with nearly half of them tech companies.

“This is not ‘espionage as usual,’ even in the digital age,” said Brad Smith, Microsoft's president. “Instead, it represents an act of recklessness that created a serious technological vulnerability for the United States and the world.”

The attackers, believed to be working for the Russian government, got into computer networks by installing a vulnerability in Orion software from SolarWinds.

https://www.telegraph.co.uk/technology/2020/12/18/microsoft-warns-uk-companies-targeted-solarwinds-hackers/

Society at Increasingly High Risk of Cyber Attacks

Cyber attacks are becoming easier to conduct while conversely security is getting increasingly difficult, according to Kevin Curran, senior IEEE member and professor of cyber security, Ulster University, during a virtual media roundtable.

“Any company you can think of has had a data breach,” he commented. “Whenever a data breach happens it weakens our credentials because our passwords are often reused on different websites.”

He observed that the art of hacking doesn’t necessarily require a significant amount of technical expertise anymore, and bad actors can receive substantial help from numerous and readily accessible tools online. “You don’t have to spend seven years in college to learn how to hack, you just have to know about these sites and what terms to use,” noted Curran.

A number of legitimate online mechanisms that can help damaging attacks to be launched by hackers were highlighted by Curran in his presentation. These include Google Dorks, which are “search strings which point to website vulnerabilities.” This means vulnerable accounts can be identified simply via Google searches.

https://www.infosecurity-magazine.com/news/society-increasingly-risk-cyber/

Three million users installed 28 malicious Chrome or Edge extensions

More than three million internet users are believed to have installed 15 Chrome, and 13 Edge extensions that contain malicious code, security firm Avast said today.

The 28 extensions contained code that could perform several malicious operations, including:

-redirect user traffic to ads

-redirect user traffic to phishing sites

-collect personal data, such as birth dates, email addresses, and active devices

-collect browsing history

-download further malware onto a user's device

But despite the presence of code to power all the above malicious features, Avast researchers said they believe the primary objective of this campaign was to hijack user traffic for monetary gains.

https://www.zdnet.com/article/three-million-users-installed-28-malicious-chrome-or-edge-extensions/

Vaccines for sale on dark web as criminals target pandemic profits

Black market vendors were offering coronavirus vaccines for sale on hidden parts of the internet days after the first Covid-19 shot was approved this month, as criminals seek to profit from global demand for inoculations.

One such offer on the so-called dark web, traced by cyber security company Check Point Software, was priced at $250 with the seller promising “stealth” delivery in double-wrapped packaging. Shipping from the US via post or a leading courier company would cost $20, with an extra $5 securing overnight delivery.

https://www.ft.com/content/8bfc674e-efe6-4ee0-b860-7fcb5716bed6

Threats

Ransomware

• FBI says DoppelPaymer ransomware gang is harassing victims who refuse to pay

• House purchases in Hackney fall through following cyber attack against council

• Ransomware masterminds claim to have nabbed 53GB of data from Intel's Habana LabsRansomware masterminds claim to have nabbed 53GB of data from Intel's Habana Labs

• Mount Locker Ransomware Offering Double Extortion Scheme to Other Hackers

• PLEASE_READ_ME Ransomware Attacks 85K MySQL Servers

• Ransomware operators use SystemBC RAT as off-the-shelf Tor backdoor

Phishing

• Subway Sandwich Loyalty-Card Users Suffer Ham-Handed Phishing Scam

• Microsoft Office 365 Credentials Under Attack By Fax ‘Alert’ Emails

IoT

• Millions of Unpatched IoT, OT Devices Threaten Critical Infrastructure

Malware

• New iOS and Android spyware responsible for multi-layered sextortion campaign

• Google Chrome, Firefox, Edge hijacked by massive malware attack: What you need to know

• New Windows malware may soon target Linux, macOS devices

• This nasty malware is infecting every web browser — what to do now

• Tor malware is becoming a worryingly popular ransomware tool

Vulnerabilities

• Total Published CVEs Hits Record High for Fourth Year

• Israeli Phone-hacking Firm Claims It Can Now Break Into Encrypted Signal App

• F5 warns over ‘critical’ XSS flaw in BIG-IP

• PgMiner botnet exploits disputed CVE to hack unsecured PostgreSQL DBs

• Zero-day in WordPress SMTP plugin abused to reset admin account passwords

• Sophos fixes SQL injection vulnerability in their Cyberoam OS

• Wormable code-execution flaw in Cisco Jabber has a severity rating of 9.9 out of 10

• HPE discloses critical zero-day in Systems Insight Manager

Data Breaches

• Twitter hit with €450,000 GDPR fine nearly two years after disclosing data breach

• Data Leak Exposes Details of Two Million Chinese Communist Party Members

• Spotify Changes Passwords After Another Data Breach

• Massive Instagram 'click farm' found following data breach

• Tech unicorn UiPath discloses data breach

• People's Energy data breach affects all 270,000 customers

Organised Crime

• Lithuania Suffers "Most Complex" Cyber-attack in Years

Nation State Actors

• Enough is enough. Here’s what we should do to defend against the next Russian cyber attacks.

• Facebook Shutters Accounts Used in APT32 Cyber attacks

Privacy

• UK police unlawfully processing over a million people’s data on Microsoft 365

• Sci-fi surveillance: Europe's secretive push into biometric technology

Other News

• Analysis of 5G Network Security Reveals Attack Possibilities

Reports Published in the Last Week

• ENISA Threat Landscape for 5G Networks Report

• ENISA AI Threat Landscape Report Unveils Major Cyber Security Challenges

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities and cyber related news from the last week.

Top Cyber Headlines of the Week

Cyber crime costs the world more than $1 trillion, a 50% increase from 2018

Cyber crime costs the world economy more than $1 trillion, or just more than one percent of global GDP, which is up more than 50 percent from a 2018 study that put global losses at close to $600 billion. Beyond the global figure, the report also explored the damage reported beyond financial losses, finding 92 percent of companies felt effects beyond monetary losses.

https://www.helpnetsecurity.com/2020/12/07/cybercrime-costs-world/

FireEye, one of the world's largest security firms, discloses security breach

FireEye, one of the world largest security firms, said today it was hacked and that a "highly sophisticated threat actor" accessed its internal network and stole hacking tools FireEye uses to test the networks of its customers.

The firm said the threat actor also searched for information related to some of the company's government customers.

The attacker was described as a "highly sophisticated threat actor, one whose discipline, operational security, and techniques lead us to believe it was a state-sponsored attack."

https://www.zdnet.com/article/fireeye-one-of-the-worlds-largest-security-firms-discloses-security-breach/

Chinese Breakthrough in Quantum Computing a Warning for Security Teams

China’s top quantum-computer researchers have reported that they have achieved quantum supremacy, i.e., the ability to perform tasks a traditional supercomputer cannot. And while it’s a thrilling development, the inevitable rise of quantum computing means security teams are one step closer to facing a threat more formidable than anything before.

https://threatpost.com/chinese-quantum-computing-warning-security/161935/

Ransom payouts hit record-highs, surging 178% in a year

Average ransom payouts increased by 178% in the third quarter of this year, from $84,000 (£63,000) to almost £234,000, compared with the year before. Ransomware payments reached record-highs in 2020 as employees shifted to remote working to curb the spread of the coronavirus pandemic, creating more attack vectors for hackers.

https://uk.finance.yahoo.com/news/ransomware-payouts-hacking-computers-hit-record-highs-surging-134527988.html

Ransomware Set for Evolution in Attack Capabilities in 2021

Ransomware is set to evolve into a greater threat in 2021 as service offerings and collaborations increase. The year turned out “different than predicted” and the shift to working from home also impacted the e-crime landscape. “This created an industrialization of e-crime groups and their abilities to extend from single groups into business pipelines”

https://www.infosecurity-magazine.com/news/ransomware-evolution-capabilities/

How Organisations Can Prevent Users from Using Breached Passwords

There is no question that attackers are going after your sensitive account data. Passwords have long been a target of those looking to compromise your environment. Why would an attacker take the long, complicated way if they have the keys to the front door?

https://thehackernews.com/2020/12/how-organizations-can-prevent-users.html

Threats

Ransomware

• Hackers demand $34.7 million in Bitcoin after ransomware attack on Foxconn

• Ransomware forces hosting provider Netgain to take down data centers

• Ransomware-struck schools reject £1m demand from crims in timely reminder to always mind the air-gap

• 'Malwareless' ransomware campaign operators pwned 83k victims' MySQL servers, 250k databases up for sale

• Ransomware hits helicopter maker Kopter

Phishing

• Spearphishing Attack Spoofs Microsoft.com to Target 200M Office 365 Users

• Adobe users targeted in dangerous new phishing campaign

IOT

• Millions of IoT devices could be vulnerable to these unfixable security bugs

Malware

• Qbot malware switched to stealthy new Windows autostart method

• Microsoft exposes Adrozek, malware that hijacks Chrome, Edge, and Firefox

• Social media sharing icons could harbor info-stealing malware

• All-new Windows 10 malware is excellent at evading detection

• Rana Android Malware Updates Allow WhatsApp, Telegram IM Snooping

Vulnerabilities

• Critical, Unpatched Bugs Open GE Radiological Devices to Remote Code Execution

• Amnesia:33 vulnerabilities impact millions of smart and industrial devices

• Microsoft December 2020 Patch Tuesday security update address 58 vulnerabilities, 22 of them are remote code execution vulnerabilities.

• Expert discloses zero-click, wormable flaw in Microsoft Teams

• NSA Warns: Patched VMware Bug Under Active Attack

Data Breaches

• FireEye, one of the world's largest security firms, discloses security breach

• HMRC admits to 26 data breaches during 2019-20

• Hackers leak data from Embraer, world's third-largest airplane maker

• Payment service PayPay hacked

Threat Actors

• Norway says Russian hacking group APT28 is behind August 2020 Parliament hack

Insider Threats

• Bank Employee Sells Personal Data of 200,000 Clients

Other News

• Experian predicts 5 key data breach targets for 2021

• 6 new ways threat actors will attack in 2021

• Research: Millions of smart devices vulnerable to hacking

• Finland passes new 5G security law to ban risky equipment

• Ransomware attacks target backup systems, compromising the company ‘insurance policy’

Reports Published in the Last Week

• Sophos 2021 Threat Report

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities and cyber related news from the last week.

Top Cyber Headlines of the Week

Covid vaccine supply chain targeted by hackers, say security experts

Cyber attackers have targeted the cold supply chain needed to deliver Covid-19 vaccines, according to a report detailing a sophisticated operation likely backed by a nation state. 

The hackers appeared to be trying to disrupt or steal information about the vital processes to keep vaccines cold as they travel from factories to hospitals and doctors’ offices.

https://www.ft.com/content/9c303207-8f4a-42b7-b0e4-cf421f036b2f

Criminals to Favour Ransomware and BEC Over Breaches in 2021

The era of the mega-breach may be coming to an end as cyber-criminals eschew consumers’ personal data and focus on phishing and ransomware.

Cyber-criminals are relying less on stolen personal information and more on “poor consumer behaviors” such as password reuse to monetize attacks.

https://www.infosecurity-magazine.com/news/criminals-favor-ransomware-bec/

Bank Employee Sells Personal Data of 200,000 Clients

South Africa–based financial services group Absa has stated that one of its employees sold the personal information of 200,000 clients to third parties.

The group confirmed on Wednesday that the illegal activity had occurred and that 2% of Absa's retail customer base had been impacted.

The employee allegedly responsible for it was a credit analyst who had access to the group's risk-modeling processes.

Data exposed as a result of the security incident included clients' ID numbers, addresses, contact details, and descriptions of vehicles that they had purchased on finance.

https://www.infosecurity-magazine.com/news/bank-employee-sells-personal-data/

LastPass review: Still the leading password manager, despite security history

"'Don't put all your eggs in one basket' is all wrong. I tell you 'put all your eggs in one basket, and then watch that basket,'" said industrialist Andrew Carnegie in 1885. When it comes to privacy tools, he's usually dead wrong. In the case of password managers, however, Carnegie is usually more dead than wrong. To wit, I have been using LastPass so long I don't know when I started using LastPass and, for now, I've got no reason to change that. 

https://www.cnet.com/news/lastpass-review-still-the-leading-password-manager-despite-security-history/

The most significant security innovations of 2020

Who gets access? That is the question that drives every security measure and innovation that’s landed on PopSci’s annual compendium since we launched the category in 2008. Every year, that question gets bigger and bigger. In 2020, the world quaked under a global pandemic that took 1.4 million lives, the US saw a rebirth in its civil rights movement, and a spate of record-breaking wildfires forced entire regions to evacuate. And those are just the new scares. A buildup of angst against ad trackers and app snooping led to major changes in hardware and software alike. It was a year full of lessons, nuances, and mini revolutions, and we strive to match that with our choices.

https://www.popsci.com/story/technology/most-important-security-innovations-2020/

2020 security priorities: Pandemic changing short- and long-term approaches to risk

Security planning and budgeting is always an adventure. You can assess current risk and project the most likely threats, but the only real constant in cybersecurity risk is its unpredictability. Layer a global pandemic on top of that and CISOs suddenly have the nearly impossible task of deciding where to request and allocate resources in 2021.

Show how the COVID pandemic has changed what security focuses on now and what will drive security priorities and spending in 2021. Based on a survey of 522 security professionals from the US, Asia/Pacific and Europe, the study reveals how the pandemic has changed the way organizations assess risk and respond to threats—permanently.

https://www.csoonline.com/article/3598393/new-study-shows-pandemic-changing-short-and-long-term-approaches-to-risk.html

Cyber risks take the fun out of connected toys

As Christmas approaches, internet-enabled smart toys are likely to feature heavily under festive trees. While some dolls of decades past were only capable of speaking pre-recorded phrases, modern equivalents boast speech recognition and can search for answers online in real time.

Other connected gadgets include drones or cars such as Nintendo’s Mario Kart Live Home Circuit, where players race each other in a virtual world modelled after their home surroundings.

But for all the fun that such items can bring, there is a risk — poorly-secured Internet of Things toys can be turned into convenient tools for hackers.

https://www.ft.com/content/c653e977-435f-4553-8401-9fa9b0faf632

Remote Workers Admit Lack of Security Training

A third of remote working employees have not received security training in the last six months.

400 remote workers in the UK across multiple industries, while 83% have had access to security best practice training and 88% are familiar with IT security policies, 32% have received no security training in the last six months.

Also, 50% spend two or more hours a week on IT issues, and 42% felt they had to go around the security policies of their organization to do their job.

https://www.infosecurity-magazine.com/news/remote-workers-training/ 

Threats

Ransomware

Delaware County Pays $500,000 Ransom After Outages

A US county is in the process of paying half-a-million dollars to ransomware extorters who locked its local government network, according to reports.

Pennsylvania’s Delaware County revealed the attack last week, claiming in a notice that it had disrupted “portions of its computer network.

“We commenced an immediate investigation that included taking certain systems offline and working with computer forensic specialists to determine the nature and scope of the event. We are working diligently to restore the functionality of our systems,” it said.

https://www.infosecurity-magazine.com/news/delaware-county-pays-500k-ransom/

MasterChef Producer Hit by Double Extortion Ransomware

A multibillion-dollar TV production company has become the latest big corporate name caught out by ransomware, it emerged late last week.

The firm owns over 120 production firms around the world, delivering TV shows ranging from MasterChef and Big Brother to Black Mirror and The Island with Bear Grylls.

In a short update last Thursday, it claimed to be managing a “cyber-incident” affecting the networks of Endemol Shine Group and Endemol Shine International, Dutch firms it acquired in a $2.2bn deal in July.

Although ransomware isn’t named in the notice, previous reports suggest the firm is being extorted.

https://www.infosecurity-magazine.com/news/masterchef-producer-double/

Sopra Steria to take multi-million euro hit on ransomware attack

The company revealed in October that it had been hit by hackers using a new version of Ryuk ransomware.

It now says that the fallout, with various systems out of action, is likely to have a gross negative impact on operating margin of between €40 million and €50 million.

The group's insurance coverage for cyber risks is EUR30 million, meaning that negative organic revenue growth for the year is now expected to be between 4.5% and five per cent (previously between two per cent and four per cent). Free cash flow is now expected to be between €50 million and €100 million (previously between €80 million and €120 million).

https://www.finextra.com/newsarticle/37020/sopra-steria-to-take-multi-million-euro-hit-on-ransomware-attack

BEC

FBI: BEC Scams Are Using Email Auto-Forwarding

The agency notes in an alert made public this week that since the COVID-19 pandemic began, leading to an increasingly remote workforce, BEC scammers have been taking advantage of the auto-forwarding feature within compromised email inboxes to trick employees to send them money under the guise of legitimate payments to third parties.

This tactic works because most organizations do not sync their web-based email client forwarding features with their desktop client counterparts. This limits the ability of system administrators to detect any suspicious activities and enables the fraudsters to send malicious emails from the compromised accounts without being detected, the alert, sent to organizations in November and made public this week, notes.

https://www.bankinfosecurity.com/fbi-bec-scams-are-using-email-auto-forwarding-a-15498

Phishing

Phishing lures employees with fake 'back to work' internal memos

Scammers are trying to steal email credentials from employees by impersonating their organization's human resources (HR) department in phishing emails camouflaged as internal 'back to work' company memos.

These phishing messages have managed to land in thousands of targeted individuals' mailboxes after bypassing G Suite email defences according to stats provided by researchers at email security company Abnormal Security who spotted this phishing campaign.

There is a high probability that some of the targets will fall for the scammers' tricks given that during this year's COVID-19 pandemic most companies have regularly emailed their employees with updates regarding remote working policy changes.

https://www.bleepingcomputer.com/news/security/phishing-lures-employees-with-fake-back-to-work-internal-memos/

Warning: Massive Zoom phishing targets Thanksgiving meetings

Everyone should be on the lookout for a massive ongoing phishing attack today, pretending to be an invite for a Zoom meeting. Hosted on numerous landing pages, BleepingComputer has learned that thousands of users' credentials have already been stolen by the attack.

With many in the USA hosting virtual Thanksgiving dinners and people in other countries conducting Zoom business meetings, as usual, today is a prime opportunity to perform a phishing attack using Zoom invite lures.

https://www.bleepingcomputer.com/news/security/warning-massive-zoom-phishing-targets-thanksgiving-meetings/

Malware

All-new Windows 10 malware is excellent at evading detection

Security researchers at Kaspersky have discovered a new malware strain developed by the hacker-for-hire group DeathStalker that has been designed to avoid detection on Windows PCs.

While the threat actor has been active since at least 2012, DeathStalker first drew Kaspersky's attention back in 2018 because of its distinctive attack characteristics which didn't resemble those employed by cybercriminals or state-sponsored hackers.

https://www.techradar.com/news/all-new-windows-10-malware-is-excellent-at-evading-detection

New TrickBot version can tamper with UEFI/BIOS firmware

The operators of the TrickBot malware botnet have added a new capability that can allow them to interact with an infected computer's BIOS or UEFI firmware.

The new capability was spotted inside part of a new TrickBot module, first seen in the wild at the end of October, security firms Advanced Intelligence and Eclypsium said in a joint report published today.

The new module has security researchers worried as its features would allow the TrickBot malware to establish more persistent footholds on infected systems, footholds that could allow the malware to survive OS reinstalls.

https://www.zdnet.com/article/new-trickbot-version-can-tamper-with-uefibios-firmware/

Russia-linked APT Turla used a new malware toolset named Crutch

Russian-linked APT group Turla has used a previously undocumented malware toolset, named Crutch, in cyberespionage campaigns aimed at high-profile targets, including the Ministry of Foreign Affairs of a European Union country.

The Turla APT group (aka Snake, Uroburos, Waterbug, Venomous Bear and KRYPTON) has been active since at least 2007 targeting diplomatic and government organizations and private businesses in the Middle East, Asia, Europe, North and South America, and former Soviet bloc nations.

https://securityaffairs.co/wordpress/111813/apt/turla-crutch-malware-platform.html

MacBooks under attack by dangerous malware: What to do

a recent spate of malware attacks targeting macOS of late that installs backdoors to steal sensitive personal information. The security firm discovered that a new malware variant is being used online and backed by a rogue nation-state hacking group known as OceanLotus, which also operates under the name AKTP2 and is based in Vietnam. 

The new malware was created by OceanLotus due to the “similarities in dynamic behavior and code” from previous malware connected to the Vietnamese-based hacking group. 

https://www.laptopmag.com/news/macbooks-under-attack-by-dangerous-malware-what-to-do

Hackers Using Monero Mining Malware as Decoy, Warns Microsoft

The company’s intelligence team said a group called BISMUTH hit government targets in France and Vietnam with relatively conspicuous monero mining trojans this summer. Mining the crypto generated side cash for the group, but it also distracted victims from BISMUTH’s true campaign: credential theft.

Crypto-jacking “allowed BISMUTH to hide its more nefarious activities behind threats that may be perceived to be less alarming because they’re ‘commodity’ malware,” Microsoft concluded. It said the conspicuousness of monero mining fits BISMUTH’s “hide in plain sight” MO.

Microsoft recommended organizations stay vigilant against crypto-jacking as a possible decoy tactic.

https://www.coindesk.com/hackers-using-monero-mining-malware-as-decoy-warns-microsoft

Vulnerabilities

Zerologon is now detected by Microsoft Defender for Identity

There has been a huge focus on the recently patched CVE-2020-1472 Netlogon Elevation of Privilege vulnerability, widely known as ZeroLogon. While Microsoft strongly recommends that you deploy the latest security updates to your servers and devices, we also want to provide you with the best detection coverage possible for your domain controllers. Microsoft Defender for Identity along with other Microsoft 365 Defender solutions detect adversaries as they try to exploit this vulnerability against your domain controllers.

https://www.microsoft.com/security/blog/2020/11/30/zerologon-is-now-detected-by-microsoft-defender-for-identity/

Privacy

'We've heard the feedback...' Microsoft 365 axes per-user productivity monitoring after privacy backlash

If you heard a strange noise coming from Redmond today, it was the sound of some rapid back-pedalling regarding the Productivity Score feature in its Microsoft 365 cloud platform.

Following outcry from subscribers and privacy campaigners, the Windows giant has now vowed to wind back the functionality so that it no longer produces scores for individual users, and instead just summarizes the output of a whole organization. It was feared the dashboard could have been used by bad bosses to measure the productivity of specific employees using daft metrics like the volume of emails or chat messages sent through Microsoft 365.

https://www.theregister.com/2020/12/01/productivity_score/

Other News

Think-Tanks Under Attack by Foreign APTs, CISA Warns

AI needed to vet 100 billion cyber threat items per day

Cloud native security: A maturing and expanding arena

MOD Corsham seeks new recruits to combat cyber warfare

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities and cyber related news from the last week.

Top Cyber Headlines of the Week

Hundreds of C-level executives’ credentials available for $100 to $1500 per account

A credible threat actor is offering access to the email accounts of hundreds of C-level executives for $100 to $1500 per account.

The availability of access to the email accounts of C-level executives could allow threat actors to carry out multiple malicious activities, from cyber espionage to BEC scams.

The threat actor is selling login credentials for Office 365 and Microsoft accounts and the price depends on the size of the C-level executives’ companies and the internal role of the executive.

The threat actor claims its database includes login credentials of high-level executives such as:

CEO, CTO, COO, CFO, CMO. President, Vice President, Executive Assistant, Finance Manager, Accountant, Director, Finance Director, Financial Controller and Accounts Payables

https://securityaffairs.co/wordpress/111588/cyber-crime/executives-credentials-dark-web.html

This Bluetooth Attack Can Steal a Tesla Model X in Minutes

Tesla has always prided itself on its so-called over-the-air updates, pushing out new code automatically to fix bugs and add features. But one security researcher has shown how vulnerabilities in the Tesla Model X's keyless entry system allow a different sort of update:

A hacker could rewrite the firmware of a key fob via Bluetooth connection, lift an unlock code from the fob, and use it to steal a Model X in just a matter of minutes.

https://www.wired.com/story/tesla-model-x-hack-bluetooth/

Three members of TMT cybercrime group arrested in Nigeria

Three Nigerians suspected of being part of a cybercrime group that has made tens of thousands of victims around the world have been arrested today in Lagos, Nigeria, Interpol reported.

In a report disclosing its involvement in the investigation, security firm Group-IB said the three suspects are members of a cybercrime group they have been tracking since 2019 and which they have been tracking under the codename of TMT.

Group-IB said the group primarily operated by sending out mass email spam campaigns containing files laced with malware.

https://www.zdnet.com/article/three-members-of-tmt-cybercrime-group-arrested-in-nigeria/

Cyber criminals make £2.5m raid on law firms in lockdown

The large number of lawyers working from home has become a magnet for cyber criminals, the Solicitors Regulation Authority has said, revealing a 300% increase in phishing scams in the first two months of lockdown alone.

In the first half of 2020, firms reported that nearly £2.5m held by them had been stolen by cybercriminals, more than three times the amount reported in the same period in 2019.

Law firm staff working remotely on less secure devices than the office network and those without dedicated office space finding it hard to keep information confidential. Those using video meetings also need to make sure that unauthorised parties cannot overhear or see a confidential meeting.

https://www.lawgazette.co.uk/news/cyber-criminals-make-25m-raid-on-law-firms-in-lockdown/5106526.article

Hackers post athletes’ naked photos online

Four British athletes are among hundreds of female sports stars and celebrities whose intimate photographs and videos have been posted online in a targeted cyberattack.

The hack, which the athletes became aware of this week, has caused panic and one leading sports agency has advised its clients to take extra measures to protect their private data.

The athletes, who had photographs and videos stolen from their phones, were considering steps last night to have the material removed from the dark net.

https://www.thetimes.co.uk/article/hackers-post-athletes-naked-photos-online-86sq27hgl

Threats

Ransomware

Manchester United hackers 'demanding million-pound ransom'

Manchester United are still suffering the effects of a significant cyberattack that targeted the club earlier this week.

Following last weekend's 'sophisticated' attack, the club has revealed it is still suffering severe disruption to its internal systems, several of which had to be shut down following the incident.

Reports have also claimed that the hackers are demanding "millions of pounds" before they let the club regain full control.

https://www.techradar.com/sg/news/manchester-united-hackers-demanding-million-pound-ransom

Egregor Ransomware Attack Hijacks Printers to Spit Out Ransom Notes

The South American retail giant Cencosud was hit with ransomware last week? The retailer was infected by an Egregor ransomware attack which, in time honoured fashion, stole sensitive files that it found on the compromised network, and encrypted data on Cencosud’s drives to lock workers out of the company’s data.

A text file was left on infected Windows computers, telling the store that private data would be shared with the media if it was not prepared to begin negotiating with the hackers within three days.

That’s nothing unusual, but Egregor’s novel twist is that it can also tell businesses that their computer systems are well and truly breached by sending its ransom note to attached printers.

https://www.tripwire.com/state-of-security/featured/egregor-ransomware-attack-hijacks-printers-spit-out-ransom-notes/

Sopra Steria: Adding up outages and ransomware clean-up, Ryuk attack will cost us up to €50m

Sopra Steria has said a previously announced Ryuk ransomware infection will not only cost it "between €40m and €50m" but will also deepen expected financial losses by several percentage points.

The admission comes weeks after the French-headquartered IT outsourcing firm's Active Directory infrastructure was compromised by malicious people who deployed the Ryuk ransomware, using what the company called "a previously unknown strain."

https://www.theregister.com/2020/11/25/sopra_steria_ransomware_damage_50m_euros/

Phishing

GoDaddy scam shows how voice phishing can be more deceptive than email schemes

Companies can protect employees from phishing schemes through a combination of training, secure email gateways and filtering technologies. But what protects workers from phone-based voice phishing (vishing) scams, like the kind that recently targeted GoDaddy and a group of cryptocurrency platforms that use the Internet domain registrar service?

Experts indicate that there are few easy answers, but organizations intent on putting a stop to such activity may have to push for more secure forms of verification, escalation procedures for sensitive requests, and better security awareness of account support staffers and other lower-level employees.

https://www.scmagazine.com/home/security-news/phishing/godaddy-scam-shows-how-voice-phishing-can-be-more-deceptive-than-email-schemes/

Google Services Weaponized to Bypass Security in Phishing, BEC Campaigns

A spike in recent phishing and business email compromise (BEC) attacks can be traced back to criminals learning how to exploit Google Services, according to research from Armorblox.

Social distancing has driven entire businesses into the arms of the Google ecosystem looking for a reliable, simple way to digitize the traditional office. A report detailing how now-ubiquitous services like Google Forms, Google Docs and others are being used by malicious actors to give their spoofing attempts a false veneer of legitimacy, both to security filters and victims.

https://threatpost.com/google-services-weaponized-to-bypass-security-in-phishing-bec-campaigns/161467/

Malware

Malware creates scam online stores on top of hacked WordPress sites

A new cybercrime gang has been seen taking over vulnerable WordPress sites to install hidden e-commerce stores with the purpose of hijacking the original site's search engine ranking and reputation and promote online scams.

The attacks were discovered earlier this month targeting a WordPress honeypot which was set up and managed.

The attackers leveraged brute-force attacks to gain access to the site's admin account, after which they overwrote the WordPress site's main index file and appended malicious code.

https://www.zdnet.com/article/malware-creates-online-stores-on-top-of-hacked-wordpress-sites/

Enter WAPDropper – An Android Malware Subscribing Victims to Premium Services by Telecom Companies

WAPDropper, a new malware which downloads and executes an additional payload. In the current campaign, it drops a WAP premium dialler which subscribes its victims to premium services without their knowledge or consent.

The malware, which belongs to a newly discovered family, consists of two different modules: the dropper module, which is responsible for downloading the 2nd stage malware, and a premium dialler module that subscribes the victims to premium services offered by legitimate sources – In this campaign, telecommunication providers in Thailand and Malaysia.
https://research.checkpoint.com/2020/enter-wapdropper-subscribe-users-to-premium-services-by-telecom-companies/

LightBot: TrickBot’s new reconnaissance malware for high-value targets

The notorious TrickBot gang has released a new lightweight reconnaissance tool used to scope out an infected victim's network for high-value targets.

Over the past week, security researchers began to see a phishing campaign normally used to distribute TrickBot's BazarLoader malware switch to installing a new malicious PowerShell script.

https://www.bleepingcomputer.com/news/security/lightbot-trickbot-s-new-reconnaissance-malware-for-high-value-targets/

IoT

The smart video doorbells letting hackers into your home

Smart doorbells with cameras let you see who’s at the door without getting up off the sofa, but in-depth security testing has found some are leaving your home wide open to uninvited guests.

With internet-connected smart tech on the rise, smart doorbells are a common sight on UK streets. Popular models, such as Ring and Nest doorbells, are expensive, but scores of similar looking devices have popped up on Amazon, eBay and Wish at a fraction of the price.

https://www.which.co.uk/news/2020/11/the-smart-video-doorbells-letting-hackers-into-your-home/

Password Attacks

Up to 350,000 Spotify accounts hacked in credential stuffing attacks

An unsecured internet-facing database containing over 380 million individual records, including login credentials that were leveraged for breaking into 300,000 to 350,000 Spotify accounts. The exposed records included a variety of sensitive information such as people’s usernames and passwords, email addresses, and countries of residence.

The treasure trove of data was stored on an unsecured Elasticsearch server that was uncovered. Both the origin and owners of the database remain unknown. However, the researchers were able to validate the veracity of the data as Spotify confirmed that the information had been used to defraud both the company and its users.

https://www.welivesecurity.com/2020/11/24/350000-spotify-accounts-hacked-credential-stuffing-attacks/

Passwords exposed for almost 50,000 vulnerable Fortinet VPNs

A hacker has now leaked the credentials for almost 50,000 vulnerable Fortinet VPNs.

Over the weekend a hacker had posted a list of one-line exploits to steal VPN credentials from these devices.

Present on the list of vulnerable targets are IPs belonging to high street banks, telecoms, and government organizations from around the world.

https://www.bleepingcomputer.com/news/security/passwords-exposed-for-almost-50-000-vulnerable-fortinet-vpns/

Vulnerabilities

UK urges orgs to patch critical MobileIron RCE bug

The UK National Cyber Security Centre (NCSC) issued an alert yesterday, prompting all organizations to patch the critical CVE-2020-15505 remote code execution (RCE) vulnerability in MobileIron mobile device management (MDM) systems.

An MDM is a software platform that allows administrators to remotely manage mobile devices in their organization, including the pushing out of apps, updates, and the ability to change settings. This management is all done from a central location, such as an admin console running on the organization's server, making it a prime target for attackers.

https://www.bleepingcomputer.com/news/security/uk-urges-orgs-to-patch-critical-mobileiron-cve-2020-15505-rce-bug/

Critical Unpatched VMware Flaw Affects Multiple Corporates Products

VMware has released temporary workarounds to address a critical vulnerability in its products that could be exploited by an attacker to take control of an affected system.

"A malicious actor with network access to the administrative configurator on port 8443 and a valid password for the configurator admin account can execute commands with unrestricted privileges on the underlying operating system," the virtualization software and services firm noted in its advisory.

Tracked as CVE-2020-4006, the command injection vulnerability has a CVSS score of 9.1 out of 10 and impacts VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector.

https://thehackernews.com/2020/11/critical-unpatched-vmware-flaw-affects.html

GitHub fixes 'high severity' security flaw spotted by Google

GitHub has finally fixed a high severity security flaw reported to it by Google Project Zero more than three months ago.

The bug affected GitHub's Actions feature – a developer workflow automation tool was "highly vulnerable to injection attacks".

GitHub's Actions support a feature called workflow commands as a communication channel between the Action runner and the executed action.

https://www.zdnet.com/article/github-fixes-high-severity-security-flaw-spotted-by-google/

Google Chrome users still vulnerable to multiple zero-day attacks

As business users and consumers have moved most of their workloads to the cloud, more and more of their work is being done in web browsers such as Google Chrome as opposed to in applications installed locally on their systems.

This means that the web browser is now an essential yet vulnerable entry point that if compromised, could give cybercriminals access to a user's entire digital life including their email, online banking, social networks and more. However, despite this risk, users are failing to update to the latest version of Google Chrome.

https://www.techradar.com/news/google-chrome-users-still-vulnerable-to-multiple-zero-day-attacks

Microsoft releases patching guidance for Kerberos security bug

Released details on how to fully mitigate a security feature bypass vulnerability in Kerberos KDC (Key Distribution Centre) patched during this month's Patch Tuesday.

The remotely exploitable security bug tracked as CVE-2020-17049 exists in the way KDC decides if service tickets can be used for delegation via Kerberos Constrained Delegation (KCD).

Kerberos is the default authentication protocol for domain connected devices running Windows 2000 or later. Kerberos KDC is a feature that manages service tickets used for encrypting messages between network servers and clients.

https://www.bleepingcomputer.com/news/microsoft/microsoft-releases-patching-guidance-for-kerberos-security-bug/

Data Breaches

Sophos notifies customers of data exposure after database misconfiguration

UK-based cyber-security vendor Sophos is currently notifying customers via email about a security breach the company suffered earlier this week.

Exposed information included details such as customer first and last names, email addresses, and phone numbers (if provided).

https://www.zdnet.com/article/sophos-notifies-customers-of-data-exposure-after-database-misconfiguration/

Privacy

Microsoft productivity score feature criticised as workplace surveillance

Microsoft has been criticised for enabling “workplace surveillance” after privacy campaigners warned that the company’s “productivity score” feature allows managers to use Microsoft 365 to track their employees’ activity at an individual level.

The tools, first released in 2019, are designed to “provide you visibility into how your organisation works”, according to a Microsoft blogpost, and aggregate information about everything from email use to network connectivity into a headline percentage for office productivity.

https://www.theguardian.com/technology/2020/nov/26/microsoft-productivity-score-feature-criticised-workplace-surveillance

Other News

Robot vacuum cleaners can eavesdrop on your conversations, researchers reveal - Bitdefender

You can protect the company from hackers, but can you protect the company from the CEO?

Botnets have been silently mass-scanning the internet for unsecured ENV files | ZDNet

Windows 10 KB4586819 update fixes gaming and USB 3.0 issues (bleepingcomputer.com)

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities and cyber related news from the last week.

Top Cyber Headlines of the Week

Cyber crime is 'a constant threat' to SMEs

Criminals are diversifying and growing more dangerous, while SMEs remain complacent and mostly oblivious to the threats.

With a quarter of small and medium-sized enterprises (SME) falling victim to a cyberattack in the last 12 months, the threat towards these organizations is constant. This is according to a new report from Direct Line – Business, which claims that businesses aren't doing all they can to stay safe.

The report states that, if a cyber attack were to occur, many organisations would find themselves in a seriously dangerous position given they hold less than $13,000 in cash reserves. Besides financial damage, many should also expect damaged client and customer relationships due to eroded trust.

With cybercriminals diversifying into different methods of attack, SMEs need to stay vigilant on multiple fronts. Phishing is still the most popular weapon for criminals, the report states, but malware and ransomware, as well as DDoS attacks, are also notable mentions.

https://www.itproportal.com/features/cybercrime-is-a-constant-threat-to-smes/

The most common passwords of 2020 are atrocious

Bottom line: Choosing secure passwords has never been humanity’s strong suit and let’s face it, it’s never going to be. People simply have too many accounts to protect these days, leading to poor practices such as simplifying passwords to make them easier to remember and reusing the same password across multiple accounts.

https://www.techspot.com/news/87657-most-common-passwords-2020-atrocious.html#Share

Why ransomware is still so successful: Over a quarter of victims pay the ransom

Over a quarter of organisations that fall victim to ransomware attacks opt to pay the ransom as they feel as if they have no other option than to give into the demands of cyber criminals – and the average ransom amount is now more than $1 million.

https://www.zdnet.com/article/why-ransomware-is-still-so-successful-over-a-quarter-of-victims-pay-the-ransom/

Cyber crime is maturing. Here are 6 ways organisations can keep up

In 2020, the world has experienced many challenges. Among them, hastened digitalisation has brought new opportunities but also new risks. According to the World Economic Forum Global Risks Report 2020, cyber attacks rank first among global human-caused risks and RiskIQ predicts that by 2021 cyber crime will cost the world $11.4 million each minute.

https://www.weforum.org/agenda/2020/11/how-to-protect-companies-from-cybercrime/

Ransomware-as-a-service: The pandemic within a pandemic

Ransomware is a massive problem. But you already knew that.

Technical novices, along with seasoned cyber security professionals, have witnessed over the past year a slew of ransomware events that have devastated enterprises around the world. Even those outside of cyber security are now familiar with the concept: criminals behind a keyboard have found a way into an organization’s system, prevented anyone from actually using it by locking it up, and won’t let anyone resume normal activity until the organization pays a hefty fee.

https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/

CISOs say a distributed workforce has critically increased security concerns

73% of security and IT executives are concerned about new vulnerabilities and risks introduced by the distributed workforce, Skybox Security reveals.

The report also uncovered an alarming disconnect between confidence in security posture and increased cyberattacks during the global pandemic.

https://www.helpnetsecurity.com/2020/11/18/distributed-workforce-security/

Threats

Ransomware

Capcom confirms Ragnar Locker ransomware attack, data exposure

Capcom has confirmed that a recent security incident was due to a Ragnar Locker ransomware infection, potentially leading to the exposure of customer records.

This week, the Japanese gaming giant confirmed that the company had fallen prey to "customized ransomware" which gave attackers unauthorised access to its network -- as well as the data stored on Capcom Group systems.

https://www.zdnet.com/article/capcom-confirms-ransomware-attack-potential-theft-of-customer-employee-data/

Ransomware attack forces web hosting provider Managed.com to take servers offline

One of the biggest providers of managed web hosting solutions, has taken down all its servers in order to deal with a ransomware attack.

The ransomware impacted the company's public facing web hosting systems, resulting in some customer sites having their data encrypted.

The incident only impacted a limited number of customer sites, which the company said it immediately took offline.

https://www.zdnet.com/article/web-hosting-provider-managed-shuts-down-after-ransomware-attack/

Phishing

Office 365 phishing campaign detects sandboxes to evade detection

Microsoft is tracking an ongoing Office 365 phishing campaign that makes use of several methods to evade automated analysis in attacks against enterprise targets.

"We’re tracking an active credential phishing attack targeting enterprises that uses multiple sophisticated methods for defence evasion and social engineering," Microsoft said.

"The campaign uses timely lures relevant to remote work, like password updates, conferencing info, helpdesk tickets, etc."

https://www.bleepingcomputer.com/news/security/office-365-phishing-campaign-detects-sandboxes-to-evade-detection/

Malware

Adult site users targeted with ZLoader malware via fake Java update

A malware campaign ongoing since the beginning of the year has recently changed tactics, switching from exploit kits to social engineering to target adult content consumers.

The operators use an old trick to distribute a variant of ZLoader, a banking trojan that made a comeback earlier this year after an absence of almost two years, now used as an info stealer.

https://www.bleepingcomputer.com/news/security/adult-site-users-targeted-with-zloader-malware-via-fake-java-update/

Lazarus malware strikes South Korean supply chains

Lazarus malware has been tracked in new campaigns against South Korean supply chains, made possible through stolen security certificates.

Cyber security researchers reported the abuse of the certificates, stolen from two separate, legitimate South Korean companies.

https://www.zdnet.com/article/lazarus-malware-strikes-south-korean-supply-chains/

Malware activity spikes 128%, Office document phishing skyrockets

The report demonstrates threat actors becoming even more ruthless. Throughout Q3, hackers shifted focus from home networks to overburdened public entities, including the education sector and the Election Assistance Commission (EAC). Malware campaigns, like Emotet, utilized these events as phishing lure themes to assist in delivery.

https://www.helpnetsecurity.com/2020/11/13/malware-activity-q3-2020/

Cloud

Attackers can abuse a misconfigured IAM role across 16 Amazon services

Researchers at Palo Alto’s Unit 42 have confirmed that they have compromised a customer’s AWS cloud account with thousands of workloads using a misconfigured identity and access management (IAM) role.

https://www.scmagazine.com/home/security-news/cloud-security/attackers-can-abuse-a-misconfigured-iam-role-across-16-aws-services/

Vulnerabilities

More than 245,000 Windows systems still remain vulnerable to BlueKeep RDP bug

A year and a half after Microsoft disclosed the BlueKeep vulnerability impacting the Windows RDP service, more than 245,000 Windows systems still remain unpatched and vulnerable to attacks.

The number represents around 25% of the 950,000 systems that were initially discovered to be vulnerable to BlueKeep attacks during a first scan in May 2019.

https://www.zdnet.com/article/more-than-245000-windows-systems-still-remain-vulnerable-to-bluekeep-rdp-bug/

Windows Kerberos authentication breaks due to security updates

Microsoft is investigating a new known issue causing enterprise domain controllers to experience Kerberos authentication problems after installing security updates released to address CVE-2020-17049 during this month's Patch Tuesday, on November 10.

https://www.bleepingcomputer.com/news/microsoft/windows-kerberos-authentication-breaks-due-to-security-updates/

Cisco Patches Critical Flaw After PoC Exploit Code Release

A critical path-traversal flaw exists in Cisco Security Manager that lays bare sensitive information to remote, unauthenticated attackers.

A day after proof-of-concept (PoC) exploit code was published for a critical flaw in Cisco Security Manager, Cisco has hurried out a patch.

https://threatpost.com/critical-cisco-flaw-sensitive-data/161305/

Widespread Scans Underway for RCE Bugs in WordPress Websites

WordPress websites using buggy Epsilon Framework themes are being hunted by hackers.

Millions of malicious scans are rolling across the internet, looking for known vulnerabilities in the Epsilon Framework for building WordPress themes, according to researchers.

According to the Wordfence Threat Intelligence team, more than 7.5 million probes targeting these vulnerabilities have been observed, against more than 1.5 million WordPress sites, just since Tuesday.

https://threatpost.com/widespread-scans-rce-bugs-wordpress-websites/161374/

Webex fixed some seriously spooky security flaws

Cisco has patched several troubling security vulnerabilities in its Webex video conferencing service.

The flaws in the video conferencing software were flagged. Researchers took a deeper look at the collaboration tools being used for day-to-day work to better understand how they could impact sensitive meetings now being held virtually. During its investigation, the company's security researchers discovered three vulnerabilities in Webex.

https://www.techradar.com/news/cisco-webex-had-some-very-spooky-security-flaws

Data Breaches

Animal Jam was hacked, and data stolen; here’s what parents need to know

WildWorks,  the gaming company that makes the popular kids game Animal Jam, has confirmed a data breach.

Animal Jam is one of the most popular games for kids, ranking in the top five games in the 9-11 age category in Apple’s App Store in the U.S., according to data provided by App Annie. But while no data breach is ever good news, WildWorks has been more forthcoming about the incident than most companies would be, making it easier for parents to protect both their information and their kids’ data.

https://techcrunch.com/2020/11/16/animal-jam-data-breach/

Crown Prosecution Service guilty of ‘serious’ data breaches

Prosecutors are routinely guilty of “serious” data breaches that can endanger the public by disclosing addresses of people who report crimes, a watchdog has revealed.

Independent assessors of the Crown Prosecution Service found that prosecutors in England and Wales were responsible for “a significant number of data security breaches”.

https://www.thetimes.co.uk/article/crown-prosecution-service-guilty-of-serious-data-breaches-k7vhl0hnf

Privacy

MacOS Big Sur reveals Apple secretly hates your VPN and firewall

If you're using a Mac VPN and recently updated your device to Big Sur, your privacy may be at risk as it was discovered that Apple apps are able to bypass both firewalls and VPN services in the company's latest version of macOS.

Twitter user mxswd first spotted the issue back in October and provided more details in a tweet which reads: “Some Apple apps bypass some network extensions and VPN Apps. Maps for example can directly access the internet bypassing any NEFilterDataProvider or NEAppProxyProviders you have running”.

https://www.techradar.com/uk/news/macos-big-sur-reveals-apple-secretly-hates-your-vpn-and-firewall

Server failure unearths massive macOS tracking plans

More serious doubts have been raised about Apple's snooping tactics following fresh revelations about the company's macOS software. We’ve already reported how apps in the latest release of macOS can bypass firewalls and VPNs and how the release was bricking some older MacBook Pro machines.

https://www.techradar.com/news/server-failure-unearths-massive-macos-tracking-plans

Employee surveillance software demand increased as workers transitioned to home working

As people hunkered down to work from home during COVID-19, companies turned to employee surveillance software to track their staff.

What does the rise of intrusive tools such as employee surveillance software mean for workers at home?

A new study shows that the demand for employee surveillance software was up 55% in June 2020 compared to the pre-pandemic average. From webcam access to random screenshot monitoring, these surveillance software products can record almost everything an employee does on their computer.

https://www.zdnet.com/article/employee-surveillance-software-demand-increased-as-workers-transitioned-to-home-working/

Los Angeles police ban facial recognition software and launch review after officers accused of unauthorized use

The Los Angeles police department (LAPD) has banned commercial facial recognition software and launched a review after 25 officers were accused of using it unofficially to try to identify people.

https://www.theregister.com/2020/11/19/lapd_facial_recogntion/

Nation State Actors

More than 200 systems infected by new Chinese APT 'FunnyDream'

A new Chinese state-sponsored hacking group (also known as an APT) has infected more than 200 systems across Southeast Asia with malware over the past two years.

The malware infections are part of a widespread cyber-espionage campaign carried out by a group named FunnyDream, according to a new report published today by security firm Bitdefender.

The attacks have primarily targeted Southeast Asian governments. While Bitdefender has not named any victim countries, a report published earlier this spring by fellow security firm Kaspersky Lab has identified FunnyDream targets in Malaysia, Taiwan, and the Philippines, with the most victims being located in Vietnam.

https://www.zdnet.com/article/more-than-200-systems-infected-by-new-chinese-apt-funnydream/

Massive, China-state-funded hack hits companies around the world, report says

Attacks are linked to Cicada, a group believed to be funded by the Chinese state.

Researchers have uncovered a massive hacking campaign that’s using sophisticated tools and techniques to compromise the networks of companies around the world.

The hackers, most likely from a well-known group that’s funded by the Chinese government, are outfitted with both off-the-shelf and custom-made tools. One such tool exploits Zerologon, the name given to a Windows server vulnerability, patched in August, that can give attackers instant administrator privileges on vulnerable systems.

https://arstechnica.com/information-technology/2020/11/massive-china-state-funded-hack-hits-companies-around-the-word-report-says/

Other News

Hackers are leaning more heavily on cloud resources

Underground cloud services may seem like an oxymoron, but they are quite real, and criminals are using them to speed up attacks and leave very little room for compromised businesses to react.

This is according to a new report from cybersecurity firm Trend Micro, which found terabytes of internal business data and logins - including for Google, Amazon and PayPal - for sale on the dark web.

https://www.itproportal.com/news/hackers-are-leaning-more-heavily-on-cloud-resources/

CEOs Will Be Personally Liable for Cyber-Physical Security Incidents by 2024

Digital attack attempts in industrial environments are on the rise. In February 2020, IBM X-Force reported that it had observed a 2,000% increase in the attempts by threat actors to target Industrial Control Systems (ICS) and Operational Technology (OT) assets between 2018 and 2020. This surge eclipsed the total number of attacks against organizations’ industrial environments that had occurred over the previous three years combined.

https://www.tripwire.com/state-of-security/risk-based-security-for-executives/ceo-personally-liable-cyber-physical-security-incidents/

Reports Published in the Last Week

Sophos 2021 Threat Report: Navigating cybersecurity in an uncertain world

https://nakedsecurity.sophos.com/2020/11/18/sophos-threat-report-2021/

Verizon Releases First Cyber-Espionage Report

https://www.infosecurity-magazine.com/news/verizon-releases-first-cyber/

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities and cyber related news from the last week.

Top Cyber Headlines of the Week

Five Emerging Cyber-Threats to Watch Out for in 2021

What was the driving force behind your company’s digital strategy in 2020? Was it your CEO? Probably not. Your CTO or CISO? Perhaps.

For most organisations, it was COVID-19. In 2019, one company after another said: “work-from-home isn’t an option for us” or “we aren’t interested in shifting operations to the cloud.”

Then everything changed. The pandemic drove a massive shift towards remote work. For many companies, this wasn’t even an option — it was a case of ‘do or die.’

By April 2020, almost half of the American workforce was working from home. As organisations and employees become more comfortable with this, we shouldn’t expect a full return to the traditional in-office model anytime soon, if ever. Work-from-anywhere is the new way of doing business, with employees accessing cloud services, collaborative tools and remote systems from home and public networks – and not always through the safety of a VPN.

https://www.infosecurity-magazine.com/blogs/five-cyber-threats-2021/

Guernsey law firm fined £10,000 for data security breach

Trinity Chambers LLP sent private details about an individual and their family via emails and post, the Data Protection Authority (ODPA) found.

It said a lack of security had given "unconnected" third parties access to the data.

The breach of data by Trinity was the result of "repeated human error", an investigation found.

https://www.bbc.co.uk/news/world-europe-guernsey-54854333

Every employee has a cyber security blind spot

80% of companies say that an increased cyber security risk caused by human factors has posed a challenge during the COVID-19 pandemic, particularly in times of heightened stress.

This is a new report that explores the role employees and their personality play in keeping organisations safe from cyber threats. Including that:

·         Cyber crime has increased by 63% since the COVID-19 lockdown was introduced

·         Human error has been the biggest cyber security challenge during the COVID-19 pandemic, according to CISOs

·         Just a quarter of businesses consider their remote working strategy effective

·         47% of people are concerned about their ability to manage stress during the coronavirus crisis

https://www.helpnetsecurity.com/2020/11/09/cybersecurity-blind-spot/

Zoom settles FTC charges for misleading users about security features

Video conferencing software maker Zoom has reached a deal today with the US Federal Trade Commission to settle accusations that its misled users about some of its security features.

During the height of the COVID-19 pandemic, Zoom had attracted users to its platform with misleading claims that its product supported "end-to-end, 256-bit encryption" and that its service would store recorded calls in an encrypted format.

However, in a complaint filed earlier this year, the investigators found that Zoom's claims were deceptive.

Despite claiming to support end-to-end encrypted (E2EE) calls, Zoom didn't support E2EE calls in the classic meaning of the word.

https://www.zdnet.com/article/zoom-settles-ftc-charges-for-misleading-users-about-security-features/

Threats

Ransomware

How Ryuk Ransomware operators made $34 million from one victim

One hacker group that is targeting high-revenue companies with Ryuk ransomware received $34 million from one victim in exchange for the decryption key that unlocked their computers.

The threat actor is highly proficient at moving laterally inside a compromised network and erasing as much of their tracks as possible before detonating Ryuk ransomware.

https://www.bleepingcomputer.com/news/security/how-ryuk-ransomware-operators-made-34-million-from-one-victim/

Ransomware hits e-commerce platform X-Cart

E-commerce software vendor X-Cart suffered a ransomware attack at the end of October that brought down customer stores hosted on the company's hosting platform.

The incident is believed to have taken place after attackers exploited a vulnerability in a third-party software to gain access to X-Cart's store hosting systems.

https://www.zdnet.com/article/ransomware-hits-e-commerce-platform-x-cart

Linux version of RansomEXX ransomware discovered

A Linux version of the RansomEXX ransomware, marking the first time a major Windows ransomware strain has been ported to Linux to aid in targeted intrusions.

RansomEXX is a relatively new ransomware strain that was first spotted earlier this year in June.

https://www.zdnet.com/article/linux-version-of-ransomexx-ransomware-discovered/

Laptop mega-manufacturer Compal hit by DoppelPaymer ransomware – same one that hit German hospital

Compal, the world’s second-largest white-label laptop manufacturer, has been hit by the file-scrambling DoppelPaymer ransomware gang – and the hackers want $17m in cryptocurrency before they'll hand over the decryption key.

The Taiwanese factory giant, which builds systems for Apple, Lenovo, Dell, and HP, finally admitted malware infected its computers and encrypted its documents after first insisting it had suffered no more than an IT "abnormality" and that its staff had beaten off a cyber-attack.

https://www.theregister.com/2020/11/09/compal_ransomware_report/

Capcom hit by ransomware attack, is reportedly being extorted for $11 million

Earlier this week it emerged that third-party giant Capcom's internal systems had been hacked, though the company claimed that no customer data was affected.

 It has now emerged that the publisher was targeted by the Ragnar Locker ransomware, software designed to exfiltrate information from internal networks before encrypting the lot: at which point the victim is locked-out, contacted, and extorted.

https://www.pcgamer.com/capcom-hit-by-ransomware-attack-is-reportedly-being-extorted-for-pound11-million/

Business Email Compromise (BEC)

Jersey business targeted in £130,000 invoice scam

A Jersey building company has been targeted by a sophisticated impersonation scam, which saw fraudsters intercept more than £130,000 in invoice payments.

The owners, who wish to remain anonymous, said they were "left reeling" after realising their email correspondence with a customer had been hacked, and payments diverted to a scam bank account.

After taking swift action, they were able to recover all their money, but they now want to make sure other islanders do not fall victim. They are encouraging businesses in particular to be "extra vigilant".

https://www.itv.com/news/channel/2020-11-13/jersey-business-targeted-in-130000-invoice-scam

Phishing

Smishing attack tells you “mobile payment problem” – don’t fall for it!

As we’ve warned before, phishing via SMS, or smishing for short, is still popular with cybercriminals.

Sure, old-fashioned text messages have fallen out of favour for personal communications, superseded round the world by instant messaging apps such as WhatsApp, WeChat, Instagram, Telegram and Signal.

But for brief, one-off business communications such as “Your home delivery will arrive at 11:30 today” or “Your one-time login code is 217828”, SMS is still a popular and useful messaging system.

That’s because pretty much every mobile phone in the world can receive text messages, regardless of its age, feature set or ability to access the internet.

Even if you’ve got no credit to send messages or make calls, no third-party apps installed, and no Wi-Fi connectivity, SMSes sent to you will still show up.

https://nakedsecurity.sophos.com/2020/11/10/smishing-attack-tells-you-mobile-payment-problem-dont-fall-for-it/

Malware

Play Store identified as main distribution vector for most Android malware

The official Google Play Store has been identified as the primary source of malware installs on Android devices in a recent academic study — considered the largest one of its kind carried out to date.

Using telemetry data, researchers analysed the origin of app installations on more than 12 million Android devices for a four-month period between June and September 2019.

In total, researchers looked at more than 34 million APK (Android application) installs for 7.9 million unique apps.

https://www.zdnet.com/article/play-store-identified-as-main-distribution-vector-for-most-android-malware/

This new malware wants to add your Linux servers and IoT devices to its botnet

A new form of malware is targeting Linux servers and Internet of Things (IoT) devices and adding them to a botnet in what appears to be the first stage of a hacking campaign targeting cloud-computing infrastructure – although the purpose of the attacks remains unclear.

The malicious worm has been dubbed Gitpaste-12, reflecting on how it uses GitHub and Pastebin for housing component code and has 12 different means of compromising Linux-based x86 servers, as well as Linux ARM- and MIPS-based IoT devices.

https://www.zdnet.com/article/this-new-malware-wants-to-add-your-linux-servers-and-iot-devices-to-its-botnet/

New 'Ghimob' malware can spy on 153 Android mobile applications

Security researchers have discovered a new Android banking trojan that can spy and steal data from 153 Android applications.

Named Ghimob, the trojan is believed to have been developed by the same group behind the Astaroth (Guildma) Windows malware, according to a report published.

Distribution was never carried out via the official Play Store.

Instead, the Ghimob group used emails or malicious sites to redirect users to websites promoting Android apps.

https://www.zdnet.com/article/new-ghimob-malware-can-spy-on-153-android-mobile-applications/

Microsoft Teams Users Under Attack in ‘Fake Updates’ Malware Campaign

Attackers are using ads for fake Microsoft Teams updates to deploy backdoors, which use Cobalt Strike to infect companies’ networks with malware.

 The campaign is targeting various types of companies, with recent targets in the K-12 education sector, where organisations are currently dependent on using apps like Teams for videoconferencing due to COVID-19 restrictions.

Cobalt Strike is a commodity attack-simulation tool that’s used by attackers to spread malware, particularly ransomware. Recently, threat actors were seen using Cobalt Strike in attacks exploiting Zerologon, a privilege-elevation flaw that allows attackers to access a domain controller and completely compromise all Active Directory identity services.

https://threatpost.com/microsoft-teams-fakeupdates-malware/161071/

DDoS

DDoS attacks are cheaper and easier to carry out than ever before

DDoS attacks are getting more complex and more sophisticated while also getting cheaper and easier to carry out as cyber criminals take advantage of the sheer number of insecure internet-connected devices.

Distributed Denial of Service attacks have been a problem for many years, with cyber attackers gaining control of armies of devices and directing their internet traffic at targets in order to take the victim offline.

The disruption causes problems for both businesses and individual users who are prevented from accessing digital services they require – and that's especially a problem as 2020's coronavirus pandemic has forced people to be more reliant on digital services than ever before.

https://www.zdnet.com/article/ddos-attacks-are-cheaper-and-easier-to-carry-out-than-ever-before/

IoT

IoT security is a mess. These guidelines could help fix that

The supply chain around the Internet of Things (IoT) has become the weak link in cyber security, potentially leaving organisations open to cyber attacks via vulnerabilities they're not aware of. But a newly released set of guidelines aims to ensure that security forms part of the entire lifespan of IoT product development.

The Guidelines for Securing the IoT – Secure Supply Chain for IoT report from the European Union Agency for Cybersecurity (ENISA) sets out recommendations throughout the entire IoT supply chain to help keep organisations protected from vulnerabilities that can arise when building connected things.

https://www.zdnet.com/article/iot-security-is-a-mess-these-guidelines-could-help-fix-that/

Vulnerabilities

Windows 10 update created a major password problem

A temporary fix for a frustrating Windows 10 bug that prevents software from storing account credentials, meaning the user must re-enter their username and password each time they log-in.

The flaw is also said to delete cookies held in web browsers, preventing websites from memorising credentials and serving bespoke content to the user.

First reported in April, the issue is present in specific builds of Windows 10 version 2004 and affects applications such as Outlook, Chrome, Edge, OneDrive and more.

https://www.techradar.com/news/windows-10-update-made-a-right-mess-of-this-basic-password-feature

Colossal Intel Update Anchored by Critical Privilege-Escalation Bugs

A massive Intel security update this month addresses flaws across a myriad of products – most notably, critical bugs that can be exploited by unauthenticated cyber criminals in order to gain escalated privileges.

These critical flaws exist in products related to Wireless Bluetooth – including various Intel Wi-Fi modules and wireless network adapters – as well as in its remote out-of-band management tool, Active Management Technology (AMT).

Overall, Intel released 40 security advisories on Tuesday, each addressing critical-, high- and medium-severity vulnerabilities across various products. That by far trumps October’s Intel security update, which resolved one high-severity flaw.

https://threatpost.com/intel-update-critical-privilege-escalation-bugs/161087/

Hackers are exploiting unpatched VoIP flaws to compromise business accounts

A hacking campaign has compromised VoIP (Voice over Internet Protocol) phone systems at over 1,000 companies around the world over the past year in a campaign designed to make profit from selling compromised accounts.

While the main purpose appears to be dialling premium rate numbers owned by attackers or selling phone numbers and call plans that others can use for free, access to VoIP systems could provide cyber criminals with the ability to conduct other attacks, including listening to private calls, cryptomining, or even using compromised systems as a steppingstone towards much more intrusive campaigns.

One hacking group has compromised the VoIP networks of almost 1,200 organisations in over 20 countries by exploiting the vulnerability, with over half the victims in the UK. Industries including government, military, insurance, finance and manufacturing are believed to have fallen victim to the campaign

https://www.zdnet.com/article/hackers-are-exploiting-unpatched-voip-flaws-to-compromise-business-accounts/

Google patches two more Chrome zero-days

Google has released today Chrome version 86.0.4240.198 to patch two zero-day vulnerabilities that were exploited in the wild.

These two bugs mark the fourth and fifth zero-days that Google has patched in Chrome over the past three weeks.

The difference this time is that while the first three zero-days were discovered internally by Google security researchers, these two new zero-days came to Google's attention after tips from anonymous sources.

https://www.zdnet.com/article/google-patches-two-more-chrome-zero-days/

Data Breaches

Ticketmaster fined £1.25m over payment data breach

Ticketmaster UK has been fined £1.25m for failing to keep its customers' personal data secure.

The fine was issued by the Information Commissioner's Office (ICO) following a cyber-attack on the Ticketmaster website in 2018.

The ICO said personal information and payment details had potentially been stolen from more than nine million customers in Europe.

https://www.bbc.co.uk/news/technology-54931873

Millions of Hotel Guests Worldwide Caught Up in Mass Data Leak

A cloud misconfiguration affecting users of a popular reservation platform threatens travellers with identity theft, scams, credit-card fraud and vacation-stealing.

A widely used hotel reservation platform has exposed 10 million files related to guests at various hotels around the world, thanks to a misconfigured Amazon Web Services S3 bucket. The records include sensitive data, including credit-card details.

Prestige Software’s “Cloud Hospitality” is used by hotels to integrate their reservation systems with online booking websites like Expedia and Booking.com.

https://threatpost.com/millions-hotel-guests-worldwide-data-leak/161044/

DWP exposed 6,000 people’s data online for two years

The Department for Work and Pensions (DWP) has removed the personal details of thousands of people after they were exposed online for two years.

The files, published in March and June 2018, listed routine payments to the outsourcing giant Capita and included the National Insurance (NI) numbers of approximately 6,000 people, according to the Mirror. These individuals were believed to be applying for the disability benefit, PIP. No other personal data was exposed in the incident.

https://www.itpro.co.uk/security/data-breaches/357724/dwp-data-breach-exposed-6000-ni-numbers

Data breach at Mashable leaks users’ personal information online

Technology and culture news website Mashable have announced that the personal data of users has been discovered in a leaked database posted on the internet.

In a statement issued this week, Mashable confirmed that a database containing information from readers who made use of the platform’s social media sign-in feature had been found online.

The media company said that “a hacker known for targeting websites and apps” was responsible for the breach. The suspect has not been named.

Leaked data is said to include the full names, locations, email addresses, genders, IP addresses, and links to social media profiles of users.

https://portswigger.net/daily-swig/data-breach-at-mashable-leaks-users-nbsp-personal-information-online

Other News

Try to avoid thinking of the internet as a flashy new battlefield, warns former NCSC chief

https://www.theregister.com/2020/11/11/ciaran_martin_speech_cyber_policy/

Microsoft says three APTs have targeted seven COVID-19 vaccine makers

https://www.zdnet.com/article/microsoft-says-three-apts-have-targeted-seven-covid-19-vaccine-makers/

New stealthy hacker-for-hire group mimics state-backed attackers

https://www.bleepingcomputer.com/news/security/new-stealthy-hacker-for-hire-group-mimics-state-backed-attackers/

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest of open source intelligence (OSINT), collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities and cyber related news from the last week.

Top Cyber Headlines of the Week

2020 could be 'the worst year in cyber security history'

Businesses around the world are severely unprepared to face the sheer scale of cyber threats facing us today, new research has claimed.

The latest 2020 Business Threat Landscape report from security firm Bitdefender has said that this could be the worst year in cyber security history, as despite multiple warnings, many firms still aren't ready to protect themselves.

Bitdefender's report found that the "new normal" of remote working had led many businesses to face difficulties in ensuring their online protection, with 50% of organisations "completely unprepared" to face a scenario in which they had to migrate their entire workforce in a working from home environment.

https://www.techradar.com/news/2020-could-be-the-worst-year-in-cybersecurity-history

Two-Thirds of Financial Services Firms Suffered Cyber-Attack in the Past Year

Almost two-thirds (65%) of large financial services companies have suffered a cyber attack in the past year, while 45% have experienced a rise in attack attempts since the start of the COVID-19 pandemic.

This is according to new research from HelpSystems, which surveyed 250 CISOs and CIOs in global financial services firms about the impact of the pandemic on their cybersecurity.

It highlighted that these organisations are taking cybersecurity increasingly seriously, with 92% stating that they have increased investment in this area over the past 12 months, with 26% doing so by a significant amount. The main targets of this investment have included secure file transfer (64%), protecting the remote workforce (63%) and cloud/office365 (56%).

https://www.infosecurity-magazine.com/news/two-thirds-financial-services/

Proofpoint survey: IT security leaders worry about and are ill-prepared to defeat cyber-attacks

IT security leaders say they are ill-prepared for a cyber attack and believe that human error and a lack of security awareness are major risk factors for their organisations, according to a series of reports and surveys from cyber security vendor Proofpoint. But there are some marked variations in both the rates and the types of cyber attack between the regions surveyed.

It’s a dynamic attack landscape: in the DACH countries of Germany, Austria and Switzerland 67 per cent of IT security leaders say they have suffered at least one attack in the last 12 months, while in Benelux 72 per cent of respondents say their business has suffered at least one cyber attack in the same time period. In Sweden 59 per cent of businesses have been attacked at least once, while in the UAE the figure is much higher at 82 per cent - with 51 per cent of IT security leaders in the UAE saying their business has been targeted multiple times.

https://www.theregister.com/2020/11/05/proofpoint_survey_it_security_leaders/

Akamai sees doubling in malicious internet traffic as remote world’s bad actors boom, too

Akamai Technologies’ CEO said he is impressed by the amazing traffic levels on the internet during the coronavirus pandemic, and the world technology infrastructure’s ability to handle it. But during the stay-at-home boom, the web and cyber security expert also has been closely watching a boom in bad actors.

With so many people working from home, hackers are taking advantage, and massively increasing the number of attacks as daily routine changes caused by the pandemic are prolonged, and become potentially permanent.

“I think the threat actors are trying to take advantage of the pandemic, and of course, the prize is greater now that so much business has moved online”

Quarter-over-quarter — Akamai reported its Q3 results this week — the cyber security and cloud computing company has tracked a doubling of malicious traffic as telecommuting makes for easier targets.

https://www.cnbc.com/2020/10/29/akamai-malicious-net-traffic-doubles-as-remote-world-bad-actors-boom.html

Attacks Against Microsoft’s Remote Desktop Protocol Soar Under Work From Home Measures

The number of Remote Desktop Protocol (RDP) attacks soared by 140% in Q3 compared with the previous quarter, as cyber criminals looked to take advantage of companies relying on remote access while working from home.

RDP makes it possible for one computer to connect to another over a network and control it as though the individual was sat at the keyboard themselves. While the Microsoft tool is useful for businesses and popular among IT administrators, it has increasingly been targeted by hackers who try to gain administrator access to company servers. Once inside they are able to disable security software, steal files, delete data and install malicious software.

Slovak internet security firm ESET detected the surge between July and September, with the number of separate companies reporting brute-force attacks against their RDP connection increasing by 37% quarter-over-quarter.

https://www.verdict.co.uk/rdp-attacks-eset/

Threats

Ransomware

Ransomware gangs that steal your data don't always delete it

Ransomware gangs that steal a company's data and then get paid a ransom fee to delete it don't always follow through on their promise.

The number of cases where something like this has happened has increased, according to a report published by Coveware this week and according to several incidents shared by security researchers with ZDNet researchers over the past few months.

https://www.zdnet.com/article/ransomware-gangs-that-steal-your-data-dont-always-delete-it/

Spike in Emotet activity could mean big payday for ransomware gangs

There's been a massive increase in Emotet attacks and cyber criminals are taking advantage of machines compromised by the malware to launch more malware infections as well as ransomware campaigns.

The October 2020 HP-Bromium Threat Insights Report reports a 1,200% increase in Emotet detections from July to September compared to the previous three months in which deployment of the malware appeared to decline.

https://www.zdnet.com/article/spike-in-emotet-activity-could-mean-big-payday-for-ransomware-gangs/

Italian beverage vendor Campari knocked offline after ransomware attack

Campari Group, the famed Italian beverage vendor behind brands like Campari, Cinzano, and Appleton, has been hit by a ransomware attack and has taken down a large part of its IT network.

The attack took place last Sunday, on November 1, and has been linked to the RagnarLocker ransomware gang, according to a copy of the ransom note shared with ZDNet by a malware researcher who goes online by the name of Pancak3.

https://www.zdnet.com/article/italian-beverage-vendor-campari-knocked-offline-after-ransomware-attack/

Hackney Council still working to restore services as IT boss describes horror at cyber attack

Hackney’s director of information communication technology (ICT) Rob Miller was playing football with his family on a Sunday morning early in October when he got a message letting him know there was a systems outage being investigated at the Town Hall.

By the end of Sunday, the council had moved swiftly to shut down its systems, declared an emergency and notified national agencies after Miller’s team found “clear markers” that the local authority had been hit by a serious cyber attack.

https://www.hackneycitizen.co.uk/2020/11/04/council-still-working-restore-services-boss-horror-cyber-attack/

Leading toy maker Mattel hit by ransomware

Toy industry giant Mattel disclosed that they suffered a ransomware attack in July that impacted some of its business functions but did not lead to data theft.

Mattel is the second-largest toymaker in the world with 24,000 employees and $5.7 billion in revenue for 2019. Mattel is known for its popular brands, including Barbie, Hot Wheels, Fisher-Price, American Girl, and Thomas & Friends.

https://www.bleepingcomputer.com/news/security/leading-toy-maker-mattel-hit-by-ransomware/

Business Email Compromise (BEC)

BEC attacks increase in most industries, invoice and payment fraud rise by 155%

BEC attacks increased 15% quarter-over-quarter, driven by an explosion in invoice and payment fraud, Abnormal Security research reveals.

“As the industry’s only measure of BEC attack volume by industry, our quarterly BEC research is important for CISOs to prepare and stay ahead of attackers,” said Evan Reiser, CEO of Abnormal Security.

“Not only are BEC campaigns continuing to increase overall, they are rising in 75% of industries that we track. Since these attacks are targeted and sophisticated, these increases could indicate an ability for threat actors to scale that may overwhelm some businesses.”

For this research, BEC campaigns across eight major industries were tracked, including retail/consumer goods and manufacturing, technology, energy/infrastructure, services, medical, media/tv, finance and hospitality.

https://www.helpnetsecurity.com/2020/11/03/bec-attacks-increase-quarter-over-quarter/

Phishing

Sneaky Office 365 phishing inverts images to evade detection

A creative Office 365 phishing campaign has been inverting images used as backgrounds for landing pages to avoid getting flagged as malicious by crawlers designed to spot phishing sites.

These inverted backgrounds are commonly used as part of phishing kits that attempt to clone legitimate login pages as closely as possible to harvest a target's credentials by tricking them into entering them into a fake login form.

https://www.bleepingcomputer.com/news/security/sneaky-office-365-phishing-inverts-images-to-evade-detection/

The BBC Experiences Over 250,000 Malicious Email Attacks Per Day

The British Broadcasting Corporation (BBC), the UK’s public service broadcaster, faces in excess of a quarter of a million malicious email attacks every day, according to data obtained following a Freedom of Information (FoI) request.

The corporation blocked an average of 283,597 malicious emails per day during the first eight months of 2020.

According to the data, every month the BBC receives an average of 6,704,188 emails that are classified as scam or spam as well as 18,662 malware attacks such as viruses, ransomware and spyware. In total, 51,898,393 infected emails were blocked in the period from January to August 2020.

The month which contained the highest amount of recorded incidents was July, when the BBC received 6,787,635 spam and 13,592 malware attempts. The next highest was March, when the COVID-19 first struck the UK, with 6,768,632 spam emails and 14,089 malware attacks.

https://www.infosecurity-magazine.com/news/bbc-experiences-malicious-email/

Malware

US Cyber Command exposes new Russian malware

US Cyber Command has exposed eight new malware samples that were developed and deployed by Russian hackers in recent attacks

Six of the eight samples are for the ComRAT malware (used by the Turla hacking group), while the other two are samples for the Zebrocy malware (used by the APT28 hacking group).

Both ComRAT and Zebrocy are malware families that have been used by Russia hacking groups for years, with ComRAT being deployed in attacks for more than a decade, having evolved from the old Agent.BTZ malware.

https://www.zdnet.com/article/us-cyber-command-exposes-new-russian-malware/

IoT

New data shows just how badly home users overestimate IoT security

A new survey from the National Cyber Security Alliance (NCSA) shows adult workers vastly overestimate the security of the internet devices in their homes.

The survey polled 1,000 adults – 500 aged 18-34 and 500 aged 50-75 – and found that the overwhelming majority of both believed the internet of things devices they owned were secure.

IoT devices, particularly those that are cheap, outdated and hard to upgrade, are widely considered to be an easy target for hackers.  Yet 87 percent of the younger group and 77 percent of the older group said they were either “somewhat” or “very confident” in the security of their connected things

https://www.scmagazine.com/home/security-news/with-work-from-home-booming-new-data-shows-just-how-badly-home-users-overestimate-iot-security/

Vulnerabilities

Windows 10 zero-day could allow hackers to seize control of your computer

A security bug has been discovered that affects every version of the Windows operating system, from Windows 7 to Windows 10. The vulnerability can be found within the Windows Kernel Cryptography Driver and enables attackers to gain admin-level control of a victim’s computer.

The flaw was discovered by Google’s Project Zero security team, which subsequently notified Microsoft. The Redmond-based firm was given seven days to patch the bug before Google published further details – a task that proved beyond the company. 

https://www.techradar.com/uk/news/windows-10-zero-day-could-allow-hackers-to-seize-control-of-your-computer

Adobe warns Windows, MacOS users of critical acrobat and reader flaws

Adobe has fixed critical-severity flaws tied to four CVEs in the Windows and macOS versions of its Acrobat and Reader family of application software services. The vulnerabilities could be exploited to execute arbitrary code on affected products.

These critical flaws include a heap-based buffer overflow, out-of-bounds write glitch and two use-after free flaws. The bugs are part of Adobe’s regularly scheduled patches, which overall patched critical-, important- and moderate-severity vulnerabilities tied to 14 CVEs.

https://threatpost.com/adobe-windows-macos-critical-acrobat-reader-flaws/160903/

Zero-day in Cisco AnyConnect Secure Mobility Client yet to be fixed

Cisco has disclosed a zero-day vulnerability, in the Cisco AnyConnect Secure Mobility Client software with the public availability of a proof-of-concept exploit code.

The flaw resided in the inter-process communication (IPC) channel of Cisco AnyConnect Client, it can be exploited by authenticated and local attackers to execute malicious scripts via a targeted user.

https://securityaffairs.co/wordpress/110414/security/zero-day-cisco-anyconnect-secure-mobility-client.html

Critical bug actively used to deploy Cobalt Strike on Oracle servers

Threat actors are actively exploiting Oracle WebLogic servers unpatched against CVE-2020-14882 to deploy Cobalt Strike beacons which allow for persistent remote access to compromised devices.

Cobalt Strike is a legitimate penetration testing tool also used by threat actors in post-exploitation tasks and to deploy so-called beacons that enable them to gain persistent remote access.

This later allows them to access the compromised servers to harvest data and to deploy second stage malware payloads.

https://www.bleepingcomputer.com/news/security/critical-bug-actively-used-to-deploy-cobalt-strike-on-oracle-servers/

Oracle Solaris Zero-Day Attack Revealed

A previously known threat group, called UNC1945, has been compromising telecommunications companies and targeting financial and professional consulting industries, by exploiting a security flaw in Oracle’s Solaris operating system.

Researchers said that the group was exploiting the bug when it was a zero-day, long before a patch arrived.

The bug, was recently addressed in Oracle’s October 2020 Critical Patch Update. The vulnerability exists in the Oracle Solaris Pluggable Authentication Module (PAM) and allows an unauthenticated attacker with network access via multiple protocols to exploit and compromise the operating system. Threat actors utilized a remote exploitation tool, which researchers call “EVILSUN,” to exploit the flaw.

https://threatpost.com/oracle-solaris-zero-day-attack/160929/

Data Breaches

Marriott Hotels fined £18.4m for data breach that hit millions

The UK's data privacy watchdog has fined the Marriott Hotels chain £18.4m for a major data breach that may have affected up to 339 million guests.

The Information Commissioner's Office (ICO) said names, contact information, and passport details may all have been compromised in a cyber-attack.

The breach included seven million guest records for people in the UK.

The ICO said the company failed to put appropriate safeguards in place but acknowledged it had improved.

https://www.bbc.co.uk/news/technology-54748843

23,600 hacked databases have leaked from a defunct 'data breach index' site

More than 23,000 hacked databases have been made available for download on several hacking forums and Telegram channels in what threat intel analysts are calling the biggest leak of its kind.

The database collection is said to have originated from Cit0Day.in, a private service advertised on hacking forums to other cybercriminals.

Cit0day operated by collecting hacked databases and then providing access to usernames, emails, addresses, and even cleartext passwords to other hackers for a daily or monthly fee.

Cybercriminals would then use the site to identify possible passwords for targeted users and then attempt to breach their accounts at other, more high-profile sites.

https://www.zdnet.com/article/23600-hacked-databases-have-leaked-from-a-defunct-data-breach-index-site/

Other News

Deloitte's 'Test your Hacker IQ' site fails itself after exposing database user name, password in config file

Suspended sentence for bank IT worker who hacked his boss's webcam because he didn't get a payrise

APT Groups Finding Success with Mix of Old and New Tools

Quantum computing may make current encryption obsolete, a quantum internet could be the solution

Reports Published in the Last Week

NCSC defends UK from more than 700 cyber attacks while supporting national pandemic response

The NCSC's fourth Annual Review reveals its ongoing work against cyber attacks, support for the UK during the coronavirus pandemic.

https://www.ncsc.gov.uk/news/ncsc-defends-uk-700-cyber-attack-national-pandemic

Ransomware Demands continue to rise as Data Exfiltration becomes common, and Maze subdues

The Coveware Quarterly Ransomware Report describes ransomware incident response trends during Q3 of 2020. Ransomware groups continue to leverage data exfiltration as a tactic, though trust that stolen data will be deleted is eroding as defaults become more frequent when exfiltrated data is made public despite the victim paying. In Q3, Coveware saw the Maze group sunset their operations as the active affiliates migrated to Egregor (a fork of Maze). We also saw the return of the original Ryuk group, which has been dormant since the end of Q1.

https://www.coveware.com/blog/q3-2020-ransomware-marketplace-report

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities and cyber related news from the last week.

Threats

Ransomware

Furniture Giant Steelcase Hit by Suspected Ransomware Attack

Steelcase, the world’s largest maker of office furniture, revealed in a filing with the US Securities and Exchange Commission (SEC) that it had become the latest big name to be hit by a major ransomware attack.

The firm claimed to have detected a cyber-attack on its IT systems last Thursday, October 22.

“The company promptly implemented a series of containment measures to address this situation including temporarily shutting down the affected systems and related operations,” it continued. “The company is actively engaged in restoring the affected systems and returning to normal levels of operations.”

https://www.infosecurity-magazine.com/news/furniture-giant-steelcase/

Multinational energy company Enel Group hit by ransomware again, Netwalker demands $14 million

Multinational energy company Enel Group has been hit by a ransomware attack for the second time this year. This time by Netwalker, who is asking a $14 million ransom for the decryption key and to not release several terabytes of stolen data.

Enel is one of the largest players in the European energy sector, with more than 61 million customers in 40 countries. As of August 10, it ranks 87 in Fortune Global 500, with a revenue of almost $90 billion in 2019.

https://www.bleepingcomputer.com/news/security/enel-group-hit-by-ransomware-again-netwalker-demands-14-million/

Ransomware vs WFH: How remote working is making cyber attacks easier to pull off

The unique conditions of 2020 mean businesses are more reliant on being digitally connected than ever before. Cyber criminals know this, which is why ransomware attacks have become even more pervasive – and effective during the course this year.Hackers are breaking into networks of organisations ranging from tech companies to local governments and almost every other sector; encrypting servers, services and files with ransomware before demanding a bitcoin ransom that can be measured in hundreds of thousands or even millions of dollars.

https://www.zdnet.com/article/ransomware-vs-wfh-how-remote-working-is-making-cyberattacks-easier-to-pull-off/

REvil ransomware gang claims over $100 million profit in a year

REvil ransomware developers say that they made more than $100 million in one year by extorting large businesses across the world from various sectors.

They are driven by profit and want to make $2 billion from their ransomware service, adopting the most lucrative trends in their pursuit of wealth.

https://www.bleepingcomputer.com/news/security/revil-ransomware-gang-claims-over-100-million-profit-in-a-year/

Phishing

Remote Workers Ignore Training to Open Suspicious Emails

Remote workers are increasingly putting corporate data and systems at risk by failing to follow best practice security, according to new research from Mimecast.

The email security vendor polled over 1000 global respondents working from corporate machines to compile its latest report, Company-issued computers: What are employees really doing with them?

It found a litany of risky behaviour: for example, 73% of respondents frequently use their company-issued device for personal matters such as checking webmail (47%), carrying out financial transactions (38%) and online shopping (35%).

https://www.infosecurity-magazine.com/news/remote-workers-ignore-training/

Malware

Emotet campaign used parked domains to deliver malware payloads

Researchers tracking malicious use of parked domains have spotted the Emotet botnet using such domains to deliver malware payloads as part of a large scale phishing campaign.

Domain owners park their domains using parking service providers to monetize them via advertisement networks while they're not being used to host an active website or online service.

https://www.bleepingcomputer.com/news/security/emotet-campaign-used-parked-domains-to-deliver-malware-payloads/

The world of malware has a new rising star - and that's a big problem

A fast-spreading malware-as-a-service offering could be providing an alternative to other well-known malware loaders like Emotet and BazarLoader, experts have warned.

Buer was first discovered in August 2019, when it was used to compromise Windows PCs, acting as a gateway for further attacks to follow.

Buer comes with bot functionality, specific to each download. The bots can be configured depending on a variety of filters, including whether the infected machine is 32 or 64 bits, the country where the exploit is taking place and what specific tasks are required.

https://www.techradar.com/uk/news/the-world-of-malware-has-a-new-rising-star-and-thats-a-problem

Akamai sees doubling in malicious internet traffic as remote world’s bad actors' boom, too

Akamai Technologies’ CEO Tom Leighton is impressed by the amazing traffic levels on the internet during the coronavirus pandemic, and the world technology infrastructure’s ability to handle it. But during the stay-at-home boom, the web and cyber security expert also has been closely watching a boom in bad actors.

With so many people working from home, hackers are taking advantage, and massively increasing the number of attacks as daily routine changes caused by the pandemic are prolonged and become potentially permanent.

https://www.cnbc.com/2020/10/29/akamai-malicious-net-traffic-doubles-as-remote-world-bad-actors-boom.html

Vulnerabilities

Microsoft warns of ongoing attacks using Windows Zerologon flaw

Microsoft today warned that threat actors are continuing to actively exploit systems unpatched against the ZeroLogon privilege escalation vulnerability in the Netlogon Remote Protocol (MS-NRPC).

https://www.bleepingcomputer.com/news/security/microsoft-warns-of-ongoing-attacks-using-windows-zerologon-flaw/

Oracle WebLogic Server RCE Flaw Under Active Attack

The flaw in the console component of the WebLogic Server, CVE-2020-14882, is under active attack, researchers warn.

If an organization hasn’t updated their Oracle WebLogic servers to protect them against a recently disclosed RCE flaw, researchers have a dire warning: “Assume it has been compromised.”

https://threatpost.com/oracle-weblogic-server-rce-flaw-attack/160723/

This CMS cyberattack has affected thousands of sites worldwide

Security researchers have tracked and analysed a highly sophisticated botnet which they believe to be responsible for infecting hundreds of thousands of websites by attacking their content management system (CMS) platforms.

The botnet, named Kashmir Black, has been in operation since November of last year and while it started out small, it has now evolved into a sophisticated operation capable of attacking thousands of sites each day.

https://www.techradar.com/news/this-cms-cyberattack-has-affected-thousands-of-sites-worldwide

Cisco routers have another high-risk vulnerability

A security vulnerability found in a number of its carrier-grade routers is actively being exploited in the wild by cyber criminals.

The vulnerability affects ASR 9000 series routers, iOS XRv 9000 router and the 540, 560, 1000, 5000, 5500 and 6000 series routers from its Network Convergence System (NCS) line.

https://www.techradar.com/news/cisco-routers-have-another-high-risk-vulnerability

Other News

Security scam hacker ogled 722 women via webcams

A computer hacker who used webcams to watch women undressing and having sex faces extradition to the US.

Christopher Taylor spied on 772 victims in 39 countries — including 52 in the UK — from his Wigan home.

The labourer, 57, tricked the women into downloading software that allowed him to take control of their webcams, Westminster magistrates’ court heard.

https://www.metro.news/security-scam-hacker-ogled-772-women-via-webcams/2199001/

Amazon Discloses Security Incident Involving Customers’ Email Addresses

Amazon informed some of its customers about a security incident that involved the unauthorized disclosure of their email addresses.

News of the security incident emerged over the weekend of October 23 when multiple users took to Twitter to voice their confusion over an email they had received from Amazon.

In an email notification the tech giant explained that it had fired an employee after they unlawfully disclosed some customers’ email addresses to a third party.

https://www.tripwire.com/state-of-security/security-data-protection/amazon-discloses-security-incident-involving-customers-email-addresses/

'Act of War' Clause Could Nix Cyber Insurance Payouts

Companies relying on their business interruption or property insurance policies to cover ransomware attacks and other cyber damages are running the risk of not having coverage during a major attack if insurers are successful in shielding themselves using the ubiquitous "act of war" clause, according to cyber security and insurance experts.

https://www.darkreading.com/attacks-breaches/act-of-war-clause-could-nix-cyber-insurance-payouts/d/d-id/1339317

Therapy patients blackmailed for cash after clinic data breach

Many patients of a large psychotherapy clinic in Finland have been contacted individually by a blackmailer, after their data was stolen.

The data appears to have included personal identification records and notes about what was discussed in therapy sessions.

https://www.bbc.co.uk/news/technology-54692120

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities and cyber related news from the last week.

Threats

Ransomware

This week has been busy with ransomware related news, including new charges against Russian state-sponsored hackers and numerous attacks against well-known organisations.

In 2017, there was an attack utilizing the NotPetya ransomware to destroy data on systems worldwide. This week, the US govt indicted six Russian intelligence operatives [source], known to be part of the notorious 'Sandworm' group, for hacking operations, including NotPetya.

Ransomware variants continue to evolve as crooks chase bigger paydays

The number of ransomware attacks which threaten to leak stolen data if the victim doesn't pay a ransom to get their encrypted files and servers back is growing – and this is being reflected in the changing nature of the cyber criminal market.

Analysis by cyber security researchers found that over the last three months – between July and September - 80 percent of ransomware attacks combined with data dumps were associated with four families of ransomware – Maze, Sodinokibi, Conti and Netwalker.

The period from April to June saw just three ransomware families account for 80 percent of alerts – DoppelPaymer, Maze and Sodinokibi.

The way DoppelPayer has dropped off and how Conti and NetWalker have suddenly emerged some of the most prolific threats shows how the ransomware space continues to evolve, partly because of how successful it has already become for the crooks behind it. [source]

Why this matters:

Maze was the first major family of ransomware to add threats of data breaches to their ransom demands and other ransomware operators have taken note – and stolen the additional extortion tactic.

There is an inherent competitive nature that has befallen the ransomware landscape. The saturated ransomware market pushes ransomware developers to cut through the noise and gain the best ransomware title and this drives more affiliates to carry out their work and, thus, more successful attacks to reach their goal: to make as much money as possible.

DoppelPaymer's activity has dropped over the last few months – although it still remains active - enabling Conti and NetWalker to grab a larger slice of the pie.

Notable ransomware victims of the last week

French IT giant Sopra Steria hit by Ryuk ransomware

French IT services giant Sopra Steria suffered a cyber attack on October 20th, 2020, that reportedly encrypted portions of their network with the Ryuk ransomware.

Sopra Steria is a European information technology company with 46,000 employees in 25 countries worldwide. The company provides a wide range of IT services, including consulting, systems integration, and software development.

The firm has said that the attack has hit all geographies where they operate and have said it will take them several weeks to recover.

Numerous sources have confirmed that it was Ryuk ransomware threat actors who were behind the attack. This hacking group is known for its TrickBot and BazarLoader infections that allow threat actors to access a compromised network and deploy the Ryuk or Conti ransomware infections.

BazarLoader is increasingly being used in Ryuk attacks against high-value targets due to its stealthy nature and is less detected than TrickBot by security software.

When installed, BazarLoader will allow threat actors to remotely access the victim's computer and use it to compromise the rest of the network.

After gaining access to a Windows domain controller, the attackers then deploy the Ryuk ransomware on the network to encrypt all of its devices, as illustrated in the diagram above. [Source1] [source2]

The Nefilim ransomware operators have posted a long list of files that appear to belong to Italian eyewear and eyecare giant Luxottica.

Luxottica Group S.p.A. is an Italian eyewear conglomerate and the world’s largest company in the eyewear industry (which owns brands including LensCrafters, Sunglass Hut, Apex by Sunglass Hut, Pearle Vision, Target Optical, Eyemed vision care plan, and Glasses.com. Its best known brands are Ray-Ban, Persol, and Oakley) and employs over 80,000 people and generated 9.4 billion in revenue for 2019.

The company was hit by a cyber attack and some of the web sites operated by the company were not reachable, including Ray-Ban, Sunglass Hut, LensCrafters, EyeMed, and Pearle Vision.

Reports indicate that the firm was using a Citrix ADX controller device vulnerable to a critical vulnerability and it is believed that a threat actor or actors exploited the above flaw to infect the systems at the company with ransomware. This appears to have subsequently confirmed with Nefilim ransomware operators having posted a long list of files that appear to belong to Luxottica. [source]

Why this matters:

The analysis of the leaked files revealed that they contain confidential information regarding the recruitment process, professional resumes, and info about the internal structures of the Group’s human resource department. The ransomware operators also published a message which accuses Luxottica of having failed the properly manage the attack.

In the past months, the number of ransomware attacks surged, numerous ransomware gangs made the headlines targeting organisations worldwide and threatening victims with releasing the stolen data if the ransom was not paid.

Extortion is the new thing in cyber crime right now, more so than in the past. Companies cannot hide the cyber attack anymore. Now it’s more about how to manage the breach from the communication perspective. Defending companies from these types of attacks becomes even more strategic: data leak damages can generate tremendous amount of costs for companies worldwide.

Other notable ransomware victims this week include:

• Barnes & Noble hit by Egregor ransomware, strange data leaked [source]

• Montreal's STM public transport system hit by ransomware attack [source]

• WastedLocker ransomware hits US-based ski and golf resort operator Boyne Resorts (WastedLocker was the same one used in the attack on Garmin in July) [source]

Other Threats

Infected IoT Device Numbers Surge 100% in a Year

The volume of infected Internet of Things (IoT) devices globally has soared by 100% over the past year, according to new data from Nokia.

It revealed that infected IoT devices now comprise nearly a third (32.7%) of the total number of devices, up from 16.2% in the 2019 report.

Nokia argued that infection rates for connected devices depend dramatically upon the visibility of the devices on the internet.

In networks where devices are routinely assigned public facing internet IP addresses there is a higher infection rate. In networks where carrier grade NAT is used, the infection rate is considerably reduced, because the vulnerable devices are not visible to network scanning.

With the introduction of 5G well underway, it is expected that not only the number of IoT devices will increase dramatically, but also the share of IoT devices accessible directly from the internet will increase as well, and rates of infection rising accordingly. [source]

Brute force attacks increase due to more open RDP ports

While leaving your back door open while you are working from home may be something you do without giving it a second thought, having unnecessary ports open on your computer or on your corporate network is a security risk that is sometimes underestimated. That’s because an open port can be subject to brute force attacks.

A brute force attack is where an attacker tries every way he can think of to get in. Including throwing the kitchen sink at it. In cases where the method they are trying is to get logged in to your system, they will try endless combinations of usernames and passwords until a combination works.

Brute force attacks are usually automated, so it doesn’t cost the attacker a lot of time or energy. Certainly not as much as individually trying to figure out how to access a remote system. Based on a port number or another system specific property, the attacker picks the target and the method and then sets his brute force application in motion. He can then move on to the next target and will get notified when one of the systems has swallowed the hook.

RDP attacks are one of the main entry points when it comes to targeted ransomware operations. To increase effectiveness, ransomware attacks are getting more targeted and one of the primary attack vectors is the Remote Desktop Protocol (RDP). Remote desktop is exactly what the name implies, an option to remotely control a computer system. It almost feels as if you were actually sitting behind that computer. Which is exactly what makes an attacker with RDP access so dangerous. [source]

Why this matters:

Because of the current pandemic, many people are working from home and may be doing so for a while to come. Working from home has the side effect of more RDP ports being opened. Not only to enable the workforce to access company resources from home, but also to enable IT staff to troubleshoot problems on the workers’ devices. A lot of enterprises rely on tech support teams using RDP to troubleshoot problems on employee’s systems.

But ransomware, although prevalent, is not the only reason for these types of attacks. Cyber criminals can also install keyloggers or other spyware on target systems to learn more about the organization they have breached. Other possible objectives might be data theft, espionage, or extortion.

Phishing

Two in five employees are not sure what a mobile phishing attack is

The COVID-19 pandemic has clearly changed the way people work and accelerated the already growing remote work trend. This has also created new security challenges for IT departments, as employees increasingly use their own personal devices to access corporate data and services.

These changes, where employees, IT infrastructures, and customers are everywhere – has led to employees not prioritising security in their new world of work, and the current distributed remote work environment has also triggered a new threat landscape, with malicious actors increasingly targeting mobile devices with phishing attacks.

A new study looking at the impact that lockdown has had on employees working habits polled 1,200 workers across the US, UK, France, Germany, Belgium, Netherlands, Australia, and New Zealand showed that many employees were unaware of how to identify and avoid a phishing attack, and over two in five (43%) of employees are not even sure what a phishing attack is. [source]

Microsoft is Most Imitated Brand for Phishing Attempts in Q3 2020

The latest Check Point ‘Q3 Brand Phishing Report’, highlighting the brands that hackers imitated the most to lure people into giving up personal data, reveals the brands which were most frequently imitated by criminals in their attempts to steal individuals’ personal information or payment credentials during July, August and September.

In Q3, Microsoft was the most frequently targeted brand by cyber criminals, soaring from fifth place (relating to 7% of all brand phishing attempted globally in Q2 of 2020) to the top of the ranking. 19% of all brand phishing attempts related to the technology giant, as threat actors sought to capitalise on large numbers of employees still working remotely during the Covid-19 pandemic. For the first time in 2020, DHL entered the top 10 rankings, taking the second spot with 9% of all phishing attempts related to the company. [source]

Top phishing brands in Q3 2020

• Microsoft (19%)

• DHL (9%)

• Google (9%)

• PayPal (6%)

• Netflix (6%)

• Facebook (5%)

• Apple (5%)

• Whatsapp (5%)

• Amazon (4%)

• Instagram (4%)

Phishing Lures Shifting from COVID-19 updates to Job Opportunities

Researchers are seeing a pivot in the spear-phishing and phishing lures used by cybercriminals, to entice potential job candidates as businesses start to open up following the pandemic.

Cyber criminals cashed in on the surge of COVID-19 earlier this year, with email lures purporting to be from healthcare professionals offering more information about the pandemic. However, as the year moves forward, bad actors are continuing to swap up their attacks and researchers are now seeing ongoing email based attacks that tap into new job opportunities as businesses start to open up. [source]

Denial of Service Attacks

DDoS (Distributed Denial of Service) Attacks Triple in Size as Ransom Demands Re-Emerge

The last quarter of 2020 has seen a wave of web application attacks which have used ransom letters to target businesses across a number of industries.

According to research from Akamai, the largest of these attacks sent over 200Gbps of traffic at their targets as part of a sustained campaign of higher Bits Per Second (BPS) and Packets Per Second (PPS) than similar attacks had displayed a few weeks prior.

Prior to August most of these attacks were targeting the gaming industry but since then these attacks abruptly swung to financial organisations, and later in the cycle, multiple other verticals.

Akamai explained that none of the vectors involved in these series of attacks were new, as most of the traffic was generated by reflectors and systems that were used to amplify traffic. However, multiple organisations began to receive targeted emails with threats of DDoS attacks, where this would be launched unless a ransom amount was paid. A small DDoS would be made against the company to show that the attackers were serious, and then there was a threat of a 1Tbps attack if payment was not made.

Many extortion DDoS campaigns start as a threat letter, and never progress beyond that point but this this campaign has seen frequent ‘sample’ attacks that prove to the target that criminals have the capability to make life difficult.

Many of the extortion emails ended up being caught by spam filters, and not all targets are willing to admit they’ve received an email from the attackers.

Why this matters:

This extortion DDoS campaign is not over and the criminals behind this campaign are changing and evolving their attacks in order to throw off defenders and the law enforcement agencies that are working to track them down.

Vulnerabilities

New Google Chrome version fixes actively exploited zero-day bug

Google released Chrome 86.0.4240.111 this week to address five security vulnerabilities, one of which is being actively exploited.

The announcement from Google stated they they were aware of reports that an exploit for CVE-2020-15999 exists in the wild.

This new version of Chrome started rolling out to the entire userbase. Users on Windows, Mac, and Linux desktop users can upgrade to Chrome 86 by going to Settings -> Help -> About Google Chrome.

The Google Chrome web browser will then automatically check for the new update and install it when available.

Adobe releases another out-of-band patch, squashing critical bugs across creative software

Adobe has released a second out-of-band security update to patch critical vulnerabilities across numerous software products.

The patch, released outside of the tech giant's typical monthly security cycle, impacts Adobe Illustrator, Dreamweaver, Marketo, Animate, After Effects, Photoshop, Premiere Pro, Media Encoder, InDesign, and the Creative Cloud desktop application on Windows and macOS machines.

The vulnerabilities across the different products variously could result in privilege escalation, cross-site scripting (XSS), which could be weaponised to deploy malicious JavaScript in a browser session, or otherwise could result in arbitrary code execution.

Last week, Adobe released a separate set of out-of-band security fixes impacting the Magento platform. On October 15, Adobe said the patch resolved nine vulnerabilities, eight of which are critical -- including a bug that could be abused to tamper with Magento customer lists. [source]

WordPress deploys forced security update for dangerous bug in popular plugin

The WordPress security team has taken a rare step last week and used a lesser-known internal capability to forcibly push a security update for a popular plugin called Loginizer, which provides security enhancements for the WordPress login page, but that was found to contain a dangerous SQL injection bug that could have allowed hackers to take over WordPress sites running older versions of the plugin. [source]

Why this matters:

Remote attackers to run code against the WordPress database — in what is referred to as an unauthenticated SQL injection attack.

These are the most worrying vulnerabilities around today

Failure to patch once again leaves organisations open to attacks

The US National Security Agency (NSA) has published a new cyber security advisory in which it details 25 of the most dangerous vulnerabilities actively being exploited in the wild by Chinese state-sponsored hackers and other cyber criminals.

Unlike zero-day vulnerabilities where hardware and software makers have yet to release a patch, all of the vulnerabilities in the NSA's advisory are well-known and patches have been made available to download from their vendors. However, the problem lies in the fact that organisations have yet to patch their systems, leaving them vulnerable to potential exploits and attacks.

The NSA provided further details on the nature of the vulnerabilities in its advisory while urging organisations to patch them immediately.

Most of the vulnerabilities listed below can be exploited to gain initial access to victim networks using products that are directly accessible from the Internet and act as gateways to internal networks. The majority of the products are either for remote access or for external web services and should be prioritised for immediate patching. The full list can be found here.

The first bug in the list, tracked as CVE-2019-11510, relates to Pulse Secure VPN servers and how an unauthenticated remote attacker can expose keys or passwords by sending a specially crafted URI to perform an arbitrary file reading vulnerability.

Another notable bug from the list, tracked as CVE-2020-5902, affects the Traffic Management User Interface (TMUI) of F5 BIG-IP proxies and load balancers and it is vulnerable to a Remote Code Execution (RCE) vulnerability that if exploited, could allow a remote attacker to take over an entire BIG-IP device.

The Citrix Application Delivery Controller (ADC) and Gateway systems are vulnerable to a directory traversal bug, tracked as CVE-2019-19781, that can lead to remote code execution where an attacker does not need to possess valid credentials for the device.

The advisory also mentions BlueKeep, SigRed, Netlogon, CurveBall and other more well-known vulnerabilities.

To avoid falling victim to any potential attacks exploiting these vulnerabilities, the NSA recommends that organisations keep their systems and products updated and patched as soon as possible after vendors release them. [source]

Miscellaneous Cyber News of the Weeks

Hackers Can Clone Millions of Toyota, Hyundai, and Kia Keys

Owners of cars with keyless start systems have learned to worry about so-called relay attacks, in which hackers exploit radio-enabled keys to steal vehicles without leaving a trace. Now it turns out that many millions of other cars that use chip-enabled mechanical keys are also vulnerable to high-tech theft. A few cryptographic flaws combined with a little old-fashioned hot-wiring—or even a well-placed screwdriver—lets hackers clone those keys and drive away in seconds.

Researchers this week revealed new vulnerabilities in the encryption systems used by immobilisers, the radio-enabled devices inside of cars that communicate at close range with a key fob to unlock the car's ignition and allow it to start. Specifically, they found problems in how Toyota, Hyundai, and Kia implement their encryption system. A hacker who swipes a relatively inexpensive RFID reader/transmitter device near the key fob of any affected car can gain enough information to derive its secret cryptographic value. That, in turn, would allow the attacker to spoof the device to impersonate the key inside the car, disabling the immobiliser and letting them start the engine.

The researchers say the affected car models include the Toyota Camry, Corolla, and RAV4; the Kia Optima, Soul, and Rio; and the Hyundai I10, I20, and I40, amongst others. [source]

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.