Due to our continued growth and expansion, and to coincide with the opening of our first UK office in Bristol, we are recruiting for a number of cyber roles in the UK:

• Cyber Security Analysts

• Threat Intelligence Analysts

• Incident Responders and Digital Forensics

• IT Security/Technical Specialists

• Microsoft 365 Security Specialists

• Cyber Risk and Governance Consultants

• Penetration Testers and Red Team Specialists

• Trainers

• Cyber Operations Specialists

Contact us for more information careers@blackarrowcyber.com

blackarrowcyber.com/careers

Black Arrow are back in Jersey on 26 and 27 May, we have a few time slots available if anyone wanted to discuss their cyber security risk and governance requirements. Email contact@blackarrowcyber.com or call 01481 711 988 to set up a meeting.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

• Cyber Scams Cost Victims $6.9b-Plus Worldwide in 2021

Cyber-scams cost victims around the globe at least $6.9 billion last year, according to the FBI's latest Internet Crime Report.

Since 2017, the bureau's Internet Crime Complaint Center (IC3) received an average of 552,000 complaints per year. This includes reports of extortion, identity theft, phishing, fraud, and a slew of other nefarious schemes that cost victims no less than $18.7 billion in losses over the five-year period.

Unsurprisingly, the volume of these crimes — and related costs — have grown every year; 2021 set records for the total number of complaints (847,376) as well as losses exceeding $6.9 billion, a jump from the $4.2 billion reported a year earlier.

As with earlier years, phishing attacks were by far the most commonly reported crimes, with 323,972 last year. A subset of this category, business email compromise (BEC), is proving very lucrative and cost victims almost $2.4 billion from 19,954 victims, according to the Feds.

BEC involves a cyber criminal compromising a legitimate email account, and then tricking a business or individual into transferring funds, sending employees' personal data, or unlocking cryptocurrency wallets. The fraudster then steals the cash, drains the crypto wallet and/or sells employees' identities and credentials on the dark web.

https://www.theregister.com/2022/05/05/fbi_cyber_scams/

• Bad Actors Are Maximising Remote Everything

The rise of remote work and learning opened new opportunities for many people – as we’ve seen by the number of people who have moved to new places or adapted to “workcations.” Cyber criminals are taking advantage of the same opportunities – just in a different way. Evaluating the prevalence of malware variants by region reveals a sustained interest by cyber adversaries in maximising the remote work and learning attack vector.

As hybrid work and learning become embedded paradigms in our culture, there are fewer layers of protection between malware and would-be victims. And bad actors are gaining access to more tools to help them pull off their nefarious deeds – like exploit kits. At the same time, the attack surface has rapidly expanded and continues to do so.

That means enterprises must take a work-from-anywhere approach to their security. They need to deploy solutions capable of following, enabling and protecting users no matter where they are located. They need security on the endpoint (EDR) combined with zero trust network access (ZTNA) approaches.

https://threatpost.com/bad-actors-remote-everything/179458/

• This Sneaky Hacking Group Hid Inside Networks For 18 Months Without Being Detected

A previously undisclosed cyber-espionage group is using clever techniques to breach corporate networks and steal information related to mergers, acquisitions and other large financial transactions – and they've been able to remain undetected by victims for periods of more than 18 months.

Detailed by cyber security researchers at Mandiant, who've named it UNC3524, the hacking operation has been active since at least December 2019 and uses a range of advanced methods to infiltrate and maintain persistence on compromised networks that set it apart from most other hacking groups. These methods include the ability to immediately re-infect environments after access is removed. It's currently unknown how initial access is achieved. 

One of the reasons UNC3524 is so successful at maintaining persistence on networks for such a long time is because it installs backdoors on applications and services that don't support security tools, such as anti-virus or endpoint protection.

https://www.zdnet.com/article/this-sneaky-hacking-group-hid-inside-networks-for-18-months-without-being-detected/

• FBI: Business Email Compromise: The $43 Billion Scam

According to the FBI, business email compromise (BEC) and email account compromise (EAC) losses have surpassed $43 billion globally. BEC/EAC is a sophisticated scam that targets both businesses and individuals who perform legitimate transfer-of-funds requests.

The BEC/EAC scam continues to grow and evolve, targeting small local businesses to larger corporations, and personal transactions. Between July 2019 and December 2021, there was a 65% increase in identified global exposed losses, meaning the dollar loss that includes both actual and attempted loss in United States dollars.

The following information was derived from filings with financial institutions between June 2016 and December 2021:

• Domestic and international incidents: 241,206

• Domestic and international exposed dollar loss: $43,312,749,946

The following BEC/EAC statistics were reported in victim complaints to the IC3 between October 2013 and December 2021:

• Total US victims: 116,401

• Total US exposed dollar loss: $14,762,978,290

• Total non-US victims: 5,260

• Total non-US exposed dollar loss: $1,277,131,099

https://informationsecuritybuzz.com/expert-comments/fbi-business-email-compromise-the-43-billion-scam/

• Disgruntled Employees Cashing in On Confidential Information Over Dark Web

Disgruntled employees are making hundreds of thousands of dollars by leaking confidential information over a new platform on the so-called dark web, cyber researchers have said.

Hidden in a part of the internet that is only accessible using special software, the Industrial Spy platform promises huge payouts to staff willing to hand over "dirty secrets" to competitors, according to experts at intelligence business Cyberint.

Industrial Spy currently has data on twelve companies from a range of industries available to people who sign up, Cyberint said.

The platform recently managed to sell two tranches of company data for $400,000 (£318,236) and $750,000 each.

An individual has advertised the platform to potential purchasers of the data on the dark web.

The post said: "With our information you could refuse partnership with an unscrupulous partner, reveal dirty secrets of your competitors and earn millions of dollars using insider information."

Cyber criminals have long approached employees individually and offered a bribe to release sensitive information such as internal data and passwords to access computer systems.

But this new platform allows employees to act on their own initiative to steal data and sell it online.

https://www.telegraph.co.uk/business/2022/05/02/disgruntled-employees-cashing-confidential-information-dark/

• Google Sees More APTs Using Ukraine War-Related Themes

Researchers at Google's Threat Analysis Group (TAG) say the number of advanced threat actors using Ukraine war-related themes in cyber attacks went up in April with a surge in malware attacks targeting critical infrastructure.

According to Google, known state-backed APT groups from China, Iran, North Korea, and Russia, along with various unattributed groups have been using war-related themes in phishing and malware distribution campaigns.

Looking at the cyber attacks that target Eastern Europe, however, a new Google report notes there hasn't been a significant change from the normal levels of activity, despite the increased adoption of lures related to the Ukraine war.

https://www.securityweek.com/google-sees-more-apts-using-ukraine-war-related-themes

• Cryptocurrency Regulators Are Scrambling to Catch Up with Hackers Who Are Swiping Billions

Just four months in, 2022 has been a banner year for hackers, and fraudsters targeting the industry have swindled more than $1 billion from cryptocurrency investors, according to separate estimates by cryptocurrency analysis firm Immunefi.

The rise in fraud has put US regulators on the offensive. The US Securities and Exchange Commission, which has positioned itself as the industry’s main regulator and enforcer, announced on Tuesday that it was going to double its staff working to resources to combat the rise in fraud.

“Crypto markets have exploded in recent years, with retail investors bearing the brunt of abuses in this space. Meanwhile, cyber-related threats continue to pose existential risks to our financial markets and participants,” Gurbir Grewal, director of the SEC’s Division of Enforcement said in a statement. “The bolstered Crypto Assets and Cyber Unit will be at the forefront of protecting investors and ensuring fair and orderly markets in the face of these critical challenges.”

https://www.cyberscoop.com/cryptocurrency-sec-cybersecurity-bitcoin-regulation-enforcement/

• Tackling the Threats Posed by Shadow IT

While remote technologies have allowed businesses to shift their workforces online, this flexibility has created a swathe of challenges for IT teams who must provide a robust security framework for their organisation – encompassing all the personnel and devices within their remit. In addition to the ever-increasing number of personal devices, corporate devices and programs, more and more applications are moving to the cloud as workloads become increasingly distributed across public clouds and software-as-a-service (SaaS).

This means IT teams are even harder pressed to secure and manage the complex environments they operate in. The unsanctioned use of corporate IT systems, devices, and software – known as shadow IT – has increased significantly during the shift to remote work, and recent research found almost one in seven (68%) are concerned about information security because of employees following shadow IT practices.

Shadow IT can allow hackers to steal employee and customer identities, company intellectual property, and cause companies to fail compliance audits. It can also open the door to enterprises accidentally breaking laws and exposes organisations to data exfiltration, malware, and phishing.

https://www.helpnetsecurity.com/2022/05/05/shadow-it-risk/

• Hackers Used the Log4j Flaw to Gain Access Before Moving Across a Company's Network, Say Security Researchers

State-backed hacking groups are some of the most advanced cyber attack operations in the world - but criminals don't need to rely on them if they can exploit unpatched cyber security flaws.

A North Korean hacking and cyber espionage operation breached the network of an engineering firm linked to military and energy organisations by exploiting a cyber security vulnerability in Log4j.

First detailed in December, the vulnerability (CVE-2021-44228) allows attackers to remotely execute code and gain access to systems that use Log4j, a widely used Java logging library.

The ubiquitous nature of Log4j meant cyber security agencies urged organisations globally to apply security updates as quickly as possible, but months on from disclosure, many are still vulnerable to the flaw.

According to cyber security researchers at Symantec, one of those companies that was still vulnerable was an undisclosed engineering firm that works in the energy and military sectors. That vulnerability resulted in the company being breached when attackers exploited the gap on a public-facing VMware View server in February this year. From there, attackers were able to move around the network and compromise at least 18 computers.

https://www.zdnet.com/article/heres-how-hackers-used-the-log4j-flaw-to-gain-access-before-moving-across-a-companys-network/

• New Hacker Group Pursuing Corporate Employees Focused on Mergers and Acquisitions

[Explanatory note from Black Arrow: When a group of cyber attackers is identified by the cyber security community, it is given a code name usually composed of letters and digits. These groups are also sometimes referred to as APTs., or Advanced Persistent Threats, because the groups are highly skilled and are persistent in their attacks; they are often supported by their state government].

A newly discovered suspected espionage threat actor has been targeting employees focusing on mergers and acquisitions as well as large corporate transactions to facilitate bulk email collection from victim environments.

Mandiant is tracking the activity cluster under the uncategorised moniker UNC3524, citing a lack of evidence linking it to an existing group. However, some of the intrusions are said to mirror techniques used by different Russia-based hacking crews like APT28 and APT29.

"The high level of operational security, low malware footprint, adept evasive skills, and a large Internet of Things (IoT) device botnet set this group apart and emphasise the 'advanced' in Advanced Persistent Threat," the threat intelligence firm said in a report.

The initial access route is unknown but upon gaining a foothold, attack chains involving UNC3524 culminate in the deployment of a novel backdoor called QUIETEXIT for persistent remote access for as long as 18 months without getting detected in some cases.

https://thehackernews.com/2022/05/new-hacker-group-pursuing-corporate.html

Threats

Ransomware

• Lockbit 2.0, Conti Dominate Ransomware Attack Activity - MSSP Alert: Cyber Security News for MSSPs & MDR Service Providers

• Twitter May Have Given User's Private Data to A Ransomware Hacker, Who Then Ran a Researcher Offline - CyberScoop

• US DoS Offers a Reward of Up To $15M For Info on Conti Ransomware Gang - Security Affairs

• Trend Micro Discovers AvosLocker Can Disable Antivirus Software (techtarget.com)

• Experts Analyse Conti and Hive Ransomware Gangs' Chats with Their Victims (thehackernews.com)

• New Ransomware Strains Linked to North Korean Govt Hackers (bleepingcomputer.com)

• Ransomware Attacks: Why Case Studies Provide Rare Learning Opportunities - MSSP Alert: Cybersecurity News for MSSPs & MDR Service Providers

• REvil Revival: Are Ransomware Gangs Ever Really Gone? (darkreading.com)

• What We've Learned in the 12 Months Since the Colonial Pipeline Attack (darkreading.com)

Phishing & Email Based Attacks

• MSPs Need a Layered Defence Against Phishing - MSSP Alert: Cyber Security News for MSSPs & MDR Service Providers

• Google SMTP Relay Service Abused for Sending Phishing Emails (bleepingcomputer.com)

• US DoD Scammed Out of $23M in Phishing Attack on Jet-Fuel Vendors (darkreading.com)

• 1000s of Phishing Emails Sent from NHS Inboxes - IT Security Guru

Malware

• This New Fileless Malware Hides Shellcode in Windows Event Logs (thehackernews.com)

• Raspberry Robin Spreads Via Removable USB Devices - Security Affairs

• Hackers Using PrivateLoader PPI Service to Distribute New NetDooka Malware (thehackernews.com)

Mobile

• Android Monthly Updates Are Out – Critical Bugs Found in Critical Places! – Naked Security (sophos.com)

IoT

• Unpatched DNS Bug Affects Millions of Routers and IoT Devices (bleepingcomputer.com)

• What Should I Know About Defending IoT Attack Surfaces? (darkreading.com)

Organised Crime & Criminal Actors

• Scammer Infects His Own Machine with Spyware, Reveals True Identity (darkreading.com)

Cryptocurrency/Cryptomining/Cryptojacking/NFTs

• Crypto Hackers Stole More Than $370 Million In April Alone (vice.com)

• Ferrari Subdomain Hijacked to Push Fake Ferrari NFT Collection (bleepingcomputer.com)

Supply Chain

• NIST Issues Guidance for Addressing Software Supply-Chain Risk (darkreading.com)

Open Source

• Open-Source Security: It's Too Easy to Upload 'Devastating' Malicious Packages, Warns Google | ZDNet

• How Linux Became the New Bullseye for Bad Guys | SecurityWeek.Com

Passwords & Credential Stuffing

• Good End User Passwords Begin with A Well-Enforced Password Policy - Help Net Security

• 55% of People Rely on Their Memory To Manage Passwords - Help Net Security

• A Security Researcher Easily Found My Passwords and More: How My Digital Footprints Left Me Surprisingly Over-Exposed | ZDNet

• A Third of Americans Use Easy-to-Guess Pet Passwords (darkreading.com)

Spyware, Espionage & Cyber Warfare, including Russian Invasion of Ukraine

• Mandiant CEO: False-flag Ops a Red Line For Nation-States • The Register

• Anonymous and Ukraine IT Army Continue to Target Russian Entities - Security Affairs

• Pro-Ukraine Hackers Use Docker Images to DDoS Russian Sites (bleepingcomputer.com)

• Chinese Hackers Caught Stealing Intellectual Property from Multinational Companies (thehackernews.com)

• Russia Hammered by Pro-Ukrainian Hackers Following Invasion | Ars Technica

Nation State Actors

Nation State Actors – Russia

• Russia-Linked APT29 Targets Diplomatic and Government Organisations - Security Affairs

• Russian Ransomware Group Claims Attack on Bulgarian Refugee Agency - CyberScoop

• Russia Cyber Attacks Raise Questions About Hacking Red Lines - Bloomberg

• Putin Threatens Supply Chains with Counter-Sanction Order • The Register

• Russian Hackers Targeting Diplomatic Entities in Europe, Americas, and Asia (thehackernews.com)

• China-linked APT Curious Gorge Targeted Russian Govt Agencies - Security Affairs

• Russia-Ukraine War Prompts Security Best Practices Refresher (techtarget.com)

Nation State Actors – China

• China-Linked Winnti APT Group Silently Stole Trade Secrets for Years: Report | SecurityWeek.Com

• State-Backed Chinese Hackers Target Russia - Infosecurity Magazine (infosecurity-magazine.com)

• Chinese "Override Panda" Hackers Resurface With New Espionage Attacks (thehackernews.com)

• Experts Uncover New Espionage Attacks by Chinese 'Mustang Panda' Hackers (thehackernews.com)

• China Not Happy With South Korea Joining NATO Cyber Defense Center | SecurityWeek.Com

Nation State Actors – North Korea

• Security Researchers: Here's How the Lazarus Hackers Start Their Attacks | ZDNet

• US Sanctions Cryptocurrency Mixer Blender for Helping North Korea Launder Millions (thehackernews.com)

• VHD Ransomware Variant Linked to North Korean Cyber Army (darkreading.com)

Nation State Actors – Misc

• Stealthy APT Group Plunders Very Specific Corporate Email Accounts - Help Net Security

• UNC3524 APT Uses IP Cameras to Deploy Backdoors and Target Exchange - Security Affairs

• 1,000+ Attacks in 2 Years: How the SideWinder APT Sheds Its Skin (darkreading.com)

Vulnerabilities

• CISA Adds Five Known Exploited Vulnerabilities to Catalogue | CISA

• Aruba and Avaya Network Switches Are Vulnerable to RCE Attacks (bleepingcomputer.com)

• Cisco Issues Patches for 3 New Flaws Affecting Enterprise NFVIS Software (thehackernews.com)

• F5 Warns of a New Critical BIG-IP Remote Code Execution Vulnerability (thehackernews.com)

• May 2022 Patch Tuesday Forecast: Look Beyond Just Application and OS Updates - Help Net Security

• Critical Cisco VM-Escape Bug Threatens Host Takeover (darkreading.com)

• Researchers Disclose Years-Old Vulnerabilities in Avast and AVG Antivirus (thehackernews.com)

• QNAP Releases Firmware Patches for 9 New Flaws Affecting NAS Devices (thehackernews.com)

• Multiple Vulnerabilities in Firefox Products Could Allow for Arbitrary Code Execution (cisecurity.org)

• Critical RCE Bug Reported in dotCMS Content Management Software (thehackernews.com)

Sector Specific

Financial Services Sector

• German Finance Watchdog Sees 'Very Big' Risk of Cyber Attacks | SecurityWeek.Com

Telecoms

• Top Ransomware Attack Targets: Telecom Leapfrogs Healthcare - MSSP Alert: Cybersecurity News for MSSPs & MDR Service Providers

• Chinese Hackers Caught Exploiting Popular Antivirus Products to Target Telecom Sector (thehackernews.com)

Health/Medical/Pharma Sector

• Healthcare and Education Sectors Most Susceptible to Cyber Incidents - Infosecurity Magazine

• Phishing Operation Hits NHS Email Accounts • The Register

Education and Academia

• April Ransomware Attacks Slam US Universities (techtarget.com)

• Healthcare and Education Sectors Most Susceptible to Cyber Incidents - Infosecurity Magazine

Other News

• WordPress Sites Getting Hacked ‘Within Seconds’ of TLS Certificates Being Issued | The Daily Swig (portswigger.net)

• Heroku: Cyber Attacker Used Stolen OAuth Tokens to Steal Customer Account Credentials (darkreading.com)

• Car Rental Company Sixt Hit by a Cyber Attack that Caused Disruptions - Security Affairs

• White House Says To Prepare For Cryptography-Cracking Quantum Computers - Information Security Buzz

• CMS-Based Sites Under Attack: The Latest Threats and Trends - Help Net Security

• Mozilla Finds Mental Health Apps Fail 'Spectacularly' at User Security, Data Policies | ZDNet

• Renew Focus on Web Application Security - MSSP Alert: Cybersecurity News for MSSPs & MDR Service Providers

• UK to Place Security Requirements on App Developers and Store Operators - Infosecurity Magazine

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Executive Summary

A set of five vulnerabilities named “TLStorm 2.0” have been discovered, affecting some network switches produced by Aruba and Avaya. The vulnerabilities could allow a malicious party to remotely execute code on the devices, allowing access to data flowing through the device or configuration control of the device which could lead to further attacks.

What’s the risk to me or my business?

Network switches are the backbone of IT infrastructure that allows data to flow from different devices. These switches also provide the ability to segregate data, such as having a separate guest and corporate network. If exploited, these vulnerabilities could allow a malicious attacker to bypass a guest network and gain access to the corporate network, which exposes corporate infrastructure to further attacks. There is currently evidence these vulnerabilities are being used in the wild.

What can I do?

Confirm with your managed service provider if affected devices are in use within your organisation, and if the appropriate patches have been supplied to the devices. It is important to remember all network devices when considering software and firmware patching, not just Windows endpoints. Other mitigation steps include limiting the potential attack service by denying management portal access on guest network ports or limiting this specifically to a dedicated management port.

Technical Summary

There are a total of five vulnerabilities disclosed affecting Avaya and Aruba switches. Only four of these vulnerabilities were given CVE’s, as the fifth vulnerability was only found on a discontinued product line. All the vulnerabilities relate to the NanoSSL library, and it’s implementation by the vendors on the network switches. It’s worth noting that the library itself does not contain the vulnerabilities, these vulnerabilities are present due to the vendor not following the correct implementation guidelines for the library.

Avaya - CVE-2022-29860, CVE-2022-29861

·         ERS3500 Series

·         ERS3600 Series

·         ERS4900 Series

·         ERS5900 Series

Aruba - CVE-2022-23677 and CVE-2022-23676

·         Aruba 5400R Series

·         Aruba 3810 Series

·         Aruba 2920 Series

·         Aruba 2930F Series

·         Aruba 2930M Series

·         Aruba 2530 Series

·         Aruba 2540 Series

Further details can be found here, under “Technical Overview”: TLStorm 2.0 - Armis

Need help understanding your gaps, or just want some advice? Get in touch with us.

Executive Summary

A privileged escalation hacking tool has been publicly disclosed, which allows an attacker to use the PowerShell to step through a process leading to local administrator access. Known as “KrbRelayUp” takes advantage of default configuration settings for Windows Domain environments, and the ability for local accounts to access Microsoft PowerShell. This attack requires a low-privilege account to be compromised, and could lead to further privilege escalation including compromising a domain administrator account.

What’s the risk to me or my business?

As the requirements for this attack are credentials to a low privileged account, and default configuration for Windows Active Directory, it is a likely path for an attacker to use once they have compromised an account in order to gain privileged access. This vulnerability affects any environments using either Local Domain Controllers, or a Hybrid between Azure and On-Premises Active Directory.

What can I do?

Contact your Managed Service Provider and request that tools such as “PSExec” and “PowerShell” are blocked for standard users, who would not require access to these tools typically used for administration purposes. Other mitigation options include enforcing “LDAP Signing” within active directory environments, however it is important to test the impact that making these changes may have on a production environment to avoid unexpected outcomes.

Technical Summary

The attack follows the following steps:

1.       Compromise/have access to low-privileged credentials linked to a Local Active Directory environment.

2.       Create a new machine account and add this to the domain.

3.       Obtain the SID for the machine account.

4.       Use the KrbRelay software to abuse the attribute “msDS-AllowedToActOnBehalfOfOtherIdentity” of the targeted computer account.

5.       Obtain privileged Silver Ticket for the local machine through Rebeus by performing a Resource-based Constrained Delegation attack (RBCD).

6.       Use the Silver Ticket to authenticate with local service manager, creating a new service as NT/System. This service now has local administrator access.

Further details can be found here:

GitHub - Dec0ne/KrbRelayUp: KrbRelayUp - a universal no-fix local privilege escalation in windows domain environments where LDAP signing is not enforced (the default settings). Privilege Escalation using KrbRelay and RBCD · GitHub

Need help understanding your gaps, or just want some advice? Get in touch with us.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

• Ransomware Attacks Surged to New Highs in 2021

Ransomware attacks are getting more frequent, more successful and more expensive.

Sixty-six percent of the organisations surveyed by Sophos for its annual State of Ransomware report admitted that they were hit with a ransomware attack last year, up from 37% in 2020. And 65 percent of those attacks were successful in encrypting their victims' data, up from 54 percent the year before.

On top of that, the average ransom paid by organisations for their most significant ransomware attack grew by nearly five times, to just over $800,000, while the number of organisations that paid ransoms of $1 million or more tripled to 11%, the UK-based cybersecurity company said. For its annual report, Sophos surveyed 5,600 organisations from 31 countries. A total of 965 of those polled shared details of their ransomware attacks.

The numbers aren't a huge surprise after a year of epic ransomware attacks that shut down everything from a major oil pipeline to one of the largest meat processors in the US. While both Colonial Pipeline and JBS US Holdings paid millions in ransom, the attacks paused their operations long enough to spark panic buying and drive prices up for consumers.

https://www.cnet.com/tech/services-and-software/ransomware-attacks-surged-to-new-highs-in-2021/#ftag=CAD-09-10aai5b

• NCSC and Allies Publish Advisory on The Most Commonly Exploited Vulnerabilities In 2021

The UK and international partners have published an advisory for public and private sector organisations on the 15 most commonly exploited vulnerabilities in 2021.

The National Cyber Security Centre (NCSC), a part of GCHQ, has jointly published an advisory with agencies in the US, Australia, Canada and New Zealand, showing that malicious cyber actors aggressively targeted newly disclosed critical software vulnerabilities across the public and private sectors worldwide.

Threat actors often geared their efforts towards targeting internet-facing systems, such as email and virtual private network (VPN) servers.

It also indicates that, to a lesser extent, actors continue to exploit publicly known – and often dated – vulnerabilities, some of which were routinely exploited in 2020 or earlier.

The advisory directs organisations to follow specific mitigation advice to protect against exploitation, which includes applying timely patches, using a centralised patch management system and replacing any software no longer supported by the vendor.

https://www.ncsc.gov.uk/news/ncsc-and-allies-publish-advisory-on-the-most-commonly-exploited-vulnerabilities-in-2021

•  Network Attacks Increased to a 3-Year High

WatchGuard Technologies’ Internet Security Report for Q4 2021 revealed all threats were up, whether they’re network attacks or malware.

When the pandemic started, their research team saw a big drop in malware being detected by network security devices. In this period, tech based jobs moved to remote work, which meant a lot of users were no longer browsing the internet and encountering bad things through the network security control at the office. That’s probably why network detection for malware dropped quite a bit at the beginning of the pandemic.

Meanwhile, network attacks continued to rise even through the pandemic, since the servers still lived at the offices and the cloud, and network security still protected those.

The big takeaway in Q4 2021 is that malware rose significantly, returning to normal levels. The reason might be the holiday season, but it’s most probably the fact that, at the end of last year, a lot of tech-based offices started reopening and offering employees to come back in, and thus there’s a bigger chance for network security controls to catch malware.

https://www.helpnetsecurity.com/2022/04/25/network-attacks-q4-2021-video/

• World War Three Is Far More Likely Than Anyone Is Prepared to Admit

A Telegraph article looks at the Russia-Ukraine conflict and considers risks posed by new weapons and how the West’s failure to understand our enemies are raising the chances of a horrific conflict.

The fact is the world is becoming more, rather than less, dangerous: there are plenty of other wannabe Putins, and they are better equipped to sow death and destruction. Not only traditional and nuclear threats but bioterrorism is a growing worry and a major cyber attack or assault on transatlantic cables could be so devastating to an internet-based economy as to be seen as a declaration of war.

https://www.telegraph.co.uk/news/2022/04/27/world-war-three-far-likely-anyone-prepared-admit/

• The Ransomware Crisis Deepens, While Data Recovery Stalls

Higher probabilities of attack, soaring ransoms, and less chance of getting data back — the ransomware plague gets worse, and cyber insurance fails to be a panacea.

When it comes to ransomware, more companies are seeing attacks and have had data encrypted, according to research out this week. And even though more companies are backing up or paying ransom demands, less data was recovered in 2021 compared with the previous year.

For instance, in its "State of Ransomware 2022" report, cybersecurity firm Sophos found that 66% of surveyed companies had encountered ransomware in 2021, with two-thirds of those firms — or 43% overall — suffering from an actual attack that encrypted data. In its previous report covering 2020, the frequency of successful attacks was much smaller, with about 20% overall resulting in encryption.

The deteriorating cyberthreat landscape is largely due to the evolution of ransomware groups and their techniques, says Sean Gallagher, senior threat researcher with Sophos.

"Over the past couple of years, there has been a massive transition from ransomware to ransomware-as-a-service," he says. "There are very well-established [groups] that are doing these attacks, and as a result, the number of attacks companies are seeing has gone up."

Ransomware continues to plague companies with business-disrupting attacks and defy efforts by cybersecurity experts to rein in the operators behind the criminals’ campaigns. Not only did the portion of companies affected by ransomware more than double last year, but the mean ransomware payment more than quadrupled to $812,000, according to the Sophos report.

https://www.darkreading.com/attacks-breaches/ransomware-crisis-deepens-data-recovery-stalls

• Ransoms Only Make Up 15% of Ransomware Costs

New research suggests that paying ransoms is only the tip of the cost iceberg when it comes to ransomware attacks.

Researchers at Check Point have revealed that the collateral damage of ransomware attacks make up costs roughly seven times higher than the ransom demanded by threat actors.

The costs include financial implications caused by incident response efforts, system restoration, legal fees, monitoring costs and the overall impact of business disruption.

Ransomware attacks are an increasingly popular attack method, typically involving stealing data from the victim, encrypting data and forcing them to pay for decryption and avoiding a data leak.

Check Point said in the report:

“Most other losses, including response and restoration costs, legal fees, monitoring costs, etc., are applied whether the extortion demand was paid or not. The year 2020 showed that the average total cost of a ransomware attack was more than seven times higher than the average ransom paid.”

https://www.itsecurityguru.org/2022/04/28/ransoms-only-make-up-15-of-ransomware-costs/

• Defending Your Business Against Russian Cyber Warfare

We are likely to see Russian state sponsored attacks escalate as the West continues to increase sanctions and support Ukraine.

The eyes of the world are focused on the war in Ukraine. As expected, Russia has targeted Ukraine with cyber attacks first, and much of the West is wondering when Russia will also retaliate against countries supporting Ukraine. Most agree that some attacks are already in progress, and the attacks against western entities are sure to escalate as the war continues and more sanctions are put in place. 

The first wave of companies targeted by the Russian state, and threat actors it supports, will be those that suspend Russian operations or take direct action to support Ukraine. Information operations and subversion against these companies will likely ensue. In the event of Russian cyberwarfare, reviewing the industries, styles, and objectives of their attacks can help organisations to prepare and implement more robust defences. These defences include actions both inside and outside an enterprise's perimeter.

https://www.securityweek.com/defending-your-business-against-russian-cyberwarfare

• 5-Year Vulnerability Trends Are Both Surprising and Sadly Predictable

What 5,800+ pentests show us: Companies have been struggling with the same known and preventable security bugs year over year. Bandwidth stands at the heart of the problem.

Cyber crime can cause major disruption when it comes to the sustainability and long-term success of companies. Teams want to have robust security but often struggle to meet that objective. It's crucial for security professionals to leverage insights into emerging trends in cybersecurity to pinpoint which vulnerabilities put organisations at the greatest risk, and Cobalt's "State of Pentesting" reports explore how to achieve efficiency to strengthen security.

The "State of Pentesting 2022" surveyed 602 cybersecurity and software development professionals and analysed data from 2,380 pentests conducted over the course of 2021 to pull key insights that are relevant to security and development teams when it comes to fixing vulnerabilities.

As a result of the data collected, the top five most common vulnerability categories outlined in this year's "State of Pentesting" report include:

·       Server Security Misconfigurations

·       Cross-Site Scripting (XSS)

·       Broken Access Control

·       Sensitive Data Exposure

·       Authentication and Sessions

Surprisingly — yet predictably — these vulnerability categories have stayed at the top of the list for at least the last five years in a row. They're also recognisable to those who are familiar with OWASP Top 10 list for Web Application Security Risks.

The majority of these findings are connected to missing configurations, outdated software, and a lack of access management controls — all common and easily preventable security flaws. So, what's holding companies back from preventing well-known security flaws? Why does this come as a surprise?

https://www.darkreading.com/vulnerabilities-threats/5-year-vulnerability-trends-are-both-surprising-and-sadly-predictable

• Cisco Talos Observes 'Novel Increase' in APT Activity in Q1

Advanced persistent threat actors have been busy over the past few months, according to Cisco Talos.

The security vendor released its Quarterly Trends report, which examined incident response trends from engagements in the first quarter of 2022. While ransomware remained the top threat, as it has for the past two years now, Cisco observed a new trend of increased APT activity. The Cisco Talos Incident Response (CTIR) team attributed some of the increase to groups like Iranian state-sponsored Muddywater and China-based Mustang Panda.

One suspected Chinese APT, dubbed "Deep Panda," was connected to exploitation of the Log4j flaw that was discovered last year in the widely used Java logging tool. Log4j exploitation was the second most common threat for Q1 behind ransomware, indicating the bug is a growing threat despite a patch being available.

https://www.techtarget.com/searchsecurity/news/252516380/Cisco-Talos-observes-novel-increase-in-APT-activity-in-Q1

• Deepfakes Set to Be Used in Organised Crime

New research from Europol suggests that deepfakes will be used extensively in organised crime operations.

Europol has warned of a projected rise in the use of deepfake technology by organised crime organisations.

Deepfakes involve the use of artificial intelligence to create realistic audio and audio-visual content “that convincingly shows people saying or doing things they never did, or create personas that never existed in the first place.”

Law enforcement and the challenge of deepfakes is the first published analysis of the Europol Innovation Lab’s Observatory function, warning that law enforcement agencies must rapidly improve skills and technologies utilised by officers in order to keep up with criminal deepfake use.

The analysis report highlighted how deepfakes are used primarily in disinformation, non-consensual pornography and document fraud campaigns, which will grow more realistic in years to come.

https://www.itsecurityguru.org/2022/04/29/deepfakes-set-to-be-used-in-organised-crime/

• Smart Contract Developers Not Really Focused on Security. Who Knew?

"Smart contracts," which consist of self-executing code on a blockchain, are not nearly as smart as the label suggests.

They are at least as error-prone as any other software, where historically the error rate has been about one bug per hundred lines of code.

And they may be shoddier still due to disinterest in security among smart contract developers, and perhaps inadequate technical resources.

Multi-million dollar losses attributed to smart contract bugs – around $31m stolen from MonoX via smart contract exploit and ~$34m locked into a contract forever due to bad increment math, to name a few – illustrate the consequences.

https://www.theregister.com/2022/04/26/smart_contract_losses/

• Tractor-Trailer Brake Controllers Vulnerable to Remote Hacker Attacks

We’ve been predicting this for a while now and the move to more and more connected systems, autonomous and semi-autonomous vehicles, how long until someone is subject to threats to disconnect a vehicle’s brakes as they are driving along a motorway? Who wouldn’t pay the ransom demand in that scenario?

A report this week is related to articulated lorries but this is something that will be affecting all vehicles unless safeguards are put in place.

Researchers have analysed the cyber security of heavy vehicles and discovered that the brake controllers found on many tractor-trailers in North America are susceptible to remote hacker attacks.

The research was conducted by the US National Motor Freight Traffic Association (NMFTA), which is a non-profit organisation that represents roughly 500 motor freight carriers, in collaboration with Assured Information Security, Inc.

NMFTA has been analysing the cyber security of heavy vehicles since 2015 and it has periodically disclosed its findings. The latest report from the organisation came in early March, when the US Cybersecurity and Infrastructure Security Agency (CISA) also issued an advisory to describe two vulnerabilities affecting trailer brake controllers.

The flaws described in the CISA advisory are related to the power line communications (PLC) between tractors and trailers, specifically the PLC4TRUCKS technology, which uses a standard named J2497 for bidirectional communications between the tractor and trailer without adding new wires.

https://www.securityweek.com/tractor-trailer-brake-controllers-vulnerable-remote-hacker-attacks

Threats

Ransomware

• Prevent HEAT Attacks to Foil Ransomware Incidents - Help Net Security

• 4-Hour Time-to-Ransom Seen in Quantum Attack as Accelerated Ransomware Increasingly Common | SecurityWeek.Com

• Conti Ransomware Operations Surge Despite Recent Leak - Security Affairs

• Beware: Onyx Ransomware Destroys Files Instead of Encrypting Them (bleepingcomputer.com)

• FBI says BlackCat Rust-Based Ransomware Scratched 60+ Orgs • The Register

• REvil Ransomware Attacks Resume, But Operators Are Unknown (techtarget.com)

• Fake Windows 10 Updates Infect You with Magniber Ransomware (bleepingcomputer.com)

• New Black Basta Ransomware Springs into Action with A Dozen Breaches (bleepingcomputer.com)

• Companies Can't Get Enough of Good Ol' Tape Storage For Ransomware Resistance | PC Gamer

Phishing & Email Based Attacks

• Phishing Goes KISS: Don’t Let Plain and Simple Messages Catch You Out! – Naked Security (sophos.com)

• Phishing Attacks Benefiting from Shady SEO Practices (techtarget.com)

• Cyber Criminals Deliver IRS Tax Scams and Phishing Campaigns by Mimicking Government Vendors - Help Net Security

Malware

• Emotet Malware Now Installs Via Powershell in Windows Shortcut Files (bleepingcomputer.com)

• It’s Called BadUSB for a Reason - Security Affairs

• New RIG Exploit Kit Campaign Infecting Victims' PCs with RedLine Stealer (thehackernews.com)

• Emotet Tests New Attack Techniques: Sign of Things to Come? | CSO Online

• Cyber Criminals Using New Malware Loader 'Bumblebee' in the Wild (thehackernews.com)

• New Powerful Prynt Stealer Malware Sells for Just $100 Per Month (bleepingcomputer.com)

Mobile

• These Are Signs That Your Phone Could Be Infected with Malware - PhoneArena

Organised Crime & Criminal Actors

• Interpol: We Can't Arrest Our Way Out of Cyber Crime • The Register

Cryptocurrency/Cryptomining/Cryptojacking/NFTs

• Scammers Are Copying News Sites To Push Elon Musk-themed Crypto Scams - Information Security Buzz

• Why Did Hackers Target DeFi L1, L2 Solutions for a $1.2 Billion Theft in 2022? (watcher.guru)

• Intuit Sued Over Phishing Attack Targeting Trezor Crypto Wallet Users - Decrypt

• Crypto Trading Fund Partners Accused of Fraud - Infosecurity Magazine

• LemonDuck Botnet Evades Detection in Cryptomining Attacks (techtarget.com)

• Bored Ape Yacht Club Instagram Hacked, NFTs Worth Millions Stolen (vice.com)

Insider Risk and Insider Threats

• Don't Ignore Risks Lurking Within Your Own Network - Help Net Security

AML/CFT

• Two More Indicted Over North Korean Sanctions Evasion Plot - Infosecurity Magazine

• FCA: Challenger Banks Failing to Spot Money Launderers - Infosecurity Magazine

Denial of Service DoS/DDoS

• Cloudflare Stomps On 15.3 Million Requests Per Second DDoS • The Register

• How a New Generation of IoT Botnets Is Amplifying DDoS Attacks | CSO Online

• Attackers Remain Persistent and Indiscriminate As Multi-Vector DDoS Attacks Continue To Rise - Help Net Security

• DDoS Attacks Target Healthcare, Education Markets, Research Finds - MSSP Alert

Cloud

• Is Cloud Critical Infrastructure? Prep Now for Provider Outages (techtarget.com)

• Shadow IT Is A Top Concern Related To SaaS Adoption - Help Net Security

• Security Turbulence in the Cloud: Survey Says… | Threatpost

Travel

• Finnish Hotels' Data Compromised - Infosecurity Magazine

Parental Controls and Child Safety

• Hackers Sexually Extort Kids with Stolen Data: Report (gizmodo.com)

Spyware, Espionage & Cyber Warfare, including Russian Invasion of Ukraine

• The Hybrid War in Ukraine - Microsoft On the Issues

• Data-Wiper Malware Strains Surge Amid Ukraine Invasion • The Register

• Russia Is Being Hacked at an Unprecedented Scale | WIRED

• Chinese Hackers Targeting Russian Military Personnel with Updated PlugX Malware (thehackernews.com)

• Cyber Attacks Rage in Ukraine, Support Military Operations | Threatpost

• Ongoing DDoS Attacks from Compromised Sites Hit Ukraine - Security Affairs

• Anonymous Hacked Russian PSCB Commercial Bank and Energy Firms - Security Affairs

• Russia-Linked Threat Actors Launched Hundreds of Cyber Attacks on Ukraine - Security Affairs

• Russian Hacktivists Launch DDoS Attacks on Romanian Govt Sites (bleepingcomputer.com)

• Cyber Espionage APT Now Identified as Three Separate Actors | Threatpost

Nation State Actors

Nation State Actors – Russia

• Microsoft Documents Over 200 Cyber Attacks by Russia Against Ukraine (thehackernews.com)

• Russian Govt Impersonators Target Telcos in Phishing Attacks (bleepingcomputer.com)

• The Subject of Trusting ‘Russian’ Applications - Information Security Buzz

Nation State Actors – North Korea

• Nation-state Hackers Target Journalists with Goldbackdoor Malware | Threatpost

Nation State Actors – Iran

• Iran's Rocket Kitten Likely Behind VMware Exploitation • The Register

Nation State Actors – Misc

• Case Study: Why It's Difficult To Attribute Nation-State Attacks (techtarget.com)

• Experts Detail 3 Hacking Teams Working Under the Umbrella of TA410 Group (thehackernews.com)

Vulnerability Management

• Five Eyes Nations Reveal 2021's Fifteen Most-Exploited Flaws • The Register

• Experts Warn of A Surge In Zero-Day Flaws Observed And Exploited in 2021 - Security Affairs

• Cyber Criminals are Feasting Over 'Zero-day Hacks' While the World Watches (analyticsinsight.net)

Vulnerabilities

• CISA Adds 7 Vulnerabilities to List Of Bugs Exploited In Attacks (bleepingcomputer.com)

• Cisco Patches 11 High-Severity Vulnerabilities in Security Products | SecurityWeek.Com

• Update Now! Critical Patches for Chrome and Edge | Malwarebytes Labs

• Microsoft Patches Pair of Dangerous Vulnerabilities in Azure PostgreSQL (darkreading.com)

• Log4j Attack Surface Remains Massive (darkreading.com)

• Microsoft Discovers New Privilege Escalation Flaws in Linux Operating System (thehackernews.com)

• Millions of Java Apps Remain Vulnerable to Log4Shell | Threatpost

• Organisations Warned of Attacks Exploiting WSO2 Vulnerability | SecurityWeek.Com

• Critical Vulnerabilities Leave Some Network-Attached Storage Devices Open to Attack (darkreading.com)

• Vulnerability Found in WordPress Anti-Malware Firewall (searchenginejournal.com)

Sector Specific

Financial Services Sector

• Private Investigator Admits Role in Hedge Fund Hack - Infosecurity Magazine

Government

• Governments Under Attack Must Think Defensively - Help Net Security

• Data Breach Disrupts UK Army Recruitment - Infosecurity Magazine

Health/Medical/Pharma Sector

• French Hospital Group Disconnects Internet After Hackers Steal Data (bleepingcomputer.com)

• Medical Software Firm Fined €1.5M for Leaking Data of 490k Patients (bleepingcomputer.com)

• Data breach at US healthcare provider ARcare impacts 345,000 individuals | The Daily Swig (portswigger.net)

• DDoS Attacks Target Healthcare, Education Markets, Research Finds - MSSP Alert

• Smile Brands Breach Impacts 2.5 Million Individuals - Infosecurity Magazine

CNI, OT, ICS, IIoT and SCADA

• Why Is It So Easy To Break Into The Systems That Run The World’s Most Critical, Expert Weighs In - Information Security Buzz

• Chickens Baked Alive Due to Computer Glitch - Infosecurity Magazine

Education and Academia

• Universities Lose Over £2m to Ransomware - IT Security Guru

• DDoS Attacks Target Healthcare, Education Markets, Research Finds - MSSP Alert

Gaming/Gambling

• New APT Group Earth Berberoka Targets Gambling Websites With Old and New Malware (trendmicro.com)

Reports Published in the Last Week

• Cisco Talos Intelligence Group - Comprehensive Threat Intelligence: Quarterly Report: Incident Response trends in Q1 2022

• Internet Security Report - Q4 2021 | WatchGuard Technologies

• State of Pentesting Report 2022 | Cobalt

Other News

• SolarWinds Breach Lawsuits: 6 Takeaways for CISOs | CSO Online

• 41% Of Businesses Had an API Security Incident Last Year - Help Net Security

• Security Leaders Relying More Heavily on MSPs Amid Talent Crunch - Help Net Security

• 2022 Security Priorities: Staffing and Remote Work (darkreading.com)

• GitHub: How Stolen OAuth Tokens Helped Breach Dozens of Orgs (bleepingcomputer.com)

• Why Companies Should Focus on Preventing Privilege Escalation (techtarget.com)

• German Wind Turbine Firm Hit by 'Targeted, Professional Cyber Attack' | SecurityWeek.Com

• 308,000 Exposed Databases Discovered, Proper Management Is Key - Help Net Security

• Lapsus$ targeting SharePoint, VPNs and virtual machines (techtarget.com)

• Indian Govt Orders Organisations to Report Security Breaches Within 6 Hours to CERT-In (thehackernews.com)

• Top Five Post-Pandemic Priorities for Cyber Security Leaders - Help Net Security

• Security Spending Set to Hit $198bn by 2025 - Infosecurity Magazine

• Companies Poorly Prepared to Meet CCPA, CPRA and GDPR Compliance Requirements - Help Net Security

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Executive Summary

A vulnerability which was previously disclosed in May 2021 and confirmed to be actively exploited in August 2021 is still being actively exploited by malicious actors on Microsoft Exchange systems that have not been patched. This vulnerability can be exploited by any compromised user account that can access an unpatched exchange server using PowerShell, and is a potential ingress point for further attacks including ransomware. This vulnerability relates to Microsoft Exchange instances that are either ‘on premises’, importantly this includes any IT provider hosted private cloud instances.

What’s the risk to my business?

The initial exploit required related CVE notices for the three vulnerabilities known as ‘ProxyShell’ were classified as two critical and one medium. However, it is now being actively exploited with only the medium vulnerability used to deliver ransomware attacks to unpatched systems. The compromised account does not need administrative access and could be any account which makes phishing a very likely vector for initial compromise.

What can I do?

If your business is using Microsoft Exchange on-premise, ensure that the appropriate security updates have been applied. If Microsoft Exchange is being hosted by an MSP, then ensure that the MSP confirms the vulnerabilities have been patched. As these security updates are for Exchange which facilitates business email, the application of these patches can involve system downtime. Since these vulnerabilities are being actively exploited it is now recommended that the patches are applied as soon as possible.

Technical Summary

The following Microsoft Exchange products are affected by this vulnerability: Microsoft Exchange Server 2019, 2016 and 2013. To address this, KB5003435 was issued which targets four CVE vulnerabilities: CVE-2021-31195, CVE-2021-31198, CVE-2021-31207 and CVE-2021-31209.

Further information on the security update can be found here, including the specific updates for different systems, and troubleshooting steps if the update is not applying correctly. Details on each individual CVE can also be found through this link: Description of the security update for Microsoft Exchange Server 2019, 2016, and 2013: May 11, 2021 (KB5003435)

Need help understanding your gaps, or just want some advice? Get in touch with us.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

• Why Ransomware Attacks Prefer Small Business Targets Rather Than Rich Enterprises

Enterprise businesses with 25,000 employees+ are less likely to get hit by a ransomware attack than smaller businesses — even though big companies typically can afford to pay higher ransoms, the 2022 CyberEdge Cyberthreat Defense Report concluded.

What explains hackers taking aim at small businesses more frequently than enterprise giants?  The answer: Damaging a critical infrastructure facility or similar disruptions are certain to catch the eye of federal law enforcement, or national governments — something that no hacker wants, CyberEdge said. Smaller to medium-sized firms, as it turns out, get hit more frequently by ransomware attacks, on average at roughly 70 percent, the report said.

Overall, some 71 percent of organisations have been bitten by ransomware in 2022, up a point and a half from last year and by 8.5 points in 2020. It’s companies of 10,000 to 24,999 employees that are the sweet spot for ransomware hackers, nearly 75 percent of which are victimised by cyber extortionists.

The extensive study, which surveyed 1,200 security decision makers and practitioners employed by companies of greater than 500 people in 17 countries across 19 industries, is geared to helping gauge their internal practices and investments against those of their counterparts in other parts of the world.

https://www.msspalert.com/cybersecurity-research/why-ransomware-attacks-prefer-small-business-targets-rather-than-rich-enterprises/

• Ransomware Plagues Finance Sector as Cyber Attacks Get More Complex

Cyber criminals have evolved from hacking wire transfers to targeting market data, as ransomware continues to hit financial firms, says a new VMware report. Here's what to do about it.

Ransomware plagues financial institutions as they face increasingly complex threats over previous years owing to the changing behaviour of cyber criminal cartels, according to VMware's latest Modern Bank Heists report.

This has happened as the cyber crime cartels have evolved beyond wire transfer frauds to target market strategies, take over brokerage accounts, and island-hop into banks, according to the report.

For the report, VMware surveyed 130 financial sector CISOs and security leaders from across different regions including North America, Europe, Asia Pacific, Central and South America, and Africa.

Report findings were consistent with observations by other security experts. "The Secret Service, in its investigative capacity to protect the nation's financial payment systems and financial infrastructure, has seen an evolution and increase in complex cyber-enabled fraud," says Jeremy Sheridan, former assistant director at the US Secret Service. "The persistent, inadequate security of systems connected to the internet provides opportunity and methodology."

https://www.csoonline.com/article/3657875/ransomware-plagues-finance-sector-as-cyberattacks-get-more-complex.html

• 76% of Organisations Worldwide Expect to Suffer a Cyber Attack This Year

Ransomware, phishing/social engineering, denial of service (DoS) attacks, and the business fallout of a data breach rank as the top concerns of global organisations, a new study shows.

The newly published Cyber Risk Index, a study by Trend Micro and the Ponemon Institute, shows that more than three-quarters of global organisations expect to suffer a cyber attack in the next 12 months — 25% of which say an attack is "very likely."

More than 80% of the 3,400 CISO and IT professionals and managers surveyed say their organisations were hit with one or more successful cyber attacks in the past 12 months, and 35% suffered seven or more attacks, according to the report, which covers the second half of 2021.

https://www.darkreading.com/attacks-breaches/76-of-organizations-worldwide-expect-to-suffer-a-cyberattack-this-year

• Most Email Security Approaches Fail to Block Common Threats

A full 89 percent of organisations experienced one or more successful email breaches during the previous 12 months, translating into big-time costs.

On overwhelming number of security teams believe their email security systems to be ineffective against the most serious inbound threats, including ransomware.

That’s according to a survey of business customers using Microsoft 365 for email commissioned by Cyren and conducted by Osterman Research, which examined concerns with phishing, business email compromise (BEC), and ransomware threats, attacks that became costly incidents, and preparedness to deal with attacks and incidents.

“Security team managers are most concerned that current email security solutions do not block serious inbound threats (particularly ransomware), which requires time for response and remediation by the security team before dangerous threats are triggered by users,” according to the report, released Wednesday.

Less than half of those surveyed said that their organisations can block delivery of email threats. And, correspondingly, less than half of organisations rank their currently deployed email security solutions as effective.

https://threatpost.com/email-security-fail-block-threats/179370/

• Financial Leaders Grappling with More Aggressive and Sophisticated Attack Methods

VMware released a report which takes the pulse of the financial industry’s top CISOs and security leaders on the changing behaviour of cyber criminal cartels and the defensive shift of the financial sector.

The report found that financial institutions are facing increased destructive attacks and falling victim to ransomware more than in years past, as sophisticated cyber crime cartels evolve beyond wire transfer fraud to now target market strategies, take over brokerage accounts and island hop into banks.

In the Modern Bank Heists report, 63% of financial institutions admitted experiencing an increase in destructive attacks, with cyber criminals leveraging this method as a means to burn evidence as part of a counter incident response.

Additionally, 74% experienced at least one ransomware attack over the past year, with 63% paying the ransom. When asked about the nation-state actors behind these attacks, the majority of financial instructions stated that Russia posed the greatest concern, as geopolitical tension continues to escalate in cyberspace.

https://www.helpnetsecurity.com/2022/04/21/cybercriminal-cartels-financial-sector/

• Hackers Sneak Malware into Resumes Sent to Corporate Hiring Managers

A new set of phishing attacks delivering the ‘more_eggs’ malware has been observed striking corporate hiring managers with bogus resumes as an infection vector, a year after potential candidates looking for work on LinkedIn were lured with weaponised job offers.

"This year the more_eggs operation has flipped the social engineering script, targeting hiring managers with fake resumes instead of targeting jobseekers with fake job offers," eSentire's research and reporting lead, Keegan Keplinger, said in a statement.

The Canadian cyber security company said it identified and disrupted four separate security incidents, three of which occurred at the end of March. Targeted entities include a US-based aerospace company, an accounting business located in the UK, a law firm, and a staffing agency, both based out of Canada.

The malware, suspected to be the handiwork of a threat actor called Golden Chickens (aka Venom Spider), is a stealthy, modular backdoor suite capable of stealing valuable information and conducting lateral movement across the compromised network.

"More_eggs achieves execution by passing malicious code to legitimate windows processes and letting those windows processes do the work for them," Keplinger said. The goal is to leverage the resumes as a decoy to launch the malware and sidestep detection.

https://thehackernews.com/2022/04/hackers-sneak-moreeggs-malware-into.html

• West Warns of Russian Cyber Attacks as Concerns Rise Over Putin’s Nuclear Rhetoric

Cyber crime groups have publicly pledged support for Russia, western officials worry about Putin’s reliance on nuclear threats and the battle for Mariupol in Ukraine grinds on.

The US and four of its closest allies have warned that “evolving intelligence” shows that Russia is contemplating cyber attacks on countries backing Ukraine, as the Kremlin’s frustration grows at its failure to make military gains.

Vladimir Putin used the launch on Wednesday of a powerful new Sarmat intercontinental ballistic missile (ICBM), capable of carrying ten or more warheads, to make nuclear threats against western countries.

The Sarmat has long been in development and test flights were initially due to start in 2017. The Pentagon confirmed that the US had been given notice of the test and was not alarmed. Western officials are more concerned by the increasing emphasis Moscow puts on its nuclear arsenal as its conventional forces have faltered in Ukraine.

The Ukrainian army continued to put up resistance in the besieged and devastated city of Mariupol, but Putin’s Chechen ally, Ramzan Kadyrov, predicted that the last stand of the port’s defenders at the Azovstal steel works would fall on Thursday.

The Kremlin has made repeated threats against the many countries that have been supplying Ukraine’s army with modern weapons, and members of the “Five Eyes” intelligence sharing network – the US, Britain, Canada, Australia and New Zealand – predicted Moscow could also work with cyber crime groups to launch attacks on governments, institutions and businesses.

https://www.theguardian.com/world/2022/apr/21/west-warns-of-russian-cyber-attacks-as-concerns-rise-over-putins-nuclear-rhetoric

• Criminals Adopting New Methods To Bypass Improved Defences, Says Zscaler

The number of phishing attacks worldwide jumped 29 percent last year as threat actors countered stronger enterprise defences with newer methods, according to researchers with Zscaler's ThreatLabz research team.

Cyber criminals have adapted to multi-factor authentication (MFA), employee security awareness training, and security controls by broadening who and where they will attack.

While the United States remained the country with the most phishing attempts, others are seeing faster growth in the number of incidents – exploiting new vectors like SMS and lowering the barrier of entry for launching attacks through pre-built tools made available on the market.

"Phishing attacks continue to remain one of the most prevalent attack vectors, often serving as a starting point for more advanced next stage attacks that may result in a large-scale breach," Deepen Desai, CISO and vice president of security research and operations at Zscaler, told The Register.

https://www.theregister.com/2022/04/20/phishing-attempts-on-rise-zscaler/

• Cyber Criminals Are ‘Drinking the Tears’ of Ukrainians

In biology, when an insect drinks the tears of a large creature, it is called lachryphagy. And in cyberspace, malicious actors are likewise “drinking tears” by exploiting humanitarian concerns about the war in Ukraine for profit. Different forms of deception include tricking people into donating to bogus charities, clicking on Ukraine-themed malicious links and attachments, and even impersonating officials to extort payment for rescuing loved ones.

It is an unfortunate reality that cyber opportunists are engaging in lachryphagy to exploit humanitarian concerns about the war for profit or data collection. To date, one of the largest cryptocurrency scams involving fraudulent Ukrainian relief payments totalled $50 million in March, the Wall Street Journal reports.

Immediately following Russia’s invasion of Ukraine, cybersecurity companies warned the public that criminals were preying on Ukrainian relief fundraising efforts with cryptocurrency scams. Bitdefender Labs reports that cyber criminals have impersonated Ukrainian government entities and charitable organisations such as UNICEF, and the Australian humanitarian agency, Act for Peace. “Some [scammers] are even pretending to be Wladimir Klitschko, whose brother Vitali is mayor of Ukraine’s capital, Kyiv,” according to the BBC.

https://thehill.com/opinion/cybersecurity/3273636-cyber-criminals-are-drinking-the-tears-of-ukrainians/?rl=1

• Hackers For Hire Attempt to Destroy Hedge Fund Manager's Reputation

Hackers bombarded a British hedge fund manager with 3,000 emails and fake news stories about his mortgage in an effort to destroy his reputation after being hired by a corporate rival.

Criminals even sought to gain personal information about Matthew Earl by pretending to be his sister in a three-year campaign when he raised concerns over the controversial German payments company Wirecard.

Mr Earl, a former City analyst who runs the hedge fund ShadowFall, said he was targeted by a group called Dark Basin.

This group has been linked to Aviram Azari, who this week pleaded guilty in New York to a conspiracy to target journalists and critics of Wirecard using phishing emails.

Mr Earl said the hacking attempts started in 2016 after ShadowFall, nicknamed the “dark destroyer” in the City, criticised the financial performance of Wirecard. The German company was later mired in a series of accounting scandals and went bust.

He said: “I was being sent very targeted emails, which were crafted with personal information about my interests, friends and family’s details. They were very specific.”

Mr Earl received news stories that appeared to be from media outlets such as Reuters and Bloomberg. Another email appeared to be sent by his sister, sharing family photographs, he added.

https://www.telegraph.co.uk/business/2022/04/21/reign-terror-hackers-hire-ramp-corporate-espionage/

• New Threat Groups and Malware Families Emerging

Mandiant announced the findings of an annual report that provides timely data and insights based on frontline investigations and remediations of high-impact cyber attacks worldwide. The 2022 report––which tracks investigation metrics between October 1, 2020 and December 31, 2021—reveals over 1,100 new threat groups and 733 new malware families.

The report also notes a realignment and retooling of China cyber espionage operations to align with the implementation of China’s 14th Five-Year Plan in 2021. The report warns that the national-level priorities included in the plan “signal an upcoming increase in China-nexus actors conducting intrusion attempts against intellectual property or other strategically important economic concerns, as well as defence industry products and other dual-use technologies over the next few years.”

https://www.helpnetsecurity.com/2022/04/22/adversaries-innovating-and-adapting/

Economic Warfare: Attacks on Critical Infrastructure Part of Geopolitical Conflict

We’ve known for years that since at least March of 2016, Russian government threat actors have been targeting multiple U.S. critical infrastructure sectors including the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors. The Department of Homeland Security (DHS), the Federal Bureau of Investigations (FBI), and other agencies have acknowledged this for quite some time in many of their technical alerts and statements.

In the intervening years, with the acceleration of digital transformation, cyber criminals and nation-state actors have increasingly set their sights on these sectors. The convergence of physical and digital assets brings competitive advantage but also inevitable risks. Attacks against hospitals, oil pipelines, food supply chains, and other critical infrastructure, have brought into sharp focus the vulnerability of cyber-physical systems (CPS) and the impact on lives and livelihoods when they are disrupted. Now, overwhelming signs indicate critical infrastructure companies are in the bullseye of geopolitical conflict.

https://www.securityweek.com/economic-warfare-attacks-critical-infrastructure-part-geopolitical-conflict

Threats

Ransomware

• How Ready Are Organisations to Manage and Recover From A Ransomware Attack? - Help Net Security

• FBI: BlackCat Ransomware Breached At Least 60 Entities Worldwide (bleepingcomputer.com)

• Ransomware: This Gang Is Getting a Lot Quicker at Encrypting Networks | ZDNet

• Hive Hackers Are Exploiting Microsoft Exchange Servers in Ransomware Spree | ZDNet

• REvil's TOR Sites Come Alive to Redirect To New Ransomware Operation (bleepingcomputer.com)

• PYSA Ransomware Attacks: Here's What MSSPs Need to Know - MSSP Alert

• An Investigation of the BlackCat Ransomware via Trend Micro Vision One

• REvil Resurrected? Ransomware Crew Appears to Be Back • The Register

• FBI Warning: Ransomware Gangs Are Going After This Lucrative but Unexpected Target | ZDNet

Phishing & Email Based Attacks

• LinkedIn Brand Takes Lead as Most Impersonated In Phishing Attacks (bleepingcomputer.com)

• FBI Warns of 'Reverse' Instant Payments Phishing Schemes | SecurityWeek.Com

• Spreading Malware Through Community Phishing - Help Net Security

Malware

• Windows Malware Can Steal Social Media Credentials and Banking Logins (komando.com)

• Emotet Botnet Switches to 64-bit Modules, Increases Activity (bleepingcomputer.com)

• New SolarMarker Malware Variant Using Updated Techniques to Stay Under the Radar (thehackernews.com)

• Emotet Reestablishes Itself at The Top Of The Malware World • The Register

Mobile

• Millions of Android Users at Risk Of Attack After Widespread Security Issue Uncovered | TechRadar

BYOD

• 60% of Companies using BYOD Face Serious Security Risks - Help Net Security

IoT

• How to Secure Smart Home (IOT) Devices | Reviews by Wirecutter (nytimes.com)

• New Stealthy BotenaGo Malware Variant Targets DVR Devices (bleepingcomputer.com)

Organised Crime & Criminal Actors

• Russian Hackers Are Seeking Alternative Money-Laundering Options (bleepingcomputer.com)

• How Russia Is Isolating Its Own Cyber Criminals (darkreading.com)

Cryptocurrency/Cryptomining/Cryptojacking

• Hackers Hammer SpringShell Vulnerability In Attempt To Install Cryptominers | Ars Technica

• Beanstalk DeFi Platform Loses $182 Million In Flash-Loan Attack (bleepingcomputer.com)

• Yet Another Phishing Attack? Terra Users Lose $4.3 Million, According To Security Firm (watcher.guru)

• Hackers Steal $655K After Picking MetaMask Seed from iCloud Backup (bleepingcomputer.com)

• LemonDuck Botnet Plunders Docker Cloud Instances in Cryptocurrency Crime Wave | ZDNet

Fraud, Scams & Financial Crime

• Security Lessons From a Payment Fraud Attack (darkreading.com)

• Scammers Snatch Up Expired Domains, Vexing Google | TechCrunch

Insurance

• Cyber Insurance and the Changing Global Risk Environment - Security Affairs

Dark Web

• Experts Spotted Industrial Spy, A New Stolen Data Marketplace - Security Affairs

Supply Chain and Third Parties

• Strength in Unity: Why It's Especially Important to Strengthen Your Supply Chain Now (darkreading.com)

• More Than Half of Initial Infections in Cyber Attacks Come Via Exploits, Supply Chain Compromises (darkreading.com)

Cloud

• IT Leaders Require Deeper Security Insights to Confidently Manage Multi-Cloud Workloads - Help Net Security

• Rethinking Cyber-Defence Strategies in the Public-Cloud Age | Threatpost

• Cyber Criminals Are Shifting Their Gaze To Kubernetes - Information Security Buzz

Passwords & Credential Stuffing

• What Is Peppering in Password Security and How Does It Work? (makeuseof.com)

Digital Transformation

• The Price of An Accelerated Digital Transformation - Help Net Security

Spyware, Espionage & Cyber Warfare, including Russian Invasion of Ukraine

• Moving Towards Defence in Depth Under The Grey Skies Of Conflict - Help Net Security

• Locked Shields ‘Live Fire’ Cyber Drills to be Held as War in Ukraine Continues - Bloomberg

• Russian-Linked Shuckworm Crew Ups Attacks on Ukraine • The Register

• Russian Gamaredon APT Continues to Target Ukraine - Security Affairs

• Phishing Attacks Using the Topic "Azovstal" Targets Entities in Ukraine - Security Affairs

• Hackers Claim to Target Russia with Cyber Attacks and Leaks - The New York Times (nytimes.com)

• The Anonymous Collective Hacked Other Russian Organisations - Security Affairs

• Spyware Was Used Against Catalan Targets and UK Prime Minister and Foreign Office | CSO Online

• Stalkerware Detection Trends: Monitor and Spyware Findings - MSSP Alert

• Catalan Chief Accuses Spain's Intelligence Agency of Hacking | SecurityWeek.Com

• Anomaly 6 Tracked NSA and CIA Spies as Product Demo: Report (gizmodo.com)

Nation State Actors

Nation State Actors – Russia

• Five Eyes Nations Warn of Russian Cyber Attacks Against Critical Infrastructure (thehackernews.com)

• NATO Locked Shields War Games Prep for Real Russian Cyber Attack (gizmodo.com)

• The Russian Cyber Threat Is Here to Stay and NATO Needs To Understand It | Fox News

• A Russian Cyber Attack Is Coming —Lawmakers and Citizens Must Prepare | The Hill

• US Officials Increase Warnings About Russian Cyber-Attacks - Infosecurity Magazine

• Work From Home Software 'At Risk of Russian Cyber Attacks' (telegraph.co.uk)

• US Officials Preparing for Potential Russian Cyber Attacks - CBS News

• After Foiled Sandworm Attack, US Critical Infrastructure Should Stand Guard | CSO Online

Nation State Actors – China

• Chinese Hackers Behind Most Zero-Day Exploits During 2021 (bleepingcomputer.com)

Nation State Actors – North Korea

• North Korea Funds Nuclear Program with Cyber Crime- IT Security Guru

• North Korea Aims 'TraderTraitor' Malware at Cryptocurrency Workers (cyberscoop.com)

• Blockchain Companies Warned of North Korean Hackers - IT Security Guru

Nation State Actors – Misc

• State Actors Drive Record Number of Zero-Day Exploits in 2021 - Infosecurity Magazine

Vulnerability Management

• Vulnerabilities That Kept Security Leaders Busy in Q1 2022 - Help Net Security

• How Fast Do Cyber Criminals Capitalize on New Security Weaknesses? - Help Net Security

• Zero-Day Exploit Use Exploded in 2021 (darkreading.com)

Vulnerabilities

• VMware, Chrome Flaws Added to Known Exploited Vulnerabilities Catalogue - Security Affairs

• Hackers Exploiting Recently Reported Windows Print Spooler Vulnerability in the Wild (thehackernews.com)

• Cisco Releases Security Patches for TelePresence, RoomOS and Umbrella VA (thehackernews.com)

• Time to get patching: Oracle's quarterly Critical Patch Update arrives with 520 fixes | ZDNet

• 7-Zip Zero-Day Vulnerability Grants Privilege Escalation | TechSpot

• When “Secure” Isn’t Secure at All: High‑Impact UEFI Vulnerabilities Discovered in Lenovo Consumer Laptops | WeLiveSecurity

• QNAP Warns of New Bugs in Its Network Attached Storage Devices – Naked Security (sophos.com)

• Cisco Umbrella Default SSH Key Allows Theft of Admin Credentials (bleepingcomputer.com)

• Researcher Releases PoC for Recent Java Cryptographic Vulnerability (thehackernews.com)

• Critical Cryptographic Java Security Blunder Patched – Update Now! – Naked Security (sophos.com)

• Atlassian Drops Patches for Critical Jira Authentication Bypass Vulnerability (thehackernews.com)

• Unpatched Bug in RainLoop Webmail Could Give Hackers Access to all Emails (thehackernews.com)

• Zero-Day Exploits Found And Disclosed Hit A Record High In 2021, Google Project Zero says - CyberScoop

Sector Specific

Financial Services Sector

• Modern Bank Heists 5.0: The Escalation from Dwell to Destruction (vmware.com)

• Two-Thirds of Global Banks Witness Surge in Destructive Attacks - Infosecurity Magazine

FinTech

• Ransomware in Fintech: Cyber Criminals Adopt New Means as Theft Gives Way To Sabotage - Help Net Security

Health/Medical/Pharma Sector

• The New Cyberthreat To Healthcare: Killware - Information Security Buzz

• Many Medical Device Makers Skimp on Security Practices (darkreading.com)

Transport and Aviation

• Cyber-Attackers Hit Sunwing Airlines - Infosecurity Magazine (infosecurity-magazine.com)

Reports Published in the Last Week

• Modern Bank Heist 5.0 (vmware.com)

• 3 Key Takeaways from the 2022 ConnectWise MSP Threat Report - MSSP Alert

• Discover The Anatomy of An External Cyber Attack Surface With New RiskIQ Report - Microsoft Security Blog

Other News

• Why Companies Should Make ERP Security a Top Priority (techtarget.com)

• The Evolving Role of The Lawyer in Cyber Security - Help Net Security

• Cyber Security Litigation Risks: 4 Top Concerns for CISOs | CSO Online

• Ponemon Research - Businesses to Invest $172b On Cyber Security In 2022 - Information Security Buzz

• T-Mobile Admits Lapsus$ Hackers Gained Access to its Internal Tools and Source Code (thehackernews.com)

• Funkypigeon.com Suspends Orders After 'Cyber Security Incident' | Business News | Sky News

• The SEC Is About To Force CISOs Into America’s Boardrooms (forbes.com)

• Data Breaches, Ransomware Attacks Leave Security Teams “Exhausted” - MSSP Alert

• When Attacks Surge, Turn to Data to Strengthen Detection and Response | SecurityWeek.Com

• What Can Someone Do with Your IP Address? (makeuseof.com)

• Attacker Accessed Dozens of Repositories After OAuth Token Theft - Information Security Buzz

• 7 Best Practices for Web3 Security Risk Mitigation (techtarget.com)

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Executive Summary

UEFI Firmware provides an interface allowing for configuration of a computer at the beginning of the boot sequence, prior to the operating system loading. This firmware is supplied with every modern computer and allows an administrator to make hardware and security configuration changes to the system, while allowing the computer to boot successfully into the operating system. Lenovo has disclosed three vulnerabilities within this UEFI Firmware, affecting its consumer laptop range. These vulnerabilities could allow an attacker with local access to the machine to execute arbitrary code on the laptop.

What’s the risk to my business?

A malicious actor with local access to an affected laptop may be able to compromise the security and data stored on the laptop.

What can I do?

Updates to the UEFI Firmware on affected laptops are available and should be installed onto affected laptops. It’s noted that this firmware will need to be downloaded and installed from the Lenovo website, and these updates will not be supplied through Windows Update. As these firmware updates apply to low-level software that effectively makes the computer work, it is critical that the laptop is plugged in and not restarted while the update is taking place.

Important: Firmware updates have not been supplied for models that have reached end of development support with Lenovo. It is important to ensure that all corporate systems are within a support window with the manufacturer for this reason.

Technical Summary

Lenovo have issued firmware updates for the following CVE’s: CVE-2021-3970, CVE-2021-3971, CVE-2021-3972. Security researchers originally disclosed these updates on 11/10/2021, and Lenovo released fixes on 18/04/2022.

CVE-2021-3970 relates to a validation vulnerability within a variable named “LenovoVariable SMI Handler” which may allow an attacker with local access and elevated privileges to execute arbitrary code.

CVE-2021-3971 relates to a vulnerability within an older driver used during the manufacturing process that was mistakenly included within the BIOS image. This vulnerability could allow an attacker with elevated privileges to modify the firmware protection region by modifying an NVRAM variable.

CVE-2021-3972 relates to a vulnerability within an older driver used during the manufacturing process was mistakenly not deactivated which could allow an attacker with elevated privileges to modify secure boot settings by modifying an NVRAM variable.

Information on affected models with firmware updates available can be found here: Lenovo Notebook BIOS Vulnerabilities - Lenovo Support GB

Further information on the technicalities of the vulnerabilities can be found here: When “secure” isn’t secure at all: High‑impact UEFI vulnerabilities discovered in Lenovo consumer laptops | WeLiveSecurity

Need help understanding your gaps, or just want some advice? Get in touch with us.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

• Cyber Security Is Getting Harder: More Threats, More Complexity, Fewer People

Splunk and Enterprise Strategy Group released a global research report that examines the security issues facing the modern enterprise. More than 1,200 security leaders participated in the survey, revealing they’ve seen an increase in cyber attacks while their teams are facing widening talent gaps.

According to the report, 65% of respondents say they have seen an increase in attempted cyber attacks. In addition, many have been directly impacted by data breaches and costly ransomware attacks, which have left security teams exhausted:

·       49% of organisations say they have suffered a data breach over the past two years, an increase from 39% a year earlier.

·       79% of respondents say they’ve encountered ransomware attacks, and 35% admit that one or more of those attacks led them to lose access to data and systems.

·       59% of security teams say they had to devote significant time and resources to remediation, an increase from 42% a year ago.

·       54% of respondents report that their business-critical applications have suffered from unplanned outages related to cyber security incidents on at least a monthly basis, with a median of 12 outages per year. The median time to recover from unplanned downtime tied to cyber security incidents is 14 hours. Respondents estimated the cost of this downtime averaged about $200,000 per hour.

·       64% of security professionals have stated that it’s challenging to keep up with new security requirements, up from 49% a year ago.

https://www.helpnetsecurity.com/2022/04/13/modern-enterprise-security-issues/

• Terrible Cloud Security Is Leaving the Door Open for Hackers. Here's What You're Doing Wrong

A rise in hybrid work and a shift to cloud platforms has changed how businesses operate - but it's also leaving them vulnerable to cyber attacks.

Cloud applications and services are a prime target for hackers because poor cyber security management and misconfigured services are leaving them exposed to the internet and vulnerable to simple cyber attacks.

Analysis of identity and access management (IAM) polices taking into account hundreds of thousands of users in 18,000 cloud environments across 200 organisations by cyber security researchers at Palo Alto Networks found that cloud accounts and services are leaving open doors for cyber criminals to exploit – and putting businesses and users at risk.

The global pandemic pushed organisations and employees towards new ways of remote and hybrid working, with the aid of cloud services and applications. While beneficial to businesses and employees, it also created additional cyber security risks – and malicious hackers know this.

https://www.zdnet.com/article/terrible-cloud-security-is-leaving-the-door-open-for-hackers-heres-what-youre-doing-wrong/

• More Organisations Are Paying the Ransom. Why?

Most organisations (71%) have been hit by ransomware in 2021, and most of those (63%) opted for paying the requested ransom, the 2022 Cyberthreat Defense Report (CDR) by the CyberEdge Group has shown.

The research company says that possible explanations for the steady yearly rise of the percentage of organisations that decided to pay the ransom may include: the threat of exposing exfiltrated data, increased confidence for data recovery, and the fact that many organisations find that paying a ransom is significantly less costly than system downtime, customer disruption, and potential lawsuits.

“72% of ransom-paying victims recovered their data [in 2021], up from 49% in 2017. This increased confidence for successful data recovery is often factored into the ransom-paying decision,” the company noted.

Similarly, BakerHostatler’s 2022 Data Security Incident Response Report says that in ransomware incidents the US-based law firm was called in to manage in 2021, ransomware groups provided decryptors and stuck to their promise to not publish stolen data 97% of the time.

https://www.helpnetsecurity.com/2022/04/11/organizations-paying-ransom/

• Cyber Attack Puts City Firms on High Alert to Bolster Defences

Experts warn a combination of 'ignorance and arrogance' makes City executives vulnerable to attacks.

City firms on high alert for cyber attacks were sent a clear warning recently, bolstering concerns of the potential for breaches from Russia.

Ince Group, the London-listed law firm, last month fell prey to hackers who infiltrated its computer systems and stole confidential data. The company's security systems detected the intrusion on March 13, prompting the IT team to shut down servers to try and prevent widespread damage.

But soon after, the hackers demanded a ransom for stolen data and threatened to publish it on the dark web if Ince Group, which has clients in the shipping, energy and healthcare sectors, didn't pay up.

The incident has intensified worries of possible breaches after warnings that City firms could be targeted by Russian hackers following Putin’s invasion of Ukraine.

Julia O'Toole, chief executive of MyCena Security Solutions, says executives should be "very concerned" about any news of a cyber attack at a rival company.

https://www.telegraph.co.uk/business/2022/04/11/cyber-attack-puts-city-firms-high-alert-bolster-defences/

• More Than 60% of Organisations Suffered a Breach in the Past 12 Months

Firms focus too narrowly on external attackers when it's insiders, third parties, and stolen assets that cause many breaches, new study shows.

The majority of companies — 63% — have suffered at least one breach in the past 12 months. The global average breach cost $2.4 million — a price tag that increases to $3.0 million for companies unprepared to respond to compromises.

The new data from Forrester Research, released on April 8 in a report titled "The 2021 State Of Enterprise Breaches," found that the number of breaches and the cost of breaches varied widely depending on the geographic location of the business and to what degree the organisation is prepared to respond to breaches. Companies in North America had the largest disparity between the haves and have-nots: While the average organisation required 38 days to find, eradicate, and recover from a breach, companies that failed to adequately prepare for security challenges took 62 days.

The difference in response resulted in a large difference in cost as well, with the average North American company paying $3.0 million to recover from a breach, a bill that rises to $4.0 million if the company suffered from a lack of incident-response preparation.

"The misalignment between the expectation and the reality of breaches has become very important," says Allie Mellen, an analyst with Forrester's Security and Risk group. "On a global scale, there is a big disparity of about $600,000 between those who are prepared to respond to a breach and those who are not."

https://www.darkreading.com/attacks-breaches/more-than-60-of-organizations-suffered-a-breach-in-the-past-12-months

• Account Takeover Poised to Surpass Malware as The No. 1 Security Concern

As most researchers and financial executives can attest, virtually all types of fraud have dramatically risen over the past two years. However, attackers taking over legitimate financial accounts have become even more of a favourite with cyber criminals than most fraud schemes.

Many major recent research reports have pointed out that account takeover (ATO), a form of identity theft where bad actors access legitimate bank accounts, change the account information and passwords, and hijack a real customer’s account, has skyrocketed since last year. According to Javelin Research’s annual "Identity Fraud Study: The Virtual Battleground" report, account takeover increased by 90% to an estimated $11.4 billion in 2021 when compared with 2020 — representing roughly one-quarter of all identity fraud losses last year.

Like many types of financial fraud, cyber thieves are betting on the fact that if they attempt to seize a large number of legitimate accounts, eventually they will get a payoff.

Account takeovers are a numbers game, the more accounts that an organisation has, the bigger their risk that some of them will be compromised.

Account takeovers often piggyback off of previous attacks, making these crimes a way for hackers to make the most out of stolen information. Diskin pointed out that account takeovers most commonly happen when a password is “taken from another data leak and reused for different accounts. But there are a variety of risky scenarios that can lead to compromise.”

https://www.scmagazine.com/analysis/cybercrime/account-takeover-poised-to-surpass-malware-as-the-no-1-security-concern

• Security Research Reveals 42% Rise in New Ransomware Programs In 2021

Critical infrastructure in the crosshairs: operational technology vulnerabilities jump 88% .

Threat intelligence analysts at Skybox Research Lab uncovered a 42% increase in new ransomware programs targeting known vulnerabilities in 2021. The Silicon Valley cyber security company released its annual 2022 Vulnerability and Threat Trends Report, revealing how quickly cyber criminals capitalise on new security weaknesses – shrinking the window that organisations have to remediate vulnerabilities ahead of an attack.

With 20,175 new vulnerabilities published in 2021, Skybox Research Lab witnessed the most vulnerabilities ever reported in a single year. And these new vulnerabilities are just the tip of the iceberg. The total number of vulnerabilities published over the last 10 years reached 166,938 in 2021 — a three-fold increase over a decade. These cumulative vulnerabilities, piling up year after year, represent an enormous aggregate risk, and they’ve left organisations struggling with a mountain of cyber security debt. As the US Cybersecurity and Infrastructure Security Agency (CISA) highlights in its Top Routinely Exploited Vulnerabilities list, threat actors are routinely exploiting publicly disclosed vulnerabilities from years past.

The sheer volume of accumulated risks — hundreds of thousands or even millions of vulnerability instances within organisations — means they can’t possibly patch all of them. To prevent cyber security incidents, it is critical to prioritise exposed vulnerabilities that could cause the most significant disruption, then, apply appropriate remediation options including configuration changes or network segmentation to eliminate risk, even before patches are applied or in cases where patches aren’t available.

https://informationsecuritybuzz.com/study-research/skybox-security-research-reveals-42-rise-in-new-ransomware-programs-in-2021/

• Fraudsters Stole £58m with Remote Access Trojans (RATs) in 2021

2021 saw victims of Remote Access Tool (RAT) scams lose £58m in 2021, official UK police figures show.

RAT scams involve scammers taking control of a victim’s device, typically in order to access bank accounts.

Some 20,144 victims fell for this type of scam in 2021, averaging around £2800 stolen per incident.

Typically, RAT attacks begin with a victim being inundated with pop-ups claiming there is a problem with the computer. Users are often then asked to call a “hotline” number, when a scammer will persuade them to download a RAT.

RAT scams are often compared to the classic “tech support” scams. Modern RAT scams are typically more devious, however, with scammers often cold-calling their victims pretending to work for their bank and claiming that they need computer access to investigate a fraudulent transaction.

https://www.itsecurityguru.org/2022/04/11/fraudsters-stole-58m-with-rats-in-2021/

• As State-Backed Cyber Threats Grow, Here's How the World Is Reacting

With the ongoing conflict in Eurasia, cyber warfare is inevitably making its presence felt. The fight is not only being fought on the fields. There is also a big battle happening in cyberspace. Several cyber-attacks have been reported over the past months.

Notably, cyber attacks backed by state actors are becoming prominent. There have been reports of a rise of ransomware and other malware attacks such as Cyclops Blink, HermeticWiper, and BlackCat. These target businesses as well as government institutions and nonprofit organisations. There have been cases of several attempts to shut down online communications and IT infrastructure.

The ongoing list of significant cyber incidents curated by the Center for Strategic and International Studies (CSIS) shows that the number of major incidents in January 2022 is 100% higher compared to the same period in the previous year. With the recent activities in cyberspace impacted by the emergence of the geopolitical tumult in February, it is not going to be surprising to see an even more dramatic rise in the number of significant incidents.

https://thehackernews.com/2022/04/as-state-backed-cyber-threats-grow.html

• Q1 Reported Data Compromises Up 14% Over 2021

The Identity Theft Resource Center published a First Quarter 2022 Data Breach Analysis which found that Q1 of 2022 began with the highest number of publicly reported data compromises in the past three years.

Publicly reported data compromises totalled 404 through March 31, 2022, a 14 percent increase compared to Q1 2021.

This is the third consecutive year when the number of total data compromises increased compared to Q1 of the previous year. It also represents the highest number of Q1 data compromises since 2020.

https://informationsecuritybuzz.com/expert-comments/q1-reported-data-compromises-up-14-over-2021/

• Europol Announces Operation to Hit Russian Sanctions-Evaders

European police have announced a major new operation designed to crack down on Russian oligarchs and businesses looking to circumvent sanctions.

Operation Oscar will run for at least a year as an umbrella initiative that will feature many separate investigations, Europol explained.

The policing organisation’s European Financial and Economic Crime Centre will work to exchange information and intelligence with partners and provide operational support in financial crime investigations.

A key focus appears to be on illicit flows of money, which Russian individuals and entities will be trying to move around the region in order to bypass sanctions imposed since President Putin’s invasion of Ukraine.

“Europol will centralise and analyse all information contributed under this operation to identify international links, criminal groups and suspects, as well as new criminal trends and patterns,” Europol said.

“Europol will further provide tailor-made analytical support to investigations, as well as operational coordination, forensics and technical expertise, and financial support to the relevant national authorities.”

https://www.infosecurity-magazine.com/news/europol-hit-russian/

Threats

Ransomware

• Ransomware: These Two Gangs Are Behind Half of All Attacks | ZDNet

• Clueless Hackers Spent Months Inside a Network And Nobody Noticed. But Then a Ransomware Gang Turned Up | ZDNet

• Conti Ransomware Leak Shows Group Operates Like a Normal Tech Company, with an HR Department, Performance Reviews and an ‘Employee of the Month’ (cnbc.com)

• Don't Let Ransomware Gangs Spend Months in Your Network • The Register

• Dismantling ZLoader: How Malicious Ads Led to Disabled Security Tools And Ransomware - Microsoft Security Blog

• Analysis of the SunnyDay Ransomware - Security Affairs

• Karakurt Data Thieves Linked to Larger Conti Hacking Group | CSO Online

• Conti Ransomware Gang Claims Responsibility for The Nordex Hack - Security Affairs

• OldGremlin Ransomware Gang Targets Russia with New Malware (bleepingcomputer.com)

• Conti Ransomware Offshoot Targets Russian Organisations | Malwarebytes Labs

Other Social Engineering

• FBI: Payment App Users Targeted in Social Engineering Attacks (bleepingcomputer.com)

• These Hackers Pretend to Poach, Recruit Rival Bank Staff In New Cyber Attacks | ZDNet

Malware

• Credential-Stealing Malware Disguises Itself As Telegram, Targets Social Media Users | Malwarebytes Labs

• Microsoft Sounds The Alarm Over New Cunning Windows Malware | TechRadar

• Spring4Shell Under Active Exploit by Mirai Botnet Herders • The Register

• Haskers Gang Gives Away ZingoStealer Malware to Other Cyber Criminals for Free (thehackernews.com)

• Hackers Hijack Adult Websites to Infect Victims With Malware | TechRadar

• Qbot Malware Switches To New Windows Installer Infection Vector (bleepingcomputer.com)

• Windows 11 tool to Add Google Play Secretly Installed Malware (bleepingcomputer.com)

• Over 16,500 Sites Hacked to Distribute Malware via Web Redirect Service (thehackernews.com)

• Researchers Warn of FFDroider and Lightning Info-Stealers Targeting Users in The Wild (thehackernews.com)

• Enemybot: a New Mirai, Gafgyt Hybrid Botnet Joins The Scene | ZDNet

Mobile

• Android Banking Malware Intercepts Calls to Customer Support (bleepingcomputer.com)

• How to Stop Octo Malware From Remotely Accessing Your Android (lifehacker.com)

IoT

• New EnemyBot DDoS Botnet Recruits Routers and IoTs Into Its Army (bleepingcomputer.com)

• 3 Reasons Connected Devices are More Vulnerable than Ever (bleepingcomputer.com)

Data Breaches/Leaks

• GitHub Says Hackers Breached Dozens of Organisations Using Stolen OAuth Access Tokens (thehackernews.com)

Organised Crime & Criminal Actors

• New Industrial Spy Stolen Data Market Promoted Through Cracks, Adware (bleepingcomputer.com)

• Google Files Suit Against Cameroonian Cyber Criminal Who Used Puppies as Lures - CyberScoop

Cryptocurrency/Cryptomining/Cryptojacking

• 10 NFT and Cryptocurrency Security Risks That CISOs Must Navigate | CSO Online

• A Practical Reason Why Crypto Might Not Work for Large-Scale Sanctions Evasion - CyberScoop

Insider Risk and Insider Threats

• Who Is Your Biggest Insider Threat? | CSO Online

• Former DHS Acting IT Chief Convicted in Software, Database Theft Scheme (darkreading.com)

Fraud, Scams & Financial Crime

• Cyber Criminals Do Their Homework for Latest Banking Scam • The Register

Denial of Service DoS/DDoS

• New Fodcha DDoS Botnet Targets Over 100 Victims Every Day (bleepingcomputer.com)

• New EnemyBot DDoS Botnet Borrows Exploit Code from Mirai and Gafgyt (thehackernews.com)

Cloud

• 99% Of Cloud Identities Are Overly Permissive, Opening Door to Attackers | CSO Online

• The Perils of SaaS Misconfigurations - Help Net Security

• Top Attack Techniques for Breaching Enterprise And Cloud Environments - Help Net Security

• Finding Attack Paths in Cloud Environments (thehackernews.com)

• The Two Words You Should Never Forget When You’re Securing a Cloud - Help Net Security

Privacy

• Muting Your Mic Reportedly Doesn’t Stop Big Tech from Recording Your Audio (thenextweb.com)

Spyware, Espionage & Cyber Warfare, including Russian Invasion of Ukraine

• Preparing for Armageddon: How Ukraine Battles Russian hackers | Ars Technica

• Ukraine Proves Cyber War Has No Borders - MSSP Alert

• Hackers Target Ukrainian Govt with IcedID Malware, Zimbra Exploits (bleepingcomputer.com)

• Russia’s Sandworm Hackers Attempted a Third Blackout In Ukraine | Ars Technica

• The Unceasing Action of Anonymous Against Russia - Security Affairs

• European Officials Reportedly Targeted by NSO Spyware • The Register

Nation State Actors

Nation State Actors – Russia

• CISA Warns Orgs of WatchGuard Bug Exploited by Russian State Hackers (bleepingcomputer.com)

Nation State Actors – China

• China-Linked Hafnium APT Leverages Tarrask Malware to Gain Persistence - Security Affairs

• China ‘Decodes’ An Orbiting US Satellite; Claims Expertise In Automatically Detecting & Fixing Security Flaws In Outer Space (eurasiantimes.com)

Nation State Actors – North Korea

• US Gov Believes Lazarus APT is Behind Ronin Validator Cyber Heist - Security Affairs

• Feds Offer $5m Reward for Info on North Korean Cyber Crooks • The Register

• FBI Links Largest Crypto Hack Ever to North Korean Hackers (bleepingcomputer.com)

• Symantec: North Korea's Lazarus Targets Chemical Companies • The Register

Vulnerabilities

• Microsoft Issues Patches for 2 Windows Zero-Days and 126 Other Vulnerabilities (thehackernews.com)

• Google Issues Third Emergency Fix For Chrome This Year • The Register

• Critical HP Teradici PCoIP Flaws Impact 15 Million Endpoints (bleepingcomputer.com)

• Critical Windows RPC Vulnerability Raises Alarm (techtarget.com)

• VMware Workspace One Flaw Actively Exploited in The Wild (techtarget.com)

• Adobe Patches Gaping Security Holes in Acrobat, Reader, Photoshop | SecurityWeek.Com

• Cisco Vulnerability Lets Hackers Craft Their Own Login Credentials (bleepingcomputer.com)

• Critical VMware Cloud Director Bug Could Let Hackers Takeover Entire Cloud Infrastructure (thehackernews.com)

• Several Vulnerabilities Allow Disabling of Palo Alto Networks Products | SecurityWeek.Com

• Cisco Patches Critical Vulnerability in Wireless LAN Controller | SecurityWeek.Com

• Critical Flaw in Elementor WordPress Plugin May Affect 500k Sites (bleepingcomputer.com)

• Critical Apache Struts RCE Vulnerability Wasn't Fully Fixed, Patch Now (bleepingcomputer.com)

• Attackers Are Exploiting VMware RCE to Deliver Malware (CVE-2022-22954) - Help Net Security

• These D-Link Routers Are Vulnerable To Remote Hacks And Should Be Retired Immediately | HotHardware

• Upgrades for Spring Framework Have Stalled (darkreading.com)

Sector Specific

CNI, OT, ICS, IIoT and SCADA

• CISA Alert on ICS, SCADA Devices Highlights Growing Enterprise IoT Security Risks (darkreading.com)

• Pipedream Malware: Feds Uncover 'Swiss Army Knife' for Industrial System Hacking | WIRED

• New Malware Tools Pose 'Clear and Present Threat' to ICS Environments (darkreading.com)

• US Warns of APT Hackers Targeting ICS/SCADA Systems with Specialized Malware (thehackernews.com)

• Flaws in ABB Network Interface Modules Expose Industrial Systems to DoS Attacks | SecurityWeek.Com

Energy & Utilities

• US Agencies Warn of Custom-Made Hacking Tools Targeting Energy Sector Systems - The Record by Recorded Future

Reports Published in the Last Week

• The 2021 State Of Enterprise Breaches | Forrester

• First Quarter 2022 Data Breach Analysis Report | Identity Theft Resource Centre
  

Other News

• Singapore To License Infosec Service Providers • The Register

• What Is the Cyber Kill Chain? A Model for Tracing Cyber Attacks | CSO Online

• Cyber Defense: Prioritized By Real-World Threat Data - Help Net Security

• How Can You Spot Fake News? And What Should We, As A Society, Do About Mass Disinformation? - Information Security Buzz

• The Cyber Criminal Isn’t Necessarily Who You Think… | Mind Matters

• Consumer Trust Is in The Doldrums: Indifference Towards Data Exposure Is Widespread - Help Net Security

• How Cryptocurrency Gave Birth to the Ransomware Epidemic (vice.com)

• Dark Data Is a Pain Point For Many Security Leaders - Help Net Security

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Executive Summary

As part of Microsoft’s Patch Tuesday, several high and critical vulnerabilities have been patched, of which at least four critical vulnerabilities affect all supported versions of Windows (Clients and Servers). These include ‘wormable’ vulnerabilities, meaning that the vulnerability can be exploited by a malicious program which can replicate itself across a network.

Security updates have also been released for other Microsoft products including Edge, Office and Active Directory Domain Services.

What’s the risk to me or my business?

Security updates are available for all supported versions of Windows, including Windows 7 to Windows 11, and Windows Server 2008 R2 to Windows Server 2022. As some of these updates address vulnerabilities that are known to be actively exploited, the updates should be applied as soon as possible.

What can I do?

Apply the available updates from Microsoft as soon as possible, while taking into consideration any potential downtime that these updates may cause.

Technical Summary

CVE-2022-24491 and CVE-2022-24497 relate to the previously mentioned ‘wormable’ vulnerability, which have CVSS scores of 9.8. They are Remote Code Execution vulnerabilities within the Windows Network File System (NFS). Further details on the individual updates and each affected Windows version can be found here: Microsoft Windows Security Updates April 2022 overview - gHacks Tech News

Need help understanding your gaps, or just want some advice? Get in touch with us.

Executive Summary

Adobe has released several security updates deemed as ‘critical’ across their product range to address various vulnerabilities. The affected applications include Adobe Acrobat and Reader which are used by most commercial organisations, along with Photoshop and other products within their range. Some of these vulnerabilities could give a malicious actor access to remote code execution.

What’s the risk to me or my business?

While Adobe has disclosed that they are not aware of these vulnerabilities being currently exploited, it is highly likely that they will a target by malicious actors since products such as Adobe Reader are used by a large percentage of organisations.

What can I do?

Apply the available updates from Adobe as soon as possible for the software products deployed across your organisation, while taking into consideration any potential downtime that these updates may cause.

Technical Summary

The vulnerabilities have been confirmed to affect both Windows and MacOS versions of various Adobe products, including Acrobat, Reader, Photoshop, After Effects, commerce, Magento Open Source, DC. Some of the effects of the vulnerabilities may be mitigated by good security practices, such as limiting end users local privileged access on end points. Further details on the individual vulnerabilities can be found here: Multiple Vulnerabilities in Adobe Products Could Allow for Arbitrary Code Execution (cisecurity.org)

 Need help understanding your gaps, or just want some advice? Get in touch with us.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

• Nearly Two-Thirds of Ransomware Victims Paid Ransoms Last Year, Finds "2022 Cyberthreat Defense Report"

CyberEdge Group, a leading research and marketing firm serving the cyber security industry’s top vendors, announced the launch of its ninth annual Cyberthreat Defense Report (CDR). The award-winning CDR is the standard for assessing organisations’ security posture, gauging perceptions of information technology (IT) security professionals, and ascertaining current and planned investments in IT security infrastructure – across all industries and geographic regions.

A record 71% of organisations were impacted by successful ransomware attacks last year, according to the 2022 CDR, up from 55% in 2017. Of those that were victimised, nearly two-thirds (63%) paid the requested ransom, up from 39% in 2017.

https://www.darkreading.com/attacks-breaches/nearly-two-thirds-of-ransomware-victims-paid-ransoms-last-year-finds-2022-cyberthreat-defense-report-

• New Android Banking Malware Remotely Takes Control of Your Device

A new Android banking malware named Octo has appeared in the wild, featuring remote access capabilities that allow malicious operators to perform on-device fraud.

Octo is an evolved Android malware based on ExoCompact, a malware variant based on the Exo trojan that quit the cyber crime space and had its source code leaked in 2018.

The new variant has been discovered by researchers at ThreatFabric, who observed several users looking to purchase it on darknet forums.

https://www.bleepingcomputer.com/news/security/new-android-banking-malware-remotely-takes-control-of-your-device/

• Network Intrusion Detections Skyrocketing

A WatchGuard report shows a record number of evasive network malware detections with advanced threats increasing by 33%, indicating a higher level of zero day threats than ever before.

Researchers detected malware threats in EMEA at a much higher rate than other regions of the world in Q4 2021, with malware detections per Firebox at 49%, compared to Americas at 23% and APAC at 29%. The trajectory of network intrusion detections also continued its upward climb with the largest total detections of any quarter in the last three years and a 39% increase quarter over quarter.

Researchers suggest that this may be due to the continued targeting of old vulnerabilities as well as the growth in organisations’ networks. As new devices come online and old vulnerabilities remain unpatched, network security is becoming more complex.

https://www.helpnetsecurity.com/2022/04/08/network-malware-detections/

• Organisations Underestimating the Seriousness of Insider Threats

Imperva releases data that shows organisations are failing to address the issue of insider threats during a time when the risk is at its greatest.

New research, conducted by Forrester, found that 59% of incidents in EMEA organisations that negatively impacted sensitive data in the last 12 months were caused by insider threats, and yet 59% do not prioritise insider threats the way they prioritise external threats. Despite the fact that insider events occur more often than external ones, they receive lower levels of investment.

This approach is at odds with today’s threat landscape where the risk of malicious insiders has never been higher. The rapid shift to remote working means many employees are now outside the typical security controls that organisations employ, making it harder to detect and prevent insider threats.

Further, the Great Resignation is creating an environment where there is a higher risk of employees stealing data. This data could be stolen intentionally by people looking to help themselves in future employment, because they are disgruntled and want revenge, or it could be taken unintentionally when a careless employee leaves the business with important information.

https://www.helpnetsecurity.com/2022/04/08/organizations-insider-threats-issue/

• Watch Out for Phishing Emails from Genuine Mailing Lists, Following Mailchimp Hack

A Mailchimp hack means that you’ll want to be even more vigilant than usual about phishing emails. Attackers have taken a clever approach to making their emails appear genuine …

When you subscribe to an email list, there’s a decent chance that the emails you received are actually sent by a company called Mailchimp, rather than directly by the company itself. Mailchimp offers companies a range of tools that make it easy to manage email databases, and send marketing emails and newsletters.

Hackers managed to gain access to more than 100 Mailchimp customer accounts, giving them the ability to send emails that would appear to have come from any one of those businesses.

Users will need to be more vigilant when receiving emails and avoid clicking on links in emails, even if they appear genuine.

https://9to5mac.com/2022/04/05/mailchimp-hack-phishing-alert/

• SpringShell Attacks Target About One in Six Vulnerable Orgs

Roughly one out of six organisations worldwide that are impacted by the Spring4Shell zero-day vulnerability have already been targeted by threat actors, according to statistics from one cyber security company.

The exploitation attempts took place in the first four days since the disclosure of the severe remote code execution (RCE) flaw, tracked as CVE-2022-22965, and the associated exploit code.

According to Check Point, who compiled the report based on their telemetry data, 37,000 Spring4Shell attacks were detected over the past weekend alone.

https://www.bleepingcomputer.com/news/security/springshell-attacks-target-about-one-in-six-vulnerable-orgs/

• New Threat Group Underscores Mounting Concerns Over Russian Cyber Threats

Crowdstrike says Ember Bear is likely responsible for the wiper attack against Ukrainian networks and that future Russian cyber attacks might target the West.

As fears mount over the prospects of a “cyberwar” initiated by the Russian government, the number of identified Russian threat actors also continues to climb. Last week CrowdStrike publicly revealed a Russia-nexus state-sponsored actor that it tracks as Ember Bear.

CrowdStrike says that Ember Bear (also known as UAC-0056, Lorec53, Lorec Bear, Bleeding Bear, Saint Bear) is likely an intelligence-gathering adversary group that has operated against government and military organisations in eastern Europe since early 2021. The group seems “motivated to weaponize the access and data obtained during their intrusions to support information operations (IO) aimed at creating public mistrust in targeted institutions and degrading government ability to counter Russian cyber operations,” according to CrowdStrike intelligence.

Despite its state-sponsored Russia nexus, Ember Bear differs from its better-known kin such as Fancy Bear or Voodoo Bear because CrowdStrike can’t tie it to a specific Russian organisation. Its target profile, assessed intent, and technical tactics, techniques, and procedures (TTPs) are consistent with other Russian GRU cyber operations.

https://www.csoonline.com/article/3655976/new-threat-group-underscores-mounting-concerns-over-russian-cyber-threats.html

• Consumer Fraud Tripled in The Last Two Years

Reported cases of consumer fraud more than tripled in the years 2020-2021 from prior years, finds a new report by Accenture, presenting a growing challenge for public safety agencies to find new strategies to counter the trend.

The report compiled data from eight developed nations (Australia, Canada, France, Germany, Italy, Singapore, the United Kingdom, and the United States) on consumer fraud, defined as any fraud directly targeting citizens and excluding fraud targeting government agencies and companies. Reports of such fraud increased at an estimated 6.8% rate annually during 2013-2019 and then increased to a 22.5% annual growth rate yearly during 2020-2021 in parallel with the large shift of workers and consumers to digital channels and greater use of technology during the pandemic.

https://www.helpnetsecurity.com/2022/04/08/consumer-fraud-tripled/

• Borat RAT: Multiple Threat of Ransomware, DDoS and Spyware

A new remote access trojan (RAT) dubbed "Borat" doesn't come with many laughs but offers bad actors a menu of cyberthreats to choose from.

RATs are typically used by cyber criminals to get full control of a victim's system, enabling them to access files and network resources and manipulate the mouse and keyboard. Borat does all this and also delivers features to enable hackers to run ransomware, distributed denial of service attacks (DDoS) and other online assaults and to install spyware, according to researchers at cyber security biz Cyble.

"The Borat RAT provides a dashboard to Threat Actors (TAs) to perform RAT activities and also has an option to compile the malware binary for performing DDoS and ransomware attacks on the victim's machine," the researchers wrote in a blog post, noting the malware is being made available for sale to hackers.

Borat – named after the character made famous by actor Sacha Baron Cohen in two comedy films – comes with the standard requisite of RAT features in a package that includes such functions as builder binary, server certificate and supporting modules.

https://www.theregister.com/2022/04/04/borat-rat-ransomware-ddos/

• Bank Had No Firewall License, Intrusion or Phishing Protection – Guess the Rest

An Indian bank that did not have a valid firewall license, had not employed phishing protection, lacked an intrusion detection system and eschewed use of any intrusion prevention system has, shockingly, been compromised by criminals who made off with millions of rupees.

The unfortunate institution is called the Andra Pradesh Mahesh Co-Operative Urban Bank. Its 45 branches and just under $400 million of deposits make it one of India's smaller banks.

It certainly thinks small about security – at least according to Hyderabad City Police, which last week detailed an attack on the Bank that started with over 200 phishing emails being sent across three days in November 2021. At least one of those mails succeeded in fooling staff, resulting in the installation of a Remote Access Trojan (RAT).

Another technology the bank had chosen not to adopt was virtual LANs, so once the RAT went to work the attackers gained entry to the Bank's systems and were able to roam widely – even in its core banking application

https://www.theregister.com/2022/04/05/mahesh_bank_no_firewall_attack/

• Global APT Groups Use Ukraine War for Phishing Lures

Security researchers have detected multiple APT campaigns leveraging Ukraine war-themed documents and news sources to lure victims into clicking on spear-phishing links.

Check Point Research said victim locations ranged from South America to the Middle East, with malware downloads designed to perform keylogging and screenshotting and execute commands.

The threat groups in question include El Machete, which is targeting the financial and government sectors in Nicaragua and Venezuela with malicious macro-laden Word documents containing articles on the war.

One of the docs was an article written by the Russian ambassador to Nicaragua titled: “Dark plans of the neo-Nazi regime in Ukraine.”

Another is Lyceum, an Iranian state-linked group targeting the energy sector with emails about war crimes in Ukraine that link to a malicious document hosted elsewhere. Its victims so far have been in Israel and Saudi Arabia, according to Check Point.

One email contained a link to an article from The Guardian hosted on the news-spot[.]live domain, alongside several malicious docs about the war.

https://www.infosecurity-magazine.com/news/global-apt-ukraine-war-phishing/

• Paying Ransom Doesn’t Guarantee Data Recovery

OwnBackup announced the findings of a global survey conducted by Enterprise Strategy Group (ESG) that reveals a staggering 79% of respondent organisations have been targeted by ransomware within the past 12 months. Of those organisations, nearly three quarters said the attack was successful, meaning that it disrupted business operations.

Other key findings

·       Of the respondents that said their organisation paid a cyber ransom to regain access to data, applications, and/or systems after an attack, only 14% were able to recover all of their data.

·       87% of respondents who made ransom payments said that they experienced additional extortion attempts beyond the initial ransomware demand.

·       31% of respondent organisations targeted by ransomware indicated that application user and permission misconfigurations were the initial point of compromise.

·       87% of respondents are very or somewhat concerned about their backups being infected by ransomware attacks.

https://www.helpnetsecurity.com/2022/04/07/organizations-targeted-by-ransomware/

Threats

Ransomware

• March Ransomware Attacks Strike Finance, Government Targets (techtarget.com)

• Why Paying The Ransom Isn’t The Answer For Ransomware Victims - Information Security Buzz

• Companies Are More Prepared to Pay Ransoms Than Ever Before (tripwire.com)

• Conti Ransomware Deployed in IcedID Banking Trojan Attack (techtarget.com)

• Researchers Connect BlackCat Ransomware with Past BlackMatter Malware Activity (thehackernews.com)

• Notorious Hacking Group FIN7 Adds Ransomware to Its Repertoire - CyberScoop

• BlackCat Purveyor Shows Ransomware Operators Have 9 Lives (darkreading.com)

• FIN7 Hackers Evolve Toolset, Work with Multiple Ransomware Gangs (bleepingcomputer.com)

• LockBit Ransomware Attack Costs CRM Services Provider Over $42 Million - MSSP Alert

• Snap-on Discloses Data Breach Claimed by Conti Ransomware Gang (bleepingcomputer.com)

Phishing & Email Based Attacks

• Phishing Hook: Are you on the line? Cyber Security Experts Explain How the Criminals Lure You In. (winknews.com)

Other Social Engineering

• Hackers Employ Voicemail Phishing Attacks On WhatsApp Users | TechRepublic

Malware

• Borat RAT Malware: A 'Unique' Triple Threat That Is Far from Funny | ZDNet

• Multiple Hacker Groups Capitalizing on Ukraine Conflict for Distributing Malware (thehackernews.com)

• Experts Shed Light on BlackGuard Infostealer Malware Sold on Russian Hacking Forums (thehackernews.com)

• Malicious Web Redirect Service Infects 16,500 Sites to Push Malware (bleepingcomputer.com)

• Researchers Uncover How Colibri Malware Stays Persistent on Hacked Systems (thehackernews.com)

Mobile

• 44 Vulnerabilities Patched in Android With April 2022 Security Updates | SecurityWeek.Com

• Fake Versions of Real Smartphone Apps Are Being Used To Spread Malware. Here's How to Stay Safe | ZDNet

• Samsung Security Flaw Left Phones Exposed for Years (androidpolice.com)

• Six 'Antivirus' Apps Were Caught Spreading Malware That Steals Banking Info — Here Are the Culprits | Laptop Mag

• SharkBot Android Malware Continues Popping Up on Google Play | SecurityWeek.Com

• Android Apps With 45 Million Installs Used Data Harvesting SDK (bleepingcomputer.com)

• New Android Spyware Uses Turla-Linked Infrastructure | SecurityWeek.Com

Organised Crime & Criminal Actors

• Cyber Criminals Taking Advantage of The Ukraine Crisis To Create Charity Donation Scams - Help Net Security

Cryptocurrency/Cryptomining/Cryptojacking

• Crypto 2022: Hackers Have Nabbed $1.22 Billion Already (yahoo.com)

• Malicious Crypto Miners Can Make A Profit In A Few Hours - Help Net Security

• Malicious Actors Targeting the Cloud For Cryptocurrency-Mining Activities - Help Net Security

• Cryptocurrency-Mining AWS Lambda-Specific Malware Spotted • The Register

• MailChimp Breached, Intruders Conducted Phishing Attacks Against Crypto Customers - Security Affairs

• Turkey Seeks 40,000-Year Sentences for Alleged Cryptocurrency Exit Scammers | ZDNet

Insider Risk and Insider Threats

• New Insider Threat: Bad Business Decisions That Put IP At Risk | CSO Online

Fraud, Scams & Financial Crime

• Traditional Identity Fraud Losses Soar, Totalling $52 Billion in 2021 - Help Net Security

• Online Fraud Up 233% - Infosecurity Magazine

• Internal Auditors Stepping Up to Become Strategic Advisors In The Fight Against Fraud - Help Net Security

• South African and US Officers Swoop on Fraud Gang - Infosecurity Magazine

Insurance

• 18% Of the Top 99 Insurance Carriers Have A High Susceptibility To Ransomware - Help Net Security

Supply Chain

• The Blurring Line, and Growing Risk, Between Physical and Digital Supply Chains (darkreading.com)

Cloud

• The Importance of Understanding Cloud Native Security Risks - Help Net Security

• 15 Cyber Security Measures for the Cloud Era - Security Affairs

Privacy

• How You’re Still Being Tracked on the Internet - The New York Times (nytimes.com)

• Using Google's Chrome Browser? This New Feature Will Help You Fix Your Security Settings | ZDNet

Passwords & Credential Stuffing

• Attack on Ukraine Telecoms Provider Caused by Compromised Employee Credentials - Infosecurity Magazine (infosecurity-magazine.com)

• FIN7 Hackers Leveraging Password Reuse and Software Supply Chain Attacks (thehackernews.com)

Travel

• Hotels In Hackers’ Sights as Technology Replaces Personal Touch | Financial Times (ft.com)

Spyware, Espionage & Cyber Warfare, including Russian Invasion of Ukraine

• Hackers Use Conti's Leaked Ransomware to Attack Russian Companies (bleepingcomputer.com)

• Hacking Group Claim It Has Leaked More Than 900,000 Emails from Russian State Media | The Independent

• What Is the Risk Of Retaliation For Taking A Corporate Stance on Russia? | CSO Online

• Anonymous and the IT ARMY of Ukraine Continue to Target Russian Entities - Security Affairs

Nation State Actors

Nation State Actors – Russia

• The Russian Cyber Attack Threat Might Force a New IT Stance | Computerworld

• FBI Operation Aims to Take Down Massive Russian GRU Botnet | TechCrunch

• Microsoft Sinkholes Russian Hacking Group's Domains Targeting Ukraine (darkreading.com)

• FBI Disrupts Russian Military Hackers, Preventing Botnet Amid Ukraine War | Fox News

• Russia (still) Trying To Weaponize Facebook Amid Ukraine War • The Register

Nation State Actors – China

• Symantec: Chinese APT Group Targeting Global MSPs | SecurityWeek.Com

• Chinese Hackers Are Using VLC Media Player to Launch Malware Attacks (androidpolice.com)

• Hacked: Inside the US-China Cyberwar | Cybersecurity | Al Jazeera

• China Uses AI Software to Improve Its Surveillance Capabilities | Reuters

Nation State Actors – Misc

• Israeli Officials Are Being Catfished by APT-C-23 Hackers | ZDNet

Vulnerabilities

• CISA Warns of Active Exploitation of Critical Spring4Shell Vulnerability (thehackernews.com)

• Palo Alto Networks firewalls, VPNs vulnerable to OpenSSL bug (bleepingcomputer.com)

• A Vulnerability in Zyxel Firewall Could Allow for Authentication Bypass (cisecurity.org)

• Citrix Releases Security Updates for Hypervisor | CISA

• Spring4Shell Patching Is Going Slow but Risk Not Comparable To Log4Shell | CSO Online

• VMware Releases Critical Patches for New Vulnerabilities Affecting Multiple Products (thehackernews.com)

• Apple Leaves Big Sur, Catalina Exposed to Critical Flaws: Intego | SecurityWeek.Com

• A Mirai-Based Botnet Is Exploiting the Spring4Shell Vulnerability - Security Affairs

• Steady Rise in Severe Web Vulnerabilities - Help Net Security

• ACF WordPress Plugin Vulnerability Affects Up To +2 Million Sites (searchenginejournal.com)

• Zero Days Are for Life, Not Just For Christmas. Here’s How to Deal With Them • The Register

Sector Specific

Financial Services Sector

• March Ransomware Attacks Strike Finance, Government Targets (techtarget.com)

FinTech

• Server-Side-Request-Forgery Enabled Administrative Account Takeover on FinTech Platform - IT Security Guru

Health/Medical/Pharma Sector

• 49% of Small Medical Practices Lack a Cyber Attack Response Plan - Help Net Security

Manufacturing

• A Cyber Attack Forced The Wind Turbine Manufacturer Nordex Group To Shut Down Some of IT Systems - Security Affairs

CNI, OT, ICS, IIoT and SCADA

• Europe Warned About Cyber Threat to Industrial Infrastructure | SecurityWeek.Com

• BlackCat Ransomware Targets Industrial Companies | SecurityWeek.Com

Energy & Utilities

• Spanish Energy Giant Hit by Data Breach - IT Security Guru

Reports Published in the Last Week

• Cyberthreat Defense Report 2021 - CyberEdge Group (cyber-edge.com)

Other News

• Okta CEO Says Lapsus$ Hack is 'Big Deal,' Aims to Restore Trust (yahoo.com)

• 86% of Developers Don't Prioritise Application Security - Help Net Security

• Digital Transformation Requires Security Intelligence - Help Net Security

• Government Officials: AI Threat Detection Still Needs Humans (techtarget.com)

• The Original APT: Advanced Persistent Teenagers – Krebs on Security

• Scan This: There's Danger in QR Codes (darkreading.com)

• How Many Steps Does It Take for Attackers To Compromise Critical Assets? - Help Net Security

• Cyber Talent Shortage Remains A Top Problem For Sec Pros – CEO Perspective - Information Security Buzz

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Executive Summary

VMware is a large supplier of virtualisation products which are used to run a variety of different services. They announced on 06/04/2022 that updates have been released for multiple products in their range to address different vulnerabilities. Some of these vulnerabilities have been marked as “critical”, including Spring4Shell due to the ability for a malicious actor to remotely execute code.

What’s the risk to me or my business?

As VMware are one of the primary suppliers of virtual infrastructure, it is highly likely that some business services will be hosted on machines running VMware software. There are a range of different critical and medium vulnerabilities being patched with these updates, including Spring4Shell, which CISA are now stating is being actively exploited.

What can I do?

As patches have been released, it is important that these are applied as soon as possible, particularly as some of the vulnerabilities are now being actively exploited.

Discuss with you Managed Service Provider (MSP) whether any of your devices or services are impacted, and when they can expect to be patched. While VMware has supplied workaround to help mitigate the issue if it cannot be immediately patched, it is strongly noted that the work arounds do not remove the vulnerabilities and may introduce additional unforeseen issues.

Technical Summary

The following VMware products have been listed as being affected by the following CVEs:

• VMware Workspace ONE Access (Access) | CVE-2022-22954, CVE-2022-22955, CVE-2022-22956, CVE-2022-22957, CVE-2022-22958, CVE-2022-22959, CVE-2022-22960, CVE-2022-22961

• VMware Identity Manager (vIDM) | CVE-2022-22954, CVE-2022-22957, CVE-2022-22958, CVE-2022-22959, CVE-2022-22960, CVE-2022-22961

• VMware vRealize Automation (vRA) | CVE-2022-22957, CVE-2022-22958, CVE-2022-22959, CVE-2022-22960, CVE-2022-22961

The following VMware products deploy the above affected components:

• VMware Cloud Foundation

• vRealize Suite Lifecycle Manager

CVE-2022-22954: Critical severity range with maximum CVSSv3 base score of 9.8, malicious actor with network access can trigger server-side template injection that could result in remote code execution.

CVE-2022-22955 & CVE-2022-22956: Critical severity range with maximum CVSSv3 base score of 9.8, malicious actor may bypass authentication mechanism and execute any operation due to exposed endpoints in the authentication framework.

CVE-2022-22957 & CVE-2022-22958: Critical severity range with maximum CVSSv3 base score of 9.1, malicious actor with administrator access can trigger deserialization of untrusted data through malicious Java Database Connectivity (JDBC) Uniform Resource Identifier (UDI), which can result in remote code execution.

CVE-2022-22959, CVE-2022-22960 & CVE-2022-22961: These vulnerabilities range from Important with maximum CVSSv3 base score of 8.8 to moderate with maximum CVSSv3 base score of 5.3.

Further technical information including a response patch matrix and workarounds can be found here: VMSA-2022-0011 (vmware.com), HW-154129 - Workaround instructions to address CVE-2022-22954, CVE-2022-22955, CVE-2022-22956, CVE-2022-22957, CVE-2022-22958, CVE-2022-22959, CVE-2022-22960 in Workspace ONE Access Appliance (VMware Identity Manager) (88098)

Need help understanding your gaps, or just want some advice? Get in touch with us.

Update 05/04/2022: CISA have now confirmed that there is Active Exploitation of Critical Spring4Shell Vulnerability. It is recommended that patches are applied as soon as possible.

Executive Summary

Spring Core is a popular framework used for creating Java-based enterprise applications. Spring4Shell is a critical zero-day bug within this framework, that allows attackers to remotely execute code on affecting systems running certain, non-default configurations. Due to the popularity, Spring Core may be found within many java-based enterprise applications, and Java, is an almost ubiquitous software that’s found in billions of devices across the globe, from the enterprise to the home. The bug has been deemed “Critical”, primarily due to the remote root or administrator capabilities of an attacker if exploited.

This bug is currently receiving a large quantity of media attention. While we do not believe that this issue is of major concern at this time, it is something that is important to be aware of. We will continue to monitor and upgrade our advisory if we deem appropriate.

What’s the risk to me or my business?

While the use of the Spring Core framework is very popular, this exploit appears to be only exploitable in certain configurations. The bug is not noted to be widely exploited at this time, however attackers will leverage anything they can when compromising a network, and it may only be a matter of time now the bug has been made public. The risk will primarily come from a failure to patch the flaw, which may be easy to overlook.

What can I do?

A patch has been released for the Spring Framework. The bug affects versions 5.3.0 to 5.3.17, 5.2.0-5.2.19 and all other older versions. This bug will be present in any java application made using the Spring Framework.

Discuss with you Managed Service Provider (MSP) whether any of your devices or services are impacted, and when they can expect to be patched. Equally, keeping devices at home or elsewhere up to date is an important step to mitigation, both for your professional and private life.

It is advised that network administrators patch as soon as possible.

We are continuing to monitor this and will provide updates when more information is available.

Technical Summary

The bug, tracked as CVE-2022-22965, was first reported to VMware late Tuesday evening, 29/03/2022. Investigation and analysis into the issue was being conducted with the aim for an emergency release on Thursday, 31/03/2022 however details were leaked in full online prior to this. The vendor has detailed that if the application was deployed using the default configuration, then it should not be exploitable, however due to the nature of the vulnerability there may be more unknown ways to exploit it. Further technical details will be supplied when more details are released.

Need help understanding your gaps, or just want some advice? Get in touch with us.

Executive Summary

A critical flaw has been discovered in Sophos Firewall, allowing for remote code execution within the User Portal and Webadmin areas of the product. The bug impacts Sophos Firewall Network Access Control (NAC) systems, running versions v18.5 MR3 [18.5.3] and lower. The bug, achieving a 9.8 on the Common Vulnerability Scoring System (CVSS), allows attackers to remotely execute code on the device.

What’s the risk to my business?

Due to the severity of the bug, and the ability for attackers to gain remote code execution on a critical perimeter defence, the risk to businesses operating Sophos Firewalls is high, however if the device is configured using device access best practices as recommended by Sophos, then the bug is mitigated.

What can I do?

The bug has been reported, and a patch has been issued. Businesses operating these devices are urged to implement as soon as possible. Note: If “Allow automatic installation of hotfixes” feature is enabled, then the hotfixes should have already been installed.

Additional mitigations of ensuring that the User Portal and Webadmin portal are not exposed to the Wide Area Network (WAN) should be applied if not already in place following device access best practices issued by Sophos.

Technical Summary

Sophos have issued a patch for bug CVE-2022-1040, which was disclosed on 25/03/2022. Older, unsupported versions will require an upgrade in order to apply this fix. Follow Sophos Firewall: Verify if the hotfix for CVE-2022-1040 is applied to confirm that the hotfix has been applied. No further technical details on the bug are available at this time.

Need help understanding your gaps, or just want some advice? Get in touch with us.

Executive Summary

A critical flaw has been discovered within Zyxel Firewall products, allowing for a malicious user to bypass the Authentication requirement on the device, enabling unauthorised privileged access. The bug impacts several Zyxel Firewall Network Access Control (NAC) systems as detailed within the technical summary. The bug, achieves a 9.8 on the Common Vulnerability Scoring System (CVSS).

What’s the risk to my business?

Due to the severity of the bug, and the ability for attackers to gain unauthorised privileged access to critical perimeter defence, the risk to businesses operating affected Zyxel Firewalls is high.

What can I do?

The bug has been reported, and a patch has been issued. Businesses operating these devices are urged to implement as soon as possible.

Technical Summary

Zyxel have issued a patch for bug CVE-2022-0342, which was disclosed on 03/28/2022. Zyxel’s investigation has only been focused on devices within their warranty and support period. The following Zyxel products are confirmed to be affected, with the appropriate patches listed:

·         USG/ZyWALL, running version ZLD V4.20 to ZLD V4.70 | Fixed in Patch ZLD V4.71

·         USG FLEX, running version ZLD V4.50 to ZLD V5.20 | Fixed in Patch ZLD V5.21 Patch 1

·         ATP, running version ZLD V4.32 to ZLD V5.20 | Fixed in Patch ZLD V5.21 Patch 1

·         VPN, running version ZLD V4.30 to ZLD V5.20 | Fixed in Patch ZLD V5.21

·         NSG, running version V1.20 to V1.33 Patch 4 | Fixed in Hotfix V1.33p4_WK11, available from vendor. Fix will be included in standard patch V1.33 Patch 5 when released in May 2022.

Need help understanding your gaps, or just want some advice? Get in touch with us.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

• One Tenth of UK Staff Bypass Corporate Security

A new study from Cisco has found that a tenth of UK employees actively circumvent their organisation’s security measures.

The network technology company polled over 1000 UK professionals working for organisations that allow hybrid working, in order to better understand the potential security risks of the modern, flexible workplace.

The research has revealed that many hybrid workers do not see cyber security as their responsibility, with many actively finding workarounds or engaging in risky behaviours such as password reuse.

19% of employees said they reuse passwords for multiple accounts and applications, with only 15% using password managers.

The problem seems to stem from user friction in existing security measures. Only 44% of survey participants said they found it easy to securely access their IT equipment.

A majority said they would be willing to use biometric authentication, a reflection of how enterprise security is still catching up to consumer functionality.

https://www.itsecurityguru.org/2022/03/28/one-tenth-of-uk-staff-bypass-corporate-security/

• Majority Of Data Security Incidents Caused by Insiders

New research from Imperva has revealed that 70% of EMEA organisations have no insider risk strategy, despite 59% of data security incidents being caused by employees.

The shocking revelation comes as part of a wider study carried out by Forrester: Insider Threats Drive Data Protection Improvements. The study involved interviewing 150 security and IT professionals in EMEA.

An insider threat is defined by Imperva as originating from “inappropriate use of legitimate authorised user accounts” by either their rightful owner or a threat actor who has managed to compromise them.

The study found that insider threats were responsible for 59% of incidents impacting sensitive data in the past 12 months. This supports a previous Imperva analysis of the most significant breaches of the past five years, revealing that 24% were caused by either human error or compromised credentials.

https://www.itsecurityguru.org/2022/04/01/majority-of-data-security-incidents-caused-by-insiders/

• One-Third of UK Firms Suffer a Cyber Attack Every Week

Cyber attacks and related incidents at UK organisations continue their seemingly unstoppable upward trajectory, with new statistics from the Department for Digital, Culture, Media and Sport (DCMS) revealing that 31% of businesses and 26% of charity organisations now experience incidents on a weekly basis.

The data, contained in the annual cyber security breaches survey report, paints a stark picture of the scale of the threat facing the average organisation, and the urgent need to boost standards and defences.

It is vital that every organisation takes cyber security seriously as more and more business is done online and we live in a time of increasing cyber risk.  No matter how big or small your organisation is, you need to take steps to improve digital resilience.

Some 20% of businesses and 19% of charities said they had experienced a negative outcome as a direct consequence of an attack. The average cost of an attack, spread out across all organisations, now works out at £4,200, or £19,400 if only medium and large businesses are considered, although there is probably a vast amount of under-reporting, so the true figures are certainly higher.

Meanwhile, 35% of businesses and 38% of charities said they had experienced some kind of negative impact during the incident, such as service downtime.

https://www.computerweekly.com/news/252515288/One-third-of-UK-firms-suffer-a-cyber-attack-every-week

• Russia's Cyber Criminals Fear Sanctions Will Erase Their Wealth

Punitive economic sanctions over Russia's invasion of Ukraine had crooks discussing the best ways to adapt to the new reality.

Members of Russian-language underground forums are not immune to the latest news. Russia's invasion of Ukraine and subsequent economic sanctions against Moscow got forum users to discuss how to live in this new world they find themselves in.

According to a report by the Digital Shadows Photon team, dark web forums are teeming with questions on how to ensure the safety of funds held in Russia-based accounts.

One user sought advice on what to do with dollars held in a Russian bank, with others suggesting converting dollars to rubles for a few months.

"I hope you were joking about [holding the funds in rubles for] half a year? After half a year, your rubles will only be good for lighting a fire, they will not be good for anything else," a forum user responded.

https://cybernews.com/news/russias-cybercriminals-fear-sanctions-will-erase-their-wealth/

• 86% Of Organisations Believe They Have Suffered a Nation-State Cyber Attack

A new study by Trellix and the Center for Strategic and International Studies (CSIS) has revealed that 86% of organisations believe they have fallen victim to a nation-state cyber attack.

The research surveyed 800 IT decision-makers in Australia, France, Germany, India, Japan, the UK and US.

It has also been revealed that 92% of respondents have faced, or suspect they have faced, a nation-state backed cyber attack in the past 18 months, or anticipate one in the future.

Russia and China were identified as the most likely suspects behind said attacks. 39% of organisations that believe they have been hit with a nation-state cyber attack believe Russia were the perpetrators.

https://www.itsecurityguru.org/2022/03/29/86-of-organisations-believe-they-have-suffered-a-nation-state-cyberattack/

• Multiple Hacking Groups Are Using the War in Ukraine as A Lure in Phishing Attempts

Hostile hacking groups are exploiting Russia's invasion of Ukraine to carry out cyber attacks designed to steal login credentials, sensitive information, money and more from victims around the world.

According to cyber security researchers at Google's Threat Analysis Group (TAG), government-backed hackers from Russia, China, Iran and North Korea, as well as various unattributed groups and cyber criminal gangs, are using various themes related to the war in Ukraine to lure people into becoming victims of cyber attacks.

In just the last two weeks alone, Google has seen several hacking groups looking to take advantage of the war to fulfil their malicious aims, whether that's stealing information, stealing money, or something else.

https://www.zdnet.com/article/google-multiple-hacking-groups-are-using-the-war-in-ukraine-as-a-lure-in-phishing-attempts/

• 4 Ways Attackers Target Humans to Gain Network Access

Since the day we started receiving email, we hope that our antivirus or endpoint protection software alerts us to problems. In reality, it often does not. When technology fails, it’s likely because the attacker made an end run around it by targeting humans. Here are four ways they do it:

1. The targeted human attack

2. Fraudulent wire transfer email

3. Tricking users into handing over credentials

4. Bypassing multi-factor authentication

https://www.csoonline.com/article/3654850/4-ways-attackers-target-humans-to-gain-network-access.html#tk.rss_news

• Security Incidents Reported to FCA Surge 52% in 2021

The number of cyber security incidents reported to the UK’s financial regulator surged by over 50% last year after a significant increase in cyber-attacks, according to new figures from Picus Security.

The security vendor submitted Freedom of Information (FoI) requests to the Financial Conduct Authority (FCA) to compile its latest report, Cyber Security Incidents in the UK Financial Sector.

The 52% year-on-year increase in “material” security incidents reported to the FCA seems to have been driven by cyber-attacks, which comprised nearly two-thirds (65%) of these reports.

Picus Security claimed that the rest are likely explained by “system and process failures and employee errors.”

In addition, a third of incident reports were about corporate or personal data breaches, and a fifth involved ransomware.

Picus Security explained that to qualify as a material incident, there needs to have been a significant loss of data, operational IT outages, unauthorized IT access, and/or an impact on a large number of customers.

https://www.infosecurity-magazine.com/news/security-incidents-reported-fca/

• NCSC Suggests Rethinking Russian Supply Chain Risks

The National Cyber Security Centre (NCSC) of the UK has urged organisations to reconsider the risks associated with “Russian-controlled” parts of their supply chains.

Ian Levy, technical director of the NCSC argued that “Russian law already contains legal obligations on companies to assist the Russian Federal Security Service (FSB), and the pressure to do so may increase in a time of war. We also have hacktivists on each side, further complicating matters, so the overall risk has materially changed.”

Levy has suggested that while there is currently nothing to suggest that the Russian state intends to force commercial providers to sabotage UK interests, that doesn’t mean it will not happen in the future.

https://www.itsecurityguru.org/2022/03/30/ncsc-suggests-rethinking-russian-supply-chain-risks/

• 25% Of Workers Lost Their Jobs in The Past 12 Months After Making Cyber Security Mistakes: Report

For business leaders, there is never a good time for their employees to make mistakes on the job. This is especially true now for workers who have anything to do with the cyber security of their companies and organisations. Given the growing risks of cyber attacks across the world and the increased threats posed by Russia in the aftermath of their invasion of Ukraine, these are certainly perilous times.

Indeed, a new study released by email security company Tessian found that one in four employees (26%) lost their job in the last 12 months after making a mistake that compromised their company’s security.

According to the second edition of Tessian’s Psychology of Human Error report, people are falling for more advanced phishing scams—and the business stakes for mistakes are much higher.

The study also found that:

• Two-fifths (40%) of employees sent an email to the wrong person, with almost one-third (29%) saying their business lost a client or customer because of the error

• Over one-third (36%) of employees have made a mistake at work that compromised security and fewer are reporting their mistakes to IT.

https://www.forbes.com/sites/edwardsegal/2022/03/29/25-of-workers-lost-their-jobs-in-the-past-12-months-after-making-cybersecurity-mistakes-report/?sh=d47cdfa49b26

• Attackers Compromise 94% of Critical Assets Within Four Steps of Initial Breach

New research from XM Cyber analysing the methods, attack paths, and impacts of cyber attacks has discovered that attackers can compromise 94% of critical assets within just four steps of initial breach points. The hybrid cloud security company’s Attack Path Management Impact Report incorporates insights from nearly two million endpoints, files, folders, and cloud resources throughout 2021, highlighting key findings on attack trends and techniques impacting critical assets across on-prem, multi-cloud, and hybrid environments.

The findings showed that 75% of an organisation’s critical assets are open to compromise in their current security state, while 73% of the top attack techniques used last year involved mismanaged or stolen credentials. Just over a quarter (27%) of most common attack techniques exploited a vulnerability or misconfiguration.

https://www.csoonline.com/article/3655633/attackers-compromise-94-of-critical-assets-within-four-steps-of-initial-breach.html

• UK Spy Chief Warns Russia Looking for Cyber Targets

A UK intelligence chief warned that the Kremlin is hunting for cyber targets and bringing in mercenaries to shore up its stalled military campaign in Ukraine.

Jeremy Fleming, who heads the GCHQ electronic spy agency, praised Ukrainian President Volodymyr Zelenskyy’s “information operation” for being highly effective at countering Russia’s massive disinformation drive spreading propaganda about the war.

While there were expectations that Russia would launch a major cyber attack as part of its military campaign, Fleming said such a move was never a central part of Moscow’s standard playbook for war.

“That’s not to say that we haven’t seen cyber in this conflict. We have — and lots of it,” Fleming said in a speech in Canberra, Australia, according to a transcript released in London on Wednesday.

He said GCHQ’s National Cyber Security Centre has picked up signs of “sustained intent” by Russia to disrupt Ukrainian government and military systems.

“We’ve seen what looks like some spillover of activity affecting surrounding countries,” Fleming said. “And we’ve certainly seen indicators which suggest Russia’s cyber actors are looking for targets in the countries that oppose their actions.”

He provided no further details. He said the UK and other Western allies will continue to support Ukraine in beefing up its cyber security defences.

https://www.securityweek.com/uk-spy-chief-warns-russia-looking-cyber-targets

Threats

Ransomware

• Ransomware Payments Hitting New Records In 2021 - Help Net Security

• UK Ransomware Attacks Double In Past Year, Expert Insight - Information Security Buzz

• Ransomware, Endpoint Risks Are Top Concerns for DFIR Professionals | CSO Online

• Not Enough Businesses Have A Formal Ransomware Plan In Place - Help Net Security

• Ukraine, Conti, and the law of unintended consequences | CSO Online

• FBI Investigating More than 100 Ransomware Variants - Infosecurity Magazine

• Precursor Malware Is an Early Warning Sign for Ransomware (darkreading.com)

• Cyber Blackmail Gains Traction in Ransomware Hijackers' Tool Set - MSSP Alert

• Services Giant Admits $42m Fallout from Ransomware Attack - Infosecurity Magazine

• Hive Ransomware Uses New 'IPfuscation' Trick to Hide Payload (bleepingcomputer.com)

• Shutterfly, Hit By Conti Ransomware Group, Warns Staff Their Data Has Been Stolen • Graham Cluley

• FBI: Ransomware Attacks Are Piling Up The Pressure On Public Services | ZDNet

BEC – Business Email Compromise

• FBI Disrupts BEC Cyber Crime Gangs Targeting Victims Worldwide (bleepingcomputer.com)

Phishing & Email Based Attacks

• Calendly Actively Abused in Microsoft Credentials Phishing (bleepingcomputer.com)

• Phishing Attacks: Malicious URLs May Outpace Email Attachment Risks - MSSP Alert

• Hackers Hijack Email Reply Chains on Unpatched Exchange Servers to Spread Malware (thehackernews.com)

• Phishing uses Azure Static Web Pages to impersonate Microsoft (bleepingcomputer.com)

Other Social Engineering

• 5 Old Social Engineering Tricks Employees Still Fall For, And 4 New Gotchas | CSO Online

• Fraudsters Use 'Fake Emergency Data Requests' To Steal Info • The Register

Malware

• A Third of Malware Infections Used Log4Shell- IT Security Guru

Mobile

• Russian-Linked Android Malware Records Audio, Tracks Your Location (bleepingcomputer.com)

• Malware Disguised As Cryptocurrency Wallets Used To Steal From iOS and Android Users (androidpolice.com)

IoT

• Wyze Cam Flaw Lets Hackers Remotely Access Your Saved Videos (bleepingcomputer.com)

Organised Crime & Criminal Actors

• Sanctions Hitting Russian Cyber-Criminals Hard - Infosecurity Magazine

• Secret World of Pro-Russia Hacking Group Exposed in Leak - WSJ

• UK Police Charges Two Teenagers for Their Alleged Role in Lapsus$ Group - Security Affairs

• LAPSUS$ Hacks Globant. 70GB of Data Leaked from IT Firm (bitdefender.com)

• Man Linked to Multi-Million Dollar Ransomware Attacks Gets 66 Months In Prison For Online Fraud | ZDNet

Cryptocurrency/Cryptomining/Cryptojacking

• How CISOs can Mitigate Cryptomining Malware (trendmicro.com)

• Ronin Blockchain Hit With $620 Million Crypto Heist - IT Security Guru

Insider Risk and Insider Threats

• Yale Finance Director Stole $40m In Computers to Resell • The Register

• Making Security Mistakes May Come With A High Price For Employees - Help Net Security

Fraud, Scams & Financial Crime

• How To Avoid Investment Scams On Social Media, As 25% Of UK Victims Are Youths Online - Information Security Buzz

• Europol Dismantles Massive Call Centre Investment Scam Operation (bleepingcomputer.com)

• Scammers Turn Attention to Hard-Up Students • The Register

• Emily Maitlis Opens Up About Terrifying Bank Scam: ‘I Feel Sick’ | The Independent

Supply Chain

• A Large-Scale Supply Chain Attack Distributed Over 800 Malicious NPM Packages (thehackernews.com)

Denial of Service DoS/DDoS

• DDoS Attacks Becoming Larger And More Complex, Finance Most Targeted Sector - Help Net Security

• Number of DDoS Attacks in 2021 Reached 9.75 Million - Help Net Security

• Beastmode Botnet Boosts DDoS Power With New Router Exploits (bleepingcomputer.com)

Passwords & Credential Stuffing

• What Is Credential Stuffing? And How To Prevent It? Security Affairs

Spyware, Espionage & Cyber Warfare

Russian Invasion of Ukraine

• Anonymous Targets Oligarchs' Russian Businesses - Security Affairs

• With War Next Door, EU is Warned on Cyber Security Gaps | SecurityWeek.Com

• Ukraine Intelligence Leaks Names of 620 Alleged Russian FSB Agents - Security Affairs

• Russian Credential Thieves Target NATO, European Military • The Register

• Viasat Confirms Satellite Modems Were Wiped with AcidRain Malware (bleepingcomputer.com)

• Internet Provider to Ukrainian Military Hit With Major Cyber Attack - WSJ

• GhostWriter APT Targets State Entities of Ukraine with Cobalt Strike Beacon - Security Affairs

• Hacked WordPress Sites Force Visitors to DDoS Ukrainian Targets (bleepingcomputer.com)

• Russia Facing Internet Outages Due to Equipment Shortage (bleepingcomputer.com)

• Anonymous Is Working On A Huge Data Dump That Will Blow Russia Away - Security Affairs

• Phishing Campaign Targets Russian Govt Dissidents With Cobalt Strike (bleepingcomputer.com)

• Leaked Hacker Logs Show Weaknesses of Russia’s Cyber Proxy Ecosystem | CSO Online

• Russian Aviation Authority Switches to Paper After Losing 65TB of Data | CyberNews

• Anonymous Hacked Russian Thozis Corp, But Denies Attacks on Rosaviatsia - Security Affairs

• ZTE Whistleblower: Chinese Companies Will Sell to Russia • The Register

Nation State Actors

Nation State Actors – Russia

• UK Spy Boss Warns About Russia-China Tech Collaboration • The Register

• UK Cyber Security Centre Advises Review of Russian Tech • The Register

• You're Going To See Russian Activity Directed Against Government And Military Capabilities: Fmr. NSA director (cnbc.com)

• Russia Ranks Top For State-Linked Online Misinformation • The Register

• Google: Russian phishing attacks target NATO, European military (bleepingcomputer.com)

• Russian Spies Unmasked In Embarrassing Blow For Vladimir Putin (telegraph.co.uk)

Nation State Actors – China

• Chinese Hackers Deep Panda Return With Log4Shell Exploits, New Fire Chili Rootkit | ZDNet

• China APT Group Uses COVID-19, Russia in Phishing Scams • The Register

Vulnerabilities

• CISA Adds 66 Vulnerabilities to 'Must Patch' List | SecurityWeek.Com

• Apple Rushes Out Patches for Two 0-days Threatening iOS and macOS Users | Ars Technica

• Zero-day Attacks Doubled in 2021 - Infosecurity Magazine

• Chrome Browser Gets Major Security Update | SecurityWeek.Com

• Critical SonicOS Vulnerability Affects SonicWall Firewall Appliances (thehackernews.com)

• Log4JShell Used to Swarm VMware Servers with Miners, Backdoors | Threatpost

• Experts Warn Defenders: Don't Relax on Log4j | SecurityWeek.Com

• Google Chrome, Microsoft Edge Updated to Close Security Hole • The Register

• RCE Bug in Spring Cloud Could Be the Next Log4Shell, Researchers Warn | Threatpost

• Spring4Shell: No need To Panic, But Mitigations Are Advised - Help Net Security

• Sophos Firewall Affected by A Critical Authentication Bypass Flaw - Security Affairs

• CVE-2022-1162 Flaw in GitLab Allowed Threat Actors To Take Over Accounts - Security Affairs

• Trend Micro Fixed High Severity Flaw In Apex Central Product Console - Security Affairs

• Zyxel Urges Customers To Patch Critical Firewall Bypass Vulnerability | ZDNet

• QNAP Warns of OpenSSL Infinite Loop Vulnerability Affecting NAS Devices (thehackernews.com)

Sector Specific

Health/Medical/Pharma Sector

Washington Health District Suffers Another Data Breach - Infosecurity Magazine (infosecurity-magazine.com)

Hive Ransomware Group Claims Partnership HealthPlan of California Data Breach | CSO Online

LockBit Victim Estimates Cost of Ransomware Attack To Be $42 Million (bleepingcomputer.com)

Retail/eCommerce

Shopping Trap: The Online Stores’ Scam That Hits Users Worldwide - Security Affairs

Automotive

Automaker Cyber Security Lagging Behind Tech Adoption, Experts Warn | Threatpost

CNI, OT, ICS, IIoT and SCADA

The Spectre of Stuxnet: CISA Issues Alert on Rockwell Automation ICS Vulnerabilities | ZDNet

Reports Published in the Last Week

• Cyber Security Breaches Survey 2022 - GOV.UK (www.gov.uk)

• Psychology of Human Error 2022 | Research Report | Tessian

• 2022 Attack Path Management Impact Report (xmcyber.com)

Other News

• Protecting Your Organisation Against a New Class of Cyber Threats: HEAT (darkreading.com)

• Why Do Organisations Need To Prioritize Cyber Resiliency? - Help Net Security

• How Security Complexity Is Being Weaponized (darkreading.com)

• In Charts: Cyber Security Risks And Companies’ Readiness | Financial Times (ft.com)

• CISA Warns of Attacks Against Internet-Connected UPS Devices | CSO Online

• New UK Study Shows Just 1/3rd Of Orgs Use MFA Auth, Practice Cyber Compliance - Information Security Buzz

• Hackers Posing as Police Convinced Apple and Meta to Share Basic Subscriber Info (softpedia.com)

• Exploring the Intersection of Physical Security and Cyber Security (darkreading.com)

• The Current State Of Enterprise Backup And Recovery - Help Net Security

• Why Metrics Are Crucial To Proving Cyber Security Programs’ Value | CSO Online

• COVID Bounce: A Massive 2021 Resurgence of Cyber Threats - Help Net Security

• Rapid7 Finds Zero-Day Attacks Surged In 2021 (techtarget.com)

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Executive Summary

Apple has released security updates yesterday, 31/03/2022, in response to two actively exploited zero-day vulnerabilities affecting iPhones, iPads and Mac Computers. One vulnerability allows attackers to execute malicious code with privileged access, while the other allows attackers to read privileged memory on the device. Apple has only released limited information on the vulnerabilities at this time.

What’s the risk to me or my business?

These bugs have been confirmed to be actively exploited, and it affects all users of iPhones, iPads and Mac Computers. The risk will primarily come from a failure to patch the critical vulnerability.

What can I do?

Patches have been released for both bugs by Apple within MacOS 12.3.1, iPad OS 15.4.1 and iOS 15.4.1. It is strongly advised that these updates are applied as soon as possible.

Technical Summary

There are two separate bugs tracked as CVE-2022-22675 and CVE-2022-22674.

CVE-2022-22675 affects MacOS versions prior to 12.3.1, iPadOS prior to 15.4.1 and iOS versions prior to 15.4.1. This bug relates to AppleAVD, which is used to decode certain media files. This vulnerability allows an application to execute arbitrary code with kernel privileges through an out of bounds write issue. Apple has not provided any further details on this specific vulnerability.

CVE-2022-22674 affects MacOS versions prior to 12.3.1. This bug specifically relates to the Intel Graphics Driver so is unlikely to affect M1 devices, but this has not been confirmed by Apple. This bug allows an application to read kernel memory through an out-of-bounds read issue. The patch addresses this issue with improved input validation. Apple has not provided any further details on this specific vulnerability.

Need help understanding your gaps, or just want some advice? Get in touch with us.

Executive Summary

Spring Core is a popular framework used for creating Java-based enterprise applications. Spring4Shell is a critical zero-day bug within this framework, that allows attackers to remotely execute code on affecting systems running certain, non-default configurations. Due to the popularity, Spring Core may be found within many java-based enterprise applications, and Java, is an almost ubiquitous software that’s found in billions of devices across the globe, from the enterprise to the home. The bug has been deemed “Critical”, primarily due to the remote root or administrator capabilities of an attacker if exploited.

This bug is currently receiving a large quantity of media attention. While we do not believe that this issue is of major concern at this time, it is something that is important to be aware of. We will continue to monitor and upgrade our advisory if we deem appropriate.

What’s the risk to me or my business?

While the use of the Spring Core framework is very popular, this exploit appears to be only exploitable in certain configurations. The bug is not noted to be widely exploited at this time, however attackers will leverage anything they can when compromising a network, and it may only be a matter of time now the bug has been made public. The risk will primarily come from a failure to patch the flaw, which may be easy to overlook.

What can I do?

A patch has been released for the Spring Framework. The bug affects versions 5.3.0 to 5.3.17, 5.2.0-5.2.19 and all other older versions. This bug will be present in any java application made using the Spring Framework.

Discuss with you Managed Service Provider (MSP) whether any of your devices or services are impacted, and when they can expect to be patched. Equally, keeping devices at home or elsewhere up to date is an important step to mitigation, both for your professional and private life.

It is advised that network administrators patch as soon as possible.

We are continuing to monitor this and will provide updates when more information is available.

Technical Summary

The bug, tracked as CVE-2022-22965, was first reported to VMware late Tuesday evening, 29/03/2022. Investigation and analysis into the issue was being conducted with the aim for an emergency release on Thursday, 31/03/2022 however details were leaked in full online prior to this. The vendor has detailed that if the application was deployed using the default configuration, then it should not be exploitable, however due to the nature of the vulnerability there may be more unknown ways to exploit it. Further technical details will be supplied when more details are released.

Need help understanding your gaps, or just want some advice? Get in touch with us.